ACO Rule Keeps HIE Consent "On the Fence"

When DHHS published its Proposed ACO Rule in April 2011 and then the Final ACO Rule in November 2011 (I’ll refer to them as the “ACO Rules”), discussions focused predominately on issues such as who is “qualified” to participate, what the required governance structure should be, what methodology will be used to assign Medicare beneficiaries, and what the payment models will be.  However, as I digested the ACO Rules, my reading deliberately slowed down as I zeroed in on the not unremarkable language and comments CMS included with regard to sharing individually identifiable health information in the ACO context.

Among other things, the ACO Rules would authorize key data sharing between CMS and an ACO.  In particular, four categories of data could potentially be shared:

  • Aggregated Data
  • Personal Identifiers
  • Personally Identifiable Claims Data
  • Prescription Claims Data

In the Preamble to the Proposed Rule, CMS emphasized the importance of sharing these forms of data in order to provide more complete information on the services provided or coordinated for the ACO beneficiary populations, better achieve improvements in the quality of care, and gain a better understanding of the population served while lowering the growth in health care costs. Notably, while the ACO Rules would permit Medicare beneficiaries to “opt-out” of certain data sharing, other data would be shared without the patient’s consent.  Moreover, it is clear that CMS deliberately chose to proceed with an opt-out approach, given its concerns regarding beneficiary participation and ACO Participant administrative burdens.  In the Preamble to the ACO Rules, it noted that:

“An opt-out approach is used successfully in most systems of electronic exchange of information because it is significantly less burdensome on consumers and providers while still providing an opportunity for caregivers to engage with patients to promote trust and permitting patients to exercise control over their data.”  See 76 Fed. Reg. 19560 (2011).

Although some of the information that CMS proposes for “sharing” will be de-identified, other information will be identifiable. For example, limited beneficiary data (i.e., name, DOB, gender, insurance claim number) would be made available at the beginning of the first performance year and in connection with quarterly aggregated data reports.  Other data proposed to be shared could potentially include: (Medicare Part A & B) procedure codes; diagnosis codes; beneficiary IDs; DOB; gender; date of death; claim ID; dates of service; provider/supplier ID; claim payment type; (Medicare Part D) beneficiary ID; prescriber ID; drug service date; drug product ID; whether the drug is on the formulary.

CMS acknowledges in the ACO Rules that there could be privacy concerns with sharing identifiable information, but nevertheless takes the position that the HIPAA Privacy Rule permits disclosure for purposes of sharing Medicare Part A and Part B claims data with ACOs participating in the Shared Savings Program.  The agency also specifically notes that the disclosures of claims data would be permitted as “health care operations”.  Under HIPAA, a covered entity may disclose PHI to another covered entity for the recipient’s health care operations if they both have or had a relationship with the individual, the records pertain to that relationship, and the records will be used for a health care operation function meeting one of the first two paragraphs in the definition of health care operation under HIPAA. 

Yet, although CMS explicitly states that it has the authority to share Medicare Claims Data without patient consent, the agency also notes that it “nonetheless believe(s) that beneficiaries should be notified of, and have meaningful control over who, has access to their personal health information for purposes of the Shared Savings Program.”  See 76 FR 19559; See also 76 FR 67849.  Therefore, while patients would not be able to opt-out of having de-identified aggregated data reports or limited identifiers shared with the ACOs, CMS will allow patients to opt-out of having claims data shared with the ACOs. 

Over the past year, privacy, patient consent and HIE opt-in/opt-out have continued to be debated (sometimes painfully).  The debate continues essentially because certain stakeholders hold different and strong views on if, when and at what point affirmative patient consent is required (under current law) or should be required (through promulgation of new rules).  As a result, some HIE collaboratives have required affirmative patient consent before any data is shared. Similarly, Recommendations from the ONC Tiger Team include, in part, that consent should be obtained before any information is shared with third parties, including Business Associates and HIOs (except where sharing is directed exchange (provider-to-provider), or between providers participating in an OHCA (as a side note, query whether ACOs might qualify as OHCAs? probably...at least in some cases)).  Others have determined that the value of networked electronic HIE – i.e., healthcare quality improvement and cost reduction – is most efficiently realized when certain data is readily shared without prior authorization or consent, in accordance with HIPAA's exceptions, as a presumed default.  Now with CMS throwing its views on consent & opt-in/opt-out into the ring, at least with respect to ACOs' data-sharing with Medicare, I'm sure many are anxious to see if the forthcoming HITECH Final Rule and NHIN Governance Rule will offer clear standards for the current HIE consent conundrum, or continue to precariously balance this issue on the fence... I know I personally can't wait to see.

California HIE Demonstration Projects to Move Ahead with Opt-In Framework

This past Wednesday, the California Office of Health Information Integrity (CalOHII) released a comprehensive whitepaper examining patient consent and other HIE framework efforts for entities participating in the HIE Demonstration Projects and HIE throughout the state of California. CalOHII is the state entity designated for overseeing HIE in California as well as establishing and administering HIE demonstration projects within the state.  

The whitepaper builds upon initial recommendations of the California Privacy and Security Advisory Board (CalPSAB).  Although originally CalPSAB had proposed a bifurcated consent policy (i.e., opt-out for treatment, opt-in for other purposes or where sensitive information was contained in the medical record), the Board withdrew this recommendation after public concern regarding cost effective workability of the policy. 

Ultimately, CalPSAB recommended an "opt-in" patient consent framework which this whitepaper incorporates, implementing generally an affirmative consent framework for the demonstration projects.  The demonstration project participants would be required to use CalOHII approved consent forms and adopt CalOHII recommended privacy and security policies and procedures.

Although adopting a stricter approach, the whitepaper echoes the ONC Tiger Team's emphasis on meaningful patient consent, stating,

  ...CalOHII believes that the reading of an informing document and the signing of a consent form is the step at the end of a process - the process of education.  The education of the patient on the various aspects of the electronic exchange of health information, is to guide the patient in making a meaningful decision in giving or not giving his/her consent.

The whitepaper would permit certain exceptions allowing information to be accessed through an HIE without patient consent, namely for public health reporting and emergency "break the glass" situations.  In addition, the HIE demonstration projects are permitted under certain circumstances to request to "Demonstrate Alternative Requirements" (DAR process) in order to present other policies and requirements for implementing patient consent and privacy and security requirements. 

The two demonstration projects chosen for 2011 are the Western Health Information Network (WHIN) and the San Diego Beacon eHealth Community.  Both demonstration projects are currently set to test the opt-in framework as well as the CalOHII privacy and security policies that are to be developed.  The purpose of the demonstration projects is to help evaluate solutions for HIE and to test and develop innovative privacy and security practices.  Regulations for the demonstration projects are expected to be finalized shortly. 

Maine Reverts Back to Opt-Out Approach for HIE

In my previous post (April 26, 2011), I discussed legislation proposed by privacy advocates in Maine which would require, among other things, that patients "opt-in" before any information could be collected, accessed or disclosed through Maine's HIE HealthInfoNet.  Although HealthInfoNet currently operates under the "opt-out" approach, privacy advocates had pushed for the legislation in order to more adequately safeguard patient privacy.  Stakeholders had decided early on in the HIE's development that opt-in was not practical and as such, patients would be automatically enrolled in the HIE.  Patients could then exercise their choice to opt-out and have their information deleted from the HIE's central data repository. 

After considerable push-back from HealthInfoNet, as well as physicians, hospitals and their respective professional associations, the Maine legislature has reconsidered and revised the proposal.

As rewritten, the proposed legislation would permit HealthInfoNet to continue operating on an opt-out basis, but would dictate specific rules for informing patients of their right to do so. Individuals would need to be provided with, at a minimum:

  • A separate form at the point of initial contact with a description of the risks and benefits of participating in the HIE;
  • A description of how and where to obtain more information or how to contact the HIE;
  • An opportunity for the patient to refuse to participate in the HIE; and
  • A declaration that health care treatment would not be withheld from the patient solely based upon the patient's refusal to participate in the HIE.

Although information regarding the HIE is currently included on provider and hospital Notice of Privacy Practices, many patients were not aware that their information was being exchanged through the HIE.  As Amy Landry, communications director at HealthInfoNet acknowledged, "nobody reads the Notice of Privacy Practices." The proposed legislation reflects a compromise between concerns for patient privacy and awareness and the need of the HIE to have a large enough patient population to be of value to physicians and hospitals.

Furthermore, the proposed legislation would require confidentiality policies and procedures for protecting the confidentiality, security and integrity of health care information.  It would also require the HIE to maintain records of all disclosures made by and through the HIE in addition to requiring compliance with all applicable federal laws and regulations dealing with privacy, security and breach notification as defined by 45 CFR Part 160 and 164. 

The amended Bill (LD 1337) may be accessed here.  

Maine Considers Opt-In Requirement for HIEs

New legislation has been proposed by privacy advocates in Maine that would govern how patient information is shared through the statewide HIE, HealthInfoNet.  LD 1337, which is entitled "The Act to Ensure Patient Privacy and Control with Regard to Health Information Exchanges", would require, among other things, that patients' "written informed authorization" be obtained before the HIE could collect, store, access or disclose any health care information of a patient.  

This marks a significant departure from HealthInfoNet's current procedures.  Currently, patients of HealthInfoNet-participating providers and hospitals are automatically enrolled in the HIE, but must be given the opportunity to actively opt-out of participation. If a patient exercises his or her choice and opts-out of HealthInfoNet, all of their health information is deleted from the central data repository maintained by the HIE.  Stakeholders had decided early on in the HIE's development that an opt-out approach would be in the best interest of patients, providers and the HIE.  HealthInfoNet's executive director and CEO stated,

All agreed that an opt-in policy was impractical and would not lead to enough participation to be of value.

Notably, a majority of HIEs currently in operation utilize the opt-out approach.  A survey conducted by the eHealth Initiative in July 2010 found that only 18 percent of the HIEs that were surveyed had policies requiring patients to opt-in to the HIE.  The minority of HIEs that utilize opt-in view privacy as paramount and as such, despite the higher burden, require patient consent before including their information in the HIE.

However, while HIE privacy and consent discussions somehow always seem to regress back to the "opt in" versus "opt out" debate, the truth is that neither approach, on its own, will ensure patient privacy. The ONC's Privacy and Security Tiger Team stated in its August 19th Letter to the National Coordinator that patient consent currently accommodates both the opt-in and opt-out approach combined with "meaningful consent." 

In my view, the question of whether or not a patient should consent to -- or 'opt in' -- to having a third party HIO "aggregate and store" their information is far less important than the question of what happens to that information after it is stored there.  The HIO, after all, has contractual obligations pursuant to its HIPAA BAA with the covered entity data contributors, and as a result of HITECH, the HIO can be directly assessed for penalties if it runs afoul of HIPAA.  So then, one might ask,

what additional and real benefit is there to having patients 'opt in' to having their information stored by such third party HIO that is already required, pursuant to contractual (the HIPAA BAA) and legal (HITECH) obligations, to safeguard that information to prevent unauthorized access or use?

Thus, whether the HIO implements an opt-in or an opt-out approach may not be the most important question.  Rather, time discussing privacy may be better spent on questions such as:

  • Are there clear access policies, and are user roles appropriately defined?
  • What are the authentication processes?
  • Are users adequately trained (and I mean really) on what are "appropriate" reasons and inappropriate reasons to access information in the HIE?
  • Has the HIE clearly defined what are "permitted" and "prohibited" uses of PHI in the HIE? 
  • Who audits for inappropriate access? 
  • Is there accountability, and how are violators punished?

The 800-Pound HIE Gorilla Tiger in "Meaningful Use"

There has been a lot of discussion around the Meaningful Use (MU) criteria. CMS has an entire website dedicated to the subject, as does ONC. Although the clinical criteria of MU may garner much of the attention, the privacy and security components are also significant.  In particular, the MU criteria pertaining to Health Information Exchange (HIE) raise certain fundamental privacy questions.

In short, the HIE requirements for MU include the ability to: (1) exchange “key” clinical information among providers of care and patient authorized entities electronically, and (2) perform at least 1 test of exchanging information. The crucial question, then, is what exactly does "and patient authorized entities" suggest?  In listening to the privacy discussion taking place in various ONC Workgroups, including the newly-established Privacy & Security Tiger Team, one could reasonably conclude that this requirement might evolve to mean that a HIE will need to be able to capture and implement patients' specific and granular preferences (e.g., patient is "ok” with releasing info to Provider B, but not to Provider C) -- at least if you want to meet MU criteria.

This interpretation, however, could throw a wrench into HIE networks across the nation that have implemented an Opt-Out consent model in part in reliance on a legitimate belief that when HHS adopted the final version of the HIPAA Privacy Rule it also vetted and already decided the question of whether a patient's prior written authorization should be required before general health information can be shared between treating providers for treatment purposes -- and it affirmatively decided to create the "Treatment Exception".  In fact, many states have laws that contain a similar exception. New Jersey, for example, specifically permits two treating doctors to share pertinent information about a common patient and expressly states that the prior consent is not required in such instances if it is in the best interest of the patient (see N.J.A.C. 13:35-6.5(d)3).

Links to the full legislative history related to the promulgation of the HIPAA Privacy Rule can be found on HHS’s website, but a closer look at the August 14, 2002 “Modification to the HIPAA Privacy Rule – Final Rule" is worth a second read in particular.  For those who wish to review it in full, I have posted a full excerpt of the relevant sections under the “Continue Reading” window below, but in sum HHS removed the requirement of obtaining prior patient authorization after reviewing numerous public comments on the issue and concluding that:

As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded ...

The Final HIPAA Privacy Rule was adopted after HHS released multiple proposed versions, considered significant public comment, and followed administrative rule-making procedures -- all over the course of almost 3 years. Thus, as policies are recommended and developed for the HIE context, prior debate and dialogue is relevant and should not be forgotten or dismissed.
