ACO Rule Keeps HIE Consent "On the Fence"

When DHHS published its Proposed ACO Rule in April 2011 and then the Final ACO Rule in November 2011 (I’ll refer to them as the “ACO Rules”), discussions focused predominately on issues such as who is “qualified” to participate, what the required governance structure should be, what methodology will be used to assign Medicare beneficiaries, and what the payment models will be.  However, as I digested the ACO Rules, my reading deliberately slowed down as I zeroed in on the not unremarkable language and comments CMS included with regard to sharing individually identifiable health information in the ACO context.

Among other things, the ACO Rules would authorize key data sharing between CMS and an ACO.  In particular, four categories of data could potentially be shared:

  • Aggregated Data
  • Personal Identifiers
  • Personally Identifiable Claims Data
  • Prescription Claims Data

In the Preamble to the Proposed Rule, CMS emphasized the importance of sharing these forms of data in order to provide more complete information for the services provided or coordinated for the ACO beneficiary populations, better achieve improvements in the quality of care and gain a better understanding of the population served while lowering the growth in health care costs. Notably, while the ACO Rules would permit Medicare beneficiaries to “opt-out” of certain data sharing, other data would be shared without the patient’s consent.  Moreover, it is clear that CMS deliberately chose to proceed with an opt-out approach, given its concerns regarding beneficiary participation and ACO Participant administrative burdens.  In the Preamble to the ACO Rules, it noted that:

“An opt-out approach is used successfully in most systems of electronic exchange of information because it is significantly less burdensome on consumers and providers while still providing an opportunity for caregivers to engage with patients to promote trust and permitting patients to exercise control over their data.”  See 76 Fed Reg. 19560 (2011).

Although some of the information that CMS proposes for “sharing” will be de-identified, other information will be identifiable. For example, limited beneficiary data (i.e., name, DOB, gender, insurance claim number) would be made available at the beginning of the first performance year and in connection with quarterly aggregated data reports.  Other data proposed to be shared could potentially include: (Medicare Part A & B) procedure codes; diagnosis codes; beneficiary IDs; DOB; gender; date of death; claim ID; dates of service; provider/supplier ID; claim payment type; (Medicare Part D) beneficiary ID; prescriber ID; drug service date; drug product ID; if the drug is on the formulary.

CMS acknowledges in the ACO Rules that there could be privacy concerns with sharing identifiable information, but nevertheless takes the position that the HIPAA Privacy Rule permits disclosure for purposes of sharing Medicare Part A and Part B claims data with ACOs participating in the Shared Savings Program.  The agency also specifically notes that the disclosures of claims data would be permitted as “health care operations”.  Under HIPAA, a covered entity may disclose PHI to another covered entity for the recipient’s health care operations if they both have or had a relationship with the individual, the records pertain to that relationship, and the records will be used for a health care operation function meeting one of the first two paragraphs in the definition of health care operation under HIPAA. 

Yet, although CMS explicitly states that it has the authority to share Medicare Claims Data without patient consent, the agency also notes that it “nonetheless believe(s) that beneficiaries should be notified of, and have meaningful control over who, has access to their personal health information for purposes of the Shared Savings Program.”  See 76 FR 19559; See also 76 FR 67849.  Therefore, while patients would not be able to opt-out of having de-identified aggregated data reports or limited identifiers shared with the ACOs, CMS will allow patients to opt-out of having claims data shared with the ACOs. 

Over the past year, privacy, patient consent and HIE opt-in/opt-out have continued to be debated (sometimes painfully).  The debate continues essentially because certain stakeholders hold different and strong views on if, when and at what point affirmative patient consent is required (under current law) or should be required (through promulgation of new rules).  As a result, some HIE collaboratives have required affirmative patient consent before any data is shared. Similarly, recommendations from the ONC Tiger Team include, in part, that consent should be obtained before any information is shared with third parties, including Business Associates and HIOs (except where sharing is directed exchange (provider-to-provider), or between providers participating in an OHCA (as a side note, query if ACOs might qualify as OHCAs? probably...at least in some cases)).  Others have determined that the value of networked electronic HIE – i.e., healthcare quality improvement and cost reduction – is most efficiently realized when certain data is readily shared without prior authorization or consent, in accordance with HIPAA's exceptions, as a presumed default.  Now with CMS throwing its views on consent & opt-in/opt-out into the ring, at least with respect to ACOs' data-sharing with Medicare, I'm sure many are anxious to see if the forthcoming HITECH Final Rule and NHIN Governance Rule will offer clear standards for the current HIE consent conundrum, or continue to precariously balance this issue on the fence... I know I personally can't wait to see.