CMS, estimating that one-and-a-half to four million Medicare beneficiaries will receive care from health care providers participating in accountable care organizations within the program's first three years, is proposing to provide ACOs with Medicare claims and other data under the Medicare Shared Savings Program, authorized under the Affordable Care Act.
The agency's proposal to share Medicare data with ACOs reflects the important role of health information in health care delivery reform, and has important implications for patient privacy.
The MSSP is designed to restructure the way Medicare beneficiaries' health care is organized and incentivized, resulting in the three-part aim of better care for individuals, better health for populations and lower growth in expenditures. Under the program, health care providers would join together to create ACOs that would take responsibility for improving the quality of care and lowering the costs of a group of at least 5,000 beneficiaries. To succeed, ACOs will have to coordinate their beneficiaries' care, an activity that will require investment in health IT infrastructure and redesigned care processes.
Central to ACOs' efforts will be access to information about their beneficiaries' health and health care, on which they can base quality assessment and improvement, population health and provider performance evaluation activities. While CMS intends for ACOs to independently produce much of the data to perform these activities, the agency recognizes that it has a wealth of information -- including data about the services and supplies that beneficiaries receive from health care providers within and outside the ACO -- that can help ACOs understand the totality of care provided to their beneficiaries. By proposing to give this information to ACOs, CMS is taking an important step forward to make valuable Medicare data more widely available for quality and efficiency improvement purposes.
Exactly What Data Does Medicare Propose To Share?
CMS proposes to share three different types of Medicare data with ACOs:
- De-identified, aggregated data on beneficiary use of health care services;
- Select identifiers for patients in an ACO's historical beneficiary population; and
- Patient-identifiable claims data.
Among other reasons for providing these data,CMS suggests that knowing the beneficiaries who received a plurality of their care from ACO primary care physician participants in the past would help the ACO identify beneficiaries who may benefit from improved care coordination in the future.
As part of its request for patient-identifiable data, an ACO would have to certify that it is requesting the information as either a covered entity under the HIPAA Privacy Rule or as the business associate of its ACO participants, who are covered entities. Among other things, an ACO also would have to certify that the request reflects the minimum data necessary for the ACO to perform activities that meet the definition of "health care operations," as defined under HIPAA.
Implications for Patient Privacy
Health information inherently merits a high expectation of privacy, and hence strong legal protection. The disclosure of patient-identifiable health information is governed by a series of laws that constrain health care providers' and others' ability to share it. In the proposed rule, CMS notes that its ability to disclose patient-identifiable health information is governed by the Social Security Act, the HIPAA Privacy Rule, the Privacy Act of 1974, and federal regulations prohibiting disclosure of records of federally assisted drug and alcohol treatment programs without written patient consent.
The Social Security Act generally bars the disclosure of information that is collected under its auspices without patient consent unless another law provides for disclosure. CMS takes the position that the HIPAA Privacy Rule provisions permitting disclosures for health care operations meet this requirement, enabling it to disclose to ACOs select beneficiary identifiers and patient-identifiable data generated under Medicare Parts A and B. Health care operations include evaluation of a health care provider's performance, quality assessment and improvement activities, and population-based activities relating to improved health. CMS notes that these provisions are extensive enough to cover the uses it expects an ACO to make of the data.
To disclose claims data generated under Medicare Part D, CMS suggests that it also has to satisfy the requirements of the Medicare Modernization Act. CMS suggests that it may release Part D claims data for the purposes of research, analysis, reporting and public health functions under a Modernization Act regulation established in 2008. Although the regulation did not expressly address whether Part D data could be shared with external entities for purposes other than research, CMS takes the position that its release of the data to ACOs for care coordination, quality improvement and performance measurement activities would be consistent with the regulation.
The Privacy Act of 1974 governs the collection, maintenance and use of personally identifiable information that is maintained in systems of records by federal agencies. The act prohibits disclosure of information from systems of records without patient consent unless the disclosure is pursuant to one of 12 statutory exceptions. CMS suggests that its disclosure of patient-identifiable Medicare claims data would be permitted without consent as a "routine use" exception under the Privacy Act. Routine uses are disclosures outside of the federal agency that collected the data that are compatible with the purpose for which the agency originally collected the data.
CMS proposes not to share claims data that relate to care provided to a beneficiary by a federally assisted drug or alcohol treatment program without written patient consent.
To further protect patient privacy, CMS proposes to require an ACO to enter into a Data Use Agreement with CMS prior to receipt of any beneficiary-identifiable claims data. Under the DUA, an ACO would be prohibited from sharing the data with anyone outside of the ACO. In addition, an ACO would have to agree only to use and disclose the data as allowed under the HIPAA Privacy Rule.
Although CMS suggests that it has the legal authority to share patient-identifiable Medicare data with an ACO without patient consent, the agency proposes to give patients the ability to opt out of having their claims data shared. Specifically, CMS proposes to require an ACO to give its beneficiaries a form allowing them to opt out of having CMS disclose their claims data to the ACO. The form would have to be provided by a primary care physician participating in the ACO.
Though CMS does not prescribe any specific requirements that ACOs or their primary care physicians must follow when providing beneficiaries the opportunity to opt out, the agency suggests that, generally speaking, beneficiaries' opportunity to opt out would be considered meaningful if it:
- Allows individuals advance notice and time to make a decision;
- Is accompanied by adequate information about the benefits and risks of making their data available;
- Does not compel consent; and
- Does not use the choice to permit their information to be shared for discriminatory purposes.
Beneficiaries would not be permitted to opt out of having CMS share the four identifiers that enable an ACO to identify its historical beneficiary population.
Delicate Balance Between Improved Care and Patient Privacy
Studies suggest that individuals who are not confident in the privacy of their health information will not share it and will engage in privacy-protective behaviors like paying out of pocket for care that is covered by insurance or avoiding care altogether. Thus, ensuring patient trust in health information exchange -- including the sharing of health information by CMS -- will be integral if ACOs are to achieve the MSSP's quality and efficiency improvement goals.
CMS hopes to ensure patient trust by giving beneficiaries the ability to opt out of having their claims data shared with ACOs, although an ACO's ability to achieve the MSSP's goals diminish without access to health information that enable it to coordinate care.
Is CMS striking the right balance between improved care and patient privacy? CMS invites stakeholders to comment on this question by June 6.