In recent months, the line between health care providers and payers has become more and more gray. With rising frequency, health plans purchase physician groups, physician groups increasingly bear risk and, under the banner of accountable care organizations, a growing spectrum of delivery systems with insurance licenses begins to take shape.
Some have posited that as we consider option after option for a coordinated, high-quality, efficient health care system, the answer may already exist. Can an integrated system where health care providers and payers join forces to increase quality of care and reduce health care costs be the way, or at least one possible way, to successfully reform the system?
Structure of Integrated Systems
Integrated delivery and financing systems can take on different structures. For example, in states where corporate practice of medicine prohibitions exist (i.e., where corporations are prohibited from practicing medicine and physicians are prohibited from being employed by corporations), payers and providers, each under the umbrella of a separate legal entity, may enter into exclusive arrangements under which the beneficiaries of the plan may obtain reimbursement for services provided by the providers who participate in the integrated delivery system. Further, the providers may provide services only to patients who are members of the plan.
Alternatively, where permissible, the health plan and the health care providers may be under the same corporate umbrella (i.e., the plan is wholly owned by the same corporate entity that employs the health care providers).
In either of these situations -- and all the variations on these themes -- the asserted goal is to align the interests of the payers and the health care providers in an effort to increase the quality and efficiency of health care while reducing costs.
Potential Privacy Implications
While the goal of integrated care certainly is laudable, it is not clear whether there are any privacy implications to such a structure. Certainly, health care providers and payers use and disclose protected health information (PHI) differently, and the potential benefits to having access to such PHI are drastically different between the two. So the question remains: Does existing law take this issue into account, and what potential issues exist, if any, with respect to the joining of such forces?
The HIPAA Privacy Rule acknowledges at least some organizational structures and attempts to address related privacy issues. For example, the Privacy Rule permits legally separate covered entities that are under common ownership or control to designate themselves as a single affiliated covered entity (ACE) for purposes of compliance with the Privacy Rule. Thus, because the covered entities would be considered a single covered entity for purposes of compliance, one would think that what once would have been considered a "disclosure" of PHI between the entities, would now be a "use" within the ACE, and provided that such use was permissible under the Privacy Rule, the ACE would be in compliance with the law. This may be true; however, the Privacy Rule further requires that if an ACE is a combination of a health plan and health care provider (i.e., the ACE engages in multiple covered functions under HIPAA), the ACE, or the components thereof, must comply with any Privacy Rule obligations that exist specifically for that type (i.e., health plan or provider) of covered entity.
In addition, to the extent that only the health plan or the health care provider provides services to an individual, the ACE (and its components) may use or disclose that individual's PHI only "for purposes related to the appropriate function being performed." That is, if only the health care provider was providing services to the individual, the component of the ACE that performs health plan activities would be significantly limited in its ability to use or disclose PHI.
However, in many closed model integrated delivery systems, this limitation would have minimal effect because plan members only may be patients of participating providers and vice versa, and only rarely (e.g., if a member never received services from any provider) would this limitation be triggered. Therefore, to the extent that a payer and providers who participate in an integrated delivery and financing system meet the definition of an ACE, and designate themselves as such, the ACE could, for example, use the PHI of the ACE (obtained from both the plan and the providers) for its own treatment, payment and health care operations purposes (which are quite expansive by definition) without obtaining individuals' authorizations.
It goes without saying that this increased access to PHI is beneficial to the providers and the plan because the PHI may be used to improve quality of care while reducing overall costs. An argument could be made, however, that such increased access could potentially "harm" individuals if the PHI is used inappropriately. In response to this potential risk of harm, ACEs should have strict and effective privacy policies that restrict the use and disclosure of PHI to those permitted by law.
Similar to an ACE, the Privacy Rule further addresses the existence of an organized health care arrangement (OHCA) and includes five arrangements that could constitute an OHCA. An integrated delivery system in which payers and providers participate may meet the second of the five arrangements, which generally requires that there be an organized system of health care in which more than one covered entity participates (e.g., a health plan and provider) and in which the participating covered entities 1) hold themselves out to the public as participating in a joint arrangement; and 2) participate in joint activities that include at least one of the following: utilization review, quality assessment and improvement activities, or payment activities, if the financial risk is shared.
The benefit of qualifying as an OHCA is that covered entities that participate in an OHCA may disclose PHI to other members of the OHCA for their own or the recipient covered entity's treatment, payment or the purpose of any health care operations. Absent OHCA status, covered entities are far more limited in the ways in which they can disclose PHI for health care operations purposes.
As is the case for an ACE, this greater flexibility in terms of using and disclosing PHI may enable integrated delivery networks in which payer and providers participate to further improve the quality of care while reducing associated costs. Also similar to an ACE, to reduce the potential risk of harm related to such additional disclosures, OHCAs should have in place privacy policies and procedures that specifically address the ways in which the participants may use and disclose PHI to ensure that such uses and disclosures comply with applicable law.
Although the Privacy Rule does not address every arrangement that may exist in the health care industry, it does a fairly good job of addressing the payer-provider integrated delivery and financing system and permitting uses and disclosure by and between the covered entities participating in these arrangements. It does so in a way that allows the covered entities to use and disclose such information for purposes of improving care and reducing costs, while continuing to impose restrictions that protect the privacy of the information. As integrated delivery and financing systems proliferate, we do not envision privacy issues as being a significant impediment to their success.