December 2011 ACO Special Edition

CMS Addresses Data Sharing and HIPAA Privacy Compliance in the ACO Final Rule

By Clay J. Countryman, Breazeale Sachse & Wilson, LLP, Baton Rouge, LA


On November 2, 2011, the Centers for Medicare & Medicaid Services (“CMS”) published the final rule (“Final Rule”) for Accountable Care Organizations (“ACO”s) participating in the Medicare Shared Savings Program (“MSSP”) under Section 3022 of the Patient Protection and Affordable Care Act (“PPACA”).1 In the Final Rule, CMS finalized several requirements under which CMS may share Medicare claims data with ACOs in accordance with the HIPAA Privacy Rule and other laws affecting the sharing of individually identifiable health information.2 This article is intended to provide a brief summary of the legal authorities considered by CMS in adopting the data sharing provisions in the MSSP, the types of claims data that CMS will share with ACOs, and the conditions that an ACO must satisfy to receive this data from CMS.

Legal Authority for CMS to Share Medicare Claims Data With ACOs

CMS addresses several laws that may limit the types of data that may be shared by CMS with ACOs in the rulemaking process to adopt the Final Rule. For example, Section 1106 of the Social Security Act prohibits the disclosure of information collected under PPACA without a beneficiary’s consent unless disclosure is otherwise permitted by a particular statute or regulation.3 CMS relies primarily on the HIPAA Privacy Rule as the legal authority under which CMS is permitted to disclose to ACOs any Medicare claims data that contains individually identifiable health information.4 As discussed in this article, CMS also includes provisions in the Final Rule relating to data sharing that impose limits to uses and disclosures of data by ACOs beyond certain requirements in the HIPAA Privacy Rule.5

Under the HIPAA Privacy Rule, CMS commented that the Medicare fee-for-service (“FFS”) program is a HIPAA covered entity as a “health plan” and therefore, is subject to any limitations regarding the disclosure of “protected health information” (“PHI”) in the HIPAA Privacy Rule.6 ACO participants and ACO providers/suppliers are also HIPAA covered entities to the extent they are healthcare providers and they engage in one or more HIPAA standard transactions.7 An ACO may itself be a HIPAA covered entity if the ACO is a healthcare provider and the ACO conducts one of the HIPAA standard transactions. In conducting quality assessment and improvement activities on behalf of ACO participants and ACO providers/suppliers, an ACO will also qualify as a business associate under the HIPAA Privacy Rule of the ACO’s participants and ACO providers/suppliers.8

Based on these relationships of ACOs, ACO participants and ACO providers/suppliers under the HIPAA Privacy Rule,9 CMS considers the disclosure of any beneficiary identifiable claims data to ACOs, and the use of such data by ACOs, to be permitted by the HIPAA Privacy Rule for “health care operations” purposes.10 A covered entity, such as the Medicare FFS program, is permitted to disclose PHI to another HIPAA covered entity, such as an ACO, for the recipient’s healthcare operations purposes if both covered entities have or had a relationship with the individual whose PHI was to be disclosed, the PHI pertains to that relationship, and the recipient will use the PHI for a healthcare operations function.11 CMS includes in the Final Rule a requirement that an ACO certifies that any beneficiary identifiable data requested by the ACO is the minimum necessary data to conduct healthcare operations work that falls within the first or second paragraph of the definition of “health care operations” in the HIPAA Privacy Rule.12

CMS also addresses concerns in the Final Rule regarding whether the use by an ACO of any beneficiary identifying data elements to identify beneficiaries on the list of historically assigned patients and to contact beneficiaries would constitute marketing under the HIPAA Privacy Rule. CMS commented that these types of uses by an ACO would also include an ACO providing a description of the ACO’s available services to a beneficiary and for case management and care coordination purposes, and all of these uses would fall within the exceptions to the definition of “marketing” in the HIPAA Privacy Rule.13

CMS also addresses in the Proposed ACO Rule (“Proposed Rule”) how the disclosure of claims data by CMS to ACOs would be affected by the Privacy Act of 197414 and federal law which governs the disclosure of information from records created in connection with federally conducted or assisted substance abuse programs.15 CMS concluded in the Proposed Rule that the sharing of beneficiary identifiable information with ACOs is permitted under an exception to the Privacy Act as a “routine use” because it would be a disclosure outside of CMS that is compatible with the purpose for which CMS collected the data.16 The Final ACO Rule also provides that CMS will not share any beneficiary identifiable claims data relating to treatment for alcohol and substance abuse.17

Data Sharing with ACOs

Under the MSSP, ACOs will be accountable for the quality, cost, and overall care of the Medicare beneficiaries that are assigned to an ACO.18 CMS recognizes that although an ACO should eventually have complete information for the services that the ACO provides to its assigned beneficiaries, an ACO may not have access to information about all of the services that are provided to its assigned beneficiaries outside of the ACO.19 To enable ACOs to have a complete picture about the care their assigned beneficiaries receive, CMS finalized its proposals to provide ACOs with the following types of claims data: (1) aggregated data reports; (2) limited identifying information about beneficiaries whose information serves as the basis for the aggregate data reports; and (3) certain beneficiary identifiable claims data unless a beneficiary had chosen to decline to share his or her data with the ACO.20

Sharing Aggregate Data with ACOs

The Final Rule provides that CMS will furnish ACOs with aggregate data reports at the start of the ACO’s agreement period; such reports would be based on data for those beneficiaries historically assigned, and included in the calculation of an ACO’s benchmark. Aggregate data reports will also be provided with the yearly financial and quarterly performance reports provided to ACOs. The quarterly aggregate data reports will be based on their most recent 12 months of data from potentially assigned beneficiaries to an ACO.21 These aggregate data reports will include aggregated metrics on the beneficiary population and beneficiary data at the start of an ACO’s agreement period with CMS based on historical beneficiaries used to calculate the ACO’s benchmark.22

CMS addresses comments in the Final Rule that aggregate data would not be useful unless it was provided in a timely manner or in “real time.”23 In response, CMS commented in the Final Rule that the delay between when a service is performed and when a claim is processed, as well as the time it takes to prepare claims level data to an aggregate level data set make it impossible to provide aggregate data reports to ACOs in “real time.”24 CMS commented that aggregate data reports will not be provided to an ACO until after CMS has received and approved an ACO’s application, and the ACO has signed a participation agreement and a Data Use Agreement (“DUA”) with CMS.25

Identification of Historically Assigned Beneficiaries

An ACO may request CMS to provide the ACO with a list of four data identifiers consisting of beneficiary names, dates of birth, sex and health insurance claim number (“HICN”) regarding preliminarily prospectively assigned beneficiaries whose data was used to generate the aggregate data reports that will be provided by CMS to ACOs.26 An ACO may request these four data identifiers from CMS at the beginning of the ACO’s agreement period with CMS, during each quarter, and at the beginning of each performance year.27 CMS will also provide ACOs with listings of preliminarily prospectively assigned beneficiary names, dates of birth, sex and HICNs that were used to generate each quarterly aggregate data report.28

An ACO must certify that the ACO is requesting these four data identifiers as either a HIPAA-covered entity or a business associate of its ACO participants and ACO providers/suppliers, and the ACO’s request to CMS reflects the minimum data necessary for the ACO to conduct healthcare operations work within the first or second paragraph of the definition of healthcare operations in the HIPAA Privacy Rule.29 An ACO would request the four identifiers as a HIPAA covered entity when the ACO would use the data for its own healthcare operations.30 If an ACO performs work on behalf of its ACO participants and ACO providers/suppliers (i.e., conducting quality assessment and improvement activities), the ACO would request the four identifiers as the business associate of its ACO participants and ACO providers/suppliers.31 CMS considers these four data points the minimum data necessary for ACOs to begin the process of developing care plans in an effort to provide better care for individuals and better health for each ACO’s assigned beneficiary population.32

Sharing Beneficiary Identifiable Data With ACOs

An ACO may also request beneficiary identifiable claims data on a monthly basis for the purposes of evaluating the performance of its ACO participants or its ACO provider/suppliers, conducting quality assessment and improvement activities, and conducting population-based activities relating to improved health.33 CMS had initially proposed to limit the available claims data to beneficiaries who received a primary care service from a primary care physician participating in the ACO during the performance year, and who have been given the opportunity to decline to have their claims data shared with the ACO. In the Final Rule, however, CMS includes a process under which an ACO may request beneficiary identifiable claims data for preliminarily prospectively assigned beneficiaries who are likely to be assigned to the ACO in future performance years.34

CMS had proposed to provide ACOs with beneficiary identifiable claims data in the form of a standardized data set that would include certain Medicare Part A, Part B and Part D data elements in the regulations implementing the MSSP.35 CMS commented that the listed Part A and Part B data elements in the Proposed Rule were the minimum data necessary for the ACO to accomplish a permitted use of the data.36 In response to comments to the Proposed Rule, CMS added the National Provider Identifier (“NPI”), the Taxpayer Identification Number of ACO providers/suppliers and the Plan of Service (“POS”) code for ACO suppliers to the list of Part A and Part B data elements in the Final Rule that may be the minimum data necessary to permit an ACO to evaluate the performance of an ACO’s providers and suppliers and conduct quality assessment and improvement activities.37 An important change in the Final Rule was CMS’ clarification that the list of minimum necessary Part A, Part B and Part D data elements in the Proposed Rule was provided by CMS as examples of the types of data elements that might be the minimum data necessary to permit an ACO to evaluate the performance of an ACO’s providers and suppliers and conduct quality assessment and improvement activities.38 CMS commented in the Final Rule that an ACO may request additional data elements, however, if the ACO can demonstrate how the additional requested information would be necessary to perform the functions and activities of the ACO such that the additional data would be the minimum necessary data for the ACO’s purposes.39

As a condition of receiving any requested beneficiary identifiable data, an ACO must submit a formal data request to CMS in which the ACO explains how it intends to use the data to evaluate the performance of ACO participants and ACO providers/suppliers, conduct quality assessment and improvement activities, and conduct population-based activities to improve health of its assigned beneficiary population.40 An ACO must certify that it is requesting claims data about either its own patients as a HIPAA-covered entity or the patients of its HIPAA-covered entity ACO participants or its ACO providers/suppliers, and that the request is for the minimum data necessary for the ACO to conduct its own healthcare operations work that falls within the definition of healthcare operations in the HIPAA Privacy Rule.41 This same certification requirement must be met by ACOs when requesting the four data identifiers of the beneficiaries whose claims data was used to generate the aggregate data reports that will be provided to ACOs.

An ACO must also enter into a DUA with CMS prior to the receipt of any beneficiary-identifiable claims data.42 Under the terms of the DUA, an ACO will be prohibited from sharing the Medicare claims data provided by CMS to an ACO with anyone outside of the ACO.43 The terms of a DUA will also require ACOs to agree not to use or disclose the claims data obtained pursuant to the DUA in a manner which a HIPAA-covered entity could not use or disclose the data without violating the HIPAA Privacy Rule.44 If an ACO misuses or discloses data in a manner that violates any applicable statutory or regulatory requirements or is in non-compliance with the terms of the DUA, the ACO will not be able to receive any more data from CMS and the ACO may be terminated from participation in the MSSP.45

The Final Rule also requires ACOs to notify beneficiaries in writing that the ACO may request their Medicare claims data from CMS for purposes of care coordination and quality improvement work, and the beneficiary must have the opportunity to decline to have his or her claims information shared with the ACO.46 An ACO is required to provide all beneficiaries with a written notice as part of their first primary care service office visit explaining their opportunity to decline data sharing with the ACO.47

ACOs may also contact the Medicare beneficiaries that appear on a list of individuals being prospectively assigned to a given ACO for the purpose of notifying the patient of the provider’s participation in an ACO, and to request whether or not the patient wishes to “opt out” of data sharing with respect to his or her identifiable data.48 If the beneficiary does not opt-out within 30 days, the ACO will be able to request that beneficiary’s identifiable data from CMS.49 An ACO must still provide these beneficiaries with a form at their first primary care office visit with an ACO provider during the ACO’s agreement period explaining the beneficiary’s opportunity to decline data sharing.50

Conclusion

In the data sharing provisions of the Final Rule, CMS focused on the sharing of data by CMS with ACOs, and CMS did not address the ACOs’ sharing of data internally or among an ACO’s participants and providers/suppliers. ACOs will still need to identify and analyze federal and state laws that may affect an ACO’s internal data sharing. CMS had received several comments to the Proposed Rule requesting CMS to address privacy and security concerns with ACOs sharing data internally, and also the suppression of inappropriate data flowing to other sources (e.g., adolescent/minor data to a parent/guardian, beneficiary data to an ex-spouse, etc.).51 In response, CMS commented that ACOs will be subject to the HIPAA Privacy and Security Rules when an ACO receives data as either a HIPAA covered entity or as a business associate of a HIPAA covered entity.52 However, there still may be some sentiment that CMS should also address in future rulemaking the sharing of data by ACOs in the data sharing provisions of the MSSP.

1 76 Fed. Reg. 67802.
2 Id.
3 76 Fed. Reg. at 19556.
4 Id.
5 76 Fed. Reg. at 67848.
6 76 Fed. Reg. at 19556.
7 Id.
8 76 Fed. Reg. at 19556.
9 ACO participants is defined as an individual or group of ACO providers/suppliers, that is identified by a Medicare-enrolled TIN, that alone or together with one or more other ACO participants comprise(s) an ACO, and that is included on the list of ACO participants that is required under § 425.204(c)(5). ACO providers/suppliers is defined as an individual or entity that: (1) is a provider or supplier; (2) is enrolled in Medicare; (3) bills for items or services it furnishes to Medicare fee-for-service beneficiaries under a Medicare billing number assigned to the TIN of an ACO participant in accordance with applicable Medicare regulations; and (4) is included on the list of ACO providers/suppliers that is required under 425.204(c)(5). 45 CFR § 425.20.
10 76 Fed. Reg. at 19556.
11 Id.
12 76 Fed. Reg. at 19556. See 45 CFR § 164.501.
13 Id.
14 76 Fed. Reg. at 19556. See 5 U.S.C. § 522a(b).
15 76 Fed. Reg. at 19556.
16 Id.
17 42 C.F.R. § 425.708. See 42 CFR § 290dd-2 and the implementing regulations at 42 CFR part 2.
18 76 Fed. Reg. at 67844.
19 Id.
20 Id.
21 42 C.F.R. § 425.702.
22 Id.
23 76 Fed. Reg. at 67844.
24 Id.
25 Id.
26 42 CFR § 425.702(c)(1) provides that an ACO’s request for the four identifiable data points would be for purposes of population-based activities relating to improving health or reducing growth in healthcare costs, process development, case management and care coordination.
27 76 Fed. Reg. at 67845.
28 76 Fed. Reg. at 67846.
29 45 CFR § 425.702(c)(2). See 45 C.F.R. § 164.501. The first and second paragraphs of healthcare operations include the following activities: (a) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing healthcare costs, protocol development, case management and care coordination, contacting of healthcare providers and patients with information about treatment alternatives, and related functions that do not include treatment; and (b) reviewing the competence or qualifications of healthcare professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees or practitioners in areas of healthcare learn under supervision to practice or improve their skills as healthcare providers, training of non-health care professionals, accreditation, certification, licensing or credentialing activities.
30 76 Fed. Reg. at 19556. See 42 C.F.R. § 425.702(cc)(2)(i).
31 Id. See at § 425.702(c)(2)(ii).
32 76 Fed. Reg. at 67846.
33 42 C.F.R. § 425.704.
34 76 Fed. Reg. at 67850; 42 C.F.R. § 425.704.
35 76 Fed. Reg. at 19558.
36 76 Fed. Reg. at 19558.
37 76 Fed. Reg. at 67847.
38 76 Fed. Reg. at 67848.
39 76 Fed. Reg. at 67847. 42 C.F.R. § 425.706 (a) provides that the minimum necessary Parts A and B data elements may include but are not limited to the following data elements:
(1) Beneficiary ID.
(2) Procedure code.
(3) Gender.
(4) Diagnosis code.
(5) Claim ID.
(6) The from and through dates of service.
(7) The provider or supplier ID.
(8) The claim payment type.
(9) Date of birth and death, if applicable.
(10) TIN.
(11) NPI.
and (b) provides that the minimum necessary Part D data elements may include but are not limited to the following data elements:
(1) Beneficiary ID.
(2) Prescriber ID.
(3) Drug service date.
(4) Drug product service ID.
(5) Quantity dispensed.
(6) Days supplied.
(7) Brand name.
(8) Generic name.
(9) Drug strength.
(10) TIN.
(11) NPI.
(12) Indication if on formulary.
(13) Gross drug cost.
40 Id.
41 42 C.F.R. § 425.704(b).
42 42 C.F.R. § 425.710.
43 76 Fed. Reg. at 67846.
44 Id.
45 42 C.F.R. § 425.710(2).
46 42 C.F.R. § 425.708.
47 42 C.F.R. § 425.708(c).
48 Id.
49 76 Fed. Reg. at 67851. See 42 C.F.R. § 425.708.
50 42 C.F.R. § 425.708.
51 Id.
52 76 Fed. Reg. at 67848.

The ABA Health eSource is distributed automatically to members of the ABA Health Law Section. Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.