ACOs and Security Essentials
HIPAA Compliance, Risk Assessments Necessary
"It's important to keep in mind that the new ACO Rule emphasizes multiple times that all data sharing has to be in compliance with HIPAA requirements," Herold says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
Herold emphasizes that newly formed ACOs, and their participating provider organizations, should conduct risk assessments "to identify where all the new types of risk will exist with the new information sharing capabilities."
She also notes: "Sharing information among all caregivers ... truly is at the heart of making ACOs work." And she predicts that most ACOs will use existing health information exchanges in their regions to ease data sharing.
Federal healthcare reform's Medicare Shared Savings program called for creation of ACOs, which are networks of providers that share responsibility for treating a group of Medicare beneficiaries in a community with a goal of cutting costs and improving the quality of care. ACOs that achieve these goals will receive extra Medicare payments (see: Data Sharing Guidelines for ACOs).
The Centers for Medicare & Medicaid Services recently issued a final rule outlining all the requirements for ACOs.
In the interview, Herold:
- Describes the ACO final rule's provisions that enable patients to opt out of sharing their Medicare claims data with ACOs and establish limits on how ACOs can use the claims data. She outlines, in detail, the steps involved in complying with the opt-out provision; and
- Notes that the formation of ACOs will require the creation, in certain cases, of new business associate agreements, to comply with HIPAA, as well as the creation of Data Use Agreements, as required in the ACO final rule.
Herold offers information security, privacy and compliance consulting, as well as training, through her company, Rebecca Herold & Associates. The second edition of her book, "Managing an Information Security and Privacy Awareness and Training Program," was recently published.
Accountable Care Organizations
HOWARD ANDERSON: Federal authorities recently issued a final rule governing accountable care organizations. For starters, could you briefly define ACOs for us, and explain what the government hopes to achieve by creating them?
REBECCA HEROLD: Basically, an ACO is a network of doctors and hospitals that share responsibility for providing care to patients, and in the new law, an ACO would agree to manage all of the healthcare needs of a minimum of 5,000 Medicare beneficiaries for at least three years. The ACO then will bring together all the different component parts of care for the patient - primary care and specialist hospitals, home healthcare and so on. And it will ensure that the parts are working well together.
In most places today, patients get each part of their healthcare separately. One doctor does ear, nose, throat; another dental; another heart health and so on. And often, these doctors don't even know the patient is seeing any of the others, much less know that they're communicating with each other to ensure that there is comprehensive and knowledgeable healthcare for each particular patient. The ACOs try to ensure all healthcare for an individual is done by taking into consideration all aspects of that person's healthcare, and the challenge is putting ACOs into practical application and then demonstrating that overall healthcare then really is improved and that it results in lower costs and has better efficiencies.
ANDERSON: Are the organizations that participate in an ACO likely to share electronic information about patients to help coordinate their care? And will they be forming the equivalent of what amounts to a health information exchange? What new privacy and security issues does that raise?
HEROLD: Sharing information among all caregivers for a patient truly is at the heart of making ACOs work. Doing so via electronic transmissions really is the most feasible way to do this, as opposed to making hard copies and trying to share them, which of course, would have its own risks. ... The ACOs will most likely be using [existing] health information exchanges in order to facilitate this electronic sharing, and I'm not sure you would say they're using their own HIEs. One goal of HIEs is to provide better information sharing, specifically for such purposes that are being created by an ACO. However, ACOs would need to have tightly controlled communications paths within the HIEs to help ensure that only those caregivers who need patient information can access it.
So initially, at least, ACOs agree to manage and coordinate healthcare for the Medicare beneficiaries, including taking on additional financial responsibility that, of course, is going to come along from setting up the technical aspects of this kind of data-sharing network, and also for making sure that the care is delivered effectively, efficiently and securely. Now the new security and privacy issues will really be new applications of long-existing information security and privacy concepts. You'll have to deal with limiting access, establishing access controls, logging the access to the PHI [protected health information], and also the claims information; ensuring data accuracy and integrity - that is a very important part of sharing this data among all the caregivers; ensuring data availability at all times necessary; providing patients with opportunities to opt out of data sharing; and also, giving them access to their own data.
A lot of these involve very basic information security and privacy controls that have been around for a long time; they're just being utilized now in a new type of emerging environment.
ACO Opt-Out Provision
ANDERSON: As you just alluded to, the final ACO rule allows patients to opt out of having certain information shared with ACOs. So what steps will ACOs and their members need to take to prepare to comply with that provision, and what kind of information does the opt-out provision cover?
HEROLD: Medicare recipients can opt out of sharing their claims data with ACOs, which again, were created as part of the Medicare Shared Savings program. The new rule also places really specific limits on how the claims data can be used.
Now even though the opt-out provision is rather brief within that rule, the implications for the changes that will be necessary are certainly significant. It's important to look at not just the actual opt-out activity, but also the activities that need to occur prior to that to ensure that patients have been properly informed of what it means to have their information used within an ACO.
Related to this, the ACO rule requires that ACO participants have to do several different things. One, they have to notify beneficiaries at the time they receive care they are ACO providers participating in the Shared Savings program. This notification will likely be a new type of notice for the providers to create. Number two, they need to post signs in their facilities to notify the beneficiaries that ACO providers and suppliers are participating in the Shared Savings program. ... Along with this comes the accompanying training to those who may get questions in the facilities about the posters and what they mean from the patients who are reading them. And then, number three, they need to make available standardized written notices as well, regarding the participation in an ACO and ... the data opt-out options that the patients have.
These written notices need to be provided by the ACO participants in the primary healthcare facilities that the care is being given in. These are additional notices to provide, along with the HIPAA Notice of Privacy Practices. I anticipate that some providers will consider combining these together, and whether or not this is a good idea will depend upon the type of provider and the type of care that they're giving.
... ACOs have the option of notifying patients ... following the standardized written notice that the CMS has developed. And it's also important to be aware that these notifications that are made in this manner, interestingly enough, are under the definition of marketing materials and activities within HIPAA. So these organizations need to make sure that these notifications do meet all applicable marketing requirements under HIPAA.
Certainly related to this, procedures will need to be updated. Providers who are part of an ACO are required to alert their patients, who can then choose to go to another doctor if they are uncomfortable in participating in an ACO. The patient can decline to have his or her data shared within the ACO, and even though physicians probably want to have their patients go to hospitals and specialists within the ACO network, patients are still free to see the doctors of their own choice outside the network, and they cannot be charged more for doing this. Existing opt-out policies and procedures are going to need to be reviewed, and then they're going to have to be updated to allow for these choices that are required as part of being in an ACO.
ANDERSON: So the final ACO rule provisions regarding opting out don't explicitly address a patient's ability to opt out of having their electronic records shared among ACO members, right? That would be handled separately under some sort of health information exchange agreement, perhaps?
HEROLD: Well, it might be part of a health information exchange, but really, when you look at the final rule, it only provides that the patients be given the opportunity to opt out, and there's very little supporting information that talks about the details for how it has to occur and at what point in time. I think the primary thing is that you make patients aware of how their information is shared, let them know that the others within an ACO are going to get it, and they'll probably ask, "Who are these other entities?" So you have to give them the ability to opt out if they say, "You know what, I don't want my information going to all of these others. I want to keep my information only with these few doctors that I know I'm dealing with." That's when you have to really think about the details for how you're going to allow the patients to opt out, the forms you're going to use, how you're going to track it in your system. And, like you said, it should be a part of an HIE system anyway to allow opt-outs for other activities; so you could be able to make use of those, as well.
ANDERSON: The final ACO rule opt-out provision deals only with Medicare claims data and not with other information like full electronic records, is that right?
HEROLD: Right, exactly. This is about the Medicare claims data. This doesn't apply to all other types of PHI. The Medicare claims data and PHI, they're going to certainly have overlaps, but they aren't the same thing. They aren't the same repository of information. That's another good point that providers need to think about. They can't be viewing both of these sets of data as being one and the same. They're two different sets, but they certainly have significant overlap.
Business Associate Agreements
ANDERSON: So might the creation of ACOs require participants to enter more business associate agreements to help protect information?
HEROLD: Well, there will likely need to be new BA agreements with the ACO entity itself, and I anticipate that the implementation of ACOs will also bring with it new service providers and software vendors who will need access to that claims data for support and maintenance and for other types of back-office processes that a BA-type of organization would be providing. Those will need to have BA agreements, because again, there's overlap between the claims data and the PHI, so certainly, you have to observe all the HIPAA requirements while you're implementing the ACOs.
Under HIPAA and the required business associate agreements, the ACO and its participants will not be able to use or disclose any PHI it receives through an ACO in any manner that a HIPAA-covered entity would be prohibited from doing. Organizations that are part of an ACO need to look at all the other entities that will be accessing PHI and then put BA agreements in place as appropriate, based upon the reasons why the other entities need to have that access.
Now something to think about beyond the BA agreement is that there's a new type of agreement with this final rule that will also need to be made, and it's called a Data Use Agreement, or DUA. Some of the analysts that I've heard have said that they believe having a DUA in place may be necessary instead of a BA agreement in some situations, and I'm not completely convinced of this; maybe in some situations, but why? Because under HIPAA and the required business associate agreements, the ACO and its participants will not be able to use or disclose any PHI in a way that a HIPAA-covered entity would be prohibited from doing.
In addition to this, under the DUA, the ACO would be prohibited from sharing the Medicare claims data, which might have some PHI in it, but also, the other claims data that's separate from PHI. They need to be prohibited from sharing that with any ACO that has not cosigned the DUA as a contractor. Those requests by patients to share their PHI or claims data with entities outside the ACO may need a BA agreement depending upon the situation, and ACOs need to comply with the limitations as well on the use and disclosure that still exist under HIPAA. They have to look at those, they have to look at the applicable DUA and then also they need to be aware of the ACO program's legal requirements that restrict sharing of the data.
Privacy & Security Issues
ANDERSON: Finally, are there other privacy and security issues that are raised by the formation of ACOs that we haven't covered yet?
HEROLD: It's important to keep in mind that the new ACO rules emphasize multiple times that all data sharing has to be in compliance with HIPAA requirements. This said, because of the additional sharing of claims information, along with potentially needing to enter into new business associate agreements with the ACO itself, and also supporting this opt-out mechanism and procedures that need to be created, the ACO participants are going to need to update their HIPAA privacy and security policies to ensure the appropriate safeguards are in place, along with all of these changes.
Just a few of the important security and privacy issues that need to be addressed will include such things as ensuring the minimum necessary access that's provided to those who are within the ACO. You can't just now give all access to all PHI along with the claims data, so you need to be very careful about ensuring minimum access is being enforced. Also, accounting of the disclosures for that data that goes to the other folks who are within the ACOs - you need to keep in mind that those have to be accounted for and logged as well. And then also, now that you have these requests from patients to opt out and also to get access to their data, you're going to need to think about implementing security and procedures for identity verification. You want to make sure that the person who is asking you for access to data or asking you to opt out of sharing with certain other members within the ACO really is the person they claim to be. That needs to be established as well.
Now, this would be actually a great time to perform a risk assessment, as an organization is planning to become an ACO. A risk assessment would identify where all the new types of risks would exist with these new information-sharing capabilities. Since HIPAA requires regular risk assessments anyway, and certainly a major operational change such as this, becoming a part of an ACO, is going to bring with it new risks, then doing a risk assessment will provide really more bang for the buck - to do one in conjunction with becoming an ACO participant. And it will also help to ensure all security risks - and if you want to do an expanded one, privacy risks, as well - are being mitigated before a breach occurs.
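As an added illustration, not part of the interview and not drawn from the ACO rule, CMS guidance or any real system, the following Python sketch models three of the controls Herold names: minimum-necessary access by role, the per-beneficiary opt-out of Medicare claims-data sharing (applied only after the requester's identity is verified), and an accounting-of-disclosures log that records every decision. It keeps claims data and PHI as separate categories, as she stresses, so an opt-out of claims sharing does not by itself block PHI access. The roles, beneficiary identifiers and data categories are constructed assumptions.

```python
"""Added example: an access gateway modelling minimum-necessary access,
a claims-data opt-out, and an accounting-of-disclosures log.

Roles, identifiers and records are constructed for illustration only;
they are not taken from the ACO rule or from any real system."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed role -> data categories that role may see ("minimum necessary").
# The opt-out in the rule covers Medicare claims data only, so "claims" and
# "phi" are kept as separate categories.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "treating_clinician": {"phi", "claims"},
    "care_coordinator": {"claims"},
    "it_support": set(),  # a support vendor (BA) gets no content access here
}


@dataclass
class Beneficiary:
    beneficiary_id: str
    claims_opt_out: bool = False  # has declined claims-data sharing with the ACO


@dataclass
class DisclosureRecord:
    timestamp: str
    beneficiary_id: str
    requester: str
    role: str
    category: str
    granted: bool
    reason: str


class AcoDataGateway:
    """Single choke point for ACO data requests; every decision is logged."""

    def __init__(self, beneficiaries: List[Beneficiary]) -> None:
        self._beneficiaries = {b.beneficiary_id: b for b in beneficiaries}
        self.disclosure_log: List[DisclosureRecord] = []

    def _log(self, beneficiary_id: str, requester: str, role: str,
             category: str, granted: bool, reason: str) -> None:
        self.disclosure_log.append(DisclosureRecord(
            datetime.now(timezone.utc).isoformat(), beneficiary_id,
            requester, role, category, granted, reason))

    def request_access(self, requester: str, role: str,
                       beneficiary_id: str, category: str) -> bool:
        """Grant only if role, category and opt-out status all allow it."""
        beneficiary = self._beneficiaries.get(beneficiary_id)
        if beneficiary is None:
            granted, reason = False, "unknown beneficiary"
        elif category not in ROLE_PERMISSIONS.get(role, set()):
            granted, reason = False, "category not permitted for role"
        elif category == "claims" and beneficiary.claims_opt_out:
            granted, reason = False, "beneficiary opted out of claims sharing"
        else:
            granted, reason = True, "minimum-necessary check passed"
        # Denials are logged too, so the audit trail shows attempted access.
        self._log(beneficiary_id, requester, role, category, granted, reason)
        return granted

    def record_opt_out(self, beneficiary_id: str, identity_verified: bool) -> bool:
        """Apply an opt-out request; refuse unless the requester was identity-verified."""
        beneficiary = self._beneficiaries.get(beneficiary_id)
        if beneficiary is None or not identity_verified:
            return False
        beneficiary.claims_opt_out = True
        return True

    def accounting_of_disclosures(self, beneficiary_id: str) -> List[DisclosureRecord]:
        """Granted disclosures for one beneficiary (what a patient may ask to see)."""
        return [r for r in self.disclosure_log
                if r.beneficiary_id == beneficiary_id and r.granted]


def build_demo_gateway() -> AcoDataGateway:
    # Constructed sample beneficiaries: B002 has already opted out of claims sharing.
    return AcoDataGateway([Beneficiary("B001"), Beneficiary("B002", claims_opt_out=True)])


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.request_access("dr_a", "treating_clinician", "B001", "claims"))  # True
    print(gw.request_access("dr_a", "treating_clinician", "B002", "claims"))  # False: opted out
    print(gw.request_access("dr_a", "treating_clinician", "B002", "phi"))     # True: opt-out covers claims only
    print(gw.request_access("vendor", "it_support", "B001", "claims"))        # False: role has no access
    print(gw.record_opt_out("B001", identity_verified=False))                 # False: identity not verified
    for rec in gw.accounting_of_disclosures("B001"):
        print(rec)
```

The gateway is the one place where the opt-out flag, the role table and the log are consulted together; in a real deployment the same three checks would sit in front of the HIE interface rather than in each participating provider's application, which is how the controlled communication paths Herold describes are kept consistent across the ACO.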