The Security Scrutinizer with Howard Anderson

ACOs Face Privacy Challenges

Protecting Medicare Patients' Data

Federal healthcare reform's Medicare Shared Savings program called for creation of ACOs, which are networks of hospitals, clinics and other providers that share responsibility for treating a group of Medicare beneficiaries in a community with a goal of cutting costs and improving the quality of care. ACOs that achieve these goals will receive extra Medicare payments (see: Data Sharing Guidelines for ACOs).

To be successful in coordinating the care of Medicare patients, ACOs clearly will need to share electronically a great deal of patient information to support timely decisions. "Sharing information among all caregivers ... truly is at the heart of making ACOs work," security expert Rebecca Herold says (see: ACOs Must Safeguard Data Sharing).

"It's important to keep in mind that the new ACO Rule emphasizes multiple times that all data sharing has to be in compliance with HIPAA requirements," she adds.

Health Information Exchanges

Herold predicts that most ACOs will use existing health information exchanges in their regions to ease data sharing. "ACOs would need to have tightly controlled communication paths within HIEs to help ensure that only those caregivers who need patient information can access it," she stresses.

Beyond HIPAA compliance, ACOs will face yet another important privacy challenge. The final rule laying out the guidelines for ACOs enables patients to opt out of sharing their Medicare claims data with ACOs. And that will require these new organizations to take yet another set of complex steps, Herold says.

Plus, to ensure that patient information is protected, ACOs likely will need to sign business associate agreements with their partners. The final rule also requires the creation of Data Use Agreements.

Risk Assessments Vital

The bottom line? Herold says newly formed ACOs, and their participating provider organizations, will need to conduct risk assessments "to identify where all the new types of risk will exist with the new information sharing capabilities."

It will be interesting to watch whether the incentive of extra Medicare payments will prove powerful enough to spur the creation of many ACOs. And we'll also be watching to see how they address critical privacy and security issues.



About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



