ACOs Face Privacy ChallengesProtecting Medicare Patients' Data
Federal healthcare reform's Medicare Shared Savings program called for creation of ACOs, which are networks of hospitals, clinics and other providers that share responsibility for treating a group of Medicare beneficiaries in a community with a goal of cutting costs and improving the quality of care. ACOs that achieve these goals will receive extra Medicare payments (see: Data Sharing Guidelines for ACOs).
To be successful in coordinating the care of Medicare patients, ACOs clearly will need to share electronically a great deal of patient information to support timely decisions. "Sharing information among all caregivers ... truly is at the heart of making ACOs work," security expert Rebecca Herold says (see: ACOs Must Safeguard Data Sharing).
It's important to keep in mind that the new ACO Rule emphasizes multiple times that all data sharing has to be in compliance with HIPAA requirements.
"It's important to keep in mind that the new ACO Rule emphasizes multiple times that all data sharing has to be in compliance with HIPAA requirements," she adds.
Health Information Exchanges
Herold predicts that most ACOs will use existing health information exchanges in their regions to ease data sharing. "ACOs would need to have tightly controlled communication paths within HIEs to help ensure that only those caregivers who need patient information can access it," she stresses.
Beyond HIPAA compliance, ACOs will face yet another important privacy challenge. The final rule laying out the guidelines for ACOs enables patients to opt out of sharing their Medicare claims data with ACOs. And that will require these new organizations to take yet another set of complex steps, Herold says.
Plus, to ensure that patient information is protected, ACOs likely will need to sign business associate agreements with their partners. In addition, the final rule requires the creation of Data Use Agreements as well.
Risk Assessments Vital
The bottom line? Herold says newly formed ACOs, and their participating provider organizations, will need to conduct risk assessments "to identify where all the new types of risk will exist with the new information sharing capabilities."
It will be interesting to watch whether the incentive of extra Medicare payments will prove powerful enough to spur the creation of many ACOs. And we'll also be watching to see how they address critical privacy and security issues.