
A CIO Discusses ACO Security Issues

Sharp Healthcare's Spooner on Accountable Care Organizations

Accountable Care Organization participants face a number of challenges regarding security and privacy, including obtaining patient consent for sharing their information, says Bill Spooner, CIO at Sharp Healthcare.

ACOs are groups of hospitals, clinics and others that work together to deliver more coordinated care for patients in a region, bolstered by more comprehensive patient data sharing among clinicians. In return for improving patient outcomes while reducing costs, participating providers get a share of the savings.

Sharp Healthcare, a San Diego provider organization with seven hospitals, late last year was chosen by the Centers for Medicare and Medicaid to participate in the Pioneer ACO program. Under the program, Sharp is coordinating care for nearly 33,000 Medicare patients.

ACO organizers in San Diego and across the country are still working out all the details about patient consent for sharing information, Spooner says in an interview with HealthcareInfoSecurity's Marianne Kolbasuk McGee (transcript below).

"Patients [need to] really understand the trade-offs they're making between allowing their records to be shared for the sake of good care and patient safety versus the privacy concern that they would naturally have about the record being shared too broadly," the CIO says.

In the interview, Spooner also:

  • Describes why Sharp is building an enterprise health information exchange and connecting to a community HIE to help with the sharing of information;
  • Outlines how Sharp will use a patient portal to enable ACO participants to view their information;
  • Explains the extra data security and privacy demands that ACO participants must meet.

Spooner has been at Sharp HealthCare for about 30 years, and has served as CIO for more than 15 years. In 2009, Spooner was recipient of the John E. Gall Jr. CIO of the Year award from the College of Healthcare Information Management Executives and the Healthcare Information and Management Systems Society. He was chair of CHIME in 2006.

ACO Plans

MARIANNE KOLBASUK MCGEE: Tell us a little about your organization and your role, and also briefly tell us about Sharp's plans to become an ACO.

BILL SPOONER: Sharp Healthcare is in San Diego County, Calif. We have about 2,000 beds of hospital care on four principal campuses. We have four general-service hospitals and three specialty hospitals. In addition, we're affiliated with a 700-physician, independent-practice association - largely physicians who practice within our hospitals. They banded together several years ago for the purpose of managed-care contracting. Also within our organization we have a 400-physician, multi-specialty medical group very closely aligned.

In terms of giving you a little bit of the background of the organization, we have about 15,000 employees. We're the largest private employer in San Diego County and we've got a long history of managed care contracting. Southern California is really a hotbed of managed care, starting in the mid-80s, so an accountable care organization is a little bit different of a twist on some of the work that we've been doing for many years. We still have about 300,000 lives that we're totally responsible for on a risk basis. We're quite experienced in risk contracting.

However, an accountable care organization comes with some nuances. It's an open network model. The patients are identified to the particular provider because they get a lot of their care from them, but they're not what you might say "locked in." They can see any provider they want to. As these members are identified to us, then we need to reach out to those patients, ensure that they're getting the right care that they need and really try to align them more closely to our network.

Let me just talk about our ACO activity at a high level. We're one of the Pioneer ACOs. We have about 32,000 members who were assigned to us or attributed to us. In addition, we're part of two commercial ACOs with a total of about 20,000 members. The members [of the ACOs] are in more of an open network as compared to our managed care lives, so that we really have to market to them to try to more closely align them with us to ensure that they're getting all the care that they need.

For as long as we've been doing managed care, the concept of collaboration and information sharing among our physicians in our hospitals has been important. The ACO concept tends to elevate that in importance and particularly in geographic areas that have not been accustomed to that. You have really the ongoing pressure to automate the patients' record to begin with. The HITECH incentives have moved that along. Many organizations have been doing that for ... several years already. But as more and more providers are automating their records - as they know that their colleagues are automating their records - they want to be able to get a complete view of the patients' experience across the many providers. So, that brings out information sharing needs.

Along with it comes the need to ensure that patient privacy is honored to ensure that the patient record is only shared with the providers that they're seeing and that they want it to be shared with. [There's also the need] to ensure that security provisions are in place so that the record isn't ... hacked. Now in addition, there are HIPAA requirements of logging. We can identify which providers have actually viewed the patient record in case the patient becomes concerned that others beyond authorized providers have been looking at it.

ACO Security, Privacy Issues

MCGEE: As you evolve into an ACO, what do you see as the biggest data privacy and security challenges that you will have to tackle?

SPOONER: I think there are a number of challenges that we have to tackle. One of the things that you'll hear all across the country that's still very much an open issue is the whole patient consent model. In some locales, it is known as opt-out, which means that a patient agrees to share the information unless they specifically ask not to have it shared. In other models, the patient has to specifically opt-in or consent to sharing within that network and to identify to whom the sharing will occur. Those models are still premature. There is still lots of discussion.

On the one hand is the concern for patient privacy and the risks associated with a patient's record being misused or being stolen. On the other side, it's patient safety: the need to have all of the relevant information in front of the provider giving services at the point in time to ensure that there's not other information that they should have considered. We worry about having too much information. We worry about having not enough information. [So we need to] come to some conclusion about that model. There does not seem to be an agreement within states or across states, and the HIPAA regulations allow state laws to override federal laws. ... We really have to get some clarity, have some public dialogue. ... Patients [need to] really understand the trade-offs they're making between allowing their records to be shared for the sake of good care and patient safety versus the privacy concern that they would naturally have about the record being shared too broadly.

MCGEE: Are the security and privacy challenges in an ACO different from being a healthcare provider that's not part of an ACO?

SPOONER: They're not different, but they're magnified as you become an ACO because the ACO's incentives are to collaborate. You expect that providers collaborate, but there's really a lot more incentive to ensure that it's a true care team working with the patients in an ACO model. [That's] because of the risk/reward incentives that are built into the model. In a more casual environment, absent that collaboration, the patient might go to a specialty provider and the specialty provider might begin from no understanding of the patient's history and start all over again in the care. In that model, it doesn't really matter whether they look at the records from the previous care that has been given. But in a collaborative care model, each provider needs to know all of the care that has preceded them. They're trying to understand the whole patient in order to ensure that patient care is better. So it's the same issues, but they're much more magnified in a collaborative care model.

ACO Coordination

MCGEE: You mentioned collaboration, and coordination of care is so important with ACOs. How will the providers in your ACO share patient data, and how will you keep it private and secure? For instance, will you have a health information exchange set up or will you participate in an existing exchange or some other method of sharing?

SPOONER: This is all emerging. We started our Pioneer ACO in January and a lot of this is evolving as we proceed, but I can give you some highlights. We're building and implementing what we call an enterprise HIE within our organization, and the intent of this is using a commercial product to be able to bring together the electronic records from the providers, hospitals and physicians of every provider who has electronic records within our hospital domain.

Then our enterprise HIE will connect with anyone outside of our direct network as we need to do that. In San Diego there's a community HIE formed, which really resulted from the Beacon Project that has been under way. We're also one of the Beacon communities. The concept for San Diego as a community is that numerous providers are doing enterprise HIEs, and then for the inter-provider traffic, for instance between Sharp and Scripps Health, also in San Diego, this traffic for out of network care will go through the local HIE that's being built. ...

Patient Consent

MCGEE: Earlier, you mentioned patient consent. Is there any special patient consent that you'll need to obtain in order to share patient data in your ACO, and if so, what sort of consent? Are you using opt-in, opt-out or a hybrid of some sort?

SPOONER: That model is evolving and there's conversation within California. We have assumed - and most providers have taken the approach - that historically it's an opt-out model within a provider organization. [That's] because providers are governed by medical staff by-laws and their business associate agreements, so there are methods of disciplining a provider who acted inappropriately [by] accessing records of patients that they were not caring for.

In the state of California the view has been for HIEs across provider organizations that it would be an opt-in model. They're re-opening that conversation as I understand it, and we're still determining the approach that we will take. Until just recently, the assumption we have made is that with these community HIEs, it will be an opt-in model, and we haven't really changed that position. But because of conversations with the state authorities, we will be discussing that again. So again, this is evolving.

With an ACO within the Pioneer Model specifically, the patient does have the right to avoid sharing of their information. That was a very specific provision of the ACO regulations. Our experience has been that some patients have opted out of data sharing. [However,] once their primary care physician to whom they have been assigned has explained to them that they could give better care if they actually allow sharing, many patients have changed their mind and said, 'Yeah, I understand that.' Then they have consented to sharing. So as it relates to the Pioneer ACO, there's the specific consent. It's very clearly a model that requires the patient to consent before sharing.

Patient Access to Health Data

MCGEE: How will patients be able to access their own health data in your ACO?

SPOONER: This is evolving over time, but we started about two and a half years ago building what we call our portal. This is focusing originally on our multi-specialty medical group, whereby a patient can go online and view things like laboratory results, their medications list, their problems, their recent visit histories. They can schedule appointments. They can pay their bills online. They can do secure e-mail with their physician, schedule appointments. They can also use the same application on an iPhone or an iPad to have contact. We have about 80,000 patients who have signed up for that service at this point.

Our independent practice association is starting to implement a similar portal for their patient population, and we're just in the early stages of rolling out to our hospital. We're encouraging our patients to go online. It's a real convenience for the patients and it's a time saver for us if we can actually let the patient schedule their primary care appointments right online rather than having to send in a telephone queue to do that.

In an ACO model, I think it's even more important that we provide that access, because we really want the patient to view us as the provider of choice. The more convenience and the more good service that we offer to that patient, we believe that will create, in marketing terms, stickiness of that patient to our organization. To me, that's a really big deal in the accountable care concept.
