Health Care and Life Sciences > Health Reform Resource Center > Proposed ACO Rule Implicates HIPAA
11 Apr '11

On March 31, 2011, the Centers for Medicare & Medicaid Services (CMS) released a proposed rule to implement the Medicare Shared Savings Program and Accountable Care Organization (ACO) provisions of the Patient Protection and Affordable Care Act (PPACA).  See Medicare Shared Savings Program: Accountable Care Organizations and Medicare Program, 76 Fed. Reg. 19,528 (proposed Apr. 7, 2011) (to be codified at 42 C.F.R. pt. 425).  This update provides an overview of how the proposed rule’s data sharing provisions implicate the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.  Comments on the rulemaking must be submitted to CMS by June 6, 2011.

How HIPAA Is Implicated

To further the Medicare Shared Savings Program’s goals of improving health outcomes and achieving increased efficiency in the utilization of health care, CMS proposed sharing with ACOs both aggregate and individually identifiable beneficiary data. 

Individually identifiable beneficiary data shared with ACOs would be protected health information (PHI) for the purposes of HIPAA, and the players would be HIPAA “covered entities” or “business associates.”  HIPAA applies to covered entities, defined to include health care providers that engage in standard HIPAA transactions (like claims processing), health plans, and health care clearinghouses.  A business associate is generally an entity that creates or receives PHI in order to perform a function or service for or on behalf of a covered entity. 

To the extent CMS is a covered entity by virtue of the Medicare Fee-for-Service Program’s status as a health plan (a status that CMS confirms in the proposed rule), its disclosure of such data is subject to the HIPAA Privacy and Security Rules.  ACO participants that are HIPAA covered entities (e.g., health care providers that engage in standard HIPAA transactions, like claims processing) are also subject to the HIPAA Privacy and Security Rules in their use and re-disclosure of such data. 

CMS notes in some cases ACOs may be covered entities in their own right, while in other situations they may be business associates of ACO participants that are covered entities.  CMS suggests that these designations are mutually exclusive:  “[A]n ACO may itself be a HIPAA covered entity if it is a health care provider that conducts [standard HIPAA] transactions.  Alternatively, based on their work on behalf of ACO participants and ACO providers/suppliers in conducting quality assessment and improvement activities, the ACOs will qualify as the business associates of their covered entity ACO participants and ACO providers/suppliers.”  76 Fed. Reg. at 19,556.  Under HIPAA, however, it is generally accepted that a covered entity may also be a business associate, to the extent that it creates or receives PHI to perform a service or function for or on behalf of another covered entity.  Regardless of how this is resolved, the bottom line is that in some, if not all cases, a HIPAA-compliant Business Associate Agreement (BAA) between the ACO and the HIPAA-covered ACO participants may be required.

It is unclear why CMS did not seem to consider treating ACOs as “organized health care arrangements” (OHCAs) under HIPAA.  OHCAs are defined to include organized systems of health care in which more than one covered entity participates and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement and engage in certain specific quality assessment and improvement activities.  An OHCA designation would seemingly allow health care professionals and other covered entities participating in an ACO to share PHI with each other and with the ACO for health care operation purposes without entering into a BAA with the ACO, which may simplify contracting arrangements and ease data sharing.

Aggregate Data Sharing

Under the proposed rule, CMS would provide ACOs with aggregate data on beneficiary use of health services in order to “monitor, understand, and manage its utilization and expenditure patterns, as well as to develop, target, and implement quality improvement programs and initiatives.”  Id. at 19,555.  CMS requested comment on the kinds of aggregate data and the frequency of data reports that would be most helpful to ACOs in “coordinating care, improving health, and producing efficiencies.”  Id. 

The proposed rule clarified that by “aggregate data,” CMS meant “data that omits the 18 identifiers listed at 45 CFR 164.514(b).”  See id. at 19,652 (to be codified at 42 C.F.R. § 425.19(b)).  This approach will not necessarily create a truly de-identified data set, however, as defined for HIPAA purposes.  See 45 C.F.R. § 164.514(b)(1)-(2).  Under the de-identification standard, unless the alternative statistical approach is applied, not only must the 18 identifiers be removed but the covered entity must also not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.  Id.  While in large ACOs such aggregate data would be, for all practical purposes, de-identified, there is some risk that aggregate data collected on beneficiaries in smaller ACOs may be attributed to particular patients or patient groups.

Individually Identifiable Data Sharing

More significantly, the proposed rule would also allow ACOs access, upon request, to certain individually identifiable information about beneficiaries—including monthly claims data for potentially assigned beneficiaries and basic identifiers (name, date of birth, gender, and Health Insurance Claim Number (HICN)) of beneficiaries assigned to the ACO in the benchmark period (i.e., the three-year period prior to the ACO’s first performance year).  The proposed rule details the certifications the ACO must make in requesting such data, and also specifies that the ACO must enter into a Data Use Agreement with CMS in order to receive any beneficiary identifiable data.  CMS noted that this approach would allow ACOs to improve care coordination and target inefficiencies by having some indication of the population it is working with the Medicare Shared Savings Program.  

All such individually identifiable beneficiary data is PHI under HIPAA and, as such, cannot be used or disclosed without the individual’s specific written authorization unless a HIPAA exception applies.  CMS asserted that it is permitted to disclose such data for “health care operations” purposes under the HIPAA Privacy Rule, which include population-based activities relating to improving health or reducing health costs, protocol development, case management and care coordination that ACOs are required to undertake.  See 76 Fed. Reg. at 19,558.  Despite this claim of legal authority to disclose the individually identifiable data, CMS proposed allowing beneficiaries to “opt-out” of having their individual claims data shared with the ACO. 

Extra HIPAA Burdens on ACO Participants

The proposed rule’s data sharing provisions, as well as other provisions requiring the establishment and use of electronic health records and other health information technology, would impose extra HIPAA compliance burdens on covered health care providers who choose to participate in ACOs.  For instance, in addition to potentially needing to enter into new BAAs (with the ACO itself) and supporting the opt-out mechanism, ACO participants will need to update their HIPAA privacy and security policies to ensure that appropriate safeguards are in place.