Beginning on page 108 and through 22 pages of tortured arguments, HHS makes the case for the legality and benefits of providing ACOs with PHI contained in Medicare claims, unless the patient actively withdraws consent for this type of transaction. The argument for the legality of claim data sharing rests on the nebulous HIPAA clause which allows disclosure of PHI for “health care operations” within a web of covered entities and business associates connecting the ACO with Medicare and other providers of health care services for a particular patient. HHS is proposing to make available four types of medical information to participating ACOs:
- Aggregated Data, including ACO generated and non-ACO generated data, stratified and analyzed to obtain quality measures, population risk scores and indicative behaviors such as emergency room visits, hospital discharges, prescriptions and physician visits. Although this data is presumably de-identified, in a small ACO with 5000 patients, it shouldn’t be too difficult to attribute this data to particular patients. HHS proposes to provide such data to ACOs on a quarterly basis.
- Four Personal Identifiers – name, date of birth, gender and Medicare ID – for all historically ACO-assigned patients included in the aggregate data reports above. To circumvent the Privacy Act, which prohibits Federal records systems from disclosing identifiable information without written permission, HHS is invoking the allowed exception for purposes of “routine use”, which requires only that a notice to this effect be published in the Federal Register, after which these four identifiers may be released without consent.
- Personally Identifiable Claim Data – Here HHS is proposing to provide participating ACOs, upon request, Part A and Part B claim data on a monthly basis. The data elements that will be provided are: “procedure code, diagnosis code, beneficiary ID; date of birth; gender; and, if applicable, date of death; claim ID; the from and thru dates of service; the provider or supplier ID; and the claim payment type”. This data will be provided for patients who have had a visit with a primary care physician participating in an ACO during the performance year. Alcohol and substance abuse records are excluded from disclosure.
- Prescription Data – A subset of Part D medications claims data is also proposed to be disclosed similar to Part A and Part B data above. The minimum set includes “beneficiary ID, prescriber ID, drug service date, drug product service ID, and indication if the drug is on the formulary”.
The first two disclosures (aggregated data and the four identifiers) are proposed to occur regardless of patient consent or lack thereof. The ACO rules propose an opt-out mechanism for patients who want to prevent the disclosures in items #3 and #4 above, and it seems that the opt-out option is not a legal requirement; instead it is based on a belief system at HHS: “Although we have the legal authority within the limits described previously to share Medicare claims data with ACOs without the consent of the patients, ………. We nevertheless believe that beneficiaries should be notified of, and have meaningful control over who has access to their personal health information for purposes of the Shared Savings Program”. [Since the Medicare ACO model is intended to be adopted by payers other than CMS, one is left to wonder about the belief systems prevalent at those private organizations.]
The actual opt-out process proposed in the document consists of a conversation with a provider during which “the beneficiary would be given a form stating that they have been informed of their physician's participation in the ACO and explaining how to opt-out of having their personal data shared. The form could include a phone number and/or email address for beneficiaries to call and request that their data not be shared”. So it’s not as simple as checking a box in your doctor’s office.
For over a year ONC’s Policy Committee has been grappling with privacy issues, as evidenced by the tremendous work occurring both in the Privacy & Security Policy group and the Privacy & Security Tiger Team. The issue of consumer/patient trust in Health Information Exchange (HIE) and Electronic Health Records (EHR) has been repeatedly recognized as a necessary ingredient to widespread HIT adoption, and much effort has been invested in devising policies and standards to allow consumers control of their medical records in general and of the sensitive parts of their medical records in particular. The recent report from the President’s Council of Advisors on Science and Technology (PCAST) includes recommendations to allow patients to attach privacy controls to each separate data element in their medical records. An ONC specially appointed workgroup tasked with analyzing the PCAST report has identified privacy as an issue of concern in a possible implementation of the PCAST recommendations.
What is the purpose of all this hard work, all these committees and workgroups, all the expert testimonies and public comments, hearings and debates, if CMS, in its capacity as a payer, can assume legal authority to bypass all privacy controls embedded in EHRs and HIEs and disclose medical records information, as reflected in claims data, based solely on what CMS, or any other payer, believes is necessary and proper at a particular time?