ACOs And Pay for Value … About the Data

more+
less-

It has been over three years since the Centers for Medicare and Medicaid Services (CMS) announced its proposed rule and guidance on the development and implementation of Accountable Care Organizations.  About four million Medicare beneficiaries are now in an ACO, and over 400 provider groups are participating in ACOs.  See February 19, 2013 Health Affairs Blog. An estimated 14% of the U.S. population is being treated within an ACO. See April 16, 2014 Kaiser Health News.

By all indications, these numbers will continue to grow as the US health system moves away from the fee-for-service model to pay for value models that reward quality and cost savings and require clinical coordination among different types of providers, in many cases providers who are unrelated other than through an ACO or other similar arrangement.  The seamless sharing of data, patient information and collaboration among large, medium and small physician practices, hospitals, post-acute providers, and even private companies like pharmacy chains is critical to the success of these organizations .

These arrangements involve new risks under HIPAA and state privacy and  security laws.  Providers will have much more access to information about services rendered by other providers than ever before. Providers will often have their own electronic health records systems and databases that are not compatible with each other and provide varying degrees of security.  Breaches by one provider or a vendor could implicate many other providers as well as an ACO or other “conduit” entity such as a clinically integrated network.

It is essential that ACOs and these other entities take steps to protect the privacy and security of their patients’ health information through: (i)  policies and procedures which limit the use and sharing of patient identifying information only to the minimum extent necessary, properly address “supersensitive” data, such as HIV, substance abuse and mental health data and set forth mitigation activities should a breach occur;  (ii) business associate and other contracts that adequately protect the non-breaching part(ies) in the event of a breach; (iii)  insurance policies which provide adequate coverage for  mitigation costs, fines, penalties and civil damages (and proof that participants have them as well); (iv)  privacy and security risk assessments; and (v) reasonable standards with respect to privacy and security for their  participants,  which are monitored and enforced. This requires these organizations to critically analyze the roles of their workforce, network infrastructures, technology and security policies, processes and vulnerabilities, information flow and participant capabilities.

As provider payment models  move away from the fee-for-service model, busy  executives and lawyers will have many issues to grapple with.  Exciting new relationships and arrangements may get out ahead of what may seem like less immediate concerns, specifically the prevention of and preparation for a data breach. Nevertheless, it is important for that gap not to grow too large, particularly as the public and the media increase their focus on the damage these breaches can cause.

Topics:  ACOs, CMS, Healthcare, HIPAA, Medicaid, Medicare, Patient Privacy Rights, Risk Assessment, Risk Management, Rulemaking Process

Published In: Business Organization Updates, Health Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »