It has been over three years since the Centers for Medicare and Medicaid Services (CMS) announced its proposed rule and guidance on the development and implementation of Accountable Care Organizations. About four million Medicare beneficiaries are now in an ACO, and over 400 provider groups are participating in ACOs. See February 19, 2013 Health Affairs Blog. An estimated 14% of the U.S. population is being treated within an ACO. See April 16, 2014 Kaiser Health News.
By all indications, these numbers will continue to grow as the US health system moves away from the fee-for-service model to pay-for-value models that reward quality and cost savings and require clinical coordination among different types of providers, in many cases providers who are unrelated other than through an ACO or other similar arrangement. The seamless sharing of data and patient information, and collaboration among large, medium and small physician practices, hospitals, post-acute providers, and even private companies like pharmacy chains, is critical to the success of these organizations.
These arrangements involve new risks under HIPAA and state privacy and security laws. Providers will have much more access to information about services rendered by other providers than ever before. Providers will often have their own electronic health records systems and databases that are not compatible with each other and provide varying degrees of security. Breaches by one provider or a vendor could implicate many other providers as well as an ACO or other “conduit” entity such as a clinically integrated network.
It is essential that ACOs and these other entities take steps to protect the privacy and security of their patients’ health information through: (i) policies and procedures which limit the use and sharing of patient-identifying information to the minimum extent necessary, properly address “supersensitive” data such as HIV, substance abuse and mental health data, and set forth mitigation activities should a breach occur; (ii) business associate and other contracts that adequately protect the non-breaching party or parties in the event of a breach; (iii) insurance policies which provide adequate coverage for mitigation costs, fines, penalties and civil damages (and proof that participants have them as well); (iv) privacy and security risk assessments; and (v) reasonable privacy and security standards for their participants, which are monitored and enforced. This requires these organizations to critically analyze the roles of their workforce, their network infrastructure, their technology and security policies, processes and vulnerabilities, their information flows, and the capabilities of their participants.
As provider payment models move away from the fee-for-service model, busy executives and lawyers will have many issues to grapple with. Exciting new relationships and arrangements may get out ahead of what may seem like less immediate concerns, specifically the prevention of and preparation for a data breach. Nevertheless, it is important for that gap not to grow too large, particularly as the public and the media increase their focus on the damage these breaches can cause.