Data Sharing Issues in Accountable Care Organizations

Joel Garmon, Chief Information Security Officer, Wake Forest Baptist Health
Brian Vick, JD, Associate Counsel, Blue Cross Blue Shield of North Carolina
Michael Berwanger, JD, Compliance Manager, Cornerstone Health Care, PA

Jun 08, 2020


Disclaimer

This presentation is not a legal opinion or legal advice. Attendees should consult with their own legal counsel for specific legal opinions and advice.


Agenda

1. What are the security drivers for an ACO?
2. Why does an ACO need identifiable data, and where does it come from?
3. What are the data sharing requirements for an ACO?
4. Panel discussion


Information Security Standards and ACOs

- HIPAA Security Rule
- OMB Circular No. A-130
- NIST SP 800-53
- FIPS 200


Security Requirements for CMS Data Use Agreement

The User agrees to establish appropriate administrative, technical, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to it. The safeguards shall provide a level and scope of security that is not less than:

1. the level and scope of security requirements established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III--Security of Federal Automated Information Systems (http://www.whitehouse.gov/omb/circulars/a130/a130.html) as well as

2. Federal Information Processing Standard 200 entitled “Minimum Security Requirements for Federal Information and Information Systems” (http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf); and,

3. Special Publication 800-53 “Recommended Security Controls for Federal Information Systems” (http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf).*

*http://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/sharedsavingsprogram/Downloads/Data-Use-Agreement.pdf


OMB Circular No. A-130

• 23 requirements
• Very similar to HIPAA, except:
  o Specialized Training. Before allowing individuals access to the application, ensure that all individuals receive specialized training focused on their responsibilities and the application rules.


NIST SP 800-53

• List of security control activities per impact level (L/M/H)
  o LOTS of controls listed
  o Good information and organization to develop a security program
  o LOTS of documentation
  o Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation.


Federal Information Processing Standard 200

• Determine impact level
• The security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity.


Why ACOs?

“Bankruptcies resulting from unpaid medical bills will affect nearly 2 million people this year—making health care the No. 1 cause of such filings, and outpacing bankruptcies due to credit-card bills or unpaid mortgages, according to new data” (http://www.cnbc.com/id/100840148).

“Although the U.S. has the most expensive health care system in the world, the nation ranks lowest in terms of ‘efficiency, equity and outcomes,’ according to the report” (http://time.com/2888403/u-s-health-care-ranked-worst-in-the-developed-world/).


Why does an ACO need all this data, and why does security matter?

Important to distinguish between a:
1. Clinically Integrated Network, and
2. Accountable Care Organization.


Clinically Integrated Network

Clinically Integrated Network (CIN): A CIN involves a network of otherwise independent physicians/health systems who collectively commit to quality and cost improvement. This involves requirements such as infrastructure development, care models, and other demonstrable integration. This is an antitrust term based on regulations and opinions from the DOJ and FTC.* There are requirements to achieve clinical integration from an enforcement perspective.

*See Statements of Antitrust Enforcement Policy in Health Care, issued by the U.S. Department of Justice and the Federal Trade Commission (Aug. 1996).


What is an ACO?

CMS Definition: Accountable Care Organizations (ACOs) are groups of doctors, hospitals, and other health care providers, who come together voluntarily to give coordinated high quality care to their patients. The goal of coordinated care is to ensure that patients, especially the chronically ill, get the right care at the right time, while avoiding unnecessary duplication of services and preventing medical errors. When an ACO succeeds both in delivering high-quality care and spending health care dollars more wisely, it will share in the savings it achieves.

https://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/ACO/index.html?redirect=/ACO


What is an ACO? The Basics

• If 2+ ACO Participants, must be a distinct legal organization, separate from the individual ACO Participants (42 C.F.R. 425.104(b))
• Strong primary care foundation
• ACOs are based on contracts with payers
  o Medicare programs (MSSP, Pioneer, Next Generation)
  o Private/Commercial ACOs


Changing The Way We Deliver Care


Patient Centered Care Model


Why is data important in an ACO?

1. Performance Measurement. As part of the ACO contract, the ACO is held accountable for certain performance measures tied to reimbursement.

2. Accountability. Shares financial and medical responsibility for providing coordinated care to a group of patients in hopes of:
   a. limiting unnecessary spending,
   b. improving care, and
   c. improving the patient experience with the health care system.

3. Attributed Patients. Patients are assigned to an ACO provider if they receive the plurality of non-inpatient care for evaluation and management services from that provider within a recent historical period.
   o The ACO is responsible for all of the costs and quality of care delivered to patients attributed to providers who are exclusively members of that ACO.


Information is Necessary

“although an ACO typically should have, or is moving towards having complete information for the services it provides to its assigned beneficiaries, we also recognize that the ACO may not have access to complete information about all of the services that are provided to its assigned beneficiaries by providers outside the ACO—information that would be key to its coordinating care for its beneficiary population.” (MSSP Final Rule, 67844)


Where does the data come from?

To provide high quality care, an accurate picture of the patient’s medical information becomes necessary. Requires gathering information from:
• payors,
• other health systems,
• lab companies,
• pharmacy groups,
• the patient (via portals, patient specific medical devices, or otherwise), and
• an array of other sources.


Data Sharing

• A key factor in improving care while driving down costs is sharing medical records and other data across the ACO
  o The providers with access to these records are no longer part of the same entity, but instead may be part of any ACO participant (and even non-participants)
  o Significant security and contractual compliance requirements in these data exchanges
• With each additional provider and data network involved, the risk of a security breach increases
  o Significant HIPAA and HITECH implications


Rules for Data Sharing

1. HIPAA,
2. The Privacy Act of 1974,
3. CMS Data Release Policies,
4. The CMS DUA requires compliance with:
   - Security requirements established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III--Security of Federal Automated Information Systems,
   - Federal Information Processing Standard 200 entitled “Minimum Security Requirements for Federal Information and Information Systems”, and
   - Special Publication 800-53 “Recommended Security Controls for Federal Information Systems”


Data Sharing Issues

• Unclear if and how a data breach at one ACO participant will affect the ACO entity and the other ACO participants
  o Recent enforcement action outside the ACO context against Columbia University based on a data breach at NY Presbyterian
  o FTC settlement with GMR Transcription Services: “company never required the individual typists it hired as contractors to implement security measures, such as installing anti-virus software”
• Consider cyber liability insurance for the ACO entity and individual participants.


Data Sharing Issues

If the ACO has a breach, several factors to consider:
• The ACO likely holds the funds received for the ACO.
• If the ACO has a breach, is there a process in place, either contractually or as an internal process, to apply funds to the breach (i.e., would the payment come from the general fund, a reserve fund, etc.)?
• Cyber-liability coverage?
• How is shared responsibility among the Participants determined?


Data Sharing Issues

What does your Participant Agreement and/or the BAA say about:
• Reporting;
• Audit rights;
• Using off-shore vendors;
• Participant involvement in vendor selection;
• Damages caps;
• Ownership of data;
• Transition costs for onboarding/offboarding Participants?


Summary

ACOs should be considering effective strategies for:
• Managing the privacy and security of data exchange;
• Governing data exchange between participants and third parties;
• Required contractual and regulatory controls;
• Relationships with Payors, and how to effectively work with Payors to exchange data.


Panel Discussion


Q1: What assurances would you like to receive on the front end of initiating a data exchange with an ACO? What about onboarding new data sources?


Q2: Part of the commitment of ACO Participation is utilizing actionable data in a meaningful way.
a) How do you make this data available to providers interacting with patients?
b) What security concerns do you have regarding the access to ACO level data at the end-user level?


Q3: From a security perspective, with multiple data sources and data recipients, how do you determine who is an appropriate recipient to share data, and once that is determined, how do you monitor these disclosures? How do you manage patient opt-out rights?


Q4: What type of governance structure may be effective for an ACO with an AMC participant? Does this change from regulatory ACOs (MSSP, Pioneer) to private payor ACOs?