MEDICAL DATA REGISTRIES POWERS PYLES SUTTER & VERVILLE PC WEBINAR 1
MEDICAL DATA REGISTRIES
POWERS PYLES SUTTER & VERVILLE PC
WEBINAR
1
MEDICAL DATA REGISTRIES
PRESENTERS:
Rob Portman
Diane Millman
Stephanie Cason
Powers Pyles Sutter & Verville PC 2
Disclaimer
This presentation is for informational purposes only and does not provide legal services or advice. Use of this information does not create an attorney-client relationship. You should not act, or refrain from acting, on the basis of information contained herein without seeking additional legal counsel regarding your own situation
The firm does not necessarily endorse, and is not responsible for, any third-party content that may be accessed through links or otherwise
If we can assist you or answer any questions you might have, please call us in Washington, DC at 202.466.6550, or send us an email
© Copyright 2011, Powers Pyles Sutter & Verville PC, Washington, DC, USA
3Powers Pyles Sutter & Verville PC
Overview
Registries: Why everyone’s doing it Legal issues in forming/operating registries Regulatory issues and CMS requirements Q&A
4Powers Pyles Sutter & Verville PC
Why Create a Medical Data Registry?
Data is everything Quality improvement through benchmarking,
tracking outcomes; micro and macro Utilization Review Patient safety Medical research; evidence-based guidelines Reimbursement
Coding/Payment PQRS
Powers Pyles Sutter & Verville PC 5
Legal Considerations
Create Separate Entity? Key Agreements Ownership of Data Privacy/Security Discoverability Liability Risk
Powers Pyles Sutter & Verville PC 6
Legal Considerations:Create New Entity?
Pros Separate governance/funding
Better suited for multi-stakeholder registries
Liability protection for parent entity
Cons Costs Administrative burdens Problems with multi-stakeholder format
7Powers Pyles Sutter & Verville PC
Legal Considerations:Key Agreements
Participation Agreement Business Associate/Data Use Agreement Agreement with outside database
vendor/hosting entity Data sharing agreements Other vendors/consultants
8Powers Pyles Sutter & Verville PC
Legal Considerations:Ownership of Data
Who owns the data? Entities that may claim ownership include:
Health care providers/database participants Database creator/owner Patients Insurers Agencies funding registry projects Government agencies
HIPAA regulates use and disclosure, but does not affect property rights
Allocate rights via contract
9Powers Pyles Sutter & Verville PC
Legal Considerations: Ownership of Data
Database participation agreement defines the applicable terms of participation
Database participation and vendor agreements should clarify ownership of data Distinguish between raw data and the database Typically sites will retain ownership of data they submit Database owner will own:
The database (including the aggregate data and subsets of data) Any reports based on the data Information derived from the data All trademarks, trade secrets, and intellectual property arising
from or reflected in the database Patients may retain an ownership interest as well Check state law as well
Powers Pyles Sutter & Verville PC 10
Legal Considerations: Privacy/Security
Rules that apply will depend on what kind of data is collected PHI Limited Data Sets De-Identified
And how data will be used Health care operations Research
Technology can help prevent registry from receiving identifiable data
11Powers Pyles Sutter & Verville PC
Legal Considerations: Privacy/Security
HIPAA Governs use and disclosure of PHI by covered entities
(health care provider, health plans, health care clearinghouses)
Participants contributing data to the database will likely be covered entity
If disclosing PHI to database, participant must ensure that it obtains necessary patient authorizations and provides required notice
– Unless for purposes of health care treatment, payment, or health care operations
– Or some exception applies Minimum necessary standard applies regardless
12Powers Pyles Sutter & Verville PC
Legal Considerations: Privacy/Security
Possible Data Registry Exceptions De-identified data
No limit on disclosure
Limited Data Set Partially de-identified PHI Can only be used or disclosed by a covered entity for the
purposes of research, public health, or health care operations
Covered entity must enter into a data use agreement with the limited data set recipient; very similar to BA agreement
13Powers Pyles Sutter & Verville PC
Legal Considerations: Privacy/Security
Possible Data Registry Exceptions Business Associate Relationship
Database owner/developer will likely be business associate of database participants—perform data aggregation services for participants
HIPAA privacy regulations permit business associates to collect PHI and provide data aggregation services on behalf of covered entities that include data analyses relating to the health care operations of those entities. 45 CFR § 164.504(e)(2)(i)(B)
“Health care operations” include “conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.” 45 CFR § 164.501
Business Associate Agreement must be in place
14Powers Pyles Sutter & Verville PC
Legal Considerations: Privacy/Security
Business Associate Relationship (cont.)
Data registry is business associate of each database participant
Performs data aggregation services using data collected from participants
Prepares reports for participants that are used for health care operation purposes (e.g., quality improvement, utilization review, etc.)
No sharing of PHI across participants
Hub and spokes approach
Note that HITECH Act applies HIPAA requirements to BAAs, including breach notification rules
15Powers Pyles Sutter & Verville PC
Legal Considerations: Privacy/Security
A business associate, data use agreement, or combination BA/DU agreement must be in place
BA/DU agreement will address both uses of PHI and limited data sets
BA/DU agreement will set forth the obligations of each party with respect to the information; permitted uses of the information; and liability for breaches of obligations
Breach notification should be addressed
Database owner should also allocate liability through limitation of liability and indemnification provisions
Powers Pyles Sutter & Verville PC 16
Legal Considerations:Privacy/Security - HIPAA
Possible Data Registry Exceptions IRB Approval/Waiver
Necessary where primary purpose of PHI collection is research rather than health care operations
Can’t use BA/DU approach if primary purpose of collecting data is research
Definition of research: “a systematic investigation, including research development, testing, and evaluation designed to develop or contribute to generalizable knowledge”
Compare to definition of health care operations: “obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities”
17Powers Pyles Sutter & Verville PC
Legal Considerations:Privacy/Security - HIPAA
Possible Data Registry Exceptions IRB Approval/Waiver (cont.)
Clearly-established pathway under the HIPAA regs for collecting and analyzing fully-identified PHI for research purposes without individual patient authorization. 45 C.F.R. § 164.512(i)
HIPAA regs do not require each participant in a data registry to obtain separate IRB approval for the submission of data to that registry
But, some or most sites may seek approval from their own institution’s IRB to be safe
18Powers Pyles Sutter & Verville PC
Legal Considerations: Privacy/Security
The Common Rule Applies to research involving human subjects “conducted,
supported or otherwise subject to regulation by any federal department or agency.” 45 C.F.R. § 46.101
“Subject to regulation” means “research activities for which a federal department or agency has specific responsibility for regulating as a research activity, (for example, Investigational New Drug requirements administered by the Food and Drug Administration).” 45 C.F.R. § 102(e)
Called the “Common Rule” because it has been adopted by 17 federal departments and agencies
Research involving human subject includes collection of patient identifying information
Does not apply if no federal funding or regulation involved
19Powers Pyles Sutter & Verville PC
Legal Considerations: Privacy/Security
The Common Rule Definition of research similar to HIPAA definition
Requires written assurance that the research institution will comply with the Common Rule requirements
IRB approval required In order to receive IRB approval for research must demonstrate
that “there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.” 45 C.F.R. § 46.111
Must obtain informed consent from patients
20Powers Pyles Sutter & Verville PC
Legal Considerations: Discoverability
Federal Law No general federal statutory privilege against
discovery
Balancing test under federal rules of evidence—likely to prevent disclosure to third parties of patient and possibly provider identities; but aggregate data will be available if compelling litigation need shown
21Powers Pyles Sutter & Verville PC
Legal Considerations: Discoverability
Deitchman v. E.R. Squibb & Sons, 740 F.2d 556 (7th Cir. 1984) Squibb sought production of data from U of C registry that
monitored a disease related to products liability action against Squibb
U of C claimed data was privileged and confidential
Court agreed that the data in the registry was privileged, but it was not an absolute privilege. Squibb had to show absolute necessity to allow discovery
Court found that Squibb was entitled to some discovery because the registry was the “only centralized repository of data on that disease” and Squibb needed the information to cross examine witnesses who were relying on these studies
Remanded to District Court so it could determine the best way to provide necessary data while preserving as much confidentiality as possible
22Powers Pyles Sutter & Verville PC
Legal Considerations: Discoverability
Wolpin v. Phillip Morris, Inc., 189 F.R.D. 418 (C.D. Cal. 1999) Secondhand smoke case against Phillip Morris
Phillip Morris sought data from study that looked at the effects of
secondhand smoke conducted by USC and the California Department of Health. Some of the data in the study came from a statewide tumor registry, and USC claimed state and federal privacy laws would not permit them to release the data
Court found that interest in preserving the confidentiality of information was outweighed by Phillip Morris’ compelling need for the information once patient names were excised from the data
Disclosure would be in the “interest of justice” because the data would assist Phillip Morris in determining the validity of the study
23Powers Pyles Sutter & Verville PC
Legal Considerations: Discoverability
HIPAA HIPAA has a liberal exception for disclosure
in judicial and administrative proceedings
Basically permits disclosure in response to court order or subpoena that meets certain conditions, including proof of notice to the person whose PHI is at issue or of receipt of a qualified protective order
24Powers Pyles Sutter & Verville PC
Legal Considerations: Discoverability
Patient Safety Organizations Act/Rules PSO Act does provide privilege against legal discovery of
patient safety work product held by PSOs Applies to subpoenas issued in federal or state cases But:
Must qualify as PSO and comply with PSO all requirements Registry data may not meet definition of PSWP Privilege is not self-enforcing and does not apply to non-
identifiable data; so outcome unlikely to be different than under current federal evidence rules
Subject to government compliance inspections/audits Must forfeit data if PSO status terminated But, can set up component PSO
25Powers Pyles Sutter & Verville PC
Legal Considerations: Discoverability
AHRQ-sponsored research and confidentiality provisions under 42 U.S.C. § 299c-3(c) AHRQ-funded research must adhere to the confidentiality
provision under 42 U.S.C. § 299c-3(c) which prohibits the disclosure of information “for any other purpose other than the purpose for which it was supplied” unless the individual whose information is at issue consents to its disclosure
The AHRQ has interpreted this provision to protect all AHRQ-funded research from compelled disclosure requests, including discovery requests in the course of litigation
This provision has not been challenged in the courts and it is unclear, given the vague statutory language, whether a court would protect the confidentiality of an AHRQ-funded registry in the course of litigation
26Powers Pyles Sutter & Verville PC
Legal Considerations: Discoverability
Certificates of Confidentiality Issued by the National Institute of Health (NIH) to protect the
privacy of certain individuals who are research subjects
CoC does broadly protect against discovery, but very limited application
Not limited to federally-funded research if the project collects identifiable information from people and was approved by an IRB, it’s eligible
But is limited to persons engaged in biomedical, behavioral, clinical, or other research (including research on mental health, including research on the use and effect of alcohol and other psychoactive drugs) to protect the privacy of individuals who are the subject of such research by withholding from all persons not connected with the conduct of such research the names or other identifying characteristics of such individuals
Unlikely to apply to registry
27Powers Pyles Sutter & Verville PC
Legal Considerations: Discoverability
State Law varies Illinois Medical Studies Act
All information “used in the course of internal quality control or of medical study for the purpose of reducing morbidity or mortality, or for improving patient care or increasing organ and tissue donation, shall be privileged, strictly confidential and shall be used only for medical research, increasing organ and tissue donation, [or] the evaluation and improvement of quality care...” 735 ILCS 5/8-2101
“Such information, records, reports, statements, notes, memoranda, or other data, shall not be admissible as evidence, nor discoverable in any action of any kind in any court or before any tribunal, board, agency or person. The disclosure of any such information or data, whether proper, or improper, shall not waive or have any effect upon its confidentiality, nondiscoverability, or nonadmissibility.” 735 ILCS 5/8-2102
Not all states provide this level of protection
28Powers Pyles Sutter & Verville PC
Legal Considerations: Liability Risk
Risk of liability for wrongful disclosure of data
Sanctions under HIPAA for wrongful disclosure of PHI
Civil fines of up to $25,000 imposed by the Office of Civil Rights
Criminal sanctions imposed by the DOJ- imprisonment and fines
29Powers Pyles Sutter & Verville PC
Legal Considerations: Liability Risk
Breach Notification – Requires notification of breaches of unsecured PHI to affected individuals, the Secretary, and, in certain circumstances, to the media
State Law – see Illinois Medical Studies Act penalties
Common law- claims for violation for privacy may also be available
30Powers Pyles Sutter & Verville PC
Legal Considerations: Liability Risk
Also possible risk of liability to third parties from wrongful use or disclosure of data/data analyses by registry or participants
Limit liability through database participation agreement Limitation of liability provision (absent gross negligence
or willful misconduct )
Indemnification provision (absent gross negligence or willful misconduct ) Participant to indemnify database owner as well as its
independent data warehouse service provider (if applicable) from and against any and all claims, actions, liabilities, etc. arising or resulting in any way from participant’s use of data obtained through the database
31Powers Pyles Sutter & Verville PC
Registries: Regulatory Issuesand CMS Requirements
32Powers Pyles Sutter & Verville PC
Physician Quality Reporting System: Registry-Based Reporting
The Physician Quality Reporting System (PQRS) is a voluntary reporting program that provides an incentive payment to practices whose eligible professionals (identified on claims by their individual National Provider Identifier [NPI]) satisfactorily report data on quality measures for covered Physician Fee Schedule (PFS) services
Beginning with the 2008 PQRS program year, eligible professionals have been able to qualify to earn a PQRS incentive by reporting quality measures data to a qualified registry
Individual eligible professionals (IEPs) whose 2011 PQRS measure information is successfully submitted by a CMS-qualified registry may earn an incentive payment equal to 1.0 percent of their total allowed charges for all MPFS covered professional services furnished during the reporting period for which the measures are reported
In addition to the PQRS quality measures, registry reporting is also authorized for the e-prescribing measures
33Powers Pyles Sutter & Verville PC
Physician Quality Reporting System: Registry-Based Reporting
System analysis for 2007 and 2008 showed that providers who did registry reporting had a 90 percent success rate for earning a PQRS bonus and claims-based reporting had a 50 percent success rate
BUT has CMS finalized new requirements for registries to use CMS-provided measure specifications and measure calculation logic?
Will a CMS-developed algorithm accurately calculate measure reporting or performance rates for IEPs?
Several practices have determined that there was a difference in results when comparing detailed claims data from CMS used for evaluation of PQRS reporting success with internal practice claims data for the same time period. This was not a problem in registry-based reporting
34Powers Pyles Sutter & Verville PC
Physician Quality Reporting System: Registry-Based Reporting
CMS will not combine data submitted via multiple reporting mechanisms to determine incentive eligibility
Will use of a CMS-developed algorithm bring IEPs’ eligibility for incentives under registry-based reporting in line with claims-based reporting?
Because of the limitations of claims-based reporting, CMS states that it will continue to consider significantly limiting the claims-based mechanism in future program years (beyond 2011)
However, CMS has agreed to maintain claims-based reporting in 2011
Since CMS will not be making a final decision on which registries to approve until the Fall, some practices may choose claims-based reporting to ensure compliance
35Powers Pyles Sutter & Verville PC
Requirements for IEPsto Use Registry Reporting
IEP must enter into and maintain an appropriate legal arrangement with a qualified 2011 PQRS registry
Registry acts as a HIPAA Business Associate and agent of IEP
Such agents are referred to as ‘‘data submission vendors”
As a data submission vendor, registry submits CMS-defined registry-derived measures information to CMS designated database for the PQRS using a CMS-specified record layout, which is provided to the registry by CMS
36Powers Pyles Sutter & Verville PC
Criteria for Satisfactory Reporting of PQRS Measures (Registry)
Individual Measures: Reporting Periods: Jan 1, 2011 - Dec 31, 2011 or Jul 1, 2011- Dec
31, 2011 Report at least three PQRS measures;* and Report each measure for at least 80% of applicable Medicare Part B
FFS patients seen during the reporting period
Group Measures: Report at least 1 PQRS measures group;* and Report each measures group for at least 30 Medicare FFS patients
seen during the reporting period IEPs using the registry-based reporting mechanism will no longer be
able to report on non-Medicare FFS patients (new)
37Powers Pyles Sutter & Verville PC
Criteria for Satisfactory Reporting of PQRS Measures (Registry)
GPRO II– Pilot for approx. 500 self-nominated groups with less than
200 eligible professionals
Reporting Mechanism - claims (or, if the only measures
groups that apply to the practice are the registry-only
measures groups, registry)
Reporting Period -- Jan 1, 2011- Dec 31, 2011
38Powers Pyles Sutter & Verville PC
Criteria for Satisfactory Reporting ofE-Prescribing Measures (Registry)
IEP must generate at least one eRx associated with a patient visit (reported using selected codes) on 25 or more unique events during the reporting period (January 1 through December 31)
IEP must have at least 10% of their Medicare Part B charges comprised of the selected codes in the denominator of the measure to be eligible for the incentive
Note that IEPs that are eligible for the e-prescribing incentive and do not meet the requirements for the first six months of 2011 may incur a 1% reduction in payment in 2012
39Powers Pyles Sutter & Verville PC
PQRS Registry Requirements for 2011
To be considered a qualified registry for purposes of submitting individual quality measures and measures groups on behalf of eligible professionals or CMS selected group practices who choose this reporting mechanism, both new and previously qualified registries must, among other things:
Have been in existence as of January 1, 2011 Have at least 25 participants by January 1, 2011 Provide at least one feedback report per year to IEPs Not be owned or managed by an individual locally-owned single-specialty
group, in other words, single-specialty practices with only one practice location or solo practitioner practices would be prohibited from self-nominating to become a qualified Physician Quality Reporting registry
Participate in 2011 PQRS conference calls hosted by CMS Be able to collect all needed data elements for at least three measures and
transmit to the data to CMS at the Tax Identification Number (TIN)/National Provider Identifier (NPI) level
40Powers Pyles Sutter & Verville PC
PQRS Registry Requirements for 2011
Be able to calculate and submit measure-level reporting rates or the data elements needed to calculate the reporting rates at the TIN/NPI level
Be able to calculate and submit, by TIN/NPI for eligible professionals, a performance rate (that is, the percentage of a defined population who receive a particular process of care or achieve a particular outcome) for each measure or measures group or the data elements needed to calculate the reporting rates
Be able to separate out and report on Medicare Fee-For-Service (FFS) Part B patients
Report the number of eligible instances (reporting denominator) and the number of instances of quality service performed (numerator); performance exclusions
Be able to transmit this data in a CMS-approved XML format and otherwise comply with a CMS-specified secure method for data submission
41Powers Pyles Sutter & Verville PC
Submit an acceptable “validation strategy” to CMS by March 31, 2011. A validation strategy ascertains whether eligible professionals have submitted accurately and on at least the minimum number (80 percent) of their eligible patients, visits, procedures, or episodes for a given measure. Acceptable validation strategies often include such provisions as the registry being able to conduct random sampling of their participants’ data, but may also be based on other credible means of verifying the accuracy of data content and completeness of reporting or adherence to a required sampling method
Perform the validation outlined in the strategy and send the results to CMS by June 30, 2012 for the 2011 reporting year’s data
Meet certain other administrative requirements, including Business Associate agreements with IEPs
PQRS Registry Requirements for 2011
42Powers Pyles Sutter & Verville PC
Obtain and keep on file signed documentation that each holder of an NPI whose data are submitted to the registry has authorized the registry to submit quality measures results and numerator and denominator data to CMS for the purpose of Physician Quality Reporting System participation. This documentation must be obtained at the time the eligible professional signs up with the registry to submit Physician Quality Reporting System quality measures data to the registry and must meet any applicable laws, regulations, and contractual business associate agreements
Provide CMS access (if requested for validation purposes) to review the Medicare beneficiary data on which 2011 Physician Quality Reporting System registry-based submissions are founded or provide to CMS a copy of the actual data (if requested)
Indicate the reporting options the registry seeks to submit on behalf of its users in addition to individual measures (measures groups, GPRO II, eRx for individuals, eRx for GPROs, 6 month, 12 month reporting periods)
Provide the reporting option(s) (reporting period and reporting criteria) that the eligible professional has satisfied or chosen
PQRS Registry Requirements for 2011
43Powers Pyles Sutter & Verville PC
Provide CMS a signed, written attestation statement via mail or e-mail which states that the quality measure results and any and all data including numerator and denominator data provided to CMS are accurate and complete
In addition to the above, registries (both new and previously qualified) who intend to report on 2011 Physician Quality Reporting System measures must:
Indicate the reporting period selected for each eligible professional who chooses to submit data on measures groups
Base reported information on measures groups only on patients to whom services were furnished during the 12-month reporting period of January through December 2011 or the 6-month reporting period of July 1, 2011 through December 31, 2011
PQRS Registry Requirements for 2011
44Powers Pyles Sutter & Verville PC
PQRS Registry Requirements for 2011
Agree that the registry’s data may be inspected or a copy requested by CMS and provided to CMS under CMS oversight authority
Be able to report data on all applicable measures in a given measures group on either 30 Medicare Part B FFS patients or more from January 1 through December 31, 2011 or on 80 percent of applicable Medicare Part B FFS patients for each IEP (with a minimum of 15 patients during the January 1 through December 31, 2011 reporting period or a minimum of eight patients during the July 1 through December 31, 2011 reporting period)
45Powers Pyles Sutter & Verville PC
New Requirements forRegistries under PQRS
Registries are no longer permitted to include non-Medicare patients for measures group(s) reporting
In an effort to reduce the variation in measures results across registries and better allow eligible professional comparisons, all current and future registries must meet the following new requirements:
Use Physician Quality Reporting System measure specifications and a standard set of measure calculation logic provided by CMS to calculate reporting rates or performance rates unless otherwise stated
Provide a calculated result using the CMS-supplied logic and XML file for each measure that the registry intends to calculate. The registries will be required to show that they can calculate the proper results (that is, reporting and performance rates) using the CMS-supplied logic and send the calculated data back to CMS in the specified format
Provide the individual data elements used to calculate the measures if so requested by CMS for validation purposes. Registries that are subject to validation will be asked to send discrete data elements for a measure (determined by CMS) in the required data format and CMS will recalculate the registries’ reported results. Validation will be conducted for several measures for a randomly selected sample of registries in order to validate their data submissions
46Powers Pyles Sutter & Verville PC
Important Deadlines
Registries (regardless of prior year participation) that wish to participate in the 2011 registry payment program were required to submit a self-nomination letter, which was required to include the measures the registry intends to submit (including e-prescribing measures) and the reporting period(s) and method(s) the registry offers its participants
Deadline for self-nomination letters for newly qualified registries was January 31, 2011
CMS plans to post a list of conditionally qualified registries (this list will include both registries that were previously qualified and those that self-nominate to be newly qualified for 2011) by Summer 2011. CMS plans to finalize the list of 2011 PQRS registries by the Fall of 2011
CMS will accept quality measure results and numerator and denominator data for 2011 PQRS measures submitted by qualified registries on behalf of their participants in February and March 2012
47Powers Pyles Sutter & Verville PC
Powers Pyles Sutter & Verville PCContact Information
Diane Millman, Principal
Powers Pyles Sutter & Verville PC
1501 M Street, NW
7th Floor
Washington, DC 20005
Phone: 202.872.6725
Fax: 202.785.1756
Email: [email protected]
48Powers Pyles Sutter & Verville PC
Powers Pyles Sutter & Verville PCContact Information
Rob Portman, Principal
Powers Pyles Sutter & Verville PC
1501 M Street, NW
7th Floor
Washington, DC 20005
Phone: 202.872.6756
Fax: 202.785.1756
Email: [email protected]
Powers Pyles Sutter & Verville PC 49
Powers Pyles Sutter & Verville PCContact Information
Stephanie Cason
Powers Pyles Sutter & Verville PC
1501 M Street, NW
7th Floor
Washington, DC 20005
Phone: 202.466.6550
Fax: 202.785.1756
Email: [email protected]
Powers Pyles Sutter & Verville PC 50