MEDICAL DATA REGISTRIES POWERS PYLES SUTTER & VERVILLE PC WEBINAR 1.

MEDICAL DATA REGISTRIES

POWERS PYLES SUTTER & VERVILLE PC

WEBINAR

1

MEDICAL DATA REGISTRIES

PRESENTERS:

Rob Portman

Diane Millman

Stephanie Cason

Powers Pyles Sutter & Verville PC 2

Disclaimer

This presentation is for informational purposes only and does not provide legal services or advice. Use of this information does not create an attorney-client relationship. You should not act, or refrain from acting, on the basis of information contained herein without seeking additional legal counsel regarding your own situation

The firm does not necessarily endorse, and is not responsible for, any third-party content that may be accessed through links or otherwise

If we can assist you or answer any questions you might have, please call us in Washington, DC at 202.466.6550, or send us an email

© Copyright 2011, Powers Pyles Sutter & Verville PC, Washington, DC, USA

3Powers Pyles Sutter & Verville PC

Overview

Registries: Why everyone’s doing it Legal issues in forming/operating registries Regulatory issues and CMS requirements Q&A


Why Create a Medical Data Registry?

Data is everything Quality improvement through benchmarking,

tracking outcomes; micro and macro Utilization Review Patient safety Medical research; evidence-based guidelines Reimbursement

Coding/Payment PQRS


Legal Considerations

Create Separate Entity? Key Agreements Ownership of Data Privacy/Security Discoverability Liability Risk


Legal Considerations:Create New Entity?

Pros Separate governance/funding

Better suited for multi-stakeholder registries

Liability protection for parent entity

Cons Costs Administrative burdens Problems with multi-stakeholder format


Legal Considerations:Key Agreements

Participation Agreement Business Associate/Data Use Agreement Agreement with outside database

vendor/hosting entity Data sharing agreements Other vendors/consultants


Legal Considerations:Ownership of Data

Who owns the data? Entities that may claim ownership include:

Health care providers/database participants Database creator/owner Patients Insurers Agencies funding registry projects Government agencies

HIPAA regulates use and disclosure, but does not affect property rights

Allocate rights via contract


Legal Considerations: Ownership of Data

Database participation agreement defines the applicable terms of participation

Database participation and vendor agreements should clarify ownership of data Distinguish between raw data and the database Typically sites will retain ownership of data they submit Database owner will own:

The database (including the aggregate data and subsets of data) Any reports based on the data Information derived from the data All trademarks, trade secrets, and intellectual property arising

from or reflected in the database Patients may retain an ownership interest as well Check state law as well


Legal Considerations: Privacy/Security

Rules that apply will depend on what kind of data is collected PHI Limited Data Sets De-Identified

And how data will be used Health care operations Research

Technology can help prevent registry from receiving identifiable data



HIPAA Governs use and disclosure of PHI by covered entities

(health care provider, health plans, health care clearinghouses)

Participants contributing data to the database will likely be covered entity

If disclosing PHI to database, participant must ensure that it obtains necessary patient authorizations and provides required notice

– Unless for purposes of health care treatment, payment, or health care operations

– Or some exception applies Minimum necessary standard applies regardless



Possible Data Registry Exceptions De-identified data

No limit on disclosure

Limited Data Set Partially de-identified PHI Can only be used or disclosed by a covered entity for the

purposes of research, public health, or health care operations

Covered entity must enter into a data use agreement with the limited data set recipient; very similar to BA agreement



Possible Data Registry Exceptions Business Associate Relationship

Database owner/developer will likely be business associate of database participants—perform data aggregation services for participants

HIPAA privacy regulations permit business associates to collect PHI and provide data aggregation services on behalf of covered entities that include data analyses relating to the health care operations of those entities. 45 CFR § 164.504(e)(2)(i)(B)

“Health care operations” include “conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.” 45 CFR § 164.501

Business Associate Agreement must be in place



Business Associate Relationship (cont.)

Data registry is business associate of each database participant

Performs data aggregation services using data collected from participants

Prepares reports for participants that are used for health care operation purposes (e.g., quality improvement, utilization review, etc.)

No sharing of PHI across participants

Hub and spokes approach

Note that HITECH Act applies HIPAA requirements to BAAs, including breach notification rules



A business associate, data use agreement, or combination BA/DU agreement must be in place

BA/DU agreement will address both uses of PHI and limited data sets

BA/DU agreement will set forth the obligations of each party with respect to the information; permitted uses of the information; and liability for breaches of obligations

Breach notification should be addressed

Database owner should also allocate liability through limitation of liability and indemnification provisions


Legal Considerations:Privacy/Security - HIPAA

Possible Data Registry Exceptions IRB Approval/Waiver

Necessary where primary purpose of PHI collection is research rather than health care operations

Can’t use BA/DU approach if primary purpose of collecting data is research

Definition of research: “a systematic investigation, including research development, testing, and evaluation designed to develop or contribute to generalizable knowledge”

Compare to definition of health care operations: “obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities”


Legal Considerations:Privacy/Security - HIPAA

Possible Data Registry Exceptions IRB Approval/Waiver (cont.)

Clearly-established pathway under the HIPAA regs for collecting and analyzing fully-identified PHI for research purposes without individual patient authorization. 45 C.F.R. § 164.512(i)

HIPAA regs do not require each participant in a data registry to obtain separate IRB approval for the submission of data to that registry

But, some or most sites may seek approval from their own institution’s IRB to be safe



The Common Rule Applies to research involving human subjects “conducted,

supported or otherwise subject to regulation by any federal department or agency.” 45 C.F.R. § 46.101

“Subject to regulation” means “research activities for which a federal department or agency has specific responsibility for regulating as a research activity, (for example, Investigational New Drug requirements administered by the Food and Drug Administration).” 45 C.F.R. § 102(e)

Called the “Common Rule” because it has been adopted by 17 federal departments and agencies

Research involving human subject includes collection of patient identifying information

Does not apply if no federal funding or regulation involved



The Common Rule Definition of research similar to HIPAA definition

Requires written assurance that the research institution will comply with the Common Rule requirements

IRB approval required In order to receive IRB approval for research must demonstrate

that “there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.” 45 C.F.R. § 46.111

Must obtain informed consent from patients


Legal Considerations: Discoverability

Federal Law No general federal statutory privilege against

discovery

Balancing test under federal rules of evidence—likely to prevent disclosure to third parties of patient and possibly provider identities; but aggregate data will be available if compelling litigation need shown



Deitchman v. E.R. Squibb & Sons, 740 F.2d 556 (7th Cir. 1984) Squibb sought production of data from U of C registry that

monitored a disease related to products liability action against Squibb

U of C claimed data was privileged and confidential

Court agreed that the data in the registry was privileged, but it was not an absolute privilege. Squibb had to show absolute necessity to allow discovery

Court found that Squibb was entitled to some discovery because the registry was the “only centralized repository of data on that disease” and Squibb needed the information to cross examine witnesses who were relying on these studies

Remanded to District Court so it could determine the best way to provide necessary data while preserving as much confidentiality as possible



Wolpin v. Phillip Morris, Inc., 189 F.R.D. 418 (C.D. Cal. 1999) Secondhand smoke case against Phillip Morris

Phillip Morris sought data from study that looked at the effects of

secondhand smoke conducted by USC and the California Department of Health. Some of the data in the study came from a statewide tumor registry, and USC claimed state and federal privacy laws would not permit them to release the data

Court found that interest in preserving the confidentiality of information was outweighed by Phillip Morris’ compelling need for the information once patient names were excised from the data

Disclosure would be in the “interest of justice” because the data would assist Phillip Morris in determining the validity of the study



HIPAA HIPAA has a liberal exception for disclosure

in judicial and administrative proceedings

Basically permits disclosure in response to court order or subpoena that meets certain conditions, including proof of notice to the person whose PHI is at issue or of receipt of a qualified protective order



Patient Safety Organizations Act/Rules PSO Act does provide privilege against legal discovery of

patient safety work product held by PSOs Applies to subpoenas issued in federal or state cases But:

Must qualify as PSO and comply with PSO all requirements Registry data may not meet definition of PSWP Privilege is not self-enforcing and does not apply to non-

identifiable data; so outcome unlikely to be different than under current federal evidence rules

Subject to government compliance inspections/audits Must forfeit data if PSO status terminated But, can set up component PSO



AHRQ-sponsored research and confidentiality provisions under 42 U.S.C. § 299c-3(c) AHRQ-funded research must adhere to the confidentiality

provision under 42 U.S.C. § 299c-3(c) which prohibits the disclosure of information “for any other purpose other than the purpose for which it was supplied” unless the individual whose information is at issue consents to its disclosure

The AHRQ has interpreted this provision to protect all AHRQ-funded research from compelled disclosure requests, including discovery requests in the course of litigation

This provision has not been challenged in the courts and it is unclear, given the vague statutory language, whether a court would protect the confidentiality of an AHRQ-funded registry in the course of litigation



Certificates of Confidentiality Issued by the National Institute of Health (NIH) to protect the

privacy of certain individuals who are research subjects

CoC does broadly protect against discovery, but very limited application

Not limited to federally-funded research if the project collects identifiable information from people and was approved by an IRB, it’s eligible

But is limited to persons engaged in biomedical, behavioral, clinical, or other research (including research on mental health, including research on the use and effect of alcohol and other psychoactive drugs) to protect the privacy of individuals who are the subject of such research by withholding from all persons not connected with the conduct of such research the names or other identifying characteristics of such individuals

Unlikely to apply to registry



State Law varies Illinois Medical Studies Act

All information “used in the course of internal quality control or of medical study for the purpose of reducing morbidity or mortality, or for improving patient care or increasing organ and tissue donation, shall be privileged, strictly confidential and shall be used only for medical research, increasing organ and tissue donation, [or] the evaluation and improvement of quality care...” 735 ILCS 5/8-2101

“Such information, records, reports, statements, notes, memoranda, or other data, shall not be admissible as evidence, nor discoverable in any action of any kind in any court or before any tribunal, board, agency or person. The disclosure of any such information or data, whether proper, or improper, shall not waive or have any effect upon its confidentiality, nondiscoverability, or nonadmissibility.” 735 ILCS 5/8-2102

Not all states provide this level of protection


Legal Considerations: Liability Risk

Risk of liability for wrongful disclosure of data

Sanctions under HIPAA for wrongful disclosure of PHI

Civil fines of up to $25,000 imposed by the Office of Civil Rights

Criminal sanctions imposed by the DOJ- imprisonment and fines



Breach Notification – Requires notification of breaches of unsecured PHI to affected individuals, the Secretary, and, in certain circumstances, to the media

State Law – see Illinois Medical Studies Act penalties

Common law- claims for violation for privacy may also be available



Also possible risk of liability to third parties from wrongful use or disclosure of data/data analyses by registry or participants

Limit liability through database participation agreement Limitation of liability provision (absent gross negligence

or willful misconduct )

Indemnification provision (absent gross negligence or willful misconduct ) Participant to indemnify database owner as well as its

independent data warehouse service provider (if applicable) from and against any and all claims, actions, liabilities, etc. arising or resulting in any way from participant’s use of data obtained through the database


Registries: Regulatory Issuesand CMS Requirements


Physician Quality Reporting System: Registry-Based Reporting

The Physician Quality Reporting System (PQRS) is a voluntary reporting program that provides an incentive payment to practices whose eligible professionals (identified on claims by their individual National Provider Identifier [NPI]) satisfactorily report data on quality measures for covered Physician Fee Schedule (PFS) services

Beginning with the 2008 PQRS program year, eligible professionals have been able to qualify to earn a PQRS incentive by reporting quality measures data to a qualified registry

Individual eligible professionals (IEPs) whose 2011 PQRS measure information is successfully submitted by a CMS-qualified registry may earn an incentive payment equal to 1.0 percent of their total allowed charges for all MPFS covered professional services furnished during the reporting period for which the measures are reported

In addition to the PQRS quality measures, registry reporting is also authorized for the e-prescribing measures



System analysis for 2007 and 2008 showed that providers who did registry reporting had a 90 percent success rate for earning a PQRS bonus and claims-based reporting had a 50 percent success rate

BUT has CMS finalized new requirements for registries to use CMS-provided measure specifications and measure calculation logic?

Will a CMS-developed algorithm accurately calculate measure reporting or performance rates for IEPs?

Several practices have determined that there was a difference in results when comparing detailed claims data from CMS used for evaluation of PQRS reporting success with internal practice claims data for the same time period. This was not a problem in registry-based reporting



CMS will not combine data submitted via multiple reporting mechanisms to determine incentive eligibility

Will use of a CMS-developed algorithm bring IEPs’ eligibility for incentives under registry-based reporting in line with claims-based reporting?

Because of the limitations of claims-based reporting, CMS states that it will continue to consider significantly limiting the claims-based mechanism in future program years (beyond 2011)

However, CMS has agreed to maintain claims-based reporting in 2011

Since CMS will not be making a final decision on which registries to approve until the Fall, some practices may choose claims-based reporting to ensure compliance


Requirements for IEPsto Use Registry Reporting

IEP must enter into and maintain an appropriate legal arrangement with a qualified 2011 PQRS registry

Registry acts as a HIPAA Business Associate and agent of IEP

Such agents are referred to as ‘‘data submission vendors”

As a data submission vendor, registry submits CMS-defined registry-derived measures information to CMS designated database for the PQRS using a CMS-specified record layout, which is provided to the registry by CMS


Criteria for Satisfactory Reporting of PQRS Measures (Registry)

Individual Measures: Reporting Periods: Jan 1, 2011 - Dec 31, 2011 or Jul 1, 2011- Dec

31, 2011 Report at least three PQRS measures;* and Report each measure for at least 80% of applicable Medicare Part B

FFS patients seen during the reporting period

Group Measures: Report at least 1 PQRS measures group;* and Report each measures group for at least 30 Medicare FFS patients

seen during the reporting period IEPs using the registry-based reporting mechanism will no longer be

able to report on non-Medicare FFS patients (new)


Criteria for Satisfactory Reporting of PQRS Measures (Registry)

GPRO II– Pilot for approx. 500 self-nominated groups with less than

200 eligible professionals

Reporting Mechanism - claims (or, if the only measures

groups that apply to the practice are the registry-only

measures groups, registry)

Reporting Period -- Jan 1, 2011- Dec 31, 2011


Criteria for Satisfactory Reporting ofE-Prescribing Measures (Registry)

IEP must generate at least one eRx associated with a patient visit (reported using selected codes) on 25 or more unique events during the reporting period (January 1 through December 31)

IEP must have at least 10% of their Medicare Part B charges comprised of the selected codes in the denominator of the measure to be eligible for the incentive

Note that IEPs that are eligible for the e-prescribing incentive and do not meet the requirements for the first six months of 2011 may incur a 1% reduction in payment in 2012


PQRS Registry Requirements for 2011

To be considered a qualified registry for purposes of submitting individual quality measures and measures groups on behalf of eligible professionals or CMS selected group practices who choose this reporting mechanism, both new and previously qualified registries must, among other things:

Have been in existence as of January 1, 2011 Have at least 25 participants by January 1, 2011 Provide at least one feedback report per year to IEPs Not be owned or managed by an individual locally-owned single-specialty

group, in other words, single-specialty practices with only one practice location or solo practitioner practices would be prohibited from self-nominating to become a qualified Physician Quality Reporting registry

Participate in 2011 PQRS conference calls hosted by CMS Be able to collect all needed data elements for at least three measures and

transmit to the data to CMS at the Tax Identification Number (TIN)/National Provider Identifier (NPI) level



Be able to calculate and submit measure-level reporting rates or the data elements needed to calculate the reporting rates at the TIN/NPI level

Be able to calculate and submit, by TIN/NPI for eligible professionals, a performance rate (that is, the percentage of a defined population who receive a particular process of care or achieve a particular outcome) for each measure or measures group or the data elements needed to calculate the reporting rates

Be able to separate out and report on Medicare Fee-For-Service (FFS) Part B patients

Report the number of eligible instances (reporting denominator) and the number of instances of quality service performed (numerator); performance exclusions

Be able to transmit this data in a CMS-approved XML format and otherwise comply with a CMS-specified secure method for data submission


Submit an acceptable “validation strategy” to CMS by March 31, 2011. A validation strategy ascertains whether eligible professionals have submitted accurately and on at least the minimum number (80 percent) of their eligible patients, visits, procedures, or episodes for a given measure. Acceptable validation strategies often include such provisions as the registry being able to conduct random sampling of their participants’ data, but may also be based on other credible means of verifying the accuracy of data content and completeness of reporting or adherence to a required sampling method

Perform the validation outlined in the strategy and send the results to CMS by June 30, 2012 for the 2011 reporting year’s data

Meet certain other administrative requirements, including Business Associate agreements with IEPs



Obtain and keep on file signed documentation that each holder of an NPI whose data are submitted to the registry has authorized the registry to submit quality measures results and numerator and denominator data to CMS for the purpose of Physician Quality Reporting System participation. This documentation must be obtained at the time the eligible professional signs up with the registry to submit Physician Quality Reporting System quality measures data to the registry and must meet any applicable laws, regulations, and contractual business associate agreements

Provide CMS access (if requested for validation purposes) to review the Medicare beneficiary data on which 2011 Physician Quality Reporting System registry-based submissions are founded or provide to CMS a copy of the actual data (if requested)

Indicate the reporting options the registry seeks to submit on behalf of its users in addition to individual measures (measures groups, GPRO II, eRx for individuals, eRx for GPROs, 6 month, 12 month reporting periods)

Provide the reporting option(s) (reporting period and reporting criteria) that the eligible professional has satisfied or chosen



Provide CMS a signed, written attestation statement via mail or e-mail which states that the quality measure results and any and all data including numerator and denominator data provided to CMS are accurate and complete

In addition to the above, registries (both new and previously qualified) who intend to report on 2011 Physician Quality Reporting System measures must:

Indicate the reporting period selected for each eligible professional who chooses to submit data on measures groups

Base reported information on measures groups only on patients to whom services were furnished during the 12-month reporting period of January through December 2011 or the 6-month reporting period of July 1, 2011 through December 31, 2011




Agree that the registry’s data may be inspected or a copy requested by CMS and provided to CMS under CMS oversight authority

Be able to report data on all applicable measures in a given measures group on either 30 Medicare Part B FFS patients or more from January 1 through December 31, 2011 or on 80 percent of applicable Medicare Part B FFS patients for each IEP (with a minimum of 15 patients during the January 1 through December 31, 2011 reporting period or a minimum of eight patients during the July 1 through December 31, 2011 reporting period)


New Requirements forRegistries under PQRS

Registries are no longer permitted to include non-Medicare patients for measures group(s) reporting

In an effort to reduce the variation in measures results across registries and better allow eligible professional comparisons, all current and future registries must meet the following new requirements:

Use Physician Quality Reporting System measure specifications and a standard set of measure calculation logic provided by CMS to calculate reporting rates or performance rates unless otherwise stated

Provide a calculated result using the CMS-supplied logic and XML file for each measure that the registry intends to calculate. The registries will be required to show that they can calculate the proper results (that is, reporting and performance rates) using the CMS-supplied logic and send the calculated data back to CMS in the specified format

Provide the individual data elements used to calculate the measures if so requested by CMS for validation purposes. Registries that are subject to validation will be asked to send discrete data elements for a measure (determined by CMS) in the required data format and CMS will recalculate the registries’ reported results. Validation will be conducted for several measures for a randomly selected sample of registries in order to validate their data submissions


Important Deadlines

Registries (regardless of prior year participation) that wish to participate in the 2011 registry payment program were required to submit a self-nomination letter, which was required to include the measures the registry intends to submit (including e-prescribing measures) and the reporting period(s) and method(s) the registry offers its participants

Deadline for self-nomination letters for newly qualified registries was January 31, 2011

CMS plans to post a list of conditionally qualified registries (this list will include both registries that were previously qualified and those that self-nominate to be newly qualified for 2011) by Summer 2011. CMS plans to finalize the list of 2011 PQRS registries by the Fall of 2011

CMS will accept quality measure results and numerator and denominator data for 2011 PQRS measures submitted by qualified registries on behalf of their participants in February and March 2012


Powers Pyles Sutter & Verville PCContact Information

Diane Millman, Principal

Powers Pyles Sutter & Verville PC

1501 M Street, NW

7th Floor

Washington, DC 20005

Phone: 202.872.6725

Fax: 202.785.1756

Email: [email protected]



Rob Portman, Principal


1501 M Street, NW

7th Floor


Phone: 202.872.6756

Fax: 202.785.1756




Stephanie Cason


1501 M Street, NW

7th Floor


Phone: 202.466.6550

Fax: 202.785.1756



MEDICAL DATA REGISTRIES POWERS PYLES SUTTER & VERVILLE PC WEBINAR 1.

Documents