By: Elizabeth G. Litten and Michael J. Kline

Kaiser Health News reported today that a division of UnitedHealth, Optum, will be using cloud computing technology to allow centralized access to fragmented health information. The Philadelphia Business Journal (the “Journal”) also reported today that three large Blues plans in Pennsylvania and New Jersey (Highmark Inc., Independence Blue Cross, and Horizon Blue Cross and Blue Shield of New Jersey) and a health information technology company, Lumeris Corp. (“Lumeris”), will be joining together to purchase NaviNet, “the country’s largest real-time communication network for physicians, hospitals, and health insurers.” 


According to the Journal article, Lumeris created an accountable-care delivery platform to support “new payment models that reward improved outcomes, enhanced patient safety, and increased physician and patient satisfaction, while lowering overall health-care costs.” The combination of the Lumeris accountable-care platform and NaviNet’s real-time communication network is designed to facilitate the sharing of information and the “administrative, clinical, and financial tasks” needed for high quality, less costly (i.e, “accountable”) care. 


Clearly, the health care industry is racing to create information superhighways into which health information can be entered, consolidated, accessed, maintained and used in novel ways that will improve our health care delivery and payment system. If the protected health information (“PHI”) flowing through these information superhighways and into and out of clouds and other data bases is adequately secured and the increased use and sophistication of health information technology results in improved quality and reduced cost, can anyone reasonably object to this race? Even the Centers for Medicare and Medicaid Services encourages sharing and using PHI to improve quality and reduce costs (see discussions of privacy issues in the Final Rule on the “Medicare Shared Savings Program: Accountable Care Organizations”).


In his recent post to this blog, our law partner Bill Maruca made it clear that the Minnesota Attorney General (“MAG”) is not a fan of the manner in which at least one company, Accretive Health, Inc. (“Accretive”), accessed and used (and, incidentally, allegedly improperly disclosed) PHI. Although the PHI breach seems to have triggered the MAG’s lawsuit against Accretive, the complaint seems particularly critical of Accretive’s “Quality and Total Cost of Care” services, which allegedly used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms.  Accretive allegedly “amasses and has access to a high volume of sensitive and personal information,” which it uses to, among other things, create “per patient risk score” calculations. 


The MAG claims that, “upon information and belief”, patients’ medical authorization forms did not “identify Accretive by name or disclose the scope and the breadth of the information” that the hospitals that engaged Accretive for these services shared with Accretive. The MAG does not claim that the hospitals involved violated HIPAA requirements related to notice of privacy practices and patient consents and authorizations. Rather, the complaint alleges violations by Accretive of the Minnesota Prevention of Consumer Fraud Act and the Minnesota Uniform Deceptive Trade Practices Act, related to the assertion that patients were “not aware of the extent of Accretive’s involvement in their health care or the extent to which it amasses data about them.” 


We agree wholeheartedly with Bill’s closing comment, cautioning that regulators not chill legitimate uses of health information data and technology. We also wonder whether, and under what circumstances, patients should be informed of the myriad directions in which their health information might “legitimately” travel, be mined, and/or be analyzed, or whether that additional layer of patient notice will create unnecessary speed bumps in the race toward more affordable, high quality care. 


Finally, query whether such notice to a patient about the use of PHI for development of modeling, data mining, risk scores, algorithms, etc., meaningfully adds to the patient’s knowledge and understanding of what is likely to matter most to the patient – the extent, if any, to which such uses may enhance, limit and/or alter his/her personal medical treatment by physicians and other providers.