Medicare beneficiaries whose healthcare providers participate in an Accountable Care Organization (ACO) under the Medicare Shared Savings Program (MSSP) may want to add the Centers for Medicare & Medicaid Services (CMS) website, “Medicare & You”, to their lists of favorite internet links if they don’t want their Medicare claims data shared. Proposed rules published by CMS in the December 8, 2014 Federal Register (the “Proposed Rules”) tweak the data sharing “opt-out” process slightly, but significantly.
Under the current MSSP regulations, a Medicare beneficiary that is a “preliminarily prospective assigned beneficiary” (meaning the beneficiary’s primary care provider participates in the ACO, but the beneficiary has not yet sought primary care services during the ACO performance year) may get a letter from his or her provider’s ACO informing the beneficiary that the ACO “may request [from Medicare] personal health information* about the beneficiary for purposes of its care coordination and quality improvement work… .” The beneficiary has 30 days from the date the letter is sent “to decline having his/her claims information shared with the ACO.”
* Interestingly, the regulation references “personal health information”, rather than “protected health information”, the term used by the Office for Civil Rights (which, like CMS, resides in the Department of Health and Human Services) in the HIPAA regulations, but the widely-used PHI acronym works for both, so what the heck? But I digress… .
The current regulation only allows the ACO to request “identifiable claims data” (aka “personal health information” /“claims information”) from this “preliminarily prospective assigned beneficiary” if the beneficiary does not decline the data sharing within 30 days after the ACO letter is sent.
Under the Proposed Rules, Medicare fee-for-service beneficiaries will be “notified about the opportunity to decline claims data sharing through materials such as the CMS Medicare & You Handbook and through the notifications” received at the point of care. These notifications are deemed “received” by the Medicare beneficiary when posted as signs at the ACO provider’s facility or office (and, in settings in which primary care is provided, when given to the beneficiary in writing upon request). The beneficiary can still opt-out, but the notice itself will make it clear that data sharing may have already occurred: “The notifications … must state that the ACO may have requested beneficiary identifiable claims data about the beneficiary for purposes of its care coordination and quality improvement work… .”
Data sharing is a key aspect of any successful ACO and can certainly be achieved in a HIPAA-compliant manner. Notably, as CMS explains in the preamble to the Proposed Rules, care coordination and quality improvement activities, when performed by an ACO that is a covered entity or, by an ACO that is a business associate, on behalf of a covered entity, qualify as “health care operations” functions or activities under HIPAA. The elimination of the ACO letters and 30-day opt-out period for “preliminarily prospective assigned beneficiaries” is likely to reduce beneficiary confusion and ACO administrative expense.
As noted in the preamble to the Proposed Rules, only 2% of beneficiaries have historically opted out of ACO claims data sharing, anyway. Perhaps only 2% of Medicare beneficiaries care about claims data sharing. If the Proposed Rules are adopted, hopefully the “preliminarily prospective assigned beneficiaries” in the (however small) pool of future opt-outs will find the “Medicare & You” website and the ACO information (currently located on page 138) buried deep within it.