I had an interesting conversation with Mike Barrett, Chairman of the National Association of ACOs, as a result of my January 7th post on the Medicare beneficiary opt-out process described in Medicare Shared Savings Program (“MSSP”) regulations proposed by the Centers for Medicare & Medicaid Services (“CMS”).  My blog post meant to highlight a proposed opt-out process that seems unnecessarily obscure:  Will a Medicare beneficiary know about, find, and navigate the “Medicare & You” website, and then realize:  (1) he or she may be part of an ACO, by virtue of the participation of his or her physician; and (2) he or she has the ability to “opt-out” of having certain Medicare claims information shared with his or her ACO-participating physician?  Really??

But, after speaking with Mike, I realized there was a more important issue to be addressed than the murkiness of the opt-out option:  Should Medicare give the beneficiary attributed to a MSSP ACO an opt-out option in the first place?  Maybe it’s not the obscurity of the opt-out process that I should write about, but whether the opt-out is needed to begin with.

The preamble to the proposed MSSP regulations (Preamble) offers abundant and credible justification for the sharing of beneficiary claims information by a health plan (in this case, Medicare) with an ACO that either is a covered entity itself or is a business associate which has contracted with covered entity health care providers for legitimate “health care operations” purposes.  In fact, the Preamble discussion of “health care operations” and what constitutes the “minimum necessary” data required to engage meaningfully in such activities is helpfully robust and more detailed than what can be found generally in the HIPAA preamble discussion and regulations.  The performance evaluation, quality assessment activities, care coordination activities, and population-based health care improvement activities are, CMS emphasizes in the Preamble, “health care operations” of the MSSP ACOs, and Medicare must give ACOs “appropriate access to a beneficiary’s identifiable claims data” in order to achieve the goals of the MSSP ACO program.

CMS also points out that “HIPAA does not require that beneficiaries be presented with an opportunity to decline claims data sharing before their PHI can be shared,” noting that, under several other CMS initiatives, claims data is shared with providers in the absence of a Medicare beneficiary opt-out option.

Rather than giving Medicare beneficiaries the obscure claims data sharing “opt-out” proposed in the MSSP regulations, perhaps CMS should simply advise all Medicare beneficiaries at the time of eligibility and in other communications (in a prominent place, such as the first page of “Medicare & You”) that certain of their claims information will be shared with their health care providers and, if applicable, the MSSP ACO in which the providers participate.  If the Medicare beneficiary does not want this claims information shared, he or she can “opt-out” by selecting a primary care provider that does not participate in the MSSP ACO or does not submit claims to Medicare.  This is one situation in which the benefits of basic clarity and transparency (in terms of how and when Medicare will share claims data) outweigh the negligible PHI privacy protections of this ACO opt-out.