Healthcare is trending toward value-based payments. Back in January, Sylvia Burwell of the U.S. Department of Health & Human Services announced Medicare’s move toward paying providers based on the quality, rather than the quantity, of care they give to patients. Secretary Burwell emphasized the importance of alternative payment models, including accountable care organizations (“ACOs”). Regardless of whether you are for or against value-based payments, ACOs will play a big role in the future of healthcare, and many providers will find themselves involved in an ACO. So, what are the privacy and security issues associated with being an ACO participant?

ACOs are networks of providers coming together to reduce costs and improve quality through collaboration. One example is the Medicare Shared Savings Program, a voluntary program in which eligible providers, hospitals, and suppliers create or participate in an ACO to coordinate care for their Medicare fee-for-service patients. Information sharing is key to the successful operation of an ACO. But because information is shared among the various ACO players, privacy and security considerations must be a large part of the ACO’s long-term plan.

First, ACO participants, as HIPAA covered entities, will need to ensure that they only request, use, and disclose PHI in compliance with HIPAA. HIPAA permits most uses and disclosures related to the ACO program for purposes of treatment, payment, or healthcare operations. Accordingly, ACO participants may freely exchange information with each other for the purpose of treating individuals.

In addition, ACO participants may share information as necessary for a participant to obtain payment (which includes incentive payments), so long as the providers make a reasonable effort to request only the minimum necessary amount of PHI. ACO participants may also use or disclose PHI for purposes of “healthcare operations” as that term is defined under HIPAA (activities that include, for example, administrative, legal, and quality improvement work), so long as the use or disclosure is subject to the minimum necessary requirement. Other data sharing can occur between ACOs and the Centers for Medicare & Medicaid Services (“CMS”). Currently, ACOs can request, among other things, personal health information of beneficiaries for purposes of care coordination and quality improvement work, unless the beneficiary opts out.

With so much data sharing taking place both within and outside of ACOs, the data will inevitably become vulnerable to threats. For example, if the information is shared by granting access to electronic health records, the ACO framework becomes ripe for a breach or an attack. According to a new study sponsored by the security firm ID Experts, data breaches in health care are on the rise, and criminal attacks are the leading cause. In fact, according to a study conducted by the Ponemon Institute, criminal attacks have risen 125 percent since 2010. The findings also showed that most healthcare organizations are unprepared to address this serious concern.

So how can healthcare providers moving toward an ACO model be prepared on the privacy and security front? Participants should:

  • Address privacy and security obligations and exposures in their ACO agreements.
  • Update their risk assessment and corresponding risk management plan.
  • Review current privacy and security policies for how they address ACO information sharing.
  • Develop a robust breach response plan.
  • Consider obtaining cyber insurance, including coverage for ACO-related risks.
  • Refresh their workforce training on privacy and security matters, particularly with respect to ACO information sharing.