On March 31, 2011, the Centers for Medicare & Medicaid Services (CMS) published its Proposed Rule (Proposed Rule) for Accountable Care Organizations (ACOs) under the Affordable Care Act. In laying the foundation for ACOs, the Proposed Rule emphasizes the centrality of health information technology (IT). Indeed, according to Dr. Farzad Mostashari, newly appointed deputy national coordinator for programs and policy at the Office of the National Coordinator for Health Information Technology at HHS, “health IT tools are an essential foundation to support the kinds of coordinated, patient-centered and accountable care envisioned by the ACO program.” Most evident, the Proposed Rule parallels many of the requirements delineated for providers to meet the Electronic Health Records (EHR) Implementation Program requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH).

Physician Quality Reporting Systems

Under the Proposed Rule, an ACO must meet the “quality performance standard” in order to qualify for shared savings. CMS has proposed the use of 65 measures to calculate whether an ACO has met the quality performance standard. These measures are grouped into five domains: Patient/Caregiver Experience (7 measures); Care Coordination (16 measures); Patient Safety (2 measures); Preventive Health (9 measures); and At-Risk Population/Frail Elderly Health (31 measures).

Health IT plays a vital part in the reporting of the quality measures data. Although data may be submitted through various existing quality reporting programs such as the Physician Quality Reporting System and the Centers for Disease Control and Prevention National Healthcare Safety Network, CMS notes that there will be much alignment with the ACO measure specifications and the HITECH implemented EHR quality measure specifications. Additionally, some measures will need to be reported through a more sophisticated version of the currently existing data collection tool called the Group Practice Reporting Option (GPRO). As a result, CMS has proposed a reporting system for ACOs that necessitates increased adoption of EHR technology.

CMS requests comments on the proposed data submission requirements, including whether alternative data submission methods should be required or considered.

Meaningful EHR Users

The alignment of the Proposed Rule and the HITECH EHR Incentive Program is even more evident in the requirement by the Proposed Rule that at least 50% of an ACO's primary care physicians must be meaningful users of certified EHRs by the start of the second ACO performance year. CMS indicates that this is only the first step in ACO provider participation of the EHR Incentive Program and “[f]or subsequent years, we anticipate proposing greater alignment between the Shared Savings Program and the EHR Incentive program through future rulemaking.”

CMS is seeking comments as to whether the meaningful use requirement for primary care physicians should be extended to hospitals, and whether an exception should be made in those cases where an ACO may include only one hospital or no hospitals.

Evidence Based Medicine and Coordination of Care

In addition to quality based reporting, ACOs are required to develop and implement evidence based medical practices and processes to coordinate care. Part of the development for the promotion of evidence based medicine will include the need of infrastructure that enables the ACO to collect and evaluate data and provide feedback to ACO participants to influence care across the ACO. This infrastructure may include integrated EHRs with clinical decision support. Moreover, CMS requires that the ACO be able to coordinate care and identifies technologies such as predictive modeling, remote monitoring, telehealth, and electronic health information exchanges to enable coordination.

Privacy Concerns

The ability to obtain and share ACO beneficiary information is a foundational block of the ACO Program, as sharing allows an ACO provider to adjust care to improve quality and efficiency. HHS is proposing to make available various types of medical information to participating ACOs:

  1. Aggregated data on beneficiary use of healthcare services.
  2. Identification of Historically Assigned Beneficiaries – Data which includes name, date of birth, gender and Medicare ID for historically ACO-assigned patients included in the aggregate data reports above.
  3. Sharing Beneficiary-Identifiable Medicare Parts A, B, and D Claims Data – For Medicare Parts A and B, the data elements that will be provided are: procedure code, diagnosis code, beneficiary ID, date of birth, gender, and, if applicable, date of death, claim ID, the from and thru dates of service, the provider or supplier ID, and the claim payment type. The Medicare Part D data includes: beneficiary ID, prescriber ID, drug service date, drug product service ID, and indication if the drug is on the formulary.

Much of this information will fall under the scope of protected health information (PHI) under the Health Insurance Portability and Accountability Act and accompanying regulations (HIPAA). Depending on its business structure, an ACO either will be part of a covered entity or will be a business associate of the participating covered entities. In either case, the Proposed Rule depends heavily on the ability of these entities to exchange PHI for certain healthcare operation purposes.

Under the HIPAA privacy rule, the entities may exchange PHI for healthcare operations, where (1) both covered entities have or had a relationship with the subject of the PHI to be disclosed, (2) the PHI pertains to that relationship, and (3) the recipient will use the PHI for a "healthcare operations" function. As defined in the privacy rule of HIPAA, healthcare operations include “population-based activities relating to improving health or reducing health costs, protocol development, case management and care coordination.” CMS indicates that the disclosure of the identification of the historically assigned beneficiaries and sharing of Medicare Parts A, B and D claims information with ACOs would fall within the scope of healthcare operations. Additionally, CMS notes that the data shared are the “minimum necessary” to accomplish the purpose of the disclosure request.

Despite indicating the legal authority under privacy regulations to share this data, and in the spirit of keeping the patient informed, CMS proposes an opt-out model that requires ACO participants to give notice to patients and offer them a choice not to have their Medicare claims information shared with the ACO. If a patient opts-out of claims information sharing, the ACO must honor the choice, but the opt-out applies only to the data sharing portion of the program. Although the opt-out applies to the data sharing portion of the ACO program, it does not affect the patient’s assignment to the ACO or the use of the patient’s data for purposes such as calculating ACO benchmarks, per capita costs, quality performance or performance year per capita expenditures. Unfortunately, if a significant number of patients opt-out, the ACO may find itself in a dilemma in fully evaluating the care received by its beneficiaries, but will nevertheless still be held accountable for that care.

The Proposed Rule emphasizes the need to comport with privacy rules by stating that ACO agreements may be terminated for improper use or disclosure of the shared claims information. CMS requests comments on the implications of sharing protected health information, such as Parts A, B and D claims data, with ACOs and the use of an opt-out, versus an opt-in, approach to patient consent and individual choice.