Ira Parghi, Ropes & Gray health care counsel, discusses the increasing role that data and technology will play in a value-based health care world.

Transcript

Introduction

The march towards value-based health care (“VBHC”) – with its reliance on data and data analytics – has important and exciting implications for the digital health industry.

Digital health, broadly defined, refers to the use of technology in the provision and management of health care. Recent years have seen enormous boosts in funding for, and innovation in, digital health technologies, ranging from electronic health records (“EHRs”) used by hospitals and health care providers to patient-facing personal fitness monitors and mobile wellness applications (“apps”). These various technologies depend upon, and are made possible by, their ability to collect and process individual and population-level data.

For its part, VBHC seeks to compensate providers for the quality of care they provide, rather than the volume of procedures they perform. A core promise of this model, therefore, is the elevation of quality-centric outcomes over quality-agnostic output. But quality – the value-based gold standard – is not always easy to define or measure, rendering quality metrics one of the greatest challenges of VBHC. However quality may be defined, data and data analytics are critical to its delivery, placing digital health at the core of any VBHC infrastructure. In this article, we offer some predictions about what to expect and what to watch out for at the dynamic intersection of digital health and VBHC.

1. Digital health technology will create value out of raw data

From EHRs and health information exchanges to clinical decision-making tools and patient-facing wellness apps, the health care industry is generating troves of raw data. By themselves, however, raw data are not enough to drive VBHC. To yield insights about quality of care improvements and cost savings, raw data must be collected from multiple and often unrelated sources and then analyzed along various dimensions. An orthopedic hospital, for example, may generate extensive data about certain joint replacement procedures, but only in the raw form of patient records. To glean from this the information essential to a VBHC system – how often procedures are performed, on what patient populations, the frequency of certain complications, the most beneficial forms of physiotherapy – additional, large-scale analysis is required not only of the hospital records themselves, but also the records of other providers along the care continuum including the diagnosing physician and the post-operative physiotherapist. Although performance of such analytics is beyond the expertise of most conventional provider organizations, it is well within the expertise of digital health companies. Digital health technologies are uniquely placed to amass information from disparate sources and then “crunch” it in a way that can help providers understand and measure quality, improve care, and reduce costs.

2. Data sharing will become an area of focus

Data sharing between and among the entities that collect, de-identify, aggregate, and analyze clinical data, and the providers who generate that data, will become essential in the VBHC enterprise, but not without strings. VBHC data sharing will be constrained by one or more federal and state laws, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Although whether and how HIPAA will apply in any given situation will be fact-specific, there are some broad considerations that providers and digital health companies alike may wish to keep in mind.

Patient Authorization

When a provider seeks to send a patient’s Protected Health Information (“PHI”, broadly defined under HIPAA as identifiable health information) to any sort of data analytics entity, a threshold question is whether the provider must first obtain a written authorization from the patient. HIPAA makes receipt of such an authorization a default requirement for the use and disclosure of PHI, subject to certain enumerated exceptions including disclosures for “health care operations.” HIPAA’s “health care operations” exception is defined to include population health activities aimed at reducing costs and improving patient care. In some circumstances, a provider’s disclosure of PHI to a data analytics entity may fall squarely within this exception; thus, a provider that can readily demonstrate the link between the analytics being performed on its PHI, on the one hand, and its cost reduction and quality improvement measures, on the other, may not need a patient authorization. That said, some providers may conclude that even if a HIPAA authorization is not required, one is still desirable for reasons of patient relations and transparency.

Notice of Privacy Practices

A related question is whether the provider is required to modify and redistribute its Notice of Privacy Practices (“NPP”) – the patient-facing document that describes the purposes for which the provider will collect, use, and disclose the patient’s PHI – to address more explicitly the analytic work to be performed on the PHI. HIPAA requires the NPP to be revised in the event of material changes to its content. Whether the outsourcing of data analytics constitutes such a material change is, again, likely to depend on the circumstances. If, however, the NPP must be modified, a provider will need to think through the logistics, especially when the revisions are substantial and the scope of the redistribution large. Additionally, as with patient authorizations, for reasons of transparency, a provider may elect to revise and redistribute its NPP to more expressly acknowledge its VBHC data sharing activities even if HIPAA does not require that it do so.

Business Associate Relationships

A third set of questions focuses on business associate relationships under HIPAA. The threshold question here is whether the relationship between the provider and the digital health entity is that of a HIPAA covered entity and a business associate. A business associate is someone who receives PHI from a covered entity (such as a physician or hospital) in order to perform certain services for or on behalf of the covered entity. For any arrangement properly characterized as a business associate relationship, it is helpful for both the provider and the digital health company to consider whether the business associate agreement and other underlying contracts between the two permit the PHI to be used and disclosed for their contemplated purposes, and whether the contracts impose any restrictions on the downstream use or disclosure of the information.

It is also essential that the digital health company ensure that it can handle the significant compliance risks and operational duties that flow from business associate status. HIPAA imposes a range of obligations on business associates, including ones relating to internal privacy and information security policies, workforce education, and breach notification. Compliance with these requirements can be a resource-intensive undertaking for any entity.

Organized Health Care Arrangements

Some providers and payors may also want to consider whether to form an Organized Health Care Arrangement (“OHCA”) when organizing themselves into a VBHC system. Under HIPAA, an OHCA can take the form of a clinically integrated care setting (such as a hospital in which non-employed physicians work), or “an organized system of health care” in which covered entities hold themselves out to the public as participating in a joint arrangement and participate jointly in certain enumerated activities, such as quality improvement or the administration of shared financial risk. Notably, HIPAA permits a wider degree of information sharing among OHCA members, and between OHCA members and third parties, than it permits among parties in the absence of an OHCA. Thus, for example, if several providers (and/or payors) wish to share PHI with one another, or with a third party under a business associate agreement, as part of a VBHC arrangement, an OHCA structure may provide a more flexible and effective vehicle for doing so.

3. Provider interest in “evidence-based” and HIPAA-compliant technologies will drive the market

Patient-facing digital health technologies, such as software and apps for mobile devices that encourage and track healthy lifestyle behaviors, stand to play a more significant role in the VBHC enterprise. Historically, providers have relied on patient memory and informal record-keeping to populate the medical record and track clinical information. The result can be an inaccurate and incomplete set of data points, and a medical record that makes it harder for clinicians to avoid the delivery of unnecessary (e.g., duplicative) care. With the help of digital technologies, however, patients can record clinically relevant information, and their providers can receive it, more systematically, more reliably, and in real time. Additionally, providers can store that information in a dynamic and accessible format. For this to happen, digital health technologies will need traction among providers. To date, many providers consider these technologies of limited clinical value, partly due to accuracy concerns, and are reluctant to use them without additional evidence. Digital health companies may therefore need to fit their technologies within the rubric of “evidence-based medicine,” and focus more on generating sound evidence of their technologies’ effectiveness, much like pharmaceutical and medical device companies already do.

Digital health companies may also have to focus more on regulatory compliance. Currently, many developers concentrate on digital health technologies that are patient-facing and wellness-oriented in order to avoid regulatory scrutiny, particularly under HIPAA and the Federal Food, Drug, and Cosmetic Act. This may change if the provider demand for such technologies takes off. A provider who wants to urge a patient to use an app to document clinical information is likely to want to ensure that the app is legally compliant. And a provider who has limited time and expertise in such matters may look for simple “signals,” such as “HIPAA-compliant” designations, when doing so. Over time, therefore, as digital health companies work to make inroads with physicians, regulatory compliance may become a de facto requirement.

4. Employer preferences will also play a stronger role

Employers will continue to be the primary purchasers of health care even if, under the current administration, the Affordable Care Act is repealed in whole or in part. This presents a tremendous opportunity for the digital health industry. Evidence suggests that many employers want to make telehealth services available to their employees. Digital health companies may benefit by leveraging this interest and developing more effective telehealth systems, and by making the large-scale workplace implementation of these services more technically and administratively feasible for employers.

Employee wellness programs present a similar opportunity. Employers increasingly view such programs as cost-saving measures, and the digital health industry is well poised to facilitate their growth. Indeed, it is difficult to imagine how large employers could continue to build out their wellness programs without employing technological aids of some kind – for instance, by encouraging or requiring their employees to use consumer-facing wellness apps to record and report their wellness program compliance.

Digital health is bound to continue to play an increasing role in the delivery and management of health care. The challenge is for digital health companies, providers, and others to capitalize on the potential opportunities presented by digital health. And in a VBHC world, those opportunities are many.