1. CDT Supports CMS’ Proposed Opt Out For Sharing Identifiable Claims Data With ACOs
2. ACOs Should Meaningfully Educate Beneficiaries, Not Just Give Written Materials
3. Clarification Needed for Use of Beneficiary’s Identifiable Claims Data
4. Clarification Needed on Data Handling for Non-Assigned Beneficiaries
5. Strengthen the Final Rule to Honor Collection and Use Restrictions
The Center for Democracy and Technology (CDT) recently submitted comments to a proposed rulemaking by the Center for Medicare and Medicaid Services (CMS) regarding Accountable Care Organizations (ACOs). This proposed rule would implement section 3022 of the Affordable Care Act (ACA), creating the Shared Savings Program, under which ACOs may receive additional payments from Medicare for meeting specified quality and savings requirements. The goal of the program is to improve quality of care and lower costs by incentivizing workflow efficiencies, data sharing and care collaboration among health care providers.
CDT’s comments are specifically aimed at the proposed implementation of section 425.19 of the ACA, which covers the sharing of Medicare claims data under the Shared Savings Program. Under this proposal, ACOs – which are groups of health care providers – will be able to request identifiable Medicare claims information about their patients or potential patients from CMS. CMS has not routinely shared this identifiable claims information with providers. Encouragingly, this rule also establishes a right for beneficiaries to opt out of this new data collection activity. CDT strongly agrees with the opt-out provisions and hopes that it is retained in the final rule. Still, the proposed rule could be strengthened in a number of areas. This policy post first discusses the merits of CMS’ approach, and then focuses on areas that could be improved upon.
CDT also signed on to comments submitted by the Markle Foundation’s Connecting for Health Initiative, addressing this the Shared Savings Program from a general policy perspective.
A key component of the success of health data exchange efforts is ensuring that the public trusts these new programs. Building trust in health information exchange requires a comprehensive framework of privacy and security policies that establish clear rules for how health information may be used and disclosed. These practices must be based on fair information practice principles, such as giving patients some control over their data through meaningful consent procedures. However, overreliance on patient consent can result in weak privacy protections. Too often individuals are asked to agree to uses and disclosures of their information they do not fully comprehend. Nonetheless, these concerns do not negate the important role of consent as part of a comprehensive set of policies governing data access, use and disclosure.
In the past CDT has recommended that individuals be given some choice over the availability of their information in infrastructures that are new or that diminish the traditional role played by the patient’s physician in managing the sharing of medical record data. In the context of the ACO Program, because identifiable claims data has not routinely been shared by CMS with providers in the past, beneficiaries who learn about the data sharing may be surprised and lose trust in the ACO program.
CDT is conscious of concerns expressed by stakeholders that providing beneficiaries with the right to opt out will make it more difficult for ACO to manage care and control costs, but CDT believes these concerns are overstated. CMS’ proposed rule only applies to identifiable claims data held by CMS; it does not impact the sharing of beneficiary clinical data among ACO participants. If past experience with consumer privacy controls is any indication, we also do not believe that many beneficiaries will exercise their right to opt out. This may be particularly true if the ACO’s education of beneficiaries encompasses more than mere completion of a form and leverages patients’ historic and foundational trust in their health care providers. In a letter to the Dept. of Health and Human Services (HHS) on patients’ rights to restrict disclosure of sensitive data categories, NCVHS noted that “where individuals have the right to put restrictions on disclosure of sensitive health information, people rarely elect to do so, but they strongly value having the right and the ability to do so.” To address concerns some provider organizations have about the opt out, CDT recommends that CMS study the impact the opt-out policy has on the quality of care and cost management.
Although CDT supports CMS’ inclusion of beneficiaries’ right to opt out, CDT believes the rule could be improved in the ways described below.
CDT Paper On The Role of Consent In Protecting Patient Privacy
Beneficiaries will not have the opportunity to make a meaningful choice with regard to sharing their identifiable claims data if they are not adequately educated on their rights and the ACO program. Beneficiaries must be informed of:
- The fact that their health care provider participates in an ACO,
- What that means in regards to how their health information will be shared, and
- That they can opt out of having their individual Medicare claims data shared with their provider.
Unfortunately, CDT believes that CMS may be placing too much emphasis on education through written materials. Written materials are an important piece of beneficiary education, and it is certainly important that ACOs keep written documentation of beneficiaries’ opt-out choices. As such, CDT was pleased to see that CMS is creating model ACO materials and will require ACOs’ educational materials to be approved by CMS.
However, beneficiaries will not have meaningful choice if their education consists primarily of written materials. Relying primarily on written materials does not qualify as engaging beneficiaries and does not provide them with an opportunity for input and dialog regarding their needs, preferences values and priorities – all of which the proposed rule would require. It is important that the providers – who engage beneficiaries from a position of trust – play an active role in discussing data sharing with beneficiaries. The final rule should make clear that education about the opt out must include conversations with beneficiaries (and, where appropriate, their caregivers) to make sure they understand the benefits and potential risks of allowing their Medicare claims data to be shared.
In accordance with fair information practices, identifiable Medicare beneficiary data should be subject to purpose specification requirements and limitations on collection and use. While the proposed rule attempts to set some boundaries on the collection and use of claims data, the actual language in the proposed rule should be clarified in order to implement CMS’ intent.
In the preamble to the proposed rule, CMS states that ACOs will be required to attest that their use of any requested identifiable claims data will be limited to certain activities related to the Shared Savings Program. The language of the proposed rule would require ACOs to limit use of the claims data to:
developing processes and engaging in appropriate activates related to coordinating care and improving the quality and efficiency of care that are applied uniformly to all Medicare beneficiaries assigned to the ACO, and that these data will not be used to reduce, limit or restrict care for specific beneficiaries.
CDT suggests strengthening the language in the final rule to state more clearly that ACOs are restricted to using Medicare identifiable claims data for the purpose of coordinating care related to the Shared Savings Program.
CMS also notes in the preamble that ACOs would be prohibited from sharing beneficiary identifiable claims data outside the ACO, yet the proposed data use agreement (DUA) – to be signed by the ACOs – does not expressly incorporate this important restriction. The DUA provisions also do not address limiting use of claims data to management of beneficiary care under the Shared Savings Program. Rather, the proposed rule states that the DUA must commit the ACO to complying with the limits of HIPAA and applicable law and prohibit the use of claims data for any prohibited use of identifiable health information. CDT suggests clarifying this section to limit ACO data use to managing care under the Shared Savings Program and prohibit ACOs from sharing identifiable claims information with entities outside the ACO. When necessary, the limits can be relaxed to include contractors, but there should be express limits on contractor’s use and retention of such information.
ACOs may request identifiable Medicare claims data on beneficiaries that may potentially be assigned to the ACO. However, the proposed rule lacks collection and use limitations on data for beneficiaries who are not and may never be assigned to the ACO. Instead, the proposed rule would require the data to be retained by ACOs for 10 years from the final date of the agreement period.
The final rule should prohibit ACOs from continuing to request claims data on beneficiaries who have not been assigned to the ACO. If there is merit to allowing an ACO to continue to receive this data, this potential broader use of information must be clearly conveyed to beneficiaries as part of the education process. Yet CDT cautions that allowing open-ended uses of claims information could affect beneficiaries’ trust in the Shared Savings Program, and may result in increased opt-out rates.
For the opt-out provision to be successful, beneficiaries who choose to opt out must not be discriminated against by ACOs. If patients are bullied into sharing their information with ACOs, the Shared Savings Program may quickly lose legitimacy and public trust. The proposed rule commits CMS to monitoring ACO avoidance of “at-risk beneficiaries,” and authorizes CMS to take action against ACOs who do so. However, the definition of an “at-risk beneficiary” does not include a beneficiary who opts out. To prevent discrimination, we urge CMS to amend the definition of “at-risk beneficiary” to include beneficiaries who have opted out.