On March 31, 2011, the Centers for Medicare & Medicaid Services (CMS) published its Proposed Rule (Proposed Rule) for Accountable Care
Organizations (ACOs) under the Affordable Care Act. In laying the foundation for ACOs, the Proposed Rule emphasizes the centrality of health
information technology (IT). Indeed, according to Dr. Farzad Mostashari, newly appointed deputy national coordinator for programs and policy at the
Office of the National Coordinator for Health Information Technology at HHS, “health IT tools are an essential foundation to support the kinds of
coordinated, patient-centered and accountable care envisioned by the ACO program.” Most evident, the Proposed Rule parallels many of the requirements
delineated for providers to meet the Electronic Health Records (EHR) Implementation Program requirements of the Health Information Technology for
Economic and Clinical Health Act (HITECH).
Physician Quality Reporting Systems
Under the Proposed Rule, an ACO must meet the “quality performance standard” in order to qualify for shared savings. CMS has proposed the use of 65
measures to calculate whether an ACO has met the quality performance standard. These measures are grouped into five domains: Patient/Caregiver
Experience (7 measures); Care Coordination (16 measures); Patient Safety (2 measures); Preventive Health (9 measures); and At-Risk Population/Frail
Elderly Health (31 measures).
Health IT plays a vital part in the reporting of the quality measures data. Although data may be submitted through various existing quality reporting
programs such as the Physician Quality Reporting System and the Centers for Disease Control and Prevention National Healthcare Safety Network, CMS
notes that there will be much alignment with the ACO measure specifications and the HITECH implemented EHR quality measure specifications.
Additionally, some measures will need to be reported through a more sophisticated version of the currently existing data collection tool called the
Group Practice Reporting Option (GPRO). As a result, CMS has proposed a reporting system for ACOs that necessitates increased adoption of EHR
CMS requests comments on the proposed data submission requirements, including whether alternative data submission methods should be required or
Meaningful EHR Users
The alignment of the Proposed Rule and the HITECH EHR Incentive Program is even more evident in the requirement by the Proposed Rule that
at least 50% of an ACO's primary care physicians must be meaningful users of certified EHRs by the start of the second ACO performance year. CMS
indicates that this is only the first step in ACO provider participation of the EHR Incentive Program and “[f]or subsequent years, we anticipate
proposing greater alignment between the Shared Savings Program and the EHR Incentive program through future rulemaking.”
CMS is seeking comments as to whether the meaningful use requirement for primary care physicians should be extended to hospitals, and whether an
exception should be made in those cases where an ACO may include only one hospital or no hospitals.
Evidence Based Medicine and Coordination of Care
In addition to quality based reporting, ACOs are required to develop and implement evidence based medical practices and processes to coordinate care.
Part of the development for the promotion of evidence based medicine will include the need of infrastructure that enables the ACO to collect and
evaluate data and provide feedback to ACO participants to influence care across the ACO. This infrastructure may include integrated EHRs with clinical
decision support. Moreover, CMS requires that the ACO be able to coordinate care and identifies technologies such as predictive modeling, remote
monitoring, telehealth, and electronic health information exchanges to enable coordination.
The ability to obtain and share ACO beneficiary information is a foundational block of the ACO Program, as sharing allows an ACO provider to adjust
care to improve quality and efficiency. HHS is proposing to make available various types of medical information to participating ACOs:
- Aggregated data on beneficiary use of healthcare services.
- Identification of Historically Assigned Beneficiaries – Data which includes name, date of birth, gender and Medicare ID for historically ACO-assigned patients included in the aggregate data reports above.
- Sharing Beneficiary-Identifiable Medicare Parts A, B, and D Claims Data – For Medicare Parts A and B, the data elements that will be provided
are: procedure code, diagnosis code, beneficiary ID, date of birth, gender, and, if applicable, date of death, claim ID, the from and thru dates of
service, the provider or supplier ID, and the claim payment type. The Medicare Part D data includes:
beneficiary ID, prescriber ID, drug service date, drug product service ID, and indication if the drug is on the formulary.
Much of this information will fall under the scope of protected health information (PHI) under the Health Insurance Portability and Accountability Act
and accompanying regulations (HIPAA). Depending on its business structure, an ACO either will be part of a covered entity or will be a business
associate of the participating covered entities. In either case, the Proposed Rule depends heavily on the ability of these entities to exchange PHI for
certain healthcare operation purposes.
Under the HIPAA privacy rule, the entities may exchange PHI for healthcare operations, where (1) both covered entities have or had a relationship with
the subject of the PHI to be disclosed, (2) the PHI pertains to that relationship, and (3) the recipient will use the PHI for a "healthcare operations"
function. As defined in the privacy rule of HIPAA, healthcare operations include “population-based activities relating to improving health or
reducing health costs, protocol development, case management and care coordination.” CMS indicates that the disclosure of the identification of the
historically assigned beneficiaries and sharing of Medicare Parts A, B and D claims information with ACOs would fall within the scope of healthcare
operations. Additionally, CMS notes that the data shared are the “minimum necessary” to accomplish the purpose of the disclosure request.
Despite indicating the legal authority under privacy regulations to share this data, and in the spirit of keeping the patient informed, CMS proposes an
opt-out model that requires ACO participants to give notice to patients and offer them a choice not to have their Medicare claims information shared
with the ACO. If a patient opts-out of claims information sharing, the ACO must honor the choice, but the opt-out applies only to the data sharing
portion of the program. Although the opt-out applies to the data sharing portion of the ACO program, it does not affect the patient’s assignment to the
ACO or the use of the patient’s data for purposes such as calculating ACO benchmarks, per capita costs, quality performance or performance year per
capita expenditures. Unfortunately, if a significant number of patients opt-out, the ACO may find itself in a dilemma in fully evaluating the care
received by its beneficiaries, but will nevertheless still be held accountable for that care.
The Proposed Rule emphasizes the need to comport with privacy rules by stating that ACO agreements may be terminated for improper use or disclosure of
the shared claims information. CMS requests comments on the implications of sharing protected health information, such as Parts A, B and D claims
data, with ACOs and the use of an opt-out, versus an opt-in, approach to patient consent and individual choice.