
How Accountable Care Organizations (ACOs) Will Use and Disclose Protected Health Information While Complying with HIPAA

Written by Dianne Bourque

The Centers for Medicare & Medicaid Services (CMS) has released proposed regulations establishing Accountable Care Organizations (ACOs) and creating the Medicare Shared Savings Program (the Program). The Program will permit health care providers and suppliers to form ACOs and to reward those that lower health care costs for Medicare fee-for-service beneficiaries, while meeting quality of care performance standards. The Program will also hold accountable ACOs that fail to generate savings. CMS will assign beneficiaries to ACOs based on their utilization of primary care services.

To facilitate beneficiary assignment and to ensure that ACOs have the baseline data necessary to evaluate and improve care, Medicare is proposing various uses and disclosures of beneficiary data constituting protected health information (PHI). This PHI ranges from demographic information to claims history, and all of it is protected by the privacy regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

After the jump, read more about CMS’s proposed uses and disclosures of PHI in connection with the Program, its rationale under HIPAA for using PHI, and additional protections proposed by CMS that exceed HIPAA requirements.

Demographic Information

CMS proposes to use beneficiary name, date of birth, sex, and health insurance claim number in order to assign beneficiaries to ACOs and to identify beneficiaries to ACO providers. Beneficiary permission or authorization for this use of PHI will not be obtained because CMS believes that the use of this data is permissible as a “health care operation” under HIPAA.

Under HIPAA, a covered entity, such as the Medicare fee-for-service program, is permitted to disclose PHI to another covered entity (such as a provider) without a patient’s authorization if both entities have a relationship with the patient and if the disclosure is for certain enumerated purposes, including population-based activities relating to improving health or reducing health costs, protocol development, case management, and care coordination. CMS has determined that the disclosure of PHI to an ACO is consistent with these purposes. However, CMS is seeking feedback on whether or how the chosen data points will support the goals of the Program.

Claims History

CMS proposes making detailed Medicare claims information available to ACOs, on a monthly basis, to support proactive care coordination and to help ACOs track performance against defined performance measures. However, access to claims data will not be unrestricted. CMS proposes limiting available claims data to those beneficiaries who have received services from a primary care physician participating in the ACO during the performance year. Additionally, ACOs requesting claims data will be required to justify their request and explain how they intend to use the data to evaluate performance.

Protections Beyond HIPAA Requirements

Although HIPAA’s exception for health care operations would likely permit the use and disclosure of claims data, CMS is proposing that ACOs enter into “data use agreements” with CMS prior to receiving identifiable claims data, but not in connection with disclosures of demographic data used to identify beneficiaries. A data use agreement is an agreement established under HIPAA between a covered entity and the intended recipient of a “limited data set,” which is a term used under HIPAA to describe a limited amount of PHI. A data use agreement defines the ways in which the recipient may use the data and how it must be protected. In this case, a data use agreement would prohibit the sharing of claims data outside of the ACO and would further prohibit any use of claims data that would violate HIPAA. Data use agreement compliance will be a condition of participation in the Program.

CMS is also proposing that each Medicare beneficiary receive notice at the point of care that the provider is part of an ACO. The notice would include the right to opt out of disclosures of PHI in connection with the Program. ACOs will also be required to provide a form confirming that the beneficiary has received notice of potential uses and disclosures of their claims data and a simple process for opting out of information sharing, such as a phone number or e-mail address.

The proposed regulations related to data use agreements, beneficiaries’ notices, opt-out rights, and documentation of compliance with notice requirements arguably exceed HIPAA’s requirements and have the potential to create administrative burdens for ACO participants. For example, ACOs will have to keep track of beneficiaries who have elected to opt out of claims history disclosures to ensure that they are not included in ACO care planning efforts. Also, a provider whose patients are assigned to the provider’s ACO will have to distinguish between permissible uses of PHI in the ordinary course of care and uses of PHI in connection with ACO activities for beneficiaries who have opted out.

Providers and others who are concerned about these requirements or about the use of the PHI of Medicare beneficiaries generally should consider submitting comments to CMS. Mintz Levin is prepared to assist with analysis of how these requirements may affect the administration and operation of ACOs and with the preparation of comments. The deadline for submission of comments is June 6, 2011.
