Last Thursday, October 20, the Centers for Medicare & Medicaid Services released the final rule on the formation of accountable care organizations. This final rule contains many revisions from the March 31 proposed rule. The revisions represent CMS’s response to the numerous comments that it received.
The final rule will be published in the Federal Register on November 2. The CMS press release and other information on the 696 pages composing the final rule are available from CMS.
One important revision in the final rule deals with the the two different shared savings models for ACOs. The final rule adopts the two shared savings models as set forth in the proposed rule, but with some significant changes.
First, there is the “one-sided model” which provides for shared savings among the participants during entire initial agreement period with no sharing of losses (the first “year” of the initial agreement for ACOs that actually begin in 2012 will be 18 or 21 months). The proposed rule had required that after the first two years, an ACO choosing the one-sided model would transition into the “two-sided model,” and its participants would share savings and losses during the third year.
Second, there is the “two-sided model” where participants share savings and losses for the entire first agreement period. CMS believes that accountability for losses is an important motivator for providers to change their behavior. To reduce unnecessary expenditures, the final rule adopts the requirement that all ACOs after their initial agreement period must utilize the two-sided model.
However, CMS also recognizes that many providers may not be ready to share risk, and the one-sided model is available to them for the initial agreement period. An ACO in the one-sided model which experiences a loss during the initial agreement period will be allowed to apply to remain an ACO in the two-sided model for a subsequent agreement period.
The final rule also adopts the proposed rule’s requirement of a minimum savings rate of 2% before there is any shared savings. ACOs in the one-sided model with a smaller population would have a larger minimum savings rate, and ACOs in the one-sided model with a larger population would have a smaller rate. The maximum amount to be shared, subject to meeting reporting and quality requirements, is 50% for the one-sided model, and 60% for the two-sided model.
Another very important change in the final rule is the elimination of the proposed 25% withhold on all shared savings; now ACOs will share in all savings after meeting the requirements.
Akerman is committed to providing its healthcare clients with timely information regarding the ACO final rule. My colleagues, Rob Slavkin, Betsy Hodge, and I are available to answer any questions that you may have.
My colleagues, Steve Prom (Jacksonville) and Betsy Hodge (Tampa), healthcare attorneys at Akerman, have recently written an article for FHA on the “Organization or Development of RHIO or HIN for Risk Managers.” Their bios are at the end of this post. They have graciously allowed me to use their article here. The subject matter is very timely.
So, you’re a Risk Manager and your organization is getting involved in the organization or development of a Regional Health Information Organization (“RHIO”) or a Health Information Network (“HIN”). Many hospitals, health agencies, physicians and other health care providers are scurrying about in efforts to cobble together functioning, sustainable electronic health information networks that will permit health care providers and planners to use patient health information in a meaningful way. This article is not intended to be a primer on how to accomplish that. In fact, the authors are not aware of any groups that have claimed to have been wholly successful in their efforts. This article is an effort to inform the reader, in a meaningful way, regarding some risks that will be associated with organizing a RHIO or HIN and how to deal with them. For simplicity, the authors elected to use the term “HIN” to refer to either a RHIO, HIN, or both.
Step 1: Identify the Risks
Other than possible inaccuracies contained in an electronic medical record that is accessible in a HIN, the biggest risk that HIN participants will face is that of unauthorized disclosure. Unauthorized disclosures can be accidental, intentional or the result of “fishing” by nosey “journalists,” fans, paparazzi or, even more likely, inquisitive persons who have access to the records and may be seeking to share or leak information for pleasure or bounty, but are not authorized by the patient to do so. “Fishing” can also be the result of well-meaning administrators associated with a participant or host entity who accesses patient information without the patient’s authorization or consent, and is not using the information for purposes of diagnosis, treatment, health planning, or billing/collection.
Step 2: Identify the Participants
Participants in a HIN may include all or a subset of a universe of interested health care providers, including hospitals, physicians, local health agencies, not for profit health clinics, behavioral health providers, and homeless shelters. From a practical standpoint, the initial participants will likely either be necessary or helpful. For example, they offer expertise in HIT experience, funding, leadership, community profile, legal, HIPAA, etc. The authors’ experience reflects that hospitals, a local health department and one or more clinics that would benefit from HIN use and data analysis will likely be initial organizers/participants, although larger physician groups, networks and hospital-based or affiliated groups are natural fits, as well. Since most HINs are developed in stages, good planning will probably identify not only the prospective participants, but also their strengths, readiness and at what stage they are likely to join the HIN .
Step 3: Identify the Laws/Sanctions
A Florida patient’s rights to privacy and confidentiality with respect to his or her medical records are protected under both Florida and Federal laws. Under Florida law, a patient has a right to privacy that is protected by the Florida constitution, as well as Florida statutes. Patient medical records are to be kept confidential absent patient consent. Additionally, patient medical records relating to substance abuse, mental health and certain diseases, such as HIV/AIDS, are afforded “super confidentiality,” which means that specific consent to disclosure must be in writing and can be withdrawn at any time, subject to limited exceptions. Florida also has a breach notification law which requires persons who cause or learn of an unauthorized disclosure of unencrypted confidential patient records to notify the patient, take steps to lessen the damage, etc. This can be very expensive when, for example, the “breach” is the loss or theft of a computer server that may have tens, or hundreds of thousands, or millions of patients’ records.
In addition to Florida law protections, patient health information in both paper and electronic format is protected under the federal HIPAA and HITECH laws. Also, , Florida and federal laws prohibit the unauthorized disclosure of “super confidential” patient information related to substance abuse, mental health and certain diseases, such as HIV/AIDS. Of course, the key to risk management is to document and preserve patient authorization and consent to the disclosure or redisclosure of PHI and super confidential PHI.
Step 4: Identify Prevention Mechanisms
A HIN is only as good as its weakest link. It is critical that the HIN carefully select who will participate in the network and that all participants understand from the beginning what is expected of them.
Establish credentialing criteria for participants focused on their adherence to “best practices” with respect to maintaining the privacy and security of patient information. All participants should sign an agreement that, among other things, obligates participants to adhere to privacy and security “best practices.” Interim Final Rule on Breach Notification for Unsecured Protected Health Information published August 24, 2009 at 74 Federal Register 42740, references many of the NIST guides related to protected health information. The “meaningful use” requirements also mandate certain IT capabilities to protect patient information. Best practices that HIN participants should agree to adhere include individual user IDs and passwords, sufficiently strong passwords (use of upper and lower case, numbers and symbols), work stations timing out after a specified period, and use of security audits to detect unauthorized access to patient information. The participant agreement should also address what steps will be taken and by whom if a HIN participant or one of its employees is found to have engaged in unauthorized access or disclosure of patient information.
Additionally, HIN participants should carefully select the vendor(s) who will be providing the infrastructure. Asking for references and actually following up with those references can provide a wealth of information about the capabilities of prospective vendors, both from a technological and a customer service perspective. Also, it is important to have any contract with IT vendors reviewed by lawyers knowledgeable in that area especially since vendors will try to provide as few warranties and as many disclaimers as possible concerning their IT systems.
There must be a HIPAA and HITECH compliant Business Associate Agreement (BAA) with all covered entities participating in the HIN.
The HIN should have legal counsel involved in creating these “prevention mechanisms.” At the same time, each participant should have its own counsel review documents the HIN is requiring participants to sign. Participants need to identify in the beginning if they will be able to comply with their obligations to the HIN and identify any gaps and determine how to correct them.
Step 5: Identify Post Event Mop Up
Regardless of efforts to prevent risk occurrence, there will be adverse “events.” The time to plan your response to those events is before they occur.
The HIN should develop policies and procedures (“P & Ps”) that describe what should happen when an “adverse event” occurs. These policies and procedures should include encouraging participants to timely report to the HIN if they discover an adverse event. As with your facilities’ internal policies and P & Ps, the HIN procedures should specify who will be the central contact person when an adverse event is discovered. There may be more than one such person depending on the type of adverse event. The P & Ps should also specify how the event and the response to event will be documented.
The HIN should review with legal counsel the various federal and state laws governing data breaches in developing P & Ps for responding to an event. For example, both the federal HITECH Act and Florida’s data breach law specify steps to take in the event of a data breach.
Identify the “team” that will help respond to data breach before one occurs. Prepare a short list of, or better yet, retain, computer forensic firms, public relation firms, outside legal counsel, and firms that provide credit monitoring in advance of an event so there can be a prompt response.
Of course, all HIN participants must be educated on these policies and procedures.
Step 6: Identify Potential Damage Claims/Fines
It is important for the HIN and the participants to identify the cost of the worst-case scenario and the most-likely scenario. Both HIPAA and HITECH provide for fines for improper use and disclosure of protected health information. If there is a data breach, as defined under the HITECH Act, the entity that suffered the breach must provide notice to all who are potentially affected. HIPAA requires that the covered entity mitigate harm to those affected by a breach. Mitigation can include offering credit monitoring and setting up call centers to address questions, which can be expensive. The Florida data breach law requires that an entity that conducts business in Florida notify all of those who are affected by data breach.
In addition to fines that may be imposed by Florida and the federal government, there is the cost of responding to the breach. This may take a lot of staff time and may also require the use of outside vendors such as computer forensic specialists and outside legal counsel. If the breach is of sufficient size, the entity may need to disclose through a media outlet and disclose to HHS (which will then publish the breach on its website.) The cost of hiring a public relations firm to deal with the bad publicity should be considered. As mentioned above, it may be prudent to set up a call center and provide credit monitoring to those affected by the breach.
Also, consider the potential cost of having the federal government impose a Corrective Action Plan under HIPAA. Often, the fine is dwarfed by the costs of complying with the plan, including hiring an outside monitor, cost of updating policies and procedures regarding privacy of protected health information, training employees on the policies, and preparing various reports required under the plan.
Step 7: Identify How to Defend/Pay Damages
Both the HIN and its participants must decide how to insure against potential claims or losses related to participation in the HIN. One option is to obtain commercial insurance, if it is available. Another option is to self-insure. The HIN may also want to consider contracting responsibility for loss to its vendor. HIN participants should check with their current liability carrier to see whether the policy will cover losses related to participation in a HIN.
The HIN needs to review what damages or costs insurance will pay. Often insurance will not cover fines. Insurance will not cover punitive damages. The HIN and participants need to determine how each will pay any amounts not covered by insurance. Another issue to consider is whether there will be any indemnification between the HIN and participants, depending on who caused the adverse event. This should be addressed in the participation agreement.
The organization and operation of HINs presents both opportunities and challenges to the organizers and subsequent participants. Success and sustainability will in large part depend on organizers and participant HIT and legal counsel to understand, appreciate and address the legal risks and to set up appropriate mechanisms to prevent or minimize the adverse consequences to the patients, providers and participating organizations’ future ability to achieve their missions.
About the Authors
Stephen G. Prom, Esq.
Stephen Prom has over 30 years of multidisciplinary legal experience in the areas of corporate, business and tax, with a high concentration in the healthcare industry. His experience includes the representation of institutional, group and individual providers in connection with electronic medical records and networks. He is a shareholder in Akerman’s Jacksonville, Florida office.
Elizabeth F. Hodge, Esq.
Elizabeth Hodge has more than ten years of experience representing hospitals, physicians, and other healthcare providers in contract matters, medical record issues and general healthcare litigation, principally civil and administrative trial matters. She is Of Counsel in Akerman’s Tampa, Florida office.
Last week, HHS announced a new initiative under the Affordable Care Act. The initiative is intended “to help primary care practices deliver higher quality, more coordinated and patient-centered care.” If you follow this link, you will come to CMS’s new Comprehensive Primary Care initiative web site. A summary of the initiative is available in a CMS “FactSheet.”
The initiative is a limited demonstration project, and will be available in five to seven markets across the country, based on where a preponderance of health care payers apply. CMS intends to partner with commercial and public health insurers to promote community-wide investments in comprehensive primary care. Payers can be private insurers, Medicare Advantage Plans, states (e.g., Medicaid program or state employee health plans), high risk pools, etc.
CMS will provide resources to primary care practices that choose to participate in the initiative that will help primary care physicians work with patients to ensure that the physicians:
- Manage Care for Patients with High Health Care Needs
- Ensure Access to Care
- Deliver Preventive Care
- Engage Patients and Caregivers to participate in their own care
- Coordinate Care Across the Medical Neighborhood
CMS will pay primary care providers for improved and comprehensive care management, and after two years offer them the chance to share in any savings they generate. Equally important, CMS will look to collaborate with other payers in local markets who will commit to similar approaches to how they engage and compensate primary care practices.
Many have argued, including the AMA and other physician professional associations, that the only criteria that should affect whether a physician is allowed to become a member of a hospital’s medical staff are quality of care, experience, and competence. So-called “economic credentialing” has been labeled a thinly veiled attempt by a hospital to increase referrals and utilization. In fact, even the OIG weighed in, stating (idiotically, I think) that if medical staff membership and hospital privileges have an economic value, then a hospital’s adding any sort of quid pro quo on the granting of privileges could constitute an illegal kickback scheme. Of course, the antitrust laws get trotted out as the last offensive gesture by the denied physician when economics are considered in credentialing decisions.
The world of healthcare is different today, and getting more and more different daily. But the direction that healthcare is taking is clear: accountability, cost-effective care, incentives to provide better care at the same time as providing less care. Quality, experience, and competence are assumed. And they are no longer enough.
Interestingly, economic credentialing is no longer the exclusive province of hospitals. It has become a tool of medical staffs to protect themselves from a hospital that is trying to acquire practices, grant exclusive arrangements to certain physicians, and otherwise control physician provided healthcare.
Physicians and their associations should get out in front of the economic credentialing debate while they still have time to make a difference.
For each new physican applicant, medical executive committees and their credentialing committees need to focus on utilization and admission and discharge histories, conflicts of interest, the need for the particular specialty (or for another physician who practices it) and the availability of hospital resources the accommodate ithe applucant, the applicant’s economic dependence or independence from the hospital administration, and the overall impact of the applicant on the mission of the hospital and the medical staff.
There is no downside to physician members of a hospital’s medical insisting that new applicants and re-applicants, not only be well qualified, experienced, and competent practitioners, but that they also promote efficient and economical healthcare.
Physicians must be willing, and not embarrassed, to treat the delivery of healthcare services as a business. Medical executive committees need to review their staff bylaws and consider changes to improve their medical staffs and to increase sensitivity to the economics of healthcare in the hospital setting.
Different states will have different laws relating to economic credentialing issues, and so, while the task is simple, it will not be easy in all cases.