Whether it’s a Medicare Pioneer Program or a commercial payer, an Accountable Care Organization (ACO) that contains healthcare providers, plans and clearinghouses must comply with HIPAA standards and ensure privacy is maintained. Because ACOs are built on shared financial savings and risk tied to reduced health plan spending, they share protected health information (PHI) by nature, so privacy and security considerations must be a large part of long-term planning.
As Adam H. Greene, JD, of Davis Wright Tremaine LLP, explained during the HIMSS Privacy and Security Forum last week, healthcare providers are likely to be bound to an Organized Health Care Arrangement (OHCA). These organizations need to publicize that they’re participating in a joint arrangement with clear public notices, and Greene asserted that it’s helpful to confirm OHCA status in the ACO participation agreement.
Where responsibilities can get confusing is deciding, under HIPAA, which organizations would be business associates (BAs) and subcontractors:
- Greene advised that a single participant be chosen to enter into business associate agreements on behalf of the OHCA
- If a provider (e.g., a hospital) provides support to the ACO, then the provider is a subcontractor BA of the ACO
- However, if the ACO itself is a separate company, then the ACO becomes the BA of the OHCA
ACO participants can share PHI for treatment, payment and joint healthcare operations and can send information under an existing HIE agreement that permits ACO sharing.
Health plan responsibilities
As a covered entity, a health plan can disclose PHI to another covered entity (or BA), assuming it meets one of these conditions:
- Both entities have or had a relationship with the individual
- PHI pertains to such relationship
- The disclosure is for a purpose in healthcare operations, such as quality improvement/assessment, improving health/reducing costs, and case management/care coordination. Essentially, the requested PHI must be the minimum necessary for the participants’ health care operations