WEBINAR: PHI in the ACO - Risk Management, Mitigation and Data Collection Issues

WEBINAR: PHI in the ACO - Risk Management, Mitigation and Data Collection Issues

May 20, 2014 2:00 pm

(Save to cal)



Healthcare IT and security attorney Tatiana Melnik and Accountable Care policy attorney Carrie Nixon join Online Tech to discuss PHI in the ACO: Risk Management, Mitigation and Data Collection Issues.

Title: PHI in the ACO: Risk Management, Mitigation and Data Collection Issues

Description: With the ever increasing need for healthcare services and the aging population, Accountable Care Organizations aim to improve quality of care, while at the same time lowering the cost of care. This session will discuss:

  • Lessons learned from early adopters
  • The role of patient health and quality of care
  • Legal risk exposure and ways to mitigate risks
  • The role of technology and data collection in the patient care continuum
  • Ways to use risk management programs and technology to align interests and improve patient health and quality of care



View Slides


FTC health care competition workshop videos

April Sage: Hi, everyone, and welcome to our Tuesday at Two webinar. Today, we are going to be discussing some of the challenges that organizations are facing as they are required to share patient information within the accountable care organization framework.

For those of you who have joined us on previous Tuesday at Two webinars, you can help me welcome back Tatiana Melnik. Tatiana is an attorney specializing in IT legal issues with a specific emphasis on HIPAA, high tech, and the world of healthcare and cloud computing. She’s the managing editor of the Nanotechnology Law & Business Journal and a former council member of the Michigan Bar Information Technology Law Council. Today, she’s joining us from lovely Florida. Tatiana, welcome back.

Tatiana Melnik: Thank you very much. Florida is very lovely today.

April Sage: Amazingly, we even have some sun in Michigan today, so I’m happy to share that bit of good weather news. Please help me welcome a new guest to our webinar series today. We’re welcoming Carrie Nixon. Carrie is president of Accountable Care Law & Policy. She’s joining us from Washington, D.C., today. Hopefully, she has a bit of good weather there, as well. Carrie is a founding member of Healthcare Solutions Connection, a network of expert consultants providing integrated service solutions for the healthcare industry. As a long-time attorney for a variety of clients in the assisted living and long-term care industry, Carrie has on-the-ground experience with the unique challenges facing those who serve our aging population. She has successfully defended these clients against malpractice claims and deficiency citations, helping them to navigate the ever-changing regulatory and risk management landscape.

Carrie, we’re certainly in an area that’s changing pretty quickly. I’d say the terrain is quite varied and even a little bit challenging. Welcome. We’re very happy to have you join us today.

Carrie Nixon: Thanks so much. I’m delighted to be here. You’re right, we are in a very rapidly changing environment. That’s part of what makes it fun for me to focus my practice on the ACA reforms. There are definitely a lot of challenges but a lot of opportunities.

April Sage: Super. With no further ado, I’m going to turn it over to you, Tatiana, to take it away.

Tatiana Melnik: Thank you very much. Let’s go ahead and roll right into the presentation here, if I could figure out a way to make the slides go. There we go. Okay. Here’s just a brief outline of what we’re going to go through today. Please, as you have questions, go ahead and type them into the window, and April will bring them to our attention at the appropriate time. We’ll also be taking questions at the end of the presentation.

Why are we moving to the ACO model, the first thing we’re going to cover. Then we’re going to talk briefly about what is an ACO and some of the few early success stories that have been announced; talk more specifically about where the patient fits in the process, because after all, the whole goal here is to make the patient better; talk specifically about some of the roles that technology plays; and then of course talk about ways to minimize and mitigate some of the legal risks that come up in this framework.

We’re moving to the ACO model because really, the current system is unsustainable. I think that is no surprise to anybody on the call. The Baby Boomers are aging and are straining a system that is already having a difficult time managing and sustaining a patient population. I think some of the more recent issues that we’ve seen with the VA, for example, are a good demonstration of what happens when a system can’t support a patient population in need. That is, frankly, that people don’t get the care that they need in a timely fashion. That’s really what we’re seeing with the broader healthcare market, where people who really need services are not getting them.

Part of that problem, of course, is that the system we have in place is incentivizing the wrong behavior. Currently, providers are paid in a fee-for-service model versus being paid for providing quality care. I was actually at a conference a few weeks ago where one of the presenters was a medical professional. He said specifically that if he was compensated based on quality, that he would practice medicine differently. As a patient, you can imagine, that’s a pretty scary thought. The last thing you want to hear is a doctor saying that if he was paid for making you better, he’d actually do things differently. That’s a little problematic.

That’s also part of the problem that the accountable care organizations are supposed to fix. The goal is that through integration, we see lower fees and, at the same time, better care. We do this through matching incentives with outcomes through the shared savings program. There’s a great quote from the CEO of Saint Thomas Health in Nashville, Tennessee, where he highlights that providers are practicing medicine without the needed information. That’s really problematic. That’s problematic for patients, and that’s problematic for providers, because most of them want to do a really great job. They’re put in a position because they don’t have the information to provide the high level of care that they want to. Again, the ACO model is supposed to address at least some of these issues. Carrie?

Carrie Nixon: Thank you, Tatiana. We are headed to a fundamental change in the system. I think that everyone knows this. We’re shifting away from a traditional fee-for-service model, and we’re moving towards a more accountable patient-centered model of care. That actually, I think, would have happened whether or not the Affordable Care Act was upheld.

Back in the spring of 2012, I attended a presentation by the national medical director at UnitedHealthcare. This was the spring, and it was before the Supreme Court handed down its decision on the Affordable Care Act. His take on the matter was, “Look, the private sector recognizes that we’re on an unsustainable path. They recognize that we have got to change the way we deliver care and the way that we reimburse for care. We’re moving forward with various reforms and various changes in delivery models and payment models, whether or not the Affordable Care Act is upheld.”


A colleague and I actually, we did an op-ed arguing that the train had left the station on all of these reforms and that what the Supreme Court said about Obamacare really didn’t matter. Sure enough, the next day, the Affordable Care Act was upheld in most part. Regardless, the private sector, I think, was already on board and was seeing this fundamental change coming. This move towards accountable care is movement with the goal of achieving what’s referred to as the Triple Aim. I’m sure most people on this call have heard about that. The components of the Triple Aim are better care for individuals, better health for populations, and lower per capita costs. One way that we can get to … or the theory is, anyway … one way that we can get to the Triple is through accountable care organizations.

Let’s take a look at what exactly is an accountable care organization. An ACO is an alliance of physicians, hospitals, and other providers that coordinate care for a particular group of patients to improve quality and to reduce costs. That definition is from NCQA. There are a couple of different kinds of ACOs. One is the Medicare Shared Savings Program ACO, and one is the private ACO. The Medicare Shared Savings Program ACO has very specific parameters. It looks a certain way, to a certain extent. Private ACOs, there’s no one definition, one-size-fits-all definition of a private ACO, because the models vary, and they’re not really constrained by the same parameters as the Medicare Shared Savings Program ACOs are.

There are approximately 14 million people that are commercially insured patients today that are being served by non-Medicare ACOs. That’s actually a very high number, just to give you a sense. Looking at the Medicare Shared Savings Program ACOs, for example, this math that we have in front of us shows quite a discrepancy in the number of ACOs and where they’re located around the country.

In looking at this map, you can see that the highest density of ACOs, more than three or four, tends to be found in southern California, in Florida, Arizona, and then Maryland, New Jersey, and some of the upper East Coast areas. Some of this has to do with the fact that these are in heavily populated areas, and that certainly makes a difference. Some of it also just has to do with the laws of the states and the mentality of the providers in those states.

In looking at this map, you’ll also see that the lowest density of ACOs is, by and large, in more rural areas. If you look at South Dakota, for example, you will see that there are no ACOs at all present there. You’ve got one in North Dakota. There are actually a couple in Montana, and one in particular very well known, the Billings Clinic, which is a model ACO that many are taking a look at, and especially in rural areas. By and large, rural areas tend not to be served by ACOs as of yet. There are some particular challenges with respect to rural ACOs that those rural providers face. CMS is actually working on some changes to encourage ACOs in rural communities. To date, we have 259 total Medicare Shared Savings Program ACOs, and that number is continuing to grow.

Let’s take a look at some of the requirements for becoming an ACO. An ACO can be comprised of separately recognized … An ACO has to have a distinct legal entity. If it’s comprised of several different kinds of components, different practice groups, a hospital, entities that have their own distinct legal entity, the ACO itself must establish a new legal entity that is comprised of the combined participants. In the ACO rule, there are very particular governance structure requirements in place for ACOs. A certain percentage of the participants has to be represented on the board. There has to be a patient, a Medicare patient, on the board. Really, the threshold is pretty high for the board to understand the requirements of an ACO and to take a look at their shared savings mechanisms and seeing whether, indeed, they are meeting their targets. When someone’s considering forming an ACO, the governance requirements are much more stringent than you would have, say, in the typical hospital setting.

The ACO participants have to be Medicare-reimbursed providers or suppliers with a unique tax identification number that they’re all billing under. Each ACO has to be assigned a minimum … they have to meet a threshold of a minimum of 5,000 Medicare fee-for-service beneficiaries. These beneficiaries are assigned to an ACO by CMS based on the number of beneficiaries that participating primary care physicians see. This is actually one of the barriers that some of the rule providers face. It’s actually difficult for them to form themselves in a way that … it can be, anyway … that they are actually assigned 5,000 Medicare beneficiaries, because in rural areas, some of the beneficiaries really tend to see nurse practitioners or physician assistants. That’s one of the challenges. That is definitely a threshold with an MSSP ACO.

An ACO must agree to enter into a three-year agreement with CMS. It’s definitely a three-year commitment. They have to commit to be accountable for the quality and the cost of overall care. Sorry for the two T’s there in that slide. They have to make an explicit commitment in their agreement with CMS to be accountable for certain quality measures, and they certainly are accountable for the cost of the care.

Let’s take a look at the ACO application process. I guess the one thing that I’d like to emphasize here is that it’s a really a pretty rigorous process. CMS does not accept all of the applicants. The acceptance rate tends to be about 40 percent of applications that are submitted. We have seen some entities start the application process and realize that it’s a little more than they had anticipated doing on their own, and backing out. We advise entities to really take a good look at the application process before you begin and before you file. It’s not a good thing with CMS to submit an application that is not very well thought through. That has an impact on reputation, I think, with CMS. Some people think, “We can just give it a try. We can submit an application now. What harm will it do if we get rejected? We’ll just do it again the next time around.” We try not to recommend that, because we’re finding that it really does reduce an applicant’s credibility with CMS if they do at first submit an application that really isn’t well thought through and isn’t really demonstrating to CMS that the applicant is fully on board with becoming an ACO.

We recommend getting some assistance with the application process. There are a lot of very technical requirements, even just in terms of submitting the application itself. Anyone who is considering applying, just be forewarned. It’s not an insurmountable obstacle, but it is a rigorous application process, and it’s a lot more work than people anticipate initially going in.

For a moment, let’s talk about the beneficiary assignment. Beneficiaries are initially assigned by CMS using the data from the most recent four quarters prior to the ACO start. Then CMS updates that list, and then final assignments of beneficiaries are made retrospectively at the year end.

I talked a little bit about commitment to the ACO process that needs to be demonstrated during the application process. These ACO commitments really are at the core of an accountable care organization. If an ACO is going to be successful, they’ve got to have these commitments top of mind in everything that they do. Quality assurance is one of those commitments, and it’s absolutely one that is addressed in the regs and highlighted in the regs. Tatiana will talk in a moment about some of the quality measures that need to be submitted to CMS on a reporting basis. But quality assurance, quality and cost measures, those are things that the organization must be incredibly committed to and must demonstrate, under their ACO rule, actually demonstrate that they have processes in place to make sure that these things are happening throughout the organization.

Evidence-based medicine is another very important commitment. CMS wants to see that procedures that are being conducted or tests that are being given are evidence based and are showing good outcomes. They don’t want people just ordering tests for the sake of ordering tests. That’s obviously against the whole philosophy of an ACO.

Patient engagement is incredibly important, as well. It’s an explicit part of the rules. Patients must be engaged in their care process.

We talked a little bit about quality and cost measures. Care coordination is very, very important. There needs to be an integration of the services provided to a patient, and the patient needs to be involved in their care, patient-centeredness aspect of care. Then Tatiana will talk more about the technical infrastructure that’s necessary to really look at the data that comes in, and to analyze that data, and to make sure that the ACO is on the right track with respect to the quality that it is showing to its patients and the cost measures that they’re reflecting.

Let’s now turn for a moment to some of the cost aspects and talk about how the shared savings aspect of an accountable care organization actually works. CMS establishes a benchmark that the accountable care organization as a whole must beat in order to achieve savings at the end of the term. This benchmark is established by estimating what the Medicare fee-for-service expenditures would have been for that particular given patient population in the absence of an ACO.

It is for that particular population. CMS looks at the characteristics of the particular assigned beneficiary population, and they make their estimates according to that population. There can be disease-based accountable care organizations. There can be accountable care organizations that focus on one particular type of patient over the other. The benchmark that’s established really does reflect that particular population.

There are two models of the Shared Savings Program. The first, and by far the most popular today, is the one-sided model, where an entity can achieve shared savings of up to 50 percent of the savings that it can show at the end of the year, based in part on its quality performance score. In this one-sided model, an entity is not taking on any of the downside risk. Basically, if an entity, at the end of the year, beats the CMS benchmark and shows savings, they are therefore eligible to receive 50 percent of those savings, with the other 50 percent going to CMS. If they don’t beat the benchmark, there’s no downside to them. This seems like a pretty safe way for some entities to dip their toe in the ACO waters.

There are some entities, however, who feel like they have a lot of experience in taking on risk, and they feel like they have done a good job in the past of demonstrating this. They may opt for the two-sided model, where they have the opportunity to share in more of the savings, up to 60 percent, if indeed they beat CMS’s benchmark. They also have downside risk. If they don’t beat the benchmark, they share in the losses, and they owe CMS money. Needless to say, there are many fewer entities in the two-sided model. As we will see, there are some there, and there are some that have succeeded.

Let’s actually talk for a moment about the pioneer ACOs. These were the first accountable care organizations to get off the ground. They started in 2011 with 32 accountable care organizations. There were a number of organizations that applied to be pioneer ACOs. They needed to show CMS that they had a history of succeeding in accountable care and in taking on risk. CMS selected 32 of those entities to start off as the pioneer ACOs in 2012.

Thirteen pioneers qualified for shared savings bonuses, totaling about 76 million dollars in 2012. That’s 13 out of the 22. In 2012, two of the pioneer ACOs qualified for shared saving losses of approximately four million dollars. I should say that these pioneer ACOs were the two-sided risk models. They were folks that had experience in the accountable care realm. CMS wanted them as the pilot program to do two-sided risk. Two of the pioneers actually experienced losses. Overall, with the 32 ACOs that started in the program, there was an 87.6 million dollar amount of gross savings. The quality results overall were uniformly positive among all 32 of the ACOs.

Despite this, in 2013, nine of the entities left the pioneer ACO program. Seven of those nine switched to the regular Medicare Shared Savings Program. They didn’t want to do the pioneer model anymore. The requirements were slightly different. Several of them, frankly, switched to the one-sided model of risk. They found that they weren’t really ready to be at a two-sided risk model. Two of the nine dropped out of the program entirely.

Let’s take a look at some of the early success stories from the pioneer ACOs and just the early ACOs in general. Montefiore Medical Center is an interesting example. It was a pioneer ACO. It’s in the Bronx, New York, serving a very poor urban population. It had a track record prior to even becoming an ACO of 15 years’ experience of meeting the needs of that core urban population. Therefore, they felt that they were pretty well equipped to become a pioneer ACO. Indeed, they were right. The first year, they achieved the highest financial performance of all pioneer ACOs that looked like a seven percent reduction in the cost of care and that amounted to savings of 23 million dollars. Then 14 million dollars of that amount went directly to Montefiore as a reward for their efforts.

Looking at Heartland Regional Medical Center, this is one of only four ACOs in 2012 that opted for the two-sided risk model. They rolled the dice. They felt like they could make the two-sided risk model work. At the end of the day, they had 2.9 million dollars in savings at the end of the first year. Heartland attributes this to the care manager program that they implemented five years earlier and also, importantly for this webinar, to the information technology investments that they made. This included hiring three new employees exclusively to analyze patient data. They put in a system that had new electronic medical record alerts that doctors would see immediately when they first treated an ACO patient. They really attribute that technology infrastructure to helping them to achieve the savings. Now Heartland is actually developing criteria to identify the most high-quality, cost-efficient specialty and post-acute providers in an effort to increase their savings even more.

The final one I want to briefly look at is RGV ACO Health Providers. They also achieved savings in the two-sided model, but they really did so … They say they did so not necessarily because of their technology infrastructure, but because of their high degree of confidence that they had some significant operational changes to make that would yield savings. RGV, I think, is an example where there were some real issues previously. It was a troubled system where it was not very efficient. Therefore, there were a lot of savings that they felt could be had simply by these operational changes. The right people came in there and made those changes, and achieved some great results.

Let’s see. We see overall that the interim results for the first year of savings in 2012 ACOs was that 27 of the ACOs achieved savings. Two achieved two-sided savings, and Heartland and RGV were both examples of that. Then two incurred losses. Two of the four that went for the two-sided achieved savings, and two incurred losses.

Let’s go on to the importance of the patient. Tatiana, I’ll turn it over to you.

Tatiana Melnik: Thank you. As Carrie just talked about, all the success stories, at bottom line, the patient is what’s important. The ACO model puts the patient at the center. Frankly, that’s the whole point of patient-centered care. We can see this most clearly when we look at the vision of the Shared Savings Program, where five out of the eight elements directly involve the patient in one form or another. Of course, the point of focusing on the patient is to provide better care. There’s also this understanding that if you engage the patient in his or her own care, then in the end, costs will be lower because the patient will be more responsive to what the doctor and what the rest of the healthcare system is doing for the patient.

When designing this program, it’s really important to think about patient engagement tools and empowering your providers and those working with patients to figure out how to get the patient better engaged, whether that be through, for example, developing mobile apps where you can send reminders to the patient, or developing additional tutorials, or setting up timeframes to have additional phone calls with the patient so they really understand how to take care of themselves and how to follow the treatment plan that’s been developed for them.

Part of the focus on the patient, of course, also includes a focus on quality. As Carrie talked about earlier, quality is essential. That’s the whole basis of getting reimbursement and sharing in the program, is because you’ve improved on quality. The ACO quality performance standard is made up of 33 measures divided into four separate domains.

The measures are intended to support the Shared Savings Program; improve individual health and the health of populations; address quality aims such as prevention, care of chronic illnesses, patient safety, and so forth; and, of course, align this program with other incentive programs like the Physician Quality Reporting System and the EHR Incentive Programs. The EHR Incentive Programs are a specific focus here because if you look at the specific domain and how the quality points are calculated, some of the EHR pieces get more weight when the ACO meets those components.


The ACO must report all measures in a domain to meet quality performance requirements. A score of 70 percent is required to earn quality points for a specific measure. It’s important to note that CMS may also audit and validate the data that’s reported by an ACO. As part of this audit process, CMA may request medical records data, so it’s very important that all of that data be easily accessible. We’ll talk a little bit more about this when we get to the technology portion.

If there’s a discrepancy greater than ten percent between the quality data reported and the medical records, then the ACO will not be given credit for that measure. When you’re looking at technology and setting up an infrastructure, it’s really important that all of those component pieces work together and are properly integrated, because if something falls through the cracks, then you may fall below that 70 percent passing rate. That could cause real problems for the organization.

Also, the record-keeping requirements as a whole are quite long. Records must be kept for ten years from the final date of the agreement period or from the date of completion of any audit, evaluation, or inspection. If there’s a termination, a dispute, or an allegation of fraud against the ACO, its participants, any of the suppliers, or others that are performing any functions related to the ACO, then the records must be kept for an additional six years from the date of any resulting final resolution.

This is really important, because when you’re planning your technical infrastructure and you’re thinking about the cost associated with developing the system, it’s important to look at the record-keeping requirements, because keeping information for 16 years or longer, that requires heavy investment, because when you think about how much space medical records take up, that’s a lot of data storage. Not only the data storage itself, which is certainly getting less and less expensive, but what about the data retrieval costs? What is it going to take for you to pull that data from those storage systems?

It’s clear that technology plays an important role, but you also need to have technology, and you need to be able to analyze the data. Data collection and analytics are really the keys to success in the ACO environment. This is because quality metrics must be collected and reported to CMS and must also be shared among the ACO participants so that they can provide better care to the beneficiaries.

All of this data sharing and collection require an advanced IT infrastructure, which means that you have to understand how the IT environment works and operates, and how the data really migrates and transitions through your system, and how it flows to everybody along the line. At the same time, in terms of analytics, not only do you need to have technology in place, but you need to have people and processes in place so that that data can be understood. Having analytics is useless if you don’t have anyone in the system that can actually explain what the numbers mean and how to improve on the information that you’re getting.

Carrie mentioned earlier that one of the ACOs actually hired three separate people, three employees, who just deal with the data. How many ACOs are considering that they have to do that? Or, are they thinking, “We’ll figure that out when we get to that point”? That’s really problematic, because that can impact the long-term success of your project. You need to have those considerations in place at the forefront and really account for those costs at the beginning. It’s clear that, as I mentioned, IT plays a very important role in the ACO model. There’s also, of course, challenges, because not every organization is in a position to have an advanced IT infrastructure. First, IT is expensive. Organizations have limited financial resources. Leadership has to carefully evaluate the technology solutions that are selected, because it’s not just the cost of the solution itself. It’s also the cost of training, upgrades, customization, and so forth.

All of those considerations should be thought through at the beginning and, to the extent possible, accounted for in the contract with the vendor, because it will be really costly when you come back later with a new statement of work, and now your project’s up an extra 50, 60, 70, 80,000 dollars to develop certain interfaces. That can be quite problematic, because you need to plan for those costs, because if you have shared participation from all the ACO members, how are you figuring out who’s paying for that and who’s going to share responsibility for that? Additionally, ACOs like hospitals and providers are adopting clinical decision support systems to, again, look for those opportunities to provide better care for their patients. On this front, the FDA, together with the ONC and the FCC, released the Health IT Report in April outlining a proposed strategy and recommendations on a risk-based regulatory framework to regulate health IT, including clinical decision support tools.

Also, just last week, on May 15th, during a three-day public hearing, regulators, health IT vendors, and hospital administrators also discussed which types of clinical decision support tools should be regulated by the FDA. Hospital administrators and medical device representatives interestingly advocated for greater involvement by the FDA, because they argued that providers are often blindly relying on advice from these CDS tools to inform their clinical decisions.

For those of you who are operating in this space, it’s really important to pay attention to what’s happening on that front, because you may be seeing more regulation down the line. Specifically, the hospitals and medical device representatives argued that the CDS systems used by surgeons, for example, should be high risk because surgeons are not exactly in a position to question the information they’re seeing at the time of surgery. So those are things you need to pay attention to carefully to make sure that you’re not stepping into additional regulations, and if you are, that you’re properly accounting for those issues in your contracts and in your cost model.

Additionally, with the move to EHR, with the integration of personal health records, mobile devices, and so forth, interoperability concerns are continuing to grow. Many IT vendors are charging high rates for interfaces which become problematic in the case of an ACO, where the question really becomes, who is paying for those interfaces? When you have a large number of providers participating who all have their own EHR systems, who want to use PHRs because now they’re participating in Meaningful Use, and they want to have maybe mobile device integration, how are all those interfaces handled, and how are all those costs handled? That just increases the growth and span of the technology issues that come into play.

On this front, on the interoperability front, the FTC is involved in assessing whether some software vendors are improperly exerting control on competition. If you’re interested in this aspect, then I encourage you to take a look at some of the materials from the FTC’s workshop that was held in March. It was called Examining Healthcare Competition, where these issues were discussed. That information is available on the FTC website.


Most importantly, all of the pieces have to work together. I think we all saw from the Healthcare.gov fiasco that sometimes that is easier said than done. Technology projects are pretty complicated. To minimize those implementation issues, you really have to have someone on your team that’s leading this project that truly understands how to manage software projects. Carrie and I, we’re having another session next month to talk more specifically about some of these technology issues in the ACO and some of the contract considerations. Carrie?

Carrie Nixon: Let’s turn for a moment to everyone’s favorite topic, the legal risks associated with all of this. One of the first things that jumps to mind when we talk about legal risks in the healthcare space are the fraud and abuse laws. Accountable care organizations are, by their very nature, structured in a way that tends to implicate the fraud and abuse laws. ACO provider participants have a financial stake in the organization. They refer patients to other providers within the ACO. They share information about patients and practices. These all tend to be warning flags for running afoul of fraud and abuse laws.

However … and this is a big “however … ACOs were created with the explicit purpose of coordinating care for a population of patients. They want to reduce costs. They want to improve outcomes. In recognition of this purpose and to avoid unduly constraining ACO participants to provide coordinated care, CMS set into place five waivers to the fraud and abuse laws. Those waivers are self-implementing waivers. You don’t have to go to CMS and say, “Can I get a waiver for this?” Instead, you just create your organization and your activity in a way that fulfills the requirements of the waiver. If CMS agrees with that, it will deem as you falling within one of the waiver requirements.

The five waivers that exist with respect to ACOs at the moment are, first of all, the pre-participation waiver. That waives the fraud and abuse laws in anticipation of forming an ACO. It allows for some arrangements prior to the actual formation in anticipation of forming an ACO that might otherwise implicate the fraud and abuse laws. For example, one participant entity might fund, basically, another entity’s participation in an effort to allow that entity to achieve some of the infrastructure necessary for the success of the ACO pool going forward. That’s useful. The second one is the participation waiver, which waives the fraud and abuse laws, certain elements of the fraud and abuse laws, during the course of the participation agreement, which is typically three years. The shared savings distribution waiver applies, just as it sounds, to how the shared savings are actually distributed. It allows for some distribution that you might not otherwise think would be allowed, given the fraud and abuse laws. That’s also helpful. The physician referral waiver, or otherwise known as the Stark Law waiver, waives that aspect with respect to ACOs. The patient incentive waiver allows providers to provide, just as it sounds, some incentives to patients that otherwise would not be allowed.

The one thing that these five waivers share in common is that in order for CMS to buy into the notion that your entity falls under one of these waivers, your entity’s structure has to be reasonably related to the purpose of the Shared Savings Program. You have to be able to say in good faith to CMS, “We’re creating this structure that otherwise might implicate some fraud and abuse laws because we truly believe that this particular structure is going to further the purposes of the Shared Savings Program. It’s going to help us achieve better outcome, and it’s going to help us achieve lower cost.” The board has to make that determination. They need to discuss that and sign off as a board on the fact that they believe that the structure is reasonably related to the purpose of the Shared Savings Program. That’s what it means to be self-implementing. We’ll talk about this a little more in a moment, but the contracts and agreements that are in place as part of creating the ACO entity are really critical to this whole aspect. The organizational structure of the ACO and the legal contracts and agreements that are in place as part of that structure really need to be well thought through and well structured so that, indeed, an entity can say, “We fall under this waiver,” and CMS, if they take a look at it, they’re going to say, “You’re right, you do.”

One other obvious legal risk that comes into play has been talked about over the past couple of years in a number of articles, and that is the issue of medical malpractice with accountable care organizations. There are several articles out there claiming that ACOs may have an increased malpractice liability. For example, an article in the Journal of the American Medical Association says that this is inevitable. ACOs tie medical decisions to cost savings, and that is always going to increase medical malpractice liability potential. People will be making the arguments that ACOs are prioritizing financial successes over the health of their members.

We haven’t really seen this fear that’s being touted in these articles come to fruition. We haven’t thus far seen a real increase in medical malpractice lawsuits brought specifically against ACOs on these grounds. There’s a lot of talk about it, but it really hasn’t come to fruition. Frankly, I think you could also make the counterargument that the other element of accountable care organizations is tying evidence-based medicine and improved outcomes to medical decisions, as well. That could be a little bit of a counter to that argument.

Some people look at the managed care organization models of the past and say, “Does the same insulation from liability apply to ACOs?” The answer thus far is no. ACOs do not at this point have federal preemption protection that was instituted for managed care organizations of the past. Again, we haven’t seen a lot with respect to medical malpractice liability concerns in reality, other than a lot of speculation. Tatiana?

Tatiana Melnik: Thank you. We wouldn’t really be talking about risks and liabilities in healthcare if we weren’t talking about doctors going to prison for committing fraud. Fraud enforcement is a high priority for the government area with enforcement increasing over the past several years. The Accountable Care Act also made some enforcement easier because it changed the standard with respect to the anti-kickback statute. Under this change, a provider does not need to have actual knowledge of the anti-kickback statute or the specific intent to commit a violation of the statute to find intent. This was a specific overruling of a case which held otherwise. Now it’ll be easier for the government to make criminal cases against suspected abusers.

We’re also seeing some enforcement in other spaces. In January, a CFO from a Texas hospital was indicted for Meaningful Use fraud. Yes, there is such a thing as committing Meaningful Use fraud. When you submit those applications, you are making a legal statement. To the extent that your organization may not have actually met the Meaningful Use requirements, please contact your attorney and discuss that issue with them, because that is certainly an area that is of high interest, given the amount of money that’s been spent on Meaningful Use.

One issue to keep in mind … and we don’t know the answer to this … is whether one bad actor within an ACO will spoil the whole bunch. Just because one participant in the ACO is doing bad things, does that now mean that everyone who’s participating in the ACO is in question? We saw this actually somewhat most recently on the privacy and security front. A very large part of the ACO model is the sharing of data. The question is, what impact will this data sharing, or, more to the point, a data breach, have on the rest of the participants?

Just this month, we saw an action from the Office of Civil Rights against New York Presbyterian Hospital and Columbia University where the two parties had an affiliation agreement. The breach itself happened at NYP, but it appears that because of the affiliation agreement and the involvement of a CU provider, CU was also dragged into the breach and was also audited. In the end, both parties got fined. The question is, will the same thing happen if there’s a breach at the ACO or a breach at one of the providers, suppliers, or other participants? Maybe. It’s certainly something that has to be thought through, and those risks need to be accounted for in the contracts.

The need for data breach insurance and the amount of data breach insurance must be very carefully evaluated. On this front, consider the recently released report from the Ponemon Institute finding that the cost to remediate a breach in the healthcare space is 359 dollars per record, compared to a 201 dollar industry average. If you have 50,000 records involved in a breach, that’s 17.9 million dollars. How many organizations have those kinds of funds to pay out that amount? That’s a lot of money for any organization to have to shell out in the event of a breach. Again, that’s a risk that really needs to be evaluated carefully. Carrie?

Carrie Nixon: Absolutely. Let me un-mute here. Let’s talk for a moment about some of the most important ways that we can mitigate risk. We’ve talked about what may seem like a lot of risk here. We’ve talked about what may seem like an enormous amount of procedure and process to cut through in order to make an accountable care organization work. I really don’t want to deter people from considering an ACO as a really good opportunity for creating an innovative care model.

One of the most important things that you can do to mitigate some of the risks and some of the challenges of instituting an ACO is to get a leadership structure in place that is a really strong leadership structure. I always say that an ACO’s success or failure really rests on the strength of its leadership. You need someone who is visionary. You need a management team and a board who are committed to the accountable care organization goals. You need a board and a senior management team that really understands the regulatory requirements and understands the importance of data to making an ACO successful and looking at quality outcomes and looking at cost savings.


On that front, too, it’s important to choose the right partners when you establish your ACO. Make sure that everyone is rowing in the same direction. Make sure that all the participants in an ACO entity have the infrastructure in place, share a commitment to the end goal, and are really ready and willing to work together to make this happen.


The other thing is very important to this call is to really underscore the important of data, data, data. Have your data collection mechanisms in place, and look at your data. Look at your data. Analyze your data. Think about what it means. Think about ways that you can improve. The information technology is obviously an enormous part of that. Tatiana?

Tatiana Melnik: As we’ve been discussing, gathering data in the ACO context is very, very important. It’s also known, of course, that physician offices and hospitals in general are fertile grounds for patient safety issues. Typical safety issues include, for example, drug interaction, patient falls, misdiagnoses, and so forth. Part of the goal of the ACO, though, is to improve on these fronts so that patients have better care. These quality improvement efforts can also be cast in a negative light and used against a physician, as Carrie mentioned earlier with the medical malpractice issues.

Patient safety organizations can be used to minimize some of these risks. The Patient Safety and Quality Improvement Act broadly protects information that could be used to improve patient safety, healthcare quality, or healthcare outcome. The act provides two fundamental protections: one, a privilege that prevents the patient safety work product from being introduced in courts or other tribunals; and two, it prohibits the disclosure of patient safety work product with some very limited exceptions. It’s pretty broad protection for all of that data that you’re going to be gathering in this process.

Notably, ACOs are not included as organizations that may take advantage of the reporting opportunities, but there are other options to structure the relationships so that the data within the ACO can be protected. There are definitely other ways to mitigate some of those concerns that we discussed earlier.

On that, let me actually go ahead and wind it down, and turn it back to April, because we may have some questions. April?


April Sage: Thanks, Tatiana. Thanks, Carrie. Carrie, I know that you have another commitment at 3:00. Before we get into questions here, let me thank you for sharing your time and expertise with us today. We look forward to hearing more details from you next month. It was great to have you with us.

Carrie Nixon: I appreciate that so much. I am happy, as I know is Tatiana, to speak with any of the participants, certainly to interact by email or to set up a phone call with any of the participants that want to talk about anything that we have covered today. It’s a lot of information, and so we’re happy to circle back with anyone that would need that.

April Sage: Super. Thanks, Carrie. Tatiana, do you have a few minutes for questions, or do we need to wrap up here in the next two minutes?

Tatiana Melnik: I have a few minutes for questions. I know Carrie, you have to jump off at 3:00.

Carrie Nixon: Yep, I’ve got about three more minutes, so I’ll hang with you.

April Sage: All right. One question is, when Medicare selects a potential ACO, do they have to be successful financially already?

Carrie Nixon: It certainly helps. I guess it depends what you mean as successful financially already. You’ve got to have the mechanisms in place to really put a good infrastructure together for an ACO. You need to have the financial wherewithal to put together the technology platforms that you need to add, if you do need to add some. You need to have a good sense, I think, of where your books are and where your finances are.

Joining an ACO is not just a no-brainer solution to achieving savings. More than half of the ACOs did not achieve savings the first year. It doesn’t mean they won’t. It means that they’re learning and that they’re getting things in place. It’s not just a no-brainer way to attain additional revenue. Having said that, if you’ve got good integration already in your system, and you feel good about your quality measurements, it could be a really great way for you to achieve some savings.

April Sage: Great. Thanks so much, Carrie. Another question is that you touched on some of the special needs for ACOs that operate in remote areas, where they may be encompassing many disparate care providers and many different types of providers. MissionPoint ACO is an example of an ACO that is encompassing many different types of care providers and is actually taking the program nationwide. Are there any additional complexities that are introduced when ACOs go across state lines?

Carrie Nixon: I think there are some complexities, but they’re definitely not insurmountable. States all have different requirements in the way that they approach some things. I think the biggest obstacle in going across state lines with an ACO is just making sure that the participating entities are communicating to each other.

Actually, I should pause and say that the questioner may be referring to an entity starting several different ACOs in several different geographical locations. I actually want to let you all know that there are some really interesting ACO models where in a single ACO, that ACO is operating across four or five different states, and they’re making that work. They’re communicating together via conference calls or video conferences to make sure they’re all on the same page. It’s not insurmountable, but there are challenges.

April Sage: It’s promising that there are some organizations making it work already. Sorry, Tatiana. Go ahead.

Tatiana Melnik: That’s okay. On the contracting side, you do have to look at the licensing issues involved and how those issues are addressed, and the ownership issues, because the different states have different requirements for who can own what entity. The structural issues themselves need to be carefully evaluated, but I agree with Carrie. They’re certainly not insurmountable. It’s definitely possible. It really comes down to communication and having a good leadership team in place that’s thinking about those issues right from the start and planning for them right from the start, because particularly when we’re looking at some of the technology issues, having the proper technology in place right from the beginning makes things significantly easier than trying to fix things when they’re already broken.

April Sage: Excellent point. One other question, I’m just curious, since Online Tech operates as a business associate in the healthcare space, what’s the greatest impact that you foresee on business associates that they need to be wary of or be informed about?

Tatiana Melnik: Carrie, I don’t know if you want to take this, or if you have to jump off.

Carrie Nixon: I’ll let you address it. My call allowed me to push back ten minutes just now via email, so I’ll let you take the first crack, and if I have anything to add, I’ll jump in.

Tatiana Melnik: Certainly, business associates have risks, but I don’t think they’re really any different in this context than they are in any other context when dealing with the healthcare space. In the situation of Online Tech, where you’re a data center and you’re storing data, you’re just storing that much more information. Because you’re handling that much more data, of course your risks go up, because the more data you have, the more risks you have in terms of data breach and privacy and security concerns.

On the other front, if you have business associates that are participating with ACOs more directly and were looking at all of these fraud and abuse issues, where it’s everyone who’s involved with the ACO process has risks and liabilities on that front, and it’s this whole notion of birds of a feather. What extent now do the bad actions of one of your partners have to rub off on you? That certainly is a high risk, and frankly, we just don’t have an answer to that right now, because we haven’t seen that play out in court.

April Sage: That makes sense. Carrie, anything to add to that?

Carrie Nixon: No, I agree with that. I’m sure we will see more on this as the model continues to develop, and inevitably lawsuits are filed. It will be interesting to see how some of those lawsuits play out at the outset. We’re not really seeing that yet, but people will be keeping a close watch on that.

April Sage: Great. Thank you so much to both of you, Tatiana and Carrie, for giving us some great context for understanding some of the risks involved in sharing patient data in the ACO. I want to invite everyone to join us again in June. We are going to have a follow-up webinar on Tuesday, June 17th. It will be Tuesday at Two, Eastern. We will take a deeper dive into the technologies and the contracting issues that are involved when PHI is shared in the ACO. Thanks so much to everyone. We look forward to joining all of you.

Tatiana Melnik, Attorney
Tatiana MelnikTatiana Melnik is an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance. Ms. Melnik regularly writes and speaks on IT legal issues, including HIPAA/HITECH, cloud computing, mobile device policies, telemedicine, and data breach reporting requirements, is a Managing Editor of the Nanotechnology Law and Business Journal, and a former council member of the Michigan Bar Information Technology Law Council.

Ms. Melnik holds a JD from the University of Michigan Law School, a BS in Information Systems and a BBA in International Business, both from the University of North Florida.

Carrie Nixon, President of Accountable Care Law & Policy
Carrie NixonCarrie Nixon is the CEO of Nixon Law Group and the President of Accountable Care Law & Policy. She is a founding member of Healthcare Solutions Connection, a network of expert consultants providing integrated service solutions for the healthcare industry. As a longtime attorney for a variety of clients in the assisted living and long-term care industry, Carrie has on-the-ground experience with the unique challenges facing those who serve our aging population. She has successfully defended these clients against malpractice claims and deficiency citations, helping them to navigate the ever-changing regulatory and risk management landscape.

Carrie holds a JD from the University of Virginia Law School.

Webinars    |    Online

Get started now. Exceptional service awaits.