Organizations are accustomed to sharing protected health information (PHI), specifically demographic data and medical codes, with health plans for the purposes of processing claims and determining eligibility and coverage. This sharing is permitted without explicit patient authorization per HIPAA’s treatment, payment and healthcare operations (TPO) clause.
However, providers engaging in value-based contracts are increasingly asked to submit a new type of information — quality data that’s used to determine performance benchmarks, capitated rates and incentive payments. Healthcare finance and contracting leaders are typically at the head of the table negotiating these contracts; however, they may not be aware of the HIPAA implications related to sharing PHI in this new age of value-based payment. In this interview, Chris Apgar, CISSP, president and CEO of Apgar & Associates, LLC, shares how healthcare finance professionals can navigate this sensitive and important topic.
Do quality metrics in value-based contracts typically include PHI?
Apgar: They could, depending on the specific contract. Some contracts only require aggregated information and statistics regarding the course of treatment, any procedures performed and the outcome. Others may be more granular and include identifiable information such as name, diagnosis, age, gender and other details.
What aspects of HIPAA, if any, apply when sharing quality data with health plans under these value-based contracts?
Apgar: Sharing quality data that includes PHI with a health plan is permitted under HIPAA’s TPO clause because it relates to quality improvement activities that are considered “healthcare operations.” This includes population-based activities to improve health or reduce healthcare costs. However, organizations cannot simply provide payers with a data dump of quality metrics for all patients, including patients covered under other health plans than the one requesting the data. Doing so could represent a breach of PHI because it violates the “minimum necessary” requirement. If this violation is a reportable breach (per the four-factor risk assessment), it could lead to an OCR investigation and potential civil penalties or monetary settlements. This is no different than providing auditors from a health plan with an EHR [electronic health record] login that gives access to all patient data rather than restricted access to the minimum necessary information (i.e., the specific records to be audited).
What about the actual transmission of quality data to health plans? What do CFOs need to keep in mind?
Apgar: If the organization transmits PHI, that PHI must be encrypted. In general, many healthcare entities aren’t doing this. I still run across clients that don’t encrypt laptops and send PHI through unsecured e-mail. I always reiterate the importance of encryption, given the amount of emphasis the Office for Civil Rights (OCR) has put on encryption over the last four years.
What if an organization is working with a population health vendor to extract and/or submit quality data to health plans?
Apgar: We’re seeing a lot of population health vendors support organizations in terms of implementing wellness programs and managing patients with chronic conditions. Many of these vendors also collect and transmit quality data to health plans on behalf of the organization. It’s okay to share PHI with these vendors; however, organizations must always have a business associate agreement (BAA) in place. It is a requirement under HIPAA to enact a BAA with any vendor that uses, discloses, stores or transmits PHI.
When providers share large data sets, they need to know what the vendor is doing to protect that data, including protection when the data is at rest. Over the last two or three years, we’ve seen monetary settlements because of a breach that occurred on the business associate’s side. In these cases, the covered entities never executed a business associate contract. OCR views this as willful neglect.
What happens if there’s a breach of quality data required for value-based contracts?
Apgar: Any time organizations share data with a health plan or vendor, it’s an opportunity for a breach to occur. The more data that’s exchanged, the more organizations need to think about what they’re exchanging and how — especially when it involves PHI. Covered entities are responsible for the security of the data until the health plan receives it, which is why secure storage and transmission are so critical. This applies to all PHI — not just PHI related to quality measures. Once the health plan receives the data, the organization is no longer liable for any breach that occurs on the payer’s end.
If an organization relies on a population health vendor to submit its quality data to the health plan, and a breach occurs during the transmission of that data or while the vendor stores it, the organization is still likely liable. This is true even when the vendor is technically responsible for the breach and when there’s a BAA in place. Business associates do not have a regulatory responsibility to report breaches to OCR. They report to the covered entity. The covered entity’s name is on the report to OCR, and OCR will investigate the covered entity before it ever investigates the business associate.
Should healthcare organizations approach value-based contracts with caution?
Apgar: Yes, but not because payers have malintent; rather, because healthcare organizations are sharing a large amount of data. Regardless of whether you’re sharing it directly with a health plan or a population health vendor, think carefully about these types of transactions, always keeping the concept of “minimum necessary” in mind. Organizations forget this because it’s easier to do a data dump rather than exclude certain pieces of data that aren’t associated with the value-based payment process. Pay attention to payer requests and push back if you need to. Payers may argue that the organization must submit the data in a certain way that actually involves sending more data than what the payer is entitled to receive. In the end, it’s the covered entity’s liability if it violates minimum necessary.
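The two submission shapes described above (an aggregated measure report, and a record-level extract limited to the requesting payer's own members and to the fields the contract names) can be enforced in the extraction step itself. This is an added illustration, not code from the interview or from any vendor; the registry rows, payer IDs, field names and the contract table are constructed.

```python
"""Minimum-necessary quality-data extract for one health plan (added example)."""
from collections import Counter

# Constructed sample of an internal quality registry; not real patient data.
REGISTRY = [
    {"mrn": "A1", "name": "Pat One", "dob": "1950-02-01", "payer": "PLAN-X",
     "measure": "a1c_control", "met": True, "dx": "E11.9"},
    {"mrn": "A2", "name": "Pat Two", "dob": "1962-07-19", "payer": "PLAN-Y",
     "measure": "a1c_control", "met": False, "dx": "E11.9"},
    {"mrn": "A3", "name": "Pat Three", "dob": "1971-11-30", "payer": "PLAN-X",
     "measure": "a1c_control", "met": False, "dx": "E11.65"},
]

# Fields each (hypothetical) value-based contract entitles the payer to receive.
CONTRACT_FIELDS = {"PLAN-X": {"mrn", "measure", "met"}}


class MinimumNecessaryError(ValueError):
    """The request would disclose more PHI than the contract allows."""


def aggregated_report(registry, payer):
    """Per-measure (numerator, denominator) counts for the payer's own members only."""
    denom, numer = Counter(), Counter()
    for r in registry:
        if r["payer"] == payer:          # other plans' patients never leave the org
            denom[r["measure"]] += 1
            numer[r["measure"]] += int(r["met"])
    return {m: (numer[m], denom[m]) for m in denom}


def record_level_extract(registry, payer, requested_fields):
    """Identifiable rows, restricted to the payer's members and contracted fields."""
    allowed = CONTRACT_FIELDS.get(payer)
    if allowed is None:
        raise MinimumNecessaryError(f"no contract on file for {payer}")
    extra = set(requested_fields) - allowed
    if extra:
        # Push back rather than send fields the payer is not entitled to.
        raise MinimumNecessaryError(
            f"{payer} requested non-contracted fields {sorted(extra)}")
    return [{f: r[f] for f in requested_fields}
            for r in registry if r["payer"] == payer]
```

The field check is where the "push back if you need to" advice becomes a hard stop: a request for name or diagnosis against a contract that only names the measure result fails before any row is built.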
With whom should healthcare organizations work most closely to ensure that data sharing for value-based contracts complies with HIPAA?
Apgar: In addition to working with legal counsel to vet the contracting process, CFOs should work with clinical leaders and the IT department. They need to be able to answer these questions: What data does the payer request, and are we able to extract and provide that data and only that data? Organizations shouldn’t enter a contract before determining whether they can even logistically provide what the payer wants. Does the data comply with HIPAA’s TPO clause? Can we encrypt it at rest and during transmission? Who will be responsible for extracting and sending this data? Will someone internally do it, or will we work with an external vendor?
Contracting leaders also need to keep in mind that value-based contracts can vary significantly among payers. Data-sharing strategies must be payer-specific as well, though organizations can, and should, try to align these strategies as much as possible. For example, if an organization has three different value-based contracts with three different payers, the goal is to extract the same type of data (quality measures) for all three payers. The more variable the approach, the more expensive it is to maintain — and the greater the chances of errors.
Interviewed for this article:
Chris Apgar is president and CEO of Apgar & Associates, LLC.