Your Comments, Please

yeah!!! glad to see that there are no more anonymous comments allowed.

CCO Providers and Payers Privacy & Security – Missing State Guidance That Could Place You at Risk June 18, 2012 Chris Apgar, CISSP CEO & President, Apgar & Associates, LLC A recent CCO headline announced the award of Innovation grant funding from the Center for Medicare and Medicaid Services (CMS) to the tune of $17,337,093 to assist with the launch of the Tri-County Collaborative; Multnomah, Washington and Clackamas Counties’ CCO. (See the following Providence Medical Center press release) Unfortunately what little guidance is available from the Oregon Health Authority (OHA) as it relates to the privacy and security of patient information that will be shared among CCO member health plans and health care professionals is in direct violation of 42 CFR Pt. 2 and appears to violate the HIPAA Privacy Rule and state privacy laws. The CCO Request for Applications (RFA) issued by OHA does not even include a requirement that CCOs follow Oregon’s privacy laws and the federal alcohol and chemical dependency regulations. It only requires compliance with HIPAA. CCO violation of state privacy laws or 42 CFR Pt. 2 would not interfere with CCO final certification by OHA. That appears to be more than a bit disturbing. Consider the patient registry outlined in the press release which could result in violation of state and federal privacy laws. For example, if the patient is listed in the registry as receiving care at Hooper Detox Center (part of Central City Concern), it would violate Oregon privacy law and 42 CFR Pt. 2 which specifically require the provider of alcohol and chemical dependency treatment to obtain authorization from the patient to even share the name of a patient who received treatment at the Hooper Detox Center. Also, in this case, even if the patient authorizes release to the CCO, the CCO is prohibited from sharing even the name associated with where care was received unless the CCO itself again obtains the patient’s written authorization to do so. Health care professionals who provide care where patient information sharing is specially protected by state law or other federal law may need to think twice about patient information sharing that places them at risk of a civil suit brought by the patient because of disclosure of specially protected health information without patient authorization. There are ways to address those barriers but, to date, OHA has communicated little or nothing regarding privacy and security requirements. August 1, 2012, the go-live deadline for the first fully certified CCOs, is fast approaching. If the exchange of patient information is to be relatively seamless in order to increase efficiency, reduce costs and increase quality of care, there needs to be a discussion and some guidance from OHA regarding privacy and security. As of June 18, 2012 the only “guidance” available from OHA is in the form of draft rules that are not open for public comment. The draft rule language posted on the OHA web site is in direct violation of 42 CFR Pt. 2 and appears to violate both the HIPAA Privacy Rule and state privacy laws. In short it states that any CCO member entity, no matter the type, can freely exchange patient information of any nature with all other CCO member entities. As an example, this means a social services agency and a health care provider from a local clinic can exchange mental health information and alcohol and chemical dependency information about a patient without patient authorization. Draft rule language included in 410-141-3180(4) states, “A CCO and its provider network shall use and disclose sensitive diagnosis information including HIV and other health and behavioral health diagnoses, within the CCO for the purpose of providing whole-person care.” The draft language would allow use and disclosure of all patient information for patients served by the CCO with no exceptions and no required authorization. Oregon law (ORS 433.405(3) requires health care providers to obtain a patients written authorization prior to disclosing HIV information to a number of entities, including health plans (in this case the managed care organizations (MCO) which are health plans as defined by HIPAA). The statute allows disclosure without authorization “for health care.” It does not allow release for payment purposes without specific authorization from the patient. The HIPAA Rules (45 CFR 160.103) definition of “health care” does not include disclosures for payment purposes. The health plans that are members of the ACO and the Oregon Medicaid Agency are defined as “health plans” and health plans do not provide “health care.” In this case it looks like patient information could not be shared with the health plan members of CCOs without specific patient authorization. When it comes to federal law (which, in this case, state law cannot preempt), any information related to alcohol and chemical dependency treatment by health care providers who receive federal funding (lately interpreted to include payments for care for Medicare and Medicaid beneficiaries) cannot be disclosed without a special court order or patient authorization. Oregon statute provides similar protections. Oregon statute (ORS 430.306 and 399) also requires patient authorization if the patient is receiving outpatient or inpatient treatment in most cases such as Medicaid and Medicare payment and health care coordination. While the RFA issued by the OHA does call for compliance with HIPAA, there has been little or no guidance from the agency about HIPAA compliance either. It may not be widely known that CCOs are business associates of all participating health plans and health care professionals. This means that CCOs need to execute business associate contracts with all member organizations before CCOs can legally begin sharing any patient information without specific consent from all patients whose health information will be shared. There is still confusion around the status of community health workers as well. Who will employ them? Will they have the right to access any patient information without specific patient authorization? There is this wonderful little clause in the HIPAA Privacy Rule called “minimum necessary.” If patient information is shared for treatment purposes, minimum necessary does not apply. On the other hand, if the patient information is shared for payment purposes (that includes sharing patient information with MCOs/health plans who are members of CCOs), health care providers must adhere to the minimum necessary standard. My fear is that August 1st will come and go with no official guidance from OHA and no discussion regarding privacy and security requirements, especially how to address real legal barriers to the exchange. OHA has done nothing to allay that fear. Chris Apgar, CISSP CEO and President Apgar & Associates, LLC Mailing: Office: PO Box 80278 11000 SW Barbur Blvd, Ste 201 Portland, OR 97280 Portland, OR 97219 (503) 384-2538 (voice) (503) 384-2539 (fax) http://www.apgarandassoc.com Providence Health & Services Press Release Sent: Friday, June 15, 2012 10:44 AM Awarded a CMS Innovation grant…. PROVIDENCE PORTLAND MEDICAL CENTER Project Title: “Redesigning service delivery through the Tri-County Health Commons” Geographic Reach: Oregon Funding Amount: $17,337,093 Estimated 3-Year Savings: $32,542,913 Summary: The Providence Portland Medical Center, in partnership with CareOregon, Providence Health & Services, Kaiser Permanente, Legacy Health, Oregon Health and Science University, the Coalition of Community Health Centers, Multnomah County, Clackamas County, and Washington County, is receiving an award to develop a Medicaid Coordinated Care Organization (CCO). This CCO will integrate care delivery for Medicaid and Medicare/Medicaid dual-eligible beneficiaries through an unprecedented level of cooperation among traditional competitors. The program will include a Care Coordination Registry with real-time alerts to enable care coordination across all service sites, standardized discharge and transition processes from hospitals to primary care (with care transition teams to coordinate at-risk discharges), emergency room navigation services to divert non-urgent cases to primary care, and intensive patient support services through community-based and cross-disciplinary care teams.[Emphasis Added]. The result should be reduced use of emergency rooms, fewer avoidable hospital readmissions, and better access to a more appropriate and cost-effective level of health care services. Over a three-year period, Providence Portland Medical Center’s program will train an estimated 54 workers. It will create an estimated 62 jobs. These new workers will include community outreach