The Affordable Care Act has made many headlines in the past several weeks, but few know it established a new government agency to conduct research on the American people without their consent. The Center for Medicare & Medicaid Innovation (CMMI, or Innovation Center) is meant to “test innovative payment and service delivery models to reduce program expenditures.” Several models give preference to or mandate the use of electronic health records (EHRs).
The Secretary of Health and Human Services (HHS) may choose from 18 models in the ACA statute (called “opportunities”) but is not limited to them. For example, one model uses salaried doctors rather than doctors that are paid a fee for their services. Another model provides varying payments for physicians according to their adherence to “appropriateness criteria” for ordering advanced diagnostic imaging, such as CTs and MRIs. And yet another provides “payment incentives” for care coordination and “appropriateness of care.” One goal for this Oncology Care Model (OCM) is to have the required patient data elements “seamlessly exported from practice EHRs into the OCM data registry,” reports CMS.
The implications for privacy and the practice of medicine are made clear in a proposed Medicare payment rule posted on July 11, 2014, which states that HHS “must be able to determine specifically which individuals are receiving services” through these experimental payment and delivery models. The proposed rule also says these patients—“the subjects of the intervention”—will be “compared to clinically, socio-demographically, and geographically similar matched individuals.”
And if the intrusion wasn’t clear enough, the agency writes, “To carry out this research we must have access to patient records not generally available to us.” Certain models “will conduct quality measurement across all patients regardless of payer” and require “the ability to identify all individuals subject to the model test regardless of payer.” After using more than 1,000 words to rationalize government access to identifiable patient data, the Centers for Medicare & Medicaid Services (CMS) writes: “We invite public comment on this proposal to mandate the production of the individually identifiable information necessary to conduct the statutorily mandated research under section 1115A of the Act.”
Thus, every patient seen at a participating clinic or hospital, whether publicly subsidized, privately insured or cash paying, will have their private information reported to the government. Furthermore, CMS requires submission of “identifiable health and utilization information for patients of private payers” from clinics and hospitals participating in the experiment “when an explicit purpose of the model test is to engage private sector payers.”
In short, the federal government is demanding personally identifiable health data on the privately insured for government research without the patient’s consent.
Most private payers—health plans—are involved in Medicare and Medicaid. Thirty-nine states, including Washington, D.C., have Medicaid contracts with these managed care organizations. In addition, most of the 21 million individuals in Medicare Advantage in 2018—35 percent of all Medicare enrollees—likely enrolled in the 2,734 Medicare Advantage plans offered for 2019 enrollment, such as Aetna, Blue Cross and Blue Shield affiliates, Cigna, Humana, Kaiser Permanente, UnitedHealthcare and Wellcare.
Here are a few examples from the proposed rule of information that could be required and for which the evaluator would need patient-level identifiers:
- Utilization data not otherwise available through existing CMS systems
- Beneficiary, patient, participant, family and provider experiences
- Rosters with identifiers that allow linkages across time and data sets
- Sociodemographic and ethnic characteristics
- Care management details
- Functional status and assessment data
- Health behaviors
- Clinical data, such as, but not limited, to lab values and information from EHRs
- Other data, such as employment status, educational degrees and income
The final rule, issued in November 2014, noted the many concerns expressed about this requirement. The rule received 2,945 comments, including from various entities that wanted separate assurance that the required data sharing would not violate the so-called federal HIPAA privacy rule. HHS responded by saying the data would be subject to HIPAA requirements, whether in the hands of CMMI or its “evaluation contractors,” acting as HIPAA business associates. But their response included a troubling admission:
“We respectfully disagree that sufficient assurances have not been provided. The disclosure would be required by a regulation, so it would be ‘required by law’ under HIPAA. See 45 CFR 164.512(a) and the definition of ‘required by law’ at 45 CFR 164.103. A HIPAA covered entity is permitted to disclose protected health information as required by law under these provisions so long as the disclosure complies with and is limited to the relevant requirements of the law. A separate minimum data necessary determination is not required under the HIPAA Privacy Rule for required by law disclosures under 45 CFR 164.512(a).”
Thus, under HIPAA, the permissive data-sharing rule, HHS demands full disclosure of patient data, including identifying information, characteristics, treatments and outcomes—not only from Medicare and Medicaid patients, but from any patient under the care of a participating clinic or hospital.
This is yet another extremely disturbing and privacy-crushing outcome of the Affordable Care Act.