A Question of Privilege: Protecting Data in a Clinically Integrated Network


In this emerging era of healthcare reimbursement based on value, many providers are considering different ways to provide services to patients. The old fee-for-service model, which often rewarded providers based on volume, is being replaced with a model that incentivizes providers to provide quality care at reduced costs.

In order to position themselves for value-based reimbursement, many providers have banded together to form clinically integrated networks (CINs) to coordinate and standardize patient care across various service lines.

Whatever term is given to these networks (e.g., CINs, accountable care organizations, accountable care networks, etc.), the goal of these entities is to enable a diverse array of independent providers to provide high quality, value-based care.

Many CINs have entered into “shared savings” contracts with payors, under which a CIN’s provider-members have the monetary incentive to meet certain quality-based metrics.

In order for these networks to be truly “clinically integrated,” it is critical that provider-members transmit data to the CIN related to their treatment of patients.

For example, in order to ensure the proper care of patients, primary care providers may be required to provide the CIN with the blood pressure levels of patients who are managing high blood pressure.

To incentivize high quality care, the providers whose patients have blood pressure levels consistently within an acceptable range will receive a larger payout of any “shared savings” money than providers whose patients consistently have higher levels.

Without the receipt of detailed treatment data from providers, CINs would not be able to effectively set quality-based metrics, recommend best practices, and incentivize value-based care.

But there is an important question that CINs should consider: Is the data submitted by a CIN’s provider-members privileged and protected from discovery in a lawsuit?

The Peer Review Privilege

The importance of protecting sensitive information related to a healthcare provider’s services is not a new concept.

Many states throughout the country have recognized the “quality improvement” or “peer review” privilege, which protects certain documents and information that are created during the course of a quality assurance review of a provider’s treatment of patients.

The privilege is a critical mechanism to ensure that peer reviewers engage in frank and open discussion of a provider’s practice without the threat of having all of their discussions obtained by a patient or the patient’s attorney.

For example, let’s assume that a peer review committee of a hospital is reviewing the competence of an OB/GYN physician whose patient had complications during childbirth.  The patient has provided her notice of intent to sue the hospital and the physician for malpractice.

In order to ensure that physician error did not contribute to the bad result, the hospital’s peer reviewers closely scrutinize the physician’s performance, and also the performance of the hospital’s support staff. Their objective is to find any deficiencies that can be corrected for future cases.

Without the peer review privilege, the hospital could be forced to release the peer reviewers’ frank discussions related to the providers’ and hospital’s potential culpability to the patient’s malpractice attorney.  These self-critical discussions and documents could be a goldmine for the patient’s case against the hospital.

Clearly, the peer review privilege is essential for a healthcare provider’s risk management.

Peer Review Privilege and Clinically Integrated Networks

Providers and CINs commonly assume that the peer review privilege applies to any data transmitted between the CIN and the CIN’s provider-members.

But this might not be an accurate assumption.

In reality, the peer review privilege in many states is very narrow and only applies if the provider has met strict requirements.

For example, the Washington State peer review privilege solely applies to information created specifically for, and collected and maintained by a regularly constituted “coordinated quality improvement committee.”

The privilege is waived if any of the information or documents are disclosed to anyone outside of the committee.  One key exception is that a coordinated quality improvement committee of one entity may share information with a coordinated quality improvement committee of another entity.

The primary issue for CINs is that Washington State law only allows certain entities, such as hospitals, medical facilities, provider groups of five or more providers, and health carriers, to form a coordinated quality improvement committee.  WAC 246-50-005.

The rules do not explicitly permit a clinically integrated network or accountable care organization that is a separate legal entity from a medical facility or hospital to form a coordinated quality improvement committee.

Therefore, under Washington State law, there is a risk that provider data shared with a CIN will be unprotected from discovery in a lawsuit.

A Possible Alternative: The Patient Safety and Quality Improvement Act

It may come as a surprise to many CINs and providers that data shared between a CIN and a provider could be subject to discovery in a legal proceeding. However, unless a state law allows a CIN to take advantage of the peer review privilege, quality data received by a CIN is potentially at risk.

One alternative that CINs should consider is the privilege set forth in the federal Patient Safety and Quality Improvement Act (PSQIA).

The PSQIA is a federal law enacted in 2005 that created a broad privilege for “patient safety work product,” which a provider may disclose to a “patient safety organization.” These terms are defined as follows:

  • Patient Safety Organization (PSO): A private or public entity (or component of such entity) that is listed as a PSO by the Secretary of Health and Human Services.
  • Patient Safety Work Product (PSWP): Includes any data, reports, records, memoranda, analyses, or written or oral statements which could improve patient safety, health care quality, or health care outcomes; and
    • Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; or
    • Are developed by a PSO for the conduct of patient safety activities; or
    • Which identify or constitute a provider’s deliberations, analyses, or reporting related to information disclosed to a PSO.  A provider’s procedures for collecting and reporting information to a PSO are known as the provider’s “patient safety evaluation system” (PSES).

Importantly, PSWP does not include the original medical record of the patient or other information that is collected or maintained separately from the provider’s collection and reporting to the PSO.

Therefore, if a CIN were to create a PSO, quality information shared between a CIN and its provider-members could be protected from discovery in a lawsuit.  Even better, the PSQIA privilege is never waived – even if the information or documents are subsequently improperly disclosed by the PSO.

In comparison to the Washington State peer review privilege, the privilege under the PSQIA appears to be broader and more appropriate for the activities of a CIN.

Creating a PSO for a Clinically Integrated Network

Although the privilege protections of the PSQIA should interest CINs and their participating members, it is important to review the major steps needed for the proper creation of a PSO.

  1. Eligibility: The first step is to confirm that the CIN is eligible to create a PSO.  Under the rules, any private or public entity can create a PSO, so long as the entity is not listed as “excluded” by the PSQIA. The list of excluded entities includes:
    • Health insurers;
    • Regulatory agencies;
    • Accreditation and licensure entities; and
    • Entities that administer a federal, state, local, or tribal patient safety reporting system to which health care providers are required to report.

If one of these types of agencies has an ownership interest in the CIN, it is critical that the CIN’s governing documents make clear that such entities do not exercise any control over the operation of the PSO.

  2. Separate Legal Entity: In order to ensure compliance with the PSQIA, and insulate liabilities, the CIN should consider forming the PSO under a separate legal entity (e.g., limited liability company). The primary mission of the separate PSO entity must be the improvement of patient safety and the quality of health care delivery. Under the PSQIA rules, the PSO would be a “component” of the CIN.
  3. Workforce: The PSO must be staffed by a qualified “workforce,” which must include employed or contracted licensed healthcare providers. The CIN can share staff with the PSO, but such staff members should sign confidentiality agreements stating that they will not improperly disclose PSWP to the CIN.
  4. Policies: The PSO must create policies and procedures to meet the eight patient safety criteria in the PSO:
    • Efforts to improve patient safety and the quality of health care delivery;
    • The collection and analysis of PSWP;
    • The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;
    • The utilization of PSWP for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
    • The maintenance of procedures to preserve confidentiality with respect to PSWP;
    • The provision of appropriate security measures with respect to PSWP;
    • The utilization of qualified staff; and
    • Activities related to the operation of a PSES and to the provision of feedback to participants in a PSES.
  5. Participation Agreement: The PSO should enter into a template Participation Agreement with the CIN’s provider-members. Among other requirements, the Agreement should specify a standardized manner for the providers’ transmission of data to the PSO. The PSO and the CIN’s provider-members should also enter into a HIPAA Business Associate Agreement.
  6. Patient Safety Evaluation System: Each provider entity should set up its own policies and procedures for reporting PSWP to the PSO. This reporting structure will be each provider’s “patient safety evaluation system.”
  7. Consent for Disclosure to the CIN: The PSQIA permits a PSO to disclose PSWP back to a participating provider for “patient safety activities.” However, because a CIN is not a “provider” of healthcare services, it is not able to contract with the PSO and receive PSWP. This could be a problem if the CIN needs access to identifiable PSWP in order to develop quality metrics, create best practices for the members, or distribute any shared savings money. In order to ensure that the CIN is able to receive PSWP from the PSO, each CIN provider-member should sign a consent that permits the PSO to disclose PSWP to the CIN for the purposes of clinical and financial integration.
  8. Apply for Certification: In order to officially become a PSO, the PSO entity should apply for certification from the Agency for Healthcare Research and Quality (https://pso.ahrq.gov/forms/initial/). After approval, the PSO will be listed for a period of three years. The PSO must renew its listing after the three-year period.

Please note that this is not an exhaustive list of requirements for PSOs, but it does contain many of the major steps that should be considered in forming a PSO.

By going through the process of forming a PSO, a CIN may have a better chance of protecting sensitive quality data than relying on state peer review privilege laws.

For more information on the peer review privilege, clinically integrated networks, and patient safety organizations please contact Casey Moriarty.

NCQA Awards First ACO Accreditations

The National Committee for Quality Assurance (“NCQA”) awarded its first Accountable Care Organization (“ACO”) accreditations in December 2012. Established as a voluntary accreditation program in 2011, the NCQA awarded accreditations to the following organizations: Billings Clinic, Crystal Run Healthcare, HealthPartners and Kelsey-Seybold Clinic. The NCQA website contains detailed information regarding ACO Accreditation.

In general, NCQA Accreditation includes evaluation of seven categories:

  • ACO Structure and Operations
  • Access to Needed Providers
  • Patient-Centered Primary Care
  • Care Management
  • Care Coordination and Transitions
  • Patient Rights and Responsibilities
  • Performance Reporting and Quality Improvement

In contrast to those organizations that raced to the ACO accreditation finish line, overall ACO readiness has been elusive for hospital/health system ACOs. The Commonwealth Fund published a report from the Premier Research Institute (Premier) in December 2012, finding a generally low level of readiness across 59 hospital organizations that were members of the Premier Partnership for Care Transformation (PACT) Readiness Collaborative.

To assess readiness, Premier assessed ACOs’ progress by evaluating six core components: a patient-centered foundation, primary care medical home, a high-value network, payer partnership, population health data management, and ACO leadership. Although the hospital organizations were part of PACT for the purpose of easing the transition to accountable care, the report finds that no organization achieved full implementation of the six core components and several failed to undertake a single activity relative to the core components.

For more information contact Adam Snyder at 206.442.1317 or asnyder@omwlaw.com

Assigning Patients to ACOs

A hotly contested area of the proposed ACO rules concerns the assignment of Medicare Fee-for-Service (“FFS”) beneficiaries to ACOs.  Once a Medicare beneficiary is assigned to an ACO, the ACO will then be held accountable “for the quality, cost and overall care” of that beneficiary.  The ACO may also qualify to receive a share of any savings that are realized in the care of these assigned beneficiaries due to appropriate efficiencies and quality improvements that the ACO may be able to implement.

As the final rule explains, assigning Medicare beneficiaries requires several elements:

  1. An operational definition of an ACO, as opposed to a formal definition of an ACO, so that ACOs can be efficiently identified, distinguished, and associated with the beneficiaries for whom they are providing services;
  2. A definition of primary care services for purposes of determining the appropriate assignment of beneficiaries;
  3. A determination concerning whether to assign beneficiaries to ACOs prospectively, at the beginning of a performance year on the basis of services rendered prior to the performance year, or retrospectively, on the basis of services actually rendered by the ACO during the performance year; and
  4. A determination concerning the proportion of primary care services that is necessary for a beneficiary to receive from an ACO in order to be assigned to that ACO, as compared to the proportion of primary care services from other ACOs or non-ACOs.