Health reform initiatives aimed at reining in costs--such as accountable care organizations (ACOs) and medical homes--"turn on its head" a common assumption regarding these new entities' obligations under the Health Information Portability and Accountability Act (HIPAA), according to attorney Mark Hedberg, with Hunton & Williams in Richmond, Va.
"You think everyone serves the ACO, which receives [patient] information and delivers it to the payer. But the ACO is not a covered entity, and it's providing services, such as aggregating and reporting data for the others. It's really a business associate," he said, speaking at the Twentieth National HIPAA Summit March 27 in Washington, D.C.
Since all of these payment programs rely on the ability of the parties to share patient data, they need to agree to keep the information confidential pursuant to HIPAA, Hedberg said. In an ACO or other new collaborative model program, that translates to a plethora of separate contracts among the parties: between the ACO and its participants, the ACO and its subcontractors, the ACO and any applicable health information exchange (HIE), and the HIE and the ACO participants.
Hedberg points out that it would have been easier if ACOs had been defined by the government as covered entities, and if HIPAA's definition of "payment" would have included these more complicated relationships. But this did not occur.
"The contracts get us to a compliant state regarding HIPAA's privacy rule. It works because it has to work. There isn't any other way to do it," he warned.