On November 2, 2011, the Centers for Medicare & Medicaid Services (“CMS”) published the final rule (“Final Rule”) for Accountable Care Organizations (“ACOs”) participating in the Medicare Shared Savings Program (“MSSP”) under Section 3022 of the Patient Protection and Affordable Care Act (“PPACA”). In the Final Rule, CMS finalized several requirements under which it may share Medicare claims data with ACOs in accordance with the HIPAA Privacy Rule and the other laws governing the sharing of individually identifiable health information, referred to here as protected health information (“PHI”).
CMS relies primarily on the HIPAA Privacy Rule as the legal authority under which it is permitted to disclose to ACOs Medicare claims data that contains PHI. The Final Rule also includes data-sharing provisions that impose limits on ACOs’ uses and disclosures of that data which go beyond the requirements of the HIPAA Privacy Rule itself.
CMS commented that, under the HIPAA Privacy Rule, the Medicare fee-for-service (“FFS”) program is a HIPAA covered entity (a “health plan”) and is therefore subject to the Privacy Rule’s limitations on the disclosure of PHI.
ACO participants and ACO providers/suppliers are also HIPAA covered entities to the extent that they are healthcare providers that conduct one or more HIPAA standard transactions. An ACO may itself be a HIPAA covered entity if it is a healthcare provider and conducts one of the HIPAA standard transactions.
In conducting quality assessment and improvement activities on behalf of its ACO participants and ACO providers/suppliers, an ACO will also qualify under the HIPAA Privacy Rule as a business associate of those participants and providers/suppliers.
Based on these relationships among ACOs, ACO participants and ACO providers/suppliers under the HIPAA Privacy Rule, CMS considers both the disclosure of PHI to ACOs and the ACOs’ use of that PHI to be permitted under the Privacy Rule for “health care operations” purposes.
A covered entity, such as the Medicare FFS program, is permitted to disclose PHI to another HIPAA covered entity, such as an ACO, for the recipient’s healthcare operations purposes if three conditions are met: both covered entities have or had a relationship with the individual whose PHI is to be disclosed, the PHI pertains to that relationship, and the recipient will use the PHI for a healthcare operations function. The Final Rule adds a requirement that an ACO certify that any beneficiary-identifiable data it requests is the minimum necessary to conduct healthcare operations work falling within the first or second paragraph of the definition of “health care operations” in the HIPAA Privacy Rule.