United States: Clinically Integrated Networks: Privacy And Security Concerns With Sharing Data

The Centers for Medicare & Medicaid Services (CMS) is changing reimbursement methodologies for healthcare providers from a fee-for-service model to a value-based model. Healthcare providers are responding to the changing environment with the development of clinically integrated networks (CINs) and accountable care organizations (ACOs). The primary purposes of CIN/ACOs are to collaborate with other healthcare providers, primarily physicians, to improve the quality of healthcare, reduce cost by reducing inefficiencies such as duplication of laboratory and diagnostic testing, supporting the changing reimbursement environment such as the CMS Bundled Payment for Care Improvement Initiative or shared savings programs, and provide for population health management.

The CIN must have a health information technology (HIT) infrastructure to support data sharing in order to meet its goals. The hospital CIN may be a more common legal structure than a joint venture or a physician-controlled CIN because it has the HIT infrastructure and financial capability to support the CIN. The CIN may utilize the hospital's electronic health record system (EHR) platform to connect participants and share patient information and/or provide IT donation to participants. The EHR may be on a shared platform that all participants use to view the other participants' EHR. Because of the sharing of protected health information (PHI) and comingling of different providers' medical records, the CIN must have adequate privacy and security controls in place to comply with the law.

The CIN is a business associate of the participants and is required to comply with the relevant provisions of the HIPAA privacy and security rules applicable to business associates. Each participant is a separate and distinct covered entity under HIPAA. Additionally, each participant has an obligation to comply with the participation agreement and the CIN policies and procedures regarding access, use, and disclosure of the CIN's EHR. The CIN should delineate roles and responsibilities of the CIN and participants, including:

• Designating the privacy and security officers for the CIN.
• Creating an organized health care organization (OHCA) for the participants in the CIN.
• Revising the notice of privacy practices to explain the relationship between the participants and CIN and use of PHI.
• Developing access rights and controls for participants, and auditing and monitoring participants' access to EHR.
• Taking responsibility for handling individual rights requests, individual complaints, or inquiries.
• Taking responsibility for reporting, responding to, and investigating breaches of PHI or personally identifiable information (PII).
• Handling release-of-information requests from third parties.
• Managing elements of a designated record set and ownership of patient information contained in a shared EHR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.