Federal regulators are starting to think about how the new accountable care organizations (ACOs) might handle patients’ personally identifiable information (PII).
The Centers for Medicare & Medicaid Services (CMS) talks about the new system of ACO records in a notice set to appear Monday in the Federal Register.
CMS is publishing the notice to comply with the requirements of the federal Privacy Act of 1974.
Section 3022 of the Patient Protection and Affordable Care Act of 2010 (PPACA) calls for CMS’ parent, the U.S. Department of Health and Human Services (HHS), to test whether ACOs – groups of providers that share financial responsibility for caring for a whole patient, rather than getting paid mostly on a fee-for-service basis – can help hold down traditional Medicare program costs while improving the quality of care.
CMS is setting up a Medicare Shared Savings Program (MSSP) and a Pioneer ACO Model program to carry out PPACA Section 3022.
The ACO record system will include information about Medicare enrollees in ACOs, providers or suppliers involved with ACOs, key leaders and managers of an ACO and ACO contact people, officials say.
The records in the system will include claim records, enrollees’ Social Security numbers, ACO eligibility records, and a variety of ACO contact information, such as the Social Security numbers of ACO providers that are sole proprietorships, officials say.
The records will be stored both on tape cartridges and in a database format, and any hard copies will be kept in file folders locked in secure file cabinets, officials say.
Some records containing PII will be discarded after 10 years, but records needed to resolve problems or prosecute fraud could be retained as long as needed, and beneficiary claim records are subject to a document preservation order. Because of the preservation order, the claim records will be preserved indefinitely, pending further notice from the U.S. Justice Department, officials say.
Personnel having access to the ACO records system must have Privacy Act and information security training, and early access to records will be limited to CMS personnel and contractors, grantees and consultants, officials say.
Eventually, officials say, ACOs, ACO participants and ACO providers may get some access to the system.
Individuals can ask the system managers whether the system contains information about them and ask for corrections of any errors.