Clinically Integrated Networks: Privacy and Security Concerns with Sharing Data

Paulette Thomas
BakerHostetler
Contact
LinkedIn
Facebook
X
Send
Embed

The Centers for Medicare & Medicaid Services (CMS) is changing reimbursement methodologies for healthcare providers from a fee-for-service model to a value-based model. Healthcare providers are responding to the changing environment with the development of clinically integrated networks (CINs) and accountable care organizations (ACOs). The primary purposes of CIN/ACOs are to collaborate with other healthcare providers, primarily physicians, to improve the quality of healthcare, reduce cost by reducing inefficiencies such as duplication of laboratory and diagnostic testing, supporting the changing reimbursement environment such as the CMS Bundled Payment for Care Improvement Initiative or shared savings programs, and provide for population health management.

The CIN must have a health information technology (HIT) infrastructure to support data sharing in order to meet its goals. The hospital CIN may be a more common legal structure than a joint venture or a physician-controlled CIN because it has the HIT infrastructure and financial capability to support the CIN. The CIN may utilize the hospital’s electronic health record system (EHR) platform to connect participants and share patient information and/or provide IT donation to participants. The EHR may be on a shared platform that all participants use to view the other participants’ EHR. Because of the sharing of protected health information (PHI) and comingling of different providers’ medical records, the CIN must have adequate privacy and security controls in place to comply with the law.

The CIN is a business associate of the participants and is required to comply with the relevant provisions of the HIPAA privacy and security rules applicable to business associates. Each participant is a separate and distinct covered entity under HIPAA. Additionally, each participant has an obligation to comply with the participation agreement and the CIN policies and procedures regarding access, use, and disclosure of the CIN’s EHR. The CIN should delineate roles and responsibilities of the CIN and participants, including:

  • Designating the privacy and security officers for the CIN.
  • Creating an organized health care organization (OHCA) for the participants in the CIN.
  • Revising the notice of privacy practices to explain the relationship between the participants and CIN and use of PHI.
  • Developing access rights and controls for participants, and auditing and monitoring participants’ access to EHR.
  • Taking responsibility for handling individual rights requests, individual complaints, or inquiries.
  • Taking responsibility for reporting, responding to, and investigating breaches of PHI or personally identifiable information (PII).
  • Handling release-of-information requests from third parties.
  • Managing elements of a designated record set and ownership of patient information contained in a shared EHR.
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler
BakerHostetler
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide