CMS will provide ACOs with aggregate data reports that will include: (1) aggregated metrics on
the assigned beneficiary population; and (2) utilization and expenditure data for the Medicare
beneficiaries used to calculate the ACO’s benchmark. CMS will provide ACOs with these
aggregate data reports at the start of the agreement period and on a quarterly basis. In
addition, at the beginning of the agreement period, during each quarter (and in conjunction
with the annual reconciliation), and at the beginning of each performance year, CMS will
provide, upon the ACO’s request, the following information regarding preliminary
prospectively assigned beneficiaries whose data was used to generate the aggregate data
reports: (1) beneficiary name; (2) date of birth; (3) health insurance claim number (“HICN”); and
(4) sex.
Beneficiary‐Identifiable Claims Data
ACOs have the opportunity to request certain beneficiary‐identifiable claims data on a monthly
basis, in compliance with applicable laws. These data sets will be limited to the minimum data
necessary for the ACO to effectively coordinate care of its patient population. If an ACO wishes
to receive beneficiary‐identifiable claims data, it must sign a Data Use Agreement (“DUA”) and
submit a formal request for data. The ACO must explain how it will use the data to evaluate
the performance of ACO participants, suppliers, and providers, conduct quality assessment and
improvement activities, and conduct population‐based activities to improve the health of the
assigned beneficiary population. The ACO may request the data during its application process
beneficiary‐identifiable information will enable practitioners in an ACO to better coordinate
and target care strategies toward the individual beneficiaries who may ultimately be assigned to
them.
Consistent with statutory and regulatory restrictions, CMS will not disclose data related to
patient records by federally conducted or assisted substance abuse programs, except as
expressly authorized.
Data Use Agreement
Before receiving any beneficiary‐identifiable data, ACOs must enter into a DUA with CMS.
Under the DUA, the ACO is prohibited from sharing the Medicare claims data provided to it
with any entity outside of the ACO, and would also be prohibited from using or disclosing data
in a manner that violates the HIPAA Privacy Rule. An ACO that does not comply with the DUA
would no longer be eligible to receive data, and noncompliance may also lead to
termination from the MSSP or to additional sanctions and penalties available under law.
Beneficiary Opt‐Out
CMS will allow Medicare beneficiaries to opt‐out of sharing their protected health information
with an ACO. ACOs will only have access to beneficiary‐identifiable claims data for
beneficiaries that have chosen not to opt‐out of claims data sharing. An ACO can gain access to
beneficiary claims data in two ways, both requiring the ACO to inform a Medicare beneficiary
that it may request personal health information as part of the MSSP and then allowing that
beneficiary a “meaningful opportunity” to opt‐out of sharing his or her data. First, an ACO can
obtain access to protected health information for beneficiaries who (1) are listed as preliminary,
prospectively assigned patients; (2) have received from the ACO a written, advance notification
requesting data sharing; and (3) have not chosen to opt‐out of claims data sharing within 30
days after the advance notification is sent. Beneficiaries who receive advance notification in this
manner must also be given an opportunity to opt‐out of further claims data sharing during their
first primary care visit. Alternatively, an ACO can obtain access to protected health information
for beneficiaries who have (1) visited a primary care provider participating in the ACO during
the performance year; (2) been informed about how the ACO intends to use beneficiary claims
data; and (3) not chosen to opt‐out of claims data sharing.
If a beneficiary declines to have his or her claims data shared with the ACO, this does not preclude
physicians from sharing protected health information as allowed under HIPAA. For example, a
referring primary care physician may provide protected health information to a specialist for
Public Reporting and Transparency
Several aspects of an ACO’s operation and performance must be publicly reported: (1)
providers and suppliers participating in the ACO; (2) each member of the ACO governing
body; (3) quality performance standard scores; (4) general information on how an ACO shares
savings with its members; (5) the name and location of the ACO; (6) the primary contact of the
ACO; and (7) the ACO’s organizational information. Each ACO is responsible for making this
information available to the public in a standardized format that CMS will publish through
subregulatory guidance. Additionally, quality measures reported using the Group Practice
Reporting Option (“GPRO”) web interface will be reported on Physician Compare in the same
way they are for group practices that report under the Physician Quality Reporting System.
Analysis and Potential Issues for Applicants
The necessity of a robust health information exchange infrastructure and
effective communication among ACO participants and the ACO’s neighboring
health care providers to convert large volumes of claims data into actionable
information and assist in accessing data in “real‐time” may present a
fundamental challenge to effective participation in the MSSP for smaller,
unintegrated health care providers.
Pursuant to the DUA that an ACO must sign in order to receive beneficiary‐identifiable
data, ACOs must establish appropriate administrative, technical, and physical
safeguards to protect the confidentiality of the beneficiary‐identifiable claims
data and comply with HIPAA and the Privacy Act. Steps that an ACO may take
to ensure it protects the confidentiality of the beneficiary‐identifiable claims data
and complies with HIPAA and the Privacy Act include: (1) controlling who has
access to the data provided by CMS; (2) developing and communicating clear
policies and procedures regarding the protection of the data; (3) implementing
network security measures such as a network firewall; (4) implementing security
protections for individual desktop computers; (5) regularly screening for viruses
and malware; and (6) developing and initiating safeguards for remote access to the
data provided by CMS.
To request claims data about individual beneficiaries, an ACO must develop
appropriate forms to: (1) inform Medicare beneficiaries that it may request
personal health information from CMS for the purposes of the MSSP; and (2)
explain that Medicare beneficiaries can decline data sharing. ACOs should work
with legal counsel to develop forms that meet the requirements of the MSSP, as
well as federal and state privacy laws. Further, ACOs should develop and
implement policies and procedures to ensure that each beneficiary receives a
notification and has the opportunity to opt‐out of this data sharing. Finally, an