The Joint Commission on Accreditation of Healthcare Organizations, reacting to pressure from hospitals regarding privacy issues and questions about its proposed new business activities as a data analyst, is poised to pull out of the business of selling data analysis services to third parties. But the commission intends to continue its core data-mining activities for accreditation and quality reporting.
After a meeting Nov. 15 in Chicago between members of the JCAHO executive committee and heads of its member organizations, JCAHO leaders agreed to recommend to the full Joint Commission board that it would "not sell performance data analysis to third parties," according to Cathy Barry, chief communications officer for the Joint Commission.
The move comes after six months of controversy over a data-mining contract that surfaced in May between the JCAHO's for-profit Joint Commission Resources affiliate and the Blue Cross and Blue Shield Association. Under the deal, Joint Commission Resources provided hospital-specific performance reports to 14 Blues plans using, in part, hospital data supplied to the JCAHO during accreditation. As part of the deal, Joint Commission Resources subcontracted out data analytics work to the JCAHO.
JCAHO President and Chief Executive Officer Dennis O'Leary and four members of the JCAHO executive committee met with the CEOs of the American Hospital Association, American College of Surgeons, American College of Physicians, American Medical Association and a representative of the American Dental Association. The JCAHO leaders also agreed to withdraw a list of "draft principles" about its data-mining operations they planned to bring before the board at its meeting Nov. 18 and 19, Barry said.
But a JCAHO proposal to either ask or require hospitals to submit patient-level data as part of the accreditation process under its ORYX quality-improvement program "remains on the table," Barry said, which may prolong the dispute. That request was a key issue in the uproar. At deadline, the JCAHO board had not yet made an announcement regarding its decision. On Nov. 4, the AHA submitted a four-page legal brief to the Office for Civil Rights at HHS asking for guidance on whether submitting patient-level data might violate the Health Insurance Portability and Accountability Act's privacy rule. The Federation of American Hospitals and the Association of American Medical Colleges joined the AHA later in the week in a letter to O'Leary. The letter called the sale of data-mining services to the Blues and the JCAHO's announced strategy to become "a purveyor of performance data ... a disturbing chain of events ... particularly if the latter activ-ity would include the collection of patient-level performance measurement information."
In a separate letter several days later, federation President Chip Kahn said the mixing of accreditation and new JCAHO business activities, including analysis of data for third parties, "represent a clear conflict of interest for JCAHO."
The HIPAA privacy rule states: "When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request."
Currently, hospitals submit aggregate data to the JCAHO for accreditation with a sample of patient-level data to check the accuracy of the aggregate data submission.
Emily Stewart, a policy analyst with the advocacy group the Health Privacy Project, said that "one of the best questions that needs to be raised is the minimum use issue." Stewart said the provision was included so patients would have some reasonable expectation that their information would not be flowing around electronically without a very good reason.
The first question the AHA put to the Office for Civil Rights in its letter was for guidance on whether a JCAHO plan to make hospitals provide it with patient-level data "exceeds the minimum necessary for accreditation of the hospital, in light of the fact that aggregate data previously have been sufficient."
A meeting between Joint Commission officials and the Office for Civil Rights was scheduled for Nov. 16 with AHA representatives invited by the JCAHO to attend, Barry said. The JCAHO presented its response to the AHA brief at the meeting, she said.
In a telephone interview Nov. 16, Barry added that if the JCAHO goes forward with its request for hospitals to provide patient-level data, that data would be de-identified, an important detail that was not specified earlier.
AHA spokesman Richard Wade was guardedly upbeat about the JCAHO decision. "The primary focus for our members was (the JCAHO) putting the hospitals in the potential cross hairs on the HIPAA stuff, and the other was you could be sitting there with the Blues coming in and dropping some JCAHO data on them and saying let's negotiate prices," Wade said.
Wade said it was his understanding the JCAHO would be asking for de-identified patient-level data, but a JCAHO representative did not confirm that.
Robert Kiely, president and CEO of Middlesex Health System in Middletown, Conn., and a member of a JCAHO hospital advisory group, said the data-mining issue was an important one. "When they released the information to Blue Cross, it caught everybody by surprise. There were significant concerns about the absence of communication as well as the appropriateness of what the ... plans were."
JCAHO board member Gerald Shea, assistant to the president for government affairs at the AFL-CIO, said while the politics of launching the new data provisions might have been handled better, both sides in the dispute need to look at the bigger picture. "This us-against-them mentality is really yesteryear and we need to get over it," he said.