The Obama administration is working to balance patient privacy with the promise of tapping into market forces to boost its 4-year-old initiative to allow outside organizations to mine federal claims data for healthcare quality improvement and cost containment.
Four years ago, the CMS launched an initiative to release claims data from federal healthcare programs under the 2010 Patient Protection and Affordable Care Act. The so-called Qualified Entity Program authorizes certain entities to buy the Medicare claims and other federal data at the government's cost. But it also limits what they can do with the data and their data analytics work.
After four years, though, only two of just 13 qualified research organizations enrolled in the program have issued public reports based on their data analytics work.
The other 11 organizations are “in various stages” of work on their own public reports, according to the CMS.
The CMS initiative to share the claims data “started very tentatively,” said attorney Kirk Nahra, a partner with the Washington, D.C., firm Wiley Rein and a healthcare privacy expert. “They opened it up, but they put a ton of restrictions on it, the positive wasn't coming out. They drew the balance wrong.”
A proposed rule the CMS issued last week under the authority of the 2015 Medicare Access and CHIP Reauthorization Act would allow the 13 current quality improvement organizations and some newcomers to sell their data analytics products to private customers.
Now, with the proposed rule, “they're saying, we're going to take another shot at this,” Nahra said. “The positive for the government was, for the past couple of decades, nobody was getting this data for any purpose. Now, the recognition is there is a tremendous amount of data and good things could come from these data analytics."
The analyses that could be sold under the rule would be based on a combination of patient data from private sector sources and from Medicare, Medicaid and the Children's Health Insurance Program (CHIP).
The draft regulations would also allow these organizations to engage in “non-public” sales of the underlying combined sets of raw data, or provide the federal data to others at no cost.
Their sales and data donations would be limited to a select group of partners called “authorized users”—healthcare providers, suppliers, employers, health insurance issuers, medical societies, hospital associations, healthcare professional associations and state agencies.
The proposed expansion of the initiative would allow data analysts to combine the federal data with claims data from other sources and then sell the data combinations to evaluate provider and supplier performance. The work of these data analysts is subject to review and correction by the affected providers and suppliers. Then, their work is to be made public.
MACRA directed the CMS to boost output of the program by permitting the sale of data analysis products and data release.
“While we have been pleased with the participation in the program so far, we expect that the changes required by MACRA will increase interest in the program,” the CMS officials wrote in the proposed regulations. The agency said the expanded program "will be important in driving higher quality, lower cost care in Medicare and the health system in general” while ensuring the privacy and security of patient data.
In order to strike that balance, the proposed regulations include a number of provisions intended to safeguard the privacy and security of the patient data involved.
Sales of data and analysis under the rule must comply with the privacy requirements of HIPAA, including the ban on the sale of patient-identifiable information, the rule authors said. It acknowledges that “certain types of analysis could cause harm to patients,” such as an employer using the data to identify and fire employees with potentially high healthcare costs, or fraud or abuse of the healthcare delivery system.
But the rule does permit the sale of analysis that contains personal identifiers such as a person's name and data of birth. These identifiable data sets can be sold only “to providers or suppliers with whom the subject individuals have an established patient relationship” maintained within the past 12 months.
Other than that, patients' data in these analyses must be de-identified to HIPAA privacy rule requirements. The CMS rule, however, points out the agency has “limited authority” over authorized users once they've received data or analysis from qualified entities.
The agency attempts to address this potential loophole by requiring qualified entities to use “legally binding agreements with any authorized user to whom it provides or sells” its private analysis work.
These agreements would bind employers and other customers of the organizations selling the data and analyses from using the products for marketing or “harming or seeking to harm patients.”
But the CMS also allows authorized users to share the data products to other authorized users, provided these recipients in turn use them for “performance improvement.”
The tension between the need to protect privacy and the goals of the initiative are playing out in other big data initiatives, too, such as precision medicine and a proposed rework of the Common Rule governing human research.
“There are all kinds of information that could be used for good things,” Nahra said. “That doesn't mean their aren't negatives. That information could be use for bad purposes. It's all a question of tradeoffs. It's a perfect public policy debate.”
The rule would also require federal data to be mixed with other claims data to make the combined data set more robust, though it does not set a minimum amount of non-federal data to be included in the mix.
On the other hand, if a health insurance company seeks to be a potential buyer of data or analysis from a qualified entity, it must contribute to the qualified entity sufficient amounts of its own data. These amounts must represent a majority of its “covered lives” for the geography and time period covered by the qualified entity's research, the proposed rule said.
The requirement “would encourage (health insurance) issuers to submit data to the qualified entity to be included in the public performance reports,” increasing their sample size and reliability.
The public comment period on the proposed rule is open through March 29.
