In recent years many health care providers and managers have told me, time and again, that the health care world is accustomed to managing confidential patient information, and therefore doesn't need much in the way of social media training and policy development. This week brings news that should make those folks sit up and take notice. A physician in Rhode Island, who was fired for a Facebook faux pas, has now been fined by the state medical board as well. The physician posted a little too much information on Facebook -- information about a patient that, combined with other publicly available information, allowed third parties to identify the patient. The details of the story are available here and here.
The key takeaway from this story -- and the Johnny-come-lately approach to health care social media taken by the Rhode Island hospital in question and the Boston teaching hospital that the Boston Globe turned to for comment -- is that prevention is the best medicine.
Facebook and other social media are a fact of life, and cannot be ignored by health care providers and organizations. They can even be used as a force for good. As one example, take note of the recently-announced initiative by my colleague, Dr. Val, to start up a peer-reviewed tweetstream, @HealthyRT. At he very least, health care providers and organizations should be monitoring social media for mentions so that they can reach out, as may be necessary, to address health care and public relations issues.
HIPAA issues in the Rhode Island case led to sanctions -- not by the federales or the state AG enforcing HIPAA -- but by the medical board and the physician's employer. These sanctions, and the harm they are ineffectually seeking to remedy, may have been avoided entirely by some preventive medicine: health care social media policy and procedures development through an inclusive process that would create a broad sense of ownership and responsibility, combined with greater understanding and sensitization, across clinical and non-clinical staff. Here's hoping that health care provider organizations who are learning about these issues through the missteps of others are able to take proactive steps to avoid receiving this same kind of negative publicity themselves.
ACO regulations and related federal issuances hit the street last Thursday, after several months of waiting -- from CMS, OIG, FTC, DOJ and IRS. They cover the waterfront, ranging from the central regulation defining the structure and workings of the ACO, to limited Stark self-referral ban and anti-kickback statute waivers in the fraud and abuse arena, to new frameworks for antitrust analysis, to rules governing joint ventures involving taxable and tax-exempt organizations.
Update 11/12/2011: The final ACO Regulations are out - follow the link to my thoughts (camel, not unicorn), links to all of the final regs and issuances, and to an archived webinar on the final ACO regs and what they mean for the health care marketplace.
Here are a few points to consider as part of a first look at the ACO rules:
1. The rules were worth the wait. There are a lot of moving parts to coordinate, and the multi-agency effort really came together. The CMS rule also retains a fair amount of flexibility. Some requirements are very specific, but others much less so. (For one example of specific guidelines, take a look at the eight-part definition of patient-centeredness; an organization must satisfy all eight in order to be an ACO. Other requirements have no detail at all, and CMS will look to applicants to explain how they meet the requirements, without giving any hints.)
2. This is the Frankenstein regulation: A Medicare beneficiary must sit on the board of the ACO, CMS must approve all marketing materials before they are used .... These requirements may be traced back to origins in CMS demonstration project and Medicare Advantage policies, respectively, and illustrate the way in which CMS took a short statute and really put some meat on the bones. Some may balk at the weight of the requirements limiting the options of an ACO.
3. CMS has bootstrapped a law aimed at ACOs serving at least 5,000 Medicare beneficiaries each into a system of rules that effectively requires that commercial business be handled in an ACO-like manner. This, among other infrastructure requirements (e.g., 50% of ACO docs must be meaningful users of EHRs), leads to the conclusion that there will be relatively few ACOs, at least initially. CMS estimates 75-150 nationwide. There are, of course, many unanswered questions about what a commercial ACO would look like. One model I am familiar with -- here in the People's Republic of Massachusetts -- is the AQC, or Alternative Quality Contract offered by Blue Cross Blue Shield of Massachusetts to providers enrolled in its HMO Blue product. One question is whether a slightly different financial model could apply to the commercial side of the house. One model worth a close look is Jeff Goldsmith's proposed ACO model, which would treat primary care, emergency and diagnostic care, and episodes of specialty care in three distinct ways.
In brief, Goldsmith recommends risk-adjusted capitation payments for primary care, fee-for-service payments for emergency care and diagnostic physician visits, and bundled severity-adjusted payments for episodes of specialty care. Primary care would be provided through a patient-centered medical home model, which would likely have a collateral effect of reducing the total volume of emergency care and diagnostic physician visits. Specialty care would be provided through "specialty care marts," ideally more than one per specialty per market to maintain a little healthy competition.
A quick explanation of this approach to an intensivist over the weekend elicited a favorable response.
4. Also in the bootstrapping department, CMS has shifted the ACO from a "shared savings" approach to having ACOs share risk as well as the upside. Of course, this makes a lot of sense; a number of commentators, including the HealthBlawger, had lamented the fact that risk sharing was left out of the statute. CMS has used its general waiver and demo authority under the ACA to move the ACO into risk sharing. The ACO may choose: share risk from day one, and enjoy a potentially higher percentage of the upside, or defer the risk sharing to year three.
5. The retrospective nature of patient attribution and savings calculations mean that each ACO must treat every Medicare fee-for-service patient as if he or she is "theirs." Patients have the right to decide whether they want their data shared with an ACO; if enough patients are spooked by health care data privacy and security issues, fewer and fewer will authorize the sharing from CMS to the ACO, and the ACO will have to drive by feel -- or base its management of Medicare beneficiaries on its management of its general patient population.
6. Organizations that dominate their local markets may be the most successful as ACOs, but they may face the most involved antitrust review at the hands of the FTC/DOJ.
7. Scoring on 65 quality metrics in 5 domains will help determine the amount of any shared savings to be paid to an ACO. One domain, patient experience of care, links up nicely with the patient-centeredness threshhold requirement noted above. (For private sector attention to patient experience, see what the Leapfrog Group is doing in this domain, using some of the same measures.) While some may bristle at the number of metrics, it is worth noting that these metrics are all drawn from existing sets of measures.
8. All in all, the regulations represent the first stage of realizing the ACO vision expressed by Don Berwick last fall: there is a field open to experimentation (albeit a field likely limited to large networks of significant means that can underwrite the up-front infrastructure costs), and the ACO rules sketched out in the statute and further delineated in the regulations will enable CMS to incentivize the provider community to help achieve the triple aim of better care for individuals, better health for populations and reduced per-capita costs.
