Healthcare (2016), article in press. http://dx.doi.org/10.1016/j.hjdsi.2016.07.001
Journal homepage: www.elsevier.com/locate/hjdsi

Opinion paper

Is it time for a HIPAA for physicians?

Sarah Gebauer a,b,*, Timothy Petersen a, Elizabeth Steele a

a Department of Anesthesiology and Critical Care Medicine, University of New Mexico, Albuquerque, USA
b Department of Internal Medicine, Division of Palliative Care, University of New Mexico, Albuquerque, USA

Article info

Article history: Received 7 November 2015; received in revised form 17 June 2016; accepted 25 July 2016.

Abstract
Practices, hospitals, and healthcare systems are increasingly able to collect data about individual physician clinical performance. There is a strong temptation to use the data to make decisions about physicians' quality of care without first taking the time to establish a system that ensures valid conclusions. In addition, physicians are not informed that their data are being used, and thus do not have an opportunity to correct any inaccuracies. A HIPAA-equivalent law or regulation for physicians would help patients and physicians more accurately address these and other issues related to complex healthcare data. FERPA provides a useful framework for these concerns.

© 2016 Elsevier Inc. All rights reserved.
* Corresponding author at: Department of Anesthesiology and Critical Care, MSC10-6000, 1 University of New Mexico, Albuquerque NM 87131, USA.
E-mail addresses: [email protected] (S. Gebauer), [email protected] (T. Petersen), [email protected] (E. Steele).

1. Introduction

Imagine an ophthalmologist whose public records state that her patients were twice as likely to go to the emergency room after surgery than the national average. Would you choose her as your physician? Probably not. In fact, you would probably actively avoid being in her care. That she saw fifty percent more patients than average, most with more comorbidities than average, may not be mentioned in these records due to a lack of data sophistication. Without relevant safeguards, the physician will not necessarily know that these data are being used and presented in this way, or have a way to appeal the possibly unfounded impression that she provides poor quality care. The public in its turn may also be unaware that an apparently objective ranking system contains such serious flaws.

Government agencies, insurers, hospitals, and practices have begun collecting, using, and transmitting data on individual physician clinical performance. We have entered the era of Big Data for healthcare, in which physicians' performance data are monitored and reported to a variety of users, and not necessarily with providers' knowledge or consent. Few states have enacted legislation to regulate data transmission and ensure accuracy for providers. For patients, the Health Insurance Portability and Accountability Act (HIPAA) was enacted due to patient complaints that private data were being transmitted without their knowledge and consent. Physicians currently do not have the right, in all states, to review and correct records, establish a formal hearing process for disagreements, or require publication of formulas used to determine any derived ranking. Indeed, the accumulated patient data is almost always linked to one or more physicians, and – unlike patient data – physician data can be sent to almost anyone, with physician identifiers in place, without the physician's knowledge. Is it time for a HIPAA equivalent for physician clinical performance data?

One partial template for the regulation of physician clinical performance data use and disclosure is the Family Educational Rights and Privacy Act (FERPA). It gives parents and students the right to review and correct records, and includes a formal hearing process for disagreements. The law allows schools to disclose only limited information without consent, with exceptions for certain parties like school officials and the juvenile justice system [1]. The law was enacted in 1974, and there are initiatives in multiple states and both chambers of Congress to update it given increasing technological capabilities [2]. FERPA does not directly address the validity of analyses based on student data. Still, it provides a framework for ensuring that the data are correct, and released only with the knowledge of the affected individuals.
2. Background

Governmental entities, insurance providers, hospitals, and practices face enormous pressure to demonstrate that they provide high-quality care. The availability of physician data, whether through an electronic medical record or more sophisticated registries, leads to a temptation to use it expeditiously, rather than following rigorous methods of analysis. These data lend a veneer of objectivity, but the conclusions and interpretations formed are not necessarily valid. For example, a recent New England Journal of Medicine article focused on flaws in ProPublica's surgeon ranking system and the false sense of accuracy it provides [3]. Notably, the system is based on insurance claims data, which bear only a loose relationship to individual surgeon performance, and on a quantity of data that is inadequate to rank them with the kind of precision ProPublica implies.

Even when organizations address data quality, analysis, and governance issues thoughtfully, there are additional caveats. Overly specific quality measures may not provide a full view of a provider's overall performance. For example, one study found that “76% of the physicians ranked in the highest third for at least 1 measure, [but] 81% of these high performers ranked in the lower third for at least 1 other measure” [4]. Policymakers and the public deserve ways to find “good” (as well as “poor”) doctors that are reliable and valid.

Traditionally, some amount of information on providers receiving public funds – which includes most of the healthcare provider workforce – has been available not only to the physician's employer or hospital, but also to the public. This kind of accountability serves the public and should continue. Under the Freedom of Information Act, the Centers for Medicare & Medicaid Services (CMS) says it will “weigh the balance between the privacy interest of individual physicians and the public interest in disclosure of such information” [5]. One author writes in the Journal of the American Medical Association that “it is reasonable for physicians and other healthcare professionals who bill Medicare to assume that their claims data may eventually become public” [6]. And indeed, a lawsuit by the Wall Street Journal has already prompted Medicare to release data for individual billers [7]. One of the top 2012 billers identified by that release has since been indicted for health care fraud [8].
But while claims data provide relatively straightforward information about what a practice bills, they include no analysis, and analysis of this dataset is not necessarily even advisable. The primary data-management goal in medicine has typically centered on the security and appropriate use of patient data. The development of HIPAA formalized the extensive list of patient data that is considered protected, and the law is now ingrained in medical culture. Most healthcare institutions maintain large amounts of patient data that must be protected by law, both in terms of privacy and security.
3. Governmental acts related to individual physician clinical performance data

As the largest single payer of healthcare in the United States, the federal government has a large influence on the way health care is delivered, measured, and paid for in the US. Over the last decade, CMS has initiated several programs to link payments to quality. In 2015, the US Department of Health and Human Services explicitly “set a goal of tying 85% of all traditional Medicare payments to quality or value by 2016 and 90% by 2018” [9]. While the federal government is establishing metrics and methods with public input, private health care plans have been moving forward with implementation, such as United Healthcare's Premium Designation Program [13].

Concerns about the fairness and accuracy of the Premium Designation Program led to a lawsuit in New York in 2007. As a result, the Attorney General of New York, Andrew Cuomo, released a New York Ranking Model Code which was quickly adopted by many national and regional insurers. The New York code, which the Attorney General's office considered a “national model,” has several key provisions: ranking cannot be based solely on cost, and must identify cost rankings as such; metrics must use nationally accepted standards; accurate methods must be used to make comparisons, such as sampling and risk adjustment; disclosures are required for consumers and physicians, with mechanisms for complaints and appeals [10,11]; and an independent “Ratings Examiner”, hired by the insurance plans, reports on compliance issues to the state Attorney General every six months. Since 2007, several states including Colorado, Oklahoma, Maryland, and Texas have introduced regulatory legislation along the lines of the NY ranking model code. These laws generally require health plans to follow specific standards and procedures when using clinical performance data to rate physicians [12]. Though the New York initiative provides a national model, it does not necessarily apply at the federal level. A summary of selected legislation is provided in Table 1.

PPACA, MACRA, and New York's code acknowledge – but do not solve – many of the issues of physician clinical performance data such as data quality, data analysis, and data governance. Table 2 provides an outline of suggested aspects of legislation for physician clinical performance data. While these recommendations are not specific, they provide a structure of crucial considerations for lawmakers. Ensuring that physician clinical performance data meet these standards will help not only physicians to protect their professional reputation and practice, but enable patients to make well-informed decisions based on meaningful data.

3.1. Data governance and stewardship

The governmental acts also touch upon crucial issues about transparency and fairness, which are fundamental to data stewardship (issues surrounding its collection and use) and governance (the relevant policies and decisions). With large amounts of data being transferred through multiple systems, opportunities exist for errors in transmission, analysis, or presentation. MACRA addresses this vulnerability by stating that the government “shall provide for an opportunity for a professional… to review, and submit corrections for, the information to be made public” [14].
Similarly, Colorado law establishes an appeals process for physicians who disagree with their rating, and possibly the ability to sue if a ranking organization makes an error [12]. The idea of a physician appeal of his data is a complex topic that involves unresolved questions of whether the disputing physician can have access to all or parts of the database – which may include protected patient information – to verify data accuracy. If errors are discovered, the agency involved may then need a system to correct the data of other physicians.

The methods used in these analyses or rankings should also be open for public review and comment. A recent article [15] purported to identify substantial variability in cardiac anesthesiologists' outcomes, and identified a large subset of substandard anesthesiologists. This was published in a well-known specialty journal and passed both formal peer review and the review of the journal's statistics editor. Only on further review, by the wider specialist and statistical communities, was a serious error with that analysis identified. The error was highly technical and not immediately obvious, but was sufficiently serious to warrant retraction of the article [16]. When the error was addressed, the putative difference simply vanished, and the anesthesiologists' apparent substandard performance was revealed to be simple random variation within an acceptable range [17]. This example illustrates how easily inaccurate conclusions can be drawn, even by people with extensive data experience, and the importance of public review of all analytical methods.
Table 1. Governmental acts related to collection of individual physician clinical performance data (act – summary of key points and considerations).

Federal acts

Physician Quality Reporting System (PQRS) – 2006: Established incentive payments and payment adjustments (penalties) for CMS. Quality metrics change year by year and by specialty. Reporting can be completed individually and/or as a group.

Patient Protection and Affordable Care Act (PPACA), aka Obamacare, which includes Physician Compare – 2010: Publicly accessible website intended for patients to evaluate their health care providers. Currently only reports demographic data and participation in quality reporting such as PQRS and the EHR Incentive Program. Requires data be valid and attributed correctly, and allows providers to review results, among other protections. Public reporting benchmarks are being developed.

Medicare Access and CHIP Reauthorization (MACRA), which includes the Merit-Based Incentive Payment System (MIPS) – 2015: Individual physicians will receive scores based on quality, value, clinical practice improvement, and others, which are linked to monetary adjustments. Metrics and methods have not been released.

State acts

New York, Model code for physician ranking programs – 2007: Required insurers to use nationally accepted metrics for performance (not just ranking by cost), have provisions for disclosure to consumers and physicians, and pay for an independent “Ratings Examiner” who reports compliance to the Attorney General every six months. (1, 2)

Colorado, Physician Designation Disclosure Act – 2008: Addresses data integrity, disclosure, fair process and enforcement. (3)

Table 1 sources:
1. Attorney General Cuomo, Senate Majority Leader Joseph Bruno and Assembly Speaker Sheldon Silver Agree to Pass Doctor Ranking Legislation in New York; 2007 [cited 2016 June 16]. Available from: http://www.ag.ny.gov/press-release/attorney-general-cuomo-senate-majority-leader-joseph-bruno-and-assembly-speaker-0.
2. Attorney General Cuomo Announces; 2007 [cited 2016 June 16]. Available from: http://www.ag.ny.gov/press-release/attorney-general-cuomo-announces.
3. Cartwright-Smith L, Rosenbaum S. Fair process in physician performance rating systems: Overview and analysis of Colorado's Physician Designation Disclosure Act. BNA's Health Care Policy Report. 2009;17.

Table 2. Legislative framework for governance and stewardship of provider clinical data.

Who is protected? All eligible providers, as defined by CMS.

What entities are covered by this law? Entities that analyze physician clinical performance metrics would be held to this standard. Patient reports of physician care would be explicitly excluded.

Which records and analyses are covered? Records of physician clinical performance based on aggregate patient records, including any clinical process or outcome measures associated with an individual clinician or group. Analyses of said records that are either intended for release to the public, or that have been released. Analyses that may affect a protected provider's employment, hospital privileges, or contract with an insurance company or other payer.

What is not included? Records held by individuals, or generated specifically for law enforcement, in connection with lawsuits, or other legal situations with specific concerns such as medical board complaints.

What can be removed from the record prior to a clinician viewing her or his own record? Information about other clinicians.

Who is entitled to view a record? The clinician, an agent acting on the clinician's behalf, or pursuant to legal action.

What notification is required? Notification should be provided at least 60 days prior to release. The law should outline processes for dispute resolution and hearings. In the case of unintended release, notification should occur without unnecessary delay after the breach is discovered.

What methodologies and data were used? The methodologies used to arrive at rankings and conclusions, as well as a description of the data used that is sufficiently specific for the clinician to verify it, must be disclosed.

What are the minimum standards for the analyses themselves? Accurate attribution of patients to providers. Appropriately updated and specified period of assessment. Practice guidelines and performance measures used must be: a) promulgated/endorsed by national organizations, b) evidence- and consensus-based when possible, and c) pertinent to the physician's practice. Statistical analysis must be accurate, valid, and reliable, with specified standards for statistical adjustment to relevant factors, e.g. comorbidities and case mix. A conspicuous disclaimer about the rating's limitations and caveats for interpretation must be included with any release.

How is this to be enforced? Violations would be defined as “unfair/deceptive business practices” or violations of consumer protection acts. Permit enforcement via civil action and other appropriate remedies. Prohibit any contractual limitation of the physician's right to enforce (e.g. waivers in an employment contract).

4. Discussion

All healthcare stakeholders – payers, hospitals, practice groups, physicians, and patients – have an interest in accurate, valid, and transparent physician evaluations. Withholding all information about physician performance from patients would be clearly unethical. Analysis of data as complex as medical information, however, requires the expertise of trained data scientists. It is easier, cheaper, and faster to simply look at the raw data, but unfortunately this will often lead to incorrect conclusions. The methodology used to measure physician clinical performance should be both validated and clearly disclosed. When fair, accurate, and valid information is available, all stakeholders benefit. Payers and practice groups can make better business decisions, patients can select physicians with more confidence, and physicians can realize a competitive advantage.
An important distinction is that between online rating systems published by an official body or interest group, and patient reviews of physicians. As society moves toward customer reviews for nearly everything, such as restaurants and car services, consumers have become familiar with the inherent biases in those systems. Patient reviews of physicians are a separate issue and require no data analysis. Making physician-specific patient satisfaction scores, also called patient experience of care, publicly available may even benefit physicians [18]. It is notable that most rating services, such as Yelp, provide a mechanism for the business or service provider to respond directly to customer comments. Ratings published by government or large organizations, however, carry a different weight and different expectations of correctness among consumers. Additionally, it may be difficult for physicians to respond publicly without violating HIPAA.

One important question that remains is: who will be responsible for quality control for physician data? Debates related to oversight of personal electronic data have been ongoing for many years. For example, the Fair Information Practice Principles of the 1970s identify a person's right to enforcement measures related to personally identifiable information and serve as the basis of many privacy laws. However, accountability is often self-regulated by companies or agencies using the data, and redress is not necessarily enforceable by law [19]. Critics of self-regulation propose that this method is insufficient, and advocate for more governmental regulation [20]. A thorough mechanism to ensure physician data quality would be complex and would likely include a variety of methods, including intermittent audits to assess data quality, regular reassessment of metrics and methods of risk adjustment, and ongoing input from national and professional societies.
The development of clear standards and expectations for physician data would be a first step in providing organizations with guidance about acceptable use, which could then be used to evaluate the adequacy of an organization's self-regulation. A group composed of scientists, patient advocates, physicians, healthcare organizations, and governmental representatives would be well-positioned to develop systems that provide fair, useful, and high-quality data to all involved.

The multiple issues with individual physician performance data make it clear that compiling and reporting accurate data with valid conclusions is extremely difficult. The current unstructured, semi-secret environment is untenable and contrary to the interests of everyone involved. A HIPAA equivalent for physicians would ideally establish rules for: physician notification prior to data use or transmission, physician ability to review her own data, a physician appeals process, and national standards for data accuracy and analysis validity. Until these regulations are put into place, the public is ill-served and physicians are subject to the whims and interpretations of anyone who happens to hold the data.
References

1. Family Educational Rights and Privacy Act (FERPA). U.S. Department of Education [cited 2015 October 7]. Available from: http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
2. Ferpa Sherpa: Policymakers. Ferpa Sherpa [cited 2015 October 7]. Available from: http://ferpasherpa.org/p-m.html.
3. Rosenbaum L. Scoring no goal – further adventures in transparency. N Engl J Med. 2015 Sep 2. PubMed PMID: 26332360.
4. Parkerton PH, Smith DG, Belin TR, Feldbau GA. Physician performance assessment: nonequivalence of primary care measures. Med Care. 2003 Sep;41(9):1034–47. PubMed PMID: 12972843.
5. Crossing the Quality Chasm: A New Health System for the 21st Century. Institute of Medicine; 2001 [cited 2015 November 10]. Available from: http://iom.nationalacademies.org/Reports/2001/Crossing-the-Quality-Chasm-A-New-Health-System-for-the-21st-Century.aspx.
6. Steinbrook R. Public disclosure of Medicare payments to individual physicians. JAMA. 2014 Apr 2;311(13):1285–6. PubMed PMID: 24535488.
7. Weaver C, Barry R, Stewart C. Small group of doctors are biggest Medicare billers. Wall Street Journal, June 1, 2015 [cited 2015 October 18]. Available from: http://www.wsj.com/articles/small-group-of-doctors-are-biggest-medicare-billers-1433182524.
8. South Florida Doctor Indicted for Medicare Fraud. Department of Justice; April 14, 2015.
9. Better, Smarter, Healthier: In historic announcement, HHS sets clear goals and timeline for shifting Medicare reimbursements from volume to value. Department of Health and Human Services; January 26, 2015 [cited 2016 May 11].
10. Attorney General Cuomo, Senate Majority Leader Joseph Bruno and Assembly Speaker Sheldon Silver Agree to Pass Doctor Ranking Legislation in New York; 2007 [cited 2016 June 16]. Available from: http://www.ag.ny.gov/press-release/attorney-general-cuomo-senate-majority-leader-joseph-bruno-and-assembly-speaker-0.
11. Attorney General Cuomo Announces; 2007 [cited 2016 June 16]. Available from: http://www.ag.ny.gov/press-release/attorney-general-cuomo-announces.
12. Cartwright-Smith L, Rosenbaum S. Fair process in physician performance rating systems: overview and analysis of Colorado's Physician Designation Disclosure Act. BNA's Health Care Policy Rep. 2009;17.
13. UnitedHealth Premium Physician Designation Program Detailed Methodology [cited 2016 May 6]. Available from: https://www.unitedhealthcareonline.com/ccmcontent/ProviderII/UHC/en-US/Assets/ProviderStaticFiles/ProviderStaticFilesPdf/Unitedhealth Premium/Detailed_Methodology_2014–2015.pdf.
14. H.R. 2 – 114th Congress: Medicare Access and CHIP Reauthorization Act of 2015. Library of Congress [cited 2015 July 8]. Available from: https://www.congress.gov/bill/114th-congress/house-bill/2/text.
15. Glance LG, Kellermann AL, Hannan EL, Fleisher LA, Eaton MP, Dutton RP, et al. The impact of anesthesiologists on coronary artery bypass graft surgery outcomes. Anesth Analg. 2015 Mar;120(3):526–33. PubMed PMID: 25695571.
16. Shafer SL. Broken hearts. Anesth Analg. 2016 May;122(5):1231–3. PubMed PMID: 27101479.
17. Glance LG, Hannan EL, Fleisher LA, Eaton MP, Dutton RP, Lustik SJ, et al. Feasibility of report cards for measuring anesthesiologist quality for cardiac surgery. Anesth Analg. 2016 May;122(5):1603–13. PubMed PMID: 27101502.
18. Lee VS. Why doctors shouldn't be afraid of online reviews. Harvard Business Review; 2016 [cited 2016 May 6]. Available from: https://hbr.org/2016/03/why-doctors-shouldnt-be-afraid-of-online-reviews.
19. Appendix A – Fair Information Practice Principles (FIPPs). National Strategy for Trusted Identities in Cyberspace [cited 2016 June 14]. Available from: http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.
20. Reidenberg JR. Restoring Americans' privacy in electronic commerce. Berkeley Technol Law J. 1999;14(2):771–792.
Conflict of interest disclosure statement

This statement accompanies the article "Is it time for a HIPAA for physicians?" authored by Sarah Gebauer and co-authored by Timothy Petersen and Elizabeth Steele and submitted to Healthcare as an Article Type. The authors collectively affirm that this manuscript represents original work that has not been published and is not being considered for publication elsewhere. We also affirm that all authors listed contributed significantly to the project and manuscript. The authors report no conflicts of interest.

Consultant arrangements: None. Stock/other equity ownership: None. Patent licensing arrangements: None. Grants/research support: None. Employment: None. Speakers' bureau: None. Expert witness: None.