Are We Ready For ACOs? Security, Process Issues Abound

Posted on June 13, 2012 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Accountable Care Organizations are starting to emerge and solidify, though they still seem to be mostly the efforts of large integrated health systems dancing with large medical groups and partner hospitals with very strong IT departments.  In other words, ACOs don’t seem to be for the weak or poorly funded, at least not yet.

The business issues these entities face (aligning physicians with global goals, most particularly) are complicated and taxing enough. Once you’ve gotten those initiatives in motion, it’s time to interoperate and share data. After all, you have a better chance of accomplishing them if your group shares health data freely and uses advanced functions of EMRs to track collective clinical progress.

The thing is, even big, mature IDNs with a tightly-knit ACO group are still struggling with physician alignment and, as we all know, getting what they need from their EMR and health data exchange.

Given how hard creating consensus and sharing interoperable data is, it’d be nice to end the critique right there. But the truth is, shared goals and shared systems are just one layer of the problem.

One thing I don’t hear much of is serious discussion as to the security issues that open up when you share data across the porous borders of ACO partner organizations.

Now, I am neither a lawyer nor an engineer (IANALOE), so I’m not going to attempt to articulate any long list of specific security problems. But just because IANALOE doesn’t mean I can’t see the obvious:  Data shared widely is data exposed, unless you’ve got some great solutions in place.

Moreover, data shared among even partnered ACO organizations will pass through some organizations that have trained their staff effectively in HIPAA compliance, and others where the training was minimal or didn’t take.  This is a problem that must be faced by HIEs in any event, but even  more when providers need to manage at the case level, doing deep dives into patient records rather than skimming summaries and drug lists.

I’m not suggesting that ACOs don’t work — actually, I think they can perform very well — but I am suggesting that we aren’t taking the process and security issues as seriously as we should.  I do hope solutions to these problems emerge as ACOs refine their business models.  If not, I see some serious crashes in the future.