Proposed Regs for ACOs Leave Many Questions Unanswered

On March 31, 2011 the Centers for Medicare & Medicaid Services (“CMS”) released the much-anticipated proposed regulations for the creation of Accountable Care Organizations (“ACOs”), which were published in the Federal Register on April 7. ACOs are a key component of the Patient Protection and Affordable Care Act (“PPACA”) and are referenced in PPACA as part of the Medicare Shared Savings Program (Section 3022 of the Patient Protection and Affordable Care Act, Pub. L. 111-148 (Mar. 23, 2010), codified at 42 U.S.C. 1395jjj). Following the launch of the ACO program on January 1, 2012, CMS expects 5 million Medicare beneficiaries to eventually receive care through an ACO.

ACOs are coordinated healthcare delivery systems in which provider reimbursements are tied to quality measures and overall reductions in the cost of healthcare. In theory, ACOs will be able to maximize value by using a patient-centered team approach to care. In the ACO model, providers regularly communicate and collaborate on various aspects of patient care, ensuring continuity and consistency in care delivery. This approach stands in stark contrast to many current delivery models in which providers operate in silos, often creating disjointed or uncoordinated patient care. 

Structurally, an ACO will consist of a group of healthcare providers – physicians, physician groups, hospitals, and other suppliers of health services or provisions – contracting with each other and with CMS to provide comprehensive care for patients. While providers will still receive Medicare fee-for-service payments, the ACO will share in any savings it achieves for the Medicare program. At the same time, however, ACOs would be liable for any losses to Medicare. This “blended” reimbursement model eliminates incentives for overutilization inherent in a traditional fee-for-service system, yet also disincentivizes underutilization because some fee-for-service reimbursement remains.

What did the proposed regulations establish?

Broadly, the proposed regulations establish the ground rules for ACOs, although there are still many unknowns. Once formed, ACOs are subject to CMS approval and will be required to enter into a three-year contract. Among the many threshold requirements set forth are the following: each ACO must have at least 5,000 Medicare beneficiaries; ACOs must agree to data-sharing provisions with CMS; and ACOs must have 50 percent of their primary care physicians using Electronic Health Records in compliance with the HITECH Act. ACOs must also have systems in place to track 65 quality metrics across five domains: patient care experience, care coordination, patient safety, preventative health, and at-risk population health.

In exchange for an ACO’s commitment to these provisions, the ACO can select one of two reimbursement “tracks.” In Track 1, the ACO will share in savings only for the first and second year of its CMS contract; in the third year, the ACO will share in both savings and losses. In Track 2, the ACO will share in savings and losses for the duration of the contract. For ACOs in either track, in order for savings to accrue, the ACO must achieve between 2.0 and 3.9 percent savings below the CMS-established benchmark. Each ACO’s precise savings target will be established by CMS on a sliding scale related to ACO size.


What is still to be determined?

Although the proposed regulations answer many questions regarding ACOs, there is still a significant amount of uncertainty regarding their functionality. In particular, stakeholders are anxious about how ACO provisions will work in the context of tax law, anti-trust law, the Stark Law, the Anti-Kickback Statute (“AKS”), and other fraud and abuse laws.


Thus far, CMS has proposed several waivers, exceptions, and safe harbors to deal with the panoply of healthcare laws implicated by ACO formation, financial arrangements, and reimbursement schemes. Although CMS acknowledges that to date “no clear consensus has emerged on the scope of the waivers necessary to carry out the Medicare Shared Savings Program,” CMS has proposed to waive application of Stark and AKS insofar as the law applies to disbursements and distribution of shared savings within the ACO membership and the arrangement is otherwise compliant with the law or falls within an existing exception. CMS is actively seeking comment regarding other types of waivers not yet contemplated in the proposed regulations. Specifically, CMS is interested in public perspectives on waivers that may be necessary to achieve compliance in the formation of an ACO, in pursuit of the ongoing goals of the ACO, in contracting with outside entities, and in distributing payments received from private payers.


To further inform public comment and the final regulations, CMS has engaged the Department of Justice (“DOJ”), the Federal Trade Commission (“FTC”), and the Internal Revenue Service (“IRS”) to issue guidance regarding their respective areas of enforcement. Although additional information is forthcoming, the DOJ and FTC have issued a joint statement addressing proposed anti-trust enforcement measures, and the IRS has released a notice regarding implications of the tax code for ACOs.
ACOs have the potential to transform healthcare delivery, and they are a key component in the federal government’s renewed focus on quality of care. However, in order for ACOs to achieve their potential, CMS must ensure ACO implementation is consistent with the policies and objectives of other laws targeting the healthcare industry. Absent increased predictability and certainty regarding application of these laws in the ACO context, healthcare providers and entities will be reluctant to engage in ACO transactions. 

Healthcare Professionals Call on FTC for Exemption from its Red Flags Rule

Will health care providers be the second profession to escape the Federal Trade Commission's (FTC) Red Flags Rule?  The heads of the American Dental Association, the American Medical Association, the American Osteopathic Association, and the American Veterinary Medical Association hope so, and they're asking the FTC to declare that its identity theft prevention rule (Red Flags Rule or Rule) does not apply to their licensed professionals.

In light of the November 2009 United States District Court decision in American Bar Association v. FTC, which held that the Red Flags Rule did not apply to legal professionals, the healthcare organizations issued a joint letter to the FTC requesting the same treatment.

The healthcare organizations specifically requested that the FTC:  (1) Announce that the Rule will not be applied to licensed health care professionals until at least ninety days after the final resolution of the ABA litigation and (2) Commit that if the result of the final ABA litigation is that the Red Flags Rule will not be applied to lawyers, the FTC will not apply the Rule to licensed health care professionals either.

The letter noted the substantial cost and burdens on healthcare professionals in complying with the Rule and stated that if lawyers were exempt from the Rule it would be "manifestly unfair" to subject healthcare professionals to it.

D.C. Court Holds that the FTC Cannot Enforce its Red Flags Rule Against Attorneys

On December 1, 2009, the U.S. District Court for the District of Columbia issued a written opinion siding with the American Bar Association’s (ABA) challenge against the Federal Trade Commission’s (FTC) Red Flags Rule and prohibiting the FTC from enforcing its Rule against attorneys.

Among its reasons for so holding, the court declined to classify attorneys as “creditors” under the Rule.  The court stated that “credit is a specific subset of activity…which does not logically or commonly apply to attorney billing practices.”  The court went on to note that attorneys are not granting clients the right to postpone payment simply because they do not demand immediate payment from clients.  Rather, attorneys invoice clients for their own convenience, because of ethical rules which prohibit payment for services not yet rendered, and because of the unpredictable nature of the practice of law, which would make it unreasonable for attorneys to immediately calculate and collect their fees.

The court’s ruling could well have a significant impact beyond the legal arena, as several professions, including health care providers, have made similar arguments as to why they should not be subjected to the FTC’s Red Flags Rule.


And Yet Another Delay... Red Flags Rule Enforcement Date Pushed Back Until June 2010

The Federal Trade Commission (FTC) announced that it will delay the enforcement of its Red Flags Rule for a fourth time, extending the start date to June 1, 2010.  The FTC previously delayed enforcement until November 1, 2009, but decided on the further extension due to a request from members of Congress.

The Red Flags Rule addresses identity theft and requires certain "creditors" to develop identity theft prevention programs.  You can learn about the specific requirements of the Red Flags Rule in a prior DGS post.

Bill Introduced in the House Would Exclude Some Healthcare Providers from FTC Red Flags Rule

On October 8, 2009, Representative John Adler (D-NJ) introduced House Bill 3763 (PDF), which would exclude certain small businesses, including health care practices with 20 or fewer employees, from the FTC's Red Flags Rule.  The bill has been referred to the House Committee on Financial Services.  DGS will continue to track and report any noteworthy progress.

In July 2009, the FTC delayed enforcement of the Red Flags Rule for a third time, until November 1, 2009.  A prior DGS post provides more information on the requirements of the Red Flags Rule.

FTC and HHS Issue Breach Notification Rules for Electronic Health Information

As part of the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Congress directed the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to issue rules requiring certain entities to notify consumers if there has been a breach in the security of their personal health information. 

The FTC rule applies to vendors of personal health records, which provide online repositories for storage and tracking of health information, and entities that offer third-party applications for personal health records. These applications could include, for example, a blood pressure cuff whose readings consumers can upload to their personal health record. 

The HHS rule, developed by the Office for Civil Rights (OCR), applies to healthcare providers and other HIPAA covered entities.

Under the rules, those entities subject to either rule must notify consumers if there is a “breach” involving their “unsecured” health information. Additionally, if a service provider or business associate of one of the entities has a breach of its own, it must notify the entity, which in turn must notify consumers.

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of protected health information, which results in the compromise of the security or privacy of such information.

Entities that secure their electronic health records through encryption or destruction are not required to provide notification in the event of a breach, as long as they follow HHS guidance on the proper methods of securing information. As an accompaniment to its rule, HHS issued an update to its current guidance (PDF) on acceptable encryption and destruction methodologies, which would render sensitive information unusable to unauthorized individuals. The policy on encryption is technical in nature and entities would be well-advised to have their IT consultants carefully review, and as deemed necessary, implement the HHS guidance.

Notification Requirements:

In the event that a breach is discovered, an entity subject to either the FTC or HHS rule must comply with certain notification requirements, including the timing, method, and content of notification.

    • Timing: A consumer must be notified of a breach to the security of their information “without unreasonable delay” and in no case later than 60 days after the discovery of a breach.
    • Method: Written notification must be provided to the individual via first-class mail at the individual’s last known address, or if the individual agrees, by electronic mail. Where the entity lacks sufficient contact information, a substitute form of notice “reasonably calculated” to reach the individual must be issued. If the insufficient information involves less than 10 individuals, notice may be made by an alternative form of written information or by telephone. If the entity lacks adequate information for more than 10 individuals, the substitute notice must be placed in a conspicuous posting for a 90-day period, either on the home page of the website of the entity involved, or in major print or broadcast media in areas where the affected individuals are likely to reside.
    • Content: Notice must include, to the extent possible:
        1. A description of the types of information that were involved in the breach (e.g., social security number, date of birth, diagnosis);
        2. Any steps individuals should take to protect themselves from potential harm that could result from the breach;
        3. A brief description of the steps that the entity is taking to investigate the breach, mitigate harm caused by the breach, and to protect against any additional breaches; and
        4. Contact information for individuals to ask questions or obtain additional information. This contact information must contain a toll-free telephone number, email address, website, or postal address.

In addition to the above requirements, breaches involving 500 or more people must provide notice to prominent media outlets serving the state or jurisdiction where the breach occurred.

Finally, entities subject to either rule must provide notification to the FTC (for non-HIPAA covered entities) or HHS (for entities covered by HIPAA). The FTC has provided a standard form (PDF) which can be used to report an incident. This form requests information on the type of breach, the manner in which the breach occurred, the information involved, and what steps the entity is taking to investigate the breach.

The FTC final rule (PDF) will be published in the Federal Register shortly, and will be effective 30 days after publication. The FTC will begin enforcement 180 days after publication.

The HHS interim final rule (PDF) is effective 30 days after publication in the Federal Register (which should be sometime in mid- to late September) and includes a 60-day comment period.
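The timing, method, content and regulator-reporting requirements above are the part of these rules an incident response team actually has to operationalize. The following Python helper is an added example written for this post (it is not from DGS, the FTC or HHS): it turns the rules as summarized above into a notification plan for a constructed breach and checks a draft notice for the four required content elements. The `Breach` and `NotificationPlan` types, the field names, the sample breach and the handling of exactly 10 individuals lacking contact information (the post says "less than 10" and "more than 10", so 10 itself is grouped with the posting branch here) are assumptions of this example, not terms from the rules.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

NOTIFY_DEADLINE_DAYS = 60      # "in no case later than 60 days after the discovery"
SUBSTITUTE_POSTING_DAYS = 90   # conspicuous posting period for substitute notice
MEDIA_THRESHOLD = 500          # 500 or more people -> prominent media outlets
SMALL_GROUP_LIMIT = 10         # fewer than 10 without contact info -> alt. written/phone


@dataclass
class Breach:
    """Constructed description of a breach (example type, not a regulatory term)."""
    discovered_on: date
    affected: int            # individuals whose health information was involved
    missing_contact: int     # subset for whom no usable contact information exists
    hipaa_covered: bool      # True -> HHS/OCR rule applies, False -> FTC rule applies
    unsecured: bool = True   # False if the data was encrypted/destroyed per HHS guidance


@dataclass
class NotificationPlan:
    required: bool
    deadline: Optional[date] = None
    individual_methods: List[str] = field(default_factory=list)
    substitute_notice: Optional[str] = None
    media_notice: bool = False
    regulator: Optional[str] = None


def plan_notification(b: Breach) -> NotificationPlan:
    """Derive who must be told, how, and by when, from the rules summarized above."""
    if b.missing_contact < 0 or b.missing_contact > b.affected:
        raise ValueError("missing_contact must be between 0 and affected")
    if not b.unsecured:
        # Safe harbor: information secured per HHS guidance needs no notification.
        return NotificationPlan(required=False)

    plan = NotificationPlan(
        required=True,
        deadline=b.discovered_on + timedelta(days=NOTIFY_DEADLINE_DAYS),
    )
    if b.affected - b.missing_contact > 0:
        plan.individual_methods.append("first-class mail (or email if the individual agrees)")
    if 0 < b.missing_contact < SMALL_GROUP_LIMIT:
        plan.substitute_notice = "alternative written notice or telephone"
    elif b.missing_contact >= SMALL_GROUP_LIMIT:
        # Assumption: exactly 10 is treated like "more than 10" (the post leaves it open).
        plan.substitute_notice = (
            f"conspicuous posting for {SUBSTITUTE_POSTING_DAYS} days on the entity's "
            "home page or in major print/broadcast media where affected individuals reside"
        )
    plan.media_notice = b.affected >= MEDIA_THRESHOLD
    plan.regulator = "HHS" if b.hipaa_covered else "FTC"
    return plan


# The four content elements a notice must carry, keyed by example field names.
REQUIRED_NOTICE_FIELDS = {
    "information_types": "types of information involved (e.g. SSN, date of birth, diagnosis)",
    "steps_for_individuals": "steps individuals should take to protect themselves",
    "entity_response": "what the entity is doing to investigate, mitigate and prevent recurrence",
    "contact": "contact information for questions",
}
CONTACT_CHANNELS = ("toll_free_phone", "email", "website", "postal_address")


def notice_content_gaps(notice: dict) -> List[str]:
    """Return the names of required elements missing from a draft notice."""
    gaps = [name for name in REQUIRED_NOTICE_FIELDS if not notice.get(name)]
    contact = notice.get("contact") or {}
    # Contact info must offer at least one of: toll-free number, email, website, postal address.
    if "contact" not in gaps and not any(contact.get(c) for c in CONTACT_CHANNELS):
        gaps.append("contact_channel")
    return gaps


if __name__ == "__main__":
    # Constructed sample: a HIPAA covered entity discovers a breach of 1,200 records,
    # 25 of which have no usable mailing address.
    sample = Breach(date(2009, 9, 15), affected=1200, missing_contact=25, hipaa_covered=True)
    plan = plan_notification(sample)
    print(f"deadline {plan.deadline}, media={plan.media_notice}, regulator={plan.regulator}")
    print(f"substitute notice: {plan.substitute_notice}")
    draft = {"information_types": ["SSN", "diagnosis"], "contact": {"email": "privacy@example.org"}}
    print("missing elements:", notice_content_gaps(draft))
```

`plan_notification` only schedules and routes the notice; the 60-day figure is an outer bound, and the "without unreasonable delay" language means the deadline field should be read as the latest acceptable date, not the target. The `notice_content_gaps` check is deliberately strict about the contact element, since a notice that names a contact person but gives no channel to reach them does not satisfy the requirement as summarized above.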

FTC Again Delays Enforcement of its Red Flags Rule

The Federal Trade Commission (FTC) issued a press release on July 29, 2009, announcing another three-month delay in its enforcement of the Red Flags Rule. The enforcement date, which had been scheduled for August 1, 2009, will now be postponed until November 1, 2009.

The Red Flags Rule is an anti-fraud regulation, aimed at reducing identity theft by requiring "creditors" to develop programs to identify, detect and respond to "red flags" that might indicate an act of identity theft.  (You can learn more specifics about the Red Flags Rule in a prior DGS post.)

This delay was issued in response to the House Appropriations Committee’s recent request that the FTC defer enforcement in order to minimize the impact of the Rule on health care providers and other small businesses.

In its press release, the FTC publicized that it will increase its efforts to educate small businesses about compliance requirements and that it intends to provide additional materials and guidance to do so. A specific link for small and low-risk entities will be set up on the FTC’s Red Flags Rule website to enable these entities to easily access materials that are relevant to their compliance needs. 

The FTC already offers a Red Flags Rule FAQs section, which addresses many compliance and enforcement issues.

"Red Flags" Rule: New FTC Regulations Require Healthcare Providers to Combat Identity Theft

On August 1, 2009, the Federal Trade Commission (“FTC”) will begin enforcement of its "Red Flags" Rule, which is aimed at reducing identity theft.  The Rule requires creditors to look for "red flags" that signal possible identity theft, and applies to any “creditor” that maintains “covered accounts.”

While most healthcare providers wouldn't usually think of themselves as traditional creditors, the Rule's definitions are broad enough to bring them into that realm.

Under the Rule, a creditor is defined as any person or organization that “regularly extends, renews, or continues credit.”

  • When a healthcare provider allows a patient to pay for medical services after they are rendered or accepts payments over a period of time, that provider is acting as a creditor.

Covered accounts include:

  1. Accounts maintained by a creditor which are primarily for personal, family, or household purposes and are designed to permit multiple payments or transactions, or
  2. Any other account for which there is a “reasonably foreseeable risk to consumers” of identity theft.

  • Patient accounts likely fit within both of these categories.

Given the above, most healthcare providers will indeed need to comply with the "Red Flags" Rule.

View this "Red Flags" Rule PowerPoint presentation for a quick overview of the Rule's requirements and the consequences of noncompliance.

You can also consult the FTC's simplified "How-To Guide", which provides the basics for complying with the Red Flags Rule.