Under Federal Law, Omada is a Covered Entity and a Health Care Service Provider

Transcription

1 Under Federal Law, Omada is a Covered Entity and a Health Care Service Provider This document provides additional detail about Omada Health s status as a health care service provider and a covered entity that supplies health care services, as defined by both the Administrative Simplification regulations under the Health Insurance Portability and Accountability Act (HIPAA), and the Privacy and Security rules therein. In March 2017, the Centers for Medicare and Medicaid Services (CMS), in a public webinar, stated that for purposes of offering Diabetes Prevention Program (DPP) services to Medicare beneficiaries, CMS considered DPP providers to be providers and therefore covered entities, under the applicable regulations. This is consistent with the definition of provider found in HIPAA. The applicable regulation, 45 CFR , includes providers defined under the Social Security Act, and also includes: any other person who furnishes or bills and is paid for health care services or supplies in the normal course of business. CMS therefore recognized the applicability of provisions that have existed in HIPAA since the first proposed version of the Privacy Rule in The chronology of this rule is in the Appendix. Consistent with CMS s conclusion, Omada Health has always, since its founding, treated itself as a health care service provider that is a HIPAA covered entity which bills electronically for the services it supplies via an NPI. 1

2 Excerpt from CMS CDC live broadcast Excerpt from CMS CDC live broadcast Omada Health supplies its health care services under contracts with health plans, hospital or physician practices, or self-insured employee welfare benefit plans, all of whom are covered entities in their own right under HIPAA. Treating DPPs as health care service providers and therefore as covered entities as well has implications for the data relationships under HIPAA between Omada Health and its customers. The implications break down into three issues below: Privacy/Use of Data, Security of Data, and Data Science. 2

3 Privacy/Use of Data To make Omada Health s services available to a population requires first that the target population knows that it is eligible to receive Omada Health s services. This involves outreach to covered individuals about a health benefit available to them. Typically, to accomplish this, Omada Health receives from its customer a demographic file containing names and contact information for the target population. While there is an argument to be made that Omada Health could receive this file as a covered entity from another covered entity under various HIPAA rules, it s important that customers are confident that the data they supply is safely kept to their standards. Therefore, Omada Health typically agrees to receive this demographic file as the business associate of the customer. (See Illustration Normal Set Up.) The scope of that BAA is limited, however, to the demographic file. See blue lines and blue zones within Omada Health secure ecosystem. Once the demographic file has been securely received, Omada Health conducts outreach to the population. In response, the interested population goes through Omada Health s clinical risk screeners online. If accepted into the Omada program, the individual is enrolled and Omada Health DPP services begin. Data that Omada Health collects from the individual in their applications and after the individual is enrolled as a participant is PHI for which Omada Health is the covered entity, just as data a physician collects on a patient is that physician s responsibility, even if a health plan or employer is paying for the care. In Omada Health s case, the data will consist of lessons completed, weights, food intake, and messages. Omada Health s data collection from individuals is legally identical to data collected by a physician, hospital, etc. See the Normal Set Up illustration below, with the orange zones defining the Omada Health ecosystem. When Omada Health is requested to supply data back to its customer/payer, the HIPAA rules continue to apply to all data we have collected from the individual. This is why Omada Health requires clear documentation when supplying participant PHI back to a customer or to a customer s data analytics service provider. This documentation may be through contract terms, letters of agreement, non-disclosure agreements, and/or data request forms, depending on the situation. In addition, while Omada Health is allowed to supply PHI back to the customer directly under 45 CFR , there is an obligation to keep clear records when that occurs. Normal Set Up Wellness Enterprise HR Function Medical Benefit Participants OMADA PHI Participant Data ENTERPRISE PHI Eligible Files via BAA Omada Covered Entity Personal Health Information BA of the Enterprise Medical Benefit 3

4 Security of Data Trust and transparency are cornerstones of the Omada program. Omada Health has been independently audited and obtained both HITRUST and SOC 2 Type 1 certifications. The company applies rigorous security controls and processes to all data in its custody, both what it collects as a covered entity and that which customers disclose as a business associate. Omada Health, since its founding, has embraced its role as a HIPAA covered entity and the serious legal responsibilities to safeguard and appropriately use individuals health information that comes with that status. As a covered entity, Omada Health is required to maintain and safeguard the PHI it collects from individuals consistent with the HIPAA Security Rule. For more detail, see Omada Health s Approach to Security whitepaper. Data Science In fact, it is Omada Health s role as a HIPAA covered entity that powers its unique data science program. Omada Health is able, as a covered entity, to use all the data it collects from individuals to continuously assess, refine and strengthen its program. For example, data from scales and messaging can be processed and analyzed in real time, enabling the disruption of unfavorable behavioral patterns or the exploitation of favorable ones in real time on behalf of all of Omada Health s participants. In contrast, were Omada Health a business associate only of each customer (as some wellness programs are) Omada Health in the normal course would have to analyze the data separately for each customer. The totality of participants could not benefit from collective analysis of the data. As of summer 2017, Omada Health s data science program currently benefits from data on 335 million participant interactions with the Omada program, app, and scale. Summary 1 Omada Health provides health care as defined in 45 CFR The Secretary created a broad, catch-all definition for health care provider to account for, and ensure protection of, the health information about individuals that would be generated and used by the health care system in an age of digital health information (see above). 3 Omada Health is a health care provider under this broad regulatory definition, even if it is not among the entities listed in the Social Security Act. 4 As a health care provider who is billing electronically for its services, Omada Health operates as a covered entity. 1 Omada is certified by HITRUST to meet their CSF v8 criteria. More information can be found on the HITRUST website. 4

5 Appendix: Chronology This definition was first articulated in the Notice of Proposed Rule Making (NPRM) where the Secretary proposed how to define those health care providers eligible to receive a National Patient Identifier so that they could bill electronically. 63 FR 25320, (May 7, 1998). (Omada Health is eligible for and has received an organization NPI.) In fact, in that same preamble, the Secretary rejected calls to limit health care providers to licensed physicians, hospitals or health plans, stating: We believe that an individual or organization that bills and is paid for health care services is also a provider for purposes of the [HIPAA] statute. 63 FR The Secretary elaborated on this same concept in the 1999 NPRM on the Administrative Simplification (Privacy) Rule, referring to on-line health care providers. 64 FR 59927, (November 3, 1999) The Secretary developed this category, which is a broad catch-all, two decades ago to capture the many different people, organizations, entities and groups that would be providing health care and taking advantage of the developing electronic technology to bill for that care electronically, i.e., including on-line providers. In fact, in the Final Rule on the NPI, the Secretary rejected commentators calls for a narrow definition of health care provider, and wrote: Commenters who favored a broad definition of health care provider recognized the many business functions and uses in health care transactions fulfilled by health care provider numbers today....our general rule is that all health care providers, as we define that term in the regulations, will be eligible to receive NPIs. We discuss this in detail later in this section. 69 FR 3434, 3437 (January 23, 2004) After 1998, and before finalizing the NPI rule in 2004, the Secretary had several opportunities to revise and narrow this definition but did not. As cited above, the concept was not narrowed in the NPRM for the Administrative Simplification (aka Privacy) Rule in 1999 (see above). And, when finalizing that Rule in December 2000, the Secretary only removed redundant words from the earlier definition of health care provider, stating: Health Care Provider: We proposed to define health care provider to mean a provider of services as defined in section 1861(u) of the Act, a provider of medical or health services as defined in section 1861(s) of the Act, and any other person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business. In the final rule, we delete the term services and supplies, to eliminate redundancy within the definition. The definition also reflects the addition of the applicable U.S.C. citations (42 U.S.C. 1395x(u) and 42 U.S.C. 1395x(s), respectively) for the referenced provisions of the Act that were promulgated in the Transactions Rule. 65 FR 83456, , December 28, In the August 2002 revisions to the Privacy Rule, this definition remained unchanged. The rationale for this broad definition can be found in the lengthy discussion of emerging electronic health care technology, of which Omada Health s platform is just the latest manifestation. There are two long discussions from the Secretary. The first is in the 1999 NPRM for the Administrative Simplification (Privacy) rule, beginning at 64 FR (November 3, 1999) and following. The second is in the preamble to the December 2000 Final Rule, 65 FR , see e.g (December 28, 2000), although the latter contains a lengthy discussion of consent, which is not relevant for our present discussion. 5