The last two years have brought with them radical changes to the way we think about the delivery of health care services. The Affordable Care Act was a catalyst to the development of the accountable care organization (ACO). While the Affordable Care Act did not create the concept of an ACO, it did provide substantial incentives for providers to create ACO-like organizations.

Much of the discussion today has focused on how to go about creating ACOs and the various legal risks inherent in such creation. Not much has been written about the potential risks that are inherent in operating an ACO. According to the latest count by the Centers for Medicare and Medicaid Services (CMS), 142 organizations have been approved to operate as Medicare-certified ACOs. Thus, the era of ACO operation is already here. While there are considerable legal issues to be considered in forming ACOs, health care counsel must also be cognizant of the potential risks.

These risks include medical malpractice, antitrust, credentialing and HIPAA.

Increased Risk of Corporate Negligence

The central premise of an ACO is, as the name suggests, the accountability of each provider in the ACO for the overall care provided to the patient. This accountability could give rise to liability of ACO participants for the care provided by other ACO participants. These potential theories of liability can be brought under agency principles as well as corporate negligence principles.

The doctrine of corporate negligence is well established in Pennsylvania under Thompson v. Nason Hospital, 527 Pa. 330, 591 A.2d 703, 707 (Pa. 1991). This established that a hospital’s duties include ensuring the patient’s safety and well-being while at the hospital; overseeing all people who practice medicine within its walls; and formulating, adopting and enforcing adequate rules and policies to ensure quality care for its patients. A hospital may be liable if it breaches any of these duties. While the corporate negligence doctrine has not yet been extended to ACOs, it would not be much of a stretch for it to apply. (See Fox v. Horn, 2000 U.S. Dist. LEXIS 432, (correction physician); Oven v. Pascucci, 46 Pa.D.&C.4th 506 (2000) (physician owned and operated optometry facility); Shannon v. McNulty, 718 A.2d 828 (Pa. Super. Ct. 1998) (HMOs); compare Drumm v. Schell, 2008 U.S. Dist. LEXIS 45755 (refusing to apply corporate negligence doctrine to management company).)

Furthermore, to the extent that hospital systems are often the catalysts of ACO formation, it is easy to conceive of situations where a hospital will be brought into a medical-negligence case where it is alleged that the hospital failed to properly supervise members of the ACO. This would be especially true if a hospital were involved in credentialing the ACO participants.

Finally, under an agency theory, as each participant in the ACO is deemed to be "accountable" for the care provided to patients, additional theories of agency liability are sure to arise. These theories could be based on a contention that referrals within the ACO system because of ACO requirements create such liability.

While insurers are just beginning to struggle with the issue of ACO risk and are beginning to develop policies to cover ACOs, participants should ensure that the ACO has sufficient liability coverage to prevent the participants from being brought in under alternative theories for the care provided by another ACO participant.

Antitrust and the Dangers of Spillover Collusion

To date, all of the discussion regarding antitrust risks with regard to ACOs has centered on the formation of the ACO and what must be done to integrate the ACO such that it does not run afoul of price-fixing laws. The function of an ACO within the parameters of the antitrust laws is the same as the function of any integrated joint venture. Under Section 1 of the Sherman Antitrust Act, price fixing is deemed a per se violation of the antitrust laws. Exception, however, is made when dealing with an integrated joint venture. Here, the joint setting of prices on behalf of the venture is allowed if the setting of such prices is deemed ancillary to the joint venture. In other words, if joint pricing is necessary to obtain the goals of the venture but is not the primary reason for the venture’s existence, the joint pricing is typically permitted.

An ACO is in essence a form of a clinically integrated organization. Under the joint Federal Trade Commission and Department of Justice guidance, an ACO that is approved under the Medicare program is deemed to be clinically integrated for purposes of antitrust analysis and thereby permitted to jointly price. This joint pricing applies both to government payers as well as commercial insurers. Therefore, entities meeting CMS requirements should not face allegations of price fixing as a result of the formation of the ACO.

Liability for antitrust violations, however, does not cease to exist once the ACO is formed. To the contrary, given the substantial nature of interaction among ACO participants, there is a potential for spillover collusion. Indeed, the federal agencies are keenly aware of this possibility, and in the enforcement statements regarding ACOs note that certain types of practices would be problematic under the antitrust laws.

• Preventing or discouraging commercial payers from steering patients to certain providers through anti-steering and most-favored-nation provisions.

• Tying sales of the ACO services to a commercial payer’s purchase of other services.

• Contracting on an exclusive basis with participants.

• Restricting a commercial payer’s ability to share costs and other information with enrollees.

Furthermore, as an ACO must be selective in the providers allowed into the program, there are potential concerns if a provider who has been excluded from the ACO contends that participation in the ACO is necessary to compete in the market. While these types of antitrust lawsuits were commonplace, additional development and operation of ACOs may foreshadow an increase in these types of lawsuits.

Privacy Issues

Finally, a robust electronic health record is the backbone of a well-functioning ACO. In this respect, as all providers conceivably have access to the care provided to a beneficiary with other providers, this opens up the potential for a compromise of the data. This information will flow both horizontally among the providers in the network and vertically between the ACO and various payers. In addition, in order to track appropriately the efficiency of the ACO, the CMS will provide additional data to the ACO to assist in analyzing performance. As a result, the CMS requires that any provider receiving data from it agree to comply in all respects with HIPAA.

The increased access to information creates the potential for liability because of a data breach inasmuch as the amount of information now being stored is vastly increased and includes patient information for not only the provider, but for all patients within the ACO system. Because an ACO under the shared savings program must have a minimum of at least 5,000 beneficiaries, the potential for fines because of a data breach is multiplied significantly. Additionally, most security and privacy policies are designed for individual and/or single-institution providers, and such policies may not anticipate the additional risks created by massive information-sharing required for the functioning of an ACO.


ACOs have the potential to increase quality and reduce costs. As these entities become operational, however, a new set of risks may arise. Inasmuch as insurers are only now beginning to write policies to cover these potential risks, ACOs and their counsel must be cognizant of the increased risks that ACO participants will face. In other words, beware of the unintended risk consequences of ACOs. •

Mark L. Mattioli is the chair of the health law practice group at Marshall Dennehey Warner Coleman & Goggin. He can be reached at

Stephanie M. Barr
is an associate in the health care department at the firm. She can be reached at