[Federal Register Volume 63, Number 155 (Wednesday, August 12, 1998)]
[Notices]
[Pages 43187-43190]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-21502]



[[Page 43187]]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Care Financing Administration


Privacy Act of 1974; System of Records

AGENCY: Department of Health and Human Services (HHS), Health Care 
Financing Administration (HCFA).

ACTION: Notice of New System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, we are proposing to establish a new system of records, called 
``Health Plan Management System (HPMS),'' HHS/HCFA/CHPP, No. 09-70-
4004. We have provided background information about the proposed new 
system in the Supplementary Information section below. Although the 
Privacy Act requires only that the ``routine uses'' portion of the 
system be published for comment, HCFA invites comments on all portions 
of this notice.

DATES: HCFA filed a new system report with the Chairman of the 
Committee on Government Reform and Oversight of the House of 
Representatives, the Chairman of the Committee on Governmental Affairs 
of the Senate, and the Administrator, Office of Information and 
Regulatory Affairs, Office of Management and Budget (OMB), on July 
31,1998.
    To ensure that all parties have adequate time in which to comment, 
the new system of records, including routine uses, will become 
effective 40 days from the publication of this notice or from the date 
it was submitted to OMB and the Congress, whichever is later, unless 
HCFA receives comments which require alteration to this notice.

ADDRESSES: The public should address comments to Director, Division of 
Freedom of Information & Privacy, Health Care Financing Administration, 
7500 Security Boulevard, C2-01-11, Baltimore, Maryland 21244-1850. 
Comments received will be available for review at this location, by 
appointment, Monday through Friday 9 a.m.-3 p.m., eastern time zone.

FOR FURTHER INFORMATION CONTACT: Ms. Lori Robinson, Health Care 
Financing Administration, Center for Health Plans and Providers, 7500 
Security Boulevard, N3-09-16, Baltimore, Maryland 21244-1850. Her 
telephone number is (410) 786-1826.

SUPPLEMENTARY INFORMATION: The Health Plan Management System is a data 
file containing rates for selected performance measures for each 
Medicare health plan. The data are compiled by HIC number, member month 
contribution, and a flag to indicate if the member was counted in the 
rate's numerator. The system will collect rate information on 
categories such as the following:
     ``Use of Services'' measures such as the frequency of 
selected procedures (e.g., percutaneous transluminal coronary artery 
angioplasty, prostatectomy, coronary artery bypass with graft, 
hysterectomy, cholecystectomy, cardiac catheterization, reduction of 
fracture of the femur, total hip and knee replacement, partial excision 
of the large intestine, carotid endarterectomy); percentage of members 
receiving inpatient, day/night and ambulatory mental health and 
chemical dependency services; readmission for chemical dependency, and 
specified mental health disorders.
     ``Effectiveness of Care'' measures such as breast cancer 
screening, beta blocker treatment after a heart attack, eye exams for 
people with diabetes, and follow-up after hospitalization for mental 
illness.
     ``Member Satisfaction'' measures related to quality, 
access, and general satisfaction.
     ``Functional Status'' measures which are patient centered 
and track actual outcomes or results of care, addressing both physical 
and mental well-being over time.
    The information from HPMS will be augmented by being linked to 
other HCFA data and other administrative data to provide validation and 
greater analytic capacity. The HPMS will be used to:
     Develop and disseminate summary information required by 
the Balanced Budget Act of 1997 that will inform beneficiaries and the 
public of indicators of health plan performance to help beneficiaries 
choose among health plans. The information will include plan-to-plan 
comparisons of benefits and co-payments supplemented with consumer 
satisfaction information and plan performance data.
     Support quality improvement activities. Summary data will 
be useful for health plans' internal quality improvement, as well as to 
HCFA and Peer Review Organizations in monitoring and evaluating the 
care provided by health plans.
     Conduct research and demonstrations addressing managed 
care quality, access, and satisfaction issues.
     Provide guidance for program management and policy 
development.
    HPMS is derived from population-based tools such as Health Plan 
Employer Data and Information Set (HEDIS) and the Consumer Assessment 
of Health Plans Study (CAHPS). The system will contain information on 
recipients of Medicare Part A and Part B services who are enrolled in 
health plans. The total number of current enrollees is approximately 5 
million. We expect this number to grow over time as beneficiaries move 
from the original Medicare fee-for-service program.
    HEDIS reflects a joint effort of public and private purchasers, 
consumers, labor unions, health plans, and measurement experts to 
develop a comprehensive set of performance measures for Medicare, 
Medicaid, and commercial populations enrolled in managed care plans. 
HEDIS measures eight aspects of health care: effectiveness of care; 
access/availability of care, satisfaction with the experience of care, 
health plan stability, use of services, cost of care, informed health 
care choices, and health plan descriptive information. In 1997, HCFA is 
requiring reporting of a number of performance measures from HEDIS 
relevant to the Medicare managed care population. The HEDIS data is 
subject to audit, to ensure that plans submit accurate and complete 
data. Another aspect of the audit is to assess the reasonableness of 
the HEDIS measures. For example, if all or most health plans have 
problems with a particular measure, the problem could be with the 
measure, not the plans.
    Included in HEDIS is a functional status measure which tracks both 
physical health and mental health status over a 2-year period through a 
self-administered instrument in which the beneficiary indicates whether 
his/her health status has improved, stayed the same, or deteriorated. 
The measure is risk adjusted for co-morbid conditions, income, race, 
education, social support, age, and gender. It will be used to compare 
how well plans care for seniors. It reflects the belief that high 
quality health care can either improve or at least slow the rate of 
decline in senior members' ability to lead active and independent 
lives.
    In concert with the Agency for Health Care Policy and Research, 
HCFA sponsored the development of a Medicare specific version of the 
CAHPS consumer satisfaction survey. The survey will collect information 
about Medicare enrollees' satisfaction, access, and quality of care 
within managed care plans. Beginning in 1997, HCFA is requiring all 
Medicare contracting plans to participate in an independent third party 
administration of an annual member satisfaction survey.

[[Page 43188]]

    All performance measures are subject to modification as new 
performance measurement sets are developed with a stronger focus on 
outcomes and chronic disease issues, including patient satisfaction and 
quality of life measures relevant to specific diseases.
    The Privacy Act permits us to disclose information without the 
consent of individuals for ``routine uses''--that is, disclosures that 
are compatible with the purpose for which we collected the information. 
The proposed routine uses in the new system meet the compatibility 
criteria since the information is collected to produce estimates of 
health care use and quality, and determinants thereof, by the aged and 
disabled enrolled in group health plans. We anticipate the disclosures 
under the routine uses will not result in any unwarranted adverse 
effects on personal privacy.

    Dated: July 31, 1998.
Nancy-Ann Min DeParle,
Administrator, Health Care Financing Administration.
    09-70-4004

SYSTEM NAME:
    Health Plan Management System (HPMS), HHS/HCFA/CHPP.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    HCFA Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Recipients of Medicare Part A (Hospital Insurance) and Part B 
(supplementary medical insurance) services who are enrolled in Medicare 
health plans.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for maintenance of the system is given under section 1875 
of the Social Security Act (42 U.S.C. 1395ll), entitled Studies and 
Recommendations; section 1121 of the Social Security Act (42 U.S.C. 
1121), entitled Uniform Reporting System for Health Services Facilities 
and Organizations; and section 1876 of the Social Security Act (42 
U.S.C. 1395mm), entitled Payments to Health Maintenance Organizations 
and Competitive Medical Plans.

PURPOSES:
    To collect and maintain information on Medicare beneficiaries 
enrolled in Medicare Health Plans in order to develop and disseminate 
information required by the Balanced Budget Act of 1997 that will 
inform beneficiaries and the public of indicators of health plan 
performance to help beneficiaries choose among health plans, support 
quality improvement activities within the plans, monitor and evaluate 
care provided by health plans; provide guidance to program management 
and policies, and provide a research data base for HCFA and other 
researchers.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    These routine uses specify additional circumstances under which 
HCFA may release information from the Health Plan Management System 
without the consent of the individual to whom such information 
pertains. Each proposed disclosure of information under these routine 
uses will be evaluated to ensure that the disclosure is legally 
permissible, including but not limited to ensuring that the purpose of 
the disclosure is compatible with the purpose for which the information 
was collected. Also, HCFA will require each prospective recipient of 
such information to agree in writing to certain conditions to ensure 
the continuing confidentiality and security, including physical 
safeguards of the information. More specifically, as a condition of 
each disclosure under these routine uses, HCFA will, as necessary and 
appropriate:
    (a) Determine that no other Federal statute specifically prohibits 
disclosure of the information;
    (b) Determine that the use or disclosure does not violate legal 
limitations under which the information was provided, collected, or 
obtained;
    (c) Determine that the purpose for which the disclosure is to be 
made;
    (1) Cannot reasonably be accomplished unless the information is 
provided in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect on or the 
risk to the privacy of the individual(s) that additional exposure of 
the record(s) might bring; and
    (3) There is a reasonable probability that the purpose of the 
disclosure will be accomplished;
    (d) Require the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized access, use or disclosure of the 
record or any part thereof. The physical safeguards shall provide a 
level of security that is at least the equivalent of the level of 
security contemplated in OMB Circular No. A-130 (revised), Appendix 
III, Security of Federal Automated Information Systems which sets forth 
guidelines for security plans for automated information systems in 
Federal agencies;
    (2) Remove or destroy the information that allows the subject 
individual(s) to be identified at the earliest time at which removal or 
destruction can be accomplished consistent with the purpose of the 
request;
    (3) Refrain from using or disclosing the information for any 
purpose other than the stated purpose under which the information was 
disclosed, and
    (4) Make no further uses or disclosure of the information except:
    (i) To prevent or address an emergency directly affecting the 
health or safety of an individual;
    (ii) For use on another project under the same conditions, provided 
HCFA has authorized the additional use(s) in writing; or
    (iii) When required by law;
    (e) Secure a written statement or agreement from the prospective 
recipient of the information whereby the prospective recipient attests 
to an understanding of and willingness to abide by the foregoing 
provisions and any additional provisions that HCFA deems appropriate in 
the particular circumstances; and
    (f) Determine whether the disclosure constitutes a computer 
``matching program'' as defined in 5 U.S.C. 552a(a)(8). If the 
disclosure is determined to be a computer ``matching program,'' the 
procedures for matching agreements as contained in 5 U.S.C. 552a(o) 
must be followed.
    Disclosure may be made:
    1. To a congressional office from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of that individual.
    2. To the Bureau of Census for use in processing research and 
statistical data directly related to the administration of programs 
under the Social Security Act.
    3. To the Department of Justice, to a court or other tribunal, or 
to another party before such tribunal, when
    (a) HHS, or any component thereof; or
    (b) Any HHS employee in his or her official capacity; or
    (c) Any HHS employee in his or her individual capacity where the 
Department of Justice (or HHS where it is authorized to do so) has 
agreed to represent the employee; or
    (d) The United States or any agency thereof where HHS determines 
that the litigation is likely to affect HHS or any of its components,

is a party to litigation or has an interest in such litigation, and HHS 
determines

[[Page 43189]]

that the use of such records by the Department of Justice, the 
tribunal, or the other party is relevant and necessary to the 
litigation and would help in the effective representation of the 
governmental party or interest provided, however, that in each case HHS 
determines that such disclosure is compatible with the purpose for 
which the records were collected.
    4. To an individual or organization for a research, demonstration, 
evaluation, epidemiological or health care quality improvement project 
related to the prevention of disease or disability, or the restoration 
or maintenance of health.
    5. To a contractor for the purpose of collating, analyzing, 
aggregating or otherwise refining or processing records in this system 
or for developing, modifying and/or manipulating automated information 
systems (AIS) software. Data would also be disclosed to contractors 
incidental to consultation, programming, operation, user assistance, or 
maintenance for AIS or telecommunications systems containing or 
supporting records in the system.
    6. To a Peer Review Organization for health care quality 
improvement projects conducted in accordance with its contract with 
HCFA.
    7. To state Medicaid agencies pursuant to agreements with the 
Department of Health and Human Services for determining Medicaid and 
Medicare eligibility of recipients of assistance under titles IV, 
XVIII, and XIX of the Social Security Act, and for the complete 
administration of the Medicaid program.
    8. To an agency of a state Government, or established by state law, 
for purposes of determining, evaluating and/or assessing cost, 
effectiveness, and/or the quality of health care services provided in 
the state.
    9. To another Federal or state (1) To contribute to the accuracy of 
HCFA's proper payment of Medicare health benefits, or (2) as necessary 
to enable such agency to fulfill a requirement of a Federal statute or 
regulation, or a state statute or regulation that implements a health 
benefits program funded in whole or in part with Federal funds.
    10. To other Federal agencies or states to support the 
administration of other Federal or state health care programs, if 
funded in whole or in part by Federal funds.
    11. To the Social Security Administration for its assistance in the 
implementation of HCFA's Medicare and Medicaid programs.
    12. To a HCFA Contractor, including but not limited to fiscal 
intermediaries and carriers under title XVIII of the Social Security 
Act, to administer some aspect of a HCFA-administered health benefits 
program, or to a grantee of a HCFA-administered grant program, which 
program is or could be affected by fraud or abuse, for the purpose of 
preventing, deterring, discovering, detecting, investigating, 
examining, prosecuting, suing with respect to, defending against, 
correcting, remedying, or otherwise combating such fraud or abuse in 
such programs.
    13. To another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States, including any state or local government agency, for the purpose 
of preventing, deterring, discovering, detecting, investigating, 
examining, prosecuting, suing with respect to, defending against, 
correcting, remedying, or otherwise combating such fraud or abuse in 
such health benefits programs funded in whole or in part by Federal 
funds.
    14. To any entity that makes payment for or oversees administration 
of health care services, for the purpose of preventing, deterring, 
discovering, detecting, investigating, examining, prosecuting, suing 
with respect to, defending against, correcting, remedying, or otherwise 
combating fraud or abuse against such entity or the program or services 
administered by such entity, provided:
    (i) Such entity enters into an agreement with HCFA to share 
knowledge and information regarding actual or potential fraudulent or 
abusive practices or activities regarding the delivery or receipt of 
health care services, or regarding securing payment or reimbursement 
for health care services, or any practice or activity that, if directed 
toward a HCFA-administered program, might reasonably be construed as 
actually or potentially fraudulent or abusive;
    (ii) Such entity does, on a regular basis, or at such times as HCFA 
may request, fully and freely share such knowledge and information with 
HCFA, or as directed by HCFA, with HCFA's contractors; and
    (iii) HCFA determines that it may reasonably conclude that the 
knowledge or information it has received or is likely to receive from 
such entity could lead to preventing, deterring, discovering, 
detecting, investigating, examining, prosecuting, suing with respect 
to, defending against, correcting, remedying, or otherwise combating 
fraud or abuse in the Medicare, Medicaid or other health benefits 
program administered by HCFA or funded in whole or in part by Federal 
funds.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    All records are stored in file folders, magnetic tapes, or computer 
disks.

RETRIEVABILITY:
    The records are retrieved by health insurance claim number.

SAFEGUARDS:
    For computerized records, safeguards established in accordance with 
Department standards and National Institute of Standards and Technology 
guidelines (e.g., security codes) will be used, limiting access to 
authorized personnel. System securities are established in accordance 
with HHS, Information Resource Management (IRM) Circular 10, 
Automated Information Systems Security Program; and HCFA Automated 
Information Systems (AIS) Guide, Systems Securities Policies, and OMB 
Circular No. A-130 (revised), Appendix III.

RETENTION AND DISPOSAL:
    The records are maintained with identifiers as long as needed for 
program research.

SYSTEM MANAGER(S) AND ADDRESS:
    Director, Center for Health Plans and Providers, Health Care 
Financing Administration, 7500 Security Boulevard, Baltimore, Maryland 
21244-1850.

NOTIFICATION PROCEDURE:
    For purpose of access, the subject individual should write the 
system manager, who will require the system name, health insurance 
claim number, and, for verification purposes, name, address, date of 
birth, and sex to ascertain whether or not the individual's record is 
in the system.

RECORD ACCESS PROCEDURE:
    Same as notification procedures. Requestors should also reasonably 
specify the record contents being sought. (These access procedures are 
in accordance with the Department regulations 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    Contact the system manager named above, and reasonably identify the 
record and specify the information to be contested. State the 
corrective action sought and the reasons for the correction with 
supporting justification. (These procedures are in accordance with 
Department regulation 45 CFR 5b.7.)

[[Page 43190]]

RECORD SOURCE CATEGORIES:
    The identifying information contained in these records is obtained 
from the health plans (which obtained the data from the individual 
concerned) or the individuals themselves. Also, these data will be 
linked with HCFA administrative data, such as claims and enrollment 
data.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. 98-21502 Filed 8-11-98; 8:45 am]
BILLING CODE 4120-03-P