[Federal Register Volume 72, Number 176 (Wednesday, September 12, 2007)]
[Notices]
[Pages 52133-52140]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-17907]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of New System of Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice of a New System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, CMS is proposing to establish a new system of records (SOR) 
titled, ``Performance Measurement and Reporting System (PMRS),'' System 
No. 09-70-0584. PMRS will serve as a master system of records to assist 
in projects that provide transparency in health care on a broad-scale 
enabling consumers to compare the quality and price of health care 
services so that they can make informed choices among individual 
physicians, practitioners and providers of services. In cooperation 
with local or regional public-private collaborative stakeholders; 
individuals assigned to provider groups; insurance and provider 
associations; government agencies; employers; accrediting and quality 
organizations; Chartered Value Exchanges (CVE), data aggregators, and 
other community leaders who are committed to improving the quality of 
services, CMS is laying the foundation for pooling and analyzing 
information about the quality of medical services and performance 
provided by physicians and health care providers. PMRS will further 
assist in developing existing strategies to improve health care quality 
including transparency of cost and/or price information, quality and 
utilization information; and patient safety for Medicare beneficiaries 
by collecting and aggregating data, by measuring performance at the 
individual physician level, and by reporting meaningful information to 
Medicare beneficiaries in order to make informed choices and improve 
outcomes.
    Pursuant to the ``routine use'' promulgated under this system of 
records notice, CMS or a non-Quality Improvement Organization (non-QIO)

[[Page 52134]]

contractor would make the individual physician-level performance 
measurement results available to Medicare beneficiaries by posting it 
on a public Web site and by various other methods of data 
dissemination. If local Web sites are used by a local or regional 
collaborative, CMS would have links to these Web sites on its main Web 
site. This information would be made available for the purpose of, and 
in a manner that would promote more informed choices by Medicare 
beneficiaries among their Medicare coverage options (i.e., the Medicare 
Advantage, local or regional plans offered in their area, and original 
fee-for-service Medicare). The routine uses established with this 
system contain a proper explanation as to the need for the disclosure 
provisions and provide clarity to CMS's intention to disclose 
individual-specific information contained in this system.
    The primary purpose of this system is to support the collection, 
maintenance, and processing of information promoting the effective, 
efficient, and economical delivery of health care services, and 
promoting the quality of services of the type for which payment may be 
made under title XVIII by allowing for the establishment and 
implementation of performance measures, and the provision of feedback 
to physicians. Information in this system will also be disclosed to: 
(1) Support regulatory, reimbursement, and policy functions performed 
for the Agency or by a contractor, consultant, or a CMS grantee; (2) 
assist another Federal and/or state agency, agency of a state 
government, or an agency established by state law; (3) promote more 
informed choices by Medicare beneficiaries among their Medicare group 
options by making physician performance measurement information 
available to Medicare beneficiaries through a Web site and other forms 
of data dissemination; (4) provide CVEs and data aggregators with 
information that will assist in generating single or multi-payer 
performance measurement results to promote transparency in health care 
to members of their community; (5) assist individual physicians, 
practitioners, providers of services, suppliers, laboratories, and 
others health care professionals who are participating in health care 
transparency projects; (6) assist individuals or organizations with 
projects that provide transparency in health care on a broad-scale 
enabling consumers to compare the quality and price of health care 
services; or for research, evaluation, and epidemiological projects 
related to the prevention of disease or disability; restoration or 
maintenance of health or for payment purposes; (7) assist Quality 
Improvement Organizations; (8) support litigation involving the agency; 
and (9) combat fraud, waste, and abuse in certain health benefits 
programs. We have provided background information about this new system 
in the ``Supplementary Information'' section below. Although the 
Privacy Act requires only that CMS provide an opportunity for 
interested persons to comment on the proposed routine uses, CMS invites 
comments on all portions of this notice. See ``Effective Dates'' 
section for comment period.

EFFECTIVE DATES: CMS filed a new system report with the Chair of the 
House Committee on Government Reform and Oversight, the Chair of the 
Senate Committee on Homeland Security & Governmental Affairs, and the 
Administrator, Office of Information and Regulatory Affairs, Office of 
Management and Budget (OMB) on 9/05/2007. To ensure that all parties 
have adequate time in which to comment, the new system, including 
routine uses, will become effective 30 days from the publication of the 
notice, or 40 days from the date it was submitted to OMB and Congress, 
whichever is later, unless CMS receives comments that require 
alterations to this notice.

ADDRESSES: The public should address comments to: CMS Privacy Officer, 
Division of Privacy Compliance, Enterprise Architecture and Strategy 
Group, Office of Information Services, CMS, Room N2-04-27, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850. Comments received 
will be available for review at this location, by appointment, during 
regular business hours, Monday through Friday from 9 a.m. to 3 p.m., 
eastern time zone.

FOR FURTHER INFORMATION CONTACT: Aucha Prachanronarong, Health 
Insurance Specialist, Division of Ambulatory Care and Measure 
Management, Quality Measurement and Health Assessment Group, Office of 
Clinical Standards and Quality, CMS, Room C1-23-14, 7500 Security 
Boulevard, Baltimore, Maryland 21244-1850. The telephone number is 
(410) 786-1879 or contact [email protected].

SUPPLEMENTARY INFORMATION: The Value-driven Health Care Initiative is 
designed to achieve four cornerstones: Interoperable health information 
technology (HIT); transparency of price information; transparency of 
quality information; and the use of incentives to promote high-quality 
and cost-efficient health care. Regional/local public-private 
collaboration is essential to the success of this Initiative. As such, 
the Initiative is encouraging the growth of regional public-private 
collaboratives that will be chartered by the Agency for Health Research 
and Quality (AHRQ) to support and achieve the four cornerstones. Only 
mature, sustainable, multi-stakeholder entities that are committed to 
achieving the four cornerstones, including publicly reporting 
physician-level and other provider performance measurement information 
and facilitating the use of this information to improve the quality and 
efficiency of health care delivery, will become Chartered Value 
Exchanges (CVE).
    Provided they meet certain criteria established by CMS and 
disclosure is consistent with the Privacy Act, the Health Insurance 
Portability and Accountability Act (HIPAA) Privacy Rule and other 
applicable laws, CMS will provide CVEs with patient de-identified 
Medicare-inclusive individual physician-level performance measurement 
results. CMS also may provide physician and patient identifiable 
protected health claims data information to data aggregators that are 
HIPAA business associates of CMS (including working with providers, 
payers, or other HIPAA covered entities) for purposes for generating 
these results. The patient de-identified results will be calculated 
using Medicare claims data based on consensus-based measures as 
determined by CMS, including but not limited to quality, efficiency and 
utilization metrics. Available results may include single payer (i.e., 
Medicare only and private payer only performance measurement results) 
and/or multi-payer (i.e., results generated from merging or aggregating 
Medicare results with other private payer results) patient de-
identified, individual physician-level performance measurement results. 
CMS also plans to make the patient de-identified and individual 
physician-level performance measurement results available to Medicare 
beneficiaries, and others that meet CMS requirements for disclosure.
    CMS also has implemented a pilot project known as, ``The Better 
Quality Information to Improve Care for Medicare Beneficiaries (BQI) 
Project'' to develop a model for data aggregation, quality measurement, 
and public reporting. Through the BQI project, each pilot 
collaborative, as a QIO subcontractor, is aggregating private claims 
data with Medicare claims data and, in some cases, Medicaid claims data 
to produce single payer and/or multi-payer, patient de-identified, 
individual physician-level performance

[[Page 52135]]

measurement results using quality measures that are approved by CMS. 
These performance measurement results will be made available to 
Medicare beneficiaries by CMS or a CMS contractor.
    In addition, as required by the Tax Relief and Health Care Act of 
2006, CMS is implementing a voluntary Physician Quality Reporting 
Initiative (PQRI). Under PQRI, eligible professionals who choose to 
participate and successfully report on a designated set of quality 
measures for services paid under the Medicare Physician Fee Schedule 
and provided to Medicare beneficiaries under the traditional fee-for-
service program, may earn a bonus payment subject to a cap. 
Participating eligible professionals whose Medicare patients in the 
traditional fee-for-service program fit the specifications of the PQRI 
quality measures will report the corresponding appropriate Common 
Procedural Terminology (CPT) Category II codes or G-codes on their 
claims. In the future, CMS may publicly release the performance 
information that is reported by physicians pursuant to PQRI.

I. Description of the Proposed System of Records

A. Statutory and Regulatory Basis for System

    Authority for the collection, maintenance, and disclosures from 
this system is given under provisions of Sec. Sec.  1152, 1153(c), 
1153(e), 1154, 1160, 1851(d) and 1862(g) of the Social Security Act; 
Sec.  101 of the Tax Relief and Health Care Act of 2006; and Sec. Sec.  
901, 912, and 914 of the Public Health Service Act.

B. Collection and Maintenance of Data in the System

    The system contains single and multi-payer, patient de-identified, 
individual physician-level performance measurement results as well as, 
patient identifiable clinical and claims information provided by 
individual physicians, practitioners and providers of services, 
individuals assigned to provider groups, insurance and provider 
associations, government agencies, accrediting and quality 
organizations, and others who are committed to improving the quality of 
physician services. This system contains the patient's or beneficiary's 
name, sex, health insurance claim number (HIC), Social Security Number 
(SSN), address, date of birth, medical record number(s), prior stay 
information, provider name and address, physician's name, and/or 
identification number, date of admission or discharge, other health 
insurance, diagnosis, surgical procedures, and a statement of services 
rendered for related charges and other data needed to substantiate 
claims. The system contains provider characteristics, prescriber 
identification number(s), assigned provider number(s) (facility, 
referring/servicing physician), and national drug code information, 
total charges, and Medicare payment amounts.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

    A. The Privacy Act permits us to disclose information without an 
individual's consent/authorization if the information is to be used for 
a purpose that is compatible with the purpose(s) for which the 
information was collected. Any such disclosure of data is known as a 
``routine use.'' The government will only release PMRS information that 
can be associated with an individual as provided for under ``Section 
III. Proposed Routine Use Disclosures of Data in the System.'' Both 
identifiable and non-identifiable data may be disclosed under a routine 
use.
    We will only disclose the minimum individually identifiable data 
necessary to achieve the purpose of PMRS. CMS has the following 
policies and procedures concerning disclosures of information that will 
be maintained in the system. In general, disclosure of information from 
the system will be approved only for the minimum information necessary 
to accomplish the purpose of the disclosure and only after CMS:
    1. Determines that the use or disclosure is consistent with the 
reason that the data is being collected, e.g., to collect, maintain, 
and process information promoting the effective, efficient, and 
economical delivery of health care services, and promoting the quality 
of services of the type for which payment may be made under title 
XVIII;
    2. Determines that:
    a. The purpose for which the disclosure is to be made can only be 
accomplished if the record is provided in individually identifiable 
form;
    b. The purpose for which the disclosure is to be made is of 
sufficient importance to warrant the effect and/or risk on the privacy 
of the individual that additional exposure of the record might bring; 
and
    c. There is a reasonable probability that the proposed use of the 
data would in fact accomplish the stated purpose(s) of the disclosure.
    3. Requires the information recipient to:
    a. Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use of disclosure of the record(s);
    b. Remove or destroy the information that allows the individual to 
be identified at the earliest time; and
    c. Generally agree to not use or disclose the information for any 
purpose other than the stated purpose under which the information was 
disclosed.
    4. Determines that the data are valid and reliable.

III. Proposed Routine Use Disclosures of Data in the System

A. Entities Who May Receive Disclosures Under Routine Use

    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
release information from the PMRS without the consent/authorization of 
the individual to whom such information pertains. Each proposed 
disclosure of information under these routine uses will be evaluated to 
ensure that the disclosure is legally permissible, including but not 
limited to ensuring that the purpose of the disclosure is compatible 
with the purpose for which the information was collected. We propose to 
establish the following routine use disclosures of information 
maintained in the system:
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this SOR and who need to have 
access to the records in order to assist CMS.
    We contemplate disclosing information under this routine use only 
in situations in which CMS may enter into a contractual or similar 
agreement with a third party to assist in accomplishing a CMS function 
relating to purposes for this SOR.
    CMS occasionally contracts out certain of its functions when doing 
so would contribute to effective and efficient operations. CMS must be 
able to give a contractor, consultant, or CMS grantee whatever 
information is necessary for the contractor or consultant to fulfill 
its duties. In these situations, safeguards are provided in the 
contract/similar agreement prohibiting the contractor, consultant, or 
grantee from using or disclosing the information for any purpose other 
than that described in the contract/similar agreement and requires the 
contractor, consultant, or grantee to return or destroy all information 
at the completion of the contract.
    2. Pursuant to agreements with CMS to assist another Federal or 
state agency,

[[Page 52136]]

agency of a state government, or an agency established by state law to:
    a. Contribute to projects that provide transparency in health care 
on a broad-scale enabling consumers to compare the quality and price of 
health care services,
    b. Contribute to the accuracy of CMS's proper payment of Medicare 
benefits,
    c. Enable such agency to administer a Federal health benefits 
program, or as necessary to enable such agency to fulfill a requirement 
of a Federal statute or regulation that implements a health benefits 
program funded in whole or in part with Federal funds, and/or
    d. Assist Federal/state Medicaid programs which may require PMRS 
information for purposes related to this system.
    Other Federal or state agencies in their administration of a 
Federal health program may require PMRS information in order to support 
evaluations and monitoring of Medicare claims information of 
beneficiaries, including proper reimbursement for services provided.
    3. To assist in making the individual physician-level performance 
measurement results available to Medicare beneficiaries, through a Web 
site and other forms of data dissemination, in order to promote more 
informed choices by Medicare beneficiaries among their Medicare 
coverage options.
    This information would be made available to Medicare beneficiaries 
for the purpose of, and in a manner that would promote more informed 
choices by Medicare beneficiaries among their Medicare coverage options 
(i.e., the Medicare Advantage local or Regional plans offered in their 
area, and original fee-for-service Medicare).
    4. To provide Chartered Value Exchanges (CVE) and data aggregators 
with information that will assist in generating single or multi-payer 
performance measurement results that will assist beneficiaries in 
making informed choices among individual physicians, practitioners and 
providers of services; enable consumers to compare the quality and 
price of health care services; and assist in providing transparency in 
health care at the local level if CMS:
    a. Determines that the use or disclosure does not violate legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determines that the purpose for which the disclosure is to be 
made:
    (1) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individual that additional exposure of the record 
might bring, and
    (2) There is reasonable probability that the objective for the use 
would be accomplished;
    c. Requires the recipient of the information to establish 
reasonable administrative, technical, and physical safeguards to 
prevent unauthorized use or disclosure of the record;
    d. Make no further use or disclosure of the record except:
    (1) For use in another project providing transparency in health 
care, under these same conditions, and with written authorization of 
CMS; and
    (2) When required by law.
    e. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by these 
provisions. CVEs and data aggregators should complete a Data Use 
Agreement (CMS Form 0235) in accordance with current CMS policies.
    The disclosure of PMRS information to CVEs or data aggregators will 
support the generation of single or multi-payer performance measurement 
results that will provide a more comprehensive view of physician 
performance for Medicare beneficiaries. Both identifiable physician 
level information and patient de-identified information may be made 
available to CVEs to enable them to provide transparency in health care 
on a local level. Identifiable physician and patient level information 
may be provided to data aggregators that are HIPAA business associates 
of CMS to conduct CMS' health care operations (including working with 
other providers, payers, or other HIPAA covered entities to generate 
single and multi-payer performance information).
    5. To assist individual physicians, practitioners, providers of 
services, suppliers, laboratories, and other health care professionals 
who are participating in health care transparency projects.
    PMRS data will be released to the individual physician only on 
those individuals who received services ordered or provided by the 
individual physician and shall be limited to claims and utilization 
data necessary to perform that specific project function whose 
information was provided for the PMRS project. Individual physicians, 
practitioners, providers of services, suppliers, laboratories, and 
other health care professionals require PMRS information for the 
purpose of direct feedback with respect to their individual patients on 
a non-aggregated basis.
    PMRS information is needed in order to support evaluations, 
establish the validity of evidence, or to verify the accuracy of 
information presented by the individual physician as it concerns the 
patient's entitlement to benefits and for services provided.
    6. To assist an individual or organization with projects that 
provide transparency in health care on a broad-scale enabling consumers 
to compare the quality and price of health care services; or for 
research, evaluation, and epidemiological projects related to the 
prevention of disease or disability; restoration or maintenance of 
health or for payment purposes if CMS:
    a. Determines that the use or disclosure does not violate legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form,
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individual that additional exposure of the record 
might bring, and
    (3) There is reasonable probability that the objective for the use 
would be accomplished;
    c. Requires the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record, and
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project, unless the 
recipient presents an adequate justification of a research or health 
nature for retaining such information, and
    (3) Make no further use or disclosure of the record except:
    (a) For disclosure to a properly identified person, for purposes of 
providing transparency in health care enabling consumers to compare the 
quality and price of health care services so that they can make 
informed choices among individual physicians, practitioners and 
providers of services;
    (b) In emergency circumstances affecting the health or safety of 
any individual;
    (c) For use in another research project, under these same 
conditions, and with written authorization of CMS;
    (d) For disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit; or

[[Page 52137]]

    (e) When required by law.
    d. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by these 
provisions. Researchers should complete a Data Use Agreement (CMS Form 
0235) in accordance with current CMS policies.
    PMRS data will provide data for projects that provide transparency 
in health care on a broad-scale enabling consumers to compare the 
quality and price of health care services; and research evaluation; and 
epidemiological projects with a broader, longitudinal, national 
perspective of the status of health care provided to Medicare 
beneficiaries. CMS anticipates that many researchers will have 
legitimate requests to use these data in projects that could ultimately 
improve the care provided to Medicare beneficiaries and the policy that 
governs the care.
    7. To support Quality Improvement Organizations (QIO) in connection 
with review of claims, or in connection with studies or other review 
activities conducted pursuant to Part B of Title XI of the Act and in 
performing affirmative outreach activities to individuals for the 
purpose of establishing and maintaining their entitlement to Medicare 
benefits or health insurance plans.
    QIOs will work to implement quality improvement programs, provide 
consultation to CMS, its contractors, and to state agencies. QIOs will 
assist the state agencies in related monitoring and enforcement 
efforts, assist CMS and intermediaries in program integrity assessment, 
and prepare summary information for release to CMS.
    8. To support the Department of Justice (DOJ), court, or 
adjudicatory body when:
    a. The Agency or any component thereof, or
    b. Any employee of the Agency in his or her official capacity, or
    c. Any employee of the Agency in his or her individual capacity 
where the DOJ has agreed to represent the employee, or
    d. The United States Government,
is a party to litigation or has an interest in such litigation, and by 
careful review, CMS determines that the records are both relevant and 
necessary to the litigation and that the use of such records by the 
DOJ, court or adjudicatory body is compatible with the purpose for 
which the agency collected the records.
    Whenever CMS is involved in litigation, or occasionally when 
another party is involved in litigation and CMS's policies or 
operations could be affected by the outcome of the litigation, CMS 
would be able to disclose information to the DOJ, court, or 
adjudicatory body involved.
    9. To assist a CMS contractor (including, but not limited to MACs, 
fiscal intermediaries and carriers) that assists in the administration 
of a CMS-administered health benefits program, or to a grantee of a 
CMS-administered grant program, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud, waste or abuse in such program.
    We contemplate disclosing information under this routine use only 
in situations in which CMS may enter into a contract or grant with a 
third party to assist in accomplishing CMS functions relating to the 
purpose of combating fraud, waste or abuse.
    CMS occasionally contracts out certain of its functions when doing 
so would contribute to effective and efficient operations. CMS must be 
able to give a contractor or grantee whatever information is necessary 
for the contractor or grantee to fulfill its duties. In these 
situations, safeguards are provided in the contract prohibiting the 
contractor or grantee from using or disclosing the information for any 
purpose other than that described in the contract and requiring the 
contractor or grantee to return or destroy all information.
    10. To assist another Federal agency or to an instrumentality of 
any governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers, or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs.
    Other agencies may require PMRS information for the purpose of 
combating fraud, waste or abuse in such Federally-funded programs.

B. Additional Circumstances Affecting Routine Use Disclosures

    To the extent this system contains Protected Health Information 
(PHI) as defined by HHS regulation ``Standards for Privacy of 
Individually Identifiable Health Information'' (45 CFR Parts 160 and 
164, Subparts A and E) 65 Fed. Reg. 82462 (12-28-00). Disclosures of 
such PHI that are otherwise authorized by these routine uses may only 
be made if, and as, permitted or required by the ``Standards for 
Privacy of Individually Identifiable Health Information.'' (See 45 CFR 
164-512 (a) (1)).

IV. Safeguards

    CMS has safeguards in place for authorized users and monitors such 
users to ensure against unauthorized use. Personnel having access to 
the system have been trained in the Privacy Act and information 
security requirements. Employees who maintain records in this system 
are instructed not to release data until the intended recipient agrees 
to implement appropriate management, operational and technical 
safeguards sufficient to protect the confidentiality, integrity and 
availability of the information and information systems and to prevent 
unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal, HHS, and CMS policies and standards as they 
relate to information security and data privacy. These laws and 
regulations include but are not limited to: the Privacy Act of 1974; 
the Federal Information Security Management Act of 2002; the Computer 
Fraud and Abuse Act of 1986; the Health Insurance Portability and 
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003, and the 
corresponding implementing regulations. OMB Circular A-130, Management 
of Federal Resources, Appendix III, Security of Federal Automated 
Information Resources also applies. Federal, HHS, and CMS policies and 
standards include but are not limited to: all pertinent National 
Institute of Standards and Technology publications; the HHS Information 
Systems Program Handbook and the CMS Information Security Handbook.

V. Effects of the New System on the Rights of Individuals

    CMS proposes to establish this system in accordance with the 
principles and requirements of the Privacy Act and will collect, use, 
and disseminate information only as prescribed therein. We will only 
disclose the minimum personal data necessary to achieve the purpose of 
PMRS.
    Disclosure of information from the system will be approved only to 
the extent necessary to accomplish the purpose of the disclosure. CMS 
has assigned a higher level of security clearance for the information 
maintained in this system in an effort to

[[Page 52138]]

provide added security and protection of data in this system.
    CMS will take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy or other personal or property rights. CMS will collect only 
that information necessary to perform the system's functions. In 
addition, CMS will make disclosure from the proposed system only with 
consent of the subject individual, or his/her legal representative, or 
in accordance with an applicable exception provision of the Privacy 
Act. CMS, therefore, does not anticipate an unfavorable effect on 
individual privacy as a result of the disclosure of information 
relating to individuals.

    Dated: September 4, 2007.
Charlene Frizzera,
Chief Operating Officer, Centers for Medicare & Medicaid Services.
SYSTEM No. 09-70-0584

SYSTEM NAME:
     ``Performance Measurement and Reporting System (PMRS),'' 
HHS/CMS/OCSQ

SECURITY CLASSIFICATION:
    Level Three Privacy Act Sensitive

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850 and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system contains single and multi-payer, patient de-identified, 
individual physician-level performance measurement results as well as, 
clinical and claims information provided by individual physicians, 
practitioners and providers of services, individuals assigned to 
provider groups, insurance and provider associations, government 
agencies, accrediting and quality organizations, and others who are 
committed to improving the quality of physician services.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system contains the patient's or beneficiary's name, sex, 
health insurance claim number (HIC), Social Security Number (SSN), 
address, date of birth, medical record number(s), prior stay 
information, provider name and address, physician's name, and/or 
identification number, date of admission or discharge, other health 
insurance, diagnosis, surgical procedures, and a statement of services 
rendered for related charges and other data needed to substantiate 
claims. The system contains provider characteristics, prescriber 
identification number(s), assigned provider number(s) (facility, 
referring/servicing physician), and national drug code information, 
total charges, and Medicare payment amounts.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for the collection, maintenance, and disclosures from 
this system is given under provisions of Sec. Sec.  1152, 1153 (c), 
1153(e), 1154, 1160, 1851 (d) and 1862 (g) of the Social Security Act; 
Sec.  101 of the Tax Relief and Health Care Act of 2006; and Sec. Sec.  
901, 912, and 914 of the Public Health Service Act.

PURPOSE (S) OF THE SYSTEM:
    The primary purpose of this system is to support the collection, 
maintenance, and processing of information promoting the effective, 
efficient, and economical delivery of health care services, and 
promoting the quality of services of the type for which payment may be 
made under title XVIII by allowing for the establishment and 
implementation of performance measures, and the provision of feedback 
to physicians. Information in this system will also be disclosed to: 
(1) Support regulatory, reimbursement, and policy functions performed 
for the Agency or by a contractor, consultant, or a CMS grantee; (2) 
assist another Federal and/or state agency, agency of a state 
government, or an agency established by state law; (3) promote more 
informed choices by Medicare beneficiaries among their Medicare group 
options by making physician performance measurement information 
available to Medicare beneficiaries through a Web site and other forms 
of data dissemination; (4) provide Charted Value Exchanges (CVE) and 
data aggregators with information that will assist in generating single 
or multi-payer performance measurement results to promote transparency 
in health care to members of their community; (5) assist individual 
physicians, practitioners, providers of services, suppliers, 
laboratories, and other health care professionals who are participating 
in health care transparency projects; (6) assist individuals or 
organizations with projects that provide transparency in health care on 
a broad-scale, enabling consumers to compare the quality and price of 
health care services; or for research, evaluation, and epidemiological 
projects related to the prevention of disease or disability; 
restoration or maintenance of health or for payment purposes; (7) 
assist Quality Improvement Organizations; (8) support litigation 
involving the agency; and (9) combat fraud, waste, and abuse in certain 
health benefits programs

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    A. Entities Who May Receive Disclosures Under Routine Use. These 
routine uses specify circumstances, in addition to those provided by 
statute in the Privacy Act of 1974, under which CMS may release 
information from the PMRS without the consent/authorization of the 
individual to whom such information pertains. Each proposed disclosure 
of information under these routine uses will be evaluated to ensure 
that the disclosure is legally permissible, including but not limited 
to ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We propose to 
establish the following routine use disclosures of information 
maintained in the system:
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this SOR and who need to have 
access to the records in order to assist CMS.
    2. Pursuant to agreements with CMS to assist another Federal or 
state agency, agency of a state government, or an agency established by 
state law to:
    a. Contribute to projects that provide transparency in health care 
on a broad-scale enabling consumers to compare the quality and price of 
health care services,
    b. Contribute to the accuracy of CMS's proper payment of Medicare 
benefits,
    c. Enable such agency to administer a Federal health benefits 
program, or as necessary to enable such agency to fulfill a requirement 
of a Federal statute or regulation that implements a health benefits 
program funded in whole or in part with Federal funds, and/or
    d. Assist Federal/state Medicaid programs which may require PMRS 
information for purposes related to this system.
    3. To assist in making the individual physician-level performance 
measurement results available to Medicare beneficiaries, through a Web 
site and other forms of data dissemination, in order to promote more 
informed choices by Medicare beneficiaries among their Medicare 
coverage options.
    4. To provide Chartered Value Exchanges (CVE) and data aggregators 
with information that will assist in generating single or multi-payer

[[Page 52139]]

performance measurement results that will assist beneficiaries in 
making informed choices among individual physicians, practitioners and 
providers of services; enable consumers to compare the quality and 
price of health care services; and assist in providing transparency in 
health care at the local level if CMS:
    a. Determines that the use or disclosure does not violate legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determines that the purpose for which the disclosure is to be 
made:
    (1) Is of sufficient importance to warrant the effect on and/or 
risk to the privacy of the individual that additional exposure of the 
record might bring, and
    (2) There is reasonable probability that the objective for the use 
would be accomplished;
    c. Requires the recipient of the information to establish 
reasonable administrative, technical, and physical safeguards to 
prevent unauthorized use or disclosure of the record,
    d. Make no further use or disclosure of the record except:
    (1) For use in another project providing transparency in health 
care, under these same conditions, and with written authorization of 
CMS;
    (2) When required by law.
    e. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by these 
provisions. CVEs and data aggregators should complete a Data Use 
Agreement (CMS Form 0235) in accordance with current CMS policies.
    5. To assist individual physicians, practitioners, providers of 
services, suppliers, laboratories, and other health care professionals 
who are participating in health care transparency projects.
    6. To assist an individual or organization with projects that 
provide transparency in health care on a broad scale, enabling 
consumers to compare the quality and price of health care services; or 
for research, evaluation, and epidemiological projects related to the 
prevention of disease or disability; restoration or maintenance of 
health or for payment purposes if CMS:
    a. Determines that the use or disclosure does not violate legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form,
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individual that additional exposure of the record 
might bring, and
    (3) There is reasonable probability that the objective for the use 
would be accomplished;
    c. Requires the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record, and
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project, unless the 
recipient presents an adequate justification of a research or health 
nature for retaining such information, and
    (3) Make no further use or disclosure of the record except:
    (a) For disclosure to a properly identified person, for purposes of 
providing transparency in health care enabling consumers to compare the 
quality and price of health care services so that they can make 
informed choices among individual physicians, practitioners and 
providers of services;
    (b) In emergency circumstances affecting the health or safety of 
any individual;
    (c) For use in another research project, under these same 
conditions, and with written authorization of CMS;
    (d) For disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit; or
    (e) When required by law.
    d. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by these 
provisions. Researchers should complete a Data Use Agreement (CMS Form 
0235) in accordance with current CMS policies.
    7. To support Quality Improvement Organizations (QIO) in connection 
with review of claims, or in connection with studies or other review 
activities conducted pursuant to Part B of Title XI of the Act and in 
performing affirmative outreach activities to individuals for the 
purpose of establishing and maintaining their entitlement to Medicare 
benefits or health insurance plans.
    8. To support the Department of Justice (DOJ), court, or 
adjudicatory body when:
    a. The Agency or any component thereof, or
    b. Any employee of the Agency in his or her official capacity, or
    c. Any employee of the Agency in his or her individual capacity 
where the DOJ has agreed to represent the employee, or
    d. The United States Government,

    is a party to litigation or has an interest in such litigation, and 
by careful review, CMS determines that the records are both relevant 
and necessary to the litigation and that the use of such records by the 
DOJ, court or adjudicatory body is compatible with the purpose for 
which the agency collected the records.
    9. To assist a CMS contractor (including, but not limited to MACs, 
fiscal intermediaries and carriers) that assists in the administration 
of a CMS-administered health benefits program, or to a grantee of a 
CMS-administered grant program, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud, waste or abuse in such program.
    10. To assist another Federal agency or an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers, or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs.
    B. Additional Circumstances Affecting Routine Use Disclosures. To 
the extent this system contains Protected Health Information (PHI) as 
defined by HHS regulation ``Standards for Privacy of Individually 
Identifiable Health Information'' (45 CFR Parts 160 and 164, Subparts A 
and E) 65 Fed. Reg. 82462 (12-28-00). Disclosures of such PHI that are 
otherwise authorized by these routine uses may only be made if, and as, 
permitted or required by the ``Standards for Privacy of Individually 
Identifiable Health Information.'' (See 45 CFR 164-512(a)(1)).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored on both tape cartridges (magnetic storage media) 
and

[[Page 52140]]

in a DB2 relational database management environment (DASD data storage 
media).

RETRIEVABILITY:
    Information is most frequently retrieved by HICN, provider number 
(facility, physician, IDs), service dates, and beneficiary state code.

SAFEGUARDS:
    CMS has safeguards in place for authorized users and monitors such 
users to ensure against unauthorized use. Personnel having access to 
the system have been trained in the Privacy Act and information 
security requirements. Employees who maintain records in this system 
are instructed not to release data until the intended recipient agrees 
to implement appropriate management, operational and technical 
safeguards sufficient to protect the confidentiality, integrity and 
availability of the information and information systems and to prevent 
unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal, HHS, and CMS policies and standards as they 
relate to information security and data privacy. These laws and 
regulations include but are not limited to: the Privacy Act of 1974; 
the Federal Information Security Management Act of 2002; the Computer 
Fraud and Abuse Act of 1986; the Health Insurance Portability and 
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003, and the 
corresponding implementing regulations. OMB Circular A-130, Management 
of Federal Resources, Appendix III, Security of Federal Automated 
Information Resources also applies. Federal, HHS, and CMS policies and 
standards include but are not limited to: all pertinent National 
Institute of Standards and Technology publications; the HHS Information 
Systems Program Handbook and the CMS Information Security Handbook.

RETENTION AND DISPOSAL:
    Records are maintained with identifiers for all transactions after 
they are entered into the system for a period of 20 years. Records are 
housed in both active and archival files. All claims-related records 
are encompassed by the document preservation order and will be retained 
until notification is received from the Department of Justice.

SYSTEM MANAGER AND ADDRESS:
    Director, Quality Measurement and Health Assessment Group, Office 
of Clinical Standards and Quality, CMS, Room C1-23-14, 7500 Security 
Boulevard, Baltimore, Maryland 21244-1850.

NOTIFICATION PROCEDURE:
    For purpose of notification, the subject individual should write to 
the system manager who will require the system name, and the retrieval 
selection criteria (e.g., HICN, Provider number, etc.).

RECORD ACCESS PROCEDURE:
    For purpose of access, use the same procedures outlined in 
Notification Procedures above. Requestors should also reasonably 
specify the record contents being sought. (These procedures are in 
accordance with Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulation 45 CFR 5b.7).

RECORD SOURCE CATEGORIES:
    Medicare Beneficiary Database (09-70-0536), National Claims History 
File (09-70-0558), and private physicians, private providers, 
laboratories, other providers and suppliers who are participating in 
health care transparency projects sponsored by the Agency.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. E7-17907 Filed 9-11-07; 8:45 am]
BILLING CODE 4120-03-P