[Federal Register Volume 76, Number 110 (Wednesday, June 8, 2011)]
[Proposed Rules]
[Pages 33566-33588]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-14003]



[[Page 33565]]

Vol. 76

Wednesday

No. 110

June 8, 2011

Part III





Department of Health and Human Services





-----------------------------------------------------------------------



Centers for Medicare & Medicaid Services



-----------------------------------------------------------------------



42 CFR Part 401



Medicare Program; Availability of Medicare Data for Performance 
Measurement; Proposed Rule

  Federal Register / Vol. 76, No. 110 / Wednesday June 8, 2011 / 
Proposed Rules  

[[Page 33566]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Part 401

[CMS-5059-P]
RIN 0938-AQ17


Medicare Program; Availability of Medicare Data for Performance 
Measurement

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This rule proposes to implement new statutory requirements 
regarding the release and use of standardized extracts of Medicare 
claims data to measure the performance of providers and suppliers in 
ways that protect patient privacy. This rule explains how entities can 
become qualified by CMS to receive standardized extracts of claims data 
under Medicare Parts A, B, and D for the purpose of evaluation of the 
performance of providers of services and suppliers.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided below, no later than 5 p.m. on August 8, 2011.

ADDRESSES: In commenting, please refer to file code CMS-5059-P. Because 
of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission.
    You may submit comments in one of four ways (please choose only one 
of the ways listed):
    1. Electronically. You may submit electronic comments on this 
regulation to http://www.regulations.gov. Follow the ``Submit a 
comment'' instructions.
    2. By regular mail. You may mail written comments to the following 
address ONLY: Centers for Medicare & Medicaid Services, Department of 
Health and Human Services, Attention: CMS-5059-P, P.O. Box 8012, 
Baltimore, MD 21244-1850.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By express or overnight mail. You may send written comments to 
the following address ONLY: Centers for Medicare & Medicaid Services, 
Department of Health and Human Services, Attention: CMS-5059-P, Mail 
Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.
    4. By hand or courier. Alternatively, you may deliver (by hand or 
courier) your written comments ONLY to the following addresses prior to 
the close of the comment period: a. For delivery in Washington, DC-- 
Centers for Medicare & Medicaid Services, Department of Health and 
Human Services, Room 445-G, Hubert H. Humphrey Building, 200 
Independence Avenue, SW., Washington, DC 20201.
    (Because access to the interior of the Hubert H. Humphrey Building 
is not readily available to persons without Federal Government 
identification, commenters are encouraged to leave their comments in 
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing 
by stamping in and retaining an extra copy of the comments being 
filed.)
    b. For delivery in Baltimore, MD--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, 7500 Security 
Boulevard, Baltimore, MD 21244-1850.
    If you intend to deliver your comments to the Baltimore address, 
please call telephone number (410) 786-9994 in advance to schedule your 
arrival with one of our staff members.
    Comments erroneously mailed to the addresses indicated as 
appropriate for hand or courier delivery may be delayed and received 
after the comment period.
    For information on viewing public comments, see the beginning of 
the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Colleen Bruce, (410) 786-5529.

SUPPLEMENTARY INFORMATION: 
    Inspection of Public Comments: All comments received before the 
close of the comment period are available for viewing by the public, 
including any personally identifiable or confidential business 
information that is included in a comment. We post all comments 
received before the close of the comment period on the following Web 
site as soon as possible after they have been received at: http://www.regulations.gov. Follow the search instructions on that Web site to 
view public comments.
    Comments received in a timely fashion would also be available for 
public inspection as they are received, generally beginning 
approximately 3 weeks after publication of a document, at the 
headquarters of the Centers for Medicare & Medicaid Services, 7500 
Security Boulevard, Baltimore, Maryland 21244, Monday through Friday of 
each week from 8:30 a.m. to 4 p.m. To schedule an appointment to view 
public comments, phone 1-800-743-3951.

I. Background

    On March 23, 2010, the Patient Protection and Affordable Care Act, 
(``Affordable Care Act'') Public Law 111-148, was enacted. Effective 
January 1, 2012, section 10332 of the Affordable Care Act would amend 
section 1874 of the Social Security Act (the Act) by adding a new 
subsection (e) requiring standardized extracts of Medicare claims data 
under parts A, B, and D be made available to ``qualified entities'' for 
the evaluation of the performance of providers of services and 
suppliers. Such a disclosure is permitted under the Privacy Rule issued 
under the Health Insurance Portability and Accountability Act as a 
disclosure ``required by law.'' Qualified entities may use the 
information obtained under section 1874(e) of the Act for the sole 
purpose of evaluating the performance of providers of services and 
suppliers, and to generate specified public reports. Qualified entities 
may receive data for one or more specified geographic areas and must 
pay a fee equal to the cost of making the data available. Congress also 
required that qualified entities combine claims data from sources other 
than Medicare with the Medicare data when evaluating the performance of 
providers of services and suppliers. Potential qualified entities that 
wish to request data under these provisions would have to submit an 
application to the Secretary that includes, among other things, a 
description of the methodologies that the applicant proposes to use to 
evaluate the performance of providers of services and suppliers in the 
geographic area(s) they select. Qualified entities would generally be 
required to use standard measures for evaluating the performance of 
providers of services and suppliers unless the Secretary, in 
consultation with appropriate stakeholders, determines that use of 
alternative measures would be more valid, reliable, responsive to 
consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use not addressed by standard measures. Reports 
generated by the qualified entities may only include information on 
individual providers of services and suppliers in aggregate form, that 
is, at the provider of services or supplier level, and may not be 
released to the public until the providers of services and suppliers 
have had an opportunity to review them and ask for corrections. 
Congress included a provision at section 1874(e)(3) of the Act to allow 
the Secretary to take such actions as may be necessary to protect the 
identity of individuals entitled to or enrolled in Medicare.

[[Page 33567]]

    We believe the sharing of Medicare data with qualified entities 
through this program and the resulting reports produced by qualified 
entities would be an important driver of improving quality and reducing 
costs in Medicare, as well as for the healthcare system in general. 
Additionally, we believe this program would increase the transparency 
of provider and supplier performance, while ensuring beneficiary 
privacy.

II. Provisions of the Proposed Rule

    To implement the new statutory provisions of section 1874(e) of the 
Act, we are proposing to revise Part 401 by adding a new subpart G, 
``Availability of Medicare Data for Performance Measurement.'' The 
proposals in this rule would be consistent with section 10332 of the 
Affordable Care Act. Throughout the preamble, we identify options and 
alternatives to the provisions we propose. We have attempted to take 
into consideration comments received during the listening session on 
September 20, 2010. However, we strongly encourage comments on our 
proposed approach and on alternatives that would help us implement the 
appropriate requirements and regulatory provisions under section 
1874(e) of the Act.

A. Considerations for the Definition, Eligibility Criteria, and 
Operating Requirements of Qualified Entities

1. Definitions
    Section 1874(e)(1) of the Act requires the Secretary to make 
available to qualified entities data for the evaluation of the 
performance of providers of services and suppliers, as proposed at 
Subpart G of this proposed rule. Section 1874(e)(2) of the Act defines 
a qualified entity as a public or private entity that:
     Is qualified (as determined by the Secretary) to use 
claims data to evaluate the performance of providers of services and 
suppliers on measures of quality, efficiency, effectiveness, and 
resource use; and
     Agrees to meet the requirements described in section 
1874(e)(4) of the Act and meets such other requirements as the 
Secretary may specify, such as ensuring security of data.
    We have proposed a definition that is consistent with these 
statutory provisions at 42 CFR 401.702(a). Specifically, we have 
defined a qualified entity as a public or private entity that: (1) is 
qualified, as determined by the Secretary, to use claims data to 
evaluate the performance of providers of services and suppliers on 
measures of quality, efficiency, effectiveness, and resources use, and 
(2) agrees to meet the requirements of the Act and meets stated 
regulatory requirements at Sec. Sec.  401.703 through 401.710.
2. Eligibility Criteria
    As amended, section 1874(e)(2)(A) of the Act provides the Secretary 
with discretion to establish criteria to determine whether an entity is 
qualified to use claims data to evaluate the performance of providers 
of services and suppliers. In determining the qualified entity 
eligibility requirements, we sought to balance the need to ensure the 
production of timely, high quality, usable reports on providers of 
services and suppliers with the need to protect the privacy and 
security of beneficiary identifiable data and the need to ensure 
providers of services and suppliers have the opportunity to review the 
reports, appeal, and correct errors prior to public release.
    We are proposing at Sec.  401.703 to evaluate an organization's 
eligibility qualifications across three areas: organizational and 
governance capabilities, addition of claims data from other sources, 
and data privacy and security. In determining an applicant's 
eligibility, potential qualified entities would be evaluated 
individually to ensure they are prepared to meet the requirements in 
the statute for serving as a qualified entity. We are not planning to 
limit the number of qualified entities. Any entity that meets the 
eligibility criteria would be able to become a qualified entity.
a. Organizational and Governance Capabilities
    Section 1874(e)(2)(A) of the Act gives the Secretary the authority 
to establish the criteria to determine whether an entity is qualified 
to fulfill the requirements of the statute. We propose to thoroughly 
evaluate potential qualified entities on their organizational and 
governance capabilities to perform all of the following tasks:
     Accurately calculating quality, efficiency, effectiveness, 
and resource use measures from claims data, including:
    [cir] Identifying an appropriate method to attribute a particular 
patient's services to specific providers of services and suppliers.
    [cir] Ensuring the use of approaches to ensure statistical validity 
such as a minimum number of observations or minimum denominator for 
each measure.
    [cir] Using methods for risk-adjustment to account for variation in 
both case-mix and severity among providers of services and suppliers.
    [cir] Identifying methods for handling outliers.
    [cir] Correcting measurement errors and assessing measure 
reliability.
    [cir] Identifying appropriate peer groups of providers and 
suppliers for meaningful comparisons.
     Successfully combining claims data from different payers 
to calculate performance reports.
     Designing, and continuously improving the format of 
performance reports on providers of services and suppliers.
     Preparing an understandable description of the measures 
used to evaluate the performance of providers of services and suppliers 
so that consumers, providers of services and suppliers, health plans, 
researchers, and other stakeholders can assess performance reports.
     Implementing and maintaining a process for providers of 
services and suppliers identified in a report to review the report 
prior to publication, and providing timely responses to provider of 
services and supplier inquiries regarding requests for data, error 
correction, and appeals.
     Establishing, maintaining, and monitoring a rigorous data 
privacy and security program, including disclosing to CMS in its 
application any inappropriate disclosures of beneficiary identifiable 
information or HIPAA violations for the preceding 10-year period, and 
any corrective actions taken to address such issues.
     Accurately preparing performance reports on providers of 
services and suppliers and making performance report information 
available to the public in aggregate form, that is, at the provider of 
services or supplier level.
    Applicants would generally be expected to demonstrate expertise and 
sustained experience on each of these criteria. Generally, an applicant 
would be considered to have demonstrated expertise and sustained 
experience on these criteria if the applicant can show that it has been 
handling claims data and calculating performance measures for a period 
of at least three years. We believe that to be a successful qualified 
entity, an applicant would need to have an established track record of 
profiling providers of services and suppliers. However, we propose to 
consider applicants with fewer years of experience in handling claims 
data and calculating performance measures, or limited experience 
implementing and maintaining a process for providers of services and 
suppliers to request error correction if the applicant has sufficient

[[Page 33568]]

experience in the other areas described above. In all other areas, 
applicants must demonstrate expertise and sustained experience as 
stated above. We seek comment on our approach to evaluating qualified 
entities, and whether three years of demonstrated expertise is 
sufficient to ensure that only the highest quality entities are 
admitted to this program.
    We note that several of the tasks that are required of the 
qualified entities necessitate expertise and careful attention to the 
required processes as outlined below. Due to the importance of ensuring 
that the qualified entity is able to achieve the goals of the program, 
we wish to ensure that the qualified entities have the resources to 
meet their obligations to measure providers of services and suppliers 
and publish reports under the statute. Therefore, we propose that 
qualified entity applicants would also need to submit a description of 
the business model they plan to use for covering the costs of 
performing the required functions listed below, including paying the 
fee for the data. We solicit comment on our proposal.
b. Addition of Claims Data From Other Sources
    Section 1874(e)(1) and Section 1874(e)(3) of the Act require the 
Secretary to provide standardized extracts of claims data under 
Medicare Parts A, B, and D for one or more specified geographic areas 
and time periods to qualified entities so they can use the information 
in concert with other claims data to evaluate the performance of 
providers and suppliers. As discussed in section II.B. below, the 
qualified entities are to evaluate the performance of providers of 
services and suppliers using measures that may be calculated from the 
claims data only. At Sec.  401.702(d), we propose to define claims 
data, whether from Medicare claims or other sources, to be 
administrative claims data only, meaning, itemized billing statements 
from providers of services and suppliers that, except in the context of 
Part D drug event data, request reimbursement for a list of services 
and supplies that were provided to a Medicare beneficiary in the fee-
for-service context or to a participant in another insurance or 
entitlement program. Claims data would need to have characteristics and 
variables similar to the data discussed in section II.C. below. Data 
from other sources, such as registry data, chart abstracted data, or 
data from electronic medical records would not be considered claims 
data.
    Section 1874(e)(4)(B)(iii) of the Act requires qualified entities 
to combine Medicare data made available under this section with claims 
data from sources other than Medicare in their performance evaluations 
of providers of services or suppliers. We believe that this provision 
was intended to make Medicare data available to those already working 
with other claims data in order to increase sample sizes used to 
calculate measures and evaluate the performance of providers of 
services and suppliers. This belief is based on past experiences where 
measurement entities have expressed an interest in obtaining Medicare 
data to combine with other claims data to improve the population sample 
upon which their performance findings are based, and to address 
concerns expressed by stakeholders regarding small sample sizes in 
performance reports generated from a single payer source. The relative 
size of Medicare enrollment makes it one of the largest payers in any 
given market.
    In addition, since Medicare serves an older population with 
declining health, using claims data from Medicare would provide more 
opportunities to assess care provided to the chronically ill and other 
resource-intensive populations than is found in other claims data. The 
goal expressed by those seeking this data in the past has been that 
Medicare data, when coupled with other claims data, can provide 
measurement initiatives with greatly increased sample sizes upon which 
to calculate more reliable performance results.
    The statute requires the inclusion of claims data from other 
sources, but it does not specify a minimum amount of such data to 
qualify as a qualified entity. CMS has considered how to best ensure 
that Medicare data is combined with a sufficient amount of other claims 
data to meaningfully address some of the concerns regarding sample size 
and reliability outlined above. We are proposing at Sec.  401.703(a)(2) 
that applicants demonstrate to CMS that the claims data from other 
sources, which they are combining with Medicare data, addresses the 
concerns regarding sample size and reliability expressed by multiple 
stakeholders regarding the calculation of performance measures from a 
single payer source. In order to ensure that Medicare data is only made 
available to qualified entities that have additional claims data from 
other sources, applicants would not be approved as qualified entities 
unless they possess the claims data from other sources at the time of 
their application, and that data meets the requirements outlined above.
    We considered imposing a specific threshold amount of additional 
claims data, but we believe that it would be difficult to precisely 
establish a threshold amount of data to address concerns about small 
sample sizes and reliability. We are requesting comments on this policy 
decision, as well as suggestions for other possible options or 
alternatives. We are also considering a proposal to require qualified 
entities to have claims data from two or more other sources. For 
example, a qualified entity would need to have claims data from two 
private payers, or one private payer and Medicaid claims data, in order 
to be eligible to receive Medicare data. We believe that a requirement 
for claims data from two or more other sources may help further 
alleviate some of the methodological issues associated with performance 
measurement based on single-source data. Measurement of a provider of 
services or supplier based on one other source plus Medicare may still 
not represent enough of a provider of services' or supplier's patient 
population to provide meaningful data that would help improve 
performance. We are considering a proposal to require claims data from 
two or more other sources to ensure that performance reports produced 
by qualified entities are as fair a representation as possible of any 
provider of services' or suppliers' practice to encourage behavior 
change. We seek comments on this alternative proposal of requiring 
claims data from two or more other sources to be combined with Medicare 
claims data, and whether there are particular challenges associated 
with requiring claims data from multiple sources before a qualified 
entity can participate in this program.
c. Data Privacy and Security
    It is of the utmost importance to CMS that beneficiary identifiable 
Medicare data remain private and secure. Section 1874(e)(3) of the Act 
requires the Secretary to take actions necessary to protect the 
identity of individuals entitled to or enrolled in our programs.
    In order to fulfill this obligation, we are proposing at Sec.  
401.703(a)(3) to require that applicants demonstrate that they have 
rigorous privacy and security practices in place to protect the data 
released to them and have programs in place to train staff on data 
privacy protections and general data security protocols. Applicants 
would not be eligible to serve as qualified entities unless CMS 
determines that they have thoroughly documented data privacy and 
security practices including enforcement mechanisms. The data privacy 
and security requirements for qualified entities are discussed in 
detail at Section II.D.

[[Page 33569]]

3. Proposed Operating and Governance Requirements for Serving as a 
Qualified Entity
    CMS recognizes that applicants may not have fully developed plans 
for every aspect of serving as a qualified entity; however, there are 
key aspects that we believe are important enough to require the 
submission of proposed plans as a condition of being approved as a 
qualified entity. Specifically, we propose at Sec.  401.704 that 
applicants would submit, as part of their application: (1) The measures 
they intend to use, including, among other things, the methods of 
creating and disseminating reports; (2) the report review process they 
would use to afford providers of services and suppliers with reports 
confidentially prior to public release, including addressing report 
recipient requests for data and for error correction; (3) a prototype 
for the required reports, including any narrative language, and 
dissemination plans for providing reports to the public. Additional 
information regarding the application requirements may be found in 
section II.G. below.

B. Considerations for the Definition, Selection, and Use of Performance 
Measures by Qualified Entities

    Section 1874(e)(2)(A) of the Act requires qualified entities be 
qualified to use claims data to evaluate the performance of providers 
of services and suppliers using measures of quality, efficiency, 
effectiveness, and resource use. Specifically, section 
1874(e)(4)(B)(ii)(I) of the Act requires qualified entities requesting 
standardized extracts of Medicare claims to use standard measures, if 
available, such as measures endorsed by the entity with a contract 
under section 1890(a) of the Act, and measures developed pursuant to 
section 931 of the Public Health Service Act. Section 
1874(e)(4)(B)(ii)(II) of the Act also provides for the use of 
alternative measures by qualified entities if the Secretary, in 
consultation with appropriate stakeholders, determines that use of such 
alternative measures would be more valid, reliable, responsive to 
consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use not addressed by the standard measures. 
Qualified entities may only use standard or approved alternative 
measures to evaluate the performance of providers of services and 
suppliers using claims data from Medicare parts A, B, or D.
1. Proposed Definition of, and Process for Identifying and Approving 
Standard Measures for Use by Qualified Entities
    For purposes of a qualified entity selecting and using measures to 
evaluate the performance of providers of services and suppliers, we 
propose to define at Sec.  401.708(a) a ``standard measure'' to be a 
measure that can be calculated using only claims data and that is--(1) 
endorsed by the entity with a contract under section 1890(a) of the 
Act; (2) developed pursuant to section 931 of the Public Health Service 
Act; or (3) was adopted through notice and comment rulemaking and is 
currently being used in a CMS program that includes performance 
measurement, even if it is not endorsed by the entity with a contract 
under section 1890(a) of the Act.
    Currently, the entity with a contract under section 1890(a) of the 
Act is the National Quality Forum (NQF). NQF uses its formal Consensus 
Development Process to evaluate and endorse consensus standards, 
including performance measures, on an ongoing basis. It is viewed as a 
trusted partner in ensuring that any nationally endorsed provider of 
services and supplier performance measures are subject to rigorous 
multi-stakeholder scrutiny to ensure they are scientifically valid, 
address clear performance improvement needs and can be calculated in a 
manner that does not impose undue burden on providers and suppliers. 
There are currently hundreds of NQF-endorsed quality measures covering 
a range of clinicians, settings, and specialties, although not all of 
these measures can be calculated using only claims data.
    A list of currently NQF-endorsed performance measures can be 
obtained from the NQF Web site at http://www.qualityforum.org/Measures_List.aspx. We propose to define any measure endorsed by the 
entity with a contract under section 1890(a) of the Act which can be 
calculated from standardized extracts of Medicare parts A, B, or D 
claims as a standard measure. In addition to endorsed NQF measures, we 
propose to also define a measure which can be calculated from 
standardized extracts of Medicare parts A, B, or D claims data that has 
time-limited NQF endorsement as a standard measure. Measures that are 
time-limited endorsed that were not developed pursuant to section 931 
of the Public Health Service Act, or that are being used by a CMS 
program that includes performance measurement, would only be considered 
standard measures until such time as the NQF determines their 
endorsement status. Time-limited endorsed measures that ultimately 
receive endorsement would remain standard measures for as long as they 
remain endorsed, and time-limited endorsed measures that do not 
ultimately receive endorsement would lose their status as standard 
measures unless they were developed pursuant to section 931 of the 
Public Health Service Act, or can be calculated from standardized 
extracts of Medicare parts A, B, or D claims data, were adopted through 
notice and comments rulemaking, and are being used in a CMS program 
that includes quality measurement. Time-limited measures that do not 
receive NQF endorsement and that were not developed pursuant to Section 
931 of the Public Health Act, or are not used in a CMS program that 
includes performance measurement could however, be submitted for 
approval as alternative measures through the alternative measure 
process outlined below at II.B.2.
    Section 931 of the Public Health Service Act, as added by Section 
3013 of the Affordable Care Act supports the development, improvement, 
update, or expansion of quality measures for use in Federal health 
programs. To date, no measures have been developed under this 
provision. We propose that any measures developed or updated under this 
provision would also be considered standard measures regardless of 
their NQF endorsement status, as long as the measures can be calculated 
from the standardized extracts of Medicare parts A, B, and D claims 
data available to the qualified entity.
    We also propose to include in the definition of standard measure 
any measure that was adopted through notice and comment rulemaking and 
that is currently used in a CMS program that involves performance 
measurement, even if it is not NQF-endorsed or developed under section 
931 of the Public Health Service Act, as long as the measure can be 
calculated from the standardized extracts of Medicare parts A, B, and D 
claims data available to the qualified entity. For example, several 
measures in the hospital Inpatient Quality Reporting program beginning 
in FY 2012 (foreign object retained after surgery, air embolism, 
catheter-associated urinary tract infection, blood incompatibility, 
pressure ulcer stages III and IV, falls and trauma, manifestations of 
poor glycemic control, and vascular catheter associated infection) fit 
this criteria.
    The notice and comment rulemaking process includes a public comment 
period in which stakeholders are able to express their views regarding 
the proposed measures. Measures

[[Page 33570]]

implemented via the rulemaking process are not finalized until the 
public comment period closes, the comments are reviewed and considered, 
and a final rule is published. Because the notice and comment 
rulemaking process involves extensive opportunity for public input, we 
believe that measures used in CMS programs, regardless of whether they 
are endorsed by the NQF or developed under section 931 of the Public 
Health Service Act, have been subjected to sufficient scrutiny that 
they can be considered standard measures. We propose to make a list of 
measures that meet the requirements of being adopted through notice and 
comment rulemaking and currently being used in a CMS program that 
includes performance measurement, available in subregulatory guidance.
    In using any standard measure, we propose to require that the 
qualified entity must follow the measure specifications as written, 
including all numerator and denominator inclusions and exclusions, 
measured time periods, and specified data sources. We recognize that 
some measure specifications may require additional customization to 
implement in specific contexts, but such customization should not 
change the defined numerator, denominator, and exclusion criteria for 
the measure.
    We invite comments on the proposed definition of standard measures 
and the proposed requirement for qualified entities to follow the 
measure specifications as written.
2. Proposed Definition of, and Process for Identifying and Approving 
Alternative Measures for Use by Qualified Entities
    We also recognize that a qualified entity may wish to measure 
performance in an area for which there are no standard measures. We 
note that there are several areas of performance measurement with very 
few available measures that meet the definition of a standard measure 
as proposed above. We hope to encourage innovation in the development 
of new claims-based measures to evaluate the performance of providers 
of services and suppliers through the use of alternative measures. 
While the statute does not require the Secretary to allow the use of 
alternative measures, we believe that allowing qualified entities to 
propose the use of alternative measures encourages the development of 
additional claims-based performance measures.
    For qualified entities wishing to use alternative measures, we 
propose to adopt an alternative measure selection process through 
future notice and comment rulemaking that would subject proposed 
alternative measures to public comment after qualified entities propose 
candidate alternative measures for the Secretary's consideration. At 
Sec.  401.708(b)(1), we propose to define ``alternative measure'' as a 
measure that is not a standard measure, but that can be calculated 
using only standardized extracts of Medicare parts A, B, and D claims, 
and that has been found by the Secretary to be more valid, reliable, 
responsive to consumer preferences, cost effective, or relevant to 
dimensions of quality and resource use not addressed by standard 
measures.
    As discussed above, section 1874(e)(4)(B)(ii)(II) of the Act 
permits the use of alternative measures if the proposed alternative 
measure is more valid, reliable, responsive to consumer preferences, 
cost-effective, or relevant to dimensions of quality and resource use 
than existing claims-based standard measures. If there is a claims-
based standard measure for the clinical area or topic(s) that the 
qualified entity chooses to measure, we propose that the qualified 
entity must use the standard measure in lieu of any alternative 
measures, unless the qualified entity can provide detailed scientific 
justification for asserting that the proposed alternative measure in 
that clinical area or topic is more valid, reliable, responsive to 
consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use than the existing claims-based standard 
measure, and such assertions are accepted through the notice and 
comment rulemaking process outlined below.
    Similarly, in the case where a standard measure was not previously 
available for a particular clinical area or condition, but such a 
measure subsequently becomes available, we propose that qualified 
entities must cease use of the alternative measure and switch to the 
standard measure within 6 months (for example, if a standard measure 
becomes available in February 2013, either through being endorsed by 
the entity with a contract under section 1890(a) of the Act, developed 
pursuant to section 931 of the Public Health Service Act, or adopted 
through notice and comment rulemaking to be used in a CMS program that 
includes performance measurement, qualified entities would have to 
begin using the standard measure instead of the alternative measure in 
any reports by August 2013). If the qualified entity wishes to continue 
to use the alternative measure, then it must provide the scientific 
justification outlined above to obtain approval for the use of 
alternative measures when a standard measure for the clinical area or 
condition(s) that the qualified entity chooses to measure is available.
    In order to provide us with the information necessary to determine 
whether an alternative measure is more valid, reliable, responsive to 
consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use not addressed by the standard measures as 
required by section 1874(e)(4)(B)(ii)(II) of the Act, we propose that 
the qualified entity would need to submit to the Secretary the 
following information about a proposed alternative measure:
     The name of the alternative measure that the qualified 
entity is requesting the Secretary to consider as an alternative 
measure.
     The name of the alternative measure's developer or owner.
     Detailed specifications for the alternative measure.
     Information demonstrating how the alternative measure is 
more valid, reliable, responsive to consumer preferences, cost-
effective, or relevant to dimensions of quality and resource use not 
addressed by standard measures.
    We solicit comments on our proposals regarding alternative 
measures, and we welcome comments on whether any additional information 
regarding proposed alternative measures should be required in order to 
request the Secretary's consideration of a candidate alternative 
measure.
    Section 1874(e)(4)(B)(ii)(II) of the Act further requires the 
Secretary to review the candidate alternative measures in consultation 
with appropriate stakeholders in order to determine if an alternative 
measure would be more valid, reliable, responsive to consumer 
preferences, cost-effective or relevant to dimensions of quality and 
resource use not addressed by standard measures. In order to obtain 
consultation with appropriate stakeholders, we propose that once all 
qualified entities have submitted the above information regarding a 
proposed alternative measures, we would use the notice and comment 
rulemaking process to obtain public comment on approving the measures 
as alternative measures. We solicit comment on our proposal to engage 
in consultation with appropriate stakeholders through notice and 
comment rulemaking and we also welcome comments on alternative 
processes to consider for meeting the stakeholder consultation 
requirement.
    The statute requires the Secretary to make the final determination 
regarding whether an alternative measure is more valid, reliable, 
responsive to consumer

[[Page 33571]]

preferences, cost-effective, or relevant to dimensions of quality and 
resource use not addressed by standard measures. The Secretary would 
consider the information received from the qualified entity and other 
stakeholders during the notice and comment rulemaking process in order 
to determine whether a proposed alternative measure meets the statutory 
criteria for approval as an alternative measure. Once an alternative 
measure has been approved by the Secretary, the alternative measure 
would be available for use by all qualified entities, not just the 
submitting entity.
    Any measure that is not approved as an alternative measure may not 
be used to evaluate the performance of providers of services and 
suppliers using data from the qualified entity program. In the event 
additional information is available for an alternative measure that was 
previously denied approval, the alternative measure may be resubmitted 
to the Secretary for consideration.
    Because our proposals for the approval process of alternative 
measures would require notice and comment rulemaking, it would be 
logistically challenging for alternative measures to be approved in 
time to enable measure calculation and reporting of alternative 
measures in the first year of the program. While qualified entities 
would be able to submit alternative measures for consideration during 
the first year of the program, the approval process would likely not 
conclude in time to use the alternative measure in the first year of 
the program.
    Depending on the volume and timing of alternative measure 
submissions, we anticipate conducting the notice and comment rulemaking 
process on an annual basis. We are proposing to establish an annual 
deadline of May 31 for the submission of proposed alternative quality 
measures in order to allow for the measures to go through notice and 
comment rulemaking prior to the start of the next calendar year. The 
notice and comment rulemaking period generally takes 6 months from the 
publication of a proposed rule to the effective date of a final rule, 
so the alternative measures submitted by May 31 would be ready for use 
in the following calendar year, i.e., a measure submitted by May 31, 
2012 would be available for calendar year 2013. If no proposed 
alternative measures are received by the annual deadline, we would not 
publish a rule. Proposed alternative measures submitted after the 
annual deadline would be considered for rulemaking during the following 
calendar year.
    We believe this proposed approach is adequate because:
     We have proposed an expansive definition of what 
constitutes a standard measure (including non-NQF endorsed measures 
which can be calculated from standardized extracts of Medicare parts A, 
B, and D claims if they were adopted through notice and comment 
rulemaking and are currently being used in CMS programs that include 
quality measurement), and this would greatly increase the number of 
standard measures available for use by qualified entities.
     It is appropriate for qualified entities to focus on well 
established measures that are either NQF-endorsed or used in CMS 
programs in their first year of operation as qualified entities.
    We solicit comment on our proposals regarding the approval process 
for alternative measures.
    As with standard measures, when using an alternative measure 
approved by the Secretary, we propose to require that the qualified 
entity follow the measure specifications as written, including all 
numerator and denominator inclusions and exclusions, measured time 
periods, and specified data sources. We recognize that some measure 
specifications may require additional customization to implement the 
measure in specific contexts, but such customization should not change 
the defined numerator, denominator, and exclusion criteria for the 
measure. We invite comments on the proposed requirement for qualified 
entities to follow the measure specifications as written.
3. Selection and Justification of Measures by Qualified Entities
    We propose, at Sec.  401.704(a), to require that qualified entities 
provide a description of each standard or alternative measure they plan 
to use to calculate the performance of providers of services and 
suppliers as part of their application. This description should include 
the name of the measure, the name of the measure developer/owner, and 
the measure specifications including the numerator and the denominator. 
In addition, we propose to require an explanation of the applicant's 
rationale for selecting the measure, which would include a description 
of the relationship of any proposed measure (standard or alternative) 
to existing measurement efforts, and the relevancy of each proposed 
measure to the population(s) in the geographic area(s) the applicant is 
proposing to serve. The rationale would also include a specific 
description of the geographic area(s) the applicant intends to serve 
and a specific description of how each measure evaluates providers of 
services and suppliers on quality, efficiency, effectiveness, and/or 
resource use. Finally, we propose to require an applicant to provide a 
description of the methodologies it intends to use in creating reports 
with respect to attribution of beneficiaries to providers of services 
and suppliers, benchmarking performance data, and severity and case-mix 
adjustments.
    We propose at Sec.  401.706(a)(1) to allow a qualified entity to 
calculate and report measures that were not included in its initial 
application if the qualified entity submits the information described 
above about the additional measure(s) to CMS no less than ninety (90) 
days prior to the anticipated date for the confidential distribution of 
reports using those measures to providers of services and suppliers. We 
would review this information and approve or disapprove the use of the 
measure. We propose barring qualified entities from using a measure 
that has not been approved by CMS, even if CMS' review takes longer 
than ninety days.
4. Methodologies Used in Performance Reports
    Section 1874(e)(4)(B)(I) of the Act requires qualified entities to 
submit a description of the methodologies that they would use to 
evaluate the performance of providers services and suppliers. In 
keeping with this requirement, we have proposed Sec.  401.704(a)(5), 
which requires an applicant to submit a description of methodologies it 
intends to use in creating reports. We believe, however, that a review 
of methodologies is inadequate in the absence of a review of the 
abilities of the qualified entity to appropriately apply those 
methodologies. Therefore, we propose at Sec.  401.703(a)(1) that in 
order to be eligible to serve as a qualified entity, applicants must 
demonstrate expertise and sustained experience in several areas 
necessary for performance measurement.
5. Reports and Reporting
    Section 1874(e)(4)(C)(ii) of the Act requires qualified entities to 
make their draft reports available in a confidential manner to 
providers of services and suppliers identified in the reports before 
such reports are released publicly in order to offer them an 
opportunity to review these reports, and, if appropriate, appeal to 
request correction of any errors. We propose to require the qualified 
entities to include a plan for establishing and maintaining these 
appeal and correction processes in their

[[Page 33572]]

application materials, as we have stated in proposed Sec.  401.704(b). 
The plan must clearly describe how the qualified entity would make 
providers of services and suppliers aware of the process and establish 
procedures, including timeframes, for how providers of services and 
suppliers can request data from the qualified entity and request error 
corrections in the reports before the reports are made public.
    After reports have been shared confidentially with providers of 
services and suppliers, and any errors have been corrected, Section 
1874(e)(4)(C)(iv) of the Act requires the reports to be made available 
to the public. As discussed further below in Section II.E., in cases 
where provider requests for error correction cannot be resolved prior 
to a date specified by the qualified entity (at least 30 business days 
after the report was originally shared with providers of services and 
suppliers), the reports would be released publically with information 
that a provider of services or supplier error correction is ongoing. As 
stated in the statute at Section 1874(e)(4)(C)(iii) of the Act, the 
reports must include ``an understandable description'' of the measures, 
rationale for use, methodology (including risk-adjustment and physician 
attribution), data specifications and limitations, and sponsors. We 
interpret ``an understandable description'' to mean any descriptions 
that can be easily read and understood by a lay person. Additionally, 
the reports to the public may only include data on providers of 
services or suppliers at the provider of services or supplier level 
with no claim or person-level information to ensure beneficiary 
privacy.
    Pursuant to Section 1874(e)(4)(B)(vi) of the Act, we propose 
requiring qualified entities to submit prototype reports for both the 
reports they would send to providers of services and suppliers, and the 
reports they would release to the public (if they are different) in 
their application, including the narrative language they plan to use in 
the reports to describe the data and results. The prototype report 
should also contain an easily comprehensible description of the 
proposed measures, the rationale for the use of those measures, a 
description of the methodologies to be used, and a description of the 
data specifications and limitations.
    We have given extensive consideration to when in the process 
qualified entities should submit these prototype reports to CMS. One 
option would be for qualified entities to submit prototype reports with 
their applications to become qualified entities. As outlined above, one 
of the eligibility criteria for qualified entities is demonstrated 
expertise and experience in designing, disseminating, and continuously 
improving performance reports to providers of services and suppliers. 
Given this criteria, it seems reasonable to assume that qualified 
entities would be in a position to provide CMS with prototype reports 
at the time of their applications.
    A countervailing argument would be that qualified entities may need 
some time working with Medicare data and claims data from other sources 
before they would be in a position to identify an appropriate format 
for the required performance reports. This scenario would support 
requiring the submission of the prototype report sometime after an 
organization has been approved as a qualified entity, but at a time 
prior to the confidential release to providers of services and 
suppliers. Under this scenario, the qualified entity would receive 
Medicare data without having to demonstrate that they had considered 
how they could use that data to produce measure results.
    While we believe that qualified entities may identify changes that 
would be necessary as they work with the data, we believe that it is 
appropriate to expect that they have sufficiently considered these 
reporting obligations as they consider their desires to apply for 
qualified entity status, and that such considerations would include at 
least an initial concept of what they could provide in the reports. 
Therefore, despite the concern that qualified entities would need some 
time with the data to identify the appropriate format for reports, we 
believe that qualified entities should have the expertise and skills to 
be able to submit prototype reports at the time of their applications 
to become qualified entities.
    In recognition of the advances that could be made to these 
prototypes as the qualified entities work, we propose, at Sec.  
401.706(a)(2), providing for a process whereby they can modify the 
initial prototypes as long as these modifications are submitted to, and 
approved by, CMS. We propose requiring these submissions no less than 
90 days prior to the confidential release of report to providers of 
services and suppliers. We would review the modified prototype report 
and make a determination regarding the use of the new report. This 
determination would be based on the extent to which the proposed 
changes make the description of the measures used in the report more 
understandable. We propose barring qualified entities from using a 
report that has not been approved by CMS, even if CMS' review takes 
longer than 90 days.
    In addition, we propose to require the submission of plans for 
making the reports available to the public at the time of application. 
To the extent that the report formats or delivery mechanisms differ 
from those proposed at the time of application, we propose to also 
require an explanation and justification of those differences no less 
than 90 days prior to the release of differing report formats or 
delivery mechanisms.
    Finally, at Sec.  401.705(d) we propose requiring qualified 
entities to produce reports on the performance of providers of services 
and suppliers at a minimum of at least once a year. If CMS provides 
qualified entities with yearly updates to the data, as discussed below, 
we believe qualified entities should be expected to use the updates to 
produce performance reports. We seek comments on these proposals.

C. Data Extraction and Dissemination

    Section 1874(e)(3) of the Act requires the Secretary to provide 
qualified entities with standardized extracts of claims data from 
Medicare parts A, B, and D for one or more specified geographic areas 
and time periods. These data extracts would include information from 
all seven claim types that are submitted for payment in the Medicare 
Fee-For-Service Program. Information extracted from institutional 
claims includes inpatient hospital, outpatient hospital, skilled 
nursing facility, home health, and hospice services. Information 
extracted from non-institutional claims includes physician/supplier and 
durable medical equipment claims. These files contain only final action 
claims, meaning non-rejected claims for which a payment has been made. 
All disputes and adjustments have been resolved and details clarified.
    Medicare institutional and non-institutional claims include, but 
are not limited to, the following data elements: beneficiary ID, claim 
ID, the start and end dates of service, the provider or supplier ID, 
the principal procedure and diagnosis codes, the attending physician, 
other physicians, and the claim payment type.
    Qualified entities would also be eligible to receive certain Part D 
claims information for beneficiaries enrolled in the Medicare Fee-For-
Service Program. This type of information is known as ``drug event'' 
information, as opposed to ``claims'' information, because prescription 
drug coverage under Part D is provided by private insurance plans.

[[Page 33573]]

These plans have varied pricing methods, and often pay capitated rates. 
We note that the use of the term ``drug event'' does not mean this 
database includes information about adverse reactions to drugs. The key 
data elements for this database include: beneficiary ID, prescriber ID, 
drug service date, drug product service ID, quantity dispensed, days' 
supply, gross drug cost brand name, generic name, drug strength, and 
indication if the drug is on the formulary of the Part D plan.
    All claims files would contain a unique encrypted beneficiary 
identification number that would allow a qualified entity to link 
claims for an individual beneficiary. These files would not contain the 
actual beneficiary Medicare Health Insurance Claim Number.
    A comprehensive record layout for all three of these databases is 
offered at http://www.ccwdata.org/variables/var_claim_files.php for 
institutional claims, http://www.ccwdata.org/variables/var_claim_files2.php for non-intuitional claims, and http://www.ccwdata.org/variables/var_ptd_event.php for Part D drug events.
    The institutional claims database includes the following files:
    Inpatient claim file: The Inpatient claim file contains final 
action claims data submitted by inpatient hospital providers for 
reimbursement of facility costs. Some of the information contained in 
this file includes diagnosis, (ICD-9 diagnosis), procedure (ICD-9 
procedure code), Medicare Severity--Diagnosis Related Group (MS-DRG), 
dates of service, reimbursement amount, and hospital provider 
information. Each observation in this file is at the claim level.
    Skilled Nursing Facility claim file: The Skilled Nursing Facility 
(SNF) claim file contains final action claims data submitted by SNF 
providers. Some of the information contained in this file includes 
diagnosis and procedure (ICD-9 diagnosis and ICD-9 procedure code), 
dates of service, reimbursement amount, and SNF provider number. Each 
observation in this file is at the claim level.
    Outpatient claim file: The Outpatient claim file contains final 
action claims data submitted by institutional outpatient providers. 
Examples of institutional outpatient providers include hospital 
outpatient departments, rural health clinics, renal dialysis 
facilities, outpatient rehabilitation facilities, comprehensive 
outpatient rehabilitation facilities, and community mental health 
centers. Some of the information contained in this file includes 
diagnosis and procedure (ICD-9 diagnosis, Healthcare Common Procedure 
Coding System (HCPCS) codes), dates of service, reimbursement amount, 
outpatient provider number, and revenue center codes. Each observation 
in this file is at the claim level.
    Home Health Agency claim file: The Home Health Agency (HHA) claim 
file contains final action claims data submitted by HHA providers. Some 
of the information contained in this file includes the number of 
visits, type of visit (skilled-nursing care, home health aides, 
physical therapy, speech therapy, occupational therapy, and medical 
social services), diagnosis (ICD-9 diagnosis), dates of visits, 
reimbursement amount, and HHA provider number. Each observation in this 
file is at the claim level.
    Hospice claim file: The Hospice claim file contains final action 
claims data submitted by Hospice providers. Some of the information 
contained in this file includes the level of hospice care received (for 
example, routine home care, inpatient respite care), terminal diagnosis 
(ICD-9 diagnosis), dates of service, reimbursement amount, and Hospice 
provider number. Each observation in this file is at the claim level.
    The non-institutional claims database includes the following files:
    Carrier claim file: The Carrier claim file contains final action 
claims data submitted by non-institutional providers. Examples of non-
institutional providers include physicians, physician assistants, 
clinical social workers, nurse practitioners, independent clinical 
laboratories, ambulance providers, and free-standing ambulatory 
surgical centers. Some of the information contained in this file 
includes diagnosis and procedure (ICD-9 diagnosis, Healthcare Common 
Procedure Coding System (HCPCS) codes), dates of service, reimbursement 
amount, and non-institutional provider numbers (for example, UPIN, PIN, 
NPI). Each observation in this file is at the claim level.
    Durable Medical Equipment claim file: The Durable Medical Equipment 
(DME) claim file contains final action claims data submitted by Durable 
Medical Equipment suppliers. Some of the information contained in this 
file includes diagnosis, (ICD-9 diagnosis), services provided 
(Healthcare Common Procedure Coding System (HCPCS) codes), dates of 
service, reimbursement amount, and DME provider number. Each 
observation in this file is at the claim level.
    The Part D database includes the following file:
    Drug Event Database: The drug event database includes the 
following: encrypted beneficiary identifier, date of service, drug 
product dispensed, drug quantity, number of days supply of product, 
drug costs, beneficiary and other payer cost-sharing, formulary tier 
and utilization management, Part D benefit phase, encrypted pharmacy 
identifier, encrypted prescriber identifier, and encrypted plan 
identifier.
    We plan to provide identical standard data extracts to all 
qualified entities, that is, all extracts would include the same data 
elements and the same record layout. CMS does not plan to provide any 
customized data files to qualified entities under section 1874(e) of 
the Act. It would be the responsibility of the qualified entities to 
create customized analytical files and databases to support their 
calculation of performance measures for providers of services and 
suppliers.
    We seek comment on whether qualified entities would require any 
technical assistance to aid in understanding and working with Medicare 
data, what type of technical assistance would be beneficial, and 
whether we should include technical assistance in the fee charged for 
the data (see Section II.C.3. below). We plan to encourage the 
development of a voluntary knowledge sharing mechanism for qualified 
entities to communicate with each other regarding best practices for 
calculating measures, designing reports, and other important elements 
of this program. We seek comments on whether technical assistance is 
needed and how such a voluntary knowledge sharing mechanism would best 
be designed and operated.
1. Number of Years of Data
    Section 1874(e)(3) of the Act requires the Secretary to provide 
standardized extracts to qualified entities containing data from 
specific time periods. CMS is proposing to provide qualified entities 
with the most recent three years of Medicare data available at the time 
the qualified entity is approved for participation in the program. For 
example, if a qualified entity applies and is approved for 
participation in 2012, data for calendar years 2008, 2009, and 2010 
would be provided since they would be the most recent final action 
claims data available. Thereafter, CMS proposes to provide qualified 
entities with the most recent additional year of data on a yearly 
basis.

[[Page 33574]]

2. Geographic Areas
    Section 1874(e)(3) of the Act requires the Secretary to provide 
standardized extracts to qualified entities containing data for 
specific geographic areas. CMS is proposing that qualified entities 
receive standardized data extracts for a single geographic area or 
multiple regions. We propose to limit the provision of Medicare data to 
the geographic spread of the qualified entity's other claims data. For 
example, if a qualified entity has a sufficient amount of claims data 
from other sources (as determined by CMS during the application 
process) for people in Maryland, CMS would provide Medicare data for 
the state of Maryland.
    During the September 20, 2010 public listening session for section 
10332 of the Affordable Care Act, CMS received suggestions to release 
nationwide Medicare claims if the data are necessary for qualified 
entities to evaluate the performance of the providers of services and 
suppliers at a national level. In this proposed rule, we are requesting 
comments as to whether CMS should provide an option for the release of 
nationwide Medicare data. We specifically welcome comments regarding 
how the qualified entities would obtain a sufficient amount of non-
Medicare nationwide claims data to include in the evaluation of 
providers of services and suppliers and how the qualified entities 
would implement and manage a nationwide provider of services and 
suppliers confidential review and appeal process.
3. Cost To Obtain the Data
    Section 1874(e)(4)(A) of the Act requires qualified entities to pay 
a fee for obtaining the data that is equal to the cost of making such 
data available. We interpret the cost of making the data available 
broadly, to include the cost of providing the technical assistance 
(described above), the cost of processing qualified entities' 
applications, and the costs of monitoring qualified entities to ensure 
appropriate use of the data and appropriate adherence to data privacy 
and security standards. This monitoring may include, but is not limited 
to, periodic requests for documentation relating to privacy and 
security policies and procedures. The data fees would vary in 
accordance with the amount of data requested by the qualified entities. 
CMS would provide each prospective qualified entity with the actual 
cost of obtaining the data they request, and post on the CMS Web site 
examples of data requests and what each costs. However, based on our 
past experience providing Medicare data to research entities, we 
estimate that the approximate costs to provide three years of data for 
2.5 million beneficiaries to a qualified entity would be $200,000. 
Approximately $75,000 of the $200,000 is the cost of the claims data, 
while $125,000 is the cost of making the data available including the 
cost of processing applications and data requests, providing technical 
assistance, and monitoring. Therefore, to provide a qualified entity 
with three years of data for 5.0 million beneficiaries, the approximate 
costs would be $275,000 ($150,000 for the data and $125,000 for the 
program costs).
    Qualified entities would be expected to pay the fee annually. 
However, after the first year, costs would be lower since qualified 
entities would only be receiving one year of Medicare claims data. We 
solicit comment on the prospective fee amount and the ability of 
prospective applicants to pay it.
    We note that the creation and dissemination of nationwide extracts 
of Medicare data (mentioned above) would significantly increase the 
cost to any qualified entity seeking such nationwide data of obtaining 
and processing Medicare data. As stated above, we seek comment on the 
likelihood of a qualified entity having sufficient other claims data to 
meet the requirements to receive a nationwide extract of Medicare data.

D. Data Security and Privacy

    This provision creates a new program that provides for the release 
of Medicare beneficiary level data to private entities that are not 
enrolled in Medicare. We recognize that many approved qualified 
entities would be organizations with many years of experience in using 
claims data to produce performance reports on providers of services and 
suppliers, and, as such, may have existing agreements with private 
health plans who provide them data regarding the data security and 
privacy standards they must observe. While CMS is committed to ensuring 
the success of qualified entities in combining Medicare data with 
claims data from other sources to create comprehensive performance 
reports for providers of services and suppliers, CMS is also committed 
to ensuring that the beneficiary level data provided to qualified 
entities is subject to stringent security and privacy standards 
throughout all phases of the performance measure calculation, 
confidential reporting, appeal, and public reporting processes.
    In addition to the statutory requirements contained in section 
1874(e)(4) of the Act, qualified entities must meet any requirements 
that are adopted by the Secretary under section 1874(e)(2)(B) of the 
Act, which provides for the adoption of ``such other requirements as 
the Secretary may specify.'' In accordance with the explicit language 
of the statute, such ``other requirements'' may include security 
requirements for the data. Furthermore, section 1874(e)(3) of the Act 
requires the Secretary to take such actions as deemed necessary to 
protect the identity of individuals entitled to or enrolled in Medicare 
Parts A, B or D. As such, the Secretary is authorized to impose privacy 
and security requirements on qualified entities as a condition of 
participating in this program.
    We have considered whether qualified entities would require 
beneficiary identifiable data to calculate measures. As defined at 
Sec.  401.702(f) we interpret beneficiary identifiable data to mean 
data that permits a qualified entity to determine the name, or name and 
other direct identifying factors (for example, race, sex, age, address) 
of an individual beneficiary. If one approaches this issue purely from 
the point of view of the ability of qualified entities to engage in 
measure calculation and reporting, beneficiary identifiable data is not 
required. Qualified entities would be able to engage in measure 
calculation and reporting with files containing an encrypted 
beneficiary identifier. For this reason, we propose to include in any 
data files provided to qualified entities an encrypted beneficiary 
identifier that would permit linking of claims for the same beneficiary 
across multiple files and multiple years without identifying individual 
beneficiaries.
    While we realize that the statute permits providers of services and 
suppliers to request of qualified entities the Medicare claims data 
underlying their measure results, we anticipate that it would be 
difficult for providers of services and suppliers to identify errors in 
measurement in the absence of patient names. For example, a report from 
a qualified entity might indicate to a provider that only 50 percent of 
their assigned diabetic patients received recommended Hba1c tests in a 
given year. In the absence of patient names, we believe that it would 
be difficult for the provider to tell whether there were errors in how 
the measure result was calculated. Specifically, a provider may feel 
that there is an error in the underlying claims data that has 
inappropriately lowered their measure result. This could happen for a 
number of reasons. The provider may have conducted a Hba1c test but for 
some reason may not have submitted that

[[Page 33575]]

claim for payment, or may have submitted the claim for payment and it 
does not appear in the claims data provided to qualified entities due 
to an error. Additionally, a claims-based quality measure may not have 
fully captured the exclusion criteria that apply to many quality 
measures. For example, a qualified entity may, using available claims 
data, conclude that a provider has not provided a mammogram to an 
eligible patient. However, the patient may have undergone mastectomy 
surgery in previous years and therefore no longer be eligible for 
inclusion in the denominator for the breast cancer screening measure.
    For these reasons we believe that if a provider has a list of 
patient names associated with a measure result, it gives them the 
ability to cross reference the patient name against medical records in 
an effort to assess if there is missing clinical information that could 
be shared with the qualified entity in order to improve the accuracy of 
their results.
    As a result, we believe that on balance, it may be appropriate to 
provide qualified entities with the beneficiary names if it is 
requested as described below, in order to enable adequate review 
opportunities for providers of services and suppliers and to promote 
increased provider acceptance of, and trust in claims-based quality 
measures.
    While we believe that these contemplated disclosures are important 
to the success of the program, we also recognize the importance of 
protecting beneficiary data. In 2008, we published a regulation to 
permit Part D drug event data to be used for program monitoring, 
research, public health, care coordination, quality improvement, 
population of personal health records, and other purposes. See 73 FR 
30664. As discussed in the regulation, we sought to balance access to 
the data with protections for beneficiary privacy and commercially-
sensitive plan data to safeguard public health and permit broader 
public knowledge about the operations of the Part D program. Under the 
qualified entity program, release of Part D data is needed for provider 
performance evaluation, and provider performance evaluation is 
necessary for care coordination and quality improvement. We intend to 
ensure that Part D data released by CMS under this program complies 
with the requirements in the Part D data regulation, and that qualified 
entities take the necessary steps to ensure that any prescription drug 
data released to providers of services and suppliers as part of the 
review, appeal, and error corrections process is also safeguarded to 
ensure privacy and security of beneficiary information.
    Additionally, as discussed further in II.D.2. below, we believe 
that the Health Insurance Portability and Accountability Act (HIPAA) 
Privacy and Security rules would also provide a degree of protection 
for this information, especially when it is in the hands of providers 
of services and suppliers. CMS is committed to protecting the privacy 
and security of beneficiary identifiable data provided to qualified 
entities whether they are subject to HIPAA or not. Such data are 
carefully protected by a number of laws and policies, including HIPAA, 
when it is in the hands of CMS or one of its contractors. While 
qualified entities would not legally be a contractor of CMS and 
therefore would not be subject to these laws and policies, we believe 
that these protections should not cease merely because CMS is making 
these data available to another entity for other purposes that are 
perceived to have a public benefit.
    As described below, we propose to require qualified entities to 
apply privacy and security protections similar to those we require when 
we make beneficiary claims data available to external organizations for 
research purposes. To ensure that qualified entities apply appropriate 
privacy and security protections, we are proposing that approved 
qualified entities be required to execute a Data Use Agreement (DUA), 
described below, before receipt of any CMS data (the DUA is available 
at http://www.cms.gov/cmsforms/downloads/cms-r-0235.pdf). We note that 
this DUA contains significant penalties for inappropriate disclosures 
of the data, including both civil monetary penalties and criminal 
penalties. We seek comment on our proposal to apply privacy and 
security protections to qualified entities that are similar to those we 
require when we make beneficiary claims data available to external 
organizations for research purposes.
    As described above, we do not propose to send the data in a fully 
identifiable format when we send it to the qualified entity. All of the 
Medicare claims data provided to qualified entities would be furnished 
in a data set that contains a unique encrypted beneficiary 
identification number which would enable the qualified entities to link 
all claims for an individual beneficiary without knowing the identity 
(that is, name and other identifying characteristics) of the 
beneficiary.
    We are considering three potential options for sharing beneficiary 
names with qualified entities, and by extension, providers of services 
and suppliers. Under the first option, qualified entities would be 
provided with a crosswalk file linking all encrypted beneficiary 
identifiers to the patients' names for their Medicare data. We realize 
that this makes a large amount of data identifiable by the qualified 
entity. However, qualified entities would be permitted to give to a 
provider of services or supplier only the names of those beneficiaries 
included in that requester's performance report. Further, the qualified 
entity would only be permitted to provide the claims relevant to the 
particular measure or measure result that the provider of services or 
supplier is appealing, as is discussed in more detail below at section 
II.D.2.
    Under the second option, CMS would only provide beneficiary names 
to qualified entities on a transactional basis for the purposes of 
responding to specific requests for data by providers of services and 
suppliers. Each request for beneficiary names would be addressed on a 
case-by-case basis through the forwarding of each data request by the 
qualified entity to CMS. The qualified entity would receive beneficiary 
names only for those claims that were included in the requester's 
report and would be expected to destroy the identifiable data after 
responding to the providers' request for this data. We believe that 
this approach better safeguards any potential threats to beneficiary 
privacy.
    Under the third option, a provider of services or supplier who 
wishes to receive beneficiary names would request the encrypted claims 
data from the qualified entity as permitted under the statute. The 
provider of services or supplier would then submit a request to CMS for 
the beneficiary names for those specific claims.
    We believe that all three approaches have pros and cons. The first 
option is the least resource intensive from the perspective of both CMS 
and qualified entities. However, this option creates legitimate privacy 
concerns because it results in more data becoming identifiable to the 
qualified entity than is necessary to respond to the requests of 
specific providers of services or suppliers request for beneficiary 
names. The second option would be potentially more resource intensive 
for both CMS and qualified entities, but we believe it addresses many 
of the concerns posed by the first option because it would result in 
beneficiary names being made available only on an as-needed basis. The 
third option would also be

[[Page 33576]]

potentially more resource intensive for CMS and more resource intensive 
for providers of services and suppliers because providers of services 
and suppliers would have to engage in a two-step process involving both 
a qualified entity and CMS to obtain the requested data. We believe 
this may disrupt the relationship between the qualified entity and the 
provider of services or supplier, which is important for error 
correction and confidence in measure results.
    Having considered these things, we propose the second option 
because we believe it represents the best compromise between adequately 
safeguarding beneficiary privacy and fostering strong and productive 
relationships between qualified entities and providers of services and 
suppliers. If a qualified entity receives a request for data from a 
provider of services or supplier, we propose that the qualified entity 
would be required to submit a request to CMS in writing with a signed 
provider of services or supplier request appended as an attachment. 
However, we seek comment on all three options, as well as suggestions 
for other approaches not proposed here.
1. Privacy and Security Requirements for Qualified Entities
    We are proposing to require that qualified entities have in place 
security protections for all data released by CMS, and any derivative 
files, including any Medicare claims data and any beneficiary 
identifiable data. As part of their applications, qualified entities 
would have to explain how they would ensure that only the minimum 
necessary beneficiary identifiable data would be disclosed to the 
provider of services or supplier in the event of a request by a 
provider of services or supplier, and how data would be securely 
transmitted to the provider.
    In fulfilling these requirements, we are proposing at Sec.  
401.703(a)(1)(viii), that in order to be eligible to apply to receive 
Medicare data as a qualified entity, the applicant must demonstrate its 
capabilities to establish, maintain, and monitor a rigorous data 
privacy and security program, including ensuring compliance with plans 
related to the privacy and security of data. Additionally, Sec.  
401.703(a)(3) requires the applicant to submit to CMS a description of 
its rigorous data privacy and security policies including enforcement 
mechanisms.
    As noted above, we intend to provide a DUA to potential qualified 
entities at the time of their application. This DUA would be CMS' 
current standard data use agreement for research disclosures (available 
at http://www.cms.gov/cmsforms/downloads/cms-r-0235.pdf), but would be 
customized for the purposes of the qualified entity program through 
addenda to paragraph 12, which allows CMS to add attachments to the DUA 
to address the specific needs of the data recipient. We seek comment on 
the current DUA and any modifications that might be necessary for the 
purposes of providing data to qualified entities.
    Specifically, the current DUA requires a level and scope of 
security that is not less than the level and scope of security 
requirements established by the Office of Management and Budget (OMB) 
in OMB Circular No. A-130, Appendix III--Security of Federal Automated 
Information Systems (http://www.whitehouse.gov/omb/circulars/a130/a130.html) as well as Federal Information Processing Standard 200 
entitled ``Minimum Security Requirements for Federal Information 
Systems'' (http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf); and Special Publication 800-53 ``Recommended Security 
Controls for Federal Information Systems'' (http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf).
    We propose prohibiting the use of unsecured telecommunications to 
transmit beneficiary identifiable data or deducible information derived 
from any CMS data file(s).
    Further, we propose to require qualified entities to disclose as 
part of their data privacy and security policies the circumstances 
under which data provided by CMS would be stored and/or transmitted.
    We propose to require compliance with the listed OMB and NIST 
requirements in all of the qualified entities' activities with CMS data 
received through the qualified entity program, including but not 
limited to the receipt, storage, and possession of these data for 
purposes of calculating and reporting performance measures, beginning 
with the qualified entities' receipt of encrypted file(s) from CMS.
    We propose to require qualified entities to ensure that they bind 
any contractors or subcontractors that are working on behalf of the 
qualified entities to these same limitations and requirements. We 
propose that, if approved, qualified entities would have to attest that 
they have extended and applied CMS' security requirements to their 
contractors before receiving CMS data. We solicit comments on our 
proposals.
    In order to meet the requirements in Sec.  401.707 to establish, 
maintain, and monitor a security and privacy program, and to assure 
data are kept private and secure, we propose to require qualified 
entities to maintain their privacy and security programs throughout the 
duration of their participation as qualified entities, and through 
their winding down of business as a qualified entity, including the 
return or destruction of CMS data and any and all derivative files. 
Failure to comply with these requirements would result in a qualified 
entity being disqualified from further participation in the program. We 
propose to require the return or destruction of all CMS data files and 
derivative files in the possession of the qualified entity or its 
contractors and subcontractors within 30 days of any disqualification 
from the program or voluntary withdrawal from the program.
    Finally, we are seeking public comment on the appropriateness of 
accepting some form of independent accreditation or certification of 
compliance with data privacy and security requirements from qualified 
entities, and what that accreditation or certification might entail. 
The accreditation or certification would need to be at a level and 
scope of security that is not less than the level and scope of security 
requirements described above.
2. Privacy and Security of Data Released to Providers of Services and 
Suppliers
    We have also considered how to ensure the security and privacy of 
the beneficiary identifiable data after it has been placed in the hands 
of a provider of services or supplier during the report review and 
error correction process. We believe that the HIPAA Privacy and 
Security rules would apply to a majority of providers of services and 
suppliers who would receive beneficiary identifiable data from 
qualified entities. We base this belief on CMS' claims processing 
experience. Due to the statutory requirement that Medicare claims be 
filed electronically, the electronic claim filing rates are very high. 
However, there are exceptions to electronic filing. For example, 
certain small providers are exempt. For institutional claim billers 
(for example, hospitals, SNFs, HHAs) the rate of providers filing 
electronically is approximately 99.9 percent, and for non-institutional 
claims (for example, physicians, other practitioners, labs, ambulance) 
the rate is 98.2 percent.
    By law, providers that transmit any beneficiary identifiable health 
information in the context of an electronic transaction for which there 
is a HIPAA standard transaction are HIPAA covered entities that are 
subject

[[Page 33577]]

to the HIPAA Security and Privacy rules. Providers of services and 
suppliers that are already subject to the HIPAA Privacy and Security 
rules are required to have policies and procedures in place to protect 
the privacy and security of beneficiary identifiable data. We believe 
that the HIPAA Privacy and Security rules provide an appropriate level 
of protection of beneficiary identifiable data received by a provider 
of services or supplier from a qualified entity as the result of an 
appeal process or error correction request.
    However, qualified entities may generate performance reports for 
providers of services and suppliers not subject to HIPAA. For those few 
providers that are not subject to HIPAA because they do not transmit 
beneficiary identifiable health information in the context of an 
electronic transaction for which there is a HIPAA standard transaction, 
we propose to require that qualified entities include a plan in their 
application materials for assuring protection of the data that is 
released as a part of the measure report review process, such as 
requiring a signed privacy and security agreement between the qualified 
entity and the provider of services or supplier that includes the same 
privacy and security protections as the qualified entity is subject to 
under the DUA it enters into with CMS. We believe that the few 
providers this affects would be willing to enter into such agreements, 
and that this would ensure that beneficiary level data that is given to 
a provider of services or supplier through an appeals process would 
remain secure and protected, and only used for purposes related to the 
appeal. We seek comments on these proposals.
    Section 1874(e)(4)(B)(v) of the Act requires qualified entities to 
make the Medicare claims data they receive available to providers of 
services and suppliers. We believe that for many providers of services 
and suppliers, the beneficiary name may be of more practical use in 
determining the accuracy of the measures results than the underlying 
claims used to calculate the measures. However, the statute does 
explicitly acknowledge that upon request qualified entities would need 
to share with providers of services or suppliers ``data made available 
under this subsection.'' We would like to make it clear that we do not 
interpret this provision to mean that providers could receive all 
Medicare claims data for a given patient or patients. Rather, we 
interpret this to mean that in certain circumstances, qualified 
entities may have to provide all the claims relevant to the particular 
measure or measure results the provider of services or supplier is 
appealing. Therefore, a provider requesting claims data in relation to 
a diabetes quality measure would only receive the claims related to the 
calculation of that quality measure. We realize this may result in 
providers of services or suppliers receiving claims submitted by 
another provider. For example, the provider that performs a test on a 
patient may not be the provider who is ultimately determined by the 
qualified entity to be responsible for the care of that patient. 
Therefore, if the responsible provider requests access to the 
underlying claims data informing their measure results, some of that 
claims data may be from other providers. We solicit comment on any 
privacy or security issues related to this situation.
    We also believe that the intent of this program is not just for 
qualified entities to engage in measure calculation and reporting to 
providers, but for the reports generated by qualified entities to 
result in meaningful quality improvement activities by providers. As a 
result, we believe that it is appropriate for providers of services and 
suppliers to use the claims data and beneficiary name received as part 
of an appeal to engage in quality improvement activities as long as the 
quality improvement work is in accordance with the HIPAA limitations 
discussed herein.
3. Beneficiary Privacy and Security Concerns
    Following provision of the performance reports on a confidential 
basis to providers of services or suppliers, qualified entities are 
required to make performance information public. We note that the 
publication is only of aggregated, non-beneficiary identifiable data 
that would not be able to be reidentifed (for example, a provider 
conducted an annual HbA1C test for 70 percent of their diabetic 
patients). We propose to require that qualified entities ensure that 
all publicly available reports do not contain beneficiary identifiable 
information. Additionally, we propose to prohibit qualified entities 
from disclosing information in their publicly available reports that 
there is a reasonable basis to believe can be used in combination with 
other publicly available information to re-identify individual 
patients. We expect that this reporting of aggregate non-identifiable 
data should not compromise beneficiary privacy.
    We also propose requiring qualified entities to have in place a 
process to respond to beneficiary queries or complaints regarding the 
privacy and security of their data. In addition, we propose to require 
qualified entities to inform beneficiaries of a breach pursuant to the 
requirements in paragraph 13 of the DUA. Finally, we propose below at 
section F of the preamble that qualified entities submit information on 
privacy or security breaches to CMS, to allow CMS to monitor qualified 
entity actions in this area. We seek comments on these proposals.

E. Confidential Opportunities to Review, Appeal, and Correct Reports

    The statute describes two requirements to ensure that providers of 
services and suppliers are afforded an opportunity to provide input on 
the reporting of their performance metrics. Section 1874(e)(4)(C)(ii) 
of the Act requires qualified entities to make their reports available 
confidentially to providers of services and suppliers identified in the 
reports prior to the public release of such reports, and to offer them 
the opportunity to appeal and correct errors. Additionally, section 
1874(e)(4)(B)(v) of the Act requires qualified entities to release 
relevant Medicare claims data that was made available to them under 
section 1874 of the Act to providers of services and suppliers who 
request it. We interpret this section of the Act to indicate that 
qualified entities must provide relevant data made available to them 
under this subsection to any provider of services or supplier 
identified in the qualified entity's report who requests such data. By 
relevant data, we mean the underlying claims data used to calculate the 
results for any measure that a provider wishes to appeal. We assume 
that the reason providers of services and suppliers would make requests 
for data is so they can appeal and request the correction of errors in 
their reports.
    To ensure that qualified entities have a method to address these 
two requirements, we propose, at Sec.  401.704(b), to require that 
applicants include a plan for their process for confidential report 
review, appeals, and error correction processes in their application 
materials.
    We are proposing that these plans would contain several elements. 
First, a qualified entity would need to provide for a means of 
informing providers of services and suppliers of the specific steps 
that were taken in order to generate their performance reports in order 
for providers of services and suppliers to be able to understand their 
performance reports. We propose requiring that this plan include an

[[Page 33578]]

explanation of the measurement methodology, estimates of statistical 
reliability, and information on how to interpret the results to help 
providers of services and suppliers understand their performance 
relative to others. To the greatest extent possible, these explanations 
and information should be written using a language and formats that are 
as easily understood as possible. As discussed below, the qualified 
entity would also be required to have a plan for informing providers of 
services or suppliers about their rights to request data, appeal the 
reports, and request error correction.
    Second, the qualified entity would be required to describe the 
means by which providers of services and suppliers may request the 
Medicare data that was used to calculate the performance measures they 
wish to appeal and, if necessary, correct. The qualified entities would 
be required to describe how they would ensure that the information that 
is shared would be limited to those beneficiaries included in the 
requestor's performance report and only contains those claims relevant 
to the particular measure(s) being appealed.
    Third, as discussed above in this section, we are proposing to 
require that qualified entities describe their means of confidentially 
sharing results with providers of services and suppliers (for example 
secure Web site or e-mail) in their application. Qualified entities 
would be required to use secure methods suitable for transmitting or 
otherwise providing secure access to identifiable health information to 
providers of services or suppliers. We seek comment on the appropriate 
secure methods that should be required for sharing the information with 
providers of services or suppliers, such as two factor authentication.
    Fourth, we propose to require a description of the means by which 
providers of services and suppliers can submit appeals for error 
correction. This process must describe the timeframes for providers of 
services or suppliers to submit requests for data and requests for 
error correction. The timeframes must meet several parameters. We 
believe these timeframes are reasonable because they balance the need 
for careful review by providers of services and suppliers with one of 
the main intents of the program, which is to make performance 
information available to the public. Qualified entities must share 
measures, measurement methodology, and measure results with providers 
of services and suppliers at least 30 business days prior to making 
measure results public. Additionally, qualified entities must allow 
providers of services and suppliers at least 10 business days to make a 
request for data, and an additional 10 business days for a provider to 
request an error correction. Per the qualified entity's request, the 
provider of services or supplier may be required to provide comments, 
additional data, or documentation for consideration.
    Fifth, the qualified entity must make clear to providers of 
services and suppliers that reports would be made public after a 
specified date (at a minimum 30 business days after sharing measure 
results with providers of services and suppliers), regardless of the 
status of any providers of services or suppliers' requests for error 
correction. We propose to encourage qualified entities to dedicate 
appropriate resources, including qualified staff, to resolving good 
faith questions regarding performance results to both parties' 
satisfaction whenever possible. If the request for a data or error 
correction is still outstanding at the time of making the reports 
public, we propose the qualified entity must, if feasible, post 
publicly the name of the appealing provider and a description of the 
appeal request. While we understand that this proposal means that some 
provider of services and supplier requests for error correction might 
not be resolved prior to publication of the results, we have included 
this requirement to ensure that providers do not make spurious requests 
for error correction to prevent the publication of measure results. We 
want to ensure that providers of services and suppliers have the 
opportunity to correct their results in situations where there are 
errors, but also ensure that performance results are released in a 
timely manner.
    CMS proposes to monitor the number of provider appeals for each 
qualified entity, both as a mechanism for ensuring the overall quality 
of individual qualified entity reporting mechanisms and to identify any 
situations where providers of services or suppliers might be appealing 
on spurious grounds so that CMS can determine whether to further 
investigate any such situations.
    Finally, qualified entities must describe the means by which they 
would notify the provider of services or supplier of the outcome of the 
request for error correction and basis for the decision.
    We request comments on our proposed approach to requiring potential 
qualified entities to describe their processes for providers of 
services and suppliers to review reports confidentially, request data, 
and appeal to the qualified entity for error correction in their 
applications.
    Additionally, although we do not have the statutory authority to 
require it, we strongly encourage qualified entities to share not only 
Medicare data but also their claims data from other sources with 
providers of services and suppliers, if they ask to correct an error or 
appeal their results on specific measures.

F. Monitoring, Oversight, Sanctioning, and Termination

    CMS is committed to ensuring the successful implementation of this 
program, maximizing the appropriate use of Medicare data for the 
production of performance reports, while minimizing the risk of 
inappropriate disclosure of beneficiary information. Section 
1874(e)(2)(B) of the Act authorizes CMS to require qualified entities 
to meet any other requirements we specify, ``such as ensuring the 
security of data.'' We have outlined a range of requirements in this 
rule that qualified entities would be expected to meet and maintain on 
an ongoing basis. In order to ensure that the highest standards are 
adhered to by all qualified entities, we are proposing a monitoring 
program which would assess qualified entities' compliance with the 
requirements laid out in this rule and assess sanctions or termination 
as deemed appropriate by CMS. We are proposing at Sec.  401.710(a)(1) 
that CMS, or one of its designated contractors, would periodically 
audit qualified entities use of Medicare data for the production of 
performance reports on providers of services or suppliers to ensure 
that the Medicare data is being used only for its intended purpose, 
that is, in combination with claims data from other sources to 
calculate and report either standard or alternative claims-based 
measures to providers of services and suppliers. We propose that these 
audits be done at the discretion of CMS.
    We also propose that CMS would monitor the amount of claims data 
from other sources being used in the production of performance reports 
to ensure that it is equal to or greater than the amount promised by 
the qualified entity in its application. This would require production 
of documentation on data sources and quantities of data, and may 
necessitate a site visit to the qualified entity by data experts. 
Again, if CMS finds that qualified entities are not, in fact, 
calculating performance reports using the amount and type of data 
specified in its initial application that would also be grounds for 
sanction or termination.
    We recognize that in certain circumstances the amount of claims 
data from other sources a qualified

[[Page 33579]]

entity has access to may decrease. For example, a qualified entity may 
lose access to a data set in the second year of their participation in 
the program or may discover that some of the other claims data they 
possess is inaccurate and therefore unusable. In these cases, we 
propose that the qualified entity must immediately inform CMS of the 
reduction in the amount of other claims data it possesses and provide 
documentation that the remaining other claims data is still sufficient 
to address the concerns regarding sample size and reliability expressed 
by stakeholders regarding the calculation of performance measures from 
a single payer source. We would review this information and determine 
whether the qualified entity may continue to participate in the 
program. If CMS determines the amount of data is not sufficient to meet 
the requirements, the qualified entity would have 60 days to acquire 
new claims data and submit documentation to CMS. Under no circumstances 
may a qualified entity issue a report, use a measure, or share a report 
during this 60 day period. If after the 60 days, the qualified entity 
does not have access to new data or if CMS decides the qualified entity 
still does not possess an adequate amount of additional claims data, 
CMS would terminate its relationship with the qualified entity. We 
solicit comments on our proposal for regarding the CMS response to a 
decrease in the amount of claims data possessed by a qualified entity.
    We propose requiring qualified entities to submit an annual report 
to CMS covering two topics, as described in further detail below: (1) 
General program adherence and (2) engagement of providers of services 
and suppliers.
    1. General Program Adherence: To monitor general program adherence, 
we propose that qualified entities would submit an annual report 
containing the number of Medicare and other claims combined, the 
percent of the overall market share the number of claims represents in 
the qualified entity's area, the number of measures calculated, the 
number of providers of services and suppliers profiled by type of 
provider and supplier, and a measure of the public use of the reports 
(for example, the number of Web site hits).
    2. Engagement of Providers of Services and Suppliers: We believe 
that one of the most important outcomes of this program would be the 
engagement of providers of services and suppliers with qualified 
entities to improve health care quality and efficiency. We want to 
ensure that qualified entities engage providers of services and 
suppliers in a constructive and respectful manner, and diligently work 
to address the concerns of the providers of services or suppliers 
throughout any appeal and error correction processes. Therefore, we are 
also proposing to impose reporting requirements so that CMS would be 
able to monitor the requests from providers of services and suppliers 
for information, error correction, and appeals, as well as the 
responsiveness of the qualified entity to those requests. In order to 
permit CMS to monitor these requests, we propose that qualified 
entities would provide a yearly report to CMS regarding: (1) The number 
of requests for data and the number of requests fulfilled; (2) the 
number of subsequent error corrections; (3) the type of problem(s) 
leading to the appeal or request for error correction; (4) the time for 
the qualified entity to acknowledge the request for data or error 
correction; (5) the time for the qualified entity to respond to the 
request for appeal or error correction; and (6) the number of requests 
for appeal or error correction that are resolved.
    As stated above, CMS is committed to ensuring that qualified 
entities protect the privacy and security of beneficiary information. 
To monitor qualified entities actions in this area, we are proposing 
that qualified entities would submit to CMS information regarding any 
inappropriate disclosures or uses of beneficiary identifiable data 
pursuant to the requirements in the DUA. We solicit comment on our 
proposal as well as other indicators that would demonstrate that a 
qualified entity is appropriately responding to the requests from 
providers of services or suppliers.
    If, based upon the monitoring activities described above or by any 
other manner, we conclude that a qualified entity is not adequately 
observing the requirements of the program we propose that CMS, in its 
sole discretion, may take any or all of the following actions:
     Provide a warning notice, which indicates that future 
deficiencies could lead to termination, to the qualified entity of the 
specific performance concern;
     Request a corrective action plan (CAP) from the qualified 
entity;
     Place the qualified entity on a special monitoring plan;
     Terminate the qualified entity.
    The level of sanctions and/or termination would depend on an 
assessment by CMS of the seriousness of the observed deficiency or 
deficiencies by the qualified entity. One or more disclosures of 
beneficiary identifiable information would likely to result in 
termination. Additionally, since the statute explicitly bars the reuse 
of Medicare claims for purposes other than generating performance 
reports, we propose CMS terminate its relationship with the qualified 
entity in the event of reuse of Medicare claims. Other deficiencies 
that may be the result of employee error and can be easily corrected in 
the future would likely just result in a warning notice. However, as 
noted above, any time the qualified entity is terminated we propose to 
require the destruction or return of any Medicare data within 30 days.

G. Qualified Entity Application Content

    In accordance with these proposals, if finalized, CMS proposes to 
develop an application process for potential qualified entities that 
would require the following information:
    1. Applicant name and entity description.
    2. A description of the applicant's organizational and governance 
qualifications as laid out in Section II.A.2. above and at Sec.  
401.703(a)(1).
    3. A description of the business model the applicant plans to use 
for covering the costs of the required functions.
    4. A description of the additional claims data the applicant would 
use in combination with the requested Medicare data, and the amount of 
data that would be combined with Medicare data.
    5. A description of geographic area(s) for which Medicare data 
would be requested.
    6. Documentation of its proposed data privacy and security policies 
and enforcement mechanisms.
    7. A description of the proposed measures it intends to calculate 
and report, including the name of the measure, the name of the measure 
developer, the measure specifications, the rationale for selecting 
those measures including the relationship of the measures to existing 
measurement efforts and the relevancy to the proposed population in the 
proposed geographic area, and a description of the methodologies it 
intends to use in creating reports; if seeking approval of an 
alternative measure, documentation that the proposed alternative 
measure has been accepted by the Secretary as an alternative measure 
through notice and comment rulemaking.
    8. A description of the process it would establish to allow 
providers of services and suppliers to review draft reports 
confidentially, request data and appeal to correct errors before the 
reports are made public.
    9. A prototype report for reporting findings to providers of 
services and suppliers, and if different, to consumers,

[[Page 33580]]

including any standard explanatory language (narrative), an easily 
comprehensible description of the proposed measures, the rationale for 
use of those measures, a description of the methodologies to be used, 
and a description of the data specifications and limitations, as well 
as a dissemination plan for reports.
    We propose to assess the veracity of each applicant's assertions 
through a comprehensive review of their supporting documentation as 
part of the application review process.
    Applications would generally be approved based on the overall 
expertise and sustained experience demonstrated. We are not proposing 
to limit the number of qualified entities or review the applications 
against one another. We believe our proposed approach to determining 
qualified entity eligibility balances the need to ensure fairness in 
qualified entities' evaluation of providers of services and suppliers 
with beneficiaries' needs for confidentiality of their health care 
information. We seek comments on our proposed application requirements 
and the total burden associated with them.
    We recognize that by not limiting the number of qualified entities 
in any particular geographic region, in certain circumstances providers 
of services and suppliers might receive multiple reports from different 
qualified entities. We believe that given the requirement that 
qualified entities contribute claims data from other sources, the 
likelihood of multiple qualified entities in the same area is low. 
However, we seek comment on the implications of providers of services 
and suppliers receiving multiple reports. We also seek comment on 
whether CMS should limit the number of qualified entities that are 
approved for a particular region, as well as other methods to address 
this issue.
    In selecting qualified entities, CMS would evaluate all 
applications received and identify those that meet these requirements. 
We propose that applications for participation in the program would be 
available on the CMS Web site beginning January 1, 2012. Applications 
would only be collected and processed once a year. We propose that 
applications would be due on March 31, 2012, and by the close of the 
first quarter of the calendar year each year thereafter. We considered, 
instead, using a rolling application process, where organizations could 
apply at any point in the year. However, we are concerned about the 
burden this would place on CMS in processing and reviewing 
applications. We seek comment on our proposed application process, 
specifically our decision to have a yearly application date rather than 
using a rolling application process.
    Applicants would be approved for a period of three years from the 
date of notification of the application approval by CMS. In order to 
continue to serve as a qualified entity for any subsequent three year 
periods, the qualified entity would need to reapply. To reapply, a 
qualified entity would need to submit to CMS documentation of any 
changes to what was included in their original application. Qualified 
entities would need to submit this documentation at least 6 months 
before the end of their three-year approval period. If a qualified 
entity has submitted a reapplication, it would be able to continue to 
serve as qualified entities until the re-application is either approved 
or denied by CMS. If the re-application is denied, CMS would terminate 
its relationship with the qualified entity. We propose that a qualified 
entity would need to be in good standing in order to reapply. A 
qualified entity would be considered in good standing if it had no 
violations of the requirements of the program or if the qualified 
entity was addressing any past deficiencies either on its own or 
through the implementation of a corrective action plan.

III. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995, we are required to 
provide 60-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act 
of 1995 requires that we solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    We are soliciting public comment on each of these issues for the 
following sections of this proposed rule that contain information 
collection requirements (ICRs).
    If finalized, these regulations would require an organization 
seeking to receive data as a qualified entity to submit an application. 
Specifically, an applicant must submit the information listed in 
proposed Sec. Sec.  401.703-401.705. The burden associated with this 
requirement is the time and effort necessary to gather, process, and 
submit the required information to CMS. We estimate that 35 
organizations would submit applications to receive data as qualified 
entities. We further estimate that it would take each applicant 500 
hours to gather, process and submit the required information. The total 
estimated burden associated with this requirement is 500 hours at an 
estimated cost of $795,641.
    Proposed Sec.  401.707(a)(iv) states that as part of the 
application review and approval process, a qualified entity would be 
required to execute a Data Use Agreement (DUA) with CMS, that among 
other things, reaffirms the statutory bar on the use of Medicare data 
for purposes other than those referenced above. The burden associated 
with executing this DUA is currently approved under OMB control number 
0938-0734.
    Proposed Sec.  401.705(f) would require qualified entities in good 
standing to re-apply for qualified entity status 6 months before the 
end of their three-year approval period. We estimate that 25 entities 
would be required to comply with this requirement. We estimate that it 
would take 120 hours to reapply to CMS. The total estimated burden 
associated with this requirement is 120 hours at an estimated cost of 
$136,396.
    Proposed Sec.  410.710(b) requires qualified entities to submit 
annual reports to CMS as part of CMS' ongoing monitoring of qualified 
entity activities. We estimate that the 25 entities in the program will 
be required to comply with this requirement. We estimate that it will 
take 150 hours to complete an annual monitoring report. The total 
estimated burden associated with this requirement is 150 hours at 
$170,475.

[[Page 33581]]



                                              Table 1--Estimated Annual Recordkeeping and Reporting Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                           Hourly       Total
                                                                                 Burden per     Total    labor cost  labor cost     Total
     Regulation section(s)         OMB Control No.     Respondents    Responses   response     annual        of          of        capital/   Total cost
                                                                                   (hours)     burden     reporting   reporting  maintenance      ($)
                                                                                               (hours)       ($)        ($)*      costs ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec.   401.703(a)..............  0938-New..........              35          35         500      17,500          **     795,641            0     795,641
Sec.   401.705(f)..............  0938-New..........              25          25         120       3,000          **     136,396            0     136,396
Sec.   401.710(b)..............  0938-New..........              25          25         150       3,750          **     170,475            0     170,475
                                                    ----------------------------------------------------------------------------------------------------
    Total......................  ..................              35          35  ..........      24,250  ..........  ..........  ...........   1,102,512
--------------------------------------------------------------------------------------------------------------------------------------------------------
* Total labor cost assuming 92% of total hours are professional and technical and 8% are legal.
** Wage rates vary by level of staff involved in complying with the information collection request (ICR).

    To obtain copies of the supporting statement and any related forms 
for the proposed paperwork collections referenced above, access CMS' 
Web site at http://www.cms.gov/PaperworkReductionActof1995/PRAL/list.asp#TopOfPage or e-mail your request, including your address, 
phone number, OMB number, and CMS document identifier, to 
[email protected], or call the Reports Clearance Office at 410-786-
1326.
    If you comment on these information collection and recordkeeping 
requirements, please do either of the following:
    1. Submit your comments electronically as specified in the 
ADDRESSES section of this proposed rule; or
    2. Submit your comments to the Office of Information and Regulatory 
Affairs, Office of Management and Budget, Attention: CMS Desk Officer, 
[CMS-5059-P], Fax: (202) 395 6974; or E-mail: [email protected].

IV. Regulatory Impact Analysis

A. Overall Impact

    We have examined the impacts of this rule as required by Executive 
Order 12866 on Regulatory Planning and Review (September 30, 1993), the 
Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), 
section 1102(b) of the Social Security Act, section 202 of the Unfunded 
Mandates Reform Act of 1995 (Pub. L. 104-4), Executive Order 13132 on 
Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C. 
804(2)).
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). A regulatory impact 
analysis (RIA) must be prepared for major rules with economically 
significant effects ($100 million or more in any 1 year). For the 
reasons discussed below, we estimate that the total impact of this 
proposed rule would be less than $90 million and therefore, it would 
not reach the threshold for economically significant effects and is not 
considered a major rule.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses, if a rule has a significant impact on a 
substantial number of small entities. For purposes of the RFA, we 
estimate that most hospitals and most other providers are small 
entities as that term is used in the RFA (including small businesses, 
nonprofit organizations, and small governmental jurisdictions). 
However, since the total estimated impact of this rule is less than 
$100 million, and the total estimated impact would be spread over both 
qualified entities and providers of services and suppliers, no one 
entity would face significant impact. Thus, we are not preparing an 
analysis of options for regulatory relief of small businesses because 
we have determined that this rule would not have a significant economic 
impact on a substantial number of small entities.
    We estimate that two types of entities may be affected by the 
program established by section 1874(e) of the Act: Organizations that 
desire to operate as qualified entities and the providers of services 
and suppliers who receive performance reports from qualified entities.
    We anticipate that most providers of services and suppliers 
receiving qualified entities' performance reports would be hospitals 
and physicians. Many hospitals and most other health care providers and 
suppliers are small entities, either by being nonprofit organizations 
or by meeting the Small Business Administration definition of a small 
business (having revenues of less than $34.5 million in any 1 year) 
(for details see the Small Business Administration's Web site at http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf (refer to the 620000 series). For purposes of the RFA, 
physicians are considered small businesses if they generate revenues of 
$10 million or less based on Small Business Administration size 
standards. Approximately 95 percent of physicians are considered to be 
small entities.
    The analysis and discussion provided in this section and elsewhere 
in this proposed rule complies with the RFA requirements. Because we 
acknowledge that many of the affected entities are small entities, the 
analysis discussed throughout the preamble of this proposed rule 
constitutes our regulatory flexibility analysis for the remaining 
provisions and addresses comments received on these issues.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis, if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. Any 
such regulatory impact analysis must conform to the provisions of 
section 603 of the RFA. For purposes of section 1102(b) of the Act, we 
define a small rural hospital as a hospital that is located outside of 
a metropolitan statistical area and has fewer than 100 beds. We do not 
believe this proposed rule has impact on significant operations of a 
substantial number of small rural hospitals because we anticipate that 
most qualified entities would focus their performance evaluation 
efforts on metropolitan areas where the majority of health services are 
provided. As a result, this rule would not have a significant impact on 
small rural hospitals. Therefore, the Secretary has determined that 
this proposed rule would not have a significant impact on the 
operations of a substantial number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any 1 year of $100 
million in 1995 dollars, updated annually for inflation. In 2011, that 
threshold is approximately $136 million. This proposed rule would not 
mandate any requirements for State,

[[Page 33582]]

local, or tribal governments in the aggregate, or by the private 
sector, of $136 million. Specifically, as explained below we anticipate 
the total impact of this rule on all parties to be approximately $87 
million.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on State 
and local governments, preempts State law, or otherwise has Federalism 
implications. We have examined this proposed rule in accordance with 
Executive Order 13132 and have determined that this regulation would 
not have any substantial direct effect on State or local governments, 
preempt States, or otherwise have a Federalism implication.

B. Anticipated Effects

1. Impact on Qualified Entities
    Because section 1874(e) of the Act establishes a new program, there 
is little quantitative information available to inform our estimates. 
However, we believe that many or most qualified entities are likely to 
resemble community quality collaborative programs such as participants 
in the CMS Better Quality Information for Medicare Beneficiaries pilot 
(https://www.cms.gov/BQI/) and the AHRQ Chartered Value Exchange (CVE) 
program (http://www.ahrq.gov/qual/value/lncveover.htm). Community 
quality collaboratives are community-based organizations of multiple 
stakeholders that work together to transform health care at the local 
level by promoting quality and efficiency of care, and by measuring and 
publishing quality information. Consequently, we have examined 
available information related to those programs to inform our 
assumptions, although there is only limited available data that is 
directly applicable to this analysis.
    We estimate that 35 organizations would submit applications to 
participate as qualified entities. We anticipate that the majority of 
applicants would be nonprofit organizations such as existing community 
collaboratives. In estimating qualified entity impacts, we used hourly 
labor costs in several labor categories reported by the Bureau of Labor 
Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce. We 
used the annual rates for 2009 and added 33 percent for overhead and 
fringe benefit costs. These rates are displayed in Table 2.

                           Table 2--Labor Rates for Qualified Entity Impact Estimates
----------------------------------------------------------------------------------------------------------------
                                                            2009 hourly wage    OH and fringe     Total hourly
                                                               rate  (BLS)          (33%)             costs
----------------------------------------------------------------------------------------------------------------
Professional and technical services.......................            $34.08            $11.25            $45.33
Legal review..............................................             35.35             11.67             47.02
Custom computer programming...............................             40.37             13.32             53.69
Data processing and hosting...............................             29.36              9.69             39.05
Other information services................................             30.62             10.10             40.72
----------------------------------------------------------------------------------------------------------------

    We estimate that preparation of an application would require a 
total of 500 hours of effort, requiring a combination of staff in the 
professional and technical services and the legal labor categories. We 
seek comment on our estimate that 35 organizations would apply to 
become qualified entities and encourage any interested organizations to 
signal their intent to apply as qualified entities in their comments on 
this rule.
    We estimate that 25 of these applicants would be approved as 
participating qualified entities, and that each qualified entity would 
request Medicare claims data accompanied by payment for these data. 
Because of the eligibility criteria we are proposing for qualified 
entities, we believe that it is likely that all of these organizations 
would already be performing work related to calculation of quality 
measures and production of performance reports for health care 
providers, so the impact of the program established by section 1874(e) 
of the Act would be an opportunity to add Medicare claims data to their 
existing function.
    The statute directs that the fees for these data be equal to the 
government's cost to make the data available. We are proposing to 
initially provide three years of data to qualified entities with yearly 
updates thereafter. Based on CMS past experience providing Medicare 
data to research entities, we estimate that the total approximate costs 
to provide three years of data for 2.5 million beneficiaries to a 
qualified entity would be $200,000. As shown in Table 3, this would 
include approximately $75,000 in costs to produce the claims data, as 
well as approximately $125,000 in additional costs associated with 
technical assistance, processing applications and requests for data, 
and monitoring.
    We estimate that, on average, each qualified entity's activity to 
analyze the Medicare claims data, calculate performance measures and 
produce provider performance reports would require 5,500 hours of 
effort. While qualified entities would not be able to calculate or 
produce alternative measures in the first year of serving as a 
qualified entity, they may submit measures for approval in the first 
year of the program, so we have also included estimates here of the 
level of effort required to develop and submit alternative measures. We 
estimate that half of the qualified entities (13) would propose 
alternative performance measures, which would involve an additional 
2,100 hours of effort for each entity.
    We further estimate that, on average, each qualified entity would 
expend 5,000 hours of effort processing providers' and suppliers' 
appeals of their performance reports and producing revised reports, and 
2,000 hours making information about the performance measures publicly 
available. These estimates assume that, as discussed below in the 
section on provider and supplier impacts, on average 25 percent of 
providers or services and suppliers would appeal their results from a 
qualified entity. These assumptions are based on a belief that in the 
first year of the program many providers would want to appeal their 
results prior to performance reports being made available to the 
public. Responding to these appeals in an appropriate manner would 
require a significant investment of time on the part of qualified 
entities. This equates to an average of four hours per appeal for each 
qualified entity. We assume that the complexity of appeals would vary 
greatly, and as such, the time required to address them would also vary 
greatly. Many appeals may be able to be dealt with in an hour or less 
while some appeals may require multiple meetings

[[Page 33583]]

between the qualified entity and the affected provider of services or 
supplier. On average however, we believe that this is a realistic and 
reasonable estimate of the burden of the appeals process on qualified 
entities. We discuss the burden of the appeals process on providers of 
services and suppliers below.
    We anticipate that qualified entities would expend 2,000 hours of 
effort developing their proposed performance report. These estimated 
hours are separated into labor categories in Table 3 below, with the 
pertinent hourly labor rates and cost totals.
    Finally, we estimate that each qualified entity would spend 255 
hours of effort submitting information to CMS for monitoring purposes. 
This would include audits and site visits as discussed above. It would 
also include an annual report that contains measures of general program 
adherence, measures of the provider of services and suppliers data 
sharing, error correction, and appeals process, and measures of the 
success of the program with consumers. Finally, qualified entities 
would be required to notify CMS of inappropriate disclosures or use of 
beneficiary identifiable data pursuant to the requirements in the DUA. 
We believe that many of the required data elements in both the annual 
report and the report generated in response to an inappropriate 
disclosure or use of beneficiary identifiable data would be generated 
as a matter of course by the qualified entities and therefore, would 
not require significant additional effort. Based on the assumptions we 
have described, we estimate the total impact on qualified entities for 
the first year of the program to be a cost of $49,003,203.

                                         Table 3--Impact on Qualified Entities for the First Year of the Program
                                                             [Impact on Qualified Entities]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                     Hours
                                          -----------------------------------------------------------
                 Activity                                                              Data process-     Labor       Cost per    Number of    Total cost
                                            Professional     Legal       Computer        sing and     hourly cost   applicant    applicants     impact
                                            and technical               programming       hosting
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                    APPLICATION COSTS
--------------------------------------------------------------------------------------------------------------------------------------------------------
Preparation of application by candidate    ..............  .........  ..............  ..............  ...........  ...........  ...........  ...........
 QEs.....................................
a. Prepare draft application.............             360  .........  ..............  ..............       $45.33      $16,319  ...........  ...........
b. Legal review..........................  ..............         40  ..............  ..............       $47.02       $1,881  ...........  ...........
c. Revisions to draft application........              60  .........  ..............  ..............       $45.33       $2,720  ...........  ...........
d. Senior management review and signature              40  .........  ..............  ..............       $45.33       $1,813  ...........  ...........
Total: application preparation...........             460         40  ..............  ..............  ...........      $22,733           35     $795,641
Medicare data purchase costs by approved   ..............  .........  ..............  ..............           NA      $75,000           25   $1,875,000
 QEs.....................................
Additional Medicare data application       ..............  .........  ..............  ..............           NA     $125,000           25   $3,125,000
 costs...................................
Total: Applications......................  ..............  .........  ..............  ..............  ...........  ...........  ...........   $5,795,641
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   QE OPERATIONS COSTS
--------------------------------------------------------------------------------------------------------------------------------------------------------
Database administration..................  ..............  .........  ..............             500       $39.05  ...........           25     $488,125
Data analysis/measure calculation/report   ..............  .........            2500  ..............       $53.69     $134,225           25   $3,355,625
 preparation.............................
                                           ..............  .........  ..............            2500       $39.05      $97,625           25   $2,440,625
Development and submission of alternative            1000  .........  ..............  ..............       $45.33      $45,330           13     $589,290
 measures................................
                                           ..............  .........             100  ..............       $53.69       $5,369           13      $69,797
                                           ..............  .........  ..............            1000       $39.05      $39,050           13     $507,650
QE processing of provider appeals and                4000  .........  ..............  ..............       $45.33     $181,320           25   $4,533,000
 report revision.........................
                                           ..............       1000  ..............  ..............       $47.02      $47,020           25   $1,175,500
Development of proposed performance                  1000  .........  ..............  ..............       $45.53      $45,530           25   $1,138,250
 report formats..........................
                                           ..............  .........            1000  ..............       $53.69      $53,690           25   $1,342,250
Publication of performance reports.......  ..............  .........            1000  ..............       $53.69      $53,690           25   $1,342,250
                                           ..............  .........  ..............            1000       $39.05      $39,050           25     $976,250
Monitoring...............................  ..............  .........  ..............             255       $39.05       $9,958           25     $248,950

[[Page 33584]]

 
Computer hardware and processing.........  ..............  .........  ..............  ..............  ...........   $1,000,000           25   $25,000,00
                                                                                                                                                       0
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total: Operations........................  ..............  .........  ..............  ..............  ...........  ...........  ...........  $43,207,562
                                          --------------------------------------------------------------------------------------------------------------
    Total QE Impacts (application plus     ..............  .........  ..............  ..............  ...........  ...........  ...........  $49,003,203
     operations).........................
--------------------------------------------------------------------------------------------------------------------------------------------------------

2. Impact on Health Care Providers of Services and Suppliers
    Table 4 reflects the hourly labor rates used in our estimate of the 
impacts of the first year of section 1874(e) of the Act on health care 
providers of services and suppliers. We note that numerous health care 
payers, community quality collaboratives, States, and other 
organizations are producing performance measures for health care 
providers of services and suppliers using data from other sources, and 
that providers of services and suppliers are already receiving 
performance reports from these sources. We anticipate that the Medicare 
claims data would merely be added to those existing efforts to improve 
the statistical validity of the measure findings, and therefore the 
impact of including Medicare claims data in these existing performance 
reporting processes is likely to be marginal. However, we invite 
comments on the impact of this new voluntary program.

                         Table 4--Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------------------------------
                                                                                Overhead and
                                                            2009 hourly wage   fringe benefits    Total hourly
                                                               rate (BLS)           (33%)             costs
----------------------------------------------------------------------------------------------------------------
Physicians' offices.......................................            $30.90            $10.20            $41.10
Hospitals.................................................             26.44              8.73             35.17
----------------------------------------------------------------------------------------------------------------

    We anticipate that the impacts on providers of services and 
suppliers consist of costs to review the performance reports generated 
by qualified entities and, if they choose, appeal their performance 
calculations. Based on a review of available information from the 
Better Quality Information and the Charter Value Exchange programs, we 
estimate that, on average, each qualified entity would distribute 
performance reports to 5,000 health providers of services and 
suppliers. We anticipate that the largest proportion of providers of 
services and suppliers would be physicians because they comprise the 
largest group of providers of services and suppliers, and are a primary 
focus of many recent performance evaluation efforts. Based on our 
review of information from these existing programs, we assume that 95 
percent of the recipients of performance reports (that is, an average 
of 4,750 per qualified entity) would be physicians, and 5 percent (that 
is, an average of 250 per qualified entity) would be hospitals and 
other suppliers. Providers of services and suppliers receive these 
reports with no obligation to review them, but we assume that most 
would do so to verify that their calculated performance measures 
reflect their actual patients and health events. We estimate that, on 
average, each provider of services or supplier would devote five hours 
to reviewing these reports. We also estimate that 25 percent of the 
providers of services and suppliers would decide to appeal their 
performance calculations, and that preparing the appeal would involve 
an average of ten hours of effort on the part of a provider of services 
or supplier. As with our assumptions regarding the level of effort 
required by qualified entities in operating the appeals process, we 
believe that this average covers a range of provider efforts from 
providers who would need just one or two hours to clarify any questions 
or concerns regarding their performance reports to providers who would 
devote significant time and resources to the appeals process.
    Using the hourly costs displayed in Table 4, the impacts on 
providers of services and suppliers are calculated below in Table 5. 
Based on the assumptions we have described, we estimate the total 
impact on providers for the first year of the program to be a cost of 
$38,262,815.
    As stated above in Table 3, we estimate the total impact on 
qualified entities to be a cost of $49,003,203. Therefore, the total 
impact on qualified entities and on providers of services and suppliers 
for the first year of the program is estimated to be $87,266,018.

[[Page 33585]]



                                Table 5--Impact on Providers of Services and Suppliers for the First Year of the Program
                                                     [Impact on Providers of Services and Suppliers]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   Hours per provider
                                                                ------------------------    Labor       Cost per    Number of    Number of    Total cost
                            Activity                              Physician              hourly cost   applicant    providers       QEs         impact
                                                                   offices    Hospitals                               per QE
--------------------------------------------------------------------------------------------------------------------------------------------------------
Provider review of performance reports.........................           5  ..........       $41.10         $206        4,750           25  $24,403,125
                                                                 ..........           5        35.17          176          250           25    1,099,063
Preparing and submitting appeal request to QEs.................          10  ..........        41.10          411         1188           25   12,206,700
                                                                 ..........          10        35.17          352           63           25      533,928
                                                                ----------------------------------------------------------------------------------------
    Total Provider Impacts.....................................  ..........  ..........  ...........  ...........  ...........  ...........   38,262,815
--------------------------------------------------------------------------------------------------------------------------------------------------------

C. Alternatives Considered

    The statutory provisions that were added by section 10332 of the 
Affordable Care Act are detailed and prescriptive about the eligibility 
for, and requirements of the Qualified Entity Program. Consequently, we 
believe there are limited approaches that would ensure program success 
and statutory compliance. We considered proposing a less comprehensive 
set of eligibility criteria for qualified entities (for example, 
eliminating requirements that applicants demonstrate capabilities 
related to calculation of measures, developing performance reports, 
combining Medicare claims data with other claims, and data privacy and 
security protection). While such an approach might have reduced certain 
application and operating costs for these entities, we did not adopt 
such an approach for several reasons. An important consideration is the 
protection of beneficiary identifiable data. We believe if we do not 
require qualified entities to provide sufficient evidence of data 
privacy and security protection capabilities, there would be increased 
risks related to the protection of beneficiary identifiable data.
    Additionally, we believe that requiring less stringent requirements 
regarding the production and reporting of measures would lead to 
increases in the number of provider appeals, and consequently in 
appeals-related costs of both providers and qualified entities. We 
expect that such a scenario would not support the development of a 
cooperative relationship between qualified entities and providers of 
services and suppliers. We request public comments on other approaches 
that could be considered.

D. Conclusion

    As explained above, we estimate the total impact for the first year 
of the program on qualified entities and providers to be a cost of 
$87,266,018. Based on these estimates, we conclude this proposed rule 
does not reach the threshold for economically significant effects and 
thus is not considered a major rule.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

List of Subjects in 42 CFR Part 401

    Claims, Freedom of information, Health facilities, Medicare, 
Privacy.

    For the reasons set forth in the Preamble, the Centers for Medicare 
and Medicaid Services proposes to amend 42 CFR Chapter IV as set forth 
below:

PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS

    1. The authority citation for part 401 is revised to read as 
follows:

    Authority:  Secs. 1102, 1871, and 1874(e) of the Social Security 
Act (42 U.S.C. 1302, 1395hh, and 1395w-5).

    2. A new subpart G is added to part 401 to read as follows:
Subpart G--Availability of Medicare Data for Performance Measurement
Sec.
401.701 Purpose and scope.
401.702 Definitions.
401.703 Eligibility criteria for qualified entities.
401.704 Operating and governance requirements for qualified 
entities.
401.705 The application process and requirements.
401.706 Updates to plans submitted as part of the application 
process.
401.707 Ensuring the privacy and security of data.
401.708 Selection and use of performance measures.
401.709 Provider of services and supplier requests for error 
correction.
401.710 Monitoring and sanctioning of qualified entities.
401.711 Termination of qualified entities.

Subpart G--Availability of Medicare Data for Performance 
Measurement


Sec.  401.701  Purpose and scope.

    The regulations in this subpart implement section 1874(e) of the 
Social Security Act as it applies to the Centers for Medicare & 
Medicaid Services (CMS). The rules apply to Medicare data made 
available to qualified entities for the evaluation of the performance 
of providers of services and suppliers.


Sec.  401.702  Definitions.

    (a) Qualified entity. A qualified entity is defined as a public or 
private entity that:
    (1) Is qualified, as determined by the Secretary, to use claims 
data to evaluate the performance of providers of services and suppliers 
on measures of quality, efficiency, effectiveness, and resource use, 
and
    (2) Agrees to meet the requirements described in Section 1874(e) of 
the Social Security Act and meets the requirements at Sec. Sec.  
401.703 through 401.710.
    (b) Provider of services. A provider of services under this subpart 
is defined in the same manner as the identical term at section 1861(u) 
of the Social Security Act.
    (c) Supplier. A supplier under this subpart is defined in the same 
manner as the identical term at section 1861(d) of the Social Security 
Act.
    (d) Claims. Claims are itemized billing statements from providers 
of services and suppliers that, except in the context of Part D drug 
event date, request reimbursement for a list of services and supplies 
that were provided to a Medicare beneficiary in the Medicare fee-for-
service context, or to a participant in other insurance or entitlement 
program contexts. In the Medicare program, claims files are available 
for each institutional (inpatient, outpatient, skilled nursing 
facility, hospice, or home health agency) and non-institutional 
(physician and durable medical equipment providers

[[Page 33586]]

and suppliers) claim type as well as Medicare Part D (Prescription 
Drug) Event data.
    (e) Standardized data extract. For purposes of this subpart, the 
standardized data extract is the subset of Medicare claims data that 
the Secretary would make available to qualified entities under this 
subpart.
    (f) Beneficiary identifiable data. For the purposes of this 
subpart, beneficiary identifiable data is any data that contains the 
beneficiary name or beneficiary name and any other direct identifying 
factors, including, but not limited to, race, sex, age, or address.
    (g) Encrypted data. For the purposes of this subpart, encrypted 
data is any data that does not contain the beneficiary name or any 
other direct identifying factors, but does include a unique beneficiary 
identifier that allows for the linking of claims without divulging the 
direct identifier of the beneficiary.


Sec.  401.703  Eligibility criteria for qualified entities.

    (a) Eligibility criteria: To be eligible to apply to receive data 
as a qualified entity under this section, an applicant generally must 
demonstrate expertise and sustained experience, defined as three or 
more years, to the Secretary's satisfaction in the following three 
areas:
    (1) Organizational and governance criteria, including:
    (i) Accurately calculating quality, efficiency, effectiveness, and 
resource use measures from claims data, including:
    (A) Indentifying an appropriate method to attribute a particular 
patient's services to specific providers of services and suppliers.
    (B) Ensuring the use of approaches to ensure statistical validity 
such as a minimum number of observations or minimum denominator for 
each measure.
    (C) Using methods for risk-adjustment to account for variation in 
both case-mix and severity among providers of services and suppliers.
    (D) Identifying methods for handling outliers.
    (E) Correcting measurement errors and assessing measure 
reliability.
    (F) Identifying appropriate peer groups of providers and suppliers 
for meaningful comparisons.
    (ii) A business model that would cover the costs of performing the 
required functions, including the fee for the data.
    (iii) Successfully combining claims data from different payers to 
calculate performance reports.
    (iv) Designing, and continuously improving the format of 
performance reports on providers of services and suppliers.
    (v) Preparing an understandable description of the measures used to 
evaluate the performance of providers of services and suppliers so that 
consumers, providers of services and suppliers, health plans, 
researchers, and other stakeholders can assess performance reports.
    (vi) Implementing and maintaining a process for providers of 
services and suppliers identified in a report to review the report 
prior to publication and providing a timely response to provider of 
services and supplier inquiries regarding requests for data, error 
correction, and appeals.
    (vii) Establishing, maintaining, and monitoring a rigorous data 
privacy and security program, including disclosing to CMS any 
inappropriate disclosures of beneficiary identifiable information or 
HIPAA violations for the preceding 10-year period, and any corrective 
actions taken to address such issues.
    (viii) Accurately preparing performance reports on providers of 
services and suppliers and making performance report information 
available to the public in aggregate form, that is, at the provider of 
services or supplier level.
    (2) Ability to combine Medicare claims data with claims data from 
other sources, including demonstrating to the Secretary's satisfaction 
that the claims data from other sources that it intends to combine with 
the Medicare data received under this subpart address many of the 
methodological concerns expressed by multiple stakeholders regarding 
the calculation of performance measures from a single payer source.
    (3) Documentation of rigorous data privacy and security policies 
including enforcement mechanisms.
    (b) [Reserved]


Sec.  401.704  Operating and governance requirements for qualified 
entities.

    (a) Submit to CMS a list of all measures it intends to calculate 
and report, the geographic areas it intends to serve, and the methods 
of creating and disseminating reports. This list must include the 
following information:
    (1) Name of the measure, and whether it is a standard or 
alternative measure,
    (2) Name of the measure developer/owner,
    (3) Measure specifications, including numerator and denominator,
    (4) The rationale for selecting each measure, including the 
relationship to existing measurement efforts and the relevancy to the 
population in the geographic area(s) the entity would serve, including:
    (i) A specific description of the geographic area or areas it 
intends to serve, and
    (ii) A specific description of how each measure evaluates providers 
of services and suppliers on quality, efficiency, effectiveness, and/or 
resource use.
    (5) A description of the methodologies it intends to use in 
creating reports with respect to all of the following topics:
    (i) Attribution of beneficiaries to providers and/or suppliers,
    (ii) Benchmarking performance data, including:
    (A) Methods for creating peer groups,
    (B) Justification of any minimum sample size determinations made, 
and
    (C) Methods for handling statistical outliers.
    (iii) Risk adjustment.
    (b) Submit to CMS a description of the process it would establish 
to allow providers of services and suppliers to view reports 
confidentially, request data, and ask for the correction of errors 
before the reports are made public.
    (c) Submit to CMS a prototype report and a description of their 
plans for making the reports available to the public.


Sec.  401.705  The application process and requirements.

    (a) Application deadline. Qualified entity applications must be 
submitted by March 31, 2012 and by the close of the first quarter of 
the calendar year each year thereafter.
    (b) Selection criteria. To be approved as a qualified entity under 
this subpart, the applicant must meet the eligibility and operational 
and governance requirements, and fulfill all of the application 
requirements to CMS' satisfaction, agree to pay a fee equal to the cost 
of CMS making the data available, and execute a Data Use Agreement with 
CMS, that among other things, reaffirms the statutory ban on the use of 
Medicare data provided to the qualified entity by CMS under this 
subpart for purposes other than those referenced in this subpart.
    (c) Duration of approval. The entity would be permitted to 
participate as a qualified entity for a period of three years from the 
date of notification of application approval by CMS. The qualified 
entity must abide by all CMS regulations and instructions for this 
program. If the qualified entity wishes to continue performing the 
tasks under this subpart after the three-year approval period, the 
entity may re-apply for qualified entity status following the 
procedures set forth below.
    (d) Reporting period. Unless otherwise specified, the qualified 
entities must produce reports on the

[[Page 33587]]

performance of providers of services and suppliers annually beginning 
in the calendar year after they are approved by CMS.
    (e) The distribution of data. Once a qualified entity is approved 
by CMS under this subpart, it would be required to pay a fee equal to 
the cost of CMS making this data available. After the qualified entity 
pays the fee, CMS would release claims data to the qualified entity.
    (1) CMS would release standardized extracts of encrypted data from 
Medicare parts A and B claims data, and D drug event data for the most 
recent three years of data available at that time. The data would be 
limited to the geographic spread of the qualified entity's other claims 
data as determined by CMS.
    (2) After the first year of participation, CMS would provide 
qualified entities with the most recent additional year of data on a 
yearly basis. Qualified entities would be required to pay a fee equal 
to the cost of CMS making this data available before CMS would release 
the most recent year of additional data to the qualified entity.
    (f) Re-application. Qualified entities in good standing may re-
apply for qualified entity status. A qualified entity would be 
considered in good standing if it has had no violations of the 
requirements of the program or if the qualified entity is addressing 
any past deficiencies either on its own or through the implementation 
of a corrective action plan. To reapply a qualified entity would need 
to submit to CMS documentation of any changes to what was included in 
their original application. Reapplicants would need to submit this 
documentation at least 6 months before the end of their three year 
approval period and would be able to continue to serve as qualified 
entities until the re-application is either approved or denied by CMS. 
If the re-application is denied, CMS would terminate its relationship 
with the qualified entity.


Sec.  401.706  Updates to plans submitted as part of the application 
process.

    (a) If a qualified entity wishes to make changes to:
    (1) Its list of proposed measures, the qualified entity must send 
all the information referenced in Sec.  401.704(a) for the new measure 
to CMS at least 90 days prior to its intended confidential release to 
providers of services and suppliers.
    (2) Its proposed prototype report, the qualified entity must send 
the new prototype report to CMS at least 90 days prior to its intended 
confidential release to providers of services and suppliers.
    (3) Its plans for sharing the reports with the public, the 
qualified entity must send the new plans to CMS at least 90 days prior 
to its intended confidential release to providers of services and 
suppliers.
    (b) The qualified entity would be notified when its proposed 
changes are approved or denied for use. Under no circumstances may a 
qualified entity issue a report, use a measure, or share a report 
without first obtaining CMS approval.
    (c) If the amount of claims data from other sources available to a 
qualified entity decreases, the qualified entity must immediately 
inform CMS and submit documentation that the remaining claims data from 
other sources is sufficient to address the methodological concerns 
regarding sample size and reliability. Under no circumstances may a 
qualified entity issue a report, use a measure, or share a report after 
this point.
    (1) If CMS determines that the remaining claims data is not 
sufficient, the qualified entity would have 60 days to acquire new data 
and submit new documentation to CMS. If after 60 days, the qualified 
entity does not have access to new data or if CMS decides the qualified 
entity still does not possess the need amount of additional claims 
data, CMS shall terminate its relationship with the qualified entity.
    (2) If CMS determines that the remaining claims data is sufficient, 
the qualified entity may resume issuing reports, using measures, and 
sharing reports.


Sec.  401.707  Ensuring the privacy and security of data.

    (a) Qualified entities must comply with the data requirements in 
the data use agreement (DUA) with CMS. The DUA would require the 
qualified entity to maintain privacy and security protocols throughout 
the duration of their agreement with CMS and would ban the use of data 
for purposes other than those referenced in this subpart. The DUA would 
also prohibit the use of unsecured telecommunications to transmit CMS 
data and would require disclosure of the circumstances under which CMS 
data would be stored and transmitted.
    (b) Qualified entities must inform each beneficiary whose 
beneficiary identifiable data has been or is reasonably believed to 
have been inappropriately accessed, acquired, or disclosed pursuant to 
the DUA.


Sec.  401.708  Selection and use of performance measures.

    (a) Standard measure. A standard measure is defined as a measure 
that can be calculated from the standardized extracts of Medicare Parts 
A and B claims, and Part D drug event data that:
    (1) Meets one of the following criteria:
    (i) Endorsed by the entity with a contract under section 1890(a) of 
the Social Security Act;
    (ii) Time-limited endorsed by the entity with a contract under 
Section 1890(a) of the Social Security Act until such time as the full 
endorsement status is determined;
    (iii) Developed pursuant to section 931 of the Public Health 
Service Act; or
    (iv) Can be calculated from standardized extracts of Medicare parts 
A or B claims or part D drug event data, was adopted through notice and 
comment rulemaking and is currently being used in CMS programs that 
include quality measurement.
    (2) Is used in a manner that follows the measure specifications as 
written (or as adopted through notice and comment rulemaking), 
including all numerator and denominator inclusions and exclusions, 
measured time periods, and specified data sources.
    (b) Alternative measure. (1) An alternative measure is defined as a 
measure that is not a standard measure, but that can be calculated from 
the standardized extracts of Medicare Parts A and B claims, and Part D 
drug event data that:
    (i) Has been found by the Secretary through a notice and comment 
rulemaking process, to be more valid, reliable, responsive to consumer 
preferences, cost-effective, or relevant to dimensions of quality and 
resource use not addressed by standard measures, and,
    (ii) Is used by a qualified entity in a manner that follows the 
measure specifications as written (or as adopted through notice and 
comment rulemaking), including all numerator and denominator inclusions 
and exclusions, measured time periods, and specified data sources.
    (2) An alternative measure may be used up until the point that a 
standard measure for the particular clinical area or condition becomes 
available at which point the qualified entity must switch to the 
standard measure within 6 months or submit additional scientific 
justification and receive approval from the Secretary to continue using 
the alternative measure.
    (3) To submit an alternative measure for consideration for use in 
the following calendar year an entity must submit the following by May 
31st:

[[Page 33588]]

    (i) The name of the alternative measure.
    (ii) The name of the alternative measure's developer or owner.
    (iii) Detailed specifications for the alternative measure.
    (iv) Information demonstrating how the alternative measure is more 
cost-effective, relevant to consumer preferences, cost-effective, or 
relevant to dimensions of quality and resource use not addressed by 
standard measures.


Sec.  401.709  Provider of services and supplier requests for error 
correction.

    (a) Qualified entities must confidentially share measures, 
measurement methodologies, and measure results with providers of 
services and suppliers at least 30 business days prior to making 
reports public. The 30 days begins on the date on which qualified 
entities send the confidential reports to providers of services and 
suppliers.
    (b) Qualified entities must allow providers of services and 
suppliers at least 10 business days after receipt of a report to make a 
request for the data.
    (c) Qualified entities must allow providers of services and 
suppliers at least 10 business days after receipt of the data to make a 
request for error correction.
    (d) If a qualified entity receives a request for beneficiary names 
from a provider of services or supplier, the qualified entity must 
forward that request to CMS including a copy of the signed request from 
the provider of services or supplier as an attachment.
    (1) After the qualified entity receives the beneficiary names from 
CMS and sends the information to the requesting provider of services or 
supplier, the qualified entity must immediately destroy that data and 
is not permitted to retain or use the beneficiary names in any way.
    (2) If a qualified entity does not immediately destroy all 
identifiable data after sharing the information with the requesting 
provider of services or supplier, it will be subject to the penalties 
referenced in Sec.  401.710(d).
    (e) Qualified entities must inform providers of services and 
suppliers that reports would be made public, including information 
related to the status of any data or error correction requests, after a 
specified date (at least 30 business days after the report was 
originally shared with providers of services and suppliers), regardless 
of the status of any requests for error correction.
    (f) If a provider of services or supplier still has a data or error 
correction request outstanding at the time of making the reports 
public, the qualified entity must, if feasible, post publicly the name 
of the appealing provider and the category of the appeal request.


Sec.  401.710  Monitoring and sanctioning of qualified entities.

    (a) CMS would monitor and assess the performance of qualified 
entities using the following methods:
    (1) Audits
    (2) Submission of documentation of data sources and quantities of 
data upon the request of CMS and/or site visits
    (3) Analysis of specific data reported to CMS by qualified entities 
through annual reports, as described in paragraph (b) of this section, 
and reports on inappropriate disclosures or uses of beneficiary 
identifiable data, as described in paragraph (c) of this section.
    (4) Analysis of beneficiary and/or provider complaints
    (b) Qualified entities must provide annual reports to CMS 
containing information related to:
    (1) General program adherence, including:
    (i) The number of Medicare and private claims combined.
    (ii) The percent of the overall market share the number of claims 
represents in the qualified entity's area.
    (iii) The number of measures calculated.
    (iv) The number of providers of services and suppliers profiled by 
type of provider and supplier.
    (v) A measure of public use of the reports.
    (2) The provider of services and suppliers data sharing, error 
correction, and appeals process, including:
    (i) The number of providers of services and suppliers requesting 
claims data.
    (ii) The number of requests for claims data fulfilled.
    (iii) The number of error corrections.
    (iv) The type(s) of problem(s) leading to the request for error 
correction.
    (v) The time to acknowledge the request for data or error 
correction.
    (vi) The time to respond to the request for error correction.
    (vii) The number of requests for error correction resolved.
    (c) Qualified entities must inform CMS of inappropriate disclosures 
or uses of beneficiary identifiable data pursuant to the requirements 
in the DUA.
    (d) CMS may take the following actions against qualified entities 
if it is determined that they are violation of any of the requirements 
of the qualified entity program, regardless of how CMS learns of the 
violation:
    (1) Provide a warning notice, which indicates that future 
deficiencies could lead to termination, to the qualified entity of the 
specific concern
    (2) Request a corrective action plan (CAP) from the qualified 
entity
    (3) Place the qualified entity on a special monitoring plan
    (4) Terminate the qualified entity


Sec.  401.711  Termination of qualified entities.

    (a) Grounds for terminating a qualified entity agreement. CMS may 
terminate an agreement with a qualified entity if the qualified entity:
    (1) Engages in one or more serious violations of the requirements 
of the qualified entity program.
    (2) Fails to completely and accurately report information to CMS or 
fails to make timely corrections to reported performance information 
per providers of services and supplier requests for such correction.
    (3) Fails to submit an approvable corrective action plan (CAP), 
fails to implement an approved CAP, or fails to demonstrate improved 
performance after the implementation of a CAP.
    (4) Improperly uses or discloses claims information received from 
CMS in violation of the requirements of the regulations in this 
subpart.
    (5) Based on their reapplication, no longer meets the requirements 
in this subpart.
    (b) Return of CMS data upon voluntary or involuntary termination 
from the qualified entity program:
    (1) If a qualified entity's agreement with CMS is terminated by 
CMS, it must immediately upon receipt of notification of such 
termination commence returning or destroying any and all CMS data (and 
any derivative files). In no instance should this process exceed 30 
days.
    (2) If a qualified entity voluntarily terminates participation in 
the program, it must return to CMS, or destroy, any and all CMS data in 
its possession within 30 days notifying CMS of its intent to end 
participation.

(Catalog of Federal Domestic Assistance Program No. 93.773, 
Medicare--Hospital Insurance; and Program No. 93.774, Medicare--
Supplementary Medical Insurance Program)


    Dated: May 4, 2011.
Donald M. Berwick,
Administrator, Centers for Medicare & Medicaid Services.
    Approved: June 1, 2011.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.
[FR Doc. 2011-14003 Filed 6-3-11; 11:15 am]
BILLING CODE 4120-01-P