[Federal Register Volume 76, Number 203 (Thursday, October 20, 2011)]
[Notices]
[Pages 65196-65197]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-27149]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of a New Routine Use for Selected CMS 
System of Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice of a new routine use for selected CMS system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, CMS is adding a new routine use to disclose information to 
Qualified Entities (QEs) for selected Centers for Medicare & Medicaid 
Services (CMS) systems of records. Section 10332 of the Patient 
Protection and Affordable Care Act (ACA) adds a new subsection to 
Section 1874 of the Social Security Act, requiring that the Secretary 
establish a process to allow for the use of standardized extracts of 
Medicare Parts A, B, and D claims data by QEs to evaluate and report on 
the performance of providers of services and suppliers on measures of 
quality, efficiency, effectiveness, and resource use.

New Routine Use for Qualified Entities

    1. To assist a public or private entity that is qualified (as 
determined by the Secretary of the Department of Health and Human 
Services (the Secretary)) to use Medicare claims data to evaluate the 
performance of providers of services and suppliers on measures of 
quality, efficiency, effectiveness, and resource use; and who agrees to 
meet the requirements regarding the transparency of their methods and 
their use and protection of Medicare data as the Secretary may specify, 
if CMS:
    a. Determines that the use or disclosure does not violate legal 
limitations under which the record was provided, collected, or 
obtained; and
    b. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by these 
provisions. Every Qualified Entity receiving data must have an 
agreement with CMS in the form of an Information Exchange Agreement or 
contract with all security and privacy requirements included. A Data 
Use Agreement (DUA) (CMS Form 0235) must be completed by the person 
receiving CMS data in accordance with current CMS policies.
    This routine use fulfills the requirement in section 1174(e) of the 
Social Security Act (42 U.S.C. 1395kk (e)) to make standardized 
extracts of claims data under Medicare Parts A, B, and D available to a 
Qualified Entity (QE), recognized by the Secretary to make evaluations 
of provider/supplier performance in accordance with that section, and 
that agrees to meet specific requirements regarding the transparency of 
their methods and their use and protection of Medicare data. The IDR, 
National Claims History (NCH), CCDR, and Part D data will provide QEs, 
a broader, longitudinal, national perspective of the performance of 
Medicare providers/suppliers for use in authorized QE projects that 
could ultimately improve the care provided to Medicare beneficiaries 
and the policy that governs the care.

CMS Systems of Records To Be Modified by This Routine Use

    This new routine use, when published, will be added to the 
compatible systems of records used to disclose Medicare claims 
information and numbered as the next consecutive number in the order of 
published routine uses for the following systems of records notices:
    1. ``National Claims History (NCH),'' System No. 09-70-0558, last 
published at 71 FR 67137 (November 20, 2006). The primary purpose of 
this system is to collect and maintain billing and utilization data on 
Medicare beneficiaries enrolled in hospital insurance (Part A) or 
medical insurance (Part B) of the Medicare program for

[[Page 65197]]

statistical and research purposes related to evaluating and studying 
the operation and effectiveness of the Medicare program.
    2. ``Medicare Drug Data Processing System (DDPS),'' System No. 09-
70-0553, last published at 73 FR 30943 (May 29, 2008). The primary 
purpose of this system is to collect, maintain, and process information 
on all Medicare covered, and as many non-covered drug events as 
possible, for people with Medicare who have enrolled into a Medicare 
Part D plan.
    3. ``Medicare Integrated Data Repository (IDR),'' System No. 09-70-
0571, published at 71 FR 74915 (December 13, 2006). The primary purpose 
of this system is to establish an enterprise resource that provides one 
integrated view of all CMS data to administer the Medicare and Medicaid 
programs.
    4. ``Chronic Condition Data Repository (CCDR),'' System No. 09-70-
0573, published at 71 FR 54495 (September 15, 2006). The purpose of 
this system is to collect and maintain a person-level view of 
identifiable data to establish a data repository to study chronically 
ill Medicare beneficiaries. This system utilizes data extraction tools 
to support accessing data by chronic conditions and processes complex 
customized research data requests related to chronic illnesses.

DATES: The Centers for Medicare & Medicaid Services (CMS) invites 
interested parties to submit written comments on the proposed system 
until November 16, 2011. As required by the Privacy Act (5 U.S.C. 
552a(r)), CMS on October 17, 2011 sent a report of a new system of 
records to the Committee on Homeland Security and Governmental Affairs 
of the Senate, the Committee on Oversight and Government Reform of the 
House of Representatives, and the Office of Information and Regulatory 
Affairs of the Office of Management and Budget (OMB). The proposed 
action described in this notice is effective on November 26, 2011, 
unless CMS receives comments which result in a republication of the 
notice.

ADDRESSES: The public should address comments to: CMS Privacy Officer, 
Division of Information Security & Privacy Management, Enterprise 
Architecture and Strategy Group, Office of Information Services, CMS, 
Room N1-24-08, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. 
Comments received will be available for review at this location, by 
appointment, during regular business hours, Monday through Friday from 
9 a.m.-3 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: Chris Haffer, Ph.D., Program Manager, 
Data Development and Services Group, Center for Strategic Planning, 
Centers for Medicare and Medicaid Services, 7500 Security Boulevard, 
Mail-stop: C3-24-07, Baltimore, MD 21244-1850. Office: 410-786-8764, 
Facsimile: (410) 786-5515, E-mail address: [email protected].

SUPPLEMENTARY INFORMATION: The statute defines QEs as public or private 
entities that are determined by the Secretary to be qualified to use 
Medicare claims data to make such evaluations of provider/supplier 
performance, and that agree to meet specific requirements regarding the 
transparency of their methods and their use and protection of Medicare 
data. The statute requires that Medicare claims extracts be combined 
with other claims data, although the statute is not specific on what, 
or how much, other claims data should be combined with Medicare claims 
data. The statute requires that the only use of such data and the 
derived performance information about providers and suppliers be in 
reports in an aggregate form, released and made available to the 
public, after first making such reports available to any identified 
provider or supplier and affording an opportunity to appeal and correct 
errors. The statute also instructs the Secretary to take such actions 
as she deems necessary to protect the identity of individual 
beneficiaries, and authorizes her to establish additional requirements 
that she may specify for QEs to meet, such as ensuring the security of 
data. The Medicare claims extracts are to be made available to QEs at a 
fee equal to the cost of making such data available (the fees will be 
deposited into the Part B Trust Fund).

    Dated: October 12, 2011.
Michelle Snyder,
Deputy Chief Operating Officer, Centers for Medicare & Medicaid 
Services.
[FR Doc. 2011-27149 Filed 10-19-11; 8:45 am]
BILLING CODE 4120-03-P