[Federal Register Volume 76, Number 235 (Wednesday, December 7, 2011)]
[Rules and Regulations]
[Pages 76542-76571]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-31232]



[[Page 76541]]

Vol. 76

Wednesday,

No. 235

December 7, 2011

Part III





Department of Health and Human Services





-----------------------------------------------------------------------





Centers for Medicare & Medicaid Services





-----------------------------------------------------------------------





42 CFR Part 401





 Medicare Program; Availability of Medicare Data for Performance 
Measurement; Final Rule

  Federal Register / Vol. 76, No. 235 / Wednesday, December 7, 2011 / 
Rules and Regulations  

[[Page 76542]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Part 401

[CMS-5059-F]
RIN 0938-AQ17


Medicare Program; Availability of Medicare Data for Performance 
Measurement

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule implements Section 10332 of the Affordable 
Care Act regarding the release and use of standardized extracts of 
Medicare claims data for qualified entities to measure the performance 
of providers of services (referred to as providers) and suppliers. This 
rule explains how entities can become qualified by CMS to receive 
standardized extracts of claims data under Medicare Parts A, B, and D 
for the purpose of evaluation of the performance of providers and 
suppliers. This rule also lays out the criteria qualified entities must 
follow to protect the privacy of Medicare beneficiaries.

DATES: Effective Date: These regulations are effective January 6, 2012.

FOR FURTHER INFORMATION CONTACT: Colleen Bruce, (410) 786-5529.

SUPPLEMENTARY INFORMATION: 

I. Background

    The Patient Protection and Affordable Care Act (Pub. L. 111-148), 
enacted on March 23, 2010, and the Health Care and Education 
Reconciliation Act of 2010 (Pub. L. 111-152), enacted on March 30, 
2010, are collectively referred to in this final rule as the 
``Affordable Care Act.'' Effective January 1, 2012, section 10332 of 
the Affordable Care Act would amend section 1874 of the Social Security 
Act (the Act) by adding a new subsection (e) requiring standardized 
extracts of Medicare claims data under parts A, B, and D to be made 
available to ``qualified entities'' for the evaluation of the 
performance of providers and suppliers. Qualified entities may use the 
information obtained under section 1874(e) of the Act for the purpose 
of evaluating the performance of providers and suppliers, and to 
generate public reports regarding such performance. Qualified entities 
may receive data for one or more specified geographic areas and must 
pay a fee equal to the cost of making the data available. Congress also 
required that qualified entities combine claims data from sources other 
than Medicare with the Medicare data when evaluating the performance of 
providers and suppliers.
    Section 1874(e) of the Act requires potential qualified entities 
that wish to request data under this provision to submit an application 
to the Secretary that includes, among other things, a description of 
the methodologies that the applicant proposes to use to evaluate the 
performance of providers and suppliers in the geographic area(s) they 
select. Qualified entities generally must use standard measures for 
evaluating the performance of providers and suppliers unless the 
Secretary, in consultation with appropriate stakeholders, determines 
that use of alternative measures would be more valid, reliable, 
responsive to consumer preferences, cost-effective, or relevant to 
dimensions of quality and resource use not addressed by standard 
measures. Reports generated by the qualified entities may only include 
information on individual providers and suppliers in aggregate form, 
that is, at the provider or supplier level, and may not be released to 
the public until the providers and suppliers have had an opportunity to 
review them and, if necessary, ask for corrections. Congress included a 
provision at section 1874(e)(3) of the Act to allow the Secretary to 
take such actions as may be necessary to protect the identity of 
individuals entitled to or enrolled in Medicare.
    We believe the sharing of Medicare data with qualified entities 
through this program and the resulting reports produced by qualified 
entities will be an important driver of improving quality and reducing 
costs in Medicare, as well as for the health care system in general. 
Additionally, we believe this program will increase the transparency of 
provider and supplier performance, while ensuring beneficiary privacy.

II. Provisions of the Proposed Rule and Analysis of and Responses to 
Public Comments

    We received approximately 100 comments from a wide variety of 
individuals and organizations. About half of the comments were from 
providers and suppliers, or organizations representing providers and 
suppliers. The other half of the comments were from organizations 
engaged in performance measurement or data aggregation that may 
potentially be approved to receive Medicare data as qualified entities 
under this program. We also received a number of comments from consumer 
advocacy organizations.

A. Definition, Eligibility Criteria, and Operating Requirements of 
Qualified Entities

    Almost all of the comments were positive and praised CMS' proposals 
regarding how the qualified entity program would operate. Commenters 
also had a range of suggestions for how CMS should administer the 
program, including several comments on performance measurement in 
general. We also received numerous comments on data privacy and 
security, which are discussed in more detail in subsection D below.
1. Definitions
    In the proposed rule, we defined a qualified entity as a public or 
private entity that meets two standards. The first is that the entity 
is qualified, as determined by the Secretary, to use claims data to 
evaluate the performance of providers and suppliers on measures of 
quality, efficiency, effectiveness, and resource use. The second is 
that the entity agrees to meet the requirements described in Section 
1874(e) of the Social Security Act and at Sec. Sec.  401.703-401.710 of 
the proposed rule.
    Comment: We received several comments, suggestions, and questions 
regarding the use of the Medicare data qualified entities receive 
through this program. Section 1874(e)(4)(B) of the Act specifies the 
uses of the Medicare data. Some commenters requested that qualified 
entities be allowed to use the data for purposes other than performance 
reporting, such as internal analyses, pay-for-performance initiatives, 
and provider tiering; other commenters requested that CMS clarify that 
the data provided would be used for performance reporting only.
    Response: The statute bars the re-use of the Medicare claims data 
provided to qualified entities under section 1874(e) of the Social 
Security Act (the Act). Section 1874(e)(4)(D) provides that the 
qualified entity ``shall only use such data, and information derived 
from such evaluation'' for performance reports on providers and 
suppliers. Additionally, the Data Use Agreement (DUA, discussed in more 
detail below) bars re-use of the data for other purposes; violation of 
the DUA may result in a qualified entity's access to data under 1874(e) 
of the Act being terminated. However, while the data itself and any 
derivative data may only be used for creating the prescribed reports, 
section 1874(e) does not address the use of the publically reported 
result. Subject to any limitations imposed by other applicable laws 
(for example, copyright laws), these publicly reported results

[[Page 76543]]

could be used by any party, including the qualified entity, for 
activities such as internal analyses, pay-for-performance initiatives, 
or provider tiering.
    Qualified entities will not be allowed to do performance 
measurement with Medicare data alone. Section 1874(e)(4)(B)(iii) 
specifically provides that qualified entities must include ``claims 
data from sources other than claims data under this title in the 
evaluation of performance of providers of services and suppliers.'' We 
have added a definition of ``claims data from other sources'' at Sec.  
401.703(h).
    We have made several technical changes to the definitions at Sec.  
401.703 to reflect the regulatory interpretation of the statutory 
provisions cited in the proposed rule. We have modified the definition 
of a qualified entity to require the entity to agree to meet the 
requirements in Sec. Sec.  401.705-401.721 of the final rule, removing 
the proposed rule's reference to section 1874(e) of the Act. We have 
also modified the definitions of provider and supplier; specifically we 
have defined both terms in terms of the definitions for the identical 
terms at Sec.  400.202.
    We have also added a definition of clinical data. This addition is 
discussed in further detail below.
2. Eligibility Criteria
    In determining the eligibility standards for qualified entities we 
sought to balance the needs to: (1) Ensure the production of timely, 
high quality, and actionable reports on the performance of providers 
and suppliers, (2) protect beneficiary privacy and security, and (3) 
ensure providers and suppliers have an appropriate amount of time to 
review the reports, appeal, and, if necessary, correct errors prior to 
public reporting. We therefore proposed to evaluate an organization's 
eligibility to serve as a qualified entity across three areas: 
Organizational and governance capabilities, addition of claims data 
from other sources, and data privacy and security.
    Additionally, we proposed not to limit the number of qualified 
entities eligible to serve in an area. Any entity that satisfactorily 
meets the eligibility criteria would be able to participate in the 
program.
    Comment: We received several comments on the eligibility criteria 
as a whole. Many commenters supported the proposed eligibility 
standards; however others said the eligibility standards were too 
prescriptive. Several commenters asked CMS to clarify qualified 
entities' ability to combine expertise across more than one entity to 
meet the requirements in the rule related to experience or amount of 
other claims data.
    Response: We thank commenters for their support for the eligibility 
standards. While we understand that the eligibility standards 
necessitate that prospective qualified entities have extensive 
experience in performance measurement, access to data, and appropriate 
privacy and security protocols, we believe these standards are 
essential to ensure both the privacy and security of beneficiary data 
and the acceptance of the program by providers and suppliers.
    We clarify, however, that qualified entities do not need to be 
composed of a single legal entity. A qualified entity applicant may 
contract with other entities to achieve the ability to meet the 
eligibility criteria. If an entity chooses to contract with one or more 
other entities to meet the eligibility standards, the application must 
be submitted by one lead entity. This lead entity must submit 
documentation describing the contractual relationships that exist 
between and among all entities applying together under the lead entity 
to become a qualified entity. In addition, as discussed in subsection 
D.1. below, contractors will be required to abide by the same privacy 
and security requirements as the lead entity, including signing a data 
use agreement prior to being given access to Medicare claims data or 
beneficiary information. Contractors will also be subject to CMS 
monitoring and their actions may result in sanctions and/or termination 
of the qualified entity.
    We believe that requiring contractual arrangements among the 
members of such a group will ultimately protect both the providers and 
suppliers receiving reports, as well as the beneficiaries seeking to 
use this information to make health care decisions by ensuring that the 
lead entity has partners with the necessary expertise to carry out the 
duties of a qualified entity and that the qualified entity's partners 
are committed to the project through legally enforceable agreements.
    In a contractual arrangement, there would be breach of contract 
liability if one of the members of the group fails to deliver, and 
there would be the potential of collecting damages for that failure to 
perform. Such damages would potentially provide the lead entity with 
the resources that would be necessary for finding and hiring another 
entity to carry out the functions of a contractor/subcontractor that 
failed to perform. Any other less formal arrangement among a group of 
entities that, in sum, possessed the requisite traits required of a 
qualified entity, such as a partnership or other consortium-like 
affiliation, would not offer the breach of contract protections that 
would provide assurances that the entities listed as participants in 
the group would in fact provide the services/skills/resources that the 
qualified entity applicant asserts. In a non-contractual arrangement, 
participating members of the group could stop performing at any time, 
leaving the remainder of the group with little recourse and, possibly, 
not qualified to carry on as a qualified entity. This could prevent the 
issuance of the desired reports. It could also leave providers and 
suppliers, as well as beneficiaries, without any recourse for remedying 
reporting errors or answering questions related to the reports. This 
would have a very negative effect on the program as a whole, and 
jeopardize this important transparency effort.
    We emphasize that a single entity may seek to fulfill all of the 
eligibility standards; there is no requirement that a qualified entity 
must be a group of two or more entities. However, we believe that more 
potential qualified entities would apply if they use contractual 
relationships to address any requirements that they may be lacking.
    Comment: Several commenters suggested additions to the eligibility 
standards. A handful of commenters recommended adding a public input 
component as part of the eligibility process. Commenters also suggested 
evaluating provider complaints against applicants when making 
determinations about qualified entity eligibility. One commenter asked 
CMS to create a provisional track for entities without the necessary 
experience or the non-Medicare data to serve as a qualified entity in 
the general program.
    Response: Through evaluating each entity's (including the lead 
entity's and any contractors') past experience, other claims data, and 
privacy and security protocols, we are confident that entities approved 
as qualified entities will meet the requirements of the program. 
Extensive monitoring requirements for the lead entity and any 
contractors, as well as the ability to terminate our agreement with a 
qualified entity, will ensure that the highest standards are adhered to 
by all qualified entities. However, we are interested in beneficiary 
and/or provider complaints against a qualified entity once that entity 
is approved. As discussed below in section II.F., we have included an 
analysis of beneficiary and/or provider complaints as part of the 
monitoring and performance assessment of qualified entities.

[[Page 76544]]

    While we appreciate the interest in allowing a variety of 
organizations to serve as qualified entities, we believe a provisional 
track is not consistent with the requirement in the statute that 
entities be qualified, as determined by the Secretary, to use claims 
data to evaluate provider and supplier performance. We hope that the 
discussion above, which notes that potential qualified entity 
applicants may form contractual agreements to meet the eligibility 
requirements, will allow entities with less experience or limited other 
claims data to gain the necessary expertise or gather the needed data 
to be approved as a qualified entities. We also have added a 
conditional approval process, discussed in more detail below, for those 
applicants that do not have access to claims data from other sources at 
the time of their application.
    Comment: We received several comments requesting CMS limit the 
organizations eligible to serve as qualified entities to non-profit and 
government organizations. However, we also received comments asking CMS 
to continue to allow any organization that meets the eligibility 
requirements and submits an application to serve as a qualified entity.
    Response: On balance, we believe it is appropriate for CMS to 
continue to allow any organization that meets the eligibility 
requirements and the requirements at sections Sec. Sec.  401.703-
401.710 of the proposed rule to serve as a qualified entity, which 
appear, as modified in the following discussion, in sections Sec. Sec.  
401.705-401.721 of this final rule.
    Comment: While we received several comments supporting our proposal 
not to limit the number of qualified entities in a geographic region, 
we also received comments suggesting we limit the number of qualified 
entities eligible to serve in an area. Many of those who suggested 
limiting the number of qualified entities in an area expressed concern 
that allowing multiple qualified entities in a region would lead to 
multiple reports on the same provider or supplier, which would confuse 
both the individual or entity being measured and the consumer. One 
commenter suggested CMS take a phased approach to the number of 
qualified entities, allowing providers to get accustomed to measurement 
before expanding the number of qualified entities.
    Response: We acknowledge commenters' desire to limit the number of 
reports on a provider or supplier; however, we do not anticipate many 
regions will have multiple entities that meet the requirements to serve 
as qualified entities. Specifically, it is difficult to imagine there 
will be many areas where multiple organizations will possess sufficient 
claims data from other sources. Additionally, we believe allowing all 
eligible organizations to serve as qualified entities will encourage 
innovation in measure development and performance reporting. In the 
case that there are multiple organizations in an area that could serve 
as individual qualified entities, we would like to reiterate that these 
organizations could form contractual arrangements with each other and 
apply for the program under a lead applicant.
a. Organizational and Governance Capabilities
    Under organizational and governance capabilities, we proposed to 
evaluate the applicant's capability to perform a variety of tasks 
related to serving as a qualified entity. Tasks included the ability to 
accurately calculate measures from claims data, successfully combine 
claims data from different payers, design performance reports, prepare 
an understandable description of measures, implement a report review 
process for providers and suppliers, maintain a rigorous data privacy 
and security program, and make reports containing provider and supplier 
level data available to the public. We proposed to generally require 
applicants to demonstrate expertise and sustained experience on each of 
the criteria, which could be demonstrated by three or more years of 
experience in each area. We also proposed to consider applications with 
fewer years experience handling claims data and calculating measures, 
and/or limited experience implementing or maintaining a report review 
process for providers and suppliers as long as the applicant has 
sufficient experience in all other areas.
    Comment: Commenters had mixed opinions about the proposed 
requirement of three or more years of experience. Commenters who did 
not support a minimum three years experience were concerned about 
limiting eligibility of otherwise viable entities. On the other hand, 
commenters who strongly supported the eligibility criteria suggested 
lengthening the time requirement to five years.
    Response: While we are sensitive to the desire to allow all 
interested organizations to serve as qualified entities, we believe 
that many viable entities will possess three years of experience, 
particularly now that we have clarified that a qualified entity may 
contract with other entities in order to demonstrate required 
experience. It is essential for the success of the qualified entity 
program that organizations approved as qualified entities have the 
necessary expertise and experience to successfully perform all the 
functions required in the statute. We believe the experience 
requirements we have included are sufficient to ensure organizations 
approved as qualified entities possess the necessary experience to 
successfully meet the requirements of the program.
    Comment: Commenters suggested changes to specific tasks in the 
organizational and governance capabilities section of the eligibility 
criteria. Several commenters asked CMS to only require expertise in the 
areas of measurement the entity is proposing to use instead of all four 
areas of measurement: Quality, efficiency, effectiveness, and resource 
use. Similarly, commenters also noted that not all measures require 
risk-adjustment and requested CMS only require experience in risk-
adjustment if the entity is planning on using measures that incorporate 
risk-adjustment. Commenters also recommended removing the requirement 
that organizations have experience successfully combining claims data 
from different payers, arguing that this requirement would necessitate 
that applicants currently have data from two or more payers other than 
Medicare.
    Response: We agree with commenters about the proposal that would 
have required expertise in all four areas of measurement. As a result, 
we are modifying the eligibility requirements related to these areas of 
performance measurement and will require all applicants to have 
experience calculating quality measures, and, to the extent that they 
propose using such measures, experience calculating efficiency, 
effectiveness and resource use measures. Similarly, we will only 
require entities to have experience with risk-adjustment, if they 
propose using measures requiring risk adjustment. Finally, the law 
requires that a qualified entity combine data from different payers, so 
we will retain that requirement in this final rule.
    Comment: One commenter requested that CMS only approve applicants 
with a demonstrated track record of working with providers and 
suppliers and helping them with quality improvement.
    Response: While we hope this program will support quality 
improvement efforts, the statute only requires qualified entities to 
confidentially make reports available prior to publication and to allow

[[Page 76545]]

providers and suppliers the opportunity to request error correction. We 
believe that our requirement that applicants submit documentation of 
experience in both maintaining a process for providers and suppliers to 
review their reports prior to publication, and providing timely 
response to requests for error correction will be adequate to ensure an 
applicant's ability to work with providers and suppliers to ensure the 
availability of reports and appropriate correction mechanisms.
    Comment: We received several comments on our proposal to require 
applicants to disclose inappropriate disclosures of beneficiary 
identifiable information. Specifically, one commenter suggested that 
requiring disclosure of a 10-year privacy breach history is 
unreasonable. Another commenter requested that CMS include a 
requirement that applicants disclose confirmed violations of State 
privacy laws, in addition to inappropriate disclosures of beneficiary 
identifiable information.
    Response: We believe that requiring an applicant to disclose 10 
years' worth of inappropriate disclosures of beneficiary information is 
a reasonable requirement, but we recognize that some applicants may not 
have a 10 year history. For those entities that do not have a 10 year 
history, we will require reporting the required information for the 
length of time the organization has been in existence. We clarify, 
however, that a qualified entity's application to receive Medicare data 
will be evaluated based on all of the information submitted; a past 
inappropriate disclosure of beneficiary identifiable information will 
not automatically disqualify an entity from participation in the 
program. If an entity's application lists these events, CMS will engage 
in further discussions with that applicant to determine what corrective 
processes the entity has put in place to avoid future inappropriate 
disclosure of beneficiary identifiable information. We agree that 
violations of State, as well as federal, privacy and security laws 
should also be submitted to CMS and will add this requirement to the 
eligibility criteria. For clarity, we have rephrased the proposed 
language in Sec.  410.705(a)(1)(vii) that referred to violations of 
State privacy laws or HIPAA violations to read ``violations of 
applicable federal and State privacy and security laws and 
regulations'' to encompass the full range of information privacy and 
security laws and regulations at both the federal and State levels with 
which the applicant may have to comply. In addition to demonstrating 
experience and expertise, we also proposed to require qualified 
entities to submit a business model for covering the cost of required 
functions.
    Comment: Some commenters argued that requiring prospective 
applicants to submit a business model is too prescriptive, while others 
were supportive of this requirement. A handful of commenters asked CMS 
for guidance on financing mechanisms, as well as whether they could 
change a fee for the reports or license the data for secondary use.
    Response: In requiring submission of a business model, it was not 
our intent to be overly prescriptive. Rather, we were seeking to ensure 
that the qualified entities would have the resources necessary to carry 
out what we expect would be a relatively resource-intensive and 
important undertaking. We expect that by requiring submission of a 
business plan qualified entities would be more likely to have a viable 
business model under which they would be able to carry out their 
obligations under the qualified entity program. We do not intend to 
limit an organization's ability to change or adapt its business plan 
once approved as a qualified entity. We only ask that the qualified 
entity demonstrate that it has thought through what it would need to do 
to succeed. Finally, as for financing mechanisms, we note that the 
qualified entity program regulations do not generally place any added 
limitations on what is otherwise feasible under applicable laws. For 
example, the content of the publicly released reports will be subject 
to existing laws on copyright. Qualified entities cannot, however, 
charge providers or suppliers for the confidential copies of the pre-
publication reports that qualified entities are required to provide in 
advance of publication. Furthermore, qualified entities must publically 
report measure results free of charge and in a manner that is 
consistent with the requirements in Section 1874(e)(4)(C) of the Act. 
We encourage qualified entities to be innovative in creating business 
models to support their efforts.
b. Addition of Claims Data From Other Sources
    In accordance with the statutory requirements at section 
1874(e)(4)(B)(iii), we proposed to require entities to have claims data 
from non-title 18 (Medicare) sources to combine with Medicare data. We 
proposed to require possession of such other data at the time of their 
application. We defined claims data as administrative claims, meaning 
data that is not chart-abstracted data, registry data, or data from 
electronic health records. We proposed to require entities to 
demonstrate to CMS that the other claims data they possess is 
sufficient to address issues of sample size and reliability expressed 
by stakeholders regarding the calculation of performance measures from 
a single payer source. We also requested comment on whether CMS should 
require entities to possess claims data from two or more other sources 
to be eligible to serve as a qualified entity.
    Comments: Some commenters were supportive of the requirement that 
entities possess claims data from other sources at the time of 
application, but others argued that this requirement is too restrictive 
and not consistent with the intent of the statute. Specifically, 
commenters argued that it might be difficult to acquire claims data 
from other sources without approval from CMS to serve as a qualified 
entity. Other commenters sought clarification on whether qualified 
entities had to physically possess claims data from other sources or 
whether agreements with owners of claims data from other sources and 
proof of a functioning distributed data approach, meaning that claims 
data from different sources residing at different physical locations as 
long as measure results could be securely and accurately aggregated, 
would suffice.
    Response: While most organizations that are experienced in 
performance measurement will already have claims data they are using 
for performance measurement, we understand commenters' concerns about 
the requirement that entities possess claims data from other sources at 
the time of application. Therefore, for those applicants that do not 
have access to other claims data at the time of their application, we 
will create a conditional approval process. First, applicants that are 
found to meet all the requirements of the program, but do not have 
access to other claims data at the time of their application, will 
receive a conditional acceptance. Then, once an entity with a 
conditional acceptance gets access to adequate claims data from other 
sources, it will submit documentation that the claims data from other 
sources that it intends to combine with the Medicare data received 
under this subpart address the methodological concerns regarding sample 
size and reliability that have been expressed by stakeholders regarding 
the calculation of performance measures from a single payer source. CMS 
will review the documentation and if the amount of other claims data is 
found to be sufficient, the entity will pay a fee equal to the cost of 
CMS making the data

[[Page 76546]]

available and execute a Data Use Agreement (DUA) with CMS to be 
approved as a qualified entity. A conditionally approved qualified 
entity will not be eligible to receive Medicare claims data or the 
beneficiary crosswalk (discussed further in Section D.1) until it has 
received full approval, pays a fee equal to the cost of making the data 
available, and signs a DUA.
    This conditional approval process will be in addition to the normal 
approval process that will remain in place for those applicants that 
have access to a sufficient amount of other claims data at the time of 
their application. Additionally, we want to clarify that distributed 
data approaches, as described above, are permissible under the scope of 
this program.
    Comment: We received several comments asking CMS to clarify the 
amount of other claims data applicants must possess. Commenters also 
asked if CMS would consider Medicaid data to be other claims data.
    Response: As stated in the proposed rule, we do not believe it is 
feasible to establish an absolute threshold for a minimum amount of 
additional claims data. Rather, we ask applicants to explain how the 
data they do have for use in the qualified entity program will be 
adequate to address the concerns about small sample size and 
reliability that have been expressed by stakeholders regarding the 
calculation of performance measures from a single payer source. Each 
application will be evaluated on its collective merits, including the 
amount of claims data from other sources and its explanation on why 
that data, in combination with the requested Medicare data, is adequate 
for the stated purposes of this program. ``Other claims data'' can 
include Medicaid data as well as any private payer claims data.
    Comment: We also received mixed comments on our proposal to require 
organizations to have two or more data sources at the time of 
application. Some commenters said this requirement seemed appropriate, 
while others argued it was too burdensome. One commenter argued that 
unless combined data represents at least 90 percent of a provider's 
practice, any resulting quality measurements will not be meaningful.
    Response: We based our proposal about acquiring data from two or 
more sources on the interests of providers, suppliers, and consumers to 
have reports that provide valid results that cover an adequate portion 
of the providers' or suppliers' patients. However, in certain cases, 
one source may provide a sufficient amount of other claims data such 
that, when the other claims data is combined with Medicare data, it 
covers a considerable portion of a provider's or supplier's patients. 
We will therefore not require an applicant to have two sources of 
additional claims data, but we note that claims data from two or more 
sources is preferable to data from only one other source. We 
acknowledge that it is important for the combined data to represent a 
large portion of a provider's business, but believe an arbitrary 
requirement of 90 percent is unnecessarily high, especially given that 
the program is just beginning.
c. Data Privacy and Security
    We proposed to require applicants to demonstrate their capabilities 
to establish, maintain, and monitor a rigorous privacy and security 
program, including programs to educate staff on privacy and data 
security protocols.
    Comments related to the proposed data privacy and security 
eligibility criteria requirements are covered in the Data Security and 
Privacy section below in section II.D. of this final rule.
3. Operating and Governance Requirements for Serving as a Qualified 
Entity
    We require documentation of operating and governance requirements 
at the time of application for several key activities. We proposed that 
applicants would submit as part of their application: (1) The measures 
they intend to use, including methodologies and a rationale for using 
the measure; (2) the report review process they would use with 
providers and suppliers, including addressing requests for data and 
error correction; and (3) a prototype for required reports, including 
the methods for disseminating reports.
    Comments: We received several comments that the submission of 
measures and methodologies, as well as a prototype for reports at the 
time of application is too burdensome. Additionally, commenters argued 
that 90 days notice for approval of changes was too long and that 
certain types of minor changes to the report prototype need not trigger 
CMS approval. Several commenters also argued that submitting 
specifications on standard measures is unnecessary since these measures 
have established specifications and are generally publically available.
    Response: We understand organizations' desire to have flexibility 
in selecting measures and report formats. We also believe that making 
these decisions is a key aspect of serving as a qualified entity and is 
important enough to require the submission of proposed plans prior to 
being approved as a qualified entity. However, we recognize commenters' 
desire to ensure measures and report formats are approved and available 
for use as quickly as possible. Therefore, we will change the timeframe 
for CMS approval to 30 days. Qualified entities may change selected 
measures, and may modify their report prototype, with 30 days notice to 
CMS and CMS approval of the changes or modifications. We believe that 
the majority of changes proposed by qualified entities will be 
straightforward and CMS will be able to comfortably conduct a review 
and approval within 30 days of submission; however, in certain 
circumstances CMS may request an additional 30 days to approve more 
wide-reaching changes or modifications. If a CMS decision on approval 
or disapproval for a change or modification is not forthcoming within 
30 days and CMS does not request an additional 30 days for review, the 
change or modification shall be deemed to be approved.
    We acknowledge the interest in only requiring CMS approval for 
substantive changes in the prototype reports. However, as it is the 
first year of the program, we are still determining the types of 
changes to the prototype reports that qualified entities will need to 
submit to CMS for approval. CMS is considering releasing guidance on 
the types of changes to the report prototype that need not be submitted 
once the qualified entity program has started.
    We agree with commenters that including standard measure 
specifications is unnecessary. Thus far, available standard measures 
only include measures endorsed by the National Quality Forum and CMS 
measures; and the specifications for these measures are available to 
the public. Therefore, we will only require applicants to include 
measure specifications for alternative measures. We will use future 
rulemaking to address the submission of specifications for standard 
measures if the public availability of standard measure specifications 
changes in the future.
    Comment: One commenter requested that CMS require each applicant to 
submit an analytic plan clarifying its goals relative to the statute.
    Response: We believe that the requirement for entities to submit a 
rationale for selecting each measure, including its relationship to 
existing measurement efforts, addresses the issue of an organization's 
goals as they relate to the statute. We believe this is sufficient 
documentation of an organization's plans.
    Comment: One commenter requested that CMS require applicants to 
submit

[[Page 76547]]

conflict of interest information. Commenters were concerned that 
conflicts of interest could result in inaccurate or misleading 
reporting. One commenter specifically requested that qualified entities 
be required to attest that they have no relationship or affiliation 
with any health plans, insurers, providers, suppliers, manufacturers or 
other entities that may have an interest in or use for the data.
    Response: We do not believe it is necessary for applicants to 
submit information on conflicts of interest to CMS. We expect that many 
qualified entities will have relationships with health plans, insurers, 
providers and suppliers, and other entities that have an interest in or 
use for the data in order to meet the requirements of the qualified 
entity program, such as obtaining other claims data or disseminating 
performance results. We believe the eligibility requirements and 
monitoring requirements will ensure that the organizations who serve as 
qualified entities comply with the requirements of the program.

B. Definition, Selection, and Use of Performance Measures

1. Standard and Alternative Measures
    The statute permits qualified entities to use both standard and 
alternative measures. We proposed to define standard measures as any 
claims-based measure endorsed (or time-limited endorsed) by the entity 
with a contract under section 1890(a) of the Act (currently the 
National Quality Forum), any claims-based measure that is currently 
being used in a CMS program that includes quality measurement, or any 
measure developed pursuant to Section 931 of the Public Health Service 
Act. The statute requires the Secretary to consult with appropriate 
stakeholders as to whether the use of alternative measures would be 
more valid, reliable, responsive to consumer preferences, cost-
effective, or relevant to dimensions of quality and resource use not 
addressed by standard measures. In light of these requirements, we 
proposed to define alternative measures as any claims-based measure 
that, while not a standard measure, was adopted by the Secretary 
through a notice and comment rulemaking process. Qualified entities 
would submit proposed alternative measures to CMS who would then make 
the proposed alternative measures available for stakeholder input via a 
proposed rule, and, where appropriate, following receipt of public 
comments, the Secretary would determine which alternative measures to 
approve for use in the program.
    Comment: Some commenters suggested that qualified entities be 
allowed to calculate measures that are not based solely on claims data. 
Specifically, commenters were interested in calculating measures that 
involve combining claims data with clinical data (for example, registry 
data or chart-abstracted data). Commenters argued that allowing 
qualified entities to use these measures would expand the list of 
available measures. Several commenters also expressed that the use of 
these types of measures would help produce a more accurate picture of 
provider and supplier performance.
    Response: We recognize commenters' desire to use clinical data 
combined with claims data when calculating standard and alternative 
measures. Given the added value that clinical data brings to 
performance measurement, whenever standard or alternative measures 
provide for the use of clinical data, we will allow qualified entities 
to use clinical data in combination with Medicare and other claims data 
to calculate those standard and alternative measures. We have added a 
definition of clinical data at Sec.  401.703(i), specifically clinical 
data is registry data, chart-abstracted data, laboratory results, 
electronic health record information, or other information relating to 
the care or services provided to patients that is not included in 
administrative claims data. Measurement efforts using clinical data 
would only be supported under the qualified entity program if the 
clinical data is combined with the qualified entity's Medicare and 
other claims data to calculate the measures. These regulations do not 
address the use and publication of purely clinical-based measures.
    Furthermore, we recognize the near impossibility of combining 
Medicare claims data with clinical data without an identifier to link 
them. As a result, we are changing the proposed process for releasing 
beneficiary identifiable information to allow--with strict privacy and 
security standards--for the disclosure of identifiers to qualified 
entities; this change is discussed in more detail in the Privacy and 
Security requirements section below.
    Comment: Many commenters were supportive of the alternative measure 
review process. However, several commenters argued that the notice and 
comment rulemaking process was overly burdensome on qualified entities, 
would significantly restrict innovation in measure development and use, 
and was contrary to the overall goals of the provision. Some commenters 
proposed that qualified entities only be required to seek the 
permission of local stakeholders before calculating and reporting 
alternative measures. However, other commenters argued that the notice 
and comment rulemaking process provided appropriate safeguards against 
the public reporting of untested measures.
    Response: We believe that the intent of the alternative measure 
provision in statute is to promote innovation in claims-based 
performance measurement, while ensuring that measures are not used in 
the qualified entity program without proper testing and validation. 
That said, in light of the comments received, we believe that greater 
flexibility could be afforded to qualified entities to better balance 
innovation with appropriate use. We are therefore adding additional 
flexibility into the alternative measure process by adding a second 
avenue by which to seek Secretarial approval of alternative measures. 
In order to receive approval to use an alternative measure under this 
new avenue, a qualified entity will need to submit documentation to CMS 
outlining consultation and agreement with stakeholders in the 
geographic region the qualified entity serves, and evidence that the 
measure is ``more valid, reliable, responsive to consumer preferences, 
cost-effective, or relevant to dimensions of quality and resource use 
not addressed by such standard measures'' in accordance with the 
statutory requirements at Section 1874(e)(4)(B)(ii)(II). Stakeholders 
must include a valid cross representation of providers, suppliers, 
employers, payers, and consumers. At a minimum, a qualified entity must 
submit:
     A description of the process by which the qualified entity 
notified stakeholders of its intent to seek approval of an alternative 
measure.
     A list of stakeholders from whom feedback was solicited, 
including the stakeholder names and each stakeholder's role in the 
community.
     A description of the discussion about the proposed 
alternative measure, including a summary of all pertinent arguments for 
and against use of the measure.
     An explanation backed by scientific evidence that 
demonstrates why the measure is ``more valid, reliable, responsive to 
consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use not addressed by [a] standard measure.''
    CMS will review the submission and make a decision as to whether 
the qualified entity has consulted the appropriate stakeholders and 
whether the new measure meets the requirements for alternative measures 
at Section 1874(e)(4)(B)(ii)(II) of the Act.

[[Page 76548]]

Qualified entities must send all the information required for approval 
of an alternative measure to CMS at least 60 days prior to its intended 
use of the measure. CMS will make every effort to ensure that measures 
are approved during the 60 day period. If a CMS decision on approval or 
disapproval for an alternative measure is not forthcoming within 60 
days, the measure shall be deemed to be approved. However, CMS retains 
the right to disapprove a measure if, even after 60 days, in accordance 
with the statutory requirements at Section 1874(e)(4)(B)(ii)(II) it is 
found to not be ``more valid, reliable, responsive to consumer 
preferences, cost-effective, or relevant to dimensions of quality and 
resource'' than a standard measure. Once a measure is approved CMS will 
release the name of the measure, as well as the scientific evidence 
that demonstrates why the measure is ``more valid, reliable, responsive 
to consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use not addressed by [a] standard measure.''
    Alternative measures submitted and approved using this process may 
only be used by the qualified entity that submitted the measure for 
consideration because the stakeholder consultation approval process 
only requires consultation with stakeholders in the geographic region 
the qualified entity serves. If another qualified entity wishes to use 
the same measure, it would need to consult with stakeholders in its own 
community, and submit its own request for alternative measure approval 
under the rulemaking or stakeholder consultation approval process. 
However, we recognize that scientific evidence demonstrating that the 
measure is ``more valid, reliable, responsive to consumer preferences, 
cost-effective, or relevant to dimensions of quality and resource use 
not addressed by [a] standard measure'' will not differ for a measure 
in use across communities. Therefore, once an alternative measure is 
approved for use via the stakeholder consultation approval process, 
future requests for use of an identical measure will not need to 
include the same explanation backed by scientific evidence that 
demonstrates why the measure is ``more valid, reliable, responsive to 
consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use not addressed by [a] standard measure.'' 
However, if there is scientific evidence that has become available 
since the measure was approved by CMS, the qualified entity seeking to 
use that measure must conduct the necessary research and provide that 
new scientific evidence to CMS.
    We will also retain the notice and comment rulemaking process as a 
second option for the approval of alternative measures. As discussed in 
the proposed rule, alternative measures approved through notice and 
comment rulemaking may be used by any qualified entity up until the 
point that an equivalent standard measure for the particular clinical 
area or condition becomes available.
    Comment: One commenter suggested that the alternative measure 
process as outlined conflicted with the process under Section 3014 of 
the Affordable Care Act.
    Response: Section 1874(e)(4)(B)(ii)(I) provides for the use of 
standard measures such as the measures endorsed by the entity with a 
contract under section 1890(a) of the Act (currently NQF) and measures 
developed pursuant to section 931 of the Public Health Service Act. 
Section 1874(e)(4)(B)(ii)(II) provides for use of additional measures 
that are not approved by such entities. This latter category explicitly 
provides for the approval and use of non-NQF standards. Furthermore, 
section 3014 of the Affordable Care Act does not require the Secretary 
to use the recognized standards by the entity with a contract under 
section 1890(a) of the Act. It merely serves to provide recommendations 
on appropriate standards to consider.
    Comment: Several commenters questioned whether the requirement for 
qualified entities to cease using alternative measures within six 
months of an equivalent standard measure being endorsed was reasonable.
    Response: We believe six months is a reasonable time period for 
qualified entities to transition to using newly endorsed standard 
measures equivalent to existing alternative measures or to submit 
scientific justification to file a request for alternative measure 
approval.
    Comment: We received several comments on our definition of standard 
measures. While many commenters were supportive of our definition, one 
commenter suggested that we change our definition of standard measures 
to include measures endorsed by consensus-based entities other than the 
NQF. The commenter specifically mentioned the Patient Charter, a 2008 
agreement among consumer, purchaser, provider and insurer groups on 
principles to guide performance reporting. Other commenters asked if 
all NQF-endorsed measures were standard measures. One commenter asked 
that standard measures be limited to true outcome measures in order to 
measure the effectiveness of care.
    Response: We appreciate the suggestion to include measures endorsed 
by consensus-based entities other than the NQF and have changed our 
definition of standard measures to include such measures. Specifically, 
we will now include as a standard measure any measure calculated in 
full or in part from claims data that is endorsed by a consensus-based 
entity, providing that the consensus-based entity has been approved as 
such by CMS. Rather than defining consensus-based entities in advance, 
CMS will approve organizations as consensus based entities on an as 
needed basis.
    To receive approval as a consensus-based entity, an organization 
will need to submit information to CMS documenting their processes for 
stakeholder consultation and measure approval. Such documentation must 
show that the entity has a prescribed process for vetting and approving 
measures that includes representation from all types of stakeholders 
relevant to the topic being measured. The description of the approval 
process must be publicly available and the stakeholder consultation 
must be open to any that are interested in participating. Additionally, 
organizations will only receive approval as a consensus-based entity if 
all measure specifications are publicly available. Consensus-based 
entities will receive approval for a time period of three years and 
their endorsed measures will be made available to all qualified 
entities. CMS will also make a list of approved consensus-based 
entities available publicly. After three years, organizations will 
simply have to resubmit documentation on their processes for 
stakeholder consultation and measure again, noting any changes from 
their original submission.
    Regarding the request that we add a requirement that standard 
measures be ``outcome measures,'' which we understand to mean measures 
that evaluate final results, such as mortality rates, we feel that 
imposing this requirement would substantially reduce the number of 
available standard measures. Additionally, while we agree that outcome 
measures may be better indicators of the effectiveness of care, we feel 
process measures will also offer the public, as well as providers and 
suppliers, important information on performance. Therefore, we have not 
incorporated this suggestion.
    Comment: One commenter suggested that the rule should permit the 
use of composite measures.

[[Page 76549]]

    Response: We believe that composite measures can be calculated and 
reported under the revised alternative measure process we established 
in this final rule.
    Comment: One commenter suggested that the rule should permit 
qualified entities to withdraw measures prior to public reporting if 
the measure results turn out to be unreliable.
    Response: We appreciate this suggestion; however, the statute 
requires public reporting of all measures. Specifically, Section 
1874(e)(4)(C)(iv) requires the reports be made available to the public, 
while allowing for confidential review by providers and suppliers. We 
note that this does not prohibit commentary on the measure and results 
in the report. We hope that qualified entities will take the 
requirement of public reporting into consideration when determining 
which measures should be calculated under this program. We recognize 
that there may be errors in measure calculation and believe that the 
confidential reporting and appeals process will help qualified entities 
discover and correct any errors in the calculation of measures.
    Comment: We received a variety of comments on measurement 
methodologies. Several commenters suggested that CMS should be more 
proscriptive regarding the types of attribution, risk adjustment, and 
benchmarking methods qualified entities should employ and that 
methodology descriptions should be standardized across payers and 
qualified entities. Commenters were also concerned about payment 
standardization as it relates to efficiency and resource use measures. 
Payment standardization is viewed as an important methodological 
approach to normalize comparisons of resource use across providers and 
suppliers. Several commenters also stressed the need for accurate 
attribution and risk adjustment in general. One commenter asked if 
methodologies employed by the qualified entity could change during the 
three-year agreement period. One commenter urged CMS to require 
qualified entities to submit to CMS a specific description of how it 
will handle outlier providers and ensure that a report of a provider's 
or supplier's performance is accurately adjusted as appropriate to 
reflect characteristics of the patient population.
    Response: The statute does not require CMS to be proscriptive in 
this regard. Consistent with the statute, the proposed rule would 
require qualified entities to submit to the Secretary a description of 
methodologies that the qualified entity proposes to use to evaluate the 
performance of providers and suppliers. The proposed rule would also 
require qualified entities to include an understandable description of 
their attribution, risk adjustment, and benchmarking methods so that 
report recipients can properly assess such reports. We agree with 
commenters that payment standardization is an important aspect of 
measurement methodologies, and agree that payment standardization 
methodologies should be included where appropriate. Therefore, we have 
added a requirement that qualified entities include information on 
payment standardization when appropriate.
    Additionally, we feel that performance measurement is evolving, and 
that clear standards for attribution, risk adjustment, and benchmarking 
have not yet emerged, and therefore it would be inappropriate for CMS 
to preemptively determine such standards. We are confident that as 
qualified entities and the performance measurement environment matures 
over the coming years methodologies will begin to coalesce around 
clearly defined standards. As discussed above, qualified entities can 
change methodologies during the three year agreement period provided 
they give appropriate notice to CMS and receive CMS' approval. 
Regarding outliers, we feel that this issue will be adequately 
addressed in the requirements at Sec.  401.707(b)(5)(ii) for a 
qualified entity to provide details on methodologies it intends to use 
in creating reports with respect to benchmarking performance data, 
including methods for creating peer groups, justification of minimum 
sample size determinations, and methods for handling statistical 
outliers, to both CMS and users of the reports.
    Comment: One commenter asked about the release of the details of 
proprietary methodologies and proprietary measure specifications to 
CMS.
    Response: While we understand the concerns about releasing 
methodologies for proprietary measures, we believe that the goal of 
this program is to increase transparency. As discussed above in section 
II.A.3., we are not requiring qualified entities to submit measure 
specifications for standard measures because, thus far, all 
specifications for these measures are available to the public. However, 
we believe that, in order for CMS to evaluate a qualified entity's 
proposed plan for calculating measures, disclosure of proprietary 
measure methodologies and proprietary specifications for alternative 
measures to CMS as part of the application process is warranted. The 
Trade Secrets Act (18 U.S.C. 1905) bars CMS from re-disclosing 
proprietary information unless it is authorized to do so by law. Any 
disclosure to CMS regarding measurement methodologies or specifications 
will generally not be made public by CMS. As a result, we feel it is 
appropriate to require the disclosure of detailed methodologies and 
specifications for alternative measures to CMS as part of the 
application.
    Additionally, qualified entities will be required to disclose 
proprietary measure methodologies to providers and suppliers as a part 
of the confidential review process. We believe it is essential for 
providers and suppliers to understand exactly how the measure is 
calculated in order to review their results. To protect proprietary 
methodologies, a qualified entity may choose to limit further 
disclosure of proprietary measure methodologies, perhaps by requiring a 
provider or supplier to execute a non-disclosure agreement as a 
condition of that disclosure; however, the qualified entity must share 
the proprietary measure methodologies with the provider or supplier 
regardless of whether they are willing to execute a non-disclosure 
agreement. If a qualified entity does not wish to share proprietary 
measure methodologies with both CMS and providers or suppliers, it 
should not seek approval to use those measures in the qualified entity 
program.
    Comment: One commenter suggested that all proposed measures, both 
standard and alternative, be open for public review by providers and 
suppliers prior to approval.
    Response: We do not feel that this requirement is necessary. 
Standard measures as currently defined have already been subject to 
multi stakeholder input and approval either through the entity with a 
contract under section 1890(a) of the Act (currently NQF) or through 
public comment via notice and comment rulemaking in the case of CMS 
measures. Also, any measures developed by a consensus based entity will 
have gone through some form of stakeholder consultation. Thus far, 
there have been no measures developed pursuant to section 931 of the 
Public Health Service Act; however, section 931 requires consultation 
with stakeholders during the quality measure development process. 
Further, both of the alternative measure processes include requirements 
regarding stakeholder input.
    Comment: Several commenters urged CMS to provide a comprehensive 
list of

[[Page 76550]]

the standard and alternative measures that qualified entities may use.
    Response: We plan to release a list of standard measures to 
potential qualified entity applicants prior to the start of the 
program. We would like to note, however, that this list will be dynamic 
since the entity with the contract under section 1890(a) of the Act 
(currently NQF) is continually reviewing measures for endorsement and 
CMS is continually undergoing rulemaking to add measures to our 
programs. Additionally, as new consensus based entities are approved by 
CMS, additional standard measures will be available for use by 
qualified entities. We will also release a list of approved alternative 
measures once alternative measures are approved. Qualified entities are 
encouraged to check these lists frequently to ensure they have the most 
accurate information regarding acceptable measures.
2. Reports and Reporting
    Section 1874(e)(4)(C)(ii) of the Act requires qualified entities to 
make their draft reports available in a confidential manner to 
providers and suppliers identified in the reports before such reports 
are released publicly in order to offer them an opportunity to review 
these reports, and, if appropriate, appeal to request correction of any 
errors. After reports have been shared confidentially with providers 
and suppliers, and there has been an opportunity to have any errors 
corrected, Section 1874(e)(4)(C)(iv) of the Act requires the reports to 
be made available to the public.
    As stated in the statute at Section 1874(e)(4)(C)(i) of the Act, 
the reports must include ``an understandable description'' of the 
measures, rationale for use, methodology (including risk-adjustment and 
physician attribution methods), data specifications and limitations, 
and sponsors. We interpreted ``an understandable description'' to mean 
any descriptions that can be easily read and understood by a lay 
person. Additionally, the reports to the public may only include data 
on providers or suppliers at the provider or supplier level with no 
claim or patient-level information to ensure beneficiary privacy.
    We proposed requiring qualified entities to submit prototype 
reports for both the reports they would send to providers and 
suppliers, and the reports they would release to the public (if they 
are different) in their application, including the narrative language 
they plan to use in the reports to describe the data and results.
    Comment: We received several comments about the reporting process 
generally. One commenter asked that qualified entities be required to 
report less frequently than once per year, as proposed. Other 
commenters asked that qualified entities be required to report more 
frequently than once per year. Yet other commenters expressed concern 
about public reporting and asked that no measurement data be publicly 
reported at all.
    Response: The statute, at 1874(e)(C)(iv), requires qualified entity 
reports to be made available to the public after they are made 
available to providers and suppliers for review and requests for 
corrections. We have no discretion to allow qualified entities to 
produce reports for confidential use only. While the statute does not 
mention any specific frequency of public reporting, we believe that 
once per year is an appropriate requirement. Requiring public reporting 
once per year strikes a balance between reporting frequently enough 
that the information is actionable for consumers, and not reporting so 
frequently that providers and suppliers constantly have to 
confidentially review reports. However, we note that reporting once per 
year is the minimum requirement. A qualified entity may choose to 
report more frequently than once per year, as long as it is still able 
to meet the requirement of allowing providers and suppliers the 
opportunity to review and request error correction.
    Comment: Commenters raised questions about the possibility of 
providers and suppliers receiving multiple reports, which may 
potentially contain contradictory or confusing performance measure 
results. Some commenters requested that CMS standardize the report 
formats among qualified entities to make them easier to interpret, and 
others simply asked CMS to clarify how we will address this issue.
    Response: As discussed in the proposed rule and above, we do not 
intend to limit the number of qualified entities accepted for 
participation into this program, and therefore, it is possible that 
there will be more than one qualified entity working in the same 
geographic area. While we are requiring qualified entities to submit 
prototype reports for CMS approval before use, we do not intend to 
standardize the reports. We believe this program is intended to 
supplement measurement activity already ongoing at the community level, 
and excessive CMS involvement will erode the relationships qualified 
entities either already have, or will develop, with providers and 
suppliers. This is precisely why providers and suppliers are afforded 
the opportunity to review their reports and work through any issues 
directly with the qualified entity, and not with CMS.
    Comment: We received several comments regarding the provider or 
supplier's role in the reporting process. One commenter stated that 
providers and suppliers should be allowed to petition CMS to require 
qualified entities to modify report formats. Another commenter 
requested that qualified entities should be required to include 
providers' or suppliers' comments in the public reports. And finally, 
one commenter requested that qualified entities be required to be 
capable of allowing providers and suppliers to download reports 
electronically.
    Response: As stated in the proposed rule, and discussed elsewhere 
in this final rule, CMS' direct role in this program is relatively 
limited, and includes only the functions necessary for reviewing 
applications from qualified entities and providing standardized data 
extracts to those entities that meet the requirements, as well as 
describing the program to the public. We believe these comments about 
issues related to how the qualified entities publicly report data are 
outside the scope of CMS' statutory authority under section 1874(e). 
Therefore, providers and suppliers will not be allowed to petition CMS 
to change the reports, and a qualified entity will decide itself 
whether to post comments in a public report or make its reports 
available for download in an electronic format.
    Comment: One commenter noted that the proposed rule could be 
interpreted as requiring qualified entities to do all reporting at the 
individual physician level. Another commenter noted that, in terms of 
performance measurement, specialty hospitals need to be accounted for 
differently.
    Response: The statute does not specify the level at which reports 
are to be generated (that is, individual physician, physician group, 
integrated delivery system, etc.), nor does it specify the types of 
providers and suppliers to be measured. A qualified entity may choose 
to which providers and/or suppliers it will apply measures, and in so 
doing, for which entities its reports will be generated. Reporting may 
be at any level for which the measures can be used, but reports must be 
devoid of patient identifiers to protect the identity of the 
beneficiaries.
    Comment: One commenter requested that CMS require qualified 
entities to license or otherwise make available quality measures to 
other entities that

[[Page 76551]]

have the ability to publish performance measurement information.
    Response: As stated above, these regulations will generally not 
place any added limitations on what is otherwise feasible under 
applicable law (such as copyright law). Qualified entities cannot, 
however, charge providers or suppliers for the confidential pre-
publication reports, and they must make reports available to the public 
free of charge in accordance with section 1874(e)(4)(c)(iv).

C. Data Extraction and Dissemination

    Section 1874(e)(3) of the Act requires the Secretary to provide 
qualified entities with standardized extracts of claims data from 
Medicare parts A, B, and D for one or more specified geographic areas 
and time periods. For Medicare parts A and B, we proposed that these 
data extracts would include information from all seven claim types that 
are submitted for payment in the Medicare Fee-For-Service Program, 
including both institutional and non-institutional claims. 
Institutional claim types include inpatient hospital, outpatient 
hospital, skilled nursing facility, home health, and hospice services, 
whereas non-institutional claim types include physician/supplier and 
durable medical equipment claims. Medicare institutional and non-
institutional claims include, but are not limited to, the following 
data elements: Beneficiary ID, claim ID, the start and end dates of 
service, the provider or supplier ID, the principal procedure and 
diagnosis codes, the attending physician, other physicians, and the 
claim payment type.
    We proposed that qualified entities would also receive certain Part 
D information for beneficiaries enrolled in the Medicare Fee-For-
Service Program. The Part D information is known as ``drug event'' 
information, as opposed to ``claims'' information, because prescription 
drug coverage under Part D is provided by private insurance plans or 
``Part D plan sponsors.'' Part D plans are responsible for paying a 
claim for benefits at the pharmacy. The Part D plan then submits a 
Prescription Drug Event record or ``PDE'' to CMS. The key data elements 
in the Part D prescription drug event database include: Beneficiary ID, 
prescriber ID, drug service date, drug product service ID, quantity 
dispensed, days' supply, gross drug cost, brand name, generic name, and 
drug strength. CMS will also include an indication if the drug is on 
the formulary of the Part D plan.
    In order to allow qualified entities to link Medicare claims for an 
individual beneficiary, with appropriate security and privacy 
protections, we proposed that all claims files would contain a unique 
encrypted beneficiary identification (ID) number, rather than the 
actual beneficiary Medicare Health Insurance Claim Number (HICN).
    Comment: We received several comments regarding data extract 
structure. A number of commenters requested clarification on how the 
data linkage across data sets will be accomplished. Several comments 
asked how qualified entities would identify the provider or supplier 
associated with a claim. One commenter expressed concern that no 
accurate or acceptable physician contact data base or directory is 
currently available on a nationwide level. An additional comment asked 
if CMS plans to make changes to the data in the CMS database if a 
qualified entity, provider, or supplier determines there is an error in 
the Medicare claims data.
    Response: CMS understands the importance of linking beneficiaries 
across Medicare data sets in a way that is secure and protects 
beneficiaries' privacy. All claims files provided to qualified entities 
will contain a unique encrypted beneficiary identification number that 
will allow a qualified entity to link claims for an individual 
beneficiary across all Medicare claim types and across all years. That 
is, a unique encrypted beneficiary ID number will be assigned to an 
individual beneficiary and will remain the same for that individual 
beneficiary across Medicare claim types and years. This encrypted 
beneficiary ID is unique to the qualified entity program and will be 
included on each file the qualified entity receives. With appropriate 
security and privacy protections, these files will also contain 
beneficiary date of birth, race, and gender, important elements for 
calculating performance measures.
    Additionally, to allow qualified entities to identify the provider 
or supplier associated with a claim, the files will contain the actual 
provider or supplier ID or, where required by law, the National 
Provider Identifier (NPI). Although, in HIPAA standard transactions the 
NPI must be used in lieu of other provider numbers, CMS will also make 
the Unique Physician Identification Number (UPIN) associated with the 
claim available to qualified entities. CMS maintains both a publically 
available query-only database and a publically available downloadable 
file that links the NPI to other information on a provider such as the 
provider name and mailing address. We believe that this national-level 
database and downloadable file will allow qualified entities to 
identify the provider or supplier associated with the claim. 
Furthermore, given the eligibility requirements described above in 
Section II.A.1.a., we expect approved qualified entities to have 
experience in accurately identifying a provider or supplier across 
multiple data sources.
    As to reporting suspected issues with CMS data, CMS currently has a 
process in place for reporting, tracking, and resolving potential 
errors or issues identified in CMS data. Once approved, each qualified 
entity will receive guidance and training in this area.
    Comment: Several commenters raised concerns about some of the data 
elements we proposed to release. A number of commenters expressed 
concern on the release of drug cost information in the Part D data, as 
well as the release of Part D plan identifiers. Additionally, a handful 
of commenters suggested that private physician financial information 
contained in the Part B data is protected from disclosure under the 
Privacy Act.
    Response: CMS is aware of the concerns and restrictions on 
releasing certain Part D drug cost information. Given these concerns, 
in the files provided to qualified entities, CMS will release the Total 
Drug Cost element, which is derived from the sum of four elements: 
Ingredient Cost, Dispensing Fee, Vaccine Administration Fee, and Total 
Amount Attributable to Sales Tax. However, to protect the Part D plans' 
proprietary cost information, these individual component costs will not 
be released. We believe the aggregation of cost information will help 
to ensure that the most confidential information--the separate amounts 
paid by Part D sponsors for ingredient cost or dispensing fee--will not 
be released. This approach is also consistent with the treatment of 
these data under the regulations governing the use and disclosure of 
Part D data for non-payment related purposes. See 73 FR 30,664, 30669 
(May 28, 2008). Furthermore, the Part D data will not identify 
individual Part D plans, but will include an encrypted plan ID number. 
We believe this encryption will afford further protection for Part D 
drug cost information.
    While certain physician payment information contained in the Part B 
claims data is protected from disclosure to the general public by court 
injunctions entered in Florida Medical Association, Inc. v. Department 
of Health, Education & Welfare, 479 F. Supp. 1291 (M.D. Fla. 1979), and 
American Ass'n of Councils of Medical Staffs of Private Hospitals, Inc. 
v. Health Care Financing Administration, No. 78-

[[Page 76552]]

1373 (E.D. La 1980), that protection is specific to disclosures under 
the Freedom of Information Act (FOIA) exception to the Privacy Act at 5 
U.S.C. 552a(b)(2). Disclosures made under the qualified entity program 
under section 1874(e) of the Act are not FOIA-based disclosures. 
Rather, they are ``routine use'' disclosures from the National Claims 
History (NCH)--System No. 09-70-0558, Medicare Drug Data Processing 
System (DDPS)--System No. 09-70-0553, Medicare Integrated Data 
Repository (IDR)--System No. 09-70-0571, and Chronic Condition Data 
Repository (CCDR)--System No. 09-70-0573 systems of records under the 
Privacy Act and these implementing regulations. As such, they are not 
subject to the injunction.
    Comment: We received a variety of comments on technical assistance 
for qualified entities. Several commenters asked that CMS provide 
technical assistance, but not include it in the fee charged for the 
data. Other commenters suggested that technical assistance would not be 
needed.
    Response: We plan to provide qualified entities with the option to 
request technical assistance. Since we are removing all program 
management costs from the fee we will charge qualified entities, see 
discussion below at II.C.3., we do not plan to charge for these 
services.
1. Number of Years of Data
    CMS proposed to provide qualified entities with the most recent 
three calendar years of Medicare final action data available at the 
time the qualified entity is approved for participation in the program.
    Comment: Comments from both potential qualified entities and 
provider groups raised concerns about the timeliness of the data. 
Commenters generally requested that CMS release data on a quarterly 
basis or a rolling 12 month basis, with no more than a quarterly time 
lag. One commenter suggested that CMS only provide qualified entities 
with two calendar years of data because performance information 
regarding care provided in 2008 is too outdated to be relevant for 
providers or consumers.
    Response: We agree with commenters, so we are modifying what we 
proposed to make more timely data available to qualified entities. CMS 
will provide qualified entities with the most recent available 
historical data, which, for qualified entities approved at the 
beginning of the program, we expect would include data for CY2009, 
CY2010, and the first two quarters of 2011. Then, we would provide 
quarterly data updates on a rolling basis.
2. Geographic Areas
    CMS proposed to provide qualified entities with standardized data 
extracts for either a single geographic area or multiple regions, and 
to limit the provision of Medicare data to the geographic spread of the 
qualified entity's other claims data. In the proposed rule, we sought 
comment on releasing nationwide extracts of Medicare data.
    Comment: Several commenters requested that CMS release nationwide 
Medicare claims data. Some expected to conduct a nationwide performance 
review program, but many were interested in calculating national 
benchmarks. Commenters expressed feelings that national Medicare 
benchmarks would foster greater consumer and provider understanding of 
local measure results.
    Response: For entities interested in conducting a nationwide 
performance review program, we are unsure about the ability of any one 
entity to assemble a sufficient amount of data nationally to justify a 
nationwide release of Medicare data. If a qualified entity can 
demonstrate it has a sufficient amount of data nationwide, however, CMS 
will provide a 100% national extract.
    We agree that nationwide data may assist qualified entities in 
benchmarking their results. As a result, qualified entities will be 
allowed to request a 5% national sample of Medicare claims for the 
purposes of calculating national benchmarks. The 5% national sample of 
claims will not include a crosswalk to beneficiary names and Health 
Insurance Claim Numbers, discussed below in Section D.1, only the 
encrypted beneficiary ID to allow linking across Medicare claims data 
for measure calculation purposes. Qualified entities should provide a 
justification of needing a 5% national sample with their request. We 
will include a requirement in the Data Use Agreement (DUA, discussed in 
more detail below) prohibiting qualified entities from re-identifying 
claims included in the national sample they receive. Additionally, as 
these files are already in existence because they are used for other 
purposes, we anticipate that the cost of making this data available 
will be nominal.
    Comment: We received several comments on how CMS would determine 
which claims apply to a certain geographic region. We also received 
comments requesting that CMS not limit the provision of Medicare data 
to the geographic spread of the qualified entity's other claims data.
    Response: We will release claims based on the location of the 
beneficiary residence, not the location of the provider or supplier 
rendering the services. This will mean the qualified entity might not 
receive all of the Medicare claims for a given provider or supplier.
    While we recognize the desire to calculate performance measures for 
areas outside the geographic spread of the qualified entity's other 
claims data, we believe the intent of statute is for qualified entities 
to combine other claims data from an area with Medicare claims data for 
that same area to produce robust and actionable performance measures 
for providers, suppliers, and consumers.
3. Cost To Obtain Data
    Section 1874(e)(4)(A) of the Act requires qualified entities to pay 
a fee for obtaining the data that is equal to the cost of making such 
data available. In the proposed rule CMS interpreted the cost of making 
the data available to include two parts: (1) The cost of running the 
qualified entity program, including costs for processing applications, 
monitoring qualified entities, and providing technical assistance, and 
(2) the cost of creating a data set specific to each qualified entity's 
requested geographic area and securely transmitting the data set to the 
qualified entity. We estimated that the approximate cost to provide 
data for 2.5 million beneficiaries to a qualified entity would be 
$200,000. Approximately $75,000 of the $200,000 is cost of the claims 
data and approximately $125,000 is the cost of making the data 
available. We proposed that data costs would vary depending on the 
amount of data requested.
    Comment: Many commenters stated that CMS was being too broad in our 
interpretation of the statutory requirement to charge qualified 
entities for the cost of making the data available. Commenters 
suggested that CMS only charge qualified entities for the cost of 
generating the data, and not the cost of running the program. The 
comments also noted that high cost would be a barrier to entry for non-
profit organizations and states.
    Response: CMS concurs that there are public interests at stake that 
justify narrowing the scope of what constitutes the cost of making this 
data available. As such, we will drop the program management portion of 
the costs from what is included in the data fee we will charge 
qualified entities. We have also worked to identify several 
efficiencies in data preparation and distribution that will 
significantly reduce our initial

[[Page 76553]]

estimates for data costs. Our initial estimates were based on the fee 
we charge researchers for similar data. However, because all qualified 
entities will receive a standardized extract of the Medicare data, we 
will not need to address each request for data on an individual basis 
as we do with researchers, thereby significantly reducing the cost of 
making the data available, particularly the costs of encrypting the 
data.
    We estimate that the total approximate costs to provide data for 
2.5 million beneficiaries to qualified entities would be $40,000 in the 
first year of the program. We estimate that the cost to provide ten 
quarters (CY 2009, CY 2010, and Q1-Q2 CY2011) of data when the 
qualified entity is first approved would be $24,000. Thereafter, in 
2012 qualified entities would get 2 additional quarterly updates 
covering the remainder of CY 2011, each for a fee of $8,000, bringing 
the total cost of data for the first year of the program to $40,000. 
After the first year, qualified entities would get quarterly updates, 
each for a fee of $8,000, bringing the total cost to a qualified entity 
for subsequent years of the program to $32,000. It is important to note 
that all estimates of data costs are currently predicated on an 
estimate of 25 qualified entities, so if fewer than 25 qualified 
entities are approved, data costs per qualified entity will be higher, 
and conversely, if greater than 25 are approved, the costs will be 
lower. Additionally, data costs for qualified entities will vary 
depending on the amount of Medicare claims data the qualified entity 
requests (for example, more than one State, or a nationwide extract). 
CMS also reserves the right to revise the cost of the data if 
unanticipated expenses are determined in the future.

D. Data Security and Privacy

    The subpart created by these regulations will create a new program 
that provides for the release of Medicare beneficiary level data, with 
appropriate privacy and security protections. We recognize that many 
qualified entities will have had many years of experience using claims 
data to produce performance reports on providers and suppliers. 
Additionally, many qualified entities will have received data from 
private health plans through agreements that will require that the 
qualified entities observe certain security and privacy standards. We 
also recognize that new organizations or combinations of organizations 
may want to serve as qualified entities to produce performance reports. 
While CMS is committed to ensuring the success of qualified entities in 
combining Medicare data with claims data from other sources to create 
comprehensive performance reports for providers and suppliers, CMS is 
also committed to ensuring that the beneficiary-level data provided to 
qualified entities is subject to stringent security and privacy 
standards throughout all phases of the performance measure calculation, 
confidential reporting, appeal, and public reporting processes.
    In 2008, we published a regulation to permit Part D prescription 
drug event data to be used for program monitoring, research, public 
health, care coordination, quality improvement, population of personal 
health records, and other purposes. See 73 FR 30664. We intend to 
ensure that the release of Part D prescription drug event data under 
this program complies with the requirements in the Part D data 
regulation, including the minimum necessary data policy, and that 
qualified entities take the necessary steps to ensure that any 
prescription drug event data released to providers and suppliers as 
part of the review, appeal, and error correction process are also 
safeguarded to ensure the privacy and security of beneficiary 
information.
    Comment: Commenters were generally supportive of our intent to 
ensure the privacy and security of Medicare data under this program. A 
few commenters made specific suggestions regarding data privacy in 
general. One commenter suggested we clarify the interaction of this 
program and its data privacy and security requirements with State data 
privacy laws and specifically requested that CMS promulgate regulations 
that would preempt State law.
    Response: On the issue of the interaction of this program with 
State laws, we believe the issuance of universally applicable privacy 
regulations that would preempt State laws is outside the scope of the 
qualified entity program. Qualified entities will need to abide by 
applicable state laws in addition to the requirements in this subpart.
1. Privacy and Security Requirements for Qualified Entities
    We proposed to require that qualified entities have in place 
security protections for all data released by CMS, and any derivative 
files, including any Medicare claims data and any beneficiary 
identifiable data.
    We proposed that in order to be eligible to apply to receive 
Medicare data as a qualified entity, the applicant must demonstrate its 
capabilities to establish, maintain, and monitor a rigorous data 
privacy and security program, including ensuring compliance with 
submitted plans related to the privacy and security of data. 
Additionally, we proposed a requirement that the applicant submit to 
CMS a description of its rigorous data privacy and security policies 
including enforcement mechanisms. As part of their applications, 
qualified entities will also have to explain how they would ensure that 
only the minimum necessary beneficiary identifiable data would be 
disclosed to the provider or supplier in the event of a request by a 
provider or supplier in the context of a confidential review of a 
report, and how data would be securely transmitted to the provider or 
supplier.
    Comment: Commenters were generally supportive of requiring that 
qualified entities have rigorous data privacy and security protocols in 
place. Several commenters recommended that CMS require qualified 
entities to impose the same data and security requirements on the 
qualified entity's non-Medicare claims data as we require on the 
Medicare claims data. One commenter suggested CMS require qualified 
entities and other non-covered entities (that is, the small fraction of 
providers who do not submit claims electronically, and are therefore 
not subject to HIPAA) to enter into business associate agreements with 
CMS, pursuant to HIPAA.
    Response: We agree that the integrity of performance measurement 
depends on the integrity of the data, and CMS intends to take very 
seriously its role in ensuring qualified entities use Medicare data 
appropriately. However, we do not have the statutory authority to 
impose specific requirements on qualified entities with regard to the 
privacy and security of their non-Medicare claims data. It is our 
understanding that organizations will have executed contracts or other 
agreements with the entities from which they receive the non-Medicare 
claims data (for example, commercial insurance plans) that will contain 
the privacy and security requirements regarding that data. Similarly, 
we also cannot prescribe how or where a qualified entity stores its 
non-Medicare data.
    We seek to clarify the interaction between this program and HIPAA. 
Some commenters thought that we could address the privacy and security 
concerns related to qualified entities and other entities that are not 
directly subject to HIPAA by making them CMS' business associates 
(BAs). BAs are persons who or entities that use or disclose 
individually identifiable health information in conducting functions or

[[Page 76554]]

activities on behalf of a covered entity (see the definition of a BA at 
45 CFR 160.103), but qualified entities and providers and suppliers 
subject to the qualified entity program cannot serve as BAs because 
they are not doing their work on behalf of CMS as part of the Medicare 
program. CMS is merely providing data to qualified entities in 
accordance with the mandate in the Affordable Care Act, and, as such, 
its disclosure of protected health information is permitted by the 
HIPAA Privacy Rule as ``required by law'' (45 CFR 164.512(a)). That 
said, we believe our thorough evaluation of applicant qualified 
entities, the requirement to sign a Data Use Agreement (DUA), and 
subjecting the qualified entities to ongoing monitoring will be 
sufficient to ensure that qualified entities are appropriately using 
the Medicare data, as well as appropriately disclosing the Medicare 
data to providers and suppliers who request it.
    We proposed to require each approved qualified entity sign a DUA, 
which requires a level and scope of security that is not less than the 
level and scope of security requirements established by the Office of 
Management and Budget (OMB) in OMB Circular No. A-130, Appendix III--
Security of Federal Automated Information Systems (http://www.whitehouse.gov/omb/circulars/a130/a130.html) as well as Federal 
Information Processing Standard 200 entitled ``Minimum Security 
Requirements for Federal Information Systems'' (http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf); and Special 
Publication 800-53 ``Recommended Security Controls for Federal 
Information Systems'' (http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf).
    Comment: Commenters were in support of requiring qualified entities 
to sign a DUA with CMS. One commenter suggested we ensure the DUA is 
appropriate for this program, since the DUA cited in the proposed rule 
was the current DUA used for research purposes. Another commenter 
suggested CMS impose civil and criminal penalties on any qualified 
entity that causes a data privacy breach or violation. In addition, one 
commenter requested that we discuss how a qualified entity's existing 
DUAs might interact with this program.
    Response: We believe the requirement for each qualified entity to 
sign a DUA will ensure a high level of privacy and security of the 
Medicare data given to qualified entities. Because we have clarified 
that qualified entities do not need to be composed of a single legal 
entity, but may contract with other entities to achieve the ability to 
meet the eligibility criteria, we also clarify that both the lead 
entity as well as its contractors that are anticipated to use Medicare 
claims data or beneficiary identifiable data are required to sign the 
DUA. As discussed in the proposed rule, the DUA cited in the proposed 
rule is the current research DUA. We intend to use the addendum feature 
provided for in paragraph 12 of the document to address the specific 
needs of the qualified entity program. With regard to the comment 
suggesting imposition of civil and criminal penalties, we point out 
that the DUA currently does, and will continue to have, enforcement 
mechanisms including criminal penalties. CMS intends to make use of 
these provisions in the event of a breach or violation. We do not have 
the statutory authority to impose penalties beyond those already listed 
in the DUA. Finally, we note that DUAs are specific to a particular 
data disclosure from CMS to a data recipient. Any existing DUAs a 
qualified entity may have in place will only affect the data received 
under those DUAs. The qualified entity program DUA will govern 
qualified entity program Medicare data.
    Comment: We received some comments containing suggestions for 
requirements CMS should impose on qualified entities with regard to 
internal qualified entity operations. These suggestions included 
requiring that qualified entities limit the number of staff with access 
to identifiable information, and that qualified entities store Medicare 
data separately from other claims data.
    Response: The DUA, discussed above, contains provisions regarding 
access to and storage of CMS data. The DUA requires the qualified 
entity to limit access to the identifiable Medicare data to the minimum 
number of individuals required to create the performance reports. The 
DUA also requires the qualified entity to specify the site where the 
data is to be stored and to grant CMS access to the site to confirm 
compliance with the DUA. Additionally, as stated in the preamble to the 
proposed rule, we believe the entities that will be successful 
applicants to this program are entities that are experienced in 
handling sensitive information and will have the appropriate internal 
protocols and procedures in place.
    We also sought public comment on the appropriateness of accepting 
some form of independent accreditation or certification of compliance 
with data privacy and security requirements from qualified entities, 
and what that accreditation or certification might entail. The 
accreditation or certification would need to be at a level and scope of 
security that is not less than the level and scope of security 
requirements described above.
    Comment: We received no comments on this proposal.
    Response: Since we received no comments, we will not require 
qualified entities to have any kind of accreditation or certification 
separate from CMS' process in reviewing the application and requiring a 
signed DUA.
    We proposed that all the Medicare claims data provided to qualified 
entities would contain a unique encrypted beneficiary identification 
number, which would enable the qualified entities to link all Medicare 
claims for an individual beneficiary without knowing the identity (that 
is, name or Medicare Health Insurance Claim Number) of the beneficiary. 
We did not propose to send patient names with the claims data that 
would be initially disclosed to qualified entities. However, we 
recognized the need for beneficiary names to facilitate provider and 
supplier appeals.
    In the proposed rule, we considered three potential options for 
sharing beneficiary identifiers with qualified entities, and by 
extension, providers and suppliers. Under the first option, all 
qualified entities would be provided with a crosswalk file, with 
appropriate privacy and security protections, linking all encrypted 
beneficiary identifiers to the patients' names for their Medicare data. 
This would provide the qualified entity with identifiable data, but 
qualified entities would be permitted to give to a provider or supplier 
only the names of the beneficiaries included in that requester's 
performance report. Under the second option, CMS would only provide 
beneficiary names to qualified entities on a transactional basis for 
the purposes of responding to specific requests for data by providers 
and suppliers. Each request for beneficiary names would be addressed on 
a case-by-case basis through the forwarding of each data request by the 
qualified entity to CMS. CMS would then allow the qualified entity 
access to the beneficiary names for the specific data request. Under 
the third option, a provider or supplier who wishes to receive 
beneficiary names would request the encrypted claims data from the 
qualified entity as permitted under the statute. Then, the provider or 
supplier would submit a request to CMS for the beneficiary names for 
those specific claims and CMS would share the beneficiary names 
directly with the provider or supplier. Under the third

[[Page 76555]]

option, the qualified entity would never have access to the beneficiary 
names.
    Comment: Comments were mixed between favoring the first option and 
the second option. Very few commenters supported the third option. As 
discussed above in Section II.B.1., some commenters were interested in 
using measures that incorporate clinical data. A number of these 
commenters noted that the information contained in the crosswalk under 
option one (beneficiary names) would be necessary to their being able 
to link claims data to clinical data. Several commenters also noted 
that they would need an additional identifier, like the Medicare Health 
Insurance Claim Number (HICN), if they were to ensure the accurate 
linkage. Among other things, they asserted that the inclusion of 
multiple identifiers would ensure that they could differentiate amongst 
individuals with similar or identical names. Additionally, several 
commenters noted that, in instances in which an individual moved from 
coverage under one plan (for example, a private plan) to coverage under 
another (for example, Medicare), they would need patient identifiers in 
order to track the care provided to a patient over time. These 
commenters also supported the first option since it would allow 
qualified entities to match an individual's claims from other sources 
with their Medicare claims data. Commenters also supported the first 
option because it would allow qualified entities to quickly respond to 
requests for the data from providers and suppliers, and argued that the 
first option would be the least burdensome for qualified entities.
    One commenter suggested we phase-in release of beneficiary-
identifiable information: In the first year, qualified entities would 
receive the full crosswalk so they can easily respond to the 
anticipated high volume of requests from providers and suppliers, but 
in later years, after recipients are more familiar with the reports, 
beneficiary-identifiable information would only be released on a 
transactional basis. Still other commenters supported the second option 
because they felt it offered an appropriate balance between ensuring 
beneficiary privacy and allowing qualified entities to respond to 
specific provider or supplier requests for beneficiary names.
    Response: In response to the insights offered by the comments, we 
plan to implement a modified version of the first option. While we had 
thought that ``If one approaches this issue purely from the point of 
view of the ability of qualified entities to engage in measure 
calculation and reporting, beneficiary identifiable data is not 
required'' (76 FR 33574), it is clear from the comments noted above 
that beneficiary identifiable data, with appropriate privacy and 
security protections, is required if clinical data is to be used or if 
a qualified entity needs to link an individual's claims records across 
plans as they move over time from plan to plan.
    For example, a qualified entity could have private plan data for a 
patient who was enrolled in a private health plan in 2009 and early 
2010, but then in May 2010 enrolled in Medicare. To accurately 
calculate measures, the qualified entity may need to be able to match 
the private payer claims data that covers 2009 and January to April of 
2010 for the patient with the Medicare claims data that covers May 2010 
forward for the same patient. The beneficiary name alone would not be 
sufficient to match patients between claims data sources because of the 
high likelihood of duplicative names or naming variations in the data. 
To accurately match claims data from multiple sources, the patient 
social security number would be ideal. However, Medicare claims contain 
the Medicare HICN, which for many beneficiaries is the beneficiary's 
social security number plus a letter. In most cases the HICN will allow 
qualified entities to differentiate between individuals, and may allow 
for accurately matching claims data between sources in those instances 
in which it does include the beneficiary's own social security number. 
We acknowledge that there are cases where the HICN does not include the 
beneficiary's social security number, for example, for beneficiaries 
who qualify for Medicare through their spouse. In these cases, the 
beneficiary name will be the best available identifier to use to match 
records from multiple sources, but even if the HICN cannot be used to 
match claims data between sources, it will still be needed to 
differentiate individuals with similar names or naming variations.
    In light of the overwhelming support for the release of a crosswalk 
file in the comments, the likelihood that entities will need the 
identifiers to combine clinical data or link claims records across 
plans over time, the need for the identifiers to conduct the provider 
and supplier review and appeal process, and the considerable costs that 
would be entailed in building a case-by-case inquiry capability for 
qualified entities, we will amend our proposal and adopt the policy of 
automatically releasing a crosswalk file with appropriate privacy and 
security protections linking the encrypted ID to both the beneficiary 
name and the beneficiary Medicare HICN to all qualified entities. This 
constitutes a modified version of option one.
    We expect that our rigorous eligibility requirements, the 
requirement that the lead entity, as well as any contractors who use 
the data, sign a DUA, and comprehensive monitoring process will ensure 
that any data shared with qualified entities are kept in a manner that 
will not compromise beneficiary privacy. As noted above, an applicant 
must have strict data privacy and security protocols in place to be 
eligible to serve as a qualified entity. Furthermore, the DUA contains 
a requirement that the qualified entity establish the ``appropriate 
administrative, technical, and physical safeguards to protect the 
confidentiality of the data and to prevent unauthorized use or access 
to it'' and does not allow the data to be physically moved, 
transmitted, or disclosed without written approval from CMS. The DUA 
also allows CMS or the Office of the Inspector General to access the 
site where the data is stored to confirm compliance with required 
security standards. The DUA requires the qualified entity to limit 
access to the data to the minimum amount of data and minimum number of 
individuals necessary to achieve the purposes of the qualified entity 
program. In the event that CMS determines or has a reasonable belief 
that unauthorized uses, reuses, or disclosures of the data may have 
taken place, the DUA allows CMS, among other things, to require the 
destruction of all data files and to refuse to release further CMS data 
to the qualified entity for any period of time. As noted above, the DUA 
also contains criminal penalties, including fines and imprisonment, for 
unauthorized disclosures of the data. The comprehensive qualified 
entity monitoring program is discussed in more detail below in section 
II.F. and includes CMS audits of qualified entities' use of the data, 
site visits, and analysis of beneficiary and/or provider complaints 
among other things.
    As a result of the decision to release a crosswalk with appropriate 
privacy and security protections to all qualified entities, qualified 
entities will already be in possession of patients' names and HICNs at 
the time providers and suppliers are reviewing draft reports and making 
correction requests. We will ensure that the qualified entity program 
DUA (discussed above) provides for qualified entities releasing names 
only upon request by providers and suppliers

[[Page 76556]]

when that information is relevant to their review and requests for 
correction.
    We recognize that some may question why we are retaining our plan 
to include an encrypted beneficiary identifier in the claims data if 
every qualified entity will receive the crosswalk. We have two reasons 
to separate the claims data from the beneficiary names and HICNs. 
First, shipping the claims data separate from the crosswalk file adds 
an additional level of security while the data is in transit. Second, 
we believe that qualified entities may want to limit access to the 
crosswalk file to ensure the utmost privacy and security of this data 
and having two separate files will make this much easier.
    It is also worth noting that CMS does not ship claims data without 
first encrypting the data. Unlike encrypting an individual data 
element, this process involves cryptographically scrambling the data so 
that it cannot be correctly re-assembled (that is, deciphered) unless 
the receiving party has the correct key. This protects the data while 
it is in transit.
    We hope that through implementing this modified version of option 
one with appropriate privacy and security protections, qualified 
entities will be able to link clinical data to claims data and match 
claims data from other sources to Medicare claims data for the same 
patient. Additionally, implementing a modified version of option one 
allows qualified entities to quickly respond to requests from providers 
or suppliers for beneficiary identifiers during the report review and 
correction request process.
2. Privacy and Security Requirements of Data Released to Providers and 
Suppliers
    Section 1874(e)(4)(B)(v) of the Act requires qualified entities to 
make the Medicare claims data they receive available to providers and 
suppliers upon their request. We do not interpret this requirement to 
mean that providers or suppliers could receive all Medicare claims data 
for a given patient or patients. Rather, we proposed to require 
qualified entities to provide, with appropriate privacy and security 
protections, only the claims relevant to the particular measure or 
measure results being appealed. Therefore, for example, a provider or 
supplier requesting claims data in relation to a diabetes quality 
measure would only receive the claims related to the calculation of 
that quality measure. We realize this may result in providers or 
suppliers receiving data related to claims submitted by another 
provider or supplier. We solicited comment on any privacy or security 
issues related to release of data to providers or suppliers.
    Comment: We received several comments concerning the privacy and 
security of the data released to providers and suppliers. One commenter 
suggested we clarify exactly what data can be requested from the 
qualified entity. And, as stated above, comments included the 
suggestion that CMS require non-covered entities (that is, the small 
fraction of providers who do not submit claims electronically, and are 
therefore not subject to HIPAA) to enter into business associate 
agreements with CMS, pursuant to HIPAA.
    Response: Regarding the request for clarification about what data 
can be released, we stated in the preamble to the proposed rule (at 76 
FR 33577), that we believe that for many providers and suppliers, the 
beneficiary name may be of more practical use in determining the 
accuracy of the measure results than the underlying claims used to 
calculate the measures. However, the statute does explicitly 
acknowledge that upon request qualified entities would need to share 
with providers or suppliers ``data made available under this 
subsection.'' We would like to reiterate that we do not interpret this 
provision to mean that providers or suppliers could receive all 
Medicare claims data for a given patient or patients. Rather, we 
interpret this to mean that, at the request of providers or suppliers, 
qualified entities will provide only claims and/or beneficiary names 
relevant to the particular measure or measure results that the provider 
or supplier is appealing.
    Since we made a technical change in the regulation text and removed 
the reference to section 1874(e) from the definition of a qualified 
entity (as noted above in Section II.A.1.), we have added the 
requirement that qualified entities release Medicare claims to 
providers and suppliers to the regulation text. We have added a 
requirement in Sec.  401.717(c) that qualified entities, at the request 
of a provider or supplier and with appropriate privacy and security 
protections, release the Medicare claims and/or beneficiary names to 
the provider or supplier, but we require qualified entities to only 
release those claims and/or beneficiary names relevant to the measure 
or measure results being appealed.
    As stated above, we acknowledge that the providers and suppliers 
who request data may or may not be covered entities under HIPAA. Also, 
as noted above, a BA is limited to a person or an entity using or 
disclosing individually identifiable health information on behalf of a 
HIPAA covered entity. The qualified entity and providers and suppliers 
in the qualified entity program are not going to be doing anything on 
behalf of CMS or the Medicare program. They therefore cannot be BAs of 
CMS by virtue of the qualified entity program.
3. Beneficiary Privacy and Security
    Following provision of the performance reports on a confidential 
basis to providers or suppliers, qualified entities are required to 
make performance information public. In accordance with the statute, we 
proposed to require that qualified entities ensure that all publicly 
available reports do not contain beneficiary identifiable information. 
Additionally, we proposed to prohibit qualified entities from 
disclosing information in their publicly available reports that there 
is a reasonable basis to believe can be used in combination with other 
publicly available information to re-identify individual patients.
    Comment: One commenter suggested we allow beneficiaries to opt-out 
of having their data released under this program.
    Response: We do not have the statutory authority to permit 
beneficiaries to opt out of this program. However, we also note that 
the intent of this program is to increase transparency and promote 
innovation in measure development which we believe will contribute 
significantly to improving beneficiary care in the long run. As 
mentioned above, we also believe the final rule contains appropriate 
beneficiary privacy protections and penalties for any misuse of the 
data by qualified entities.

E. Confidential Opportunities To Review, Appeal, and Correct Errors

    One important aspect of this program is ensuring that providers and 
suppliers are afforded an opportunity to correct errors in the 
reporting of their performance metrics. To meet the requirements in the 
statute related to appeal and error correction, we proposed to require 
applicants to include a plan for their report review, appeals, and 
error correction process in their application. This plan would contain 
several elements, including the means for sharing results 
confidentially and the means by which a provider or supplier can 
request and receive Medicare claims data. We proposed that qualified 
entities would need to confidentially share measure results with 
providers and suppliers at least 30 days prior to making the reports 
public. We also proposed that qualified entities must inform providers 
and suppliers

[[Page 76557]]

that the report would be made public on a certain date (at least 30 
days after confidentially sharing the measure results), regardless of 
the status of error correction.
    Comment: We received several comments on the overall review, 
appeals, and error correction process. Some commenters asked CMS to 
standardize the process across qualified entities. On the other hand, 
one commenter argued that if CMS both approves and audits the claims 
and the qualified entity process for creating the reports, review by 
providers and suppliers is unnecessary. Another commenter asked CMS to 
require qualified entities to automatically provide the beneficiary 
names to providers and suppliers. Several commenters asked CMS to 
require qualified entities to announce publically on a Web site 
supported by HHS or in notifications to major organizations that 
represent providers and suppliers that have been evaluated by the 
qualified entity, the availability of reports for confidential review. 
Finally, several commenters suggested allowing qualified entities to 
require that a provider or supplier document and authenticate their 
identity and, if requesting data, their legal right to see the data, as 
well as provide a secure communication process for transmission of 
requested information.
    Response: We believe an important aspect of the qualified entity 
program is innovation, not only in the development of measures, but 
also in the process for sharing measure results with physicians, as 
well as the process for responding to requests for data and for error 
correction. To reiterate, this is not a Medicare quality measurement 
program--we are merely a data source for those who meet the 
requirements laid out in this subpart. Qualified entities design their 
programs within the statutory and regulatory limits, including crafting 
their own confidential review, appeals, and error correction processes. 
This will result in innovations that will improve the way providers and 
suppliers receive reports and interact with the qualified entity. The 
statute is clear in the requirement that qualified entities develop a 
confidential review, appeals, and error correction process, so we do 
not agree that this is an unnecessary part of the qualified entity 
program. Furthermore, while we understand the interest in obtaining 
beneficiary names automatically, protecting the privacy and security of 
beneficiary identifiable information is required by the statute, as 
well as being of the utmost importance to CMS. We feel that releasing 
beneficiary names only at the request of a provider or supplier and 
only for the measure or measure results being appealed strikes the 
appropriate balance between protecting beneficiary privacy and allowing 
providers and suppliers the opportunity to provide input on their 
reports.
    The statute requires that qualified entities make reports available 
to providers and suppliers prior to the public release of reports. 
Since each provider or supplier will confidentially receive any report 
where they are identified, we see no need for qualified entities to 
announce publically the availability of reports. Additionally, we 
acknowledge the importance of ensuring the data is securely transmitted 
to the correct provider or supplier. However, we believe that it is the 
responsibility of the qualified entity to ensure that the data is 
delivered using a secure method to the appropriate provider or supplier 
and require applicants to describe their means of confidentially 
sharing reports with providers and suppliers as part of their 
application.
    Comment: Many commenters argued that the proposed time period 
between providers and suppliers confidentially receiving reports and 
the qualified entity publically reporting results is too short. 
Commenters suggested a time period of 60 or 90 days.
    Response: We recognize, in light of the comments, that our proposal 
may not have allowed providers and suppliers an appropriate amount of 
time to review their confidential reports. However, we also recognize 
the importance of ensuring that report results are released to the 
public in a timely manner. Therefore, qualified entities must share 
measures, measurement methodology, and measure results with providers 
and suppliers at least 60 calendar days prior to making the measure 
results public. Beginning on the date on which the qualified entity 
sends the confidential reports to a provider or supplier, that provider 
and supplier will have a minimum of 60 calendar days to review the 
reports, make a request for the data, review the data, and, if 
necessary, make a request for error correction. Qualified entities also 
must inform providers and suppliers of the date the reports would be 
made public at least 60 calendar days before making the reports public. 
Additionally, the qualified entity must publically release reports on 
the specified date regardless of the status of any requests for error 
correction. We recognize that this process allows providers and 
suppliers to make a request for the data or a request for error 
correction up to the point the reports are made public; however, we 
believe that it is up to the qualified entity and provider or supplier 
to manage the timing of this process to ensure that they have adequate 
time to request the data and, if necessary, request error 
correction(s).
    Comment: We received several comments on our proposal that 
qualified entities publish reports on a certain date, regardless of the 
status of requests for appeals or error correction. Several commenters 
requested that CMS not allow qualified entities to publish measure 
results until the request for error correction is resolved. Other 
commenters recommended that we create a two-step track where if a 
request cannot be resolved between the qualified entity and a provider 
or supplier, the request is elevated to CMS for a final decision. 
Furthermore, some commenters wanted CMS to require qualified entities 
to publish provider or supplier comments in the report if a request is 
not resolved at the time of report publication. One commenter requested 
that CMS allow providers or suppliers to publicly defend themselves if 
reports are published prior to resolving error correction requests. We 
also received a comment suggesting CMS allow providers or suppliers to 
appeal after reports are made public. Finally, one commenter asked CMS 
to ensure that qualified entities have the appropriate amount of staff 
to respond to appeals.
    Response: We acknowledge the interest of providers and suppliers in 
ensuring that any measure results reported publicly are correct. 
However, as we mentioned in the proposed rule, we included this 
requirement to prevent providers or suppliers from making spurious 
requests for error correction to prevent the publication of measure 
results. We will maintain our requirement that qualified entities 
publicly report measure results on the date specified to the provider 
or supplier when the report is sent for review (at least 60 days after 
the date on which the confidential reports are sent to a provider or 
supplier), regardless of the status of a request for error correction. 
We hope that by extending the amount of time between confidentially 
sharing reports with providers and suppliers and publically reporting 
results to at least 60 calendar days, we are allowing both providers 
and suppliers ample opportunity to resolve the appeals process. If an 
appeal request is still outstanding at the time of public reporting, we 
will maintain the requirement that qualified entities post publicly the 
name and category of the appeal request for providers or suppliers

[[Page 76558]]

with outstanding requests for error correction, if feasible, but do not 
believe that qualified entities should be required to publicly post 
comments from providers or suppliers.
    Additionally, since this program does not involve CMS contracting 
with qualified entities to carry out a quality measurement program on 
behalf of CMS, we do not believe it is appropriate for CMS to become 
involved in the appeals and error correction process or to offer a 
public forum for providers or suppliers to defend themselves. We 
recognize the concern about ensuring that a qualified entity has the 
appropriate staff to respond to requests for error correction. However, 
we are certain that the rigorous application process will guarantee 
that only qualified organizations receive Medicare claims data. 
Additionally, we will be monitoring qualified entities to determine if 
they are promptly responding to requests for data and requests for 
error correction.
    In the proposed rule, we acknowledged that CMS does not have the 
statutory authority to require qualified entities to share their claims 
data from other sources. We encouraged qualified entities to share this 
data with providers or suppliers upon request.
    Comment: We received multiple comments asking CMS to require 
qualified entities to release their non-Medicare claims data to 
providers or suppliers upon request. Some commenters requested that CMS 
only approve entities who agreed to release their other claims data.
    Response: We do not have the statutory authority to require 
qualified entities to release their non-Medicare data. We hope that 
qualified entities will choose to do so whenever it is legally 
permitted, but are aware that their ability to release other claims 
data is partially dependent on the terms of the arrangement the 
qualified entity has with the entity from whom they received the data.
    Comment: Commenters suggested we implement 2012 as a ``test year'' 
for the program and allow qualified entities to only produce 
confidential performance reports without any public reporting.
    Response: We do not have the statutory authority to implement a 
``test year'' for this program. The statutory effective date of this 
provision is January 1, 2012, and all requirements under the law are 
applicable on that date.

F. Monitoring, Oversight, Sanctioning, and Termination

    To ensure that qualified entities adhere to the highest standards, 
we proposed a monitoring program that would assess compliance with the 
requirements of the program and assess sanctions or termination as 
deemed appropriate by CMS. We proposed that CMS, or one of its 
designated contractors, would periodically audit (including site 
visits) qualified entities for their use of the Medicare data to ensure 
that the data is only being used for its intended purpose. We also 
proposed to monitor the amount of claims data from other sources the 
qualified entity is using in the production of performance reports 
using documentation produced by the qualified entity or, at the 
discretion of CMS, site visits. Additionally, we proposed to use 
analysis of beneficiary and/or provider complaints to monitor and 
assess the performance of qualified entities. We also proposed to 
require qualified entities to submit an annual report covering program 
adherence (for example, number of claims, market share, number of 
measures) and engagement of providers and suppliers (for example, 
requests for data, number of corrections, time to respond to requests 
for appeal or error correction). Finally, we proposed requiring 
qualified entities to submit to CMS information regarding any 
inappropriate disclosures or uses of beneficiary identifiable data 
pursuant to the requirements in the DUA.
    Comment: We received many comments supporting our monitoring 
program. Some commenters specifically supported the requirement that 
qualified entities submit a report covering the engagement of providers 
and suppliers. One commenter asked CMS to ensure that there is 
appropriate funding for CMS to conduct the necessary qualified entity 
monitoring activities.
    Response: We would like to reiterate our commitment to ensuring the 
successful implementation of this program and that all qualified 
entities adhere to the highest standards, which includes ensuring that 
we have the necessary funding to support a monitoring program.
    Comment: Some commenters made suggestions about specific aspects of 
the monitoring plan. One commenter suggested that qualified entities 
only submit reports on program adherence and engagement of providers 
and suppliers once every two years. Additionally, several commenters 
requested CMS not include site visits as a part of monitoring because 
it is too burdensome.
    Response: We plan to maintain our proposed monitoring process and 
note that, in the cases where a qualified entity is composed of a lead 
entity and contractors, contractors will also be subject to CMS 
monitoring. We believe that annual reports and site visits are 
essential to allow CMS to best monitor the program and to both maximize 
the appropriate use of Medicare data for the production of performance 
reports and minimize the risk of inappropriate disclosure of 
beneficiary information.
    We proposed that a qualified entity must immediately inform CMS if 
its amount of claims data from other sources decreases. We also 
proposed to require that the qualified entity provide documentation 
that the remaining non-Medicare claims data is still sufficient to 
address methodological concerns regarding sample size and reliability 
expressed by stakeholders regarding the calculation of performance 
measures from a single source. As reflected at Sec.  401.706(c) of the 
proposed rule, the qualified entity would no longer be able to issue a 
report, use a measure, or share a report after the amount of claims 
data from other sources decreases until CMS made an assessment as to 
the sufficiency of the remaining data. If CMS determined that the 
qualified entity's remaining claims data was not sufficient, we 
proposed that the qualified entity would have 60 days to acquire new 
data and submit new documentation to CMS. The qualified entity would 
not be able to use Medicare data to issue reports, use measures, share 
measures, or share a report during this time. If after re-submission of 
documentation, CMS determined the qualified entity still did not 
possess adequate data, we proposed to terminate the relationship with 
the qualified entity. If after resubmission of documentation, CMS 
determined that the qualified entity did possess sufficient data, we 
proposed the qualified entity could resume all measurement and 
reporting activities.
    Comment: Commenters requested two changes to our proposed process 
for addressing a decrease in the amount of other claims data. First, 
several commenters suggested that qualified entities only be required 
to stop measurement and reporting if the decrease in other claims data 
is significant. Second, commenters requested more time for qualified 
entities to acquire new data.
    Response: While we recognize the interest in continuing measurement 
efforts during this review process, we believe it is important for CMS 
to make the determination as to whether the remaining claims data is 
adequate to ensure that the methodological concerns regarding sample 
size and reliability expressed by stakeholders regarding

[[Page 76559]]

calculation of performance measures from a single payer source. To 
ensure that the decrease does not materially affect the validity of 
measure results, we will maintain our proposal to require qualified 
entities to stop all activities while CMS reviews the documentation 
related to the decrease in other claims data; after the amount of 
claims data from other sources decreases, the qualified entity would no 
longer be able to create a report, use a measure, or share a report 
(either confidentially or publically) using Medicare data until CMS 
determines either that the remaining claims data is sufficient, or that 
the qualified entity has collected adequate additional data to address 
any deficiencies. That said, we recognize the request to extend the 
amount of time a qualified entity has to acquire new data, so we will 
extend this timeframe to 120 days.
    We also proposed that if a qualified entity is not adhering to the 
requirements of the program, CMS may take several enforcement actions, 
such as providing a warning notice, requesting a corrective action 
plan, placing an entity on a special monitoring plan, or terminating 
the qualified entity. These enforcement actions are in addition to the 
actions CMS may take if a qualified entity violates the DUA, as 
discussed in more detail above in section II.D.1. The choice of 
enforcement action would depend on the seriousness of the deficiency. 
Any time a qualified entity is voluntarily or involuntarily terminated, 
we proposed requiring the destruction or return of Medicare data within 
30 days.
    Comment: We received some comments stating that the proposed 
penalties are not strict enough. Additionally, one commenter requested 
that CMS provide for termination for inaccurate reporting or for 
failing to make timely corrections upon providers' or suppliers' 
request.
    Response: We are limited by the statute in the penalties we can 
impose on qualified entities who do not comply with the requirements of 
the program. We note, however, that CMS does have additional 
enforcement capabilities for violations of the DUA, including criminal 
penalties. As CMS will require the lead entity, as well as any 
contractors who have access to the Medicare claims data or beneficiary 
identifiable data, to sign the DUA before CMS releases any data, these 
penalties will apply to all organizations with access to the Medicare 
data.
    While CMS reserves the right to terminate a qualified entity for 
inaccurate reporting, we believe that there are degrees of seriousness 
in inaccurate reporting, and some situations may not warrant 
termination, particularly if the inaccuracy was unintentional, CMS was 
promptly identified, and the inaccuracy was promptly resolved. We will 
therefore maintain our proposal to base our actions on the seriousness 
of the deficiency.
    Comment: Several commenters requested clarification on how long 
qualified entities would be able to keep the Medicare data that they 
receive under this program. One commenter suggested placing an outer 
limit on retention of files.
    Response: After carefully considering the beneficiary privacy and 
security implications of our policy, we do not believe that qualified 
entities must destroy or return Medicare data (including crosswalks) 
provided under the qualified entity program unless they voluntarily 
leave or are involuntarily terminated from the program. Qualified 
entities will need to retain the Medicare data, with appropriate 
privacy and security protections, in order to trend measure results 
over time or to calculate measures that require a number of years of 
data for measure calculation. We understand that this will mean that 
qualified entities will also retain beneficiary identifiable data 
(including that found in the crosswalks), but we believe that this 
information will also be necessary to calculate measures that require a 
number of years of claims data. We feel it is important to note that a 
beneficiary's encrypted identifier will not change from year to year, 
so unless a beneficiary dies or moves out of the geographic region, the 
qualified entity will continue to need the crosswalk linking the 
encrypted ID to the beneficiary HICN and name to carry out the 
activities outlined above in our crosswalk discussion. We have 
carefully considered the beneficiary privacy and security implications 
of our policy, and note that the DUA remains in effect so long as the 
qualified entity participates in the program. Furthermore, the 
monitoring requirements described herein, as well as the requirement 
that qualified entities reapply every three years as described below in 
section II.G., should assist in ensuring that this data remains secure 
and private. We would like to reiterate, however, that once an entity 
voluntarily leaves or is involuntarily terminated from the program it 
must destroy or return all CMS data provided under this subsection 
within 30 days.

G. Qualified Entity Application Content

    We proposed to develop an application process for organizations 
interested in becoming qualified entities in which they would provide 
certain specified information. We proposed applications and related 
materials would be collected and reviewed once a year, at the close of 
the first quarter of the calendar year. We proposed approval periods of 
three years, followed by an opportunity to reapply.
    Comment: We received comments containing suggestions for how CMS 
could improve the application content and process. Specifically, one 
commenter suggested using a standard electronic application. 
Additionally, a commenter suggested that CMS accept applications on a 
rolling basis. Another commenter preferred that CMS not require re-
application after three years.
    Response: CMS appreciates and acknowledges the benefits of 
accepting qualified entity applications on a rolling basis instead of 
once annually. This would allow organizations to apply to be a 
qualified entity as soon as they believe they meet all the eligibility 
requirements, instead of requiring the organization to wait a year 
until the next application cycle. We are therefore changing to a 
rolling application process. We will also use an electronic 
application.
    While we understand the burdens that re-application will impose, we 
also need to ensure that Medicare data are being used appropriately and 
handled securely. While we believe the monitoring program described 
above will help ensure qualified entities continue to meet the 
requirements of the program, the application process covers 
significantly more aspects of an organization's continuing ability to 
serve as a qualified entity. Therefore, CMS believes that requiring re-
application every three years balances the burden on qualified entities 
with the need to ensure Medicare data is being handled appropriately.

H. Other Comments

    We received several additional suggestions for improvements to the 
program regarding topics that were not specifically discussed in the 
preamble to the proposed rule.
    Comment: A few commenters advised that CMS require knowledge 
sharing among qualified entities, rather than merely suggesting it.
    Response: CMS agrees with commenters that performance improvement 
will occur most rapidly in an open collaborative environment where 
ideas and knowledge are shared

[[Page 76560]]

freely and openly. CMS will strongly encourage and facilitate, where 
possible, collaborative knowledge sharing, but will not require it as a 
condition of program participation.
    Comment: Several commenters expressed concern about CMS conducting 
performance analysis of providers and suppliers. Commenters also 
expressed concern about performance measurement generally, and had 
specific concerns about performance measurement based solely on claims 
data.
    Response: This program is not a CMS measurement program and, 
therefore, CMS will not be conducting performance analysis of providers 
and suppliers in this program. Rather qualified entities will combine 
Medicare claims data supplied by CMS with other claims data to 
calculate performance measures for providers and suppliers. We 
recognize commenters' concerns about the limitations of performance 
measurement based on claims data alone. Therefore, as discussed above 
in section II.B.1, we will allow qualified entities to use measures 
that incorporate clinical data, as long as the measure can be 
calculated in part from Medicare and other claims data.
    Comment: Commenters suggested CMS should undertake a public 
education and outreach program to inform consumers about the qualified 
entity program and explain the limitations of provider and supplier 
performance measurement.
    Response: We agree that CMS should inform consumers about the 
qualified entity program. We also believe it is essential for CMS to be 
transparent to beneficiaries and the general public about our plans for 
sharing identifiable information, with appropriate privacy and security 
protections, with qualified entities. CMS will publish educational 
materials on the CMS Web site regarding the qualified entity program, 
including a description of the beneficiary information that is being 
shared with qualified entities and an explanation of the privacy and 
security requirements, as well as the qualified entity monitoring 
program and termination policies.
    We also hope that qualified entities will engage in public 
education and outreach in the communities where they serve. However, we 
are not requiring qualified entities to do public outreach beyond 
making the performance reports, with an understandable description of 
the measures, available to the public after confidential review by 
providers and suppliers.
    Comment: One commenter requested that we clarify how performance 
measurement information will be published.
    Response: The statute requires that qualified entities allow 
confidential review of the reports, that they be provided to the 
public, and that the reports contain understandable descriptions of the 
methodologies used. Qualified entities must receive approval of report 
formats before they can be published, but each qualified entity has the 
discretion to design reports and publish using the approved formats.
    Comment: One commenter suggested that CMS make available the full 
data set at no charge to recognized provider organizations such as the 
American Medical Association and allow providers and suppliers to 
analyze their data there.
    Response: The statute does not permit CMS to release the data to 
any entity other than those approved as qualified entities. However, as 
stated in the preamble to the proposed rule, we are not placing any 
restrictions on the types of organizations that can apply to be a 
qualified entity. If a recognized provider organization meets the 
eligibility criteria, it can become a qualified entity and receive 
Medicare data. Additionally, the statute does not permit CMS to release 
data at no charge. Section 1874(e)(4)(A) states that the data ``shall 
be made available * * * at a fee equal to the cost of making such data 
available.'' That said, as discussed in section II.C.3. above, we have 
revised our method for pricing this data and we believe the data will 
be significantly more affordable than originally proposed.
    Comment: One commenter requested that CMS clarify that the data 
released to qualified entities will not be subject to discovery or 
admissible as evidence in judicial or administrative proceedings.
    Response: The statute, at 1874(e)(4)(D), explicitly states, 
``[d]ata released to a qualified entity under this subsection shall not 
be subject to discovery or admission as evidence in judicial or 
administrative proceedings without consent of the applicable provider 
of services or supplier.'' We acknowledge that we did not address this 
specific statement in the preamble to the proposed rule, but we believe 
this statement is self-implementing in that it requires no further 
explanation, and the data will not be subject to discovery or admission 
as evidence absent the described consent(s).
    Comment: One commenter asked CMS to clarify that these regulations 
have no effect on any other programs in which Medicare claims data are 
released. A second commenter requested that we ensure the program can 
accommodate the transition to ICD-10.
    Response: We clarify that this program will not have any effect on 
other CMS programs in which Medicare claims data are released. CMS is 
working to ensure that the transition to ICD-10 happens smoothly.
    Comment: One commenter requested that CMS only allow measurement 
and rating of providers and suppliers in situations where CMS pays for 
the item or services.
    Response: Medicare only pays claims for covered services and 
supplies; if a service or supply is not covered, a claim will not 
appear in the Medicare data. While a qualified entity could decide to 
produce a measurement report based solely on its other claims data, 
such reporting would be outside of the qualified entity program and the 
reports would be outside of the reach of these regulations.

III. Provisions of the Final Regulations

    For the most part, this final rule incorporates the provisions of 
the proposed rule. Those provisions of this final rule that differ from 
the proposed rule are as follows:
     We have made technical changes to the definition of a 
qualified entity, provider, and supplier to reflect regulatory 
interpretation of the statutory provisions cited in the proposed rule. 
We have also added a definition of claims data from other sources at 
Sec.  401.703(h) and a definition of clinical data at Sec.  401.703(i).
     We clarify that qualified entities do not need to be a 
single organization. Applicants may contract with others to achieve the 
ability to meet the eligibility criteria. Specifically, at Sec.  
401.705(b) we allow entities to demonstrate expertise and experience 
through activities it has conducted directly or through (a) contract(s) 
with other public or private entities.
     We changed our eligibility requirements at Sec.  
401.705(a)(1) to only require that entities demonstrate expertise in 
quality measurement and in the other three areas of measurement 
(efficiency, effectiveness, and resource use) to the extent that they 
propose to use such measures.
     At Sec.  401.705(a)(1)(ii) we clarify that we only expect 
applicants to submit a plan for a business model that is projected to 
cover the costs of performing the required functions. We realize that 
qualified entities may need to adapt this plan once they are approved 
and do not intend to limit an entity's ability to adapt or change its

[[Page 76561]]

business plan once approved as a qualified entity.
     We added language at Sec.  401.705(a)(1)(vii) that would 
require qualified entities to also disclose any violations of 
applicable federal and State privacy and security laws and regulations 
for the preceding 10-year period, in addition to requiring qualified 
entities to disclose any inappropriate disclosures of beneficiary 
identifiable information for the preceding 10-year period. We also 
clarified that for those entities that have not been in existence for 
10 years, we will require a breach history for the length of time the 
organization has been in existence.
     We have revised the selection criteria to allow applicants 
to apply and receive a conditional acceptance as a qualified entity if 
they do not have adequate claims data from other sources at the time of 
their application, but meet all the other selection requirements.
     Since standard measure specifications are available to the 
public at this time, we removed the requirement that qualified entities 
submit measure specifications for standard measures the qualified 
entity plans to calculate.
     We clarified that these regulations do not place any added 
limitations on the qualified entity's ability to copyright the content 
of the publicly released reports. We noted, however that the qualified 
entity must provide confidential reports to the subject providers and 
suppliers free of charge and must provide the final reports to the 
public free of change in a manner consistent with the requirements in 
the qualified entity program statute.
     At Sec.  401.711(a) we allow qualified entities to change 
their list of proposed measures, proposed prototype report, and plans 
for sharing reports with the public with 30 days notice to CMS, instead 
of 90 days notice to CMS. We provide for a possible 30-day extension of 
the review period where necessary. If a CMS decision on approval or 
disapproval for a change or modification is not forthcoming within 30 
days or CMS does not request an additional 30 days for review, the 
change or modification shall be deemed to be approved.
     We will allow qualified entities to use standard and 
alternative measures calculated in full or in part from Medicare Parts 
A and B claims, and Part D prescription drug event data and claims from 
other sources. This means that qualified entities will be allowed to 
calculate measures that include clinical data. As noted above, we have 
added a definition of clinical data at Sec.  401.703(i).
     We have added measures endorsed by a CMS-approved 
consensus-based entity to the list of standard measures. CMS will 
approve organizations as consensus-based entities based on review of 
documentation of the consensus-based entity's measure approval process.
     We have added a second process by which qualified entities 
may seek approval to use alternative measures. Organizations and 
individuals will still be able to submit alternative measures for 
approval through the notice and comment rulemaking process. However, at 
Sec.  401.715(b)(1)(ii), we also allow an entity to submit measures for 
approval by the Secretary by submitting: (1) A description of the 
process by which the qualified entity notified stakeholders (defined as 
a valid cross representation of providers, suppliers, employers, 
payers, and consumers) in the geographic region the qualified entity 
serves of its intent to seek approval of an alternative measures; (2) a 
list of stakeholders from whom feedback was solicited, including the 
stakeholder names and each stakeholder's role in the community; (3) a 
description of the discussion about the proposed alternative measure, 
including a summary of all pertinent arguments for and against the 
measure; and (4) unless CMS has already approved the same measure for 
use by another qualified entity, an explanation backed by scientific 
evidence that demonstrates why the measure meets the requirements for 
alternative measures at Section 1874(e)(4)(B)(i)(II) of the Act. If a 
qualified entity is seeking to use an alternative measure that CMS has 
already approved for use by another qualified entity, the qualified 
entity submitting the measure for approval must submit any additional 
or new scientific evidence, if it is available. If a CMS decision on 
approval or disapproval of measures submitted via the process at 
401.715(b)(1)(ii) is not forthcoming 60 days after the submission of 
the measure, the measure will be deemed approved. However, CMS retains 
the right, even after 60 days, to direct the qualified entity to stop 
using the measure if we subsequently find the measure does not meet the 
requirements at Section 1874(e)(4)(B)(i)(II) of the Act.
     We have identified efficiencies that will reduce the cost 
of Medicare claims data under the qualified entity program, and we have 
altered the dates of data that will be made available through this 
program, thereby increasing the timeliness of that data.
     We will allow qualified entities to purchase a 5 percent 
national sample of Medicare claims data for the purpose of calculating 
national benchmarks.
     Using appropriate privacy and security protections, we 
will provide qualified entities (that sign the DUA and meet all the 
privacy and security requirements) with a crosswalk file linking 
encrypted beneficiary ID to the beneficiary name and beneficiary Health 
Insurance Claim Number.
     At Sec.  401.717(a), we extended the time period between a 
qualified entity sending a confidential report to a provider or 
supplier and public reporting of measure results to at least 60 
calendar days.
     We will allow qualified entities 120 days to acquire new 
data if the amount of other claims data they have decreases and CMS 
determines the remaining amount of other claims data is not sufficient.
     We changed our application process and will accept 
applications on a rolling basis as discussed at Sec.  401.709(a).

IV. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995, we are required to 
provide 30-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act 
of 1995 requires that we solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    We are soliciting public comment on each of these issues for the 
following sections of this document that contain information collection 
requirements (ICRs).
    If finalized, these regulations would require an organization 
seeking to receive data as a qualified entity to submit an application. 
Specifically, an applicant must submit the information listed in 
Sec. Sec.  401.705-401.709. The burden associated with this requirement 
is the time and effort necessary to gather, process, and submit the 
required information to CMS. We estimate that 35 organizations would 
submit applications to receive data as qualified

[[Page 76562]]

entities. We further estimate that it would take each applicant 500 
hours to gather, process and submit the required information. The total 
estimated burden associated with this requirement is 500 hours per 
applicant at an estimated cost of $795,641.
    Section 401.713(a) states that as part of the application review 
and approval process, a qualified entity would be required to execute a 
Data Use Agreement (DUA) with CMS, that among other things, reaffirms 
the statutory bar on the use of Medicare data for purposes other than 
those referenced above. The burden associated with executing this DUA 
is currently approved under OMB control number 0938-0734.
    Section 401.709(f) would require qualified entities in good 
standing to re-apply for qualified entity status 6 months before the 
end of their three-year approval period. We estimate that 25 entities 
would be required to comply with this requirement. We estimate that it 
would take 120 hours to reapply to CMS. The total estimated burden 
associated with this requirement is 120 hours at an estimated cost of 
$136,396.
    Section 410.719(b) requires qualified entities to submit annual 
reports to CMS as part of CMS' ongoing monitoring of qualified entity 
activities. We estimate that the 25 entities in the program will be 
required to comply with this requirement. We estimate that it will take 
150 hours to complete an annual monitoring report. The total estimated 
burden associated with this requirement is 150 hours at $170,475.

                                              Table 1--Estimated Annual Recordkeeping and Reporting Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                         Hourly
                                                                             Burden per     Total      labor cost  Total labor     Total
     Regulation section(s)      OMB control No.   Respondents   Responses     response      annual         of        cost of      capital/    Total cost
                                                                              (hours)       burden     reporting    reporting   maintenance      ($)
                                                                                           (hours)        ($)         ($) *      costs  ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec.   401.705(a).............  0938-New.......            35           35          500       17,500           **      795,641            0      795,641
Sec.   401.709(f).............  0938-New.......            25           25          120        3,000           **      136,396            0      136,396
Sec.   401.719(b).............  0938-New.......            25           25          150        3,750           **      170,475            0      170,475
                               -------------------------------------------------------------------------------------------------------------------------
    Total.....................  ...............            35           35  ...........       24,250  ...........  ...........  ...........    1,102,512
--------------------------------------------------------------------------------------------------------------------------------------------------------
* Total labor cost assuming 92% of total hours are professional and technical and 8% are legal.
** Wage rates vary by level of staff involved in complying with the information collection request (ICR).

    To obtain copies of the supporting statement and any related forms 
for the proposed paperwork collections referenced above, access CMS' 
Web site at http://www.cms.gov/PaperworkReductionActof1995/PRAL/list.asp#TopOfPage or email your request, including your address, phone 
number, OMB number, and CMS document identifier, to 
[email protected], or call the Reports Clearance Office at 410-786-
1326.
    If you comment on these information collection and recordkeeping 
requirements, please submit your comments to the Office of Information 
and Regulatory Affairs, Office of Management and Budget,
    Attention: CMS Desk Officer, CMS-5059-F.
    Fax: (202) 395-6974; or
    Email: [email protected].

V. Regulatory Impact Analysis

A. Response to Comments

    We received several comments on the anticipated effects of the 
program.
    Comment: Several commenters argued that the cost of the data is too 
high. As stated above, these commenters often recommended CMS remove 
the data application costs or provide a sliding scale fee for the data, 
charging non-profits and government organizations a lower fee.
    Response: While we do not feel we were being too broad in our 
interpretation of the statute, we recognize commenters' concerns and, 
as discussed above, have removed the program management costs from the 
fee we will charge for the data. As further addressed above, we have 
also identified several efficiencies in the creation of the data files 
which will further lower the cost of the data. However, we would like 
to reiterate that these estimates are based on a qualified entity 
program with 25 approved qualified entities. The cost of the data will 
increase if fewer organizations are approved as qualified entities and 
decrease if more organizations are approved as qualified entities 
because the fixed costs of providing the data would be spread across 
the total number of qualified entities.
    Comment: We received a handful of comments stating that the 
application process for qualified entities is too burdensome.
    Response: As discussed above, we believe ensuring that 
organizations approved as qualified entities are experienced in 
performance measurement and reporting and have the necessary plans to 
serve as a qualified entity is essential for the success of the 
qualified entity program. Thus, we do not believe the application is 
too burdensome.
    Comment: We received several comments on the impact on providers 
and suppliers. A number of commenters stated that the number of hours 
estimated for a provider or supplier to review performance reports or 
submit correction requests is too low. Many commenters also argued that 
the hourly wage rate for physicians' offices is too low. Finally, a 
number of comments suggested that providers and suppliers might hire 
contractors to help with reviewing draft reports and requesting 
corrections.
    Response: While we understand that some providers and suppliers may 
spend many hours reviewing reports and submitting correction requests, 
we believe 5 hours reviewing reports is appropriate as an average. For 
example, some providers and suppliers will spend less than an hour 
reviewing their reports, but others may spend 10 hours. The same 
situation applies for error correction requests. Some providers and 
suppliers may only have concerns about one measure, and after seeing 
the data may realize that their concerns were unfounded. However, 
others may engage in a longer discourse with the qualified entity. On 
average, we believe that providers and suppliers will spend 
approximately 10 hours preparing and submitting error correction 
requests. We do recognize that some providers and suppliers may choose 
to hire contractors to assist in preparing and submitting a correction 
request and have added this to the impact on providers and suppliers 
discussed below.
    Additionally, while we understand physicians' hourly wage exceeds 
$30.90, we believe physicians are not the only ones in their offices 
who will be reviewing the performance reports and

[[Page 76563]]

submitting correction requests. Some of this work may be done by other 
physician office staff such as administrative staff, nurses, physician 
assistants, and case workers. Therefore, we believe our average hourly 
wage rate is appropriate to calculate the impact of this program on 
providers and suppliers. Changes described in our response are 
reflected in the remainder of the Regulatory Impact Analysis.

B. Overall Impact

    We have examined the impacts of this rule as required by Executive 
Order 12866 on Regulatory Planning and Review (September 30, 1993), 
Executive Order 13563 on Improving Regulation and Regulatory Review 
(January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19, 
1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, 
section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 
1995, Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 
1999), and the Congressional Review Act (5 U.S.C. 804(2)).
    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both cost and 
benefits, reducing costs, harmonizing rules, and promoting flexibility. 
A regulatory impact analysis (RIA) must be prepared for major rules 
with economically significant effects ($100 million or more in any 1 
year). This final rule is not economically significant as measured by 
the $100 million threshold, and hence not a major rule under the 
Congressional Review Act. We estimate the total impact of this final 
rule to be approximately $86 million. We provided a detailed assessment 
of the impacts associated with this final rule, as noted below.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses, if a rule has a significant impact on a 
substantial number of small entities. We estimate that two types of 
entities may be affected by the program established by section 1874(e) 
of the Act: Organizations that desire to operate as qualified entities 
and the providers and suppliers who receive performance reports from 
qualified entities. We anticipate that most providers and suppliers 
receiving qualified entities' performance reports would be hospitals 
and physicians. Many hospitals and most other health care providers and 
suppliers are small entities, either by being nonprofit organizations 
or by meeting the Small Business Administration definition of a small 
business (having revenues of less than $34.5 million in any 1 year) 
(for details, see the Small Business Administration's Web site at 
http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf (refer to the 620000 series). For purposes of the RFA, 
physicians are considered small businesses if they generate revenues of 
$10 million or less based on Small Business Administration size 
standards. Approximately 95 percent of physicians are considered to be 
small entities. We estimate that most hospitals and most other 
providers are small entities as that term is used in the RFA (including 
small businesses, nonprofit organizations, and small governmental 
jurisdictions). However, because the total estimated impact would be 
spread over a number of providers and suppliers, no one entity would 
face a significant impact. Additionally, as CMS has reduced the cost of 
the data for qualified entities, we do not anticipate that this rule 
will have a significant impact on qualified entities. Therefore, the 
Secretary has determined this final rule would not have a significant 
impact on a substantial number of small entities. We have voluntarily 
provided an analysis of the estimated impacts on qualified entities and 
providers and suppliers below in section V.C., as well as alternatives 
considered in section V.D.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis, if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. Any 
such regulatory impact analysis must conform to the provisions of 
section 604 of the RFA. For purposes of section 1102(b) of the Act, we 
define a small rural hospital as a hospital that is located outside of 
a metropolitan statistical area and has fewer than 100 beds. We do not 
believe this final rule has impact on significant operations of a 
substantial number of small rural hospitals because we anticipate that 
most qualified entities would focus their performance evaluation 
efforts on metropolitan areas where the majority of health services are 
provided. Therefore, the Secretary has determined that this final rule 
would not have a significant impact on the operations of a substantial 
number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any 1 year of $100 
million in 1995 dollars, updated annually for inflation. In 2011, that 
threshold is approximately $136 million. This rule would not mandate 
any requirements for State, local, or tribal governments in the 
aggregate, or by the private sector, of $136 million. Specifically, as 
explained below we anticipate the total impact of this final rule on 
all parties to be approximately $86 million.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a final rule that imposes 
substantial direct requirement costs on State and local governments, 
preempts State law, or otherwise has Federalism implications. We have 
examined this final rule in accordance with Executive Order 13132 and 
have determined that this regulation would not have any substantial 
direct effect on State or local governments, preempt States, or 
otherwise have a Federalism implication.

C. Anticipated Effects

a. Impact on Qualified Entities
    Because section 1874(e) of the Act establishes a new program, there 
is little quantitative information available to inform our estimates. 
However, we believe that many or most qualified entities are likely to 
resemble community quality collaborative programs such as participants 
in the CMS Better Quality Information for Medicare Beneficiaries pilot 
(https://www.cms.gov/BQI/) and the AHRQ Chartered Value Exchange (CVE) 
program (http://www.ahrq.gov/qual/value/lncveover.htm). Community 
quality collaboratives are community-based organizations of multiple 
stakeholders that work together to transform health care at the local 
level by promoting quality and efficiency of care, and by measuring and 
publishing quality information. Consequently, we have examined 
available information related to those programs to inform our 
assumptions, although there is only limited available data that is 
directly applicable to this analysis.
    We estimate that 35 organizations would submit applications to 
participate as qualified entities. We anticipate that the majority of 
applicants would be nonprofit organizations such as existing community 
collaboratives. In estimating qualified entity impacts, we used hourly 
labor costs in several labor categories reported by the Bureau of Labor 
Statistics (BLS) at http://

[[Page 76564]]

data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual rates for 
2010, an update from the proposed rule where we used rates from 2009, 
and added 33 percent for overhead and fringe benefit costs. These rates 
are displayed in Table 2.

                           Table 2--Labor Rates for Qualified Entity Impact Estimates
----------------------------------------------------------------------------------------------------------------
                                                                    2010 hourly
                                                                     wage rate     OH and fringe   Total hourly
                                                                       (BLS)           (33%)           costs
----------------------------------------------------------------------------------------------------------------
Professional & technical services...............................          $34.63          $11.43          $46.06
Legal review....................................................           35.98           11.87           47.85
Custom computer programming.....................................           40.50           13.37           53.87
Data processing & hosting.......................................           31.57           10.42           41.99
Other information services......................................           33.55           11.07           44.62
----------------------------------------------------------------------------------------------------------------

    We estimate that preparation of an application would require a 
total of 500 hours of effort, requiring a combination of staff in the 
professional and technical services and the legal labor categories.
    We estimate that 25 of these applicants would be approved as 
participating qualified entities, and that each qualified entity would 
request Medicare claims data accompanied by payment for these data. 
Because of the eligibility criteria we are proposing for qualified 
entities, we believe that it is likely that all of these organizations 
would already be performing work related to calculation of quality 
measures and production of performance reports for health care 
providers and suppliers, so the impact of the program established by 
section 1874(e) of the Act would be an opportunity to add Medicare 
claims data to their existing function.
    The statute directs that the fees for these data be equal to the 
government's cost to make the data available. We are proposing to 
initially provide ten quarters of data to qualified entities with 
quarterly updates thereafter. Based on CMS past experience providing 
Medicare data to research entities, we estimate that the total 
approximate costs to provide ten quarters (CY 2009, CY 2010, and Q1-Q2 
CY2011) of data for 2.5 million beneficiaries to a qualified entity 
would be $24,000. Qualified entities would also get 2 quarterly 
updates, each for a fee of $8,000, during the year, bringing the total 
cost of data for the first year of the program to $40,000 as shown in 
Table 3.
    We estimate that, on average, each qualified entity's activity to 
analyze the Medicare claims data, calculate performance measures and 
produce provider and supplier performance reports would require 5,500 
hours of effort. We estimate that half of the qualified entities (13) 
would propose alternative performance measures, which would involve an 
additional 2,100 hours of effort for each entity.
    We further estimate that, on average, each qualified entity would 
expend 5,000 hours of effort processing providers' and suppliers' 
appeals of their performance reports and producing revised reports, and 
2,000 hours making information about the performance measures publicly 
available. These estimates assume that, as discussed below in the 
section on provider and supplier impacts, on average 25 percent of 
providers and suppliers would appeal their results from a qualified 
entity. These assumptions are based on a belief that in the first year 
of the program many providers or suppliers would want to appeal their 
results prior to performance reports being made available to the 
public. Responding to these appeals in an appropriate manner would 
require a significant investment of time on the part of qualified 
entities. This equates to an average of four hours per appeal for each 
qualified entity. We assume that the complexity of appeals would vary 
greatly, and as such, the time required to address them would also vary 
greatly. Many appeals may be able to be dealt with in an hour or less 
while some appeals may require multiple meetings between the qualified 
entity and the affected provider or supplier. On average however, we 
believe that this is a realistic and reasonable estimate of the burden 
of the appeals process on qualified entities. We discuss the burden of 
the appeals process on providers and suppliers below.
    We anticipate that qualified entities would expend 2,000 hours of 
effort developing their proposed performance report. These estimated 
hours are separated into labor categories in Table 3 below, with the 
pertinent hourly labor rates and cost totals.
    Finally, we estimate that each qualified entity would spend 255 
hours of effort submitting information to CMS for monitoring purposes. 
This would include audits and site visits as discussed above. It would 
also include an annual report that contains measures of general program 
adherence, measures of the provider and suppliers data sharing, error 
correction, and appeals process, and measures of the success of the 
program with consumers. Finally, qualified entities would be required 
to notify CMS of inappropriate disclosures or use of beneficiary 
identifiable data pursuant to the requirements in the DUA. We believe 
that many of the required data elements in both the annual report and 
the report generated in response to an inappropriate disclosure or use 
of beneficiary identifiable data would be generated as a matter of 
course by the qualified entities and therefore, would not require 
significant additional effort. Based on the assumptions we have 
described, we estimate the total impact on qualified entities for the 
first year of the program to be a cost of $45,504,048.

[[Page 76565]]



                                                             Table 3--Impact on Qualified Entities for the First Year of the Program
                                                                                 [Impact on qualified entities]
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                               Hours
                                                                 ----------------------------------------------------------------
                            Activity                                                                                   Data        Labor hourly      Cost  per       Number of      Total cost
                                                                   Professional        Legal         Computer       processing         cost          applicant      applicants        impact
                                                                   and technical                    programming     and hosting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                        APPLICATION COSTS
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Preparation of application by candidate qualified entities
a. Prepare draft application....................................             360  ..............  ..............  ..............          $46.06         $16,582  ..............  ..............
b. Legal review.................................................  ..............              40  ..............  ..............           47.85           1,914  ..............  ..............
c. Revisions to draft application...............................              60  ..............  ..............  ..............           46.06           2,764  ..............  ..............
d. Senior management review and signature.......................              40  ..............  ..............  ..............           46.06           1,842  ..............  ..............
Total: application preparation..................................             460              40  ..............  ..............  ..............          23,102              35        $808,556
Medicare data purchase costs by approved qualified entities.....  ..............  ..............  ..............  ..............  ..............          40,000              25       1,000,000
                                                                 -------------------------------------------------------------------------------------------------------------------------------
    Total: Applications.........................................  ..............  ..............  ..............  ..............  ..............  ..............  ..............       1,808,556
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                       QE OPERATIONS COSTS
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Database administration.........................................  ..............  ..............  ..............             500           41.99          20,995              25         524,875
Data analysis/measure calculation/report preparation............  ..............  ..............            2500  ..............           53.87         134,675              25       3,366,875
                                                                                                                            2500           41.99         104,975              25       2,624,375
Development and submission of alternative measures..............            1000  ..............  ..............  ..............           46.06          46,060              13         598,780
                                                                                                             100            1000           53.87           5,387              13          70,031
                                                                                                                                           41.99          41,990              13         545,870
Qualified entity processing of provider or supplier appeals and             4000  ..............  ..............  ..............           46.06         184,240              25       4,606,000
 report revision................................................                            1000                                           47.85          47,850              25       1,196,250
Development of proposed performance report formats..............            1000  ..............  ..............  ..............           46.06          46,060              25       1,151,500
                                                                                                            1000                           53.87          53,870              25       1,346,750
Publication of performance reports..............................  ..............  ..............            1000  ..............           53.87          53,870              25       1,346,750
                                                                                                                            1000           41.99          41,990              25       1,049,750
Monitoring......................................................  ..............  ..............  ..............             255           41.99          10,707              25         267,686
Computer hardware and processing................................  ..............  ..............  ..............  ..............  ..............       1,000,000              25      25,000,000
                                                                 -------------------------------------------------------------------------------------------------------------------------------
    Total: Operations...........................................  ..............  ..............  ..............  ..............  ..............  ..............  ..............      43,695,492
                                                                 -------------------------------------------------------------------------------------------------------------------------------
        TOTAL QUALIFIED ENTITY IMPACTS (application plus          ..............  ..............  ..............  ..............  ..............  ..............  ..............      45,504,048
         operations)............................................
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

b. Impact on Health Care Providers and Suppliers
    Table 4 reflects the hourly labor rates used in our estimate of the 
impacts of the first year of section 1874(e) of the Act on health care 
providers and suppliers, as well as the professional and technical 
services of consultants. The rates in Table 4 are for 2010 and have 
been updated from the proposed rule where we used rates for 2009. We 
note that numerous health care payers, community quality 
collaboratives, States, and other organizations are producing 
performance measures for health care providers and suppliers using data 
from other sources, and that providers and suppliers are already 
receiving performance reports from these sources. We anticipate that 
the Medicare claims data would merely be added to those existing 
efforts to improve the statistical validity of the measure findings, 
and therefore the impact of including Medicare claims data in these 
existing performance reporting processes is likely to be marginal. 
Additionally, while we acknowledge that reviewing and appealing the 
reports will be a burden for providers and suppliers, we also note that 
there are many benefits of this program for providers and suppliers, as 
well as the Medicare program, consumers, and purchasers. As a result of 
this program, providers and suppliers will likely receive one report 
covering a majority of their patients, rather than a report from each 
payer. Furthermore, the transparency of performance results will help 
providers and suppliers improve quality and reduce costs.

[[Page 76566]]



                         Table 4--Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------------------------------
                                                                               Overhead and
                                                         2010 hourly  wage   fringe benefits      Total hourly
                                                            rate  (BLS)           (33%)              costs
----------------------------------------------------------------------------------------------------------------
                             Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------------------------------
Physicians' offices....................................             $32.24             $10.64             $42.88
Hospitals..............................................              27.42               9.05              36.47
Professional and technical services....................              34.63              11.43              46.06
----------------------------------------------------------------------------------------------------------------

    We anticipate that the impacts on providers and suppliers consist 
of costs to review the performance reports generated by qualified 
entities and, if they choose, appeal their performance calculations. 
Based on a review of available information from the Better Quality 
Information and the Charter Value Exchange programs, we estimate that, 
on average, each qualified entity would distribute performance reports 
to 5,000 health providers and suppliers. We anticipate that the largest 
proportion of providers and suppliers would be physicians because they 
comprise the largest group of providers and suppliers, and are a 
primary focus of many recent performance evaluation efforts. Based on 
our review of information from these existing programs, we assume that 
95 percent of the recipients of performance reports (that is, an 
average of 4,750 per qualified entity) would be physicians, and 5 
percent (that is, an average of 250 per qualified entity) would be 
hospitals and other suppliers. Providers and suppliers receive these 
reports with no obligation to review them, but we assume that most 
would do so to verify that their calculated performance measures 
reflect their actual patients and health events. We estimate that, on 
average, each provider or supplier would devote five hours to reviewing 
these reports. This average reflects that some providers and suppliers 
will spend less than half an hour reviewing reports, while others may 
spend 10 hours.
    We estimate that 25 percent of the providers and suppliers would 
decide to appeal their performance calculations, and that preparing the 
appeal would involve an average of ten hours of effort on the part of a 
provider or supplier. We assume that 50 percent of the providers and 
suppliers who decide to appeal would hire consultants to assist with 
the appeals process. As with our assumptions regarding the level of 
effort required by qualified entities in operating the appeals process, 
we believe that this average covers a range of provider and supplier 
efforts from those who would need just one or two hours to clarify any 
questions or concerns regarding their performance reports to those who 
would devote significant time and resources to the appeals process.
    Using the hourly costs displayed in Table 4, the impacts on 
providers and suppliers are calculated below in Table 5. Based on the 
assumptions we have described, we estimate the total impact on 
providers and suppliers for the first year of the program to be a cost 
of $40,458,400.
    As stated above in Table 3, we estimate the total impact on 
qualified entities to be a cost of $45,504,048. Therefore, the total 
impact on qualified entities and on providers and suppliers for the 
first year of the program is estimated to be $85,962,448.

                                      Table 5--Impact on Providers and Suppliers for the First Year of the Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                           Hours per provider                                       Number of
                                                ----------------------------------------                            providers    Number of
                    Activity                                               Professional     Labor       Cost per       per       qualified    Total cost
                                                  Physician    Hospitals        and      hourly cost   applicant    qualified     entities      impact
                                                   offices                   technical                                entity
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                            Impact on Providers and Suppliers
--------------------------------------------------------------------------------------------------------------------------------------------------------
Provider review of performance reports.........            5  ...........  ............       $42.88         $214        4,750           25  $25,460,000
                                                 ...........            5  ............        36.47          182          250           25    1,139,688
Preparing and submitting appeal request to                10  ...........  ............        42.88          429          594           25    6,367,680
 qualified entities............................
                                                 ...........           10  ............        36.47          365           31           25      282,643
                                                 ...........  ...........            10        46.06          461          626           25    7,208,390
                                                --------------------------------------------------------------------------------------------------------
    Total provider impacts.....................  ...........  ...........  ............  ...........  ...........  ...........  ...........   40,458,400
--------------------------------------------------------------------------------------------------------------------------------------------------------

D. Alternatives Considered

    The statutory provisions that were added by section 1874(e) of the 
Act are detailed and prescriptive about the eligibility for, and 
requirements of the qualified entity program. Consequently, we believe 
there are limited alternative approaches that would ensure program 
success and statutory compliance. We considered proposing a less 
comprehensive set of eligibility criteria for qualified entities (for 
example, eliminating requirements that applicants demonstrate 
capabilities related to calculation of measures, developing performance 
reports, combining Medicare claims data with other claims, and data 
privacy and security protection). While such an approach might have 
reduced certain application and operating costs for these entities, we 
did not adopt such an approach for several reasons. An important 
consideration is the protection of beneficiary identifiable data. We 
believe if we do not require qualified entities to provide sufficient

[[Page 76567]]

evidence of data privacy and security protection capabilities, there 
would be increased risks related to the protection of beneficiary 
identifiable data.
    Additionally, we believe that requiring less stringent requirements 
regarding the production and reporting of measures would lead to 
increases in the number of provider and supplier appeals, and 
consequently in appeals-related costs for providers, suppliers and 
qualified entities. We expect that such a scenario would not support 
the development of a cooperative relationship between qualified 
entities and providers and suppliers.

E. Conclusion

    As explained above, we estimate the total impact for the first year 
of the program on qualified entities, providers and suppliers to be a 
cost of $85,962,448. Based on these estimates, we conclude this final 
rule does not reach the threshold for economically significant effects 
and thus is not considered a major rule.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

List of Subjects in 42 CFR Part 401

    Claims, Freedom of information, Health facilities, Medicare, 
Privacy.

    For the reasons set forth in the preamble, the Centers for Medicare 
& Medicaid Services amends 42 CFR chapter IV as set forth below:

PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation for part 401 is revised to read as follows:

    Authority: Secs. 1102, 1871, and 1874(e) of the Social Security 
Act (42 U.S.C. 1302, 1395hh, and 1395w-5).


0
2. A new subpart G is added to part 401 to read as follows:
Subpart G--Availability of Medicare Data for Performance Measurement
Sec.
401.701 Purpose and scope.
401.703 Definitions.
401.705 Eligibility criteria for qualified entities.
401.707 Operating and governance requirements for qualified 
entities.
401.709 The application process and requirements.
401.711 Updates to plans submitted as part of the application 
process.
401.713 Ensuring the privacy and security of data.
401.715 Selection and use of performance measures.
401.717 Provider and supplier requests for error correction.
401.719 Monitoring and sanctioning of qualified entities.
401.721 Terminating an agreement with a qualified entity.

Subpart G--Availability of Medicare Data for Performance 
Measurement


Sec.  401.701  Purpose and scope.

    The regulations in this subpart implement section 1874(e) of the 
Social Security Act as it applies to Medicare data made available to 
qualified entities for the evaluation of the performance of providers 
and suppliers.


Sec.  401.703  Definitions.

    For purposes of this subpart:
    (a) Qualified entity means either a single public or private 
entity, or a lead entity and its contractors, that meets the following 
requirements:
    (1) Is qualified, as determined by the Secretary, to use claims 
data to evaluate the performance of providers and suppliers on measures 
of quality, efficiency, effectiveness, and resource use.
    (2) Agrees to meet the requirements described in this subpart at 
Sec. Sec.  401.705 through 401.721.
    (b) Provider of services (referred to as a provider) has the same 
meaning as the term ``provider'' in Sec.  400.202 of this chapter.
    (c) Supplier has the same meaning as the term ``supplier'' at Sec.  
400.202 of this chapter.
    (d) Claim means an itemized billing statement from a provider or 
supplier that, except in the context of Part D prescription drug event 
data, requests payment for a list of services and supplies that were 
furnished to a Medicare beneficiary in the Medicare fee-for-service 
context, or to a participant in other insurance or entitlement program 
contexts. In the Medicare program, claims files are available for each 
institutional (inpatient, outpatient, skilled nursing facility, 
hospice, or home health agency) and non-institutional (physician and 
durable medical equipment providers and suppliers) claim type as well 
as Medicare Part D Prescription Drug Event (PDE) data.
    (e) Standardized data extract is a subset of Medicare claims data 
that the Secretary would make available to qualified entities under 
this subpart.
    (f) Beneficiary identifiable data is any data that contains the 
beneficiary's name, Medicare Health Insurance Claim Number (HICN), or 
any other direct identifying factors, including, but not limited to 
postal address or telephone number.
    (g) Encrypted data is any data that does not contain the 
beneficiary's name or any other direct identifying factors, but does 
include a unique CMS-assigned beneficiary identifier that allows for 
the linking of claims without divulging any direct identifier of the 
beneficiary.
    (h) Claims data from other sources means provider- or supplier-
identifiable claims data that an applicant or qualified entity has full 
data usage right to due to its own operations or disclosures from 
providers, suppliers, private payers, multi-payer databases, or other 
sources.
    (i) Clinical data is registry data, chart-abstracted data, 
laboratory results, electronic health record information, or other 
information relating to the care or services furnished to patients that 
is not included in administrative claims data, but is available in 
electronic form.


Sec.  401.705  Eligibility criteria for qualified entities.

    (a) Eligibility criteria: To be eligible to apply to receive data 
as a qualified entity under this subpart, an applicant generally must 
demonstrate expertise and sustained experience, defined as 3 or more 
years, in the following three areas, as applicable and appropriate to 
the proposed use:
    (1) Organizational and governance criteria, including:
    (i) Expertise in the areas of measurement that they propose to use 
in accurately calculating quality, and efficiency, effectiveness, or 
resource use measures from claims data, including the following:
    (A) Identifying an appropriate method to attribute a particular 
patient's services to specific providers and suppliers.
    (B) Ensuring the use of approaches to ensure statistical validity 
such as a minimum number of observations or minimum denominator for 
each measure.
    (C) Using methods for risk-adjustment to account for variations in 
both case-mix and severity among providers and suppliers.
    (D) Identifying methods for handling outliers.
    (E) Correcting measurement errors and assessing measure 
reliability.
    (F) Identifying appropriate peer groups of providers and suppliers 
for meaningful comparisons.
    (ii) A plan for a business model that is projected to cover the 
costs of performing the required functions, including the fee for the 
data.
    (iii) Successfully combining claims data from different payers to 
calculate performance reports.
    (iv) Designing, and continuously improving the format of 
performance reports on providers and suppliers.

[[Page 76568]]

    (v) Preparing an understandable description of the measures used to 
evaluate the performance of providers and suppliers so that consumers, 
providers and suppliers, health plans, researchers, and other 
stakeholders can assess performance reports.
    (vi) Implementing and maintaining a process for providers and 
suppliers identified in a report to review the report prior to 
publication and providing a timely response to provider and supplier 
inquiries regarding requests for data, error correction, and appeals.
    (vii) Establishing, maintaining, and monitoring a rigorous data 
privacy and security program, including disclosing to CMS any 
inappropriate disclosures of beneficiary identifiable information, 
violations of applicable federal and State privacy and security laws 
and regulations for the preceding 10-year period (or, if the applicant 
has not been in existence for 10 years, the length of time the 
applicant has been an organization), and any corrective actions taken 
to address the issues.
    (viii) Accurately preparing performance reports on providers and 
suppliers and making performance report information available to the 
public in aggregate form, that is, at the provider or supplier level.
    (2) Expertise in combining Medicare claims data with claims data 
from other sources, including demonstrating to the Secretary's 
satisfaction that the claims data from other sources that it intends to 
combine with the Medicare data received under this subpart address the 
methodological concerns regarding sample size and reliability that have 
been expressed by stakeholders regarding the calculation of performance 
measures from a single payer source.
    (3) Expertise in establishing, documenting and implementing 
rigorous data privacy and security policies including enforcement 
mechanisms.
    (b) Source of expertise and experience: An applicant may 
demonstrate expertise and experience in any or all of the areas 
described in paragraph (a) of this section through one of the 
following:
    (1) Activities it has conducted directly through its own staff.
    (2) Contracts with other entities if the applicant is the lead 
entity and includes documentation in its application of the contractual 
arrangements that exist between it and any other entity whose expertise 
and experience is relied upon in submitting the application.


Sec.  401.707  Operating and governance requirements for qualified 
entities.

    A qualified entity must meet the following operating and governance 
requirements:
    (a) Submit to CMS a list of all measures it intends to calculate 
and report, the geographic areas it intends to serve, and the methods 
of creating and disseminating reports. This list must include the 
following information, as applicable and appropriate to the proposed 
use:
    (1) Name of the measure, and whether it is a standard or 
alternative measure.
    (2) Name of the measure developer/owner.
    (3) If it is an alternative measure, measure specifications, 
including numerator and denominator.
    (4) The rationale for selecting each measure, including the 
relationship to existing measurement efforts and the relevancy to the 
population in the geographic area(s) the entity would serve, including 
the following:
    (i) A specific description of the geographic area or areas it 
intends to serve.
    (ii) A specific description of how each measure evaluates providers 
and suppliers on quality, efficiency, effectiveness, and/or resource 
use.
    (5) A description of the methodologies it intends to use in 
creating reports with respect to all of the following topics:
    (i) Attribution of beneficiaries to providers and/or suppliers.
    (ii) Benchmarking performance data, including the following:
    (A) Methods for creating peer groups.
    (B) Justification of any minimum sample size determinations made.
    (C) Methods for handling statistical outliers.
    (iii) Risk adjustment, where appropriate.
    (iv) Payment standardization, where appropriate.
    (b) Submit to CMS a description of the process it would establish 
to allow providers and suppliers to view reports confidentially, 
request data, and ask for the correction of errors before the reports 
are made public.
    (c) Submit to CMS a prototype report and a description of its plans 
for making the reports available to the public.
    (d) Submit to CMS information about the claims data it possesses 
from other sources, as defined at Sec.  401.703(h), and documentation 
of adequate rights to use the other claims data for the purposes of 
this subpart.
    (e) If requesting a 5 percent national sample to calculate 
benchmarks for the specific measures it is using, submit to CMS a 
justification for needing the file to calculate benchmarks.


Sec.  401.709  The application process and requirements.

    (a) Application deadline. CMS accepts qualified entity applications 
on a rolling basis after an application is made available on the CMS 
Web site. CMS reviews applications in the order in which they are 
received.
    (b) Selection criteria. To be approved as a qualified entity under 
this subpart, the applicant must meet one of the following:
    (1) Standard approval process: Meet the eligibility and operational 
and governance requirements, fulfill all of the application 
requirements to CMS' satisfaction, and agree to pay a fee equal to the 
cost of CMS making the data available. The applicant and each of its 
contractors that are anticipated to have access to the Medicare data 
must also execute a Data Use Agreement with CMS, that among other 
things, reaffirms the statutory ban on the use of Medicare data 
provided to the qualified entity by CMS under this subpart for purposes 
other than those referenced in this subpart.
    (2) Conditional approval process: Meet the eligibility and 
operational and governance requirements, and fulfill all of the 
application requirements to CMS' satisfaction, with the exception of 
possession of sufficient claims data from other sources. Meeting these 
requirements will result in a conditional approval as a qualified 
entity. Entities gaining a conditional approval as a qualified entity 
must meet the eligibility requirements related to claims data from 
other sources the entity intends to combine with the Medicare data, 
agree to pay a fee equal to the cost of CMS making the data available, 
and execute a Data Use Agreement with CMS, that among other things, 
reaffirms the statutory ban on the use of Medicare data provided to the 
qualified entity by CMS under this subpart for purposes other than 
those referenced in this subpart before receiving any Medicare data. If 
the qualified entity is composed of lead entity with contractors, any 
contractors that are anticipated to have access to the Medicare data 
must also execute a Data Use Agreement with CMS.
    (c) Duration of approval. CMS permits an entity to participate as a 
qualified entity for a period of 3 years from the date of notification 
of the application approval by CMS. The qualified entity must abide by 
all CMS regulations and instructions. If the qualified entity wishes to 
continue performing the tasks after the 3-year approval period, the 
entity may re-apply for qualified entity status following the 
procedures in paragraph (f) of this section.

[[Page 76569]]

    (d) Reporting period. A qualified entity must produce reports on 
the performance of providers and suppliers at least annually, beginning 
in the calendar year after they are approved by CMS.
    (e) The distribution of data.--(1) Initial data release. Once CMS 
fully approves a qualified entity under this subpart, the qualified 
entity must pay a fee equal to the cost of CMS making data available. 
After the qualified entity pays the fee, CMS will release the 
applicable encrypted claims data, as well as a file that crosswalks the 
encrypted beneficiary ID to the beneficiary name and the Medicare HICN. 
The data will be the most recent data available, and will be limited to 
the geographic spread of the qualified entity's other claims data, as 
determined by CMS.
    (2) Subsequent data releases. After the first quarter of 
participation, CMS will provide a qualified entity with the most recent 
additional quarter of currently available data, as well as a table that 
crosswalks the encrypted beneficiary ID to the beneficiary's name and 
the Medicare HICN. Qualified entities are required to pay CMS a fee 
equal to the cost of making data available before CMS will release the 
most recent quarter of additional data to the qualified entity.
    (f) Re-application. A qualified entity that is in good standing may 
re-apply for qualified entity status. A qualified entity is considered 
to be in good standing if it has had no violations of the requirements 
in this subpart or if the qualified entity is addressing any past 
deficiencies either on its own or through the implementation of a 
corrective action plan. To re-apply a qualified entity must submit to 
CMS documentation of any changes to what was included in its 
previously-approved application. A re-applicant must submit this 
documentation at least 6 months before the end of its 3-year approval 
period and will be able to continue to serve as a qualified entity 
until the re-application is either approved or denied by CMS. If the 
re-application is denied, CMS will terminate its relationship with the 
qualified entity and the qualified entity will be subject to the 
requirements for return or destruction of data at Sec.  401.721(b).


Sec.  401.711  Updates to plans submitted as part of the application 
process.

    (a) If a qualified entity wishes to make changes to the following 
parts of its previously-approved application:
    (1) Its list of proposed measures--the qualified entity must send 
all the information referenced in Sec.  401.707(a) for the new measures 
to CMS at least 30 days before its intended confidential release to 
providers and suppliers.
    (2) Its proposed prototype report--the qualified entity must send 
the new prototype report to CMS at least 30 days before its intended 
confidential release to providers and suppliers.
    (3) Its plans for sharing the reports with the public--the 
qualified entity must send the new plans to CMS at least 30 days before 
its intended confidential release to providers and suppliers.
    (b) CMS will notify the qualified entity when the entity's proposed 
changes are approved or denied for use, generally within 30 days of the 
qualified entity submitting the changes to CMS. If a CMS decision on 
approval or disapproval for a change is not forthcoming within 30 days 
and CMS does not request an additional 30 days for review, the change 
or modification shall be deemed to be approved.
    (c) If the amount of claims data from other sources available to a 
qualified entity decreases, the qualified entity must immediately 
inform CMS and submit documentation that the remaining claims data from 
other sources is sufficient to address the methodological concerns 
regarding sample size and reliability. Under no circumstances may a 
qualified entity use Medicare data to create a report, use a measure, 
or share a report after the amount of claims data from other sources 
available to a qualified entity decreases until CMS determines either 
that the remaining claims data is sufficient or that the qualified 
entity has collected adequate additional data to address any 
deficiencies.
    (1) If the qualified entity cannot submit the documentation 
required in paragraph (c) of this section, or if CMS determines that 
the remaining claims data is not sufficient, CMS will afford the 
qualified entity up to 120 days to obtain additional claims to address 
any deficiencies. If the qualified entity does not have access to 
sufficient new data after that time, CMS will terminate its 
relationship with the qualified entity.
    (2) If CMS determines that the remaining claims data is sufficient, 
the qualified entity may continue issuing reports, using measures, and 
sharing reports.


Sec.  401.713  Ensuring the privacy and security of data.

    (a) A qualified entity must comply with the data requirements in 
its data use agreement (DUA) with CMS. Contractors of qualified 
entities that are anticipated to have access to the Medicare claims 
data or beneficiary identifiable data in the context of this program 
are also required to execute and comply with the DUA. The DUA will 
require the qualified entity to maintain privacy and security protocols 
throughout the duration of the agreement with CMS and will ban the use 
of data for purposes other than those set out in this subpart. The DUA 
will also prohibit the use of unsecured telecommunications to transmit 
CMS data and will specify the circumstances under which CMS data must 
be stored and transmitted.
    (b) A qualified entity must inform each beneficiary whose 
beneficiary identifiable data has been (or is reasonably believed to 
have been) inappropriately accessed, acquired, or disclosed in 
accordance with the DUA.
    (c) Contractor(s) must report to the qualified entity whenever 
there is an incident where beneficiary identifiable data has been (or 
is reasonably believed to have been) inappropriately accessed, 
acquired, or disclosed.


Sec.  401.715  Selection and use of performance measures.

    (a) Standard measures. A standard measure is a measure that can be 
calculated in full or in part from claims data from other sources and 
the standardized extracts of Medicare Parts A and B claims, and Part D 
prescription drug event data and meets the following requirements:
    (1) Meets one of the following criteria:
    (i) Is endorsed by the entity with a contract under section 1890(a) 
of the Social Security Act.
    (ii) Is time-limited endorsed by the entity with a contract under 
section 1890(a) of the Social Security Act until such time as the full 
endorsement status is determined.
    (iii) Is developed under section 931 of the Public Health Service 
Act.
    (iv) Can be calculated from standardized extracts of Medicare Parts 
A or B claims or Part D prescription drug event data, was adopted 
through notice-and-comment rulemaking, and is currently being used in 
CMS programs that include quality measurement.
    (v) Is endorsed by a CMS-approved consensus-based entity. CMS will 
approve organizations as consensus-based entities based on review of 
documentation of the consensus-based entity's measure approval process. 
To receive approval as a consensus-based entity, an organization must 
submit information to CMS documenting its processes for stakeholder 
consultation and measures approval; an organization will only receive 
approval as a consensus-based entity if all measure specifications are 
publically available. An organization will retain CMS acceptance as a 
consensus-based entity

[[Page 76570]]

for 3 years after the approval date, at which time CMS will review new 
documentation of the consensus-based entity's measure approval process 
for a new 3-year approval.
    (2) Is used in a manner that follows the measure specifications as 
written (or as adopted through notice-and-comment rulemaking), 
including all numerator and denominator inclusions and exclusions, 
measured time periods, and specified data sources.
    (b) Alternative measure. (1) An alternative measure is a measure 
that is not a standard measure, but that can be calculated in full, or 
in part, from claims data from other sources and the standardized 
extracts of Medicare Parts A and B claims, and Part D prescription drug 
event data, and that meets one of the following criteria:
    (i) Rulemaking process: Has been found by the Secretary, through a 
notice-and comment-rulemaking process, to be more valid, reliable, 
responsive to consumer preferences, cost-effective, or relevant to 
dimensions of quality and resource use not addressed by standard 
measures, and is used by a qualified entity in a manner that follows 
the measure specifications as adopted through notice-and-comment 
rulemaking, including all numerator and denominator inclusions and 
exclusions, measured time periods, and specified data sources.
    (ii) Stakeholder consultation approval process: Has been found by 
the Secretary, using documentation submitted by a qualified entity that 
outlines its consultation and agreement with stakeholders in its 
community, to be more valid, responsive to consumer preferences, cost-
effective, or relevant to dimensions of quality and resource use not 
addressed by standard measures, and is used by a qualified entity in a 
manner that follows the measure specifications as submitted, including 
all numerator and denominator inclusions and exclusions, measured time 
periods, and specified data sources. If a CMS decision on approval or 
disapproval of alternative measures submitted using the stakeholder 
consultation approval process is not forthcoming within 60 days of 
submission of the measure by the qualified entity, the measure will be 
deemed approved. However, CMS retains the right to disapprove a measure 
if, even after 60 days, we find it to not be ``more valid, reliable, 
responsive to consumer preferences, cost-effective, or relevant to 
dimensions of quality and resource'' than a standard measure.
    (2) An alternative measure approved under the process at paragraph 
(b)(1)(i) of this section may be used by any qualified entity. An 
alternative measure approved under the process at paragraph (b)(1)(ii) 
of this section may only be used by the qualified entity that submitted 
the measure for consideration by the Secretary. A qualified entity may 
use an alternative measure up until the point that an equivalent 
standard measure for the particular clinical area or condition becomes 
available at which point the qualified entity must switch to the 
standard measure within 6 months or submit additional scientific 
justification and receive approval, via either paragraphs (b)(1)(i) or 
(b)(1)(ii) of this section, from the Secretary to continue using the 
alternative measure.
    (3) To submit an alternative measure for consideration under the 
notice-and-comment-rulemaking process, for use in the calendar year 
following the submission, an entity must submit the following 
information by May 31st:
    (i) The name of the alternative measure.
    (ii) The name of the developer or owner of the alternative measure.
    (iii) Detailed specifications for the alternative measure.
    (iv) Evidence that use of the alternative measure would be more 
valid, reliable, responsive to consumer preferences, cost-effective, or 
relevant to dimensions of quality and resource use not addressed by 
standard measures.
    (4) To submit an alternative measure for consideration under the 
documentation of stakeholder consultation approval process described in 
paragraph (b)(1)(ii) of this section, for use once the measure is 
approved by the Secretary, an entity must submit the following 
information to CMS:
    (i) The name of the alternative measure.
    (ii) The name of the developer or owner of the alternative measure.
    (iii) Detailed specifications for the alternative measure.
    (iv) A description of the process by which the qualified entity 
notified stakeholders in the geographic region it serves of its intent 
to seek approval of an alternative measure. Stakeholders must include a 
valid cross representation of providers, suppliers, payers, employers, 
and consumers.
    (v) A list of stakeholders from whom feedback was solicited, 
including the stakeholders' names and roles in the community.
    (vi) A description of the discussion about the proposed alternative 
measure, including a summary of all pertinent arguments supporting and 
opposing the measure.
    (vii) Unless CMS has already approved the same measure for use by 
another qualified entity, no new scientific evidence on the measure is 
available, and the subsequent qualified entity wishes to rely upon the 
scientific evidence submitted by the previously approved applicant, an 
explanation backed by scientific evidence that demonstrates why the 
measure is more valid, reliable, responsive to consumer preferences, 
cost-effective, or relevant to dimensions of quality and resource use 
not addressed by a standard measure.


Sec.  401.717  Provider and supplier requests for error correction.

    (a) A qualified entity must confidentially share measures, 
measurement methodologies, and measure results with providers and 
suppliers at least 60 calendar days before making reports public. The 
60 calendar days begin on the date on which qualified entities send the 
confidential reports to providers and suppliers. A qualified entity 
must inform providers and suppliers of the date the reports will be 
made public at least 60 calendar days before making the reports public.
    (b) Before making the reports public, a qualified entity must allow 
providers and suppliers the opportunity to make a request for the data, 
or to make a request for error correction, within 60 calendar days 
after sending the confidential reports to providers or suppliers.
    (c) During the 60 calendar days between sending a confidential 
report on measure results and releasing the report to the public, the 
qualified entity must, at the request of a provider or supplier and 
with appropriate privacy and security protections, release the Medicare 
claims data and beneficiary names to the provider or supplier. 
Qualified entities may only provide the Medicare claims and/or 
beneficiary names relevant to the particular measure or measure result 
the provider or supplier is appealing.
    (d) A qualified entity must inform providers and suppliers that 
reports will be made public, including information related to the 
status of any data or error correction requests, after the date 
specified to the provider or supplier when the report is sent for 
review and, if necessary, error correction requests (at least 60 
calendar days after the report was originally sent to the providers and 
suppliers), regardless of the status of any requests for error 
correction.
    (e) If a provider or supplier has a data or error correction 
request outstanding at the time the reports become public, the 
qualified entity must, if feasible, post publicly the name of the 
appealing

[[Page 76571]]

provider or supplier and the category of the appeal request.


Sec.  401.719  Monitoring and sanctioning of qualified entities.

    (a) CMS will monitor and assess the performance of qualified 
entities and their contractors using the following methods:
    (1) Audits.
    (2) Submission of documentation of data sources and quantities of 
data upon the request of CMS and/or site visits.
    (3) Analysis of specific data reported to CMS by qualified entities 
through annual reports (as described in paragraph (b) of this section) 
and reports on inappropriate disclosures or uses of beneficiary 
identifiable data (as described in paragraph (c) of this section).
    (4) Analysis of complaints from beneficiaries and/or providers or 
suppliers.
    (b) A qualified entity must provide annual reports to CMS 
containing information related to the following:
    (1) General program adherence, including the following information:
    (i) The number of Medicare and private claims combined.
    (ii) The percent of the overall market share the number of claims 
represent in the qualified entity's geographic area.
    (iii) The number of measures calculated.
    (iv) The number of providers and suppliers profiled by type of 
provider and supplier.
    (v) A measure of public use of the reports.
    (2) The provider and supplier data sharing, error correction, and 
appeals process, including the following information:
    (i) The number of providers and suppliers requesting claims data.
    (ii) The number of requests for claims data fulfilled.
    (iii) The number of error corrections.
    (iv) The type(s) of problem(s) leading to the request for error 
correction.
    (v) The amount of time to acknowledge the request for data or error 
correction.
    (vi) The amount of time to respond to the request for error 
correction.
    (vii) The number of requests for error correction resolved.
    (c) A qualified entity must inform CMS of inappropriate disclosures 
or uses of beneficiary identifiable data under the DUA.
    (d) CMS may take the following actions against a qualified entity 
if CMS determines that the qualified entity violated any of the 
requirements of this subpart, regardless of how CMS learns of a 
violation:
    (1) Provide a warning notice to the qualified entity of the 
specific concern, which indicates that future deficiencies could lead 
to termination.
    (2) Request a corrective action plan (CAP) from the qualified 
entity.
    (3) Place the qualified entity on a special monitoring plan.
    (4) Terminate the qualified entity.


Sec.  401.721  Terminating an agreement with a qualified entity.

    (a) Grounds for terminating a qualified entity agreement. CMS may 
terminate an agreement with a qualified entity if CMS determines the 
qualified entity or its contractor meets any of the following:
    (1) Engages in one or more serious violations of the requirements 
of this subpart.
    (2) Fails to completely and accurately report information to CMS or 
fails to make appropriate corrections in response to confidential 
reviews by providers and suppliers in a timely manner.
    (3) Fails to submit an approvable corrective action plan (CAP) as 
prescribed by CMS, fails to implement an approved CAP, or fails to 
demonstrate improved performance after the implementation of a CAP.
    (4) Improperly uses or discloses claims information received from 
CMS in violation of the requirements in this subpart.
    (5) Based on its re-application, no longer meets the requirements 
in this subpart.
    (6) Fails to maintain adequate data from other sources in 
accordance with Sec.  401.711(c).
    (b) Return or destruction of CMS data upon voluntary or involuntary 
termination from the qualified entity program:
    (1) If CMS terminates a qualified entity's agreement, the qualified 
entity and its contractors must immediately upon receipt of 
notification of the termination commence returning or destroying any 
and all CMS data (and any derivative files). In no instance can this 
process exceed 30 days.
    (2) If a qualified entity voluntarily terminates participation 
under this subpart, it and its contractors must return to CMS, or 
destroy, any and all CMS data in its possession within 30 days of 
notifying CMS of its intent to end its participation.

(Catalog of Federal Domestic Assistance Program No. 93.773, 
Medicare--Hospital Insurance; and Program No. 93.774, Medicare--
Supplementary Medical Insurance Program)

    Dated: November 1, 2011.
Donald M. Berwick,
Administrator, Centers for Medicare & Medicaid Services.
    Approved: November 29, 2011.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.
[FR Doc. 2011-31232 Filed 12-5-11; 11:15 am]
BILLING CODE 4120-01-P