[Federal Register Volume 78, Number 25 (Wednesday, February 6, 2013)]
[Notices]
[Pages 8536-8538]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-02669]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of New System of Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, CMS is establishing a new system of records (SOR) titled, ``Long 
Term Care Hospitals Quality Reporting Program (LTCH QRP),'' System No. 
09-70-0539. The new system will support a new quality reporting program 
for Long Term Care Hospitals (LTCH) created pursuant to Section 3004 of 
the Patient Protection and Affordable Care Act of 2010 (ACA) (Pub. L. 
111-148), amending the Social Security Act (the Act) (42 U.S.C. 
1886(m)).

DATES: Effective Dates: Effective 30 days after publication. Written 
comments should be submitted on or before the effective date. HHS/CMS/
CCSQ may publish an amended SORN in light of any comments received.

ADDRESSES: The public should address comments to: CMS Privacy Officer, 
Privacy Policy Compliance Group, Office of E-Health Standards & 
Services, Office of Enterprise Management, Centers for Medicare & 
Medicaid Services, 7500 Security Boulevard, Baltimore, MD 21244-1870, 
Mailstop: S2-24-25, Office: (410) 786-5357, Facsimile: (410) 786-1347, 
E-Mail: [email protected]. Comments received will be available 
for review at this location, by appointment, during regular business 
hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time 
zone.

FOR FURTHER INFORMATION CONTACT: Caroline Gallaher, Nurse Consultant, 
CMS, Centers for Clinical Standards and Quality, Quality Measurement & 
Health Assessment Group, Division of Chronic & Post-Acute Care, 7500 
Security Boulevard, Mail Stop S3-02-01, Baltimore, MD 21244-1850. 
Office: 410-786-8705, Facsimile: (410) 786-8532, Email address: 
[email protected].

SUPPLEMENTARY INFORMATION:

I. Background on the LTCH QRP System

    The ACA directs the Secretary of HHS to compile, and eventually 
publish, quality measure data, measuring the quality of care provided 
to patients in LTCHs. The quality measure data is required to be valid, 
meaningful, and feasible to collect, and to address symptom management, 
patient preferences and avoidable adverse events. Although CMS 
administers the LTCH QRP, information is also collected on LTCH 
patients who may not be Medicare beneficiaries.
    CMS created the LTCH QRP System (the System) to house the data sets 
needed for the Program. The first quality measure for which CMS has 
begun compiling data under the Program is ``the Percent of Patient 
Residents with Pressure Ulcers That Are New or Worsened.'' CMS 
developed the ``LTCH Continuity Assessment Record & Evaluation (CARE) 
Data Set'' (LTCH CARE Data Set) as the vehicle by which the System will 
collect pressure ulcer quality measure data from LTCH patients and LTCH 
providers, after determining that there were no existing suitable data 
sets that could be leveraged to supply quality measure data about 
pressure ulcers in the LTCH setting. As additional quality measures are 
added to the Program, data items will be added the LTCH CARE data set 
to compile quality measure data about other conditions.

II. Personally Identifiable Information in LTCH

    Most of the personally identifiable information (PII) in LTCH will 
be about LTCH patients; however, certain information may be collected 
about providers who work in LTCHs that may be considered to be PII 
(i.e., National Provider Identifier (NPI), personal contact 
information, and Social Security Number (SSN), if used for business 
purposes). At this time, the LTCH CARE Data Set includes these 
components: (1) Condition (i.e., pressure ulcer) documentation; (2) 
selected covariates related to the condition; and (3) patient 
demographic information. The PII in LTCH, and how it may be used and 
disclosed, is more fully described in the System of Records Notice 
(SORN), below. LTCH data when published on the Internet will be in 
aggregate form and will not contain any personally identifiable data 
elements.

III. The Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the 
United States Government collects, maintains, and uses personally 
identifiable information (PII) in a system of records. A ``system of 
records'' is a group of any records under the control of a Federal 
agency from which information about individuals is retrieved by name or 
other personal identifier. The Privacy Act requires each agency to 
publish in the Federal Register a system of records notice (SORN) 
identifying and describing each system of records the agency maintains, 
including the purposes for which the agency uses PII in the system, the 
routine uses for which the agency discloses such information outside 
the agency, and how individual record subjects can exercise their 
rights under the Privacy Act (e.g., to determine if the system contains 
information about them).

SYSTEM NUMBER:
    09-70-0539

SYSTEM NAME:
    ``Long Term Care Hospitals Quality Reporting Program (LTCH QRP)'' 
HHS/CMS/CCSQ.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850, and at various LTCHs and 
contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system will contain personally identifiable information (PII) 
about the following categories of individuals who participate in or are 
involved with the LTCH QRP: LTCH patients and Medicare beneficiaries, 
who receive health care services coordinated and managed by LTCHs; any 
providers and or any contact persons for a LTCH who provide home or 
personal contact information.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system will include the following categories of records, 
containing, but not necessarily limited to, the following PII data 
elements: Patient/beneficiary condition, selected covariates about the 
condition, and patient/beneficiary demographic records containing the 
patient/beneficiary's name, gender, beneficiary's Health Insurance 
Claim Number (HICN) or

[[Page 8537]]

patient's SSN, address, and date of birth. LTCH provider records, 
containing the provider's name, address, and the Taxpayer 
Identification Number (TIN), which could be a Social Security Number 
(SSN); and National Provider Identifier (NPI).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 3004 of the Patient Protection and Affordable Care Act of 
2010 (Pub. L. 111-148), amending the Social Security Act (42 U.S.C. 
1886(m)).

PURPOSE(S) OF THE SYSTEM:
    CMS will use this system to compile quality measure data, measuring 
the quality of care provided to patients in LTCHs. CMS will or may use 
personally identifiable information from this system to: (1) Support 
regulatory, reimbursement, and policy functions performed by Agency 
contractors, consultants, or CMS grantees; (2) assist federal and state 
agencies and their fiscal agents to perform the statutory functions of 
the LTCH QRP; (3) assist LTCHs with the statutory reporting 
requirements; (4) support research, evaluation, or epidemiological 
projects related to the prevention of disease or disability, or the 
restoration or maintenance of health, and for payment related projects; 
(5) support the functions of Quality Improvement Organizations; (6) 
support the functions of national accrediting organizations; (7) 
support litigation involving the agency; (8) combat fraud, waste, and 
abuse in certain health benefits programs, (9) assist agencies, 
entities, contractors, or persons tasked with the response and remedial 
efforts in the event of a breach of information, and (10) assist the 
U.S. Department of Homeland Security (DHS) cyber security personnel.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
    A. Entities Who May Receive Disclosures Under Routine Use
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
release information from LTCH without the consent of the individual to 
whom such information pertains. Each proposed disclosure of information 
under these routine uses will be evaluated to ensure that the 
disclosure is legally permissible, including but not limited to 
ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We propose to 
establish the following routine use disclosures of information 
maintained in the system:
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this collection and who need to 
have access to the records in order to assist CMS.
    2. To assist another Federal, agency of a State government, an 
agency established by State law, or its fiscal agents with information 
that is necessary and/or required in order to perform the statutory 
functions of the LTCH QRP;
    3. To provide LTCHs with information they need to meet any 
statutory requirements of the program, assist with other reports as 
required by CMS, and to assist in the implementation of quality 
standards.
    4. To support an individual or organization for research, as well 
as evaluation or epidemiological projects related to the prevention of 
disease or disability, the restoration or maintenance of health, or for 
understanding and improving payment projects.
    5. To support Quality Improvement Organizations (QIO) in connection 
with review of claims, or in connection with studies or other review 
activities conducted pursuant to Part B of Title XI of the Act, and in 
performing affirmative outreach activities to individuals for the 
purpose of establishing and maintaining their entitlement to Medicare 
benefits or health insurance plans.
    6. To assist national accrediting organization(s) whose accredited 
facilities are presumed to meet certain Medicare requirements (e.g., 
the Joint Commission for the Accreditation of Healthcare Organizations, 
the American Osteopathic Association, or the Commission on 
Accreditation of Rehabilitation Facilities).
    7. To provide information to the U.S. Department of Justice (DOJ), 
a court, or an adjudicatory body when (a) the Agency or any component 
thereof, or (b) any employee of the Agency in his or her official 
capacity, or (c) any employee of the Agency in his or her individual 
capacity where the DOJ has agreed to represent the employee, or (d) the 
United State Government, is a party to litigation or has an interest in 
such litigation, and by careful review, CMS determines that the records 
are both relevant and necessary to the litigation and that the use of 
such records by the DOJ, court, or adjudicatory body is compatible with 
the purpose for which the agency collected the records.
    8. To assist a CMS contractor (including, but not limited to 
Medicare Administrative Contractors, fiscal intermediaries, and 
carriers) that assists in the administration of a CMS-administered 
health benefits program, or to a grantee of a CMS-administered grant 
program, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud, waste or abuse in such program.
    9. To assist another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs.
    10. To disclose records to appropriate Federal agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to respond to a suspected 
or confirmed breach of the security or confidentiality of information 
maintained in this system of records, and the information disclosed is 
relevant and necessary for that assistance.
    11. To assist the U.S. Department of Homeland Security (DHS) cyber 
security personnel, if captured in an intrusion detection system used 
by HHS and DHS pursuant to the Einstein 2 program.

B. ADDITIONAL CIRCUMSTANCES AFFECTING DISCLOSURE OF PII DATA:
    To the extent that the individual claims records in this system 
contain Protected Health Information (PHI) as defined by HHS regulation 
``Standards for Privacy of Individually Identifiable Health 
Information'' (45 CFR Parts 160 and 164, Subparts A and E), disclosures 
of such PHI that are otherwise authorized by these routine uses may 
only be made if, and as, permitted or required by the ``Standards for 
Privacy of Individually Identifiable Health Information'' (see 45 CFR 
164-512(a)(1)).
    In addition, HHS policy will be to prohibit release even of data 
not directly identifiable with a particular individual, except pursuant 
to one of the routine uses or if required by law, if CMS determines 
there is a possibility that a particular individual can be identified 
through implicit deduction based on small cell sizes (instances where 
the

[[Page 8538]]

patient population is so small that individuals could, because of the 
small size, use this information to deduce the identity of a particular 
individual).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM--
STORAGE:
    All records are stored on magnetic media.

RETRIEVABILITY:
    Information may be retrieved by any of these personal identifiers: 
provider's TIN (which could be a SSN); National Provider Identifier 
(NPI); Patient's SSN or a Beneficiary's HICN; a patient's or 
beneficiary's name in combination with the patient's or beneficiary's 
date of birth.

SAFEGUARDS:
    Personnel having access to the system have been trained in the 
Privacy Act and information security requirements. Employees who 
maintain records in this system are instructed not to release data 
until the intended recipient agrees to implement appropriate 
management, operational and technical safeguards sufficient to protect 
the confidentiality, integrity and availability of the information and 
information systems and to prevent unauthorized access. Access to 
records in the LTCH database system will be limited to CMS personnel 
and contractors through password security, encryption, firewalls, and 
secured operating system. Any electronic or hard copies of financial-
related records containing PII at CMS and contractor locations will be 
kept in secure electronic files or in file folders locked in secure 
file cabinets during non-duty hours.

RETENTION AND DISPOSAL:
    Records containing PII will be maintained for a period of up to 10 
years after entry in the database. Any such records that are needed 
longer, such as to resolve claims and audit exceptions or to prosecute 
fraud, will be retained until such matters are resolved. Beneficiary 
claims records are currently subject to a document preservation order 
and will be preserved indefinitely pending further notice from the U.S. 
Department of Justice.

SYSTEM MANAGER AND ADDRESS:
    Director, Division of Chronic & Post-Acute Care, Quality 
Measurement & Health Assessment Group, Center for Clinical Standards 
and Quality, Centers for Medicare & Medicaid Services, 7500 Security 
Boulevard, Mail Stop S3-02-01, Baltimore, MD 21244-1850.

NOTIFICATION PROCEDURE:
    An individual record subject who wishes to know if this system 
contains records about him or her should write to the system manager 
who will require the system name, HICN, and for verification purposes, 
the subject individual's name (woman's maiden name, if applicable), and 
SSN (furnishing the SSN is voluntary, but it may make searching for a 
record easier and prevent delay).

RECORD ACCESS PROCEDURE:
    An individual seeking access to records about him or her in this 
system should use the same procedures outlined in Notification 
Procedures above. The requestor should also reasonably specify the 
record contents being sought. (These procedures are in accordance with 
Department regulation 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    To contest a record, the subject individual should contact the 
system manager named above, and reasonably identify the record and 
specify the information to be contested. The individual should state 
the corrective action sought and the reasons for the correction with 
supporting justification. (These procedures are in accordance with 
Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    Personally identifiable information in this database is collected 
by LTCH providers from and about LTCH patients and beneficiaries by 
means of the LTCH CARE Data Set. LTCH data is reported to CMS from LTCH 
providers through an on-line system known as LTCH Assessment Submission 
Entry and Reporting (LASER).

EXEMPTIONS CLAIMED FOR THIS SYSTEM:
    None.

    Dated: January 10, 2013.
Michelle Snyder,
Deputy Chief Operating Officer, Centers for Medicare & Medicaid 
Services.
[FR Doc. 2013-02669 Filed 2-5-13; 8:45 am]
BILLING CODE 4120-03-P