[Federal Register Volume 79, Number 67 (Tuesday, April 8, 2014)]
[Notices]
[Pages 19341-19344]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-07552]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974, Report of New System of Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice of a New System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, CMS is establishing a new SOR titled, ``Hospice Item Set (HIS) 
System,'' System No. 09-70-0548. The new system will support the 
collection of data required for the Hospice Quality Reporting Program 
(HQRP) pursuant to Section 3004(c) of the Patient Protection and 
Affordable Care Act of 2010 (ACA) (Pub. L. 111-148), which amended the 
Social Security Act (the Act) (42 U.S.C. 1814(i)). HIS is a 
standardized, patient-level data collection vehicle consisting of data 
elements confirming that the appropriate assessments were made and 
inquiries or concerns were addressed for each patient at the time of 
admission for the following domains of care: (1) Pain; (2) Respiratory 
Status; (3) Medications; (4) Patient Preferences; and (5) Beliefs & 
Values.

DATES: Effective Dates: Effective 30 days after publication. Written 
comments should be submitted on or before the effective date. HHS/CMS/
CCSQ may publish an amended SORN in light of any comments received.

ADDRESSES: The public should address comments to: CMS Privacy Officer, 
Privacy Policy Compliance Group, Office of E-Health Standards & 
Services, Office of Enterprise Management, Centers for Medicare & 
Medicaid Services, 7500 Security Boulevard, Baltimore, MD 21244-1870, 
Mailstop: S2-24-25, Office: (410) 786-5357,

[[Page 19342]]

Facsimile: (410) 786-1347, E-Mail: [email protected]. Comments 
received will be available for review at this location, by appointment, 
during regular business hours, Monday through Friday from 9:00 a.m.-
3:00 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: Caroline Gallaher, Nurse Consultant, 
CMS, Centers for Clinical Standards and Quality, Quality Measurement & 
Health Assessment Group, Division of Chronic & Post-Acute Care, 7500 
Security Boulevard, Mail Stop S3-02-01, Baltimore, MD 21244-1850. 
Office: 410-786-8705, Facsimile: (410) 786-8532, Email address: 
[email protected].

SUPPLEMENTARY INFORMATION:

I. Background and Introduction

    Section 3004(c) of the ACA directed the Secretary of HHS to 
establish a quality reporting program for hospices for the purpose of 
collecting, compiling and eventually publishing data measuring the 
quality of care provided to patients receiving hospice care. The 
quality measure data is required to be valid, meaningful, and feasible 
to collect, and to address symptom management, patient preferences and 
care coordination. Although CMS administers the HIS, information is 
also collected on hospice patients who may not be Medicare 
beneficiaries.
    A hospice is a public agency or private organization or a 
subdivision of either that is primarily engaged in providing care to 
terminally ill individuals, meets the conditions of participation for 
hospices, and has a valid Medicare provider agreement. Hospice care is 
an approach to caring for terminally ill individuals that stresses 
palliative care (relief of pain and uncomfortable symptoms), as opposed 
to curative care. In addition to meeting the patient's medical needs, 
hospice care addresses the physical, psychosocial, and spiritual needs 
of the patient, as well as the psychosocial needs of the patient's 
family/caregiver. The HIS is not a patient assessment instrument and 
will not be administered to the patient and/or family or caregivers. In 
contrast, HIS is a standardized mechanism for abstracting data from the 
medical record.
    The HIS was developed specifically for use by hospices and contains 
data elements that can be used by CMS to collect the patient-level data 
required for seven National Quality Forum--(NQF) endorsed quality 
measures and a modification of one NQF-endorsed measure. These measures 
include: (1) Hospice and Palliative Care--Pain Screening (NQF 
1634); (2) Hospice and Palliative Care--Pain Assessment (NQF 
1637); (3) Hospice and Palliative Care--Dyspnea Screening (NQF 
1639); (4) Hospice and Palliative Care--Dyspnea Treatment (NQF 
1638); (5) Patients Treated With an Opioid who are Given a 
Bowel Regimen (NQF 1617); (6) Hospice and Palliative Care--
Treatment Preferences (NQF 1641); and (7) Beliefs/values 
addressed (modified version of the NQF 1647 measure).
    Hospices will begin using the HIS for all patients beginning July 
1, 2014. Hospices will be required to submit two HIS records for each 
patient admitted to their organization--a HIS-Admission record and a 
HIS-Discharge record. The HIS-Admission contains both administrative 
items for patient identification and clinical items for calculating the 
seven quality measures. The HIS-Discharge is a limited set of 
administrative items also used for patient identification, as well as 
discharge information, which will be used primarily to determine 
patient exclusions for some of the seven quality measures.

II. The Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the 
United States Government collects, maintains, and uses personally 
identifiable information (PII) in a SOR. A SOR is a group of any 
records under the control of a Federal agency from which information 
about individuals is retrieved by name or other personal identifier. 
The Privacy Act requires each agency to publish in the Federal Register 
a system of records notice (SORN) identifying and describing each 
system of records the agency maintains, including the purposes for 
which the agency uses information about individuals in the system, the 
routine uses for which the agency discloses such information outside 
the agency, and how individual record subjects can exercise their 
rights under the Privacy Act (e.g., to determine if the system contains 
information about them).
System Number: 09-70-0548

SYSTEM NAME:
    ``Hospice Item Set (HIS) System'' HHS/CMS/CCSQ.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850, and at various Hospices and 
contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system will contain information about the following categories 
of individuals who participate in or are involved with the HQRP: (1) 
Hospice patients and Medicare beneficiaries, who receive health care 
services coordinated and managed by hospices; and, (2) any individual 
providers and/or any contact persons for a hospice whose personal 
information (such as, home or personal contact information, or Social 
Security Number (SSN) if used for business purposes) is provided as 
business-identifying information on the collection instrument.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Information in the HIS about hospice patients includes but not 
limited to information related to condition, selected covariates about 
the condition, and patient/beneficiary demographic records containing 
the patient/beneficiary's name, gender, beneficiary's Health Insurance 
Claim Number (HICN), SSN, Medicaid number (MA number), race, and date 
of birth. Information collected about providers who work in hospices 
considered to be PII includes records containing the provider's name, 
address, National Provider Identifier (NPI), and CMS Certification 
Number (CCN), personal contact information, tax identification number, 
and SSN if used for business purposes.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for the SOR is given at Section 3004(c) of the Patient 
Protection and Affordable Care Act of 2010 (Pub. L. 111-148), amending 
the Social Security Act (42 U.S.C. 1814(i)).

PURPOSE(S) OF THE SYSTEM:
    The purpose(s) of this SOR is to create a hospice item set that is 
used as a standardized mechanism for abstracting data from the medical 
record to address symptom management, patient preferences and care 
coordination; to house the data needed for the HQRP, and to maintain a 
quality reporting program for hospices for the purpose of collecting, 
compiling and eventually publishing data measuring the quality of care 
provided to patients receiving hospice care. CMS will or may use 
personally identifiable information from this system to: (1) Support 
regulatory, reimbursement, and policy functions performed by Agency 
contractors, consultants, or CMS grantees; (2) assist Federal and state 
agencies and their fiscal agents to perform the statutory functions of 
the HQRP; (3) assist hospices with the statutory reporting 
requirements; (4) support research,

[[Page 19343]]

evaluation, or epidemiological projects related to end of life care, 
and for payment related projects; (5) support the functions of Quality 
Improvement Organizations; (6) support the functions of national 
accrediting organizations; (7) support litigation involving the agency; 
(8) combat fraud, waste, and abuse in certain health benefits programs, 
(9) assist agencies, entities, contractors, or persons tasked with the 
response and remedial efforts in the event of a breach of information, 
and (10) assist the U.S. Department of Homeland Security (DHS) cyber 
security personnel.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
A. Entities Who May Receive Disclosures Under Routine Use
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
release information from HIS without the consent of the individual to 
whom such information pertains. Each proposed disclosure of information 
under these routine uses will be evaluated to ensure that the 
disclosure is legally permissible, including but not limited to 
ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We propose to 
establish the following routine use disclosures of information 
maintained in the system:
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this collection and who need to 
have access to the records in order to assist CMS.
    2. To assist another Federal Agency, agency of a State government, 
an agency established by State law, or its fiscal agents with 
information that is necessary and/or required in order to perform the 
statutory functions of the HQRP;
    3. To provide hospices with information they need to meet any 
statutory requirements of the program, assist with other reports as 
required by CMS, and to assist in the implementation of quality 
standards;
    4. To support an individual or organization for research, as well 
as evaluation or epidemiological projects related to end of life care, 
or for understanding and improving payment projects;
    5. To support Quality Improvement Organizations (QIOs) in 
connection with review of claims, or in connection with studies or 
other review activities conducted pursuant to Part B of Title XI of the 
Act, and in performing affirmative outreach activities to individuals 
for the purpose of establishing and maintaining their entitlement to 
Medicare benefits or health insurance plans;
    6. To assist national accrediting organization(s) whose accredited 
providers are presumed to meet certain Medicare requirements (e.g., the 
Joint Commission for the Accreditation of Healthcare Organizations, the 
Community Health Accreditation Program (CHAP), or the Accreditation 
Commission for Health Care (ACHC);
    7. To provide information to the U.S. Department of Justice (DOJ), 
a court, or an adjudicatory body when (a) the Agency or any component 
thereof, or (b) any employee of the Agency in his or her official 
capacity, or (c) any employee of the Agency in his or her individual 
capacity where the DOJ has agreed to represent the employee, or (d) the 
United State Government, is a party to litigation or has an interest in 
such litigation, and by careful review, CMS determines that the records 
are both relevant and necessary to the litigation and that the use of 
such records by the DOJ, court, or adjudicatory body is compatible with 
the purpose for which the agency collected the records;
    8. To assist a CMS contractor (including, but not limited to 
Medicare Administrative Contractors, fiscal intermediaries, and 
carriers) that assists in the administration of a CMS-administered 
health benefits program, or to a grantee of a CMS-administered grant 
program, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud, waste or abuse in such program;
    9. To assist another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs;
    10. To disclose records to appropriate Federal agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to respond to a suspected 
or confirmed breach of the security or confidentiality of information 
maintained in this system of records, and the information disclosed is 
relevant and necessary for that assistance; and
    11. To assist the U.S. Department of Homeland Security (DHS) cyber 
security personnel, if captured in an intrusion detection system used 
by HHS and DHS (e.g., pursuant to the Einstein 2 program).

B. ADDITIONAL CIRCUMSTANCES AFFECTING DISCLOSURE OF PII DATA:
    To the extent that the individual claims records in this system 
contain Protected Health Information (PHI) as defined by HHS regulation 
``Standards for Privacy of Individually Identifiable Health 
Information'' (45 CFR Parts 160 and 164, Subparts A and E), disclosures 
of such PHI that are otherwise authorized by these routine uses may 
only be made if, and as, permitted or required by the ``Standards for 
Privacy of Individually Identifiable Health Information'' (see 45 CFR 
164-512(a)(1)).
    In addition, HHS policy will be to prohibit release even of data 
not directly identifiable with a particular individual, except pursuant 
to one of the routine uses or if required by law, if CMS determines 
there is a possibility that a particular individual can be identified 
through implicit deduction based on small cell sizes (instances where 
the patient population is so small that individuals could, because of 
the small size, use this information to deduce the identity of a 
particular individual).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    All records are stored on magnetic media.

RETRIEVABILITY:
    Information may be retrieved by any of these personal identifiers: 
provider's TIN (which could be a SSN); NPI; CMS Certification Number 
(CCN); Patient's SSN or a Beneficiary's HICN; a patient's or 
beneficiary's name in combination with the patient's or beneficiary's 
date of birth.

SAFEGUARDS:
    Personnel having access to the system have been trained in the 
Privacy Act and information security requirements. Employees who 
maintain records in this system are instructed not to release data 
until the intended recipient agrees to implement appropriate 
management, operational and technical safeguards sufficient to protect 
the confidentiality,

[[Page 19344]]

integrity and availability of the information and information systems 
and to prevent unauthorized access.
    Access to records in the hospice database system will be limited to 
CMS personnel and contractors through password security, encryption, 
firewalls, and secured operating system. Any electronic or hard copies 
of financial-related records containing PII at CMS and contractor 
locations will be kept in secure electronic files or in file folders 
locked in secure file cabinets during non-duty hours.

RETENTION AND DISPOSAL:
    Retention and disposal of these records are in accordance with 
published record schedules of the Centers for Medicare & Medicaid 
Services and as approved by the National Archives and Records 
Administration. Beneficiary claims records are currently subject to a 
document preservation order and will be preserved indefinitely pending 
further notice from the U.S. Department of Justice.

SYSTEM MANAGER AND ADDRESS:
    Director, Division of Chronic & Post-Acute Care, Quality 
Measurement & Health Assessment Group, Center for Clinical Standards 
and Quality, Centers for Medicare & Medicaid Services, 7500 Security 
Boulevard, Mail Stop S3-02-01, Baltimore, MD 21244-1850.

NOTIFICATION PROCEDURE:
    An individual record subject who wishes to know if this system 
contains records about him or her should write to the system manager 
who will require the system name, HICN, and for verification purposes, 
the subject individual's name (woman's maiden name, if applicable), and 
SSN. Furnishing the SSN is voluntary, but it may make searching for a 
record easier and prevent delay.

RECORD ACCESS PROCEDURE:
    An individual seeking access to records about him or her in this 
system should use the same procedures outlined in Notification 
Procedures above. The requestor should also reasonably specify the 
record contents being sought. (These procedures are in accordance with 
Department regulation 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    To contest a record, the subject individual should contact the 
system manager named above, and reasonably identify the record and 
specify the information to be contested. The individual should state 
the corrective action sought and the reasons for the correction with 
supporting justification. (These procedures are in accordance with 
Department regulation 45 CFR 5b.7)

RECORD SOURCE CATEGORIES:
    Information about individuals collected and maintained in this 
database is collected by means of the HIS. Hospices may transmit HIS 
data to CMS using free software that is provided by CMS. In the 
alternative, hospice providers may submit HIS data via customized 
computer programs which are created by private vendors in accordance 
with technical data specifications issued by CMS. Information 
transmitted about hospice patients is collected by hospice providers 
directly from the patients or from the patients' medical records. Any 
information about an individual provider or contact person for a 
provider that is included as the provider's business-identifying 
information on the collection instrument is provided by the provider or 
contact person.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:
    None.

    Dated: March 26, 2014.
Timothy P. Love,
Chief Operating Officer, Centers for Medicare & Medicaid Services.
[FR Doc. 2014-07552 Filed 4-7-14; 8:45 am]
BILLING CODE 4120-03-P