[Federal Register Volume 79, Number 116 (Tuesday, June 17, 2014)]
[Notices]
[Pages 34539-34542]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-14038]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare and Medicaid Services


Privacy Act of 1974; Report of New System of Records

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of New System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, we are proposing to establish a new SOR, titled ``CMS Encounter 
Data System (EDS)'', System No. 09-70-0506. CMS intends to collect 
encounter data, or data on each item or service delivered to enrollees 
of Medicare Advantage (MA) plans offered by MA organizations as defined 
at Title 42, Code of Federal Regulation (CFR), Sec.  422.4. Pursuant to 
42 CFR 422.310, each MA organization must submit encounter data to CMS 
that is used to determine the risk adjustment factors for payment, 
updating the risk adjustment model, calculating Medicare 
Disproportionate Share Hospital (DSH) percentages, Medicare coverage 
purposes, and quality review and improvement activities. Encounter data 
will be collected and maintained in the EDS.
    Under the authority granted in Section 1115 of the Social Security 
Act (the Act), CMS is authorized to conduct experimental, pilot or 
demonstration

[[Page 34540]]

projects. CMS is conducting a demonstration project under the Financial 
Alignment Initiative to test a new capitated payment system and item/
service delivery model designed to lower costs and improve the quality 
of care for individuals eligible for both Medicare and Medicaid (dual 
eligibles). CMS and the participating State Medicaid agency jointly 
contract with health plans (known as Medicare-Medicaid Plans or 
``MMPs''). MMPs are paid monthly on a capitated basis and are required 
to submit to CMS comprehensive encounter data on each item or service 
provided to each enrollee, including both Medicare and Medicaid items 
and services. The program and the SOR are more thoroughly described in 
the Supplemental Information section and System of Records Notice 
(SORN), below.

DATES: Effective 30 days after publication. Written comments should be 
submitted on or before the effective date. HHS/CMS/CM may publish an 
amended SORN in light of any comments received.

ADDRESSES: The public should send comments to: CMS Privacy Officer, 
Division of Privacy Policy, Privacy Policy and Compliance Group, Office 
of E-Health Standards and Services, Offices of Enterprise Management, 
CMS, Room S2-24-25, 7500 Security Boulevard, Baltimore, Maryland 21244-
1850. Comments received will be available for review at this location, 
by appointment, during regular business hours, Monday through Friday 
from 9:00 a.m.-3:00 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: Shari Kosko, Division of Encounter 
Data and Risk Adjustment Operations, Medicare Plan Payment Group, 
Center for Medicare, Centers for Medicare & Medicaid Services, Mail 
Stop C1-13-07, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. 
The telephone number is (410) 786-6159 or email: 
[email protected].

SUPPLEMENTARY INFORMATION: Medicare beneficiaries who receive both Part 
A and Part B benefits may elect to receive their Medicare coverage by 
enrolling in a plan offered by a MA organization or certain other 
Medicare private plans. MA plans must provide all Medicare-covered 
items and services, and may also provide additional benefits not 
covered by Original Medicare. CMS pays MA organizations on a monthly 
capitated rate for each beneficiary enrolled, and the MA organizations 
are responsible for paying providers for items and services that are 
provided to enrolled beneficiaries. All MA organizations are required 
to submit encounter data that CMS uses to adjust the advanced monthly 
payments made to the MA organization.
    CMS will collect encounter data for all items and services provided 
to MA plan enrollees covered by all MA organizations in the states 
where the demonstration projects are being conducted. In the case of 
cost plans, only encounter data for items and services covered by the 
plans will be collected. None of the data that will be included in the 
EDS will come from Medicare Part A or Part B data, nor will any 
additional identifiers be provided in the EDS data submitted by the MA 
organizations. However, the data submitted to EDS will be provided into 
the Integrated Data Repository (IDR) and will be available along with 
Medicare Part A and Part B data.
    Beginning with calendar year 2007, 100 percent of monthly payments 
to MA organizations have been subject to adjustment based on risk 
adjustment factors. Given the increased importance of the accuracy of 
our risk adjustment methodology, CMS amended 42 CFR 422.310 in August 
of 2008 to authorize the collection of data from MA organizations 
regarding each item and service provided to a MA plan enrollee. Once 
encounter data for MA enrollees are available in the EDS, CMS will have 
beneficiary-specific information on the utilization of items and 
services by MA plan enrollees. These data will primarily be used to 
develop and calibrate the CMS hierarchical condition categories (CMS-
HCC) for risk adjustment models using MA patterns of diagnoses and 
expenditures. These new models will be used to calculate the risk 
adjustment factors used to adjust advanced monthly payments to MA plans 
made by CMS on behalf of beneficiaries. The data will also be used for 
other purposes such as calculating Disproportionate Share Hospital 
(DSH) payments and quality improvement activities, etc. as outlined in 
42 CFR 422.310(f).
    The types of MA organizations that CMS collects encounter data from 
include: coordinated care plans (including Special Needs Plans), 
private fee for service plans, and a combination of a MA Medical 
Savings Account (MSA) and a contribution into a MA MSA established in 
accordance with 42 CFR 422.262. These categories also include Medicare 
Advantage-Prescription Drug plans, Program-of-All-Inclusive-Care-for-
the-Elderly-(PACE) organizations, Employer Group Health Plans (EGHPs), 
Section 1833 health care prepayment plans (HCPPs) and Section 1876 
plans operated by an HMO or Competitive Medical Plan (HMO/CMP) (42 
U.S.C. 1833 and 42 U.S.C. 1876, referred to collectively as ``cost 
plans'').
    The encounter data that CMS collects includes, the identity of the 
Medicare beneficiary, the provider, the place of service, and the item 
or service provided. In addition to identifying information about the 
beneficiary and provider, other significant data elements submitted by 
the MA organization include, claim pricing information, contact 
information, service provider information, revenue center codes, 
modifiers, Healthcare Common Procedure Coding System (HCPCS) codes, and 
Current Procedural Terminology (CPT) codes.

The Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the 
United States Government maintains personally identifiable information 
(PII) in a system of records. A ``system of records'' is a group of any 
records under the control of a Federal agency from which information 
about individuals is retrieved by name or other personal identifier. 
The Privacy Act requires each agency to publish in the Federal Register 
a system of records notice (SORN) identifying and describing each 
system of records the agency maintains, including a description of the 
categories of records maintained in the system, the source(s) of 
records in the system, the purposes for which the agency uses PII in 
the system, the routine uses for which the agency discloses such 
information outside the agency, and how individual record subjects can 
exercise their rights under the Privacy Act (e.g., to determine if the 
system contains information about them).
SYSTEM NUMBER: 09-70-0506

SYSTEM NAME:
    CMS Encounter Data System (EDS), HHS/CMS/CM.

SECURITY CLASSIFICATION:
    Sensitive, unclassified.

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850; CDS Columbia Data Center EDC2, 
I-20 at Alpine Road, AA-278, Columbia, SC 29219; and at various 
contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Information maintained in this system includes identifying 
information of individuals and beneficiaries who have enrolled in a MA 
plan (including coordinated care plans, Special Needs

[[Page 34541]]

Plans, private fee for service plans, Medicare Medical Savings 
Accounts, PACE organizations, MMPs, and MA-PD plans) (Medicare 
Advantage plus Part D plans) (collectively, ``MA plan enrollees''), 
whose information is reported by a Medicare provider, supplier, 
physician, or other practitioner. It also includes identifying 
information of those health care professionals who provide the items or 
services to individuals during a service year.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system contains the name and other identifying information of 
the MA plan enrollee, beneficiary; and the name, work address, work 
phone number, social security number, National Provider Identification 
Number (NPI) of servicing providers, supplier, physician, or other 
practitioner. CMS will collect the admission date, discharge date, 
health insurance claim number (HICN), Medicare hospital number/CCN (CMS 
Certification Number) and other identifying demographics of individuals 
necessary to characterize the context and purposes of each item and 
service provided to a Medicare enrollee by a provider, supplier, 
physician, or other practitioner. MA plans will make data collection 
changes from 5 data elements currently collected to all of the required 
data elements on the HIPAA 5010 version of the X12 standards.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 1853(a)(3)(B) of the Act requires that MA organizations and 
certain other private Medicare plans submit data regarding inpatient 
hospital and other services that CMS deems necessary to risk adjust 
these payments. The final 2009 Inpatient Prospective Payment System 
rule (73 FR 48757, August 19, 2008) modified 42 CFR 422.310 to clarify 
that the Secretary has the authority to require MA organizations and 
other private plans to submit encounter data for each item and service 
provided to a MA plan enrollee. Information for the Financial Alignment 
Initiative is being collected from MA plans that provide an integrated 
set of Medicare and Medicaid services through the demonstration project 
authorized under section 1115 of the Act.

PURPOSE(S) OF THE SYSTEM:
    The primary purpose of the SOR is to collect and maintain encounter 
data for each item and service provided to MA plan enrollees reported 
by a Medicare provider, supplier, physician, or other practitioner. CMS 
will collect information necessary to determine the risk adjustment 
factors used to adjust payments, calculate Medicare DSH percentages, 
conduct quality review and improvement activities, and for other 
Medicare coverage purposes. Information retrieved from this SOR will 
also be disseminated or disclosed to: (1) Support regulatory, 
reimbursement, and policy functions performed within the Agency or by a 
contractor, consultant, or a CMS grantee; (2) assist another Federal 
agency, agency of a state government, an agency established by state 
law, or its fiscal agent; (3) assist MA plans with required collection 
of encounter data obtained from the provider, supplier, physician, or 
other practitioner that furnished the item or service; (4) support an 
individual or organization for a research; (5) support litigation 
involving the Agency related to this SOR; (6) to assist a contractor 
combat fraud, waste, and abuse in certain health care programs; (7) to 
assist another Federal agency combat fraud, waste, and abuse; (8) to 
assist appropriate Federal agencies and CMS contractors and consultants 
to assist in CMS' efforts to respond to a suspected or confirmed 
breach; (9) assist the U.S. Department of Homeland Security (DHS) cyber 
security personnel; and (10) assist with emergency preparedness.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
Entities Who May Receive Disclosures Under Routine Uses
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
release information from the EDS without the consent of the individual 
to whom such information pertains. Each proposed disclosure of 
information under these routine uses will be evaluated to ensure that 
the disclosure is legally permissible under 42 CFR 422.310, including 
but not limited to ensuring that the purpose of the disclosure is 
compatible with the purpose for which the information was collected. We 
propose to establish the following routine use disclosures of 
information maintained in the system:
    1. To Agency contractors, consultants, or CMS grantees who have 
been engaged by the Agency in order to support them in accomplishment 
of a CMS function relating to the purposes for this collection and who 
need to have access to the records in order to assist CMS.
    2. To another Federal agency, agency of a state government, an 
agency established by state law, or its fiscal agent in order to:
    a. Contribute to the accuracy of CMS' proper payment of Medicare 
benefits,
    b. enable such agency to administer a Federal health benefits 
program, or as necessary to enable such agency to fulfill a requirement 
of a Federal statute or regulation that implements a health benefits 
program funded in whole or in part with Federal funds, and/or
    c. fulfill oversight, regulatory, or policy functions performed by 
such agency.
    3. To assist MA plans with the required collection of encounter 
data, which is to be obtained from the provider, supplier, physician, 
or other practitioner that furnished the item or service.
    4. To an individual or organization to support or assist them with 
(a) a research, evaluation or epidemiological project related to the 
prevention of disease or disability, the restoration or maintenance of 
health, (b) payment related projects, and (c) analysis of the provision 
of health services.
    5. To provide information to the U.S. Department of Justice (DOJ), 
a court, or an adjudicatory body when (a) CMS or any component thereof, 
or (b) any employee of CMS in his or her official capacity, or (c) any 
employee of CMS in his or her individual capacity where the DOJ has 
agreed to represent the employee, or (d) the United States Government, 
is a party to litigation or has an interest in such litigation, and by 
careful review, CMS determines that the records are both relevant and 
necessary to the litigation and that the use of such records by the 
DOJ, court, or adjudicatory body is compatible with the purpose for 
which the agency collected the records.
    6. To a CMS contractor (including but not limited to Medicare 
Administrative Contractors) that assists in the administration of a 
CMS-administered health benefits program, or to a grantee of a CMS-
administered grant program, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud, waste or abuse in such program.
    7. To another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect,

[[Page 34542]]

investigate, examine, prosecute, sue with respect to, defend against, 
correct, remedy, or otherwise combat fraud, waste or abuse in such 
programs.
    8. To appropriate Federal agencies and CMS contractors and 
consultants that have a need to know the information for the purpose of 
assisting CMS' efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this SOR, 
provided that the information disclosed is relevant and necessary for 
that assistance.
    9. To the U.S. Department of Homeland Security (DHS) cyber security 
personnel, if captured in an intrusion detection system used by HHS and 
DHS pursuant to the Einstein 2 programs.
    10. To disclose the personally identifiable information of MA plan 
enrollees to public health authorities, and those entities acting under 
a delegation of authority from a public health authority, when 
requesting such information to carry out statutorily-authorized public 
health activities pertaining to emergency preparedness and response. 
Disclosures under this routine use will be limited to ``public health 
authorities'', ``public health activities'', and ``minimum necessary 
data'', as defined in the HIPAA Privacy Rule (45 CFR 154.502, 
164.512(b), 164.502(b) and 164.514(d)(3)(iii)(A)).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM
STORAGE:
    All records are stored on magnetic media.

RETRIEVABILITY:
    All records are accessible by NPI/NPPES or by beneficiary HICN. 
This system supports both on-line and batch access. The EDS system 
itself does not provide reporting capabilities. All reporting 
functionality can be found in the IDR.

SAFEGUARDS:
    Personnel having access to the system have been trained in the 
Privacy Act and information security requirements. Employees who 
maintain records in this system are instructed not to release data 
until the intended recipient agrees to implement appropriate 
management, operational, and technical safeguards sufficient to protect 
the confidentiality, integrity and availability of the information and 
information systems, and to prevent unauthorized access. Access to 
records in the EDS will be limited to CMS personnel and approved 
contractors.

RETENTION AND DISPOSAL:
    Records containing PII will be maintained for a period of up to 10 
years after entry in the database. Any such records that are needed 
longer, such as to resolve claims and audit exceptions or to prosecute 
fraud, will be retained until such matters are resolved. Enrollee 
claims records are currently subject to a document preservation order 
and will be preserved indefinitely pending further notice from the DOJ.

SYSTEM MANAGER AND ADDRESS:
    Director, Division of Risk Adjustment Payment and Policy, Medicare 
Plan Payment Group, Center for Medicare, Centers for Medicare & 
Medicaid Services.

NOTIFICATION PROCEDURE:
    Individuals wishing to know if this system contains records about 
them should write to the system managers and include the pertinent 
personal identifier used for retrieval of their records (i.e., TIN, NPI 
or HICN).

RECORD ACCESS PROCEDURE:
    Individuals seeking access to records about them in this system 
should follow the same instructions indicated under ``Notification 
Procedure'' and reasonably specify the record contents being sought. 
(These procedures are in accordance with HHS Privacy Act regulations at 
45 CFR 5b.5 (a)(2)).

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest the content of information about 
them in this system should follow the same instructions indicated under 
``Notification Procedure.'' The request should reasonably identify the 
record and specify the information being contested; state the 
corrective actions sought, and provide the reasons for the correction, 
with supporting justification. (These procedures are in accordance with 
HHS Privacy Act regulations at 45 CFR 5b.7).

RECORD SOURCE CATEGORIES:
    Sources of information contained in this records system include 
data collected from MA organizations and encounter data obtained from 
the provider, supplier, physician, or other practitioner that furnished 
the item or service.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

Celeste Dade-Vinson,
Health Insurance Specialist, Centers for Medicare & Medicaid Services.
[FR Doc. 2014-14038 Filed 6-16-14; 8:45 am]
BILLING CODE 4120-03-P