[Federal Register Volume 79, Number 211 (Friday, October 31, 2014)]
[Notices]
[Pages 64802-64805]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-25937]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of Modified System of Records

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of a Modified System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, we are proposing to modify an existing SOR titled, ``Chronic 
Condition Data Repository (CCDR), System No. 09-70-0573'' last 
published at 71 FR 54495, September 15, 2006. The current name of the 
SOR, Chronic Condition Data Repository, was developed during the 
planning and development stages of the system. Upon the implementation 
and throughout the operations and maintenance stages of the system, the 
system has been referred to as the Chronic Condition Warehouse (CCW) in 
common usage and written references. In keeping with this current 
usage, we will modify the name of this SOR to read, and from this point 
forward will refer to the system as: ``Chronic Condition Warehouse 
(CCW).''
    We propose to broaden the scope of the system to include data that 
can be easily linked, at the individual patient level, to all Medicare 
and Medicaid claims, enrollment and/or eligibility data, nursing home 
and home health assessments, and CMS beneficiary survey data. 
Accordingly, we are updating the Authority Section to include Title 
XVIII of the Social Security Act as amended (the Act); Section 
1902(a)(6) of the Act; Section

[[Page 64803]]

1142(c)(6) of the Act; and Title IV of the Balanced Budget Act (Pub. L. 
105-33). The Record Source Categories section will be modified to 
include data from two new systems of records: the CMS Encounter Data 
System, System No. 09-70-0506, and the National Death Index, System No. 
09-20-0166. These modifications will make the CCW a more useful tool by 
which to support research, policy analysis, quality improvement 
activities, and demonstrations that attempt to foster a better 
understanding of how to improve the quality of life and contain the 
health care costs of the chronically ill.
    We propose to modify existing Routine Use Number 1, to limit 
disclosures only to contractors of CMS. We also propose to add two new 
routine uses. Specifically, we propose adding a routine use to permit 
disclosures to healthcare providers who seek patient information for 
use in care coordination and quality improvement activities as 
described at 45 CFR 164.506(c)(4). This routine use will be added as 
Routine Use Number 4. We also propose adding a routine use to support 
public or private Qualified Entities (QEs) that use Medicare claims 
data to evaluate the performance of providers of services and suppliers 
on measures of quality, efficiency, effectiveness, and resource use. 
This routine use will be added as routine use number 6.
    Finally, we are modifying the language in Routine Use Number 3 to 
include grantees of CMS administered grant programs and have made minor 
grammatical changes to Routine Use Number 10. These modifications will 
provide a better explanation as to the need for the routine use, and to 
clearly state CMS's intention when making disclosures of individually 
identifiable information contained in this system.
    We have provided background information about the modified system 
in the Supplementary Information section below. Although the Privacy 
Act requires only that the ``Routine Use'' section of the system of 
records notice be published for comment, CMS invites comments on all 
portions of this notice. See the Effective Dates section for 
information on the comment period.

DATES: Effective Dates: CMS filed a modified SOR report with the Chair 
of the House Committee on Government Reform and Oversight, the Chair of 
the Senate Committee on Homeland Security and Government Affairs, and 
the Administrator, Office of Information and Regulatory Affairs, Office 
of Management and Budget (OMB) on September 16, 2014. To ensure that 
all parties have adequate time in which to comment, the modified notice 
will become effective 30 days from the publication of the notice, or 40 
days from the date it was submitted to OMB and the Congress, whichever 
is later. We may defer implementation of this modified system or one or 
more of the new routine uses listed below if we receive comments that 
persuade us to defer implementation.

ADDRESSES: The public should address comments to: CMS Privacy Officer, 
Privacy Policy Compliance Group, Office of E-Health Standards & 
Services, Office of Enterprise Management, CMS, 7500 Security 
Boulevard, Baltimore, MD 21244-1870, Mailstop: S2-24-25, Office: (410) 
786-5357, E-Mail: [email protected]. Comments received will be 
available for review at this location, by appointment, during regular 
business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern 
Time zone.

FOR FURTHER INFORMATION CONTACT: Michelle Seal, Health Insurance 
Specialist, Division of Research Data Development (DRDD), Data 
Development and Services Group, Office of Information Products and Data 
Analytics (OIPDA), OEM, CMS, Mail Stop B2-29-04, 7500 Security 
Boulevard, Baltimore, MD 21244-1850. Office Phone: 410-786-3679, Email 
address: [email protected].

SUPPLEMENTARY INFORMATION: The CCW will house data that will be easily 
linked, at the individual patient level, for all Medicare and Medicaid 
claims, enrollment and/or eligibility data, nursing home and home 
health assessments, and CMS beneficiary survey data. This data 
repository will transform and summarize this administrative health and 
health insurance information into data which will support research, 
policy analysis, quality improvement activities, demonstrations, and 
studies. These are aimed at improving the quality of care and reducing 
the cost of care for chronically ill Medicare beneficiaries and 
Medicaid recipients.
    The repository is designed to encourage research and innovation 
that will reduce program spending, inform policy analyses, make current 
Medicare and Medicaid program data more readily available to 
researchers to study chronic illness in the Medicare and Medicaid 
populations, and improve process time for research data requests by 
refocusing on analytic, as opposed to operational considerations. The 
repository will also use utilize data analytic tools to organize and 
transform diagnostic information on a beneficiary's Medicare or 
Medicaid claims into information about their chronic medical 
conditions.
    The Virtual Research Data Center (VRDC), an analytic tool, provides 
a secure mechanism for accessing and analyzing data within the 
environment instead of sending physical data files to researchers for 
analysis at their site. The workbench analytic tool provides users with 
the ability to create a custom sample of individuals and view 
associated claims within the VRDC environment. Analysis of data using 
these tools increases the privacy and security of the data.

The Privacy Act

    The Privacy Act governs the collection, maintenance, use, and 
dissemination of certain information about individuals by agencies of 
the Federal Government.
    A ``SOR'' is a group of any records under the control of a Federal 
agency from which information about individuals is retrieved by name or 
other personal identifier. The Privacy Act requires each agency to 
publish in the Federal Register a description of the type and character 
of each system of records that the agency maintains, and the routine 
uses that are contained in each system to make agency recordkeeping 
practices transparent, to notify individuals regarding the uses to 
which their records are put, and to assist individuals to more easily 
find such files within the agency.
SYSTEM NUMBER: 09-70-0573

SYSTEM NAME:
    ``Chronic Condition Warehouse'' (CCW) HHS/CMS/OEM.

SECURITY CLASSIFICATION:
    Unclassified

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850, and at various contractor sites.

CATEGORIES OF INDIVIDUALS IN THE SYSTEM:
    CCW will collect and maintain individually identifiable and other 
data collected on Medicare beneficiaries, Medicaid recipients, and 
individually identifiable data on certain health care professionals.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The collected information will include, but is not limited to, 
individually identifiable Medicare and Medicaid claims, enrollment, and 
eligibility data, including names, addresses, health insurance claims 
numbers, social security numbers, race/

[[Page 64804]]

ethnicity data, gender, date of birth, Medicare Part A, B and C 
enrollment information, prescription drug coverage information, 
surgical procedures, diagnoses, provider name(s), unique provider 
identification numbers, National Provider Identification Numbers (NPI) 
as well as clinical assessment and outcome measures, and demographic, 
health/well-being, and background information relating to Medicare and 
Medicaid issues.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The CCW is authorized by Sections 723 of the Medicare Prescription 
Drug Improvement and Modernization Act of 2003 (MMA) (Pub. L. 108-173), 
which was enacted into law on December 8, 2003, and amended Title XVIII 
of the Social Security Act (the Act); Section 1902(a)(6) of the Act; 
Section 1142(c)(6) of the Act; and Title IV of the Balanced Budget Act 
(Pub. L. 105-33).

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to support research, policy analysis, 
quality improvement activities, and demonstrations that attempt to 
foster a better understanding of how to improve the quality of life and 
contain the health care costs of the chronically ill. This system will 
utilize data analytic tools to support accessing data by chronic 
conditions and process complex customized data requests related to 
chronic illnesses.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
A. Entities Who May Receive Disclosures under Routine Use
    The Privacy Act allows CMS to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible use of data is known as a ``routine 
use''. The proposed routine uses in this system meet the compatibility 
requirement of the Privacy Act. We are proposing to establish the 
following routine use disclosures of information maintained in the 
system:
    1. To CMS contractors who have been engaged by the agency to assist 
in the performance of a service related to this collection and who need 
to have access to the records in order to perform the activity.
    2. To another Federal or state agency to:
    a. Contribute to the accuracy of CMS's proper payment of Medicare 
benefits;
    b. Enable such agency to administer a Federal health benefits 
program, or, as necessary, to enable such agency to fulfill a 
requirement of a Federal statute or regulation that implements a health 
benefits program funded in whole or in part with Federal funds; and/or
    c. Assist Federal and/or state officials carrying out the Medicaid 
program.
    3. To an individual or organization including grantees of a CMS 
administered grant program that require individually identifiable 
health information for use in research projects including any 
evaluation project related to the prevention of disease or disability, 
the restoration or maintenance of health, or payment reform related 
projects that produces generalizable knowledge.
    4. To a healthcare provider who seeks patient information for use 
in care coordination and quality improvement activities as described at 
45 CFR 164.506(c)(4);
    5. To Quality Improvement Organizations (QIO) in connection with 
review of claims, or in connection with studies or other review 
activities conducted pursuant to Part B of Title XI of the Act, and in 
performing affirmative outreach activities to individuals for the 
purpose of establishing and maintaining their entitlement to Medicare 
benefits or health insurance plans.
    6. To a public or private Qualified Entity (QE) that uses Medicare 
claims data to evaluate the performance of providers of services and 
suppliers on measures of quality, efficiency, effectiveness, and 
resource use; and who agrees to meet the requirements regarding the 
transparency of their methods and their use and protection of Medicare 
data.
    7. To the Department of Justice (DOJ), court or adjudicatory body 
when: a. The agency or any component thereof, or b. Any employee of the 
agency in his or her official capacity, or c. Any employee of the 
agency in his or her individual capacity where the DOJ has agreed to 
represent the employee, or d. The United States Government, is a party 
to litigation or has an interest in such litigation, and, by careful 
review, CMS determines that the records are both relevant and necessary 
to the litigation and that the use of such records by the DOJ, court or 
adjudicatory body is compatible with the purpose for which the agency 
collected the records.
    8. To a CMS contractor (including, but not necessarily limited to, 
Medicare Administrative Contractors (MACs)) that assists in the 
administration of a CMS- administered health benefits program, when 
disclosure is deemed reasonably necessary by CMS to prevent, deter, 
discover, detect, investigate, examine, prosecute, sue with respect to, 
defend against, correct, remedy, or otherwise combat fraud or abuse in 
such program.
    9. To another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any State or local governmental agency), that 
administers, or that has the authority to investigate potential fraud 
or abuse in, a health benefits program funded in whole or in part by 
Federal funds, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud or abuse in such programs.
    10. To Federal Departments, agencies and their contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this 
system of records, where the information disclosed is relevant to and 
necessary for that assistance.
    11. To the U.S. Department of Homeland Security (DHS) cyber 
security personnel, if captured in an intrusion detection system used 
by HHS and DHS pursuant to the Einstein 2 program.
    12. To public health authorities, and those entities acting under a 
delegation of authority from a public health authority, when requesting 
beneficiary-identifiable information to carry out statutorily-
authorized public health activities pertaining to emergency 
preparedness and response.

B. ADDITIONAL CIRCUMSTANCES AFFECTING DISCLOSURE OF PII DATA:
    To the extent that the individual claims records in this system 
contain Protected Health Information (PHI) as defined by HHS regulation 
``Standards for Privacy of Individually Identifiable Health 
Information'' (45 CFR parts 160 and 164, Subparts A and E), disclosures 
of such PHI that are otherwise authorized by these routine uses may 
only be made if, and as, permitted or required by the ``Standards for 
Privacy of Individually Identifiable Health Information'' (see 45 CFR 
164-512 (a) (1)).
    In addition, HHS policy will be to prohibit release even of data 
not directly identifiable with a particular individual, except pursuant 
to one of the routine uses or if required by law, if CMS determines 
there is a possibility that a particular individual can be identified 
through implicit deduction based on small cell sizes (instances where 
the patient population is so small that individuals could, because of 
the small

[[Page 64805]]

size, use this information to deduce the identity of a particular 
individual).

RETENTION AND DISPOSAL:
    CMS will retain information for a total period not to exceed 30 
years. All claims-related records are encompassed by the document 
preservation order and will be retained until notification is received 
from DOJ.

RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE 
SYSTEM:
STORAGE:
    All records are stored on electronic media.

RETRIEVABILITY:
    The collected data are retrieved by an individual identifier; e.g., 
beneficiary, recipient or provider name, HICN, or unique provider 
identification number (NPI).

SAFEGUARDS:
    CMS has safeguards in place for authorized users and monitors such 
users to ensure against excessive or unauthorized use. Personnel having 
access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system are instructed not to release data until the intended 
recipient agrees to implement appropriate management, operational and 
technical safeguards sufficient to protect the confidentiality, 
integrity and availability of the information and information systems 
and to prevent unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal, HHS, and CMS policies and standards as they 
relate to information security and data privacy. These laws and 
regulations may apply but are not limited to: The Privacy Act of 1974; 
and the Federal Information Department regulation 45 CFR 5b.7.

SYSTEM MANAGER AND ADDRESS:
    Director, Data Development and Services Group, Office of 
Information Products and Data Analytics (OIPDA), OEM, Mail Stop B2-29-
04, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1849.

NOTIFICATION PROCEDURE:
    An individual record subject who wishes to know if this system 
contains records about him or her should write to the system manager 
who will require the system name, HICN, and for verification purposes, 
the subject individual's name (woman's maiden name, if applicable), and 
SSN (furnishing the SSN is voluntary, but it may make searching for a 
record easier and prevent delay).

RECORD ACCESS PROCEDURE:
    An individual seeking access to records about him or her in this 
system should use the same procedures outlined in Notification 
Procedures above. The requestor should also reasonably specify the 
record contents being sought. (These procedures are in accordance with 
Department regulation 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    To contest a record, the subject individual should contact the 
system manager named above, and reasonably identify the record and 
specify the information to be contested. The individual should state 
the corrective action sought and the reasons for the correction with 
supporting justification. (These procedures are in accordance with 
Department regulation 45 CFR 5b.7.)

RECORDS SOURCE CATEGORIES:
    The data collected and maintained in this system are retrieved from 
the following databases: Medicare Drug Data Processing System, System 
No. 09-70-0553 (73 FR 30943 (May 29, 2008)); Medicare Beneficiary 
Database, System No. 09-70-0536 (71 FR 70396 (December 4, 2006)); 
Medicare Advantage Prescription Drug System, System No. 09-70-0588 (76 
FR 47190 (August 4, 2011)); Medicaid Statistical Information System, 
System No. 09-70-0541 (71 FR 65527 (November 8, 2006)); Retiree Drug 
Subsidy Program, System No. 09-70-0550 (70 FR 41035 (July 15, 2005)); 
Common Working File, System No. 09-70-0526 (71 FR 64955 (November 6, 
2006)); National Claims History, System No. 09-70-0558 (71 FR 67137 11/
20/2006 (November 20, 2006)); Enrollment Database, System No. 09-70-
0502 (73 FR 10249 2/26/2008 (February 26, 2008)); Carrier Medicare 
Claims Record, System No. 09-70-0501 (71 FR 64968 11/6/2006 (November 
6, 2006)); Intermediary Medicare Claims Record, System No. 09-70-0503 
(71 FR 648961 (November 6, 2006)); Unique Physician/Provider 
Identification Number, System No. 09-70-0525 (71 FR 66535 (November 15, 
2006)); Medicare Supplier Identification File, System No. 09-70-0530 
(71 FR 70404 (December 4, 2006)), A Current Beneficiary Survey, System 
No. 09-70-0519 (71 FR 60722 (October 16, 2006)); National Plan & 
Provider Enumerator System, System No. 09-70-0555, (75 FR 30411 (June 
1, 2010)); Long Term Care MDS, System No. 09-70-0528 (72 FR 12801 
(March 19, 2007)); HHA Outcome and Assessment Information Set, System 
No. 09-70-0522 (72 FR 63906 (November 13, 2007)); and Integrated Data 
Repository, System No. 09-70-0571 (71 FR 74915 (December 13, 2006)); 
Provider Enrollment Chain and Ownership System, System No. 09-70-0532 
(71 FR 60536 (October 13, 2006); Medicare and Medicaid Electronic 
Health Record (EHR) Incentive Program National Level Repository, System 
No. 09-70-0587 (75 FR 73095 (November 29, 2010)); Performance 
Measurement and Reporting System, System No. 09-70-0584 (74 FR 17672 
(April 16, 2009)); Encounter Data System, 09-70-0506 (79 FR 34539 (June 
17, 2014)); and National Death Index, 09-20-0166 (49 FR 37692 
(September 25, 1984)).

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

Celeste Dade-Vinson,
Health Insurance Specialist, Centers for Medicare & Medicaid Services.
[FR Doc. 2014-25937 Filed 10-30-14; 8:45 am]
BILLING CODE 4120-03-P