[Federal Register Volume 81, Number 21 (Tuesday, February 2, 2016)]
[Proposed Rules]
[Pages 5397-5417]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01790]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Part 401

[CMS-5061-P]
RIN 0938-AS66


Medicare Program: Expanding Uses of Medicare Data by Qualified 
Entities

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule would implement new statutory requirements 
that would expand how qualified entities may use and disclose data 
under the qualified entity program to the extent consistent with 
applicable program requirements and other applicable laws, including 
information, privacy, security and disclosure laws. In doing so, this 
proposed rule would explain how qualified entities may create non-
public analyses and provide or sell such analyses to authorized users, 
as well as how qualified entities may provide or sell combined data, or 
provide Medicare claims data alone at no cost, to certain authorized 
users. This proposed rule would also implement certain privacy and 
security requirements, and impose assessments on qualified entities if 
the qualified entity or the authorized user violates the terms of a 
data use agreement (DUA) required by the qualified entity program.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided below, no later than 5 p.m. on March 29, 2016.

ADDRESSES: In commenting, please refer to file code CMS-5061-P. Because 
of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission.
    You may submit comments in one of four ways (please choose only one 
of the ways listed):
    1. Electronically. You may submit electronic comments on this 
regulation to http://www.regulations.gov. Follow the ``Submit a 
comment'' instructions.
    2. By regular mail. You may mail written comments to the following 
address only: Centers for Medicare & Medicaid Services, Department of 
Health and Human Services, Attention: CMS-5061-P, P.O. Box 8010, 
Baltimore, MD 21244-1850.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By express or overnight mail. You may send written comments to 
the following address only: Centers for Medicare & Medicaid Services, 
Department of Health and Human Services, Attention: CMS-5061-P, Mail 
Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.
    4. By hand or courier. Alternatively, you may deliver (by hand or 
courier) your written comments only to the following addresses prior to 
the close of the comment period:
    a. For delivery in Washington, DC--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, Room 445-G, Hubert 
H. Humphrey Building, 200 Independence Avenue SW., Washington, DC 
20201.
    (Because access to the interior of the Hubert H. Humphrey Building 
is not readily available to persons without Federal government 
identification, commenters are encouraged to leave their comments in 
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing 
by stamping in and retaining an extra copy of the comments being 
filed.)
    b. For delivery in Baltimore, MD--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, 7500 Security 
Boulevard, Baltimore, MD 21244-1850.
    If you intend to deliver your comments to the Baltimore address, 
call telephone number (410) 786-9994 in advance to schedule your 
arrival with one of our staff members.
    Comments erroneously mailed to the addresses indicated as 
appropriate for hand or courier delivery may be delayed and received 
after the comment period.
    For information on viewing public comments, see the beginning of 
the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Allison Oelschlaeger, (202) 690-8257. 
Kari Gaare, (410) 786-8612.

SUPPLEMENTARY INFORMATION:
    Inspection of Public Comments: All comments received before the 
close of the comment period are available for viewing by the public, 
including any personally identifiable or confidential business 
information that is included in a comment. We post all comments 
received before the close of the comment period on the following Web 
site as soon as possible after they have been received: http://www.regulations.gov. Follow the search instructions on that Web site to 
view public comments.
    Comments received timely will also be available for public 
inspection as they are received, generally beginning approximately 3 
weeks after publication of a document, at the headquarters of the 
Centers for Medicare & Medicaid Services, 7500 Security Boulevard, 
Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 
a.m. to 4 p.m. To schedule an appointment to view public comments, 
phone 1-800-743-3951.

I. Background

    On April 16, 2015, the Medicare Access and CHIP Reauthorization Act 
of 2015 (MACRA) (Pub. L. 114-10) was enacted. The law included a 
provision, Section 105, Expanding the Availability of Medicare Data, 
which takes effect on July 1, 2016. This section expands how qualified 
entities will be allowed to use and disclose data under the qualified 
entity program, including data subject to section 1874(e) of the Social 
Security Act (the Act), to the extent consistent with other applicable 
laws, including information, privacy, security and disclosure laws.
    The Qualified Entity program was established by Section 10332 of 
the Patient Protection and Affordable Care Act (Affordable Care Act) 
(Pub. L. 111-148). The implementing regulations, which became effective 
January 6, 2012, are found in subpart G of 42 CFR part 401 (76 FR 
76542). Under those provisions, CMS provides standardized extracts of 
Medicare Part A and B claims data and Part D drug event data

[[Page 5398]]

(hereinafter collectively referred to as Medicare claims data) covering 
one or more geographic regions to qualified entities at a fee equal to 
the cost of producing the data. Under the original statutory 
provisions, such Medicare claims data must be combined with other non-
Medicare claims data and may only be used to evaluate the performance 
of providers and suppliers. The measures, methodologies and results 
that comprise such evaluations are subject to review and correction by 
the subject providers and suppliers, after which the results are to be 
disseminated in public reports.
    Those wishing to become qualified entities are required to apply to 
the program. Currently, thirteen organizations have applied and 
received approval to be a qualified entity. Of these organizations, two 
have completed public reporting while the other eleven are in various 
stages of preparing for public reporting. While we have been pleased 
with the participation in the program so far, we expect that the 
changes required by MACRA will increase interest in the program.
    Under section 105 of MACRA, effective July 1, 2016, qualified 
entities will be allowed to use the combined data and information 
derived from the evaluations described in 1874(e)(4)(D) of the Act to 
conduct non-public analyses and provide or sell these analyses to 
authorized users for non-public use in accordance with the program 
requirements and other applicable laws. In highlighting the need to 
comply with other applicable laws, we particularly note that any 
qualified entity that is a covered entity or business associate as 
defined in the Health Insurance Portability and Accountability Act of 
1996 (``HIPAA'') regulations at 45 CFR 160.103 will need to ensure 
compliance with any applicable HIPAA requirements, including the bar on 
the sale of Protected Health Information.
    In addition, qualified entities will be permitted to provide or 
sell the combined data, or provide the Medicare claims data alone at no 
cost, again, in accordance with the program requirements and other 
applicable laws, to providers, suppliers, hospital associations, and 
medical societies. Qualified entities that elect to provide or sell 
analyses and/or data under these new provisions will be subject to an 
assessment if they or the authorized users to whom they disclose 
beneficiary identifiable data in the form of analyses or raw data act 
in a manner that violates the terms of a program-required Qualified 
EntityData Use Agreement (QE DUA). Furthermore, qualified entities that 
make analyses or data available under these new provisions will be 
subject to new annual reporting requirements to aid CMS in monitoring 
compliance with the program requirements. These new annual reporting 
requirements will only apply to qualified entities that choose to 
provide or sell non-public analyses and/or provide or sell combined 
data, or provide Medicare claims data alone at no cost.
    We believe these changes to the qualified entity program will be 
important in driving higher quality, lower cost care in Medicare and 
the health system in general. We also believe that these changes will 
drive renewed interest in the qualified entity program, leading to more 
transparency regarding provider and supplier performance and innovative 
uses of data that will result in improvements to the healthcare 
delivery system while still ensuring appropriate privacy and security 
protections for beneficiary-identifiable data.

II. Provisions of the Proposed Regulations

    To implement the new statutory provisions of section 105 of MACRA, 
we propose to amend and make conforming changes to Part 401 Subpart G, 
``Availability of Medicare Data for Performance Measurement.'' 
Throughout the preamble, we identify options and alternatives to the 
provisions we propose. We strongly encourage comments on our proposed 
approach, as well as any alternatives.

A. Non-Public Analyses

    Section 105(a)(1) of MACRA expands how qualified entities will be 
allowed to use and disclose the combined data and any information 
derived from the evaluations described in section 1874(e)(4)(D) of the 
Act. The section provides for such data's use and/or disclosure in 
additional non-public analyses that may be given or, in certain 
circumstances, sold to authorized users in accordance with program 
requirements and other applicable laws, including information, privacy, 
security, and disclosure laws. An authorized user is defined at Sec.  
401.703(j) and the definition is discussed below in section II.C. The 
new proposals regarding the disclosure and/or sale of combined data or 
the disclosure of Medicare data at no cost are discussed below in 
section II.B.
    To implement the non-public analyses provisions, we propose to add 
a new Sec.  401.716. Under Sec.  401.716, paragraph (a) would provide 
for the qualified entity's use of the combined data or information 
derived from the evaluations described in section 1874(e)(4)(D) of the 
Act to create non-public analyses. Paragraph (b) would provide for the 
provision or sale of these analyses to authorized users in accordance 
with the program requirements discussed later in this section, as well 
as other applicable laws.
1. Additional Analyses
    We propose at Sec.  401.703(q) to define combined data as a set of 
CMS claims data provided under subpart G combined with a subset of 
claims data from at least one of the other claims data sources 
described in Sec.  401.707(d). Sec.  401.707(d) requires qualified 
entities to submit to CMS information on the claims data it possesses 
from other sources, that is, any other provider-identifiable or 
supplier-identifiable data for which the qualified entity has full data 
usage rights. In defining the term in this manner, we are not proposing 
to establish a minimum amount of data that must be included in the 
combined data set from other sources, but, as we noted in our December 
7, 2011 final rule (76 FR 76542), we believe that the requirement to 
use combined data is likely to lead to increased validity and 
reliability of the performance findings through the use of larger and 
more diverse samples. As such, we expect qualified entities will choose 
to use sufficient claims data from other sources to ensure such 
validity and reliability. That said, we recognize that there may be 
instances in which other sources of claims data (for example, Medicaid 
or private payer data) may be of limited value. For instance, depending 
on the other claims data a given qualified entity may hold, Medicare 
data may provide the best opportunity to conduct analyses on 
chronically ill or other resource-intensive populations that may not be 
commonly represented in other sources of claims data. Thus, while the 
statute requires the use of combined data for the analyses, it does not 
specify the minimum amount of data from other sources to qualify as 
combined data, and, as we believe it would be difficult to establish a 
threshold given the variability in the analyses that the qualified 
entities may conduct, we propose not to adopt any minimum standard for 
the amount of other sources of claims data that must be included in a 
combined data set. We are requesting comments on this proposal as well 
as suggestions for other possible alternatives or options.
2. Limitations on the Qualified Entities With Respect to the Sale and 
Provision of Non-Public Analyses
    MACRA imposes a number of limitations on qualified entities with

[[Page 5399]]

respect to the sale and provision of non-public analyses. It mandates 
that a qualified entity may not provide or sell non-public analyses to 
a health insurance issuer unless the issuer is providing the qualified 
entity with claims data under section 1874(e)(4)(B)(iii) of the Act. In 
doing so, the statute does not specify the minimum amount of data that 
the issuer must be providing to the qualified entity. We considered not 
imposing a threshold on the amount of data being provided by the 
issuer, but decided that specifying a threshold would encourage issuers 
to submit data to the qualified entity to be included in the public 
performance reports, increasing the reports' reliability and sample 
size. As a result, we propose at Sec.  401.716(b)(1) to limit qualified 
entities to only providing or selling non-public analyses to issuers 
after they provide the qualified entity with claims data that 
represents a majority of the issuers' covered lives in the geographic 
region and during the time frame of the non-public analyses requested 
by the issuer. For example, if an issuer requested non-public analyses 
using the combined data for the first 6 months of 2015 in Minnesota, it 
would need to provide the qualified entity with data that represents 
over 50 percent of the issuer's covered lives during those 6 months in 
Minnesota. We believe this threshold will ensure that issuers submit a 
large portion of their data to the qualified entity without requiring 
them to share data for their entire population in order to be eligible 
to receive non-public analyses. We seek comment on whether the 
threshold of a majority of the issuer's covered lives in the desired 
geographic area during the time frame covered by the non-public 
analyses requested by the issuer is too high or low, as well as other 
alternatives to specify the amount of data the issuer must provide to a 
qualified entity to be eligible to receive or purchase non-public 
analyses.
    Section 105(a)(3) of MACRA imposes additional requirements on the 
dissemination of non-public analyses or data that contain information 
that individually identify a patient. Because we define the term 
``patient'' later in this section and in a manner that does not relate 
to de-identification of individually identifiable information, we will 
use the word beneficiary in relation to de-identification rather than 
patient. In light of these MACRA provisions, as well as our belief that 
protecting the privacy and security of beneficiaries' information is of 
the utmost importance and our belief that identifiable information on 
individual beneficiaries would generally not be needed by authorized 
users, we propose to impose limits on the content of the non-public 
analyses. In doing so, we recognize that when non-public analyses are 
provided or sold to a provider or supplier, individually identifying 
information such as name, age, gender, or date of birth may be 
essential for the provider or supplier to proactively use the 
information gleaned from the analyses. For example, a provider may not 
know who a patient is based on the unique identifier assigned by the 
payer and as a result would not be able to use the analyses to improve 
care or better coordinate care with other providers for that patient. 
In addition, there is a high likelihood that providers may have 
patients with the same or similar names, so age or date of birth may be 
necessary to identify the patient in the analyses. We therefore propose 
at Sec.  401.716(b)(2) to limit the provision or sale of non-public 
analyses that individually identify a beneficiary to providers or 
suppliers with whom the subject individual(s) have established a 
patient relationship.
    While the term ``patient'' is commonly used in the provision of 
healthcare, reasonable minds may differ on the periodicity with which 
an individual must have contact with a provider or supplier to maintain 
a ``patient'' relationship. Depending on individual practice or 
applicable laws, a person may still be considered a patient of a 
provider or supplier even though a number of years have passed since 
they were seen or provided services by the provider or supplier. 
However, when the individual has not visited a provider or supplier in 
a number of years, analyses that contain individually identifiable 
information about that patient may not be very useful, as any care 
coordination or quality improvement efforts would, presumably, require 
continued contact with that patient. Therefore, for the purposes of 
this program, we propose to define patient as an individual who has 
visited the provider or supplier for a face-to-face or telehealth 
appointment at least once in the past 12 months. This definition is 
similar to that used in the Medicare Shared Savings Program which 
assigns beneficiaries to Accountable Care Organizations based on 
services delivered in the past 12 months. We also believe this 
definition will ensure that providers and suppliers are able to receive 
information about patients they are actively treating. We seek comments 
on this proposal, particularly any beneficiary concerns if we were to 
implement this proposal, and any reasonable alternatives to this 
proposal that might address those concerns.
    Except when patient-identifiable non-public analyses are shared 
with the patient's provider or supplier as described above, we propose 
at Sec.  401.716(b)(3) to require that all non-public analyses must be 
beneficiary de-identified using the de-identification standards in the 
HIPAA Privacy Rule at 45 CFR 164.514(b). De-identification under this 
standard requires the removal of specified data elements or reliance on 
a statistical analysis that concludes that the information is unlikely 
to be able to be used alone or in combination with other available 
information to identify/re-identify the patient subjects of the data. 
The statistical de-identification approach may be more difficult 
because an entity may not have access to an expert capable of 
performing the analysis in accordance with HIPAA Rules, but we believe 
that the protections afforded by HIPAA-like standards of de-
identification are appropriate, as HIPAA has, in many ways, established 
a reasoned and appropriate privacy and security floor for the health 
care industry. That said, the framework for de-identification that is 
laid out in the HIPAA Privacy Rule represents a widely accepted 
industry standard for de-identification, so we think its concepts are 
appropriate for adoption into this program. Additional information on 
the HIPAA de-identification standards can be found on the HHS Office 
for Civil Rights Web site at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.
    We seek comment on this proposal and whether another set of de-
identification standards would be more appropriate to ensure that non-
public analyses do not contain information that individually identifies 
a beneficiary, except as provided for above where the individual is a 
patient of the provider or supplier who is receiving the analyses, and 
how qualified entities that are HIPAA-covered entities could comply 
with such alternate qualified entity program standards while still 
meeting any applicable HIPAA obligations.
    In addition, section 105(a)(6) of MACRA preserves providers' and 
suppliers' opportunity to review analyses (now including non-public 
analyses) that individually identify the provider or supplier. As such, 
we propose at Sec.  401.716(b)(4) to bar qualified entities' disclosure 
of non-public analyses that individually identify a provider or 
supplier unless: (a) The analysis only individually

[[Page 5400]]

identifies the singular recipient of the analysis or (b) each provider 
or supplier who is individually identified in a non-public analysis 
that identifies multiple providers/suppliers has been afforded an 
opportunity to review the aspects of the analysis about them, and, if 
applicable, request error correction. We describe the proposed appeal 
and error correction process in more detail in section II.A.4 below.
3. Limitations on the Authorized User
    While CMS has been granted statutory authority to impose 
requirements and limitations on the qualified entity, it has limited 
authority to oversee authorized users. As such, this proposed 
regulatory scheme is generally structured to require the qualified 
entity to ensure authorized users' compliance with the concepts laid 
out in MACRA through contractual means. In keeping with this, we 
propose at Sec.  401.716(b)(2) and Sec.  401.716(c) to require the 
qualified entity's use of legally binding agreements with any 
authorized users to whom it provides or sells the non-public analyses.
Types of Legally Binding Agreements
    For non-public analyses that include patient identifiable data, we 
propose at Sec.  401.716(b)(2) to require the qualified entity to enter 
into a QE DUA with any authorized users as a pre-condition to providing 
or selling such non-public analyses. As we are also proposing to 
require use of the QE DUA in the context of the provision or sale of 
combined data, or the provision of Medicare data at no cost, we discuss 
the QE DUA in the data disclosure discussion in section II.B below. For 
non-public analyses that include beneficiary de-identified data, we 
propose at Sec.  401.716(c) to require the qualified entity to enter 
into a contractually binding non-public analyses agreement with any 
authorized users as a pre-condition to providing or selling such non-
public analyses. A discussion of the proposed requirements for the non-
public analyses agreements follows in this section.
    We believe that the use of the non-public analyses agreement when 
authorized users receive non-public analyses containing de-identified 
data and the QE DUA when authorized users receive non-public analyses 
that contain patient identifiable information are the best mechanisms 
for ensuring that both qualified entities and authorized users are 
aware of and compliant with the data use and disclosure limitations 
established by MACRA. We seek comment on whether the non-public 
analyses agreement and the QE DUA are the best mechanisms to ensure 
compliance with these restrictions given the authorities established by 
MACRA.
Requirements in the Non-Public Analyses Agreement
    The statute generally allows qualified entities to provide or sell 
their non-public analyses to authorized users for non-public use, but 
it bars use or disclosure of such analyses for marketing (see section 
105(a)(3)(c) of MACRA). Such analyses therefore may include, but would 
not be limited to analyses intended to assist providers' and suppliers' 
development of, and participation in, quality and patient care 
improvement activities, including development of new models of care. 
But, while many types of non-public analyses could lead to improvements 
in the health care delivery system, certain types of analyses could 
cause harm to patients or lead to additional fraud and/or abuse 
concerns for the delivery system. Therefore, despite the breadth of the 
statutory authority, we believe it is important to establish additional 
limits on the non-public analyses, given the expansive types of non-
public analyses that could be conducted by the qualified entities if no 
limits are placed on such analyses, and the potential deleterious 
consequences of some such analyses.
    With this in mind, we propose at Sec.  401.716(c)(1) that the non-
public analyses agreement require that non-public analyses conducted 
using combined data or the information derived from the evaluations 
described in section 1874(e)(4)(D) of the Act may not be used or 
disclosed for the following purposes: marketing, harming or seeking to 
harm patients and other individuals both within and outside the 
healthcare system regardless of whether their data are included in the 
analyses (for example, an employer using the analyses to attempt to 
identify and fire employees with high healthcare costs), or 
effectuating or seeking opportunities to effectuate fraud and/or abuse 
in the healthcare system (for example, a provider using the analyses to 
identify ways to submit fraudulent claims that might not be caught by 
auditing software).
    Rather than developing a new definition for marketing under this 
program, we propose at Sec.  401.703(s) to generally define marketing 
using the definition at 45 CFR 164.501 in the HIPAA Privacy Rule. Under 
this definition, marketing means making a communication about a product 
or service that encourages recipients of the communication to purchase 
or use the product or service. In doing so, we note that the HIPAA 
Privacy Rule also includes a general restriction on use of an 
individual's Protected Health Information (PHI) for marketing. Given 
the similarities between the use and disclosure of PHI under HIPAA and 
the data sharing limitations under this program, we believe the 
definition of marketing in HIPAA should also generally be used for this 
program, but, given the categorical statutory bar on marketing in this 
program, we are not proposing a consent exception to the bar like that 
seen in the HIPAA Privacy Rule. We also believe that use of this HIPAA 
definition as modified will simplify compliance with the qualified 
entity program requirements, especially decisions regarding what is and 
is not considered marketing. We seek comment on the proposal to use 
this definition as modified from HIPAA for the purposes of this 
program.
    The proposed restrictions on using analyses and/or derivative data, 
meaning data gleaned from the analyses, that would or could be used to 
exploit patients or other individuals or to effectuate fraud and/or 
abuse in the healthcare system are intended to ensure that the analyses 
are unlikely to result in physical or financial harm to patients or 
other individuals within or outside the health care delivery system. We 
seek comments on these proposals as well as whether there are other 
restrictions that should be imposed to limit potential physical or 
financial harm to patients or other individuals within or outside the 
healthcare system.
    Section 105(a)(1)(B)(i) of MACRA requires that any non-public 
analyses provided or sold to an employer may only be used by the 
employer for the purposes of providing health insurance to employees 
and retirees of the employer. We believe this limit should also apply 
to ``dependents'' of either category whenever the employer offers 
coverage for family members who are neither employees nor retirees. As 
such, we further propose that if the qualified entity is providing or 
selling non-public analyses to an employer that this requirement be 
included in the non-public analyses agreement. We seek comment on 
whether the resulting non-public analyses agreement between the 
qualified entity and the employer is the best mechanism to ensure 
compliance with this restriction given the authorities established by 
MACRA.
    The statute also contains limitations on the re-disclosure of non-
public analyses provided or sold to authorized users at section 
105(a)(5) of MACRA. Under that provision, re-disclosure is limited to 
authorized users who are a provider or supplier. Furthermore, these

[[Page 5401]]

providers and suppliers are to limit any re-disclosures to instances in 
which the recipient would use the non-public analyses for provider/
supplier ``performance improvement.'' As many if not most providers and 
suppliers that receive non-public analyses from the qualified entity 
will be HIPAA-covered entities, we propose to limit performance 
improvement re-disclosures to those that would support quality 
assessment and improvement, and care coordination activities by or on 
behalf of the eligible downstream provider or supplier. For example, 
providers may need to share the non-public analyses or derivative data 
with someone working on their behalf to carry out such quality 
assessment and improvement or care coordination activities. That is, if 
they are a HIPAA-covered entity, they may wish to share the non-public 
analyses or derivative data with their business associate. Such a 
scenario could arise when a consultant is hired to assist the provider/
supplier in interpreting the non-public analyses, or in determining 
what changes in the delivery of care are needed to assess or improve 
the quality of care, or to better coordinate care. Another example is 
if the provider or supplier wants to share the non-public analyses with 
other treating providers/suppliers for quality assessment and 
improvement or care coordination purposes.
    In addition, especially under circumstances in which patient 
identifiable data is included in the non-public analysis, we recognize 
that there are instances in which a provider or supplier may be 
required to produce information to a regulatory authority as required 
by a statute or regulation. For example, a HIPAA-covered entity may be 
required to produce PHI to the Secretary for purposes of an 
investigation of a potential HIPAA violation. Therefore, for purposes 
of this qualified entity program, we propose to adopt the HIPAA 
definition of ``required by law'' at 45 CFR 164.103 so as to allow for 
such mandatory disclosures. As defined at 45 CFR 164.103, ``required by 
law'' means any mandate in law that compels an entity to make a use or 
disclosure of PHI that is enforceable in a court of law (including 
disclosures compelled by court order, statute, or regulation). An 
example would be a court order to turn over medical records as part of 
litigation. Another common example would be disclosures required by the 
regulations governing the submission of a claim for payment for 
Medicare fee-for-service covered services.
    As a result, we propose at Sec.  401.716(c)(3)(i) to require 
qualified entities to include in the non-public analysis agreement a 
requirement to limit re-disclosure of non-public analyses or derivative 
data to instances in which the authorized user is a provider or 
supplier, and the re-disclosure is as a covered entity would be 
permitted under 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Accordingly, 
a qualified entity may only re-disclose individually identifiable 
health information to a covered entity for the purposes of the covered 
entity's quality assessment and improvement or for the purposes of care 
coordination activities, where that entity has a patient relationship 
with the individual who is the subject of the information, or to a 
business associate of such a covered entity under a written contract as 
defined at 45 CFR 164.502(e)(1). Furthermore, as section 105(a)(5)(A) 
of MACRA states that the analyses generally may not be re-disclosed or 
released to the public, we generally propose at Sec.  401.716(c)(3)(ii) 
to require qualified entities to use non-public analyses agreements to 
explicitly bar authorized users from any other re-disclosure of the 
non-public analyses or any derivative data except to the extent a 
disclosure qualifies as a ``required by law'' disclosure. We seek 
comment on our proposal to require qualified entities to contractually 
limit re-disclosures of beneficiary de-identified non-public analyses 
or any derivative data other than as described above.
    As discussed above, the non-public analyses agreement can only be 
used in the disclosure of analyses that include beneficiary de-
identified data. However, even though the analyses subject to a non-
public analyses agreement are beneficiary de-identified, we believe 
that additional restrictions on the authorized user are necessary to 
ensure appropriate privacy and security protections for our 
beneficiaries. We therefore propose at Sec.  401.716(c)(5) to require 
qualified entities to impose a legally enforceable bar on the 
authorized user's use or disclosure of any non-public analyses (or data 
or analyses derived from such non-public analyses) to re-identify or 
attempt to re-identify any individual whose data is included in the 
analyses or any derivative data. We believe this additional level of 
privacy and security protection is necessary to protect beneficiaries. 
We seek comment on this proposal.
    Finally, we propose at Sec.  401.716(d)(6) to require qualified 
entities to use their non-public analyses agreements to bind their non-
public analyses recipients to reporting any violation of the terms of 
that non-public analyses agreement to the qualified entity. As 
explained below in Section D, qualified entities will be expected to 
report on these violations as part of their annual reporting to CMS. 
Even though the analyses covered by the non-public analyses agreement 
will be de-identified, due to the risk of re-identification of 
beneficiary information, we still believe that this requirement is 
essential to our ability to monitor and ensure the privacy and security 
of beneficiary information. We seek comment on these proposals.
4. Confidential Opportunity To Review, Appeal, and Correct Analyses
    As noted briefly above, section 105(a)(6) of MACRA directs us to 
ensure that qualified entities provide providers and suppliers who are 
individually identified in a non-public analysis with an opportunity to 
review and request corrections before the qualified entity provides or 
sells the non-public analyses to an authorized user. But, as noted 
above, we have proposed one exception to this general rule in cases 
where the analysis only individually identifies the (singular) provider 
or supplier who is being provided or sold the analysis. In all other 
cases, we propose that the qualified entity must follow the 
confidential review, appeal, and error correction requirements in 
section 1874(e)(4)(C)(ii) of the Act.
    Specifically, we propose at Sec.  401.717(f) that a qualified 
entity generally must comply with the same error corrections process 
and timelines as are required for public performance reporting before 
disclosing non-public analyses. This process includes confidentially 
sharing the measures, measure methodologies and measure results that 
comprise such evaluations with providers and suppliers at least 60 
calendar days before providing or selling the analyses to one or more 
authorized users. During these 60 calendar days, the provider or 
supplier may make a request for the Medicare claims data and 
beneficiary names that may be needed to confirm statements about the 
care that they delivered to their patients. If the provider or supplier 
requests such data, the qualified entity must release the Medicare 
claims and beneficiary names relevant to what is said about the 
requesting provider/supplier in the draft non-public analyses. We 
believe that for many providers and suppliers, a beneficiary's name 
will be of more practical use in determining the accuracy of analyses 
than the underlying claims used in the analyses. The sharing of such 
data must be done via a secure mechanism that is suitable for 
transmitting or providing access to individually identifiable

[[Page 5402]]

health information. The qualified entity also must ensure that the 
provider or supplier has been notified of the date on which the 
analyses will be shared with the authorized user. If any requests for 
error correction are not resolved by the date on which the analyses are 
to be shared, the qualified entity may release the analyses, but must 
inform the authorized user that the analyses are still under appeal, 
and the reason for the appeal.
    We believe that the process we established for review and error 
correction for public performance reporting finds the right balance 
between allowing providers and suppliers the opportunity to review the 
non-public analyses while also ensuring that the information is 
disseminated in a timely manner. However, we have had limited public 
reporting thus far to confirm this. Furthermore, using the same process 
for review and error correction for non-public analyses and the public 
reports creates continuity and a balance between the needs and 
interests of providers and suppliers and those of the qualified 
entities, authorized users and the public. We also believe that using 
the same timeframes and requirements will simplify the review process 
for providers and suppliers. We seek comment on our proposal generally 
to require qualified entities to comply with the same error corrections 
process and timelines as are required for public performance reporting 
when sharing analyses that individually identify a provider or 
supplier.
    Although we do not believe that we have statutory authority to 
require it given that section 1874(e) of the Act only covers the 
disclosure of Medicare claims data, to the extent permitted by 
applicable law, we strongly encourage qualified entities to also share 
the claims data from other sources with providers and suppliers if they 
ask for the underlying data used for the analyses.

B. Dissemination of Data and the Use of QE DUAs for Data Dissemination 
and Patient-Identifiable Non-Public Analyses

    Subject to other applicable law, section 105(a)(2) of MACRA expands 
the permissible uses and disclosures of data by a qualified entity to 
include providing or selling combined data for non-public use to 
certain authorized users, including providers of services, suppliers, 
medical societies, and hospital associations. Subject to the same 
limits, it also permits a qualified entity to provide Medicare claims 
data for non-public use to these authorized users; however, a qualified 
entity may not charge a fee for providing such Medicare claims data. 
But, in order to provide or sell combined data or Medicare data, 
section 501(a)(4) of MACRA instructs the qualified entity to enter into 
a DUA with their intended data recipient(s).
1. General Requirements for Data Dissemination
    To implement these provisions in MACRA, we propose at Sec.  
401.718(a) to provide that, subject to other applicable laws (including 
applicable information, privacy, security and disclosure laws) and 
certain defined program requirements, including that the data be used 
only for non-public purposes, a qualified entity may provide or sell 
combined data or provide Medicare claims data at no cost to certain 
authorized users, including providers of services, suppliers, medical 
societies, and hospital associations. Where a qualified entity is a 
HIPAA-covered entity or is acting as a business associate, compliance 
with other applicable laws will include the need to ensure that it 
fulfills the requirements under the HIPAA Privacy Rule, including the 
bar on the sale of PHI.
    We note that we propose definitions for authorized user, medical 
societies, and hospital associations in section II.C below, and have 
already proposed a definition for combined data in section II.A above.
2. Limitations on the Qualified Entity Regarding Data Disclosure
    The statute places a number of limitations on the sale or provision 
of combined data and the provision of Medicare claims data by qualified 
entities, including generally barring the disclosure of beneficiary 
identifiable data obtained through the qualified entity program. 
Therefore, in keeping with our other proposals at Sec.  401.716(b)(3), 
we propose at Sec.  401.718(b)(1) to generally require that any 
combined data or Medicare claims data that is provided to an authorized 
user by a qualified entity under subpart G be beneficiary de-identified 
in accordance with the de-identification standards in the HIPAA Privacy 
Rule at 45 CFR 164.514(b). As noted above, we believe that the HIPAA 
Privacy Rule de-identification standard represents a widely accepted 
industry standard for de-identification, so we think its concepts are 
appropriate for adoption under the qualified entity program.
    We do recognize, however, that providers or suppliers with current 
treatment relationships with the patient subjects of such data may 
desire and benefit from receiving data that contains individually 
identifiable information about those patients. Therefore, we also 
propose an exception at Sec.  401.718(b)(2) that would allow a 
qualified entity to provide or sell patient identifiable combined data/
and or provide patient identifiable Medicare claims data at no cost to 
an individual or entity that is a provider or supplier if the provider 
or supplier has a patient relationship with every patient about whom 
individually identifiable information is provided and the disclosure is 
consistent with applicable law.
    MACRA also requires qualified entities to bind the recipients of 
their data to a DUA that will govern the use and, where applicable, re-
disclosure of any data received through this program prior to the 
provision or sale of such data to an authorized user. Therefore, we 
further propose at Sec.  401.718(c), to require that a qualified entity 
impose certain contractually binding use/re-disclosure requirements as 
a condition of providing and/or selling combined data and/or providing 
Medicare claims data to an authorized user. The following section 
provides the proposed requirements for such DUAs between qualified 
entities and authorized users.
3. Data Use Agreement
    Section 501(a)(4) of MACRA requires execution of a DUA as a 
precondition to a qualified entity's provision or sale of data to an 
authorized user. The DUA must address the use and, if applicable, re-
disclosure of the data, and the applicable privacy and security 
requirements that must be established and maintained by or for the 
authorized user. The statute also imposes a number of other limitations 
on the authorized user. But, while CMS has authority to impose 
requirements on the qualified entity, we must rely upon the qualified 
entity to impose legally enforceable obligations on the authorized 
users.
    Therefore, in Sec.  401.713(a), we propose certain clarifying 
changes that will recognize that there are now two distinct DUAs in the 
qualified entity program--the CMS DUA, which is the agreement between 
CMS and a qualified entity, and what we will refer to as the QE DUA, 
which will be the legally binding agreement between a qualified entity 
and an authorized user. We are not proposing any changes to the 
requirements for the CMS DUA, but rather are clarifying that there are 
now two DUAs--the CMS DUA and the QE DUA.
    Furthermore, in Sec.  401.713(d), we propose a number of provisions 
that address the privacy and security of the combined data and/or the 
Medicare

[[Page 5403]]

claims data and/or non-public analyses that contain patient 
identifiable data. These provisions require the qualified entity to 
condition the disclosure of data on the imposition of contractually 
binding limits on the permissible uses and re-disclosures that can be 
made of the combined data and/or the Medicare claims data and/or non-
public analyses that contain patient identifiable data and/or any 
derivative data. Such contractually binding provisions would be 
included in the QE DUA.
    First, we propose to require that the QE DUA contain certain 
limitations on the authorized user's use of the combined data and/or 
Medicare claims data and/or non-public analyses that contain patient 
identifiable data and/or any derivative data. In Sec.  401.713(d)(1), 
we propose that the QE DUA limit authorized users use of the combined 
data and/or Medicare claims data and/or non-public analyses that 
contain patient identifiable data and/or any derivative data to the 
purposes described in the first or second paragraph of the definition 
of ``health care operations'' under 45 CFR 164.501, or that which 
qualifies as ``fraud and abuse detection or compliance activities'' 
under 45 CFR 164.506(c)(4). If finalized, this means that authorized 
users would only be permitted to use the combined data and/or Medicare 
claims data and/or non-public analyses that contain patient 
identifiable data and/or any derivative data provided by the qualified 
entity for quality assessment and improvement activities, care 
coordination activities, including the review of provider or supplier 
performance, and/or for fraud, waste, and abuse detection and 
compliance purposes. We believe these uses need to be permitted to 
support quality improvement and care coordination activities, as well 
as efforts to ensure fraud, waste, and abuse detection and compliance, 
and that these uses should encompass the full range of activities for 
which the authorized users will legitimately need the combined data 
and/or Medicare claims data and/or non-public analyses that contain 
patient identifiable data and/or any derivative data. We also propose 
to require that all other uses and disclosures of combined data and/or 
Medicare claims data and/or non-public analyses that contain patient 
identifiable data and/or any derivative data be forbidden except to the 
extent a disclosure qualifies as a ``required by law'' disclosure.
    The statute also prohibits the authorized user from using the 
combined data and/or Medicare claims data for marketing purposes. We 
therefore propose at Sec.  401.713(d)(2) to require qualified entities 
to use the QE DUA to contractually prohibit the authorized users from 
using the combined data and/or Medicare claims data and/or non-public 
analyses that contain patient identifiable data and/or any derivative 
data for marketing purposes. As noted above, we propose to define 
``marketing'' as it is defined in the HIPAA Privacy Rule, but, given 
the statutory bar, we do not propose to adopt an exception to the bar 
for ``consent''-based marketing. As noted above, HIPAA provides well-
recognized standards for the appropriate use and disclosure of certain 
individually identifiable health information, and we believe that the 
HIPAA definition for ``marketing'' is appropriate for the qualified 
entity program as well. For additional information and guidance on the 
HIPAA Privacy Rule, including guidance on what constitutes marketing, 
please visit the HHS Office for Civil Rights Web site at http://www.hhs.gov/ocr/privacy/.
    Furthermore, we propose to require qualified entities' use of the 
QE DUA to address minimum privacy and security standards. CMS is 
committed to protecting the privacy and security of beneficiary-
identifiable data when it is disseminated, including when it is in the 
hands of authorized users. This is especially important as there are no 
guarantees that authorized users will be subject to the HIPAA Privacy 
and Security Rules. Therefore, we propose at Sec.  401.713(d)(3) to 
require qualified entities to contractually bind authorized users using 
the QE DUA to protect patient identifiable combined data and/or 
Medicare data, any patient identifiable derivative data, and/or non-
public analyses that contain patient identifiable data, with at least 
the privacy and security protections that would be required of covered 
entities and their business associates under HIPAA Privacy and Security 
Rules. Additional guidance on the Security rule can be found on the 
Office for Civil Rights Web site at http://www.hhs.gov/ocr/privacy/hipaa/. Such protections would apply when using, disclosing, or 
maintaining patient identifiable data, regardless of whether the 
authorized user is a HIPAA Covered Entity or business associate. In 
addition, we propose to require that the QE DUA contain provisions that 
require that the authorized user maintain written privacy and security 
policies and procedures that ensure compliance with these HIPAA-based 
privacy and security standards and the other standards required under 
this subpart for the duration of the QE DUA, or for so long as they 
hold combined data and/or Medicare claims data and/or non-public 
analyses that contain patient identifiable data and/or any derivative 
data that was subject to the QE DUA, should return/destruction of the 
combined data and/or Medicare claims data and/or non-public analyses 
that contain patient identifiable data and/or any derivative data not 
be feasible as of the expiration of the QE DUA.
    Furthermore, we propose to require QE DUA provisions detailing such 
policies and procedures must survive termination of the QE DUA, whether 
for cause or not. We believe that requiring compliance with these HIPAA 
Privacy and Security Rule concepts outside of the HIPAA context will 
provide the needed protection for the combined data, Medicare claims 
data, and/or non-public analyses that contain patient identifiable data 
and/or any derivative data provided or sold to authorized users under 
the qualified entity program.
    We also propose at Sec.  401.713(d)(7) to require that the 
qualified entity use the QE DUA to contractually bind an authorized 
user as a condition of receiving combined data and/or Medicare claims 
data and/or non-public analyses that contain patient identifiable data 
and/or any derivative data under the qualified entity program to notify 
the qualified entity of any violations of the QE DUA. Violations might 
include reportable breaches of data, such as those defined in the HIPAA 
Breach Rule, or other violations of QE DUA provisions. The QE DUA also 
will require the authorized user to fully cooperate in the qualified 
entity's effort to mitigate any harm that may result from such 
violations, as well as any assistance the qualified entity may request 
to fulfill the qualified entity's obligations under this subpart.
    We request comment on whether the proposed privacy and security 
requirements are appropriate and adequate, or whether there are more 
appropriate standards or additional protections that are advisable.
    MACRA section 105(a)(5) directs that any combined data, Medicare 
claims data, and/or non-public analyses that contain patient 
identifiable data and/or any derivative data provided or sold under 
this program to authorized users is to be non-public, and it requires 
the imposition of re-disclosure limitations on authorized users. Under 
those provisions, qualified entities may only permit providers and 
suppliers to re-disclose combined data and/or Medicare claims data and/
or non-public analyses that contain patient identifiable data and/or 
any derivative data for the

[[Page 5404]]

purposes of performance improvement and care coordination. We propose 
to require qualified entities to include provisions in their QE DUA 
that contractually limit the re-disclosure and/or linking of combined 
data, Medicare claims data, and/or non-public analyses that contain 
patient identifiable data and/or any derivative data provided or sold 
under this program.
    We therefore propose at Sec.  401.713(d)(4) to require that the 
qualified entity include a provision in its QE DUAs that prohibits the 
authorized user from re-disclosing or making public any combined data, 
Medicare claims data, and/or non-public analyses that contain patient 
identifiable data and/or any derivative data subject to QE DUA except 
as provided under the QE DUA. Furthermore, we propose at Sec.  
401.713(d)(5) to require that the qualified entity use the QE DUA to 
limit provider's and supplier's re-disclosures to a covered entity 
pursuant to 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Therefore, a 
provider or supplier would only be permitted to re-disclose combined 
data, Medicare claims data, and/or non-public analyses that contain 
patient identifiable data and/or any derivative data, subject to the QE 
DUA, to a covered entity for activities focused on quality assessment 
and improvement, including the review of provider or supplier 
performance or a business associate of the provider or supplier. We 
also propose to require re-disclosure when required by law. We propose 
these limitations in an effort to ensure that the combined data, 
Medicare claims data, and/or non-public analyses that contain patient 
identifiable data will be protected in the hands of the downstream 
entity despite these regulations not reaching such individuals/entities 
directly. We believe that limiting downstream re-disclosures to 
entities that are subject to the HIPAA Privacy and Security rules will 
ensure that the combined data and/or Medicare claims data and/or non-
public analyses that contain patient identifiable data and/or any 
derivative data is appropriately maintained, used, and disclosed. We 
seek comment on whether the proposed re-disclosure requirements should 
be more restrictive or should be broadened to allow for additional re-
disclosure.
    We also propose to require qualified entities to impose a 
contractual bar using their QE DUA on the downstream recipients' 
linking of the re-disclosed combined data, Medicare claims data, and/or 
non-public analyses that contain patient identifiable data and/or any 
derivative data to any other identifiable source of information. The 
only exception to this general policy would be if a provider or 
supplier were to receive identifiable information limited to their/its 
own patients. We request comment on whether an authorized user should 
be permitted to link combined data, Medicare claims data, and/or non-
public analyses that contain patient identifiable data and/or any 
derivative data with other data sources, and whether the proposed 
provisions are adequate to protect the privacy and security of the 
combined data, Medicare claims data, and/or non-public analyses that 
contain patient identifiable data and/or any derivative data given to 
downstream users.

C. Authorized Users

1. Definition of Authorized User
    As discussed above, section 105(a)(1) of MACRA permits qualified 
entities to provide or sell non-public analyses to authorized users. In 
addition, section 105(a)(2) of MACRA permits qualified entities to 
provide or sell combined data, or to provide Medicare data at no cost, 
only to certain authorized users. These include providers, suppliers, 
medical societies, and hospital associations.
    Section 105(a)(9)(A) of MACRA defines authorized users as:
     A provider of services.
     A supplier.
     An employer (as defined in section 3(5) of the Employee 
Retirement Insurance Security Act of 1974).
     A health insurance issuer (as defined in section 2791 of 
the Public Health Service Act).
     A medical society or hospital association.
     Any entity not yet described in clauses (i) through (v) 
that is approved by the Secretary (other than an employer or health 
insurance issuer not described in clauses (iii) and (iv), respectively, 
as determined by the Secretary).
    We propose a definition for authorized user at Sec.  401.703(k) 
that is consistent with these statutory provisions. Specifically, we 
define an authorized user as: (1) A provider; (2) a supplier; (3) an 
employer; (4) a health insurance issuer; (5) a medical society; (6) a 
hospital association; (7) a health care professional association; or 
(8) a state agency.
    We also propose definitions for entities that are authorized users, 
but are not yet defined within this subpart. Therefore, we propose 
definitions for employer, health insurance issuer, medical society, 
hospital association, a healthcare professional association, and a 
state agency.
2. Definition of Employer
    We have proposed a definition for employer at Sec.  401.703(k) that 
is consistent with existing statutory provisions. Specifically, we 
propose to define an employer as having the same meaning as the term 
``employer'' defined in section 3(5) of the Employee Retirement 
Insurance Security Act of 1974. Under that provision, an employer means 
any person acting directly as an employer, or indirectly in the 
interest of an employer, in relation to an employee benefit plan; and 
includes a group or association of employers acting for an employer in 
such capacity.
3. Definition of Health Insurance Issuer
    We have also proposed a definition for health insurance issuer at 
Sec.  401.703(l) that is consistent with existing statutory provisions. 
Specifically, we propose to define a health insurance issuer as having 
the same meaning as the term ``health insurance issuer'' defined in 
section 2791(b)(2) of the Public Health Service Act. Under that 
provision, health insurance issuer means an insurance company, 
insurance service, or insurance organization (including an HMO) that is 
licensed to engage in the business of insurance in a State and is 
subject to State law that regulates insurance. Such term does not 
include a group health plan.
4. Definition of ``Medical Society''
    We propose to define ``medical society'' at Sec.  401.703(m) as a 
nonprofit organization or association that provides unified 
representation for a large number of physicians at the national or 
state level and whose membership is comprised of a majority of 
physicians.
    We conducted extensive research to develop this definition, 
including reviewing mission statements of national and state healthcare 
professional associations and medical societies, as well as state laws. 
While we were unable to identify a commonly recognized definition of 
``medical society,'' our research did reveal a number of common themes 
that shaped our proposed definition of medical society.
    We propose to define medical society as comprised of a majority of 
physicians, based on state law definitions around the practice of 
medicine. Although medical societies may also include non-physician 
members, due to the strong emphasis on physicians as practitioners of 
medicine, we propose that a medical society's

[[Page 5405]]

membership must be comprised of a majority of physicians. Medical 
societies often serve as the consensus voice of their members in 
matters related to their profession, the patient-physician 
relationship, and other issues pertaining to the practice of medicine. 
Therefore, we propose that medical societies be at the national or 
state level as we believe these larger groups will have the capacity to 
act on the data and analyses available through this program, and to do 
so in accordance with the statute and the implementing regulations.
    While we recognize that there are many local medical societies (for 
example, regional and county) performing similar functions to their 
national and state counterparts, we propose to maintain the definition 
of a medical society at the national or state level to reduce 
redundancy in the dissemination of data. State societies often serve as 
federations of local medical societies, and therefore, any use of the 
data by state societies could benefit their constituent local 
organizations.
    We also propose that these organizations be nonprofit as many of 
the existing medical societies are nonprofit organizations. In 
addition, because medical societies will be eligible to receive non-
public analyses and data, we believe it is important that these 
entities be nonprofit to ensure that data provided under this program 
are used to support quality improvement and assessment activities with 
their members rather than for profit driven purposes.
5. Definition of ``Hospital Association''
    We propose to define a ``hospital association'' at Sec.  401.703(n) 
as a nonprofit organization or association that provides unified 
representation for a large number of hospitals or health systems at a 
national or state level and whose membership is comprised of a majority 
of hospitals and health systems.
    For purposes of this definition, we propose to give hospitals the 
same meaning as SSA Sec.  1861(e), 42 U.S.C. 1395x(e). We propose to 
include health systems in this definition as our review of national and 
state hospital associations member lists revealed that these larger 
organizations (that are generally comprised of healthcare facilities, 
such as surgical centers and long terms care facilities, as well as 
hospitals) were members. Due to their membership status in existing 
hospital associations, we find it appropriate to propose their 
inclusion into this definition. Hospital associations often serve as 
the consensus voice of their members in matters related to their 
facilities, quality and affordability of services, and other issues 
regarding the provision of health care. Therefore, we propose that 
hospital associations at the national or state level be included in 
this definition as we believe that these larger groups will have the 
capacity to act on the data, and to do so in accordance with the 
statute and implementing regulations.
    While we recognize that there are many local hospital associations 
(for example, regional and county) performing similar functions to 
their national and state counterparts, we proposed to maintain the 
definition at the national or state level to reduce redundancy. State-
level hospital associations are often affiliated with those local 
associations, and therefore, any use of the data by state hospital 
associations could benefit those affiliated associations.
    We also propose that these organizations be nonprofit as many of 
the existing hospital associations are nonprofit organizations. In 
addition, because hospital associations will be eligible to receive 
non-public analyses and data, we believe it is important that these 
entities be nonprofit to ensure that data provided under this program 
are used to support quality improvement and assessment activities with 
their members rather than for profit driven purposes.
6. Definition of ``Healthcare Provider and/or Supplier Association''
    We recognize that within the field of health care, there are many 
other suppliers and providers beyond physicians, hospitals, and health 
systems. These entities also form organizations for the betterment of 
their professions and to improve the quality of patient care. We 
believe these types of entities would also benefit from the opportunity 
to purchase or receive non-public analyses and data from qualified 
entities.
    While the term ``healthcare professional association'' is not 
specifically included in the definition of authorized user, the 
Secretary, in the exercise of her discretion pursuant to 
105(a)(9)(A)(vi) of MACRA, proposes to include these organizations as 
authorized users. Therefore, we propose to define ``healthcare provider 
and/or supplier association'' at Sec.  401.703(o) as a nonprofit 
organization or association that represents suppliers and providers at 
the national or state level and whose membership is comprised of a 
majority of suppliers or providers. Similar to the themes that emerge 
for medical societies and hospital associations, we believe these 
organizations and associations often serve as the consensus voice of 
their members in matters related to their respective professions, and 
that representation at the national or state level is most appropriate 
as we believe that these larger groups will have the capacity to act on 
the data and analyses available through this program, and to do so in 
accordance with the statute and the implementing regulations.
7. Definition of ``State Agency''
    While state agencies were not specifically included in the 
definition of authorized user at section 105(a)(9) of MACRA, we believe 
that state agencies would benefit from the ability to purchase or 
receive non-public analyses from qualified entities. States are 
important partners with CMS in transforming the health care delivery 
system, and these analyses would have the potential to help states 
improve the quality of care and reduce costs. Therefore, the Secretary, 
in the exercise of her discretion pursuant to 105(a)(9)(A)(vi) of 
MACRA, proposes to include state agencies within the definition of 
authorized user and to define it at Sec.  401.703(p) as any office, 
department, division, bureau, board, commission, agency, institution, 
or committee within the executive branch of a state government.
    Because there is currently no federal definition of a state agency, 
we looked to state laws for definitions. While states differ in the 
definition of state agency, we propose to exclude the judiciary and 
legislative branches from our proposed definition of state agency under 
this subpart. We believe that entities within the executive branch of a 
state government, for example state Medicaid agencies or state public 
health departments, will have the greatest interest in and need to 
receive these analyses. We solicit comment on whether we should expand 
the definition to include other branches of state government or should 
further limit the definition of state agency to only certain agencies, 
such as those working to regulate the health and/or insurance industry.
    We invite comments on the proposed definitions for authorized user, 
medical society, hospital association, healthcare professional 
association, and state agency.

D. Annual Report Requirements

1. Reporting Requirements for Analyses
    Section 105(a)(8) of MACRA expands the information that a qualified 
entity must report annually to the Secretary if

[[Page 5406]]

a qualified entity provides or sells non-public analyses. Specifically, 
it requires the qualified entity to provide a summary of the analyses 
provided or sold, including information on the number of such analyses, 
the number of purchasers of such analyses, and the total amount of fees 
received for such analyses. It also requires the qualified entity to 
provide a description of the topics and purposes of such analyses. 
Furthermore, the Secretary may impose other reporting requirements, as 
appropriate.
    In Sec.  401.719(b)(3), we propose the annual reporting 
requirements that a qualified entity must perform if it provides or 
sells non-public analyses under this subpart. Consistent with the 
statutory requirements, we propose to require that the qualified entity 
provide a summary of the non-public analyses provided or sold under 
this subpart, including specific information about the number of 
analyses, the number of purchasers of such analyses, the types of 
authorized users that purchased analyses, the total amount of fees 
received for such analyses. We also propose to require the qualified 
entity to provide a description of the topics and purposes of such 
analyses. In addition, we propose to require a qualified entity to 
provide information on QE DUA and non-public analyses agreement 
violations.
2. Reporting Requirements for Data
    Section 105(a)(8) of MACRA also requires a qualified entity to 
submit a report annually if it provides or sells data. It specifically 
requires information on the entities who received data under section 
105(a)(2) of MACRA, the uses of the data, and the total amount of fees 
received for providing, selling, or sharing the data. In addition, the 
Secretary may require additional information as determined appropriate.
    Therefore, in Sec.  401.719(b)(4), we also propose to require 
qualified entities that provide or sell data under this subpart to 
provide the following information as part of its annual report: 
Information on the entities who received data, the uses of the data, 
the total amount of fees received for providing, selling, or sharing 
the data, and any QE DUA violations.
    We do not propose to require any additional information at this 
time; however, we seek comment on whether any additional information 
should be collected in the future.

E. Assessment for a Breach

1. Violation of a DUA
    Section 105(a)(7) of MACRA requires the Secretary to impose an 
assessment on a qualified entity in the case of a ``breach'' of a CMS 
DUA between the Secretary and a qualified entity or a breach of a QE 
DUA between a qualified entity and an authorized user. Because the term 
``breach'' is defined in HIPAA, and this definition is not consistent 
with the use of the term for this program, we propose instead to adopt 
the term ``violation'' when referring to a ``breach'' of a DUA for 
purposes of this program. We anticipate this will reduce the potential 
for confusion. Therefore in Sec.  401.703(t), we propose to define the 
term ``violation'' to mean a failure to comply with a requirement in a 
CMS DUA or QE DUA. We request comments on the proposed definition of 
violation.
    We also propose at Sec.  401.719(d)(5) to impose an assessment on 
any qualified entity that violates a CMS DUA or fails to ensure that 
their authorized users do not violate a QE DUA.
    MACRA provides guidance only on the assessment amount and what 
triggers an assessment, but it does not dictate the procedures for 
imposing such assessments. We therefore propose to adopt certain 
relevant provisions of section 1128A of the Social Security Act (the 
Act) (Civil Money Penalties) and part 402 (Civil Money Penalties, 
Assessments, and Exclusions) to specify the process and procedures for 
calculating the assessment, notifying a qualified entity of a 
violation, collecting the assessment, and providing qualified entities 
an appeals process.
2. Amount of Assessment
    Section 105(a)(7)(B) of MACRA specifies that when a violation 
occurs, the assessment is to be calculated based on the number of 
affected individuals who are entitled to, or enrolled in, benefits 
under part A of title XVIII of the Act, or enrolled in part B of such 
title. Affected individuals are those whose information, either 
identifiable or de-identified, was provided to a qualified entity or an 
authorized user under a DUA. Assessments can be up to $100 per affected 
individual, but, given the broad discretion in establishing some lesser 
amount, we looked to part 402 as a model for proposing aggravating and 
mitigating circumstances that would be considered when calculating the 
assessment amount per impacted individual. However, violations under 
section 105(a)(7)(B) of MACRA are considered point-in-time violations, 
not continuing violations.
Number of Individuals
    We propose at Sec.  401.719(d)(5)(i) that CMS will calculate the 
amount of the assessment of up to $100 per individual entitled to, or 
enrolled in part A of title XVIII of the Act and/or enrolled in part B 
of such title whose data was implicated in the violation.
    We generally propose to determine the number of potentially 
affected individuals by looking at the number of beneficiaries whose 
Medicare claims information was provided either by CMS to the qualified 
entity or by the qualified entity to the authorized user in the form of 
individually identifiable or de-identified data sets that were 
potentially affected by the violation.
    We recognize that, depending on the number and types of datasets 
requested, a single beneficiary may appear multiple times within a 
dataset or non-public analysis. We propose that a single beneficiary, 
regardless of the number of times their information appears in a 
singular non-public report or dataset, would only count towards the 
calculation of an assessment for a violation once. We propose to use 
the unique beneficiary identification number in the Chronic Conditions 
Warehouse (CCW) to establish the number of beneficiaries that were 
included in a given dataset that was transferred to the qualified 
entity, and subsequently re-disclosed in accordance with this subpart. 
For qualified entities that provide or sell subsets of the dataset that 
CMS provided to them, combined information, or non-public analyses, we 
propose to require that the qualified entity provide the Secretary with 
an accurate number of beneficiaries whose data was sold or provided to 
the authorized user and, thereby, potentially affected by the 
violation. In those instances in which the qualified entity is unable 
to establish a reliable number of potentially affected beneficiaries, 
we propose to impose the assessment based on the total number of 
beneficiaries that were included in the data set(s) that was/were 
transferred to the qualified entity under that DUA.
Assessment Amount per Impacted Individual
    MACRA allows an assessment in the amount of up to $100 per 
potentially affected individual. We therefore propose to draw on 
factors established in 42 CFR part 402 to specify the factors and 
circumstances that will be considered in determining the assessment 
amount per potentially affected individual.

[[Page 5407]]

    We propose at Sec.  401.719(d)(5)(i)(A) that the following basic 
factors be considered in establishing the assessment amount per 
potentially affected individual: (1) The nature and extent of the 
violation; (2) the nature and extent of the harm or potential harm 
resulting from the violation; and (3) the degree of culpability and 
history of prior violations.
    In addition, in considering these basic factors and determining the 
amount of the assessment per potentially affected individual, we 
propose to take into account certain aggravating and mitigating 
circumstances.
    We propose at Sec.  401.719(d)(5)(i)(B)(1) that CMS consider 
certain aggravating circumstances in determining the amount per 
potentially affected individual, including the following: Whether there 
were several types of violations, occurring over a lengthy period of 
time; whether there were many violations or the nature and 
circumstances indicate a pattern of violations; and whether the nature 
of the violation had the potential or actually resulted in harm to 
beneficiaries.
    In addition, we propose at Sec.  401.719(d)(5)(i)(B)(2) that CMS 
take into account certain mitigating circumstances in determining the 
amount per potentially affected individual, including the following: 
Whether all of the violations subject to the imposition of an 
assessment were few in number, of the same type, and occurring within a 
short period of time, and/or whether the violation was the result of an 
unintentional and unrecognized error and the qualified entity took 
corrective steps immediately after discovering the error.
    We request comment on the proposed method for calculating the 
number of individuals. In addition, we request comments on whether the 
proposed factors for determining the amount of the assessment per 
potentially affected individual are sufficient, or whether additional 
factors should be considered. We also request comment on the proposed 
basic, aggravating, and mitigating factors.
3. Notice of Determination
    We looked to the relevant provisions in 42 CFR part 402 and Section 
1128A of the Act to frame proposals regarding the specific elements 
that would be included in the notice of determination. To that end, we 
propose at Sec.  401.719(d)(5)(ii) that the Secretary would provide 
notice of a determination to a qualified entity by certified mail with 
return receipt requested. The notice of determination would include 
information on (1) the assessment amount, (2) the statutory and 
regulatory bases for the assessment, (3) a description of the 
violations upon which the assessment was proposed, (4) information 
concerning response to the notice, and (5) the means by which the 
qualified entity must pay the assessment if they do not intend to 
request a hearing in accordance with procedures established at Section 
1128A of the Act and implemented in 42 CFR part 1005.
    We believe this information will provide a qualified entity with 
sufficient information to understand why an assessment was imposed and 
how the amount of the assessment was calculated. We seek comment 
regarding these proposals, including whether any additional information 
should be provided in the notice of determination.
4. Failure To Request a Hearing
    We also looked to the relevant provisions in 42 CFR part 402 and 
section 1128A of the Act to inform our proposals regarding what happens 
when a hearing is not requested.
    We propose at Sec.  401.719(d)(5)(iii) that an assessment will 
become final if a qualified entity does not request a hearing within 60 
days of receipt of the notice of the proposed determination. At this 
point, CMS would impose the proposed assessment. CMS would notify the 
qualified entity, by certified mail with return receipt, of the 
assessment and the means by which the qualified entity may pay the 
assessment. Under these proposals a qualified entity would not have the 
right to appeal an assessment unless it has requested a hearing within 
60 days of receipt of the notice of the proposed determination.
5. When an Assessment Is Collectible
    We again looked to the relevant provisions in 42 CFR part 402 and 
section 1128A of the Act to inform our proposed policies regarding when 
an assessment becomes collectible.
    We propose at Sec.  401.719(d)(5)(iv) that an assessment becomes 
collectible after the earliest of the following situations: (1) On the 
61st day after the qualified entity receives CMS's notice of proposed 
determination under Sec.  401.719(d)(5)(ii), if the entity does not 
request a hearing; (2) immediately after the qualified entity abandons 
or waives its appeal right at any administrative level; (3) 30 days 
after the qualified entity receives the Administrative Law Judge's 
(ALJ) decision imposing an assessment under Sec.  1005.20(d), if the 
qualified entity has not requested a review before the Department 
Appeal Board (DAB); or (4) 60 days after the qualified entity receives 
the DAB's decision imposing an assessment if the qualified entity has 
not requested a stay of the decision under Sec.  1005.22(b).
6. Collection of an Assessment
    We also looked to the relevant provisions in 42 CFR part 402 and 
section 1128A of the Act in framing our proposals regarding the 
collection of an Assessment.
    We propose at Sec.  401.719(d)(5)(v) that CMS be responsible for 
collecting any assessment once a determination is made final by HHS. In 
addition, we propose that the General Counsel may compromise an 
assessment imposed under this part, after consulting with CMS or Office 
of Inspector General (OIG), and the Federal government may recover the 
assessment in a civil action brought in the United States district 
court for the district where the claim was presented or where the 
qualified entity resides. We also propose that the United States may 
deduct the amount of an assessment when finally determined, or the 
amount agreed upon in compromise, from any sum then or later owing the 
qualified entity. Finally, we propose that matters that were raised or 
that could have been raised in a hearing before an ALJ or in an appeal 
under section 1128A(e) of the Act may not be raised as a defense in a 
civil action by the United States to collect an assessment.
    We seek comments on these proposals.

F. Termination of Qualified Entity Agreement

    We propose at Sec.  401.721(a)(7) that CMS may unilaterally 
terminate the qualified entity's agreement and trigger the data 
destruction requirements in the CMS DUA if CMS determines that a 
qualified entity or its contractor fails to monitor authorized users' 
compliance with the terms of their QE DUAs or non-public analysis use 
agreements. We believe this proposed provision is consistent with the 
intent of MACRA to ensure the protection of data and analyses provided 
by qualified entities to authorized users under this subpart. We 
request comments on this proposed provision.

G. Additional Data

    Section 105(c) of MACRA expands, at the discretion of the 
Secretary, the data that the Secretary may make available to qualified 
entities, including standardized extracts of claims data under titles 
XIX (Medicaid) and XXI (the Children's Health Insurance Program, CHIP) 
for one or more specified geographic areas and time periods as may be 
requested by the

[[Page 5408]]

qualified entity. Currently, CMS is only required to provide qualified 
entities with standardized extracts of claims data from Medicare Parts 
A, B, and D. While CMS has data for Medicare and Medicaid/CHIP, the 
timeliness and quality of data differs significantly between the 
programs.
    Medicare is a national program that is administered by CMS and, as 
a result, the claims data are available on a relatively timely basis, 
and guidelines about claims submission and data cleaning are consistent 
across the entire program. Medicaid and CHIP, however, are state-run 
programs where the states submit data to CMS. Each state's Medicaid 
agency collects enrollment and claims data for persons enrolled in 
Medicaid and CHIP. These data are collected in the state's Medicaid 
Management Information System (MMIS). Each state's MMIS is tailored to 
the needs of that state's Medicaid program. In partnership with the 
states, the federal government does manage aspects of the Medicaid 
program, and works with the various Medicaid State Agencies to monitor 
health care delivery and payment on a national level. To aid in that 
work the data in the MMIS are converted into a national standard and 
submitted to CMS via the Medicaid and CHIP Statistical Information 
System (MSIS). But the MSIS data (enrollment and claims data) are only 
reported to CMS on a quarterly basis, and the MSIS data can be 
challenging to use due to the data representing a mixture of time 
periods.
    Given the difficulties in using the MSIS data, the timeliness 
issues with our Medicaid data, and the variation of time periods 
reflected in our data, we believe that qualified entities would be 
better off seeking Medicaid and/or CHIP data through the State Medicaid 
Agencies. As a result, we propose not to expand the data available to 
qualified entities from CMS.

H. Qualified Clinical Data Registries

    Section 105(b) of MACRA allows qualified clinical data registries 
to request access to Medicare data for the purposes of linking the data 
with clinical outcomes data and performing risk-adjusted, 
scientifically valid analyses, and research to support quality 
improvement or patient safety. The CMS research data disclosure 
policies already allow qualified clinical data registries to request 
Medicare data for these purposes, as well as other types of research. 
More information on accessing CMS data for research can be found on the 
Research Data Assistance Center (ResDAC) Web site at www.resdac.org. 
Given these existing processes and procedures, we propose not to adopt 
any new policies or procedures regarding qualified clinical data 
registries' access to Medicare claims data for quality improvement or 
patient safety research.

III. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995, we are required to 
provide 60-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act 
of 1995 requires that we solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    We are soliciting public comment on each of these issues for the 
following sections of this proposed rule that contain information 
collection requirements (ICRs).
    Proposed Sec.  401.718(c) and Sec.  401.716(b)(2)(ii) require a 
qualified entity to enter into a QE DUA with an authorized user prior 
to providing or selling data or selling a non-public analyses that 
contains individually identifiable beneficiary information. Proposed 
Sec.  401.713(d) requires specific provisions in the QE DUA. Proposed 
Sec.  401.716(c) requires a qualified entity to enter into a non-public 
analyses agreement with the authorized user as a pre-condition to 
providing or selling de-identified analyses. We estimate that it will 
take each qualified entity a total of 40 hours to develop the QE DUA 
and non-public analyses agreement. Of the 40 hours, we estimate it will 
take a professional/technical services employee with an hourly labor 
cost of $75.08 a total of 20 hours to develop both the QE DUA and non-
public analyses agreement and estimate that it will require a total of 
20 hours of legal review at an hourly labor cost of $77.16 for both the 
QE DUA and non-public analyses agreement. We also estimate that it will 
take each qualified entity 2 hours to process and maintain each QE DUA 
or non-public analyses agreement with an authorized user by a 
professional/technical service employee with an hourly labor cost of 
$75.08. While there may be two different staff positions that perform 
these duties (one that is responsible for processing the QE DUAs and/or 
non-public analyses agreement and one that is responsible for 
maintaining the QE DUA and/or non-public analyses agreement), we 
believe that both positions would fall under the professional/technical 
services employee labor category with an hourly labor cost of $75.08. 
This would mean that to develop each QE DUA and non-public analysis 
agreement, the burden cost per qualified entity would be $3,045 with a 
total estimated burden for all 15 qualified entities of $45,675. This 
does not include the two hours to process and maintain each QE DUA.
    As discussed in the regulatory impact analysis below, we estimate 
that each qualified entity would need to process and maintain 70 QE 
DUAs or non-public analyses agreements as some authorized users may 
receive both datasets and a non-public analyses and would only need to 
execute one QE DUA. We estimate that it will take each qualified entity 
2 hours to process and maintain each QE DUA or non-public analyses 
agreement. This would mean the burden cost per qualified entity to 
process and maintain 70 QE DUAs or non-public analyses agreements would 
be $10,511 with a total estimated burden for all 15 qualified entities 
of $157,668. While we anticipate that the requirement to create a QE 
DUA and/or non-public analyses agreement will only be incurred once by 
a qualified entity, we believe that the requirement to process and 
maintain the QE DUAs and/or non-public analyses will be an ongoing 
cost. We request comment on the number of hours that will be needed to 
create and process the QE DUA and non-public analyses agreement.
    If finalized, these regulations would also require a qualified 
entity to submit additional information as part of its annual report to 
CMS. A qualified entity is currently required to submit an annual 
report to CMS under Sec.  401.719(b). Proposed Sec.  401.719(b)(3) and 
(4) provide for additional reporting requirements if a qualified entity 
chooses to provide or sell analyses and/or data to authorized users. 
The burden associated with this requirement is the time and effort 
necessary to gather, process, and submit the required information to 
CMS. There are currently 13 qualified entities; however we estimate 
that number will increase to 20 if these proposals are finalized. Some 
qualified entities may not want to bear the risk of the potential 
assessments and

[[Page 5409]]

have been able to accomplish their program goals under other CMS data 
sharing programs, therefore some qualified entities may not elect to 
provide or sell analyses and/or data to authorized users. As a result, 
we estimate that 15 qualified entities will choose to provide or sell 
analyses and/or data to authorized users, and therefore, would be 
required to comply with these additional reporting requirements within 
the first three years of the program. We further estimate that it would 
take each qualified entity 50 hours to gather, process, and submit the 
required information. We estimate that it will take each qualified 
entity 34 hours to gather the required information, 15 hours to process 
the information, and 1 hour to submit the information to CMS. We 
believe a professional or technical services employee of the qualified 
entity with an hourly labor cost of $75.08 will fulfill these 
additional annual report requirements. We estimate that 15 qualified 
entities will need to comply with this requirement and that the total 
estimated burden associated with this requirement is $56,310. We 
request comment on the type of employee and the number of hours that 
will be needed to fulfill these additional annual reporting 
requirements.
    As a reminder, the final rule for the qualified entity program, 
published December 7, 2011, included information about the burden 
associated with the provisions in that rule. Specifically, Sections 
401.705-401.709 provide the application and reapplication requirements 
for qualified entities. The burden associated with these requirements 
is currently approved under OMB control number 0938-1144 with an 
expiration date of May 31, 2018. This package accounts for 35 
responses. Section 401.713(a) states that as part of the application 
review and approval process, a qualified entity would be required to 
execute a DUA with CMS, that among other things, reaffirms the 
statutory bar on the use of Medicare data for purposes other than those 
referenced above. The burden associated with executing this DUA is 
currently approved under OMB control number 0938-0734 with an 
expiration date of December 31, 2017. This package accounts for 9,240 
responses (this package covers all CMS DUAs, not only DUAs under the 
qualified entity program). We currently have 13 qualified entities and 
estimate it will increase to 20 so we have not surpassed the previously 
approved numbers.
    We based the hourly labor costs on those reported by the Bureau of 
Labor Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce for this labor category. We used the annual 
rate for 2014 and added 100 percent for overhead and fringe benefit 
costs.

                                                           Table 1--Collection of Information
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                        Hourly       Total
                                                                                   Number of  Burden per     Total    labor cost  labor cost
          Regulation section(s)                OMB control No.        Number of    responses   response     annual        of          of      Total cost
                                                                     respondents      per       (hours)     burden     reporting   reporting      ($)
                                                                                  respondent                (hours)      ($) *        ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec.   401.718, Sec.   401.716, and Sec.  0938--New................           15           1          20         300       75.08      22,524      22,524
   401.713 (DUA and non-public analyses
 agreement Development).
Sec.   401.718 and Sec.   401.716 (Legal  0938--New................           15           1          20         300       77.16      23,148      23,148
 Review).
Sec.   401.718 and Sec.   401.716         0938--New................           15          70           2       2,100       75.08     157,668     157,668
 (Processing and Maintenance).
Sec.   401.719(b).......................  0938--New................           15           1          50         750       75.08      56,310      56,310
                                                                    ------------------------------------------------------------------------------------
    Total...............................  .........................           15          73  ..........       3,450  ..........  ..........     259,650
--------------------------------------------------------------------------------------------------------------------------------------------------------
* The values listed are based on 100 percent overhead and fringe benefit calculations.
Note: There are no capital/maintenance costs associated with the information collection requirements contained in this rule; therefore, we have removed
  the associated column from Table 1.

    If you comment on these information collection and recordkeeping 
requirements, please submit your comments electronically as specified 
in the ADDRESSES section of this proposed rule.
    Comments must be received on/by April 4, 2016.

IV. Response to Comments

    Because of the large number of public comments we normally receive 
on Federal Register documents, we are not able to acknowledge or 
respond to them individually. We will consider all comments we receive 
by the date and time specified in the DATES section of this preamble, 
and, when we proceed with a subsequent document, we will respond to the 
comments in the preamble to that document.

V. Regulatory Impact Statement

    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

A. Overall Impact

    We have examined the impacts of this rule as required by Executive 
Order 12866 on Regulatory Planning and Review (September 30, 1993), the 
Regulatory Flexibility Act (RFA) (September 19, 1980, 96), section 
1102(b) of the Act, section 202 of the Unfunded Mandates Reform Act of 
1995 (Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 
1999), and the Congressional Review Act (5 U.S.C. 804(2)). Executive 
Order 12866 directs agencies to assess all costs and benefits of 
available regulatory alternatives and, if regulation is necessary, to 
select regulatory approaches that maximize net benefits (including 
potential economic, environmental, public health and safety effects, 
distributive impacts, and equity). A regulatory impact analysis (RIA) 
must be prepared for major rules with economically significant effects 
($100 million or more in any 1 year). For the reasons discussed below, 
we estimate that the total impact of this proposed rule would be less 
than $58 million and therefore, it would not reach the threshold for 
economically significant effects and is not considered a major rule.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses, if a rule has a significant impact on a 
substantial number of small entities. For purposes of the RFA, we 
estimate that most hospitals and most other providers are small 
entities as that term is used in the RFA (including small businesses, 
nonprofit organizations, and small governmental jurisdictions). 
However, since the total estimated impact of this rule is less than 
$100 million, and the total estimated impact would be spread over 
82,500 providers and suppliers (who are the subject of reports), no one 
entity would face significant impact. Of the 82,500 providers, we 
estimate that 78,605

[[Page 5410]]

would be physician offices that have average annual receipts of $11 
million and 4,125 would be hospitals that have average annual receipts 
of $38.5 million. As discussed below, the estimated cost per provider 
is $8,426 (see table 5 below) and the estimated cost per hospital is 
$6,523 (see table 5 below). For both types of entities, these costs 
would be a very small percentage of overall receipts. Thus, we are not 
preparing an analysis of options for regulatory relief of small 
businesses because we have determined that this rule would not have a 
significant economic impact on a substantial number of small entities.
    For section 105(a) of MACRA, we estimate that two types of entities 
may be affected by the additional program opportunities: Qualified 
entities that choose to provide or sell non-public analyses or data to 
authorized users; and providers and suppliers who are identified in the 
non-public analyses create by qualified entities and provided or sold 
to authorized users.
    We anticipate that most providers and suppliers that may be 
identified in qualified entities' non-public analyses would be 
hospitals and physicians. Many hospitals and most other health care 
providers and suppliers are small entities, either by being nonprofit 
organizations or by meeting the Small Business Administration 
definition of a small business (having revenues of less than $38.5 
million in any 1 year) (for details see the Small Business 
Administration's Web site at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf (refer to the 620000 series). For 
purposes of the RFA, physicians are considered small businesses if they 
generate revenues of $11 million or less based on Small Business 
Administration size standards. Approximately 95 percent of physicians 
are considered to be small entities.
    The analysis and discussion provided in this section and elsewhere 
in this proposed rule complies with the RFA requirements. Because we 
acknowledge that many of the affected entities are small entities, the 
analysis discussed throughout the preamble of this proposed rule 
constitutes our regulatory flexibility analysis for the remaining 
provisions and addresses comments received on these issues.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis, if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. Any 
such regulatory impact analysis must conform to the provisions of 
section 603 of the RFA. For purposes of section 1102(b) of the Act, we 
define a small rural hospital as a hospital that is located outside of 
a metropolitan statistical area and has fewer than 100 beds. We do not 
believe this proposed rule has impact on significant operations of a 
substantial number of small rural hospitals because we anticipate that 
most qualified entities would focus their performance evaluation 
efforts on metropolitan areas where the majority of health services are 
provided. As a result, this rule would not have a significant impact on 
small rural hospitals. Therefore, the Secretary has determined that 
this proposed rule would not have a significant impact on the 
operations of a substantial number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any 1 year of $100 
million in 1995 dollars, updated annually for inflation. In 2015, that 
threshold is approximately $144 million. This proposed rule will not 
impose spending costs on state, local, or tribal governments in the 
aggregate, or by the private sector, of $144 million or more. 
Specifically, as explained below we anticipate the total impact of this 
rule on all parties to be approximately $58 million.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on State 
and local governments, preempts State law, or otherwise has Federalism 
implications. We have examined this proposed rule in accordance with 
Executive Order 13132 and have determined that this regulation would 
not have any substantial direct effect on State or local governments, 
preempt States, or otherwise have a Federalism implication.

B. Anticipated Effects

1. Impact on Qualified Entities
    Because section 105(a) of MACRA allows qualified entities to use 
the data in new ways to provide or sell non-public analyses or data to 
authorized users, there is little quantitative information to inform 
our estimates on the number of analyses and datasets that the qualified 
entity costs may provide or sell or on the costs associated with the 
creation of the non-public analyses or datasets. Therefore, we look to 
the estimates from the original qualified entity rules to estimate the 
number of hours that it may take to create non-public analyses and to 
process provider appeals and revisions. We also looked to the Centers 
for Medicare and Medicaid's cost of providing data to qualified 
entities since qualified entities' data fees are equal to the 
government's cost to make the data available.
    There are currently 13 qualified entities and these qualified 
entities all are in different stages of the qualified entity program. 
For example, some qualified entities have released public reports and 
some qualified entities are still completing the security requirements 
in order to receive CMS data. Given the requirements in the different 
phases and the current status of the qualified entities, we estimate 
that 11 qualified entities will be able to provide or sell analyses 
and/or data to authorized users within the first year of the program, 
and therefore, would be incurring extra costs. As discussed above, we 
believe the total number of qualified entities will ultimately grow to 
20 in subsequent years, with 15 entities providing or selling analyses 
and/or data to authorized users. In estimating qualified entity 
impacts, we used hourly labor costs in several labor categories 
reported by the Bureau of Labor Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual rates for 
2014 and added 100 percent for overhead and fringe benefit costs. These 
rates are displayed in Table 2.

                           Table 2--Labor Rates for Qualified Entity Impact Estimates
----------------------------------------------------------------------------------------------------------------
                                                                    2014 hourly
                                                                     wage rate     OH and fringe   Total hourly
                                                                       (BLS)          (100%)           costs
----------------------------------------------------------------------------------------------------------------
Professional and technical services.............................          $37.54          $37.54          $75.08
Legal review....................................................           38.58           38.58           77.16
Custom computer programming.....................................           43.05           43.05           86.10
Data processing and hosting.....................................           34.02           34.02           68.04

[[Page 5411]]

 
Other information services......................................           39.72           39.72           79.44
----------------------------------------------------------------------------------------------------------------

    We estimate that within the first year that 11 qualified entities 
will provide or sell on average 55 non-public analyses or provide or 
sell 35 datasets. We do not believe the number of datasets and non-
public analyses per qualified entity will change in future years of the 
program. We seek comment on the number of non-public analyses or 
datasets that a qualified entity will create and provide or sell within 
the first year and future years.
    In the original proposed rule for the qualified entity program (76 
FR 33566), we estimated that each qualified entities' activities to 
analyze the Medicare claims data, calculate performance measures and 
produce public provider performance reports would require 5,500 hours 
of effort per qualified entity. We anticipate under this proposed rule 
that implements section 105(a) of MACRA that qualified entities will 
base the non-public analyses on their public performance reports. 
Therefore, the creation of the non-public analyses will require much 
less effort and only require a fraction of the time it takes to produce 
the public reports. We estimate that a qualified entity's activities 
for each non-public analysis to analyze the Medicare claims data, 
calculate performance measures, and produce the report would require 
320 hours, between five and six percent of the time to produce the 
public reports. We anticipate that half of this time will be spent on 
data analysis, measure calculation, and report creation and the other 
half on data processing. We request comment on the level of effort to 
create the non-public analyses.
    We anticipate that within the first year of the program a qualified 
entity will, on average, provide one-year datasets containing all data 
types for a cohort of 750,000 to 1.75 million beneficiaries to 35 
authorized users. We estimate that it will require 226 hours to create 
each dataset that will be provided to an authorized user. We looked to 
the Centers for Medicare and Medicaid Centers' data costs and time to 
estimate a qualified entity's costs and time to create datasets. While 
the majority of the time will be devoted to computer processing, we 
anticipate about 100 hours will be spent on computer programming, 
particularly if the qualified entity is de-identiying the data. We seek 
comment of the level of effort required to create each dataset and the 
number of authorized users that will obtain or purchases data from a 
qualified entity.
    We further estimate that, on average, each qualified entity would 
expend 7,500 hours of effort processing providers' and suppliers' 
appeals of their performance reports and producing revised reports, 
including legal review of the appeals and revised reports. These 
estimates assume that, as discussed below in the section on provider 
and supplier impacts, on average 25 percent of providers and suppliers 
would appeal their results from a qualified entity. Responding to these 
appeals in an appropriate manner would require a significant investment 
of time on the part of qualified entities. This equates to an average 
of four hours per appeal for each qualified entity. These estimates are 
similar to those in the Qualified Entities final rule. We assume that 
the complexity of appeals would vary greatly, and as such, the time 
required to address them would also vary greatly. Many appeals may be 
able to be dealt with in an hour or less while some appeals may require 
multiple meetings between the qualified entity and the affected 
provider or supplier. On average, however, we believe that this is a 
reasonable estimate of the burden of the appeals process on qualified 
entities. We discuss the burden of the appeals process on providers and 
suppliers below.
    We estimate that each qualified entity would spend 40 hours 
creating a non-public analyses agreement template and a QE DUA. We also 
estimate that it would take a qualified entity 2 hours to process a QE 
DUA or non-public analyses agreement.
    Finally, we estimate that each qualified entity would spend 50 
hours on the additional annual reporting requirements.
    Qualified entities would be required to notify CMS of inappropriate 
disclosures or use of beneficiary identifiable data pursuant to the 
requirements in the CMS DUA. We believe that the report generated in 
response to an inappropriate disclosure or use of beneficiary 
identifiable data would be generated as a matter of course by the 
qualified entities and therefore, would not require significant 
additional effort. Based on the assumptions we have described, we 
estimate the total impact on qualified entities for the first year of 
the program to be a cost of $27,925,198.

                                         Table 3--Impact on Qualified Entities for the First Year of the Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Impact on qualified entities
---------------------------------------------------------------------------------------------------------------------------------------------------------
                                                           Hours
                                   -----------------------------------------------------                Cost per    Number of    Number of
             Activity               Professional                                Data        Labor      authorized   authorized   qualified    Total cost
                                         and         Legal       Computer    processing  hourly cost      user        users       entities      impact
                                      technical                programming  and hosting
--------------------------------------------------------------------------------------------------------------------------------------------------------
Dissemination of Data:
    Data processing & hosting.....  ............  ...........  ...........          126       $68.04       $8,573           35           11   $3,300,620
    Computer programming..........  ............  ...........          100  ...........        86.10        8,610           35           11    3,314,850
                                   ---------------------------------------------------------------------------------------------------------------------
        Total: Dissemination of     ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........    6,615,470
         Data.....................
Non-Public Analyses:
    Data analysis/measure           ............  ...........          160  ...........        86.10       13,776           55           11    8,334,480
     calculation/report
     preparation..................

[[Page 5412]]

 
    Data Processing and hosting...  ............  ...........  ...........          160        68.04       10,886           55           11    6,586,272
                                   ---------------------------------------------------------------------------------------------------------------------
        Total Non-public Analyses.  ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........   14,920,752
Qualified entity processing of             5,500  ...........  ...........  ...........        75.08      412,940  ...........           11    4,542,340
 provider appeals and report
 revision.........................
Qualified entity legal analysis of  ............        2,000  ...........  ...........        77.16      154,320  ...........           11    1,697,520
 provider appeals and report
 revisions........................
                                   ---------------------------------------------------------------------------------------------------------------------
Total qualified entity processing   ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........    6,239,860
 of provider appeals and report
 revision.........................
QE DUA and Non-public analyses:
    Development of the QE DUA and             20  ...........  ...........  ...........        75.08        1,502  ...........           11       16,518
     non-public analyses agreement
    Legal review of the QE DUA and  ............           20  ...........  ...........        77.16        1,543  ...........           11       16,975
     non-public analyses agreement
    Processing QE DUA and non-                 2  ...........  ...........  ...........        75.08          150           70           11      115,623
     public analyses agreement....
                                   ---------------------------------------------------------------------------------------------------------------------
        Total QE DUA and non-       ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........      149,116
         public analyses
         agreements...............
Additional Annual Report                      50  ...........  ...........  ...........        75.08        3,754  ...........           11       41,294
 Requirements.....................
                                   ---------------------------------------------------------------------------------------------------------------------
    Total qualified entity Impacts  ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........   27,966,492
--------------------------------------------------------------------------------------------------------------------------------------------------------

2. Impact on Health Care Providers and Suppliers
    We note that numerous health care payers, community quality 
collaboratives, States, and other organizations are producing 
performance measures for health care providers and suppliers using data 
from other sources, and that providers and suppliers are already 
receiving performance reports from these sources. We anticipate that 
the review of non-public analyses would merely be added to those 
existing efforts to improve the statistical validity of the measure 
findings. However, we invite comments on the impact of this new 
voluntary program.
    Table 4 reflects the hourly labor rates used in our estimate of the 
impacts of the first year of section 105(a) of MACRA on health care 
providers and suppliers.

                         Table 4--Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------------------------------
                                                                                   Overhead and
                                                                    2014 hourly       fringe       Total hourly
                                                                     wage rate       benefits          costs
                                                                       (BLS)          (100%)
----------------------------------------------------------------------------------------------------------------
Physicians' offices.............................................          $38.27          $38.27          $76.54
Hospitals.......................................................           29.65           29.65           59.30
----------------------------------------------------------------------------------------------------------------

    We anticipate that the impacts on providers and suppliers consist 
of costs to review the performance reports generated by qualified 
entities and, if they choose, appeal the performance calculations. We 
believe, on average, each qualified entity would produce non-public 
analyses that in total include information on 7,500 health providers 
and suppliers. This is based on estimates in the qualified entity final 
rule, but also include an increase of 50 percent because we believe 
that more providers and suppliers will be included in the non-public 
analyses. We anticipate that the largest proportion of providers and 
suppliers would be physicians because they comprise the largest group 
of providers and suppliers, and are a primary focus of many recent 
performance evaluation efforts. We also believe that many providers and 
suppliers will be the recipients of the non-public analyses in order to 
support their own performance improvement activities, and therefore, 
there would be no requirement for a correction or appeals process. As 
discussed above, there is no requirement for a corrections or appeals 
process where the analysis only individually identifies the (singular) 
provider or supplier who is being provided or sold the analysis.

[[Page 5413]]

Based on our review of information from existing programs, we assume 
that 95 percent of the recipients of performance reports (that is, an 
average of 7,125 per qualified entity) would be physicians, and 5 
percent (that is, an average of 375 per qualified entity) would be 
hospitals and other suppliers. Providers and suppliers receive these 
reports with no obligation to review them, but we assume that most 
would do so to verify that their calculated performance measures 
reflect their actual patients and health events. Because these non-
public analyses will be based on the same underlying data as the public 
performance reports, we estimate that it would take less time for 
providers or suppliers to review theses analyses and generate an 
appeal. We estimate that, on average, each provider or supplier would 
devote three hours to reviewing these analyses. We also estimate that 
25 percent of the providers and suppliers would decide to appeal their 
performance calculations, and that preparing the appeal would involve 
an average of seven hours of effort on the part of a provider or 
supplier. As with our assumptions regarding the level of effort 
required by qualified entities in operating the appeals process, we 
believe that this average covers a range of provider efforts from 
providers who would need just one or two hours to clarify any questions 
or concerns regarding their performance reports to providers who would 
devote significant time and resources to the appeals process.
    Using the hourly costs displayed in Table 4, the impacts on 
providers and suppliers are calculated below in Table 5. Based on the 
assumptions we have described, we estimate the total impact on 
providers for the first year of the program to be a cost of 
$29,690,386.
    As stated above in Table 3, we estimate the total impact on 
qualified entities to be a cost of $27,966,492. Therefore, the total 
impact on qualified entities and on providers and suppliers for the 
first year of the program is estimated to be $57,656,878.

                                      Table 5--Impact on Providers and Suppliers for the First Year of the Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                            Impact on Providers and Suppliers
---------------------------------------------------------------------------------------------------------------------------------------------------------
                                                Hours per provider                                           Number of
                                         --------------------------------  Labor hourly      Cost per      providers per     Number of      Total cost
                Activity                     Physician                         cost          provider        qualified       qualified        impact
                                              offices        Hospitals                                        entity         entities
--------------------------------------------------------------------------------------------------------------------------------------------------------
Physician office review of performance                 3  ..............           76.54            $230           7,125              11     $18,026,250
 reports................................
Hospital review of performance reports..  ..............               3           59.30             178             375              11         734,250
Physician office preparing and                         7  ..............           76.54             536           1,781              11      10,500,776
 submitting appeal requests to qualified
 entities...............................
Hospital preparing and submitting appeal  ..............               7           59.30             415              94              11         429,110
 requests to qualified entities.........
                                         ---------------------------------------------------------------------------------------------------------------
    Total Impact on Providers and         ..............  ..............  ..............  ..............  ..............  ..............      29,690,386
     Suppliers..........................
--------------------------------------------------------------------------------------------------------------------------------------------------------

C. Alternatives Considered

    The statutory provisions added by section 105(a) of MACRA are 
detailed and prescriptive about the permissible uses of the data under 
the Qualified Entity Program. We believe there are limited approaches 
that would ensure statutory compliance. We considered proposing less 
prescriptive requirements on the provisions that would need to be 
included in the agreements between qualified entities and authorized 
users that received or purchased analyses or data. For example, we 
could have required less strenuous data privacy and security 
protections such as not setting a minimum standard for protection of 
beneficiary identifiable data or non-public analyses. In addition, we 
could have reduced additional restrictions on re-disclosure or 
permitted data or analyses to be re-disclosed to additional downstream 
users. While these approaches might reduce costs for qualified 
entities, we did not adopt such an approach because of the importance 
of protecting beneficiary data. We believe if we do not require 
qualified entities to provide sufficient evidence of data privacy and 
security protection capabilities, there would be increased risks 
related to the protection of beneficiary identifiable data.

D. Conclusion

    As explained above, we estimate the total impact for the first year 
of the program on qualified entities and providers to be a cost of 
$57,656,878. While we anticipate the number of qualified entities to 
increase slightly, we do not anticipate significant growth in the 
qualified entity program given the qualified entity program 
requirements, as well as other existing programs that allow entities to 
obtain Medicare data. Based on these estimates, we conclude this 
proposed rule does not reach the threshold for economically significant 
effects and thus is not considered a major rule.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

List of Subjects in 42 CFR Part 401

    Claims, Freedom of information, Health facilities, Medicare, 
Privacy.

    For the reasons set forth in the preamble, the Centers for Medicare 
& Medicaid Services proposes to amend 42 CFR part 401 as set forth 
below:

PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation for part 401 is revised to read as follows:

    Authority: Secs. 1102, 1871, and 1874(e) of the Social Security 
Act (42 U.S.C. 1302,

[[Page 5414]]

1395hh, and 1395w-5) and section 105 of the Medicare Access and CHIP 
Reauthorization Act of 2015 (Pub. L. 114-10).

0
2. Section 401.703 is amended by adding paragraphs (j) through (u) to 
read as follows:


Sec.  401.703  Definitions.

* * * * *
    (j) Authorized user is a third party (meaning not the qualified 
entity or its contractors) to whom/which the qualified entity provides 
or sells data as permitted under this subpart. Authorized users are 
limited to the following entities:
    (1) A provider.
    (2) A supplier.
    (3) A medical society.
    (4) A hospital association.
    (5) An employer.
    (6) A health insurance issuer.
    (7) A healthcare provider and/or supplier association.
    (8) A state agency.
    (k) Employer has the same meaning as the term ``employer'' as 
defined in section 3(5) of the Employee Retirement Insurance Security 
Act of 1974.
    (l) Health insurance issuer has the same meaning as the term 
``health insurance issuer'' as defined in section 2791 of the Public 
Health Service Act.
    (m) Medical society means a nonprofit organization or association 
that provides unified representation and advocacy for physicians at the 
national or state level and whose membership is comprised of a majority 
of physicians.
    (n) Hospital association means a nonprofit organization or 
association that provides unified representation and advocacy for 
hospitals or health systems at a national or state level and whose 
membership is comprised of a majority of hospitals and health systems.
    (o) Healthcare Provider and/or Supplier Association means a 
nonprofit organization or association that provides unified 
representation and advocacy for providers and suppliers at the national 
or state level and whose membership is comprised of a majority of 
suppliers or providers.
    (p) State Agency means any office, department, division, bureau, 
board, commission, agency, institution, or committee within the 
executive branch of a state government.
    (q) Combined data means a set of CMS claims data provided under 
subpart G combined with claims data, or a subset of claims data from at 
least one of the other claims data sources described in Sec.  
401.707(d).
    (r) Patient means an individual who has visited the provider or 
supplier for a face-to-face or telehealth appointment at least once in 
the past 12 months.
    (s) Marketing means the same as the term ``marketing'' at 45 CFR 
164.501 without the exception to the bar for ``consent'' based 
marketing.
    (t) Violation means a failure to comply with a requirement of a CMS 
DUA or QE DUA.
    (u) Required by law means the same as the phrase ``required by 
law'' at 45 CFR 164.103.
0
3. Section 401.713 is amended by revising paragraph (a) and adding 
paragraph (d) to read as follows:


Sec.  401.713  Ensuring the privacy and security of data.

    (a) Data Use Agreement between CMS and a qualified entity. A 
qualified entity must comply with the data requirements in its data use 
agreement with CMS (hereinafter the CMS DUA). Contractors of qualified 
entities that are anticipated to have access to the Medicare claims 
data or beneficiary identifiable data in the context of this program 
are also required to execute and comply with the CMS DUA. The CMS DUA 
will require the qualified entity to maintain privacy and security 
protocols throughout the duration of the agreement with CMS, and will 
ban the use or disclosure of CMS data or any derivative data for 
purposes other than those set out in this subpart. The CMS DUA will 
also prohibit the use of unsecured telecommunications to transmit such 
data, and will specify the circumstances under which such data must be 
stored and may be transmitted.
* * * * *
    (d) Data Use Agreement between a qualified entity and an authorized 
user. In addition to meeting the other requirements of this subpart, 
and as a pre-condition of selling or disclosing any combined data or 
any Medicare claims data (or any beneficiary-identifiable derivative 
data of either kind) and as a pre-condition of selling or disclosing 
non-public analyses that include individually identifiable beneficiary 
data, the qualified entity must enter a DUA (hereinafter the QE DUA) 
with the authorized user. Among other things laid out in this subpart, 
such QE DUA must contractually bind the authorized user to the 
following:
    (1)(i) The authorized user may be permitted to use such data and 
non-public analyses in a manner that a HIPAA Covered Entity could do 
under the following provisions:
    (A) Activities falling under the first paragraph of the definition 
of ``health care operations'' under 45 CFR 164.501: Quality improvement 
activities, including care coordination activities and efforts to track 
and manage medical costs.
    (B) Activities falling under the second paragraph of the definition 
of ``health care operations'' under 45 CFR 164.501: Population-based 
activities such as those aimed at improving patient safety, quality of 
care, or population health, including the development of new models of 
care, the development of means to expand coverage and improve access to 
healthcare, the development of means of reducing health care 
disparities, and the development or improvement of methods of payment 
or coverage policies.
    (C) Activities that qualify as ``fraud and abuse detection or 
compliance activities'' under 45 CFR 164.506(c)(4)(ii).
    (ii) All other uses and disclosures of such data and/or such non-
public analyses must be forbidden except to the extent a disclosure 
qualifies as a ``required by law'' disclosure.
    (2) The authorized user is prohibited from using or disclosing the 
data or non-public analyses for marketing purposes as defined at Sec.  
401.703(s).
    (3) The authorized user is required to ensure adequate privacy and 
security protection for such data and non-public analyses. At a 
minimum, regardless of whether the authorized user is a HIPAA covered 
entity, such protections of beneficiary identifiable data must be at 
least as protective as what is required of covered entities regarding 
protected health information (PHI) under the HIPAA Privacy and Security 
Rules. In all cases, these requirements must be imposed for the life of 
such beneficiary identifiable data or non-public analyses and/or any 
derivative data, that is until all copies of such data or non-public 
analyses are returned or destroyed. Such duties must be written in such 
a manner as to survive termination of the QE DUA, whether for cause or 
not.
    (4) Except as provided for in paragraph (d)(5) of this section, the 
authorized user must be prohibited from re-disclosing or making public 
any such data or non-public analyses.
    (5)(i) At the qualified entity's discretion, it may permit an 
authorized user that is a provider as defined in Sec.  401.703(b) or a 
supplier as defined in Sec.  401.703(c), to re-disclose such data and 
non-public analyses as a covered entity would be permitted to disclose 
PHI under 45 CFR 164.506(c)(4)(i)), or under 45 CFR 164.502(e)(1).
    (ii) All other uses and disclosures of such data and/or such non-
public analyses is forbidden except to the extent a disclosure 
qualifies as a ``required by law'' disclosure.
    (6) Authorized users who/that receive the beneficiary de-identified 
combined data or Medicare data as contemplated

[[Page 5415]]

under Sec.  401.718 are contractually prohibited from linking the 
beneficiary de-identified data to any other identifiable source of 
information, and must be contractually barred from attempting any other 
means of re-identifying any individual whose data is included in such 
data.
    (7) The QE DUA must bind authorized user(s) to notifying the 
qualified entity of any violations of the QE DUA, and it must require 
the full cooperation of the authorized user in the qualified entity's 
efforts to mitigate any harm that may result from such violations, or 
to comply with the breach provisions governing qualified entities under 
this subpart.
0
4. Section 401.716 is added to read as follows:


Sec.  401.716  Non-public analyses.

    (a) General. So long as it meets the other requirements of this 
subpart, and subject to the limits in paragraphs (b) and (c) of this 
section, the qualified entity may use the combined data to create non-
public analyses in addition to performance measures.
    (b) Limitations on a qualified entity. In addition to meeting the 
other requirements of this subpart, a qualified entity must comply with 
the following limitations as a pre-condition of dissemination or 
selling non-public analyses to an authorized user:
    (1) A qualified entity may only provide or sell a non-public 
analysis to a health insurance issuer as defined in Sec.  401.703(l), 
after the health insurance issuer has provided the qualified entity 
with claims data that represents a majority of the health insurance 
issuer's covered lives for the time period and geographic region 
covered by the issuer-requested non-public analyses.
    (2) Analyses that contain information that individually identifies 
one or more beneficiaries may only be disclosed to a provider or 
supplier (as defined at Sec.  401.703(b) and (c)) when the following 
conditions are met:
    (i) The analyses only contain identifiable information on 
beneficiaries with whom the provider or supplier have a patient 
relationship as defined at Sec.  401.703(r), and
    (ii) a QE DUA as defined at Sec.  401.713(d) is executed between 
the qualified entity and the provider or supplier prior to making any 
individually identifiable beneficiary information available to the 
provider or supplier.
    (3) Except as specified under paragraph (c)(2) of this section, all 
analyses must be limited to beneficiary de-identified data. Regardless 
of the HIPAA covered entity or business associate status of the 
qualified entity and/or the authorized user, de-identification must be 
determined based on the standards for HIPAA covered entities found at 
45 CFR 164.514(b).
    (4) Analyses that contain information that individually identifies 
a provider or supplier may not be disclosed unless:
    (i) The analysis only individually identifies the provider or 
supplier that is being supplied the analysis, or
    (ii) Every provider or supplier individually identified in the 
analysis has been afforded the opportunity to appeal or correct errors 
using the process at Sec.  401.717(f).
    (c) Non-public analyses agreement between a qualified entity and an 
authorized user for beneficiary de-identified non-public analyses 
disclosures. In addition to the other requirements of this subpart, a 
qualified entity must enter a contractually binding non-public analyses 
agreement with the authorized user as a pre-condition to providing or 
selling de-identified analyses. Such non-public analyses agreement must 
contain the following provisions:
    (1) The authorized user may not use the analyses or derivative data 
for the following purposes:
    (i) Marketing, as defined at Sec.  401.703(s).
    (ii) Harming or seeking to harm patients or other individuals both 
within and outside the healthcare system regardless of whether their 
data are included in the analyses.
    (iii) Effectuating or seeking opportunities to effectuate fraud 
and/or abuse in the health care system.
    (2) If the authorized user is an employer as defined in Sec.  
401.703(k), the authorized user may only use the analyses or derivative 
data for purposes of providing health insurance to employees, retirees, 
or dependents of employees or retirees of that employer.
    (3)(i) At the qualified entity's discretion, it may permit an 
authorized user that is a provider as defined in Sec.  401.703(b) or a 
supplier as defined in Sec.  401.703(c), to re-disclose the de-
identified analyses or derivative data, as a covered entity would be 
permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).
    (ii) All other uses and disclosures of such data and/or such non-
public analyses is forbidden except to the extent a disclosure 
qualifies as a ``required by law'' disclosure.
    (4) If the authorized user is not a provider or supplier, the 
authorized user may not re-disclose or make public any non-public 
analyses or derivative data except as required by law.
    (5) The authorized user may not link the de-identified analyses to 
any other identifiable source of information and may not in any other 
way attempt to identify any individual whose de-identified data is 
included in the analyses.
    (6) The authorized user must notify the qualified entity of any DUA 
violations, and it must fully cooperate with the qualified entity's 
efforts to mitigate any harm that may result from such violations.
0
5. Section 401.717 is amended by adding paragraph (f) to read as 
follows:


Sec.  401.717  Provider and supplier requests for error correction.

* * * * *
    (f) A qualified entity also must comply with paragraphs (a) through 
(e) of this section before disclosing non-public analyses, as defined 
at Sec.  401.716, that contain information that individually identifies 
a provider or supplier.
0
6. Section 401.718 is added to read as follows:


Sec.  401.718  Dissemination of data.

    (a) General. Subject to the other requirements in this subpart, the 
requirements in paragraphs (b) and (c) of this section and any other 
applicable laws or contractual agreements, a qualified entity may 
provide or sell combined data, or provide Medicare data at no cost to 
authorized users defined at Sec.  401.703(b), (c), (m), and (n).
    (b) Data--(1) De-identification. Except as specified in paragraph 
(b)(2) of this section, any data provided or sold by a qualified entity 
to an authorized user must be limited to beneficiary de-identified 
data. De-identification must be determined based on the de-
identification standards for HIPAA covered entities found at Sec.  
164.514(b).
    (2) Exception. If such disclosure would be consistent with all 
applicable laws, data that individually identifies a beneficiary may 
only be disclosed to a provider or supplier (as defined at Sec.  
401.703(b) and (c)) with whom the identifiable individuals in such data 
have a current patient relationship as defined at Sec.  401.703(r).
    (c) Data Use Agreement between a qualified entity and an authorized 
user. A qualified entity must contractually require an authorized user 
to comply with the requirements in Sec.  401.713(d) prior to providing 
or selling data to an authorized user under Sec.  401.718.
0
7. Section 401.719 is amended by adding paragraphs (b)(3) and (4) and 
(d)(5) to read as follows:

[[Page 5416]]

Sec.  401.719  Monitoring and sanctioning of qualified entities.

* * * * *
    (b) * * *
    (3) Non-public analyses provided or sold to authorized users under 
this subpart, including the following information:
    (i) A summary of the analyses provided or sold, including--
    (A) The number of analyses.
    (B) The number of purchasers of such analyses.
    (C) The types of authorized users that purchased analyses.
    (D) The total amount of fees received for such analyses.
    (E) QE DUA or non-public analyses agreement violations.
    (ii) A description of the topics and purposes of such analyses.
    (4) Data provided or sold to authorized users under this subpart, 
including the following information:
    (i) The entities who received data.
    (ii) The basis under which each entity received such data.
    (iii) The total amount of fees received for providing, selling, or 
sharing the data.
    (iv) QE DUA violations.
* * * * *
    (d) * * *
    (5) In the case of a violation, as defined at Sec.  401.703(t) of 
the CMS DUA or the QE DUA, CMS will impose an assessment on a qualified 
entity in accordance with the following:
    (i) Amount of Assessment. CMS will calculate the amount of the 
assessment of up to $100 per individual entitled to, or enrolled for, 
benefits under part A of title XVIII of the Social Security Act or 
enrolled for benefits under part B of such title whose data was 
implicated in the violation based on the following:
    (A) Basic Factors. In determining the amount per impacted 
individual, CMS takes into account the following:
    (1) The nature and the extent of the violation.
    (2) The nature and the extent of the harm or potential harm 
resulting from the violation.
    (3) The degree of culpability and the history of prior violations.
    (B) Criteria to be considered. In establishing the basic factors, 
CMS considers the following circumstances, including:
    (1) Aggravating Circumstances. Aggravating circumstances include 
the following:
    (i) There were several types of violations occurring over a lengthy 
period of time.
    (ii) There were many of these violations or the nature and 
circumstances indicate a pattern of violations.
    (iii) The nature of the violation had the potential or actually 
resulted in harm to beneficiaries.
    (2) Mitigating circumstances. Mitigating circumstances include the 
following:
    (i) All of the violations subject to the imposition of an 
assessment were few in number, of the same type, and occurring within a 
short period of time.
    (ii) The violation was the result of an unintentional and 
unrecognized error and the qualified entity took corrective steps 
immediately after discovering the error.
    (C) Effects of aggravating or mitigating circumstances. In 
determining the amount of the assessment to be imposed under 
(d)(5)(i)(A) of this section.
    (1) If there are substantial or several mitigating circumstance, 
the aggregate amount of the assessment is set at an amount sufficiently 
below the maximum permitted by (d)(5)(A) of this section to reflect the 
mitigating circumstances.
    (2) If there are substantial or several aggravating circumstances, 
the aggregate amount of the assessment is set at an amount at or 
sufficiently close to the maximum permitted by (d)(5)(i)(A) of this 
section to reflect the aggravating circumstances.
    (D) The standards set for the qualified entity in this paragraph 
are binding, except to the extent that--
    (1) The amount imposed is not less than the approximate amount 
required to fully compensate the United States, or any State, for its 
damages and costs, tangible and intangible, including but not limited 
to the costs attributable to the investigation, prosecution, and 
administrative review of the case.
    (2) Nothing in this section limits the authority of CMS to settle 
any issue or case as provided by part 1005 of this title or to 
compromise any assessment as provided by (d)(5)(E) of this section.
    (ii) Notice of Determination. CMS must propose an assessment in 
accordance with this paragraph, by notifying the qualified entity by 
certified mail, return receipt requested. Such notice must include the 
following information:
    (A) The assessment amount.
    (B) The statutory and regulatory bases for the assessment.
    (C) A description of the violations upon which the assessment was 
proposed.
    (D) Any mitigating or aggravating circumstances that CMS considered 
when it calculated the amount of the proposed assessment.
    (E) Information concerning response to the notice, including:
    (1) A specific statement of the respondent's right to a hearing in 
accordance with procedures established at Section 1128A of the Act and 
implemented in 42 CFR part 1005.
    (2) A statement that failure to respond within 60 days renders the 
proposed determination final and permits the imposition of the proposed 
assessment.
    (3) A statement that the debt may be collected through an 
administrative offset.
    (4) In the case of a respondent that has an agreement under section 
1866 of the Act, notice that imposition of an exclusion may result in 
termination of the provider's agreement in accordance with section 
1866(b)(2)(C) of the Act.
    (F) The means by which the qualified entity may pay the amount if 
they do not intend to request a hearing.
    (iii) Failure to request a hearing. If the qualified entity does 
not request a hearing within 60 days of receipt of the notice of 
proposed determination specified in the preceding paragraph, any 
assessment becomes final and CMS may impose the proposed assessment.
    (A) CMS notifies the qualified entity, by certified mail with 
return receipt requested, of any assessment that has been imposed and 
of the means by which the qualified entity may satisfy the judgment.
    (B) The qualified entity has no right to appeal an assessment for 
which the qualified entity has not requested a hearing.
    (iv) When an assessment is collectible. An assessment becomes 
collectible after the earliest of the following:
    (A) 60 days after the qualified entity receives CMS's notice of 
proposed determination under (d)(5)(ii) of this section, if the 
qualified entity has not requested a hearing.
    (B) Immediately after the qualified entity abandons or waives its 
appeal right at any administrative level.
    (C) 30 days after the qualified entity receives the ALJ's decision 
imposing an assessment under Sec.  1005.20(d) of this title, if the 
qualified entity has not requested a review before the DAB.
    (D) 60 days after the qualified entity receives the DAB's decision 
imposing an assessment if the qualified entity has not requested a stay 
of the decision under Sec.  1005.22(b) of this title.
    (v) Collection of an assessment. Once a determination by HHS has 
become final, CMS is responsible for the collection of any assessment.
    (A) The General Counsel may compromise an assessment imposed under 
this part, after consulting with CMS or OIG, and the Federal government 
may recover the assessment in a civil action brought in the United

[[Page 5417]]

States district court for the district where the claim was presented or 
where the qualified entity resides.
    (B) The United States or a state agency may deduct the amount of an 
assessment when finally determined, or the amount agreed upon in 
compromise, from any sum then or later owing the qualified entity.
    (C) Matters that were raised or that could have been raised in a 
hearing before an ALJ or in an appeal under section 1128A(e) of the Act 
may not be raised as a defense in a civil action by the United States 
to collect an assessment.
0
8. Section 401.721 is amended by adding paragraph (a)(7) to read as 
follows:


Sec.  401.721  Terminating an agreement with a qualified entity.

    (a) * * *
    (7) Fails to ensure authorized users comply with their QE DUAs or 
analysis use agreements.
* * * * *

    Dated: October 15, 2015.
Andrew M. Slavitt,
Acting Administrator, Centers for Medicare & Medicaid Services.
    Dated: January 27, 2016.
Sylvia M. Burwell,
Secretary, Department of Health and Human Services.
[FR Doc. 2016-01790 Filed 1-29-16; 11:15 am]
BILLING CODE 4120-01-P