[Federal Register Volume 81, Number 21 (Tuesday, February 2, 2016)]
[Proposed Rules]
[Pages 5397-5417]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01790]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
42 CFR Part 401
[CMS-5061-P]
RIN 0938-AS66
Medicare Program: Expanding Uses of Medicare Data by Qualified
Entities
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: This proposed rule would implement new statutory requirements
that would expand how qualified entities may use and disclose data
under the qualified entity program to the extent consistent with
applicable program requirements and other applicable laws, including
information, privacy, security and disclosure laws. In doing so, this
proposed rule would explain how qualified entities may create non-
public analyses and provide or sell such analyses to authorized users,
as well as how qualified entities may provide or sell combined data, or
provide Medicare claims data alone at no cost, to certain authorized
users. This proposed rule would also implement certain privacy and
security requirements, and impose assessments on qualified entities if
the qualified entity or the authorized user violates the terms of a
data use agreement (DUA) required by the qualified entity program.
DATES: To be assured consideration, comments must be received at one of
the addresses provided below, no later than 5 p.m. on March 29, 2016.
ADDRESSES: In commenting, please refer to file code CMS-5061-P. Because
of staff and resource limitations, we cannot accept comments by
facsimile (FAX) transmission.
You may submit comments in one of four ways (please choose only one
of the ways listed):
1. Electronically. You may submit electronic comments on this
regulation to http://www.regulations.gov. Follow the ``Submit a
comment'' instructions.
2. By regular mail. You may mail written comments to the following
address only: Centers for Medicare & Medicaid Services, Department of
Health and Human Services, Attention: CMS-5061-P, P.O. Box 8010,
Baltimore, MD 21244-1850.
Please allow sufficient time for mailed comments to be received
before the close of the comment period.
3. By express or overnight mail. You may send written comments to
the following address only: Centers for Medicare & Medicaid Services,
Department of Health and Human Services, Attention: CMS-5061-P, Mail
Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.
4. By hand or courier. Alternatively, you may deliver (by hand or
courier) your written comments only to the following addresses prior to
the close of the comment period:
a. For delivery in Washington, DC--Centers for Medicare & Medicaid
Services, Department of Health and Human Services, Room 445-G, Hubert
H. Humphrey Building, 200 Independence Avenue SW., Washington, DC
20201.
(Because access to the interior of the Hubert H. Humphrey Building
is not readily available to persons without Federal government
identification, commenters are encouraged to leave their comments in
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing
by stamping in and retaining an extra copy of the comments being
filed.)
b. For delivery in Baltimore, MD--Centers for Medicare & Medicaid
Services, Department of Health and Human Services, 7500 Security
Boulevard, Baltimore, MD 21244-1850.
If you intend to deliver your comments to the Baltimore address,
call telephone number (410) 786-9994 in advance to schedule your
arrival with one of our staff members.
Comments erroneously mailed to the addresses indicated as
appropriate for hand or courier delivery may be delayed and received
after the comment period.
For information on viewing public comments, see the beginning of
the SUPPLEMENTARY INFORMATION section.
FOR FURTHER INFORMATION CONTACT: Allison Oelschlaeger, (202) 690-8257.
Kari Gaare, (410) 786-8612.
SUPPLEMENTARY INFORMATION:
Inspection of Public Comments: All comments received before the
close of the comment period are available for viewing by the public,
including any personally identifiable or confidential business
information that is included in a comment. We post all comments
received before the close of the comment period on the following Web
site as soon as possible after they have been received: http://www.regulations.gov. Follow the search instructions on that Web site to
view public comments.
Comments received timely will also be available for public
inspection as they are received, generally beginning approximately 3
weeks after publication of a document, at the headquarters of the
Centers for Medicare & Medicaid Services, 7500 Security Boulevard,
Baltimore, Maryland 21244, Monday through Friday of each week from 8:30
a.m. to 4 p.m. To schedule an appointment to view public comments,
phone 1-800-743-3951.
I. Background
On April 16, 2015, the Medicare Access and CHIP Reauthorization Act
of 2015 (MACRA) (Pub. L. 114-10) was enacted. The law included a
provision, Section 105, Expanding the Availability of Medicare Data,
which takes effect on July 1, 2016. This section expands how qualified
entities will be allowed to use and disclose data under the qualified
entity program, including data subject to section 1874(e) of the Social
Security Act (the Act), to the extent consistent with other applicable
laws, including information, privacy, security and disclosure laws.
The Qualified Entity program was established by Section 10332 of
the Patient Protection and Affordable Care Act (Affordable Care Act)
(Pub. L. 111-148). The implementing regulations, which became effective
January 6, 2012, are found in subpart G of 42 CFR part 401 (76 FR
76542). Under those provisions, CMS provides standardized extracts of
Medicare Part A and B claims data and Part D drug event data
(hereinafter collectively referred to as Medicare claims data) covering
one or more geographic regions to qualified entities at a fee equal to
the cost of producing the data. Under the original statutory
provisions, such Medicare claims data must be combined with other non-
Medicare claims data and may only be used to evaluate the performance
of providers and suppliers. The measures, methodologies and results
that comprise such evaluations are subject to review and correction by
the subject providers and suppliers, after which the results are to be
disseminated in public reports.
Those wishing to become qualified entities are required to apply to
the program. Currently, thirteen organizations have applied and
received approval to be a qualified entity. Of these organizations, two
have completed public reporting while the other eleven are in various
stages of preparing for public reporting. While we have been pleased
with the participation in the program so far, we expect that the
changes required by MACRA will increase interest in the program.
Under section 105 of MACRA, effective July 1, 2016, qualified
entities will be allowed to use the combined data and information
derived from the evaluations described in 1874(e)(4)(D) of the Act to
conduct non-public analyses and provide or sell these analyses to
authorized users for non-public use in accordance with the program
requirements and other applicable laws. In highlighting the need to
comply with other applicable laws, we particularly note that any
qualified entity that is a covered entity or business associate as
defined in the Health Insurance Portability and Accountability Act of
1996 (``HIPAA'') regulations at 45 CFR 160.103 will need to ensure
compliance with any applicable HIPAA requirements, including the bar on
the sale of Protected Health Information.
In addition, qualified entities will be permitted to provide or
sell the combined data, or provide the Medicare claims data alone at no
cost, again, in accordance with the program requirements and other
applicable laws, to providers, suppliers, hospital associations, and
medical societies. Qualified entities that elect to provide or sell
analyses and/or data under these new provisions will be subject to an
assessment if they or the authorized users to whom they disclose
beneficiary identifiable data in the form of analyses or raw data act
in a manner that violates the terms of a program-required Qualified
Entity Data Use Agreement (QE DUA). Furthermore, qualified entities that
make analyses or data available under these new provisions will be
subject to new annual reporting requirements to aid CMS in monitoring
compliance with the program requirements. These new annual reporting
requirements will only apply to qualified entities that choose to
provide or sell non-public analyses and/or provide or sell combined
data, or provide Medicare claims data alone at no cost.
We believe these changes to the qualified entity program will be
important in driving higher quality, lower cost care in Medicare and
the health system in general. We also believe that these changes will
drive renewed interest in the qualified entity program, leading to more
transparency regarding provider and supplier performance and innovative
uses of data that will result in improvements to the healthcare
delivery system while still ensuring appropriate privacy and security
protections for beneficiary-identifiable data.
II. Provisions of the Proposed Regulations
To implement the new statutory provisions of section 105 of MACRA,
we propose to amend and make conforming changes to Part 401 Subpart G,
``Availability of Medicare Data for Performance Measurement.''
Throughout the preamble, we identify options and alternatives to the
provisions we propose. We strongly encourage comments on our proposed
approach, as well as any alternatives.
A. Non-Public Analyses
Section 105(a)(1) of MACRA expands how qualified entities will be
allowed to use and disclose the combined data and any information
derived from the evaluations described in section 1874(e)(4)(D) of the
Act. The section provides for such data's use and/or disclosure in
additional non-public analyses that may be given or, in certain
circumstances, sold to authorized users in accordance with program
requirements and other applicable laws, including information, privacy,
security, and disclosure laws. An authorized user is defined at Sec.
401.703(j) and the definition is discussed below in section II.C. The
new proposals regarding the disclosure and/or sale of combined data or
the disclosure of Medicare data at no cost are discussed below in
section II.B.
To implement the non-public analyses provisions, we propose to add
a new Sec. 401.716. Under Sec. 401.716, paragraph (a) would provide
for the qualified entity's use of the combined data or information
derived from the evaluations described in section 1874(e)(4)(D) of the
Act to create non-public analyses. Paragraph (b) would provide for the
provision or sale of these analyses to authorized users in accordance
with the program requirements discussed later in this section, as well
as other applicable laws.
1. Additional Analyses
We propose at Sec. 401.703(q) to define combined data as a set of
CMS claims data provided under subpart G combined with a subset of
claims data from at least one of the other claims data sources
described in Sec. 401.707(d). Sec. 401.707(d) requires qualified
entities to submit to CMS information on the claims data it possesses
from other sources, that is, any other provider-identifiable or
supplier-identifiable data for which the qualified entity has full data
usage rights. In defining the term in this manner, we are not proposing
to establish a minimum amount of data that must be included in the
combined data set from other sources, but, as we noted in our December
7, 2011 final rule (76 FR 76542), we believe that the requirement to
use combined data is likely to lead to increased validity and
reliability of the performance findings through the use of larger and
more diverse samples. As such, we expect qualified entities will choose
to use sufficient claims data from other sources to ensure such
validity and reliability. That said, we recognize that there may be
instances in which other sources of claims data (for example, Medicaid
or private payer data) may be of limited value. For instance, depending
on the other claims data a given qualified entity may hold, Medicare
data may provide the best opportunity to conduct analyses on
chronically ill or other resource-intensive populations that may not be
commonly represented in other sources of claims data. Thus, while the
statute requires the use of combined data for the analyses, it does not
specify the minimum amount of data from other sources to qualify as
combined data, and, as we believe it would be difficult to establish a
threshold given the variability in the analyses that the qualified
entities may conduct, we propose not to adopt any minimum standard for
the amount of other sources of claims data that must be included in a
combined data set. We are requesting comments on this proposal as well
as suggestions for other possible alternatives or options.
2. Limitations on the Qualified Entities With Respect to the Sale and
Provision of Non-Public Analyses
MACRA imposes a number of limitations on qualified entities with
respect to the sale and provision of non-public analyses. It mandates
that a qualified entity may not provide or sell non-public analyses to
a health insurance issuer unless the issuer is providing the qualified
entity with claims data under section 1874(e)(4)(B)(iii) of the Act. In
doing so, the statute does not specify the minimum amount of data that
the issuer must be providing to the qualified entity. We considered not
imposing a threshold on the amount of data being provided by the
issuer, but decided that specifying a threshold would encourage issuers
to submit data to the qualified entity to be included in the public
performance reports, increasing the reports' reliability and sample
size. As a result, we propose at Sec. 401.716(b)(1) to limit qualified
entities to only providing or selling non-public analyses to issuers
after they provide the qualified entity with claims data that
represents a majority of the issuers' covered lives in the geographic
region and during the time frame of the non-public analyses requested
by the issuer. For example, if an issuer requested non-public analyses
using the combined data for the first 6 months of 2015 in Minnesota, it
would need to provide the qualified entity with data that represents
over 50 percent of the issuer's covered lives during those 6 months in
Minnesota. We believe this threshold will ensure that issuers submit a
large portion of their data to the qualified entity without requiring
them to share data for their entire population in order to be eligible
to receive non-public analyses. We seek comment on whether the
threshold of a majority of the issuer's covered lives in the desired
geographic area during the time frame covered by the non-public
analyses requested by the issuer is too high or low, as well as other
alternatives to specify the amount of data the issuer must provide to a
qualified entity to be eligible to receive or purchase non-public
analyses.
Section 105(a)(3) of MACRA imposes additional requirements on the
dissemination of non-public analyses or data that contain information
that individually identify a patient. Because we define the term
``patient'' later in this section and in a manner that does not relate
to de-identification of individually identifiable information, we will
use the word beneficiary in relation to de-identification rather than
patient. In light of these MACRA provisions, as well as our belief that
protecting the privacy and security of beneficiaries' information is of
the utmost importance and our belief that identifiable information on
individual beneficiaries would generally not be needed by authorized
users, we propose to impose limits on the content of the non-public
analyses. In doing so, we recognize that when non-public analyses are
provided or sold to a provider or supplier, individually identifying
information such as name, age, gender, or date of birth may be
essential for the provider or supplier to proactively use the
information gleaned from the analyses. For example, a provider may not
know who a patient is based on the unique identifier assigned by the
payer and as a result would not be able to use the analyses to improve
care or better coordinate care with other providers for that patient.
In addition, there is a high likelihood that providers may have
patients with the same or similar names, so age or date of birth may be
necessary to identify the patient in the analyses. We therefore propose
at Sec. 401.716(b)(2) to limit the provision or sale of non-public
analyses that individually identify a beneficiary to providers or
suppliers with whom the subject individual(s) have established a
patient relationship.
While the term ``patient'' is commonly used in the provision of
healthcare, reasonable minds may differ on the periodicity with which
an individual must have contact with a provider or supplier to maintain
a ``patient'' relationship. Depending on individual practice or
applicable laws, a person may still be considered a patient of a
provider or supplier even though a number of years have passed since
they were seen or provided services by the provider or supplier.
However, when the individual has not visited a provider or supplier in
a number of years, analyses that contain individually identifiable
information about that patient may not be very useful, as any care
coordination or quality improvement efforts would, presumably, require
continued contact with that patient. Therefore, for the purposes of
this program, we propose to define patient as an individual who has
visited the provider or supplier for a face-to-face or telehealth
appointment at least once in the past 12 months. This definition is
similar to that used in the Medicare Shared Savings Program which
assigns beneficiaries to Accountable Care Organizations based on
services delivered in the past 12 months. We also believe this
definition will ensure that providers and suppliers are able to receive
information about patients they are actively treating. We seek comments
on this proposal, particularly any beneficiary concerns if we were to
implement this proposal, and any reasonable alternatives to this
proposal that might address those concerns.
Except when patient-identifiable non-public analyses are shared
with the patient's provider or supplier as described above, we propose
at Sec. 401.716(b)(3) to require that all non-public analyses must be
beneficiary de-identified using the de-identification standards in the
HIPAA Privacy Rule at 45 CFR 164.514(b). De-identification under this
standard requires the removal of specified data elements or reliance on
a statistical analysis that concludes that the information is unlikely
to be able to be used alone or in combination with other available
information to identify/re-identify the patient subjects of the data.
The statistical de-identification approach may be more difficult
because an entity may not have access to an expert capable of
performing the analysis in accordance with HIPAA Rules, but we believe
that the protections afforded by HIPAA-like standards of de-
identification are appropriate, as HIPAA has, in many ways, established
a reasoned and appropriate privacy and security floor for the health
care industry. That said, the framework for de-identification that is
laid out in the HIPAA Privacy Rule represents a widely accepted
industry standard for de-identification, so we think its concepts are
appropriate for adoption into this program. Additional information on
the HIPAA de-identification standards can be found on the HHS Office
for Civil Rights Web site at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.
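The removal-of-specified-elements branch of 45 CFR 164.514(b) (the Safe Harbor method) is mechanical enough to be checked in code. The following Python is an added example written for this page, not part of the proposed rule or of any CMS or OCR tooling. The field names, the record shape and the sample records are assumptions constructed for the example; the list of three-digit ZIP prefixes that must collapse to 000 reproduces the 2000-Census list in OCR's guidance and must be confirmed against current Census data before use. The function `residual_identifiers` is a last-line heuristic check on the output, not a substitute for the rule's "no actual knowledge" condition.

```python
"""Safe Harbor de-identification of a claims-derived record (45 CFR 164.514(b)(2)).

Drops the listed direct identifiers, keeps only the year of dates that
relate to the individual, truncates ZIP codes to three digits (000 for
sparsely populated prefixes), aggregates ages over 89 into "90+", and
scrubs identifier patterns from free-text fields. Field names are
assumptions for this example; map your own schema onto them.
"""
import re
from datetime import date

# Fields Safe Harbor removes outright: names, geographic units smaller
# than a state (other than ZIP3), contact details, SSN, MRN, health plan
# beneficiary and account numbers, licence/vehicle/device identifiers,
# URLs, IP addresses, biometrics, photographs. Names here are assumed.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "mbi", "hicn", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# ZIP3 prefixes whose combined population is 20,000 or fewer, which must
# become 000. Reproduces the 2000-Census list in OCR's guidance; confirm
# it against current Census data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}
# Identifiers that tend to leak through free-text fields such as notes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),  # US phone number
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),     # e-mail address
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),      # IPv4 address
]


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for a restricted prefix."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return str(date.fromisoformat(iso_date).year)


def safe_harbor_age(age: int):
    """Ages over 89 are aggregated into a single '90+' bucket."""
    return age if age <= 89 else "90+"


def scrub_free_text(text: str) -> str:
    """Replace identifier-looking substrings in free text."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def age_on(born: date, as_of: date) -> int:
    """Completed years between two dates."""
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def deidentify(record: dict, as_of: str) -> dict:
    """Return a Safe Harbor de-identified copy of one record.

    as_of is the ISO date on which ages are evaluated (the analysis date).
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # dropped entirely
        if key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "age":
            out[key] = safe_harbor_age(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value              # clinical codes, amounts, etc.
    # Edge case: for anyone over 89 the birth year alone reveals the age,
    # so the rule also removes every date element indicative of that age.
    if "dob" in record:
        born = date.fromisoformat(record["dob"])
        if age_on(born, date.fromisoformat(as_of)) > 89:
            out.pop("dob", None)
            out["age"] = "90+"
    return out


def residual_identifiers(record: dict) -> list:
    """Fields that still look identifying; an empty list means the check passed."""
    hits = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            hits.append(key)
        elif isinstance(value, str) and any(p.search(value) for p in FREE_TEXT_PATTERNS):
            hits.append(key)
    return hits


if __name__ == "__main__":
    # Constructed sample record, not real beneficiary data.
    sample = {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "02138",
              "dob": "1950-05-17", "age": 65, "diagnosis": "E11.9",
              "notes": "follow-up call 617-555-0100, email jane@example.org"}
    cleaned = deidentify(sample, "2016-02-02")
    print(cleaned, residual_identifiers(cleaned))
```

Two points the code makes that the prose does not: the over-89 rule interacts with the date rule (a retained birth year can still disclose an age the rule says to suppress), and the regex scrub of free-text fields only catches identifiers in formats you anticipated, which is why the output should still be scanned and why the Expert Determination path exists for data where the element-removal method is not enough. Neither function has any bearing on a qualified entity's obligations under the HIPAA Privacy Rule itself; it only checks the data shape.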
We seek comment on this proposal and whether another set of de-
identification standards would be more appropriate to ensure that non-
public analyses do not contain information that individually identifies
a beneficiary, except as provided for above where the individual is a
patient of the provider or supplier who is receiving the analyses, and
how qualified entities that are HIPAA-covered entities could comply
with such alternate qualified entity program standards while still
meeting any applicable HIPAA obligations.
In addition, section 105(a)(6) of MACRA preserves providers' and
suppliers' opportunity to review analyses (now including non-public
analyses) that individually identify the provider or supplier. As such,
we propose at Sec. 401.716(b)(4) to bar qualified entities' disclosure
of non-public analyses that individually identify a provider or
supplier unless: (a) The analysis only individually
identifies the singular recipient of the analysis or (b) each provider
or supplier who is individually identified in a non-public analysis
that identifies multiple providers/suppliers has been afforded an
opportunity to review the aspects of the analysis about them, and, if
applicable, request error correction. We describe the proposed appeal
and error correction process in more detail in section II.A.4 below.
3. Limitations on the Authorized User
While CMS has been granted statutory authority to impose
requirements and limitations on the qualified entity, it has limited
authority to oversee authorized users. As such, this proposed
regulatory scheme is generally structured to require the qualified
entity to ensure authorized users' compliance with the concepts laid
out in MACRA through contractual means. In keeping with this, we
propose at Sec. 401.716(b)(2) and Sec. 401.716(c) to require the
qualified entity's use of legally binding agreements with any
authorized users to whom it provides or sells the non-public analyses.
Types of Legally Binding Agreements
For non-public analyses that include patient identifiable data, we
propose at Sec. 401.716(b)(2) to require the qualified entity to enter
into a QE DUA with any authorized users as a pre-condition to providing
or selling such non-public analyses. As we are also proposing to
require use of the QE DUA in the context of the provision or sale of
combined data, or the provision of Medicare data at no cost, we discuss
the QE DUA in the data disclosure discussion in section II.B below. For
non-public analyses that include beneficiary de-identified data, we
propose at Sec. 401.716(c) to require the qualified entity to enter
into a contractually binding non-public analyses agreement with any
authorized users as a pre-condition to providing or selling such non-
public analyses. A discussion of the proposed requirements for the non-
public analyses agreements follows in this section.
We believe that the use of the non-public analyses agreement when
authorized users receive non-public analyses containing de-identified
data and the QE DUA when authorized users receive non-public analyses
that contain patient identifiable information are the best mechanisms
for ensuring that both qualified entities and authorized users are
aware of and compliant with the data use and disclosure limitations
established by MACRA. We seek comment on whether the non-public
analyses agreement and the QE DUA are the best mechanisms to ensure
compliance with these restrictions given the authorities established by
MACRA.
Requirements in the Non-Public Analyses Agreement
The statute generally allows qualified entities to provide or sell
their non-public analyses to authorized users for non-public use, but
it bars use or disclosure of such analyses for marketing (see section
105(a)(3)(c) of MACRA). Such analyses therefore may include, but would
not be limited to analyses intended to assist providers' and suppliers'
development of, and participation in, quality and patient care
improvement activities, including development of new models of care.
But, while many types of non-public analyses could lead to improvements
in the health care delivery system, certain types of analyses could
cause harm to patients or lead to additional fraud and/or abuse
concerns for the delivery system. Therefore, despite the breadth of the
statutory authority, we believe it is important to establish additional
limits on the non-public analyses, given the expansive types of non-
public analyses that could be conducted by the qualified entities if no
limits are placed on such analyses, and the potential deleterious
consequences of some such analyses.
With this in mind, we propose at Sec. 401.716(c)(1) that the non-
public analyses agreement require that non-public analyses conducted
using combined data or the information derived from the evaluations
described in section 1874(e)(4)(D) of the Act may not be used or
disclosed for the following purposes: marketing, harming or seeking to
harm patients and other individuals both within and outside the
healthcare system regardless of whether their data are included in the
analyses (for example, an employer using the analyses to attempt to
identify and fire employees with high healthcare costs), or
effectuating or seeking opportunities to effectuate fraud and/or abuse
in the healthcare system (for example, a provider using the analyses to
identify ways to submit fraudulent claims that might not be caught by
auditing software).
Rather than developing a new definition for marketing under this
program, we propose at Sec. 401.703(s) to generally define marketing
using the definition at 45 CFR 164.501 in the HIPAA Privacy Rule. Under
this definition, marketing means making a communication about a product
or service that encourages recipients of the communication to purchase
or use the product or service. In doing so, we note that the HIPAA
Privacy Rule also includes a general restriction on use of an
individual's Protected Health Information (PHI) for marketing. Given
the similarities between the use and disclosure of PHI under HIPAA and
the data sharing limitations under this program, we believe the
definition of marketing in HIPAA should also generally be used for this
program, but, given the categorical statutory bar on marketing in this
program, we are not proposing a consent exception to the bar like that
seen in the HIPAA Privacy Rule. We also believe that use of this HIPAA
definition as modified will simplify compliance with the qualified
entity program requirements, especially decisions regarding what is and
is not considered marketing. We seek comment on the proposal to use
this definition as modified from HIPAA for the purposes of this
program.
The proposed restrictions on using analyses and/or derivative data,
meaning data gleaned from the analyses, that would or could be used to
exploit patients or other individuals or to effectuate fraud and/or
abuse in the healthcare system are intended to ensure that the analyses
are unlikely to result in physical or financial harm to patients or
other individuals within or outside the health care delivery system. We
seek comments on these proposals as well as whether there are other
restrictions that should be imposed to limit potential physical or
financial harm to patients or other individuals within or outside the
healthcare system.
Section 105(a)(1)(B)(i) of MACRA requires that any non-public
analyses provided or sold to an employer may only be used by the
employer for the purposes of providing health insurance to employees
and retirees of the employer. We believe this limit should also apply
to ``dependents'' of either category whenever the employer offers
coverage for family members who are neither employees nor retirees. As
such, we further propose that if the qualified entity is providing or
selling non-public analyses to an employer that this requirement be
included in the non-public analyses agreement. We seek comment on
whether the resulting non-public analyses agreement between the
qualified entity and the employer is the best mechanism to ensure
compliance with this restriction given the authorities established by
MACRA.
The statute also contains limitations on the re-disclosure of non-
public analyses provided or sold to authorized users at section
105(a)(5) of MACRA. Under that provision, re-disclosure is limited to
authorized users who are a provider or supplier. Furthermore, these
providers and suppliers are to limit any re-disclosures to instances in
which the recipient would use the non-public analyses for provider/
supplier ``performance improvement.'' As many if not most providers and
suppliers that receive non-public analyses from the qualified entity
will be HIPAA-covered entities, we propose to limit performance
improvement re-disclosures to those that would support quality
assessment and improvement, and care coordination activities by or on
behalf of the eligible downstream provider or supplier. For example,
providers may need to share the non-public analyses or derivative data
with someone working on their behalf to carry out such quality
assessment and improvement or care coordination activities. That is, if
they are a HIPAA-covered entity, they may wish to share the non-public
analyses or derivative data with their business associate. Such a
scenario could arise when a consultant is hired to assist the provider/
supplier in interpreting the non-public analyses, or in determining
what changes in the delivery of care are needed to assess or improve
the quality of care, or to better coordinate care. Another example is
if the provider or supplier wants to share the non-public analyses with
other treating providers/suppliers for quality assessment and
improvement or care coordination purposes.
In addition, especially under circumstances in which patient
identifiable data is included in the non-public analysis, we recognize
that there are instances in which a provider or supplier may be
required to produce information to a regulatory authority as required
by a statute or regulation. For example, a HIPAA-covered entity may be
required to produce PHI to the Secretary for purposes of an
investigation of a potential HIPAA violation. Therefore, for purposes
of this qualified entity program, we propose to adopt the HIPAA
definition of ``required by law'' at 45 CFR 164.103 so as to allow for
such mandatory disclosures. As defined at 45 CFR 164.103, ``required by
law'' means any mandate in law that compels an entity to make a use or
disclosure of PHI that is enforceable in a court of law (including
disclosures compelled by court order, statute, or regulation). An
example would be a court order to turn over medical records as part of
litigation. Another common example would be disclosures required by the
regulations governing the submission of a claim for payment for
Medicare fee-for-service covered services.
As a result, we propose at Sec. 401.716(c)(3)(i) to require
qualified entities to include in the non-public analysis agreement a
requirement to limit re-disclosure of non-public analyses or derivative
data to instances in which the authorized user is a provider or
supplier, and the re-disclosure is one that a covered entity would be
permitted to make under 45 CFR 164.506(c)(4)(i) or 164.502(e)(1).
Accordingly, an authorized user that is a provider or supplier may only
re-disclose individually identifiable health information to a covered
entity for the purposes of the covered entity's quality assessment and
improvement or care coordination activities, where that covered entity
has a patient relationship with the individual who is the subject of the
information, or to a business associate of such a covered entity under a
written contract as described at 45 CFR 164.502(e)(1). Furthermore, as section 105(a)(5)(A)
of MACRA states that the analyses generally may not be re-disclosed or
released to the public, we generally propose at Sec. 401.716(c)(3)(ii)
to require qualified entities to use non-public analyses agreements to
explicitly bar authorized users from any other re-disclosure of the
non-public analyses or any derivative data except to the extent a
disclosure qualifies as a ``required by law'' disclosure. We seek
comment on our proposal to require qualified entities to contractually
limit re-disclosures of beneficiary de-identified non-public analyses
or any derivative data other than as described above.
As discussed above, the non-public analyses agreement can only be
used in the disclosure of analyses that include beneficiary de-
identified data. However, even though the analyses subject to a non-
public analyses agreement are beneficiary de-identified, we believe
that additional restrictions on the authorized user are necessary to
ensure appropriate privacy and security protections for our
beneficiaries. We therefore propose at Sec. 401.716(c)(5) to require
qualified entities to impose a legally enforceable bar on the
authorized user's use or disclosure of any non-public analyses (or data
or analyses derived from such non-public analyses) to re-identify or
attempt to re-identify any individual whose data is included in the
analyses or any derivative data. We believe this additional level of
privacy and security protection is necessary to protect beneficiaries.
We seek comment on this proposal.
Finally, we propose at Sec. 401.716(d)(6) to require qualified
entities to use their non-public analyses agreements to bind their non-
public analyses recipients to reporting any violation of the terms of
that non-public analyses agreement to the qualified entity. As
explained below in Section D, qualified entities will be expected to
report on these violations as part of their annual reporting to CMS.
Even though the analyses covered by the non-public analyses agreement
will be de-identified, due to the risk of re-identification of
beneficiary information, we still believe that this requirement is
essential to our ability to monitor and ensure the privacy and security
of beneficiary information. We seek comment on these proposals.
4. Confidential Opportunity To Review, Appeal, and Correct Analyses
As noted briefly above, section 105(a)(6) of MACRA directs us to
ensure that qualified entities provide providers and suppliers who are
individually identified in a non-public analysis with an opportunity to
review and request corrections before the qualified entity provides or
sells the non-public analyses to an authorized user. But, as noted
above, we have proposed one exception to this general rule in cases
where the analysis only individually identifies the (singular) provider
or supplier who is being provided or sold the analysis. In all other
cases, we propose that the qualified entity must follow the
confidential review, appeal, and error correction requirements in
section 1874(e)(4)(C)(ii) of the Act.
Specifically, we propose at Sec. 401.717(f) that a qualified
entity generally must comply with the same error corrections process
and timelines as are required for public performance reporting before
disclosing non-public analyses. This process includes confidentially
sharing the measures, measure methodologies and measure results that
comprise such evaluations with providers and suppliers at least 60
calendar days before providing or selling the analyses to one or more
authorized users. During these 60 calendar days, the provider or
supplier may make a request for the Medicare claims data and
beneficiary names that may be needed to confirm statements about the
care that they delivered to their patients. If the provider or supplier
requests such data, the qualified entity must release the Medicare
claims and beneficiary names relevant to what is said about the
requesting provider/supplier in the draft non-public analyses. We
believe that for many providers and suppliers, a beneficiary's name
will be of more practical use in determining the accuracy of analyses
than the underlying claims used in the analyses. The sharing of such
data must be done via a secure mechanism that is suitable for
transmitting or providing access to individually identifiable
health information. The qualified entity also must ensure that the
provider or supplier has been notified of the date on which the
analyses will be shared with the authorized user. If any requests for
error correction are not resolved by the date on which the analyses are
to be shared, the qualified entity may release the analyses, but must
inform the authorized user that the analyses are still under appeal,
and the reason for the appeal.
We believe that the process we established for review and error
correction for public performance reporting finds the right balance
between allowing providers and suppliers the opportunity to review the
non-public analyses while also ensuring that the information is
disseminated in a timely manner. However, we have had limited public
reporting thus far to confirm this. Furthermore, using the same process
for review and error correction for non-public analyses and the public
reports creates continuity and a balance between the needs and
interests of providers and suppliers and those of the qualified
entities, authorized users and the public. We also believe that using
the same timeframes and requirements will simplify the review process
for providers and suppliers. We seek comment on our proposal generally
to require qualified entities to comply with the same error corrections
process and timelines as are required for public performance reporting
when sharing analyses that individually identify a provider or
supplier.
Although we do not believe that we have statutory authority to
require it given that section 1874(e) of the Act only covers the
disclosure of Medicare claims data, to the extent permitted by
applicable law, we strongly encourage qualified entities to also share
the claims data from other sources with providers and suppliers if they
ask for the underlying data used for the analyses.
B. Dissemination of Data and the Use of QE DUAs for Data Dissemination
and Patient-Identifiable Non-Public Analyses
Subject to other applicable law, section 105(a)(2) of MACRA expands
the permissible uses and disclosures of data by a qualified entity to
include providing or selling combined data for non-public use to
certain authorized users, including providers of services, suppliers,
medical societies, and hospital associations. Subject to the same
limits, it also permits a qualified entity to provide Medicare claims
data for non-public use to these authorized users; however, a qualified
entity may not charge a fee for providing such Medicare claims data.
But, in order to provide or sell combined data or Medicare data,
section 105(a)(4) of MACRA instructs the qualified entity to enter into
a DUA with its intended data recipient(s).
1. General Requirements for Data Dissemination
To implement these provisions in MACRA, we propose at Sec.
401.718(a) to provide that, subject to other applicable laws (including
applicable information, privacy, security and disclosure laws) and
certain defined program requirements, including that the data be used
only for non-public purposes, a qualified entity may provide or sell
combined data or provide Medicare claims data at no cost to certain
authorized users, including providers of services, suppliers, medical
societies, and hospital associations. Where a qualified entity is a
HIPAA-covered entity or is acting as a business associate, compliance
with other applicable laws will include the need to ensure that it
fulfills the requirements under the HIPAA Privacy Rule, including the
bar on the sale of PHI.
We note that we propose definitions for authorized user, medical
societies, and hospital associations in section II.C below, and have
already proposed a definition for combined data in section II.A above.
2. Limitations on the Qualified Entity Regarding Data Disclosure
The statute places a number of limitations on the sale or provision
of combined data and the provision of Medicare claims data by qualified
entities, including generally barring the disclosure of beneficiary
identifiable data obtained through the qualified entity program.
Therefore, in keeping with our other proposals at Sec. 401.716(b)(3),
we propose at Sec. 401.718(b)(1) to generally require that any
combined data or Medicare claims data that is provided to an authorized
user by a qualified entity under subpart G be beneficiary de-identified
in accordance with the de-identification standards in the HIPAA Privacy
Rule at 45 CFR 164.514(b). As noted above, we believe that the HIPAA
Privacy Rule de-identification standard represents a widely accepted
industry standard for de-identification, so we think its concepts are
appropriate for adoption under the qualified entity program.
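The de-identification standard adopted above, 45 CFR 164.514(b), offers two methods; the Safe Harbor method at 164.514(b)(2) is the one a qualified entity can apply mechanically before releasing combined data or Medicare claims data under proposed Sec. 401.718(b)(1). The following Python example is added here to show what that method requires of a record in practice; it is not part of this proposed rule. The field names, the sample record, the as-of date and the set of restricted three-digit ZIP prefixes are constructed for illustration (the restricted set must in real use be derived from current census population figures), and provider identifiers are retained because the program calls for beneficiary, not provider, de-identification. Safe Harbor additionally requires that the releasing entity have no actual knowledge that the remaining data could identify an individual (164.514(b)(2)(ii)); the free-text scan below is one check in that direction, not a substitute for that judgment.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a claims-style record.
Added example; field names, sample record and restricted ZIP set are constructed."""
import re
from datetime import date

# ASSUMPTION: illustrative placeholder. Safe Harbor requires "000" where the
# population of all ZIP codes sharing a three-digit prefix is 20,000 or fewer;
# populate this set from current census figures before real use.
RESTRICTED_ZIP3 = frozenset({"036", "059", "102"})

# Constructed field names for identifiers Safe Harbor removes outright.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "hicn", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
})
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})

# Identifiers that tend to survive inside free-text fields ("any other unique
# identifying number"); a hit blocks release of that field for manual review.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for sparsely populated prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def age_on(birth, as_of):
    """Whole years between a birth date and the as-of date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years

def scan_free_text(value):
    """Names of LEAK_PATTERNS found in a string, sorted for stable output."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(value))

def deidentify(record, as_of):
    """Return (released_record, blocked_fields); date fields must be date objects."""
    out, blocked = {}, {}
    age = None
    if isinstance(record.get("birth_date"), date):
        age = age_on(record["birth_date"], as_of)
    elif "age" in record:
        age = record["age"]
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "age":
            continue  # age is re-added below after the over-89 check
        if key == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            found = scan_free_text(value)
            if found:
                blocked[key] = found  # do not release; surface for review
            else:
                out[key] = value
        else:
            out[key] = value  # e.g. provider identifiers, diagnosis codes
    if age is not None:
        if age >= 90:
            out["age"] = "90+"           # ages over 89 collapse to one category
            out.pop("birth_year", None)  # a birth year would reveal that age
        else:
            out["age"] = age
    return out, blocked

# Constructed sample; no real beneficiary is described.
SAMPLE = {
    "name": "Jane Q. Sample",
    "hicn": "000000000A",
    "ssn": "000-00-0000",
    "email": "jane@example.com",
    "birth_date": date(1924, 6, 15),
    "admission_date": date(2015, 3, 2),
    "discharge_date": date(2015, 3, 9),
    "zip": "10210",
    "diagnosis": "I50.9",
    "provider_npi": "1234567893",
    "notes": "Follow-up call to 555-123-4567 arranged.",
}
AS_OF = date(2016, 2, 2)  # constructed as-of date for the age computation

def run_sample():
    return deidentify(SAMPLE, AS_OF)

if __name__ == "__main__":
    released, held = run_sample()
    print("release:", released)
    print("blocked:", held)
```

Running the sample releases only the admission and discharge years, the generalized ZIP, the diagnosis code, the provider identifier and the age category "90+"; the birth year is dropped because it would reveal an age over 89, and the notes field is held back because it carries a telephone number. Blocked fields are the ones that need the actual-knowledge review before anything further is released.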
We do recognize, however, that providers or suppliers with current
treatment relationships with the patient subjects of such data may
desire and benefit from receiving data that contains individually
identifiable information about those patients. Therefore, we also
propose an exception at Sec. 401.718(b)(2) that would allow a
qualified entity to provide or sell patient identifiable combined data
and/or provide patient identifiable Medicare claims data at no cost to
an individual or entity that is a provider or supplier if the provider
or supplier has a patient relationship with every patient about whom
individually identifiable information is provided and the disclosure is
consistent with applicable law.
MACRA also requires qualified entities to bind the recipients of
their data to a DUA that will govern the use and, where applicable, re-
disclosure of any data received through this program prior to the
provision or sale of such data to an authorized user. Therefore, we
further propose at Sec. 401.718(c), to require that a qualified entity
impose certain contractually binding use/re-disclosure requirements as
a condition of providing and/or selling combined data and/or providing
Medicare claims data to an authorized user. The following section
provides the proposed requirements for such DUAs between qualified
entities and authorized users.
3. Data Use Agreement
Section 105(a)(4) of MACRA requires execution of a DUA as a
precondition to a qualified entity's provision or sale of data to an
authorized user. The DUA must address the use and, if applicable, re-
disclosure of the data, and the applicable privacy and security
requirements that must be established and maintained by or for the
authorized user. The statute also imposes a number of other limitations
on the authorized user. But, while CMS has authority to impose
requirements on the qualified entity, we must rely upon the qualified
entity to impose legally enforceable obligations on the authorized
users.
Therefore, in Sec. 401.713(a), we propose certain clarifying
changes that will recognize that there are now two distinct DUAs in the
qualified entity program--the CMS DUA, which is the agreement between
CMS and a qualified entity, and what we will refer to as the QE DUA,
which will be the legally binding agreement between a qualified entity
and an authorized user. We are not proposing any changes to the
requirements for the CMS DUA, but rather are clarifying that there are
now two DUAs--the CMS DUA and the QE DUA.
Furthermore, in Sec. 401.713(d), we propose a number of provisions
that address the privacy and security of the combined data and/or the
Medicare
claims data and/or non-public analyses that contain patient
identifiable data. These provisions require the qualified entity to
condition the disclosure of data on the imposition of contractually
binding limits on the permissible uses and re-disclosures that can be
made of the combined data and/or the Medicare claims data and/or non-
public analyses that contain patient identifiable data and/or any
derivative data. Such contractually binding provisions would be
included in the QE DUA.
First, we propose to require that the QE DUA contain certain
limitations on the authorized user's use of the combined data and/or
Medicare claims data and/or non-public analyses that contain patient
identifiable data and/or any derivative data. In Sec. 401.713(d)(1),
we propose that the QE DUA limit authorized users' use of the combined
data and/or Medicare claims data and/or non-public analyses that
contain patient identifiable data and/or any derivative data to the
purposes described in the first or second paragraph of the definition
of ``health care operations'' under 45 CFR 164.501, or that which
qualifies as ``fraud and abuse detection or compliance activities''
under 45 CFR 164.506(c)(4). If finalized, this means that authorized
users would only be permitted to use the combined data and/or Medicare
claims data and/or non-public analyses that contain patient
identifiable data and/or any derivative data provided by the qualified
entity for quality assessment and improvement activities, care
coordination activities, including the review of provider or supplier
performance, and/or for fraud, waste, and abuse detection and
compliance purposes. We believe these uses need to be permitted to
support quality improvement and care coordination activities, as well
as efforts to ensure fraud, waste, and abuse detection and compliance,
and that these uses should encompass the full range of activities for
which the authorized users will legitimately need the combined data
and/or Medicare claims data and/or non-public analyses that contain
patient identifiable data and/or any derivative data. We also propose
to require that all other uses and disclosures of combined data and/or
Medicare claims data and/or non-public analyses that contain patient
identifiable data and/or any derivative data be forbidden except to the
extent a disclosure qualifies as a ``required by law'' disclosure.
The statute also prohibits the authorized user from using the
combined data and/or Medicare claims data for marketing purposes. We
therefore propose at Sec. 401.713(d)(2) to require qualified entities
to use the QE DUA to contractually prohibit the authorized users from
using the combined data and/or Medicare claims data and/or non-public
analyses that contain patient identifiable data and/or any derivative
data for marketing purposes. As noted above, we propose to define
``marketing'' as it is defined in the HIPAA Privacy Rule, but, given
the statutory bar, we do not propose to adopt an exception to the bar
for ``consent''-based marketing. As noted above, HIPAA provides well-
recognized standards for the appropriate use and disclosure of certain
individually identifiable health information, and we believe that the
HIPAA definition for ``marketing'' is appropriate for the qualified
entity program as well. For additional information and guidance on the
HIPAA Privacy Rule, including guidance on what constitutes marketing,
please visit the HHS Office for Civil Rights Web site at http://www.hhs.gov/ocr/privacy/.
Furthermore, we propose to require that the QE DUA address minimum
privacy and security standards. CMS is
committed to protecting the privacy and security of beneficiary-
identifiable data when it is disseminated, including when it is in the
hands of authorized users. This is especially important as there are no
guarantees that authorized users will be subject to the HIPAA Privacy
and Security Rules. Therefore, we propose at Sec. 401.713(d)(3) to
require qualified entities to contractually bind authorized users using
the QE DUA to protect patient identifiable combined data and/or
Medicare data, any patient identifiable derivative data, and/or non-
public analyses that contain patient identifiable data, with at least
the privacy and security protections that would be required of covered
entities and their business associates under HIPAA Privacy and Security
Rules. Additional guidance on the Security Rule can be found on the
Office for Civil Rights Web site at http://www.hhs.gov/ocr/privacy/hipaa/.
Such protections would apply when using, disclosing, or
maintaining patient identifiable data, regardless of whether the
authorized user is a HIPAA Covered Entity or business associate. In
addition, we propose to require that the QE DUA contain provisions
requiring the authorized user to maintain written privacy and security
policies and procedures that ensure compliance with these HIPAA-based
privacy and security standards and the other standards required under
this subpart. These policies and procedures must be maintained for the
duration of the QE DUA or, where return or destruction of the combined
data and/or Medicare claims data and/or non-public analyses that contain
patient identifiable data and/or any derivative data is not feasible as
of the expiration of the QE DUA, for so long as the authorized user
holds any such data that was subject to the QE DUA.
Furthermore, we propose to require that the QE DUA provisions detailing
such policies and procedures survive termination of the QE DUA, whether
for cause or not. We believe that requiring compliance with these HIPAA
Privacy and Security Rule concepts outside of the HIPAA context will
provide the needed protection for the combined data, Medicare claims
data, and/or non-public analyses that contain patient identifiable data
and/or any derivative data provided or sold to authorized users under
the qualified entity program.
We also propose at Sec. 401.713(d)(7) to require that the
qualified entity use the QE DUA to contractually bind an authorized
user as a condition of receiving combined data and/or Medicare claims
data and/or non-public analyses that contain patient identifiable data
and/or any derivative data under the qualified entity program to notify
the qualified entity of any violations of the QE DUA. Violations might
include reportable breaches of data, such as those defined in the HIPAA
Breach Notification Rule (45 CFR part 164, subpart D), or other
violations of QE DUA provisions. The QE DUA also
will require the authorized user to fully cooperate in the qualified
entity's effort to mitigate any harm that may result from such
violations, as well as any assistance the qualified entity may request
to fulfill the qualified entity's obligations under this subpart.
We request comment on whether the proposed privacy and security
requirements are appropriate and adequate, or whether there are more
appropriate standards or additional protections that are advisable.
MACRA section 105(a)(5) directs that any combined data, Medicare
claims data, and/or non-public analyses that contain patient
identifiable data and/or any derivative data provided or sold under
this program to authorized users is to be non-public, and it requires
the imposition of re-disclosure limitations on authorized users. Under
those provisions, qualified entities may only permit providers and
suppliers to re-disclose combined data and/or Medicare claims data and/
or non-public analyses that contain patient identifiable data and/or
any derivative data for the
purposes of performance improvement and care coordination. We propose
to require qualified entities to include provisions in their QE DUA
that contractually limit the re-disclosure and/or linking of combined
data, Medicare claims data, and/or non-public analyses that contain
patient identifiable data and/or any derivative data provided or sold
under this program.
We therefore propose at Sec. 401.713(d)(4) to require that the
qualified entity include a provision in its QE DUAs that prohibits the
authorized user from re-disclosing or making public any combined data,
Medicare claims data, and/or non-public analyses that contain patient
identifiable data and/or any derivative data subject to QE DUA except
as provided under the QE DUA. Furthermore, we propose at Sec.
401.713(d)(5) to require that the qualified entity use the QE DUA to
limit providers' and suppliers' re-disclosures to those made to a
covered entity pursuant to 45 CFR 164.506(c)(4)(i) or 164.502(e)(1).
Therefore, a provider or supplier would only be permitted to re-disclose
combined data, Medicare claims data, and/or non-public analyses that
contain patient identifiable data and/or any derivative data, subject to
the QE DUA, to a covered entity for activities focused on quality
assessment and improvement, including the review of provider or supplier
performance, or to a business associate of the provider or supplier. We
also propose to permit re-disclosure where it is required by law. We propose
these limitations in an effort to ensure that the combined data,
Medicare claims data, and/or non-public analyses that contain patient
identifiable data will be protected in the hands of the downstream
entity despite these regulations not reaching such individuals/entities
directly. We believe that limiting downstream re-disclosures to
entities that are subject to the HIPAA Privacy and Security rules will
ensure that the combined data and/or Medicare claims data and/or non-
public analyses that contain patient identifiable data and/or any
derivative data is appropriately maintained, used, and disclosed. We
seek comment on whether the proposed re-disclosure requirements should
be more restrictive or should be broadened to allow for additional re-
disclosure.
We also propose to require qualified entities to impose a
contractual bar using their QE DUA on the downstream recipients'
linking of the re-disclosed combined data, Medicare claims data, and/or
non-public analyses that contain patient identifiable data and/or any
derivative data to any other identifiable source of information. The
only exception to this general policy would be if a provider or
supplier were to receive identifiable information limited to their/its
own patients. We request comment on whether an authorized user should
be permitted to link combined data, Medicare claims data, and/or non-
public analyses that contain patient identifiable data and/or any
derivative data with other data sources, and whether the proposed
provisions are adequate to protect the privacy and security of the
combined data, Medicare claims data, and/or non-public analyses that
contain patient identifiable data and/or any derivative data given to
downstream users.
C. Authorized Users
1. Definition of Authorized User
As discussed above, section 105(a)(1) of MACRA permits qualified
entities to provide or sell non-public analyses to authorized users. In
addition, section 105(a)(2) of MACRA permits qualified entities to
provide or sell combined data, or to provide Medicare data at no cost,
only to certain authorized users. These include providers, suppliers,
medical societies, and hospital associations.
Section 105(a)(9)(A) of MACRA defines authorized users as:
(i) A provider of services.
(ii) A supplier.
(iii) An employer (as defined in section 3(5) of the Employee
Retirement Income Security Act of 1974).
(iv) A health insurance issuer (as defined in section 2791 of
the Public Health Service Act).
(v) A medical society or hospital association.
(vi) Any entity not described in clauses (i) through (v)
that is approved by the Secretary (other than an employer or health
insurance issuer not described in clauses (iii) and (iv), respectively,
as determined by the Secretary).
We propose a definition for authorized user at Sec. 401.703(k)
that is consistent with these statutory provisions. Specifically, we
define an authorized user as: (1) A provider; (2) a supplier; (3) an
employer; (4) a health insurance issuer; (5) a medical society; (6) a
hospital association; (7) a health care professional association; or
(8) a state agency.
We also propose definitions for entities that are authorized users,
but are not yet defined within this subpart. Therefore, we propose
definitions for employer, health insurance issuer, medical society,
hospital association, a healthcare professional association, and a
state agency.
2. Definition of Employer
We have proposed a definition for employer at Sec. 401.703(k) that
is consistent with existing statutory provisions. Specifically, we
propose to define an employer as having the same meaning as the term
``employer'' defined in section 3(5) of the Employee Retirement
Income Security Act of 1974. Under that provision, an employer means
any person acting directly as an employer, or indirectly in the
interest of an employer, in relation to an employee benefit plan; and
includes a group or association of employers acting for an employer in
such capacity.
3. Definition of Health Insurance Issuer
We have also proposed a definition for health insurance issuer at
Sec. 401.703(l) that is consistent with existing statutory provisions.
Specifically, we propose to define a health insurance issuer as having
the same meaning as the term ``health insurance issuer'' defined in
section 2791(b)(2) of the Public Health Service Act. Under that
provision, health insurance issuer means an insurance company,
insurance service, or insurance organization (including an HMO) that is
licensed to engage in the business of insurance in a State and is
subject to State law that regulates insurance. Such term does not
include a group health plan.
4. Definition of ``Medical Society''
We propose to define ``medical society'' at Sec. 401.703(m) as a
nonprofit organization or association that provides unified
representation for a large number of physicians at the national or
state level and whose membership is comprised of a majority of
physicians.
We conducted extensive research to develop this definition,
including reviewing mission statements of national and state healthcare
professional associations and medical societies, as well as state laws.
While we were unable to identify a commonly recognized definition of
``medical society,'' our research did reveal a number of common themes
that shaped our proposed definition of medical society.
We propose to define medical society as comprised of a majority of
physicians, based on state law definitions around the practice of
medicine. Although medical societies may also include non-physician
members, due to the strong emphasis on physicians as practitioners of
medicine, we propose that a medical society's
membership must be comprised of a majority of physicians. Medical
societies often serve as the consensus voice of their members in
matters related to their profession, the patient-physician
relationship, and other issues pertaining to the practice of medicine.
Therefore, we propose that medical societies be at the national or
state level as we believe these larger groups will have the capacity to
act on the data and analyses available through this program, and to do
so in accordance with the statute and the implementing regulations.
While we recognize that there are many local medical societies (for
example, regional and county) performing similar functions to their
national and state counterparts, we propose to maintain the definition
of a medical society at the national or state level to reduce
redundancy in the dissemination of data. State societies often serve as
federations of local medical societies, and therefore, any use of the
data by state societies could benefit their constituent local
organizations.
We also propose that these organizations be nonprofit as many of
the existing medical societies are nonprofit organizations. In
addition, because medical societies will be eligible to receive non-
public analyses and data, we believe it is important that these
entities be nonprofit to ensure that data provided under this program
are used to support quality improvement and assessment activities with
their members rather than for profit driven purposes.
5. Definition of ``Hospital Association''
We propose to define a ``hospital association'' at Sec. 401.703(n)
as a nonprofit organization or association that provides unified
representation for a large number of hospitals or health systems at a
national or state level and whose membership is comprised of a majority
of hospitals and health systems.
For purposes of this definition, we propose to give hospitals the
same meaning as SSA Sec. 1861(e), 42 U.S.C. 1395x(e). We propose to
include health systems in this definition as our review of national and
state hospital associations member lists revealed that these larger
organizations (that are generally comprised of healthcare facilities,
such as surgical centers and long-term care facilities, as well as
hospitals) were members. Due to their membership status in existing
hospital associations, we find it appropriate to propose their
inclusion into this definition. Hospital associations often serve as
the consensus voice of their members in matters related to their
facilities, quality and affordability of services, and other issues
regarding the provision of health care. Therefore, we propose that
hospital associations at the national or state level be included in
this definition as we believe that these larger groups will have the
capacity to act on the data, and to do so in accordance with the
statute and implementing regulations.
While we recognize that there are many local hospital associations
(for example, regional and county) performing similar functions to
their national and state counterparts, we propose to maintain the
definition at the national or state level to reduce redundancy. State-
level hospital associations are often affiliated with those local
associations, and therefore, any use of the data by state hospital
associations could benefit those affiliated associations.
We also propose that these organizations be nonprofit as many of
the existing hospital associations are nonprofit organizations. In
addition, because hospital associations will be eligible to receive
non-public analyses and data, we believe it is important that these
entities be nonprofit to ensure that data provided under this program
are used to support quality improvement and assessment activities with
their members rather than for profit driven purposes.
6. Definition of ``Healthcare Provider and/or Supplier Association''
We recognize that within the field of health care, there are many
other suppliers and providers beyond physicians, hospitals, and health
systems. These entities also form organizations for the betterment of
their professions and to improve the quality of patient care. We
believe these types of entities would also benefit from the opportunity
to purchase or receive non-public analyses and data from qualified
entities.
While the term ``healthcare professional association'' is not
specifically included in the definition of authorized user, the
Secretary, in the exercise of her discretion pursuant to section
105(a)(9)(A)(vi) of MACRA, proposes to include these organizations as
authorized users. Therefore, we propose to define ``healthcare provider
and/or supplier association'' at Sec. 401.703(o) as a nonprofit
organization or association that represents suppliers and providers at
the national or state level and whose membership is comprised of a
majority of suppliers or providers. Similar to the themes that emerge
for medical societies and hospital associations, we believe these
organizations and associations often serve as the consensus voice of
their members in matters related to their respective professions, and
that representation at the national or state level is most appropriate
as we believe that these larger groups will have the capacity to act on
the data and analyses available through this program, and to do so in
accordance with the statute and the implementing regulations.
7. Definition of ``State Agency''
While state agencies were not specifically included in the
definition of authorized user at section 105(a)(9) of MACRA, we believe
that state agencies would benefit from the ability to purchase or
receive non-public analyses from qualified entities. States are
important partners with CMS in transforming the health care delivery
system, and these analyses would have the potential to help states
improve the quality of care and reduce costs. Therefore, the Secretary,
in the exercise of her discretion pursuant to section 105(a)(9)(A)(vi)
of MACRA, proposes to include state agencies within the definition of
authorized user and to define it at Sec. 401.703(p) as any office,
department, division, bureau, board, commission, agency, institution,
or committee within the executive branch of a state government.
Because there is currently no federal definition of a state agency,
we looked to state laws for definitions. While states differ in the
definition of state agency, we propose to exclude the judiciary and
legislative branches from our proposed definition of state agency under
this subpart. We believe that entities within the executive branch of a
state government, for example state Medicaid agencies or state public
health departments, will have the greatest interest in and need to
receive these analyses. We solicit comment on whether we should expand
the definition to include other branches of state government or should
further limit the definition of state agency to only certain agencies,
such as those working to regulate the health and/or insurance industry.
We invite comments on the proposed definitions for authorized user,
medical society, hospital association, healthcare professional
association, and state agency.
D. Annual Report Requirements
1. Reporting Requirements for Analyses
Section 105(a)(8) of MACRA expands the information that a qualified
entity must report annually to the Secretary if
[[Page 5406]]
a qualified entity provides or sells non-public analyses. Specifically,
it requires the qualified entity to provide a summary of the analyses
provided or sold, including information on the number of such analyses,
the number of purchasers of such analyses, and the total amount of fees
received for such analyses. It also requires the qualified entity to
provide a description of the topics and purposes of such analyses.
Furthermore, the Secretary may impose other reporting requirements, as
appropriate.
In Sec. 401.719(b)(3), we propose the annual reporting
requirements that a qualified entity must perform if it provides or
sells non-public analyses under this subpart. Consistent with the
statutory requirements, we propose to require that the qualified entity
provide a summary of the non-public analyses provided or sold under
this subpart, including specific information about the number of
analyses, the number of purchasers of such analyses, the types of
authorized users that purchased analyses, and the total amount of fees
received for such analyses. We also propose to require the qualified
entity to provide a description of the topics and purposes of such
analyses. In addition, we propose to require a qualified entity to
provide information on QE DUA and non-public analyses agreement
violations.
2. Reporting Requirements for Data
Section 105(a)(8) of MACRA also requires a qualified entity to
submit a report annually if it provides or sells data. It specifically
requires information on the entities who received data under section
105(a)(2) of MACRA, the uses of the data, and the total amount of fees
received for providing, selling, or sharing the data. In addition, the
Secretary may require additional information as determined appropriate.
Therefore, in Sec. 401.719(b)(4), we also propose to require
qualified entities that provide or sell data under this subpart to
provide the following information as part of their annual reports:
Information on the entities who received data, the uses of the data,
the total amount of fees received for providing, selling, or sharing
the data, and any QE DUA violations.
We do not propose to require any additional information at this
time; however, we seek comment on whether any additional information
should be collected in the future.
E. Assessment for a Breach
1. Violation of a DUA
Section 105(a)(7) of MACRA requires the Secretary to impose an
assessment on a qualified entity in the case of a ``breach'' of a CMS
DUA between the Secretary and a qualified entity or a breach of a QE
DUA between a qualified entity and an authorized user. Because the term
``breach'' is defined in HIPAA, and this definition is not consistent
with the use of the term for this program, we propose instead to adopt
the term ``violation'' when referring to a ``breach'' of a DUA for
purposes of this program. We anticipate this will reduce the potential
for confusion. Therefore in Sec. 401.703(t), we propose to define the
term ``violation'' to mean a failure to comply with a requirement in a
CMS DUA or QE DUA. We request comments on the proposed definition of
violation.
We also propose at Sec. 401.719(d)(5) to impose an assessment on
any qualified entity that violates a CMS DUA or fails to ensure that
its authorized users do not violate a QE DUA.
MACRA provides guidance only on the assessment amount and what
triggers an assessment, but it does not dictate the procedures for
imposing such assessments. We therefore propose to adopt certain
relevant provisions of section 1128A of the Social Security Act (the
Act) (Civil Money Penalties) and part 402 (Civil Money Penalties,
Assessments, and Exclusions) to specify the process and procedures for
calculating the assessment, notifying a qualified entity of a
violation, collecting the assessment, and providing qualified entities
an appeals process.
2. Amount of Assessment
Section 105(a)(7)(B) of MACRA specifies that when a violation
occurs, the assessment is to be calculated based on the number of
affected individuals who are entitled to, or enrolled in, benefits
under part A of title XVIII of the Act, or enrolled in part B of such
title. Affected individuals are those whose information, either
identifiable or de-identified, was provided to a qualified entity or an
authorized user under a DUA. Assessments can be up to $100 per affected
individual, but, given the broad discretion in establishing some lesser
amount, we looked to part 402 as a model for proposing aggravating and
mitigating circumstances that would be considered when calculating the
assessment amount per impacted individual. However, violations under
section 105(a)(7)(B) of MACRA are considered point-in-time violations,
not continuing violations.
Number of Individuals
We propose at Sec. 401.719(d)(5)(i) that CMS will calculate the
amount of the assessment of up to $100 per individual entitled to, or
enrolled in part A of title XVIII of the Act and/or enrolled in part B
of such title whose data was implicated in the violation.
We generally propose to determine the number of potentially
affected individuals by looking at the number of beneficiaries whose
Medicare claims information was provided either by CMS to the qualified
entity or by the qualified entity to the authorized user in the form of
individually identifiable or de-identified data sets that were
potentially affected by the violation.
We recognize that, depending on the number and types of datasets
requested, a single beneficiary may appear multiple times within a
dataset or non-public analysis. We propose that a single beneficiary,
regardless of the number of times their information appears in a
singular non-public report or dataset, would only count towards the
calculation of an assessment for a violation once. We propose to use
the unique beneficiary identification number in the Chronic Conditions
Warehouse (CCW) to establish the number of beneficiaries that were
included in a given dataset that was transferred to the qualified
entity, and subsequently re-disclosed in accordance with this subpart.
For qualified entities that provide or sell subsets of the dataset that
CMS provided to them, combined information, or non-public analyses, we
propose to require that the qualified entity provide the Secretary with
an accurate number of beneficiaries whose data was sold or provided to
the authorized user and, thereby, potentially affected by the
violation. In those instances in which the qualified entity is unable
to establish a reliable number of potentially affected beneficiaries,
we propose to impose the assessment based on the total number of
beneficiaries that were included in the data set(s) that was/were
transferred to the qualified entity under that DUA.
Assessment Amount per Impacted Individual
MACRA allows an assessment in the amount of up to $100 per
potentially affected individual. We therefore propose to draw on
factors established in 42 CFR part 402 to specify the factors and
circumstances that will be considered in determining the assessment
amount per potentially affected individual.
[[Page 5407]]
We propose at Sec. 401.719(d)(5)(i)(A) that the following basic
factors be considered in establishing the assessment amount per
potentially affected individual: (1) The nature and extent of the
violation; (2) the nature and extent of the harm or potential harm
resulting from the violation; and (3) the degree of culpability and
history of prior violations.
In addition, in considering these basic factors and determining the
amount of the assessment per potentially affected individual, we
propose to take into account certain aggravating and mitigating
circumstances.
We propose at Sec. 401.719(d)(5)(i)(B)(1) that CMS consider
certain aggravating circumstances in determining the amount per
potentially affected individual, including the following: Whether there
were several types of violations, occurring over a lengthy period of
time; whether there were many violations or the nature and
circumstances indicate a pattern of violations; and whether the nature
of the violation had the potential or actually resulted in harm to
beneficiaries.
In addition, we propose at Sec. 401.719(d)(5)(i)(B)(2) that CMS
take into account certain mitigating circumstances in determining the
amount per potentially affected individual, including the following:
Whether all of the violations subject to the imposition of an
assessment were few in number, of the same type, and occurring within a
short period of time, and/or whether the violation was the result of an
unintentional and unrecognized error and the qualified entity took
corrective steps immediately after discovering the error.
We request comment on the proposed method for calculating the
number of individuals. In addition, we request comments on whether the
proposed factors for determining the amount of the assessment per
potentially affected individual are sufficient, or whether additional
factors should be considered. We also request comment on the proposed
basic, aggravating, and mitigating factors.
3. Notice of Determination
We looked to the relevant provisions in 42 CFR part 402 and section
1128A of the Act to frame proposals regarding the specific elements
that would be included in the notice of determination. To that end, we
propose at Sec. 401.719(d)(5)(ii) that the Secretary would provide
notice of a determination to a qualified entity by certified mail with
return receipt requested. The notice of determination would include
information on (1) the assessment amount, (2) the statutory and
regulatory bases for the assessment, (3) a description of the
violations upon which the assessment was proposed, (4) information
concerning response to the notice, and (5) the means by which the
qualified entity must pay the assessment if they do not intend to
request a hearing in accordance with procedures established at Section
1128A of the Act and implemented in 42 CFR part 1005.
We believe this information will provide a qualified entity with
sufficient information to understand why an assessment was imposed and
how the amount of the assessment was calculated. We seek comment
regarding these proposals, including whether any additional information
should be provided in the notice of determination.
4. Failure To Request a Hearing
We also looked to the relevant provisions in 42 CFR part 402 and
section 1128A of the Act to inform our proposals regarding what happens
when a hearing is not requested.
We propose at Sec. 401.719(d)(5)(iii) that an assessment will
become final if a qualified entity does not request a hearing within 60
days of receipt of the notice of the proposed determination. At this
point, CMS would impose the proposed assessment. CMS would notify the
qualified entity, by certified mail with return receipt, of the
assessment and the means by which the qualified entity may pay the
assessment. Under these proposals a qualified entity would not have the
right to appeal an assessment unless it has requested a hearing within
60 days of receipt of the notice of the proposed determination.
5. When an Assessment Is Collectible
We again looked to the relevant provisions in 42 CFR part 402 and
section 1128A of the Act to inform our proposed policies regarding when
an assessment becomes collectible.
We propose at Sec. 401.719(d)(5)(iv) that an assessment becomes
collectible after the earliest of the following situations: (1) On the
61st day after the qualified entity receives CMS's notice of proposed
determination under Sec. 401.719(d)(5)(ii), if the entity does not
request a hearing; (2) immediately after the qualified entity abandons
or waives its appeal right at any administrative level; (3) 30 days
after the qualified entity receives the Administrative Law Judge's
(ALJ) decision imposing an assessment under Sec. 1005.20(d), if the
qualified entity has not requested a review before the Departmental
Appeals Board (DAB); or (4) 60 days after the qualified entity receives
the DAB's decision imposing an assessment if the qualified entity has
not requested a stay of the decision under Sec. 1005.22(b).
6. Collection of an Assessment
We also looked to the relevant provisions in 42 CFR part 402 and
section 1128A of the Act in framing our proposals regarding the
collection of an assessment.
We propose at Sec. 401.719(d)(5)(v) that CMS be responsible for
collecting any assessment once a determination is made final by HHS. In
addition, we propose that the General Counsel may compromise an
assessment imposed under this part, after consulting with CMS or Office
of Inspector General (OIG), and the Federal government may recover the
assessment in a civil action brought in the United States district
court for the district where the claim was presented or where the
qualified entity resides. We also propose that the United States may
deduct the amount of an assessment when finally determined, or the
amount agreed upon in compromise, from any sum then or later owing the
qualified entity. Finally, we propose that matters that were raised or
that could have been raised in a hearing before an ALJ or in an appeal
under section 1128A(e) of the Act may not be raised as a defense in a
civil action by the United States to collect an assessment.
We seek comments on these proposals.
F. Termination of Qualified Entity Agreement
We propose at Sec. 401.721(a)(7) that CMS may unilaterally
terminate the qualified entity's agreement and trigger the data
destruction requirements in the CMS DUA if CMS determines that a
qualified entity or its contractor fails to monitor authorized users'
compliance with the terms of their QE DUAs or non-public analysis use
agreements. We believe this proposed provision is consistent with the
intent of MACRA to ensure the protection of data and analyses provided
by qualified entities to authorized users under this subpart. We
request comments on this proposed provision.
G. Additional Data
Section 105(c) of MACRA expands, at the discretion of the
Secretary, the data that the Secretary may make available to qualified
entities, including standardized extracts of claims data under titles
XIX (Medicaid) and XXI (the Children's Health Insurance Program, CHIP)
for one or more specified geographic areas and time periods as may be
requested by the
[[Page 5408]]
qualified entity. Currently, CMS is only required to provide qualified
entities with standardized extracts of claims data from Medicare Parts
A, B, and D. While CMS has data for Medicare and Medicaid/CHIP, the
timeliness and quality of data differs significantly between the
programs.
Medicare is a national program that is administered by CMS and, as
a result, the claims data are available on a relatively timely basis,
and guidelines about claims submission and data cleaning are consistent
across the entire program. Medicaid and CHIP, however, are state-run
programs where the states submit data to CMS. Each state's Medicaid
agency collects enrollment and claims data for persons enrolled in
Medicaid and CHIP. These data are collected in the state's Medicaid
Management Information System (MMIS). Each state's MMIS is tailored to
the needs of that state's Medicaid program. In partnership with the
states, the federal government does manage aspects of the Medicaid
program, and works with the various Medicaid State Agencies to monitor
health care delivery and payment on a national level. To aid in that
work the data in the MMIS are converted into a national standard and
submitted to CMS via the Medicaid and CHIP Statistical Information
System (MSIS). But the MSIS data (enrollment and claims data) are only
reported to CMS on a quarterly basis, and the MSIS data can be
challenging to use due to the data representing a mixture of time
periods.
Given the difficulties in using the MSIS data, the timeliness
issues with our Medicaid data, and the variation of time periods
reflected in our data, we believe that qualified entities would be
better off seeking Medicaid and/or CHIP data through the State Medicaid
Agencies. As a result, we propose not to expand the data available to
qualified entities from CMS.
H. Qualified Clinical Data Registries
Section 105(b) of MACRA allows qualified clinical data registries
to request access to Medicare data for the purposes of linking the data
with clinical outcomes data and performing risk-adjusted,
scientifically valid analyses, and research to support quality
improvement or patient safety. The CMS research data disclosure
policies already allow qualified clinical data registries to request
Medicare data for these purposes, as well as other types of research.
More information on accessing CMS data for research can be found on the
Research Data Assistance Center (ResDAC) Web site at www.resdac.org.
Given these existing processes and procedures, we propose not to adopt
any new policies or procedures regarding qualified clinical data
registries' access to Medicare claims data for quality improvement or
patient safety research.
III. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995, we are required to
provide 60-day notice in the Federal Register and solicit public
comment before a collection of information requirement is submitted to
the Office of Management and Budget (OMB) for review and approval. In
order to fairly evaluate whether an information collection should be
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act
of 1995 requires that we solicit comment on the following issues:
The need for the information collection and its usefulness
in carrying out the proper functions of our agency.
The accuracy of our estimate of the information collection
burden.
The quality, utility, and clarity of the information to be
collected.
Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
We are soliciting public comment on each of these issues for the
following sections of this proposed rule that contain information
collection requirements (ICRs).
Proposed Sec. 401.718(c) and Sec. 401.716(b)(2)(ii) require a
qualified entity to enter into a QE DUA with an authorized user prior
to providing or selling data or selling a non-public analysis that
contains individually identifiable beneficiary information. Proposed
Sec. 401.713(d) requires specific provisions in the QE DUA. Proposed
Sec. 401.716(c) requires a qualified entity to enter into a non-public
analyses agreement with the authorized user as a pre-condition to
providing or selling de-identified analyses. We estimate that it will
take each qualified entity a total of 40 hours to develop the QE DUA
and non-public analyses agreement. Of the 40 hours, we estimate it will
take a professional/technical services employee with an hourly labor
cost of $75.08 a total of 20 hours to develop both the QE DUA and non-
public analyses agreement and estimate that it will require a total of
20 hours of legal review at an hourly labor cost of $77.16 for both the
QE DUA and non-public analyses agreement. We also estimate that it will
take each qualified entity 2 hours to process and maintain each QE DUA
or non-public analyses agreement with an authorized user by a
professional/technical service employee with an hourly labor cost of
$75.08. While there may be two different staff positions that perform
these duties (one that is responsible for processing the QE DUAs and/or
non-public analyses agreement and one that is responsible for
maintaining the QE DUA and/or non-public analyses agreement), we
believe that both positions would fall under the professional/technical
services employee labor category with an hourly labor cost of $75.08.
This would mean that to develop each QE DUA and non-public analysis
agreement, the burden cost per qualified entity would be $3,045 with a
total estimated burden for all 15 qualified entities of $45,675. This
does not include the two hours to process and maintain each QE DUA.
As discussed in the regulatory impact analysis below, we estimate
that each qualified entity would need to process and maintain 70 QE
DUAs or non-public analyses agreements, as some authorized users may
receive both datasets and a non-public analysis and would only need to
execute one QE DUA. We estimate that it will take each qualified entity
2 hours to process and maintain each QE DUA or non-public analyses
agreement. This would mean the burden cost per qualified entity to
process and maintain 70 QE DUAs or non-public analyses agreements would
be $10,511 with a total estimated burden for all 15 qualified entities
of $157,668. While we anticipate that the requirement to create a QE
DUA and/or non-public analyses agreement will only be incurred once by
a qualified entity, we believe that the requirement to process and
maintain the QE DUAs and/or non-public analyses agreements will be an
ongoing cost. We request comment on the number of hours that will be
needed to create and process the QE DUA and non-public analyses agreement.
If finalized, these regulations would also require a qualified
entity to submit additional information as part of its annual report to
CMS. A qualified entity is currently required to submit an annual
report to CMS under Sec. 401.719(b). Proposed Sec. 401.719(b)(3) and
(4) provide for additional reporting requirements if a qualified entity
chooses to provide or sell analyses and/or data to authorized users.
The burden associated with this requirement is the time and effort
necessary to gather, process, and submit the required information to
CMS. There are currently 13 qualified entities; however, we estimate
that number will increase to 20 if these proposals are finalized. Some
qualified entities may not want to bear the risk of the potential
assessments and
[[Page 5409]]
have been able to accomplish their program goals under other CMS data
sharing programs; therefore, some qualified entities may not elect to
provide or sell analyses and/or data to authorized users. As a result,
we estimate that 15 qualified entities will choose to provide or sell
analyses and/or data to authorized users, and therefore, would be
required to comply with these additional reporting requirements within
the first three years of the program. We further estimate that it would
take each qualified entity 50 hours to gather, process, and submit the
required information. We estimate that it will take each qualified
entity 34 hours to gather the required information, 15 hours to process
the information, and 1 hour to submit the information to CMS. We
believe a professional or technical services employee of the qualified
entity with an hourly labor cost of $75.08 will fulfill these
additional annual report requirements. We estimate that 15 qualified
entities will need to comply with this requirement and that the total
estimated burden associated with this requirement is $56,310. We
request comment on the type of employee and the number of hours that
will be needed to fulfill these additional annual reporting
requirements.
As a reminder, the final rule for the qualified entity program,
published December 7, 2011, included information about the burden
associated with the provisions in that rule. Specifically, Sections
401.705-401.709 provide the application and reapplication requirements
for qualified entities. The burden associated with these requirements
is currently approved under OMB control number 0938-1144 with an
expiration date of May 31, 2018. This package accounts for 35
responses. Section 401.713(a) states that as part of the application
review and approval process, a qualified entity would be required to
execute a DUA with CMS, that among other things, reaffirms the
statutory bar on the use of Medicare data for purposes other than those
referenced above. The burden associated with executing this DUA is
currently approved under OMB control number 0938-0734 with an
expiration date of December 31, 2017. This package accounts for 9,240
responses (this package covers all CMS DUAs, not only DUAs under the
qualified entity program). We currently have 13 qualified entities and
estimate it will increase to 20 so we have not surpassed the previously
approved numbers.
We based the hourly labor costs on those reported by the Bureau of
Labor Statistics (BLS) at
http://data.bls.gov/pdq/querytool.jsp?survey=ce for this labor
category. We used the annual rate for 2014 and added 100 percent for
overhead and fringe benefit costs.
Table 1--Collection of Information
----------------------------------------------------------------------------------------------------------------------------------------------
                                                         Number of  Responses  Burden per  Total annual  Hourly labor  Total labor     Total
Regulation section(s)                  OMB control No.  respondents  per resp.  response (h)  burden (h)  cost ($) *    cost ($)     cost ($)
----------------------------------------------------------------------------------------------------------------------------------------------
Sec. 401.718, Sec. 401.716, and        0938--New                 15          1          20          300        75.08       22,524      22,524
  Sec. 401.713 (DUA and non-public
  analyses agreement development)
Sec. 401.718 and Sec. 401.716          0938--New                 15          1          20          300        77.16       23,148      23,148
  (Legal review)
Sec. 401.718 and Sec. 401.716          0938--New                 15         70           2        2,100        75.08      157,668     157,668
  (Processing and maintenance)
Sec. 401.719(b)                        0938--New                 15          1          50          750        75.08       56,310      56,310
----------------------------------------------------------------------------------------------------------------------------------------------
Total                                  .........                 15         73  ..........        3,450   ..........   ..........     259,650
----------------------------------------------------------------------------------------------------------------------------------------------
* The values listed are based on 100 percent overhead and fringe benefit calculations.
Note: There are no capital/maintenance costs associated with the information collection requirements contained in this rule; therefore, we have removed
the associated column from Table 1.
If you comment on these information collection and recordkeeping
requirements, please submit your comments electronically as specified
in the ADDRESSES section of this proposed rule.
Comments must be received on/by April 4, 2016.
IV. Response to Comments
Because of the large number of public comments we normally receive
on Federal Register documents, we are not able to acknowledge or
respond to them individually. We will consider all comments we receive
by the date and time specified in the DATES section of this preamble,
and, when we proceed with a subsequent document, we will respond to the
comments in the preamble to that document.
V. Regulatory Impact Statement
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
A. Overall Impact
We have examined the impacts of this rule as required by Executive
Order 12866 on Regulatory Planning and Review (September 30, 1993), the
Regulatory Flexibility Act (RFA) (September 19, 1980, 96), section
1102(b) of the Act, section 202 of the Unfunded Mandates Reform Act of
1995 (Pub. L. 104-4), Executive Order 13132 on Federalism (August 4,
1999), and the Congressional Review Act (5 U.S.C. 804(2)). Executive
Order 12866 directs agencies to assess all costs and benefits of
available regulatory alternatives and, if regulation is necessary, to
select regulatory approaches that maximize net benefits (including
potential economic, environmental, public health and safety effects,
distributive impacts, and equity). A regulatory impact analysis (RIA)
must be prepared for major rules with economically significant effects
($100 million or more in any 1 year). For the reasons discussed below,
we estimate that the total impact of this proposed rule would be less
than $58 million and therefore, it would not reach the threshold for
economically significant effects and is not considered a major rule.
The RFA requires agencies to analyze options for regulatory relief
of small businesses, if a rule has a significant impact on a
substantial number of small entities. For purposes of the RFA, we
estimate that most hospitals and most other providers are small
entities as that term is used in the RFA (including small businesses,
nonprofit organizations, and small governmental jurisdictions).
However, since the total estimated impact of this rule is less than
$100 million, and the total estimated impact would be spread over
82,500 providers and suppliers (who are the subject of reports), no one
entity would face significant impact. Of the 82,500 providers, we
estimate that 78,605
[[Page 5410]]
would be physician offices that have average annual receipts of $11
million and 4,125 would be hospitals that have average annual receipts
of $38.5 million. As discussed below, the estimated cost per provider
is $8,426 (see table 5 below) and the estimated cost per hospital is
$6,523 (see table 5 below). For both types of entities, these costs
would be a very small percentage of overall receipts. Thus, we are not
preparing an analysis of options for regulatory relief of small
businesses because we have determined that this rule would not have a
significant economic impact on a substantial number of small entities.
For section 105(a) of MACRA, we estimate that two types of entities
may be affected by the additional program opportunities: Qualified
entities that choose to provide or sell non-public analyses or data to
authorized users; and providers and suppliers who are identified in the
non-public analyses created by qualified entities and provided or sold
to authorized users.
We anticipate that most providers and suppliers that may be
identified in qualified entities' non-public analyses would be
hospitals and physicians. Many hospitals and most other health care
providers and suppliers are small entities, either by being nonprofit
organizations or by meeting the Small Business Administration
definition of a small business (having revenues of less than $38.5
million in any 1 year) (for details see the Small Business
Administration's Web site at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf; refer to the 620000 series). For
purposes of the RFA, physicians are considered small businesses if they
generate revenues of $11 million or less based on Small Business
Administration size standards. Approximately 95 percent of physicians
are considered to be small entities.
The analysis and discussion provided in this section and elsewhere
in this proposed rule complies with the RFA requirements. Because we
acknowledge that many of the affected entities are small entities, the
analysis discussed throughout the preamble of this proposed rule
constitutes our regulatory flexibility analysis for the remaining
provisions and addresses comments received on these issues.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis, if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. Any
such regulatory impact analysis must conform to the provisions of
section 603 of the RFA. For purposes of section 1102(b) of the Act, we
define a small rural hospital as a hospital that is located outside of
a metropolitan statistical area and has fewer than 100 beds. We do not
believe this proposed rule would have a significant impact on the operations of a
substantial number of small rural hospitals because we anticipate that
most qualified entities would focus their performance evaluation
efforts on metropolitan areas where the majority of health services are
provided. As a result, this rule would not have a significant impact on
small rural hospitals. Therefore, the Secretary has determined that
this proposed rule would not have a significant impact on the
operations of a substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any 1 year of $100
million in 1995 dollars, updated annually for inflation. In 2015, that
threshold is approximately $144 million. This proposed rule will not
impose spending costs on state, local, or tribal governments in the
aggregate, or on the private sector, of $144 million or more.
Specifically, as explained below, we anticipate the total impact of this
rule on all parties to be approximately $58 million.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on State
and local governments, preempts State law, or otherwise has Federalism
implications. We have examined this proposed rule in accordance with
Executive Order 13132 and have determined that this regulation would
not have any substantial direct effect on State or local governments,
preempt States, or otherwise have a Federalism implication.
B. Anticipated Effects
1. Impact on Qualified Entities
Because section 105(a) of MACRA allows qualified entities to use
the data in new ways to provide or sell non-public analyses or data to
authorized users, there is little quantitative information to inform
our estimates on the number of analyses and datasets that qualified
entities may provide or sell or on the costs associated with the
creation of the non-public analyses or datasets. Therefore, we look to
the estimates from the original qualified entity rules to estimate the
number of hours that it may take to create non-public analyses and to
process provider appeals and revisions. We also looked to CMS's cost
of providing data to qualified
entities since qualified entities' data fees are equal to the
government's cost to make the data available.
There are currently 13 qualified entities and these qualified
entities all are in different stages of the qualified entity program.
For example, some qualified entities have released public reports and
some qualified entities are still completing the security requirements
in order to receive CMS data. Given the requirements in the different
phases and the current status of the qualified entities, we estimate
that 11 qualified entities will be able to provide or sell analyses
and/or data to authorized users within the first year of the program,
and therefore, would be incurring extra costs. As discussed above, we
believe the total number of qualified entities will ultimately grow to
20 in subsequent years, with 15 entities providing or selling analyses
and/or data to authorized users. In estimating qualified entity
impacts, we used hourly labor costs in several labor categories
reported by the Bureau of Labor Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual rates for
2014 and added 100 percent for overhead and fringe benefit costs. These
rates are displayed in Table 2.
Table 2--Labor Rates for Qualified Entity Impact Estimates
----------------------------------------------------------------------------------------
Labor category                           2014 hourly wage   OH and fringe   Total hourly
                                         rate (BLS)         (100%)          costs
----------------------------------------------------------------------------------------
Professional and technical services      $37.54             $37.54          $75.08
Legal review                              38.58              38.58           77.16
Custom computer programming               43.05              43.05           86.10
Data processing and hosting               34.02              34.02           68.04
Other information services                39.72              39.72           79.44
----------------------------------------------------------------------------------------
We estimate that within the first year 11 qualified entities
will provide or sell on average 55 non-public analyses or provide or
sell 35 datasets. We do not believe the number of datasets and non-
public analyses per qualified entity will change in future years of the
program. We seek comment on the number of non-public analyses or
datasets that a qualified entity will create and provide or sell within
the first year and future years.
In the original proposed rule for the qualified entity program (76
FR 33566), we estimated that each qualified entity's activities to
analyze the Medicare claims data, calculate performance measures and
produce public provider performance reports would require 5,500 hours
of effort per qualified entity. We anticipate under this proposed rule
that implements section 105(a) of MACRA that qualified entities will
base the non-public analyses on their public performance reports.
Therefore, the creation of the non-public analyses will require much
less effort and only require a fraction of the time it takes to produce
the public reports. We estimate that a qualified entity's activities
for each non-public analysis to analyze the Medicare claims data,
calculate performance measures, and produce the report would require
320 hours, between five and six percent of the time to produce the
public reports. We anticipate that half of this time will be spent on
data analysis, measure calculation, and report creation and the other
half on data processing. We request comment on the level of effort to
create the non-public analyses.
We anticipate that within the first year of the program a qualified
entity will, on average, provide one-year datasets containing all data
types for a cohort of 750,000 to 1.75 million beneficiaries to 35
authorized users. We estimate that it will require 226 hours to create
each dataset that will be provided to an authorized user. We looked to
CMS's data costs and time to
estimate a qualified entity's costs and time to create datasets. While
the majority of the time will be devoted to computer processing, we
anticipate about 100 hours will be spent on computer programming,
particularly if the qualified entity is de-identifying the data. We seek
comment on the level of effort required to create each dataset and the
number of authorized users that will obtain or purchase data from a
qualified entity.
We further estimate that, on average, each qualified entity would
expend 7,500 hours of effort processing providers' and suppliers'
appeals of their performance reports and producing revised reports,
including legal review of the appeals and revised reports. These
estimates assume that, as discussed below in the section on provider
and supplier impacts, on average 25 percent of providers and suppliers
would appeal their results from a qualified entity. Responding to these
appeals in an appropriate manner would require a significant investment
of time on the part of qualified entities. This equates to an average
of four hours per appeal for each qualified entity. These estimates are
similar to those in the Qualified Entities final rule. We assume that
the complexity of appeals would vary greatly, and as such, the time
required to address them would also vary greatly. Many appeals may be
able to be dealt with in an hour or less while some appeals may require
multiple meetings between the qualified entity and the affected
provider or supplier. On average, however, we believe that this is a
reasonable estimate of the burden of the appeals process on qualified
entities. We discuss the burden of the appeals process on providers and
suppliers below.
We estimate that each qualified entity would spend 40 hours
creating a non-public analyses agreement template and a QE DUA. We also
estimate that it would take a qualified entity 2 hours to process a QE
DUA or non-public analyses agreement.
Finally, we estimate that each qualified entity would spend 50
hours on the additional annual reporting requirements.
Qualified entities would be required to notify CMS of inappropriate
disclosures or use of beneficiary identifiable data pursuant to the
requirements in the CMS DUA. We believe that the report generated in
response to an inappropriate disclosure or use of beneficiary
identifiable data would be generated as a matter of course by the
qualified entities and therefore, would not require significant
additional effort. Based on the assumptions we have described, we
estimate the total impact on qualified entities for the first year of
the program to be a cost of $27,925,198.
Table 3--Impact on Qualified Entities for the First Year of the Program
(Hours columns: P&T = professional and technical; Legal = legal review; CP = custom computer programming; DP&H = data processing and hosting)
------------------------------------------------------------------------------------------------------------------------------
Activity                                      P&T    Legal   CP     DP&H   Labor    Cost per    Number of   Number of   Total cost
                                              hours  hours   hours  hours  hourly   authorized  authorized  qualified   impact
                                                                           cost     user        users       entities
------------------------------------------------------------------------------------------------------------------------------
Dissemination of Data:
  Data processing & hosting                   ...    ...     ...    126    $68.04   $8,573      35          11          $3,300,620
  Computer programming                        ...    ...     100    ...    86.10    8,610       35          11          3,314,850
  Total: Dissemination of Data                                                                                         6,615,470
Non-Public Analyses:
  Data analysis/measure calculation/          ...    ...     160    ...    86.10    13,776      55          11          8,334,480
    report preparation
  Data processing and hosting                 ...    ...     ...    160    68.04    10,886      55          11          6,586,272
  Total: Non-public Analyses                                                                                           14,920,752
Qualified entity processing of provider       5,500  ...     ...    ...    75.08    412,940     ...         11          4,542,340
  appeals and report revision
Qualified entity legal analysis of provider   ...    2,000   ...    ...    77.16    154,320     ...         11          1,697,520
  appeals and report revisions
  Total: qualified entity processing of                                                                                6,239,860
    provider appeals and report revision
QE DUA and Non-public analyses:
  Development of the QE DUA and non-public    20     ...     ...    ...    75.08    1,502       ...         11          16,518
    analyses agreement
  Legal review of the QE DUA and non-public   ...    20      ...    ...    77.16    1,543       ...         11          16,975
    analyses agreement
  Processing QE DUA and non-public analyses   2      ...     ...    ...    75.08    150         70          11          115,623
    agreement
  Total: QE DUA and non-public analyses                                                                                149,116
    agreements
Additional Annual Report Requirements         50     ...     ...    ...    75.08    3,754       ...         11          41,294
------------------------------------------------------------------------------------------------------------------------------
Total qualified entity impacts                                                                                         27,966,492
------------------------------------------------------------------------------------------------------------------------------
2. Impact on Health Care Providers and Suppliers
We note that numerous health care payers, community quality
collaboratives, States, and other organizations are producing
performance measures for health care providers and suppliers using data
from other sources, and that providers and suppliers are already
receiving performance reports from these sources. We anticipate that
the review of non-public analyses would merely be added to those
existing efforts to improve the statistical validity of the measure
findings. However, we invite comments on the impact of this new
voluntary program.
Table 4 reflects the hourly labor rates used in our estimate of the
impacts of the first year of section 105(a) of MACRA on health care
providers and suppliers.
Table 4--Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------
Provider type                            2014 hourly wage   Overhead and    Total hourly
                                         rate (BLS)         fringe benefits costs
                                                            (100%)
----------------------------------------------------------------------------------------
Physicians' offices                      $38.27             $38.27          $76.54
Hospitals                                 29.65              29.65           59.30
----------------------------------------------------------------------------------------
We anticipate that the impacts on providers and suppliers consist
of costs to review the performance reports generated by qualified
entities and, if they choose, appeal the performance calculations. We
believe, on average, each qualified entity would produce non-public
analyses that in total include information on 7,500 health providers
and suppliers. This is based on estimates in the qualified entity final
rule, but also includes an increase of 50 percent because we believe
that more providers and suppliers will be included in the non-public
analyses. We anticipate that the largest proportion of providers and
suppliers would be physicians because they comprise the largest group
of providers and suppliers, and are a primary focus of many recent
performance evaluation efforts. We also believe that many providers and
suppliers will be the recipients of the non-public analyses in order to
support their own performance improvement activities, and therefore,
there would be no requirement for a correction or appeals process. As
discussed above, there is no requirement for a corrections or appeals
process where the analysis only individually identifies the (singular)
provider or supplier who is being provided or sold the analysis.
[[Page 5413]]
Based on our review of information from existing programs, we assume
that 95 percent of the recipients of performance reports (that is, an
average of 7,125 per qualified entity) would be physicians, and 5
percent (that is, an average of 375 per qualified entity) would be
hospitals and other suppliers. Providers and suppliers receive these
reports with no obligation to review them, but we assume that most
would do so to verify that their calculated performance measures
reflect their actual patients and health events. Because these non-
public analyses will be based on the same underlying data as the public
performance reports, we estimate that it would take less time for
providers or suppliers to review these analyses and generate an
appeal. We estimate that, on average, each provider or supplier would
devote three hours to reviewing these analyses. We also estimate that
25 percent of the providers and suppliers would decide to appeal their
performance calculations, and that preparing the appeal would involve
an average of seven hours of effort on the part of a provider or
supplier. As with our assumptions regarding the level of effort
required by qualified entities in operating the appeals process, we
believe that this average covers a range of provider efforts from
providers who would need just one or two hours to clarify any questions
or concerns regarding their performance reports to providers who would
devote significant time and resources to the appeals process.
Using the hourly costs displayed in Table 4, the impacts on
providers and suppliers are calculated below in Table 5. Based on the
assumptions we have described, we estimate the total impact on
providers for the first year of the program to be a cost of
$29,690,386.
As stated above in Table 3, we estimate the total impact on
qualified entities to be a cost of $27,966,492. Therefore, the total
impact on qualified entities and on providers and suppliers for the
first year of the program is estimated to be $57,656,878.
Table 5--Impact on Providers and Suppliers for the First Year of the Program
------------------------------------------------------------------------------------------------------------------------
Activity                                   Hours per provider     Labor    Cost per   Number of       Number of   Total cost
                                           Physician   Hospitals  hourly   provider   providers per   qualified   impact
                                           offices                cost                qualified       entities
                                                                                      entity
------------------------------------------------------------------------------------------------------------------------
Physician office review of performance     3           ...        76.54    $230       7,125           11          $18,026,250
  reports
Hospital review of performance reports     ...         3          59.30    178        375             11          734,250
Physician office preparing and             7           ...        76.54    536        1,781           11          10,500,776
  submitting appeal requests to
  qualified entities
Hospital preparing and submitting appeal   ...         7          59.30    415        94              11          429,110
  requests to qualified entities
------------------------------------------------------------------------------------------------------------------------
Total Impact on Providers and Suppliers                                                                           29,690,386
------------------------------------------------------------------------------------------------------------------------
C. Alternatives Considered
The statutory provisions added by section 105(a) of MACRA are
detailed and prescriptive about the permissible uses of the data under
the Qualified Entity Program. We believe there are limited approaches
that would ensure statutory compliance. We considered proposing less
prescriptive requirements on the provisions that would need to be
included in the agreements between qualified entities and authorized
users that received or purchased analyses or data. For example, we
could have required less strenuous data privacy and security
protections such as not setting a minimum standard for protection of
beneficiary identifiable data or non-public analyses. In addition, we
could have reduced additional restrictions on re-disclosure or
permitted data or analyses to be re-disclosed to additional downstream
users. While these approaches might reduce costs for qualified
entities, we did not adopt such an approach because of the importance
of protecting beneficiary data. We believe if we do not require
qualified entities to provide sufficient evidence of data privacy and
security protection capabilities, there would be increased risks
related to the protection of beneficiary identifiable data.
D. Conclusion
As explained above, we estimate the total impact for the first year
of the program on qualified entities and providers to be a cost of
$57,656,878. While we anticipate the number of qualified entities to
increase slightly, we do not anticipate significant growth in the
qualified entity program given the qualified entity program
requirements, as well as other existing programs that allow entities to
obtain Medicare data. Based on these estimates, we conclude this
proposed rule does not reach the threshold for economically significant
effects and thus is not considered a major rule.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
List of Subjects in 42 CFR Part 401
Claims, Freedom of information, Health facilities, Medicare,
Privacy.
For the reasons set forth in the preamble, the Centers for Medicare
& Medicaid Services proposes to amend 42 CFR part 401 as set forth
below:
PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 401 is revised to read as follows:
Authority: Secs. 1102, 1871, and 1874(e) of the Social Security
Act (42 U.S.C. 1302,
1395hh, and 1395w-5) and section 105 of the Medicare Access and CHIP
Reauthorization Act of 2015 (Pub. L. 114-10).
2. Section 401.703 is amended by adding paragraphs (j) through (u) to
read as follows:
Sec. 401.703 Definitions.
* * * * *
(j) Authorized user is a third party (meaning not the qualified
entity or its contractors) to whom/which the qualified entity provides
or sells data as permitted under this subpart. Authorized users are
limited to the following entities:
(1) A provider.
(2) A supplier.
(3) A medical society.
(4) A hospital association.
(5) An employer.
(6) A health insurance issuer.
(7) A healthcare provider and/or supplier association.
(8) A state agency.
(k) Employer has the same meaning as the term ``employer'' as
defined in section 3(5) of the Employee Retirement Insurance Security
Act of 1974.
(l) Health insurance issuer has the same meaning as the term
``health insurance issuer'' as defined in section 2791 of the Public
Health Service Act.
(m) Medical society means a nonprofit organization or association
that provides unified representation and advocacy for physicians at the
national or state level and whose membership is comprised of a majority
of physicians.
(n) Hospital association means a nonprofit organization or
association that provides unified representation and advocacy for
hospitals or health systems at a national or state level and whose
membership is comprised of a majority of hospitals and health systems.
(o) Healthcare Provider and/or Supplier Association means a
nonprofit organization or association that provides unified
representation and advocacy for providers and suppliers at the national
or state level and whose membership is comprised of a majority of
suppliers or providers.
(p) State Agency means any office, department, division, bureau,
board, commission, agency, institution, or committee within the
executive branch of a state government.
(q) Combined data means a set of CMS claims data provided under
subpart G combined with claims data, or a subset of claims data from at
least one of the other claims data sources described in Sec.
401.707(d).
(r) Patient means an individual who has visited the provider or
supplier for a face-to-face or telehealth appointment at least once in
the past 12 months.
(s) Marketing means the same as the term ``marketing'' at 45 CFR
164.501 without the exception to the bar for ``consent'' based
marketing.
(t) Violation means a failure to comply with a requirement of a CMS
DUA or QE DUA.
(u) Required by law means the same as the phrase ``required by
law'' at 45 CFR 164.103.
3. Section 401.713 is amended by revising paragraph (a) and adding
paragraph (d) to read as follows:
Sec. 401.713 Ensuring the privacy and security of data.
(a) Data Use Agreement between CMS and a qualified entity. A
qualified entity must comply with the data requirements in its data use
agreement with CMS (hereinafter the CMS DUA). Contractors of qualified
entities that are anticipated to have access to the Medicare claims
data or beneficiary identifiable data in the context of this program
are also required to execute and comply with the CMS DUA. The CMS DUA
will require the qualified entity to maintain privacy and security
protocols throughout the duration of the agreement with CMS, and will
ban the use or disclosure of CMS data or any derivative data for
purposes other than those set out in this subpart. The CMS DUA will
also prohibit the use of unsecured telecommunications to transmit such
data, and will specify the circumstances under which such data must be
stored and may be transmitted.
* * * * *
(d) Data Use Agreement between a qualified entity and an authorized
user. In addition to meeting the other requirements of this subpart,
and as a pre-condition of selling or disclosing any combined data or
any Medicare claims data (or any beneficiary-identifiable derivative
data of either kind) and as a pre-condition of selling or disclosing
non-public analyses that include individually identifiable beneficiary
data, the qualified entity must enter a DUA (hereinafter the QE DUA)
with the authorized user. Among other things laid out in this subpart,
such QE DUA must contractually bind the authorized user to the
following:
(1)(i) The authorized user may be permitted to use such data and
non-public analyses in a manner that a HIPAA Covered Entity could do
under the following provisions:
(A) Activities falling under the first paragraph of the definition
of ``health care operations'' under 45 CFR 164.501: Quality improvement
activities, including care coordination activities and efforts to track
and manage medical costs.
(B) Activities falling under the second paragraph of the definition
of ``health care operations'' under 45 CFR 164.501: Population-based
activities such as those aimed at improving patient safety, quality of
care, or population health, including the development of new models of
care, the development of means to expand coverage and improve access to
healthcare, the development of means of reducing health care
disparities, and the development or improvement of methods of payment
or coverage policies.
(C) Activities that qualify as ``fraud and abuse detection or
compliance activities'' under 45 CFR 164.506(c)(4)(ii).
(ii) All other uses and disclosures of such data and/or such non-
public analyses must be forbidden except to the extent a disclosure
qualifies as a ``required by law'' disclosure.
(2) The authorized user is prohibited from using or disclosing the
data or non-public analyses for marketing purposes as defined at Sec.
401.703(s).
(3) The authorized user is required to ensure adequate privacy and
security protection for such data and non-public analyses. At a
minimum, regardless of whether the authorized user is a HIPAA covered
entity, such protections of beneficiary identifiable data must be at
least as protective as what is required of covered entities regarding
protected health information (PHI) under the HIPAA Privacy and Security
Rules. In all cases, these requirements must be imposed for the life of
such beneficiary identifiable data or non-public analyses and/or any
derivative data, that is until all copies of such data or non-public
analyses are returned or destroyed. Such duties must be written in such
a manner as to survive termination of the QE DUA, whether for cause or
not.
(4) Except as provided for in paragraph (d)(5) of this section, the
authorized user must be prohibited from re-disclosing or making public
any such data or non-public analyses.
(5)(i) At the qualified entity's discretion, it may permit an
authorized user that is a provider as defined in Sec. 401.703(b) or a
supplier as defined in Sec. 401.703(c), to re-disclose such data and
non-public analyses as a covered entity would be permitted to disclose
PHI under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).
(ii) All other uses and disclosures of such data and/or such non-
public analyses are forbidden except to the extent a disclosure
qualifies as a ``required by law'' disclosure.
(6) Authorized users who/that receive the beneficiary de-identified
combined data or Medicare data as contemplated
under Sec. 401.718 are contractually prohibited from linking the
beneficiary de-identified data to any other identifiable source of
information, and must be contractually barred from attempting any other
means of re-identifying any individual whose data is included in such
data.
(7) The QE DUA must bind authorized user(s) to notifying the
qualified entity of any violations of the QE DUA, and it must require
the full cooperation of the authorized user in the qualified entity's
efforts to mitigate any harm that may result from such violations, or
to comply with the breach provisions governing qualified entities under
this subpart.
4. Section 401.716 is added to read as follows:
Sec. 401.716 Non-public analyses.
(a) General. So long as it meets the other requirements of this
subpart, and subject to the limits in paragraphs (b) and (c) of this
section, the qualified entity may use the combined data to create non-
public analyses in addition to performance measures.
(b) Limitations on a qualified entity. In addition to meeting the
other requirements of this subpart, a qualified entity must comply with
the following limitations as a pre-condition of disseminating or
selling non-public analyses to an authorized user:
(1) A qualified entity may only provide or sell a non-public
analysis to a health insurance issuer as defined in Sec. 401.703(l),
after the health insurance issuer has provided the qualified entity
with claims data that represents a majority of the health insurance
issuer's covered lives for the time period and geographic region
covered by the issuer-requested non-public analyses.
(2) Analyses that contain information that individually identifies
one or more beneficiaries may only be disclosed to a provider or
supplier (as defined at Sec. 401.703(b) and (c)) when the following
conditions are met:
(i) The analyses only contain identifiable information on
beneficiaries with whom the provider or supplier has a patient
relationship as defined at Sec. 401.703(r), and
(ii) a QE DUA as defined at Sec. 401.713(d) is executed between
the qualified entity and the provider or supplier prior to making any
individually identifiable beneficiary information available to the
provider or supplier.
(3) Except as specified under paragraph (c)(2) of this section, all
analyses must be limited to beneficiary de-identified data. Regardless
of the HIPAA covered entity or business associate status of the
qualified entity and/or the authorized user, de-identification must be
determined based on the standards for HIPAA covered entities found at
45 CFR 164.514(b).
(4) Analyses that contain information that individually identifies
a provider or supplier may not be disclosed unless:
(i) The analysis only individually identifies the provider or
supplier that is being supplied the analysis, or
(ii) Every provider or supplier individually identified in the
analysis has been afforded the opportunity to appeal or correct errors
using the process at Sec. 401.717(f).
(c) Non-public analyses agreement between a qualified entity and an
authorized user for beneficiary de-identified non-public analyses
disclosures. In addition to the other requirements of this subpart, a
qualified entity must enter a contractually binding non-public analyses
agreement with the authorized user as a pre-condition to providing or
selling de-identified analyses. Such non-public analyses agreement must
contain the following provisions:
(1) The authorized user may not use the analyses or derivative data
for the following purposes:
(i) Marketing, as defined at Sec. 401.703(s).
(ii) Harming or seeking to harm patients or other individuals both
within and outside the healthcare system regardless of whether their
data are included in the analyses.
(iii) Effectuating or seeking opportunities to effectuate fraud
and/or abuse in the health care system.
(2) If the authorized user is an employer as defined in Sec.
401.703(k), the authorized user may only use the analyses or derivative
data for purposes of providing health insurance to employees, retirees,
or dependents of employees or retirees of that employer.
(3)(i) At the qualified entity's discretion, it may permit an
authorized user that is a provider as defined in Sec. 401.703(b) or a
supplier as defined in Sec. 401.703(c), to re-disclose the de-
identified analyses or derivative data, as a covered entity would be
permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).
(ii) All other uses and disclosures of such data and/or such non-
public analyses are forbidden except to the extent a disclosure
qualifies as a ``required by law'' disclosure.
(4) If the authorized user is not a provider or supplier, the
authorized user may not re-disclose or make public any non-public
analyses or derivative data except as required by law.
(5) The authorized user may not link the de-identified analyses to
any other identifiable source of information and may not in any other
way attempt to identify any individual whose de-identified data is
included in the analyses.
(6) The authorized user must notify the qualified entity of any DUA
violations, and it must fully cooperate with the qualified entity's
efforts to mitigate any harm that may result from such violations.
5. Section 401.717 is amended by adding paragraph (f) to read as
follows:
Sec. 401.717 Provider and supplier requests for error correction.
* * * * *
(f) A qualified entity also must comply with paragraphs (a) through
(e) of this section before disclosing non-public analyses, as defined
at Sec. 401.716, that contain information that individually identifies
a provider or supplier.
6. Section 401.718 is added to read as follows:
Sec. 401.718 Dissemination of data.
(a) General. Subject to the other requirements in this subpart, the
requirements in paragraphs (b) and (c) of this section and any other
applicable laws or contractual agreements, a qualified entity may
provide or sell combined data, or provide Medicare data at no cost to
authorized users defined at Sec. 401.703(b), (c), (m), and (n).
(b) Data--(1) De-identification. Except as specified in paragraph
(b)(2) of this section, any data provided or sold by a qualified entity
to an authorized user must be limited to beneficiary de-identified
data. De-identification must be determined based on the de-
identification standards for HIPAA covered entities found at Sec.
164.514(b).
(2) Exception. If such disclosure would be consistent with all
applicable laws, data that individually identifies a beneficiary may
only be disclosed to a provider or supplier (as defined at Sec.
401.703(b) and (c)) with whom the identifiable individuals in such data
have a current patient relationship as defined at Sec. 401.703(r).
(c) Data Use Agreement between a qualified entity and an authorized
user. A qualified entity must contractually require an authorized user
to comply with the requirements in Sec. 401.713(d) prior to providing
or selling data to an authorized user under Sec. 401.718.
7. Section 401.719 is amended by adding paragraphs (b)(3) and (4) and
(d)(5) to read as follows:
Sec. 401.719 Monitoring and sanctioning of qualified entities.
* * * * *
(b) * * *
(3) Non-public analyses provided or sold to authorized users under
this subpart, including the following information:
(i) A summary of the analyses provided or sold, including--
(A) The number of analyses.
(B) The number of purchasers of such analyses.
(C) The types of authorized users that purchased analyses.
(D) The total amount of fees received for such analyses.
(E) QE DUA or non-public analyses agreement violations.
(ii) A description of the topics and purposes of such analyses.
(4) Data provided or sold to authorized users under this subpart,
including the following information:
(i) The entities who received data.
(ii) The basis under which each entity received such data.
(iii) The total amount of fees received for providing, selling, or
sharing the data.
(iv) QE DUA violations.
* * * * *
(d) * * *
(5) In the case of a violation, as defined at Sec. 401.703(t) of
the CMS DUA or the QE DUA, CMS will impose an assessment on a qualified
entity in accordance with the following:
(i) Amount of Assessment. CMS will calculate the amount of the
assessment of up to $100 per individual entitled to, or enrolled for,
benefits under part A of title XVIII of the Social Security Act or
enrolled for benefits under part B of such title whose data was
implicated in the violation based on the following:
(A) Basic Factors. In determining the amount per impacted
individual, CMS takes into account the following:
(1) The nature and the extent of the violation.
(2) The nature and the extent of the harm or potential harm
resulting from the violation.
(3) The degree of culpability and the history of prior violations.
(B) Criteria to be considered. In establishing the basic factors,
CMS considers the following circumstances, including:
(1) Aggravating Circumstances. Aggravating circumstances include
the following:
(i) There were several types of violations occurring over a lengthy
period of time.
(ii) There were many of these violations or the nature and
circumstances indicate a pattern of violations.
(iii) The nature of the violation had the potential to result in, or
actually resulted in, harm to beneficiaries.
(2) Mitigating circumstances. Mitigating circumstances include the
following:
(i) All of the violations subject to the imposition of an
assessment were few in number, of the same type, and occurring within a
short period of time.
(ii) The violation was the result of an unintentional and
unrecognized error and the qualified entity took corrective steps
immediately after discovering the error.
(C) Effects of aggravating or mitigating circumstances. In
determining the amount of the assessment to be imposed under
(d)(5)(i)(A) of this section:
(1) If there are substantial or several mitigating circumstances,
the aggregate amount of the assessment is set at an amount sufficiently
below the maximum permitted by (d)(5)(A) of this section to reflect the
mitigating circumstances.
(2) If there are substantial or several aggravating circumstances,
the aggregate amount of the assessment is set at an amount at or
sufficiently close to the maximum permitted by (d)(5)(i)(A) of this
section to reflect the aggravating circumstances.
(D) The standards set for the qualified entity in this paragraph
are binding, except to the extent that--
(1) The amount imposed is not less than the approximate amount
required to fully compensate the United States, or any State, for its
damages and costs, tangible and intangible, including but not limited
to the costs attributable to the investigation, prosecution, and
administrative review of the case.
(2) Nothing in this section limits the authority of CMS to settle
any issue or case as provided by part 1005 of this title or to
compromise any assessment as provided by (d)(5)(E) of this section.
(ii) Notice of Determination. CMS must propose an assessment in
accordance with this paragraph by notifying the qualified entity by
certified mail, return receipt requested. Such notice must include the
following information:
(A) The assessment amount.
(B) The statutory and regulatory bases for the assessment.
(C) A description of the violations upon which the assessment was
proposed.
(D) Any mitigating or aggravating circumstances that CMS considered
when it calculated the amount of the proposed assessment.
(E) Information concerning response to the notice, including:
(1) A specific statement of the respondent's right to a hearing in
accordance with procedures established at Section 1128A of the Act and
implemented in 42 CFR part 1005.
(2) A statement that failure to respond within 60 days renders the
proposed determination final and permits the imposition of the proposed
assessment.
(3) A statement that the debt may be collected through an
administrative offset.
(4) In the case of a respondent that has an agreement under section
1866 of the Act, notice that imposition of an exclusion may result in
termination of the provider's agreement in accordance with section
1866(b)(2)(C) of the Act.
(F) The means by which the qualified entity may pay the amount if
it does not intend to request a hearing.
(iii) Failure to request a hearing. If the qualified entity does
not request a hearing within 60 days of receipt of the notice of
proposed determination specified in the preceding paragraph, any
assessment becomes final and CMS may impose the proposed assessment.
(A) CMS notifies the qualified entity, by certified mail with
return receipt requested, of any assessment that has been imposed and
of the means by which the qualified entity may satisfy the judgment.
(B) The qualified entity has no right to appeal an assessment for
which the qualified entity has not requested a hearing.
(iv) When an assessment is collectible. An assessment becomes
collectible after the earliest of the following:
(A) 60 days after the qualified entity receives CMS's notice of
proposed determination under (d)(5)(ii) of this section, if the
qualified entity has not requested a hearing.
(B) Immediately after the qualified entity abandons or waives its
appeal right at any administrative level.
(C) 30 days after the qualified entity receives the ALJ's decision
imposing an assessment under Sec. 1005.20(d) of this title, if the
qualified entity has not requested a review before the DAB.
(D) 60 days after the qualified entity receives the DAB's decision
imposing an assessment if the qualified entity has not requested a stay
of the decision under Sec. 1005.22(b) of this title.
(v) Collection of an assessment. Once a determination by HHS has
become final, CMS is responsible for the collection of any assessment.
(A) The General Counsel may compromise an assessment imposed under
this part, after consulting with CMS or OIG, and the Federal government
may recover the assessment in a civil action brought in the United
States district court for the district where the claim was presented or
where the qualified entity resides.
(B) The United States or a state agency may deduct the amount of an
assessment when finally determined, or the amount agreed upon in
compromise, from any sum then or later owing the qualified entity.
(C) Matters that were raised or that could have been raised in a
hearing before an ALJ or in an appeal under section 1128A(e) of the Act
may not be raised as a defense in a civil action by the United States
to collect an assessment.
8. Section 401.721 is amended by adding paragraph (a)(7) to read as
follows:
Sec. 401.721 Terminating an agreement with a qualified entity.
(a) * * *
(7) Fails to ensure authorized users comply with their QE DUAs or
analysis use agreements.
* * * * *
Dated: October 15, 2015.
Andrew M. Slavitt,
Acting Administrator, Centers for Medicare & Medicaid Services.
Dated: January 27, 2016.
Sylvia M. Burwell,
Secretary, Department of Health and Human Services.
[FR Doc. 2016-01790 Filed 1-29-16; 11:15 am]
BILLING CODE 4120-01-P