[Federal Register Volume 81, Number 85 (Tuesday, May 3, 2016)]
[Notices]
[Pages 26566-26569]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-10253]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of New System of Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice of New System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, we are proposing to establish a new SOR titled, ``CMS Risk 
Adjustment Data Validation System (RAD-V),'' System No. 09-70-0511. 
Under Sec.  1343 of the Patient Protection and Affordable Care Act 
(Pub. L. 111-148) as amended by the Health Care and Education 
Reconciliation Act of 2010 (Pub. L. 111-152), (hereinafter, the ACA), 
and the implementing regulations at 45 CFR part 153, data collected and 
maintained in this system will be used to support the audit functions 
of the risk adjustment 
program, including validation activities under the risk adjustment data 
validation program.
    The goal of the risk adjustment program is to provide payments to 
non-grandfathered health insurance issuers in the individual and small 
group markets that attract higher-risk populations, including a 
validation program to ensure the reliability of data used as a basis 
for risk adjustment payments and charges. Non-grandfathered plans are 
health plans that came into existence after March 23, 2010. Insurers 
offering these plans were required to modify them to follow the ACA 
rules as of January 1, 2014.
    The RAD-V system will contain personally identifiable information 
(PII) about individuals who are current or former enrollees in non-
grandfathered health plans, including information obtained through the 
risk adjustment data validation process to establish the relative 
deviation from the average. The program and the system of record are 
more thoroughly described in the SUPPLEMENTARY INFORMATION section and 
System of Records Notice below.
    At this time, the only personally identifiable information that 
will be collected under this System will be through the RAD-V, part of 
the risk adjustment program.

DATES: This action will be effective without further notice 30 days 
after publication in the Federal Register or 40 days after providing a 
report of this Notice to the Office of Management and Budget and 
Congress, whichever is later. Written comments should be submitted 
within 30 days of publication in the Federal Register. HHS may publish 
an amended system of records notice (SORN) in light of any comments 
received.

ADDRESSES: Written comments can be sent to: CMS Privacy Act Officer, 
Division of Security, Privacy Policy & Governance, Information Security 
& Privacy Group, Office of Enterprise Information, CMS, 7500 Security 
Boulevard, Baltimore, MD 21244-1870, Mailstop: N1-24-08, or by E-Mail 
to: [email protected]. Comments received will be available for 
review at this location, by appointment, during regular business hours, 
Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time zone.

FOR INFORMATION CONTACT:  Catherine Anderson, RAD-V Mailbox 
Coordinator, Division of Risk Adjustment Operations, CCIIO, CMS, 7500 
Security Boulevard, Baltimore, Maryland 21244. The email address is 
[email protected].

SUPPLEMENTARY INFORMATION: Section 1343(b) of the ACA requires the 
Secretary to establish criteria and methods to carry out a risk 
adjustment program. Section 1321(a)(1)(C) of the ACA directs the 
Secretary to issue regulations and set standards to establish the risk 
adjustment program. Consistent with Sec.  1321(c)(1) of the ACA, 45 CFR 
153.310(a) provides that HHS will operate risk adjustment where a State 
does not elect to administer the risk adjustment program. The primary 
goals of the risk adjustment program are to assist health plans that 
provide coverage to individuals with higher health care costs and to 
help ensure that those who are sick have access to the coverage they 
need. The ACA's risk adjustment program also serves to level the 
playing field inside and outside of the individual and small group 
markets in each state by stabilizing premiums.
    Under 45 CFR 153.620(b), issuers of risk adjustment covered plans 
must maintain documents and records to enable such evaluation, and must 
make such records available to HHS upon request for purposes of 
verification, investigation, audit or other review. As part of the risk 
adjustment data validation program, HHS may audit an issuer of a risk 
adjustment covered plan to assess its compliance with the risk 
adjustment requirements.
    The state, or HHS on behalf of the state, must ensure proper 
validation of a statistically valid sample of risk adjustment data from 
each issuer that offers at least one risk adjustment covered plan in 
that state, as well as an administrative process to appeal findings 
from the risk adjustment data validation process. When HHS is 
conducting the risk adjustment data validation program, 45 CFR 
153.620(a) and 153.630(a) require issuers of risk adjustment covered 
plans to comply with any request for data for any audit or validation 
performed, including relevant source enrollment documentation, all 
claims and encounter data, and medical record documentation.
    Existing information privacy and security standards, such as 
standards under HIPAA and those detailed at 45 CFR 153.630(f)(2), which 
governs the risk adjustment data validation program, will apply to 
issuers and their initial validation auditors. In order to minimize the 
amount of individually identifiable information collected, CMS will use 
the smallest possible sample size that will provide a statistically 
valid sample, in accordance with the regulations at 45 CFR 153.350(a).

The Privacy Act

    The Privacy Act governs the collection, maintenance, use, and 
dissemination of certain information about individuals by agencies of 
the federal government. A system of records is a group of any records 
under the control of a federal agency from which information about 
individuals is retrieved by name or other personal identifier. The 
Privacy Act requires each agency to publish notice in the Federal 
Register of the existence and character of each system of records that 
the agency maintains, including the name and location of the system; 
the categories of individuals about whom records are maintained; the 
categories, routine uses, and sources of the records; the agency's 
policies and practices regarding storage, retrieval, access controls, 
and retention and disposal of the records; and the title and business 
address of the agency official to contact with notification, access, 
and amendment requests.

SYSTEM NUMBER:
    09-70-0511.

SYSTEM NAME:
    Risk Adjustment Data Validation System (RAD-V), HHS/CMS/CCIIO.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The RAD-V will be physically located at the CMS Data Center, 7500 
Security Boulevard, North Building, First Floor, Baltimore, MD 21244-
1850, and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system will contain information about individuals currently or 
previously enrolled in a risk adjustment covered plan as defined at 45 
CFR 153.20, and individual providers of medical or health care 
services.

CATEGORIES OF RECORDS IN THE SYSTEM:
    CMS will collect demographic, geographic, medical and/or health 
care information, date of birth, gender, and dates of service about 
individuals who are currently and previously enrolled in risk 
adjustment covered plans. In addition, CMS will collect identifiable 
information about individual health care providers, including but not 
limited to name, ITIN or EIN, and NPI numbers.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for the maintenance of the RAD-V is given under the 
provisions of Sec. Sec.  1321 and 1343 of the Patient 
Protection and Affordable Care Act (Pub. L. 111-148) as amended by the 
Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152), 
and the Regulations at 45 CFR 153.350, 153.620, 153.630.

PURPOSE(S) OF THE SYSTEM:
    The primary purpose of this system is to collect and maintain data 
necessary to support the audit functions of the risk adjustment 
programs, including validation activities under the risk adjustment 
data validation system (RAD-V).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    A. Entities Who May Receive Disclosures under Routine Uses
    Records about an individual may be disclosed from this system of 
records to the following parties outside the agency, without the 
individual's consent, for these purposes:
    1. To CMS contractors who have been engaged by the agency to assist 
in the performance of a service related to this collection and who need 
to have access to the records in order to perform the activity.
    2. To a health insurance issuer participating in the risk 
adjustment data validation program or any agent, contractor, sub-
contractor or entity of that health insurance issuer that has entered 
into an agreement or contract with the issuer to assist in compliance 
with the risk adjustment data validation program.
    3. To the Department of Justice (DOJ), a court or an adjudicatory 
body when: a. The agency or any component thereof, or b. Any employee of 
the agency in his/her official capacity, or c. Any employee of the agency 
in his/her individual capacity where the DOJ has agreed to represent 
the employee, or d. The United States Government is a party to 
litigation or has an interest in such litigation, and by careful 
review, CMS determines that the records are both relevant and necessary 
to the litigation and that the use of such records by the DOJ, a court 
or an adjudicatory body is compatible with the purpose for which the 
agency collected the records.
    4. To a CMS contractor that assists in the administration of a CMS 
administered health benefits program, when disclosure is deemed 
reasonably necessary by CMS, to prevent, deter, discover, detect, 
investigate, examine, prosecute, sue with respect to, defend against, 
correct, remedy, or otherwise combat fraud or abuse in such program.
    5. To another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any State or local governmental agency), that 
administers, or that has the authority to investigate, potential fraud 
in the health benefits program funded in whole or in part by Federal 
funds, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud or abuse in such program.
    6. To appropriate federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this 
system of records, if the information disclosed is relevant to and 
necessary for that assistance; and information from this system may 
become available to U.S. Department of Homeland Security (DHS) cyber 
security personnel if captured in an intrusion detection system used by 
HHS and DHS pursuant to a DHS cyber security program that monitors 
internet traffic to and from federal government computer networks to 
prevent a variety of types of cybersecurity incidents.
    Records may also be disclosed to parties outside the agency, 
without the individual's consent, for any of the purposes authorized 
directly in the Privacy Act at 5 U.S.C. Sec.  552(a)(b)(1), (2) and 
(b)(4)-(b)(12).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Archived records for the risk adjustment data validation program 
will be stored in electronic form in the HHS-RADV Audit Tool maintained 
in the Acumen Web Portal.

RETRIEVABILITY:
    The data collected is retrieved by the name of an individual, or by 
some other identifying number, symbol, or other identifying particular 
assigned to an individual.

SAFEGUARDS:
    CMS has safeguards in place for authorized users and monitors such 
users to ensure against excessive or unauthorized use. Personnel having 
access to the RAD-V have been trained in the Privacy Act and information 
privacy and security requirements. Employees who maintain records in 
this system are instructed not to release data unless the intended 
recipient agrees to implement appropriate physical, technical, and 
administrative safeguards sufficient to protect the confidentiality, 
integrity and availability of the information and information systems, 
and to prevent unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal, HHS and CMS policies and standards as they 
relate to information security and data privacy. These laws and 
regulations may apply but are not limited to: the Privacy Act of 1974; 
the Federal Information Security Act of 2002; the Computer Fraud and 
Abuse Act of 1986; the Health Insurance Portability and Accountability 
Act of 1996; the e-Government Act of 2002; the Clinger-Cohen Act of 
1996; the Medicare Modernization Act of 2003, and their corresponding 
implementing regulations. OMB Circular A-130, Management of Federal 
Resources, Appendix III Security of Federal Automated Information 
Resources also applies, as well as Federal, HHS, and CMS information 
system security and privacy policies.

RETENTION AND DISPOSAL:
    Records will be maintained until they become inactive, at which 
time they will be retired or destroyed in accordance with published 
records schedules of CMS, as approved by the National Archives and 
Records Administration, and following the guidelines in National 
Institute of Standards and Technology (NIST) Special Publication 800-88, 
Guidelines for Media Sanitization. Enrollee claims records subject to a 
document preservation order will be preserved consistent with the terms 
of the court's order.

SYSTEM MANAGER AND ADDRESS:
    Director, Division of Risk Adjustment Operations, Payment Policy & 
Financial Management Group, CCIIO, CMS, 7500 Security Boulevard, 
Baltimore, MD 21244.

NOTIFICATION PROCEDURE:
    Individuals wishing to know if this system contains records about 
them should write to the System Manager and include pertinent 
personally identifiable information (which CMS recommends be encrypted 
and properly transmitted) to be used for retrieval of their records.

RECORD ACCESS PROCEDURE:
    Individuals seeking access to records about them in this system 
should follow the same instructions indicated under ``Notification 
Procedure'' and reasonably specify the record content being sought. 
(These procedures are in accordance with HHS regulations at 45 CFR 
5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest the content of information about 
them in this system should follow the same instructions indicated under 
``Notification Procedure.'' The request should: reasonably identify the 
record and specify the information being contested; state the 
corrective action sought; and provide the reasons for the correction, 
with supporting justification. (These procedures are in accordance with 
HHS regulations at 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    The RAD-V will contain individually identifiable enrollment and 
demographic information, claims and encounter information and 
enrollees' medical records provided by issuers of risk adjustment 
covered plans. The issuers will provide the information as requested by 
CMS or a contractor on CMS' behalf.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

    Dated: April 26, 2016.
Emery Csulak,
CMS Senior Official for Privacy, Centers for Medicare & Medicaid 
Services.
[FR Doc. 2016-10253 Filed 5-2-16; 8:45 am]