[Federal Register Volume 81, Number 130 (Thursday, July 7, 2016)]
[Rules and Regulations]
[Pages 44456-44482]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-15708]



Part III

Department of Health and Human Services

Centers for Medicare & Medicaid Services

42 CFR Part 401

Medicare Program: Expanding Uses of Medicare Data by Qualified 
Entities; Final Rule



-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Part 401

[CMS-5061-F]
RIN 0938-AS66


Medicare Program: Expanding Uses of Medicare Data by Qualified 
Entities

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule implements requirements under Section 105 of 
the Medicare Access and CHIP Reauthorization Act of 2015 that expand 
how qualified entities may use and disclose data under the qualified 
entity program to the extent consistent with applicable program 
requirements and other applicable laws, including information, privacy, 
security and disclosure laws. This rule also explains how qualified 
entities may create non-public analyses and provide or sell such 
analyses to authorized users, as well as how qualified entities may 
provide or sell combined data, or provide Medicare claims data alone at 
no cost, to certain authorized users. In addition, this rule implements 
certain privacy and security requirements, and imposes assessments on 
qualified entities if the qualified entity or the authorized user 
violates the terms of a data use agreement required by the qualified 
entity program.

DATES: These regulations are effective on September 6, 2016.

FOR FURTHER INFORMATION CONTACT: Allison Oelschlaeger, (202) 690-8257. 
Kari Gaare, (410) 786-8612.

SUPPLEMENTARY INFORMATION:

I. Background

    On April 16, 2015, the Medicare Access and CHIP Reauthorization Act 
of 2015 (MACRA) (Pub. L. 114-10) was enacted. The law included a 
provision, Section 105, Expanding the Availability of Medicare Data, 
which takes effect on July 1, 2016. This section expands how qualified 
entities will be allowed to use and disclose data under the qualified 
entity program, including data subject to section 1874(e) of the Social 
Security Act (the Act), to the extent consistent with other applicable 
laws, including information, privacy, security and disclosure laws.
    The Qualified Entity program was established by Section 10332 of 
the Patient Protection and Affordable Care Act (Affordable Care Act) 
(Pub. L. 111-148). The implementing regulations, which became effective 
January 6, 2012, are found in subpart G of 42 CFR part 401 (76 FR 
76542). Under those provisions, CMS provides standardized extracts of 
Medicare Part A and B claims data and Part D drug event data 
(hereinafter collectively referred to as Medicare claims data) covering 
one or more geographic regions to qualified entities at a fee equal to 
the cost of producing the data. Under the original statutory 
provisions, such Medicare claims data must be combined with other non-
Medicare claims data and may only be used to evaluate the performance 
of providers and suppliers. The measures, methodologies and results 
that comprise such evaluations are subject to review and correction by 
the subject providers and suppliers, after which the results are to be 
disseminated in public reports.
    Those wishing to become qualified entities are required to apply to 
the program. Currently, fourteen organizations have applied and 
received approval to be a qualified entity. Of these organizations, two 
have completed public reporting while the other twelve are in various 
stages of preparing for public reporting. While we have been pleased 
with the participation in the program so far, we expect that the 
changes required by MACRA will increase interest in the program.
    Under section 105 of MACRA, effective July 1, 2016, qualified 
entities will be allowed to use the combined data and information 
derived from the evaluations described in 1874(e)(4)(D) of the Act to 
conduct non-public analyses and provide or sell these analyses to 
authorized users for non-public use in accordance with the program 
requirements and other applicable laws. In highlighting the need to 
comply with other applicable laws, we particularly note that any 
qualified entity that is a covered entity or business associate as 
defined in the Health Insurance Portability and Accountability Act of 
1996 (``HIPAA'') regulations at 45 CFR 160.103 will need to ensure 
compliance with any applicable HIPAA requirements, including the 
restriction on the sale of protected health information (PHI) without 
authorization at 45 CFR 164.502(a)(5)(ii).
    In addition, qualified entities will be permitted to provide or 
sell the combined data, or provide the Medicare claims data alone at no 
cost, again, in accordance with the program requirements and other 
applicable laws, to providers, suppliers, hospital associations, and 
medical societies. Qualified entities that elect to provide or sell 
analyses and/or data under these new provisions will be subject to an 
assessment if they or the authorized users to whom they disclose 
patient-identifiable data in the form of analyses or raw data act in a 
manner that violates the terms of a program-required Qualified Entity 
Data Use Agreement (QE DUA). Furthermore, qualified entities that make 
analyses or data available under these new provisions will be subject 
to new annual reporting requirements to aid CMS in monitoring 
compliance with the program requirements. These new annual reporting 
requirements will only apply to qualified entities that choose to 
provide or sell non-public analyses and/or provide or sell combined 
data, or provide Medicare claims data alone at no cost.
    We believe these changes to the qualified entity program will be 
important in driving higher quality, lower cost care in Medicare and 
the health system in general. We also believe that these changes will 
increase interest in the qualified entity program, leading to more 
transparency regarding provider and supplier performance and innovative 
uses of data that will result in improvements to the healthcare 
delivery system while still ensuring appropriate privacy and security 
protections for beneficiary-identifiable data.

II. Provisions of the Proposed Regulations and Responses to Public 
Comments

    In the February 2, 2016 Federal Register (81 FR 5397), we published 
the proposed rule entitled, ``Expanding Uses of Medicare Data by 
Qualified Entities.'' We provided a 60-day public comment period.
    In the proposed rule, to implement the new statutory provisions of 
section 105 of MACRA, we proposed to amend and make conforming changes 
to part 401, subpart G, ``Availability of Medicare Data for Performance 
Measurement.'' We received approximately 50 comments on the proposed 
rule from a wide variety of individuals and organizations. Many of the 
comments were from providers or suppliers, or organizations 
representing providers and suppliers. We also received a number of 
comments from organizations engaged in performance measurement or data 
aggregation, some of whom are already qualified entities and others who 
may apply to be qualified entities in the future. Other comments came 
from registries, state Medicaid agencies, issuers, and individuals.
    Many of the comments were positive and praised CMS for the proposed 
changes to the qualified entity program. Commenters also had a range of 
suggestions for changes to program requirements around the provision or 
sale of non-public analyses and data. We received a number of comments 
on expanding the data available to qualified entities to include claims 
data under Medicaid and the Children's Health Insurance Program (CHIP). 
In addition, we received a number of comments on the disclosure of data 
to qualified clinical data registries for quality improvement and 
patient safety activities.
    A more detailed summary of the public comments and our responses 
can be found below in the appropriate sections of this final rule.

A. Non-Public Analyses

    In accordance with Section 105(a)(1) of MACRA, we proposed to allow 
for the qualified entity's use of the combined data or information 
derived from the evaluations described in section 1874(e)(4)(D) of the 
Act to create non-public analyses and provide for the provision or sale 
of these analyses to authorized users in accordance with the program 
requirements discussed later in this section, as well as other 
applicable laws.
    Comment: Commenters generally supported the proposal to allow 
qualified entities to create non-public analyses and either provide or 
sell these analyses. One commenter suggested that CMS expressly state 
at Sec.  401.716(a) that qualified entities may provide or sell the 
non-public analyses. Another commenter recommended that CMS clarify 
that the non-public analyses are not subject to discovery or admittance 
into evidence in any judicial or administrative proceeding.
    Response: We thank commenters for their support of the provision or 
sale of non-public analyses. Since the intent of this section is to 
allow qualified entities to both provide and sell non-public analyses 
in accordance with program requirements and other applicable laws, we 
have made changes to the regulation text to expressly state as much.
    The statute, at 1874(e)(4)(D) of the Act, explicitly states, ``data 
released to a qualified entity under this subsection shall not be 
subject to discovery or admission as evidence in judicial or 
administrative proceedings without consent of the applicable provider 
or supplier.'' We believe this statutory shield only applies to data 
released to the qualified entity under 1874(e) and when that data is in 
the possession of the qualified entity. Once the Medicare data is used 
to create non-public analyses and those non-public analyses are shared 
with authorized users, we do not believe the statutory shield applies.
1. Additional Analyses
    In the proposed rule, we defined combined data as a set of CMS 
claims data provided under subpart G combined with a subset of claims 
data from at least one of the other claims data sources described in 
Sec.  401.707(d). We did not propose to establish a minimum amount of 
data that must be included in the combined data set from other sources.
    Comment: We received numerous comments on the definition of 
combined data. Many commenters recommended that CMS alter the 
definition of combined data to allow qualified entities to combine the 
Medicare data with clinical data for the creation of non-public 
analyses. These commenters stated that clinical data can help 
facilitate more appropriate analyses of provider resource use than just 
claims data alone. One commenter suggested that the definition of 
combined data also include consumer, socio-demographic, and other types 
of patient and provider-level data. Other commenters suggested that CMS 
clarify that combined data must, at a minimum, be comprised of CMS 
claims data merged with claims data from other sources, but other data 
may also be included in this combined data. One commenter agreed with 
the proposed definition of combined data.
    Response: Section 105(a)(1)(A) of MACRA requires that the non-
public analyses be based on the combined data described in 
1874(e)(4)(B)(iii) as ``data made available under this subsection with 
claims data from sources other than claims data under this title''. 
Given these statutory limitations, we do not believe we can modify the 
definition of combined data.
    However, we do recognize the value of combining claims data with 
clinical data for the development of non-public analyses and believe 
the use of clinical data in non-public analyses can significantly 
improve the value of these analyses to support quality and patient 
improvement activities. Clinical data, such as laboratory test results 
or radiology and pathology reports, can add useful information about a 
patient's chronic condition burden, health status, and other factors 
that are not available in claims data. We can also see some value in 
combining consumer, socio-demographic, and other types of patient and 
provider level data with the Medicare data. As a result, we do want to 
clarify that combined data requires at a minimum that the CMS claims 
data be combined with other sources of claims data, but that this does 
not prevent the qualified entity from merging other data (for example, 
clinical, consumer, or socio-demographic data) with the combined data 
for the development of non-public analyses.
    Comment: Several commenters suggested that CMS require qualified 
entities to make public a list of the claims data they receive from CMS 
and the data they intend to combine with the CMS claims data for non-
public analyses. One commenter suggested that this public release of 
information also include the percent of the cohort for analysis that 
each source is contributing.
    Response: We are very committed to greater data transparency and 
all qualified entities are required to publicly report on provider 
performance as part of their participation in the program. However, we 
do not see significant value in requiring qualified entities to 
publicly report on the other sources of data used in non-public 
analyses since the analyses themselves will not be released publicly.
    Comment: Several commenters stated that they supported the proposal 
not to establish a threshold for the minimum amount of data that must 
be included in the combined data set from other sources.
    Response: We thank commenters for their support.
    Comment: A few commenters recommended that the requirement to use 
combined data not preclude Medicare-only analyses. These commenters 
stated that Medicare-only analyses such as segmenting provider and 
supplier performance evaluations by payer type or conducting 
longitudinal analysis of differences in cost and quality for certain 
conditions by payer type would have significant value for many 
authorized users.
    Response: We recognize the value of Medicare-only analyses, 
especially to help providers and suppliers understand how quality and 
costs differ across their patient population. In addition, as the CMS 
Innovation Center continues to develop and test new models of care, 
qualified entities may play a role in conducting analyses to help 
providers and suppliers better manage patient outcomes and costs under 
a different payment model. As a result, we want to clarify that the 
requirement to use combined data does not prevent qualified entities 
from providing or selling analyses that allow the authorized user to 
drill down by payer type to Medicare-only results. For example, a 
qualified entity may provide or sell a provider a report that includes 
the provider's overall score on certain 
quality and resource use measures (using combined data) and then 
presents scores for each of these measures by payer type (including a 
Medicare fee-for-service category).
2. Limitations on the Qualified Entities With Respect to the Sale and 
Provision of Non-Public Analyses
    In accordance with section 105(a)(1) of MACRA, we proposed a number 
of limitations on qualified entities with respect to the sale and 
provision of non-public analyses.
    First, we proposed to limit qualified entities to only providing or 
selling non-public analyses to issuers after the issuer provides the 
qualified entity with claims data that represents a majority of the 
issuers' covered lives in the geographic region and during the time 
frame of the non-public analyses requested by the issuer.
    Comment: Many commenters supported the requirement of issuers to 
submit data to the qualified entity in order to receive analyses, but 
commenters had differing recommendations on the threshold of a majority 
of the issuers' covered lives. A number of commenters stated that CMS 
should not impose a threshold on the amount of data issuers must submit 
to a qualified entity to receive analyses. These commenters stated that 
the responsibility to ensure appropriate sample size for analyses 
should rest with the qualified entity. However, another commenter 
recommended that CMS require an issuer to provide the qualified entity 
with data on all of its covered lives for the geographic region and 
during the time frame of the non-public analyses requested. This 
commenter stated that requiring 100 percent of an issuer's covered 
lives would allow for more complete analyses. One commenter supported 
the threshold of the majority of an issuer's covered lives, but stated 
that CMS should allow a health insurance issuer to request a non-public 
analysis for a geographic region outside the issuer's area of coverage, 
provided the issuer supplies claims data for a majority of the covered 
lives for the time period requested in all regions where it provides 
coverage. This commenter noted that analyses for other geographic 
regions may be beneficial to smaller, regional health insurance issuers 
interested in cost and utilization in a comparable region or looking to 
expand their areas of coverage. Another commenter supported the 
threshold, but recommended that CMS create an exceptions process for 
cases where legitimate and important analyses, such as identifying 
providers treating orphan diseases or analysis fundamental for a health 
plan issuer to enter a new market, could not meet the proposed 
threshold. Finally, one commenter stated that CMS should allow 
qualified entities discretion to provide or sell analyses to health 
insurance issuers who have made a good faith commitment to providing 
the qualified entity with claims data that represents a majority of the 
health insurance issuer's covered lives by a certain future date.
    Response: As we stated in the proposed rule, we considered not 
applying a threshold on the amount of data being provided by the 
issuer, but decided that specifying a threshold would encourage issuers 
to submit data to the qualified entity to be included in the public 
performance reports, increasing the reports' reliability. We believe 
this rationale still applies, and we still believe that there are a 
number of situations where requiring the issuer to provide 100 percent 
of their data for a given time period and geographic region is not 
feasible for the issuer. Based on comments, we revisited whether, on 
balance, requiring issuers to submit data that represents a majority of 
their covered lives in the geographic region and during the time frame 
of the non-public analyses requested by the issuer is generally the 
most appropriate threshold. In doing so, we recognized that in some 
cases an issuer may wish to have analyses for a geographic region where 
it does not provide coverage. However, we believe that in those 
instances the issuer should not be able to receive analyses due to the 
requirement at section 105(a)(1)(B)(ii) of MACRA, that a qualified 
entity may only provide or sell analyses to issuers that have provided 
the qualified entity with data. Therefore, we are modifying our 
proposed requirement around the issuer's claims data submission 
threshold to clarify that qualified entities may not provide or sell 
analyses to issuers when the analyses include geographic areas where 
the issuer does not offer coverage.
    We would like to clarify, however, that the requirement that an 
issuer provide the qualified entity with claims data for at least 50 
percent of its covered lives for the time period and geographic region 
covered by the analyses does not mean that all analyses provided or 
sold to the issuer would need to be based on analyses that considered 
at least 50 percent of the issuers' covered lives. So long as Medicare 
data is combined with other claims data to create the analyses, certain 
analyses, such as those on rare diseases, could be based only on a 
subset of the Medicare claims data and other claims data collected by 
the qualified entity. For example, an issuer could provide data for at 
least 50 percent of their covered lives for the time period and 
geographic region of the non-public analyses to a qualified entity. The 
qualified entity could then use a subset of that data, such as patients 
with a specific rare disease, combine it with Medicare data for 
patients with that rare disease, and provide or sell analyses about 
patients with the rare disease to the issuer. We would like to note, 
however, that qualified entities will need to be careful when producing 
analyses for issuers based on small populations and limited claims data 
to ensure that the resulting analyses truly are patient de-identified.
    We understand the desire to create an exceptions process to allow 
issuers who do not contribute a majority of their covered lives in the 
geographic region and during the timeframe of the non-public analyses 
requested by the issuer to receive analyses. However, we believe that 
imposing a standard threshold for issuer covered lives across all 
qualified entities and issuers is the simplest and least 
administratively burdensome method to ensure equal treatment of 
qualified entities and issuers under this program.
    We also understand the interest in allowing qualified entities to 
provide or sell analyses to health insurance issuers who have made a 
good faith commitment to provide the qualified entity with claims data 
for the majority of their covered lives in the geographic region and 
during the time frame of the non-public analyses requested by the 
issuer. However, we believe that this type of policy could reduce the 
incentives for issuers to share their data with the qualified entity.
    Comment: Several commenters recommended that CMS provide additional 
clarity around the requirements for issuers' claims data submissions to 
the qualified entity. One commenter stated that qualified entities 
should be allowed to meet the covered lives threshold regardless of 
whether they have obtained the claims information directly from the 
issuer or indirectly from a third party. Several commenters recommended 
that CMS provide additional details on the term covered lives to 
clarify how this would be assessed in certain circumstances, such as 
when an issuer is a secondary payer or a member is not enrolled for a 
full year.
    Response: Qualified entities may only provide or sell analyses to 
an issuer if they receive claims data from the issuer. Such data can be 
provided directly by the issuer, or it can be submitted on the 
issuer's behalf by an issuer's business associate. Regardless, the 
qualified entity is responsible for ensuring that the issuer or the 
issuer's business associate is truly providing the qualified entity 
with claims data for a majority of the issuer's covered lives in the 
geographic region and during the timeframe of the non-public analyses 
requested by the issuer.
    We recognize the desire to allow use of data from other sources to 
meet the issuer's claims submission threshold. However, due to the 
statutory limits on to whom the qualified entity may release patient 
identifiable data, we do not believe it would be possible for an issuer 
to ever verify whether the data the qualified entity holds is 
representative of the majority of the issuer's covered lives in the 
applicable geographic region during the applicable time frame unless 
the issuer or its business associate was the source of such data.
    Regarding the definition of covered lives, we recognize that there 
is no commonly accepted definition of covered lives. We plan to rely on 
the methods of calculating covered lives established in regulations 
promulgated by the Internal Revenue Service (IRS) in December of 2012. 
These regulations at 26 CFR 46.4375-1(c)(2) offer issuers four methods 
for calculating the average number of lives covered under a specified 
health insurance policy--(1) the actual count method, (2) the snapshot 
method, (3) the member months method, and (4) the state form method--
and provide both the calculation method and an example for each of the 
four methods for counting covered lives. These calculations all only 
apply to health insurance policies and we would like to clarify that 
the calculation of covered lives for purposes of the qualified entity 
program does not include dental, disability, or life insurance 
policies. We have modified the regulatory text at Sec.  401.716(b)(1) 
to refer directly to the IRS regulations.
    Second, we proposed that except when patient-identifiable non-
public analyses are shared with the patient's provider or supplier, all 
non-public analyses must be patient de-identified using the de-
identification standards in the HIPAA Privacy Rule at 45 CFR 
164.514(b). Additional information on the HIPAA de-identification 
standards can be found on the HHS Office for Civil Rights Web site at 
http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html. We also proposed a definition for patient.
    Comment: Many commenters stated that they agreed with CMS' proposal 
that analyses must be de-identified unless the recipient is the 
patient's provider or supplier. One commenter suggested that CMS allow 
other authorized users to receive patient-identifiable analyses, 
stating that patient-identifiable data will be equally valuable to the 
additional proposed authorized users, and that patients can also 
directly benefit from the sharing of patient-identifiable data beyond 
suppliers and providers.
    Response: We thank commenters for their support. While we can see 
some advantages to sharing patient-identifiable analyses with other 
types of authorized users, the statutory language at Section 
105(a)(3)(B) of MACRA states that analyses may not contain any 
information that individually identifies a patient unless the analyses 
are provided or sold to the patient's provider or supplier. Given the 
statutory requirements, we are finalizing our proposal that patient-
identifiable analyses should only be shared with the patient's provider 
or supplier.
    Comment: Many commenters stated that they agreed with the proposal 
to use the de-identification standards in the HIPAA Privacy Rule. 
However, one commenter suggested that CMS modify the HIPAA de-
identification standards to allow inclusion of full patient five-digit 
zip code without population thresholds and inclusion of the month 
element for all dates directly related to a patient, including date of 
death but excepting date of birth. This commenter stated that this 
additional information would empower providers and suppliers to fully 
evaluate their care and quality improvement efforts on a timely and 
ongoing basis with insight into geographic and temporal factors and 
patterns.
    Response: The framework for de-identification that is described in 
the HIPAA Privacy Rule represents an industry standard for de-
identification of health information. Additional information on the 
HIPAA de-identification standards can be found on the HHS Office for 
Civil Rights Web site at http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html. We believe that 
modifying this framework for the purposes of the qualified entity 
program would be likely to create confusion among qualified entities 
and authorized users, many of whom are or will be HIPAA covered 
entities or their business associates.
    Comment: One commenter noted a technical issue at Sec.  
401.716(b)(3) where the text inappropriately referenced Sec.  
401.716(c)(2). One commenter suggested CMS clarify whether the data 
used in the analysis needs to be de-identified at the time of the 
analysis or whether the analysis itself has to be de-identified at the 
time it is shared with an authorized user.
    Response: We thank the commenter for noting this technical issue 
and have fixed the reference to Sec.  401.716(b)(2). We would also like 
to clarify that the data used by the qualified entity to conduct the 
analyses does not need to be de-identified, but the analyses must be 
patient de-identified before they are shared with or sold to an 
authorized user unless the recipient is the patient's provider or 
supplier.
    Comment: We received a number of comments on the definition of a 
patient. Many commenters stated that the time period of 12 months for a 
face-to-face or telehealth appointment was not sufficient. One 
commenter recommended extending the period to 18 months, while several 
other commenters suggested a timeframe of 24 months. These commenters 
noted that stabilized patients do not necessarily visit their physician 
every year. Another commenter suggested that a patient be defined as an 
individual who has visited the provider or supplier at least once 
during the timeframe for which the analysis is being conducted.
    Response: We acknowledge that healthy patients may not visit a 
provider or supplier every year. As a result, we are changing the 
definition of a patient to have a timeframe of the past 24 months for a 
face-to-face or telehealth appointment.
    Comment: One commenter recommended that the definition of a patient 
be expanded beyond an affiliation with a provider or supplier to an 
affiliation with an issuer, employer, or state agency or any other 
authorized user.
    Response: As noted above, we believe Section 105(a)(3)(B) of MACRA 
only permits patient-identifiable information to be shared by a 
qualified entity with the patient's provider or supplier.
    Third, we proposed to bar qualified entities' disclosure of non-
public analyses that individually identify a provider or supplier 
unless: (a) The analysis only individually identifies the singular 
recipient of the analysis or (b) each provider or supplier who is 
individually identified in a non-public analysis that identifies 
multiple providers/suppliers has been afforded an opportunity to review 
the aspects of the analysis about them, and, if applicable, request 
error correction. We describe the proposed appeal and error correction 
process in more detail in section II.A.4 below.
    Comment: Several commenters recommended that providers and 
suppliers should not have the opportunity to review and request error 
correction for analyses that individually identify the provider or 
supplier. These commenters noted in particular that analyses 
identifying fraud or abuse should not be reviewed by the provider in 
advance of being shared with the authorized user. One commenter 
suggested that a review and error corrections process for non-public 
reports only be triggered when a provider or supplier is individually 
identified and his or her performance is evaluated in the manner 
described in section 1874(e)(4)(C). Another commenter recommended that 
when a group of providers are identified as part of a practice group 
(that is, part of the same Tax Identification Number), and prior 
consent by the providers has been obtained, the practice group should 
be considered the entity that can receive analyses for the individual 
providers in the practice.
    Response: We believe that Section 105(a)(6) of MACRA requires that 
qualified entities allow providers and suppliers an opportunity to 
review analyses that individually identify the provider or supplier 
and, when needed, request error correction in the 
analyses. In addition, regardless of the statutory requirements, we 
believe that providers and suppliers should not be evaluated by a 
qualified entity without having a chance to review and, when needed, 
request error correction in the analyses. For example, it would not be 
fair for an issuer to move a provider to a different network tier based 
on analyses that did not correctly attribute patients to that provider. 
We recognize that the review and corrections process may lead to some 
limitations in the development of certain types of analyses, such as 
those identifying fraud and abuse. However, we believe that creating 
different standards for different types of analyses would be too 
administratively complex to implement, and could create tensions 
between providers and suppliers and qualified entities over whether an 
analysis warranted review by the provider or supplier before it was 
shared with an authorized user.
    However, we recognize that in many cases providers or suppliers may 
wish to allow certain authorized users to receive analyses without the 
need for a review process. For example, clinicians that are part of a 
group practice may want to allow their practice manager, who may be 
functioning as the clinician's business associate, to receive analyses 
without first going through a provider/supplier review or being subject 
to a request for correction. We believe that the decision about who 
should be able to receive analyses that individually identify a 
provider or supplier without such review and opportunity to correct 
should rest with the individual provider or supplier. As a result, we 
are adding a third exception to the bar on disclosure of non-public 
analyses that individually identify a provider or supplier to allow 
providers or suppliers to designate, in writing, the authorized user(s) 
that may receive analyses from the qualified entity without first 
giving the provider or supplier individually identified in the 
analysis/es the opportunity to review the analyses, and, if applicable, 
request error correction.
    Comment: One commenter recommended that CMS add clarity to what it 
means to ``individually identify'' a provider or supplier and stated 
that the definition should indicate that to individually identify means 
to use direct identifiers such as name or provider number for a 
provider or supplier that is an individual person. This commenter 
suggested that naming a physician group or clinic that is not itself a 
provider or supplier (but that may be comprised of individual providers 
or suppliers) would not count as individually identifying a provider or 
supplier. Another commenter suggested that the review and corrections 
process only apply to the entity that the analyses focus on. For 
example, if the qualified entity is conducting analyses of episodes of 
care for patients with joint replacement at a given hospital, the 
analyses may include findings on many different providers and 
suppliers, such as surgeons, skilled nursing facilities, home health 
agencies, and others. In this case, the commenter recommended that only 
the hospital be given the opportunity to review and request correction 
of errors.
    Response: Regardless of whether they are an individual clinician, 
group practice, or facility and regardless of whether they are the 
direct subject of the report, we believe section 105(a)(6) of MACRA 
requires that qualified entities allow providers and suppliers the 
opportunity to review and request correction of errors in analyses that 
identify the provider or supplier. Group practice and facility-level 
providers and suppliers, as well as those indirectly evaluated in 
analyses, face as much reputational harm from the dissemination of 
incorrect information about care delivery and costs as individual 
clinicians or those directly evaluated in the analyses. We have added 
language to clarify this requirement at Sec.  401.716(b)(4).
    Comment: One commenter suggested that CMS implement a process to 
proactively educate providers and suppliers regarding the review, 
corrections, and appeals process for non-public analyses.
    Response: We believe that many qualified entities that decide to 
disclose analyses that individually identify a provider or supplier 
will choose to do an education campaign with providers and suppliers in 
their region to ensure that any necessary review and error correction 
processes go smoothly. This will allow the qualified entity to build a 
direct relationship with the provider or supplier. In addition, since 
providers and suppliers are one of the types of authorized users that 
qualified entities can provide or sell non-public analyses and data to, 
we believe that qualified entities will proactively attempt to build 
strong relationships with the provider and supplier community in their 
region. As a result, while we see a small role for CMS to play in 
educating providers and suppliers about the review and error correction 
process through our usual provider outreach channels, we believe 
qualified entities will play the main role in provider and supplier 
education about the review, corrections, and appeals process.
    Comment: Several commenters suggested additional limitations that 
CMS should impose on qualified entities with respect to the disclosure 
of non-public analyses. One commenter recommended that CMS require 
qualified entities to provide authorized users with a detailed 
methodology of statistical analyses to ensure their validity. This 
commenter also stated that CMS should require qualified entities to 
follow an appropriate methodology in attributing costs to providers. 
Another commenter suggested that evaluations of physician performance 
should be required to have data from at least two sources.
    Response: With regard to the suggestions around statistical 
validity and cost attribution, we believe that these are issues that 
the qualified entity should discuss directly with the authorized user 
who is receiving or purchasing the analyses. We expect that most, if 
not all, authorized users will expect the qualified entity to include 
some description of the methodology for the analyses along with the 
report, but that the level of detail and content needed by each 
authorized user may vary. In addition, authorized users may have 
different ideas about the most appropriate method for cost attribution 
and we believe that they should be able to work with the qualified 
entity to make a determination for how to

[[Page 44461]]

attribute costs to providers and suppliers. On the issue of requiring 
at least two sources of data, we believe that section 105(a)(1)(A) of 
MACRA requires that the non-public analyses be based on the combined 
data described in 1874(e)(4)(B)(iii) as ``data made available under 
this subsection with claims data from sources other than claims data 
under this title''.
3. Limitations on the Authorized User
    We proposed to require the qualified entity's use of legally 
binding agreements with any authorized users to whom it provides or 
sells non-public analyses. For non-public analyses that only include 
patient de-identified data, we proposed to require the qualified entity 
to enter into a contractually binding non-public analyses agreement 
with any authorized users as a pre-condition to providing or selling 
such non-public analyses.
    Comment: Several commenters stated that they supported the use of a 
legally binding agreement between the qualified entity and the 
authorized user. One commenter suggested that CMS develop a standard 
non-public analyses agreement for qualified entities to use with 
authorized users.
    Response: We thank commenters for their support of this proposal. 
We believe that many qualified entities will have existing agreements 
with authorized users that cover the use and disclosure of analyses 
related to their claims data from other sources. While there may be 
some value in providing organizations new to this type of work a 
template for the agreement, we believe that qualified entities would be 
better served by engaging with their own legal counsel to ensure the 
agreement meets their specific needs.
    For non-public analyses that include patient identifiable data, we 
proposed to require the qualified entity to enter into a qualified 
entity Data Use Agreement (QE DUA) with any authorized users as a pre-
condition to providing or selling such non-public analyses. As we also 
proposed to require use of the QE DUA in the context of the provision 
or sale of combined data, or the provision of Medicare data at no cost, 
we discuss our proposals related to the QE DUA and associated comments 
in the data disclosure discussion in section II.B below.

Requirements in the Non-Public Analyses Agreement

    The statute generally allows qualified entities to provide or sell 
their non-public analyses to authorized users for non-public use, but 
it bars use or disclosure of such analyses for marketing (see section 
105(a)(3)(c) of MACRA). We proposed additional limits on the non-public 
analyses, given the expansive types of non-public analyses that could 
be conducted by the qualified entities if no limits are placed on such 
analyses, and the potential deleterious consequences of some such 
analyses.
    First, we proposed that the non-public analyses agreement require 
that non-public analyses conducted using combined data or the 
information derived from the evaluations described in section 
1874(e)(4)(D) of the Act may not be used or disclosed for the following 
purposes: Marketing, harming or seeking to harm patients and other 
individuals both within and outside the healthcare system regardless of 
whether their data are included in the analyses (for example, an 
employer using the analyses to attempt to identify and fire employees 
with high healthcare costs), or effectuating or seeking opportunities 
to effectuate fraud and/or abuse in the healthcare system (for example, 
a provider using the analyses to identify ways to submit fraudulent 
claims that might not be caught by auditing software). We also proposed 
to adopt the definition of marketing at 45 CFR 164.501 in the HIPAA 
Privacy Rule.
    Comment: Many commenters stated that they supported the proposed 
restrictions on the use of the non-public analyses. One commenter 
suggested that CMS provide greater clarification on what would 
constitute harm to patients and other individuals both within and 
outside the healthcare system. This commenter suggested that harm 
should include activities that would create overly tiered networks that 
could exclude high quality providers, as well as efforts to limit 
patient access to certain treatments or drugs or steer patients to 
certain practices based solely on cost.
    Response: We thank commenters for their support of the restrictions 
on the use of the analyses. On further consideration, we agree that the 
industry may benefit from additional guidance regarding these 
restrictions. Therefore, we anticipate providing additional sub-
regulatory guidance on the standards adopted in this rule for the 
Qualified Entity Certification Program Web site at https://www.qemedicaredata.org/SitePages/home.aspx.
    As we did not receive any comments on the proposed definition of 
marketing, we will finalize the definition without modification.
    Second, in accordance with section 105(a)(1)(B)(i) of MACRA, we 
proposed to require that any non-public analyses provided or sold to an 
employer may only be used by the employer for the purposes of providing 
health insurance to employees and retirees of the employer. We also 
further proposed that if the qualified entity is providing or selling 
non-public analyses to an employer that this requirement be included in 
the non-public analyses agreement. We did not receive any comments on 
this proposal, so are finalizing it without modification.
    We also proposed to require qualified entities to include in the 
non-public analysis agreement a requirement to limit re-disclosure of 
non-public analyses or derivative data to instances in which the 
authorized user is a provider or supplier, and the re-disclosure is as 
a covered entity would be permitted under 45 CFR 164.506(c)(4)(i) or 
164.502(e)(1). Accordingly, a provider or supplier may only re-disclose 
-identifiable health information to a covered entity for the purposes 
of the covered entity's quality assessment and improvement or for the 
purposes of care coordination activities, where that entity has a 
patient relationship with the individual who is the subject of the 
information, or to a business associate of such a covered entity under 
a written contract. We also generally proposed to require qualified 
entities to use a non-public analyses agreement to explicitly bar 
authorized users that are not providers or suppliers from re-disclosure 
of the non-public analyses or any derivative data except to the extent 
a disclosure qualifies as a ``required by law'' disclosure.
    Comment: Several commenters suggested that authorized users be 
allowed to re-disclose analyses in order to publish research findings 
provided the analyses do not individually identify a provider. These 
commenters noted that public health interests can be served by allowing 
the disclosure of research findings to the public. One commenter 
recommended allowing broad re-disclosure of analyses when the 
information is beneficiary de-identified, stating that this is 
necessary to reduce cost and improve patient care across the healthcare 
system. Several commenters suggested that authorized users be allowed 
to re-disclose analyses for the purposes of developing products or 
services, such as analytic tools, algorithms, and other innovations for 
improving health outcomes.
    Response: The statutory language at section 105(a)(5) of MACRA 
states that authorized users may not re-disclose or make public any 
analyses, with the exception of allowing providers and suppliers to re-
disclose analyses, as determined by the Secretary, for the

[[Page 44462]]

purposes of care coordination and performance improvement activities. 
As a result, we are finalizing the proposed language on re-disclosure 
of analyses without modification. However, we would like to note that 
CMS currently makes data available to researchers outside of this 
qualified entity program, including those interested in developing 
products or tools. Individuals and organizations interested in 
accessing CMS data for research purposes should visit the Research Data 
Assistance Center (ResDAC) at www.resdac.org for more information.
    Fourth, we proposed to require qualified entities to impose a 
legally enforceable bar on the authorized user's linking de-identified 
analyses (or data or analyses derived from such non-public analyses) to 
any other identifiable source of information or in any other way 
attempting to identify any individual whose de-identified data is 
included in the analyses or any derivative data.
    Comment: One commenter stated that an authorized user should be 
allowed to link the analyses that contain patient identifiers or any 
derivative data with other sources when this information is limited to 
their own patients.
    Response: We would like to highlight that the restriction on 
linking analyses only applies to de-identified analyses. To the extent 
providers and suppliers are receiving identifiable information on their 
own patients, the restriction on linking to any other identifiable 
source of information does not apply.
    Finally, we proposed to require qualified entities to use their 
non-public analyses agreements to bind their non-public analyses 
recipients to reporting any violation of the terms of that non-public 
analyses agreement to the qualified entity. We did not receive any 
comments on this proposal, so are finalizing it without modification.
4. Confidential Opportunity To Review, Appeal, and Correct Analyses
    In accordance with section 105(a)(6) of MACRA, we proposed that 
the qualified entity must follow the confidential review, appeal, and 
error correction requirements established at 401.717(f) under section 
1874(e)(4)(C)(ii) of the Act.
    Comment: We received a wide-ranging set of comments on the proposed 
review and corrections process. Several commenters supported the 
proposed review and corrections process. Many commenters suggested 
changes to the review process for non-public analyses. In general these 
commenters cited the burden of the proposed process for qualified 
entities and recommended options to make the process less burdensome. 
However, other commenters focused on the need for providers and 
suppliers to have enough time to ensure the analyses are accurate.
    Several commenters suggested provider or supplier notification as 
the first step for review of non-public analyses. One commenter 
recommended creating an alternative approach to individualized appeals, 
such as an accreditation process. Another commenter suggested that when 
a non-public analysis is released to one or more authorized users, or 
when a non-public analysis is subsequently used for a public report, 
the qualified entity need only provide an opportunity for the provider 
or supplier to have reviewed and, if necessary, requested error 
correction once before the initial release of the analysis. Another 
commenter recommended that providers and suppliers only be given one 
chance to request error correction of the underlying data, after which 
the data could be used in any future non-public analyses.
    A few commenters suggested that a 60-day period to review the 
analyses may not be sufficient. On the other hand, several commenters 
suggested a 30-day review period for non-public analyses, while another 
commenter suggested giving providers and suppliers an ongoing right to 
review the analyses and request error correction.
    Response: We appreciate commenters' concerns about allowing 
providers and suppliers the necessary time to review analyses as well 
as the concerns about the burden on qualified entities of implementing 
the public reporting review and corrections process for non-public 
analyses. However, as noted in the proposed rule, we also believe using 
the same process for review and error correction for both the non-
public analyses and the public reports creates continuity and a balance 
between the needs and interests of providers and suppliers and those of 
the qualified entities, authorized users, and the public.
    That said, on further consideration, we believe that the addition 
of a procedural step whereby the qualified entity would confidentially 
notify a provider or supplier about the non-public analyses and give 
the provider or supplier the opportunity to opt-in to the review and 
error correction process established at Sec.  401.717(a) through (e) is 
both consistent with the statute and has the potential to reduce the 
burden on both qualified entities and providers and suppliers. In some 
cases, notification may be sufficient to meet the needs of a provider 
or supplier and, as a result, the provider or supplier will choose not 
to opt-in to the review and correction process, reducing the paperwork 
and resource burden for both the qualified entity and the provider/
supplier. In addition, where the analyses are similar to previous 
analyses or use data the provider or supplier has already corrected, 
the provider or supplier may also choose not to review the analyses.
    Under this procedural step, a qualified entity must confidentially 
notify a provider or supplier that non-public analyses that 
individually identify the provider or supplier are going to be released 
at least 65 calendar days before disclosing the analyses to the 
authorized user. The first five days of the 65-day period are intended 
to allow time to notify the provider or supplier, and to allow them 
time to respond to the qualified entity. The next sixty days reflect 
the sixty-day review period in Sec.  401.717(a) through 
(e). The confidential notification about the non-public analyses should 
include a short summary of the analyses (which must include the 
measures being calculated, but does not have to include the 
methodologies and measure results), the process for the provider or 
supplier to request the analyses, the authorized users receiving the 
analyses, and the date on which the qualified entity will release the 
analyses to the authorized users. This notification can cover multiple 
non-public analyses that use different datasets and measures. The 65-
day period begins on the date the qualified entity sends or emails the 
notification to providers and suppliers. As we presume some qualified 
entities may utilize National Provider Identifier (NPI) data as a means 
of contacting providers and suppliers, we would like to use this 
opportunity to remind providers and suppliers of the need to keep their 
NPI information up-to-date.
    At any point during this 65-day period, the qualified entity must 
allow the provider or supplier to opt-in to the review and error 
correction process established at Sec.  401.717(a) through (e) and 
request copies of the analyses and, where applicable, access to the 
data used in the analyses, and to request the correction of any errors 
in the analyses. However, if the provider or supplier chooses to opt-in 
to the review and correction process more than 5 days into the 
notification period, the time for the review and correction process is 
shortened from the regulatory 60 days in Sec.  401.717(a) through (e) to 
the number of days remaining between the provider or supplier opt-in 
date and the release

[[Page 44463]]

date specified in the confidential notification.
    We understand the desire to create an alternative approach to 
individualized appeals, such as an accreditation process. However, we 
believe the statutory language at Section 105(a)(6) of MACRA requires 
that qualified entities allow providers and suppliers an opportunity to 
review analyses that individually identify the provider or supplier 
and, when needed, request error correction in the 
analyses. In addition, as stated above, regardless of the statutory 
requirements, we believe that providers and suppliers should not be 
evaluated by a qualified entity without having a chance to review and, 
when needed, request error correction in the analyses.
    Comment: One commenter recommended that qualified entities not be 
allowed to provide or sell analyses to an authorized user while an error 
correction request is outstanding.
    Response: We acknowledge the interest of providers and suppliers in 
ensuring that any analyses correctly represent their care delivery 
patterns and costs. However, we are concerned that providers and 
suppliers may make spurious requests for error correction in order to 
prevent the authorized user from receiving the analyses. As a result, 
we will maintain the provisions that allow qualified entities to 
release the non-public analyses after the 65-day period regardless of 
the status of error corrections. As with the public reporting, the 
qualified entity must inform the authorized user if a request for error 
correction is outstanding when the analyses are delivered to the 
authorized user, and, if applicable, provide corrected analyses if 
corrections are ultimately made.

B. Dissemination of Data and the Use of QE DUAs for Data Dissemination 
and Patient-Identifiable Non-Public Analyses

    Subject to other applicable law, section 105(a)(2) of MACRA expands 
the permissible uses and disclosures of data by a qualified entity to 
include providing or, where applicable, selling combined data for non-
public use to certain authorized users, including providers of 
services, suppliers, medical societies, and hospital associations for 
use in developing and participating in quality and patient care 
improvement activities. Section 105(a)(3)(B) of MACRA. Subject to the 
same limits, it also permits a qualified entity to provide Medicare 
claims data for non-public use to these authorized users; however, a 
qualified entity may not charge a fee for providing such Medicare 
claims data. In addition, in order to provide or sell combined data or 
Medicare data, section 105(a)(4) of MACRA instructs the qualified 
entity to enter into a DUA with their intended data recipient(s).
1. General Requirements for Data Dissemination
    To implement the provisions in Section 105(b) of MACRA, we proposed 
to provide that, subject to other applicable laws (including applicable 
information, privacy, security and disclosure laws) and certain defined 
program requirements, including that the data be used only for non-
public purposes, a qualified entity may provide or sell combined data 
or provide Medicare claims data at no cost to certain authorized users, 
including providers of services, suppliers, medical societies, and 
hospital associations. Where a qualified entity is a HIPAA-covered 
entity or is acting as a business associate, compliance with other 
applicable laws will include the need to ensure that it fulfills the 
requirements under the HIPAA Privacy Rule, including the restriction on 
the sale of PHI at 45 CFR 164.502(a)(5)(ii).
    Comment: Several commenters stated that CMS should provide 
additional clarity on the term no cost as it relates to the provision 
of Medicare data. For example, commenters stated that qualified 
entities may wish to charge a fee for entering into a data use 
agreement with an authorized user, but then not charge for the data. In 
addition, some of these commenters recommended that CMS allow qualified 
entities to recoup the costs associated with providing Medicare data at 
no cost. These commenters stated that there is a cost associated with 
providing claims data to authorized users, such as staff time to create 
the data extract and encrypt the file.
    Response: We understand that qualified entities will face costs 
providing Medicare data to authorized users. However, section 
105(a)(2)(C) of MACRA expressly states that, if a qualified entity were 
to elect to make Medicare claims data available, such data must be 
``provided'' at no cost. We believe that the paperwork and processing 
costs associated with accepting and fulfilling Medicare claims data 
requests are an integral part of the ``provision'' of data. As such, 
qualified entities may not charge authorized users for the Medicare 
data itself or any activity associated with requests for or the 
fulfillment of Medicare data requests (such as the processing of a data 
use agreement). However, we also note that the qualified entity is not 
required to offer authorized users the opportunity to request Medicare 
claims data. Qualified entities may choose to only offer authorized 
users the opportunity to receive or purchase combined data. Qualified 
entities may also choose not to allow authorized users to request data 
at all.
    Comment: One commenter suggested that CMS require qualified 
entities to sell the combined data at a reasonable price which reflects 
their actual cost.
    Response: We appreciate the commenter's interest in ensuring 
qualified entities charge authorized users reasonable fees for combined 
data. However, we believe that qualified entities should be allowed to 
determine the appropriate fee to charge authorized users for access to 
the combined data. If qualified entities set their prices too high, 
authorized users have the choice of not buying the data, or potentially 
obtaining the data from another qualified entity with more reasonable 
pricing.
    Comment: One commenter recommended that CMS provide additional 
clarity on the threshold for the amount of other data that must be 
combined with the Medicare data in order for the qualified entity to 
sell the combined data.
    Response: As discussed above, we have not established a threshold 
for the amount of other data that must be combined with the Medicare 
data. It is our expectation that qualified entities will use sufficient 
claims data from other sources to ensure validity and reliability.
2. Limitations on the Qualified Entity Regarding Data Disclosure
    In accordance with section 105(a)(2), we proposed to place a number 
of limitations on the sale or provision of combined data and the 
provision of Medicare claims data by qualified entities, including 
generally barring the disclosure of patient-identifiable data obtained 
through the qualified entity program.
    Comment: Several commenters stated that CMS should provide 
additional clarity around whether the data must go through a review and 
corrections process before it is disclosed to an authorized user. One 
commenter recommended that providers and suppliers be allowed to 
review, appeal, and correct the data before it is disclosed.
    Response: Section 105(a)(6) of MACRA only requires a review and 
corrections process when a qualified entity is providing or selling an 
analysis to an authorized user. While we understand that some providers 
and

[[Page 44464]]

suppliers may wish to ensure that their data is correct before it is 
shared with an authorized user, we believe that this process would be 
very rigorous and burdensome for the qualified entity and would have 
little value for most providers and suppliers.
    We proposed to require any combined data or Medicare claims data 
that is provided to an authorized user by a qualified entity under 
subpart G be beneficiary de-identified in accordance with the de-
identification standards in the HIPAA Privacy Rule at 45 CFR 
164.514(b). We also proposed an exception that would allow a qualified 
entity to provide or sell patient-identifiable combined data and/or 
provide patient-identifiable Medicare claims data at no cost to an 
individual or entity that is a provider or supplier if the provider or 
supplier has a patient relationship with every patient about whom 
individually identifiable information is provided and the disclosure is 
consistent with applicable law.
    Comment: Several commenters agreed with the proposal to only allow 
identifiable data to be disclosed to providers or suppliers with whom 
the identified individuals have a patient relationship. One commenter 
suggested that qualified entities be allowed to share limited data sets 
(as defined in HIPAA) with providers and suppliers for individuals who 
are not their patients. Another commenter recommended that qualified 
entities be allowed to disclose patient-identifiable data to health 
plans.
    Response: Section 105(a)(3) of MACRA requires that data disclosed 
to an authorized user not contain information that individually 
identifies a patient unless the data is being shared with that 
patient's provider or supplier. We further note that limited data sets 
include indirect identifiers, and, as such, are subject to that 
mandate. While we can imagine that health systems would be interested 
in conducting population-wide analyses that look at disease incidence 
or care delivery patterns, we believe these types of analyses can be 
conducted using de-identified data. In addition, authorized users that 
may not receive patient-identifiable data, such as issuers, could ask 
the qualified entity to conduct analyses on these topics, and purchase 
or receive the patient-deidentified analyses that result from such 
efforts.
    Second, we proposed to require qualified entities to bind the 
recipients of their data to a DUA that will govern the use and, where 
applicable, re-disclosure of any data received through this program 
prior to the provision or sale of such data to an authorized user.
    Comment: Several commenters stated that they agreed with the 
proposal to require qualified entities to bind authorized users who 
receive data to a DUA. One commenter recommended that when the required 
``QE DUA'' (the DUA between the Qualified Entity (QE) and the 
Authorized User) provisions already exist in another contract between 
the qualified entity and the authorized user, the qualified entity 
should not be required to re-paper those terms.
    Response: We thank commenters for their support of this proposal. 
In cases where all the terms of the QE DUA at Sec.  401.713(d) are 
contained in a contractually binding agreement between the qualified 
entity and the authorized user, we do not intend to require the 
qualified entity to re-paper that agreement as a QE DUA.
3. Data Use Agreement (DUA)
    A qualified entity must enter a DUA with CMS as a condition of 
receiving Medicare data. Furthermore, in accordance with Section 
105(a)(4) of MACRA, we proposed to require the execution of a DUA as a 
precondition to a qualified entity's provision or sale of data to an 
authorized user. As discussed above, we also proposed to require the 
qualified entity to enter into a DUA with any authorized user as a 
precondition to providing or selling non-public analyses that include 
patient-identifiable data. To help differentiate the DUA between CMS 
and the qualified entity from the DUAs between the qualified entity and 
the authorized user, we proposed certain clarifying changes that 
recognize that there are now two distinct DUAs in the qualified entity 
program--the CMS DUA, which is the agreement between CMS and a 
qualified entity, and what we will refer to as the QE DUA, which will 
be the legally binding agreement between a qualified entity and an 
authorized user.
    Comment: Several commenters had overall comments on the QE DUA. One 
commenter recommended that CMS create a standard QE DUA. Another 
commenter stated that the data released to authorized users should not 
be subject to discovery or admitted into evidence without the provider 
or supplier's consent. A few commenters suggested that the QE DUA 
include a provision that prevents the disclosure of competitively 
sensitive data, such as Part D bid information. Finally, one commenter 
suggested that authorized users should have some direct responsibility 
for actions that run afoul of contractual requirements.
    Response: As noted above, qualified entities may have existing 
agreements with authorized users where all required QE DUA elements are 
covered, and we are not requiring re-papering in those instances. 
Furthermore, also as noted above, we believe that qualified entities 
without existing agreements would be better served by engaging with 
their own legal counsel to ensure the QE DUA meets their specific 
needs.
    As discussed above, we believe the statutory requirement that data 
not be subject to discovery or admitted into evidence without the 
provider or supplier's consent only applies to data released to the 
qualified entity under 1874(e) and when that data is in the possession 
of the qualified entity.
    Regarding concerns about disclosure of competitively sensitive 
information, qualified entities only receive Medicare Parts A and B 
claims data and certain Part D drug event data from CMS. In addition, 
we only provide qualified entities with aggregated Part D cost 
information, not the proprietary individual component costs. As a 
result, we do not believe there is a risk that qualified entities would 
be in a position to disclose competitively sensitive information to 
authorized users.
    Finally, as we stated in the proposed rule, we only have authority 
to impose requirements on the qualified entity. As a result, we must 
rely on the qualified entity to impose legally enforceable obligations 
on the authorized user.

Requirements in the QE DUA

    In Sec.  401.713(d), we proposed a number of contractually binding 
provisions that would be included in the QE DUA. First, we proposed to 
require that the QE DUA contain certain limitations on the authorized 
user's use of the combined data and/or Medicare claims data and/or non-
public analyses that contain patient-identifiable data and/or any 
derivative data (hereinafter referred to as data subject to the QE DUA) 
to those purposes described in the first or second paragraph of the 
definition of ``healthcare operations'' under 45 CFR 164.501, or that 
which qualifies as ``fraud and abuse detection or compliance 
activities'' under 45 CFR 164.506(c)(4). We also proposed to require 
that all other uses and disclosures of data subject to the QE DUA be 
prohibited except to the extent a disclosure qualifies as a ``required 
by law'' disclosure. We did not receive any comments on our proposal to 
allow authorized users to use the data subject to the QE DUA for the 
purposes described in the first or second paragraph of the definition 
of ``healthcare operations'' under 45 CFR 
164.501. Therefore, we are finalizing our proposal. In doing so, we 
identified inadvertent drafting errors in the proposed regulatory text 
at Sec.  401.713(d)(1)(i)(A) and (B) (mis-identifying which activities 
fell into which paragraphs of 45 CFR 164.501). We have therefore 
corrected those draft regulatory provisions to conform the new 42 CFR 
401.713(d)(1)(i)(A) and (B) with the content of the first and second 
paragraphs of the definition of health care operations under 45 CFR 
164.501.
    Comment: We received several comments on allowing authorized users 
to use the data subject to the QE DUA for purposes which qualify as 
``fraud and abuse detection or compliance activities'' under 45 CFR 
164.506(c)(4). Several commenters stated that allowing use of the 
data subject to the QE DUA for fraud and abuse detection is unwarranted 
and without basis in the statutory text. However, another commenter 
explicitly supported use of the data subject to the QE DUA to bolster 
efforts to fight fraud. One commenter suggested the addition of 
``waste'' detection as an allowed use of the data subject to the QE 
DUA.
    Response: We believe that section 105(a)(3)(A)(ii) of MACRA is 
illustrative (providing for certain non-public uses ``including'' 
certain cross-referenced activities). It does not prevent use of the 
data for fraud and abuse detection and compliance activities. As a 
result, we are finalizing our proposal to allow authorized users to use 
the data subject to the QE DUA for fraud and abuse detection. While we 
can understand the interest in adding waste detection to the list of 
allowed uses of the data subject to the QE DUA, we believe it is best 
to stay consistent with the language established in HIPAA since many of 
the other authorized users receiving data subject to the QE DUA are also 
HIPAA covered entities.
    Comment: One commenter suggested that authorized users also be 
allowed to use the data subject to the QE DUA for ``treatment'' as 
defined under 45 CFR 164.501.
    Response: We agree that use of the data subject to the QE DUA for 
treatment purposes is a valid possible use of the data and consistent 
with the statute. As a result, we have modified the language at Sec.  
401.713(d)(1)(i) to include treatment.
    We also proposed to require qualified entities to use the QE DUA to 
contractually prohibit the authorized users from using the data subject 
to the QE DUA for marketing purposes. We did not receive any comments 
on this proposal, and are finalizing it without modification.
    We proposed at Sec.  401.713(d)(3) to require qualified entities to 
contractually bind authorized users using the QE DUA to protect 
patient-identifiable data subject to the QE DUA, with at least the 
privacy and security protections that would be required of covered 
entities and their business associates under the HIPAA Privacy and 
Security Rules. We proposed to require that the QE DUA contain 
provisions that require that the authorized user maintain written 
privacy and security policies and procedures that ensure compliance 
with these HIPAA-based privacy and security standards and the other 
standards required under this subpart for the duration of the QE DUA. 
We also proposed to require that QE DUA provisions detailing such 
policies and procedures survive termination of the QE DUA, whether for 
cause or not.
    Comment: One commenter suggested that CMS clarify that the QE DUA 
by itself does not make the authorized user a covered entity or 
business associate under HIPAA if the authorized user does not 
otherwise meet those definitions.
    Response: We wish to clarify that this rule does not comment on 
whether an entity is a covered entity or business associate under 
HIPAA. We are simply requiring the authorized users to comply with the 
privacy and security protections required of covered entities and their 
business associates under the HIPAA Privacy and Security Rules (that 
is, the authorized users must comply with those provisions as if they 
were acting in the capacity of a covered entity or business associate 
dealing with protected health information). We feel that such standards 
represent an industry-wide standard for the protection of patient-
identifiable data, and note that this requirement would be in keeping 
with section 105(a)(4) of MACRA.
    We also proposed at Sec.  401.713(d)(7) to require that the 
qualified entity use the QE DUA to contractually bind an authorized 
user as a condition of receiving data subject to the QE DUA under the 
qualified entity program to notify the qualified entity of any 
violations of the QE DUA. We did not receive any comments on this 
proposal, so are finalizing it without modification.
    In addition, we proposed at Sec.  401.713(d)(4) to require that the 
qualified entity include a provision in its QE DUAs that prohibits the 
authorized user from re-disclosing or making public data subject to the 
QE DUA except as provided in paragraph (d)(5). We proposed at Sec.  
401.713(d)(5) to require that the qualified entity use the QE DUA to 
limit providers' and suppliers' re-disclosures to a covered entity 
pursuant to 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Therefore, a 
provider or supplier would generally only be permitted to re-disclose 
data subject to the QE DUA to a covered entity or its business 
associate for activities focused on that covered entity's quality 
assessment and improvement, including the review of provider or 
supplier performance. We also proposed to require re-disclosure when 
required by law.
    Comment: Several commenters stated that they supported CMS' 
proposals related to re-disclosure of data. One commenter suggested 
that providers and suppliers be allowed to re-disclose data for direct 
patient care and issues of patient safety. Another commenter 
recommended that any authorized user be allowed to re-disclose de-
identified data for the purposes of publishing de-identified 
statistical results.
    Response: We thank commenters for their support of the re-
disclosure proposals. While we can understand interest in explicitly 
referencing issues of patient safety, we do not believe it is necessary 
given that the first paragraph of the definition of healthcare 
operations includes patient safety activities and, thus, issues of 
patient safety are permitted reasons for re-disclosure of the data. 
However, we recognize that as proposed, providers and suppliers would 
not be allowed to re-disclose the data subject to the QE DUA for 
treatment purposes. As a result, we are modifying the language at Sec.  
401.713(d)(5)(i) to allow providers and suppliers to re-disclose data 
subject to the QE DUA as a covered entity would be permitted to 
disclose PHI under 45 CFR 164.506(c)(2), which allows a covered entity 
to disclose data for the treatment activities of a healthcare provider.
    Regarding the recommendation to allow for re-disclosure of de-
identified data in order to publish statistical results, we do not 
believe that this purpose is consistent with section 105(a)(5)(A) of 
the MACRA statute, which explicitly states that an authorized user who 
is provided or sold data shall not make public such data or any 
analysis using such data.
    We also proposed to require qualified entities to impose a 
contractual bar using the QE DUA on the downstream recipients' linking 
of the re-disclosed data subject to the QE DUA to any other 
identifiable source of information. The only exception to this general 
policy would be if a provider or supplier were to receive identifiable 
information limited to its own patients.

[[Page 44466]]

    Comment: Several commenters stated that they supported the 
proposals related to linking the data. One commenter suggested that 
business associates of providers or suppliers be allowed to link the 
data subject to the QE DUA. Another commenter recommended that 
authorized users be allowed to link the patient de-identified data so 
long as the intent or result is not to re-identify patients and the 
resulting data set meets the HIPAA standard for de-identification.
    Response: We would like to clarify that the prohibition on linking 
only applies to patient de-identified data subject to the QE DUA. To 
the extent that a provider or supplier receives patient-identifiable 
data subject to the QE DUA and discloses that data to a business 
associate as allowed under Sec.  401.713(d)(5)(i), that provider or 
supplier may request that the business associate link the data subject 
to the QE DUA to another data source.
    While we understand that some authorized users may wish to link the 
de-identified data subject to the QE DUA, we believe that this creates 
too much risk of inadvertent re-identification. However, instead of 
linking the data themselves, authorized users could choose to share 
their additional data, in accordance with applicable law, with the 
qualified entity who could link this new data source to the existing 
data and then create de-identified analyses to share with the 
authorized user.

C. Authorized Users

1. Definition of Authorized User
    Section 105(a)(9)(A) of MACRA defines authorized users as: A 
provider of services, a supplier, an employer (as defined in section 
3(5) of the Employee Retirement Insurance Security Act of 1974), a 
health insurance issuer (as defined in section 2791 of the Public 
Health Service Act), a medical society or hospital association, and any 
other entity that is approved by the Secretary. We proposed a 
definition for authorized user at Sec.  401.703(k) that is consistent 
with Section 105(a)(9)(A) of MACRA and includes two additional types of 
entities beyond those established in the statute--healthcare 
professional associations and state agencies. Specifically, we proposed 
to define an authorized user as: (1) A provider; (2) a supplier; (3) an 
employer; (4) a health insurance issuer; (5) a medical society; (6) a 
hospital association; (7) a healthcare professional association; or (8) 
a state agency.
    Comment: Commenters had a wide-ranging list of suggested additions 
to the definition of an authorized user, including: Other types of 
associations and partnership groups whose missions support the 
permitted data uses, entities with expertise in quality measure 
development, organizations engaged in research, federal agencies, 
regional health improvement collaboratives, and the Indian Health 
Service (and Indian Health programs). Several commenters also suggested 
that CMS create a process for qualified entities to seek approval for 
additional authorized users that may not fit into the regulatory 
definitions.
    Response: We recognize that many organizations are interested in 
accessing analyses provided by the qualified entity. However, CMS 
believes we must maintain a carefully curated list of authorized users 
to prevent the monitoring of the qualified entity program from becoming 
too cumbersome. As a result, we are only adding federal agencies, 
including, but not limited to, the Indian Health Service (and Indian 
Health programs), to the definition of authorized users. Similar to 
state agencies, we believe that federal agencies, particularly those 
that provide healthcare services such as the Indian Health Service and 
the U.S. Department of Veterans Affairs, are important partners with CMS 
in transforming the healthcare delivery system and could substantially 
benefit from access to analyses to help improve quality and reduce 
costs, especially for individuals who utilize their services. On the 
other hand, we believe many of the other suggested authorized users do 
not represent well defined groups, which could lead to significant 
confusion as to which entities fall within the group and which do not. 
In addition, as we noted above, the statute is explicit in its 
prohibition of releasing the analyses or data to the public, so the 
addition of any authorized user with a research aim is not consistent 
with the parameters of the program.
    We believe a separate approval process would be very costly for CMS 
and create additional burdens for qualified entities. We also believe 
that a standard list of authorized users is the simplest and least 
administratively burdensome method to ensure equal treatment of 
qualified entities. Because many of the suggested authorized users do 
not represent well defined groups, we would envision an approval 
process for each entity requesting analyses, which would potentially be 
more burdensome for smaller regional qualified entities that do not 
have the time or resources to devote to the approval process. 
Furthermore, we have an existing process through which entities can 
obtain Medicare data for research purposes. More information on 
accessing CMS data for research can be found on the ResDAC Web site at 
www.resdac.org.
    Comment: Several commenters suggested that other organizations 
beyond providers, suppliers, hospital associations, and medical 
societies be allowed to access data. A few commenters suggested any 
entity should be allowed to access de-identified data. Another 
commenter recommended the creation of a new authorized user called a 
healthcare provider or supplier collaborator and defined as an 
organization or entity that does not directly treat patients, but works 
closely with the provider or supplier in connection with treatment of 
patients.
    Response: Section 105(a)(2)(A)(i) only allows for the disclosure 
of data to a provider of services, a supplier, and a medical society or 
hospital association.
    Comment: Several commenters suggested that authorized users that 
are allowed to act on behalf of their subparts (for example, 
Accountable Care Organizations) or business associates as defined in 
HIPAA should be allowed to receive data and/or analyses directly.
    Response: We do not intend to prevent organizations acting under a 
contract with an authorized user from receiving data or the analyses on 
behalf of the authorized user. Therefore, we have modified the 
definition of authorized user to include contractors, including, where 
applicable, business associates as that term is defined at 45 CFR 
160.103. An authorized user is now defined as a third party and its 
contractors (including, where applicable, business associates as that 
term is defined at 45 CFR 160.103) that need analyses or data covered 
by this section to carry out work on behalf of that third party 
(meaning not the qualified entity or the qualified entity's 
contractors) to whom/which the qualified entity provides or sells data 
as permitted under this subpart. Authorized user third parties are 
limited to the following entities: A provider, a supplier, a medical 
society, a hospital association, an employer, a health insurance 
issuer, a healthcare provider and/or supplier association, a state 
entity, a federal agency.
    We would like to note that with this change to the definition of 
authorized user a qualified entity is now also liable for the actions 
of the third party's contractors who enter into a QE DUA with the 
qualified entity.
    Comment: One commenter suggested a modification to the definition 
of provider to include dieticians, social workers, case management 
nurses, and other allied health professionals.

[[Page 44467]]

    Response: The current definition of a supplier is a physician or 
other practitioner that furnishes healthcare services under Medicare. 
To the extent that dieticians, social workers, case management nurses, 
and other allied health professionals are furnishing healthcare 
services under Medicare, they would already be considered suppliers. If 
they are not furnishing services under Medicare, we do not believe the 
analyses or data based on Medicare claims data will hold much value for 
improving care delivery or reducing costs, and so we decline to expand 
the definition to include them.
2. Definition of Employer
    We proposed to define an employer as having the same meaning as the 
term ``employer'' defined in Section 3(5) of the Employee Retirement 
Insurance Security Act of 1974.
    Comment: One commenter suggested that the definition of employer 
should not include any third-party consultant or wellness program 
vendors.
    Response: As noted above, we believe authorized users should be 
allowed to share analyses and data with contractors who need such 
information to conduct work on their behalf. Therefore, we modified the 
definition of authorized user to include contractors. To the extent a 
wellness vendor is an employer's contractor, the vendor will be 
required to sign a non-public analyses agreement and will be bound to 
only use and disclose the analyses in a manner consistent with the 
provisions of that agreement. We would also like to point out that as 
specified in Sec.  401.716(c)(2), employers, and their contractors, may 
only use the analyses for the purposes of providing health insurance to 
employees, retirees, or dependents of employees.
3. Definition of Health Insurance Issuer
    We proposed to define a health insurance issuer as having the same 
meaning as the term ``health insurance issuer'' defined in Section 
2791(b)(2) of the Public Health Service Act.
    Comment: One commenter suggested that the definition of health 
insurance issuer should not include any third-party consultant or 
wellness program vendors.
    Response: As with employers, we believe issuers should be allowed 
to share analyses and data with contractors who need such information 
to conduct work on their behalf. Therefore, as stated above, we have 
modified the definition of authorized user. To the extent a wellness 
vendor is an issuer's contractor, the vendor will be required to sign a 
non-public analyses agreement and will be bound to only use and 
disclose the analyses in a manner consistent with the provisions of 
that agreement.
4. Definition of ``Medical Society''
    We proposed to define a medical society as a non-profit 
organization or association that provides unified representation for a 
large number of physicians at the national or state level and whose 
membership is comprised mainly of physicians.
    Comment: One commenter requested that CMS provide an example of a 
medical society.
    Response: We would consider the American Medical Association or the 
American Academy of Family Physicians to be national-level medical 
societies. At the state-level, the Medical Association of the State of 
Alabama is an example of a medical society under this definition.
5. Definition of ``Hospital Association''
    We proposed to define a hospital association as a non-profit 
organization or association that provides unified representation for a 
large number of hospitals or health systems at the national or state 
level and whose membership is comprised of a majority of hospitals and 
health systems.
    Comment: One commenter requested that CMS provide an example of a 
hospital association.
    Response: We would consider the American Hospital Association or 
the Federation of American Hospitals to be national hospital 
associations. At the state-level, the Hospital and Healthsystem 
Association of Pennsylvania is an example of a hospital association 
under this definition.
    Comment: Several commenters suggested that the definition of 
hospital association be expanded to include associations at the local 
level and quality organizations that are affiliated with, but have 
separate 501(c)(3) numbers from their state hospital association.
    Response: CMS recognizes that local hospital associations may work 
more closely on issues such as quality improvement with hospitals and 
health systems in their area than state or national associations. As a 
result, we have modified the definition of hospital association to 
include local-level organizations. However, we do not believe that the 
MACRA statute at 105(a)(9)(v) intends for quality organizations 
affiliated with a hospital association to be considered a hospital 
association since the language only refers to hospital association and 
does not reference quality organizations. To the extent that these 
quality organizations are doing work on behalf of the state hospital 
association under contract, and that work requires access to such data 
or analyses, these quality organizations would be considered authorized 
users and would be required to enter into a QE DUA and/or non-public 
analyses agreement with the qualified entity.
6. Definition of ``Healthcare Provider and/or Supplier Association''
    We proposed to define a healthcare provider and/or supplier 
association as a non-profit organization or association that represents 
providers and suppliers at the national or state level and whose 
membership is comprised of a majority of providers and/or suppliers. We 
did not receive any comments on this definition, so are finalizing it 
without modification.
7. Definition of ``State Agency''
    We proposed to define a state agency as any office, department, 
division, bureau, board, commission, agency, institution, or committee 
within the executive branch of a state government.
    Comment: One commenter stated that state agencies should be limited 
to those entities that promote care quality and patient care 
improvement activities. Another commenter recommended that the term 
state agency be changed to state entity to help avoid conflict with 
state-specific references to the word ``agency.'' One commenter 
suggested CMS provide clarity on whether the definition of state agency 
includes political subdivisions of the state.
    Response: We do not believe that state agencies should be limited 
to those entities focused on care quality and patient care improvement. 
There is a wide array of uses of the non-public analyses by states who 
are CMS' partners in transforming the healthcare delivery system. We do 
appreciate the comment related to the use of the term agency at the 
state-level, and have modified this term in the regulations to be 
``state entity.'' In addition, to provide clarity, we note that we did 
not intend for the definition of state agency to include political 
subdivisions of a state, such as a county, city, town, or village, and 
as a result have not added these to the definition.

D. Annual Report Requirements

1. Reporting Requirements for Analyses
    Section 105(a)(8) of MACRA expands the information that a qualified 
entity must report annually to the Secretary if 
a qualified entity provides or sells non-public analyses. Therefore, 
consistent with these requirements, we proposed to require that the 
qualified entity provide a summary of the non-public analyses provided 
or sold under this subpart, including specific information about the 
number of analyses, the number of purchasers of such analyses, the 
types of authorized users that purchased analyses, and the total amount 
of fees received for such analyses. We also proposed to require the 
qualified entity to provide a description of the topics and purposes of 
such analyses. In addition, we proposed to require a qualified entity 
to provide information on QE DUA and non-public analyses agreement 
violations.
    Comment: Several commenters suggested additions to the reporting 
requirements for analyses. One commenter suggested that qualified 
entities include the specific entities to whom analyses were provided 
or sold as well as more detailed pricing information. Another commenter 
recommended the addition of the frequency and nature of requests for 
error correction, and how often analyses are disclosed with unresolved 
requests for error correction.
    Response: We believe that Section 105(a)(8)(A) of MACRA intends for 
qualified entities to provide a summary of the analyses and that the 
specific details of the entities who received analyses or the pricing 
information for analyses are not consistent with that intent. We do 
believe there is value in monitoring requests for error correction to 
ensure that qualified entities are not releasing analyses that 
consistently have requests for error correction, which could indicate a 
qualified entity's poor use of the Medicare data; however, we believe 
the requirement to provide this information, with the exception of how 
often analyses are disclosed with unresolved requests for error 
correction, already exists as part of the annual reporting requirements 
under Sec.  401.719(b)(2). We believe including how often analyses are 
disclosed with unresolved error requests in the annual reports is 
important because it allows CMS to track possible poor use of the 
Medicare data by qualified entities. Therefore, we have added the 
requirement to report the number of analyses disclosed with unresolved 
requests for error correction at Sec.  401.719(b)(3)(iii).
    Comment: One commenter suggested that the annual reports be made 
public.
    Response: We recognize that in some cases the annual reports may 
contain sensitive commercial information and, as a result, we do not 
believe the reports should be made public. We would like to clarify, 
however, that anytime CMS receives a request for information under the 
Freedom of Information Act (FOIA), the agency always evaluates whether 
the information is subject to one of the FOIA exemptions, including 
Exemption 4, which protects commercial or financial information that is 
privileged and confidential. We welcome identification of any materials 
within such reports that the qualified entity believes are subject to a 
FOIA exemption, and the rationale therefor.
2. Reporting Requirements for Data
    Section 105(a)(8) of MACRA also requires a qualified entity to 
submit a report annually if it provides or sells data. Therefore, 
consistent with the statutory requirements, we also proposed to require 
qualified entities that provide or sell data under this subpart to 
provide the following information as part of its annual report: 
Information on the entities who received data, the uses of the data, 
the total amount of fees received for providing, selling, or sharing 
the data, and any QE DUA violations.
    Comment: Several of the comments on reporting requirements for data 
were the same as those for analyses addressed above. One commenter 
suggested the addition of information on authorized user data breaches 
to the annual report. Another commenter stated that the annual 
reporting requirements for data may contain sensitive commercial 
information that may be subject to confidentiality provisions between 
the qualified entity and applicable authorized users.
    Response: We believe that data breaches should be reported to CMS 
in a much timelier manner than the annual report. As discussed above, 
the QE DUA requires authorized users to notify the qualified entity of 
any violations of the QE DUA and to comply with the breach provisions 
governing qualified entities. As a result, we do not believe this 
element is needed in the annual report.
    We recognize that some of the information we proposed to require of 
qualified entities in their annual reports will be sensitive commercial 
information. As noted above, anytime CMS receives a request for 
information under the FOIA, the agency always evaluates whether the 
information is subject to one of the FOIA exemptions, including 
Exemption 4, which protects commercial or financial information that is 
privileged and confidential. Contractual confidentiality provisions 
between authorized users and qualified entities will not negate CMS' 
obligations under FOIA, but we welcome identification of any materials 
within such reports that the qualified entity believes are subject to a 
FOIA exemption, and the rationale therefor.

E. Assessment for a Breach

1. Violation of a DUA
    Section 105(a)(7) of MACRA requires the Secretary to impose an 
assessment on a qualified entity in the case of a ``breach'' of a CMS 
DUA between the Secretary and a qualified entity or a breach of a QE 
DUA between a qualified entity and an authorized user. Because the term 
``breach'' is defined in HIPAA, and this definition is not consistent 
with the use of the term for this program, we proposed instead to adopt 
the term ``violation'' when referring to a ``breach'' of a DUA for 
purposes of this program. We also proposed to define a ``violation'' to 
mean a failure to comply with a requirement in a CMS DUA or QE DUA. We 
also proposed to impose an assessment on any qualified entity that 
violates a CMS DUA or fails to ensure that their authorized users and 
their contractors/business associates do not violate a QE DUA.
    Comment: A few commenters recommended that CMS further define and 
provide examples of what would constitute a DUA violation. Another 
commenter suggested CMS expand the definition of a violation so that 
both the qualified entity and the authorized user may be held 
responsible for a breach.
    Response: While we recognize that not all terms of the DUAs are 
equal regarding the risk to the privacy and security of the Medicare 
data, we believe the aggravating and mitigating circumstances discussed 
in more detail below provide us the flexibility to ensure the 
assessment amount is consistent with the nature of the violation. One 
example of a violation would be knowingly releasing patient names and 
other protected health information for marketing purposes. Another 
example of a violation would be sharing individually identifiable 
information for an individual who does not meet the definition of a 
patient with a supplier.
    While we recognize that it may be the authorized user who is 
responsible for the violation, we believe Section 105(a)(7) of MACRA 
does not give us the authority to impose an assessment on the 
authorized user. However, we do believe that the qualified entity could 
include terms in their agreement with the authorized user to require 
the authorized user to pay the assessment if the authorized user is 
responsible for the violation.

[[Page 44469]]

    MACRA provides guidance only on the assessment amount and what 
triggers an assessment, but it does not dictate the procedures for 
imposing such assessments. We therefore proposed to model qualified 
entity program procedures on certain relevant provisions of Section 
1128A of the Act (Civil Money Penalties) and part 402 (Civil Money 
Penalties, Assessments, and Exclusions) including the process and 
procedures for calculating the assessment, notifying a qualified entity 
of a violation, collecting the assessment, and providing qualified 
entities an appeals process.
2. Amount of Assessment
    Section 105(a)(7)(B) of MACRA specifies that when a violation 
occurs, the assessment is to be calculated based on the number of 
affected individuals who are entitled to, or enrolled in, benefits 
under part A of title XVIII of the Act, or enrolled in part B of such 
title. Assessments can be up to $100 per affected individual, but, 
given the broad discretion in establishing some lesser amount, we 
looked to part 402 as a model for proposing aggravating and mitigating 
circumstances that would be considered when calculating the assessment 
amount per impacted individual. However, violations under section 
105(a)(7)(B) of MACRA are considered point-in-time violations, not 
continuing violations.
Number of Individuals
    We proposed at Sec.  401.719(d)(5)(i) that CMS will calculate the 
amount of the assessment of up to $100 per individual entitled to, or 
enrolled in part A of title XVIII of the Act and/or enrolled in part B 
of such title whose data was implicated in the violation.
    We generally proposed to determine the number of potentially 
affected individuals by looking at the number of beneficiaries whose 
Medicare claims information was provided either by CMS to the qualified 
entity or by the qualified entity to the authorized user in the form of 
individually identifiable or de-identified data sets that were 
potentially affected by the violation.
    We proposed that a single beneficiary, regardless of the number of 
times their information appears in a singular non-public report or 
dataset, would only count towards the calculation of an assessment for 
a violation once. For qualified entities that provide or sell subsets 
of the dataset that CMS provided to them, combined information, or non-
public analyses, we proposed to require that the qualified entity 
provide the Secretary with an accurate number of beneficiaries whose 
data was sold or provided to the authorized user and, thereby, 
potentially affected by the violation. In those instances in which the 
qualified entity is unable to establish a reliable number of 
potentially affected beneficiaries, we proposed to impose the 
assessment based on the total number of beneficiaries that were 
included in the data set(s) that was/were transferred to the qualified 
entity under the CMS DUA.

Assessment Amount per Impacted Individual

    As noted above, MACRA allows an assessment in the amount of up to 
$100 per potentially affected individual. We therefore proposed to draw 
on 42 CFR part 402 to specify the factors and circumstances that will 
be considered in determining the assessment amount per potentially 
affected individual.
    We proposed at Sec.  401.719(d)(5)(i)(A) that the following basic 
factors be considered in establishing the assessment amount per 
potentially affected individual: (1) The nature and extent of the 
violation; (2) the nature and extent of the harm or potential harm 
resulting from the violation; and (3) the degree of culpability and 
history of prior violations.
    In addition, in considering these basic factors and determining the 
amount of the assessment per potentially affected individual, we 
proposed to take into account certain aggravating and mitigating 
circumstances.
    We proposed at Sec.  401.719(d)(5)(i)(B)(1) that CMS consider 
certain aggravating circumstances in determining the amount per 
potentially affected individual, including the following: Whether there 
were several types of violations, occurring over a lengthy period of 
time; whether there were many violations or the nature and 
circumstances indicate a pattern of violations; and whether the nature 
of the violation had the potential or actually resulted in harm to 
beneficiaries.
    In addition, we proposed at Sec.  401.719(d)(5)(i)(B)(2) that CMS 
take into account certain mitigating circumstances in determining the 
amount per potentially affected individual, including the following: 
Whether the violations subject to the imposition of an assessment were 
few in number, of the same type, and occurring within a short period of 
time, and/or whether the violation was the result of an unintentional 
and unrecognized error and the qualified entity took corrective steps 
immediately after discovering the error.
    Comment: One commenter suggested that CMS allow the qualified 
entity to take corrective action in the case of a minor violation. 
Another commenter recommended that CMS impose a limit on the assessment 
amount because not specifying a maximum assessment amount could create 
a barrier to entry for entities interested in the program. One 
commenter stated they supported the statutorily set assessment of $100 
per affected individual because it creates strong incentives for 
excellent data security.
    Response: We recognize the need for a corrective action process and 
have already established one at Sec.  401.719(d)(1) through (3) that 
applies regardless of the amount of the assessment. We appreciate 
commenters' concerns about creating a barrier for entry, but agree that 
allowing for an assessment of up to $100 per affected individual 
creates strong incentives for the qualified entity to ensure the 
privacy and security of the Medicare data. We believe the basic, 
aggravating, and mitigating circumstances provide CMS with the 
flexibility to set the assessment value appropriately given the nature 
of the violation and the qualified entity's history with violations.
3. Notice of Determination
    We looked to the relevant provisions in 42 CFR part 402 and Section 
1128A of the Act to frame proposals regarding the specific elements 
that would be included in the notice of determination. To that end, we 
proposed at Sec.  401.719(d)(5)(ii) that the Secretary would provide 
notice of a determination to a qualified entity by certified mail with 
return receipt requested. The notice of determination would include 
information on (1) the assessment amount, (2) the statutory and 
regulatory bases for the assessment, (3) a description of the 
violations upon which the assessment was proposed, (4) information 
concerning response to the notice, and (5) the means by which the 
qualified entity must pay the assessment if they do not intend to 
request a hearing in accordance with procedures established at Section 
1128A of the Act and implemented in 42 CFR part 1005. We did not 
receive any comments on this proposal so are finalizing it without 
modification.
4. Failure To Request a Hearing
    We also looked to the relevant provisions in 42 CFR part 402 and 
section 1128A of the Act to inform our proposals regarding what happens 
when a hearing is not requested.

[[Page 44470]]

    We proposed at Sec.  401.719(d)(5)(iii) that an assessment will 
become final if a qualified entity does not request a hearing within 60 
days of receipt of the notice of the proposed determination. At this 
point, CMS would impose the proposed assessment. CMS would notify the 
qualified entity, by certified mail with return receipt, of the 
assessment and the means by which the qualified entity may pay the 
assessment. Under these proposals, a qualified entity would not have 
the right to appeal an assessment unless it has requested a hearing 
within 60 days of receipt of the notice of the proposed determination. 
We did not receive any comments on these proposals so are finalizing 
them without modification.
5. When an Assessment Is Collectible
    We again looked to the relevant provisions in 42 CFR part 402 and 
section 1128A of the Act to inform our proposed policies regarding when 
an assessment becomes collectible.
    We proposed at Sec.  401.719(d)(5)(iv) that an assessment becomes 
collectible after the earliest of the following situations: (1) On the 
61st day after the qualified entity receives CMS's notice of proposed 
determination under Sec.  401.719(d)(5)(ii), if the entity does not 
request a hearing; (2) immediately after the qualified entity abandons 
or waives its appeal right at any administrative level; (3) 30 days 
after the qualified entity receives the Administrative Law Judge's 
(ALJ) decision imposing an assessment under Sec.  1005.20(d), if the 
qualified entity has not requested a review before the Department 
Appeal Board (DAB); or (4) 60 days after the qualified entity receives 
the DAB's decision imposing an assessment if the qualified entity has 
not requested a stay of the decision under Sec.  1005.22(b). We did not 
receive any comments on this proposal so are finalizing it without 
modification.
6. Collection of an Assessment
    We also looked to the relevant provisions in 42 CFR part 402 and 
section 1128A of the Act in framing our proposals regarding the 
collection of an Assessment.
    We proposed at Sec.  401.719(d)(5)(v) that CMS be responsible for 
collecting any assessment once a determination is made final by HHS. In 
addition, we proposed that the General Counsel may compromise an 
assessment imposed under this part, after consulting with CMS or Office 
of Inspector General (OIG), and the Federal government may recover the 
assessment in a civil action brought in the United States district 
court for the district where the claim was presented or where the 
qualified entity resides. We also proposed that the United States may 
deduct the amount of an assessment when finally determined, or the 
amount agreed upon in compromise, from any sum then or later owing the 
qualified entity. Finally, we proposed that matters that were raised or 
that could have been raised in a hearing before an ALJ or in an appeal 
under section 1128A(e) of the Act may not be raised as a defense in a 
civil action by the United States to collect an assessment. We did not 
receive any comments on these proposals so are finalizing them without 
modification.

F. Termination of Qualified Entity Agreement

    We proposed at Sec.  401.721(a)(7) that CMS may unilaterally 
terminate the qualified entity's agreement and trigger the data 
destruction requirements in the CMS DUA if CMS determines through our 
monitoring program at Sec.  401.717(a) and (b) that a qualified entity 
or its contractor fails to monitor authorized users' compliance with 
the terms of their QE DUAs or non-public analysis use agreements. We 
stated in the proposed rule that we believe this proposed provision is 
consistent with the intent of MACRA to ensure the protection of data 
and analyses provided by qualified entities to authorized users under 
this subpart.
    Comment: One commenter stated that CMS should have a violation 
corrections period prior to terminating a qualified entity. Another 
commenter recommended that CMS carefully monitor all aspects of the 
qualified entity program and related authorized user activities to 
minimize the risk of unintended consequences.
    Response: We currently have a process in place to require qualified 
entities to develop a corrective action plan or to put qualified 
entities on a special monitoring plan if we determine that the 
qualified entity violated any terms of the program. In addition, we 
already have a number of mechanisms in place to monitor qualified 
entities participating in the program including audits, site visits, 
and required reporting. We believe the additional annual reporting 
elements described above will ensure that we can continue to monitor 
qualified entities appropriately given the changes to the program. As a 
result, we are finalizing our proposed language on termination of a 
qualified entity's agreement at Sec.  401.721(a)(7).

G. Additional Data

    Section 105(c) of MACRA expands, at the discretion of the 
Secretary, the data that the Secretary may make available to qualified 
entities, including standardized extracts of claims data under titles 
XIX (Medicaid) and XXI (the Children's Health Insurance Program, CHIP) 
for one or more specified geographic areas and time periods as may be 
requested by the qualified entity. However, due to issues involving 
Medicaid data submitted to CMS, including lack of data timeliness and 
overall data quality, we proposed not to expand the data available to 
qualified entities from CMS and instead suggested that qualified 
entities would be better off seeking Medicaid and/or CHIP data through 
the State Medicaid Agencies.
    Comment: Many commenters recommended that CMS expand the data 
available to qualified entities to include Medicaid and CHIP data. 
These commenters noted the additional burden of having to request the 
data from each state individually. On the other hand, one commenter 
stated that they agreed with CMS' proposal not to expand access to 
Medicaid and/or CHIP data.
    Response: As some commenters noted, we have been working with 
states to transform our Medicaid Statistical Information System (MSIS) 
to address concerns regarding data timeliness and quality. This is 
essential for the Medicaid program to keep pace with the data needed to 
improve quality of care, track enrollment and utilization of services, 
improve program integrity, and support states' and other stakeholders' 
need for information about Medicaid and CHIP. This new data set is 
known as Transformed MSIS (T-MSIS). The T-MSIS data set contains 
enhanced information about beneficiary eligibility, beneficiary and 
provider enrollment, service utilization, claims and managed care data, 
and expenditure data for Medicaid and CHIP. We are currently working 
with states to help them transition from MSIS to T-MSIS.
    We recognize commenters' interest in accessing Medicaid and CHIP 
data from CMS rather than going to each state individually. We believe 
that T-MSIS can create a framework for CMS collection of Medicaid and 
CHIP data that addresses many of the concerns about the timeliness and 
quality of the MSIS data that we raised in the proposed rule. As a 
result, we anticipate future rulemaking to make Medicaid and CHIP data 
available to qualified entities when the T-MSIS data becomes available 
and is determined to be of sufficient quality for use in public 
provider performance reporting.
    Comment: One commenter suggested that CMS also allow qualified 
entities to

[[Page 44471]]

request access to Medicare Advantage data.
    Response: We believe section 1874(e)(3) of the Act only allows for 
the disclosure of Medicare claims data under Parts A, B, and D, as well 
as Medicaid and/or CHIP claims data.

H. Qualified Clinical Data Registries

    Section 105(b) of MACRA allows qualified clinical data registries 
to request access to Medicare data for the purposes of linking the data 
with clinical outcomes data and performing risk-adjusted, 
scientifically valid analyses, and research to support quality 
improvement or patient safety. The CMS research data disclosure 
policies already allow qualified clinical data registries to request 
Medicare data for research purposes. More information on accessing CMS 
data for research can be found on the ResDAC Web site at 
www.resdac.org. Given the existing research request processes and 
procedures, we proposed not to adopt any new policies or procedures 
regarding qualified clinical data registries' access to Medicare claims 
data for quality improvement or patient safety analyses.
    Comment: Several commenters recommended that CMS offer qualified 
clinical data registries an alternative path to the research request 
process to allow them to access CMS data for quality improvement and 
patient safety activities. Commenters stated that qualified clinical 
data registries need data to conduct quality improvement activities 
that will improve patient care and that, in many cases, this work is 
not consistent with the research request process requirement that the 
work contribute to generalizable knowledge.
    Response: We recognize that the research request pathway may not be 
consistent with types of analyses qualified clinical data registries 
envision conducting using the CMS data. As a result, we are modifying 
the regulations to allow qualified clinical data registries to serve as 
quasi-qualified entities, provided the qualified clinical data registry 
agrees to meet all the requirements in this subpart with the exception 
of the requirement at Sec.  401.707(d) that the organization submit 
information about the claims data it possesses from other sources. In 
addition, for the purposes of qualified clinical data registries acting 
as quasi qualified entities under the qualified entity program 
requirements, we define combined data as, at a minimum, a set of CMS 
claims data provided under subpart G combined with clinical data or a 
subset of clinical data. Since the language at section 105(b) of MACRA 
does not reference section 1874(e)(4)(d) of the Act, which provides 
parameters for the definition of combined data for the purposes of the 
qualified entity program, we do not believe these requirements for 
combined data apply to qualified clinical data registries serving as 
quasi qualified entities.
    We believe that the requirements of the qualified entity program, 
which was created to allow for provider performance reporting, also 
create an appropriate framework for qualified clinical data registries 
to conduct analyses to support quality improvement and patient safety. 
In addition, we believe that the new parameters of the qualified entity 
program, discussed in detail above, would allow qualified clinical data 
registries to work directly with providers and suppliers on issues 
related to quality improvement and patient safety. Qualified clinical 
data registries could also elect to become qualified entities and work 
with providers and suppliers in accordance with applicable laws to 
develop new quality measures in the context of nonpublic analyses that 
could then be used across the healthcare system to measure provider and 
supplier performance.
    Comment: Several commenters suggested that CMS make the Social 
Security Death Master File available to qualified clinical data 
registries to allow for enhanced accuracy of patient outcomes 
information.
    Response: We recognize that death information is a key aspect of 
analyses of patient outcomes, but CMS does not have the authority to 
disclose the Social Security Death Master File to qualified clinical 
data registries. However, CMS has date of death information for 
Medicare patients and we include this date of death information on the 
data files that are shared with qualified entities and those that would 
be shared with qualified clinical data registries.

I. Other Comments

    We received several additional suggestions for improvements to the 
program regarding topics that were not specifically discussed in the 
preamble to the proposed rule.
    Comment: Several commenters raised issues related to the qualified 
entity application process. One commenter suggested CMS make the 
application process and costs for becoming a qualified entity more 
transparent. A few commenters suggested that CMS offer qualified 
entities better technical assistance on the security certification step 
of the approval process. One commenter recommended that CMS streamline 
the application process for applicants that already have certifications 
or accreditations that demonstrate a high level of security.
    Response: We thank commenters for their feedback on the qualified 
entity application process. We believe the issues raised by commenters 
on this topic are outside the scope of this final rule. However, we are 
always looking for ways to improve the program and will take these 
comments into consideration.
    Comment: Some commenters addressed general program requirements of 
the qualified entity program. One commenter suggested that qualified 
entities that focus on certain clinical conditions should not have to 
meet the same threshold for amount of other claims data. Another 
commenter recommended that CMS allow state-level public reporting in 
the qualified entity program. A few commenters stated that CMS should 
provide qualified entities with access to timelier Medicare data. One 
commenter stated that some of the existing provisions in the CMS DUA 
conflict with requirements in HIPAA, specifically the requirement to 
destroy data if and when an organization leaves the program.
    Response: We have not established a threshold for the minimum 
amount of other claims an organization needs to become a qualified 
entity. Instead, we ask applicants to explain how the data they do have 
for use in the qualified entity program will be adequate to address 
concerns about sample size and reliability that have been expressed by 
stakeholders regarding the calculation of performance measures from a 
single payer source. Each application is evaluated on its collective 
merit, including the amount of claims data from other sources, and its 
explanation of why that data in combination with the requested Medicare 
data is adequate for the stated purposes of the program.
    We also do not prohibit qualified entities from publicly reporting 
their findings regarding provider and supplier performance at the 
state-level. Qualified entities are allowed to report on providers and 
suppliers at any level for which the measures can be used, provided the 
statutory and regulatory requirements are met, including that no 
patient information is disclosed.
    We currently make data available to qualified entities on a quarterly 
basis. We believe the timeliness of this data strikes the right balance 
between data completeness and data timeliness.
    Finally, we do not believe that requirements in the CMS DUA are 
inconsistent with HIPAA. We use a very similar DUA to share data with 
HIPAA-

[[Page 44472]]

covered providers and suppliers who are participating in Innovation 
Center models. We do recognize that some qualified entities may have 
trouble incorporating the Medicare data into their data systems because 
they may not be able to ensure the destruction of this data once it is 
linked with other data maintained by the qualified entity. However, we 
believe that requiring destruction of the data if a qualified entity 
leaves the program is important for ensuring the privacy and security 
of CMS data.
    Comment: One commenter suggested that CMS clarify how FOIA may or 
may not apply to data or reports submitted by qualified entities. 
Another commenter recommended that CMS clarify how the changes to the 
qualified entity program intersect with other statutory and regulatory 
requirements.
    Response: As we noted above, any information that we collect from 
qualified entities is subject to FOIA. However, any time we receive a 
request for information under FOIA, we always evaluate whether the 
information is subject to one of the FOIA exemptions, including 
Exemption 4, which protects commercial or financial information that is 
privileged and confidential.
    We are not able to address the breadth and scope of laws with which 
the qualified entity program requirements may intersect in this rule. 
Such analyses require case-by-case assessment of the facts at hand, and 
depending on jurisdiction, may vary based on which state laws apply. 
Entities should consult with their legal counsel to advise them on what 
laws apply to them, and to what effect.
    Comment: One commenter suggested that the release of Part D data to 
qualified entities should be tailored to protect the viability of the 
Part D program.
    Response: We are committed to ensuring that commercially sensitive 
information from the Part D program is protected. As we stated in the 
previous final rule on the qualified entity program, published on 
December 7, 2011, we are aware of the concerns related to, and 
restrictions governing the release of certain Part D drug cost 
information. Due to these concerns, we only release the Total Drug Cost 
element to qualified entities. We do not release the four subcomponents 
of drug cost: Ingredient cost, dispensing fee, vaccine administration 
fee, and total amount attributable to sales tax.
    Comment: One commenter stated that the rule does not address how 
states that have all payer claims databases (APCDs) can access Medicare 
data.
    Response: We do not believe that state APCDs are prohibited from 
becoming qualified entities. However, state APCDs with an interest in 
conducting research rather than provider performance reporting can also 
request data from CMS via the research request process. Organizations 
interested in accessing CMS data for research should visit 
www.resdac.org.
    Comment: One commenter stated that CMS should adopt a new version 
of the claims form that includes a field for unique device identifiers.
    Response: This comment is outside the scope of the qualified entity 
rule. That said, CMS uses claims that comply with the HIPAA standard 
transactions regulations (45 CFR part 162). Any changes to forms would 
be achieved through rulemaking under those provisions.
    Comment: Several commenters stated that they had concerns about the 
security of the Medicare data.
    Response: We are committed to ensuring the privacy and security of 
all data and we believe the existing and new program requirements 
create an appropriate framework for maintaining the security of data 
disclosed to qualified entities. Organizations applying to become 
qualified entities currently go through a rigorous security review 
during the application process. In addition, we monitor qualified 
entities closely to ensure that they continue to maintain appropriate 
data security standards once approved. As discussed above, we have also 
established data security protections that qualified entities must meet 
when sharing data with authorized users, including a requirement that 
the authorized user report any breaches to the qualified entity (and 
that the qualified entity report the breaches to CMS).
    Comment: Several commenters recommended that CMS clarify that 
organizations already approved as qualified entities would be allowed 
to begin using the Medicare data for the uses described in this final 
rule, regardless of whether the qualified entity has generated a public 
report.
    Response: We would like to clarify that once these regulations 
become effective, organizations approved as qualified entities will be 
allowed to use the Medicare data to create non-public analyses and 
provide or sell such analyses to authorized users, as well as provide or 
sell combined data, or provide Medicare claims data alone at no cost, 
to certain authorized users. However, we believe that public reporting 
is a very important aspect of participation in the qualified entity 
program and would like to remind qualified entities about the provision 
at Sec.  401.709(d) which requires qualified entities to produce public 
reports at least annually.

III. Provisions of the Final Rule

    For the most part, this final rule incorporates the provisions of 
the proposed rule. Those provisions of this final rule that differ from 
the proposed rule are as follows:
     We modified the definition of authorized user at Sec.  
401.703(j) to: Include a federal agency, change the term ``state 
agency'' to ``state entity'' to provide additional clarity, and include 
any contractors (or business associates) that need analyses or data to 
carry out work on behalf of authorized user third parties.
     We modified the definition of hospital association at 
Sec.  401.703(n) to include organizations or associations at the local 
level.
     At Sec.  401.703(r), we modified the definition of patient 
to extend the window for a face-to-face or telehealth appointment to at 
least once in the past 24 months.
     We added activities that qualify as treatment under 45 CFR 
164.501 to permitted uses of the data subject to the QE DUA.
     We modified the terms of the QE DUA to permit authorized 
users to re-disclose data subject to the QE DUA as a covered entity 
would be permitted to disclose PHI for treatment activities, as allowed 
under 45 CFR 164.506(c)(2).
     At Sec.  401.716(b)(2), we modified the requirements to 
clarify that a qualified entity may not provide or sell a non-public 
analysis to an issuer for a geographic area where the issuer does not 
provide coverage and, thus, does not have any covered lives to 
contribute to the analyses.
     At Sec.  401.716(b)(4)(iii), we allowed for the disclosure 
of non-public analyses that individually identify a provider or 
supplier if every provider or supplier identified in the analysis has 
notified the qualified entity that analyses may be disclosed to that 
authorized user without prior review by the provider or supplier.
     We added a procedural step to the review and error 
correction process for non-public analyses at Sec.  401.717(f) to 
include confidential notification of the provider or supplier.
     We added a new provision at Sec.  401.722(a) to allow a 
qualified clinical data registry that agrees to meet the requirements 
in this subpart, with the exception of the requirement to submit 
information on the claims data from other sources it possesses, to 
request access to Medicare data as a quasi-qualified entity.

IV. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995, we are required to 
provide 30-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act 
of 1995 requires that we solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    We solicited public comment on each of these issues for the 
following sections of this document that contain information collection 
requirements (ICRs).
    Proposed Sec.  401.718(c) and Sec.  401.716(b)(2)(ii) require a 
qualified entity to enter into a QE DUA with an authorized user prior 
to providing or selling data or selling a non-public analysis that 
contains individually identifiable beneficiary information. Proposed 
Sec.  401.713(d) requires specific provisions in the QE DUA. Proposed 
Sec.  401.716(c) requires a qualified entity to enter into a non-public 
analyses agreement with the authorized user as a pre-condition to 
providing or selling de-identified analyses. We estimate that it will 
take each qualified entity a total of 40 hours to develop the QE DUA 
and non-public analyses agreement. Of the 40 hours, we estimate it will 
take a professional/technical services employee with an hourly labor 
cost of $75.08 a total of 20 hours to develop both the QE DUA and non-
public analyses agreement and estimate that it will require a total of 
20 hours of legal review at an hourly labor cost of $77.16 for both the 
QE DUA and non-public analyses agreement. We also estimate that it will 
take each qualified entity 2 hours to process and maintain each QE DUA 
or non-public analyses agreement with an authorized user by a 
professional/technical service employee with an hourly labor cost of 
$75.08. While there may be two different staff positions that perform 
these duties (one that is responsible for processing the QE DUAs and/or 
non-public analyses agreement and one that is responsible for 
maintaining the QE DUA and/or non-public analyses agreement), we 
believe that both positions would fall under the professional/technical 
services employee labor category with an hourly labor cost of $75.08. 
There are currently 15 qualified entities; however, we estimate that 
number will increase to 20 if these proposals are finalized. This 
number includes qualified entities and ``quasi qualified entities'' 
(meaning qualified clinical data registries that are approved under 
Sec.  401.722(a) as described in this preamble), which we hereinafter 
collectively refer to as ``qualified entity''. This would mean that to 
develop each QE DUA and non-public analysis agreement, the burden cost 
per qualified entity would be $3,045 with a total estimated burden for 
all 15 qualified entities of $45,675. This does not include the two 
hours to process and maintain each QE DUA.
    As discussed in the regulatory impact analysis below, we estimate 
that each qualified entity would need to process and maintain 70 QE 
DUAs or non-public analyses agreements as some authorized users may 
receive both datasets and a non-public analysis and would only need to 
execute one QE DUA. We estimate that it will take each qualified entity 
2 hours to process and maintain each QE DUA or non-public analyses 
agreement. This would mean the burden cost per qualified entity to 
process and maintain 70 QE DUAs or non-public analyses agreements would 
be $10,511 with a total estimated burden for all 15 qualified entities 
of $157,668. While we anticipate that the requirement to create a QE 
DUA and/or non-public analyses agreement will only be incurred once by 
a qualified entity, we believe that the requirement to process and 
maintain the QE DUAs and/or non-public analyses will be an ongoing 
cost.
    These regulations would also require a qualified entity to submit 
additional information as part of its annual report to CMS. A qualified 
entity is currently required to submit an annual report to CMS under 
Sec.  401.719(b). Proposed Sec.  401.719(b)(3) and (4) provide for 
additional reporting requirements if a qualified entity chooses to 
provide or sell analyses and/or data to authorized users. The burden 
associated with this requirement is the time and effort necessary to 
gather, process, and submit the required information to CMS. As noted 
above, there are currently 15 qualified entities; however, we estimate 
that number will increase to 20 if these proposals are finalized. Some 
qualified entities may not want to bear the risk of the potential 
assessments and have been able to accomplish their program goals under 
other CMS data sharing programs, therefore some qualified entities may 
not elect to provide or sell analyses and/or data to authorized users. 
As a result, we estimate that 15 qualified entities will choose to 
provide or sell analyses and/or data to authorized users, and 
therefore, would be required to comply with these additional reporting 
requirements within the first three years of the program. We further 
estimate that it would take each qualified entity 50 hours to gather, 
process, and submit the required information. We estimate that it will 
take each qualified entity 34 hours to gather the required information, 
15 hours to process the information, and 1 hour to submit the 
information to CMS. We believe a professional or technical services 
employee of the qualified entity with an hourly labor cost of $75.08 
will fulfill these additional annual report requirements. We estimate 
that 15 qualified entities will need to comply with this requirement 
and that the total estimated burden associated with this requirement is 
$56,310. We requested comment on the type of employee and the number of 
hours that will be needed to fulfill these additional annual reporting 
requirements.
    As a reminder, the final rule for the qualified entity program, 
published December 7, 2011, included information about the burden 
associated with the provisions in that rule. Specifically, Sec. Sec.  
401.705 through 401.709 provide the application and reapplication 
requirements for qualified entities. The burden associated with these 
requirements is currently approved under OMB control number 0938-1144 
with an expiration date of May 31, 2018. This package accounts for 35 
responses. Section 401.713(a) states that as part of the application 
review and approval process, a qualified entity would be required to 
execute a DUA with CMS, that among other things, reaffirms the 
statutory bar on the use of Medicare data for purposes other than those 
referenced above. The burden associated with executing this DUA is 
currently approved under OMB control number 0938-0734 with an 
expiration date of December 31, 2017. This package accounts for 9,240 
responses (this package covers all CMS DUAs, not only DUAs under the 
qualified entity program). We currently have 15 qualified entities and 
estimate it will increase to 20 so we have not surpassed the previously 
approved numbers.
    We based the hourly labor costs on those reported by the Bureau of 
Labor Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce for 
this labor category. We used the annual rate for 2014 and added 100 
percent for overhead and fringe benefit costs.

                                                           Table 1--Collection of Information
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                      Hourly
                                                                             Number of    Burden per     Total      labor cost  Total labor
        Regulation section(s)             OMB Control No.       Number of    responses     response      annual         of        cost of     Total cost
                                                               respondents      per        (hours)       burden     reporting    reporting       ($)
                                                                             respondent                 (hours)       ($) *         ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec.   401.718, Sec.   401.716, and   0938 New...............           15            1           20          300        75.08       22,524       22,524
 Sec.   401.713 (DUA and non-public
 analyses agreement Development).
Sec.   401.718 and Sec.   401.716     0938 New...............           15            1           20          300        77.16       23,148       23,148
 (Legal Review).
Sec.   401.718 and Sec.   401.716     0938 New...............           15           70            2        2,100        75.08      157,668      157,668
 (Processing and Maintenance).
Sec.   401.719(b)...................  0938 New...............           15            1           50          750        75.08       56,310       56,310
                                                              ------------------------------------------------------------------------------------------
    Total...........................  .......................           15           73  ...........        3,450  ...........  ...........      259,650
--------------------------------------------------------------------------------------------------------------------------------------------------------
* The values listed are based on 100 percent overhead and fringe benefit calculations.
Note: There are no capital/maintenance costs associated with the information collection requirements contained in this rule; therefore, we have removed
  the associated column from Table 1.

    If you comment on these information collection and recordkeeping 
requirements, please submit your comments to the Office of Information 
and Regulatory Affairs, Office of Management and Budget,

Attention: CMS Desk Officer, CMS-5061-F
Fax: (202) 395-6974; or
Email: [email protected]

V. Regulatory Impact Statement

    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

A. Response to Comments

    We received a few comments on the anticipated effects of these 
modifications to the qualified entity program.
    Comment: One commenter suggested that it would take each qualified 
entity an estimated 60 hours to develop and review the QE DUA and non-
public analyses agreement. Of those 60 hours, 30 hours would be to 
develop the QE DUA and non-public analyses agreement and 30 would be 
needed for legal review. In addition, the commenter estimated that it 
would take each qualified entity 3 hours to process and maintain each 
QE DUA and non-public analyses agreement.
    Response: In the proposed rule, we estimated that it would take 
each qualified entity 40 hours to develop and review the QE DUA and 
non-public analyses agreement. Of those 40 hours, 20 hours would be 
needed to develop the QE DUA and non-public analyses agreement and 20 
hours would be needed for legal review. We also estimated that it would 
take 2 hours to process and maintain each QE DUA and non-public 
analyses agreement. We recognize that some qualified entities may spend 
more hours than other qualified entities to develop, process, and 
maintain QE DUAs and non-public analyses agreements. For example, some 
qualified entities may spend 60 hours to develop the QE DUA and non-
public analyses agreement and other qualified entities will spend 30 
hours. However, we believe that 40 hours to develop the QE DUA and the 
non-public analyses agreement and 2 hours to process each QE DUA and 
the non-public analyses agreement is a reasonable average.
    Comment: We received a few comments about the impact on providers 
and suppliers. One commenter suggested that CMS reconsider the 
assumption that all 1500 small rural hospitals would not be impacted by 
this rule and that the 3 hour average estimate for providers and 
suppliers to review non-public analyses appears too low. Another 
commenter suggested that CMS monitor provider burden as expanded data 
access unfolds and the number of qualified entities and authorized 
users begin to grow.
    Response: We appreciate commenters' concerns about the potential 
impact on providers and suppliers. As discussed above in section 
II.A.4, we made procedural changes to the proposed review and 
corrections process for non-public analyses in order to reduce burden 
to both qualified entities and providers and suppliers. As a first step 
of the review and correction process, the qualified entity would be 
required to notify the provider or supplier that analyses that 
individually identify the provider or supplier are going to be released 
to an authorized user and allow the provider or supplier to opt-in to 
the review and corrections process at Sec.  401.717(a) through (e). 
This notification should include a short summary of the analyses, the 
process for the provider or supplier to request the analyses, and the 
date on which the qualified entity will release the analyses to the 
authorized user. This date should be at least 65 calendar days from the 
date the provider or supplier is notified of the analyses.
    Given these procedural changes to the review and corrections 
process in the context of the non-public analyses, we believe that the 
3 hours average estimate for providers and suppliers to review non-
public analyses is a sufficient estimate of provider and supplier 
burden. This average takes into account the range of potential cases 
given the new review and corrections process. In some cases, for 
example, notification may be sufficient to meet the needs of providers 
or suppliers. In other cases, however, where the analyses are similar 
to previous analyses or use data the provider or supplier has already 
corrected, the provider or supplier may choose not to review the 
analyses. In addition, as discussed in the proposed rule, even if a 
provider or supplier requests the non-public analyses, there will be 
variability in the amount of time providers or suppliers will need for 
the review and corrections process.
    As discussed in the proposed rule, we do not anticipate this rule 
will have a significant impact on the operations of a substantial 
number of small rural hospitals because we anticipate that most 
qualified entities will focus their performance evaluation efforts on 
metropolitan areas where the majority of health services are provided. 
In addition, given the limited number of health services provided in 
rural regions, we anticipate that any analyses that included rural 
regions would not individually identify the providers or suppliers, but 
rather focus on regional or state metrics. As suggested by a commenter, 
we will monitor provider burden as the number of qualified entities 
grows and more non-public analyses are provided to authorized users.

B. Overall Impact

    We have examined the impacts of this rule as required by Executive 
Order 12866 on Regulatory Planning and Review (September 30, 1993), the 
Regulatory Flexibility Act (RFA) (September 19, 1980, 96), section 
1102(b) of the Act, section 202 of the Unfunded Mandates Reform Act of 
1995 (Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 
1999), and the Congressional Review Act (5 U.S.C. 804(2)).
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). A regulatory impact 
analysis (RIA) must be prepared for major rules with economically 
significant effects ($100 million or more in any 1 year). For the 
reasons discussed below, we estimate that the total impact of this 
final rule will be less than $58 million and therefore, it will not 
reach the threshold for economically significant effects and is not 
considered a major rule.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses, if a rule has a significant impact on a 
substantial number of small entities. For purposes of the RFA, we 
estimate that most hospitals and most other providers are small 
entities as that term is used in the RFA (including small businesses, 
nonprofit organizations, and small governmental jurisdictions). 
However, since the total estimated impact of this rule is less than 
$100 million, and the total estimated impact will be spread over 82,500 
providers and suppliers (who are the subject of reports), no one entity 
will face significant impact. Of the 82,500 providers, we estimate that 
78,605 will be physician offices that have average annual receipts of 
$11 million and 4,125 will be hospitals that have average annual 
receipts of $38.5 million. As discussed below, the estimated cost per 
provider is $8,426 (see table 5 below) and the estimated cost per 
hospital is $6,523 (see table 5 below). For both types of entities, 
these costs will be a very small percentage of overall receipts. Thus, 
we are not preparing an analysis of options for regulatory relief of 
small businesses because we have determined that this rule will not 
have a significant economic impact on a substantial number of small 
entities.
    For section 105(a) of MACRA, we estimate that two types of entities 
may be affected by the additional program opportunities: Qualified 
entities that choose to provide or sell non-public analyses or data to 
authorized users; and providers and suppliers who are identified in the 
non-public analyses created by qualified entities and provided or sold 
to authorized users.
    We anticipate that most providers and suppliers that may be 
identified in qualified entities' non-public analyses will be hospitals 
and physicians. Many hospitals and most other healthcare providers and 
suppliers are small entities, either by being nonprofit organizations 
or by meeting the Small Business Administration definition of a small 
business (having revenues of less than $38.5 million in any 1 year) 
(for details see the Small Business Administration's Web site at 
https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf 
(refer to the 620000 series)). For purposes of the RFA, physicians are 
considered small businesses if they generate revenues of $11 million or 
less based on Small Business Administration size standards. 
Approximately 95 percent of physicians are considered to be small 
entities.
    The analysis and discussion provided in this section and elsewhere 
in this final rule complies with the RFA requirements. Because we 
acknowledge that many of the affected entities are small entities, the 
analysis discussed throughout the preamble of this final rule 
constitutes our regulatory flexibility analysis for the remaining 
provisions and addresses comments received on these issues.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis, if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. Any 
such regulatory impact analysis must conform to the provisions of 
section 604 of the RFA. For purposes of section 1102(b) of the Act, we 
define a small rural hospital as a hospital that is located outside of 
a metropolitan statistical area and has fewer than 100 beds. We do not 
believe this final rule has a significant impact on the operations of a 
substantial number of small rural hospitals because we anticipate that 
most qualified entities will focus their performance evaluation efforts 
on metropolitan areas where the majority of health services are 
provided. As a result, this rule will not have a significant impact on 
small rural hospitals. Therefore, the Secretary has determined that 
this final rule will not have a significant impact on the operations of 
a substantial number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any 1 year of $100 
million in 1995 dollars, updated annually for inflation. In 2016, that 
threshold is approximately $146 million. This final rule will not 
impose spending costs on state, local, or tribal governments in the 
aggregate, or by the private sector, of $146 million or more. 
Specifically, as explained below we anticipate the total impact of this 
rule on all parties to be approximately $58 million.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on State 
and local governments, preempts State law, or otherwise has Federalism 
implications. We have examined this final rule in accordance with 
Executive Order 13132 and have determined that this regulation will not 
have any substantial direct effect on State or local governments, 
preempt States, or otherwise have a Federalism implication.

C. Anticipated Effects

1. Impact on Qualified Entities
    Because section 105(a) of MACRA allows qualified entities to use 
the data in new ways to provide or sell non-public analyses or data to 
authorized users, there is little quantitative information to inform 
our estimates on the number of analyses and datasets that the qualified 
entity may provide or sell or on the costs associated with the 
creation of the non-public analyses or datasets. Therefore, we look to 
the estimates from the original qualified entity rules to estimate the 
number of hours that it may take to create non-public analyses, to 
process provider/supplier appeals and revisions, and to complete annual 
reports. We also looked to the Centers for Medicare & Medicaid 
Services' cost of providing data to qualified entities since qualified 
entities' data fees are equal to the government's cost to make the data 
available.
    There are currently 15 qualified entities and these qualified 
entities all are in different stages of the qualified entity program. 
For example, some qualified entities have released public reports and 
some qualified entities are still completing the security requirements 
in order to receive Medicare 
data. Given the requirements in the different phases and the current 
status of the qualified entities, we estimate that 11 qualified 
entities will be able to provide or sell analyses and/or data to 
authorized users within the first year of the program, and therefore, 
will be incurring extra costs. As discussed above, we believe the total 
number of qualified entities will ultimately grow to 20 in subsequent 
years, with 15 entities providing or selling analyses and/or data to 
authorized users. In estimating qualified entity impacts, we used 
hourly labor costs in several labor categories reported by the Bureau 
of Labor Statistics (BLS) at 
http://data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual 
rates for 2014 and added 
100 percent for overhead and fringe benefit costs. These rates are 
displayed in Table 2.

                           Table 2--Labor Rates for Qualified Entity Impact Estimates
----------------------------------------------------------------------------------------------------------------
                                                                   2014  Hourly
                                                                    wage  rate    OH and  fringe   Total hourly
                                                                       (BLS)           (100%)          costs
----------------------------------------------------------------------------------------------------------------
Professional and technical services.............................          $37.54          $37.54          $75.08
Legal review....................................................           38.58           38.58           77.16
Custom computer programming.....................................           43.05           43.05           86.10
Data processing and hosting.....................................           34.02           34.02           68.04
Other information services......................................           39.72           39.72           79.44
----------------------------------------------------------------------------------------------------------------

    We estimate that within the first year 11 qualified entities 
will provide or sell on average 55 non-public analyses or provide or 
sell 35 datasets. We do not believe the number of datasets and non-
public analyses per qualified entity will change in future years of the 
program.
    In the original proposed rule for the qualified entity program (76 
FR 33566), we estimated that each qualified entity's activities to 
analyze the Medicare claims data, calculate performance measures and 
produce public provider performance reports will require 5,500 hours of 
effort per qualified entity. We anticipate under this final rule that 
implements section 105(a) of MACRA that qualified entities will base 
the non-public analyses on their public performance reports. Therefore, 
the creation of the non-public analyses will require much less effort 
and only require a fraction of the time it takes to produce the public 
reports. We estimate that a qualified entity's activities for each non-
public analysis to analyze the Medicare claims data, calculate 
performance measures, and produce the report will require 320 hours, 
between five and six percent of the time to produce the public reports. 
We anticipate that half of this time will be spent on data analysis, 
measure calculation, and report creation and the other half on data 
processing.
    We anticipate that within the first year of the program a qualified 
entity will, on average, provide one-year datasets containing all data 
types for a cohort of 750,000 to 1.75 million beneficiaries to 35 
authorized users. We estimate that it will require 226 hours to create 
each dataset that will be provided to an authorized user. We looked to 
the Centers for Medicare & Medicaid Services' data costs and time to 
estimate a qualified entity's costs and time to create datasets. While 
the majority of the time will be devoted to computer processing, we 
anticipate about 100 hours will be spent on computer programming, 
particularly if the qualified entity is de-identifying the data.
    We further estimate that, on average, each qualified entity will 
expend 7,500 hours of effort processing providers' and suppliers' 
appeals of their performance reports and producing revised reports, 
including legal review of the appeals and revised reports. These 
estimates assume that, as discussed below in the section on provider 
and supplier impacts, on average 25 percent of providers and suppliers 
will appeal their results from a qualified entity. Responding to these 
appeals in an appropriate manner will require a significant investment 
of time on the part of qualified entities. This equates to an average 
of four hours per appeal for each qualified entity. These estimates are 
similar to those in the Qualified Entities final rule. We assume that 
the complexity of appeals will vary greatly, and as such, the time 
required to address them will also vary greatly. Many appeals may be 
able to be dealt with in an hour or less while some appeals may require 
multiple meetings between the qualified entity and the affected 
provider or supplier. On average, however, we believe that this is a 
reasonable estimate of the burden of the appeals process on qualified 
entities. We discuss the burden of the appeals process on providers and 
suppliers below.
    We estimate that each qualified entity will spend 40 hours creating 
a non-public analyses agreement template and a QE DUA. We also estimate 
that it will take a qualified entity 2 hours to process a QE DUA or 
non-public analyses agreement.
    Finally, we estimate that each qualified entity will spend 50 hours 
on the additional annual reporting requirements.
    Qualified entities will be required to notify CMS of inappropriate 
disclosures or use of beneficiary identifiable data pursuant to the 
requirements in the CMS DUA. We believe that the report generated in 
response to an inappropriate disclosure or use of beneficiary 
identifiable data will be generated as a matter of course by the 
qualified entities and therefore, will not require significant 
additional effort. Based on the assumptions we have described, we 
estimate the total impact on qualified entities for the first year of 
the program to be a cost of $27,925,198.

[[Page 44477]]



                                         Table 3--Impact on Qualified Entities for the First Year of the Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                           Hours
                                   -----------------------------------------------------
                                                                                Data        Labor       Cost per    Number of    Number of    Total cost
             Activity               Professional                 Computer   processing   hourly cost   authorized   authorized   qualified      impact
                                         and         Legal     programming       and                      user        users       entities
                                      technical                               hosting
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                             [Impact on Qualified Entities]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Dissemination of Data
--------------------------------------------------------------------------------------------------------------------------------------------------------
Data processing & hosting.........  ............  ...........  ...........          126       $68.04       $8,573           35           11   $3,300,620
Computer programming..............  ............  ...........          100  ...........        86.10        8,610           35           11    3,314,850
                                   ---------------------------------------------------------------------------------------------------------------------
    Total: Dissemination of Data..  ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........   $6,615,470
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   Non-Public Analyses
--------------------------------------------------------------------------------------------------------------------------------------------------------
Data analysis/measure calculation/  ............  ...........          160  ...........        86.10       13,776           55           11    8,334,480
 report preparation...............
Data Processing and hosting.......  ............  ...........  ...........          160        68.04       10,886           55           11    6,586,272
                                   ---------------------------------------------------------------------------------------------------------------------
    Total: Non-public Analyses....  ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........   14,920,752
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                   Processing of Provider Appeals and Report Revision
--------------------------------------------------------------------------------------------------------------------------------------------------------
Qualified entity processing of             5,500  ...........  ...........  ...........        75.08      412,940  ...........           11    4,542,340
 provider appeals and report
 revision.........................
Qualified entity legal analysis of  ............        2,000  ...........  ...........        77.16      154,320  ...........           11    1,697,520
 provider appeals and report
 revisions........................
                                   ---------------------------------------------------------------------------------------------------------------------
    Total: Qualified entity         ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........    6,239,860
     processing of provider
     appeals and report revision..
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                        QE DUA and Non-Public Analyses Agreements
--------------------------------------------------------------------------------------------------------------------------------------------------------
QE DUA and Non-public analyses:
    Development of the QE DUA and             20  ...........  ...........  ...........        75.08        1,502  ...........           11       16,518
     non-public analyses agreement
    Legal review of the QE DUA and  ............           20  ...........  ...........        77.16        1,543  ...........           11       16,975
     non-public analyses agreement
    Processing QE DUA and non-                 2  ...........  ...........  ...........        75.08          150           70           11      115,623
     public analyses agreement....
                                   ---------------------------------------------------------------------------------------------------------------------
        Total QE DUA and non-       ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........      149,116
         public analyses
         agreements...............
    Additional Annual Report                  50  ...........  ...........  ...........        75.08        3,754  ...........           11       41,294
     Requirements.................
                                   ---------------------------------------------------------------------------------------------------------------------
        Total qualified entity      ............  ...........  ...........  ...........  ...........  ...........  ...........  ...........   27,966,492
         Impacts..................
--------------------------------------------------------------------------------------------------------------------------------------------------------

2. Impact on Healthcare Providers and Suppliers
    We note that numerous healthcare payers, community quality 
collaboratives, States, and other organizations are producing 
performance measures for healthcare providers and suppliers using data 
from other sources, and that providers and suppliers are already 
receiving performance reports from these sources. We anticipate that 
the review of non-public analyses will merely be added to those 
existing efforts to improve the statistical validity of the measure 
findings.
    Table 4 reflects the hourly labor rates used in our estimate of the 
impacts of the first year of section 105(a) of MACRA on healthcare 
providers and suppliers.

                         Table 4--Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------------------------------
                                                                                   Overhead and
                                                                   2014  Hourly       fringe       Total hourly
                                                                     wage rate       benefits          costs
                                                                       (BLS)          (100%)
----------------------------------------------------------------------------------------------------------------
Physicians' offices.............................................          $38.27          $38.27          $76.54
Hospitals.......................................................           29.65           29.65           59.30
----------------------------------------------------------------------------------------------------------------


[[Page 44478]]

    We anticipate that the impacts on providers and suppliers consist 
of costs to review the performance reports generated by qualified 
entities and, if they choose, appeal the performance calculations. We 
believe, on average, each qualified entity will produce non-public 
analyses that in total include information on 7,500 health providers 
and suppliers. This is based on estimates in the qualified entity final 
rule, but also includes an increase of 50 percent because we believe 
that more providers and suppliers will be included in the non-public 
analyses. We anticipate that the largest proportion of providers and 
suppliers will be physicians because they comprise the largest group of 
providers and suppliers, and are a primary focus of many recent 
performance evaluation efforts. We also believe that many providers and 
suppliers will be the recipients of the non-public analyses in order to 
support their own performance improvement activities, and therefore, 
there will be no requirement for a correction or appeals process. As 
discussed above, there is no requirement for a corrections or appeals 
process where the analysis only individually identifies the (singular) 
provider or supplier who is being provided or sold the analysis. Based 
on our review of information from existing programs, we assume that 95 
percent of the recipients of performance reports (that is, an average 
of 7,125 per qualified entity) will be physicians, and 5 percent (that 
is, an average of 375 per qualified entity) will be hospitals and other 
suppliers. Providers and suppliers receive these reports with no 
obligation to review them, but we assume that most will do so to verify 
that their calculated performance measures reflect their actual 
patients and health events. Because these non-public analyses will be 
based on the same underlying data as the public performance reports, we 
estimate that it will take less time for providers or suppliers to 
review these analyses and generate an appeal. We estimate that, on 
average, each provider or supplier will devote three hours to reviewing 
these analyses. We also estimate that 25 percent of the providers and 
suppliers will decide to appeal their performance calculations, and 
that preparing the appeal will involve an average of seven hours of 
effort on the part of a provider or supplier. As with our assumptions 
regarding the level of effort required by qualified entities in 
operating the appeals process, we believe that this average covers a 
range of provider efforts from providers who will need just one or two 
hours to clarify any questions or concerns regarding their performance 
reports to providers who will devote significant time and resources to 
the appeals process.
    Using the hourly costs displayed in Table 4, the impacts on 
providers and suppliers are calculated below in Table 5. Based on the 
assumptions we have described, we estimate the total impact on 
providers for the first year of the program to be a cost of 
$29,690,386.
    As stated above in Table 3, we estimate the total impact on 
qualified entities to be a cost of $27,966,492. Therefore, the total 
impact on qualified entities and on providers and suppliers for the 
first year of the program is estimated to be $57,656,878.

                                      Table 5--Impact on Providers and Suppliers for the First Year of the Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                  Hours per provider                                Number of
                                                              --------------------------                            providers    Number of
                           Activity                                                         Labor       Cost per       per       qualified    Total cost
                                                                Physician    Hospitals   hourly cost    provider    qualified     entities      impact
                                                                 offices                                              entity
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                           [Impact on Providers and Suppliers]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Physician office review of performance reports...............            3  ...........       $76.54         $230        7,125           11  $18,026,250
Hospital review of performance reports.......................  ...........            3        59.30          178          375           11      734,250
Physician office preparing and submitting appeal requests to             7  ...........        76.54          536        1,781           11   10,500,776
 qualified entities..........................................
Hospital preparing and submitting appeal requests to           ...........            7        59.30          415           94           11      429,110
 qualified entities..........................................
                                                              ------------------------------------------------------------------------------------------
    Total Impact on Providers and Suppliers..................  ...........  ...........  ...........  ...........  ...........  ...........   29,690,386
--------------------------------------------------------------------------------------------------------------------------------------------------------

D. Alternatives Considered

    The statutory provisions added by section 105(a) of MACRA are 
detailed and prescriptive about the permissible uses of the data under 
the Qualified Entity Program. We believe there are limited approaches 
that will ensure statutory compliance. We considered less prescriptive 
requirements on the provisions that will need to be included in the 
agreements between qualified entities and authorized users that 
received or purchased analyses or data. For example, we could have 
required less strenuous data privacy and security protections such as 
not setting a minimum standard for protection of beneficiary 
identifiable data or non-public analyses. In addition, we could have 
reduced additional restrictions on re-disclosure or permitted data or 
analyses to be re-disclosed to additional downstream users. While these 
approaches might reduce costs for qualified entities, we did not adopt 
such an approach because of the importance of protecting beneficiary 
data. We believe if we do not require qualified entities to provide 
sufficient evidence of data privacy and security protection 
capabilities, there will be increased risks related to the protection 
of beneficiary identifiable data.

E. Conclusion

    As explained above, we estimate the total impact for the first year 
of the program on qualified entities and providers to be a cost of 
$57,656,878. While we anticipate the number of qualified entities to 
increase slightly, we do not anticipate significant growth in the 
qualified entity program given the qualified entity program 
requirements, as well as other existing programs that allow entities to 
obtain Medicare data. Based on these estimates, we conclude this final 
rule does not reach the threshold for economically significant effects 
and thus is not considered a major rule.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

[[Page 44479]]

List of Subjects in 42 CFR Part 401

    Claims, Freedom of information, Health facilities, Medicare, 
Privacy.

    For the reasons set forth in the preamble, the Centers for Medicare 
& Medicaid Services amends 42 CFR part 401 as set forth below:

PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS

1. The authority citation for part 401 is revised to read as follows:

    Authority:  Secs. 1102, 1871, and 1874(e) of the Social Security 
Act (42 U.S.C. 1302, 1395hh, and 1395w-5) and sec. 105, Pub. L. 114-
10, 129 Stat. 87.


2. Section 401.703 is amended by adding paragraphs (j) through (u) to 
read as follows:


Sec.  401.703  Definitions.

* * * * *
    (j) Authorized user is a third party and its contractors 
(including, where applicable, business associates as that term is 
defined at 45 CFR 160.103) that need analyses or data covered by this 
section to carry out work on behalf of that third party (meaning not 
the qualified entity or the qualified entity's contractors) to whom/
which the qualified entity provides or sells data as permitted under 
this subpart. Authorized user third parties are limited to the 
following entities:
    (1) A provider.
    (2) A supplier.
    (3) A medical society.
    (4) A hospital association.
    (5) An employer.
    (6) A health insurance issuer.
    (7) A healthcare provider and/or supplier association.
    (8) A state entity.
    (9) A federal agency.
    (k) Employer has the same meaning as the term ``employer'' as 
defined in section 3(5) of the Employee Retirement Insurance Security 
Act of 1974.
    (l) Health insurance issuer has the same meaning as the term 
``health insurance issuer'' as defined in section 2791 of the Public 
Health Service Act.
    (m) Medical society means a nonprofit organization or association 
that provides unified representation and advocacy for physicians at the 
national or state level and whose membership is comprised of a majority 
of physicians.
    (n) Hospital association means a nonprofit organization or 
association that provides unified representation and advocacy for 
hospitals or health systems at a national, state, or local level and 
whose membership is comprised of a majority of hospitals and health 
systems.
    (o) Healthcare Provider and/or Supplier Association means a 
nonprofit organization or association that provides unified 
representation and advocacy for providers and suppliers at the national 
or state level and whose membership is comprised of a majority of 
suppliers or providers.
    (p) State Entity means any office, department, division, bureau, 
board, commission, agency, institution, or committee within the 
executive branch of a state government.
    (q) Combined data means, at a minimum, a set of CMS claims data 
provided under this subpart combined with claims data, or a subset of 
claims data from at least one of the other claims data sources 
described in Sec.  401.707(d).
    (r) Patient means an individual who has visited the provider or 
supplier for a face-to-face or telehealth appointment at least once in 
the past 24 months.
    (s) Marketing means the same as the term ``marketing'' at 45 CFR 
164.501 without the exception to the bar for ``consent'' based 
marketing.
    (t) Violation means a failure to comply with a requirement of a CMS 
DUA (CMS data use agreement) or QE DUA (qualified entity data use 
agreement).
    (u) Required by law means the same as the phrase ``required by 
law'' at 45 CFR 164.103.

3. Section 401.713 is amended by revising paragraph (a) and adding 
paragraph (d) to read as follows:


Sec.  401.713  Ensuring the privacy and security of data.

    (a) Data use agreement between CMS and a qualified entity. A 
qualified entity must comply with the data requirements in its data use 
agreement with CMS (hereinafter the CMS DUA). Contractors (including, 
where applicable, business associates) of qualified entities that are 
anticipated to have access to the Medicare claims data or beneficiary 
identifiable data in the context of this program are also required to 
execute and comply with the CMS DUA. The CMS DUA will require the 
qualified entity to maintain privacy and security protocols throughout 
the duration of the agreement with CMS, and will ban the use or 
disclosure of Medicare data or any derivative data for purposes other 
than those set out in this subpart. The CMS DUA will also prohibit the 
use of unsecured telecommunications to transmit such data, and will 
specify the circumstances under which such data must be stored and may 
be transmitted.
* * * * *
    (d) Data use agreement between a qualified entity and an authorized 
user. In addition to meeting the other requirements of this subpart, 
and as a pre-condition of selling or disclosing any combined data or 
any Medicare claims data (or any beneficiary-identifiable derivative 
data of either kind) and as a pre-condition of selling or disclosing 
non-public analyses that include individually identifiable beneficiary 
data, the qualified entity must enter a DUA (hereinafter the QE DUA) 
with the authorized user. Among other things laid out in this subpart, 
such QE DUA must contractually bind the authorized user (including any 
contractors or business associates described in the definition of 
authorized user) to the following:
    (1)(i) The authorized user may be permitted to use such data and 
non-public analyses in a manner that a HIPAA Covered Entity could do 
under the following provisions:
    (A) Activities falling under paragraph (1) of the definition of 
``health care operations'' under 45 CFR 164.501: Quality improvement 
activities, including care coordination activities and efforts to track 
and manage medical costs; patient-safety activities; population-based 
activities such as those aimed at improving patient safety, quality of 
care, or population health, including the development of new models of 
care, the development of means to expand coverage and improve access to 
healthcare, the development of means of reducing healthcare 
disparities, and the development or improvement of methods of payment 
or coverage policies.
    (B) Activities falling under paragraph (2) of the definition of 
``health care operations'' under 45 CFR 164.501: Reviewing the 
competence or qualifications of health care professionals, evaluating 
practitioner and provider performance, health plan performance, 
conducting training programs in which students, trainees, or 
practitioners in areas of health care learn under supervision to 
practice or improve their skills as health care providers, training of 
non-health care professionals, accreditation, certification, licensing, 
or credentialing activities.
    (C) Activities that qualify as ``fraud and abuse detection or 
compliance activities'' under 45 CFR 164.506(c)(4)(ii).
    (D) Activities that qualify as ``treatment'' under 45 CFR 164.501.
    (ii) All other uses and disclosures of such data and/or such non-
public analyses must be forbidden except to the extent a disclosure 
qualifies as a ``required by law'' disclosure as defined at 45 CFR 
164.103.

[[Page 44480]]

    (2) The authorized user is prohibited from using or disclosing the 
data or non-public analyses for marketing purposes as defined at Sec.  
401.703(s).
    (3) The authorized user is required to ensure adequate privacy and 
security protection for such data and non-public analyses. At a 
minimum, regardless of whether the authorized user is a HIPAA covered 
entity, such protections of beneficiary identifiable data must be at 
least as protective as what is required of covered entities and their 
business associates regarding protected health information (PHI) under 
the HIPAA Privacy and Security Rules. In all cases, these requirements 
must be imposed for the life of such beneficiary identifiable data or 
non-public analyses and/or any derivative data, that is until all 
copies of such data or non-public analyses are returned or destroyed. 
Such duties must be written in such a manner as to survive termination 
of the QE DUA, whether for cause or not.
    (4) Except as provided for in paragraph (d)(5) of this section, the 
authorized user must be prohibited from re-disclosing or making public 
any such data or non-public analyses.
    (5)(i) At the qualified entity's discretion, it may permit an 
authorized user that is a provider as defined in Sec.  401.703(b) or a 
supplier as defined in Sec.  401.703(c), to re-disclose such data and 
non-public analyses as a covered entity will be permitted to disclose 
PHI under 45 CFR 164.506(c)(4)(i), under 45 CFR 164.506(c)(2), or under 
45 CFR 164.502(e)(1).
    (ii) All other uses and disclosures of such data and/or such non-
public analyses is forbidden except to the extent a disclosure 
qualifies as a ``required by law'' disclosure.
    (6) Authorized users who/that receive the beneficiary de-identified 
combined data or Medicare data as contemplated under Sec.  401.718 are 
contractually prohibited from linking the beneficiary de-identified 
data to any other identifiable source of information, and must be 
contractually barred from attempting any other means of re-identifying 
any individual whose data is included in such data.
    (7) The QE DUA must bind authorized user(s) to notifying the 
qualified entity of any violations of the QE DUA, and it must require 
the full cooperation of the authorized user in the qualified entity's 
efforts to mitigate any harm that may result from such violations, or 
to comply with the breach provisions governing qualified entities under 
this subpart.

4. Section 401.716 is added to read as follows:


Sec.  401.716  Non-public analyses.

    (a) General. So long as it meets the other requirements of this 
subpart, and subject to the limits in paragraphs (b) and (c) of this 
section, the qualified entity may use the combined data to create non-
public analyses in addition to performance measures and provide or sell 
these non-public analyses to authorized users (including any 
contractors or business associates described in the definition of 
authorized user).
    (b) Limitations on a qualified entity. In addition to meeting the 
other requirements of this subpart, a qualified entity must comply with 
the following limitations as a pre-condition of dissemination or 
selling non-public analyses to an authorized user:
    (1) A qualified entity may only provide or sell a non-public 
analysis to a health insurance issuer as defined in Sec.  401.703(l), 
after the health insurance issuer or a business associate of that 
health insurance issuer has provided the qualified entity with claims 
data that represents a majority of the health insurance issuer's 
covered lives, using one of the four methods of calculating covered 
lives established at 26 CFR 46.4375-1(c)(2), for the time period and 
geographic region covered by the issuer-requested non-public analyses. 
A qualified entity may not provide or sell a non-public analysis to a 
health insurance issuer if the issuer does not have any covered lives 
in the geographic region covered by the issuer-requested non-public 
analysis.
    (2) Analyses that contain information that individually identifies 
one or more beneficiaries may only be disclosed to a provider or 
supplier (as defined at Sec.  401.703(b) and (c)) when both of the 
following conditions are met:
    (i) The analyses only contain identifiable information on 
beneficiaries with whom the provider or supplier have a patient 
relationship as defined at Sec.  401.703(r).
    (ii) A QE DUA as defined at Sec.  401.713(d) is executed between 
the qualified entity and the provider or supplier prior to making any 
individually identifiable beneficiary information available to the 
provider or supplier.
    (3) Except as specified under paragraph (b)(2) of this section, all 
analyses must be limited to beneficiary de-identified data. Regardless 
of the HIPAA covered entity or business associate status of the 
qualified entity and/or the authorized user, de-identification must be 
determined based on the standards for HIPAA covered entities found at 
45 CFR 164.514(b).
    (4) Analyses that contain information that individually identifies 
a provider or supplier (regardless of the level of the provider or 
supplier, that is, individual clinician, group of clinicians, or 
integrated delivery system) may not be disclosed unless one of the 
following three conditions apply:
    (i) The analysis only individually identifies the provider or 
supplier that is being supplied the analysis.
    (ii) Every provider or supplier individually identified in the 
analysis has been afforded the opportunity to appeal or correct errors 
using the process at Sec.  401.717(f).
    (iii) Every provider or supplier individually identified in the 
analysis has notified the qualified entity, in writing, that analyses 
can be disclosed to the authorized user without first going through the 
appeal and error correction process at Sec.  401.717(f).
    (c) Non-public analyses agreement between a qualified entity and an 
authorized user for beneficiary de-identified non-public analyses 
disclosures. In addition to the other requirements of this subpart, a 
qualified entity must enter a contractually binding non-public analyses 
agreement with the authorized user (including any contractors or 
business associates described in the definition of authorized user) as 
a pre-condition to providing or selling de-identified analyses. Such 
non-public analyses agreement must contain the following provisions:
    (1) The authorized user may not use the analyses or derivative data 
for the following purposes:
    (i) Marketing, as defined at Sec.  401.703(s).
    (ii) Harming or seeking to harm patients or other individuals both 
within and outside the healthcare system regardless of whether their 
data are included in the analyses.
    (iii) Effectuating or seeking opportunities to effectuate fraud 
and/or abuse in the healthcare system.
    (2) If the authorized user is an employer as defined in Sec.  
401.703(k), the authorized user may only use the analyses or derivative 
data for purposes of providing health insurance to employees, retirees, 
or dependents of employees or retirees of that employer.
    (3)(i) At the qualified entity's discretion, it may permit an 
authorized user that is a provider as defined in Sec.  401.703(b) or a 
supplier as defined in Sec.  401.703(c), to re-disclose the de-
identified analyses or derivative data, as a covered entity will be 
permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).
    (ii) All other uses and disclosures of such data and/or such non-
public

[[Page 44481]]

analyses is forbidden except to the extent a disclosure qualifies as a 
``required by law'' disclosure.
    (4) If the authorized user is not a provider or supplier, the 
authorized user may not re-disclose or make public any non-public 
analyses or derivative data except as required by law.
    (5) The authorized user may not link the de-identified analyses to 
any other identifiable source of information and may not in any other 
way attempt to identify any individual whose de-identified data is 
included in the analyses.
    (6) The authorized user must notify the qualified entity of any DUA 
violations, and it must fully cooperate with the qualified entity's 
efforts to mitigate any harm that may result from such violations.

5. Section 401.717 is amended by adding paragraph (f) to read as 
follows:


Sec.  401.717  Provider and supplier requests for error correction.

* * * * *
    (f) A qualified entity must comply with the following requirements 
before disclosing non-public analyses, as defined at Sec.  401.716, 
which contain information that individually identifies a provider or 
supplier:
    (1) A qualified entity must confidentially notify a provider or 
supplier that non-public analyses that individually identify the 
provider or supplier are going to be released to an authorized user at 
least 65 calendar days before disclosing the analyses. This 
confidential notification must include a short summary of the analyses 
(including the measures calculated), the process for the provider or 
supplier to request the analyses, the authorized users receiving the 
analyses, and the date on which the qualified entity will release the 
analyses to the authorized user.
    (2) A qualified entity must allow providers and suppliers the 
opportunity to opt-in to the review and correction process as defined 
in paragraphs (a) through (e) of this section, anytime during the 65 
calendar days. If a provider or supplier chooses to opt-in to the 
review and correction process more than 5 days into the notification 
period, the time for the review and correction process is shortened 
from 60 days to the number of days between the provider or supplier 
opt-in date and the release date specified in the confidential 
notification.

6. Section 401.718 is added to read as follows:


Sec.  401.718  Dissemination of data.

    (a) General. Subject to the other requirements in this subpart, the 
requirements in paragraphs (b) and (c) of this section and any other 
applicable laws or contractual agreements, a qualified entity may 
provide or sell combined data or provide Medicare data at no cost to 
authorized users defined at Sec.  401.703(b), (c), (m), and (n).
    (b) Data--(1) De-identification. Except as specified in paragraph 
(b)(2) of this section, any data provided or sold by a qualified entity 
to an authorized user must be limited to beneficiary de-identified 
data. De-identification must be determined based on the de-
identification standards for HIPAA covered entities found at 45 CFR 
164.514(b).
    (2) Exception. If such disclosure will be consistent with all 
applicable laws, data that individually identifies a beneficiary may 
only be disclosed to a provider or supplier (as defined at Sec.  
401.703(b) and (c)) with whom the identifiable individuals in such data 
have a current patient relationship as defined at Sec.  401.703(r).
    (c) Data use agreement between a qualified entity and an authorized 
user. A qualified entity must contractually require an authorized user 
to comply with the requirements in Sec.  401.713(d) prior to providing 
or selling data to an authorized user under Sec.  401.718.

7. Section 401.719 is amended by adding paragraphs (b)(3) and (4) and 
(d)(5) to read as follows:


Sec.  401.719  Monitoring and sanctioning of qualified entities.

* * * * *
    (b) * * *
    (3) Non-public analyses provided or sold to authorized users under 
this subpart, including the following information:
    (i) A summary of the analyses provided or sold, including--
    (A) The number of analyses.
    (B) The number of purchasers of such analyses.
    (C) The types of authorized users that purchased analyses.
    (D) The total amount of fees received for such analyses.
    (E) QE DUA or non-public analyses agreement violations.
    (ii) A description of the topics and purposes of such analyses.
    (iii) The number of analyses disclosed with unresolved requests for 
error correction.
    (4) Data provided or sold to authorized users under this subpart, 
including the following information:
    (i) The entities who received data.
    (ii) The basis under which each entity received such data.
    (iii) The total amount of fees received for providing, selling, or 
sharing the data.
    (iv) QE DUA violations.
* * * * *
    (d) * * *
    (5) In the case of a violation, as defined at Sec.  401.703(t), of 
the CMS DUA or the QE DUA, CMS will impose an assessment on a qualified 
entity in accordance with the following:
    (i) Amount of assessment. CMS will calculate the amount of the 
assessment of up to $100 per individual entitled to, or enrolled for, 
benefits under part A of title XVIII of the Social Security Act or 
enrolled for benefits under Part B of such title whose data was 
implicated in the violation based on the following:
    (A) Basic factors. In determining the amount per impacted 
individual, CMS takes into account the following:
    (1) The nature and the extent of the violation.
    (2) The nature and the extent of the harm or potential harm 
resulting from the violation.
    (3) The degree of culpability and the history of prior violations.
    (B) Criteria to be considered. In establishing the basic factors, 
CMS considers the following circumstances:
    (1) Aggravating circumstances. Aggravating circumstances include 
the following:
    (i) There were several types of violations occurring over a lengthy 
period of time.
    (ii) There were many of these violations or the nature and 
circumstances indicate a pattern of violations.
    (iii) The nature of the violation had the potential or actually 
resulted in harm to beneficiaries.
    (2) Mitigating circumstances. Mitigating circumstances include the 
following:
    (i) All of the violations subject to the imposition of an 
assessment were few in number, of the same type, and occurring within a 
short period of time.
    (ii) The violation was the result of an unintentional and 
unrecognized error and the qualified entity took corrective steps 
immediately after discovering the error.
    (C) Effects of aggravating or mitigating circumstances. In 
determining the amount of the assessment to be imposed under paragraph 
(d)(5)(i)(A) of this section:
    (1) If there are substantial or several mitigating circumstances, 
the aggregate amount of the assessment is set at an amount sufficiently 
below the maximum permitted by paragraph (d)(5)(i)(A) of this section 
to reflect the mitigating circumstances.

[[Page 44482]]

    (2) If there are substantial or several aggravating circumstances, 
the aggregate amount of the assessment is set at an amount at or 
sufficiently close to the maximum permitted by paragraph (d)(5)(i)(A) 
of this section to reflect the aggravating circumstances.
    (D) The standards set for the qualified entity in this paragraph 
are binding, except to the extent that--
    (1) The amount imposed is not less than the approximate amount 
required to fully compensate the United States, or any State, for its 
damages and costs, tangible and intangible, including but not limited 
to the costs attributable to the investigation, prosecution, and 
administrative review of the case.
    (2) Nothing in this section limits the authority of CMS to settle 
any issue or case as provided by part 1005 of this title or to 
compromise any assessment as provided by paragraph (d)(5)(ii)(E) of 
this section.
    (ii) Notice of determination. CMS must propose an assessment in 
accordance with this paragraph (d)(5), by notifying the qualified 
entity by certified mail, return receipt requested. Such notice must 
include the following information:
    (A) The assessment amount.
    (B) The statutory and regulatory bases for the assessment.
    (C) A description of the violations upon which the assessment was 
proposed.
    (D) Any mitigating or aggravating circumstances that CMS considered 
when it calculated the amount of the proposed assessment.
    (E) Information concerning response to the notice, including:
    (1) A specific statement of the respondent's right to a hearing in 
accordance with procedures established at Section 1128A of the Act and 
implemented in 42 CFR part 1005.
    (2) A statement that failure to respond within 60 days renders the 
proposed determination final and permits the imposition of the proposed 
assessment.
    (3) A statement that the debt may be collected through an 
administrative offset.
    (4) In the case of a respondent that has an agreement under section 
1866 of the Act, notice that imposition of an exclusion may result in 
termination of the provider's agreement in accordance with section 
1866(b)(2)(C) of the Act.
    (F) The means by which the qualified entity may pay the amount if 
they do not intend to request a hearing.
    (iii) Failure to request a hearing. If the qualified entity does 
not request a hearing within 60 days of receipt of the notice of 
proposed determination, any assessment becomes final and CMS may impose 
the proposed assessment.
    (A) CMS notifies the qualified entity, by certified mail with 
return receipt requested, of any assessment that has been imposed and 
of the means by which the qualified entity may satisfy the judgment.
    (B) The qualified entity has no right to appeal an assessment for 
which the qualified entity has not requested a hearing.
    (iv) When an assessment is collectible. An assessment becomes 
collectible after the earliest of the following:
    (A) Sixty (60) days after the qualified entity receives CMS's 
notice of proposed determination under paragraph (d)(5)(ii) of this 
section, if the qualified entity has not requested a hearing.
    (B) Immediately after the qualified entity abandons or waives its 
appeal right at any administrative level.
    (C) Thirty (30) days after the qualified entity receives the ALJ's 
decision imposing an assessment under Sec.  1005.20(d) of this title, 
if the qualified entity has not requested a review before the DAB.
    (D) Sixty (60) days after the qualified entity receives the DAB's 
decision imposing an assessment if the qualified entity has not 
requested a stay of the decision under Sec.  1005.22(b) of this title.
    (v) Collection of an assessment. Once a determination by HHS has 
become final, CMS is responsible for the collection of any assessment.
    (A) The General Counsel may compromise an assessment imposed under 
this part, after consulting with CMS or OIG, and the Federal government 
may recover the assessment in a civil action brought in the United 
States district court for the district where the claim was presented or 
where the qualified entity resides.
    (B) The United States or a state agency may deduct the amount of an 
assessment when finally determined, or the amount agreed upon in 
compromise, from any sum then or later owing the qualified entity.
    (C) Matters that were raised or that could have been raised in a 
hearing before an ALJ or in an appeal under section 1128A(e) of the Act 
may not be raised as a defense in a civil action by the United States 
to collect an assessment.

8. Section 401.721 is amended by adding paragraph (a)(7) to read as 
follows:


Sec.  401.721  Terminating an agreement with a qualified entity.

    (a) * * *
    (7) Fails to ensure authorized users comply with their QE DUAs or 
analysis use agreements.
* * * * *

9. Section 401.722 is added to read as follows:


Sec.  401.722  Qualified clinical data registries.

    (a) A qualified clinical data registry that agrees to meet all the 
requirements in this subpart, with the exception of Sec.  401.707(d), 
may request access to Medicare data as a quasi qualified entity in 
accordance with such qualified entity program requirements.
    (b) Notwithstanding Sec.  401.703(q) (generally defining combined 
data), for purposes of qualified clinical data registries acting as 
quasi qualified entities under the qualified entity program 
requirements, combined data means, at a minimum, a set of CMS claims 
data provided under this subpart combined with clinical data or a 
subset of clinical data.

    Dated: June 22, 2016.
Andrew M. Slavitt,
Acting Administrator, Centers for Medicare & Medicaid Services.

    Dated: June 28, 2016.
Sylvia M. Burwell,
Secretary, Department of Health and Human Services.
[FR Doc. 2016-15708 Filed 7-1-16; 11:15 am]
 BILLING CODE 4120-01-P