[Federal Register Volume 76, Number 110 (Wednesday, June 8, 2011)]
[Proposed Rules]
[Pages 33566-33588]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-14003]
[[Page 33565]]
Vol. 76
Wednesday
No. 110
June 8, 2011
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
Centers for Medicare & Medicaid Services
-----------------------------------------------------------------------
42 CFR Part 401
Medicare Program; Availability of Medicare Data for Performance
Measurement; Proposed Rule
��Federal Register / Vol. 76, No. 110 / Wednesday June 8, 2011 /
Proposed Rules��
[[Page 33566]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
42 CFR Part 401
[CMS-5059-P]
RIN 0938-AQ17
Medicare Program; Availability of Medicare Data for Performance
Measurement
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: This rule proposes to implement new statutory requirements
regarding the release and use of standardized extracts of Medicare
claims data to measure the performance of providers and suppliers in
ways that protect patient privacy. This rule explains how entities can
become qualified by CMS to receive standardized extracts of claims data
under Medicare Parts A, B, and D for the purpose of evaluation of the
performance of providers of services and suppliers.
DATES: To be assured consideration, comments must be received at one of
the addresses provided below, no later than 5 p.m. on August 8, 2011.
ADDRESSES: In commenting, please refer to file code CMS-5059-P. Because
of staff and resource limitations, we cannot accept comments by
facsimile (FAX) transmission.
You may submit comments in one of four ways (please choose only one
of the ways listed):
1. Electronically. You may submit electronic comments on this
regulation to http://www.regulations.gov. Follow the ``Submit a
comment'' instructions.
2. By regular mail. You may mail written comments to the following
address ONLY: Centers for Medicare & Medicaid Services, Department of
Health and Human Services, Attention: CMS-5059-P, P.O. Box 8012,
Baltimore, MD 21244-1850.
Please allow sufficient time for mailed comments to be received
before the close of the comment period.
3. By express or overnight mail. You may send written comments to
the following address ONLY: Centers for Medicare & Medicaid Services,
Department of Health and Human Services, Attention: CMS-5059-P, Mail
Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.
4. By hand or courier. Alternatively, you may deliver (by hand or
courier) your written comments ONLY to the following addresses prior to
the close of the comment period: a. For delivery in Washington, DC--
Centers for Medicare & Medicaid Services, Department of Health and
Human Services, Room 445-G, Hubert H. Humphrey Building, 200
Independence Avenue, SW., Washington, DC 20201.
(Because access to the interior of the Hubert H. Humphrey Building
is not readily available to persons without Federal Government
identification, commenters are encouraged to leave their comments in
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing
by stamping in and retaining an extra copy of the comments being
filed.)
b. For delivery in Baltimore, MD--Centers for Medicare & Medicaid
Services, Department of Health and Human Services, 7500 Security
Boulevard, Baltimore, MD 21244-1850.
If you intend to deliver your comments to the Baltimore address,
please call telephone number (410) 786-9994 in advance to schedule your
arrival with one of our staff members.
Comments erroneously mailed to the addresses indicated as
appropriate for hand or courier delivery may be delayed and received
after the comment period.
For information on viewing public comments, see the beginning of
the SUPPLEMENTARY INFORMATION section.
FOR FURTHER INFORMATION CONTACT: Colleen Bruce, (410) 786-5529.
SUPPLEMENTARY INFORMATION:
Inspection of Public Comments: All comments received before the
close of the comment period are available for viewing by the public,
including any personally identifiable or confidential business
information that is included in a comment. We post all comments
received before the close of the comment period on the following Web
site as soon as possible after they have been received at: http://www.regulations.gov. Follow the search instructions on that Web site to
view public comments.
Comments received in a timely fashion would also be available for
public inspection as they are received, generally beginning
approximately 3 weeks after publication of a document, at the
headquarters of the Centers for Medicare & Medicaid Services, 7500
Security Boulevard, Baltimore, Maryland 21244, Monday through Friday of
each week from 8:30 a.m. to 4 p.m. To schedule an appointment to view
public comments, phone 1-800-743-3951.
I. Background
On March 23, 2010, the Patient Protection and Affordable Care Act,
(``Affordable Care Act'') Public Law 111-148, was enacted. Effective
January 1, 2012, section 10332 of the Affordable Care Act would amend
section 1874 of the Social Security Act (the Act) by adding a new
subsection (e) requiring standardized extracts of Medicare claims data
under parts A, B, and D be made available to ``qualified entities'' for
the evaluation of the performance of providers of services and
suppliers. Such a disclosure is permitted under the Privacy Rule issued
under the Health Insurance Portability and Accountability Act as a
disclosure ``required by law.'' Qualified entities may use the
information obtained under section 1874(e) of the Act for the sole
purpose of evaluating the performance of providers of services and
suppliers, and to generate specified public reports. Qualified entities
may receive data for one or more specified geographic areas and must
pay a fee equal to the cost of making the data available. Congress also
required that qualified entities combine claims data from sources other
than Medicare with the Medicare data when evaluating the performance of
providers of services and suppliers. Potential qualified entities that
wish to request data under these provisions would have to submit an
application to the Secretary that includes, among other things, a
description of the methodologies that the applicant proposes to use to
evaluate the performance of providers of services and suppliers in the
geographic area(s) they select. Qualified entities would generally be
required to use standard measures for evaluating the performance of
providers of services and suppliers unless the Secretary, in
consultation with appropriate stakeholders, determines that use of
alternative measures would be more valid, reliable, responsive to
consumer preferences, cost-effective, or relevant to dimensions of
quality and resource use not addressed by standard measures. Reports
generated by the qualified entities may only include information on
individual providers of services and suppliers in aggregate form, that
is, at the provider of services or supplier level, and may not be
released to the public until the providers of services and suppliers
have had an opportunity to review them and ask for corrections.
Congress included a provision at section 1874(e)(3) of the Act to allow
the Secretary to take such actions as may be necessary to protect the
identity of individuals entitled to or enrolled in Medicare.
[[Page 33567]]
We believe the sharing of Medicare data with qualified entities
through this program and the resulting reports produced by qualified
entities would be an important driver of improving quality and reducing
costs in Medicare, as well as for the healthcare system in general.
Additionally, we believe this program would increase the transparency
of provider and supplier performance, while ensuring beneficiary
privacy.
II. Provisions of the Proposed Rule
To implement the new statutory provisions of section 1874(e) of the
Act, we are proposing to revise Part 401 by adding a new subpart G,
``Availability of Medicare Data for Performance Measurement.'' The
proposals in this rule would be consistent with section 10332 of the
Affordable Care Act. Throughout the preamble, we identify options and
alternatives to the provisions we propose. We have attempted to take
into consideration comments received during the listening session on
September 20, 2010. However, we strongly encourage comments on our
proposed approach and on alternatives that would help us implement the
appropriate requirements and regulatory provisions under section
1874(e) of the Act.
A. Considerations for the Definition, Eligibility Criteria, and
Operating Requirements of Qualified Entities
1. Definitions
Section 1874(e)(1) of the Act requires the Secretary to make
available to qualified entities data for the evaluation of the
performance of providers of services and suppliers, as proposed at
Subpart G of this proposed rule. Section 1874(e)(2) of the Act defines
a qualified entity as a public or private entity that:
Is qualified (as determined by the Secretary) to use
claims data to evaluate the performance of providers of services and
suppliers on measures of quality, efficiency, effectiveness, and
resource use; and
Agrees to meet the requirements described in section
1874(e)(4) of the Act and meets such other requirements as the
Secretary may specify, such as ensuring security of data.
We have proposed a definition that is consistent with these
statutory provisions at 42 CFR 401.702(a). Specifically, we have
defined a qualified entity as a public or private entity that: (1) is
qualified, as determined by the Secretary, to use claims data to
evaluate the performance of providers of services and suppliers on
measures of quality, efficiency, effectiveness, and resources use, and
(2) agrees to meet the requirements of the Act and meets stated
regulatory requirements at Sec. Sec. 401.703 through 401.710.
2. Eligibility Criteria
As amended, section 1874(e)(2)(A) of the Act provides the Secretary
with discretion to establish criteria to determine whether an entity is
qualified to use claims data to evaluate the performance of providers
of services and suppliers. In determining the qualified entity
eligibility requirements, we sought to balance the need to ensure the
production of timely, high quality, usable reports on providers of
services and suppliers with the need to protect the privacy and
security of beneficiary identifiable data and the need to ensure
providers of services and suppliers have the opportunity to review the
reports, appeal, and correct errors prior to public release.
We are proposing at Sec. 401.703 to evaluate an organization's
eligibility qualifications across three areas: organizational and
governance capabilities, addition of claims data from other sources,
and data privacy and security. In determining an applicant's
eligibility, potential qualified entities would be evaluated
individually to ensure they are prepared to meet the requirements in
the statute for serving as a qualified entity. We are not planning to
limit the number of qualified entities. Any entity that meets the
eligibility criteria would be able to become a qualified entity.
a. Organizational and Governance Capabilities
Section 1874(e)(2)(A) of the Act gives the Secretary the authority
to establish the criteria to determine whether an entity is qualified
to fulfill the requirements of the statute. We propose to thoroughly
evaluate potential qualified entities on their organizational and
governance capabilities to perform all of the following tasks:
Accurately calculating quality, efficiency, effectiveness,
and resource use measures from claims data, including:
[cir] Identifying an appropriate method to attribute a particular
patient's services to specific providers of services and suppliers.
[cir] Ensuring the use of approaches to ensure statistical validity
such as a minimum number of observations or minimum denominator for
each measure.
[cir] Using methods for risk-adjustment to account for variation in
both case-mix and severity among providers of services and suppliers.
[cir] Identifying methods for handling outliers.
[cir] Correcting measurement errors and assessing measure
reliability.
[cir] Identifying appropriate peer groups of providers and
suppliers for meaningful comparisons.
Successfully combining claims data from different payers
to calculate performance reports.
Designing, and continuously improving the format of
performance reports on providers of services and suppliers.
Preparing an understandable description of the measures
used to evaluate the performance of providers of services and suppliers
so that consumers, providers of services and suppliers, health plans,
researchers, and other stakeholders can assess performance reports.
Implementing and maintaining a process for providers of
services and suppliers identified in a report to review the report
prior to publication, and providing timely responses to provider of
services and supplier inquiries regarding requests for data, error
correction, and appeals.
Establishing, maintaining, and monitoring a rigorous data
privacy and security program, including disclosing to CMS in its
application any inappropriate disclosures of beneficiary identifiable
information or HIPAA violations for the preceding 10-year period, and
any corrective actions taken to address such issues.
Accurately preparing performance reports on providers of
services and suppliers and making performance report information
available to the public in aggregate form, that is, at the provider of
services or supplier level.
Applicants would generally be expected to demonstrate expertise and
sustained experience on each of these criteria. Generally, an applicant
would be considered to have demonstrated expertise and sustained
experience on these criteria if the applicant can show that it has been
handling claims data and calculating performance measures for a period
of at least three years. We believe that to be a successful qualified
entity, an applicant would need to have an established track record of
profiling providers of services and suppliers. However, we propose to
consider applicants with fewer years of experience in handling claims
data and calculating performance measures, or limited experience
implementing and maintaining a process for providers of services and
suppliers to request error correction if the applicant has sufficient
[[Page 33568]]
experience in the other areas described above. In all other areas,
applicants must demonstrate expertise and sustained experience as
stated above. We seek comment on our approach to evaluating qualified
entities, and whether three years of demonstrated expertise is
sufficient to ensure that only the highest quality entities are
admitted to this program.
We note that several of the tasks that are required of the
qualified entities necessitate expertise and careful attention to the
required processes as outlined below. Due to the importance of ensuring
that the qualified entity is able to achieve the goals of the program,
we wish to ensure that the qualified entities have the resources to
meet their obligations to measure providers of services and suppliers
and publish reports under the statute. Therefore, we propose that
qualified entity applicants would also need to submit a description of
the business model they plan to use for covering the costs of
performing the required functions listed below, including paying the
fee for the data. We solicit comment on our proposal.
b. Addition of Claims Data From Other Sources
Section 1874(e)(1) and Section 1874(e)(3) of the Act require the
Secretary to provide standardized extracts of claims data under
Medicare Parts A, B, and D for one or more specified geographic areas
and time periods to qualified entities so they can use the information
in concert with other claims data to evaluate the performance of
providers and suppliers. As discussed in section II.B. below, the
qualified entities are to evaluate the performance of providers of
services and suppliers using measures that may be calculated from the
claims data only. At Sec. 401.702(d), we propose to define claims
data, whether from Medicare claims or other sources, to be
administrative claims data only, meaning, itemized billing statements
from providers of services and suppliers that, except in the context of
Part D drug event data, request reimbursement for a list of services
and supplies that were provided to a Medicare beneficiary in the fee-
for-service context or to a participant in another insurance or
entitlement program. Claims data would need to have characteristics and
variables similar to the data discussed in section II.C. below. Data
from other sources, such as registry data, chart abstracted data, or
data from electronic medical records would not be considered claims
data.
Section 1874(e)(4)(B)(iii) of the Act requires qualified entities
to combine Medicare data made available under this section with claims
data from sources other than Medicare in their performance evaluations
of providers of services or suppliers. We believe that this provision
was intended to make Medicare data available to those already working
with other claims data in order to increase sample sizes used to
calculate measures and evaluate the performance of providers of
services and suppliers. This belief is based on past experiences where
measurement entities have expressed an interest in obtaining Medicare
data to combine with other claims data to improve the population sample
upon which their performance findings are based, and to address
concerns expressed by stakeholders regarding small sample sizes in
performance reports generated from a single payer source. The relative
size of Medicare enrollment makes it one of the largest payers in any
given market.
In addition, since Medicare serves an older population with
declining health, using claims data from Medicare would provide more
opportunities to assess care provided to the chronically ill and other
resource-intensive populations than is found in other claims data. The
goal expressed by those seeking this data in the past has been that
Medicare data, when coupled with other claims data, can provide
measurement initiatives with greatly increased sample sizes upon which
to calculate more reliable performance results.
The statute requires the inclusion of claims data from other
sources, but it does not specify a minimum amount of such data to
qualify as a qualified entity. CMS has considered how to best ensure
that Medicare data is combined with a sufficient amount of other claims
data to meaningfully address some of the concerns regarding sample size
and reliability outlined above. We are proposing at Sec. 401.703(a)(2)
that applicants demonstrate to CMS that the claims data from other
sources, which they are combining with Medicare data, addresses the
concerns regarding sample size and reliability expressed by multiple
stakeholders regarding the calculation of performance measures from a
single payer source. In order to ensure that Medicare data is only made
available to qualified entities that have additional claims data from
other sources, applicants would not be approved as qualified entities
unless they possess the claims data from other sources at the time of
their application, and that data meets the requirements outlined above.
We considered imposing a specific threshold amount of additional
claims data, but we believe that it would be difficult to precisely
establish a threshold amount of data to address concerns about small
sample sizes and reliability. We are requesting comments on this policy
decision, as well as suggestions for other possible options or
alternatives. We are also considering a proposal to require qualified
entities to have claims data from two or more other sources. For
example, a qualified entity would need to have claims data from two
private payers, or one private payer and Medicaid claims data, in order
to be eligible to receive Medicare data. We believe that a requirement
for claims data from two or more other sources may help further
alleviate some of the methodological issues associated with performance
measurement based on single-source data. Measurement of a provider of
services or supplier based on one other source plus Medicare may still
not represent enough of a provider of services' or supplier's patient
population to provide meaningful data that would help improve
performance. We are considering a proposal to require claims data from
two or more other sources to ensure that performance reports produced
by qualified entities are as fair a representation as possible of any
provider of services' or suppliers' practice to encourage behavior
change. We seek comments on this alternative proposal of requiring
claims data from two or more other sources to be combined with Medicare
claims data, and whether there are particular challenges associated
with requiring claims data from multiple sources before a qualified
entity can participate in this program.
c. Data Privacy and Security
It is of the utmost importance to CMS that beneficiary identifiable
Medicare data remain private and secure. Section 1874(e)(3) of the Act
requires the Secretary to take actions necessary to protect the
identity of individuals entitled to or enrolled in our programs.
In order to fulfill this obligation, we are proposing at Sec.
401.703(a)(3) to require that applicants demonstrate that they have
rigorous privacy and security practices in place to protect the data
released to them and have programs in place to train staff on data
privacy protections and general data security protocols. Applicants
would not be eligible to serve as qualified entities unless CMS
determines that they have thoroughly documented data privacy and
security practices including enforcement mechanisms. The data privacy
and security requirements for qualified entities are discussed in
detail at Section II.D.
[[Page 33569]]
3. Proposed Operating and Governance Requirements for Serving as a
Qualified Entity
CMS recognizes that applicants may not have fully developed plans
for every aspect of serving as a qualified entity; however, there are
key aspects that we believe are important enough to require the
submission of proposed plans as a condition of being approved as a
qualified entity. Specifically, we propose at Sec. 401.704 that
applicants would submit, as part of their application: (1) The measures
they intend to use, including, among other things, the methods of
creating and disseminating reports; (2) the report review process they
would use to afford providers of services and suppliers with reports
confidentially prior to public release, including addressing report
recipient requests for data and for error correction; (3) a prototype
for the required reports, including any narrative language, and
dissemination plans for providing reports to the public. Additional
information regarding the application requirements may be found in
section II.G. below.
B. Considerations for the Definition, Selection, and Use of Performance
Measures by Qualified Entities
Section 1874(e)(2)(A) of the Act requires qualified entities be
qualified to use claims data to evaluate the performance of providers
of services and suppliers using measures of quality, efficiency,
effectiveness, and resource use. Specifically, section
1874(e)(4)(B)(ii)(I) of the Act requires qualified entities requesting
standardized extracts of Medicare claims to use standard measures, if
available, such as measures endorsed by the entity with a contract
under section 1890(a) of the Act, and measures developed pursuant to
section 931 of the Public Health Service Act. Section
1874(e)(4)(B)(ii)(II) of the Act also provides for the use of
alternative measures by qualified entities if the Secretary, in
consultation with appropriate stakeholders, determines that use of such
alternative measures would be more valid, reliable, responsive to
consumer preferences, cost-effective, or relevant to dimensions of
quality and resource use not addressed by the standard measures.
Qualified entities may only use standard or approved alternative
measures to evaluate the performance of providers of services and
suppliers using claims data from Medicare parts A, B, or D.
1. Proposed Definition of, and Process for Identifying and Approving
Standard Measures for Use by Qualified Entities
For purposes of a qualified entity selecting and using measures to
evaluate the performance of providers of services and suppliers, we
propose to define at Sec. 401.708(a) a ``standard measure'' to be a
measure that can be calculated using only claims data and that is--(1)
endorsed by the entity with a contract under section 1890(a) of the
Act; (2) developed pursuant to section 931 of the Public Health Service
Act; or (3) was adopted through notice and comment rulemaking and is
currently being used in a CMS program that includes performance
measurement, even if it is not endorsed by the entity with a contract
under section 1890(a) of the Act.
Currently, the entity with a contract under section 1890(a) of the
Act is the National Quality Forum (NQF). NQF uses its formal Consensus
Development Process to evaluate and endorse consensus standards,
including performance measures, on an ongoing basis. It is viewed as a
trusted partner in ensuring that any nationally endorsed provider of
services and supplier performance measures are subject to rigorous
multi-stakeholder scrutiny to ensure they are scientifically valid,
address clear performance improvement needs and can be calculated in a
manner that does not impose undue burden on providers and suppliers.
There are currently hundreds of NQF-endorsed quality measures covering
a range of clinicians, settings, and specialties, although not all of
these measures can be calculated using only claims data.
A list of currently NQF-endorsed performance measures can be
obtained from the NQF Web site at http://www.qualityforum.org/Measures_List.aspx. We propose to define any measure endorsed by the
entity with a contract under section 1890(a) of the Act which can be
calculated from standardized extracts of Medicare parts A, B, or D
claims as a standard measure. In addition to endorsed NQF measures, we
propose to also define a measure which can be calculated from
standardized extracts of Medicare parts A, B, or D claims data that has
time-limited NQF endorsement as a standard measure. Measures that are
time-limited endorsed that were not developed pursuant to section 931
of the Public Health Service Act, or that are being used by a CMS
program that includes performance measurement, would only be considered
standard measures until such time as the NQF determines their
endorsement status. Time-limited endorsed measures that ultimately
receive endorsement would remain standard measures for as long as they
remain endorsed, and time-limited endorsed measures that do not
ultimately receive endorsement would lose their status as standard
measures unless they were developed pursuant to section 931 of the
Public Health Service Act, or can be calculated from standardized
extracts of Medicare parts A, B, or D claims data, were adopted through
notice and comments rulemaking, and are being used in a CMS program
that includes quality measurement. Time-limited measures that do not
receive NQF endorsement and that were not developed pursuant to Section
931 of the Public Health Act, or are not used in a CMS program that
includes performance measurement could however, be submitted for
approval as alternative measures through the alternative measure
process outlined below at II.B.2.
Section 931 of the Public Health Service Act, as added by Section
3013 of the Affordable Care Act supports the development, improvement,
update, or expansion of quality measures for use in Federal health
programs. To date, no measures have been developed under this
provision. We propose that any measures developed or updated under this
provision would also be considered standard measures regardless of
their NQF endorsement status, as long as the measures can be calculated
from the standardized extracts of Medicare parts A, B, and D claims
data available to the qualified entity.
We also propose to include in the definition of standard measure
any measure that was adopted through notice and comment rulemaking and
that is currently used in a CMS program that involves performance
measurement, even if it is not NQF-endorsed or developed under section
931 of the Public Health Service Act, as long as the measure can be
calculated from the standardized extracts of Medicare parts A, B, and D
claims data available to the qualified entity. For example, several
measures in the hospital Inpatient Quality Reporting program beginning
in FY 2012 (foreign object retained after surgery, air embolism,
catheter-associated urinary tract infection, blood incompatibility,
pressure ulcer stages III and IV, falls and trauma, manifestations of
poor glycemic control, and vascular catheter associated infection) fit
this criteria.
The notice and comment rulemaking process includes a public comment
period in which stakeholders are able to express their views regarding
the proposed measures. Measures
[[Page 33570]]
implemented via the rulemaking process are not finalized until the
public comment period closes, the comments are reviewed and considered,
and a final rule is published. Because the notice and comment
rulemaking process involves extensive opportunity for public input, we
believe that measures used in CMS programs, regardless of whether they
are endorsed by the NQF or developed under section 931 of the Public
Health Service Act, have been subjected to sufficient scrutiny that
they can be considered standard measures. We propose to make a list of
measures that meet the requirements of being adopted through notice and
comment rulemaking and currently being used in a CMS program that
includes performance measurement, available in subregulatory guidance.
In using any standard measure, we propose to require that the
qualified entity must follow the measure specifications as written,
including all numerator and denominator inclusions and exclusions,
measured time periods, and specified data sources. We recognize that
some measure specifications may require additional customization to
implement in specific contexts, but such customization should not
change the defined numerator, denominator, and exclusion criteria for
the measure.
We invite comments on the proposed definition of standard measures
and the proposed requirement for qualified entities to follow the
measure specifications as written.
2. Proposed Definition of, and Process for Identifying and Approving
Alternative Measures for Use by Qualified Entities
We also recognize that a qualified entity may wish to measure
performance in an area for which there are no standard measures. We
note that there are several areas of performance measurement with very
few available measures that meet the definition of a standard measure
as proposed above. We hope to encourage innovation in the development
of new claims-based measures to evaluate the performance of providers
of services and suppliers through the use of alternative measures.
While the statute does not require the Secretary to allow the use of
alternative measures, we believe that allowing qualified entities to
propose the use of alternative measures encourages the development of
additional claims-based performance measures.
For qualified entities wishing to use alternative measures, we
propose to adopt an alternative measure selection process through
future notice and comment rulemaking that would subject proposed
alternative measures to public comment after qualified entities propose
candidate alternative measures for the Secretary's consideration. At
Sec. 401.708(b)(1), we propose to define ``alternative measure'' as a
measure that is not a standard measure, but that can be calculated
using only standardized extracts of Medicare parts A, B, and D claims,
and that has been found by the Secretary to be more valid, reliable,
responsive to consumer preferences, cost effective, or relevant to
dimensions of quality and resource use not addressed by standard
measures.
As discussed above, section 1874(e)(4)(B)(ii)(II) of the Act
permits the use of alternative measures if the proposed alternative
measure is more valid, reliable, responsive to consumer preferences,
cost-effective, or relevant to dimensions of quality and resource use
than existing claims-based standard measures. If there is a claims-
based standard measure for the clinical area or topic(s) that the
qualified entity chooses to measure, we propose that the qualified
entity must use the standard measure in lieu of any alternative
measures, unless the qualified entity can provide detailed scientific
justification for asserting that the proposed alternative measure in
that clinical area or topic is more valid, reliable, responsive to
consumer preferences, cost-effective, or relevant to dimensions of
quality and resource use than the existing claims-based standard
measure, and such assertions are accepted through the notice and
comment rulemaking process outlined below.
Similarly, in the case where a standard measure was not previously
available for a particular clinical area or condition, but such a
measure subsequently becomes available, we propose that qualified
entities must cease use of the alternative measure and switch to the
standard measure within 6 months (for example, if a standard measure
becomes available in February 2013, either through being endorsed by
the entity with a contract under section 1890(a) of the Act, developed
pursuant to section 931 of the Public Health Service Act, or adopted
through notice and comment rulemaking to be used in a CMS program that
includes performance measurement, qualified entities would have to
begin using the standard measure instead of the alternative measure in
any reports by August 2013). If the qualified entity wishes to continue
to use the alternative measure, then it must provide the scientific
justification outlined above to obtain approval for the use of
alternative measures when a standard measure for the clinical area or
condition(s) that the qualified entity chooses to measure is available.
In order to provide us with the information necessary to determine
whether an alternative measure is more valid, reliable, responsive to
consumer preferences, cost-effective, or relevant to dimensions of
quality and resource use not addressed by the standard measures as
required by section 1874(e)(4)(B)(ii)(II) of the Act, we propose that
the qualified entity would need to submit to the Secretary the
following information about a proposed alternative measure:
The name of the alternative measure that the qualified
entity is requesting the Secretary to consider as an alternative
measure.
The name of the alternative measure's developer or owner.
Detailed specifications for the alternative measure.
Information demonstrating how the alternative measure is
more valid, reliable, responsive to consumer preferences, cost-
effective, or relevant to dimensions of quality and resource use not
addressed by standard measures.
We solicit comments on our proposals regarding alternative
measures, and we welcome comments on whether any additional information
regarding proposed alternative measures should be required in order to
request the Secretary's consideration of a candidate alternative
measure.
Section 1874(e)(4)(B)(ii)(II) of the Act further requires the
Secretary to review the candidate alternative measures in consultation
with appropriate stakeholders in order to determine if an alternative
measure would be more valid, reliable, responsive to consumer
preferences, cost-effective or relevant to dimensions of quality and
resource use not addressed by standard measures. In order to obtain
consultation with appropriate stakeholders, we propose that once all
qualified entities have submitted the above information regarding a
proposed alternative measures, we would use the notice and comment
rulemaking process to obtain public comment on approving the measures
as alternative measures. We solicit comment on our proposal to engage
in consultation with appropriate stakeholders through notice and
comment rulemaking and we also welcome comments on alternative
processes to consider for meeting the stakeholder consultation
requirement.
The statute requires the Secretary to make the final determination
regarding whether an alternative measure is more valid, reliable,
responsive to consumer
[[Page 33571]]
preferences, cost-effective, or relevant to dimensions of quality and
resource use not addressed by standard measures. The Secretary would
consider the information received from the qualified entity and other
stakeholders during the notice and comment rulemaking process in order
to determine whether a proposed alternative measure meets the statutory
criteria for approval as an alternative measure. Once an alternative
measure has been approved by the Secretary, the alternative measure
would be available for use by all qualified entities, not just the
submitting entity.
Any measure that is not approved as an alternative measure may not
be used to evaluate the performance of providers of services and
suppliers using data from the qualified entity program. In the event
additional information is available for an alternative measure that was
previously denied approval, the alternative measure may be resubmitted
to the Secretary for consideration.
Because our proposals for the approval process of alternative
measures would require notice and comment rulemaking, it would be
logistically challenging for alternative measures to be approved in
time to enable measure calculation and reporting of alternative
measures in the first year of the program. While qualified entities
would be able to submit alternative measures for consideration during
the first year of the program, the approval process would likely not
conclude in time to use the alternative measure in the first year of
the program.
Depending on the volume and timing of alternative measure
submissions, we anticipate conducting the notice and comment rulemaking
process on an annual basis. We are proposing to establish an annual
deadline of May 31 for the submission of proposed alternative quality
measures in order to allow for the measures to go through notice and
comment rulemaking prior to the start of the next calendar year. The
notice and comment rulemaking period generally takes 6 months from the
publication of a proposed rule to the effective date of a final rule,
so the alternative measures submitted by May 31 would be ready for use
in the following calendar year, i.e., a measure submitted by May 31,
2012 would be available for calendar year 2013. If no proposed
alternative measures are received by the annual deadline, we would not
publish a rule. Proposed alternative measures submitted after the
annual deadline would be considered for rulemaking during the following
calendar year.
We believe this proposed approach is adequate because:
We have proposed an expansive definition of what
constitutes a standard measure (including non-NQF endorsed measures
which can be calculated from standardized extracts of Medicare parts A,
B, and D claims if they were adopted through notice and comment
rulemaking and are currently being used in CMS programs that include
quality measurement), and this would greatly increase the number of
standard measures available for use by qualified entities.
It is appropriate for qualified entities to focus on well
established measures that are either NQF-endorsed or used in CMS
programs in their first year of operation as qualified entities.
We solicit comment on our proposals regarding the approval process
for alternative measures.
As with standard measures, when using an alternative measure
approved by the Secretary, we propose to require that the qualified
entity follow the measure specifications as written, including all
numerator and denominator inclusions and exclusions, measured time
periods, and specified data sources. We recognize that some measure
specifications may require additional customization to implement the
measure in specific contexts, but such customization should not change
the defined numerator, denominator, and exclusion criteria for the
measure. We invite comments on the proposed requirement for qualified
entities to follow the measure specifications as written.
3. Selection and Justification of Measures by Qualified Entities
We propose, at Sec. 401.704(a), to require that qualified entities
provide a description of each standard or alternative measure they plan
to use to calculate the performance of providers of services and
suppliers as part of their application. This description should include
the name of the measure, the name of the measure developer/owner, and
the measure specifications including the numerator and the denominator.
In addition, we propose to require an explanation of the applicant's
rationale for selecting the measure, which would include a description
of the relationship of any proposed measure (standard or alternative)
to existing measurement efforts, and the relevancy of each proposed
measure to the population(s) in the geographic area(s) the applicant is
proposing to serve. The rationale would also include a specific
description of the geographic area(s) the applicant intends to serve
and a specific description of how each measure evaluates providers of
services and suppliers on quality, efficiency, effectiveness, and/or
resource use. Finally, we propose to require an applicant to provide a
description of the methodologies it intends to use in creating reports
with respect to attribution of beneficiaries to providers of services
and suppliers, benchmarking performance data, and severity and case-mix
adjustments.
We propose at Sec. 401.706(a)(1) to allow a qualified entity to
calculate and report measures that were not included in its initial
application if the qualified entity submits the information described
above about the additional measure(s) to CMS no less than ninety (90)
days prior to the anticipated date for the confidential distribution of
reports using those measures to providers of services and suppliers. We
would review this information and approve or disapprove the use of the
measure. We propose barring qualified entities from using a measure
that has not been approved by CMS, even if CMS' review takes longer
than ninety days.
4. Methodologies Used in Performance Reports
Section 1874(e)(4)(B)(I) of the Act requires qualified entities to
submit a description of the methodologies that they would use to
evaluate the performance of providers services and suppliers. In
keeping with this requirement, we have proposed Sec. 401.704(a)(5),
which requires an applicant to submit a description of methodologies it
intends to use in creating reports. We believe, however, that a review
of methodologies is inadequate in the absence of a review of the
abilities of the qualified entity to appropriately apply those
methodologies. Therefore, we propose at Sec. 401.703(a)(1) that in
order to be eligible to serve as a qualified entity, applicants must
demonstrate expertise and sustained experience in several areas
necessary for performance measurement.
5. Reports and Reporting
Section 1874(e)(4)(C)(ii) of the Act requires qualified entities to
make their draft reports available in a confidential manner to
providers of services and suppliers identified in the reports before
such reports are released publicly in order to offer them an
opportunity to review these reports, and, if appropriate, appeal to
request correction of any errors. We propose to require the qualified
entities to include a plan for establishing and maintaining these
appeal and correction processes in their
[[Page 33572]]
application materials, as we have stated in proposed Sec. 401.704(b).
The plan must clearly describe how the qualified entity would make
providers of services and suppliers aware of the process and establish
procedures, including timeframes, for how providers of services and
suppliers can request data from the qualified entity and request error
corrections in the reports before the reports are made public.
After reports have been shared confidentially with providers of
services and suppliers, and any errors have been corrected, Section
1874(e)(4)(C)(iv) of the Act requires the reports to be made available
to the public. As discussed further below in Section II.E., in cases
where provider requests for error correction cannot be resolved prior
to a date specified by the qualified entity (at least 30 business days
after the report was originally shared with providers of services and
suppliers), the reports would be released publically with information
that a provider of services or supplier error correction is ongoing. As
stated in the statute at Section 1874(e)(4)(C)(iii) of the Act, the
reports must include ``an understandable description'' of the measures,
rationale for use, methodology (including risk-adjustment and physician
attribution), data specifications and limitations, and sponsors. We
interpret ``an understandable description'' to mean any descriptions
that can be easily read and understood by a lay person. Additionally,
the reports to the public may only include data on providers of
services or suppliers at the provider of services or supplier level
with no claim or person-level information to ensure beneficiary
privacy.
Pursuant to Section 1874(e)(4)(B)(vi) of the Act, we propose
requiring qualified entities to submit prototype reports for both the
reports they would send to providers of services and suppliers, and the
reports they would release to the public (if they are different) in
their application, including the narrative language they plan to use in
the reports to describe the data and results. The prototype report
should also contain an easily comprehensible description of the
proposed measures, the rationale for the use of those measures, a
description of the methodologies to be used, and a description of the
data specifications and limitations.
We have given extensive consideration to when in the process
qualified entities should submit these prototype reports to CMS. One
option would be for qualified entities to submit prototype reports with
their applications to become qualified entities. As outlined above, one
of the eligibility criteria for qualified entities is demonstrated
expertise and experience in designing, disseminating, and continuously
improving performance reports to providers of services and suppliers.
Given this criteria, it seems reasonable to assume that qualified
entities would be in a position to provide CMS with prototype reports
at the time of their applications.
A countervailing argument would be that qualified entities may need
some time working with Medicare data and claims data from other sources
before they would be in a position to identify an appropriate format
for the required performance reports. This scenario would support
requiring the submission of the prototype report sometime after an
organization has been approved as a qualified entity, but at a time
prior to the confidential release to providers of services and
suppliers. Under this scenario, the qualified entity would receive
Medicare data without having to demonstrate that they had considered
how they could use that data to produce measure results.
While we believe that qualified entities may identify changes that
would be necessary as they work with the data, we believe that it is
appropriate to expect that they have sufficiently considered these
reporting obligations as they consider their desires to apply for
qualified entity status, and that such considerations would include at
least an initial concept of what they could provide in the reports.
Therefore, despite the concern that qualified entities would need some
time with the data to identify the appropriate format for reports, we
believe that qualified entities should have the expertise and skills to
be able to submit prototype reports at the time of their applications
to become qualified entities.
In recognition of the advances that could be made to these
prototypes as the qualified entities work, we propose, at Sec.
401.706(a)(2), providing for a process whereby they can modify the
initial prototypes as long as these modifications are submitted to, and
approved by, CMS. We propose requiring these submissions no less than
90 days prior to the confidential release of report to providers of
services and suppliers. We would review the modified prototype report
and make a determination regarding the use of the new report. This
determination would be based on the extent to which the proposed
changes make the description of the measures used in the report more
understandable. We propose barring qualified entities from using a
report that has not been approved by CMS, even if CMS' review takes
longer than 90 days.
In addition, we propose to require the submission of plans for
making the reports available to the public at the time of application.
To the extent that the report formats or delivery mechanisms differ
from those proposed at the time of application, we propose to also
require an explanation and justification of those differences no less
than 90 days prior to the release of differing report formats or
delivery mechanisms.
Finally, at Sec. 401.705(d) we propose requiring qualified
entities to produce reports on the performance of providers of services
and suppliers at a minimum of at least once a year. If CMS provides
qualified entities with yearly updates to the data, as discussed below,
we believe qualified entities should be expected to use the updates to
produce performance reports. We seek comments on these proposals.
C. Data Extraction and Dissemination
Section 1874(e)(3) of the Act requires the Secretary to provide
qualified entities with standardized extracts of claims data from
Medicare parts A, B, and D for one or more specified geographic areas
and time periods. These data extracts would include information from
all seven claim types that are submitted for payment in the Medicare
Fee-For-Service Program. Information extracted from institutional
claims includes inpatient hospital, outpatient hospital, skilled
nursing facility, home health, and hospice services. Information
extracted from non-institutional claims includes physician/supplier and
durable medical equipment claims. These files contain only final action
claims, meaning non-rejected claims for which a payment has been made.
All disputes and adjustments have been resolved and details clarified.
Medicare institutional and non-institutional claims include, but
are not limited to, the following data elements: beneficiary ID, claim
ID, the start and end dates of service, the provider or supplier ID,
the principal procedure and diagnosis codes, the attending physician,
other physicians, and the claim payment type.
Qualified entities would also be eligible to receive certain Part D
claims information for beneficiaries enrolled in the Medicare Fee-For-
Service Program. This type of information is known as ``drug event''
information, as opposed to ``claims'' information, because prescription
drug coverage under Part D is provided by private insurance plans.
[[Page 33573]]
These plans have varied pricing methods, and often pay capitated rates.
We note that the use of the term ``drug event'' does not mean this
database includes information about adverse reactions to drugs. The key
data elements for this database include: beneficiary ID, prescriber ID,
drug service date, drug product service ID, quantity dispensed, days'
supply, gross drug cost brand name, generic name, drug strength, and
indication if the drug is on the formulary of the Part D plan.
All claims files would contain a unique encrypted beneficiary
identification number that would allow a qualified entity to link
claims for an individual beneficiary. These files would not contain the
actual beneficiary Medicare Health Insurance Claim Number.
A comprehensive record layout for all three of these databases is
offered at http://www.ccwdata.org/variables/var_claim_files.php for
institutional claims, http://www.ccwdata.org/variables/var_claim_files2.php for non-intuitional claims, and http://www.ccwdata.org/variables/var_ptd_event.php for Part D drug events.
The institutional claims database includes the following files:
Inpatient claim file: The Inpatient claim file contains final
action claims data submitted by inpatient hospital providers for
reimbursement of facility costs. Some of the information contained in
this file includes diagnosis, (ICD-9 diagnosis), procedure (ICD-9
procedure code), Medicare Severity--Diagnosis Related Group (MS-DRG),
dates of service, reimbursement amount, and hospital provider
information. Each observation in this file is at the claim level.
Skilled Nursing Facility claim file: The Skilled Nursing Facility
(SNF) claim file contains final action claims data submitted by SNF
providers. Some of the information contained in this file includes
diagnosis and procedure (ICD-9 diagnosis and ICD-9 procedure code),
dates of service, reimbursement amount, and SNF provider number. Each
observation in this file is at the claim level.
Outpatient claim file: The Outpatient claim file contains final
action claims data submitted by institutional outpatient providers.
Examples of institutional outpatient providers include hospital
outpatient departments, rural health clinics, renal dialysis
facilities, outpatient rehabilitation facilities, comprehensive
outpatient rehabilitation facilities, and community mental health
centers. Some of the information contained in this file includes
diagnosis and procedure (ICD-9 diagnosis, Healthcare Common Procedure
Coding System (HCPCS) codes), dates of service, reimbursement amount,
outpatient provider number, and revenue center codes. Each observation
in this file is at the claim level.
Home Health Agency claim file: The Home Health Agency (HHA) claim
file contains final action claims data submitted by HHA providers. Some
of the information contained in this file includes the number of
visits, type of visit (skilled-nursing care, home health aides,
physical therapy, speech therapy, occupational therapy, and medical
social services), diagnosis (ICD-9 diagnosis), dates of visits,
reimbursement amount, and HHA provider number. Each observation in this
file is at the claim level.
Hospice claim file: The Hospice claim file contains final action
claims data submitted by Hospice providers. Some of the information
contained in this file includes the level of hospice care received (for
example, routine home care, inpatient respite care), terminal diagnosis
(ICD-9 diagnosis), dates of service, reimbursement amount, and Hospice
provider number. Each observation in this file is at the claim level.
The non-institutional claims database includes the following files:
Carrier claim file: The Carrier claim file contains final action
claims data submitted by non-institutional providers. Examples of non-
institutional providers include physicians, physician assistants,
clinical social workers, nurse practitioners, independent clinical
laboratories, ambulance providers, and free-standing ambulatory
surgical centers. Some of the information contained in this file
includes diagnosis and procedure (ICD-9 diagnosis, Healthcare Common
Procedure Coding System (HCPCS) codes), dates of service, reimbursement
amount, and non-institutional provider numbers (for example, UPIN, PIN,
NPI). Each observation in this file is at the claim level.
Durable Medical Equipment claim file: The Durable Medical Equipment
(DME) claim file contains final action claims data submitted by Durable
Medical Equipment suppliers. Some of the information contained in this
file includes diagnosis, (ICD-9 diagnosis), services provided
(Healthcare Common Procedure Coding System (HCPCS) codes), dates of
service, reimbursement amount, and DME provider number. Each
observation in this file is at the claim level.
The Part D database includes the following file:
Drug Event Database: The drug event database includes the
following: encrypted beneficiary identifier, date of service, drug
product dispensed, drug quantity, number of days supply of product,
drug costs, beneficiary and other payer cost-sharing, formulary tier
and utilization management, Part D benefit phase, encrypted pharmacy
identifier, encrypted prescriber identifier, and encrypted plan
identifier.
We plan to provide identical standard data extracts to all
qualified entities, that is, all extracts would include the same data
elements and the same record layout. CMS does not plan to provide any
customized data files to qualified entities under section 1874(e) of
the Act. It would be the responsibility of the qualified entities to
create customized analytical files and databases to support their
calculation of performance measures for providers of services and
suppliers.
We seek comment on whether qualified entities would require any
technical assistance to aid in understanding and working with Medicare
data, what type of technical assistance would be beneficial, and
whether we should include technical assistance in the fee charged for
the data (see Section II.C.3. below). We plan to encourage the
development of a voluntary knowledge sharing mechanism for qualified
entities to communicate with each other regarding best practices for
calculating measures, designing reports, and other important elements
of this program. We seek comments on whether technical assistance is
needed and how such a voluntary knowledge sharing mechanism would best
be designed and operated.
1. Number of Years of Data
Section 1874(e)(3) of the Act requires the Secretary to provide
standardized extracts to qualified entities containing data from
specific time periods. CMS is proposing to provide qualified entities
with the most recent three years of Medicare data available at the time
the qualified entity is approved for participation in the program. For
example, if a qualified entity applies and is approved for
participation in 2012, data for calendar years 2008, 2009, and 2010
would be provided since they would be the most recent final action
claims data available. Thereafter, CMS proposes to provide qualified
entities with the most recent additional year of data on a yearly
basis.
[[Page 33574]]
2. Geographic Areas
Section 1874(e)(3) of the Act requires the Secretary to provide
standardized extracts to qualified entities containing data for
specific geographic areas. CMS is proposing that qualified entities
receive standardized data extracts for a single geographic area or
multiple regions. We propose to limit the provision of Medicare data to
the geographic spread of the qualified entity's other claims data. For
example, if a qualified entity has a sufficient amount of claims data
from other sources (as determined by CMS during the application
process) for people in Maryland, CMS would provide Medicare data for
the state of Maryland.
During the September 20, 2010 public listening session for section
10332 of the Affordable Care Act, CMS received suggestions to release
nationwide Medicare claims if the data are necessary for qualified
entities to evaluate the performance of the providers of services and
suppliers at a national level. In this proposed rule, we are requesting
comments as to whether CMS should provide an option for the release of
nationwide Medicare data. We specifically welcome comments regarding
how the qualified entities would obtain a sufficient amount of non-
Medicare nationwide claims data to include in the evaluation of
providers of services and suppliers and how the qualified entities
would implement and manage a nationwide provider of services and
suppliers confidential review and appeal process.
3. Cost To Obtain the Data
Section 1874(e)(4)(A) of the Act requires qualified entities to pay
a fee for obtaining the data that is equal to the cost of making such
data available. We interpret the cost of making the data available
broadly, to include the cost of providing the technical assistance
(described above), the cost of processing qualified entities'
applications, and the costs of monitoring qualified entities to ensure
appropriate use of the data and appropriate adherence to data privacy
and security standards. This monitoring may include, but is not limited
to, periodic requests for documentation relating to privacy and
security policies and procedures. The data fees would vary in
accordance with the amount of data requested by the qualified entities.
CMS would provide each prospective qualified entity with the actual
cost of obtaining the data they request, and post on the CMS Web site
examples of data requests and what each costs. However, based on our
past experience providing Medicare data to research entities, we
estimate that the approximate costs to provide three years of data for
2.5 million beneficiaries to a qualified entity would be $200,000.
Approximately $75,000 of the $200,000 is the cost of the claims data,
while $125,000 is the cost of making the data available including the
cost of processing applications and data requests, providing technical
assistance, and monitoring. Therefore, to provide a qualified entity
with three years of data for 5.0 million beneficiaries, the approximate
costs would be $275,000 ($150,000 for the data and $125,000 for the
program costs).
Qualified entities would be expected to pay the fee annually.
However, after the first year, costs would be lower since qualified
entities would only be receiving one year of Medicare claims data. We
solicit comment on the prospective fee amount and the ability of
prospective applicants to pay it.
We note that the creation and dissemination of nationwide extracts
of Medicare data (mentioned above) would significantly increase the
cost to any qualified entity seeking such nationwide data of obtaining
and processing Medicare data. As stated above, we seek comment on the
likelihood of a qualified entity having sufficient other claims data to
meet the requirements to receive a nationwide extract of Medicare data.
D. Data Security and Privacy
This provision creates a new program that provides for the release
of Medicare beneficiary level data to private entities that are not
enrolled in Medicare. We recognize that many approved qualified
entities would be organizations with many years of experience in using
claims data to produce performance reports on providers of services and
suppliers, and, as such, may have existing agreements with private
health plans who provide them data regarding the data security and
privacy standards they must observe. While CMS is committed to ensuring
the success of qualified entities in combining Medicare data with
claims data from other sources to create comprehensive performance
reports for providers of services and suppliers, CMS is also committed
to ensuring that the beneficiary level data provided to qualified
entities is subject to stringent security and privacy standards
throughout all phases of the performance measure calculation,
confidential reporting, appeal, and public reporting processes.
In addition to the statutory requirements contained in section
1874(e)(4) of the Act, qualified entities must meet any requirements
that are adopted by the Secretary under section 1874(e)(2)(B) of the
Act, which provides for the adoption of ``such other requirements as
the Secretary may specify.'' In accordance with the explicit language
of the statute, such ``other requirements'' may include security
requirements for the data. Furthermore, section 1874(e)(3) of the Act
requires the Secretary to take such actions as deemed necessary to
protect the identity of individuals entitled to or enrolled in Medicare
Parts A, B or D. As such, the Secretary is authorized to impose privacy
and security requirements on qualified entities as a condition of
participating in this program.
We have considered whether qualified entities would require
beneficiary identifiable data to calculate measures. As defined at
Sec. 401.702(f) we interpret beneficiary identifiable data to mean
data that permits a qualified entity to determine the name, or name and
other direct identifying factors (for example, race, sex, age, address)
of an individual beneficiary. If one approaches this issue purely from
the point of view of the ability of qualified entities to engage in
measure calculation and reporting, beneficiary identifiable data is not
required. Qualified entities would be able to engage in measure
calculation and reporting with files containing an encrypted
beneficiary identifier. For this reason, we propose to include in any
data files provided to qualified entities an encrypted beneficiary
identifier that would permit linking of claims for the same beneficiary
across multiple files and multiple years without identifying individual
beneficiaries.
While we realize that the statute permits providers of services and
suppliers to request of qualified entities the Medicare claims data
underlying their measure results, we anticipate that it would be
difficult for providers of services and suppliers to identify errors in
measurement in the absence of patient names. For example, a report from
a qualified entity might indicate to a provider that only 50 percent of
their assigned diabetic patients received recommended Hba1c tests in a
given year. In the absence of patient names, we believe that it would
be difficult for the provider to tell whether there were errors in how
the measure result was calculated. Specifically, a provider may feel
that there is an error in the underlying claims data that has
inappropriately lowered their measure result. This could happen for a
number of reasons. The provider may have conducted a Hba1c test but for
some reason may not have submitted that
[[Page 33575]]
claim for payment, or may have submitted the claim for payment and it
does not appear in the claims data provided to qualified entities due
to an error. Additionally, a claims-based quality measure may not have
fully captured the exclusion criteria that apply to many quality
measures. For example, a qualified entity may, using available claims
data, conclude that a provider has not provided a mammogram to an
eligible patient. However, the patient may have undergone mastectomy
surgery in previous years and therefore no longer be eligible for
inclusion in the denominator for the breast cancer screening measure.
For these reasons we believe that if a provider has a list of
patient names associated with a measure result, it gives them the
ability to cross reference the patient name against medical records in
an effort to assess if there is missing clinical information that could
be shared with the qualified entity in order to improve the accuracy of
their results.
As a result, we believe that on balance, it may be appropriate to
provide qualified entities with the beneficiary names if it is
requested as described below, in order to enable adequate review
opportunities for providers of services and suppliers and to promote
increased provider acceptance of, and trust in claims-based quality
measures.
While we believe that these contemplated disclosures are important
to the success of the program, we also recognize the importance of
protecting beneficiary data. In 2008, we published a regulation to
permit Part D drug event data to be used for program monitoring,
research, public health, care coordination, quality improvement,
population of personal health records, and other purposes. See 73 FR
30664. As discussed in the regulation, we sought to balance access to
the data with protections for beneficiary privacy and commercially-
sensitive plan data to safeguard public health and permit broader
public knowledge about the operations of the Part D program. Under the
qualified entity program, release of Part D data is needed for provider
performance evaluation, and provider performance evaluation is
necessary for care coordination and quality improvement. We intend to
ensure that Part D data released by CMS under this program complies
with the requirements in the Part D data regulation, and that qualified
entities take the necessary steps to ensure that any prescription drug
data released to providers of services and suppliers as part of the
review, appeal, and error corrections process is also safeguarded to
ensure privacy and security of beneficiary information.
Additionally, as discussed further in II.D.2. below, we believe
that the Health Insurance Portability and Accountability Act (HIPAA)
Privacy and Security rules would also provide a degree of protection
for this information, especially when it is in the hands of providers
of services and suppliers. CMS is committed to protecting the privacy
and security of beneficiary identifiable data provided to qualified
entities whether they are subject to HIPAA or not. Such data are
carefully protected by a number of laws and policies, including HIPAA,
when it is in the hands of CMS or one of its contractors. While
qualified entities would not legally be a contractor of CMS and
therefore would not be subject to these laws and policies, we believe
that these protections should not cease merely because CMS is making
these data available to another entity for other purposes that are
perceived to have a public benefit.
As described below, we propose to require qualified entities to
apply privacy and security protections similar to those we require when
we make beneficiary claims data available to external organizations for
research purposes. To ensure that qualified entities apply appropriate
privacy and security protections, we are proposing that approved
qualified entities be required to execute a Data Use Agreement (DUA),
described below, before receipt of any CMS data (the DUA is available
at http://www.cms.gov/cmsforms/downloads/cms-r-0235.pdf). We note that
this DUA contains significant penalties for inappropriate disclosures
of the data, including both civil monetary penalties and criminal
penalties. We seek comment on our proposal to apply privacy and
security protections to qualified entities that are similar to those we
require when we make beneficiary claims data available to external
organizations for research purposes.
As described above, we do not propose to send the data in a fully
identifiable format when we send it to the qualified entity. All of the
Medicare claims data provided to qualified entities would be furnished
in a data set that contains a unique encrypted beneficiary
identification number which would enable the qualified entities to link
all claims for an individual beneficiary without knowing the identity
(that is, name and other identifying characteristics) of the
beneficiary.
We are considering three potential options for sharing beneficiary
names with qualified entities, and by extension, providers of services
and suppliers. Under the first option, qualified entities would be
provided with a crosswalk file linking all encrypted beneficiary
identifiers to the patients' names for their Medicare data. We realize
that this makes a large amount of data identifiable by the qualified
entity. However, qualified entities would be permitted to give to a
provider of services or supplier only the names of those beneficiaries
included in that requester's performance report. Further, the qualified
entity would only be permitted to provide the claims relevant to the
particular measure or measure result that the provider of services or
supplier is appealing, as is discussed in more detail below at section
II.D.2.
Under the second option, CMS would only provide beneficiary names
to qualified entities on a transactional basis for the purposes of
responding to specific requests for data by providers of services and
suppliers. Each request for beneficiary names would be addressed on a
case-by-case basis through the forwarding of each data request by the
qualified entity to CMS. The qualified entity would receive beneficiary
names only for those claims that were included in the requester's
report and would be expected to destroy the identifiable data after
responding to the providers' request for this data. We believe that
this approach better safeguards any potential threats to beneficiary
privacy.
Under the third option, a provider of services or supplier who
wishes to receive beneficiary names would request the encrypted claims
data from the qualified entity as permitted under the statute. The
provider of services or supplier would then submit a request to CMS for
the beneficiary names for those specific claims.
We believe that all three approaches have pros and cons. The first
option is the least resource intensive from the perspective of both CMS
and qualified entities. However, this option creates legitimate privacy
concerns because it results in more data becoming identifiable to the
qualified entity than is necessary to respond to the requests of
specific providers of services or suppliers request for beneficiary
names. The second option would be potentially more resource intensive
for both CMS and qualified entities, but we believe it addresses many
of the concerns posed by the first option because it would result in
beneficiary names being made available only on an as-needed basis. The
third option would also be
[[Page 33576]]
potentially more resource intensive for CMS and more resource intensive
for providers of services and suppliers because providers of services
and suppliers would have to engage in a two-step process involving both
a qualified entity and CMS to obtain the requested data. We believe
this may disrupt the relationship between the qualified entity and the
provider of services or supplier, which is important for error
correction and confidence in measure results.
Having considered these things, we propose the second option
because we believe it represents the best compromise between adequately
safeguarding beneficiary privacy and fostering strong and productive
relationships between qualified entities and providers of services and
suppliers. If a qualified entity receives a request for data from a
provider of services or supplier, we propose that the qualified entity
would be required to submit a request to CMS in writing with a signed
provider of services or supplier request appended as an attachment.
However, we seek comment on all three options, as well as suggestions
for other approaches not proposed here.
1. Privacy and Security Requirements for Qualified Entities
We are proposing to require that qualified entities have in place
security protections for all data released by CMS, and any derivative
files, including any Medicare claims data and any beneficiary
identifiable data. As part of their applications, qualified entities
would have to explain how they would ensure that only the minimum
necessary beneficiary identifiable data would be disclosed to the
provider of services or supplier in the event of a request by a
provider of services or supplier, and how data would be securely
transmitted to the provider.
In fulfilling these requirements, we are proposing at Sec.
401.703(a)(1)(viii), that in order to be eligible to apply to receive
Medicare data as a qualified entity, the applicant must demonstrate its
capabilities to establish, maintain, and monitor a rigorous data
privacy and security program, including ensuring compliance with plans
related to the privacy and security of data. Additionally, Sec.
401.703(a)(3) requires the applicant to submit to CMS a description of
its rigorous data privacy and security policies including enforcement
mechanisms.
As noted above, we intend to provide a DUA to potential qualified
entities at the time of their application. This DUA would be CMS'
current standard data use agreement for research disclosures (available
at http://www.cms.gov/cmsforms/downloads/cms-r-0235.pdf), but would be
customized for the purposes of the qualified entity program through
addenda to paragraph 12, which allows CMS to add attachments to the DUA
to address the specific needs of the data recipient. We seek comment on
the current DUA and any modifications that might be necessary for the
purposes of providing data to qualified entities.
Specifically, the current DUA requires a level and scope of
security that is not less than the level and scope of security
requirements established by the Office of Management and Budget (OMB)
in OMB Circular No. A-130, Appendix III--Security of Federal Automated
Information Systems (http://www.whitehouse.gov/omb/circulars/a130/a130.html) as well as Federal Information Processing Standard 200
entitled ``Minimum Security Requirements for Federal Information
Systems'' (http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf); and Special Publication 800-53 ``Recommended Security
Controls for Federal Information Systems'' (http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf).
We propose prohibiting the use of unsecured telecommunications to
transmit beneficiary identifiable data or deducible information derived
from any CMS data file(s).
Further, we propose to require qualified entities to disclose as
part of their data privacy and security policies the circumstances
under which data provided by CMS would be stored and/or transmitted.
We propose to require compliance with the listed OMB and NIST
requirements in all of the qualified entities' activities with CMS data
received through the qualified entity program, including but not
limited to the receipt, storage, and possession of these data for
purposes of calculating and reporting performance measures, beginning
with the qualified entities' receipt of encrypted file(s) from CMS.
We propose to require qualified entities to ensure that they bind
any contractors or subcontractors that are working on behalf of the
qualified entities to these same limitations and requirements. We
propose that, if approved, qualified entities would have to attest that
they have extended and applied CMS' security requirements to their
contractors before receiving CMS data. We solicit comments on our
proposals.
In order to meet the requirements in Sec. 401.707 to establish,
maintain, and monitor a security and privacy program, and to assure
data are kept private and secure, we propose to require qualified
entities to maintain their privacy and security programs throughout the
duration of their participation as qualified entities, and through
their winding down of business as a qualified entity, including the
return or destruction of CMS data and any and all derivative files.
Failure to comply with these requirements would result in a qualified
entity being disqualified from further participation in the program. We
propose to require the return or destruction of all CMS data files and
derivative files in the possession of the qualified entity or its
contractors and subcontractors within 30 days of any disqualification
from the program or voluntary withdrawal from the program.
Finally, we are seeking public comment on the appropriateness of
accepting some form of independent accreditation or certification of
compliance with data privacy and security requirements from qualified
entities, and what that accreditation or certification might entail.
The accreditation or certification would need to be at a level and
scope of security that is not less than the level and scope of security
requirements described above.
2. Privacy and Security of Data Released to Providers of Services and
Suppliers
We have also considered how to ensure the security and privacy of
the beneficiary identifiable data after it has been placed in the hands
of a provider of services or supplier during the report review and
error correction process. We believe that the HIPAA Privacy and
Security rules would apply to a majority of providers of services and
suppliers who would receive beneficiary identifiable data from
qualified entities. We base this belief on CMS' claims processing
experience. Due to the statutory requirement that Medicare claims be
filed electronically, the electronic claim filing rates are very high.
However, there are exceptions to electronic filing. For example,
certain small providers are exempt. For institutional claim billers
(for example, hospitals, SNFs, HHAs) the rate of providers filing
electronically is approximately 99.9 percent, and for non-institutional
claims (for example, physicians, other practitioners, labs, ambulance)
the rate is 98.2 percent.
By law, providers that transmit any beneficiary identifiable health
information in the context of an electronic transaction for which there
is a HIPAA standard transaction are HIPAA covered entities that are
subject
[[Page 33577]]
to the HIPAA Security and Privacy rules. Providers of services and
suppliers that are already subject to the HIPAA Privacy and Security
rules are required to have policies and procedures in place to protect
the privacy and security of beneficiary identifiable data. We believe
that the HIPAA Privacy and Security rules provide an appropriate level
of protection of beneficiary identifiable data received by a provider
of services or supplier from a qualified entity as the result of an
appeal process or error correction request.
However, qualified entities may generate performance reports for
providers of services and suppliers not subject to HIPAA. For those few
providers that are not subject to HIPAA because they do not transmit
beneficiary identifiable health information in the context of an
electronic transaction for which there is a HIPAA standard transaction,
we propose to require that qualified entities include a plan in their
application materials for assuring protection of the data that is
released as a part of the measure report review process, such as
requiring a signed privacy and security agreement between the qualified
entity and the provider of services or supplier that includes the same
privacy and security protections as the qualified entity is subject to
under the DUA it enters into with CMS. We believe that the few
providers this affects would be willing to enter into such agreements,
and that this would ensure that beneficiary level data that is given to
a provider of services or supplier through an appeals process would
remain secure and protected, and only used for purposes related to the
appeal. We seek comments on these proposals.
Section 1874(e)(4)(B)(v) of the Act requires qualified entities to
make the Medicare claims data they receive available to providers of
services and suppliers. We believe that for many providers of services
and suppliers, the beneficiary name may be of more practical use in
determining the accuracy of the measures results than the underlying
claims used to calculate the measures. However, the statute does
explicitly acknowledge that upon request qualified entities would need
to share with providers of services or suppliers ``data made available
under this subsection.'' We would like to make it clear that we do not
interpret this provision to mean that providers could receive all
Medicare claims data for a given patient or patients. Rather, we
interpret this to mean that in certain circumstances, qualified
entities may have to provide all the claims relevant to the particular
measure or measure results the provider of services or supplier is
appealing. Therefore, a provider requesting claims data in relation to
a diabetes quality measure would only receive the claims related to the
calculation of that quality measure. We realize this may result in
providers of services or suppliers receiving claims submitted by
another provider. For example, the provider that performs a test on a
patient may not be the provider who is ultimately determined by the
qualified entity to be responsible for the care of that patient.
Therefore, if the responsible provider requests access to the
underlying claims data informing their measure results, some of that
claims data may be from other providers. We solicit comment on any
privacy or security issues related to this situation.
We also believe that the intent of this program is not just for
qualified entities to engage in measure calculation and reporting to
providers, but for the reports generated by qualified entities to
result in meaningful quality improvement activities by providers. As a
result, we believe that it is appropriate for providers of services and
suppliers to use the claims data and beneficiary name received as part
of an appeal to engage in quality improvement activities as long as the
quality improvement work is in accordance with the HIPAA limitations
discussed herein.
3. Beneficiary Privacy and Security Concerns
Following provision of the performance reports on a confidential
basis to providers of services or suppliers, qualified entities are
required to make performance information public. We note that the
publication is only of aggregated, non-beneficiary identifiable data
that would not be able to be reidentifed (for example, a provider
conducted an annual HbA1C test for 70 percent of their diabetic
patients). We propose to require that qualified entities ensure that
all publicly available reports do not contain beneficiary identifiable
information. Additionally, we propose to prohibit qualified entities
from disclosing information in their publicly available reports that
there is a reasonable basis to believe can be used in combination with
other publicly available information to re-identify individual
patients. We expect that this reporting of aggregate non-identifiable
data should not compromise beneficiary privacy.
We also propose requiring qualified entities to have in place a
process to respond to beneficiary queries or complaints regarding the
privacy and security of their data. In addition, we propose to require
qualified entities to inform beneficiaries of a breach pursuant to the
requirements in paragraph 13 of the DUA. Finally, we propose below at
section F of the preamble that qualified entities submit information on
privacy or security breaches to CMS, to allow CMS to monitor qualified
entity actions in this area. We seek comments on these proposals.
E. Confidential Opportunities to Review, Appeal, and Correct Reports
The statute describes two requirements to ensure that providers of
services and suppliers are afforded an opportunity to provide input on
the reporting of their performance metrics. Section 1874(e)(4)(C)(ii)
of the Act requires qualified entities to make their reports available
confidentially to providers of services and suppliers identified in the
reports prior to the public release of such reports, and to offer them
the opportunity to appeal and correct errors. Additionally, section
1874(e)(4)(B)(v) of the Act requires qualified entities to release
relevant Medicare claims data that was made available to them under
section 1874 of the Act to providers of services and suppliers who
request it. We interpret this section of the Act to indicate that
qualified entities must provide relevant data made available to them
under this subsection to any provider of services or supplier
identified in the qualified entity's report who requests such data. By
relevant data, we mean the underlying claims data used to calculate the
results for any measure that a provider wishes to appeal. We assume
that the reason providers of services and suppliers would make requests
for data is so they can appeal and request the correction of errors in
their reports.
To ensure that qualified entities have a method to address these
two requirements, we propose, at Sec. 401.704(b), to require that
applicants include a plan for their process for confidential report
review, appeals, and error correction processes in their application
materials.
We are proposing that these plans would contain several elements.
First, a qualified entity would need to provide for a means of
informing providers of services and suppliers of the specific steps
that were taken in order to generate their performance reports in order
for providers of services and suppliers to be able to understand their
performance reports. We propose requiring that this plan include an
[[Page 33578]]
explanation of the measurement methodology, estimates of statistical
reliability, and information on how to interpret the results to help
providers of services and suppliers understand their performance
relative to others. To the greatest extent possible, these explanations
and information should be written using a language and formats that are
as easily understood as possible. As discussed below, the qualified
entity would also be required to have a plan for informing providers of
services or suppliers about their rights to request data, appeal the
reports, and request error correction.
Second, the qualified entity would be required to describe the
means by which providers of services and suppliers may request the
Medicare data that was used to calculate the performance measures they
wish to appeal and, if necessary, correct. The qualified entities would
be required to describe how they would ensure that the information that
is shared would be limited to those beneficiaries included in the
requestor's performance report and only contains those claims relevant
to the particular measure(s) being appealed.
Third, as discussed above in this section, we are proposing to
require that qualified entities describe their means of confidentially
sharing results with providers of services and suppliers (for example
secure Web site or e-mail) in their application. Qualified entities
would be required to use secure methods suitable for transmitting or
otherwise providing secure access to identifiable health information to
providers of services or suppliers. We seek comment on the appropriate
secure methods that should be required for sharing the information with
providers of services or suppliers, such as two factor authentication.
Fourth, we propose to require a description of the means by which
providers of services and suppliers can submit appeals for error
correction. This process must describe the timeframes for providers of
services or suppliers to submit requests for data and requests for
error correction. The timeframes must meet several parameters. We
believe these timeframes are reasonable because they balance the need
for careful review by providers of services and suppliers with one of
the main intents of the program, which is to make performance
information available to the public. Qualified entities must share
measures, measurement methodology, and measure results with providers
of services and suppliers at least 30 business days prior to making
measure results public. Additionally, qualified entities must allow
providers of services and suppliers at least 10 business days to make a
request for data, and an additional 10 business days for a provider to
request an error correction. Per the qualified entity's request, the
provider of services or supplier may be required to provide comments,
additional data, or documentation for consideration.
Fifth, the qualified entity must make clear to providers of
services and suppliers that reports would be made public after a
specified date (at a minimum 30 business days after sharing measure
results with providers of services and suppliers), regardless of the
status of any providers of services or suppliers' requests for error
correction. We propose to encourage qualified entities to dedicate
appropriate resources, including qualified staff, to resolving good
faith questions regarding performance results to both parties'
satisfaction whenever possible. If the request for a data or error
correction is still outstanding at the time of making the reports
public, we propose the qualified entity must, if feasible, post
publicly the name of the appealing provider and a description of the
appeal request. While we understand that this proposal means that some
provider of services and supplier requests for error correction might
not be resolved prior to publication of the results, we have included
this requirement to ensure that providers do not make spurious requests
for error correction to prevent the publication of measure results. We
want to ensure that providers of services and suppliers have the
opportunity to correct their results in situations where there are
errors, but also ensure that performance results are released in a
timely manner.
CMS proposes to monitor the number of provider appeals for each
qualified entity, both as a mechanism for ensuring the overall quality
of individual qualified entity reporting mechanisms and to identify any
situations where providers of services or suppliers might be appealing
on spurious grounds so that CMS can determine whether to further
investigate any such situations.
Finally, qualified entities must describe the means by which they
would notify the provider of services or supplier of the outcome of the
request for error correction and basis for the decision.
We request comments on our proposed approach to requiring potential
qualified entities to describe their processes for providers of
services and suppliers to review reports confidentially, request data,
and appeal to the qualified entity for error correction in their
applications.
Additionally, although we do not have the statutory authority to
require it, we strongly encourage qualified entities to share not only
Medicare data but also their claims data from other sources with
providers of services and suppliers, if they ask to correct an error or
appeal their results on specific measures.
F. Monitoring, Oversight, Sanctioning, and Termination
CMS is committed to ensuring the successful implementation of this
program, maximizing the appropriate use of Medicare data for the
production of performance reports, while minimizing the risk of
inappropriate disclosure of beneficiary information. Section
1874(e)(2)(B) of the Act authorizes CMS to require qualified entities
to meet any other requirements we specify, ``such as ensuring the
security of data.'' We have outlined a range of requirements in this
rule that qualified entities would be expected to meet and maintain on
an ongoing basis. In order to ensure that the highest standards are
adhered to by all qualified entities, we are proposing a monitoring
program which would assess qualified entities' compliance with the
requirements laid out in this rule and assess sanctions or termination
as deemed appropriate by CMS. We are proposing at Sec. 401.710(a)(1)
that CMS, or one of its designated contractors, would periodically
audit qualified entities use of Medicare data for the production of
performance reports on providers of services or suppliers to ensure
that the Medicare data is being used only for its intended purpose,
that is, in combination with claims data from other sources to
calculate and report either standard or alternative claims-based
measures to providers of services and suppliers. We propose that these
audits be done at the discretion of CMS.
We also propose that CMS would monitor the amount of claims data
from other sources being used in the production of performance reports
to ensure that it is equal to or greater than the amount promised by
the qualified entity in its application. This would require production
of documentation on data sources and quantities of data, and may
necessitate a site visit to the qualified entity by data experts.
Again, if CMS finds that qualified entities are not, in fact,
calculating performance reports using the amount and type of data
specified in its initial application that would also be grounds for
sanction or termination.
We recognize that in certain circumstances the amount of claims
data from other sources a qualified
[[Page 33579]]
entity has access to may decrease. For example, a qualified entity may
lose access to a data set in the second year of their participation in
the program or may discover that some of the other claims data they
possess is inaccurate and therefore unusable. In these cases, we
propose that the qualified entity must immediately inform CMS of the
reduction in the amount of other claims data it possesses and provide
documentation that the remaining other claims data is still sufficient
to address the concerns regarding sample size and reliability expressed
by stakeholders regarding the calculation of performance measures from
a single payer source. We would review this information and determine
whether the qualified entity may continue to participate in the
program. If CMS determines the amount of data is not sufficient to meet
the requirements, the qualified entity would have 60 days to acquire
new claims data and submit documentation to CMS. Under no circumstances
may a qualified entity issue a report, use a measure, or share a report
during this 60 day period. If after the 60 days, the qualified entity
does not have access to new data or if CMS decides the qualified entity
still does not possess an adequate amount of additional claims data,
CMS would terminate its relationship with the qualified entity. We
solicit comments on our proposal for regarding the CMS response to a
decrease in the amount of claims data possessed by a qualified entity.
We propose requiring qualified entities to submit an annual report
to CMS covering two topics, as described in further detail below: (1)
General program adherence and (2) engagement of providers of services
and suppliers.
1. General Program Adherence: To monitor general program adherence,
we propose that qualified entities would submit an annual report
containing the number of Medicare and other claims combined, the
percent of the overall market share the number of claims represents in
the qualified entity's area, the number of measures calculated, the
number of providers of services and suppliers profiled by type of
provider and supplier, and a measure of the public use of the reports
(for example, the number of Web site hits).
2. Engagement of Providers of Services and Suppliers: We believe
that one of the most important outcomes of this program would be the
engagement of providers of services and suppliers with qualified
entities to improve health care quality and efficiency. We want to
ensure that qualified entities engage providers of services and
suppliers in a constructive and respectful manner, and diligently work
to address the concerns of the providers of services or suppliers
throughout any appeal and error correction processes. Therefore, we are
also proposing to impose reporting requirements so that CMS would be
able to monitor the requests from providers of services and suppliers
for information, error correction, and appeals, as well as the
responsiveness of the qualified entity to those requests. In order to
permit CMS to monitor these requests, we propose that qualified
entities would provide a yearly report to CMS regarding: (1) The number
of requests for data and the number of requests fulfilled; (2) the
number of subsequent error corrections; (3) the type of problem(s)
leading to the appeal or request for error correction; (4) the time for
the qualified entity to acknowledge the request for data or error
correction; (5) the time for the qualified entity to respond to the
request for appeal or error correction; and (6) the number of requests
for appeal or error correction that are resolved.
As stated above, CMS is committed to ensuring that qualified
entities protect the privacy and security of beneficiary information.
To monitor qualified entities actions in this area, we are proposing
that qualified entities would submit to CMS information regarding any
inappropriate disclosures or uses of beneficiary identifiable data
pursuant to the requirements in the DUA. We solicit comment on our
proposal as well as other indicators that would demonstrate that a
qualified entity is appropriately responding to the requests from
providers of services or suppliers.
If, based upon the monitoring activities described above or by any
other manner, we conclude that a qualified entity is not adequately
observing the requirements of the program we propose that CMS, in its
sole discretion, may take any or all of the following actions:
Provide a warning notice, which indicates that future
deficiencies could lead to termination, to the qualified entity of the
specific performance concern;
Request a corrective action plan (CAP) from the qualified
entity;
Place the qualified entity on a special monitoring plan;
Terminate the qualified entity.
The level of sanctions and/or termination would depend on an
assessment by CMS of the seriousness of the observed deficiency or
deficiencies by the qualified entity. One or more disclosures of
beneficiary identifiable information would likely to result in
termination. Additionally, since the statute explicitly bars the reuse
of Medicare claims for purposes other than generating performance
reports, we propose CMS terminate its relationship with the qualified
entity in the event of reuse of Medicare claims. Other deficiencies
that may be the result of employee error and can be easily corrected in
the future would likely just result in a warning notice. However, as
noted above, any time the qualified entity is terminated we propose to
require the destruction or return of any Medicare data within 30 days.
G. Qualified Entity Application Content
In accordance with these proposals, if finalized, CMS proposes to
develop an application process for potential qualified entities that
would require the following information:
1. Applicant name and entity description.
2. A description of the applicant's organizational and governance
qualifications as laid out in Section II.A.2. above and at Sec.
401.703(a)(1).
3. A description of the business model the applicant plans to use
for covering the costs of the required functions.
4. A description of the additional claims data the applicant would
use in combination with the requested Medicare data, and the amount of
data that would be combined with Medicare data.
5. A description of geographic area(s) for which Medicare data
would be requested.
6. Documentation of its proposed data privacy and security policies
and enforcement mechanisms.
7. A description of the proposed measures it intends to calculate
and report, including the name of the measure, the name of the measure
developer, the measure specifications, the rationale for selecting
those measures including the relationship of the measures to existing
measurement efforts and the relevancy to the proposed population in the
proposed geographic area, and a description of the methodologies it
intends to use in creating reports; if seeking approval of an
alternative measure, documentation that the proposed alternative
measure has been accepted by the Secretary as an alternative measure
through notice and comment rulemaking.
8. A description of the process it would establish to allow
providers of services and suppliers to review draft reports
confidentially, request data and appeal to correct errors before the
reports are made public.
9. A prototype report for reporting findings to providers of
services and suppliers, and if different, to consumers,
[[Page 33580]]
including any standard explanatory language (narrative), an easily
comprehensible description of the proposed measures, the rationale for
use of those measures, a description of the methodologies to be used,
and a description of the data specifications and limitations, as well
as a dissemination plan for reports.
We propose to assess the veracity of each applicant's assertions
through a comprehensive review of their supporting documentation as
part of the application review process.
Applications would generally be approved based on the overall
expertise and sustained experience demonstrated. We are not proposing
to limit the number of qualified entities or review the applications
against one another. We believe our proposed approach to determining
qualified entity eligibility balances the need to ensure fairness in
qualified entities' evaluation of providers of services and suppliers
with beneficiaries' needs for confidentiality of their health care
information. We seek comments on our proposed application requirements
and the total burden associated with them.
We recognize that by not limiting the number of qualified entities
in any particular geographic region, in certain circumstances providers
of services and suppliers might receive multiple reports from different
qualified entities. We believe that given the requirement that
qualified entities contribute claims data from other sources, the
likelihood of multiple qualified entities in the same area is low.
However, we seek comment on the implications of providers of services
and suppliers receiving multiple reports. We also seek comment on
whether CMS should limit the number of qualified entities that are
approved for a particular region, as well as other methods to address
this issue.
In selecting qualified entities, CMS would evaluate all
applications received and identify those that meet these requirements.
We propose that applications for participation in the program would be
available on the CMS Web site beginning January 1, 2012. Applications
would only be collected and processed once a year. We propose that
applications would be due on March 31, 2012, and by the close of the
first quarter of the calendar year each year thereafter. We considered,
instead, using a rolling application process, where organizations could
apply at any point in the year. However, we are concerned about the
burden this would place on CMS in processing and reviewing
applications. We seek comment on our proposed application process,
specifically our decision to have a yearly application date rather than
using a rolling application process.
Applicants would be approved for a period of three years from the
date of notification of the application approval by CMS. In order to
continue to serve as a qualified entity for any subsequent three year
periods, the qualified entity would need to reapply. To reapply, a
qualified entity would need to submit to CMS documentation of any
changes to what was included in their original application. Qualified
entities would need to submit this documentation at least 6 months
before the end of their three-year approval period. If a qualified
entity has submitted a reapplication, it would be able to continue to
serve as qualified entities until the re-application is either approved
or denied by CMS. If the re-application is denied, CMS would terminate
its relationship with the qualified entity. We propose that a qualified
entity would need to be in good standing in order to reapply. A
qualified entity would be considered in good standing if it had no
violations of the requirements of the program or if the qualified
entity was addressing any past deficiencies either on its own or
through the implementation of a corrective action plan.
III. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995, we are required to
provide 60-day notice in the Federal Register and solicit public
comment before a collection of information requirement is submitted to
the Office of Management and Budget (OMB) for review and approval. In
order to fairly evaluate whether an information collection should be
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act
of 1995 requires that we solicit comment on the following issues:
The need for the information collection and its usefulness
in carrying out the proper functions of our agency.
The accuracy of our estimate of the information collection
burden.
The quality, utility, and clarity of the information to be
collected.
Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
We are soliciting public comment on each of these issues for the
following sections of this proposed rule that contain information
collection requirements (ICRs).
If finalized, these regulations would require an organization
seeking to receive data as a qualified entity to submit an application.
Specifically, an applicant must submit the information listed in
proposed Sec. Sec. 401.703-401.705. The burden associated with this
requirement is the time and effort necessary to gather, process, and
submit the required information to CMS. We estimate that 35
organizations would submit applications to receive data as qualified
entities. We further estimate that it would take each applicant 500
hours to gather, process and submit the required information. The total
estimated burden associated with this requirement is 500 hours at an
estimated cost of $795,641.
Proposed Sec. 401.707(a)(iv) states that as part of the
application review and approval process, a qualified entity would be
required to execute a Data Use Agreement (DUA) with CMS, that among
other things, reaffirms the statutory bar on the use of Medicare data
for purposes other than those referenced above. The burden associated
with executing this DUA is currently approved under OMB control number
0938-0734.
Proposed Sec. 401.705(f) would require qualified entities in good
standing to re-apply for qualified entity status 6 months before the
end of their three-year approval period. We estimate that 25 entities
would be required to comply with this requirement. We estimate that it
would take 120 hours to reapply to CMS. The total estimated burden
associated with this requirement is 120 hours at an estimated cost of
$136,396.
Proposed Sec. 410.710(b) requires qualified entities to submit
annual reports to CMS as part of CMS' ongoing monitoring of qualified
entity activities. We estimate that the 25 entities in the program will
be required to comply with this requirement. We estimate that it will
take 150 hours to complete an annual monitoring report. The total
estimated burden associated with this requirement is 150 hours at
$170,475.
[[Page 33581]]
Table 1--Estimated Annual Recordkeeping and Reporting Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hourly Total
Burden per Total labor cost labor cost Total
Regulation section(s) OMB Control No. Respondents Responses response annual of of capital/ Total cost
(hours) burden reporting reporting maintenance ($)
(hours) ($) ($)* costs ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec. 401.703(a).............. 0938-New.......... 35 35 500 17,500 ** 795,641 0 795,641
Sec. 401.705(f).............. 0938-New.......... 25 25 120 3,000 ** 136,396 0 136,396
Sec. 401.710(b).............. 0938-New.......... 25 25 150 3,750 ** 170,475 0 170,475
----------------------------------------------------------------------------------------------------
Total...................... .................. 35 35 .......... 24,250 .......... .......... ........... 1,102,512
--------------------------------------------------------------------------------------------------------------------------------------------------------
* Total labor cost assuming 92% of total hours are professional and technical and 8% are legal.
** Wage rates vary by level of staff involved in complying with the information collection request (ICR).
To obtain copies of the supporting statement and any related forms
for the proposed paperwork collections referenced above, access CMS'
Web site at http://www.cms.gov/PaperworkReductionActof1995/PRAL/list.asp#TopOfPage or e-mail your request, including your address,
phone number, OMB number, and CMS document identifier, to
[email protected], or call the Reports Clearance Office at 410-786-
1326.
If you comment on these information collection and recordkeeping
requirements, please do either of the following:
1. Submit your comments electronically as specified in the
ADDRESSES section of this proposed rule; or
2. Submit your comments to the Office of Information and Regulatory
Affairs, Office of Management and Budget, Attention: CMS Desk Officer,
[CMS-5059-P], Fax: (202) 395 6974; or E-mail: [email protected].
IV. Regulatory Impact Analysis
A. Overall Impact
We have examined the impacts of this rule as required by Executive
Order 12866 on Regulatory Planning and Review (September 30, 1993), the
Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354),
section 1102(b) of the Social Security Act, section 202 of the Unfunded
Mandates Reform Act of 1995 (Pub. L. 104-4), Executive Order 13132 on
Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C.
804(2)).
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). A regulatory impact
analysis (RIA) must be prepared for major rules with economically
significant effects ($100 million or more in any 1 year). For the
reasons discussed below, we estimate that the total impact of this
proposed rule would be less than $90 million and therefore, it would
not reach the threshold for economically significant effects and is not
considered a major rule.
The RFA requires agencies to analyze options for regulatory relief
of small businesses, if a rule has a significant impact on a
substantial number of small entities. For purposes of the RFA, we
estimate that most hospitals and most other providers are small
entities as that term is used in the RFA (including small businesses,
nonprofit organizations, and small governmental jurisdictions).
However, since the total estimated impact of this rule is less than
$100 million, and the total estimated impact would be spread over both
qualified entities and providers of services and suppliers, no one
entity would face significant impact. Thus, we are not preparing an
analysis of options for regulatory relief of small businesses because
we have determined that this rule would not have a significant economic
impact on a substantial number of small entities.
We estimate that two types of entities may be affected by the
program established by section 1874(e) of the Act: Organizations that
desire to operate as qualified entities and the providers of services
and suppliers who receive performance reports from qualified entities.
We anticipate that most providers of services and suppliers
receiving qualified entities' performance reports would be hospitals
and physicians. Many hospitals and most other health care providers and
suppliers are small entities, either by being nonprofit organizations
or by meeting the Small Business Administration definition of a small
business (having revenues of less than $34.5 million in any 1 year)
(for details see the Small Business Administration's Web site at http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf (refer to the 620000 series). For purposes of the RFA,
physicians are considered small businesses if they generate revenues of
$10 million or less based on Small Business Administration size
standards. Approximately 95 percent of physicians are considered to be
small entities.
The analysis and discussion provided in this section and elsewhere
in this proposed rule complies with the RFA requirements. Because we
acknowledge that many of the affected entities are small entities, the
analysis discussed throughout the preamble of this proposed rule
constitutes our regulatory flexibility analysis for the remaining
provisions and addresses comments received on these issues.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis, if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. Any
such regulatory impact analysis must conform to the provisions of
section 603 of the RFA. For purposes of section 1102(b) of the Act, we
define a small rural hospital as a hospital that is located outside of
a metropolitan statistical area and has fewer than 100 beds. We do not
believe this proposed rule has impact on significant operations of a
substantial number of small rural hospitals because we anticipate that
most qualified entities would focus their performance evaluation
efforts on metropolitan areas where the majority of health services are
provided. As a result, this rule would not have a significant impact on
small rural hospitals. Therefore, the Secretary has determined that
this proposed rule would not have a significant impact on the
operations of a substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any 1 year of $100
million in 1995 dollars, updated annually for inflation. In 2011, that
threshold is approximately $136 million. This proposed rule would not
mandate any requirements for State,
[[Page 33582]]
local, or tribal governments in the aggregate, or by the private
sector, of $136 million. Specifically, as explained below we anticipate
the total impact of this rule on all parties to be approximately $87
million.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on State
and local governments, preempts State law, or otherwise has Federalism
implications. We have examined this proposed rule in accordance with
Executive Order 13132 and have determined that this regulation would
not have any substantial direct effect on State or local governments,
preempt States, or otherwise have a Federalism implication.
B. Anticipated Effects
1. Impact on Qualified Entities
Because section 1874(e) of the Act establishes a new program, there
is little quantitative information available to inform our estimates.
However, we believe that many or most qualified entities are likely to
resemble community quality collaborative programs such as participants
in the CMS Better Quality Information for Medicare Beneficiaries pilot
(https://www.cms.gov/BQI/) and the AHRQ Chartered Value Exchange (CVE)
program (http://www.ahrq.gov/qual/value/lncveover.htm). Community
quality collaboratives are community-based organizations of multiple
stakeholders that work together to transform health care at the local
level by promoting quality and efficiency of care, and by measuring and
publishing quality information. Consequently, we have examined
available information related to those programs to inform our
assumptions, although there is only limited available data that is
directly applicable to this analysis.
We estimate that 35 organizations would submit applications to
participate as qualified entities. We anticipate that the majority of
applicants would be nonprofit organizations such as existing community
collaboratives. In estimating qualified entity impacts, we used hourly
labor costs in several labor categories reported by the Bureau of Labor
Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce. We
used the annual rates for 2009 and added 33 percent for overhead and
fringe benefit costs. These rates are displayed in Table 2.
Table 2--Labor Rates for Qualified Entity Impact Estimates
----------------------------------------------------------------------------------------------------------------
2009 hourly wage OH and fringe Total hourly
rate (BLS) (33%) costs
----------------------------------------------------------------------------------------------------------------
Professional and technical services....................... $34.08 $11.25 $45.33
Legal review.............................................. 35.35 11.67 47.02
Custom computer programming............................... 40.37 13.32 53.69
Data processing and hosting............................... 29.36 9.69 39.05
Other information services................................ 30.62 10.10 40.72
----------------------------------------------------------------------------------------------------------------
We estimate that preparation of an application would require a
total of 500 hours of effort, requiring a combination of staff in the
professional and technical services and the legal labor categories. We
seek comment on our estimate that 35 organizations would apply to
become qualified entities and encourage any interested organizations to
signal their intent to apply as qualified entities in their comments on
this rule.
We estimate that 25 of these applicants would be approved as
participating qualified entities, and that each qualified entity would
request Medicare claims data accompanied by payment for these data.
Because of the eligibility criteria we are proposing for qualified
entities, we believe that it is likely that all of these organizations
would already be performing work related to calculation of quality
measures and production of performance reports for health care
providers, so the impact of the program established by section 1874(e)
of the Act would be an opportunity to add Medicare claims data to their
existing function.
The statute directs that the fees for these data be equal to the
government's cost to make the data available. We are proposing to
initially provide three years of data to qualified entities with yearly
updates thereafter. Based on CMS past experience providing Medicare
data to research entities, we estimate that the total approximate costs
to provide three years of data for 2.5 million beneficiaries to a
qualified entity would be $200,000. As shown in Table 3, this would
include approximately $75,000 in costs to produce the claims data, as
well as approximately $125,000 in additional costs associated with
technical assistance, processing applications and requests for data,
and monitoring.
We estimate that, on average, each qualified entity's activity to
analyze the Medicare claims data, calculate performance measures and
produce provider performance reports would require 5,500 hours of
effort. While qualified entities would not be able to calculate or
produce alternative measures in the first year of serving as a
qualified entity, they may submit measures for approval in the first
year of the program, so we have also included estimates here of the
level of effort required to develop and submit alternative measures. We
estimate that half of the qualified entities (13) would propose
alternative performance measures, which would involve an additional
2,100 hours of effort for each entity.
We further estimate that, on average, each qualified entity would
expend 5,000 hours of effort processing providers' and suppliers'
appeals of their performance reports and producing revised reports, and
2,000 hours making information about the performance measures publicly
available. These estimates assume that, as discussed below in the
section on provider and supplier impacts, on average 25 percent of
providers or services and suppliers would appeal their results from a
qualified entity. These assumptions are based on a belief that in the
first year of the program many providers would want to appeal their
results prior to performance reports being made available to the
public. Responding to these appeals in an appropriate manner would
require a significant investment of time on the part of qualified
entities. This equates to an average of four hours per appeal for each
qualified entity. We assume that the complexity of appeals would vary
greatly, and as such, the time required to address them would also vary
greatly. Many appeals may be able to be dealt with in an hour or less
while some appeals may require multiple meetings
[[Page 33583]]
between the qualified entity and the affected provider of services or
supplier. On average however, we believe that this is a realistic and
reasonable estimate of the burden of the appeals process on qualified
entities. We discuss the burden of the appeals process on providers of
services and suppliers below.
We anticipate that qualified entities would expend 2,000 hours of
effort developing their proposed performance report. These estimated
hours are separated into labor categories in Table 3 below, with the
pertinent hourly labor rates and cost totals.
Finally, we estimate that each qualified entity would spend 255
hours of effort submitting information to CMS for monitoring purposes.
This would include audits and site visits as discussed above. It would
also include an annual report that contains measures of general program
adherence, measures of the provider of services and suppliers data
sharing, error correction, and appeals process, and measures of the
success of the program with consumers. Finally, qualified entities
would be required to notify CMS of inappropriate disclosures or use of
beneficiary identifiable data pursuant to the requirements in the DUA.
We believe that many of the required data elements in both the annual
report and the report generated in response to an inappropriate
disclosure or use of beneficiary identifiable data would be generated
as a matter of course by the qualified entities and therefore, would
not require significant additional effort. Based on the assumptions we
have described, we estimate the total impact on qualified entities for
the first year of the program to be a cost of $49,003,203.
Table 3--Impact on Qualified Entities for the First Year of the Program
[Impact on Qualified Entities]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hours
-----------------------------------------------------------
Activity Data process- Labor Cost per Number of Total cost
Professional Legal Computer sing and hourly cost applicant applicants impact
and technical programming hosting
--------------------------------------------------------------------------------------------------------------------------------------------------------
APPLICATION COSTS
--------------------------------------------------------------------------------------------------------------------------------------------------------
Preparation of application by candidate .............. ......... .............. .............. ........... ........... ........... ...........
QEs.....................................
a. Prepare draft application............. 360 ......... .............. .............. $45.33 $16,319 ........... ...........
b. Legal review.......................... .............. 40 .............. .............. $47.02 $1,881 ........... ...........
c. Revisions to draft application........ 60 ......... .............. .............. $45.33 $2,720 ........... ...........
d. Senior management review and signature 40 ......... .............. .............. $45.33 $1,813 ........... ...........
Total: application preparation........... 460 40 .............. .............. ........... $22,733 35 $795,641
Medicare data purchase costs by approved .............. ......... .............. .............. NA $75,000 25 $1,875,000
QEs.....................................
Additional Medicare data application .............. ......... .............. .............. NA $125,000 25 $3,125,000
costs...................................
Total: Applications...................... .............. ......... .............. .............. ........... ........... ........... $5,795,641
--------------------------------------------------------------------------------------------------------------------------------------------------------
QE OPERATIONS COSTS
--------------------------------------------------------------------------------------------------------------------------------------------------------
Database administration.................. .............. ......... .............. 500 $39.05 ........... 25 $488,125
Data analysis/measure calculation/report .............. ......... 2500 .............. $53.69 $134,225 25 $3,355,625
preparation.............................
.............. ......... .............. 2500 $39.05 $97,625 25 $2,440,625
Development and submission of alternative 1000 ......... .............. .............. $45.33 $45,330 13 $589,290
measures................................
.............. ......... 100 .............. $53.69 $5,369 13 $69,797
.............. ......... .............. 1000 $39.05 $39,050 13 $507,650
QE processing of provider appeals and 4000 ......... .............. .............. $45.33 $181,320 25 $4,533,000
report revision.........................
.............. 1000 .............. .............. $47.02 $47,020 25 $1,175,500
Development of proposed performance 1000 ......... .............. .............. $45.53 $45,530 25 $1,138,250
report formats..........................
.............. ......... 1000 .............. $53.69 $53,690 25 $1,342,250
Publication of performance reports....... .............. ......... 1000 .............. $53.69 $53,690 25 $1,342,250
.............. ......... .............. 1000 $39.05 $39,050 25 $976,250
Monitoring............................... .............. ......... .............. 255 $39.05 $9,958 25 $248,950
[[Page 33584]]
Computer hardware and processing......... .............. ......... .............. .............. ........... $1,000,000 25 $25,000,00
0
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total: Operations........................ .............. ......... .............. .............. ........... ........... ........... $43,207,562
--------------------------------------------------------------------------------------------------------------
Total QE Impacts (application plus .............. ......... .............. .............. ........... ........... ........... $49,003,203
operations).........................
--------------------------------------------------------------------------------------------------------------------------------------------------------
2. Impact on Health Care Providers of Services and Suppliers
Table 4 reflects the hourly labor rates used in our estimate of the
impacts of the first year of section 1874(e) of the Act on health care
providers of services and suppliers. We note that numerous health care
payers, community quality collaboratives, States, and other
organizations are producing performance measures for health care
providers of services and suppliers using data from other sources, and
that providers of services and suppliers are already receiving
performance reports from these sources. We anticipate that the Medicare
claims data would merely be added to those existing efforts to improve
the statistical validity of the measure findings, and therefore the
impact of including Medicare claims data in these existing performance
reporting processes is likely to be marginal. However, we invite
comments on the impact of this new voluntary program.
Table 4--Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------------------------------
Overhead and
2009 hourly wage fringe benefits Total hourly
rate (BLS) (33%) costs
----------------------------------------------------------------------------------------------------------------
Physicians' offices....................................... $30.90 $10.20 $41.10
Hospitals................................................. 26.44 8.73 35.17
----------------------------------------------------------------------------------------------------------------
We anticipate that the impacts on providers of services and
suppliers consist of costs to review the performance reports generated
by qualified entities and, if they choose, appeal their performance
calculations. Based on a review of available information from the
Better Quality Information and the Charter Value Exchange programs, we
estimate that, on average, each qualified entity would distribute
performance reports to 5,000 health providers of services and
suppliers. We anticipate that the largest proportion of providers of
services and suppliers would be physicians because they comprise the
largest group of providers of services and suppliers, and are a primary
focus of many recent performance evaluation efforts. Based on our
review of information from these existing programs, we assume that 95
percent of the recipients of performance reports (that is, an average
of 4,750 per qualified entity) would be physicians, and 5 percent (that
is, an average of 250 per qualified entity) would be hospitals and
other suppliers. Providers of services and suppliers receive these
reports with no obligation to review them, but we assume that most
would do so to verify that their calculated performance measures
reflect their actual patients and health events. We estimate that, on
average, each provider of services or supplier would devote five hours
to reviewing these reports. We also estimate that 25 percent of the
providers of services and suppliers would decide to appeal their
performance calculations, and that preparing the appeal would involve
an average of ten hours of effort on the part of a provider of services
or supplier. As with our assumptions regarding the level of effort
required by qualified entities in operating the appeals process, we
believe that this average covers a range of provider efforts from
providers who would need just one or two hours to clarify any questions
or concerns regarding their performance reports to providers who would
devote significant time and resources to the appeals process.
Using the hourly costs displayed in Table 4, the impacts on
providers of services and suppliers are calculated below in Table 5.
Based on the assumptions we have described, we estimate the total
impact on providers for the first year of the program to be a cost of
$38,262,815.
As stated above in Table 3, we estimate the total impact on
qualified entities to be a cost of $49,003,203. Therefore, the total
impact on qualified entities and on providers of services and suppliers
for the first year of the program is estimated to be $87,266,018.
[[Page 33585]]
Table 5--Impact on Providers of Services and Suppliers for the First Year of the Program
[Impact on Providers of Services and Suppliers]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hours per provider
------------------------ Labor Cost per Number of Number of Total cost
Activity Physician hourly cost applicant providers QEs impact
offices Hospitals per QE
--------------------------------------------------------------------------------------------------------------------------------------------------------
Provider review of performance reports......................... 5 .......... $41.10 $206 4,750 25 $24,403,125
.......... 5 35.17 176 250 25 1,099,063
Preparing and submitting appeal request to QEs................. 10 .......... 41.10 411 1188 25 12,206,700
.......... 10 35.17 352 63 25 533,928
----------------------------------------------------------------------------------------
Total Provider Impacts..................................... .......... .......... ........... ........... ........... ........... 38,262,815
--------------------------------------------------------------------------------------------------------------------------------------------------------
C. Alternatives Considered
The statutory provisions that were added by section 10332 of the
Affordable Care Act are detailed and prescriptive about the eligibility
for, and requirements of the Qualified Entity Program. Consequently, we
believe there are limited approaches that would ensure program success
and statutory compliance. We considered proposing a less comprehensive
set of eligibility criteria for qualified entities (for example,
eliminating requirements that applicants demonstrate capabilities
related to calculation of measures, developing performance reports,
combining Medicare claims data with other claims, and data privacy and
security protection). While such an approach might have reduced certain
application and operating costs for these entities, we did not adopt
such an approach for several reasons. An important consideration is the
protection of beneficiary identifiable data. We believe if we do not
require qualified entities to provide sufficient evidence of data
privacy and security protection capabilities, there would be increased
risks related to the protection of beneficiary identifiable data.
Additionally, we believe that requiring less stringent requirements
regarding the production and reporting of measures would lead to
increases in the number of provider appeals, and consequently in
appeals-related costs of both providers and qualified entities. We
expect that such a scenario would not support the development of a
cooperative relationship between qualified entities and providers of
services and suppliers. We request public comments on other approaches
that could be considered.
D. Conclusion
As explained above, we estimate the total impact for the first year
of the program on qualified entities and providers to be a cost of
$87,266,018. Based on these estimates, we conclude this proposed rule
does not reach the threshold for economically significant effects and
thus is not considered a major rule.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
List of Subjects in 42 CFR Part 401
Claims, Freedom of information, Health facilities, Medicare,
Privacy.
For the reasons set forth in the Preamble, the Centers for Medicare
and Medicaid Services proposes to amend 42 CFR Chapter IV as set forth
below:
PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 401 is revised to read as
follows:
Authority: Secs. 1102, 1871, and 1874(e) of the Social Security
Act (42 U.S.C. 1302, 1395hh, and 1395w-5).
2. A new subpart G is added to part 401 to read as follows:
Subpart G--Availability of Medicare Data for Performance Measurement
Sec.
401.701 Purpose and scope.
401.702 Definitions.
401.703 Eligibility criteria for qualified entities.
401.704 Operating and governance requirements for qualified
entities.
401.705 The application process and requirements.
401.706 Updates to plans submitted as part of the application
process.
401.707 Ensuring the privacy and security of data.
401.708 Selection and use of performance measures.
401.709 Provider of services and supplier requests for error
correction.
401.710 Monitoring and sanctioning of qualified entities.
401.711 Termination of qualified entities.
Subpart G--Availability of Medicare Data for Performance
Measurement
Sec. 401.701 Purpose and scope.
The regulations in this subpart implement section 1874(e) of the
Social Security Act as it applies to the Centers for Medicare &
Medicaid Services (CMS). The rules apply to Medicare data made
available to qualified entities for the evaluation of the performance
of providers of services and suppliers.
Sec. 401.702 Definitions.
(a) Qualified entity. A qualified entity is defined as a public or
private entity that:
(1) Is qualified, as determined by the Secretary, to use claims
data to evaluate the performance of providers of services and suppliers
on measures of quality, efficiency, effectiveness, and resource use,
and
(2) Agrees to meet the requirements described in Section 1874(e) of
the Social Security Act and meets the requirements at Sec. Sec.
401.703 through 401.710.
(b) Provider of services. A provider of services under this subpart
is defined in the same manner as the identical term at section 1861(u)
of the Social Security Act.
(c) Supplier. A supplier under this subpart is defined in the same
manner as the identical term at section 1861(d) of the Social Security
Act.
(d) Claims. Claims are itemized billing statements from providers
of services and suppliers that, except in the context of Part D drug
event date, request reimbursement for a list of services and supplies
that were provided to a Medicare beneficiary in the Medicare fee-for-
service context, or to a participant in other insurance or entitlement
program contexts. In the Medicare program, claims files are available
for each institutional (inpatient, outpatient, skilled nursing
facility, hospice, or home health agency) and non-institutional
(physician and durable medical equipment providers
[[Page 33586]]
and suppliers) claim type as well as Medicare Part D (Prescription
Drug) Event data.
(e) Standardized data extract. For purposes of this subpart, the
standardized data extract is the subset of Medicare claims data that
the Secretary would make available to qualified entities under this
subpart.
(f) Beneficiary identifiable data. For the purposes of this
subpart, beneficiary identifiable data is any data that contains the
beneficiary name or beneficiary name and any other direct identifying
factors, including, but not limited to, race, sex, age, or address.
(g) Encrypted data. For the purposes of this subpart, encrypted
data is any data that does not contain the beneficiary name or any
other direct identifying factors, but does include a unique beneficiary
identifier that allows for the linking of claims without divulging the
direct identifier of the beneficiary.
Sec. 401.703 Eligibility criteria for qualified entities.
(a) Eligibility criteria: To be eligible to apply to receive data
as a qualified entity under this section, an applicant generally must
demonstrate expertise and sustained experience, defined as three or
more years, to the Secretary's satisfaction in the following three
areas:
(1) Organizational and governance criteria, including:
(i) Accurately calculating quality, efficiency, effectiveness, and
resource use measures from claims data, including:
(A) Indentifying an appropriate method to attribute a particular
patient's services to specific providers of services and suppliers.
(B) Ensuring the use of approaches to ensure statistical validity
such as a minimum number of observations or minimum denominator for
each measure.
(C) Using methods for risk-adjustment to account for variation in
both case-mix and severity among providers of services and suppliers.
(D) Identifying methods for handling outliers.
(E) Correcting measurement errors and assessing measure
reliability.
(F) Identifying appropriate peer groups of providers and suppliers
for meaningful comparisons.
(ii) A business model that would cover the costs of performing the
required functions, including the fee for the data.
(iii) Successfully combining claims data from different payers to
calculate performance reports.
(iv) Designing, and continuously improving the format of
performance reports on providers of services and suppliers.
(v) Preparing an understandable description of the measures used to
evaluate the performance of providers of services and suppliers so that
consumers, providers of services and suppliers, health plans,
researchers, and other stakeholders can assess performance reports.
(vi) Implementing and maintaining a process for providers of
services and suppliers identified in a report to review the report
prior to publication and providing a timely response to provider of
services and supplier inquiries regarding requests for data, error
correction, and appeals.
(vii) Establishing, maintaining, and monitoring a rigorous data
privacy and security program, including disclosing to CMS any
inappropriate disclosures of beneficiary identifiable information or
HIPAA violations for the preceding 10-year period, and any corrective
actions taken to address such issues.
(viii) Accurately preparing performance reports on providers of
services and suppliers and making performance report information
available to the public in aggregate form, that is, at the provider of
services or supplier level.
(2) Ability to combine Medicare claims data with claims data from
other sources, including demonstrating to the Secretary's satisfaction
that the claims data from other sources that it intends to combine with
the Medicare data received under this subpart address many of the
methodological concerns expressed by multiple stakeholders regarding
the calculation of performance measures from a single payer source.
(3) Documentation of rigorous data privacy and security policies
including enforcement mechanisms.
(b) [Reserved]
Sec. 401.704 Operating and governance requirements for qualified
entities.
(a) Submit to CMS a list of all measures it intends to calculate
and report, the geographic areas it intends to serve, and the methods
of creating and disseminating reports. This list must include the
following information:
(1) Name of the measure, and whether it is a standard or
alternative measure,
(2) Name of the measure developer/owner,
(3) Measure specifications, including numerator and denominator,
(4) The rationale for selecting each measure, including the
relationship to existing measurement efforts and the relevancy to the
population in the geographic area(s) the entity would serve, including:
(i) A specific description of the geographic area or areas it
intends to serve, and
(ii) A specific description of how each measure evaluates providers
of services and suppliers on quality, efficiency, effectiveness, and/or
resource use.
(5) A description of the methodologies it intends to use in
creating reports with respect to all of the following topics:
(i) Attribution of beneficiaries to providers and/or suppliers,
(ii) Benchmarking performance data, including:
(A) Methods for creating peer groups,
(B) Justification of any minimum sample size determinations made,
and
(C) Methods for handling statistical outliers.
(iii) Risk adjustment.
(b) Submit to CMS a description of the process it would establish
to allow providers of services and suppliers to view reports
confidentially, request data, and ask for the correction of errors
before the reports are made public.
(c) Submit to CMS a prototype report and a description of their
plans for making the reports available to the public.
Sec. 401.705 The application process and requirements.
(a) Application deadline. Qualified entity applications must be
submitted by March 31, 2012 and by the close of the first quarter of
the calendar year each year thereafter.
(b) Selection criteria. To be approved as a qualified entity under
this subpart, the applicant must meet the eligibility and operational
and governance requirements, and fulfill all of the application
requirements to CMS' satisfaction, agree to pay a fee equal to the cost
of CMS making the data available, and execute a Data Use Agreement with
CMS, that among other things, reaffirms the statutory ban on the use of
Medicare data provided to the qualified entity by CMS under this
subpart for purposes other than those referenced in this subpart.
(c) Duration of approval. The entity would be permitted to
participate as a qualified entity for a period of three years from the
date of notification of application approval by CMS. The qualified
entity must abide by all CMS regulations and instructions for this
program. If the qualified entity wishes to continue performing the
tasks under this subpart after the three-year approval period, the
entity may re-apply for qualified entity status following the
procedures set forth below.
(d) Reporting period. Unless otherwise specified, the qualified
entities must produce reports on the
[[Page 33587]]
performance of providers of services and suppliers annually beginning
in the calendar year after they are approved by CMS.
(e) The distribution of data. Once a qualified entity is approved
by CMS under this subpart, it would be required to pay a fee equal to
the cost of CMS making this data available. After the qualified entity
pays the fee, CMS would release claims data to the qualified entity.
(1) CMS would release standardized extracts of encrypted data from
Medicare parts A and B claims data, and D drug event data for the most
recent three years of data available at that time. The data would be
limited to the geographic spread of the qualified entity's other claims
data as determined by CMS.
(2) After the first year of participation, CMS would provide
qualified entities with the most recent additional year of data on a
yearly basis. Qualified entities would be required to pay a fee equal
to the cost of CMS making this data available before CMS would release
the most recent year of additional data to the qualified entity.
(f) Re-application. Qualified entities in good standing may re-
apply for qualified entity status. A qualified entity would be
considered in good standing if it has had no violations of the
requirements of the program or if the qualified entity is addressing
any past deficiencies either on its own or through the implementation
of a corrective action plan. To reapply a qualified entity would need
to submit to CMS documentation of any changes to what was included in
their original application. Reapplicants would need to submit this
documentation at least 6 months before the end of their three year
approval period and would be able to continue to serve as qualified
entities until the re-application is either approved or denied by CMS.
If the re-application is denied, CMS would terminate its relationship
with the qualified entity.
Sec. 401.706 Updates to plans submitted as part of the application
process.
(a) If a qualified entity wishes to make changes to:
(1) Its list of proposed measures, the qualified entity must send
all the information referenced in Sec. 401.704(a) for the new measure
to CMS at least 90 days prior to its intended confidential release to
providers of services and suppliers.
(2) Its proposed prototype report, the qualified entity must send
the new prototype report to CMS at least 90 days prior to its intended
confidential release to providers of services and suppliers.
(3) Its plans for sharing the reports with the public, the
qualified entity must send the new plans to CMS at least 90 days prior
to its intended confidential release to providers of services and
suppliers.
(b) The qualified entity would be notified when its proposed
changes are approved or denied for use. Under no circumstances may a
qualified entity issue a report, use a measure, or share a report
without first obtaining CMS approval.
(c) If the amount of claims data from other sources available to a
qualified entity decreases, the qualified entity must immediately
inform CMS and submit documentation that the remaining claims data from
other sources is sufficient to address the methodological concerns
regarding sample size and reliability. Under no circumstances may a
qualified entity issue a report, use a measure, or share a report after
this point.
(1) If CMS determines that the remaining claims data is not
sufficient, the qualified entity would have 60 days to acquire new data
and submit new documentation to CMS. If after 60 days, the qualified
entity does not have access to new data or if CMS decides the qualified
entity still does not possess the need amount of additional claims
data, CMS shall terminate its relationship with the qualified entity.
(2) If CMS determines that the remaining claims data is sufficient,
the qualified entity may resume issuing reports, using measures, and
sharing reports.
Sec. 401.707 Ensuring the privacy and security of data.
(a) Qualified entities must comply with the data requirements in
the data use agreement (DUA) with CMS. The DUA would require the
qualified entity to maintain privacy and security protocols throughout
the duration of their agreement with CMS and would ban the use of data
for purposes other than those referenced in this subpart. The DUA would
also prohibit the use of unsecured telecommunications to transmit CMS
data and would require disclosure of the circumstances under which CMS
data would be stored and transmitted.
(b) Qualified entities must inform each beneficiary whose
beneficiary identifiable data has been or is reasonably believed to
have been inappropriately accessed, acquired, or disclosed pursuant to
the DUA.
Sec. 401.708 Selection and use of performance measures.
(a) Standard measure. A standard measure is defined as a measure
that can be calculated from the standardized extracts of Medicare Parts
A and B claims, and Part D drug event data that:
(1) Meets one of the following criteria:
(i) Endorsed by the entity with a contract under section 1890(a) of
the Social Security Act;
(ii) Time-limited endorsed by the entity with a contract under
Section 1890(a) of the Social Security Act until such time as the full
endorsement status is determined;
(iii) Developed pursuant to section 931 of the Public Health
Service Act; or
(iv) Can be calculated from standardized extracts of Medicare parts
A or B claims or part D drug event data, was adopted through notice and
comment rulemaking and is currently being used in CMS programs that
include quality measurement.
(2) Is used in a manner that follows the measure specifications as
written (or as adopted through notice and comment rulemaking),
including all numerator and denominator inclusions and exclusions,
measured time periods, and specified data sources.
(b) Alternative measure. (1) An alternative measure is defined as a
measure that is not a standard measure, but that can be calculated from
the standardized extracts of Medicare Parts A and B claims, and Part D
drug event data that:
(i) Has been found by the Secretary through a notice and comment
rulemaking process, to be more valid, reliable, responsive to consumer
preferences, cost-effective, or relevant to dimensions of quality and
resource use not addressed by standard measures, and,
(ii) Is used by a qualified entity in a manner that follows the
measure specifications as written (or as adopted through notice and
comment rulemaking), including all numerator and denominator inclusions
and exclusions, measured time periods, and specified data sources.
(2) An alternative measure may be used up until the point that a
standard measure for the particular clinical area or condition becomes
available at which point the qualified entity must switch to the
standard measure within 6 months or submit additional scientific
justification and receive approval from the Secretary to continue using
the alternative measure.
(3) To submit an alternative measure for consideration for use in
the following calendar year an entity must submit the following by May
31st:
[[Page 33588]]
(i) The name of the alternative measure.
(ii) The name of the alternative measure's developer or owner.
(iii) Detailed specifications for the alternative measure.
(iv) Information demonstrating how the alternative measure is more
cost-effective, relevant to consumer preferences, cost-effective, or
relevant to dimensions of quality and resource use not addressed by
standard measures.
Sec. 401.709 Provider of services and supplier requests for error
correction.
(a) Qualified entities must confidentially share measures,
measurement methodologies, and measure results with providers of
services and suppliers at least 30 business days prior to making
reports public. The 30 days begins on the date on which qualified
entities send the confidential reports to providers of services and
suppliers.
(b) Qualified entities must allow providers of services and
suppliers at least 10 business days after receipt of a report to make a
request for the data.
(c) Qualified entities must allow providers of services and
suppliers at least 10 business days after receipt of the data to make a
request for error correction.
(d) If a qualified entity receives a request for beneficiary names
from a provider of services or supplier, the qualified entity must
forward that request to CMS including a copy of the signed request from
the provider of services or supplier as an attachment.
(1) After the qualified entity receives the beneficiary names from
CMS and sends the information to the requesting provider of services or
supplier, the qualified entity must immediately destroy that data and
is not permitted to retain or use the beneficiary names in any way.
(2) If a qualified entity does not immediately destroy all
identifiable data after sharing the information with the requesting
provider of services or supplier, it will be subject to the penalties
referenced in Sec. 401.710(d).
(e) Qualified entities must inform providers of services and
suppliers that reports would be made public, including information
related to the status of any data or error correction requests, after a
specified date (at least 30 business days after the report was
originally shared with providers of services and suppliers), regardless
of the status of any requests for error correction.
(f) If a provider of services or supplier still has a data or error
correction request outstanding at the time of making the reports
public, the qualified entity must, if feasible, post publicly the name
of the appealing provider and the category of the appeal request.
Sec. 401.710 Monitoring and sanctioning of qualified entities.
(a) CMS would monitor and assess the performance of qualified
entities using the following methods:
(1) Audits
(2) Submission of documentation of data sources and quantities of
data upon the request of CMS and/or site visits
(3) Analysis of specific data reported to CMS by qualified entities
through annual reports, as described in paragraph (b) of this section,
and reports on inappropriate disclosures or uses of beneficiary
identifiable data, as described in paragraph (c) of this section.
(4) Analysis of beneficiary and/or provider complaints
(b) Qualified entities must provide annual reports to CMS
containing information related to:
(1) General program adherence, including:
(i) The number of Medicare and private claims combined.
(ii) The percent of the overall market share the number of claims
represents in the qualified entity's area.
(iii) The number of measures calculated.
(iv) The number of providers of services and suppliers profiled by
type of provider and supplier.
(v) A measure of public use of the reports.
(2) The provider of services and suppliers data sharing, error
correction, and appeals process, including:
(i) The number of providers of services and suppliers requesting
claims data.
(ii) The number of requests for claims data fulfilled.
(iii) The number of error corrections.
(iv) The type(s) of problem(s) leading to the request for error
correction.
(v) The time to acknowledge the request for data or error
correction.
(vi) The time to respond to the request for error correction.
(vii) The number of requests for error correction resolved.
(c) Qualified entities must inform CMS of inappropriate disclosures
or uses of beneficiary identifiable data pursuant to the requirements
in the DUA.
(d) CMS may take the following actions against qualified entities
if it is determined that they are violation of any of the requirements
of the qualified entity program, regardless of how CMS learns of the
violation:
(1) Provide a warning notice, which indicates that future
deficiencies could lead to termination, to the qualified entity of the
specific concern
(2) Request a corrective action plan (CAP) from the qualified
entity
(3) Place the qualified entity on a special monitoring plan
(4) Terminate the qualified entity
Sec. 401.711 Termination of qualified entities.
(a) Grounds for terminating a qualified entity agreement. CMS may
terminate an agreement with a qualified entity if the qualified entity:
(1) Engages in one or more serious violations of the requirements
of the qualified entity program.
(2) Fails to completely and accurately report information to CMS or
fails to make timely corrections to reported performance information
per providers of services and supplier requests for such correction.
(3) Fails to submit an approvable corrective action plan (CAP),
fails to implement an approved CAP, or fails to demonstrate improved
performance after the implementation of a CAP.
(4) Improperly uses or discloses claims information received from
CMS in violation of the requirements of the regulations in this
subpart.
(5) Based on their reapplication, no longer meets the requirements
in this subpart.
(b) Return of CMS data upon voluntary or involuntary termination
from the qualified entity program:
(1) If a qualified entity's agreement with CMS is terminated by
CMS, it must immediately upon receipt of notification of such
termination commence returning or destroying any and all CMS data (and
any derivative files). In no instance should this process exceed 30
days.
(2) If a qualified entity voluntarily terminates participation in
the program, it must return to CMS, or destroy, any and all CMS data in
its possession within 30 days notifying CMS of its intent to end
participation.
(Catalog of Federal Domestic Assistance Program No. 93.773,
Medicare--Hospital Insurance; and Program No. 93.774, Medicare--
Supplementary Medical Insurance Program)
Dated: May 4, 2011.
Donald M. Berwick,
Administrator, Centers for Medicare & Medicaid Services.
Approved: June 1, 2011.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.
[FR Doc. 2011-14003 Filed 6-3-11; 11:15 am]
BILLING CODE 4120-01-P