Federal Register, Volume 76 Issue 181 (Monday, September 19, 2011)

[Federal Register Volume 76, Number 181 (Monday, September 19, 2011)]
[Notices]
[Pages 58007-58011]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-23959]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of a New System of Records

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice to establish a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, CMS is establishing a new system of records to support its shared 
savings programs, the first of which are the Medicare Shared Savings 
Program and Pioneer ACO Model (collectively referred to as the ACO 
program). The ACO program implements recent health care reform 
provisions of the Patient Protection and Affordable Care Act (PPACA), 
amending the Social Security Act (the Act). The system of records will 
contain personally identifiable information (PII) about certain 
individuals who participate in, or whose PII is used to determine 
eligibility of an Accountable Care Organization (ACO) to participate 
in, a shared savings program; i.e., Medicare fee-for-service (FFS) 
beneficiaries, sole proprietor health care ACO participants and ACO 
suppliers/providers, key leaders and managers of accountable care 
organizations (ACOs), and contact persons for ACOs. The program and the 
system of records are more thoroughly described in the Supplementary 
Information section and System of Records Notice (SORN), below.

[[Page 58008]]


DATES: CMS filed a new system report with the Chair of the House 
Committee on Government Reform and Oversight, the Chair of the Senate 
Committee on Homeland Security & Governmental Affairs, and the 
Administrator, Office of Information and Regulatory Affairs, Office of 
Management and Budget (OMB) on September 14, 2011. To ensure that all 
parties have adequate time in which to comment, the new system, 
including routine uses, will become effective October 19, 2011. If CMS 
receives comments that require alterations to this notice, we will 
publish a revised notice in the Federal Register.

ADDRESSES: The public should send comments to: CMS Privacy Officer, 
Division of Information Security & Privacy Management, Enterprise 
Architecture and Strategy Group, Office of Information Services, CMS, 
Room N1-24-08, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. 
Comments received will be available for review at this location, by 
appointment, during regular business hours, Monday through Friday from 
9 a.m.-3 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: For Medicare Shared Savings Program: 
Rebecca Weiss, Program Analyst, Performance-Based Payment Policy Staff, 
Center for Medicare, Centers for Medicare & Medicaid Services, 7500 
Security Boulevard, Mail-stop: C5-15-12, Baltimore, MD 21244-1850. 
Office: 410-786-8084, Facsimile: (410) 786-8005, E-mail address: 
[email protected].
    For Pioneer Aco Model: Alli Chandra, Health Insurance Specialist, 
Center for Medicare and Medicaid Innovation, Centers for Medicare & 
Medicaid Services, 7500 Security Boulevard, Mailstop: S3-13-05, 
Baltimore, MD 21244-1850. Office Ph: 410-786-1132, Facsimile: (410) 
786-0487, E-mail address: [email protected].

SUPPLEMENTARY INFORMATION: This System of Records Notice (SORN) 
addresses a new system which HHS is establishing to support CMS shared 
savings programs created as a result of the Patient Protection and 
Affordable Care Act (Pub. L. 111-148), the first of which are the 
Medicare Shared Savings Program and Pioneer ACO Model (ACO program) 
described in more detail below.

I. Medicare Shared Savings Program

    The recently passed health care reform bill, the Affordable Care 
Act (PPACA) (Pub. L. 111-148), contains provisions that seek to reward 
quality care and takes steps toward paying for high quality and 
efficient care. One of these provisions, Section 3022, amended Title 
XVIII of the Social Security Act (the Act) (42 U.S.C. 1395 et seq.) by 
adding new section 1899 to the Act to establish a shared savings 
program (SSP) that promotes accountability for a patient population, 
coordinates items and services under Parts A and B, and encourages 
investment in infrastructure and redesigned care processes for high 
quality and efficient service delivery. Specifically:
     Section 1899(a)(1) of the Act requires the Secretary to 
establish the shared savings program no later than January 1, 2012. 
Section 1899(a)(1) (A) of the Act further provides that, ``groups of 
providers of services and suppliers meeting criteria specified by the 
Secretary may work together to manage and coordinate care for Medicare 
fee-for-service (FFS) beneficiaries through an accountable care 
organization (ACO).''
     Section 1899(a)(1)(B) of the Act provides that ACOs that 
meet quality performance standards established by the Secretary are 
eligible to receive payments for ``shared savings.''
    The Shared Savings Program is a voluntary program. The statute 
provides that, to participate in the program, an ACO must ``provide the 
Secretary with such information regarding the ACO professionals 
participating in the ACO as the Secretary determines necessary to 
support the assignment of Medicare fee-for-service beneficiaries to an 
ACO, the implementation of quality and other reporting requirements * * 
* and the determination of payments for shared savings.'' The statute 
requires an ACO to meet certain eligibility criteria including, but not 
limited to, having ``a formal legal structure that would allow the 
organization to receive and distribute payments for shared savings,'' 
having ``in place a leadership and management structure that includes 
clinical and administrative systems,'' and demonstrating ``to the 
Secretary that it meets patient-centeredness criteria specific by the 
Secretary.'' In addition, the ACO must agree to participate for not 
less than 3 years, have a formal legal structure including primary care 
providers sufficient for the care of not less than 5000 beneficiaries, 
and meet others requirements.
    The statute defines an ACO as organization of health care providers 
that agrees to become accountable for the quality, cost, and overall 
care of Medicare beneficiaries who are enrolled in the traditional fee-
for-service program who are assigned to it. The statute states that 
there are many types of organizational arrangements for eligibility to 
become an ACO, as determined appropriate by the Secretary.
    To qualify for shared savings payments, the ACO must meet specific 
cost and quality benchmarks. Quality performance standards will be 
determined by the Secretary and may include measures of clinical 
processes and outcomes, patient and/or caregiver experience, and 
utilization measures. An ACO will be eligible to receive a share (a 
percentage, and any limits, to be determined by the Secretary) of any 
savings if the actual per capita expenditures of its assigned Medicare 
beneficiaries are a sufficient percentage below its specified benchmark 
amount. The benchmark for each ACO will be based on the most recent 
available three years of per-beneficiary expenditures for Parts A and B 
services for Medicare FFS beneficiaries assigned to the ACO. The 
benchmark for each ACO will be adjusted for beneficiary characteristics 
and other factors as determined by the Secretary, and updated by the 
projected absolute amount of growth in national per capita expenditures 
for Parts A and B.

II. Pioneer ACO Model

    Another provision of the Affordable Care Act (PPACA), Section 3021, 
amended Title XVIII of the Social Security Act (the Act) (42 U.S.C. 
1395 et seq.) by adding new section 1899 to the Act to establish the 
Center for Medicare and Medicaid Innovation (Innovation Center). The 
Innovation Center is tasked with development of the Pioneer ACO Model. 
Under the Pioneer ACO Model, the Innovation Center will engage up to 30 
highly experienced provider organizations in testing alternative 
payment models that include escalating financial accountability and 
substantial quality/patient experience standards (``outcomes based 
arrangements''). CMS intends to pursue payment models that (1) include 
escalating levels of financial accountability through successive 
performance periods during the Participation Agreement; (2) provide a 
transition to Population-Based Payment by the third performance period, 
and (3) are projected by CMS to generate Medicare savings by the end of 
the second performance period.

III. The Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the 
United States Government collects, maintains, and uses personally 
identifiable information (PII) in a system of records. A ``system of 
records'' is a group of any records under the control of a Federal

[[Page 58009]]

agency from which information about individuals is retrieved by name or 
other personal identifier. The Privacy Act requires each agency to 
publish in the Federal Register a system of records notice (SORN) 
identifying and describing each system of records the agency maintains, 
including the purposes for which the agency uses PII in the system, the 
routine uses for which the agency discloses such information outside 
the agency, and how individual record subjects can exercise their 
rights under the Privacy Act (e.g., to determine if the system contains 
information about them).
    The Privacy Act permits an agency to disclose information about an 
individual (PII) without that individual's consent if the information 
is to be used for a purpose that is compatible with the purpose(s) for 
which the information was collected. Any such disclosure of PII is 
known as a ``routine use.'' HHS/CMS will only release PII from this 
system as provided in the ``Routine Uses'' section below. Both 
identifiable and non-identifiable data may be disclosed under a routine 
use. HHS/CMS will only disclose the minimum PII necessary to achieve 
the purpose of the routine use, after determining that:
     The use or disclosure is consistent with the reason that 
the PII was collected;
     The purpose for which the disclosure is to be made can 
only be accomplished if the record is provided in individually 
identifiable form;
     The purpose for which the disclosure is to be made is of 
sufficient importance to warrant the effect on and/or risk to the 
privacy of the individual that additional exposure of the record might 
bring;
     There is a strong probability that the proposed use of the 
data would in fact accomplish the stated purpose(s); and
     The data are valid and reliable.
    Additionally, HHS/CMS will require the information recipient to:
     Establish administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
     Remove or destroy at the earliest time all individually-
identifiable information; and
     Agree to not use or disclose the information for any 
purpose other than the stated purpose under which the information was 
disclosed.
SYSTEM NUMBER:
09-70-0598

SYSTEM NAME:
    ACO Database System HHS/CMS/CM and HHS/CMS/CMMI.

SECURITY CLASSIFICATION:
    Sensitive, unclassified.

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850 and at various accountable care 
organization (ACO) locations and contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system will contain personally identifiable information (PII) 
about the following categories of individuals who participate in, or 
whose PII is used to determine eligibility of an ACO to participate in, 
a Health and Human Services (HHS) Centers for Medicare & Medicaid 
Services (CMS) Medicare shared savings program:
     Medicare fee-for-service (FFS) beneficiaries who receive 
health care services coordinated and managed by a group of health care 
providers and suppliers organized to receive shared savings incentive 
payments, as an accountable care organization (ACO).
     Any providers or suppliers participating in an ACO who are 
sole proprietorships, for whom certain business-identifying information 
may therefore constitute personally identifiable information.
     Key leaders and managers of an ACO who provide certain 
personally identifiable information that is used to determine the ACO's 
eligibility to participate in the program.
     Any contact persons for an ACO who provide contact 
information for use in contacting them for information about the ACO.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system may include, but will not necessarily be limited to, 
the following categories of records, containing PII (or possible PII) 
data elements such as the following:
     Medicare fee-for-service (FFS) beneficiary claims records, 
containing the beneficiary's name, gender, Health Insurance Claim 
Number (HICN) (which could be the beneficiary's Social Security 
Number), address, date of birth and description of provided services.
     ACO eligibility and contact records, containing the ACO 
name and address (which could be the home address of a key leader or 
manager of the ACO); ACO participant or ACO provider/supplier names and 
addresses (which could include home addresses for any sole proprietor 
providers/suppliers in the ACO); ACO participant Tax Identification 
Number (TIN) (which could be a Social Security Number for a sole 
proprietor ACO participant or ACO provider/supplier in the ACO); 
National Provider Identifier (NPI) (which is considered PII for an 
individual provider/supplier); and (for individuals serving as key 
leaders or managers of an ACO) the individual's name and address (which 
could be a home address).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The Patient Protection and Affordable Care Act (Pub. L. 111-148), 
which amended Title XVIII of the Social Security Act (the Act) (42 
U.S.C. 1395 et seq.) to add new section 1899 to the Act to establish a 
Medicare Shared Savings Program (MSSP); and Section 3021 of the Patient 
Protection and Affordable Care Act, which amended Title XI of the 
Social Security Act (the Act) (42 U.S.C. 1301 et seq.) to add new 
section 1115A to the Act to establish the Center for Medicare and 
Medicaid Innovation.

PURPOSE(S) OF THE SYSTEM:
    The system will enable the HHS Centers for Medicare & Medicaid 
Services (CMS) to administer the ACO program. Relevant HHS personnel, 
and any CMS contractors, grantees and consultants assisting them, will 
use personally identifiable information (PII) from this system on a 
``need to know'' basis for these purposes:
     Beneficiary claims information and ACO eligibility and 
contact information will be used to support the regulatory, 
reimbursement and policy functions of shared savings programs and to 
combat fraud, waste and abuse in certain health benefits programs.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
    Any of the PII from this system may be disclosed outside HHS for 
these routine uses:
    1. To obtain assistance from other Federal agencies that help HHS, 
pursuant to agreements with CMS, to determine the eligibility of ACO 
applicants to participate in the program. For example, a TIN (which may 
be a Social Security Number) may be shared with the U.S. Federal Trade 
Commission (FTC) and the U.S. Department of Justice (DOJ) for purposes 
of obtaining their assessment of the ACO applicant's market share 
status.
    2. To provide ACOs with information they need to meet requirements 
and

[[Page 58010]]

implement quality and other reporting requirements of the program.
    3. To provide information to the U.S. Department of Justice (DOJ), 
a court, or an adjudicatory body when (a) the Agency or any component 
thereof, or (b) any employee of the Agency in his or her official 
capacity, or (c) any employee of the Agency in his or her individual 
capacity where the DOJ has agreed to represent the employee, or (d) the 
United State Government, is a party to litigation or has an interest in 
such litigation, and by careful review, CMS determines that the records 
are both relevant and necessary to the litigation and that the use of 
such records by the DOJ, court, or adjudicatory body is compatible with 
the purpose for which the agency collected the records.
    4. To assist another Federal agency or an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs.
    5. To assist appropriate Federal agencies and HHS contractors that 
have a need to know the information for the purpose of assisting HHS's 
efforts to respond to a suspected or confirmed breach of the security 
or confidentiality of information maintained in this system of records, 
provided that the information disclosed is relevant and necessary for 
that assistance.

Additional Circumstances Affecting Disclosure of PII About 
Beneficiaries:
    To the extent that the beneficiary claims records in this system 
contain Protected Health Information (PHI) as defined by HHS regulation 
``Standards for Privacy of Individually Identifiable Health 
Information'' (45 CFR parts 160 and 164, subparts A and E), disclosures 
of such PHI that are otherwise authorized by these routine uses may 
only be made if, and as, permitted or required by the ``Standards for 
Privacy of Individually Identifiable Health Information'' (see 45 CFR 
164-512 (a) (1)). In addition, HHS policy will be to prohibit release 
even of data not directly identifiable with a particular beneficiary, 
except pursuant to one of the routine uses or if required by law, if 
HHS determines there is a possibility that a particular beneficiary can 
be identified through implicit deduction based on small cell sizes 
(instances where the patient population is so small that individuals 
could, because of the small size, use this information to deduce the 
identity of a particular beneficiary).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM--
STORAGE:
    Electronic records will be stored on both tape cartridges (magnetic 
storage media) and in a in a DB2 and/or Oracle relational database 
management environment (DASD data storage media). Any hard copies of 
ACO program-related records containing PII at HHS/CMS, ACO and 
contractor locations will be kept in hard-copy file folders locked in 
secure file cabinets during non-duty hours.

RETRIEVABILITY:
    Information may be retrieved by any of these personal identifiers: 
ACO participant TIN (which could be a sole proprietor provider/
supplier's Social Security Number), National Provider Identifier (NPI), 
or beneficiary Health Insurance Claim Number (HICN)) (which may be the 
beneficiary's Social Security Number).

SAFEGUARDS:
    Personnel having access to the system have been trained in the 
Privacy Act and information security requirements. Employees who 
maintain records in this system are instructed not to release data 
until the intended recipient agrees to implement appropriate 
management, operational and technical safeguards sufficient to protect 
the confidentiality, integrity and availability of the information and 
information systems and to prevent unauthorized access.
    Access to records in the ACO Database System will be limited to CMS 
personnel, and any contractors, grantees and consultants assisting 
them, through password security, encryption, firewalls, and secured 
operating system.
    Future system enhancements may allow for ACOs, ACO participants or 
ACO provider/suppliers, and beneficiaries to be external users of the 
system, for purposes of viewing and inputting their records in this 
system. Access controls will ensure that each external user is 
restricted to viewing only the user's own records, not records 
pertaining to other users.
    Any electronic or hard copies of ACO program-related records 
containing PII at HHS/CMS, an ACO, and any contractor, grantee or 
consultant locations will be kept in secure electronic files or in 
hard-copy file folders locked in secure file cabinets during non-duty 
hours.

RETENTION AND DISPOSAL:
    Records containing PII will be maintained for a period of up to 10 
years after entry in the database. Any records that are needed longer, 
such as to resolve claims and audit exceptions or to prosecute fraud, 
will be retained until such matters are resolved. Beneficiary claims 
records are currently subject to a document preservation order and will 
be preserved indefinitely pending further notice from the U.S. 
Department of Justice.

SYSTEM MANAGER AND ADDRESS:
    Director, Performance-Based Payment Policy Staff, Center for 
Medicare, Centers for Medicare & Medicaid Services, 7500 Security 
Boulevard, Mailstop: C5-15-12, Baltimore, MD 21244-1850; and
    Director, Pioneer ACO Model, Center for Medicare and Medicaid 
Innovation, Centers for Medicare and Medicaid Services, Mailstop: S3-
13-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.

NOTIFICATION PROCEDURE:
    Individuals wishing to know if this system contains records about 
them should write to one of the system managers and include the 
pertinent personal identifier used for retrieval of their records 
(i.e., TIN, NPI or beneficiary Health Insurance Claim Number).

RECORD ACCESS PROCEDURE:
    Individuals seeking access to records about them in this system 
should follow the same instructions indicated under ``Notification 
Procedure'' and reasonably specify the record contents being sought. 
(These procedures are in accordance with Department regulation 45 CFR 
5b.5 (a)(2).)

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest the content of information about 
them in this system should follow the same instructions indicated under 
``Notification Procedure.'' The request should reasonably identify the 
record and specify the information being contested, state the 
corrective action sought, and provide the reasons for the correction, 
with supporting justification. (These procedures are in accordance with 
Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    Personally identifiable information in this database is obtained 
from the

[[Page 58011]]

Medicare Beneficiary Database (MBD) (09-70-0536), from the National 
Claims History File (NCH) (09-70-0558), and from ACOs that provide the 
information as required to perform the statutory functions of 
beneficiary assignment, implementation of quality and other reporting 
requirements, and determination of shared savings.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:
    None.

    Dated: September 14, 2011.
Michelle Snyder,
Deputy Chief Operating Officer, Centers for Medicare & Medicaid 
Services.
[FR Doc. 2011-23959 Filed 9-15-11; 11:15 am]
BILLING CODE 4120-03-P