[Federal Register Volume 79, Number 211 (Friday, October 31, 2014)]
[Notices]
[Pages 64802-64805]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-25937]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
Privacy Act of 1974; Report of Modified System of Records
AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of
Health and Human Services (HHS).
ACTION: Notice of a Modified System of Records (SOR).
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, we are proposing to modify an existing SOR titled, ``Chronic
Condition Data Repository (CCDR), System No. 09-70-0573'' last
published at 71 FR 54495, September 15, 2006. The current name of the
SOR, Chronic Condition Data Repository, was developed during the
planning and development stages of the system. Upon the implementation
and throughout the operations and maintenance stages of the system, the
system has been referred to as the Chronic Condition Warehouse (CCW) in
common usage and written references. In keeping with this current
usage, we will modify the name of this SOR to read, and from this point
forward will refer to the system as: ``Chronic Condition Warehouse
(CCW).''
We propose to broaden the scope of the system to include data that
can be easily linked, at the individual patient level, to all Medicare
and Medicaid claims, enrollment and/or eligibility data, nursing home
and home health assessments, and CMS beneficiary survey data.
Accordingly, we are updating the Authority Section to include Title
XVIII of the Social Security Act as amended (the Act); Section
1902(a)(6) of the Act; Section
[[Page 64803]]
1142(c)(6) of the Act; and Title IV of the Balanced Budget Act (Pub. L.
105-33). The Record Source Categories section will be modified to
include data from two new systems of records: the CMS Encounter Data
System, System No. 09-70-0506, and the National Death Index, System No.
09-20-0166. These modifications will make the CCW a more useful tool by
which to support research, policy analysis, quality improvement
activities, and demonstrations that attempt to foster a better
understanding of how to improve the quality of life and contain the
health care costs of the chronically ill.
We propose to modify existing Routine Use Number 1, to limit
disclosures only to contractors of CMS. We also propose to add two new
routine uses. Specifically, we propose adding a routine use to permit
disclosures to healthcare providers who seek patient information for
use in care coordination and quality improvement activities as
described at 45 CFR 164.506(c)(4). This routine use will be added as
Routine Use Number 4. We also propose adding a routine use to support
public or private Qualified Entities (QEs) that use Medicare claims
data to evaluate the performance of providers of services and suppliers
on measures of quality, efficiency, effectiveness, and resource use.
This routine use will be added as routine use number 6.
Finally, we are modifying the language in Routine Use Number 3 to
include grantees of CMS administered grant programs and have made minor
grammatical changes to Routine Use Number 10. These modifications will
provide a better explanation as to the need for the routine use, and to
clearly state CMS's intention when making disclosures of individually
identifiable information contained in this system.
We have provided background information about the modified system
in the Supplementary Information section below. Although the Privacy
Act requires only that the ``Routine Use'' section of the system of
records notice be published for comment, CMS invites comments on all
portions of this notice. See the Effective Dates section for
information on the comment period.
DATES: Effective Dates: CMS filed a modified SOR report with the Chair
of the House Committee on Government Reform and Oversight, the Chair of
the Senate Committee on Homeland Security and Government Affairs, and
the Administrator, Office of Information and Regulatory Affairs, Office
of Management and Budget (OMB) on September 16, 2014. To ensure that
all parties have adequate time in which to comment, the modified notice
will become effective 30 days from the publication of the notice, or 40
days from the date it was submitted to OMB and the Congress, whichever
is later. We may defer implementation of this modified system or one or
more of the new routine uses listed below if we receive comments that
persuade us to defer implementation.
ADDRESSES: The public should address comments to: CMS Privacy Officer,
Privacy Policy Compliance Group, Office of E-Health Standards &
Services, Office of Enterprise Management, CMS, 7500 Security
Boulevard, Baltimore, MD 21244-1870, Mailstop: S2-24-25, Office: (410)
786-5357, E-Mail: [email protected]. Comments received will be
available for review at this location, by appointment, during regular
business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern
Time zone.
FOR FURTHER INFORMATION CONTACT: Michelle Seal, Health Insurance
Specialist, Division of Research Data Development (DRDD), Data
Development and Services Group, Office of Information Products and Data
Analytics (OIPDA), OEM, CMS, Mail Stop B2-29-04, 7500 Security
Boulevard, Baltimore, MD 21244-1850. Office Phone: 410-786-3679, Email
address: [email protected].
SUPPLEMENTARY INFORMATION: The CCW will house data that will be easily
linked, at the individual patient level, for all Medicare and Medicaid
claims, enrollment and/or eligibility data, nursing home and home
health assessments, and CMS beneficiary survey data. This data
repository will transform and summarize this administrative health and
health insurance information into data which will support research,
policy analysis, quality improvement activities, demonstrations, and
studies. These are aimed at improving the quality of care and reducing
the cost of care for chronically ill Medicare beneficiaries and
Medicaid recipients.
The repository is designed to encourage research and innovation
that will reduce program spending, inform policy analyses, make current
Medicare and Medicaid program data more readily available to
researchers to study chronic illness in the Medicare and Medicaid
populations, and improve process time for research data requests by
refocusing on analytic, as opposed to operational considerations. The
repository will also use utilize data analytic tools to organize and
transform diagnostic information on a beneficiary's Medicare or
Medicaid claims into information about their chronic medical
conditions.
The Virtual Research Data Center (VRDC), an analytic tool, provides
a secure mechanism for accessing and analyzing data within the
environment instead of sending physical data files to researchers for
analysis at their site. The workbench analytic tool provides users with
the ability to create a custom sample of individuals and view
associated claims within the VRDC environment. Analysis of data using
these tools increases the privacy and security of the data.
The Privacy Act
The Privacy Act governs the collection, maintenance, use, and
dissemination of certain information about individuals by agencies of
the Federal Government.
A ``SOR'' is a group of any records under the control of a Federal
agency from which information about individuals is retrieved by name or
other personal identifier. The Privacy Act requires each agency to
publish in the Federal Register a description of the type and character
of each system of records that the agency maintains, and the routine
uses that are contained in each system to make agency recordkeeping
practices transparent, to notify individuals regarding the uses to
which their records are put, and to assist individuals to more easily
find such files within the agency.
SYSTEM NUMBER: 09-70-0573
SYSTEM NAME:
``Chronic Condition Warehouse'' (CCW) HHS/CMS/OEM.
SECURITY CLASSIFICATION:
Unclassified
SYSTEM LOCATION:
CMS Data Center, 7500 Security Boulevard, North Building, First
Floor, Baltimore, Maryland 21244-1850, and at various contractor sites.
CATEGORIES OF INDIVIDUALS IN THE SYSTEM:
CCW will collect and maintain individually identifiable and other
data collected on Medicare beneficiaries, Medicaid recipients, and
individually identifiable data on certain health care professionals.
CATEGORIES OF RECORDS IN THE SYSTEM:
The collected information will include, but is not limited to,
individually identifiable Medicare and Medicaid claims, enrollment, and
eligibility data, including names, addresses, health insurance claims
numbers, social security numbers, race/
[[Page 64804]]
ethnicity data, gender, date of birth, Medicare Part A, B and C
enrollment information, prescription drug coverage information,
surgical procedures, diagnoses, provider name(s), unique provider
identification numbers, National Provider Identification Numbers (NPI)
as well as clinical assessment and outcome measures, and demographic,
health/well-being, and background information relating to Medicare and
Medicaid issues.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
The CCW is authorized by Sections 723 of the Medicare Prescription
Drug Improvement and Modernization Act of 2003 (MMA) (Pub. L. 108-173),
which was enacted into law on December 8, 2003, and amended Title XVIII
of the Social Security Act (the Act); Section 1902(a)(6) of the Act;
Section 1142(c)(6) of the Act; and Title IV of the Balanced Budget Act
(Pub. L. 105-33).
PURPOSE(S) OF THE SYSTEM:
The purpose of this system is to support research, policy analysis,
quality improvement activities, and demonstrations that attempt to
foster a better understanding of how to improve the quality of life and
contain the health care costs of the chronically ill. This system will
utilize data analytic tools to support accessing data by chronic
conditions and process complex customized data requests related to
chronic illnesses.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OR USERS AND THE PURPOSES OF SUCH USES:
A. Entities Who May Receive Disclosures under Routine Use
The Privacy Act allows CMS to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such compatible use of data is known as a ``routine
use''. The proposed routine uses in this system meet the compatibility
requirement of the Privacy Act. We are proposing to establish the
following routine use disclosures of information maintained in the
system:
1. To CMS contractors who have been engaged by the agency to assist
in the performance of a service related to this collection and who need
to have access to the records in order to perform the activity.
2. To another Federal or state agency to:
a. Contribute to the accuracy of CMS's proper payment of Medicare
benefits;
b. Enable such agency to administer a Federal health benefits
program, or, as necessary, to enable such agency to fulfill a
requirement of a Federal statute or regulation that implements a health
benefits program funded in whole or in part with Federal funds; and/or
c. Assist Federal and/or state officials carrying out the Medicaid
program.
3. To an individual or organization including grantees of a CMS
administered grant program that require individually identifiable
health information for use in research projects including any
evaluation project related to the prevention of disease or disability,
the restoration or maintenance of health, or payment reform related
projects that produces generalizable knowledge.
4. To a healthcare provider who seeks patient information for use
in care coordination and quality improvement activities as described at
45 CFR 164.506(c)(4);
5. To Quality Improvement Organizations (QIO) in connection with
review of claims, or in connection with studies or other review
activities conducted pursuant to Part B of Title XI of the Act, and in
performing affirmative outreach activities to individuals for the
purpose of establishing and maintaining their entitlement to Medicare
benefits or health insurance plans.
6. To a public or private Qualified Entity (QE) that uses Medicare
claims data to evaluate the performance of providers of services and
suppliers on measures of quality, efficiency, effectiveness, and
resource use; and who agrees to meet the requirements regarding the
transparency of their methods and their use and protection of Medicare
data.
7. To the Department of Justice (DOJ), court or adjudicatory body
when: a. The agency or any component thereof, or b. Any employee of the
agency in his or her official capacity, or c. Any employee of the
agency in his or her individual capacity where the DOJ has agreed to
represent the employee, or d. The United States Government, is a party
to litigation or has an interest in such litigation, and, by careful
review, CMS determines that the records are both relevant and necessary
to the litigation and that the use of such records by the DOJ, court or
adjudicatory body is compatible with the purpose for which the agency
collected the records.
8. To a CMS contractor (including, but not necessarily limited to,
Medicare Administrative Contractors (MACs)) that assists in the
administration of a CMS- administered health benefits program, when
disclosure is deemed reasonably necessary by CMS to prevent, deter,
discover, detect, investigate, examine, prosecute, sue with respect to,
defend against, correct, remedy, or otherwise combat fraud or abuse in
such program.
9. To another Federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any State or local governmental agency), that
administers, or that has the authority to investigate potential fraud
or abuse in, a health benefits program funded in whole or in part by
Federal funds, when disclosure is deemed reasonably necessary by CMS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud or abuse in such programs.
10. To Federal Departments, agencies and their contractors that
have a need to know the information for the purpose of assisting the
Department's efforts to respond to a suspected or confirmed breach of
the security or confidentiality of information maintained in this
system of records, where the information disclosed is relevant to and
necessary for that assistance.
11. To the U.S. Department of Homeland Security (DHS) cyber
security personnel, if captured in an intrusion detection system used
by HHS and DHS pursuant to the Einstein 2 program.
12. To public health authorities, and those entities acting under a
delegation of authority from a public health authority, when requesting
beneficiary-identifiable information to carry out statutorily-
authorized public health activities pertaining to emergency
preparedness and response.
B. ADDITIONAL CIRCUMSTANCES AFFECTING DISCLOSURE OF PII DATA:
To the extent that the individual claims records in this system
contain Protected Health Information (PHI) as defined by HHS regulation
``Standards for Privacy of Individually Identifiable Health
Information'' (45 CFR parts 160 and 164, Subparts A and E), disclosures
of such PHI that are otherwise authorized by these routine uses may
only be made if, and as, permitted or required by the ``Standards for
Privacy of Individually Identifiable Health Information'' (see 45 CFR
164-512 (a) (1)).
In addition, HHS policy will be to prohibit release even of data
not directly identifiable with a particular individual, except pursuant
to one of the routine uses or if required by law, if CMS determines
there is a possibility that a particular individual can be identified
through implicit deduction based on small cell sizes (instances where
the patient population is so small that individuals could, because of
the small
[[Page 64805]]
size, use this information to deduce the identity of a particular
individual).
RETENTION AND DISPOSAL:
CMS will retain information for a total period not to exceed 30
years. All claims-related records are encompassed by the document
preservation order and will be retained until notification is received
from DOJ.
RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE
SYSTEM:
STORAGE:
All records are stored on electronic media.
RETRIEVABILITY:
The collected data are retrieved by an individual identifier; e.g.,
beneficiary, recipient or provider name, HICN, or unique provider
identification number (NPI).
SAFEGUARDS:
CMS has safeguards in place for authorized users and monitors such
users to ensure against excessive or unauthorized use. Personnel having
access to the system have been trained in the Privacy Act and
information security requirements. Employees who maintain records in
this system are instructed not to release data until the intended
recipient agrees to implement appropriate management, operational and
technical safeguards sufficient to protect the confidentiality,
integrity and availability of the information and information systems
and to prevent unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal, HHS, and CMS policies and standards as they
relate to information security and data privacy. These laws and
regulations may apply but are not limited to: The Privacy Act of 1974;
and the Federal Information Department regulation 45 CFR 5b.7.
SYSTEM MANAGER AND ADDRESS:
Director, Data Development and Services Group, Office of
Information Products and Data Analytics (OIPDA), OEM, Mail Stop B2-29-
04, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1849.
NOTIFICATION PROCEDURE:
An individual record subject who wishes to know if this system
contains records about him or her should write to the system manager
who will require the system name, HICN, and for verification purposes,
the subject individual's name (woman's maiden name, if applicable), and
SSN (furnishing the SSN is voluntary, but it may make searching for a
record easier and prevent delay).
RECORD ACCESS PROCEDURE:
An individual seeking access to records about him or her in this
system should use the same procedures outlined in Notification
Procedures above. The requestor should also reasonably specify the
record contents being sought. (These procedures are in accordance with
Department regulation 45 CFR 5b.5(a)(2).)
CONTESTING RECORD PROCEDURES:
To contest a record, the subject individual should contact the
system manager named above, and reasonably identify the record and
specify the information to be contested. The individual should state
the corrective action sought and the reasons for the correction with
supporting justification. (These procedures are in accordance with
Department regulation 45 CFR 5b.7.)
RECORDS SOURCE CATEGORIES:
The data collected and maintained in this system are retrieved from
the following databases: Medicare Drug Data Processing System, System
No. 09-70-0553 (73 FR 30943 (May 29, 2008)); Medicare Beneficiary
Database, System No. 09-70-0536 (71 FR 70396 (December 4, 2006));
Medicare Advantage Prescription Drug System, System No. 09-70-0588 (76
FR 47190 (August 4, 2011)); Medicaid Statistical Information System,
System No. 09-70-0541 (71 FR 65527 (November 8, 2006)); Retiree Drug
Subsidy Program, System No. 09-70-0550 (70 FR 41035 (July 15, 2005));
Common Working File, System No. 09-70-0526 (71 FR 64955 (November 6,
2006)); National Claims History, System No. 09-70-0558 (71 FR 67137 11/
20/2006 (November 20, 2006)); Enrollment Database, System No. 09-70-
0502 (73 FR 10249 2/26/2008 (February 26, 2008)); Carrier Medicare
Claims Record, System No. 09-70-0501 (71 FR 64968 11/6/2006 (November
6, 2006)); Intermediary Medicare Claims Record, System No. 09-70-0503
(71 FR 648961 (November 6, 2006)); Unique Physician/Provider
Identification Number, System No. 09-70-0525 (71 FR 66535 (November 15,
2006)); Medicare Supplier Identification File, System No. 09-70-0530
(71 FR 70404 (December 4, 2006)), A Current Beneficiary Survey, System
No. 09-70-0519 (71 FR 60722 (October 16, 2006)); National Plan &
Provider Enumerator System, System No. 09-70-0555, (75 FR 30411 (June
1, 2010)); Long Term Care MDS, System No. 09-70-0528 (72 FR 12801
(March 19, 2007)); HHA Outcome and Assessment Information Set, System
No. 09-70-0522 (72 FR 63906 (November 13, 2007)); and Integrated Data
Repository, System No. 09-70-0571 (71 FR 74915 (December 13, 2006));
Provider Enrollment Chain and Ownership System, System No. 09-70-0532
(71 FR 60536 (October 13, 2006); Medicare and Medicaid Electronic
Health Record (EHR) Incentive Program National Level Repository, System
No. 09-70-0587 (75 FR 73095 (November 29, 2010)); Performance
Measurement and Reporting System, System No. 09-70-0584 (74 FR 17672
(April 16, 2009)); Encounter Data System, 09-70-0506 (79 FR 34539 (June
17, 2014)); and National Death Index, 09-20-0166 (49 FR 37692
(September 25, 1984)).
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
Celeste Dade-Vinson,
Health Insurance Specialist, Centers for Medicare & Medicaid Services.
[FR Doc. 2014-25937 Filed 10-30-14; 8:45 am]
BILLING CODE 4120-03-P