[Federal Register Volume 81, Number 130 (Thursday, July 7, 2016)]
[Rules and Regulations]
[Pages 44456-44482]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-15708]
[[Page 44455]]
Vol. 81
Thursday,
No. 130
July 7, 2016
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
Centers for Medicare & Medicaid Services
-----------------------------------------------------------------------
42 CFR Part 401
Medicare Program: Expanding Uses of Medicare Data by Qualified
Entities; Final Rule
��Federal Register / Vol. 81 , No. 130 / Thursday, July 7, 2016 / Rules
and Regulations��
[[Page 44456]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
42 CFR Part 401
[CMS-5061-F]
RIN 0938-AS66
Medicare Program: Expanding Uses of Medicare Data by Qualified
Entities
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule implements requirements under Section 105 of
the Medicare Access and CHIP Reauthorization Act of 2015 that expand
how qualified entities may use and disclose data under the qualified
entity program to the extent consistent with applicable program
requirements and other applicable laws, including information, privacy,
security and disclosure laws. This rule also explains how qualified
entities may create non-public analyses and provide or sell such
analyses to authorized users, as well as how qualified entities may
provide or sell combined data, or provide Medicare claims data alone at
no cost, to certain authorized users. In addition, this rule implements
certain privacy and security requirements, and imposes assessments on
qualified entities if the qualified entity or the authorized user
violates the terms of a data use agreement required by the qualified
entity program.
DATES: These regulations are effective on September 6, 2016.
FOR FURTHER INFORMATION CONTACT: Allison Oelschlaeger, (202) 690-8257.
Kari Gaare, (410) 786-8612.
SUPPLEMENTARY INFORMATION:
I. Background
On April 16, 2015, the Medicare Access and CHIP Reauthorization Act
of 2015 (MACRA) (Pub. L. 114-10) was enacted. The law included a
provision, Section 105, Expanding the Availability of Medicare Data,
which takes effect on July 1, 2016. This section expands how qualified
entities will be allowed to use and disclose data under the qualified
entity program, including data subject to section 1874(e) of the Social
Security Act (the Act), to the extent consistent with other applicable
laws, including information, privacy, security and disclosure laws.
The Qualified Entity program was established by Section 10332 of
the Patient Protection and Affordable Care Act (Affordable Care Act)
(Pub. L. 111-148). The implementing regulations, which became effective
January 6, 2012, are found in subpart G of 42 CFR part 401 (76 FR
76542). Under those provisions, CMS provides standardized extracts of
Medicare Part A and B claims data and Part D drug event data
(hereinafter collectively referred to as Medicare claims data) covering
one or more geographic regions to qualified entities at a fee equal to
the cost of producing the data. Under the original statutory
provisions, such Medicare claims data must be combined with other non-
Medicare claims data and may only be used to evaluate the performance
of providers and suppliers. The measures, methodologies and results
that comprise such evaluations are subject to review and correction by
the subject providers and suppliers, after which the results are to be
disseminated in public reports.
Those wishing to become qualified entities are required to apply to
the program. Currently, fourteen organizations have applied and
received approval to be a qualified entity. Of these organizations, two
have completed public reporting while the other twelve are in various
stages of preparing for public reporting. While we have been pleased
with the participation in the program so far, we expect that the
changes required by MACRA will increase interest in the program.
Under section 105 of MACRA, effective July 1, 2016, qualified
entities will be allowed to use the combined data and information
derived from the evaluations described in 1874(e)(4)(D) of the Act to
conduct non-public analyses and provide or sell these analyses to
authorized users for non-public use in accordance with the program
requirements and other applicable laws. In highlighting the need to
comply with other applicable laws, we particularly note that any
qualified entity that is a covered entity or business associate as
defined in the Health Insurance Portability and Accountability Act of
1996 (``HIPAA'') regulations at 45 CFR 160.103 will need to ensure
compliance with any applicable HIPAA requirements, including the
restriction on the sale of protected health information (PHI) without
authorization at 45 CFR 164.502(a)(5)(ii).
In addition, qualified entities will be permitted to provide or
sell the combined data, or provide the Medicare claims data alone at no
cost, again, in accordance with the program requirements and other
applicable laws, to providers, suppliers, hospital associations, and
medical societies. Qualified entities that elect to provide or sell
analyses and/or data under these new provisions will be subject to an
assessment if they or the authorized users to whom they disclose
patient-identifiable data in the form of analyses or raw data act in a
manner that violates the terms of a program-required Qualified Entity
Data Use Agreement (QE DUA). Furthermore, qualified entities that make
analyses or data available under these new provisions will be subject
to new annual reporting requirements to aid CMS in monitoring
compliance with the program requirements. These new annual reporting
requirements will only apply to qualified entities that choose to
provide or sell non-public analyses and/or provide or sell combined
data, or provide Medicare claims data alone at no cost.
We believe these changes to the qualified entity program will be
important in driving higher quality, lower cost care in Medicare and
the health system in general. We also believe that these changes will
increase interest in the qualified entity program, leading to more
transparency regarding provider and supplier performance and innovative
uses of data that will result in improvements to the healthcare
delivery system while still ensuring appropriate privacy and security
protections for beneficiary-identifiable data.
II. Provisions of the Proposed Regulations and Responses to Public
Comments
In the February 2, 2016 Federal Register (81 FR 5397), we published
the proposed rule entitled, ``Expanding Uses of Medicare Data by
Qualified Entities.'' We provided a 60-day public comment period.
In the proposed rule, to implement the new statutory provisions of
section 105 of MACRA, we proposed to amend and make conforming changes
to part 401, subpart G, ``Availability of Medicare Data for Performance
Measurement.'' We received approximately 50 comments on the proposed
rule from a wide variety of individuals and organizations. Many of the
comments were from providers or suppliers, or organizations
representing providers and suppliers. We also received a number of
comments from organizations engaged in performance measurement or data
aggregation, some of whom are already qualified entities and others who
may apply to be qualified entities in the future. Other comments came
from registries, state Medicaid agencies, issuers, and individuals.
Many of the comments were positive and praised CMS for the proposed
[[Page 44457]]
changes to the qualified entity program. Commenters also had a range of
suggestions for changes to program requirements around the provision or
sale of non-public analyses and data. We received a number of comments
on expanding the data available to qualified entities to include claims
data under Medicaid and the Children's Health Insurance Program (CHIP).
In addition, we received a number of comments on the disclosure of data
to qualified clinical data registries for quality improvement and
patient safety activities.
A more detailed summary of the public comments and our responses
can be found below in the appropriate sections of this final rule.
A. Non-Public Analyses
In accordance with Section 105(a)(1) of MACRA, we proposed to allow
for the qualified entity's use of the combined data or information
derived from the evaluations described in section 1874(e)(4)(D) of the
Act to create non-public analyses and provide for the provision or sale
of these analyses to authorized users in accordance with the program
requirements discussed later in this section, as well as other
applicable laws.
Comment: Commenters generally supported the proposal to allow
qualified entities to create non-public analyses and either provide or
sell these analyses. One commenter suggested that CMS expressly state
at Sec. 401.716(a) that qualified entities may provide or sell the
non-public analyses. Another commenter recommended that CMS clarify
that the non-public analyses are not subject to discovery or admittance
into evidence in any judicial or administrative proceeding.
Response: We thank commenters for their support of the provision or
sale of non-public analyses. Since the intent of this section is to
allow qualified entities to both provide and sell non-public analyses
in accordance with program requirements and other applicable laws, we
have made changes to the regulation text to expressly state as much.
The statute, at 1874(e)(4)(D) of the Act, explicitly states, ``data
released to a qualified entity under this subsection shall not be
subject to discovery or admission as evidence in judicial or
administrative proceedings without consent of the applicable provider
or supplier.'' We believe this statutory shield only applies to data
released to the qualified entity under 1874(e) and when that data is in
the possession of the qualified entity. Once the Medicare data is used
to create non-public analyses and those non-public analyses are shared
with authorized users, we do not believe the statutory shield applies.
1. Additional Analyses
In the proposed rule, we defined combined data as a set of CMS
claims data provided under subpart G combined with a subset of claims
data from at least one of the other claims data sources described in
Sec. 401.707(d). We did not propose to establish a minimum amount of
data that must be included in the combined data set from other sources.
Comment: We received numerous comments on the definition of
combined data. Many commenters recommended that CMS alter the
definition of combined data to allow qualified entities to combine the
Medicare data with clinical data for the creation of non-public
analyses. These commenters stated that clinical data can help
facilitate more appropriate analyses of provider resource use than just
claims data alone. One commenter suggested that the definition of
combined data also include consumer, socio-demographic, and other types
of patient and provider-level data. Other commenters suggested that CMS
clarify that combined data must, at a minimum, be comprised of CMS
claims data merged with claims data from other sources, but other data
may also be included in this combined data. One commenter agreed with
the proposed definition of combined data.
Response: Section 105(a)(1)(A) of MACRA requires that the non-
public analyses be based on the combined data described in
1874(e)(4)(B)(iii) as ``data made available under this subsection with
claims data from sources other than claims data under this title''.
Given these statutory limitations, we do not believe we can modify the
definition of combined data.
However, we do recognize the value of combining claims data with
clinical data for the development of non-public analyses and believe
the use of clinical data in non-public analyses can significantly
improve the value of these analyses to support quality and patient
improvement activities. Clinical data such as laboratory test results
or radiology and pathology reports, can add useful information about a
patient's chronic condition burden, health status, and other factors
that are not available in claims data. We can also see some value in
combining consumer, socio-demographic, and other types of patient and
provider level data with the Medicare data. As a result, we do want to
clarify, that combined data requires at a minimum that the CMS claims
data be combined with other sources of claims data, but that this does
not prevent the qualified entity from merging other data (for example,
clinical, consumer, or socio-demographic data) with the combined data
for the development of non-public analyses.
Comment: Several commenters suggested that CMS require qualified
entities to make public a list of the claims data it receives from CMS
and the data it intends to combine with the CMS claims data for non-
public analyses. One commenter suggested that this public release of
information also include the percent of the cohort for analysis that
each source is contributing.
Response: We are very committed to greater data transparency and
all qualified entities are required to publicly report on provider
performance as part of their participation in the program. However, we
do not see significant value in requiring qualified entities to
publicly report on the other sources of data used in non-public
analyses since the analyses themselves will not be released publicly.
Comment: Several commenters stated that they supported the proposal
not to establish a threshold for the minimum amount of data that must
be included in the combined data set from other sources.
Response: We thank commenters for their support.
Comment: A few commenters recommended that the requirement to use
combined data not preclude Medicare-only analyses. These commenters
stated that Medicare-only analyses such as segmenting provider and
supplier performance evaluations by payer type or conducting
longitudinal analysis of differences in cost and quality for certain
conditions by payer type would have significant value for many
authorized users.
Response: We recognize the value of Medicare-only analyses,
especially to help providers and suppliers understand how quality and
costs differ across their patient population. In addition, as the CMS
Innovation Center continues to develop and test new models of care,
qualified entities may play a role in conducting analyses to help
providers and suppliers better manage patient outcomes and costs under
a different payment model. As a result, we want to clarify that the
requirement to use combined data does not prevent qualified entities
from providing or selling analyses that allow the authorized user to
drill down by payer type to Medicare-only results. For example, a
qualified entity may provide or sell a provider a report that includes
the provider's overall score on certain
[[Page 44458]]
quality and resource use measures (using combined data) and then
presents scores for each of these measures by payer type (including a
Medicare fee-for-service category).
2. Limitations on the Qualified Entities With Respect to the Sale and
Provision of Non-Public Analyses
In accordance with section 105(a)(1) of MACRA, we proposed a number
of limitations on qualified entities with respect to the sale and
provision of non-public analyses.
First, we proposed to limit qualified entities to only providing or
selling non-public analyses to issuers after the issuer provides the
qualified entity with claims data that represents a majority of the
issuers' covered lives in the geographic region and during the time
frame of the non-public analyses requested by the issuer.
Comment: Many commenters supported the requirement of issuers to
submit data to the qualified entity in order to receive analyses, but
commenters had differing recommendations on the threshold of a majority
of the issuers' covered lives. A number of commenters stated that CMS
should not impose a threshold on the amount of data issuers must submit
to a qualified entity to receive analyses. These commenters stated that
the responsibility to ensure appropriate sample size for analyses
should rest with the qualified entity. However, another commenter
recommended that CMS require an issuer to provide the qualified entity
with data on all of its covered lives for the geographic region and
during the time frame of the non-public analyses requested. This
commenter stated that requiring 100 percent of an issuer's covered
lives would allow for more complete analyses. One commenter supported
the threshold of the majority of an issuers covered lives, but stated
that CMS should allow a health insurance issuer to request a non-public
analysis for a geographic region outside the issuer's area of coverage,
provided the issuer supplies claims data for a majority of the covered
lives for the time period requested in all regions where it provides
coverage. This commenter noted that analyses for other geographic
regions may be beneficial to smaller, regional health insurance issuers
interested in cost and utilization in a comparable region or looking to
expand their areas of coverage. Another commenter supported the
threshold, but recommended that CMS create an exceptions process for
cases where legitimate and important analyses, such as identifying
providers treating orphan diseases or analysis fundamental for a health
plan issuer to enter a new market, that could not meet the proposed
threshold. Finally, one commenter stated that CMS should allow
qualified entities discretion to provide or sell analyses to health
insurance issuers who have made a good faith commitment to providing
the qualified entity with claims data that represents a majority of the
health insurance issuer's covered lives by a certain future date.
Response: As we stated in the proposed rule, we considered not
applying a threshold on the amount of data being provided by the
issuer, but decided that specifying a threshold would encourage issuers
to submit data to the qualified entity to be included in the public
performance reports, increasing the reports' reliability. We believe
this rationale still applies, and we still believe that there are a
number of situations where requiring the issuer to provide 100 percent
of their data for a given time period and geographic region is not
feasible for the issuer. Based on comments, we revisited whether, on
balance, requiring issuers to submit data that represents a majority of
their covered lives in the geographic region and during the time frame
of the non-public analyses requested by the issuer is generally the
most appropriate threshold. In doing so, we recognized that in some
cases an issuer may wish to have analyses for a geographic region where
it does not provide coverage. However, we believe that in those
instances the issuer should not be able to receive analyses due to the
requirement at section 105(a)(1)(B)(ii) of MACRA, that a qualified
entity may only provide or sell analyses to issuers that have provided
the qualified entity with data. Therefore, we are modifying our
proposed requirement around the issuer's claims data submission
threshold to clarify that qualified entities may not provide or sell
analyses to issuers when the analyses include geographic areas where
the issuer does not offer coverage.
We would like to clarify, however, that the requirement that an
issuer provide the qualified entity with claims data for at least 50
percent of its covered lives for the time period and geographic region
covered by the analyses does not mean that all analyses provided or
sold to the issuer would need to be based on analyses that considered
at least 50 percent of the issuers' covered lives. So long as Medicare
data is combined with other claims data to create the analyses, certain
analyses, such as those on rare diseases, could be based only on a
subset of the Medicare claims data and other claims data collected by
the qualified entity. For example, an issuer could provide data for at
least 50 percent of their covered lives for the time period and
geographic region of the non-public analyses to a qualified entity. The
qualified entity could then use a subset of that data, such as patients
with a specific rare disease, combine it with Medicare data for
patients with that rare disease, and provide or sell analyses about
patients with the rare disease to the issuer. We would like to note,
however, that qualified entities will need to be careful when producing
analyses for issuers based on small populations and limited claims data
to ensure that the resulting analyses truly are patient de-identified.
We understand the desire to create an exceptions process to allow
issuers who do not contribute a majority of their covered lives in the
geographic region and during the timeframe of the non-public analyses
requested by the issuer to receive analyses. However, we believe that
imposing a standard threshold for issuer covered lives across all
qualified entities and issuers is the simplest and least
administratively burdensome method to ensure equal treatment of
qualified entities and issuers under this program.
We also understand the interest in allowing qualified entities to
provide or sell analyses to health insurance issuers who have made a
good faith commitment to provide the qualified entity with claims data
for the majority of their covered lives in the geographic region and
during the time frame of the non-public analyses requested by the
issuer. However, we believe that this type of policy could reduce the
incentives for issuers to share their data with the qualified entity.
Comment: Several commenters recommended that CMS provide additional
clarity around the requirements for issuers' claims data submissions to
the qualified entity. One commenter stated that qualified entities
should be allowed to meet the covered lives threshold regardless of
whether they have obtained the claims information directly from the
issuer or indirectly from a third party. Several commenters recommended
that CMS provide additional details on the term covered lives to
clarify how this would be assessed in certain circumstances, such as
when an issuer is a secondary payer or a member is not enrolled for a
full year.
Response: Qualified entities may only provide or sell analyses to
an issuer if it receives claims data from the issuer. Such data can be
provided directly by the issuer, or it can be submitted on the
[[Page 44459]]
issuer's behalf by an issuer's business associate. Regardless, the
qualified entity is responsible for ensuring that the issuer or the
issuer's business associate is truly providing the qualified entity
with claims data for a majority of the issuer's covered lives in the
geographic region and during the timeframe of the non-public analyses
requested by the issuer.
We recognize the desire to allow use of data from other sources to
meet the issuer's claims submission threshold. However, due to the
statutory limits on to whom the qualified entity may release patient
identifiable data, we do not believe it would be possible for an issuer
to ever verify whether the data the qualified entity holds is
representative of the majority of the issuer's covered lives in the
applicable geographic region during the applicable time frame unless
the issuer or its business associate was the source of such data.
Regarding the definition of covered lives, we recognize that there
is no commonly accepted definition of covered lives. We plan to rely on
the methods of calculating covered lives established in regulations
promulgated by the Internal Revenue Service (IRS) in December of 2012.
These regulations at 26 CFR 46.4375-1(c)(2) offer issuers four methods
for calculating the average number of lives covered under a specified
health insurance policy--(1) the actual count method, (2) the snapshot
method, (3) the member months method, and (4) the state form method--
and provide both the calculation method and an example for each of the
four methods for counting covered lives. These calculations all only
apply to health insurance policies and we would like to clarify that
the calculation of covered lives for purposes of the qualified entity
program does not include dental, disability, or life insurance
policies. We have modified the regulatory text at Sec. 401.716(b)(1)
to refer directly to the IRS regulations.
Second, we proposed that except when patient-identifiable non-
public analyses are shared with the patient's provider or supplier, all
non-public analyses must be patient de-identified using the de-
identification standards in the HIPAA Privacy Rule at 45 CFR
164.514(b). Additional information on the HIPAA de-identification
standards can be found on the HHS Office for Civil Rights Web site at
http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html. We also proposed a definition for patient.
Comment: Many commenters stated that they agreed with CMS' proposal
that analyses must be de-identified unless the recipient is the
patient's provider or supplier. One commenter suggested that CMS allow
other authorized users to receive patient-identifiable analyses,
stating that patient-identifiable data will be equally valuable to the
additional proposed authorized users, and that patients can also
directly benefit from the sharing of patient-identifiable data beyond
suppliers and providers.
Response: We thank commenters for their support. While we can see
some advantages to sharing patient-identifiable analyses with other
types of authorized users, the statutory language at Section
105(a)(3)(B) of MACRA states that analyses may not contain any
information that individually identifies a patient unless the analyses
are provided or sold to the patient's provider or supplier. Given the
statutory requirements, we are finalizing our proposal that patient-
identifiable analyses should only be shared with the patient's provider
or supplier.
Comment: Many commenters stated that they agreed with the proposal
to use the de-identification standards in the HIPAA Privacy Rule.
However, one commenter suggested that CMS modify the HIPAA de-
identification standards to allow inclusion of full patient five-digit
zip code without population thresholds and inclusion of the month
element for all dates directly related to a patient, including date of
death but excepting date of birth. This commenter stated that this
additional information would empower providers and suppliers to fully
evaluate their care and quality improvement efforts on a timely and
ongoing basis with insight into geographic and temporal factors and
patterns.
Response: The framework for de-identification that is described in
the HIPAA Privacy Rule represents an industry standard for de-
identification of health information. Additional information on the
HIPAA de-identification standards can be found on the HHS Office for
Civil Rights Web site at http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html. We believe that
modifying this framework for the purposes of the qualified entity
program would be likely to create confusion among qualified entities
and authorized users, many of whom are or will be HIPAA covered
entities or their business associates.
Comment: One commenter noted a technical issue at Sec.
401.716(b)(3) where the text inappropriately referenced Sec.
401.716(c)(2). One commenter suggested CMS clarify whether the data
used in the analysis needs to be de-identified at the time of the
analysis or whether the analysis itself has to be de-identified at the
time it is shared with an authorized user.
Response: We thank the commenter for noting this technical issue
and have fixed the reference to Sec. 401.716(b)(2). We would also like
to clarify that the data used by the qualified entity to conduct the
analyses does not need to be de-identified, but the analyses must be
patient de-identified before they are shared with or sold to an
authorized user unless the recipient is the patient's provider or
supplier.
Comment: We received a number of comments on the definition of a
patient. Many commenters stated that the time period of 12 months for a
face-to-face or telehealth appointment was not sufficient. One
commenter recommended extending the period to 18 months, while several
other commenters suggested a timeframe of 24 months. These commenters
noted that stabilized patients do not necessarily visit their physician
every year. Another commenter suggested that a patient be defined as an
individual who has visited the provider or supplier at least once
during the timeframe for which the analysis is being conducted.
Response: We acknowledge that healthy patients may not visit a
provider or supplier every year. As a result, we are changing the
definition of a patient to have a timeframe of the past 24 months for a
face-to-face or telehealth appointment.
Comment: One commenter recommended that the definition of a patient
be expanded beyond an affiliation with a provider or supplier to an
affiliation with an issuer, employer, or state agency or any other
authorized user.
Response: As noted above, we believe Section 105(a)(3)(B) of MACRA
only permits patient-identifiable information to be shared by a
qualified entity with the patient's provider or supplier.
Third, we proposed to bar qualified entities' disclosure of non-
public analyses that individually identify a provider or supplier
unless: (a) The analysis only individually identifies the singular
recipient of the analysis or (b) each provider or supplier who is
individually identified in a non-public analysis that identifies
multiple providers/suppliers has been afforded an opportunity to review
the aspects of the analysis about them, and, if applicable, request
error correction. We describe the proposed appeal and error correction
process in more detail in section II.A.4 below.
Comment: Several commenters recommended that providers and
[[Page 44460]]
suppliers should not have the opportunity to review and request error
correction for analyses that individually identify the provider or
supplier. These commenters noted in particular that analyses
identifying fraud or abuse should not be reviewed by the provider in
advance of being shared with the authorized user. One commenter
suggested that a review and error corrections process for non-public
reports only be triggered when a provider or supplier is individually
identified and his or her performance is evaluated in the manner
described in section 1874(e)(4)(C). Another commenter recommended that
when a group of providers are identified as part of a practice group
(that is, part of the same Tax Identification Number), and prior
consent by the providers has been obtained, the practice group should
be considered the entity that can receive analyses for the individual
providers in the practice.
Response: We believe that Section 105(a)(6) of MACRA requires that
qualified entities allow providers and suppliers an opportunity to
review analyses that individually identify the provider or supplier
and, if necessary, and, when needed, request error correction in the
analyses. In addition, regardless of the statutory requirements, we
believe that providers and suppliers should not be evaluated by a
qualified entity without having a chance to review and, when needed,
request error correction in the analyses. For example, it would not be
fair for an issuer to move a provider to a different network tier based
on analyses that did not correctly attribute patients to that provider.
We recognize that the review and corrections process may lead to some
limitations in the development of certain types of analyses, such as
those identifying fraud and abuse. However, we believe that creating
different standards for different types of analyses would be too
administratively complex to implement, and could create tensions
between providers and suppliers and qualified entities over whether an
analysis warranted review by the provider or supplier before it was
shared with an authorized user.
However, we recognize that in many cases providers or suppliers may
wish to allow certain authorized users to receive analyses without the
need for a review process. For example, clinicians that are part of a
group practice may want to allow their practice manager, who may be
functioning as the clinician's business associate, to receive analyses
without first going through a provider/supplier review or being subject
to a request for correction. We believe that the decision about who
should be able to receive analyses that individually identify a
provider or supplier without such review and opportunity to correct
should rest with the individual provider or supplier. As a result, we
are adding a third exception to the bar on disclosure of non-public
analyses that individually identify a provider or supplier to allow
providers or suppliers to designate, in writing, the authorized user(s)
that may receive analyses from the qualified entity without first
giving the provider or supplier individually identified in the
analysis/es the opportunity to review the analyses, and, if applicable,
request error correction.
Comment: One commenter recommended that CMS add clarity to what it
means to ``individually identify'' a provider or supplier and stated
that the definition should indicate that to individually identify means
to use direct identifiers such as name or provider number for a
provider or supplier that is an individual person. This commenter
suggested that naming a physician group or clinic that is not itself a
provider or supplier (but that may be comprised of individual providers
or suppliers) would not count as individually identifying a provider or
supplier. Another commenter suggested that the review and corrections
process only apply to the entity that the analyses focus on. For
example, if the qualified entity is conducting analyses of episodes of
care for patients with joint replacement at a given hospital, the
analyses may include findings on many different providers and
suppliers, such as surgeons, skilled nursing facilities, home health
agencies, and others. In this case, the commenter recommended that only
the hospital be given the opportunity to review and request correction
of errors.
Response: Regardless of whether they are an individual clinician,
group practice, or facility and regardless of whether they are the
direct subject of the report, we believe section 105(a)(6) of MACRA
requires that qualified entities allow providers and suppliers the
opportunity to review and request correction of errors in analyses that
identify the provider or supplier. Group practice and facility-level
providers and suppliers, as well as those indirectly evaluated in
analyses, face as much reputational harm from the dissemination of
incorrect information about care delivery and costs as individual
clinicians or those directly evaluated in the analyses. We have added
language to clarify this requirement at Sec. 401.716(b)(4).
Comment: One commenter suggested that CMS implement a process to
proactively educate providers and suppliers regarding the review,
corrections, and appeals process for non-public analyses.
Response: We believe that many qualified entities that decide to
disclose analyses that individually identify a provider or supplier
will choose to do an education campaign with providers and suppliers in
their region to ensure that any necessary review and error correction
processes go smoothly. This will allow the qualified entity to build a
direct relationship with the provider or supplier. In addition, since
providers and suppliers are one of the types of authorized users that
qualified entities can provide or sell non-public analyses and data to,
we believe that qualified entities will proactively attempt to build
strong relationships with the provider and supplier community in their
region. As a result, while we see a small role for CMS to play in
educating providers and suppliers about the review and error correction
process through our usual provider outreach channels, we believe
qualified entities will play the main role in provider and supplier
education about the review, corrections, and appeals process.
Comment: Several commenters suggested additional limitations that
CMS should impose on qualified entities with respect to the disclosure
of non-public analyses. One commenter recommended that CMS require
qualified entities to provide authorized users with a detailed
methodology of statistical analyses to ensure their validity. This
commenter also stated that CMS should require qualified entities to
follow an appropriate methodology in attributing costs to providers.
Another commenter suggested that evaluations of physician performance
should be required to have data from at least two sources.
Response: With regard to the suggestions around statistical
validity and cost attribution, we believe that these are issues that
the qualified entity should discuss directly with the authorized user
who is receiving or purchasing the analyses. We expect that most, if
not all, authorized users will expect the qualified entity to include
some description of the methodology for the analyses along with the
report, but that the level of detail and content needed by each
authorized user may vary. In addition, authorized users may have
different ideas about the most appropriate method for cost attribution
and we believe that they should be able to work with the qualified
entity to make a determination for how to
[[Page 44461]]
attribute costs to providers and suppliers. On the issue of requiring
at least two sources of data, we believe that section 105(a)(1)(A) of
MACRA requires that the non-public analyses be based on the combined
data described in 1874(e)(4)(B)(iii) as ``data made available under
this subsection with claims data from sources other than claims data
under this title''.
3. Limitations on the Authorized User
We proposed to require the qualified entity's use of legally
binding agreements with any authorized users to whom it provides or
sells non-public analyses. For non-public analyses that only include
patient de-identified data, we proposed to require the qualified entity
to enter into a contractually binding non-public analyses agreement
with any authorized users as a pre-condition to providing or selling
such non-public analyses.
Comment: Several commenters stated that they supported the use of a
legally binding agreement between the qualified entity and the
authorized user. One commenter suggested that CMS develop a standard
non-public analyses agreement for qualified entities to use with
authorized users.
Response: We thank commenters for their support of this proposal.
We believe that many qualified entities will have existing agreements
with authorized users that cover the use and disclosure of analyses
related to their claims data from other sources. While there may be
some value in providing organizations new to this type of work a
template for the agreement, we believe that qualified entities would be
better served by engaging with their own legal counsel to ensure the
agreement meets their specific needs.
For non-public analyses that include patient identifiable data, we
proposed to require the qualified entity to enter into a qualified
entity Data Use Agreement (QE DUA) with any authorized users as a pre-
condition to providing or selling such non-public analyses. As we also
proposed to require use of the QE DUA in the context of the provision
or sale of combined data, or the provision of Medicare data at no cost,
we discuss our proposals related to the QE DUA and associated comments
in the data disclosure discussion in section II.B below.
Requirements in the Non-Public Analyses Agreement
The statute generally allows qualified entities to provide or sell
their non-public analyses to authorized users for non-public use, but
it bars use or disclosure of such analyses for marketing (see section
105(a)(3)(c) of MACRA). We proposed additional limits on the non-public
analyses, given the expansive types of non-public analyses that could
be conducted by the qualified entities if no limits are placed on such
analyses, and the potential deleterious consequences of some such
analyses.
First, we proposed that the non-public analyses agreement require
that non-public analyses conducted using combined data or the
information derived from the evaluations described in section
1874(e)(4)(D) of the Act may not be used or disclosed for the following
purposes: Marketing, harming or seeking to harm patients and other
individuals both within and outside the healthcare system regardless of
whether their data are included in the analyses (for example, an
employer using the analyses to attempt to identify and fire employees
with high healthcare costs), or effectuating or seeking opportunities
to effectuate fraud and/or abuse in the healthcare system (for example,
a provider using the analyses to identify ways to submit fraudulent
claims that might not be caught by auditing software). We also proposed
to adopt the definition of marketing at 45 CFR 164.501 in the HIPAA
Privacy Rule.
Comment: Many commenters stated that they supported the proposed
restrictions on the use of the non-public analyses. One commenter
suggested that CMS provide greater clarification on what would
constitute harm to patients and other individuals both within and
outside the healthcare system. This commenter suggested that harm
should include activities that would create overly tiered networks that
could exclude high quality providers, as well as efforts to limit
patient access to certain treatments or drugs or steer patients to
certain practices based solely on cost.
Response: We thank commenters for their support of the restrictions
on the use of the analyses. On further consideration, we agree that the
industry may benefit from additional guidance regarding these
restrictions. Therefore, we anticipate providing additional sub-
regulatory guidance on the standards adopted in this rule for the
Qualified Entity Certification Program Web site at https://www.qemedicaredata.org/SitePages/home.aspx.
As we did not receive any comments on the proposed definition of
marketing, we will finalize the definition without modification.
Second, in accordance with section 105(a)(1)(B)(i) of MACRA, we
proposed to require that any non-public analyses provided or sold to an
employer may only be used by the employer for the purposes of providing
health insurance to employees and retirees of the employer. We also
further proposed that if the qualified entity is providing or selling
non-public analyses to an employer that this requirement be included in
the non-public analyses agreement. We did not receive any comments on
this proposal, so are finalizing it without modification.
We also proposed to require qualified entities to include in the
non-public analysis agreement a requirement to limit re-disclosure of
non-public analyses or derivative data to instances in which the
authorized user is a provider or supplier, and the re-disclosure is as
a covered entity would be permitted under 45 CFR 164.506(c)(4)(i) or
164.502(e)(1). Accordingly, a provider or supplier may only re-disclose
-identifiable health information to a covered entity for the purposes
of the covered entity's quality assessment and improvement or for the
purposes of care coordination activities, where that entity has a
patient relationship with the individual who is the subject of the
information, or to a business associate of such a covered entity under
a written contract. We also generally proposed to require qualified
entities to use a non-public analyses agreement to explicitly bar
authorized users that are not providers or suppliers from re-disclosure
of the non-public analyses or any derivative data except to the extent
a disclosure qualifies as a ``required by law'' disclosure.
Comment: Several commenters suggested that authorized users be
allowed to re-disclose analyses in order to publish research findings
provided the analyses do not individually identify a provider. These
commenters noted that public health interests can be served by allowing
the disclosure of research findings to the public. One commenter
recommended allowing broad re-disclosure of analyses when the
information is beneficiary de-identified, stating that this is
necessary to reduce cost and improve patient care across the healthcare
system. Several commenters suggested that authorized users be allowed
to re-disclose analyses for the purposes of developing products or
services, such as analytic tools, algorithms, and other innovations for
improving health outcomes.
Response: The statutory language at section 105(a)(5) of MACRA
states that authorized users may not re-disclose or make public any
analyses, with the exception of allowing providers and suppliers to re-
disclose analyses, as determined by the Secretary, for the
[[Page 44462]]
purposes of care coordination and performance improvement activities.
As a result, we are finalizing the proposed language on re-disclosure
of analyses without modification. However, we would like to note that
CMS currently makes data available to researchers outside of this
qualified entity program, including those interested in developing
products or tools. Individuals and organizations interested in
accessing CMS data for research purposes should visit the Research Data
Assistance Center (ResDAC) at www.resdac.org for more information.
Fourth, we proposed to require qualified entities to impose a
legally enforceable bar on the authorized user's linking de-identified
analyses (or data or analyses derived from such non-public analyses) to
any other identifiable source of information or in any other way
attempting to identify any individual whose de-identified data is
included in the analyses or any derivative data.
Comment: One commenter stated that an authorized user should be
allowed to link the analyses that contain patient identifiers or any
derivative data with other sources when this information is limited to
their own patients.
Response: We would like to highlight that the restriction on
linking analyses only applies to de-identified analyses. To the extent
providers and suppliers are receiving identifiable information on their
own patients, the restriction on linking to any other identifiable
source of information does not apply.
Finally, we proposed to require qualified entities to use their
non-public analyses agreements to bind their non-public analyses
recipients to reporting any violation of the terms of that non-public
analyses agreement to the qualified entity. We did not receive any
comments on this proposal, so are finalizing it without modification.
4. Confidential Opportunity To Review, Appeal, and Correct Analyses
In accordance, with section 105(a)(6) of MACRA, we proposed that
the qualified entity must follow the confidential review, appeal, and
error correction requirements established at 401.717(f) under section
1874(e)(4)(C)(ii) of the Act.
Comment: We received a wide-ranging set of comments on the proposed
review and corrections process. Several commenters supported the
proposed review and corrections process. Many commenters suggested
changes to the review process for non-public analyses. In general these
commenters cited the burden of the proposed process for qualified
entities and recommended options to make the process less burdensome.
However, other commenters focused on the need for providers and
suppliers to have enough time to ensure the analyses are accurate.
Several commenters suggested provider or supplier notification as
the first step for review of non-public analyses. One commenter
recommended creating an alternative approach to individualized appeals,
such as an accreditation process. Another commenter suggested that when
a non-public analysis is released to one or more authorized users, or
when a non-public analysis is subsequently used for a public report,
the qualified entity need only provide an opportunity for the provider
or supplier to have reviewed and, if necessary, requested error
correction once before the initial release of the analysis. Another
commenter recommended that providers and suppliers only be given one
chance to request error correction of the underlying data, after which
the data could be used in any future non-public analyses.
A few commenters suggested that a 60-day period to review the
analyses may not be sufficient. On the other hand, several commenters
suggested a 30-day review period for non-public analyses, while another
commenter suggested giving providers and suppliers an ongoing right to
review the analyses and request error correction.
Response: We appreciate commenters' concerns about allowing
providers and suppliers the necessary time to review analyses as well
as the concerns about the burden on qualified entities of implementing
the public reporting review and corrections process for non-public
analyses. However, as noted in the proposed rule, we also believe using
the same process for review and error correction for both the non-
public analyses and the public reports creates continuity and a balance
between the needs and interests of providers and suppliers and those of
the qualified entities, authorized users, and the public.
That said, on further consideration, we believe that the addition
of a procedural step whereby the qualified entity would confidentially
notify a provider or supplier about the non-public analyses and give
the provider or supplier the opportunity to opt-in to the review and
error correction process established at Sec. 401.717(a) through (e) is
both consistent with the statute and has the potential to reduce the
burden on both qualified entities and providers and suppliers. In some
cases, notification may be sufficient to meet the needs of a provider
or supplier and, as a result, the provider or supplier will choose not
to opt-in to the review and correction process, reducing the paperwork
and resource burden for both the qualified entity and the provider/
supplier. In addition, where the analyses are similar to previous
analyses or use data the provider or supplier has already corrected,
the provider or supplier may also choose not to review the analyses.
Under this procedural step, a qualified entity must confidentially
notify a provider or supplier that non-public analyses that
individually identify the provider or supplier are going to be released
at least 65 calendar days before disclosing the analyses to the
authorized user. The first five days of the 65 day period is intended
to allow time to notify the provider or supplier, and to allow them
time to respond to the qualified entity. The next sixty days are
reflective of the sixty day review period in Sec. 401.717(a) through
(e). The confidential notification about the non-public analyses should
include a short summary of the analyses (which must include the
measures being calculated, but does not have to include the
methodologies and measure results), the process for the provider or
supplier to request the analyses, the authorized users receiving the
analyses, and the date on which the qualified entity will release the
analyses to the authorized users. This notification can cover multiple
non-public analyses that use different datasets and measures. The 65-
day period begins on the date the qualified entity sends or emails the
notification to providers and suppliers. As we presume some qualified
entities may utilize National Provider Identifier (NPI) data as a means
of contacting providers and suppliers, we would like to use this
opportunity to remind providers and suppliers of the need to keep their
NPI information up-to-date.
At any point during this 65-day period, the qualified entity must
allow the provider or supplier to opt-in to the review and error
correction process established at Sec. 401.717(a) through (e) and
request copies of the analyses and, where applicable, access to the
data used in the analyses, and to request the correction of any errors
in the analyses. However, if the provider or supplier chooses to opt-in
to the review and correction process more than 5 days into the
notification period, the time for the review and correction process is
shortened from regulatory 60 days in Sec. 401.717(a) through (e) to
the number of days remaining between the provider or supplier opt-in
date and the release
[[Page 44463]]
date specified in the confidential notification.
We understand the desire to create an alternative approach to
individualized appeals, such as an accreditation process, however, we
believe the statutory language at Section 105(a)(6) of MACRA requires
that qualified entities allow providers and suppliers an opportunity to
review analyses that individually identify the provider or supplier
and, if necessary, and, when needed, request error correction in the
analyses. In addition, as stated above, regardless of the statutory
requirements, we believe that providers and suppliers should not be
evaluated by a qualified entity without having a chance to review and,
when needed, request error correction in the analyses.
Comment: One commenter recommended that qualified entities not be
allowed to provide or sell analyses to an authorized use while an error
correction request is outstanding.
Response: We acknowledge the interest of providers and suppliers in
ensuring that any analyses correctly represent their care delivery
patterns and costs. However, we are concerned that providers and
suppliers may make spurious requests for error correction in order to
prevent the authorized user from receiving the analyses. As a result,
we will maintain the provisions that allow qualified entities to
release the non-public analyses after the 65-day period regardless of
the status of error corrections. As with the public reporting, the
qualified entity must inform the authorized user if a request for error
correction is outstanding when the analyses are delivered to the
authorized user, and, if applicable, provide corrected analyses if
corrections are ultimately made.
B. Dissemination of Data and the Use of QE DUAs for Data Dissemination
and Patient-Identifiable Non-Public Analyses
Subject to other applicable law, section 105(a)(2) of MACRA expands
the permissible uses and disclosures of data by a qualified entity to
include providing or, where applicable, selling combined data for non-
public use to certain authorized users, including providers of
services, suppliers, medical societies, and hospital associations for
use in developing and participating in quality and patient care
improvement activities. Section 105(a)(3)(B) of MACRA. Subject to the
same limits, it also permits a qualified entity to provide Medicare
claims data for non-public use to these authorized users; however, a
qualified entity may not charge a fee for providing such Medicare
claims data. In addition, in order to provide or sell combined data or
Medicare data, section 105(a)(4) of MACRA instructs the qualified
entity to enter into a DUA with their intended data recipient(s).
1. General Requirements for Data Dissemination
To implement the provisions in Section 105(b) of MACRA, we proposed
to provide that, subject to other applicable laws (including applicable
information, privacy, security and disclosure laws) and certain defined
program requirements, including that the data be used only for non-
public purposes, a qualified entity may provide or sell combined data
or provide Medicare claims data at no cost to certain authorized users,
including providers of services, suppliers, medical societies, and
hospital associations. Where a qualified entity is a HIPAA-covered
entity or is acting as a business associate, compliance with other
applicable laws will include the need to ensure that it fulfills the
requirements under the HIPAA Privacy Rule, including the restriction on
the sale of PHI at 45 CFR 164.502(a)(5)(ii).
Comment: Several commenters stated that CMS should provide
additional clarity on the term no cost as it relates to the provision
of Medicare data. For example, commenters stated that qualified
entities may wish to charge a fee for entering into a data use
agreement with an authorized user, but then not charge for the data. In
addition, some of these commenters recommended that CMS allow qualified
entities to recoup the costs associated with providing Medicare data at
no cost. These commenters stated that there is a cost associated with
providing claims data to authorized users, such as staff time to create
the data extract and encrypt the file.
Response: We understand that qualified entities will face costs
providing Medicare data to authorized users. However, section
105(a)(2)(C) of MACRA expressly states that, if a qualified entity were
to elect to make Medicare claims data available, such data must be
``provided'' at no cost. We believe that the paperwork and processing
costs associated with accepting and fulfilling Medicare claims data
requests are an integral part of the ``provision'' of data. As such,
qualified entities may not charge authorized users for the Medicare
data itself or any activity associated with requests for or the
fulfillment of Medicare data requests (such as the processing of a data
use agreement). However, we also note that the qualified entity is not
required to offer authorized users the opportunity to request Medicare
claims data. Qualified entities may choose to only offer authorized
users the opportunity to receive or purchase combined data. Qualified
entities may also choose not to allow authorized users to request data
at all.
Comment: One commenter suggested that CMS require qualified
entities to sell the combined data at a reasonable price which reflects
their actual cost.
Response: We appreciate the commenter's interest in ensuring
qualified entities charge authorized users reasonable fees for combined
data. However, we believe that qualified entities should be allowed to
determine the appropriate fee to charge authorized users for access to
the combined data. If qualified entities set their prices too high
authorized users have the choice of not buying the data, or potentially
obtaining the data from another qualified entity with more reasonable
pricing.
Comment: One commenter recommended that CMS provide additional
clarity on the threshold for the amount of other data that must be
combined with the Medicare data in order for the qualified entity to
sell the combined data.
Response: As discussed above, we have not established a threshold
for the amount of other data that must be combined with the Medicare
data. It is our expectation that qualified entities will use sufficient
claims data from other sources to ensure validity and reliability.
2. Limitations on the Qualified Entity Regarding Data Disclosure
In accordance with section 105(a)(2), we proposed to place a number
of limitations on the sale or provision of combined data and the
provision of Medicare claims data by qualified entities, including
generally barring the disclosure of patient-identifiable data obtained
through the qualified entity program.
Comment: Several commenters stated that CMS should provide
additional clarity around whether the data must go through a review and
corrections process before it is disclosed to an authorized user. One
commenter recommended that providers and suppliers be allowed to
review, appeal, and correct the data before it is disclosed.
Response: Section 105(a)(6) of MACRA only requires a review and
corrections process when a qualified entity is providing or selling an
analysis to an authorized user. While we understand that some providers
and
[[Page 44464]]
suppliers may wish to ensure that their data is correct before it is
shared with an authorized user, we believe that this process would be
very rigorous and burdensome for the qualified entity and would have
little value for most providers and suppliers.
We proposed to require any combined data or Medicare claims data
that is provided to an authorized user by a qualified entity under
subpart G be beneficiary de-identified in accordance with the de-
identification standards in the HIPAA Privacy Rule at 45 CFR
164.514(b). We also proposed an exception that would allow a qualified
entity to provide or sell patient-identifiable combined data and/or
provide patient-identifiable Medicare claims data at no cost to an
individual or entity that is a provider or supplier if the provider or
supplier has a patient relationship with every patient about whom
individually identifiable information is provided and the disclosure is
consistent with applicable law.
Comment: Several commenters agreed with the proposal to only allow
identifiable data to be disclosed to providers or suppliers with whom
the identified individuals have a patient relationship. One commenter
suggested that qualified entities be allowed to share limited data sets
(as defined in HIPAA) with providers and suppliers for individuals who
are not their patients. Another commenter recommended that qualified
entities be allowed to disclose patient-identifiable data to health
plans.
Response: Section 105(a)(3) of MACRA requires that data disclosed
to an authorized user not contain information that individually
identifies a patient unless the data is being shared with that
patient's provider or supplier. We further note that limited data sets
include indirect identifiers, and, as such, are subject to that
mandate. While we can imagine that health systems would be interested
in conducting population-wide analyses that look at disease incidence
or care delivery patterns, we believe these types of analyses can be
conducted using de-identified data. In addition, authorized users that
may not receive patient-identifiable data, such as issuers, could ask
the qualified entity to conduct analyses on these topics, and purchase
or receive the patient-deidentified analyses that result from such
efforts.
Second, we proposed to require qualified entities to bind the
recipients of their data to a DUA that will govern the use and, where
applicable, re-disclosure of any data received through this program
prior to the provision or sale of such data to an authorized user.
Comment: Several commenters stated that they agreed with the
proposal to require qualified entities to bind authorized users who
receive data to a DUA. One commenter recommended that when the required
``QE DUA'' (the DUA between the Qualified Entity (QE) and the
Authorized User) provisions already exist in another contract between
the qualified entity and the authorized user, the qualified entity
should not be required to re-paper those terms.
Response: We thank commenters for their support of this proposal.
In cases where all the terms of the QE DUA at Sec. 401.713(d) are
contained in a contractually binding agreement between the qualified
entity and the authorized user, we do not intend to require the
qualified entity to re-paper that agreement as a QE DUA.
3. Data Use Agreement (DUA)
A qualified entity must enter a DUA with CMS as a condition of
receiving Medicare data. Furthermore, in accordance with Section
105(a)(4) of MACRA, we proposed to require the execution of a DUA as a
precondition to a qualified entity's provision or sale of data to an
authorized user. As discussed above, we also proposed to require the
qualified entity to enter into a DUA with any authorized user as a pre-
condition to providing or selling non-public analyses that include
patient-identifiable data. To help differentiate the DUA between CMS
and the qualified entity from the DUAs between the qualified entity and
the authorized user, we proposed certain clarifying changes that
recognize that there are now two distinct DUAs in the qualified entity
program--the CMS DUA, which is the agreement between CMS and a
qualified entity, and what we will refer to as the QE DUA, which will
be the legally binding agreement between a qualified entity and an
authorized user.
Comment: Several commenters had overall comments on the QE DUA. One
commenter recommended that CMS create a standard QE DUA. Another
commenter stated that the data released to authorized users should not
be subject to discovery or admitted into evidence without the provider
or supplier's consent. A few commenters suggested that the QE DUA
include a provision that prevents the disclosure of competitively
sensitive data, such as Part D bid information. Finally, one commenter
suggested that authorized users should have some direct responsibility
for actions that run afoul of contractual requirements.
Response: As noted above, qualified entities may have existing
agreements with authorized users where all required QE DUA elements are
covered, and we are not requiring re-papering in those instances.
Furthermore, also as noted above, we believe that qualified entities
without existing agreements would be better served by engaging with
their own legal counsel to ensure the QE DUA meets their specific
needs.
As discussed above, we believe the statutory requirement that data
not be subject to discovery or admitted into evidence without the
provider or supplier's consent only applies to data released to the
qualified entity under 1874(e) and when that data is in the possession
of the qualified entity.
Regarding concerns about disclosure of competitively sensitive
information, qualified entities only receive Medicare Parts A and B
claims data and certain Part D drug event data from CMS. In addition,
we only provide qualified entities with aggregated Part D cost
information, not the proprietary individual component costs. As a
result, we do not believe there is a risk that qualified entities would
be in a position to disclose competitively sensitive information to
authorized users.
Finally, as we stated in the proposed rule, we only have authority
to impose requirements on the qualified entity. As a result, we must
rely on the qualified entity to impose legally enforceable obligations
on the authorized user.
Requirements in the QE DUA
In Sec. 401.713(d), we proposed a number of contractually binding
provisions that would be included in the QE DUA. First, we proposed to
require that the QE DUA contain certain limitations on the authorized
user's use of the combined data and/or Medicare claims data and/or non-
public analyses that contain patient-identifiable data and/or any
derivative data (hereinafter referred to as data subject to the QE DUA)
to those purposes described in the first or second paragraph of the
definition of ``healthcare operations'' under 45 CFR 164.501, or that
which qualifies as ``fraud and abuse detection or compliance
activities'' under 45 CFR 164.506(c)(4). We also proposed to require
that all other uses and disclosures of data subject to the QE DUA be
prohibited except to the extent a disclosure qualifies as a ``required
by law'' disclosure. We did not receive any comments on our proposal to
allow authorized users to use the data subject to the QE DUA for the
purposes described in the first or second paragraph of the definition
of ``healthcare operations'' under 45 CFR
[[Page 44465]]
164.501. Therefore, we are finalizing our proposal. In doing so, we
identified inadvertent drafting errors in the proposed regulatory text
at Sec. 401.713(d)(1)(i)(A) and (B) (mis-identifying which activities
fell into which paragraphs of 45 CFR 164.501). We have therefore
corrected those draft regulatory provisions to conform the new 42 CFR
401.713(d)(1)(i)(A) and (B) with the content of the first and second
paragraphs of the definition of health care operations under 45 CFR
164.501.
Comment: We received several comments on allowing authorized users
to use the data subject to the QE DUA for purposes which qualify as
``fraud and abuse detection or compliance activities'' under 45 CFR
164.506(c)(4). Several commenters stated that the allowing use of the
data subject to the QE DUA for fraud and abuse detection is unwarranted
and without basis in the statutory text. However, another commenter
explicitly supported use of the data subject to the QE DUA to bolster
efforts to fight fraud. One commenter suggested the addition of
``waste'' detection as an allowed use of the data subject to the QE
DUA.
Response: We believe that section 105(a)(3)(A)(ii) of MACRA is
illustrative (providing for certain non-public uses ``including''
certain cross-referenced activities). It does not prevent use of the
data for fraud and abuse detection and compliance activities. As a
result, we are finalizing our proposal to allow authorized users to use
the data subject to the QE DUA for fraud and abuse detection. While we
can understand the interest in adding waste detection to the list of
allowed uses of the data subject to the QE DUA, we believe it is best
to stay consistent with the language established in HIPAA since many of
other authorized users receiving data subject to the QE DUA are also
HIPAA covered entities.
Comment: One commenter suggested that authorized users also be
allowed to use the data subject to the QE DUA for ``treatment'' as
defined under 45 CFR 164.501.
Response: We agree that use of the data subject to the QE DUA for
treatment purposes is a valid possible use of the data and consistent
with the statute. As a result, we have modified the language at Sec.
401.713(d)(1)(i) to include treatment.
We also proposed to require qualified entities to use the QE DUA to
contractually prohibit the authorized users from using the data subject
to the QE DUA for marketing purposes. We did not receive any comments
on this proposal, and are finalizing it without modification.
We proposed at Sec. 401.713(d)(3) to require qualified entities to
contractually bind authorized users using the QE DUA to protect
patient-identifiable data subject to the QE DUA, with at least the
privacy and security protections that would be required of covered
entities and their business associates under the HIPAA Privacy and
Security Rules. We proposed to require that the QE DUA contain
provisions that require that the authorized user maintain written
privacy and security policies and procedures that ensure compliance
with these HIPAA-based privacy and security standards and the other
standards required under this subpart for the duration of the QE DUA.
We also proposed to require QE DUA provisions detailing such policies
and procedures survive termination of the QE DUA, whether for cause or
not.
Comment: One commenter suggested that CMS clarify that the QE DUA
by itself does not make the authorized user a covered entity or
business associate under HIPAA if the authorized user does not
otherwise meet those definitions.
Response: We wish to clarify that this rule does not comment on
whether an entity is a covered entity or business associate under
HIPAA. We are simply requiring the authorized users to comply with the
privacy and security protections required of covered entities and their
business associates under the HIPAA Privacy and Security Rules (that
is, the authorized users must comply with those provisions as if they
were acting in the capacity of a covered entity or business associate
dealing with protected health information). We feel that such standards
represent an industry-wide standard for the protection of patient-
identifiable data, and note that this requirement would be in keeping
with section 105(a)(4) of MACRA.
We also proposed at Sec. 401.713(d)(7) to require that the
qualified entity use the QE DUA to contractually bind an authorized
user as a condition of receiving data subject to the QE DUA under the
qualified entity program to notify the qualified entity of any
violations of the QE DUA. We did not receive any comments on this
proposal, so are finalizing it without modification.
In addition, we proposed at Sec. 401.713(d)(4) to require that the
qualified entity include a provision in its QE DUAs that prohibits the
authorized user from re-disclosing or making public data subject to the
QE DUA except as provided in paragraph (d)(5). We proposed at Sec.
401.713(d)(5) to require that the qualified entity use the QE DUA to
limit provider's and supplier's re-disclosures to a covered entity
pursuant to 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Therefore, a
provider or supplier would generally only be permitted to re-disclose
data subject to the QE DUA to a covered entity or its business
associate for activities focused on that covered entity's quality
assessment and improvement, including the review of provider or
supplier performance. We also proposed to require re-disclosure when
required by law.
Comment: Several commenters stated that they supported CMS'
proposals related to re-disclosure of data. One commenter suggested
that providers and suppliers be allowed to re-disclose data for direct
patient care and issues of patient safety. Another commenter
recommended that any authorized user be allowed to re-disclose de-
identified data for the purposes of publishing de-identified
statistical results.
Response: We thank commenters for their support of the re-
disclosure proposals. While we can understand interest in explicitly
referencing issues of patient safety, we do not believe it is necessary
given that the first paragraph of the definition of healthcare
operations includes patient safety activities and, thus issues of
patient safety are permitted reasons for re-disclosure of the data.
However, we recognize that as proposed, providers and suppliers would
not be allowed to re-disclose the data subject to the QE DUA for
treatment purposes. As a result, we are modifying the language at Sec.
401.713(d)(5)(i) to allow providers and suppliers to re-disclose data
subject to the QE DUA as a covered entity would be permitted to
disclose PHI under 45 CFR 164.506(c)(2), which allows a covered entity
to disclose data for the treatment activities of a healthcare provider.
Regarding the recommendation to allow for re-disclosure of de-
identified data in order to publish statistical results, we do not
believe that this purpose is consistent with section 105(a)(5)(A) of
the MACRA statute, which explicitly states that an authorized user who
is provided or sold data shall not make public such data or any
analysis using such data.
We also proposed to require qualified entities to impose a
contractual bar using the QE DUA on the downstream recipients' linking
of the re-disclosed data subject to the QE DUA to any other
identifiable source of information. The only exception to this general
policy would be if a provider or supplier were to receive identifiable
information limited to its own patients.
[[Page 44466]]
Comment: Several commenters stated that they supported the
proposals related to linking the data. One commenter suggested that
business associates of providers or suppliers be allowed to link the
data subject to the QE DUA. Another commenter recommended that
authorized users be allowed to link the patient de-identified data so
long as the intent or result is not to re-identify patients and the
resulting data set meets the HIPAA standard for de-identification.
Response: We would like to clarify that the prohibition on linking
only applies to patient de-identified data subject to the QE DUA. To
the extent that a provider or supplier receives patient-identifiable
data subject to the QE DUA and discloses that data to a business
associate as allowed under Sec. 401.713(d)(5)(i), that provider or
supplier may request that the business associate link the data subject
to the QE DUA to another data source.
While we understand that some authorized users may wish to link the
de-identified data subject to the QE DUA, we believe that this creates
too much risk of inadvertent re-identification. However, instead of
linking the data themselves, authorized users could choose to share
their additional data, in accordance with applicable law, with the
qualified entity who could link this new data source to the existing
data and then create de-identified analyses to share with the
authorized user.
C. Authorized Users
1. Definition of Authorized User
Section 105(a)(9)(A) of MACRA defines authorized users as: A
provider of services, a supplier, an employer (as defined in section
3(5) of the Employee Retirement Insurance Security Act of 1974), a
health insurance issuer (as defined in section 2791 of the Public
Health Service act), a medical society or hospital association, and any
other entity that is approved by the Secretary. We proposed a
definition for authorized user at Sec. 401.703(k) that is consistent
with Section 105(a)(9)(A) of MACRA and includes two additional types of
entities beyond those established in the statute--healthcare
professional associations and state agencies. Specifically, we proposed
to define an authorized user as: (1) A provider; (2) a supplier; (3) an
employer; (4) a health insurance issuer; (5) a medical society; (6) a
hospital association; (7) a healthcare professional association; or (8)
a state agency.
Comment: Commenters had a wide ranging list of suggested additions
to the definition of an authorized users, including: Other types of
associations and partnership groups whose missions support the
permitted data uses, entities with expertise in quality measure
development, organizations engaged in research, federal agencies,
regional health improvement collaboratives, and the Indian Health
Service (and Indian Health programs). Several commenters also suggested
that CMS create a process for qualified entities to seek approval for
additional authorized users that may not fit into the regulatory
definitions.
Response: We recognize that many organizations are interested in
accessing analyses provided by the qualified entity. However, CMS
believes we must maintain a carefully curated list of authorized users
to prevent the monitoring of the qualified entity program from becoming
too cumbersome. As a result, we are only adding federal agencies,
including, but not limited to the Indian Health Service (and Indian
Health programs), to the definition of authorized users. Similar to
state agencies, we believe that federal agencies, particularly those
that provide healthcare services such as the Indian Health Service and
the U.S. Department of Veteran Affairs are important partners with CMS
in transforming the healthcare delivery system and could substantially
benefit from access to analyses to help improve quality and reduce
costs, especially for individuals who utilize their services. On the
other hand, we believe many of the other suggested authorized users do
not represent well defined groups, which could lead to significant
confusion as to which entities fall within the group and which do not.
In addition, as we noted above, the statute is explicit in its
prohibition of releasing the analyses or data to the public, so the
addition of any authorized user with a research aim is not consistent
with the parameters of the program.
We believe a separate approval process would be very costly for CMS
and create additional burdens for qualified entities. We also believe
that a standard list of authorized users is the simplest and least
administratively burdensome method to ensure equal treatment of
qualified entities. Because many of the suggested authorized users do
not represent well defined groups, we would envision an approval
process for each entity requesting analyses, which would potentially be
more burdensome for smaller regional qualified entities that do not
have the time or resources to devote to the approval process.
Furthermore, we have an existing process through which entities can
obtain Medicare data for research purposes. More information on
accessing CMS data for research can be found on the ResDAC Web site at
www.resdac.org.
Comment: Several commenters suggested that other organizations
beyond providers, suppliers, hospital associations, and medical
societies be allowed to access data. A few commenters suggested any
entity should be allowed to access de-identified data. Another
commenter recommended the creation of a new authorized user called a
healthcare provider or supplier collaborator and defined as an
organization or entity that does not directly treat patients, but works
closely with the provider or supplier in connection with treatment of
patients.
Response: Section 105 (a)(2)(A)(i) only allows for the disclosure
of data to a provider of services, a supplier, and a medical society or
hospital association.
Comment: Several commenters suggested that authorized users that
are allowed to act on behalf of their subparts (for example,
Accountable Care Organizations) or business associates as defined in
HIPAA should be allowed to receive data and/or analyses directly.
Response: We do not intend to prevent organizations acting under a
contract with an authorized user from receiving data or the analyses on
behalf of the authorized user. Therefore, we have modified the
definition of authorized user to include contractors, including, where
applicable, business associates as that term is defined at 45 CFR
160.103. An authorized user is now defined as a third party and its
contractors (including, where applicable, business associates as that
term is defined at 45 CFR 160.103) that need analyses or data covered
by this section to carry out work on behalf of that third party
(meaning not the qualified entity or the qualified entity's
contractors) to whom/which the qualified entity provides or sells data
as permitted under this subpart. Authorized user third parties are
limited to the following entities: A provider, a supplier, a medical
society, a hospital association, an employer, a health insurance
issuer, a healthcare provider and/or supplier association, a state
entity, a federal agency.
We would like to note that with this change to the definition of
authorized user a qualified entity is now also liable for the actions
of the third party's contractors who enter into a QE DUA with the
qualified entity.
Comment: One commenter suggested a modification to the definition
of provider to include dieticians, social workers, case management
nurses, and other allied health professionals.
[[Page 44467]]
Response: The current definition of a supplier is a physician or
other practitioner that furnishes healthcare services under Medicare.
To the extent that dieticians, social workers, case management nurses,
and other allied health professionals are furnishing healthcare
services under Medicare, they would already be considered suppliers. If
they are not furnishing services under Medicare, we do not believe the
analyses or data based on Medicare claims data will hold much value for
improving care delivery or reducing costs, and so we decline expanding
the definition to include them.
2. Definition of Employer
We proposed to define an employer as having the same meaning as the
term ``employer'' defined in Section 3(5) of the Employee Retirement
Insurance Security Act of 1974.
Comment: One commenter suggested that the definition of employer
should not include any third-party consultant or wellness program
vendors.
Response: As noted above, we believe authorized users should be
allowed to share analyses and data with contractors who need such
information to conduct work on their behalf. Therefore, we modified the
definition of authorized user to include contractors. To the extent a
wellness vendor is an employer's contractor, the vendor will be
required to sign a non-public analyses agreement and will be bound to
only use and disclose the analyses in a manner consistent with the
provisions of that agreement. We would also like to point out that as
specified in Sec. 401.716(c)(2), employers, and their contractors, may
only use the analyses for the purposes of providing health insurance to
employees, retirees, or dependents of employees.
3. Definition of Health Insurance Issuer
We proposed to define a health insurance issuer as having the same
meaning as the term ``health insurance issuer'' defined in Section
2791(b)(2) of the Public Health Service Act.
Comment: One commenter suggested that the definition of health
insurance issuer should not include any third-party consultant or
wellness program vendors.
Response: As with employers, we believe issuers should be allowed
to share analyses and data with contractors who need such information
to conduct work on their behalf. Therefore, as stated above, we have
modified the definition of authorized user. To the extent a wellness
vendor is an issuer's contractor, the vendor will be required to sign a
non-public analyses agreement and will be bound to only use and
disclose the analyses in a manner consistent with the provisions of
that agreement.
4. Definition of ``Medical Society''
We proposed to define a medical society as a non-profit
organization or association that provides unified representation for a
large number of physicians at the national or state level and whose
membership is comprised mainly of physicians.
Comment: One commenter requested that CMS provide an example of a
medical society.
Response: We would consider the American Medical Association or the
American Academy of Family Physicians to be national-level medical
societies. At the state-level, the Medical Association of the State of
Alabama is an example of a medical society under this definition.
5. Definition of ``Hospital Association''
We proposed to define a hospital association as a non-profit
organization or association that provides unified representation for a
large number of hospitals or health systems at the national or state
level and whose membership is comprised of a majority of hospitals and
health systems.
Comment: One commenter requested that CMS provide an example of a
hospital association.
Response: We would consider the American Hospital Association or
the Federation of American Hospitals to be national hospital
associations. At the state-level, the Hospital and Healthsystem
Association of Pennsylvania is an example of a hospital association
under this definition.
Comment: Several commenters suggested that the definition of
hospital association be expanded to include associations at the local
level and quality organizations that are affiliated with, but have
separate 501(c)(3) numbers from their state hospital association.
Response: CMS recognizes that local hospital associations may work
more closely on issues such as quality improvement with hospitals and
health systems in their area than state or national associations. As a
result, we have modified the definition of hospital association to
include local-level organizations. However, we do not believe that the
MACRA statute at 105(a)(9)(v) intends for quality organizations
affiliated with a hospital association to be considered a hospital
association since the language only refers to hospital association and
does not reference quality organizations. To the extent that these
quality organizations are doing work on behalf of the state hospital
association under contract, and that work requires access to such data
or analyses, these quality organizations would be considered authorized
users and would be required to enter into a QE DUA and/or non-public
analyses agreement with the qualified entity.
6. Definition of ``Healthcare Provider and/or Supplier Association''
We proposed to define a healthcare provider and/or supplier
association as a non-profit organization or association that represents
providers and suppliers at the national or state level and whose
membership is comprised of a majority of providers and/or suppliers. We
did not receive any comments on this definition, so are finalizing it
without modification.
7. Definition of ``State Agency''
We proposed to define a state agency as any office, department,
division, bureau, board, commission, agency, institution, or committee
within the executive branch of a state government.
Comment: One commenter stated that state agencies should be limited
to those entities that promote care quality and patient care
improvement activities. Another commenter recommended that the term
state agency be changed to state entity to help avoid conflict with
state-specific references to the word ``agency.'' One commenter
suggested CMS provide clarity on whether the definition of state agency
includes political subdivisions of the state.
Response: We do not believe that state agencies should be limited
to those entities focused on care quality and patient care improvement.
There are a wide-array of uses of the non-public analyses by states who
are CMS' partners in transforming the healthcare delivery system. We do
appreciate the comment related to the use of the term agency at the
state-level, and have modified this term in the regulations to be
``state entity.'' In addition, to provide clarity, we note that we did
not intend for the definition of state agency to include political
subdivisions of a state, such as a county, city, town, or village, and
as a result have not added these to the definition.
D. Annual Report Requirements
1. Reporting Requirements for Analyses
Section 105(a)(8) of MACRA expands the information that a qualified
entity must report annually to the Secretary if
[[Page 44468]]
a qualified entity provides or sells non-public analyses. Therefore,
consistent with these requirements, we proposed to require that the
qualified entity provide a summary of the non-public analyses provided
or sold under this subpart, including specific information about the
number of analyses, the number of purchasers of such analyses, the
types of authorized users that purchased analyses, the total amount of
fees received for such analyses. We also proposed to require the
qualified entity to provide a description of the topics and purposes of
such analyses. In addition, we proposed to require a qualified entity
to provide information on QE DUA and non-public analyses agreement
violations.
Comment: Several commenters suggested additions to the reporting
requirements for analyses. One commenter suggested that qualified
entities include the specific entities to whom analyses were provided
or sold as well as more detailed pricing information. Another commenter
recommended the addition of the frequency and nature of requests for
error correction, and how often analyses are disclosed with unresolved
requests for error correction.
Response: We believe that Section 105(a)(8)(A) of MACRA intends for
qualified entities to provide a summary of the analyses and that the
specific details of the entities who received analyses or the pricing
information for analyses are not consistent with that intent. We do
believe there is value in monitoring requests for error correction to
ensure that qualified entities are not releasing analyses that
consistently have requests for error correction, which could indicate a
qualified entities' poor use of the Medicare data; however, we believe
the requirement to provide this information, with the exception of how
often analyses are disclosed with unresolved requests for error
correction, already exists as part of the annual reporting requirements
under Sec. 401.719(b)(2). We believe including how often analyses are
disclosed with unresolved error requests in the annual reports is
important because it allows CMS to track possible poor use of the
Medicare data by qualified entities. Therefore, we have added the
requirement to report the number of analyses disclosed with unresolved
requests for error correction at Sec. 401.719(b)(3)(iii).
Comment: One commenter suggested that the annual reports be made
public.
Response: We recognize that in some cases the annual reports may
contain sensitive commercial information and, as a result, we do not
believe the reports should be made public. We would like to clarify,
however, that anytime CMS receives a request for information under the
Freedom of Information Act (FOIA), the agency always evaluates whether
the information is subject to one of the FOIA exemptions, including
Exemption 4, which protects commercial or financial information that is
privileged and confidential. We welcome identification of any materials
within such reports that the qualified entity believes are subject to a
FOIA exemption, and the rationale therefore.
2. Reporting Requirements for Data
Section 105(a)(8) of MACRA also requires a qualified entity to
submit a report annually if it provides or sells data. Therefore,
consistent with the statutory requirements, we also proposed to require
qualified entities that provide or sell data under this subpart to
provide the following information as part of its annual report:
Information on the entities who received data, the uses of the data,
the total amount of fees received for providing, selling, or sharing
the data, and any QE DUA violations.
Comment: Several of the comments on reporting requirements for data
were the same as those for analyses addressed above. One commenter
suggested the addition of information on authorized user data breaches
to the annual report. Another commenter stated that the annual
reporting requirements for data may contain sensitive commercial
information that may be subject to confidentiality provisions between
the qualified entity and applicable authorized users.
Response: We believe that data breaches should be reported to CMS
in a much timelier manner than the annual report. As discussed above,
the QE DUA requires authorized users to notify the qualified entity of
any violations of the QE DUA and to comply with the breach provisions
governing qualified entities. As a result, we do not believe this
element is needed in the annual report.
We recognize that some of the information we proposed to require of
qualified entities in their annual reports will be sensitive commercial
information. As noted above, anytime CMS receives a request for
information under the FOIA, the agency always evaluates whether the
information is subject to one of the FOIA exemptions, including
Exemption 4, which protects commercial or financial information that is
privileged and confidential. Contractual confidentiality provisions
between authorized users and qualified entities will not negate CMS'
obligations under FOIA, but we welcome identification of any materials
within such reports that the qualified entity believes are subject to a
FOIA exemption, and the rationale therefore.
E. Assessment for a Breach
1. Violation of a DUA
Section 105(a)(7) of MACRA requires the Secretary to impose an
assessment on a qualified entity in the case of a ``breach'' of a CMS
DUA between the Secretary and a qualified entity or a breach of a QE
DUA between a qualified entity and an authorized user. Because the term
``breach'' is defined in HIPAA, and this definition is not consistent
with the use of the term for this program, we proposed instead to adopt
the term ``violation'' when referring to a ``breach'' of a DUA for
purposes of this program. We also proposed to define a ``violation'' to
mean a failure to comply with a requirement in a CMS DUA or QE DUA. We
also proposed to impose an assessment on any qualified entity that
violates a CMS DUA or fails to ensure that their authorized users and
their contractors/business associates do not violate a QE DUA.
Comment: A few commenters recommended that CMS further define and
provide examples of what would constitute a DUA violation. Another
commenter suggested CMS expand the definition of a violation so that
both the qualified entity and the authorized user may be held
responsible for a breach.
Response: While we recognize that not all terms of the DUAs are
equal regarding the risk to the privacy and security of the Medicare
data, we believe the aggravating and mitigating circumstances discussed
in more detail below provide us the flexibility to ensure the
assessment amount is consistent with the nature of the violation. One
example of a violation would be knowingly releasing patient names and
other protected health information for marketing purposes. Another
example of a violation would be sharing individually identifiable
information for an individual who does not meet the definition of a
patient with a supplier.
While we recognize that it may be the authorized user who is
responsible for the violation, we believe Section 105(a)(7) of MACRA
does not give us the authority to impose an assessment on the
authorized user. However, we do believe that the qualified entity could
include terms in their agreement with the authorized user to require
the authorized user to pay the assessment if the authorized user is
responsible for the violation.
[[Page 44469]]
MACRA provides guidance only on the assessment amount and what
triggers an assessment, but it does not dictate the procedures for
imposing such assessments. We therefore proposed to model qualified
entity program procedures on certain relevant provisions of Section
1128A of the Act (Civil Money Penalties) and part 402 (Civil Money
Penalties, Assessments, and Exclusions) including the process and
procedures for calculating the assessment, notifying a qualified entity
of a violation, collecting the assessment, and providing qualified
entities an appeals process.
2. Amount of Assessment
Section 105(a)(7)(B) of MACRA specifies that when a violation
occurs, the assessment is to be calculated based on the number of
affected individuals who are entitled to, or enrolled in, benefits
under part A of title XVIII of the Act, or enrolled in part B of such
title. Assessments can be up to $100 per affected individual, but,
given the broad discretion in establishing some lesser amount, we
looked to part 402 as a model for proposing aggravating and mitigating
circumstances that would be considered when calculating the assessment
amount per impacted individual. However, violations under section
105(a)(7)(B) of MACRA are considered point-in-time violations, not
continuing violations.
Number of Individuals
We proposed at Sec. 401.719(d)(5)(i) that CMS will calculate the
amount of the assessment of up to $100 per individual entitled to, or
enrolled in part A of title XVIII of the Act and/or enrolled in part B
of such title whose data was implicated in the violation.
We generally proposed to determine the number of potentially
affected individuals by looking at the number of beneficiaries whose
Medicare claims information was provided either by CMS to the qualified
entity or by the qualified entity to the authorized user in the form of
individually identifiable or de-identified data sets that were
potentially affected by the violation.
We proposed that a single beneficiary, regardless of the number of
times their information appears in a singular non-public report or
dataset, would only count towards the calculation of an assessment for
a violation once. For qualified entities that provide or sell subsets
of the dataset that CMS provided to them, combined information, or non-
public analyses, we proposed to require that the qualified entity
provide the Secretary with an accurate number of beneficiaries whose
data was sold or provided to the authorized user and, thereby,
potentially affected by the violation. In those instances in which the
qualified entity is unable to establish a reliable number of
potentially affected beneficiaries, we proposed to impose the
assessment based on the total number of beneficiaries that were
included in the data set(s) that was/were transferred to the qualified
entity under the CMS DUA.
Assessment Amount per Impacted Individual
As noted above, MACRA allows an assessment in the amount of up to
$100 per potentially affected individual. We therefore proposed to draw
on 42 CFR part 402 to specify the factors and circumstances that will
be considered in determining the assessment amount per potentially
affected individual.
We proposed at Sec. 401.719(d)(5)(i)(A) that the following basic
factors be considered in establishing the assessment amount per
potentially affected individual: (1) The nature and extent of the
violation; (2) the nature and extent of the harm or potential harm
resulting from the violation; and (3) the degree of culpability and
history of prior violations.
In addition, in considering these basic factors and determining the
amount of the assessment per potentially affected individual, we
proposed to take into account certain aggravating and mitigating
circumstances.
We proposed at Sec. 401.719(d)(5)(i)(B)(1) that CMS consider
certain aggravating circumstances in determining the amount per
potentially affected individual, including the following: Whether there
were several types of violations, occurring over a lengthy period of
time; whether there were many violations or the nature and
circumstances indicate a pattern of violations; and whether the nature
of the violation had the potential or actually resulted in harm to
beneficiaries.
In addition, we proposed at Sec. 401.719(d)(5)(i)(B)(2) that CMS
take into account certain mitigating circumstances in determining the
amount per potentially affected individual, including the following:
Whether the violations subject to the imposition of an assessment were
few in number, of the same type, and occurring within a short period of
time, and/or whether the violation was the result of an unintentional
and unrecognized error and the qualified entity took corrective steps
immediately after discovering the error.
Comment: One commenter suggested that CMS allow the qualified
entity to take corrective action in the case of a minor violation.
Another commenter recommended that CMS impose a limit on the assessment
amount because not specifying a maximum assessment amount could create
a barrier to entry for entities interested in the program. One
commenter stated they supported the statutorily set assessment of $100
per affected individual because it creates a strong incentives for
excellent data security.
Response: We recognize the need for a corrective action process and
have already established one at Sec. 401.719(d)(1) through (3) that
applies regardless of the amount of the assessment. We appreciate
commenters concerns about creating a barrier for entry, but agree that
allowing for an assessment of up to $100 per affected individual
creates strong incentives for the qualified entity to ensure the
privacy and security of the Medicare data. We believe the basic,
aggravating, and mitigating circumstances provide CMS with the
flexibility to set the assessment value appropriately given the nature
of the violation and the qualified entity's history with violations.
3. Notice of Determination
We looked to the relevant provisions in 42 CFR part 402 and Section
1128A of the Act to frame proposals regarding the specific elements
that would be included in the notice of determination. To that end, we
proposed at Sec. 401.719(d)(5)(ii) that the Secretary would provide
notice of a determination to a qualified entity by certified mail with
return receipt requested. The notice of determination would include
information on (1) the assessment amount, (2) the statutory and
regulatory bases for the assessment, (3) a description of the
violations upon which the assessment was proposed, (4) information
concerning response to the notice, and (5) the means by which the
qualified entity must pay the assessment if they do not intend to
request a hearing in accordance with procedures established at Section
1128A of the Act and implemented in 42 CFR part 1005. We did not
receive any comments on this proposal so are finalizing it without
modification.
4. Failure To Request a Hearing
We also looked to the relevant provisions in 42 CFR part 402 and
section 1128A of the Act to inform our proposals regarding what happens
when a hearing is not requested.
[[Page 44470]]
We proposed at Sec. 401.719(d)(5)(iii) that an assessment will
become final if a qualified entity does not request a hearing within 60
days of receipt of the notice of the proposed determination. At this
point, CMS would impose the proposed assessment. CMS would notify the
qualified entity, by certified mail with return receipt, of the
assessment and the means by which the qualified entity may pay the
assessment. Under these proposals, a qualified entity would not have
the right to appeal an assessment unless it has requested a hearing
within 60 days of receipt of the notice of the proposed determination.
We did not receive any comments on these proposals so are finalizing
them without modification.
5. When an Assessment Is Collectible
We again looked to the relevant provisions in 42 CFR part 402 and
section 1128A of the Act to inform our proposed policies regarding when
an assessment becomes collectible.
We proposed at Sec. 401.719(d)(5)(iv) that an assessment becomes
collectible after the earliest of the following situations: (1) On the
61st day after the qualified entity receives CMS's notice of proposed
determination under Sec. 401.719(d)(5)(ii), if the entity does not
request a hearing; (2) immediately after the qualified entity abandons
or waives its appeal right at any administrative level; (3) 30 days
after the qualified entity receives the Administrative Law Judge's
(ALJ) decision imposing an assessment under Sec. 1005.20(d), if the
qualified entity has not requested a review before the Department
Appeal Board (DAB); or (4) 60 days after the qualified entity receives
the DAB's decision imposing an assessment if the qualified entity has
not requested a stay of the decision under Sec. 1005.22(b). We did not
receive any comments on this proposal so are finalizing it without
modification.
6. Collection of an Assessment
We also looked to the relevant provisions in 42 CFR part 402 and
section 1128A of the Act in framing our proposals regarding the
collection of an Assessment.
We proposed at Sec. 401.719(d)(5)(v) that CMS be responsible for
collecting any assessment once a determination is made final by HHS. In
addition, we proposed that the General Counsel may compromise an
assessment imposed under this part, after consulting with CMS or Office
of Inspector General (OIG), and the Federal government may recover the
assessment in a civil action brought in the United States district
court for the district where the claim was presented or where the
qualified entity resides. We also proposed that the United States may
deduct the amount of an assessment when finally determined, or the
amount agreed upon in compromise, from any sum then or later owing the
qualified entity. Finally, we proposed that matters that were raised or
that could have been raised in a hearing before an ALJ or in an appeal
under section 1128A(e) of the Act may not be raised as a defense in a
civil action by the United States to collect an assessment. We did not
receive any comments on these proposals so are finalizing them without
modification.
F. Termination of Qualified Entity Agreement
We proposed at Sec. 401.721(a)(7) that CMS may unilaterally
terminate the qualified entity's agreement and trigger the data
destruction requirements in the CMS DUA if CMS determines through our
monitoring program at Sec. 401.717(a) and (b) that a qualified entity
or its contractor fails to monitor authorized users' compliance with
the terms of their QE DUAs or non-public analysis use agreements. We
stated in the proposed rule that we believe this proposed provision is
consistent with the intent of MACRA to ensure the protection of data
and analyses provided by qualified entities to authorized users under
this subpart.
Comment: One commenter stated that CMS should have a violation
corrections period prior to terminating a qualified entity. Another
commenter recommended that CMS carefully monitor all aspects of the
qualified entity program and related authorized user activities to
minimize the risk of unintended consequences.
Response: We currently have a process in place to require qualified
entities to develop a corrective action plan or to put qualified
entities on a special monitoring plan if we determine that the
qualified entity violated any terms of the program. In addition, we
already have a number of mechanisms in place to monitor qualified
entities participating in the program including audits, site visits,
and required reporting. We believe the additional annual reporting
elements described above will ensure that we can continue to monitor
qualified entities appropriately given the changes to the program. As a
result, we are finalizing our proposed language on termination of a
qualified entity's agreement at Sec. 401.721(a)(7).
G. Additional Data
Section 105(c) of MACRA expands, at the discretion of the
Secretary, the data that the Secretary may make available to qualified
entities, including standardized extracts of claims data under titles
XIX (Medicaid) and XXI (the Children's Health Insurance Program, CHIP)
for one or more specified geographic areas and time periods as may be
requested by the qualified entity. However, due to issues involving
Medicaid data submitted to CMS, including lack of data timeliness and
overall data quality, we proposed not to expand the data available to
qualified entities from CMS and instead suggested that qualified
entities would be better off seeking Medicaid and/or CHIP data through
the State Medicaid Agencies.
Comment: Many commenters recommended that CMS expand the data
available to qualified entities to include Medicaid and CHIP data.
These commenters noted the additional burden of having to request the
data from each state individually. On the other hand, one commenter
stated that they agreed with CMS' proposal not to expand access to
Medicaid and/or CHIP data.
Response: As some commenters noted, we have been working with
states to transform our Medicaid Statistical Information System (MSIS)
to address concerns regarding data timeliness and quality. This is
essential for the Medicaid program to keep pace with the data needed to
improve quality of care, track enrollment and utilization of services,
improve program integrity, and support states and other stakeholders
need for information about Medicaid and CHIP. This new data set is
known as Transformed MSIS (T-MSIS). The T-MSIS data set contains
enhanced information about beneficiary eligibility, beneficiary and
provider enrollment, service utilization, claims and managed care data,
and expenditure data for Medicaid and CHIP. We are currently working
with states to help them transition from MSIS to T-MSIS.
We recognize commenters' interest in accessing Medicaid and CHIP
data from CMS rather than going to each state individually. We believe
that T-MSIS can create a framework for CMS collection of Medicaid and
CHIP data that addresses many of the concerns about the timeliness and
quality of the MSIS data that we raised in the proposed rule. As a
result, we anticipate future rulemaking to make Medicaid and CHIP data
available to qualified entities when the T-MSIS data becomes available
and is determined to be of sufficient quality for use in public
provider performance reporting.
Comment: One commenter suggested that CMS also allow qualified
entities to
[[Page 44471]]
request access to Medicare Advantage data.
Response: We believe section 1874(e)(3) of the Act only allows for
the disclosure of Medicare claims data under Parts A, B, and D, as well
as Medicaid and/or CHIP claims data.
H. Qualified Clinical Data Registries
Section 105(b) of MACRA allows qualified clinical data registries
to request access to Medicare data for the purposes of linking the data
with clinical outcomes data and performing risk-adjusted,
scientifically valid analyses, and research to support quality
improvement or patient safety. The CMS research data disclosure
policies already allow qualified clinical data registries to request
Medicare data for research purposes. More information on accessing CMS
data for research can be found on the ResDAC Web site at
www.resdac.org. Given the existing research request processes and
procedures, we proposed not to adopt any new policies or procedures
regarding qualified clinical data registries' access to Medicare claims
data for quality improvement or patient safety analyses.
Comment: Several commenters recommended that CMS offer qualified
clinical data registries an alternative path to the research request
process to allow them to access CMS data for quality improvement and
patient safety activities. Commenters stated that qualified clinical
data registries need data to conduct quality improvement activities
that will improve patient care and that, in many cases, this work is
not consistent with the research request process requirement that the
work to contribute to generalizable knowledge.
Response: We recognize that the research request pathway may not be
consistent with types of analyses qualified clinical data registries
envision conducting using the CMS data. As a result, we are modifying
the regulations to allow qualified clinical data registries to serve as
quasi-qualified entities, provided the qualified clinical data registry
agrees to meet all the requirements in this subpart with the exception
of the requirement at Sec. 401.707(d) that the organization submit
information about the claims data it possesses from other sources. In
addition, for the purposes of qualified clinical data registries acting
as quasi qualified entities under the qualified entity program
requirements, we define combined data as, at a minimum, a set of CMS
claims data provided under subpart G combined with clinical data or a
subset of clinical data. Since the language at section 105(b) of MACRA
does not reference section 1874(e)(4)(d) of the Act, which provides
parameters for the definition of combined data for the purposes of the
qualified entity program, we do not believe these requirements for
combined data apply to qualified clinical data registries serving as
quasi qualified entities.
We believe that the requirements of the qualified entity program,
which was created to allow for provider performance reporting, also
create an appropriate framework for qualified clinical data registries
to conduct analyses to support quality improvement and patient safety.
In addition, we believe that the new parameters of the qualified entity
program, discussed in detail above, would allow qualified clinical data
registries to work directly with providers and suppliers on issues
related to quality improvement and patient safety. Qualified clinical
data registries could also elect to become qualified entities and work
with providers and suppliers in accordance with applicable laws to
develop new quality measures in the context of nonpublic analyses that
could then be used across the healthcare system to measure provider and
supplier performance.
Comment: Several commenters suggested that CMS make the Social
Security Death Master File available to qualified clinical data
registries to allow for enhanced accuracy of patient outcomes
information.
Response: We recognize that death information is a key aspect of
analyses of patient outcomes, but CMS does not have the authority to
disclose the Social Security Death Master File to qualified clinical
data registries. However, CMS has date of death information for
Medicare patients and we include this date of death information on the
data files that are shared with qualified entities and those that would
be shared with qualified clinical data registries.
I. Other Comments
We received several additional suggestions for improvements to the
program regarding topics that were not specifically discussed in the
preamble to the proposed rule.
Comment: Several commenters raised issues related to qualified
entity application process. One commenter suggested CMS make the
application process and costs for becoming a qualified entity more
transparent. A few commenters suggested that CMS offer qualified
entities better technical assistance on the security certification step
of the approval process. One commenter recommended that CMS streamline
the application process for applicants that already have certifications
or accreditations that demonstrate a high level of security.
Response: We thank commenters for their feedback on the qualified
entity application process. We believe the issues raised by commenters
on this topic are outside the scope of this final rule. However, we are
always looking for ways to improve the program and will take these
comments into consideration.
Comment: Some commenters addressed general program requirements of
the qualified entity program. One commenter suggested that qualified
entities that focus on certain clinical conditions should not have to
meet the same threshold for amount of other claims data. Another
commenter recommended that CMS allow state-level public reporting in
the qualified entity program. A few commenters stated that CMS should
provide qualified entities with access to timelier Medicare data. One
commenter stated that some of the existing provisions in the CMS DUA
conflict with requirements in HIPAA, specifically the requirement to
destroy data if and when an organization leaves the program.
Response: We have not established a threshold for the minimum
amount of other claims an organization needs to become a qualified
entity. Instead, we ask applicants to explain how the data they do have
for use in the qualified entity program will be adequate to address
concerns about sample size and reliability that have been expressed by
stakeholders regarding the calculation of performance measures from a
single payer source. Each application is evaluated on its collective
merit, including the amount of claims data from other sources, and its
explanation of why that data in combination with the requested Medicare
data is adequate for the stated purposes of the program.
We also do not prohibit qualified entities from publicly reporting
their findings regarding provider and supplier performance at the
state-level. Qualified entities are allowed to report on providers and
suppliers at any level for which the measures can be used, provided the
statutory and regulatory requirements are met, including that no
patient information is disclosed.
We currently make data available to qualified entities on quarterly
basis. We believe the timeliness of this data strikes the right balance
between data completeness and data timeliness.
Finally, we do not believe that requirements in the CMS DUA are
inconsistent with HIPAA. We use a very similar DUA to share data with
HIPAA-
[[Page 44472]]
covered providers and suppliers who are participating in Innovation
Center models. We do recognize that some qualified entities may have
trouble incorporating the Medicare data into their data systems because
they may not be able to ensure the destruction of this data once it is
linked with other data maintained by the qualified entity. However, we
believe that requiring destruction of the data if a qualified entity
leaves the program is important for ensuring the privacy and security
of CMS data.
Comment: One commenter suggested that CMS clarify how FOIA may or
may not apply to data or reports submitted by qualified entities.
Another commenter recommended that CMS clarify how the changes to the
qualified entity program intersect with other statutory and regulatory
requirements.
Response: As we noted above, any information that we collect from
qualified entities is subject to FOIA. However, any time we receive a
request for information under FOIA, we always evaluate whether the
information is subject to one of the FOIA exemptions, including
Exemption 4, which protects commercial or financial information that is
privileged and confidential.
We are not able to address the breadth and scope of laws with which
the qualified entity program requirements may intersect in this rule.
Such analyses require case-by-case assessment of the facts at hand, and
depending on jurisdiction, may vary based on which state laws apply.
Entities should consult with their legal counsel to advise them on what
laws apply to them, and to what effect.
Comment: One commenter suggested that the release of Part D data to
qualified entities should be tailored to protect the viability of the
Part D program.
Response: We are committed to ensuring that commercially sensitive
information from the Part D program is protected. As we stated in the
previous final rule on the qualified entity program, published on
December 7, 2011, we are aware of the concerns related to, and
restrictions governing the release of certain Part D drug cost
information. Due to these concerns, we only release the Total Drug Cost
element to qualified entities. We do not release the four subcomponents
of drug cost: Ingredient cost, dispensing fee, vaccine administration
fee, and total amount attributable to sales tax.
Comment: One commenter stated that the rule does not address how
states that have all payer claims databases (APCDs) can access Medicare
data.
Response: We do not believe that state APCDs are prohibited from
becoming qualified entities. However, state APCDs with an interest in
conducting research rather than provider performance reporting can also
request data from CMS via the research request process. Organizations
interested in accessing CMS data for research should visit
www.resdac.org.
Comment: One commenter stated that CMS should adopt a new version
of the claims form that includes a field for unique device identifiers.
Response: This comment is outside the scope of the qualified entity
rule. That said, CMS uses claims that comply with the HIPAA standard
transactions regulations (45 CFR part 162). Any changes to forms would
be achieved through rulemaking under those provisions.
Comment: Several commenters stated that they had concerns about the
security of the Medicare data.
Response: We are committed to ensuring the privacy and security of
all data and we believe the existing and new program requirements
create an appropriate framework for maintaining the security of data
disclosed to qualified entities. Organizations applying to become
qualified entities currently go through a rigorous security review
during the application process. In addition, we monitor qualified
entities closely to ensure that they continue to maintain appropriate
data security standards once approved. As discussed above, we have also
established data security protections that qualified entities must meet
when sharing data with authorized users, including a requirement that
the authorized user report any breaches to the qualified entity (and
that the qualified entity report the breaches to CMS).
Comment: Several commenters recommended that CMS clarify that
organizations already approved as qualified entities would be allowed
to begin using the Medicare data for the uses described in this final
rule, regardless of whether the qualified entity has generated a public
report.
Response: We would like to clarify that once these regulations
become effective, organizations approved as qualified entities will be
allowed to use the Medicare data to create non-public analyses and
provide or sell such analyses to authorized users, as well provide or
sell combined data, or provide Medicare claims data alone at no cost,
to certain authorized users. However, we believe that public reporting
is a very important aspect of participation in the qualified entity
program and would like to remind qualified entities about the provision
at Sec. 401.709(d) which requires qualified entities to produce public
reports at least annually.
III. Provisions of the Final Rule
For the most part, this final rule incorporates the provisions of
the proposed rule. Those provisions of this final rule that differ from
the proposed rule are as follows:
We modified the definition of authorized user at Sec.
401.703(j) to: Include a federal agency, change the term ``state
agency'' to ``state entity'' to provide additional clarity, and include
any contractors (or business associates) that need analyses or data to
carry out work on behalf of authorized user third parties.
We modified the definition of hospital association at
Sec. 401.703(n) to include organizations or associations at the local
level.
At Sec. 401.703(r), we modified the definition of patient
to extend the window for a face-to-face or telehealth appointment to at
least once in the past 24 months.
We added activities that qualify as treatment under 45 CFR
164.501 to permitted uses of the data subject to the QE DUA.
We modified the terms of the QE DUA to permit authorized
users to re-disclose data subject to the QE DUA as a covered entity
would be permitted to disclose PHI for treatment activities, as allowed
under 45 CFR 164.506(c)(2).
At Sec. 401.716(b)(2), we modified the requirements to
clarify that a qualified entity may not provide or sell a non-public
analysis to an issuer for a geographic area where the issuer does not
provide coverage and, thus, does not have any covered lives to
contribute to the analyses.
At Sec. 401.716(b)(4)(iii), we allowed for the disclosure
of non-public analyses that individually identify a provider or
supplier if every provider or supplier identified in the analysis has
notified the qualified entity that analyses may be disclosed to that
authorized user without prior review by the provider or supplier.
We added a procedural step to the review and error
correction process for non-public analyses at Sec. 401.717(f) to
include confidential notification of the provider or supplier.
We added a new provision at Sec. 401.722(a) to allow a
qualified clinical data registry that agrees to meet the requirements
in this subpart, with the exception of the requirement to submit
information on the claims data from other sources it possesses, to
request
[[Page 44473]]
access to Medicare data as a quasi-qualified entity.
IV. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995, we are required to
provide 30-day notice in the Federal Register and solicit public
comment before a collection of information requirement is submitted to
the Office of Management and Budget (OMB) for review and approval. In
order to fairly evaluate whether an information collection should be
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act
of 1995 requires that we solicit comment on the following issues:
The need for the information collection and its usefulness
in carrying out the proper functions of our agency.
The accuracy of our estimate of the information collection
burden.
The quality, utility, and clarity of the information to be
collected.
Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
We solicited public comment on each of these issues for the
following sections of this document that contain information collection
requirements (ICRs).
Proposed Sec. 401.718(c) and Sec. 401.716(b)(2)(ii) require a
qualified entity to enter into a QE DUA with an authorized user prior
to providing or selling data or selling a non-public analyses that
contains individually identifiable beneficiary information. Proposed
Sec. 401.713(d) requires specific provisions in the QE DUA. Proposed
Sec. 401.716(c) requires a qualified entity to enter into a non-public
analyses agreement with the authorized user as a pre-condition to
providing or selling de-identified analyses. We estimate that it will
take each qualified entity a total of 40 hours to develop the QE DUA
and non-public analyses agreement. Of the 40 hours, we estimate it will
take a professional/technical services employee with an hourly labor
cost of $75.08 a total of 20 hours to develop both the QE DUA and non-
public analyses agreement and estimate that it will require a total of
20 hours of legal review at an hourly labor cost of $77.16 for both the
QE DUA and non-public analyses agreement. We also estimate that it will
take each qualified entity 2 hours to process and maintain each QE DUA
or non-public analyses agreement with an authorized user by a
professional/technical service employee with an hourly labor cost of
$75.08. While there may be two different staff positions that perform
these duties (one that is responsible for processing the QE DUAs and/or
non-public analyses agreement and one that is responsible for
maintaining the QE DUA and/or non-public analyses agreement), we
believe that both positions would fall under the professional/technical
services employee labor category with an hourly labor cost of $75.08.
There are currently 15 qualified entities; however we estimate that
number will increase to 20 if these proposals are finalized. This
number includes qualified entities and ``quasi qualified entities''
(meaning qualified clinical data registries that are approved under
Sec. 401.722(a) as described in this preamble), which we hereinafter
collectively refer to as ``qualified entity''. This would mean that to
develop each QE DUA and non-public analysis agreement, the burden cost
per qualified entity would be $3,045 with a total estimated burden for
all 15 qualified entities of $45,675. This does not include the two
hours to process and maintain each QE DUA.
As discussed in the regulatory impact analysis below, we estimate
that each qualified entity would need to process and maintain 70 QE
DUAs or non-public analyses agreements as some authorized users may
receive both datasets and a non-public analyses and would only need to
execute one QE DUA. We estimate that it will take each qualified entity
2 hours to process and maintain each QE DUA or non-public analyses
agreement. This would mean the burden cost per qualified entity to
process and maintain 70 QE DUAs or non-public analyses agreements would
be $10,511 with a total estimated burden for all 15 qualified entities
of $157, 668. While we anticipate that the requirement to create a QE
DUA and/or non-public analyses agreement will only be incurred once by
a qualified entity, we believe that the requirement to process and
maintain the QE DUAs and/or non-public analyses will be an ongoing
cost.
These regulations would also require a qualified entity to submit
additional information as part of its annual report to CMS. A qualified
entity is currently required to submit an annual report to CMS under
Sec. 401.719(b). Proposed Sec. 401.719(b)(3) and (4) provide for
additional reporting requirements if a qualified entity chooses to
provide or sell analyses and/or data to authorized users. The burden
associated with this requirement is the time and effort necessary to
gather, process, and submit the required information to CMS. As noted
above, there are currently 15 qualified entities; however we estimate
that number will increase to 20 if these proposals are finalized. Some
qualified entities may not want to bear the risk of the potential
assessments and have been able to accomplish their program goals under
other CMS data sharing programs, therefore some qualified entities may
not elect to provide or sell analyses and/or data to authorized users.
As a result, we estimate that 15 qualified entities will choose to
provide or sell analyses and/or data to authorized users, and
therefore, would be required to comply with these additional reporting
requirements within the first three years of the program. We further
estimate that it would take each qualified entity 50 hours to gather,
process, and submit the required information. We estimate that it will
take each qualified entity 34 hours to gather the required information,
15 hours to process the information, and 1 hour to submit the
information to CMS. We believe a professional or technical services
employee of the qualified entity with an hourly labor cost of $75.08
will fulfill these additional annual report requirements. We estimate
that 15 qualified entities will need to comply with this requirement
and that the total estimated burden associated with this requirement is
$56,310. We requested comment on the type of employee and the number of
hours that will be needed to fulfill these additional annual reporting
requirements.
As a reminder, the final rule for the qualified entity program,
published December 7, 2011, included information about the burden
associated with the provisions in that rule. Specifically, Sec. Sec.
401.705 through 401.709 provide the application and reapplication
requirements for qualified entities. The burden associated with these
requirements is currently approved under OMB control number 0938-1144
with an expiration date of May 31, 2018. This package accounts for 35
responses. Section 401.713(a) states that as part of the application
review and approval process, a qualified entity would be required to
execute a DUA with CMS, that among other things, reaffirms the
statutory bar on the use of Medicare data for purposes other than those
referenced above. The burden associated with executing this DUA is
currently approved under OMB control number 0938-0734 with an
expiration date of December 31, 2017. This package accounts for 9,240
responses (this package covers all CMS DUAs, not only DUAs under the
qualified entity program). We currently have 15 qualified entities and
estimate it will increase to 20 so we have not surpassed the previously
approved numbers.
We based the hourly labor costs on those reported by the Bureau of
Labor
[[Page 44474]]
Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce for
this labor category. We used the annual rate for 2014 and added 100
percent for overhead and fringe benefit costs.
Table 1--Collection of Information
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hourly
Number of Burden per Total labor cost Total labor
Regulation section(s) OMB Control No. Number of responses response annual of cost of Total cost
respondents per (hours) burden reporting reporting ($)
respondent (hours) ($) * ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec. 401.718, Sec. 401.716, and 0938 New............... 15 1 20 300 75.08 22,524 22,524
Sec. 401.713 (DUA and non-public
analyses agreement Development).
Sec. 401.718 and Sec. 401.716 0938 New............... 15 1 20 300 77.16 23,148 23,148
(Legal Review).
Sec. 401.718 and Sec. 401.716 0938 New............... 15 70 2 2,100 75.08 157,668 157,668
(Processing and Maintenance).
Sec. 401.719(b)................... 0938 New............... 15 1 50 750 75.08 56,310 56,310
------------------------------------------------------------------------------------------
Total........................... ....................... 15 73 ........... 3,450 ........... ........... 259,650
--------------------------------------------------------------------------------------------------------------------------------------------------------
* The values listed are based on 100 percent overhead and fringe benefit calculations.
Note: There are no capital/maintenance costs associated with the information collection requirements contained in this rule; therefore, we have removed
the associated column from Table 1.
If you comment on these information collection and recordkeeping
requirements, please submit your comments to the Office of Information
and Regulatory Affairs, Office of Management and Budget,
Attention: CMS Desk Officer, CMS-5061-F
Fax: (202) 395-6974; or
Email: [email protected]
V. Regulatory Impact Statement
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
A. Response to Comments
We received a few comments on the anticipated effects of these
modifications to the qualified entity program.
Comment: One commenter suggested that it would take each qualified
entity an estimated 60 hours to develop and review the QE DUA and non-
public analyses agreement. Of those 60 hours, 30 hours would be to
develop the QE DUA and non-public analyses agreement and 30 would be
needed for legal review. In addition, the commenter estimated that it
would take each qualified entity 3 hours to process and maintain each
QE DUA and non-public analyses agreement.
Response: In the proposed rule, we estimated that it would take
each qualified entity 40 hours to develop and review the QE DUA and
non-public analyses agreement. Of those 40 hours, 20 hours would be
needed to develop the QE DUA and non-public analyses agreement and 20
hours would be needed for legal review. We also estimated that it would
take 2 hours to process and maintain each QE DUA and non-public
analyses agreement. We recognize that some qualified entities may spend
more hours than other qualified entities to develop, process, and
maintain QE DUAs and non-public analyses agreements. For example, some
qualified entities may spend 60 hours to develop the QE DUA and non-
public analyses agreement and other qualified entities will spend 30
hours. However, we believe that 40 hours to develop the QE DUA and the
non-public analyses agreement and 2 hours to process each QE DUA and
the non-public analyses agreement is a reasonable average.
Comment: We received a few comments about the impact on providers
and suppliers. One commenter suggested that CMS reconsider the
assumption that all 1500 small rural hospitals would not be impacted by
this rule and that the 3 hour average estimate for providers and
suppliers to review non-public analyses appears too low. Another
commenter suggested that CMS monitor provider burden as expanded data
access unfolds and the number of qualified entities and authorized
users begin to grow.
Response: We appreciate commenters' concerns about the potential
impact on providers and suppliers. As discussed above in section
II.A.4, we made procedural changes to the proposed review and
corrections process for non-public analyses in order to reduce burden
to both qualified entities and providers and suppliers. As a first step
of the review and correction process, the qualified entity would be
required to notify the provider or supplier that analyses that
individually identify the provider or supplier are going to be released
to an authorized user and allow the provider or supplier to opt-in to
the review and corrections process at Sec. 401.717(a) through (e).
This notification should include a short summary of the analyses, the
process for the provider or supplier to request the analyses, and the
date on which the qualified entity will release the analyses to the
authorized user. This date should be at least 65 calendar days from the
date the provider or supplier is notified of the analyses.
Given these procedural changes to the review and corrections
process in the context of the non-public analyses, we believe that the
3 hours average estimate for providers and suppliers to review non-
public analyses is a sufficient estimate of provider and supplier
burden. This average takes into account the range of potential cases
given the new review and corrections process. In some cases, for
example, notification may be sufficient to meet the needs of providers
or suppliers. In other cases, however, where the analyses are similar
to previous analyses or use data the provider or supplier has already
corrected, the provider or supplier may choose not to review the
analyses. In addition, as discussed in the proposed rule, even if a
provider or supplier requests the non-public analyses, there will be
variability in the amount of time providers or suppliers will need for
the review and corrections process.
As discussed in the proposed rule, we do not anticipate this rule
will have a significant impact on the operations of a substantial
number of small rural hospitals because we anticipate that most
qualified entities will focus their performance evaluation efforts on
metropolitan areas where the majority of health services are provided.
In addition, given the limited number of health services provided in
rural regions, we anticipate that any analyses that included rural
regions would not individually identify the providers or suppliers, but
rather focus on regional or state metrics. As suggested by a commenter,
we will monitor provider burden as the number of qualified
[[Page 44475]]
entities grows and more non-public analyses are provided to authorized
users.
B. Overall Impact
We have examined the impacts of this rule as required by Executive
Order 12866 on Regulatory Planning and Review (September 30, 1993), the
Regulatory Flexibility Act (RFA) (September 19, 1980, 96), section
1102(b) of the Act, section 202 of the Unfunded Mandates Reform Act of
1995 (Pub. L. 104-4), Executive Order 13132 on Federalism (August 4,
1999), and the Congressional Review Act (5 U.S.C. 804(2)).
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). A regulatory impact
analysis (RIA) must be prepared for major rules with economically
significant effects ($100 million or more in any 1 year). For the
reasons discussed below, we estimate that the total impact of this
final rule will be less than $58 million and therefore, it will not
reach the threshold for economically significant effects and is not
considered a major rule.
The RFA requires agencies to analyze options for regulatory relief
of small businesses, if a rule has a significant impact on a
substantial number of small entities. For purposes of the RFA, we
estimate that most hospitals and most other providers are small
entities as that term is used in the RFA (including small businesses,
nonprofit organizations, and small governmental jurisdictions).
However, since the total estimated impact of this rule is less than
$100 million, and the total estimated impact will be spread over 82,500
providers and suppliers (who are the subject of reports), no one entity
will face significant impact. Of the 82,500 providers, we estimate that
78,605 will be physician offices that have average annual receipts of
$11 million and 4,125 will be hospitals that have average annual
receipts of $38.5 million. As discussed below, the estimated cost per
provider is $8,426 (see table 5 below) and the estimated cost per
hospital is $6,523 (see table 5 below). For both types of entities,
these costs will be a very small percentage of overall receipts. Thus,
we are not preparing an analysis of options for regulatory relief of
small businesses because we have determined that this rule will not
have a significant economic impact on a substantial number of small
entities.
For section 105(a) of MACRA, we estimate that two types of entities
may be affected by the additional program opportunities: Qualified
entities that choose to provide or sell non-public analyses or data to
authorized users; and providers and suppliers who are identified in the
non-public analyses create by qualified entities and provided or sold
to authorized users.
We anticipate that most providers and suppliers that may be
identified in qualified entities' non-public analyses will be hospitals
and physicians. Many hospitals and most other healthcare providers and
suppliers are small entities, either by being nonprofit organizations
or by meeting the Small Business Administration definition of a small
business (having revenues of less than $38.5 million in any 1 year)
(for details see the Small Business Administration's Web site at
https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf
(refer to the 620000 series). For purposes of the RFA, physicians are
considered small businesses if they generate revenues of $11 million or
less based on Small Business Administration size standards.
Approximately 95 percent of physicians are considered to be small
entities.
The analysis and discussion provided in this section and elsewhere
in this final rule complies with the RFA requirements. Because we
acknowledge that many of the affected entities are small entities, the
analysis discussed throughout the preamble of this final rule
constitutes our regulatory flexibility analysis for the remaining
provisions and addresses comments received on these issues.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis, if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. Any
such regulatory impact analysis must conform to the provisions of
section 604 of the RFA. For purposes of section 1102(b) of the Act, we
define a small rural hospital as a hospital that is located outside of
a metropolitan statistical area and has fewer than 100 beds. We do not
believe this final rule has impact on significant operations of a
substantial number of small rural hospitals because we anticipate that
most qualified entities will focus their performance evaluation efforts
on metropolitan areas where the majority of health services are
provided. As a result, this rule will not have a significant impact on
small rural hospitals. Therefore, the Secretary has determined that
this final rule will not have a significant impact on the operations of
a substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any 1 year of $100
million in 1995 dollars, updated annually for inflation. In 2016, that
threshold is approximately $146 million. This final rule will not
impose spending costs on state, local, or tribal governments in the
aggregate, or by the private sector, of $146 million or more.
Specifically, as explained below we anticipate the total impact of this
rule on all parties to be approximately $58 million.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on State
and local governments, preempts State law, or otherwise has Federalism
implications. We have examined this final rule in accordance with
Executive Order 13132 and have determined that this regulation will not
have any substantial direct effect on State or local governments,
preempt States, or otherwise have a Federalism implication.
C. Anticipated Effects
1. Impact on Qualified Entities
Because section 105(a) of MACRA allows qualified entities to use
the data in new ways to provide or sell non-public analyses or data to
authorized users, there is little quantitative information to inform
our estimates on the number of analyses and datasets that the qualified
entity costs may provide or sell or on the costs associated with the
creation of the non-public analyses or datasets. Therefore, we look to
the estimates from the original qualified entity rules to estimate the
number of hours that it may take to create non-public analyses, to
process provider/supplier appeals and revisions, and to complete annual
reports. We also looked to the Centers for Medicare and Medicaid's cost
of providing data to qualified entities since qualified entities' data
fees are equal to the government's cost to make the data available.
There are currently 15 qualified entities and these qualified
entities all are in different stages of the qualified entity program.
For example, some qualified entities have released public reports and
some qualified entities are
[[Page 44476]]
still completing the security requirements in order to receive Medicare
data. Given the requirements in the different phases and the current
status of the qualified entities, we estimate that 11 qualified
entities will be able to provide or sell analyses and/or data to
authorized users within the first year of the program, and therefore,
will be incurring extra costs. As discussed above, we believe the total
number of qualified entities will ultimately grow to 20 in subsequent
years, with 15 entities providing or selling analyses and/or data to
authorized users. In estimating qualified entity impacts, we used
hourly labor costs in several labor categories reported by the Bureau
of Labor Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual rates for 2014 and added
100 percent for overhead and fringe benefit costs. These rates are
displayed in Table 2.
Table 2--Labor Rates for Qualified Entity Impact Estimates
----------------------------------------------------------------------------------------------------------------
2014 Hourly
wage rate OH and fringe Total hourly
(BLS) (100%) costs
----------------------------------------------------------------------------------------------------------------
Professional and technical services............................. $37.54 $37.54 $75.08
Legal review.................................................... 38.58 38.58 77.16
Custom computer programming..................................... 43.05 43.05 86.10
Data processing and hosting..................................... 34.02 34.02 68.04
Other information services...................................... 39.72 39.72 79.44
----------------------------------------------------------------------------------------------------------------
We estimate that within the first year that 11 qualified entities
will provide or sell on average 55 non-public analyses or provide or
sell 35 datasets. We do not believe the number of datasets and non-
public analyses per qualified entity will change in future years of the
program.
In the original proposed rule for the qualified entity program (76
FR 33566), we estimated that each qualified entities' activities to
analyze the Medicare claims data, calculate performance measures and
produce public provider performance reports will require 5,500 hours of
effort per qualified entity. We anticipate under this final rule that
implements section 105(a) of MACRA that qualified entities will base
the non-public analyses on their public performance reports. Therefore,
the creation of the non-public analyses will require much less effort
and only require a fraction of the time it takes to produce the public
reports. We estimate that a qualified entity's activities for each non-
public analysis to analyze the Medicare claims data, calculate
performance measures, and produce the report will require 320 hours,
between five and six percent of the time to produce the public reports.
We anticipate that half of this time will be spent on data analysis,
measure calculation, and report creation and the other half on data
processing.
We anticipate that within the first year of the program a qualified
entity will, on average, provide one-year datasets containing all data
types for a cohort of 750,000 to 1.75 million beneficiaries to 35
authorized users. We estimate that it will require 226 hours to create
each dataset that will be provided to an authorized user. We looked to
the Centers for Medicare and Medicaid Centers' data costs and time to
estimate a qualified entity's costs and time to create datasets. While
the majority of the time will be devoted to computer processing, we
anticipate about 100 hours will be spent on computer programming,
particularly if the qualified entity is de-identiying the data.
We further estimate that, on average, each qualified entity will
expend 7,500 hours of effort processing providers' and suppliers'
appeals of their performance reports and producing revised reports,
including legal review of the appeals and revised reports. These
estimates assume that, as discussed below in the section on provider
and supplier impacts, on average 25 percent of providers and suppliers
will appeal their results from a qualified entity. Responding to these
appeals in an appropriate manner will require a significant investment
of time on the part of qualified entities. This equates to an average
of four hours per appeal for each qualified entity. These estimates are
similar to those in the Qualified Entities final rule. We assume that
the complexity of appeals will vary greatly, and as such, the time
required to address them will also vary greatly. Many appeals may be
able to be dealt with in an hour or less while some appeals may require
multiple meetings between the qualified entity and the affected
provider or supplier. On average, however, we believe that this is a
reasonable estimate of the burden of the appeals process on qualified
entities. We discuss the burden of the appeals process on providers and
suppliers below.
We estimate that each qualified entity will spend 40 hours creating
a non-public analyses agreement template and a QE DUA. We also estimate
that it will take a qualified entity 2 hours to process a QE DUA or
non-public analyses agreement.
Finally, we estimate that each qualified entity will spend 50 hours
on the additional annual reporting requirements.
Qualified entities will be required to notify CMS of inappropriate
disclosures or use of beneficiary identifiable data pursuant to the
requirements in the CMS DUA. We believe that the report generated in
response to an inappropriate disclosure or use of beneficiary
identifiable data will be generated as a matter of course by the
qualified entities and therefore, will not require significant
additional effort. Based on the assumptions we have described, we
estimate the total impact on qualified entities for the first year of
the program to be a cost of $27,925,198.
[[Page 44477]]
Table 3--Impact on Qualified Entities for the First Year of the Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hours
-----------------------------------------------------
Data Labor Cost per Number of Number of Total cost
Activity Professional Computer processsing hourly cost authorized authorized qualified impact
and Legal programming and user users entities
technical hosting
--------------------------------------------------------------------------------------------------------------------------------------------------------
[Impact on Qualified Entities]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Dissemination of Data
--------------------------------------------------------------------------------------------------------------------------------------------------------
Data processing & hosting......... ............ ........... ........... 126 $68.04 $8,573 35 11 $3,300,620
Computer programming.............. ............ ........... 100 ........... 86.10 8,610 35 11 3,314,850
---------------------------------------------------------------------------------------------------------------------
Total: Dissemination of Data.. ............ ........... ........... ........... ........... ........... ........... ........... $6,615,470
--------------------------------------------------------------------------------------------------------------------------------------------------------
Non-Public Analyses
--------------------------------------------------------------------------------------------------------------------------------------------------------
Data analysis/measure calculation/ ............ ........... 160 ........... 86.10 13,776 55 11 8,334,480
report preparation...............
Data Processing and hosting....... ............ ........... ........... 160 68.04 10,886 55 11 6,586,272
---------------------------------------------------------------------------------------------------------------------
Total: Non-public Analyses.... ............ ........... ........... ........... ........... ........... ........... ........... 14,920,752
--------------------------------------------------------------------------------------------------------------------------------------------------------
Processing of Provider Appeals and Report Revision
--------------------------------------------------------------------------------------------------------------------------------------------------------
Qualified entity processing of 5,500 ........... ........... ........... 75.08 412,940 ........... 11 4,542,340
provider appeals and report
revision.........................
Qualified entity legal analysis of ............ 2,000 ........... ........... 77.16 154,320 ........... 11 1,697,520
provider appeals and report
revisions........................
---------------------------------------------------------------------------------------------------------------------
Total: Qualified entity ............ ........... ........... ........... ........... ........... ........... ........... 6,239,860
processing of provider
appeals and report revision..
--------------------------------------------------------------------------------------------------------------------------------------------------------
QE DUA and Non-Public Analyses Agreements
--------------------------------------------------------------------------------------------------------------------------------------------------------
QE DUA and Non-public analyses:
Development of the QE DUA and 20 ........... ........... ........... 75.08 1502 ........... 11 16,518
non-public analyses agreement
Legal review of the QE DUA and ............ 20 ........... ........... 77.16 1,543 ........... 11 16,975
non-public analyses agreement
Processing QE DUA and non- 2 ........... ........... ........... 75.08 150 70 11 115,623
public analyses agreement....
---------------------------------------------------------------------------------------------------------------------
Total QE DUA and non- ............ ........... ........... ........... ........... ........... ........... ........... 149,116
public analyses
agreements...............
Additional Annual Report 50 ........... ........... ........... 75.08 3,754 ........... 11 41,294
Requirements.................
---------------------------------------------------------------------------------------------------------------------
Total qualified entity ............ ........... ........... ........... ........... ........... ........... ........... 27,966,492
Impacts..................
--------------------------------------------------------------------------------------------------------------------------------------------------------
2. Impact on Healthcare Providers and Suppliers
We note that numerous healthcare payers, community quality
collaboratives, States, and other organizations are producing
performance measures for healthcare providers and suppliers using data
from other sources, and that providers and suppliers are already
receiving performance reports from these sources. We anticipate that
the review of non-public analyses will merely be added to those
existing efforts to improve the statistical validity of the measure
findings.
Table 4 reflects the hourly labor rates used in our estimate of the
impacts of the first year of section 105(a) of MACRA on healthcare
providers and suppliers.
Table 4--Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------------------------------
Overhead and
2014 Hourly fringe Total hourly
wage rate benefits costs
(BLS) (100%)
----------------------------------------------------------------------------------------------------------------
Physicians' offices............................................. $38.27 $38.27 $76.54
Hospitals....................................................... 29.65 29.65 59.30
----------------------------------------------------------------------------------------------------------------
[[Page 44478]]
We anticipate that the impacts on providers and suppliers consist
of costs to review the performance reports generated by qualified
entities and, if they choose, appeal the performance calculations. We
believe, on average, each qualified entity will produce non-public
analyses that in total include information on 7,500 health providers
and suppliers. This is based on estimates in the qualified entity final
rule, but also include an increase of 50 percent because we believe
that more providers and suppliers will be included in the non-public
analyses. We anticipate that the largest proportion of providers and
suppliers will be physicians because they comprise the largest group of
providers and suppliers, and are a primary focus of many recent
performance evaluation efforts. We also believe that many providers and
suppliers will be the recipients of the non-public analyses in order to
support their own performance improvement activities, and therefore,
there will be no requirement for a correction or appeals process. As
discussed above, there is no requirement for a corrections or appeals
process where the analysis only individually identifies the (singular)
provider or supplier who is being provided or sold the analysis. Based
on our review of information from existing programs, we assume that 95
percent of the recipients of performance reports (that is, an average
of 7,125 per qualified entity) will be physicians, and 5 percent (that
is, an average of 375 per qualified entity) will be hospitals and other
suppliers. Providers and suppliers receive these reports with no
obligation to review them, but we assume that most will do so to verify
that their calculated performance measures reflect their actual
patients and health events. Because these non-public analyses will be
based on the same underlying data as the public performance reports, we
estimate that it will take less time for providers or suppliers to
review these analyses and generate an appeal. We estimate that, on
average, each provider or supplier will devote three hours to reviewing
these analyses. We also estimate that 25 percent of the providers and
suppliers will decide to appeal their performance calculations, and
that preparing the appeal will involve an average of seven hours of
effort on the part of a provider or supplier. As with our assumptions
regarding the level of effort required by qualified entities in
operating the appeals process, we believe that this average covers a
range of provider efforts from providers who will need just one or two
hours to clarify any questions or concerns regarding their performance
reports to providers who will devote significant time and resources to
the appeals process.
Using the hourly costs displayed in Table 4, the impacts on
providers and suppliers are calculated below in Table 5. Based on the
assumptions we have described, we estimate the total impact on
providers for the first year of the program to be a cost of
$29,690,386.
As stated above in Table 3, we estimate the total impact on
qualified entities to be a cost of $27,966,492. Therefore, the total
impact on qualified entities and on providers and suppliers for the
first year of the program is estimated to be $57,656,878.
Table 5--Impact on Providers and Suppliers for the First Year of the Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hours per provider Number of
-------------------------- providers Number of
Activity Labor Cost per per qualified Total cost
Physician Hospitals hourly cost provider qualified entities impact
offices entity
--------------------------------------------------------------------------------------------------------------------------------------------------------
[Impact on Providers and Suppliers]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Physician office review of performance reports............... 3 ........... $76.54 $230 7,125 11 $18,026,250
Hospital review of performance reports....................... ........... 3 59.30 178 375 11 734,250
Physician office preparing and submitting appeal requests to 7 ........... 76.54 536 1,781 11 10,500,776
qualified entities..........................................
Hospital preparing and submitting appeal requests to ........... 7 59.30 415 94 11 429,110
qualified entities..........................................
------------------------------------------------------------------------------------------
Total Impact on Providers and Suppliers.................. ........... ........... ........... ........... ........... ........... 29,690,386
--------------------------------------------------------------------------------------------------------------------------------------------------------
D. Alternatives Considered
The statutory provisions added by section 105(a) of MACRA are
detailed and prescriptive about the permissible uses of the data under
the Qualified Entity Program. We believe there are limited approaches
that will ensure statutory compliance. We considered less prescriptive
requirements on the provisions that will need to be included in the
agreements between qualified entities and authorized users that
received or purchased analyses or data. For example, we could have
required less strenuous data privacy and security protections such as
not setting a minimum standard for protection of beneficiary
identifiable data or non-public analyses. In addition, we could have
reduced additional restrictions on re-disclosure or permitted data or
analyses to be re-disclosed to additional downstream users. While these
approaches might reduce costs for qualified entities, we did not adopt
such an approach because of the importance of protecting beneficiary
data. We believe if we do not require qualified entities to provide
sufficient evidence of data privacy and security protection
capabilities, there will be increased risks related to the protection
of beneficiary identifiable data.
E. Conclusion
As explained above, we estimate the total impact for the first year
of the program on qualified entities and providers to be a cost of
$57,656,878. While we anticipate the number of qualified entities to
increase slightly, we do not anticipate significant growth in the
qualified entity program given the qualified entity program
requirements, as well as other existing programs that allow entities to
obtain Medicare data. Based on these estimates, we conclude this final
rule does not reach the threshold for economically significant effects
and thus is not considered a major rule.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
[[Page 44479]]
List of Subjects in 42 CFR Part 401
Claims, Freedom of information, Health facilities, Medicare,
Privacy.
For the reasons set forth in the preamble, the Centers for Medicare
& Medicaid Services amends 42 CFR part 401 as set forth below:
PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS
0
1. The authority citation for part 401 is revised to read as follows:
Authority: Secs. 1102, 1871, and 1874(e) of the Social Security
Act (42 U.S.C. 1302, 1395hh, and 1395w-5) and sec. 105, Pub. L. 114-
10, 129 Stat. 87.
0
2. Section 401.703 is amended by adding paragraphs (j) through (u) to
read as follows:
Sec. 401.703 Definitions.
* * * * *
(j) Authorized user is a third party and its contractors
(including, where applicable, business associates as that term is
defined at 45 CFR 160.103) that need analyses or data covered by this
section to carry out work on behalf of that third party (meaning not
the qualified entity or the qualified entity's contractors) to whom/
which the qualified entity provides or sells data as permitted under
this subpart. Authorized user third parties are limited to the
following entities:
(1) A provider.
(2) A supplier.
(3) A medical society.
(4) A hospital association.
(5) An employer.
(6) A health insurance issuer.
(7) A healthcare provider and/or supplier association.
(8) A state entity.
(9) A federal agency.
(k) Employer has the same meaning as the term ``employer'' as
defined in section 3(5) of the Employee Retirement Insurance Security
Act of 1974.
(l) Health insurance issuer has the same meaning as the term
``health insurance issuer'' as defined in section 2791 of the Public
Health Service Act.
(m) Medical society means a nonprofit organization or association
that provides unified representation and advocacy for physicians at the
national or state level and whose membership is comprised of a majority
of physicians.
(n) Hospital association means a nonprofit organization or
association that provides unified representation and advocacy for
hospitals or health systems at a national, state, or local level and
whose membership is comprised of a majority of hospitals and health
systems.
(o) Healthcare Provider and/or Supplier Association means a
nonprofit organization or association that provides unified
representation and advocacy for providers and suppliers at the national
or state level and whose membership is comprised of a majority of
suppliers or providers.
(p) State Entity means any office, department, division, bureau,
board, commission, agency, institution, or committee within the
executive branch of a state government.
(q) Combined data means, at a minimum, a set of CMS claims data
provided under this subpart combined with claims data, or a subset of
claims data from at least one of the other claims data sources
described in Sec. 401.707(d).
(r) Patient means an individual who has visited the provider or
supplier for a face-to-face or telehealth appointment at least once in
the past 24 months.
(s) Marketing means the same as the term ``marketing'' at 45 CFR
164.501 without the exception to the bar for ``consent'' based
marketing.
(t) Violation means a failure to comply with a requirement of a CMS
DUA (CMS data use agreement) or QE DUA (qualified entity data use
agreement).
(u) Required by law means the same as the phrase ``required by
law'' at 45 CFR 164.103.
0
3. Section 401.713 is amended by revising paragraph (a) and adding
paragraph (d) to read as follows:
Sec. 401.713 Ensuring the privacy and security of data.
(a) Data use agreement between CMS and a qualified entity. A
qualified entity must comply with the data requirements in its data use
agreement with CMS (hereinafter the CMS DUA). Contractors (including,
where applicable, business associates) of qualified entities that are
anticipated to have access to the Medicare claims data or beneficiary
identifiable data in the context of this program are also required to
execute and comply with the CMS DUA. The CMS DUA will require the
qualified entity to maintain privacy and security protocols throughout
the duration of the agreement with CMS, and will ban the use or
disclosure of Medicare data or any derivative data for purposes other
than those set out in this subpart. The CMS DUA will also prohibit the
use of unsecured telecommunications to transmit such data, and will
specify the circumstances under which such data must be stored and may
be transmitted.
* * * * *
(d) Data use agreement between a qualified entity and an authorized
user. In addition to meeting the other requirements of this subpart,
and as a pre-condition of selling or disclosing any combined data or
any Medicare claims data (or any beneficiary-identifiable derivative
data of either kind) and as a pre-condition of selling or disclosing
non-public analyses that include individually identifiable beneficiary
data, the qualified entity must enter a DUA (hereinafter the QE DUA)
with the authorized user. Among other things laid out in this subpart,
such QE DUA must contractually bind the authorized user (including any
contractors or business associates described in the definition of
authorized user) to the following:
(1)(i) The authorized user may be permitted to use such data and
non-public analyses in a manner that a HIPAA Covered Entity could do
under the following provisions:
(A) Activities falling under paragraph (1) of the definition of
``health care operations'' under 45 CFR 164.501: Quality improvement
activities, including care coordination activities and efforts to track
and manage medical costs; patient-safety activities; population-based
activities such as those aimed at improving patient safety, quality of
care, or population health, including the development of new models of
care, the development of means to expand coverage and improve access to
healthcare, the development of means of reducing healthcare
disparities, and the development or improvement of methods of payment
or coverage policies.
(B) Activities falling under paragraph (2) of the definition of
``health care operations'' under 45 CFR 164.501: Reviewing the
competence or qualifications of health care professionals, evaluating
practitioner and provider performance, health plan performance,
conducting training programs in which students, trainees, or
practitioners in areas of health care learn under supervision to
practice or improve their skills as health care providers, training of
non-health care professionals, accreditation, certification, licensing,
or credentialing activities.
(C) Activities that qualify as ``fraud and abuse detection or
compliance activities'' under 45 CFR 164.506(c)(4)(ii).
(D) Activities that qualify as ``treatment'' under 45 CFR 164.501.
(ii) All other uses and disclosures of such data and/or such non-
public analyses must be forbidden except to the extent a disclosure
qualifies as a ``required by law'' disclosure as defined at 45 CFR
164.103.
[[Page 44480]]
(2) The authorized user is prohibited from using or disclosing the
data or non-public analyses for marketing purposes as defined at Sec.
401.703(s).
(3) The authorized user is required to ensure adequate privacy and
security protection for such data and non-public analyses. At a
minimum, regardless of whether the authorized user is a HIPAA covered
entity, such protections of beneficiary identifiable data must be at
least as protective as what is required of covered entities and their
business associates regarding protected health information (PHI) under
the HIPAA Privacy and Security Rules. In all cases, these requirements
must be imposed for the life of such beneficiary identifiable data or
non-public analyses and/or any derivative data, that is until all
copies of such data or non-public analyses are returned or destroyed.
Such duties must be written in such a manner as to survive termination
of the QE DUA, whether for cause or not.
(4) Except as provided for in paragraph (d)(5) of this section, the
authorized user must be prohibited from re-disclosing or making public
any such data or non-public analyses.
(5)(i) At the qualified entity's discretion, it may permit an
authorized user that is a provider as defined in Sec. 401.703(b) or a
supplier as defined in Sec. 401.703(c), to re-disclose such data and
non-public analyses as a covered entity will be permitted to disclose
PHI under 45 CFR 164.506(c)(4)(i), under 45 CFR 164.506(c)(2), or under
45 CFR 164.502(e)(1).
(ii) All other uses and disclosures of such data and/or such non-
public analyses is forbidden except to the extent a disclosure
qualifies as a ``required by law'' disclosure.
(6) Authorized users who/that receive the beneficiary de-identified
combined data or Medicare data as contemplated under Sec. 401.718 are
contractually prohibited from linking the beneficiary de-identified
data to any other identifiable source of information, and must be
contractually barred from attempting any other means of re-identifying
any individual whose data is included in such data.
(7) The QE DUA must bind authorized user(s) to notifying the
qualified entity of any violations of the QE DUA, and it must require
the full cooperation of the authorized user in the qualified entity's
efforts to mitigate any harm that may result from such violations, or
to comply with the breach provisions governing qualified entities under
this subpart.
0
4. Section 401.716 is added to read as follows:
Sec. 401.716 Non-public analyses.
(a) General. So long as it meets the other requirements of this
subpart, and subject to the limits in paragraphs (b) and (c) of this
section, the qualified entity may use the combined data to create non-
public analyses in addition to performance measures and provide or sell
these non-public analyses to authorized users (including any
contractors or business associates described in the definition of
authorized user).
(b) Limitations on a qualified entity. In addition to meeting the
other requirements of this subpart, a qualified entity must comply with
the following limitations as a pre-condition of dissemination or
selling non-public analyses to an authorized user:
(1) A qualified entity may only provide or sell a non-public
analysis to a health insurance issuer as defined in Sec. 401.703(l),
after the health insurance issuer or a business associate of that
health insurance issuer has provided the qualified entity with claims
data that represents a majority of the health insurance issuer's
covered lives, using one of the four methods of calculating covered
lives established at 26 CFR 46.4375-1(c)(2), for the time period and
geographic region covered by the issuer-requested non-public analyses.
A qualified entity may not provide or sell a non-public analysis to a
health insurance issuer if the issuer does not have any covered lives
in the geographic region covered by the issuer-requested non-public
analysis.
(2) Analyses that contain information that individually identifies
one or more beneficiaries may only be disclosed to a provider or
supplier (as defined at Sec. 401.703(b) and (c)) when both of the
following conditions are met:
(i) The analyses only contain identifiable information on
beneficiaries with whom the provider or supplier have a patient
relationship as defined at Sec. 401.703(r).
(ii) A QE DUA as defined at Sec. 401.713(d) is executed between
the qualified entity and the provider or supplier prior to making any
individually identifiable beneficiary information available to the
provider or supplier.
(3) Except as specified under paragraph (b)(2) of this section, all
analyses must be limited to beneficiary de-identified data. Regardless
of the HIPAA covered entity or business associate status of the
qualified entity and/or the authorized user, de-identification must be
determined based on the standards for HIPAA covered entities found at
45 CFR 164.514(b).
(4) Analyses that contain information that individually identifies
a provider or supplier (regardless of the level of the provider or
supplier, that is, individual clinician, group of clinicians, or
integrated delivery system) may not be disclosed unless one of the
following three conditions apply:
(i) The analysis only individually identifies the provider or
supplier that is being supplied the analysis.
(ii) Every provider or supplier individually identified in the
analysis has been afforded the opportunity to appeal or correct errors
using the process at Sec. 401.717(f).
(iii) Every provider or supplier individually identified in the
analysis has notified the qualified entity, in writing, that analyses
can be disclosed to the authorized user without first going through the
appeal and error correction process at Sec. 401.717(f).
(c) Non-public analyses agreement between a qualified entity and an
authorized user for beneficiary de-identified non-public analyses
disclosures. In addition to the other requirements of this subpart, a
qualified entity must enter a contractually binding non-public analyses
agreement with the authorized user (including any contractors or
business associates described in the definition of authorized user) as
a pre-condition to providing or selling de-identified analyses. Such
non-public analyses agreement must contain the following provisions:
(1) The authorized user may not use the analyses or derivative data
for the following purposes:
(i) Marketing, as defined at Sec. 401.703(s).
(ii) Harming or seeking to harm patients or other individuals both
within and outside the healthcare system regardless of whether their
data are included in the analyses.
(iii) Effectuating or seeking opportunities to effectuate fraud
and/or abuse in the healthcare system.
(2) If the authorized user is an employer as defined in Sec.
401.703(k), the authorized user may only use the analyses or derivative
data for purposes of providing health insurance to employees, retirees,
or dependents of employees or retirees of that employer.
(3)(i) At the qualified entity's discretion, it may permit an
authorized user that is a provider as defined in Sec. 401.703(b) or a
supplier as defined in Sec. 401.703(c), to re-disclose the de-
identified analyses or derivative data, as a covered entity will be
permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).
(ii) All other uses and disclosures of such data and/or such non-
public
[[Page 44481]]
analyses is forbidden except to the extent a disclosure qualifies as a
``required by law'' disclosure.
(4) If the authorized user is not a provider or supplier, the
authorized user may not re-disclose or make public any non-public
analyses or derivative data except as required by law.
(5) The authorized user may not link the de-identified analyses to
any other identifiable source of information and may not in any other
way attempt to identify any individual whose de-identified data is
included in the analyses.
(6) The authorized user must notify the qualified entity of any DUA
violations, and it must fully cooperate with the qualified entity's
efforts to mitigate any harm that may result from such violations.
0
5. Section 401.717 is amended by adding paragraph (f) to read as
follows:
Sec. 401.717 Provider and supplier requests for error correction.
* * * * *
(f) A qualified entity must comply with the following requirements
before disclosing non-public analyses, as defined at Sec. 401.716,
which contain information that individually identifies a provider or
supplier:
(1) A qualified entity must confidentially notify a provider or
supplier that non-public analyses that individually identify the
provider or supplier are going to be released to an authorized user at
least 65 calendar days before disclosing the analyses. This
confidential notification must include a short summary of the analyses
(including the measures calculated), the process for the provider or
supplier to request the analyses, the authorized users receiving the
analyses, and the date on which the qualified entity will release the
analyses to the authorized user.
(2) A qualified entity must allow providers and suppliers the
opportunity to opt-in to the review and correction process as defined
in paragraphs (a) through (e) of this section, anytime during the 65
calendar days. If a provider or supplier chooses to opt-in to the
review and correction process more than 5 days into the notification
period, the time for the review and correction process is shortened
from 60 days to the number of days between the provider or supplier
opt-in date and the release date specified in the confidential
notification.
0
6. Section 401.718 is added to read as follows:
Sec. 401.718 Dissemination of data.
(a) General. Subject to the other requirements in this subpart, the
requirements in paragraphs (b) and (c) of this section and any other
applicable laws or contractual agreements, a qualified entity may
provide or sell combined data or provide Medicare data at no cost to
authorized users defined at Sec. 401.703(b), (c), (m), and (n).
(b) Data--(1) De-identification. Except as specified in paragraph
(b)(2) of this section, any data provided or sold by a qualified entity
to an authorized user must be limited to beneficiary de-identified
data. De-identification must be determined based on the de-
identification standards for HIPAA covered entities found at 45 CFR
164.514(b).
(2) Exception. If such disclosure will be consistent with all
applicable laws, data that individually identifies a beneficiary may
only be disclosed to a provider or supplier (as defined at Sec.
401.703(b) and (c)) with whom the identifiable individuals in such data
have a current patient relationship as defined at Sec. 401.703(r).
(c) Data use agreement between a qualified entity and an authorized
user. A qualified entity must contractually require an authorized user
to comply with the requirements in Sec. 401.713(d) prior to providing
or selling data to an authorized user under Sec. 401.718.
0
7. Section 401.719 is amended by adding paragraphs (b)(3) and (4) and
(d)(5) to read as follows:
Sec. 401.719 Monitoring and sanctioning of qualified entities.
* * * * *
(b) * * *
(3) Non-public analyses provided or sold to authorized users under
this subpart, including the following information:
(i) A summary of the analyses provided or sold, including--
(A) The number of analyses.
(B) The number of purchasers of such analyses.
(C) The types of authorized users that purchased analyses.
(D) The total amount of fees received for such analyses.
(E) QE DUA or non-public analyses agreement violations.
(ii) A description of the topics and purposes of such analyses.
(iii) The number of analyses disclosed with unresolved requests for
error correction.
(4) Data provided or sold to authorized users under this subpart,
including the following information:
(i) The entities who received data.
(ii) The basis under which each entity received such data.
(iii) The total amount of fees received for providing, selling, or
sharing the data.
(iv) QE DUA violations.
* * * * *
(d) * * *
(5) In the case of a violation, as defined at Sec. 401.703(t), of
the CMS DUA or the QE DUA, CMS will impose an assessment on a qualified
entity in accordance with the following:
(i) Amount of assessment. CMS will calculate the amount of the
assessment of up to $100 per individual entitled to, or enrolled for,
benefits under part A of title XVIII of the Social Security Act or
enrolled for benefits under Part B of such title whose data was
implicated in the violation based on the following:
(A) Basic factors. In determining the amount per impacted
individual, CMS takes into account the following:
(1) The nature and the extent of the violation.
(2) The nature and the extent of the harm or potential harm
resulting from the violation.
(3) The degree of culpability and the history of prior violations.
(B) Criteria to be considered. In establishing the basic factors,
CMS considers the following circumstances:
(1) Aggravating circumstances. Aggravating circumstances include
the following:
(i) There were several types of violations occurring over a lengthy
period of time.
(ii) There were many of these violations or the nature and
circumstances indicate a pattern of violations.
(iii) The nature of the violation had the potential or actually
resulted in harm to beneficiaries.
(2) Mitigating circumstances. Mitigating circumstances include the
following:
(i) All of the violations subject to the imposition of an
assessment were few in number, of the same type, and occurring within a
short period of time.
(ii) The violation was the result of an unintentional and
unrecognized error and the qualified entity took corrective steps
immediately after discovering the error.
(C) Effects of aggravating or mitigating circumstances. In
determining the amount of the assessment to be imposed under paragraph
(d)(5)(i)(A) of this section:
(1) If there are substantial or several mitigating circumstance,
the aggregate amount of the assessment is set at an amount sufficiently
below the maximum permitted by paragraph (d)(5)(i)(A) of this section
to reflect the mitigating circumstances.
[[Page 44482]]
(2) If there are substantial or several aggravating circumstances,
the aggregate amount of the assessment is set at an amount at or
sufficiently close to the maximum permitted by paragraph (d)(5)(i)(A)
of this section to reflect the aggravating circumstances.
(D) The standards set for the qualified entity in this paragraph
are binding, except to the extent that--
(1) The amount imposed is not less than the approximate amount
required to fully compensate the United States, or any State, for its
damages and costs, tangible and intangible, including but not limited
to the costs attributable to the investigation, prosecution, and
administrative review of the case.
(2) Nothing in this section limits the authority of CMS to settle
any issue or case as provided by part 1005 of this title or to
compromise any assessment as provided by paragraph (d)(5)(ii)(E) of
this section.
(ii) Notice of determination. CMS must propose an assessment in
accordance with this paragraph (d)(5), by notifying the qualified
entity by certified mail, return receipt requested. Such notice must
include the following information:
(A) The assessment amount.
(B) The statutory and regulatory bases for the assessment.
(C) A description of the violations upon which the assessment was
proposed.
(D) Any mitigating or aggravating circumstances that CMS considered
when it calculated the amount of the proposed assessment.
(E) Information concerning response to the notice, including:
(1) A specific statement of the respondent's right to a hearing in
accordance with procedures established at Section 1128A of the Act and
implemented in 42 CFR part 1005.
(2) A statement that failure to respond within 60 days renders the
proposed determination final and permits the imposition of the proposed
assessment.
(3) A statement that the debt may be collected through an
administrative offset.
(4) In the case of a respondent that has an agreement under section
1866 of the Act, notice that imposition of an exclusion may result in
termination of the provider's agreement in accordance with section
1866(b)(2)(C) of the Act.
(F) The means by which the qualified entity may pay the amount if
they do not intend to request a hearing.
(iii) Failure to request a hearing. If the qualified entity does
not request a hearing within 60 days of receipt of the notice of
proposed determination, any assessment becomes final and CMS may impose
the proposed assessment.
(A) CMS notifies the qualified entity, by certified mail with
return receipt requested, of any assessment that has been imposed and
of the means by which the qualified entity may satisfy the judgment.
(B) The qualified entity has no right to appeal an assessment for
which the qualified entity has not requested a hearing.
(iv) When an assessment is collectible. An assessment becomes
collectible after the earliest of the following:
(A) Sixty (60) days after the qualified entity receives CMS's
notice of proposed determination under paragraph (d)(5)(ii) of this
section, if the qualified entity has not requested a hearing.
(B) Immediately after the qualified entity abandons or waives its
appeal right at any administrative level.
(C) Thirty (30) days after the qualified entity receives the ALJ's
decision imposing an assessment under Sec. 1005.20(d) of this title,
if the qualified entity has not requested a review before the DAB.
(D) Sixty (60) days after the qualified entity receives the DAB's
decision imposing an assessment if the qualified entity has not
requested a stay of the decision under Sec. 1005.22(b) of this title.
(v) Collection of an assessment. Once a determination by HHS has
become final, CMS is responsible for the collection of any assessment.
(A) The General Counsel may compromise an assessment imposed under
this part, after consulting with CMS or OIG, and the Federal government
may recover the assessment in a civil action brought in the United
States district court for the district where the claim was presented or
where the qualified entity resides.
(B) The United States or a state agency may deduct the amount of an
assessment when finally determined, or the amount agreed upon in
compromise, from any sum then or later owing the qualified entity.
(C) Matters that were raised or that could have been raised in a
hearing before an ALJ or in an appeal under section 1128A(e) of the Act
may not be raised as a defense in a civil action by the United States
to collect an assessment.
0
8. Section 401.721 is amended by adding paragraph (a)(7) to read as
follows:
Sec. 401.721 Terminating an agreement with a qualified entity.
(a) * * *
(7) Fails to ensure authorized users comply with their QE DUAs or
analysis use agreements.
* * * * *
0
9. Section 401.722 is added to read as follows:
Sec. 401.722 Qualified clinical data registries.
(a) A qualified clinical data registry that agrees to meet all the
requirements in this subpart, with the exception of Sec. 401.707(d),
may request access to Medicare data as a quasi qualified entity in
accordance with such qualified entity program requirements.
(b) Notwithstanding Sec. 401.703(q) (generally defining combined
data), for purposes of qualified clinical data registries acting as
quasi qualified entities under the qualified entity program
requirements, combined data means, at a minimum, a set of CMS claims
data provided under this subpart combined with clinical data or a
subset of clinical data.
Dated: June 22, 2016.
Andrew M. Slavitt,
Acting Administrator, Centers for Medicare & Medicaid Services.
Dated: June 28, 2016.
Sylvia M. Burwell,
Secretary, Department of Health and Human Services.
[FR Doc. 2016-15708 Filed 7-1-16; 11:15 am]
BILLING CODE 4120-01-P