[Federal Register Volume 76, Number 235 (Wednesday, December 7, 2011)]
[Rules and Regulations]
[Pages 76542-76571]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-31232]
[[Page 76541]]
Vol. 76
Wednesday,
No. 235
December 7, 2011
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
Centers for Medicare & Medicaid Services
-----------------------------------------------------------------------
42 CFR Part 401
Medicare Program; Availability of Medicare Data for Performance
Measurement; Final Rule
Federal Register / Vol. 76, No. 235 / Wednesday, December 7, 2011 /
Rules and Regulations
[[Page 76542]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
42 CFR Part 401
[CMS-5059-F]
RIN 0938-AQ17
Medicare Program; Availability of Medicare Data for Performance
Measurement
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule implements Section 10332 of the Affordable
Care Act regarding the release and use of standardized extracts of
Medicare claims data for qualified entities to measure the performance
of providers of services (referred to as providers) and suppliers. This
rule explains how entities can become qualified by CMS to receive
standardized extracts of claims data under Medicare Parts A, B, and D
for the purpose of evaluation of the performance of providers and
suppliers. This rule also lays out the criteria qualified entities must
follow to protect the privacy of Medicare beneficiaries.
DATES: Effective Date: These regulations are effective January 6, 2012.
FOR FURTHER INFORMATION CONTACT: Colleen Bruce, (410) 786-5529.
SUPPLEMENTARY INFORMATION:
I. Background
The Patient Protection and Affordable Care Act (Pub. L. 111-148),
enacted on March 23, 2010, and the Health Care and Education
Reconciliation Act of 2010 (Pub. L. 111-152), enacted on March 30,
2010, are collectively referred to in this final rule as the
``Affordable Care Act.'' Effective January 1, 2012, section 10332 of
the Affordable Care Act would amend section 1874 of the Social Security
Act (the Act) by adding a new subsection (e) requiring standardized
extracts of Medicare claims data under parts A, B, and D to be made
available to ``qualified entities'' for the evaluation of the
performance of providers and suppliers. Qualified entities may use the
information obtained under section 1874(e) of the Act for the purpose
of evaluating the performance of providers and suppliers, and to
generate public reports regarding such performance. Qualified entities
may receive data for one or more specified geographic areas and must
pay a fee equal to the cost of making the data available. Congress also
required that qualified entities combine claims data from sources other
than Medicare with the Medicare data when evaluating the performance of
providers and suppliers.
Section 1874(e) of the Act requires potential qualified entities
that wish to request data under this provision to submit an application
to the Secretary that includes, among other things, a description of
the methodologies that the applicant proposes to use to evaluate the
performance of providers and suppliers in the geographic area(s) they
select. Qualified entities generally must use standard measures for
evaluating the performance of providers and suppliers unless the
Secretary, in consultation with appropriate stakeholders, determines
that use of alternative measures would be more valid, reliable,
responsive to consumer preferences, cost-effective, or relevant to
dimensions of quality and resource use not addressed by standard
measures. Reports generated by the qualified entities may only include
information on individual providers and suppliers in aggregate form,
that is, at the provider or supplier level, and may not be released to
the public until the providers and suppliers have had an opportunity to
review them and, if necessary, ask for corrections. Congress included a
provision at section 1874(e)(3) of the Act to allow the Secretary to
take such actions as may be necessary to protect the identity of
individuals entitled to or enrolled in Medicare.
We believe the sharing of Medicare data with qualified entities
through this program and the resulting reports produced by qualified
entities will be an important driver of improving quality and reducing
costs in Medicare, as well as for the health care system in general.
Additionally, we believe this program will increase the transparency of
provider and supplier performance, while ensuring beneficiary privacy.
II. Provisions of the Proposed Rule and Analysis of and Responses to
Public Comments
We received approximately 100 comments from a wide variety of
individuals and organizations. About half of the comments were from
providers and suppliers, or organizations representing providers and
suppliers. The other half of the comments were from organizations
engaged in performance measurement or data aggregation that may
potentially be approved to receive Medicare data as qualified entities
under this program. We also received a number of comments from consumer
advocacy organizations.
A. Definition, Eligibility Criteria, and Operating Requirements of
Qualified Entities
Almost all of the comments were positive and praised CMS' proposals
regarding how the qualified entity program would operate. Commenters
also had a range of suggestions for how CMS should administer the
program, including several comments on performance measurement in
general. We also received numerous comments on data privacy and
security, which are discussed in more detail in subsection D below.
1. Definitions
In the proposed rule, we defined a qualified entity as a public or
private entity that meets two standards. The first is that the entity
is qualified, as determined by the Secretary, to use claims data to
evaluate the performance of providers and suppliers on measures of
quality, efficiency, effectiveness, and resource use. The second is
that the entity agrees to meet the requirements described in Section
1874(e) of the Social Security Act and at Sec. Sec. 401.703-401.710 of
the proposed rule.
Comment: We received several comments, suggestions, and questions
regarding the use of the Medicare data qualified entities receive
through this program. Section 1874(e)(4)(B) of the Act specifies the
uses of the Medicare data. Some commenters requested that qualified
entities be allowed to use the data for purposes other than performance
reporting, such as internal analyses, pay-for-performance initiatives,
and provider tiering; other commenters requested that CMS clarify that
the data provided would be used for performance reporting only.
Response: The statute bars the re-use of the Medicare claims data
provided to qualified entities under section 1874(e) of the Social
Security Act (the Act). Section 1874(e)(4)(D) provides that the
qualified entity ``shall only use such data, and information derived
from such evaluation'' for performance reports on providers and
suppliers. Additionally, the Data Use Agreement (DUA, discussed in more
detail below) bars re-use of the data for other purposes; violation of
the DUA may result in a qualified entity's access to data under 1874(e)
of the Act being terminated. However, while the data itself and any
derivative data may only be used for creating the prescribed reports,
section 1874(e) does not address the use of the publically reported
result. Subject to any limitations imposed by other applicable laws
(for example, copyright laws), these publicly reported results
[[Page 76543]]
could be used by any party, including the qualified entity, for
activities such as internal analyses, pay-for-performance initiatives,
or provider tiering.
Qualified entities will not be allowed to do performance
measurement with Medicare data alone. Section 1874(e)(4)(B)(iii)
specifically provides that qualified entities must include ``claims
data from sources other than claims data under this title in the
evaluation of performance of providers of services and suppliers.'' We
have added a definition of ``claims data from other sources'' at Sec.
401.703(h).
We have made several technical changes to the definitions at Sec.
401.703 to reflect the regulatory interpretation of the statutory
provisions cited in the proposed rule. We have modified the definition
of a qualified entity to require the entity to agree to meet the
requirements in Sec. Sec. 401.705-401.721 of the final rule, removing
the proposed rule's reference to section 1874(e) of the Act. We have
also modified the definitions of provider and supplier; specifically we
have defined both terms in terms of the definitions for the identical
terms at Sec. 400.202.
We have also added a definition of clinical data. This addition is
discussed in further detail below.
2. Eligibility Criteria
In determining the eligibility standards for qualified entities we
sought to balance the needs to: (1) Ensure the production of timely,
high quality, and actionable reports on the performance of providers
and suppliers, (2) protect beneficiary privacy and security, and (3)
ensure providers and suppliers have an appropriate amount of time to
review the reports, appeal, and, if necessary, correct errors prior to
public reporting. We therefore proposed to evaluate an organization's
eligibility to serve as a qualified entity across three areas:
Organizational and governance capabilities, addition of claims data
from other sources, and data privacy and security.
Additionally, we proposed not to limit the number of qualified
entities eligible to serve in an area. Any entity that satisfactorily
meets the eligibility criteria would be able to participate in the
program.
Comment: We received several comments on the eligibility criteria
as a whole. Many commenters supported the proposed eligibility
standards; however others said the eligibility standards were too
prescriptive. Several commenters asked CMS to clarify qualified
entities' ability to combine expertise across more than one entity to
meet the requirements in the rule related to experience or amount of
other claims data.
Response: We thank commenters for their support for the eligibility
standards. While we understand that the eligibility standards
necessitate that prospective qualified entities have extensive
experience in performance measurement, access to data, and appropriate
privacy and security protocols, we believe these standards are
essential to ensure both the privacy and security of beneficiary data
and the acceptance of the program by providers and suppliers.
We clarify, however, that qualified entities do not need to be
composed of a single legal entity. A qualified entity applicant may
contract with other entities to achieve the ability to meet the
eligibility criteria. If an entity chooses to contract with one or more
other entities to meet the eligibility standards, the application must
be submitted by one lead entity. This lead entity must submit
documentation describing the contractual relationships that exist
between and among all entities applying together under the lead entity
to become a qualified entity. In addition, as discussed in subsection
D.1. below, contractors will be required to abide by the same privacy
and security requirements as the lead entity, including signing a data
use agreement prior to being given access to Medicare claims data or
beneficiary information. Contractors will also be subject to CMS
monitoring and their actions may result in sanctions and/or termination
of the qualified entity.
We believe that requiring contractual arrangements among the
members of such a group will ultimately protect both the providers and
suppliers receiving reports, as well as the beneficiaries seeking to
use this information to make health care decisions by ensuring that the
lead entity has partners with the necessary expertise to carry out the
duties of a qualified entity and that the qualified entity's partners
are committed to the project through legally enforceable agreements.
In a contractual arrangement, there would be breach of contract
liability if one of the members of the group fails to deliver, and
there would be the potential of collecting damages for that failure to
perform. Such damages would potentially provide the lead entity with
the resources that would be necessary for finding and hiring another
entity to carry out the functions of a contractor/subcontractor that
failed to perform. Any other less formal arrangement among a group of
entities that, in sum, possessed the requisite traits required of a
qualified entity, such as a partnership or other consortium-like
affiliation, would not offer the breach of contract protections that
would provide assurances that the entities listed as participants in
the group would in fact provide the services/skills/resources that the
qualified entity applicant asserts. In a non-contractual arrangement,
participating members of the group could stop performing at any time,
leaving the remainder of the group with little recourse and, possibly,
not qualified to carry on as a qualified entity. This could prevent the
issuance of the desired reports. It could also leave providers and
suppliers, as well as beneficiaries, without any recourse for remedying
reporting errors or answering questions related to the reports. This
would have a very negative effect on the program as a whole, and
jeopardize this important transparency effort.
We emphasize that a single entity may seek to fulfill all of the
eligibility standards; there is no requirement that a qualified entity
must be a group of two or more entities. However, we believe that more
potential qualified entities would apply if they use contractual
relationships to address any requirements that they may be lacking.
Comment: Several commenters suggested additions to the eligibility
standards. A handful of commenters recommended adding a public input
component as part of the eligibility process. Commenters also suggested
evaluating provider complaints against applicants when making
determinations about qualified entity eligibility. One commenter asked
CMS to create a provisional track for entities without the necessary
experience or the non-Medicare data to serve as a qualified entity in
the general program.
Response: Through evaluating each entity's (including the lead
entity's and any contractors') past experience, other claims data, and
privacy and security protocols, we are confident that entities approved
as qualified entities will meet the requirements of the program.
Extensive monitoring requirements for the lead entity and any
contractors, as well as the ability to terminate our agreement with a
qualified entity, will ensure that the highest standards are adhered to
by all qualified entities. However, we are interested in beneficiary
and/or provider complaints against a qualified entity once that entity
is approved. As discussed below in section II.F., we have included an
analysis of beneficiary and/or provider complaints as part of the
monitoring and performance assessment of qualified entities.
[[Page 76544]]
While we appreciate the interest in allowing a variety of
organizations to serve as qualified entities, we believe a provisional
track is not consistent with the requirement in the statute that
entities be qualified, as determined by the Secretary, to use claims
data to evaluate provider and supplier performance. We hope that the
discussion above, which notes that potential qualified entity
applicants may form contractual agreements to meet the eligibility
requirements, will allow entities with less experience or limited other
claims data to gain the necessary expertise or gather the needed data
to be approved as a qualified entities. We also have added a
conditional approval process, discussed in more detail below, for those
applicants that do not have access to claims data from other sources at
the time of their application.
Comment: We received several comments requesting CMS limit the
organizations eligible to serve as qualified entities to non-profit and
government organizations. However, we also received comments asking CMS
to continue to allow any organization that meets the eligibility
requirements and submits an application to serve as a qualified entity.
Response: On balance, we believe it is appropriate for CMS to
continue to allow any organization that meets the eligibility
requirements and the requirements at sections Sec. Sec. 401.703-
401.710 of the proposed rule to serve as a qualified entity, which
appear, as modified in the following discussion, in sections Sec. Sec.
401.705-401.721 of this final rule.
Comment: While we received several comments supporting our proposal
not to limit the number of qualified entities in a geographic region,
we also received comments suggesting we limit the number of qualified
entities eligible to serve in an area. Many of those who suggested
limiting the number of qualified entities in an area expressed concern
that allowing multiple qualified entities in a region would lead to
multiple reports on the same provider or supplier, which would confuse
both the individual or entity being measured and the consumer. One
commenter suggested CMS take a phased approach to the number of
qualified entities, allowing providers to get accustomed to measurement
before expanding the number of qualified entities.
Response: We acknowledge commenters' desire to limit the number of
reports on a provider or supplier; however, we do not anticipate many
regions will have multiple entities that meet the requirements to serve
as qualified entities. Specifically, it is difficult to imagine there
will be many areas where multiple organizations will possess sufficient
claims data from other sources. Additionally, we believe allowing all
eligible organizations to serve as qualified entities will encourage
innovation in measure development and performance reporting. In the
case that there are multiple organizations in an area that could serve
as individual qualified entities, we would like to reiterate that these
organizations could form contractual arrangements with each other and
apply for the program under a lead applicant.
a. Organizational and Governance Capabilities
Under organizational and governance capabilities, we proposed to
evaluate the applicant's capability to perform a variety of tasks
related to serving as a qualified entity. Tasks included the ability to
accurately calculate measures from claims data, successfully combine
claims data from different payers, design performance reports, prepare
an understandable description of measures, implement a report review
process for providers and suppliers, maintain a rigorous data privacy
and security program, and make reports containing provider and supplier
level data available to the public. We proposed to generally require
applicants to demonstrate expertise and sustained experience on each of
the criteria, which could be demonstrated by three or more years of
experience in each area. We also proposed to consider applications with
fewer years experience handling claims data and calculating measures,
and/or limited experience implementing or maintaining a report review
process for providers and suppliers as long as the applicant has
sufficient experience in all other areas.
Comment: Commenters had mixed opinions about the proposed
requirement of three or more years of experience. Commenters who did
not support a minimum three years experience were concerned about
limiting eligibility of otherwise viable entities. On the other hand,
commenters who strongly supported the eligibility criteria suggested
lengthening the time requirement to five years.
Response: While we are sensitive to the desire to allow all
interested organizations to serve as qualified entities, we believe
that many viable entities will possess three years of experience,
particularly now that we have clarified that a qualified entity may
contract with other entities in order to demonstrate required
experience. It is essential for the success of the qualified entity
program that organizations approved as qualified entities have the
necessary expertise and experience to successfully perform all the
functions required in the statute. We believe the experience
requirements we have included are sufficient to ensure organizations
approved as qualified entities possess the necessary experience to
successfully meet the requirements of the program.
Comment: Commenters suggested changes to specific tasks in the
organizational and governance capabilities section of the eligibility
criteria. Several commenters asked CMS to only require expertise in the
areas of measurement the entity is proposing to use instead of all four
areas of measurement: Quality, efficiency, effectiveness, and resource
use. Similarly, commenters also noted that not all measures require
risk-adjustment and requested CMS only require experience in risk-
adjustment if the entity is planning on using measures that incorporate
risk-adjustment. Commenters also recommended removing the requirement
that organizations have experience successfully combining claims data
from different payers, arguing that this requirement would necessitate
that applicants currently have data from two or more payers other than
Medicare.
Response: We agree with commenters about the proposal that would
have required expertise in all four areas of measurement. As a result,
we are modifying the eligibility requirements related to these areas of
performance measurement and will require all applicants to have
experience calculating quality measures, and, to the extent that they
propose using such measures, experience calculating efficiency,
effectiveness and resource use measures. Similarly, we will only
require entities to have experience with risk-adjustment, if they
propose using measures requiring risk adjustment. Finally, the law
requires that a qualified entity combine data from different payers, so
we will retain that requirement in this final rule.
Comment: One commenter requested that CMS only approve applicants
with a demonstrated track record of working with providers and
suppliers and helping them with quality improvement.
Response: While we hope this program will support quality
improvement efforts, the statute only requires qualified entities to
confidentially make reports available prior to publication and to allow
[[Page 76545]]
providers and suppliers the opportunity to request error correction. We
believe that our requirement that applicants submit documentation of
experience in both maintaining a process for providers and suppliers to
review their reports prior to publication, and providing timely
response to requests for error correction will be adequate to ensure an
applicant's ability to work with providers and suppliers to ensure the
availability of reports and appropriate correction mechanisms.
Comment: We received several comments on our proposal to require
applicants to disclose inappropriate disclosures of beneficiary
identifiable information. Specifically, one commenter suggested that
requiring disclosure of a 10-year privacy breach history is
unreasonable. Another commenter requested that CMS include a
requirement that applicants disclose confirmed violations of State
privacy laws, in addition to inappropriate disclosures of beneficiary
identifiable information.
Response: We believe that requiring an applicant to disclose 10
years' worth of inappropriate disclosures of beneficiary information is
a reasonable requirement, but we recognize that some applicants may not
have a 10 year history. For those entities that do not have a 10 year
history, we will require reporting the required information for the
length of time the organization has been in existence. We clarify,
however, that a qualified entity's application to receive Medicare data
will be evaluated based on all of the information submitted; a past
inappropriate disclosure of beneficiary identifiable information will
not automatically disqualify an entity from participation in the
program. If an entity's application lists these events, CMS will engage
in further discussions with that applicant to determine what corrective
processes the entity has put in place to avoid future inappropriate
disclosure of beneficiary identifiable information. We agree that
violations of State, as well as federal, privacy and security laws
should also be submitted to CMS and will add this requirement to the
eligibility criteria. For clarity, we have rephrased the proposed
language in Sec. 410.705(a)(1)(vii) that referred to violations of
State privacy laws or HIPAA violations to read ``violations of
applicable federal and State privacy and security laws and
regulations'' to encompass the full range of information privacy and
security laws and regulations at both the federal and State levels with
which the applicant may have to comply. In addition to demonstrating
experience and expertise, we also proposed to require qualified
entities to submit a business model for covering the cost of required
functions.
Comment: Some commenters argued that requiring prospective
applicants to submit a business model is too prescriptive, while others
were supportive of this requirement. A handful of commenters asked CMS
for guidance on financing mechanisms, as well as whether they could
change a fee for the reports or license the data for secondary use.
Response: In requiring submission of a business model, it was not
our intent to be overly prescriptive. Rather, we were seeking to ensure
that the qualified entities would have the resources necessary to carry
out what we expect would be a relatively resource-intensive and
important undertaking. We expect that by requiring submission of a
business plan qualified entities would be more likely to have a viable
business model under which they would be able to carry out their
obligations under the qualified entity program. We do not intend to
limit an organization's ability to change or adapt its business plan
once approved as a qualified entity. We only ask that the qualified
entity demonstrate that it has thought through what it would need to do
to succeed. Finally, as for financing mechanisms, we note that the
qualified entity program regulations do not generally place any added
limitations on what is otherwise feasible under applicable laws. For
example, the content of the publicly released reports will be subject
to existing laws on copyright. Qualified entities cannot, however,
charge providers or suppliers for the confidential copies of the pre-
publication reports that qualified entities are required to provide in
advance of publication. Furthermore, qualified entities must publically
report measure results free of charge and in a manner that is
consistent with the requirements in Section 1874(e)(4)(C) of the Act.
We encourage qualified entities to be innovative in creating business
models to support their efforts.
b. Addition of Claims Data From Other Sources
In accordance with the statutory requirements at section
1874(e)(4)(B)(iii), we proposed to require entities to have claims data
from non-title 18 (Medicare) sources to combine with Medicare data. We
proposed to require possession of such other data at the time of their
application. We defined claims data as administrative claims, meaning
data that is not chart-abstracted data, registry data, or data from
electronic health records. We proposed to require entities to
demonstrate to CMS that the other claims data they possess is
sufficient to address issues of sample size and reliability expressed
by stakeholders regarding the calculation of performance measures from
a single payer source. We also requested comment on whether CMS should
require entities to possess claims data from two or more other sources
to be eligible to serve as a qualified entity.
Comments: Some commenters were supportive of the requirement that
entities possess claims data from other sources at the time of
application, but others argued that this requirement is too restrictive
and not consistent with the intent of the statute. Specifically,
commenters argued that it might be difficult to acquire claims data
from other sources without approval from CMS to serve as a qualified
entity. Other commenters sought clarification on whether qualified
entities had to physically possess claims data from other sources or
whether agreements with owners of claims data from other sources and
proof of a functioning distributed data approach, meaning that claims
data from different sources residing at different physical locations as
long as measure results could be securely and accurately aggregated,
would suffice.
Response: While most organizations that are experienced in
performance measurement will already have claims data they are using
for performance measurement, we understand commenters' concerns about
the requirement that entities possess claims data from other sources at
the time of application. Therefore, for those applicants that do not
have access to other claims data at the time of their application, we
will create a conditional approval process. First, applicants that are
found to meet all the requirements of the program, but do not have
access to other claims data at the time of their application, will
receive a conditional acceptance. Then, once an entity with a
conditional acceptance gets access to adequate claims data from other
sources, it will submit documentation that the claims data from other
sources that it intends to combine with the Medicare data received
under this subpart address the methodological concerns regarding sample
size and reliability that have been expressed by stakeholders regarding
the calculation of performance measures from a single payer source. CMS
will review the documentation and if the amount of other claims data is
found to be sufficient, the entity will pay a fee equal to the cost of
CMS making the data
[[Page 76546]]
available and execute a Data Use Agreement (DUA) with CMS to be
approved as a qualified entity. A conditionally approved qualified
entity will not be eligible to receive Medicare claims data or the
beneficiary crosswalk (discussed further in Section D.1) until it has
received full approval, pays a fee equal to the cost of making the data
available, and signs a DUA.
This conditional approval process will be in addition to the normal
approval process that will remain in place for those applicants that
have access to a sufficient amount of other claims data at the time of
their application. Additionally, we want to clarify that distributed
data approaches, as described above, are permissible under the scope of
this program.
Comment: We received several comments asking CMS to clarify the
amount of other claims data applicants must possess. Commenters also
asked if CMS would consider Medicaid data to be other claims data.
Response: As stated in the proposed rule, we do not believe it is
feasible to establish an absolute threshold for a minimum amount of
additional claims data. Rather, we ask applicants to explain how the
data they do have for use in the qualified entity program will be
adequate to address the concerns about small sample size and
reliability that have been expressed by stakeholders regarding the
calculation of performance measures from a single payer source. Each
application will be evaluated on its collective merits, including the
amount of claims data from other sources and its explanation on why
that data, in combination with the requested Medicare data, is adequate
for the stated purposes of this program. ``Other claims data'' can
include Medicaid data as well as any private payer claims data.
Comment: We also received mixed comments on our proposal to require
organizations to have two or more data sources at the time of
application. Some commenters said this requirement seemed appropriate,
while others argued it was too burdensome. One commenter argued that
unless combined data represents at least 90 percent of a provider's
practice, any resulting quality measurements will not be meaningful.
Response: We based our proposal about acquiring data from two or
more sources on the interests of providers, suppliers, and consumers to
have reports that provide valid results that cover an adequate portion
of the providers' or suppliers' patients. However, in certain cases,
one source may provide a sufficient amount of other claims data such
that, when the other claims data is combined with Medicare data, it
covers a considerable portion of a provider's or supplier's patients.
We will therefore not require an applicant to have two sources of
additional claims data, but we note that claims data from two or more
sources is preferable to data from only one other source. We
acknowledge that it is important for the combined data to represent a
large portion of a provider's business, but believe an arbitrary
requirement of 90 percent is unnecessarily high, especially given that
the program is just beginning.
c. Data Privacy and Security
We proposed to require applicants to demonstrate their capabilities
to establish, maintain, and monitor a rigorous privacy and security
program, including programs to educate staff on privacy and data
security protocols.
Comments related to the proposed data privacy and security
eligibility criteria requirements are covered in the Data Security and
Privacy section below in section II.D. of this final rule.
3. Operating and Governance Requirements for Serving as a Qualified
Entity
We require documentation of operating and governance requirements
at the time of application for several key activities. We proposed that
applicants would submit as part of their application: (1) The measures
they intend to use, including methodologies and a rationale for using
the measure; (2) the report review process they would use with
providers and suppliers, including addressing requests for data and
error correction; and (3) a prototype for required reports, including
the methods for disseminating reports.
Comments: We received several comments that the submission of
measures and methodologies, as well as a prototype for reports at the
time of application is too burdensome. Additionally, commenters argued
that 90 days notice for approval of changes was too long and that
certain types of minor changes to the report prototype need not trigger
CMS approval. Several commenters also argued that submitting
specifications on standard measures is unnecessary since these measures
have established specifications and are generally publically available.
Response: We understand organizations' desire to have flexibility
in selecting measures and report formats. We also believe that making
these decisions is a key aspect of serving as a qualified entity and is
important enough to require the submission of proposed plans prior to
being approved as a qualified entity. However, we recognize commenters'
desire to ensure measures and report formats are approved and available
for use as quickly as possible. Therefore, we will change the timeframe
for CMS approval to 30 days. Qualified entities may change selected
measures, and may modify their report prototype, with 30 days notice to
CMS and CMS approval of the changes or modifications. We believe that
the majority of changes proposed by qualified entities will be
straightforward and CMS will be able to comfortably conduct a review
and approval within 30 days of submission; however, in certain
circumstances CMS may request an additional 30 days to approve more
wide-reaching changes or modifications. If a CMS decision on approval
or disapproval for a change or modification is not forthcoming within
30 days and CMS does not request an additional 30 days for review, the
change or modification shall be deemed to be approved.
We acknowledge the interest in only requiring CMS approval for
substantive changes in the prototype reports. However, as it is the
first year of the program, we are still determining the types of
changes to the prototype reports that qualified entities will need to
submit to CMS for approval. CMS is considering releasing guidance on
the types of changes to the report prototype that need not be submitted
once the qualified entity program has started.
We agree with commenters that including standard measure
specifications is unnecessary. Thus far, available standard measures
only include measures endorsed by the National Quality Forum and CMS
measures; and the specifications for these measures are available to
the public. Therefore, we will only require applicants to include
measure specifications for alternative measures. We will use future
rulemaking to address the submission of specifications for standard
measures if the public availability of standard measure specifications
changes in the future.
Comment: One commenter requested that CMS require each applicant to
submit an analytic plan clarifying its goals relative to the statute.
Response: We believe that the requirement for entities to submit a
rationale for selecting each measure, including its relationship to
existing measurement efforts, addresses the issue of an organization's
goals as they relate to the statute. We believe this is sufficient
documentation of an organization's plans.
Comment: One commenter requested that CMS require applicants to
submit
[[Page 76547]]
conflict of interest information. Commenters were concerned that
conflicts of interest could result in inaccurate or misleading
reporting. One commenter specifically requested that qualified entities
be required to attest that they have no relationship or affiliation
with any health plans, insurers, providers, suppliers, manufacturers or
other entities that may have an interest in or use for the data.
Response: We do not believe it is necessary for applicants to
submit information on conflicts of interest to CMS. We expect that many
qualified entities will have relationships with health plans, insurers,
providers and suppliers, and other entities that have an interest in or
use for the data in order to meet the requirements of the qualified
entity program, such as obtaining other claims data or disseminating
performance results. We believe the eligibility requirements and
monitoring requirements will ensure that the organizations who serve as
qualified entities comply with the requirements of the program.
B. Definition, Selection, and Use of Performance Measures
1. Standard and Alternative Measures
The statute permits qualified entities to use both standard and
alternative measures. We proposed to define standard measures as any
claims-based measure endorsed (or time-limited endorsed) by the entity
with a contract under section 1890(a) of the Act (currently the
National Quality Forum), any claims-based measure that is currently
being used in a CMS program that includes quality measurement, or any
measure developed pursuant to Section 931 of the Public Health Service
Act. The statute requires the Secretary to consult with appropriate
stakeholders as to whether the use of alternative measures would be
more valid, reliable, responsive to consumer preferences, cost-
effective, or relevant to dimensions of quality and resource use not
addressed by standard measures. In light of these requirements, we
proposed to define alternative measures as any claims-based measure
that, while not a standard measure, was adopted by the Secretary
through a notice and comment rulemaking process. Qualified entities
would submit proposed alternative measures to CMS who would then make
the proposed alternative measures available for stakeholder input via a
proposed rule, and, where appropriate, following receipt of public
comments, the Secretary would determine which alternative measures to
approve for use in the program.
Comment: Some commenters suggested that qualified entities be
allowed to calculate measures that are not based solely on claims data.
Specifically, commenters were interested in calculating measures that
involve combining claims data with clinical data (for example, registry
data or chart-abstracted data). Commenters argued that allowing
qualified entities to use these measures would expand the list of
available measures. Several commenters also expressed that the use of
these types of measures would help produce a more accurate picture of
provider and supplier performance.
Response: We recognize commenters' desire to use clinical data
combined with claims data when calculating standard and alternative
measures. Given the added value that clinical data brings to
performance measurement, whenever standard or alternative measures
provide for the use of clinical data, we will allow qualified entities
to use clinical data in combination with Medicare and other claims data
to calculate those standard and alternative measures. We have added a
definition of clinical data at Sec. 401.703(i), specifically clinical
data is registry data, chart-abstracted data, laboratory results,
electronic health record information, or other information relating to
the care or services provided to patients that is not included in
administrative claims data. Measurement efforts using clinical data
would only be supported under the qualified entity program if the
clinical data is combined with the qualified entity's Medicare and
other claims data to calculate the measures. These regulations do not
address the use and publication of purely clinical-based measures.
Furthermore, we recognize the near impossibility of combining
Medicare claims data with clinical data without an identifier to link
them. As a result, we are changing the proposed process for releasing
beneficiary identifiable information to allow--with strict privacy and
security standards--for the disclosure of identifiers to qualified
entities; this change is discussed in more detail in the Privacy and
Security requirements section below.
Comment: Many commenters were supportive of the alternative measure
review process. However, several commenters argued that the notice and
comment rulemaking process was overly burdensome on qualified entities,
would significantly restrict innovation in measure development and use,
and was contrary to the overall goals of the provision. Some commenters
proposed that qualified entities only be required to seek the
permission of local stakeholders before calculating and reporting
alternative measures. However, other commenters argued that the notice
and comment rulemaking process provided appropriate safeguards against
the public reporting of untested measures.
Response: We believe that the intent of the alternative measure
provision in statute is to promote innovation in claims-based
performance measurement, while ensuring that measures are not used in
the qualified entity program without proper testing and validation.
That said, in light of the comments received, we believe that greater
flexibility could be afforded to qualified entities to better balance
innovation with appropriate use. We are therefore adding additional
flexibility into the alternative measure process by adding a second
avenue by which to seek Secretarial approval of alternative measures.
In order to receive approval to use an alternative measure under this
new avenue, a qualified entity will need to submit documentation to CMS
outlining consultation and agreement with stakeholders in the
geographic region the qualified entity serves, and evidence that the
measure is ``more valid, reliable, responsive to consumer preferences,
cost-effective, or relevant to dimensions of quality and resource use
not addressed by such standard measures'' in accordance with the
statutory requirements at Section 1874(e)(4)(B)(ii)(II). Stakeholders
must include a valid cross representation of providers, suppliers,
employers, payers, and consumers. At a minimum, a qualified entity must
submit:
A description of the process by which the qualified entity
notified stakeholders of its intent to seek approval of an alternative
measure.
A list of stakeholders from whom feedback was solicited,
including the stakeholder names and each stakeholder's role in the
community.
A description of the discussion about the proposed
alternative measure, including a summary of all pertinent arguments for
and against use of the measure.
An explanation backed by scientific evidence that
demonstrates why the measure is ``more valid, reliable, responsive to
consumer preferences, cost-effective, or relevant to dimensions of
quality and resource use not addressed by [a] standard measure.''
CMS will review the submission and make a decision as to whether
the qualified entity has consulted the appropriate stakeholders and
whether the new measure meets the requirements for alternative measures
at Section 1874(e)(4)(B)(ii)(II) of the Act.
[[Page 76548]]
Qualified entities must send all the information required for approval
of an alternative measure to CMS at least 60 days prior to its intended
use of the measure. CMS will make every effort to ensure that measures
are approved during the 60 day period. If a CMS decision on approval or
disapproval for an alternative measure is not forthcoming within 60
days, the measure shall be deemed to be approved. However, CMS retains
the right to disapprove a measure if, even after 60 days, in accordance
with the statutory requirements at Section 1874(e)(4)(B)(ii)(II) it is
found to not be ``more valid, reliable, responsive to consumer
preferences, cost-effective, or relevant to dimensions of quality and
resource'' than a standard measure. Once a measure is approved CMS will
release the name of the measure, as well as the scientific evidence
that demonstrates why the measure is ``more valid, reliable, responsive
to consumer preferences, cost-effective, or relevant to dimensions of
quality and resource use not addressed by [a] standard measure.''
Alternative measures submitted and approved using this process may
only be used by the qualified entity that submitted the measure for
consideration because the stakeholder consultation approval process
only requires consultation with stakeholders in the geographic region
the qualified entity serves. If another qualified entity wishes to use
the same measure, it would need to consult with stakeholders in its own
community, and submit its own request for alternative measure approval
under the rulemaking or stakeholder consultation approval process.
However, we recognize that scientific evidence demonstrating that the
measure is ``more valid, reliable, responsive to consumer preferences,
cost-effective, or relevant to dimensions of quality and resource use
not addressed by [a] standard measure'' will not differ for a measure
in use across communities. Therefore, once an alternative measure is
approved for use via the stakeholder consultation approval process,
future requests for use of an identical measure will not need to
include the same explanation backed by scientific evidence that
demonstrates why the measure is ``more valid, reliable, responsive to
consumer preferences, cost-effective, or relevant to dimensions of
quality and resource use not addressed by [a] standard measure.''
However, if there is scientific evidence that has become available
since the measure was approved by CMS, the qualified entity seeking to
use that measure must conduct the necessary research and provide that
new scientific evidence to CMS.
We will also retain the notice and comment rulemaking process as a
second option for the approval of alternative measures. As discussed in
the proposed rule, alternative measures approved through notice and
comment rulemaking may be used by any qualified entity up until the
point that an equivalent standard measure for the particular clinical
area or condition becomes available.
Comment: One commenter suggested that the alternative measure
process as outlined conflicted with the process under Section 3014 of
the Affordable Care Act.
Response: Section 1874(e)(4)(B)(ii)(I) provides for the use of
standard measures such as the measures endorsed by the entity with a
contract under section 1890(a) of the Act (currently NQF) and measures
developed pursuant to section 931 of the Public Health Service Act.
Section 1874(e)(4)(B)(ii)(II) provides for use of additional measures
that are not approved by such entities. This latter category explicitly
provides for the approval and use of non-NQF standards. Furthermore,
section 3014 of the Affordable Care Act does not require the Secretary
to use the recognized standards by the entity with a contract under
section 1890(a) of the Act. It merely serves to provide recommendations
on appropriate standards to consider.
Comment: Several commenters questioned whether the requirement for
qualified entities to cease using alternative measures within six
months of an equivalent standard measure being endorsed was reasonable.
Response: We believe six months is a reasonable time period for
qualified entities to transition to using newly endorsed standard
measures equivalent to existing alternative measures or to submit
scientific justification to file a request for alternative measure
approval.
Comment: We received several comments on our definition of standard
measures. While many commenters were supportive of our definition, one
commenter suggested that we change our definition of standard measures
to include measures endorsed by consensus-based entities other than the
NQF. The commenter specifically mentioned the Patient Charter, a 2008
agreement among consumer, purchaser, provider and insurer groups on
principles to guide performance reporting. Other commenters asked if
all NQF-endorsed measures were standard measures. One commenter asked
that standard measures be limited to true outcome measures in order to
measure the effectiveness of care.
Response: We appreciate the suggestion to include measures endorsed
by consensus-based entities other than the NQF and have changed our
definition of standard measures to include such measures. Specifically,
we will now include as a standard measure any measure calculated in
full or in part from claims data that is endorsed by a consensus-based
entity, providing that the consensus-based entity has been approved as
such by CMS. Rather than defining consensus-based entities in advance,
CMS will approve organizations as consensus based entities on an as
needed basis.
To receive approval as a consensus-based entity, an organization
will need to submit information to CMS documenting their processes for
stakeholder consultation and measure approval. Such documentation must
show that the entity has a prescribed process for vetting and approving
measures that includes representation from all types of stakeholders
relevant to the topic being measured. The description of the approval
process must be publicly available and the stakeholder consultation
must be open to any that are interested in participating. Additionally,
organizations will only receive approval as a consensus-based entity if
all measure specifications are publicly available. Consensus-based
entities will receive approval for a time period of three years and
their endorsed measures will be made available to all qualified
entities. CMS will also make a list of approved consensus-based
entities available publicly. After three years, organizations will
simply have to resubmit documentation on their processes for
stakeholder consultation and measure again, noting any changes from
their original submission.
Regarding the request that we add a requirement that standard
measures be ``outcome measures,'' which we understand to mean measures
that evaluate final results, such as mortality rates, we feel that
imposing this requirement would substantially reduce the number of
available standard measures. Additionally, while we agree that outcome
measures may be better indicators of the effectiveness of care, we feel
process measures will also offer the public, as well as providers and
suppliers, important information on performance. Therefore, we have not
incorporated this suggestion.
Comment: One commenter suggested that the rule should permit the
use of composite measures.
[[Page 76549]]
Response: We believe that composite measures can be calculated and
reported under the revised alternative measure process we established
in this final rule.
Comment: One commenter suggested that the rule should permit
qualified entities to withdraw measures prior to public reporting if
the measure results turn out to be unreliable.
Response: We appreciate this suggestion; however, the statute
requires public reporting of all measures. Specifically, Section
1874(e)(4)(C)(iv) requires the reports be made available to the public,
while allowing for confidential review by providers and suppliers. We
note that this does not prohibit commentary on the measure and results
in the report. We hope that qualified entities will take the
requirement of public reporting into consideration when determining
which measures should be calculated under this program. We recognize
that there may be errors in measure calculation and believe that the
confidential reporting and appeals process will help qualified entities
discover and correct any errors in the calculation of measures.
Comment: We received a variety of comments on measurement
methodologies. Several commenters suggested that CMS should be more
proscriptive regarding the types of attribution, risk adjustment, and
benchmarking methods qualified entities should employ and that
methodology descriptions should be standardized across payers and
qualified entities. Commenters were also concerned about payment
standardization as it relates to efficiency and resource use measures.
Payment standardization is viewed as an important methodological
approach to normalize comparisons of resource use across providers and
suppliers. Several commenters also stressed the need for accurate
attribution and risk adjustment in general. One commenter asked if
methodologies employed by the qualified entity could change during the
three-year agreement period. One commenter urged CMS to require
qualified entities to submit to CMS a specific description of how it
will handle outlier providers and ensure that a report of a provider's
or supplier's performance is accurately adjusted as appropriate to
reflect characteristics of the patient population.
Response: The statute does not require CMS to be proscriptive in
this regard. Consistent with the statute, the proposed rule would
require qualified entities to submit to the Secretary a description of
methodologies that the qualified entity proposes to use to evaluate the
performance of providers and suppliers. The proposed rule would also
require qualified entities to include an understandable description of
their attribution, risk adjustment, and benchmarking methods so that
report recipients can properly assess such reports. We agree with
commenters that payment standardization is an important aspect of
measurement methodologies, and agree that payment standardization
methodologies should be included where appropriate. Therefore, we have
added a requirement that qualified entities include information on
payment standardization when appropriate.
Additionally, we feel that performance measurement is evolving, and
that clear standards for attribution, risk adjustment, and benchmarking
have not yet emerged, and therefore it would be inappropriate for CMS
to preemptively determine such standards. We are confident that as
qualified entities and the performance measurement environment matures
over the coming years methodologies will begin to coalesce around
clearly defined standards. As discussed above, qualified entities can
change methodologies during the three year agreement period provided
they give appropriate notice to CMS and receive CMS' approval.
Regarding outliers, we feel that this issue will be adequately
addressed in the requirements at Sec. 401.707(b)(5)(ii) for a
qualified entity to provide details on methodologies it intends to use
in creating reports with respect to benchmarking performance data,
including methods for creating peer groups, justification of minimum
sample size determinations, and methods for handling statistical
outliers, to both CMS and users of the reports.
Comment: One commenter asked about the release of the details of
proprietary methodologies and proprietary measure specifications to
CMS.
Response: While we understand the concerns about releasing
methodologies for proprietary measures, we believe that the goal of
this program is to increase transparency. As discussed above in section
II.A.3., we are not requiring qualified entities to submit measure
specifications for standard measures because, thus far, all
specifications for these measures are available to the public. However,
we believe that, in order for CMS to evaluate a qualified entity's
proposed plan for calculating measures, disclosure of proprietary
measure methodologies and proprietary specifications for alternative
measures to CMS as part of the application process is warranted. The
Trade Secrets Act (18 U.S.C. 1905) bars CMS from re-disclosing
proprietary information unless it is authorized to do so by law. Any
disclosure to CMS regarding measurement methodologies or specifications
will generally not be made public by CMS. As a result, we feel it is
appropriate to require the disclosure of detailed methodologies and
specifications for alternative measures to CMS as part of the
application.
Additionally, qualified entities will be required to disclose
proprietary measure methodologies to providers and suppliers as a part
of the confidential review process. We believe it is essential for
providers and suppliers to understand exactly how the measure is
calculated in order to review their results. To protect proprietary
methodologies, a qualified entity may choose to limit further
disclosure of proprietary measure methodologies, perhaps by requiring a
provider or supplier to execute a non-disclosure agreement as a
condition of that disclosure; however, the qualified entity must share
the proprietary measure methodologies with the provider or supplier
regardless of whether they are willing to execute a non-disclosure
agreement. If a qualified entity does not wish to share proprietary
measure methodologies with both CMS and providers or suppliers, it
should not seek approval to use those measures in the qualified entity
program.
Comment: One commenter suggested that all proposed measures, both
standard and alternative, be open for public review by providers and
suppliers prior to approval.
Response: We do not feel that this requirement is necessary.
Standard measures as currently defined have already been subject to
multi stakeholder input and approval either through the entity with a
contract under section 1890(a) of the Act (currently NQF) or through
public comment via notice and comment rulemaking in the case of CMS
measures. Also, any measures developed by a consensus based entity will
have gone through some form of stakeholder consultation. Thus far,
there have been no measures developed pursuant to section 931 of the
Public Health Service Act; however, section 931 requires consultation
with stakeholders during the quality measure development process.
Further, both of the alternative measure processes include requirements
regarding stakeholder input.
Comment: Several commenters urged CMS to provide a comprehensive
list of
[[Page 76550]]
the standard and alternative measures that qualified entities may use.
Response: We plan to release a list of standard measures to
potential qualified entity applicants prior to the start of the
program. We would like to note, however, that this list will be dynamic
since the entity with the contract under section 1890(a) of the Act
(currently NQF) is continually reviewing measures for endorsement and
CMS is continually undergoing rulemaking to add measures to our
programs. Additionally, as new consensus based entities are approved by
CMS, additional standard measures will be available for use by
qualified entities. We will also release a list of approved alternative
measures once alternative measures are approved. Qualified entities are
encouraged to check these lists frequently to ensure they have the most
accurate information regarding acceptable measures.
2. Reports and Reporting
Section 1874(e)(4)(C)(ii) of the Act requires qualified entities to
make their draft reports available in a confidential manner to
providers and suppliers identified in the reports before such reports
are released publicly in order to offer them an opportunity to review
these reports, and, if appropriate, appeal to request correction of any
errors. After reports have been shared confidentially with providers
and suppliers, and there has been an opportunity to have any errors
corrected, Section 1874(e)(4)(C)(iv) of the Act requires the reports to
be made available to the public.
As stated in the statute at Section 1874(e)(4)(C)(i) of the Act,
the reports must include ``an understandable description'' of the
measures, rationale for use, methodology (including risk-adjustment and
physician attribution methods), data specifications and limitations,
and sponsors. We interpreted ``an understandable description'' to mean
any descriptions that can be easily read and understood by a lay
person. Additionally, the reports to the public may only include data
on providers or suppliers at the provider or supplier level with no
claim or patient-level information to ensure beneficiary privacy.
We proposed requiring qualified entities to submit prototype
reports for both the reports they would send to providers and
suppliers, and the reports they would release to the public (if they
are different) in their application, including the narrative language
they plan to use in the reports to describe the data and results.
Comment: We received several comments about the reporting process
generally. One commenter asked that qualified entities be required to
report less frequently than once per year, as proposed. Other
commenters asked that qualified entities be required to report more
frequently than once per year. Yet other commenters expressed concern
about public reporting and asked that no measurement data be publicly
reported at all.
Response: The statute, at 1874(e)(C)(iv), requires qualified entity
reports to be made available to the public after they are made
available to providers and suppliers for review and requests for
corrections. We have no discretion to allow qualified entities to
produce reports for confidential use only. While the statute does not
mention any specific frequency of public reporting, we believe that
once per year is an appropriate requirement. Requiring public reporting
once per year strikes a balance between reporting frequently enough
that the information is actionable for consumers, and not reporting so
frequently that providers and suppliers constantly have to
confidentially review reports. However, we note that reporting once per
year is the minimum requirement. A qualified entity may choose to
report more frequently than once per year, as long as it is still able
to meet the requirement of allowing providers and suppliers the
opportunity to review and request error correction.
Comment: Commenters raised questions about the possibility of
providers and suppliers receiving multiple reports, which may
potentially contain contradictory or confusing performance measure
results. Some commenters requested that CMS standardize the report
formats among qualified entities to make them easier to interpret, and
others simply asked CMS to clarify how we will address this issue.
Response: As discussed in the proposed rule and above, we do not
intend to limit the number of qualified entities accepted for
participation into this program, and therefore, it is possible that
there will be more than one qualified entity working in the same
geographic area. While we are requiring qualified entities to submit
prototype reports for CMS approval before use, we do not intend to
standardize the reports. We believe this program is intended to
supplement measurement activity already ongoing at the community level,
and excessive CMS involvement will erode the relationships qualified
entities either already have, or will develop, with providers and
suppliers. This is precisely why providers and suppliers are afforded
the opportunity to review their reports and work through any issues
directly with the qualified entity, and not with CMS.
Comment: We received several comments regarding the provider or
supplier's role in the reporting process. One commenter stated that
providers and suppliers should be allowed to petition CMS to require
qualified entities to modify report formats. Another commenter
requested that qualified entities should be required to include
providers' or suppliers' comments in the public reports. And finally,
one commenter requested that qualified entities be required to be
capable of allowing providers and suppliers to download reports
electronically.
Response: As stated in the proposed rule, and discussed elsewhere
in this final rule, CMS' direct role in this program is relatively
limited, and includes only the functions necessary for reviewing
applications from qualified entities and providing standardized data
extracts to those entities that meet the requirements, as well as
describing the program to the public. We believe these comments about
issues related to how the qualified entities publicly report data are
outside the scope of CMS' statutory authority under section 1874(e).
Therefore, providers and suppliers will not be allowed to petition CMS
to change the reports, and a qualified entity will decide itself
whether to post comments in a public report or make its reports
available for download in an electronic format.
Comment: One commenter noted that the proposed rule could be
interpreted as requiring qualified entities to do all reporting at the
individual physician level. Another commenter noted that, in terms of
performance measurement, specialty hospitals need to be accounted for
differently.
Response: The statute does not specify the level at which reports
are to be generated (that is, individual physician, physician group,
integrated delivery system, etc.), nor does it specify the types of
providers and suppliers to be measured. A qualified entity may choose
to which providers and/or suppliers it will apply measures, and in so
doing, for which entities its reports will be generated. Reporting may
be at any level for which the measures can be used, but reports must be
devoid of patient identifiers to protect the identity of the
beneficiaries.
Comment: One commenter requested that CMS require qualified
entities to license or otherwise make available quality measures to
other entities that
[[Page 76551]]
have the ability to publish performance measurement information.
Response: As stated above, these regulations will generally not
place any added limitations on what is otherwise feasible under
applicable law (such as copyright law). Qualified entities cannot,
however, charge providers or suppliers for the confidential pre-
publication reports, and they must make reports available to the public
free of charge in accordance with section 1874(e)(4)(c)(iv).
C. Data Extraction and Dissemination
Section 1874(e)(3) of the Act requires the Secretary to provide
qualified entities with standardized extracts of claims data from
Medicare parts A, B, and D for one or more specified geographic areas
and time periods. For Medicare parts A and B, we proposed that these
data extracts would include information from all seven claim types that
are submitted for payment in the Medicare Fee-For-Service Program,
including both institutional and non-institutional claims.
Institutional claim types include inpatient hospital, outpatient
hospital, skilled nursing facility, home health, and hospice services,
whereas non-institutional claim types include physician/supplier and
durable medical equipment claims. Medicare institutional and non-
institutional claims include, but are not limited to, the following
data elements: Beneficiary ID, claim ID, the start and end dates of
service, the provider or supplier ID, the principal procedure and
diagnosis codes, the attending physician, other physicians, and the
claim payment type.
We proposed that qualified entities would also receive certain Part
D information for beneficiaries enrolled in the Medicare Fee-For-
Service Program. The Part D information is known as ``drug event''
information, as opposed to ``claims'' information, because prescription
drug coverage under Part D is provided by private insurance plans or
``Part D plan sponsors.'' Part D plans are responsible for paying a
claim for benefits at the pharmacy. The Part D plan then submits a
Prescription Drug Event record or ``PDE'' to CMS. The key data elements
in the Part D prescription drug event database include: Beneficiary ID,
prescriber ID, drug service date, drug product service ID, quantity
dispensed, days' supply, gross drug cost, brand name, generic name, and
drug strength. CMS will also include an indication if the drug is on
the formulary of the Part D plan.
In order to allow qualified entities to link Medicare claims for an
individual beneficiary, with appropriate security and privacy
protections, we proposed that all claims files would contain a unique
encrypted beneficiary identification (ID) number, rather than the
actual beneficiary Medicare Health Insurance Claim Number (HICN).
Comment: We received several comments regarding data extract
structure. A number of commenters requested clarification on how the
data linkage across data sets will be accomplished. Several comments
asked how qualified entities would identify the provider or supplier
associated with a claim. One commenter expressed concern that no
accurate or acceptable physician contact data base or directory is
currently available on a nationwide level. An additional comment asked
if CMS plans to make changes to the data in the CMS database if a
qualified entity, provider, or supplier determines there is an error in
the Medicare claims data.
Response: CMS understands the importance of linking beneficiaries
across Medicare data sets in a way that is secure and protects
beneficiaries' privacy. All claims files provided to qualified entities
will contain a unique encrypted beneficiary identification number that
will allow a qualified entity to link claims for an individual
beneficiary across all Medicare claim types and across all years. That
is, a unique encrypted beneficiary ID number will be assigned to an
individual beneficiary and will remain the same for that individual
beneficiary across Medicare claim types and years. This encrypted
beneficiary ID is unique to the qualified entity program and will be
included on each file the qualified entity receives. With appropriate
security and privacy protections, these files will also contain
beneficiary date of birth, race, and gender, important elements for
calculating performance measures.
Additionally, to allow qualified entities to identify the provider
or supplier associated with a claim, the files will contain the actual
provider or supplier ID or, where required by law, the National
Provider Identifier (NPI). Although, in HIPAA standard transactions the
NPI must be used in lieu of other provider numbers, CMS will also make
the Unique Physician Identification Number (UPIN) associated with the
claim available to qualified entities. CMS maintains both a publically
available query-only database and a publically available downloadable
file that links the NPI to other information on a provider such as the
provider name and mailing address. We believe that this national-level
database and downloadable file will allow qualified entities to
identify the provider or supplier associated with the claim.
Furthermore, given the eligibility requirements described above in
Section II.A.1.a., we expect approved qualified entities to have
experience in accurately identifying a provider or supplier across
multiple data sources.
As to reporting suspected issues with CMS data, CMS currently has a
process in place for reporting, tracking, and resolving potential
errors or issues identified in CMS data. Once approved, each qualified
entity will receive guidance and training in this area.
Comment: Several commenters raised concerns about some of the data
elements we proposed to release. A number of commenters expressed
concern on the release of drug cost information in the Part D data, as
well as the release of Part D plan identifiers. Additionally, a handful
of commenters suggested that private physician financial information
contained in the Part B data is protected from disclosure under the
Privacy Act.
Response: CMS is aware of the concerns and restrictions on
releasing certain Part D drug cost information. Given these concerns,
in the files provided to qualified entities, CMS will release the Total
Drug Cost element, which is derived from the sum of four elements:
Ingredient Cost, Dispensing Fee, Vaccine Administration Fee, and Total
Amount Attributable to Sales Tax. However, to protect the Part D plans'
proprietary cost information, these individual component costs will not
be released. We believe the aggregation of cost information will help
to ensure that the most confidential information--the separate amounts
paid by Part D sponsors for ingredient cost or dispensing fee--will not
be released. This approach is also consistent with the treatment of
these data under the regulations governing the use and disclosure of
Part D data for non-payment related purposes. See 73 FR 30,664, 30669
(May 28, 2008). Furthermore, the Part D data will not identify
individual Part D plans, but will include an encrypted plan ID number.
We believe this encryption will afford further protection for Part D
drug cost information.
While certain physician payment information contained in the Part B
claims data is protected from disclosure to the general public by court
injunctions entered in Florida Medical Association, Inc. v. Department
of Health, Education & Welfare, 479 F. Supp. 1291 (M.D. Fla. 1979), and
American Ass'n of Councils of Medical Staffs of Private Hospitals, Inc.
v. Health Care Financing Administration, No. 78-
[[Page 76552]]
1373 (E.D. La 1980), that protection is specific to disclosures under
the Freedom of Information Act (FOIA) exception to the Privacy Act at 5
U.S.C. 552a(b)(2). Disclosures made under the qualified entity program
under section 1874(e) of the Act are not FOIA-based disclosures.
Rather, they are ``routine use'' disclosures from the National Claims
History (NCH)--System No. 09-70-0558, Medicare Drug Data Processing
System (DDPS)--System No. 09-70-0553, Medicare Integrated Data
Repository (IDR)--System No. 09-70-0571, and Chronic Condition Data
Repository (CCDR)--System No. 09-70-0573 systems of records under the
Privacy Act and these implementing regulations. As such, they are not
subject to the injunction.
Comment: We received a variety of comments on technical assistance
for qualified entities. Several commenters asked that CMS provide
technical assistance, but not include it in the fee charged for the
data. Other commenters suggested that technical assistance would not be
needed.
Response: We plan to provide qualified entities with the option to
request technical assistance. Since we are removing all program
management costs from the fee we will charge qualified entities, see
discussion below at II.C.3., we do not plan to charge for these
services.
1. Number of Years of Data
CMS proposed to provide qualified entities with the most recent
three calendar years of Medicare final action data available at the
time the qualified entity is approved for participation in the program.
Comment: Comments from both potential qualified entities and
provider groups raised concerns about the timeliness of the data.
Commenters generally requested that CMS release data on a quarterly
basis or a rolling 12 month basis, with no more than a quarterly time
lag. One commenter suggested that CMS only provide qualified entities
with two calendar years of data because performance information
regarding care provided in 2008 is too outdated to be relevant for
providers or consumers.
Response: We agree with commenters, so we are modifying what we
proposed to make more timely data available to qualified entities. CMS
will provide qualified entities with the most recent available
historical data, which, for qualified entities approved at the
beginning of the program, we expect would include data for CY2009,
CY2010, and the first two quarters of 2011. Then, we would provide
quarterly data updates on a rolling basis.
2. Geographic Areas
CMS proposed to provide qualified entities with standardized data
extracts for either a single geographic area or multiple regions, and
to limit the provision of Medicare data to the geographic spread of the
qualified entity's other claims data. In the proposed rule, we sought
comment on releasing nationwide extracts of Medicare data.
Comment: Several commenters requested that CMS release nationwide
Medicare claims data. Some expected to conduct a nationwide performance
review program, but many were interested in calculating national
benchmarks. Commenters expressed feelings that national Medicare
benchmarks would foster greater consumer and provider understanding of
local measure results.
Response: For entities interested in conducting a nationwide
performance review program, we are unsure about the ability of any one
entity to assemble a sufficient amount of data nationally to justify a
nationwide release of Medicare data. If a qualified entity can
demonstrate it has a sufficient amount of data nationwide, however, CMS
will provide a 100% national extract.
We agree that nationwide data may assist qualified entities in
benchmarking their results. As a result, qualified entities will be
allowed to request a 5% national sample of Medicare claims for the
purposes of calculating national benchmarks. The 5% national sample of
claims will not include a crosswalk to beneficiary names and Health
Insurance Claim Numbers, discussed below in Section D.1, only the
encrypted beneficiary ID to allow linking across Medicare claims data
for measure calculation purposes. Qualified entities should provide a
justification of needing a 5% national sample with their request. We
will include a requirement in the Data Use Agreement (DUA, discussed in
more detail below) prohibiting qualified entities from re-identifying
claims included in the national sample they receive. Additionally, as
these files are already in existence because they are used for other
purposes, we anticipate that the cost of making this data available
will be nominal.
Comment: We received several comments on how CMS would determine
which claims apply to a certain geographic region. We also received
comments requesting that CMS not limit the provision of Medicare data
to the geographic spread of the qualified entity's other claims data.
Response: We will release claims based on the location of the
beneficiary residence, not the location of the provider or supplier
rendering the services. This will mean the qualified entity might not
receive all of the Medicare claims for a given provider or supplier.
While we recognize the desire to calculate performance measures for
areas outside the geographic spread of the qualified entity's other
claims data, we believe the intent of statute is for qualified entities
to combine other claims data from an area with Medicare claims data for
that same area to produce robust and actionable performance measures
for providers, suppliers, and consumers.
3. Cost To Obtain Data
Section 1874(e)(4)(A) of the Act requires qualified entities to pay
a fee for obtaining the data that is equal to the cost of making such
data available. In the proposed rule CMS interpreted the cost of making
the data available to include two parts: (1) The cost of running the
qualified entity program, including costs for processing applications,
monitoring qualified entities, and providing technical assistance, and
(2) the cost of creating a data set specific to each qualified entity's
requested geographic area and securely transmitting the data set to the
qualified entity. We estimated that the approximate cost to provide
data for 2.5 million beneficiaries to a qualified entity would be
$200,000. Approximately $75,000 of the $200,000 is cost of the claims
data and approximately $125,000 is the cost of making the data
available. We proposed that data costs would vary depending on the
amount of data requested.
Comment: Many commenters stated that CMS was being too broad in our
interpretation of the statutory requirement to charge qualified
entities for the cost of making the data available. Commenters
suggested that CMS only charge qualified entities for the cost of
generating the data, and not the cost of running the program. The
comments also noted that high cost would be a barrier to entry for non-
profit organizations and states.
Response: CMS concurs that there are public interests at stake that
justify narrowing the scope of what constitutes the cost of making this
data available. As such, we will drop the program management portion of
the costs from what is included in the data fee we will charge
qualified entities. We have also worked to identify several
efficiencies in data preparation and distribution that will
significantly reduce our initial
[[Page 76553]]
estimates for data costs. Our initial estimates were based on the fee
we charge researchers for similar data. However, because all qualified
entities will receive a standardized extract of the Medicare data, we
will not need to address each request for data on an individual basis
as we do with researchers, thereby significantly reducing the cost of
making the data available, particularly the costs of encrypting the
data.
We estimate that the total approximate costs to provide data for
2.5 million beneficiaries to qualified entities would be $40,000 in the
first year of the program. We estimate that the cost to provide ten
quarters (CY 2009, CY 2010, and Q1-Q2 CY2011) of data when the
qualified entity is first approved would be $24,000. Thereafter, in
2012 qualified entities would get 2 additional quarterly updates
covering the remainder of CY 2011, each for a fee of $8,000, bringing
the total cost of data for the first year of the program to $40,000.
After the first year, qualified entities would get quarterly updates,
each for a fee of $8,000, bringing the total cost to a qualified entity
for subsequent years of the program to $32,000. It is important to note
that all estimates of data costs are currently predicated on an
estimate of 25 qualified entities, so if fewer than 25 qualified
entities are approved, data costs per qualified entity will be higher,
and conversely, if greater than 25 are approved, the costs will be
lower. Additionally, data costs for qualified entities will vary
depending on the amount of Medicare claims data the qualified entity
requests (for example, more than one State, or a nationwide extract).
CMS also reserves the right to revise the cost of the data if
unanticipated expenses are determined in the future.
D. Data Security and Privacy
The subpart created by these regulations will create a new program
that provides for the release of Medicare beneficiary level data, with
appropriate privacy and security protections. We recognize that many
qualified entities will have had many years of experience using claims
data to produce performance reports on providers and suppliers.
Additionally, many qualified entities will have received data from
private health plans through agreements that will require that the
qualified entities observe certain security and privacy standards. We
also recognize that new organizations or combinations of organizations
may want to serve as qualified entities to produce performance reports.
While CMS is committed to ensuring the success of qualified entities in
combining Medicare data with claims data from other sources to create
comprehensive performance reports for providers and suppliers, CMS is
also committed to ensuring that the beneficiary-level data provided to
qualified entities is subject to stringent security and privacy
standards throughout all phases of the performance measure calculation,
confidential reporting, appeal, and public reporting processes.
In 2008, we published a regulation to permit Part D prescription
drug event data to be used for program monitoring, research, public
health, care coordination, quality improvement, population of personal
health records, and other purposes. See 73 FR 30664. We intend to
ensure that the release of Part D prescription drug event data under
this program complies with the requirements in the Part D data
regulation, including the minimum necessary data policy, and that
qualified entities take the necessary steps to ensure that any
prescription drug event data released to providers and suppliers as
part of the review, appeal, and error correction process are also
safeguarded to ensure the privacy and security of beneficiary
information.
Comment: Commenters were generally supportive of our intent to
ensure the privacy and security of Medicare data under this program. A
few commenters made specific suggestions regarding data privacy in
general. One commenter suggested we clarify the interaction of this
program and its data privacy and security requirements with State data
privacy laws and specifically requested that CMS promulgate regulations
that would preempt State law.
Response: On the issue of the interaction of this program with
State laws, we believe the issuance of universally applicable privacy
regulations that would preempt State laws is outside the scope of the
qualified entity program. Qualified entities will need to abide by
applicable state laws in addition to the requirements in this subpart.
1. Privacy and Security Requirements for Qualified Entities
We proposed to require that qualified entities have in place
security protections for all data released by CMS, and any derivative
files, including any Medicare claims data and any beneficiary
identifiable data.
We proposed that in order to be eligible to apply to receive
Medicare data as a qualified entity, the applicant must demonstrate its
capabilities to establish, maintain, and monitor a rigorous data
privacy and security program, including ensuring compliance with
submitted plans related to the privacy and security of data.
Additionally, we proposed a requirement that the applicant submit to
CMS a description of its rigorous data privacy and security policies
including enforcement mechanisms. As part of their applications,
qualified entities will also have to explain how they would ensure that
only the minimum necessary beneficiary identifiable data would be
disclosed to the provider or supplier in the event of a request by a
provider or supplier in the context of a confidential review of a
report, and how data would be securely transmitted to the provider or
supplier.
Comment: Commenters were generally supportive of requiring that
qualified entities have rigorous data privacy and security protocols in
place. Several commenters recommended that CMS require qualified
entities to impose the same data and security requirements on the
qualified entity's non-Medicare claims data as we require on the
Medicare claims data. One commenter suggested CMS require qualified
entities and other non-covered entities (that is, the small fraction of
providers who do not submit claims electronically, and are therefore
not subject to HIPAA) to enter into business associate agreements with
CMS, pursuant to HIPAA.
Response: We agree that the integrity of performance measurement
depends on the integrity of the data, and CMS intends to take very
seriously its role in ensuring qualified entities use Medicare data
appropriately. However, we do not have the statutory authority to
impose specific requirements on qualified entities with regard to the
privacy and security of their non-Medicare claims data. It is our
understanding that organizations will have executed contracts or other
agreements with the entities from which they receive the non-Medicare
claims data (for example, commercial insurance plans) that will contain
the privacy and security requirements regarding that data. Similarly,
we also cannot prescribe how or where a qualified entity stores its
non-Medicare data.
We seek to clarify the interaction between this program and HIPAA.
Some commenters thought that we could address the privacy and security
concerns related to qualified entities and other entities that are not
directly subject to HIPAA by making them CMS' business associates
(BAs). BAs are persons who or entities that use or disclose
individually identifiable health information in conducting functions or
[[Page 76554]]
activities on behalf of a covered entity (see the definition of a BA at
45 CFR 160.103), but qualified entities and providers and suppliers
subject to the qualified entity program cannot serve as BAs because
they are not doing their work on behalf of CMS as part of the Medicare
program. CMS is merely providing data to qualified entities in
accordance with the mandate in the Affordable Care Act, and, as such,
its disclosure of protected health information is permitted by the
HIPAA Privacy Rule as ``required by law'' (45 CFR 164.512(a)). That
said, we believe our thorough evaluation of applicant qualified
entities, the requirement to sign a Data Use Agreement (DUA), and
subjecting the qualified entities to ongoing monitoring will be
sufficient to ensure that qualified entities are appropriately using
the Medicare data, as well as appropriately disclosing the Medicare
data to providers and suppliers who request it.
We proposed to require each approved qualified entity sign a DUA,
which requires a level and scope of security that is not less than the
level and scope of security requirements established by the Office of
Management and Budget (OMB) in OMB Circular No. A-130, Appendix III--
Security of Federal Automated Information Systems (http://www.whitehouse.gov/omb/circulars/a130/a130.html) as well as Federal
Information Processing Standard 200 entitled ``Minimum Security
Requirements for Federal Information Systems'' (http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf); and Special
Publication 800-53 ``Recommended Security Controls for Federal
Information Systems'' (http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf).
Comment: Commenters were in support of requiring qualified entities
to sign a DUA with CMS. One commenter suggested we ensure the DUA is
appropriate for this program, since the DUA cited in the proposed rule
was the current DUA used for research purposes. Another commenter
suggested CMS impose civil and criminal penalties on any qualified
entity that causes a data privacy breach or violation. In addition, one
commenter requested that we discuss how a qualified entity's existing
DUAs might interact with this program.
Response: We believe the requirement for each qualified entity to
sign a DUA will ensure a high level of privacy and security of the
Medicare data given to qualified entities. Because we have clarified
that qualified entities do not need to be composed of a single legal
entity, but may contract with other entities to achieve the ability to
meet the eligibility criteria, we also clarify that both the lead
entity as well as its contractors that are anticipated to use Medicare
claims data or beneficiary identifiable data are required to sign the
DUA. As discussed in the proposed rule, the DUA cited in the proposed
rule is the current research DUA. We intend to use the addendum feature
provided for in paragraph 12 of the document to address the specific
needs of the qualified entity program. With regard to the comment
suggesting imposition of civil and criminal penalties, we point out
that the DUA currently does, and will continue to have, enforcement
mechanisms including criminal penalties. CMS intends to make use of
these provisions in the event of a breach or violation. We do not have
the statutory authority to impose penalties beyond those already listed
in the DUA. Finally, we note that DUAs are specific to a particular
data disclosure from CMS to a data recipient. Any existing DUAs a
qualified entity may have in place will only affect the data received
under those DUAs. The qualified entity program DUA will govern
qualified entity program Medicare data.
Comment: We received some comments containing suggestions for
requirements CMS should impose on qualified entities with regard to
internal qualified entity operations. These suggestions included
requiring that qualified entities limit the number of staff with access
to identifiable information, and that qualified entities store Medicare
data separately from other claims data.
Response: The DUA, discussed above, contains provisions regarding
access to and storage of CMS data. The DUA requires the qualified
entity to limit access to the identifiable Medicare data to the minimum
number of individuals required to create the performance reports. The
DUA also requires the qualified entity to specify the site where the
data is to be stored and to grant CMS access to the site to confirm
compliance with the DUA. Additionally, as stated in the preamble to the
proposed rule, we believe the entities that will be successful
applicants to this program are entities that are experienced in
handling sensitive information and will have the appropriate internal
protocols and procedures in place.
We also sought public comment on the appropriateness of accepting
some form of independent accreditation or certification of compliance
with data privacy and security requirements from qualified entities,
and what that accreditation or certification might entail. The
accreditation or certification would need to be at a level and scope of
security that is not less than the level and scope of security
requirements described above.
Comment: We received no comments on this proposal.
Response: Since we received no comments, we will not require
qualified entities to have any kind of accreditation or certification
separate from CMS' process in reviewing the application and requiring a
signed DUA.
We proposed that all the Medicare claims data provided to qualified
entities would contain a unique encrypted beneficiary identification
number, which would enable the qualified entities to link all Medicare
claims for an individual beneficiary without knowing the identity (that
is, name or Medicare Health Insurance Claim Number) of the beneficiary.
We did not propose to send patient names with the claims data that
would be initially disclosed to qualified entities. However, we
recognized the need for beneficiary names to facilitate provider and
supplier appeals.
In the proposed rule, we considered three potential options for
sharing beneficiary identifiers with qualified entities, and by
extension, providers and suppliers. Under the first option, all
qualified entities would be provided with a crosswalk file, with
appropriate privacy and security protections, linking all encrypted
beneficiary identifiers to the patients' names for their Medicare data.
This would provide the qualified entity with identifiable data, but
qualified entities would be permitted to give to a provider or supplier
only the names of the beneficiaries included in that requester's
performance report. Under the second option, CMS would only provide
beneficiary names to qualified entities on a transactional basis for
the purposes of responding to specific requests for data by providers
and suppliers. Each request for beneficiary names would be addressed on
a case-by-case basis through the forwarding of each data request by the
qualified entity to CMS. CMS would then allow the qualified entity
access to the beneficiary names for the specific data request. Under
the third option, a provider or supplier who wishes to receive
beneficiary names would request the encrypted claims data from the
qualified entity as permitted under the statute. Then, the provider or
supplier would submit a request to CMS for the beneficiary names for
those specific claims and CMS would share the beneficiary names
directly with the provider or supplier. Under the third
[[Page 76555]]
option, the qualified entity would never have access to the beneficiary
names.
Comment: Comments were mixed between favoring the first option and
the second option. Very few commenters supported the third option. As
discussed above in Section II.B.1., some commenters were interested in
using measures that incorporate clinical data. A number of these
commenters noted that the information contained in the crosswalk under
option one (beneficiary names) would be necessary to their being able
to link claims data to clinical data. Several commenters also noted
that they would need an additional identifier, like the Medicare Health
Insurance Claim Number (HICN), if they were to ensure the accurate
linkage. Among other things, they asserted that the inclusion of
multiple identifiers would ensure that they could differentiate amongst
individuals with similar or identical names. Additionally, several
commenters noted that, in instances in which an individual moved from
coverage under one plan (for example, a private plan) to coverage under
another (for example, Medicare), they would need patient identifiers in
order to track the care provided to a patient over time. These
commenters also supported the first option since it would allow
qualified entities to match an individual's claims from other sources
with their Medicare claims data. Commenters also supported the first
option because it would allow qualified entities to quickly respond to
requests for the data from providers and suppliers, and argued that the
first option would be the least burdensome for qualified entities.
One commenter suggested we phase-in release of beneficiary-
identifiable information: In the first year, qualified entities would
receive the full crosswalk so they can easily respond to the
anticipated high volume of requests from providers and suppliers, but
in later years, after recipients are more familiar with the reports,
beneficiary-identifiable information would only be released on a
transactional basis. Still other commenters supported the second option
because they felt it offered an appropriate balance between ensuring
beneficiary privacy and allowing qualified entities to respond to
specific provider or supplier requests for beneficiary names.
Response: In response to the insights offered by the comments, we
plan to implement a modified version of the first option. While we had
thought that ``If one approaches this issue purely from the point of
view of the ability of qualified entities to engage in measure
calculation and reporting, beneficiary identifiable data is not
required'' (76 FR 33574), it is clear from the comments noted above
that beneficiary identifiable data, with appropriate privacy and
security protections, is required if clinical data is to be used or if
a qualified entity needs to link an individual's claims records across
plans as they move over time from plan to plan.
For example, a qualified entity could have private plan data for a
patient who was enrolled in a private health plan in 2009 and early
2010, but then in May 2010 enrolled in Medicare. To accurately
calculate measures, the qualified entity may need to be able to match
the private payer claims data that covers 2009 and January to April of
2010 for the patient with the Medicare claims data that covers May 2010
forward for the same patient. The beneficiary name alone would not be
sufficient to match patients between claims data sources because of the
high likelihood of duplicative names or naming variations in the data.
To accurately match claims data from multiple sources, the patient
social security number would be ideal. However, Medicare claims contain
the Medicare HICN, which for many beneficiaries is the beneficiary's
social security number plus a letter. In most cases the HICN will allow
qualified entities to differentiate between individuals, and may allow
for accurately matching claims data between sources in those instances
in which it does include the beneficiary's own social security number.
We acknowledge that there are cases where the HICN does not include the
beneficiary's social security number, for example, for beneficiaries
who qualify for Medicare through their spouse. In these cases, the
beneficiary name will be the best available identifier to use to match
records from multiple sources, but even if the HICN cannot be used to
match claims data between sources, it will still be needed to
differentiate individuals with similar names or naming variations.
In light of the overwhelming support for the release of a crosswalk
file in the comments, the likelihood that entities will need the
identifiers to combine clinical data or link claims records across
plans over time, the need for the identifiers to conduct the provider
and supplier review and appeal process, and the considerable costs that
would be entailed in building a case-by-case inquiry capability for
qualified entities, we will amend our proposal and adopt the policy of
automatically releasing a crosswalk file with appropriate privacy and
security protections linking the encrypted ID to both the beneficiary
name and the beneficiary Medicare HICN to all qualified entities. This
constitutes a modified version of option one.
We expect that our rigorous eligibility requirements, the
requirement that the lead entity, as well as any contractors who use
the data, sign a DUA, and comprehensive monitoring process will ensure
that any data shared with qualified entities are kept in a manner that
will not compromise beneficiary privacy. As noted above, an applicant
must have strict data privacy and security protocols in place to be
eligible to serve as a qualified entity. Furthermore, the DUA contains
a requirement that the qualified entity establish the ``appropriate
administrative, technical, and physical safeguards to protect the
confidentiality of the data and to prevent unauthorized use or access
to it'' and does not allow the data to be physically moved,
transmitted, or disclosed without written approval from CMS. The DUA
also allows CMS or the Office of the Inspector General to access the
site where the data is stored to confirm compliance with required
security standards. The DUA requires the qualified entity to limit
access to the data to the minimum amount of data and minimum number of
individuals necessary to achieve the purposes of the qualified entity
program. In the event that CMS determines or has a reasonable belief
that unauthorized uses, reuses, or disclosures of the data may have
taken place, the DUA allows CMS, among other things, to require the
destruction of all data files and to refuse to release further CMS data
to the qualified entity for any period of time. As noted above, the DUA
also contains criminal penalties, including fines and imprisonment, for
unauthorized disclosures of the data. The comprehensive qualified
entity monitoring program is discussed in more detail below in section
II.F. and includes CMS audits of qualified entities' use of the data,
site visits, and analysis of beneficiary and/or provider complaints
among other things.
As a result of the decision to release a crosswalk with appropriate
privacy and security protections to all qualified entities, qualified
entities will already be in possession of patients' names and HICNs at
the time providers and suppliers are reviewing draft reports and making
correction requests. We will ensure that the qualified entity program
DUA (discussed above) provides for qualified entities releasing names
only upon request by providers and suppliers
[[Page 76556]]
when that information is relevant to their review and requests for
correction.
We recognize that some may question why we are retaining our plan
to include an encrypted beneficiary identifier in the claims data if
every qualified entity will receive the crosswalk. We have two reasons
to separate the claims data from the beneficiary names and HICNs.
First, shipping the claims data separate from the crosswalk file adds
an additional level of security while the data is in transit. Second,
we believe that qualified entities may want to limit access to the
crosswalk file to ensure the utmost privacy and security of this data
and having two separate files will make this much easier.
It is also worth noting that CMS does not ship claims data without
first encrypting the data. Unlike encrypting an individual data
element, this process involves cryptographically scrambling the data so
that it cannot be correctly re-assembled (that is, deciphered) unless
the receiving party has the correct key. This protects the data while
it is in transit.
We hope that through implementing this modified version of option
one with appropriate privacy and security protections, qualified
entities will be able to link clinical data to claims data and match
claims data from other sources to Medicare claims data for the same
patient. Additionally, implementing a modified version of option one
allows qualified entities to quickly respond to requests from providers
or suppliers for beneficiary identifiers during the report review and
correction request process.
2. Privacy and Security Requirements of Data Released to Providers and
Suppliers
Section 1874(e)(4)(B)(v) of the Act requires qualified entities to
make the Medicare claims data they receive available to providers and
suppliers upon their request. We do not interpret this requirement to
mean that providers or suppliers could receive all Medicare claims data
for a given patient or patients. Rather, we proposed to require
qualified entities to provide, with appropriate privacy and security
protections, only the claims relevant to the particular measure or
measure results being appealed. Therefore, for example, a provider or
supplier requesting claims data in relation to a diabetes quality
measure would only receive the claims related to the calculation of
that quality measure. We realize this may result in providers or
suppliers receiving data related to claims submitted by another
provider or supplier. We solicited comment on any privacy or security
issues related to release of data to providers or suppliers.
Comment: We received several comments concerning the privacy and
security of the data released to providers and suppliers. One commenter
suggested we clarify exactly what data can be requested from the
qualified entity. And, as stated above, comments included the
suggestion that CMS require non-covered entities (that is, the small
fraction of providers who do not submit claims electronically, and are
therefore not subject to HIPAA) to enter into business associate
agreements with CMS, pursuant to HIPAA.
Response: Regarding the request for clarification about what data
can be released, we stated in the preamble to the proposed rule (at 76
FR 33577), that we believe that for many providers and suppliers, the
beneficiary name may be of more practical use in determining the
accuracy of the measure results than the underlying claims used to
calculate the measures. However, the statute does explicitly
acknowledge that upon request qualified entities would need to share
with providers or suppliers ``data made available under this
subsection.'' We would like to reiterate that we do not interpret this
provision to mean that providers or suppliers could receive all
Medicare claims data for a given patient or patients. Rather, we
interpret this to mean that, at the request of providers or suppliers,
qualified entities will provide only claims and/or beneficiary names
relevant to the particular measure or measure results that the provider
or supplier is appealing.
Since we made a technical change in the regulation text and removed
the reference to section 1874(e) from the definition of a qualified
entity (as noted above in Section II.A.1.), we have added the
requirement that qualified entities release Medicare claims to
providers and suppliers to the regulation text. We have added a
requirement in Sec. 401.717(c) that qualified entities, at the request
of a provider or supplier and with appropriate privacy and security
protections, release the Medicare claims and/or beneficiary names to
the provider or supplier, but we require qualified entities to only
release those claims and/or beneficiary names relevant to the measure
or measure results being appealed.
As stated above, we acknowledge that the providers and suppliers
who request data may or may not be covered entities under HIPAA. Also,
as noted above, a BA is limited to a person or an entity using or
disclosing individually identifiable health information on behalf of a
HIPAA covered entity. The qualified entity and providers and suppliers
in the qualified entity program are not going to be doing anything on
behalf of CMS or the Medicare program. They therefore cannot be BAs of
CMS by virtue of the qualified entity program.
3. Beneficiary Privacy and Security
Following provision of the performance reports on a confidential
basis to providers or suppliers, qualified entities are required to
make performance information public. In accordance with the statute, we
proposed to require that qualified entities ensure that all publicly
available reports do not contain beneficiary identifiable information.
Additionally, we proposed to prohibit qualified entities from
disclosing information in their publicly available reports that there
is a reasonable basis to believe can be used in combination with other
publicly available information to re-identify individual patients.
Comment: One commenter suggested we allow beneficiaries to opt-out
of having their data released under this program.
Response: We do not have the statutory authority to permit
beneficiaries to opt out of this program. However, we also note that
the intent of this program is to increase transparency and promote
innovation in measure development which we believe will contribute
significantly to improving beneficiary care in the long run. As
mentioned above, we also believe the final rule contains appropriate
beneficiary privacy protections and penalties for any misuse of the
data by qualified entities.
E. Confidential Opportunities To Review, Appeal, and Correct Errors
One important aspect of this program is ensuring that providers and
suppliers are afforded an opportunity to correct errors in the
reporting of their performance metrics. To meet the requirements in the
statute related to appeal and error correction, we proposed to require
applicants to include a plan for their report review, appeals, and
error correction process in their application. This plan would contain
several elements, including the means for sharing results
confidentially and the means by which a provider or supplier can
request and receive Medicare claims data. We proposed that qualified
entities would need to confidentially share measure results with
providers and suppliers at least 30 days prior to making the reports
public. We also proposed that qualified entities must inform providers
and suppliers
[[Page 76557]]
that the report would be made public on a certain date (at least 30
days after confidentially sharing the measure results), regardless of
the status of error correction.
Comment: We received several comments on the overall review,
appeals, and error correction process. Some commenters asked CMS to
standardize the process across qualified entities. On the other hand,
one commenter argued that if CMS both approves and audits the claims
and the qualified entity process for creating the reports, review by
providers and suppliers is unnecessary. Another commenter asked CMS to
require qualified entities to automatically provide the beneficiary
names to providers and suppliers. Several commenters asked CMS to
require qualified entities to announce publically on a Web site
supported by HHS or in notifications to major organizations that
represent providers and suppliers that have been evaluated by the
qualified entity, the availability of reports for confidential review.
Finally, several commenters suggested allowing qualified entities to
require that a provider or supplier document and authenticate their
identity and, if requesting data, their legal right to see the data, as
well as provide a secure communication process for transmission of
requested information.
Response: We believe an important aspect of the qualified entity
program is innovation, not only in the development of measures, but
also in the process for sharing measure results with physicians, as
well as the process for responding to requests for data and for error
correction. To reiterate, this is not a Medicare quality measurement
program--we are merely a data source for those who meet the
requirements laid out in this subpart. Qualified entities design their
programs within the statutory and regulatory limits, including crafting
their own confidential review, appeals, and error correction processes.
This will result in innovations that will improve the way providers and
suppliers receive reports and interact with the qualified entity. The
statute is clear in the requirement that qualified entities develop a
confidential review, appeals, and error correction process, so we do
not agree that this is an unnecessary part of the qualified entity
program. Furthermore, while we understand the interest in obtaining
beneficiary names automatically, protecting the privacy and security of
beneficiary identifiable information is required by the statute, as
well as being of the utmost importance to CMS. We feel that releasing
beneficiary names only at the request of a provider or supplier and
only for the measure or measure results being appealed strikes the
appropriate balance between protecting beneficiary privacy and allowing
providers and suppliers the opportunity to provide input on their
reports.
The statute requires that qualified entities make reports available
to providers and suppliers prior to the public release of reports.
Since each provider or supplier will confidentially receive any report
where they are identified, we see no need for qualified entities to
announce publically the availability of reports. Additionally, we
acknowledge the importance of ensuring the data is securely transmitted
to the correct provider or supplier. However, we believe that it is the
responsibility of the qualified entity to ensure that the data is
delivered using a secure method to the appropriate provider or supplier
and require applicants to describe their means of confidentially
sharing reports with providers and suppliers as part of their
application.
Comment: Many commenters argued that the proposed time period
between providers and suppliers confidentially receiving reports and
the qualified entity publically reporting results is too short.
Commenters suggested a time period of 60 or 90 days.
Response: We recognize, in light of the comments, that our proposal
may not have allowed providers and suppliers an appropriate amount of
time to review their confidential reports. However, we also recognize
the importance of ensuring that report results are released to the
public in a timely manner. Therefore, qualified entities must share
measures, measurement methodology, and measure results with providers
and suppliers at least 60 calendar days prior to making the measure
results public. Beginning on the date on which the qualified entity
sends the confidential reports to a provider or supplier, that provider
and supplier will have a minimum of 60 calendar days to review the
reports, make a request for the data, review the data, and, if
necessary, make a request for error correction. Qualified entities also
must inform providers and suppliers of the date the reports would be
made public at least 60 calendar days before making the reports public.
Additionally, the qualified entity must publically release reports on
the specified date regardless of the status of any requests for error
correction. We recognize that this process allows providers and
suppliers to make a request for the data or a request for error
correction up to the point the reports are made public; however, we
believe that it is up to the qualified entity and provider or supplier
to manage the timing of this process to ensure that they have adequate
time to request the data and, if necessary, request error
correction(s).
Comment: We received several comments on our proposal that
qualified entities publish reports on a certain date, regardless of the
status of requests for appeals or error correction. Several commenters
requested that CMS not allow qualified entities to publish measure
results until the request for error correction is resolved. Other
commenters recommended that we create a two-step track where if a
request cannot be resolved between the qualified entity and a provider
or supplier, the request is elevated to CMS for a final decision.
Furthermore, some commenters wanted CMS to require qualified entities
to publish provider or supplier comments in the report if a request is
not resolved at the time of report publication. One commenter requested
that CMS allow providers or suppliers to publicly defend themselves if
reports are published prior to resolving error correction requests. We
also received a comment suggesting CMS allow providers or suppliers to
appeal after reports are made public. Finally, one commenter asked CMS
to ensure that qualified entities have the appropriate amount of staff
to respond to appeals.
Response: We acknowledge the interest of providers and suppliers in
ensuring that any measure results reported publicly are correct.
However, as we mentioned in the proposed rule, we included this
requirement to prevent providers or suppliers from making spurious
requests for error correction to prevent the publication of measure
results. We will maintain our requirement that qualified entities
publicly report measure results on the date specified to the provider
or supplier when the report is sent for review (at least 60 days after
the date on which the confidential reports are sent to a provider or
supplier), regardless of the status of a request for error correction.
We hope that by extending the amount of time between confidentially
sharing reports with providers and suppliers and publically reporting
results to at least 60 calendar days, we are allowing both providers
and suppliers ample opportunity to resolve the appeals process. If an
appeal request is still outstanding at the time of public reporting, we
will maintain the requirement that qualified entities post publicly the
name and category of the appeal request for providers or suppliers
[[Page 76558]]
with outstanding requests for error correction, if feasible, but do not
believe that qualified entities should be required to publicly post
comments from providers or suppliers.
Additionally, since this program does not involve CMS contracting
with qualified entities to carry out a quality measurement program on
behalf of CMS, we do not believe it is appropriate for CMS to become
involved in the appeals and error correction process or to offer a
public forum for providers or suppliers to defend themselves. We
recognize the concern about ensuring that a qualified entity has the
appropriate staff to respond to requests for error correction. However,
we are certain that the rigorous application process will guarantee
that only qualified organizations receive Medicare claims data.
Additionally, we will be monitoring qualified entities to determine if
they are promptly responding to requests for data and requests for
error correction.
In the proposed rule, we acknowledged that CMS does not have the
statutory authority to require qualified entities to share their claims
data from other sources. We encouraged qualified entities to share this
data with providers or suppliers upon request.
Comment: We received multiple comments asking CMS to require
qualified entities to release their non-Medicare claims data to
providers or suppliers upon request. Some commenters requested that CMS
only approve entities who agreed to release their other claims data.
Response: We do not have the statutory authority to require
qualified entities to release their non-Medicare data. We hope that
qualified entities will choose to do so whenever it is legally
permitted, but are aware that their ability to release other claims
data is partially dependent on the terms of the arrangement the
qualified entity has with the entity from whom they received the data.
Comment: Commenters suggested we implement 2012 as a ``test year''
for the program and allow qualified entities to only produce
confidential performance reports without any public reporting.
Response: We do not have the statutory authority to implement a
``test year'' for this program. The statutory effective date of this
provision is January 1, 2012, and all requirements under the law are
applicable on that date.
F. Monitoring, Oversight, Sanctioning, and Termination
To ensure that qualified entities adhere to the highest standards,
we proposed a monitoring program that would assess compliance with the
requirements of the program and assess sanctions or termination as
deemed appropriate by CMS. We proposed that CMS, or one of its
designated contractors, would periodically audit (including site
visits) qualified entities for their use of the Medicare data to ensure
that the data is only being used for its intended purpose. We also
proposed to monitor the amount of claims data from other sources the
qualified entity is using in the production of performance reports
using documentation produced by the qualified entity or, at the
discretion of CMS, site visits. Additionally, we proposed to use
analysis of beneficiary and/or provider complaints to monitor and
assess the performance of qualified entities. We also proposed to
require qualified entities to submit an annual report covering program
adherence (for example, number of claims, market share, number of
measures) and engagement of providers and suppliers (for example,
requests for data, number of corrections, time to respond to requests
for appeal or error correction). Finally, we proposed requiring
qualified entities to submit to CMS information regarding any
inappropriate disclosures or uses of beneficiary identifiable data
pursuant to the requirements in the DUA.
Comment: We received many comments supporting our monitoring
program. Some commenters specifically supported the requirement that
qualified entities submit a report covering the engagement of providers
and suppliers. One commenter asked CMS to ensure that there is
appropriate funding for CMS to conduct the necessary qualified entity
monitoring activities.
Response: We would like to reiterate our commitment to ensuring the
successful implementation of this program and that all qualified
entities adhere to the highest standards, which includes ensuring that
we have the necessary funding to support a monitoring program.
Comment: Some commenters made suggestions about specific aspects of
the monitoring plan. One commenter suggested that qualified entities
only submit reports on program adherence and engagement of providers
and suppliers once every two years. Additionally, several commenters
requested CMS not include site visits as a part of monitoring because
it is too burdensome.
Response: We plan to maintain our proposed monitoring process and
note that, in the cases where a qualified entity is composed of a lead
entity and contractors, contractors will also be subject to CMS
monitoring. We believe that annual reports and site visits are
essential to allow CMS to best monitor the program and to both maximize
the appropriate use of Medicare data for the production of performance
reports and minimize the risk of inappropriate disclosure of
beneficiary information.
We proposed that a qualified entity must immediately inform CMS if
its amount of claims data from other sources decreases. We also
proposed to require that the qualified entity provide documentation
that the remaining non-Medicare claims data is still sufficient to
address methodological concerns regarding sample size and reliability
expressed by stakeholders regarding the calculation of performance
measures from a single source. As reflected at Sec. 401.706(c) of the
proposed rule, the qualified entity would no longer be able to issue a
report, use a measure, or share a report after the amount of claims
data from other sources decreases until CMS made an assessment as to
the sufficiency of the remaining data. If CMS determined that the
qualified entity's remaining claims data was not sufficient, we
proposed that the qualified entity would have 60 days to acquire new
data and submit new documentation to CMS. The qualified entity would
not be able to use Medicare data to issue reports, use measures, share
measures, or share a report during this time. If after re-submission of
documentation, CMS determined the qualified entity still did not
possess adequate data, we proposed to terminate the relationship with
the qualified entity. If after resubmission of documentation, CMS
determined that the qualified entity did possess sufficient data, we
proposed the qualified entity could resume all measurement and
reporting activities.
Comment: Commenters requested two changes to our proposed process
for addressing a decrease in the amount of other claims data. First,
several commenters suggested that qualified entities only be required
to stop measurement and reporting if the decrease in other claims data
is significant. Second, commenters requested more time for qualified
entities to acquire new data.
Response: While we recognize the interest in continuing measurement
efforts during this review process, we believe it is important for CMS
to make the determination as to whether the remaining claims data is
adequate to ensure that the methodological concerns regarding sample
size and reliability expressed by stakeholders regarding
[[Page 76559]]
calculation of performance measures from a single payer source. To
ensure that the decrease does not materially affect the validity of
measure results, we will maintain our proposal to require qualified
entities to stop all activities while CMS reviews the documentation
related to the decrease in other claims data; after the amount of
claims data from other sources decreases, the qualified entity would no
longer be able to create a report, use a measure, or share a report
(either confidentially or publically) using Medicare data until CMS
determines either that the remaining claims data is sufficient, or that
the qualified entity has collected adequate additional data to address
any deficiencies. That said, we recognize the request to extend the
amount of time a qualified entity has to acquire new data, so we will
extend this timeframe to 120 days.
We also proposed that if a qualified entity is not adhering to the
requirements of the program, CMS may take several enforcement actions,
such as providing a warning notice, requesting a corrective action
plan, placing an entity on a special monitoring plan, or terminating
the qualified entity. These enforcement actions are in addition to the
actions CMS may take if a qualified entity violates the DUA, as
discussed in more detail above in section II.D.1. The choice of
enforcement action would depend on the seriousness of the deficiency.
Any time a qualified entity is voluntarily or involuntarily terminated,
we proposed requiring the destruction or return of Medicare data within
30 days.
Comment: We received some comments stating that the proposed
penalties are not strict enough. Additionally, one commenter requested
that CMS provide for termination for inaccurate reporting or for
failing to make timely corrections upon providers' or suppliers'
request.
Response: We are limited by the statute in the penalties we can
impose on qualified entities who do not comply with the requirements of
the program. We note, however, that CMS does have additional
enforcement capabilities for violations of the DUA, including criminal
penalties. As CMS will require the lead entity, as well as any
contractors who have access to the Medicare claims data or beneficiary
identifiable data, to sign the DUA before CMS releases any data, these
penalties will apply to all organizations with access to the Medicare
data.
While CMS reserves the right to terminate a qualified entity for
inaccurate reporting, we believe that there are degrees of seriousness
in inaccurate reporting, and some situations may not warrant
termination, particularly if the inaccuracy was unintentional, CMS was
promptly identified, and the inaccuracy was promptly resolved. We will
therefore maintain our proposal to base our actions on the seriousness
of the deficiency.
Comment: Several commenters requested clarification on how long
qualified entities would be able to keep the Medicare data that they
receive under this program. One commenter suggested placing an outer
limit on retention of files.
Response: After carefully considering the beneficiary privacy and
security implications of our policy, we do not believe that qualified
entities must destroy or return Medicare data (including crosswalks)
provided under the qualified entity program unless they voluntarily
leave or are involuntarily terminated from the program. Qualified
entities will need to retain the Medicare data, with appropriate
privacy and security protections, in order to trend measure results
over time or to calculate measures that require a number of years of
data for measure calculation. We understand that this will mean that
qualified entities will also retain beneficiary identifiable data
(including that found in the crosswalks), but we believe that this
information will also be necessary to calculate measures that require a
number of years of claims data. We feel it is important to note that a
beneficiary's encrypted identifier will not change from year to year,
so unless a beneficiary dies or moves out of the geographic region, the
qualified entity will continue to need the crosswalk linking the
encrypted ID to the beneficiary HICN and name to carry out the
activities outlined above in our crosswalk discussion. We have
carefully considered the beneficiary privacy and security implications
of our policy, and note that the DUA remains in effect so long as the
qualified entity participates in the program. Furthermore, the
monitoring requirements described herein, as well as the requirement
that qualified entities reapply every three years as described below in
section II.G., should assist in ensuring that this data remains secure
and private. We would like to reiterate, however, that once an entity
voluntarily leaves or is involuntarily terminated from the program it
must destroy or return all CMS data provided under this subsection
within 30 days.
G. Qualified Entity Application Content
We proposed to develop an application process for organizations
interested in becoming qualified entities in which they would provide
certain specified information. We proposed applications and related
materials would be collected and reviewed once a year, at the close of
the first quarter of the calendar year. We proposed approval periods of
three years, followed by an opportunity to reapply.
Comment: We received comments containing suggestions for how CMS
could improve the application content and process. Specifically, one
commenter suggested using a standard electronic application.
Additionally, a commenter suggested that CMS accept applications on a
rolling basis. Another commenter preferred that CMS not require re-
application after three years.
Response: CMS appreciates and acknowledges the benefits of
accepting qualified entity applications on a rolling basis instead of
once annually. This would allow organizations to apply to be a
qualified entity as soon as they believe they meet all the eligibility
requirements, instead of requiring the organization to wait a year
until the next application cycle. We are therefore changing to a
rolling application process. We will also use an electronic
application.
While we understand the burdens that re-application will impose, we
also need to ensure that Medicare data are being used appropriately and
handled securely. While we believe the monitoring program described
above will help ensure qualified entities continue to meet the
requirements of the program, the application process covers
significantly more aspects of an organization's continuing ability to
serve as a qualified entity. Therefore, CMS believes that requiring re-
application every three years balances the burden on qualified entities
with the need to ensure Medicare data is being handled appropriately.
H. Other Comments
We received several additional suggestions for improvements to the
program regarding topics that were not specifically discussed in the
preamble to the proposed rule.
Comment: A few commenters advised that CMS require knowledge
sharing among qualified entities, rather than merely suggesting it.
Response: CMS agrees with commenters that performance improvement
will occur most rapidly in an open collaborative environment where
ideas and knowledge are shared
[[Page 76560]]
freely and openly. CMS will strongly encourage and facilitate, where
possible, collaborative knowledge sharing, but will not require it as a
condition of program participation.
Comment: Several commenters expressed concern about CMS conducting
performance analysis of providers and suppliers. Commenters also
expressed concern about performance measurement generally, and had
specific concerns about performance measurement based solely on claims
data.
Response: This program is not a CMS measurement program and,
therefore, CMS will not be conducting performance analysis of providers
and suppliers in this program. Rather qualified entities will combine
Medicare claims data supplied by CMS with other claims data to
calculate performance measures for providers and suppliers. We
recognize commenters' concerns about the limitations of performance
measurement based on claims data alone. Therefore, as discussed above
in section II.B.1, we will allow qualified entities to use measures
that incorporate clinical data, as long as the measure can be
calculated in part from Medicare and other claims data.
Comment: Commenters suggested CMS should undertake a public
education and outreach program to inform consumers about the qualified
entity program and explain the limitations of provider and supplier
performance measurement.
Response: We agree that CMS should inform consumers about the
qualified entity program. We also believe it is essential for CMS to be
transparent to beneficiaries and the general public about our plans for
sharing identifiable information, with appropriate privacy and security
protections, with qualified entities. CMS will publish educational
materials on the CMS Web site regarding the qualified entity program,
including a description of the beneficiary information that is being
shared with qualified entities and an explanation of the privacy and
security requirements, as well as the qualified entity monitoring
program and termination policies.
We also hope that qualified entities will engage in public
education and outreach in the communities where they serve. However, we
are not requiring qualified entities to do public outreach beyond
making the performance reports, with an understandable description of
the measures, available to the public after confidential review by
providers and suppliers.
Comment: One commenter requested that we clarify how performance
measurement information will be published.
Response: The statute requires that qualified entities allow
confidential review of the reports, that they be provided to the
public, and that the reports contain understandable descriptions of the
methodologies used. Qualified entities must receive approval of report
formats before they can be published, but each qualified entity has the
discretion to design reports and publish using the approved formats.
Comment: One commenter suggested that CMS make available the full
data set at no charge to recognized provider organizations such as the
American Medical Association and allow providers and suppliers to
analyze their data there.
Response: The statute does not permit CMS to release the data to
any entity other than those approved as qualified entities. However, as
stated in the preamble to the proposed rule, we are not placing any
restrictions on the types of organizations that can apply to be a
qualified entity. If a recognized provider organization meets the
eligibility criteria, it can become a qualified entity and receive
Medicare data. Additionally, the statute does not permit CMS to release
data at no charge. Section 1874(e)(4)(A) states that the data ``shall
be made available * * * at a fee equal to the cost of making such data
available.'' That said, as discussed in section II.C.3. above, we have
revised our method for pricing this data and we believe the data will
be significantly more affordable than originally proposed.
Comment: One commenter requested that CMS clarify that the data
released to qualified entities will not be subject to discovery or
admissible as evidence in judicial or administrative proceedings.
Response: The statute, at 1874(e)(4)(D), explicitly states,
``[d]ata released to a qualified entity under this subsection shall not
be subject to discovery or admission as evidence in judicial or
administrative proceedings without consent of the applicable provider
of services or supplier.'' We acknowledge that we did not address this
specific statement in the preamble to the proposed rule, but we believe
this statement is self-implementing in that it requires no further
explanation, and the data will not be subject to discovery or admission
as evidence absent the described consent(s).
Comment: One commenter asked CMS to clarify that these regulations
have no effect on any other programs in which Medicare claims data are
released. A second commenter requested that we ensure the program can
accommodate the transition to ICD-10.
Response: We clarify that this program will not have any effect on
other CMS programs in which Medicare claims data are released. CMS is
working to ensure that the transition to ICD-10 happens smoothly.
Comment: One commenter requested that CMS only allow measurement
and rating of providers and suppliers in situations where CMS pays for
the item or services.
Response: Medicare only pays claims for covered services and
supplies; if a service or supply is not covered, a claim will not
appear in the Medicare data. While a qualified entity could decide to
produce a measurement report based solely on its other claims data,
such reporting would be outside of the qualified entity program and the
reports would be outside of the reach of these regulations.
III. Provisions of the Final Regulations
For the most part, this final rule incorporates the provisions of
the proposed rule. Those provisions of this final rule that differ from
the proposed rule are as follows:
We have made technical changes to the definition of a
qualified entity, provider, and supplier to reflect regulatory
interpretation of the statutory provisions cited in the proposed rule.
We have also added a definition of claims data from other sources at
Sec. 401.703(h) and a definition of clinical data at Sec. 401.703(i).
We clarify that qualified entities do not need to be a
single organization. Applicants may contract with others to achieve the
ability to meet the eligibility criteria. Specifically, at Sec.
401.705(b) we allow entities to demonstrate expertise and experience
through activities it has conducted directly or through (a) contract(s)
with other public or private entities.
We changed our eligibility requirements at Sec.
401.705(a)(1) to only require that entities demonstrate expertise in
quality measurement and in the other three areas of measurement
(efficiency, effectiveness, and resource use) to the extent that they
propose to use such measures.
At Sec. 401.705(a)(1)(ii) we clarify that we only expect
applicants to submit a plan for a business model that is projected to
cover the costs of performing the required functions. We realize that
qualified entities may need to adapt this plan once they are approved
and do not intend to limit an entity's ability to adapt or change its
[[Page 76561]]
business plan once approved as a qualified entity.
We added language at Sec. 401.705(a)(1)(vii) that would
require qualified entities to also disclose any violations of
applicable federal and State privacy and security laws and regulations
for the preceding 10-year period, in addition to requiring qualified
entities to disclose any inappropriate disclosures of beneficiary
identifiable information for the preceding 10-year period. We also
clarified that for those entities that have not been in existence for
10 years, we will require a breach history for the length of time the
organization has been in existence.
We have revised the selection criteria to allow applicants
to apply and receive a conditional acceptance as a qualified entity if
they do not have adequate claims data from other sources at the time of
their application, but meet all the other selection requirements.
Since standard measure specifications are available to the
public at this time, we removed the requirement that qualified entities
submit measure specifications for standard measures the qualified
entity plans to calculate.
We clarified that these regulations do not place any added
limitations on the qualified entity's ability to copyright the content
of the publicly released reports. We noted, however that the qualified
entity must provide confidential reports to the subject providers and
suppliers free of charge and must provide the final reports to the
public free of change in a manner consistent with the requirements in
the qualified entity program statute.
At Sec. 401.711(a) we allow qualified entities to change
their list of proposed measures, proposed prototype report, and plans
for sharing reports with the public with 30 days notice to CMS, instead
of 90 days notice to CMS. We provide for a possible 30-day extension of
the review period where necessary. If a CMS decision on approval or
disapproval for a change or modification is not forthcoming within 30
days or CMS does not request an additional 30 days for review, the
change or modification shall be deemed to be approved.
We will allow qualified entities to use standard and
alternative measures calculated in full or in part from Medicare Parts
A and B claims, and Part D prescription drug event data and claims from
other sources. This means that qualified entities will be allowed to
calculate measures that include clinical data. As noted above, we have
added a definition of clinical data at Sec. 401.703(i).
We have added measures endorsed by a CMS-approved
consensus-based entity to the list of standard measures. CMS will
approve organizations as consensus-based entities based on review of
documentation of the consensus-based entity's measure approval process.
We have added a second process by which qualified entities
may seek approval to use alternative measures. Organizations and
individuals will still be able to submit alternative measures for
approval through the notice and comment rulemaking process. However, at
Sec. 401.715(b)(1)(ii), we also allow an entity to submit measures for
approval by the Secretary by submitting: (1) A description of the
process by which the qualified entity notified stakeholders (defined as
a valid cross representation of providers, suppliers, employers,
payers, and consumers) in the geographic region the qualified entity
serves of its intent to seek approval of an alternative measures; (2) a
list of stakeholders from whom feedback was solicited, including the
stakeholder names and each stakeholder's role in the community; (3) a
description of the discussion about the proposed alternative measure,
including a summary of all pertinent arguments for and against the
measure; and (4) unless CMS has already approved the same measure for
use by another qualified entity, an explanation backed by scientific
evidence that demonstrates why the measure meets the requirements for
alternative measures at Section 1874(e)(4)(B)(i)(II) of the Act. If a
qualified entity is seeking to use an alternative measure that CMS has
already approved for use by another qualified entity, the qualified
entity submitting the measure for approval must submit any additional
or new scientific evidence, if it is available. If a CMS decision on
approval or disapproval of measures submitted via the process at
401.715(b)(1)(ii) is not forthcoming 60 days after the submission of
the measure, the measure will be deemed approved. However, CMS retains
the right, even after 60 days, to direct the qualified entity to stop
using the measure if we subsequently find the measure does not meet the
requirements at Section 1874(e)(4)(B)(i)(II) of the Act.
We have identified efficiencies that will reduce the cost
of Medicare claims data under the qualified entity program, and we have
altered the dates of data that will be made available through this
program, thereby increasing the timeliness of that data.
We will allow qualified entities to purchase a 5 percent
national sample of Medicare claims data for the purpose of calculating
national benchmarks.
Using appropriate privacy and security protections, we
will provide qualified entities (that sign the DUA and meet all the
privacy and security requirements) with a crosswalk file linking
encrypted beneficiary ID to the beneficiary name and beneficiary Health
Insurance Claim Number.
At Sec. 401.717(a), we extended the time period between a
qualified entity sending a confidential report to a provider or
supplier and public reporting of measure results to at least 60
calendar days.
We will allow qualified entities 120 days to acquire new
data if the amount of other claims data they have decreases and CMS
determines the remaining amount of other claims data is not sufficient.
We changed our application process and will accept
applications on a rolling basis as discussed at Sec. 401.709(a).
IV. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995, we are required to
provide 30-day notice in the Federal Register and solicit public
comment before a collection of information requirement is submitted to
the Office of Management and Budget (OMB) for review and approval. In
order to fairly evaluate whether an information collection should be
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act
of 1995 requires that we solicit comment on the following issues:
The need for the information collection and its usefulness
in carrying out the proper functions of our agency.
The accuracy of our estimate of the information collection
burden.
The quality, utility, and clarity of the information to be
collected.
Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
We are soliciting public comment on each of these issues for the
following sections of this document that contain information collection
requirements (ICRs).
If finalized, these regulations would require an organization
seeking to receive data as a qualified entity to submit an application.
Specifically, an applicant must submit the information listed in
Sec. Sec. 401.705-401.709. The burden associated with this requirement
is the time and effort necessary to gather, process, and submit the
required information to CMS. We estimate that 35 organizations would
submit applications to receive data as qualified
[[Page 76562]]
entities. We further estimate that it would take each applicant 500
hours to gather, process and submit the required information. The total
estimated burden associated with this requirement is 500 hours per
applicant at an estimated cost of $795,641.
Section 401.713(a) states that as part of the application review
and approval process, a qualified entity would be required to execute a
Data Use Agreement (DUA) with CMS, that among other things, reaffirms
the statutory bar on the use of Medicare data for purposes other than
those referenced above. The burden associated with executing this DUA
is currently approved under OMB control number 0938-0734.
Section 401.709(f) would require qualified entities in good
standing to re-apply for qualified entity status 6 months before the
end of their three-year approval period. We estimate that 25 entities
would be required to comply with this requirement. We estimate that it
would take 120 hours to reapply to CMS. The total estimated burden
associated with this requirement is 120 hours at an estimated cost of
$136,396.
Section 410.719(b) requires qualified entities to submit annual
reports to CMS as part of CMS' ongoing monitoring of qualified entity
activities. We estimate that the 25 entities in the program will be
required to comply with this requirement. We estimate that it will take
150 hours to complete an annual monitoring report. The total estimated
burden associated with this requirement is 150 hours at $170,475.
Table 1--Estimated Annual Recordkeeping and Reporting Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hourly
Burden per Total labor cost Total labor Total
Regulation section(s) OMB control No. Respondents Responses response annual of cost of capital/ Total cost
(hours) burden reporting reporting maintenance ($)
(hours) ($) ($) * costs ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec. 401.705(a)............. 0938-New....... 35 35 500 17,500 ** 795,641 0 795,641
Sec. 401.709(f)............. 0938-New....... 25 25 120 3,000 ** 136,396 0 136,396
Sec. 401.719(b)............. 0938-New....... 25 25 150 3,750 ** 170,475 0 170,475
-------------------------------------------------------------------------------------------------------------------------
Total..................... ............... 35 35 ........... 24,250 ........... ........... ........... 1,102,512
--------------------------------------------------------------------------------------------------------------------------------------------------------
* Total labor cost assuming 92% of total hours are professional and technical and 8% are legal.
** Wage rates vary by level of staff involved in complying with the information collection request (ICR).
To obtain copies of the supporting statement and any related forms
for the proposed paperwork collections referenced above, access CMS'
Web site at http://www.cms.gov/PaperworkReductionActof1995/PRAL/list.asp#TopOfPage or email your request, including your address, phone
number, OMB number, and CMS document identifier, to
Paperwork@cms.hhs.gov, or call the Reports Clearance Office at 410-786-
1326.
If you comment on these information collection and recordkeeping
requirements, please submit your comments to the Office of Information
and Regulatory Affairs, Office of Management and Budget,
Attention: CMS Desk Officer, CMS-5059-F.
Fax: (202) 395-6974; or
Email: OIRA_submission@omb.eop.gov.
V. Regulatory Impact Analysis
A. Response to Comments
We received several comments on the anticipated effects of the
program.
Comment: Several commenters argued that the cost of the data is too
high. As stated above, these commenters often recommended CMS remove
the data application costs or provide a sliding scale fee for the data,
charging non-profits and government organizations a lower fee.
Response: While we do not feel we were being too broad in our
interpretation of the statute, we recognize commenters' concerns and,
as discussed above, have removed the program management costs from the
fee we will charge for the data. As further addressed above, we have
also identified several efficiencies in the creation of the data files
which will further lower the cost of the data. However, we would like
to reiterate that these estimates are based on a qualified entity
program with 25 approved qualified entities. The cost of the data will
increase if fewer organizations are approved as qualified entities and
decrease if more organizations are approved as qualified entities
because the fixed costs of providing the data would be spread across
the total number of qualified entities.
Comment: We received a handful of comments stating that the
application process for qualified entities is too burdensome.
Response: As discussed above, we believe ensuring that
organizations approved as qualified entities are experienced in
performance measurement and reporting and have the necessary plans to
serve as a qualified entity is essential for the success of the
qualified entity program. Thus, we do not believe the application is
too burdensome.
Comment: We received several comments on the impact on providers
and suppliers. A number of commenters stated that the number of hours
estimated for a provider or supplier to review performance reports or
submit correction requests is too low. Many commenters also argued that
the hourly wage rate for physicians' offices is too low. Finally, a
number of comments suggested that providers and suppliers might hire
contractors to help with reviewing draft reports and requesting
corrections.
Response: While we understand that some providers and suppliers may
spend many hours reviewing reports and submitting correction requests,
we believe 5 hours reviewing reports is appropriate as an average. For
example, some providers and suppliers will spend less than an hour
reviewing their reports, but others may spend 10 hours. The same
situation applies for error correction requests. Some providers and
suppliers may only have concerns about one measure, and after seeing
the data may realize that their concerns were unfounded. However,
others may engage in a longer discourse with the qualified entity. On
average, we believe that providers and suppliers will spend
approximately 10 hours preparing and submitting error correction
requests. We do recognize that some providers and suppliers may choose
to hire contractors to assist in preparing and submitting a correction
request and have added this to the impact on providers and suppliers
discussed below.
Additionally, while we understand physicians' hourly wage exceeds
$30.90, we believe physicians are not the only ones in their offices
who will be reviewing the performance reports and
[[Page 76563]]
submitting correction requests. Some of this work may be done by other
physician office staff such as administrative staff, nurses, physician
assistants, and case workers. Therefore, we believe our average hourly
wage rate is appropriate to calculate the impact of this program on
providers and suppliers. Changes described in our response are
reflected in the remainder of the Regulatory Impact Analysis.
B. Overall Impact
We have examined the impacts of this rule as required by Executive
Order 12866 on Regulatory Planning and Review (September 30, 1993),
Executive Order 13563 on Improving Regulation and Regulatory Review
(January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19,
1980, Pub. L. 96-354), section 1102(b) of the Social Security Act,
section 202 of the Unfunded Mandates Reform Act of 1995 (March 22,
1995, Pub. L. 104-4), Executive Order 13132 on Federalism (August 4,
1999), and the Congressional Review Act (5 U.S.C. 804(2)).
Executive Orders 12866 and 13563 direct agencies to assess all
costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). Executive
Order 13563 emphasizes the importance of quantifying both cost and
benefits, reducing costs, harmonizing rules, and promoting flexibility.
A regulatory impact analysis (RIA) must be prepared for major rules
with economically significant effects ($100 million or more in any 1
year). This final rule is not economically significant as measured by
the $100 million threshold, and hence not a major rule under the
Congressional Review Act. We estimate the total impact of this final
rule to be approximately $86 million. We provided a detailed assessment
of the impacts associated with this final rule, as noted below.
The RFA requires agencies to analyze options for regulatory relief
of small businesses, if a rule has a significant impact on a
substantial number of small entities. We estimate that two types of
entities may be affected by the program established by section 1874(e)
of the Act: Organizations that desire to operate as qualified entities
and the providers and suppliers who receive performance reports from
qualified entities. We anticipate that most providers and suppliers
receiving qualified entities' performance reports would be hospitals
and physicians. Many hospitals and most other health care providers and
suppliers are small entities, either by being nonprofit organizations
or by meeting the Small Business Administration definition of a small
business (having revenues of less than $34.5 million in any 1 year)
(for details, see the Small Business Administration's Web site at
http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf (refer to the 620000 series). For purposes of the RFA,
physicians are considered small businesses if they generate revenues of
$10 million or less based on Small Business Administration size
standards. Approximately 95 percent of physicians are considered to be
small entities. We estimate that most hospitals and most other
providers are small entities as that term is used in the RFA (including
small businesses, nonprofit organizations, and small governmental
jurisdictions). However, because the total estimated impact would be
spread over a number of providers and suppliers, no one entity would
face a significant impact. Additionally, as CMS has reduced the cost of
the data for qualified entities, we do not anticipate that this rule
will have a significant impact on qualified entities. Therefore, the
Secretary has determined this final rule would not have a significant
impact on a substantial number of small entities. We have voluntarily
provided an analysis of the estimated impacts on qualified entities and
providers and suppliers below in section V.C., as well as alternatives
considered in section V.D.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis, if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. Any
such regulatory impact analysis must conform to the provisions of
section 604 of the RFA. For purposes of section 1102(b) of the Act, we
define a small rural hospital as a hospital that is located outside of
a metropolitan statistical area and has fewer than 100 beds. We do not
believe this final rule has impact on significant operations of a
substantial number of small rural hospitals because we anticipate that
most qualified entities would focus their performance evaluation
efforts on metropolitan areas where the majority of health services are
provided. Therefore, the Secretary has determined that this final rule
would not have a significant impact on the operations of a substantial
number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any 1 year of $100
million in 1995 dollars, updated annually for inflation. In 2011, that
threshold is approximately $136 million. This rule would not mandate
any requirements for State, local, or tribal governments in the
aggregate, or by the private sector, of $136 million. Specifically, as
explained below we anticipate the total impact of this final rule on
all parties to be approximately $86 million.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a final rule that imposes
substantial direct requirement costs on State and local governments,
preempts State law, or otherwise has Federalism implications. We have
examined this final rule in accordance with Executive Order 13132 and
have determined that this regulation would not have any substantial
direct effect on State or local governments, preempt States, or
otherwise have a Federalism implication.
C. Anticipated Effects
a. Impact on Qualified Entities
Because section 1874(e) of the Act establishes a new program, there
is little quantitative information available to inform our estimates.
However, we believe that many or most qualified entities are likely to
resemble community quality collaborative programs such as participants
in the CMS Better Quality Information for Medicare Beneficiaries pilot
(https://www.cms.gov/BQI/) and the AHRQ Chartered Value Exchange (CVE)
program (http://www.ahrq.gov/qual/value/lncveover.htm). Community
quality collaboratives are community-based organizations of multiple
stakeholders that work together to transform health care at the local
level by promoting quality and efficiency of care, and by measuring and
publishing quality information. Consequently, we have examined
available information related to those programs to inform our
assumptions, although there is only limited available data that is
directly applicable to this analysis.
We estimate that 35 organizations would submit applications to
participate as qualified entities. We anticipate that the majority of
applicants would be nonprofit organizations such as existing community
collaboratives. In estimating qualified entity impacts, we used hourly
labor costs in several labor categories reported by the Bureau of Labor
Statistics (BLS) at http://
[[Page 76564]]
data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual rates for
2010, an update from the proposed rule where we used rates from 2009,
and added 33 percent for overhead and fringe benefit costs. These rates
are displayed in Table 2.
Table 2--Labor Rates for Qualified Entity Impact Estimates
----------------------------------------------------------------------------------------------------------------
2010 hourly
wage rate OH and fringe Total hourly
(BLS) (33%) costs
----------------------------------------------------------------------------------------------------------------
Professional & technical services............................... $34.63 $11.43 $46.06
Legal review.................................................... 35.98 11.87 47.85
Custom computer programming..................................... 40.50 13.37 53.87
Data processing & hosting....................................... 31.57 10.42 41.99
Other information services...................................... 33.55 11.07 44.62
----------------------------------------------------------------------------------------------------------------
We estimate that preparation of an application would require a
total of 500 hours of effort, requiring a combination of staff in the
professional and technical services and the legal labor categories.
We estimate that 25 of these applicants would be approved as
participating qualified entities, and that each qualified entity would
request Medicare claims data accompanied by payment for these data.
Because of the eligibility criteria we are proposing for qualified
entities, we believe that it is likely that all of these organizations
would already be performing work related to calculation of quality
measures and production of performance reports for health care
providers and suppliers, so the impact of the program established by
section 1874(e) of the Act would be an opportunity to add Medicare
claims data to their existing function.
The statute directs that the fees for these data be equal to the
government's cost to make the data available. We are proposing to
initially provide ten quarters of data to qualified entities with
quarterly updates thereafter. Based on CMS past experience providing
Medicare data to research entities, we estimate that the total
approximate costs to provide ten quarters (CY 2009, CY 2010, and Q1-Q2
CY2011) of data for 2.5 million beneficiaries to a qualified entity
would be $24,000. Qualified entities would also get 2 quarterly
updates, each for a fee of $8,000, during the year, bringing the total
cost of data for the first year of the program to $40,000 as shown in
Table 3.
We estimate that, on average, each qualified entity's activity to
analyze the Medicare claims data, calculate performance measures and
produce provider and supplier performance reports would require 5,500
hours of effort. We estimate that half of the qualified entities (13)
would propose alternative performance measures, which would involve an
additional 2,100 hours of effort for each entity.
We further estimate that, on average, each qualified entity would
expend 5,000 hours of effort processing providers' and suppliers'
appeals of their performance reports and producing revised reports, and
2,000 hours making information about the performance measures publicly
available. These estimates assume that, as discussed below in the
section on provider and supplier impacts, on average 25 percent of
providers and suppliers would appeal their results from a qualified
entity. These assumptions are based on a belief that in the first year
of the program many providers or suppliers would want to appeal their
results prior to performance reports being made available to the
public. Responding to these appeals in an appropriate manner would
require a significant investment of time on the part of qualified
entities. This equates to an average of four hours per appeal for each
qualified entity. We assume that the complexity of appeals would vary
greatly, and as such, the time required to address them would also vary
greatly. Many appeals may be able to be dealt with in an hour or less
while some appeals may require multiple meetings between the qualified
entity and the affected provider or supplier. On average however, we
believe that this is a realistic and reasonable estimate of the burden
of the appeals process on qualified entities. We discuss the burden of
the appeals process on providers and suppliers below.
We anticipate that qualified entities would expend 2,000 hours of
effort developing their proposed performance report. These estimated
hours are separated into labor categories in Table 3 below, with the
pertinent hourly labor rates and cost totals.
Finally, we estimate that each qualified entity would spend 255
hours of effort submitting information to CMS for monitoring purposes.
This would include audits and site visits as discussed above. It would
also include an annual report that contains measures of general program
adherence, measures of the provider and suppliers data sharing, error
correction, and appeals process, and measures of the success of the
program with consumers. Finally, qualified entities would be required
to notify CMS of inappropriate disclosures or use of beneficiary
identifiable data pursuant to the requirements in the DUA. We believe
that many of the required data elements in both the annual report and
the report generated in response to an inappropriate disclosure or use
of beneficiary identifiable data would be generated as a matter of
course by the qualified entities and therefore, would not require
significant additional effort. Based on the assumptions we have
described, we estimate the total impact on qualified entities for the
first year of the program to be a cost of $45,504,048.
[[Page 76565]]
Table 3--Impact on Qualified Entities for the First Year of the Program
[Impact on qualified entities]
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hours
----------------------------------------------------------------
Activity Data Labor hourly Cost per Number of Total cost
Professional Legal Computer processing cost applicant applicants impact
and technical programming and hosting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
APPLICATION COSTS
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Preparation of application by candidate qualified entities
a. Prepare draft application.................................... 360 .............. .............. .............. $46.06 $16,582 .............. ..............
b. Legal review................................................. .............. 40 .............. .............. 47.85 1,914 .............. ..............
c. Revisions to draft application............................... 60 .............. .............. .............. 46.06 2,764 .............. ..............
d. Senior management review and signature....................... 40 .............. .............. .............. 46.06 1,842 .............. ..............
Total: application preparation.................................. 460 40 .............. .............. .............. 23,102 35 $808,556
Medicare data purchase costs by approved qualified entities..... .............. .............. .............. .............. .............. 40,000 25 1,000,000
-------------------------------------------------------------------------------------------------------------------------------
Total: Applications......................................... .............. .............. .............. .............. .............. .............. .............. 1,808,556
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QE OPERATIONS COSTS
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Database administration......................................... .............. .............. .............. 500 41.99 20,995 25 524,875
Data analysis/measure calculation/report preparation............ .............. .............. 2500 .............. 53.87 134,675 25 3,366,875
2500 41.99 104,975 25 2,624,375
Development and submission of alternative measures.............. 1000 .............. .............. .............. 46.06 46,060 13 598,780
100 1000 53.87 5,387 13 70,031
41.99 41,990 13 545,870
Qualified entity processing of provider or supplier appeals and 4000 .............. .............. .............. 46.06 184,240 25 4,606,000
report revision................................................ 1000 47.85 47,850 25 1,196,250
Development of proposed performance report formats.............. 1000 .............. .............. .............. 46.06 46,060 25 1,151,500
1000 53.87 53,870 25 1,346,750
Publication of performance reports.............................. .............. .............. 1000 .............. 53.87 53,870 25 1,346,750
1000 41.99 41,990 25 1,049,750
Monitoring...................................................... .............. .............. .............. 255 41.99 10,707 25 267,686
Computer hardware and processing................................ .............. .............. .............. .............. .............. 1,000,000 25 25,000,000
-------------------------------------------------------------------------------------------------------------------------------
Total: Operations........................................... .............. .............. .............. .............. .............. .............. .............. 43,695,492
-------------------------------------------------------------------------------------------------------------------------------
TOTAL QUALIFIED ENTITY IMPACTS (application plus .............. .............. .............. .............. .............. .............. .............. 45,504,048
operations)............................................
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
b. Impact on Health Care Providers and Suppliers
Table 4 reflects the hourly labor rates used in our estimate of the
impacts of the first year of section 1874(e) of the Act on health care
providers and suppliers, as well as the professional and technical
services of consultants. The rates in Table 4 are for 2010 and have
been updated from the proposed rule where we used rates for 2009. We
note that numerous health care payers, community quality
collaboratives, States, and other organizations are producing
performance measures for health care providers and suppliers using data
from other sources, and that providers and suppliers are already
receiving performance reports from these sources. We anticipate that
the Medicare claims data would merely be added to those existing
efforts to improve the statistical validity of the measure findings,
and therefore the impact of including Medicare claims data in these
existing performance reporting processes is likely to be marginal.
Additionally, while we acknowledge that reviewing and appealing the
reports will be a burden for providers and suppliers, we also note that
there are many benefits of this program for providers and suppliers, as
well as the Medicare program, consumers, and purchasers. As a result of
this program, providers and suppliers will likely receive one report
covering a majority of their patients, rather than a report from each
payer. Furthermore, the transparency of performance results will help
providers and suppliers improve quality and reduce costs.
[[Page 76566]]
Table 4--Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------------------------------
Overhead and
2010 hourly wage fringe benefits Total hourly
rate (BLS) (33%) costs
----------------------------------------------------------------------------------------------------------------
Labor Rates for Provider and Supplier Impact Estimates
----------------------------------------------------------------------------------------------------------------
Physicians' offices.................................... $32.24 $10.64 $42.88
Hospitals.............................................. 27.42 9.05 36.47
Professional and technical services.................... 34.63 11.43 46.06
----------------------------------------------------------------------------------------------------------------
We anticipate that the impacts on providers and suppliers consist
of costs to review the performance reports generated by qualified
entities and, if they choose, appeal their performance calculations.
Based on a review of available information from the Better Quality
Information and the Charter Value Exchange programs, we estimate that,
on average, each qualified entity would distribute performance reports
to 5,000 health providers and suppliers. We anticipate that the largest
proportion of providers and suppliers would be physicians because they
comprise the largest group of providers and suppliers, and are a
primary focus of many recent performance evaluation efforts. Based on
our review of information from these existing programs, we assume that
95 percent of the recipients of performance reports (that is, an
average of 4,750 per qualified entity) would be physicians, and 5
percent (that is, an average of 250 per qualified entity) would be
hospitals and other suppliers. Providers and suppliers receive these
reports with no obligation to review them, but we assume that most
would do so to verify that their calculated performance measures
reflect their actual patients and health events. We estimate that, on
average, each provider or supplier would devote five hours to reviewing
these reports. This average reflects that some providers and suppliers
will spend less than half an hour reviewing reports, while others may
spend 10 hours.
We estimate that 25 percent of the providers and suppliers would
decide to appeal their performance calculations, and that preparing the
appeal would involve an average of ten hours of effort on the part of a
provider or supplier. We assume that 50 percent of the providers and
suppliers who decide to appeal would hire consultants to assist with
the appeals process. As with our assumptions regarding the level of
effort required by qualified entities in operating the appeals process,
we believe that this average covers a range of provider and supplier
efforts from those who would need just one or two hours to clarify any
questions or concerns regarding their performance reports to those who
would devote significant time and resources to the appeals process.
Using the hourly costs displayed in Table 4, the impacts on
providers and suppliers are calculated below in Table 5. Based on the
assumptions we have described, we estimate the total impact on
providers and suppliers for the first year of the program to be a cost
of $40,458,400.
As stated above in Table 3, we estimate the total impact on
qualified entities to be a cost of $45,504,048. Therefore, the total
impact on qualified entities and on providers and suppliers for the
first year of the program is estimated to be $85,962,448.
Table 5--Impact on Providers and Suppliers for the First Year of the Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hours per provider Number of
---------------------------------------- providers Number of
Activity Professional Labor Cost per per qualified Total cost
Physician Hospitals and hourly cost applicant qualified entities impact
offices technical entity
--------------------------------------------------------------------------------------------------------------------------------------------------------
Impact on Providers and Suppliers
--------------------------------------------------------------------------------------------------------------------------------------------------------
Provider review of performance reports......... 5 ........... ............ $42.88 $214 4,750 25 $25,460,000
........... 5 ............ 36.47 182 250 25 1,139,688
Preparing and submitting appeal request to 10 ........... ............ 42.88 429 594 25 6,367,680
qualified entities............................
........... 10 ............ 36.47 365 31 25 282,643
........... ........... 10 46.06 461 626 25 7,208,390
--------------------------------------------------------------------------------------------------------
Total provider impacts..................... ........... ........... ............ ........... ........... ........... ........... 40,458,400
--------------------------------------------------------------------------------------------------------------------------------------------------------
D. Alternatives Considered
The statutory provisions that were added by section 1874(e) of the
Act are detailed and prescriptive about the eligibility for, and
requirements of the qualified entity program. Consequently, we believe
there are limited alternative approaches that would ensure program
success and statutory compliance. We considered proposing a less
comprehensive set of eligibility criteria for qualified entities (for
example, eliminating requirements that applicants demonstrate
capabilities related to calculation of measures, developing performance
reports, combining Medicare claims data with other claims, and data
privacy and security protection). While such an approach might have
reduced certain application and operating costs for these entities, we
did not adopt such an approach for several reasons. An important
consideration is the protection of beneficiary identifiable data. We
believe if we do not require qualified entities to provide sufficient
[[Page 76567]]
evidence of data privacy and security protection capabilities, there
would be increased risks related to the protection of beneficiary
identifiable data.
Additionally, we believe that requiring less stringent requirements
regarding the production and reporting of measures would lead to
increases in the number of provider and supplier appeals, and
consequently in appeals-related costs for providers, suppliers and
qualified entities. We expect that such a scenario would not support
the development of a cooperative relationship between qualified
entities and providers and suppliers.
E. Conclusion
As explained above, we estimate the total impact for the first year
of the program on qualified entities, providers and suppliers to be a
cost of $85,962,448. Based on these estimates, we conclude this final
rule does not reach the threshold for economically significant effects
and thus is not considered a major rule.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
List of Subjects in 42 CFR Part 401
Claims, Freedom of information, Health facilities, Medicare,
Privacy.
For the reasons set forth in the preamble, the Centers for Medicare
& Medicaid Services amends 42 CFR chapter IV as set forth below:
PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS
0
1. The authority citation for part 401 is revised to read as follows:
Authority: Secs. 1102, 1871, and 1874(e) of the Social Security
Act (42 U.S.C. 1302, 1395hh, and 1395w-5).
0
2. A new subpart G is added to part 401 to read as follows:
Subpart G--Availability of Medicare Data for Performance Measurement
Sec.
401.701 Purpose and scope.
401.703 Definitions.
401.705 Eligibility criteria for qualified entities.
401.707 Operating and governance requirements for qualified
entities.
401.709 The application process and requirements.
401.711 Updates to plans submitted as part of the application
process.
401.713 Ensuring the privacy and security of data.
401.715 Selection and use of performance measures.
401.717 Provider and supplier requests for error correction.
401.719 Monitoring and sanctioning of qualified entities.
401.721 Terminating an agreement with a qualified entity.
Subpart G--Availability of Medicare Data for Performance
Measurement
Sec. 401.701 Purpose and scope.
The regulations in this subpart implement section 1874(e) of the
Social Security Act as it applies to Medicare data made available to
qualified entities for the evaluation of the performance of providers
and suppliers.
Sec. 401.703 Definitions.
For purposes of this subpart:
(a) Qualified entity means either a single public or private
entity, or a lead entity and its contractors, that meets the following
requirements:
(1) Is qualified, as determined by the Secretary, to use claims
data to evaluate the performance of providers and suppliers on measures
of quality, efficiency, effectiveness, and resource use.
(2) Agrees to meet the requirements described in this subpart at
Sec. Sec. 401.705 through 401.721.
(b) Provider of services (referred to as a provider) has the same
meaning as the term ``provider'' in Sec. 400.202 of this chapter.
(c) Supplier has the same meaning as the term ``supplier'' at Sec.
400.202 of this chapter.
(d) Claim means an itemized billing statement from a provider or
supplier that, except in the context of Part D prescription drug event
data, requests payment for a list of services and supplies that were
furnished to a Medicare beneficiary in the Medicare fee-for-service
context, or to a participant in other insurance or entitlement program
contexts. In the Medicare program, claims files are available for each
institutional (inpatient, outpatient, skilled nursing facility,
hospice, or home health agency) and non-institutional (physician and
durable medical equipment providers and suppliers) claim type as well
as Medicare Part D Prescription Drug Event (PDE) data.
(e) Standardized data extract is a subset of Medicare claims data
that the Secretary would make available to qualified entities under
this subpart.
(f) Beneficiary identifiable data is any data that contains the
beneficiary's name, Medicare Health Insurance Claim Number (HICN), or
any other direct identifying factors, including, but not limited to
postal address or telephone number.
(g) Encrypted data is any data that does not contain the
beneficiary's name or any other direct identifying factors, but does
include a unique CMS-assigned beneficiary identifier that allows for
the linking of claims without divulging any direct identifier of the
beneficiary.
(h) Claims data from other sources means provider- or supplier-
identifiable claims data that an applicant or qualified entity has full
data usage right to due to its own operations or disclosures from
providers, suppliers, private payers, multi-payer databases, or other
sources.
(i) Clinical data is registry data, chart-abstracted data,
laboratory results, electronic health record information, or other
information relating to the care or services furnished to patients that
is not included in administrative claims data, but is available in
electronic form.
Sec. 401.705 Eligibility criteria for qualified entities.
(a) Eligibility criteria: To be eligible to apply to receive data
as a qualified entity under this subpart, an applicant generally must
demonstrate expertise and sustained experience, defined as 3 or more
years, in the following three areas, as applicable and appropriate to
the proposed use:
(1) Organizational and governance criteria, including:
(i) Expertise in the areas of measurement that they propose to use
in accurately calculating quality, and efficiency, effectiveness, or
resource use measures from claims data, including the following:
(A) Identifying an appropriate method to attribute a particular
patient's services to specific providers and suppliers.
(B) Ensuring the use of approaches to ensure statistical validity
such as a minimum number of observations or minimum denominator for
each measure.
(C) Using methods for risk-adjustment to account for variations in
both case-mix and severity among providers and suppliers.
(D) Identifying methods for handling outliers.
(E) Correcting measurement errors and assessing measure
reliability.
(F) Identifying appropriate peer groups of providers and suppliers
for meaningful comparisons.
(ii) A plan for a business model that is projected to cover the
costs of performing the required functions, including the fee for the
data.
(iii) Successfully combining claims data from different payers to
calculate performance reports.
(iv) Designing, and continuously improving the format of
performance reports on providers and suppliers.
[[Page 76568]]
(v) Preparing an understandable description of the measures used to
evaluate the performance of providers and suppliers so that consumers,
providers and suppliers, health plans, researchers, and other
stakeholders can assess performance reports.
(vi) Implementing and maintaining a process for providers and
suppliers identified in a report to review the report prior to
publication and providing a timely response to provider and supplier
inquiries regarding requests for data, error correction, and appeals.
(vii) Establishing, maintaining, and monitoring a rigorous data
privacy and security program, including disclosing to CMS any
inappropriate disclosures of beneficiary identifiable information,
violations of applicable federal and State privacy and security laws
and regulations for the preceding 10-year period (or, if the applicant
has not been in existence for 10 years, the length of time the
applicant has been an organization), and any corrective actions taken
to address the issues.
(viii) Accurately preparing performance reports on providers and
suppliers and making performance report information available to the
public in aggregate form, that is, at the provider or supplier level.
(2) Expertise in combining Medicare claims data with claims data
from other sources, including demonstrating to the Secretary's
satisfaction that the claims data from other sources that it intends to
combine with the Medicare data received under this subpart address the
methodological concerns regarding sample size and reliability that have
been expressed by stakeholders regarding the calculation of performance
measures from a single payer source.
(3) Expertise in establishing, documenting and implementing
rigorous data privacy and security policies including enforcement
mechanisms.
(b) Source of expertise and experience: An applicant may
demonstrate expertise and experience in any or all of the areas
described in paragraph (a) of this section through one of the
following:
(1) Activities it has conducted directly through its own staff.
(2) Contracts with other entities if the applicant is the lead
entity and includes documentation in its application of the contractual
arrangements that exist between it and any other entity whose expertise
and experience is relied upon in submitting the application.
Sec. 401.707 Operating and governance requirements for qualified
entities.
A qualified entity must meet the following operating and governance
requirements:
(a) Submit to CMS a list of all measures it intends to calculate
and report, the geographic areas it intends to serve, and the methods
of creating and disseminating reports. This list must include the
following information, as applicable and appropriate to the proposed
use:
(1) Name of the measure, and whether it is a standard or
alternative measure.
(2) Name of the measure developer/owner.
(3) If it is an alternative measure, measure specifications,
including numerator and denominator.
(4) The rationale for selecting each measure, including the
relationship to existing measurement efforts and the relevancy to the
population in the geographic area(s) the entity would serve, including
the following:
(i) A specific description of the geographic area or areas it
intends to serve.
(ii) A specific description of how each measure evaluates providers
and suppliers on quality, efficiency, effectiveness, and/or resource
use.
(5) A description of the methodologies it intends to use in
creating reports with respect to all of the following topics:
(i) Attribution of beneficiaries to providers and/or suppliers.
(ii) Benchmarking performance data, including the following:
(A) Methods for creating peer groups.
(B) Justification of any minimum sample size determinations made.
(C) Methods for handling statistical outliers.
(iii) Risk adjustment, where appropriate.
(iv) Payment standardization, where appropriate.
(b) Submit to CMS a description of the process it would establish
to allow providers and suppliers to view reports confidentially,
request data, and ask for the correction of errors before the reports
are made public.
(c) Submit to CMS a prototype report and a description of its plans
for making the reports available to the public.
(d) Submit to CMS information about the claims data it possesses
from other sources, as defined at Sec. 401.703(h), and documentation
of adequate rights to use the other claims data for the purposes of
this subpart.
(e) If requesting a 5 percent national sample to calculate
benchmarks for the specific measures it is using, submit to CMS a
justification for needing the file to calculate benchmarks.
Sec. 401.709 The application process and requirements.
(a) Application deadline. CMS accepts qualified entity applications
on a rolling basis after an application is made available on the CMS
Web site. CMS reviews applications in the order in which they are
received.
(b) Selection criteria. To be approved as a qualified entity under
this subpart, the applicant must meet one of the following:
(1) Standard approval process: Meet the eligibility and operational
and governance requirements, fulfill all of the application
requirements to CMS' satisfaction, and agree to pay a fee equal to the
cost of CMS making the data available. The applicant and each of its
contractors that are anticipated to have access to the Medicare data
must also execute a Data Use Agreement with CMS, that among other
things, reaffirms the statutory ban on the use of Medicare data
provided to the qualified entity by CMS under this subpart for purposes
other than those referenced in this subpart.
(2) Conditional approval process: Meet the eligibility and
operational and governance requirements, and fulfill all of the
application requirements to CMS' satisfaction, with the exception of
possession of sufficient claims data from other sources. Meeting these
requirements will result in a conditional approval as a qualified
entity. Entities gaining a conditional approval as a qualified entity
must meet the eligibility requirements related to claims data from
other sources the entity intends to combine with the Medicare data,
agree to pay a fee equal to the cost of CMS making the data available,
and execute a Data Use Agreement with CMS, that among other things,
reaffirms the statutory ban on the use of Medicare data provided to the
qualified entity by CMS under this subpart for purposes other than
those referenced in this subpart before receiving any Medicare data. If
the qualified entity is composed of lead entity with contractors, any
contractors that are anticipated to have access to the Medicare data
must also execute a Data Use Agreement with CMS.
(c) Duration of approval. CMS permits an entity to participate as a
qualified entity for a period of 3 years from the date of notification
of the application approval by CMS. The qualified entity must abide by
all CMS regulations and instructions. If the qualified entity wishes to
continue performing the tasks after the 3-year approval period, the
entity may re-apply for qualified entity status following the
procedures in paragraph (f) of this section.
[[Page 76569]]
(d) Reporting period. A qualified entity must produce reports on
the performance of providers and suppliers at least annually, beginning
in the calendar year after they are approved by CMS.
(e) The distribution of data.--(1) Initial data release. Once CMS
fully approves a qualified entity under this subpart, the qualified
entity must pay a fee equal to the cost of CMS making data available.
After the qualified entity pays the fee, CMS will release the
applicable encrypted claims data, as well as a file that crosswalks the
encrypted beneficiary ID to the beneficiary name and the Medicare HICN.
The data will be the most recent data available, and will be limited to
the geographic spread of the qualified entity's other claims data, as
determined by CMS.
(2) Subsequent data releases. After the first quarter of
participation, CMS will provide a qualified entity with the most recent
additional quarter of currently available data, as well as a table that
crosswalks the encrypted beneficiary ID to the beneficiary's name and
the Medicare HICN. Qualified entities are required to pay CMS a fee
equal to the cost of making data available before CMS will release the
most recent quarter of additional data to the qualified entity.
(f) Re-application. A qualified entity that is in good standing may
re-apply for qualified entity status. A qualified entity is considered
to be in good standing if it has had no violations of the requirements
in this subpart or if the qualified entity is addressing any past
deficiencies either on its own or through the implementation of a
corrective action plan. To re-apply a qualified entity must submit to
CMS documentation of any changes to what was included in its
previously-approved application. A re-applicant must submit this
documentation at least 6 months before the end of its 3-year approval
period and will be able to continue to serve as a qualified entity
until the re-application is either approved or denied by CMS. If the
re-application is denied, CMS will terminate its relationship with the
qualified entity and the qualified entity will be subject to the
requirements for return or destruction of data at Sec. 401.721(b).
Sec. 401.711 Updates to plans submitted as part of the application
process.
(a) If a qualified entity wishes to make changes to the following
parts of its previously-approved application:
(1) Its list of proposed measures--the qualified entity must send
all the information referenced in Sec. 401.707(a) for the new measures
to CMS at least 30 days before its intended confidential release to
providers and suppliers.
(2) Its proposed prototype report--the qualified entity must send
the new prototype report to CMS at least 30 days before its intended
confidential release to providers and suppliers.
(3) Its plans for sharing the reports with the public--the
qualified entity must send the new plans to CMS at least 30 days before
its intended confidential release to providers and suppliers.
(b) CMS will notify the qualified entity when the entity's proposed
changes are approved or denied for use, generally within 30 days of the
qualified entity submitting the changes to CMS. If a CMS decision on
approval or disapproval for a change is not forthcoming within 30 days
and CMS does not request an additional 30 days for review, the change
or modification shall be deemed to be approved.
(c) If the amount of claims data from other sources available to a
qualified entity decreases, the qualified entity must immediately
inform CMS and submit documentation that the remaining claims data from
other sources is sufficient to address the methodological concerns
regarding sample size and reliability. Under no circumstances may a
qualified entity use Medicare data to create a report, use a measure,
or share a report after the amount of claims data from other sources
available to a qualified entity decreases until CMS determines either
that the remaining claims data is sufficient or that the qualified
entity has collected adequate additional data to address any
deficiencies.
(1) If the qualified entity cannot submit the documentation
required in paragraph (c) of this section, or if CMS determines that
the remaining claims data is not sufficient, CMS will afford the
qualified entity up to 120 days to obtain additional claims to address
any deficiencies. If the qualified entity does not have access to
sufficient new data after that time, CMS will terminate its
relationship with the qualified entity.
(2) If CMS determines that the remaining claims data is sufficient,
the qualified entity may continue issuing reports, using measures, and
sharing reports.
Sec. 401.713 Ensuring the privacy and security of data.
(a) A qualified entity must comply with the data requirements in
its data use agreement (DUA) with CMS. Contractors of qualified
entities that are anticipated to have access to the Medicare claims
data or beneficiary identifiable data in the context of this program
are also required to execute and comply with the DUA. The DUA will
require the qualified entity to maintain privacy and security protocols
throughout the duration of the agreement with CMS and will ban the use
of data for purposes other than those set out in this subpart. The DUA
will also prohibit the use of unsecured telecommunications to transmit
CMS data and will specify the circumstances under which CMS data must
be stored and transmitted.
(b) A qualified entity must inform each beneficiary whose
beneficiary identifiable data has been (or is reasonably believed to
have been) inappropriately accessed, acquired, or disclosed in
accordance with the DUA.
(c) Contractor(s) must report to the qualified entity whenever
there is an incident where beneficiary identifiable data has been (or
is reasonably believed to have been) inappropriately accessed,
acquired, or disclosed.
Sec. 401.715 Selection and use of performance measures.
(a) Standard measures. A standard measure is a measure that can be
calculated in full or in part from claims data from other sources and
the standardized extracts of Medicare Parts A and B claims, and Part D
prescription drug event data and meets the following requirements:
(1) Meets one of the following criteria:
(i) Is endorsed by the entity with a contract under section 1890(a)
of the Social Security Act.
(ii) Is time-limited endorsed by the entity with a contract under
section 1890(a) of the Social Security Act until such time as the full
endorsement status is determined.
(iii) Is developed under section 931 of the Public Health Service
Act.
(iv) Can be calculated from standardized extracts of Medicare Parts
A or B claims or Part D prescription drug event data, was adopted
through notice-and-comment rulemaking, and is currently being used in
CMS programs that include quality measurement.
(v) Is endorsed by a CMS-approved consensus-based entity. CMS will
approve organizations as consensus-based entities based on review of
documentation of the consensus-based entity's measure approval process.
To receive approval as a consensus-based entity, an organization must
submit information to CMS documenting its processes for stakeholder
consultation and measures approval; an organization will only receive
approval as a consensus-based entity if all measure specifications are
publically available. An organization will retain CMS acceptance as a
consensus-based entity
[[Page 76570]]
for 3 years after the approval date, at which time CMS will review new
documentation of the consensus-based entity's measure approval process
for a new 3-year approval.
(2) Is used in a manner that follows the measure specifications as
written (or as adopted through notice-and-comment rulemaking),
including all numerator and denominator inclusions and exclusions,
measured time periods, and specified data sources.
(b) Alternative measure. (1) An alternative measure is a measure
that is not a standard measure, but that can be calculated in full, or
in part, from claims data from other sources and the standardized
extracts of Medicare Parts A and B claims, and Part D prescription drug
event data, and that meets one of the following criteria:
(i) Rulemaking process: Has been found by the Secretary, through a
notice-and comment-rulemaking process, to be more valid, reliable,
responsive to consumer preferences, cost-effective, or relevant to
dimensions of quality and resource use not addressed by standard
measures, and is used by a qualified entity in a manner that follows
the measure specifications as adopted through notice-and-comment
rulemaking, including all numerator and denominator inclusions and
exclusions, measured time periods, and specified data sources.
(ii) Stakeholder consultation approval process: Has been found by
the Secretary, using documentation submitted by a qualified entity that
outlines its consultation and agreement with stakeholders in its
community, to be more valid, responsive to consumer preferences, cost-
effective, or relevant to dimensions of quality and resource use not
addressed by standard measures, and is used by a qualified entity in a
manner that follows the measure specifications as submitted, including
all numerator and denominator inclusions and exclusions, measured time
periods, and specified data sources. If a CMS decision on approval or
disapproval of alternative measures submitted using the stakeholder
consultation approval process is not forthcoming within 60 days of
submission of the measure by the qualified entity, the measure will be
deemed approved. However, CMS retains the right to disapprove a measure
if, even after 60 days, we find it to not be ``more valid, reliable,
responsive to consumer preferences, cost-effective, or relevant to
dimensions of quality and resource'' than a standard measure.
(2) An alternative measure approved under the process at paragraph
(b)(1)(i) of this section may be used by any qualified entity. An
alternative measure approved under the process at paragraph (b)(1)(ii)
of this section may only be used by the qualified entity that submitted
the measure for consideration by the Secretary. A qualified entity may
use an alternative measure up until the point that an equivalent
standard measure for the particular clinical area or condition becomes
available at which point the qualified entity must switch to the
standard measure within 6 months or submit additional scientific
justification and receive approval, via either paragraphs (b)(1)(i) or
(b)(1)(ii) of this section, from the Secretary to continue using the
alternative measure.
(3) To submit an alternative measure for consideration under the
notice-and-comment-rulemaking process, for use in the calendar year
following the submission, an entity must submit the following
information by May 31st:
(i) The name of the alternative measure.
(ii) The name of the developer or owner of the alternative measure.
(iii) Detailed specifications for the alternative measure.
(iv) Evidence that use of the alternative measure would be more
valid, reliable, responsive to consumer preferences, cost-effective, or
relevant to dimensions of quality and resource use not addressed by
standard measures.
(4) To submit an alternative measure for consideration under the
documentation of stakeholder consultation approval process described in
paragraph (b)(1)(ii) of this section, for use once the measure is
approved by the Secretary, an entity must submit the following
information to CMS:
(i) The name of the alternative measure.
(ii) The name of the developer or owner of the alternative measure.
(iii) Detailed specifications for the alternative measure.
(iv) A description of the process by which the qualified entity
notified stakeholders in the geographic region it serves of its intent
to seek approval of an alternative measure. Stakeholders must include a
valid cross representation of providers, suppliers, payers, employers,
and consumers.
(v) A list of stakeholders from whom feedback was solicited,
including the stakeholders' names and roles in the community.
(vi) A description of the discussion about the proposed alternative
measure, including a summary of all pertinent arguments supporting and
opposing the measure.
(vii) Unless CMS has already approved the same measure for use by
another qualified entity, no new scientific evidence on the measure is
available, and the subsequent qualified entity wishes to rely upon the
scientific evidence submitted by the previously approved applicant, an
explanation backed by scientific evidence that demonstrates why the
measure is more valid, reliable, responsive to consumer preferences,
cost-effective, or relevant to dimensions of quality and resource use
not addressed by a standard measure.
Sec. 401.717 Provider and supplier requests for error correction.
(a) A qualified entity must confidentially share measures,
measurement methodologies, and measure results with providers and
suppliers at least 60 calendar days before making reports public. The
60 calendar days begin on the date on which qualified entities send the
confidential reports to providers and suppliers. A qualified entity
must inform providers and suppliers of the date the reports will be
made public at least 60 calendar days before making the reports public.
(b) Before making the reports public, a qualified entity must allow
providers and suppliers the opportunity to make a request for the data,
or to make a request for error correction, within 60 calendar days
after sending the confidential reports to providers or suppliers.
(c) During the 60 calendar days between sending a confidential
report on measure results and releasing the report to the public, the
qualified entity must, at the request of a provider or supplier and
with appropriate privacy and security protections, release the Medicare
claims data and beneficiary names to the provider or supplier.
Qualified entities may only provide the Medicare claims and/or
beneficiary names relevant to the particular measure or measure result
the provider or supplier is appealing.
(d) A qualified entity must inform providers and suppliers that
reports will be made public, including information related to the
status of any data or error correction requests, after the date
specified to the provider or supplier when the report is sent for
review and, if necessary, error correction requests (at least 60
calendar days after the report was originally sent to the providers and
suppliers), regardless of the status of any requests for error
correction.
(e) If a provider or supplier has a data or error correction
request outstanding at the time the reports become public, the
qualified entity must, if feasible, post publicly the name of the
appealing
[[Page 76571]]
provider or supplier and the category of the appeal request.
Sec. 401.719 Monitoring and sanctioning of qualified entities.
(a) CMS will monitor and assess the performance of qualified
entities and their contractors using the following methods:
(1) Audits.
(2) Submission of documentation of data sources and quantities of
data upon the request of CMS and/or site visits.
(3) Analysis of specific data reported to CMS by qualified entities
through annual reports (as described in paragraph (b) of this section)
and reports on inappropriate disclosures or uses of beneficiary
identifiable data (as described in paragraph (c) of this section).
(4) Analysis of complaints from beneficiaries and/or providers or
suppliers.
(b) A qualified entity must provide annual reports to CMS
containing information related to the following:
(1) General program adherence, including the following information:
(i) The number of Medicare and private claims combined.
(ii) The percent of the overall market share the number of claims
represent in the qualified entity's geographic area.
(iii) The number of measures calculated.
(iv) The number of providers and suppliers profiled by type of
provider and supplier.
(v) A measure of public use of the reports.
(2) The provider and supplier data sharing, error correction, and
appeals process, including the following information:
(i) The number of providers and suppliers requesting claims data.
(ii) The number of requests for claims data fulfilled.
(iii) The number of error corrections.
(iv) The type(s) of problem(s) leading to the request for error
correction.
(v) The amount of time to acknowledge the request for data or error
correction.
(vi) The amount of time to respond to the request for error
correction.
(vii) The number of requests for error correction resolved.
(c) A qualified entity must inform CMS of inappropriate disclosures
or uses of beneficiary identifiable data under the DUA.
(d) CMS may take the following actions against a qualified entity
if CMS determines that the qualified entity violated any of the
requirements of this subpart, regardless of how CMS learns of a
violation:
(1) Provide a warning notice to the qualified entity of the
specific concern, which indicates that future deficiencies could lead
to termination.
(2) Request a corrective action plan (CAP) from the qualified
entity.
(3) Place the qualified entity on a special monitoring plan.
(4) Terminate the qualified entity.
Sec. 401.721 Terminating an agreement with a qualified entity.
(a) Grounds for terminating a qualified entity agreement. CMS may
terminate an agreement with a qualified entity if CMS determines the
qualified entity or its contractor meets any of the following:
(1) Engages in one or more serious violations of the requirements
of this subpart.
(2) Fails to completely and accurately report information to CMS or
fails to make appropriate corrections in response to confidential
reviews by providers and suppliers in a timely manner.
(3) Fails to submit an approvable corrective action plan (CAP) as
prescribed by CMS, fails to implement an approved CAP, or fails to
demonstrate improved performance after the implementation of a CAP.
(4) Improperly uses or discloses claims information received from
CMS in violation of the requirements in this subpart.
(5) Based on its re-application, no longer meets the requirements
in this subpart.
(6) Fails to maintain adequate data from other sources in
accordance with Sec. 401.711(c).
(b) Return or destruction of CMS data upon voluntary or involuntary
termination from the qualified entity program:
(1) If CMS terminates a qualified entity's agreement, the qualified
entity and its contractors must immediately upon receipt of
notification of the termination commence returning or destroying any
and all CMS data (and any derivative files). In no instance can this
process exceed 30 days.
(2) If a qualified entity voluntarily terminates participation
under this subpart, it and its contractors must return to CMS, or
destroy, any and all CMS data in its possession within 30 days of
notifying CMS of its intent to end its participation.
(Catalog of Federal Domestic Assistance Program No. 93.773,
Medicare--Hospital Insurance; and Program No. 93.774, Medicare--
Supplementary Medical Insurance Program)
Dated: November 1, 2011.
Donald M. Berwick,
Administrator, Centers for Medicare & Medicaid Services.
Approved: November 29, 2011.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.
[FR Doc. 2011-31232 Filed 12-5-11; 11:15 am]
BILLING CODE 4120-01-P