Privacy Act of 1974; Report of New System of Records, 26566-26569 [2016-10253]
Download as PDF
<![CDATA[
26566
Federal Register / Vol. 81, No. 85 / Tuesday, May 3, 2016 / Notices
II. Provisions of the Notice
asabaliauskas on DSK3SPTVN1PROD with NOTICES
A. Subject of Challenge Competition:
MIPS Mobile Challenge
1. Eligibility Rules for Participating in
the Competition
To be eligible to win a prize under
this challenge, participants (individual
or entity) must comply with each and
every rule set forth in this section:
1. Shall register to participate in the
competition under the rules
promulgated below by the Department
of Health and Human Services (HHS).
2. In the case of a private entity, shall
be incorporated in and maintain a
primary place of business in the United
States, and in the case of an individual,
whether participating individually or in
a group, shall be a citizen or permanent
resident of the United States.
3. HHS Employees may participate in
the MIPS Mobile Challenge, but may not
submit in the scope of their employment
and may not pursue an application
while in the federal workplace or while
on duty.
4. Shall not be an employee of the
CMS.
5. Federal grantees may not use
federal funds to develop the America
COMPETES Reauthorization Act of 2010
(Pub. L. 111–358, enacted January 4,
2011) (COMPETES Act) challenge
applications unless consistent with the
purpose of their grant award.
6. Federal contractors may not use
federal funds from a contract to develop
COMPETES Act challenge applications
or to fund efforts in support of a
COMPETES Act challenge submission.
7. Applicants must agree to provide
the federal government an irrevocable,
royalty-free, non-exclusive worldwide
license in the winning work(s) or
component parts thereof, in the event
that they are prize winner(s). HHS shall
be granted the rights to reproduce,
distribute copies to the public, publicly
display, create derivative works, and
publicly post, link to, and share the
winning work(s) or parts thereof.
A submission may be disqualified if,
in CMS’s sole judgment:
• Fails to function as expressed in the
detailed description,
• The detailed description is
significantly inaccurate or incomplete,
or
• Malware or other security threats
are present.
Participants agree that we may
conduct testing on the submitted code
to determine whether malware or other
security threats may be present such
that they may damage the equipment or
operating environments of the Federal
Government or those acting on its
behalf.
VerDate Sep<11>2014
18:53 May 02, 2016
Jkt 238001
An individual or entity shall not be
deemed ineligible because the
individual or entity used federal
facilities or consulted with federal
employees during a competition if the
facilities and employees are made
available to all individuals and entities
participating in the competition on an
equitable basis.
Challenge participants will sign a
liability release as part of the contest
registration process. The liability release
will use the following language:
By participating in this competition, I
agree to assume any and all risks and
waive claims against the federal
government and its related entities,
except in the case of willing
misconduct, for any injury, death,
damage, or loss of property, revenue, or
profits, whether direct, indirect, or
consequential, arising from my
participation in this prize contest,
whether the injury, death, damage, or
loss arises through negligence or
otherwise.
B. Registration Process for Participants
1. Amount of the Prize
The top 3 to 5 winners for phase I of
the challenge will be provided a
monetary cash prize totaling $10,000
per winner. The Phase II final challenge
winner will be provided a monetary
cash prize totaling $25,000.
• Phase 1
++ Ease in which a user can navigate
Usability and Design;
++ Evidence of design with User
feedback;
++ Innovation in Design; and
++ Look and Feel.
Fmt 4703
Sfmt 4703
III. Collection of Information
Requirements
This document does not impose
information collection requirements,
that is, reporting, recordkeeping or
third-party disclosure requirements.
Consequently, there is no need for
review by the Office of Management and
Budget under the authority of the
Paperwork Reduction Act of 1995 (44
U.S.C. 3501 et seq.).
Dated: April 20, 2016.
Andrew M. Slavitt,
Acting Administrator, Centers for Medicare
& Medicaid Services.
BILLING CODE 4120–01–P
Challenge submissions will be judged
by a panel selected by CMS with
relevant expertise in current CMS
reporting systems. The expert panel of
judges, qualified by training and
experience, will evaluate the
submissions on the criteria identified
below in this section. Judges will be fair
and impartial, may not have a personal
or financial interest in, or be an
employee, officer, director, or agent of,
any entity that is a registered participant
in the competition, and may not have a
personal or financial relationship with
an individual who is a registered
contestant. The panel will provide
expert advice on the merits of each
submission to CMS officials responsible
for final selections for award. Awardees
will be notified on or around the dates
listed in the ‘‘Date’’ section. Winners
will be selected based on the following
criteria:
Frm 00041
C. Additional Information
Challenge participants will draw from
existing information provided on
www.cms.gov and collaborate directly
with health professionals and/or end
users to build their application. The
participants will have access to
www.cms.gov and to end users.
Challenge details and registration are
located at www.challenge.gov.
[FR Doc. 2016–10301 Filed 5–2–16; 8:45 am]
2. How Winners Are Selected
PO 00000
• Phase 2
++ Ease in which a user can navigate
Usability and Design;
++ Evidence of design with User
feedback;
++ Innovation in Design;
++ Functionality/Accuracy; and
++ Look and Feel.
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Medicare & Medicaid
Services
Privacy Act of 1974; Report of New
System of Records
Department of Health and
Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of New System of
Records (SOR).
AGENCY:
In accordance with the
requirements of the Privacy Act of 1974,
we are proposing to establish a new
SOR titled, ‘‘CMS Risk Adjustment Data
Validation System (RAD–V),’’ System
No. 09–70–0511. Under § 1343 of the
Patient Protection and Affordable Care
Act (Pub. L. 111–148) as amended by
the Health Care and Education
Reconciliation Act of 2010 (Pub. L. 111–
152), (hereinafter, the ACA), and the
implementing regulations at 45 CFR part
153, data collected and maintained in
this system will be used to support the
audit functions of the risk adjustment
SUMMARY:
E:\FR\FM\03MYN1.SGM
03MYN1
asabaliauskas on DSK3SPTVN1PROD with NOTICES
Federal Register / Vol. 81, No. 85 / Tuesday, May 3, 2016 / Notices
program, including validation activities
under the risk adjustment data
validation program.
The goal of the risk adjustment
program is to provide payments to nongrandfathered health insurance issuers
in the individual and small group
markets that attract higher-risk
populations, including a validation
program to ensure the reliability of data
used as a basis for risk adjustment
payments and charges. Nongrandfathered plans are health plans
that came into existence after March 23,
2010. Insurers offering these plans were
required to modify them to follow the
ACA rules as of January 1, 2014.
The RAD–V system will contain
personally identifiable information (PII)
about individuals who are current or
former enrollees in non-grandfathered
health plans, including information
obtained through the risk adjustment
data validation process to establish the
relative deviation from the average. The
program and the system of record are
more thoroughly described in the
SUPPLEMENTARY INFORMATION section and
System of Records Notice below.
At this time, the only personally
identifiable information that will be
collected under this System will be
through the RAD–V, part of the risk
adjustment program.
DATES: This action will be effective
without further notice 30 days after
publication in the Federal Register or
40 days after providing a report of this
Notice to the Office of Management and
Budget and Congress, whichever is later.
Written comments should be submitted
within 30 days of publication in the
Federal Register. HHS may publish an
amended system of records notice
(SORN) in light of any comments
received.
ADDRESSES: Written comments can be
sent to: CMS Privacy Act Officer,
Division of Security, Privacy Policy &
Governance, Information Security &
Privacy Group, Office of Enterprise
Information, CMS, 7500 Security
Boulevard, Baltimore, MD 21244–1870,
Mailstop: N1–24–08, or by E-Mail to:
walter.stone@cms.hhs.gov. Comments
received will be available for review at
this location, by appointment, during
regular business hours, Monday through
Friday from 9:00 a.m.–3:00 p.m., Eastern
Time zone.
FOR INFORMATION CONTACT: Catherine
Anderson, RAD–V Mailbox Coordinator,
Division of Risk Adjustment Operations,
CCIIO, CMS, 7500 Security Boulevard,
Baltimore, Maryland 21244. The email
address is
CCIIOACARADataValidation@
cms.hhs.gov.
VerDate Sep<11>2014
18:53 May 02, 2016
Jkt 238001
Section
1343(b) of the ACA requires the
Secretary to establish criteria and
methods to carry out a risk adjustment
program. Section 1321(a)(1)(C) of the
ACA directs the Secretary to issue
regulations and set standards to
establish the risk adjustment program.
Consistent with § 1321(c)(1) of the ACA,
45 CFR 153.310(a) provides that HHS
will operate risk adjustment where a
State does not elect to administer the
risk adjustment program. The primary
goals of the risk adjustment program are
to assist health plans that provide
coverage to individuals with higher
health care costs and will help ensure
that those who are sick have access to
the coverage they need. The ACA’s risk
adjustment program also serves to level
the playing field inside and outside of
the individual and small group markets
in each state by stabilizing premiums.
Under 45 CFR 153.620(b), issuers of
risk adjustment covered plans must
maintain documents and records to
enable such evaluation, and must make
such records available to HHS upon
request for purposes of verification,
investigation, audit or other review. As
part of the risk adjustment data
validation program, HHS may audit an
issuer of a risk adjustment covered plan
to assess its compliance with the risk
adjustment requirements.
The state, or HHS on behalf of the
state, must ensure proper validation of
a statistically valid sample of risk
adjustment data from each issuer that
offers at least one risk adjustment
covered plan in that state, as well as an
administrative process to appeal
findings from the risk adjustment data
validation process. When HHS is
conducting the risk adjustment data
validation program, 45 CFR 153.620(a)
and 153.630(a), requires issuers of risk
adjustment covered plans to comply
with any request for data for any audit
or validation preformed, including
relevant source enrollment
documentation, all claims and
encounter data, and medical record
documentation.
Existing information privacy and
security standards, such as standards
under HIPAA and those detailed at 45
CFR 153.630(f)(2), which governs the
risk adjustment data validation program,
will apply to issuers and their initial
validation auditors. In order to
minimize the amount of individually
identifiable information collected, CMS
will use the smallest possible sample
size that will provide a statistically
valid sample, in accordance with the
regulations at 45 CFR 153.350(a).
SUPPLEMENTARY INFORMATION:
PO 00000
Frm 00042
Fmt 4703
Sfmt 4703
26567
The Privacy Act
The Privacy Act governs the
collection, maintenance, use, and
dissemination of certain information
about individuals by agencies of the
federal government. A system of records
is a group of any records under the
control of a federal agency from which
information about individuals is
retrieved by name or other personal
identifier. The Privacy Act requires each
agency to publish notice in the Federal
Register of the existence and character
of each system of records that the
agency maintains, including the name
and location of the system; the
categories of individuals whom records
are maintained; the categories, routine
uses, and sources of the records; the
agencies policies and practices
regarding storage retrieval, access
controls, and retention and disposal of
the records; and the title and business
address of the agency official to contact
with notification, access, and
amendment requests.
SYSTEM NUMBER:
09–70–0511.
SYSTEM NAME:
Risk Adjustment Data Validation
System (RAD–V), HHS/CMS/CCIIO.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The RAD–V will be physically located
at the CMS Data Center, 7500 Security
Boulevard, North Building, First Floor,
Baltimore, MD 21244–1850, and at
various contractor sites.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
The system will contain information
about individuals currently or
previously enrolled in a risk adjustment
covered plan as defined at 45 CFR
153.20, and individual providers of
medical or health care services.
CATEGORIES OF RECORDS IN THE SYSTEM:
CMS will collect demographic,
geographic, medical and/or health care
information, date of birth, gender, dates
of service about individuals that are
currently and previously enrolled in
risk adjustment covered plans. In
addition, CMS will collect identifiable
information about individual health
care providers, including but not
limited to name, ITIN or EIN, and NPI
numbers.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for the maintenance of the
RAD–V is given under the provisions of
§§ 1321 and 1343 of the Patient
E:\FR\FM\03MYN1.SGM
03MYN1
26568
Federal Register / Vol. 81, No. 85 / Tuesday, May 3, 2016 / Notices
Protection and Affordable Care Act
(Pub. L. 111–148) as amended by the
Health Care and Education
Reconciliation Act of 2010 (Pub. L. 111–
152), and the Regulations at 45 CFR
153.350, 153.620, 153.630.
PURPOSE(S) OF THE SYSTEM:
The primary purpose of this system is
to collect and maintain necessary to
support the audit functions of the risk
adjustment programs, including
validation activities under the risk
adjustment data validation system
(RAD–V).
asabaliauskas on DSK3SPTVN1PROD with NOTICES
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OR USERS AND
THE PURPOSES OF SUCH USES:
A. Entities Who May Receive
Disclosures under Routine Uses Records
about an individual may be disclosed
from this system of records to the
following parties outside the agency,
without the individual’s consent, for
these purposes:
1. To CMS contractors who have been
engaged by the agency to assist in the
performance of a service related to this
collection and who need to have access
to the records in order to perform the
activity.
2. To a health insurance issuer
participating in the risk adjustment data
validation program or any agent,
contractor, sub-contractor or entity of
that health insurance issuer that has
entered into an agreement or contract
with the issuer to assist in compliance
with the risk adjustment data validation
program.
3. The Department of Justice (DOJ), a
court or an adjudicatory body when: a.
The agency or any component thereof,
or b. Any employee of the agency in his/
her official capacity, or c. Any employee
of the agency in his/her individual
capacity where the DOJ has agreed to
represent the employee, or d. The
United States Government is a party to
litigation or has an interest in such
litigation, and by careful review, CMS
determines that the records are both
relevant and necessary to the litigation
and that the use of such records by the
DOJ, a court or an adjudicatory body is
compatible for the purpose for which
the agency collected the records.
4. To a CMS contractor that assists in
the administration of a CMS
administered health benefits program,
when disclosure is deemed reasonably
necessary by CMS, to prevent, deter,
discover, detect, investigate, examine,
prosecute, sue with respect to, defend
against, correct, remedy, or otherwise
combat fraud or abuse in such program.
5. To another Federal agency or to an
instrumentality of any governmental
VerDate Sep<11>2014
18:53 May 02, 2016
Jkt 238001
jurisdiction within or under the control
of the United States (including any State
or local governmental agency), that
administers, or that has the authority to
investigate, potential fraud in the health
benefits program funded in whole or in
part by Federal funds, when disclosure
is deemed reasonably necessary by CMS
to prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud or
abuse in such program.
6. To appropriate federal agencies and
Department contractors that have a need
to know the information for the purpose
of assisting the Department’s efforts to
respond to a suspected or confirmed
breach of the security or confidentiality
of information maintained in this
system of records, if the information
disclosed is relevant to and necessary
for that assistance; and information from
this system may become available to
U.S. Department of Homeland Security
(DHS) cyber security personnel if
captured in an intrusion detection
system used by HHS and DHS pursuant
to a DHS cyber security program that
monitors internet traffic to and from
federal government computer networks
to prevent a variety of types of
cybersecurity incidents.
Records may also be disclosed to
parties outside the agency, without the
individual’s consent, for any of the
purposes authorized directly in the
Privacy Act at 5 U.S.C § 552(a)(b)(1), (2)
and (b)(4)–(b)(12).
POLICIES AND PRACTICES FOR STORING,
RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THE SYSTEM
STORAGE:
Archived records for the risk
adjustment data validation program will
be stored in electronic form in the HHS–
RADV Audit Tool maintained in the
Acumen Web Portal.
RETRIEVABILITY:
The data collected is retrieved by the
name of an individual, or by some other
identifying number, symbol, or other
identifying particular assigned to an
individual.
SAFEGUARDS:
CMS has safeguards in place for
authorized users and monitors such
users to ensure against excessive or
unauthorized use. Personnel having
access to the RAD–V have been trained
in the Privacy Act information privacy
and security requirements. Employees
who maintain records in this system are
instructed not to release data unless the
intended recipient agrees to implement
appropriate physical, technical, and
PO 00000
Frm 00043
Fmt 4703
Sfmt 4703
administrative safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems, and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulation
and Federal, HHS and CMS policies and
standards as they relate to information
security and data privacy. These laws
and regulation mat apply but are not
limited to: the Privacy Act of 1974; the
Federal Information Security Act of
2002; the Computer Fraud and Abuse
Act of 1986; the Health Insurance
Portability and Accountability Act of
1996; the e-Government Act of 2002; the
Clinger-Cohen Act of 1996; the
Medicare Modernization Act of 2003,
and their corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III Security of Federal
Automated Information Resources also
applies, as well as Federal, HHS, and
CMS information system security and
privacy policies.
RETENTION AND DISPOSAL:
Records will be maintained until they
become inactive, at which time they
will be retired or destroyed in
accordance with published records
schedules of CMS, as approved by the
National Archives and Records
Administration, and following the
guidelines in National Institutes of
Science and Technology (NIST) Special
Publication 800–88, Guidelines for
Media Sanitation. Enrollee claims
records subject to a document
preservation order will be preserved
consistent with the terms of the court’s
order.
SYSTEM MANAGER AND ADDRESS:
Director, Division of Risk Adjustment
Operations, Payment Policy & Financial
Management Group, CCIIO, CMS, 7500
Security Boulevard, Baltimore, MD
21244.
NOTIFICATION PROCEDURE:
Individuals wishing to know if this
system contains records about them
should write to the System Manager and
include pertinent personally identifiable
information (which CMS recommends
be encrypted and properly transmitted)
to be used for retrieval of their records.
RECORD ACCESS PROCEDURE:
Individuals seeking access to records
about them in this system should follow
the same instructions indicated under
‘‘Notification Procedure’’ and
reasonably specify the record content
being sought. (These procedures are in
accordance with HHS regulations at 45
CFR 5b.5(a)(2).)
E:\FR\FM\03MYN1.SGM
03MYN1
26569
Federal Register / Vol. 81, No. 85 / Tuesday, May 3, 2016 / Notices
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest the
content of information about them in
this system should follow the same
instructions indicated under
‘‘Notification Procedure.’’ The request
should: Reasonably identify the record
and specify the information being
contested; state the corrective action
sought; and provide the reasons for the
correction, with supporting justification.
(These procedures are in accordance
with HHS regulations at 45 CFR 5b.7.)
RECORD SOURCE CATEGORIES:
The RAD–V will contain individually
identifiable enrollment and
demographic information, claims and
encounter information and enrollees’
medical records provided by issuers of
risk adjustment covered plans. The
issuers will provide the information as
requested by CMS or a contractor on
CMS’ behalf.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS
OF THE ACT:
None.
Dated: April 26, 2016.
Emery Csulak,
CMS Senior Official for Privacy, Centers for
Medicare & Medicaid Services.
[FR Doc. 2016–10253 Filed 5–2–16; 8:45 am]
BILLING CODE 4120–03–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Administration for Children and
Families
Submission for OMB Review;
Comment Request
Title: Procedures for Requests from
Tribal Lead Agencies to use Child Care
and Development Fund (CCDF) Funds
for Construction or Major Renovation of
Child Care Facilities.
OMB No.: 0970–0160.
Description: The Child Care and
Development Block Grant Act, as
amended, allows Indian Tribes to use
Child Care and Development Fund
(CCDF) grant awards for construction
and renovation of child care facilities. A
tribal grantee must first request and
receive approval from the
Administration for Children and
Families (ACF) before using CCDF funds
for construction or major renovation.
This information collection contains the
statutorily-mandated uniform
procedures for the solicitation and
consideration of requests, including
instructions for preparation of
environmental assessments in
conjunction with the National
Environmental Policy Act. The
proposed draft procedures update the
procedures that were originally issued
in August 1997 and last updated in
April 2013. Respondents will be CCDF
tribal grantees requesting to use CCDF
funds for construction or major
renovation.
Respondents: Tribal Child Care Lead
Agencies acting on behalf of Tribal
Governments.
ANNUAL BURDEN ESTIMATES
Number of
respondents
Number of
responses per
respondent
Average
burden hours
per response
Total burden
hours
Construction or Major Renovation of Tribal Child Care Facilities ...................
asabaliauskas on DSK3SPTVN1PROD with NOTICES
Instrument
5
1
20
100
Estimated Total Annual Burden
Hours: 100.
Additional Information: Copies of the
proposed collection may be obtained by
writing to the Administration for
Children and Families, Office of
Planning, Research and Evaluation, 330
C Street, Washington, DC 20201, Attn:
ACF Reports Clearance Officer. Email
address: infocollection@acf.hhs.gov. All
requests should be identified by the title
of the information collection.
OMB Comment: OMB is required to
make a decision concerning the
collection of information between 30
and 60 days after publication of this
document in the Federal Register.
Therefore, a comment is best assured of
having its full effect if OMB receives it
within 30 days of publication. Written
comments and recommendation for the
proposed information collection should
be sent directly to the following: Office
of Management and Budget, Paperwork
Reduction Project, Fax: 202–395–7285,
Email: OIRA_SUBMISSION@
OMB.EOP.GOV, Attn: Desk Officer for
VerDate Sep<11>2014
18:53 May 02, 2016
Jkt 238001
the Administration for Children and
Families.
Robert Sargis,
Reports Clearance Officer.
[FR Doc. 2016–10293 Filed 5–2–16; 8:45 am]
BILLING CODE 4184–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Administration for Community Living
Agency Information Collection
Activities; Proposed Extension With
No Changes of a Currently Approved
Collection; Comment Request; State
Program Report
Administration for Community
Living, HHS.
ACTION: Notice.
AGENCY:
The Administration for
Community Living (ACL) is announcing
an opportunity for public comment on
the proposed collection of certain
information by the agency. Under the
Paperwork Reduction Act of 1995 (the
PRA), Federal agencies are required to
publish notice in the Federal Register
concerning each proposed collection of
SUMMARY:
PO 00000
Frm 00044
Fmt 4703
Sfmt 4703
information, including each proposed
extension of an existing collection of
information, and to allow 60 days for
public comment in response to the
notice. This notice solicits comments on
the information collection requirements
relating to an extension with no changes
of a currently approved collection of the
Title III and VII State Program Report.
DATES: Submit written or electronic
comments on the collection of
information by July 5, 2016.
ADDRESSES: Submit electronic
comments on the collection of
information to: Elena.Fazio@
acl.hhs.gov.
Submit written comments on the
collection of information to: U.S.
Department of Health and Human
Services: Administration for
Community Living, Washington, DC
20201, Attention: Elena Fazio.
FOR FURTHER INFORMATION CONTACT:
Elena Fazio by telephone: (202) 795–
7343 or by email: Elena.Fazio@
acl.hhs.gov.
Under the
PRA (44 U.S.C. 3501–3520), Federal
agencies must obtain approval from the
Office of Management and Budget
(OMB) for each collection of
SUPPLEMENTARY INFORMATION:
E:\FR\FM\03MYN1.SGM
03MYN1
]]>Agencies
[Federal Register Volume 81, Number 85 (Tuesday, May 3, 2016)]
[Notices]
[Pages 26566-26569]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-10253]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
Privacy Act of 1974; Report of New System of Records
AGENCY: Department of Health and Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of New System of Records (SOR).
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, we are proposing to establish a new SOR titled, ``CMS Risk
Adjustment Data Validation System (RAD-V),'' System No. 09-70-0511.
Under Sec. 1343 of the Patient Protection and Affordable Care Act
(Pub. L. 111-148) as amended by the Health Care and Education
Reconciliation Act of 2010 (Pub. L. 111-152), (hereinafter, the ACA),
and the implementing regulations at 45 CFR part 153, data collected and
maintained in this system will be used to support the audit functions
of the risk adjustment
[[Page 26567]]
program, including validation activities under the risk adjustment data
validation program.
The goal of the risk adjustment program is to provide payments to
non-grandfathered health insurance issuers in the individual and small
group markets that attract higher-risk populations, including a
validation program to ensure the reliability of data used as a basis
for risk adjustment payments and charges. Non-grandfathered plans are
health plans that came into existence after March 23, 2010. Insurers
offering these plans were required to modify them to follow the ACA
rules as of January 1, 2014.
The RAD-V system will contain personally identifiable information
(PII) about individuals who are current or former enrollees in non-
grandfathered health plans, including information obtained through the
risk adjustment data validation process to establish the relative
deviation from the average. The program and the system of record are
more thoroughly described in the SUPPLEMENTARY INFORMATION section and
System of Records Notice below.
At this time, the only personally identifiable information that
will be collected under this System will be through the RAD-V, part of
the risk adjustment program.
DATES: This action will be effective without further notice 30 days
after publication in the Federal Register or 40 days after providing a
report of this Notice to the Office of Management and Budget and
Congress, whichever is later. Written comments should be submitted
within 30 days of publication in the Federal Register. HHS may publish
an amended system of records notice (SORN) in light of any comments
received.
ADDRESSES: Written comments can be sent to: CMS Privacy Act Officer,
Division of Security, Privacy Policy & Governance, Information Security
& Privacy Group, Office of Enterprise Information, CMS, 7500 Security
Boulevard, Baltimore, MD 21244-1870, Mailstop: N1-24-08, or by E-Mail
to: walter.stone@cms.hhs.gov. Comments received will be available for
review at this location, by appointment, during regular business hours,
Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time zone.
FOR INFORMATION CONTACT: Catherine Anderson, RAD-V Mailbox
Coordinator, Division of Risk Adjustment Operations, CCIIO, CMS, 7500
Security Boulevard, Baltimore, Maryland 21244. The email address is
CCIIOACARADataValidation@cms.hhs.gov.
SUPPLEMENTARY INFORMATION: Section 1343(b) of the ACA requires the
Secretary to establish criteria and methods to carry out a risk
adjustment program. Section 1321(a)(1)(C) of the ACA directs the
Secretary to issue regulations and set standards to establish the risk
adjustment program. Consistent with Sec. 1321(c)(1) of the ACA, 45 CFR
153.310(a) provides that HHS will operate risk adjustment where a State
does not elect to administer the risk adjustment program. The primary
goals of the risk adjustment program are to assist health plans that
provide coverage to individuals with higher health care costs and will
help ensure that those who are sick have access to the coverage they
need. The ACA's risk adjustment program also serves to level the
playing field inside and outside of the individual and small group
markets in each state by stabilizing premiums.
Under 45 CFR 153.620(b), issuers of risk adjustment covered plans
must maintain documents and records to enable such evaluation, and must
make such records available to HHS upon request for purposes of
verification, investigation, audit or other review. As part of the risk
adjustment data validation program, HHS may audit an issuer of a risk
adjustment covered plan to assess its compliance with the risk
adjustment requirements.
The state, or HHS on behalf of the state, must ensure proper
validation of a statistically valid sample of risk adjustment data from
each issuer that offers at least one risk adjustment covered plan in
that state, as well as an administrative process to appeal findings
from the risk adjustment data validation process. When HHS is
conducting the risk adjustment data validation program, 45 CFR
153.620(a) and 153.630(a), requires issuers of risk adjustment covered
plans to comply with any request for data for any audit or validation
preformed, including relevant source enrollment documentation, all
claims and encounter data, and medical record documentation.
Existing information privacy and security standards, such as
standards under HIPAA and those detailed at 45 CFR 153.630(f)(2), which
governs the risk adjustment data validation program, will apply to
issuers and their initial validation auditors. In order to minimize the
amount of individually identifiable information collected, CMS will use
the smallest possible sample size that will provide a statistically
valid sample, in accordance with the regulations at 45 CFR 153.350(a).
The Privacy Act
The Privacy Act governs the collection, maintenance, use, and
dissemination of certain information about individuals by agencies of
the federal government. A system of records is a group of any records
under the control of a federal agency from which information about
individuals is retrieved by name or other personal identifier. The
Privacy Act requires each agency to publish notice in the Federal
Register of the existence and character of each system of records that
the agency maintains, including the name and location of the system;
the categories of individuals whom records are maintained; the
categories, routine uses, and sources of the records; the agencies
policies and practices regarding storage retrieval, access controls,
and retention and disposal of the records; and the title and business
address of the agency official to contact with notification, access,
and amendment requests.
SYSTEM NUMBER:
09-70-0511.
SYSTEM NAME:
Risk Adjustment Data Validation System (RAD-V), HHS/CMS/CCIIO.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The RAD-V will be physically located at the CMS Data Center, 7500
Security Boulevard, North Building, First Floor, Baltimore, MD 21244-
1850, and at various contractor sites.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The system will contain information about individuals currently or
previously enrolled in a risk adjustment covered plan as defined at 45
CFR 153.20, and individual providers of medical or health care
services.
CATEGORIES OF RECORDS IN THE SYSTEM:
CMS will collect demographic, geographic, medical and/or health
care information, date of birth, gender, dates of service about
individuals that are currently and previously enrolled in risk
adjustment covered plans. In addition, CMS will collect identifiable
information about individual health care providers, including but not
limited to name, ITIN or EIN, and NPI numbers.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for the maintenance of the RAD-V is given under the
provisions of Sec. Sec. 1321 and 1343 of the Patient
[[Page 26568]]
Protection and Affordable Care Act (Pub. L. 111-148) as amended by the
Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152),
and the Regulations at 45 CFR 153.350, 153.620, 153.630.
PURPOSE(S) OF THE SYSTEM:
The primary purpose of this system is to collect and maintain
necessary to support the audit functions of the risk adjustment
programs, including validation activities under the risk adjustment
data validation system (RAD-V).
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OR USERS AND THE PURPOSES OF SUCH USES:
A. Entities Who May Receive Disclosures under Routine Uses Records
about an individual may be disclosed from this system of records to the
following parties outside the agency, without the individual's consent,
for these purposes:
1. To CMS contractors who have been engaged by the agency to assist
in the performance of a service related to this collection and who need
to have access to the records in order to perform the activity.
2. To a health insurance issuer participating in the risk
adjustment data validation program or any agent, contractor, sub-
contractor or entity of that health insurance issuer that has entered
into an agreement or contract with the issuer to assist in compliance
with the risk adjustment data validation program.
3. The Department of Justice (DOJ), a court or an adjudicatory body
when: a. The agency or any component thereof, or b. Any employee of the
agency in his/her official capacity, or c. Any employee of the agency
in his/her individual capacity where the DOJ has agreed to represent
the employee, or d. The United States Government is a party to
litigation or has an interest in such litigation, and by careful
review, CMS determines that the records are both relevant and necessary
to the litigation and that the use of such records by the DOJ, a court
or an adjudicatory body is compatible for the purpose for which the
agency collected the records.
4. To a CMS contractor that assists in the administration of a CMS
administered health benefits program, when disclosure is deemed
reasonably necessary by CMS, to prevent, deter, discover, detect,
investigate, examine, prosecute, sue with respect to, defend against,
correct, remedy, or otherwise combat fraud or abuse in such program.
5. To another Federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any State or local governmental agency), that
administers, or that has the authority to investigate, potential fraud
in the health benefits program funded in whole or in part by Federal
funds, when disclosure is deemed reasonably necessary by CMS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud or abuse in such program.
6. To appropriate federal agencies and Department contractors that
have a need to know the information for the purpose of assisting the
Department's efforts to respond to a suspected or confirmed breach of
the security or confidentiality of information maintained in this
system of records, if the information disclosed is relevant to and
necessary for that assistance; and information from this system may
become available to U.S. Department of Homeland Security (DHS) cyber
security personnel if captured in an intrusion detection system used by
HHS and DHS pursuant to a DHS cyber security program that monitors
internet traffic to and from federal government computer networks to
prevent a variety of types of cybersecurity incidents.
Records may also be disclosed to parties outside the agency,
without the individual's consent, for any of the purposes authorized
directly in the Privacy Act at 5 U.S.C Sec. 552(a)(b)(1), (2) and
(b)(4)-(b)(12).
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM
STORAGE:
Archived records for the risk adjustment data validation program
will be stored in electronic form in the HHS-RADV Audit Tool maintained
in the Acumen Web Portal.
RETRIEVABILITY:
The data collected is retrieved by the name of an individual, or by
some other identifying number, symbol, or other identifying particular
assigned to an individual.
SAFEGUARDS:
CMS has safeguards in place for authorized users and monitors such
users to ensure against excessive or unauthorized use. Personnel having
access to the RAD-V have been trained in the Privacy Act information
privacy and security requirements. Employees who maintain records in
this system are instructed not to release data unless the intended
recipient agrees to implement appropriate physical, technical, and
administrative safeguards sufficient to protect the confidentiality,
integrity and availability of the information and information systems,
and to prevent unauthorized access.
This system will conform to all applicable Federal laws and
regulation and Federal, HHS and CMS policies and standards as they
relate to information security and data privacy. These laws and
regulation mat apply but are not limited to: the Privacy Act of 1974;
the Federal Information Security Act of 2002; the Computer Fraud and
Abuse Act of 1986; the Health Insurance Portability and Accountability
Act of 1996; the e-Government Act of 2002; the Clinger-Cohen Act of
1996; the Medicare Modernization Act of 2003, and their corresponding
implementing regulations. OMB Circular A-130, Management of Federal
Resources, Appendix III Security of Federal Automated Information
Resources also applies, as well as Federal, HHS, and CMS information
system security and privacy policies.
RETENTION AND DISPOSAL:
Records will be maintained until they become inactive, at which
time they will be retired or destroyed in accordance with published
records schedules of CMS, as approved by the National Archives and
Records Administration, and following the guidelines in National
Institutes of Science and Technology (NIST) Special Publication 800-88,
Guidelines for Media Sanitation. Enrollee claims records subject to a
document preservation order will be preserved consistent with the terms
of the court's order.
SYSTEM MANAGER AND ADDRESS:
Director, Division of Risk Adjustment Operations, Payment Policy &
Financial Management Group, CCIIO, CMS, 7500 Security Boulevard,
Baltimore, MD 21244.
NOTIFICATION PROCEDURE:
Individuals wishing to know if this system contains records about
them should write to the System Manager and include pertinent
personally identifiable information (which CMS recommends be encrypted
and properly transmitted) to be used for retrieval of their records.
RECORD ACCESS PROCEDURE:
Individuals seeking access to records about them in this system
should follow the same instructions indicated under ``Notification
Procedure'' and reasonably specify the record content being sought.
(These procedures are in accordance with HHS regulations at 45 CFR
5b.5(a)(2).)
[[Page 26569]]
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest the content of information about
them in this system should follow the same instructions indicated under
``Notification Procedure.'' The request should: Reasonably identify the
record and specify the information being contested; state the
corrective action sought; and provide the reasons for the correction,
with supporting justification. (These procedures are in accordance with
HHS regulations at 45 CFR 5b.7.)
RECORD SOURCE CATEGORIES:
The RAD-V will contain individually identifiable enrollment and
demographic information, claims and encounter information and
enrollees' medical records provided by issuers of risk adjustment
covered plans. The issuers will provide the information as requested by
CMS or a contractor on CMS' behalf.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
Dated: April 26, 2016.
Emery Csulak,
CMS Senior Official for Privacy, Centers for Medicare & Medicaid
Services.
[FR Doc. 2016-10253 Filed 5-2-16; 8:45 am]
BILLING CODE 4120-03-P
