Privacy Act of 1974; Report of a Modified or Altered System of Records, 30943-30949 [E8-11949]

Agencies

• Centers for Medicare & Medicaid Services
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 73, Number 104 (Thursday, May 29, 2008)]
[Notices]
[Pages 30943-30949]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-11949]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of a Modified or Altered System of 
Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice of a modified or altered system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 and section 1106 of the Social 
Security Act (the Act) explain when and how CMS may use and disclose 
the personal data of people with Medicare. The Medicare Prescription 
Drug, Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-
173) added requirements for releasing and using personal data. To meet 
these additional requirements, CMS proposes to modify the existing 
system of records (SOR) titled ``Medicare Drug Data Processing System 
(DDPS),'' System No. 09-70-0553, established at 70 FR 58436 (October 6, 
2005). Under this modification we are clarifying the statutory 
authorities for which these data are collected and disclosed. The 
original SOR notice cited the statutory section governing CMS's payment 
of Part D plan sponsors (Social Security Act Sec.  1860D-15) that 
limits the uses of the data collected to purposes related to plan 
payment and oversight of plan payment. However, the broad authority of 
Sec.  1860D-12(b)(3)(D) authorizes CMS to collect, use and disclose 
Part D data for broader purposes related to CMS's responsibilities for 
program administration and research. Furthermore the authority under 
Sec.  1106 of the Act allows the Secretary to use and disclose data 
pursuant to a regulation, which in this case would be 42 CFR 423.505. 
CMS has published a final rule in order to clarify our statutory 
authority and explain how we propose to implement the broad authority 
of Sec.  1860D-12(b)(3)(D) and 1106 of the Act. This SOR is being 
revised to reflect our intended use of this broader statutory 
authority.
    In addition to updating this SOR to reflect our broader statutory 
authority, CMS proposes to make the following modifications to the DDPS 
system:
     Revise published routine use number 1 to include CMS 
grantees that perform a task for the agency.
     Add a new routine use number 2 to allow the use and 
disclosure of information to other Federal and state agencies for 
accurate payment of

[[Page 30944]]

Medicare benefits; to fulfill a requirement or allowance of a Federal 
statute or regulation that implements a health benefits program funded 
in whole or in part with Federal funds; and to help Federal/state 
Medicaid programs that may need information from this system.
     Broaden the scope of routine use number 4 to allow the use 
and disclosure of specified data as described in CMS's Part D data 
final rule, 42 CFR 423.505(m) to other government agencies, States or 
external organizations, in accordance with the minimum data necessary 
policy and Federal law.
     Delete published routine use number 5 which authorizes 
disclosure to support constituent requests made to a congressional 
representative.
     Broaden the scope of routine use number 7 and 8, to 
include combating ``waste,'' in addition to fraud and abuse that result 
in unnecessary cost to federally-funded health benefit programs.
     Revise language regarding routine uses disclosures to 
explain the purpose of the routine use and make clear CMS's intention 
to use and disclose personal information contained in this system.
     Reorder and prioritize the routine uses.
     Update any sections of the system affected by the 
reorganization or revision of routine uses because of MMA provisions or 
regulations promulgated based on MMA provisions.
     Update language in the administrative sections to be 
consistent with language used in other CMS SORs.
    The primary purpose of this system is to collect, maintain, and 
process information on all Medicare covered, and as many non-covered 
drug events as possible, for people with Medicare who have enrolled 
into a Medicare Part D plan. The system helps CMS determine appropriate 
payment of covered drugs. It will also provide for processing, storing, 
and maintaining drug transaction data in a large-scale database, while 
putting data into data marts to support payment analysis. CMS would 
allow the expanded use and disclosure of information in this system to: 
(1) Support regulatory, analysis, oversight, reimbursement, 
operational, and policy functions performed within the agency or by a 
contractor, consultant, or a CMS grantee; (2) support another Federal 
and/or state agency, agency of a state government, an agency 
established by state law, or its fiscal agent; (3) assist Medicare Part 
D sponsors; (4) support an individual or organization with projects 
that provide transparency in health care on a broad-scale enabling 
consumers to compare the quality and price of health care services for 
a research, evaluation, or epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, the restoration or maintenance of health, or for payment 
related purposes; (5) assist Quality Improvement Organizations; (6) 
support lawsuits involving the agency; and (7) combat fraud, waste, and 
abuse in certain Federally funded health benefits programs.

DATES: Effective Dates: CMS filed a modified or altered system report 
with the Chair of the House Committee on Government Reform and 
Oversight, the Chair of the Senate Committee on Homeland Security & 
Governmental Affairs, and the Administrator, Office of Information and 
Regulatory Affairs, Office of Management and Budget (OMB) on May 22, 
2008. To ensure that all parties have adequate time in which to 
comment, the modified system, including routine uses, will become 
effective 30 days from the publication of the notice, or 40 days from 
the date it was submitted to OMB and Congress, whichever is later, 
unless CMS receives comments that require alterations to this notice.

ADDRESSES: The public should send comments to: CMS Privacy Officer, 
Division of Privacy Compliance, Enterprise Architecture and Strategy 
Group, Office of Information Services, CMS, Mail stop N2-04-27, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850. Comments received 
will be available for review at this location, by appointment, during 
regular business hours, Monday through Friday from 9 a.m.-3 p.m., 
Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: Alissa Deboy, Director, Division of 
Drug Plan Policy & Analysis, Medicare Drug Benefit Group, Centers for 
Beneficiary Choices, CMS, Room C1-26-26, 7500 Security Boulevard, 
Baltimore, Maryland 21244-1850. The telephone number is 410-786-6041 or 
e-mail at Alissa.Deboy@cms.hhs.gov.

SUPPLEMENTARY INFORMATION: In December 2003, Congress added Part D 
under Title XVIII when it passed the Medicare Prescription Drug, 
Improvement, and Modernization Act. The Act allows Medicare to pay 
plans to provide Part D prescription drug coverage as described in 
Title 42, Code of Federal Regulations (CFR) Sec.  423.301. The Act 
allows Medicare to pay Part D sponsors in one of four ways: 1. Direct 
subsidies; 2. Premium and cost-sharing subsidies for qualifying low-
income individuals (low-income subsidy); 3. Federal reinsurance 
subsidies; and 4. Risk-sharing. Throughout this notice, the term 
``sponsor'' means all entities that provide Part D prescription drug 
coverage and submit claims data to CMS for payment calculations.
    As a condition of payment, all Part D sponsors must submit data and 
information necessary for CMS to carry out payment provisions (Sec.  
1860D-15(c)(1)(C) and (d)(2) of the Act, and 42 CFR 423.322). In 
addition, these data may be disclosed to other entities, pursuant to 
Sec.  1860D-12(b)(3)(D) and 42 CFR 423.505(b)(8) and (f), (l), and (m)) 
for the purposes described in the routine uses described in this SOR 
notice. Furthermore, this data may be disclosed pursuant to Sec.  1106 
of the Act.
    This notice explains how CMS would collect data elements on Part D 
prescription drug events (PDE data, also called ``claims'' data) 
according to the statute. Data elements such as beneficiary, plan, 
pharmacy and prescriber identifiers would be used to validate claims 
and meet other legislative requirements or initiatives such as quality 
monitoring, program integrity, and payment oversight. In addition, the 
original 37 data elements submitted as part of the prescription drug 
event data would be used for other purposes as allowed by Sec.  1860D-
12 and its implementing regulations.
    In addition, summary prescription drug claim information based on 
the original 37 elements maintained in this system will be used to (1) 
generate reports to Congress and the public on overall statistics 
associated with the operation of the Medicare prescription drug 
program; (2) conduct evaluations of the overall Medicare program; (3) 
make legislative proposals to the Congress regarding Federal health 
care programs; (4) conduct demonstration and pilot projects and make 
recommendations for improving the economy, efficiency or effectiveness 
of the Medicare program; (5) support care coordination and disease 
management programs; (6) support quality improvement, performance 
measurement, and public reporting activities; (7) populate personal 
health care records; and (8) as otherwise permitted under 42 CFR 
423.505.
    In addition to the individually identifiable information identified 
in section I. B. (Data in the System) below, we will maintain the 
following data elements, which may be used under the authority of 
sections 1860D-12 and D-15 as noted above: Identification of pharmacy 
where the prescription was filled; indication of whether drug was 
compounded or mixed; indication of prescriber instruction regarding

[[Page 30945]]

substitution of generic equivalents or order to ``dispense as 
written;'' quantity dispensed (for example, number of tablets, grams, 
milliliters, or other unit); days supply; fill number; dispensing 
status and whether the full quantity is dispensed at one time, or the 
quantity is partially filled; identification of coverage status, such 
as whether the product dispensed is covered under the plan benefit 
package or under Part D or both. This code also identifies whether the 
drug is being covered as part of a Part D supplemental benefit; 
indication of whether unique pricing rules apply, for example because 
of an out-of-network or Medicare as Secondary Payer services; 
indication of whether the beneficiary has reached the annual out-of-
pocket threshold, which triggers reduced beneficiary cost-sharing and 
the reinsurance subsidy; ingredient cost of the product dispensed; 
dispensing fee paid to pharmacy; sales tax; for covered Part D drugs, 
the amount of gross drug costs that are both below and above the annual 
out-of-pocket threshold; amount paid by patient and not reimbursed by a 
third party (such as co-payments, coinsurance, or deductibles); amount 
of third party payment that would count toward a beneficiary's true 
out-of-pocket (TrOOP) costs in meeting the annual out-of-pocket 
threshold, such as payments on behalf of a beneficiary by a qualifying 
State Pharmacy Assistance Program (SPAP); low-income cost-sharing 
subsidy amount (if any); and reduction in patient liability due to non-
TrOOP-eligible payers paying on behalf of the beneficiary (which would 
exclude payers whose payments count toward a beneficiary's true out of 
pocket costs, such as SPAPs amounts paid by the plan for basic 
prescription drug coverage and amounts paid by plan for benefits beyond 
basic prescription drug coverage).

I. Description of the Modified System of Records

A. Statutory and Regulatory Basis for System

    This system is mandated and authorized under provisions of the 
Medicare Prescription Drug, Improvement, and Modernization Act, 
amending the Social Security Act by adding Part D under Title XVIII 
(Sec. Sec.  1860D-15(c)(1)(C) and (d)(2), as described in Title 42, 
Code of Federal Regulations (CFR) 423.301 et.seq. as well as1860D-
12(b)(3)(D) and 1106 of the Act, as described in 42 CFR 423.505(b)(8) 
and (f),(l), and (m).

B. Data in the System

    This system collects and maintains individually identifiable 
information on Medicare beneficiaries who have enrolled in a Medicare 
Part D plan and individually identifiable data on prescribing health 
care professionals and referring/servicing pharmacies. The data 
includes, but is not limited to, summary prescription drug claim data 
and individually identifiable beneficiary information such as: health 
insurance claim number, card holder identification number, date of 
service, gender, other identifying data, and optionally, the patient's 
date of birth. Identifying information of prescribing health care 
providers include the prescriber identification number and qualifier 
and the pharmacy service provider ID and qualifier.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

    A. Below are CMS' policies and procedures for giving out 
individually identifiable information maintained in the system. CMS 
would only use and disclose the minimum data necessary to achieve the 
purpose of the DDPS if the following requirements are met:
    1. The information or use of the information is consistent with the 
reason that the data is being collected;
    2. The individually identifiable information is necessary to 
complete the project (taking into account the risk to the privacy of 
the individual);
    3. The organization receiving the information establishes 
administrative, technical, and physical protections to prevent 
unauthorized use of the information;
    4. The organization removes or destroys the information that allows 
the individual to be identified at the earliest time;
    5. The organization generally agrees to not use or disclose the 
information for any purpose other than the stated purpose under which 
the information was disclosed; and
    6. The data are valid and reliable.
    The Privacy Act allows CMS to give out identifiable and non-
identifiable information for routine uses without an individual's 
consent/authorization. The identifiable data described in this notice 
is listed under Section I. B. above.

III. Routine Uses of Data

    A. In addition to those entities specified in the Privacy Act of 
1974, CMS may use and disclose information from the DDPS without the 
consent of the individual for routine uses pursuant to sections 1860D-
15 and 1860D-12(b)(3)(D) of the Social Security Act . Below are the 
modified routine uses for releasing information without individual 
consent that CMS would add or modify in the DDPS.
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this SOR and who need to have 
access to the records in order to assist CMS.
    We contemplate disclosing information under this routine use only 
in situations in which CMS may enter into a contractual or similar 
agreement with a third party to assist in accomplishing a CMS function 
relating to purposes for this SOR.
    CMS occasionally contracts out or makes other arrangements for 
certain functions when doing so would contribute to effective and 
efficient operations. CMS must be able to give a contractor, 
consultant, or CMS grantee whatever information is necessary for the 
contractor, consultant, or grantee to fulfill its duties. In these 
situations, safeguards are provided in the contract/similar agreement 
prohibiting the contractor, consultant, or grantee from using or 
disclosing the information for any purpose other than that described in 
the contract/similar agreement and requires the contractor, consultant, 
or grantee to destroy all information at the completion of the contract 
or similar agreement.
    2. To assist another Federal or state agency, agency of a state 
government, an agency established by state law, or its fiscal agent to:
    a. Contribute to the accuracy of CMS' payment of Medicare benefits,
    b. Administer a Federal health benefits program or fulfill a 
Federal statute or regulatory requirement or allowance that implements 
a health benefits program funded in whole or in part with Federal 
funds,
    c. Access data required for Federal/state Medicaid programs, or
    Other Federal or state agencies in their administration of a 
Federal health program may require DDPS information in order to support 
evaluations and monitoring of Medicare claims information of 
beneficiaries, including proper reimbursement for services provided.
    In addition, disclosure under this routine use may be used by state 
agencies pursuant to agreements with the HHS for determining Medicare 
or Medicaid eligibility, for determining eligibility of recipients of 
assistance under titles IV, XVIII, and XIX of the Act, and for the 
administration and operation of the Medicare and Medicaid programs 
including quality

[[Page 30946]]

improvement and care coordination. Data will be disclosed to the state 
only on those individuals who are or were patients under the services 
of a program within the state or who are residents of that state.
    3. To support Part D Sponsors, pharmacy benefit managers, claims 
processors, and other Prescription Drug Event submitters, in protecting 
their own members (and former members for the periods enrolled in a 
given plan) against medical expenses of their enrollees without the 
beneficiary's authorization, and having knowledge of the occurrence of 
any event affecting (a) an individual's right to any such benefit or 
payment, or (b) the initial right to any such benefit or payment, for 
the purpose of coordination of benefits with the Medicare program and 
implementation of the Medicare Secondary Payer provision at 42 U.S.C. 
1395y (b). Information to be disclosed shall be limited to Medicare 
utilization data necessary to perform that specific function. In order 
to receive the information, they must agree to:
    a. Certify that the individual about whom the information is being 
provided is one of its insured or employees, or is insured and/or 
employed by another entity for whom they serve as a Third Party 
Administrator;
    b. Utilize the information solely for the purpose of processing the 
individual's insurance claims; and
    c. Safeguard the confidentiality of the data and prevent 
unauthorized access.
    Other insurers may need data in order to support evaluations and 
monitoring of Medicare claims information, including proper 
reimbursement for services.
    4. To assist an individual or organization with research, an 
evaluation, or an epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, restoration or maintenance of health, or for payment 
related purposes. This includes projects that provide transparency in 
health care on a broad-scale enabling consumers to compare the quality 
and price of health care services. CMS must:
    a. Determine if the use or disclosure of data violate legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determine that the purpose for the use or disclosure of 
information:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form,
    (2) Is of sufficient importance to warrant the effect or risk on 
the privacy of the individual, and
    (3) Meets the objectives of the project;
    c. Requires the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
protections to prevent unauthorized use or disclosure of information,
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project, unless the 
recipient presents an adequate justification for retaining such 
information, and
    (3) No longer use or disclose information except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use in another research project, under these same 
conditions and with written CMS approval;
    (c) For an audit related to the research;
    (d) For disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit; or
    (e) When required by Federal law.
    d. Get signed, written statements from the entity receiving the 
information that they understand and will follow all provisions in this 
notice.
    e. Complete and submit a Data Use Agreement (CMS Form 0235) in 
accordance with current CMS policies.
    CMS anticipates that there will be many legitimate requests to use 
these data in projects that could ultimately improve the care provided 
to Medicare beneficiaries and the policy that governs the care.
    5. To support Quality Improvement Organizations (QIO) in the claims 
review process, or with studies or other review activities performed in 
accordance with Part B of Title XI of the Act. QIOs can also use the 
data for outreach activities to establish and maintain entitlement to 
Medicare benefits or health insurance plans.
    QIOs will work to implement quality improvement and performance 
measurement programs, provide consultation to CMS, its contractors, and 
to state agencies. QIOs will assist the state agencies in related 
monitoring and enforcement efforts, assist CMS and intermediaries in 
program integrity assessment, and prepare summary information for 
disclosure to CMS.
    6. To assist the Department of Justice (DOJ), court, or 
adjudicatory body when there is a lawsuit in which the Agency, any 
employee of the Agency in his or her official capacity or individual 
capacity (if the DOJ agrees to represent the employee), or the United 
States Government is a party or CMS' policies or operations could be 
affected by the outcome. The information must be both relevant and 
necessary to the lawsuit, and the use of the records is for a purpose 
that is compatible with the purpose for which CMS collected the 
records.
    Whenever CMS is involved in litigation, or occasionally when 
another party is involved in litigation and CMS' policies or operations 
could be affected by the outcome of the litigation, CMS would be able 
to disclose information to the DOJ, court, or adjudicatory body 
involved.
    7. To support a CMS contractor that assists in the administration 
of a CMS health benefits program or a grantee of a CMS-administered 
grant program if the information is necessary, in any capacity, to 
combat fraud, waste, or abuse in such program. CMS will only provide 
this information if CMS can enter into a contract or grant for this 
purpose.
    CMS must be able to give a contractor or CMS grantee necessary 
information in order to complete their contractual responsibilities. In 
these situations, protections are provided in the contract prohibiting 
the contractor or grantee from using or releasing the information for 
any purpose other than that described in the contract. It also requires 
the contractor or grantee to return or destroy all information when the 
contract ends.
    8. To support another Federal agency or any United States 
government jurisdiction (including any state or local governmental 
agency) if the information is necessary, in any capacity, to combat 
fraud, waste, or abuse in a health benefits program that is funded in 
whole or in part by Federal funds.
    Other agencies may require DDPS information for the purpose of 
combating fraud, waste, or abuse in such federally-funded programs.

B. Additional Circumstances Affecting Routine Use Disclosures

    To the extent this system contains Protected Health Information 
(PHI) as defined by HHS regulation ``Standards for Privacy of 
Individually Identifiable Health Information'' (45 CFR Parts 160 and 
164, Subparts A and E) 65 FR 82462 (December 28, 2000), use and 
disclosure of information that are otherwise allowed by these routine 
uses may only be made if, and as, permitted or required by the 
``Standards for Privacy

[[Page 30947]]

of Individually Identifiable Health Information.'' (See 45 CFR 
164.512(a)(1).)
    In addition, CMS will not give out information that is not directly 
identifiable if there is a possibility that a person with Medicare 
could be identified because the sample is small enough to identify 
participants. CMS would make exceptions if the information is needed 
for one of the routine uses or if it's required by law.

IV. Safeguards and Protections

    CMS has protections in place for authorized users to make sure they 
are properly using the data and there is no unauthorized use. Personnel 
having access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system cannot use or disclose data until the recipient agrees to 
implement appropriate management, operational and technical safeguards 
that will protect the confidentiality, integrity, and availability of 
the information and information systems.
    This system would follow all applicable Federal laws and 
regulations, and Federal, HHS, and CMS security and data privacy 
policies and standards. These laws and regulations include but are not 
limited to: the Privacy Act of 1974; the Federal Information Security 
Management Act of 2002 (when applicable); the Computer Fraud and Abuse 
Act of 1986; the Health Insurance Portability and Accountability Act of 
1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the 
Medicare Modernization Act of 2003, and the corresponding implementing 
regulations. OMB Circular A-130, Management of Federal Resources, 
Appendix III, Security of Federal Automated Information Resources also 
applies. Federal, HHS, and CMS policies and standards include but are 
not limited to all pertinent National Institute of Standards and 
Technology publications, the HHS Information Systems Program Handbook, 
and the CMS Information Security Handbook.

V. Effects on Individual Rights

    CMS does not anticipate a negative effect on individual privacy as 
a result of giving out personal information from this system. CMS 
established this system in accordance with the principles and 
requirements of the Privacy Act and would collect, use, and disclose 
information that follow these requirements. CMS would only give out the 
minimum amount of personal data to achieve the purpose of the system. 
Use and disclosure of information from the system will be approved only 
to the extent necessary to accomplish the purpose of releasing the 
data. CMS has assigned a higher level of security clearance for the 
information maintained in this system in an effort to provide added 
security and protection of individuals' personal information and, if 
feasible, ask that once the information is no longer needed that it be 
returned or destroyed.
    CMS would take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy, or other personal or property rights. CMS would collect only 
information necessary to perform the system's functions. In addition, 
CMS would only give out information if the individual, or his or her 
legal representative has given approval, or if allowed by one of the 
exceptions noted in the Privacy Act.

    Dated: May 22, 2008.
Charlene Frizzera,
Chief Operating Officer, Centers for Medicare & Medicaid Services.
SYSTEM NO.
    09-70-0553.

SYSTEM NAME:
    Medicare Drug Data Processing System (DDPS), HHS/CMS/CBC.

SECURITY CLASSIFICATION:
    Level Three Privacy Act Sensitive.

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850 and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    This system collects and maintains individually identifiable 
information on all people with Medicare who have enrolled into a 
Medicare Part D plan and individually identifiable data on prescribing 
health care professional, referring/servicing physician, and providers.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The data includes, but is not limited to, summary prescription drug 
claim data and individually identifiable beneficiary information such 
as: Beneficiary name, address, city, state, ZIP code, card holder 
identification number, date of service, gender, demographic, other 
identifying data, and optionally, the patient's date of birth. 
Identifying information of prescribing health care professional and 
providers of services and referring/servicing physician include 
provider/physician name, title, address, city, state, ZIP code, e-mail 
address, telephone numbers, fax number, state licensure number, Social 
Security Numbers, Federal tax identification numbers, prescriber 
identification number, assigned provider number (facility, referring/
servicing physician), Drug Enforcement Agency (DEA) assigned 
identification number, and numerous other data elements related to the 
processing of the prescription drug claim.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    This system is mandated under provisions of the Medicare 
Prescription Drug, Improvement, and Modernization Act, amending the 
Social Security Act by adding Part D under Title XVIII (Sec. Sec.  
1860D-15(c)(1)(C) and (d)(2)), as described in Title 42, Code of 
Federal Regulations (CFR) 423.301 et seq. as well as1860D-12(b)(3)(D) 
and 1106 of the Act, as described in 42 CFR 423.505(b)(8), (f), (l), 
and (m).

PURPOSE(S) OF THE SYSTEM:
    The primary purpose of this system is to collect, maintain, and 
process information on all Medicare covered, and as many non-covered 
drug events as possible, for people with Medicare who have enrolled 
into a Medicare Part D plan. The system will help CMS determine 
appropriate payment of covered drugs. It will also provide for 
processing, storing, and maintaining drug transaction data in a large-
scale database, while putting data into data marts to support payment 
analysis. CMS would allow the expanded release of information in this 
system to: (1) Support regulatory, analysis, oversight, reimbursement, 
operational and policy functions performed within the agency or by a 
contractor, consultant, or a CMS grantee; (2) help another Federal and/
or state agency, agency of a state government, an agency established by 
state law, or its fiscal agent; (3) assist Medicare Part D sponsors; 
(4) support an individual or organization with projects that provide 
transparency in health care on a broad-scale enabling consumers to 
compare the quality and price of health care services or for a 
research, evaluation, or epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, the restoration or maintenance of health, or for payment 
related purposes; (5) assist Quality Improvement Organizations; (6) 
support lawsuits involving the agency; and (7) combat fraud, waste, and 
abuse in certain Federally funded health benefits programs.

[[Page 30948]]

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
A. Entities Who May Receive Disclosures Under Routine Use:
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may use 
and disclose information from the DDPS without the consent of the 
individual to whom such information pertains. Each proposed disclosure 
of information under these routine uses will be evaluated to ensure 
that the disclosure is legally permissible, including but not limited 
to ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We propose to 
establish or modify the following routine use disclosures of 
information maintained in the system:
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this SOR and who need to have 
access to the records in order to assist CMS.
    2. To assist another Federal or state agency, agency of a state 
government, an agency established by state law, or its fiscal agent 
pursuant to agreements with CMS to:
    a. Contribute to the accuracy of CMS's payment of Medicare 
benefits;
    b. Administer a Federal health benefits program, or as necessary to 
enable such agency to fulfill a requirement of a Federal statute or 
regulation that implements a health benefits program funded in whole or 
in part with Federal funds; and/or
    c. Access data required for Federal/state Medicaid programs.
    3. To support Part D Prescription Drug sponsors, pharmacy benefit 
managers, claims processors, and other Prescription Drug Event 
submitters, in protecting their own members (and former members for the 
periods enrolled in a given plan) against medical expenses of their 
enrollees without the beneficiary's authorization, and having knowledge 
of the occurrence of any event affecting (a) an individual's right to 
any such benefit or payment, or (b) the initial right to any such 
benefit or payment, for the purpose of coordination of benefits with 
the Medicare program and implementation of the Medicare Secondary Payer 
provision at 42 U.S.C. 1395y(b). Information to be disclosed shall be 
limited to Medicare utilization data necessary to perform that specific 
function. In order to receive the information, they must agree to:
    a. Certify that the individual about whom the information is being 
provided is one of its insured or employees, or is insured and/or 
employed by another entity for whom they serve as a Third Party 
Administrator;
    b. Utilize the information solely for the purpose of processing the 
individual's insurance claims; and
    c. Safeguard the confidentiality of the data and prevent 
unauthorized access.
    4. To assist an individual or organization with research, an 
evaluation, or an epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, restoration or maintenance of health, or for payment 
related purposes. This includes projects that provide transparency in 
health care on a broad-scale enabling consumers to compare the quality 
and price of health care services. CMS must:
    a. Determine if the use or disclosure of data violate legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determine that the purpose for the use or disclosure of 
information:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect or risk on 
the privacy of the individual; and
    (3) Meets the objectives of the project;
    c. Requires the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
protections to prevent unauthorized use or disclosure of information;
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project, unless the 
recipient presents an adequate justification for retaining such 
information; and
    (3) No longer use or disclose information except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use in another research project, under these same 
conditions and with written CMS approval;
    (c) For an audit related to the research;
    (d) For disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit; or
    (e) When required by Federal law.
    d. Get signed, written statements from the entity receiving the 
information that they understand and will follow all provisions in this 
notice.
    e. Complete and submit a Data Use Agreement (CMS Form 0235) in 
accordance with current CMS policies.
    5. To support Quality Improvement Organization (QIO) with claims 
review process or with studies or other review activities performed in 
accordance with Part B of Title XI of the Social Security Act. QIOs can 
also use the data for outreach activities to individuals for the 
purpose of establishing and maintaining their entitlement to Medicare 
benefits or health insurance plans.
    6. To assist the Department of Justice (DOJ), court, or 
adjudicatory body when there is a lawsuit in which the Agency, any 
employee of the Agency in his or her official capacity or individuals 
capacity (if the DOJ agrees to represent the employee), or the United 
States Government is a part of CMS' policies or operations could be 
affected by the outcome. The information must be both relevant and 
necessary to the lawsuit, and the use of records is for a purpose that 
is compatible with the purpose for which CMS collected records.
    7. To support a CMS contractor that assists in the administration 
of a CMS health benefits program, or a grantee of a CMS-administered 
grant program, if the information is necessary, in any capacity, to 
combat fraud, waste, or abuse in such program. CMS will only provide 
this information if CMS can enter into a contract or grant for this 
purpose.
    8. To support another Federal agency or any United States 
government jurisdiction (including any state, or local governmental 
agency), if the information is necessary, in any capacity to combat 
fraud, waste or abuse in a health benefits program funded in whole or 
in part by Federal funds.

B. Additional Circumstances Affecting Routine Use Disclosures:
    To the extent this system contains Protected Health Information 
(PHI) as defined by HHS regulation ``Standards for Privacy of 
Individually Identifiable Health Information'' (45 CFR Parts 160 and 
164, Subparts A and E) 65 FR 82462 (12-28-00) release of information 
that are otherwise allowed by these routine uses may only be made if, 
and as, permitted or required by the ``Standards for Privacy of 
Individually Identifiable Health Information.'' (See 45 CFR 164-512 
(a)(1).)
    In addition, CMS will not give out information that is not directly 
identifiable if there is a possibility that

[[Page 30949]]

a person with Medicare could be identified because the sample is small 
enough to identify participants. CMS would make exceptions if the 
information is needed for one of the routine uses or if it's required 
by law.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored on both tape cartridges (magnetic storage media) 
and in a DB2 relational database management environment (DASD data 
storage media).

RETRIEVABILITY:
    Information is most frequently retrieved by HICN, provider number 
(facility, physician, IDs), service dates, and beneficiary state code.

SAFEGUARDS AND PROTECTIONS:
    CMS has protections in place for authorized users to make sure they 
are properly using the data and there is no unauthorized use. Personnel 
having access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system cannot use or disclose data until the recipient agrees to 
implement appropriate management, operational and technical safeguards 
that will protect the confidentiality, integrity, and availability of 
the information and information systems.
    This system would follow all applicable Federal laws and 
regulations, and Federal, HHS, and CMS security and data privacy 
policies and standards. These laws and regulations include but are not 
limited to: the Privacy Act of 1974; the Federal Information Security 
Management Act of 2002 (when applicable); the Computer Fraud and Abuse 
Act of 1986; the Health Insurance Portability and Accountability Act of 
1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the 
Medicare Modernization Act of 2003, and the corresponding implementing 
regulations. OMB Circular A-130, Management of Federal Resources, 
Appendix III, Security of Federal Automated Information Resources also 
applies. Federal, HHS, and CMS policies and standards include but are 
not limited to all pertinent National Institute of Standards and 
Technology publications, the HHS Information Systems Program Handbook, 
and the CMS Information Security Handbook.

RETENTION AND DISPOSAL:
    Records are maintained with identifiers for all transactions after 
they are entered into the system for a period of 20 years. Records are 
housed in both active and archival files. All claims-related records 
are encompassed by the document preservation order and will be retained 
until notification is received from the Department of Justice.

SYSTEM MANAGER AND ADDRESS:
    Director, Centers for Beneficiary Choices, CMS, Mail stop C5-19-07, 
7500 Security Boulevard, Baltimore, Maryland 21244-1850.

NOTIFICATION PROCEDURE:
    For purpose of notification, the subject individual should write to 
the system manager who will require the system name, and the retrieval 
selection criteria (e.g., HICN, facility/pharmacy number, service 
dates, etc.).

RECORD ACCESS PROCEDURE:
    For purpose of access, use the same procedures outlined in 
Notification Procedures above. Requestors should also reasonably 
specify the record contents being sought. (These procedures are in 
accordance with Department regulation 45 CFR 5b.5 (a)(2).)

CONTESTING RECORD PROCEDURES:
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    Summary prescription drug claim information contained in this 
system is obtained from the Part D Sponsor daily and monthly drug event 
transaction reports, Medicare Beneficiary Database (09-70-0530), and 
other payer information to be provided by the TROOP Facilitator.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. E8-11949 Filed 5-28-08; 8:45 am]
BILLING CODE 4120-03-P