Privacy Act of 1974; Notice of Modified System of Records, 80412-80417 [E8-31146]

Download as PDF 80412 Federal Register / Vol. 73, No. 251 / Wednesday, December 31, 2008 / Notices Prevention and the Agency for Toxic Substances and Disease Registry. request for OMB approval of the proposed information collection. All comments will become a matter of public record. BILLING CODE 4160–90–M BILLING CODE 4163–18–P DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Disease Control and Prevention Centers for Medicare & Medicaid Services Board of Scientific Counselors, National Center for Injury Prevention and Control: Notice of Charter Amendment pwalker on PROD1PC71 with NOTICES Dated: December 17, 2008. Carolyn M. Clancy, Director. [FR Doc. E8–30762 Filed 12–30–08; 8:45 am] Dated: December 17, 2008. Elaine L. Baker, Director, Management Analysis and Services Office, Centers for Disease Control and Prevention. [FR Doc. E8–31111 Filed 12–30–08; 8:45 am] Privacy Act of 1974; Notice of Modified System of Records This gives notice under the Federal Advisory Committee Act (Pub. L. 92– 463) of October 6, 1972, that the statutory requirements of the Advisory Committee for Injury Prevention and Control (ACIPC) have been transferred to the Board of Scientific Counselors, National Center for Injury Prevention and Control (BSC, NCIPC). The ACIPC was established on October 18, 1988, in accordance with Public Law 92–463, as amended (5 U.S.C. App. 2). Section 394(a) of the Public Health Service Act, (42 U.S.C. 280b–2(a)), as amended, directed the Secretary, Department of Health and Human Services, acting through the Director, CDC, to establish an advisory committee to provide advice with respect to the prevention and control of injuries. On October 28, 1994, ACIPC was reestablished under statute. The responsibilities of ACIPC have been assumed by the BSC, NCIPC. By assuming the statutorily mandated responsibilities of ACIPC, the BSC, NCIPC will thereby become a statutorily mandated committee, continuing to serve the purposes set forth by Section 394(a) of the Public Health Service Act. For information, contact Gwendolyn Cattledge, Ph.D., Executive Secretary, Board of Scientific Counselors, National Center for Injury Prevention and Control, Centers for Disease Control and Prevention, Department of Health and Human Services, 4770 Buford Highway, Mailstop K02, Atlanta, Georgia 30341, telephone (770) 488–4655 or fax (770) 488–4422. The Director, Management Analysis and Services Office, has been delegated the authority to sign Federal Register notices pertaining to announcements of meetings and other committee management activities, for both the Centers for Disease Control and VerDate Aug<31>2005 17:41 Dec 30, 2008 Jkt 217001 AGENCY: Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS). ACTION: Notice of a Modified System of Records. SUMMARY: In accordance with the requirements of the Privacy Act of 1974, CMS is proposing to make minor amendments to an existing system of records (SOR) titled, ‘‘Performance Measurement and Reporting System (PMRS),’’ System No. 09–70–0584, published at 72 FR 52133 (September 12, 2007). PMRS serves as a master system of records to assist in projects that provide transparency in health care on a broad scale enabling consumers to compare the quality and price of health care services so that they can make informed choices among individual physicians, practitioners, and other providers of services. We are making minor amendments to PMRS to include two additional legal authorities: The Medicare, Medicaid, and SCHIP Extension Act of 2007 (MMSEA) (Pub. L. 110–173) and the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) (Pub. L. 110–275). Section 101(b) of the MMSEA amended section 1848(k)(2)(B) of the Social Security Act (the Act) (42 U.S.C. 1395w–4) and section 101(c) of division B of the Tax Relief and Health Care Act of 2006 to extend the Physician Quality Reporting Initiative (PQRI). MIPPA, effective July 15, 2008, extended the PQRI for 2010 and subsequent years and authorized a new incentive program for successful electronic prescribers under section 1848(m)(2) of the Act. In addition, the MIPPA requires the Secretary to post on the CMS Web site the names of eligible professionals or group practices who satisfactorily submit data on quality measures through PQRI and the names of those eligible professionals or group practices PO 00000 Frm 00052 Fmt 4703 Sfmt 4703 who are successful electronic prescribers. This requirement is codified at section 1848(m)(5)(G) of the Act. Accordingly, CMS is adding §§ 131 and 132 of MIPPA, § 101 of MMSEA, § 1848(k) of the Act, and § 1848(m) of the Act to the PMRS’ legal authority section. In addition, we are clarifying in this notice that the term, ‘‘performance measurement results’’ used in the PMRS includes, but is not limited to, submission of data on measures, eprescribing usage, frequency of reporting or performance, as well as rates or scores based on application of specific measures. We consider all of these types of information to be valid indicators of a physician’s, practitioner’s, or other provider’s commitment to and delivery of high quality, high value health care. The primary purpose of this system is to support the collection, maintenance, and processing of information to promote the delivery of high quality, efficient, effective, and economical health care services, and promoting the quality and efficiency of services of the type for which payment may be made under title XVIII by allowing for the establishment and implementation of performance measures, the provision of feedback to physicians, and public reporting of performance information. Information in this system will also be disclosed to: (1) Support regulatory, reimbursement, and policy functions performed for the Agency or by a contractor, consultant, or a CMS grantee; (2) assist another Federal and/ or state agency, agency of a state government, or an agency established by state law; (3) promote more informed choices by Medicare beneficiaries among their Medicare group options by making physician performance measurement information available to Medicare beneficiaries through a Web site and other forms of data dissemination; (4) provide CVEs and data aggregators with information that will assist in generating single or multipayer performance measurement results to promote transparency in health care to members of their community; (5) assist individual physicians, practitioners, providers of services, suppliers, laboratories, and other health care professionals who are participating in health care transparency projects; (6) assist individuals or organizations with projects that provide transparency in health care on a broad scale enabling consumers to compare the quality and price of health care services; or for research, evaluation, and epidemiological projects related to the prevention of disease or disability; E:\FR\FM\31DEN1.SGM 31DEN1 pwalker on PROD1PC71 with NOTICES Federal Register / Vol. 73, No. 251 / Wednesday, December 31, 2008 / Notices restoration or maintenance of health or for payment purposes; (7) assist Quality Improvement Organizations; (8) support litigation involving the agency; and (9) and (10) combat fraud, waste, and abuse in certain health benefits programs. We have provided background information about this modified system in the SUPPLEMENTARY INFORMATION section below DATES: Effective Dates: The minor amendments contained in this notice are effective upon publication in the Federal Register. FOR FURTHER INFORMATION CONTACT: Aucha Prachanronarong, Health Insurance Specialist, Division of Ambulatory Care and Measure Management, Quality Measurement and Health Assessment Group, Office of Clinical Standards and Quality, CMS, Room C1–23–14, 7500 Security Boulevard, Baltimore, Maryland 21244– 1850. The telephone number is (410) 786–1879 or contact Aucha.Prachanronarong@cms.hhs.gov. SUPPLEMENTARY INFORMATION: The Value-driven Health Care Initiative is designed to achieve four cornerstones: Interoperable health information technology (HIT); transparency of price information; transparency of quality information; and the use of incentives to promote high-quality and cost-efficient health care. Regional/local publicprivate collaboration is essential to the success of this Initiative. As such, the Initiative is encouraging the growth of regional public-private collaboratives that will be chartered by the Agency for Healthcare Research and Quality (AHRQ) to support and achieve the four cornerstones. Only mature, sustainable, multi-stakeholder entities that are committed to achieving the four cornerstones, including publicly reporting physician-level and other provider performance measurement information and facilitating the use of this information to improve the quality and efficiency of health care delivery, will become Chartered Value Exchanges (CVEs). Provided they meet certain criteria established by CMS and disclosure is consistent with the Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and other applicable laws, CMS may provide CVEs with patient deidentified Medicare-inclusive individual physician-level or group practice level performance measurement results. CMS also may provide physician and patient identifiable protected health claims data information to data aggregators that are HIPAA business associates of CMS VerDate Aug<31>2005 17:41 Dec 30, 2008 Jkt 217001 (including working with providers, payers, or other HIPAA covered entities) for purposes for generating these results. The patient de-identified results will be calculated using Medicare claims data based on consensus-based measures as determined by CMS, including but not limited to quality, resource use, efficiency, and utilization metrics. Available results may include single payer (i.e., Medicare only and private payer only performance measurement results) and/or multi-payer (i.e., results generated from merging or combining Medicare results with private payer results) patient de-identified, individual physician-level performance measurement results. CMS also may make patient de-identified and individual physician-level or group practice level performance measurement results available to Medicare beneficiaries, and others that meet CMS requirements for disclosure. CMS also has implemented a pilot project known as, ‘‘The Better Quality Information to Improve Care for Medicare Beneficiaries (BQI) Project’’ to develop a model to combine data, quality measurement, and public reporting. Through the BQI project, each pilot collaborative, as a QIO subcontractor, is combining private claims data with Medicare claims data and, in some cases, Medicaid claims data to produce single payer and/or multi-payer, patient de-identified, individual physician-level or group practice level performance measurement results using quality measures that are approved by CMS. These performance measurement results were made available to Medicare beneficiaries by CMS or a CMS contractor. In addition, as required by the Tax Relief and Health Care Act of 2006, CMS implemented a voluntary Physician Quality Reporting Initiative (PQRI). Under PQRI, eligible professionals who choose to participate and satisfactorily report on a designated set of quality measures for services paid under the Medicare Physician Fee Schedule and provided to Medicare beneficiaries under the traditional fee-for-service program, may earn an incentive payment. Participating eligible professionals whose Medicare patients in the traditional fee-for-service program fit the specifications of the PQRI quality measures will report the corresponding appropriate Common Procedural Terminology (CPT) Category II codes or G-codes on their claims or through qualified PQRI registries. In 2009, CMS also will implement an Electronic Prescribing (E-Prescribing) Incentive Program as required by the MIPPA. Eligible professionals who PO 00000 Frm 00053 Fmt 4703 Sfmt 4703 80413 choose to participate and are successful electronic prescribers may earn an incentive payment. MIPPA also requires CMS to publicly report the names of eligible professionals or group practices who satisfactorily submit data on quality measures through PQRI and the names of those eligible professionals or group practices who are successful eprescribers. CMS may publicly report additional performance information, including submission of data on measures, eprescribing usage, frequency of reporting or performance, as well as specific rates or scores based on application of specific measures. CMS considers all of these types of information to be valid indicators of a physician, practitioner, or other health care provider’s commitment to and delivery of high quality, high value health care. I. Description of the Proposed System of Records A. Statutory and Regulatory Basis for System Authority for the collection, maintenance, and disclosures from this system is given under provisions of §§ 1152, 1153(c), 1153(e), 1154, 1160, 1848(k), 1848(m), 1851(d) and 1862(g) of the Social Security Act; § 101 of division B of the Tax Relief and Health Care Act of 2006; § 101 of the Medicare, Medicaid, and SCHIP Extension Act of 2007, §§ 131 and 132 of MIPPA, and §§ 901, 912, and 914 of the Public Health Service Act. B. Collection and Maintenance of Data in the System The system contains single and multipayer, patient de-identified, individual physician-level performance measurement results as well as, patient identifiable clinical and claims information provided by individual physicians, practitioners and providers of services, individuals assigned to provider groups, insurance and provider associations, government agencies, accrediting and quality organizations, and others who are committed to improving the quality of physician services. This system contains the patient’s or beneficiary’s name, sex, health insurance claim number (HIC), Social Security Number (SSN), address, date of birth, medical record number(s), prior stay information, provider name and address, physician’s name, and/or identification number, date of admission or discharge, other health insurance, diagnosis, surgical procedures, and a statement of services rendered for related charges and other E:\FR\FM\31DEN1.SGM 31DEN1 80414 Federal Register / Vol. 73, No. 251 / Wednesday, December 31, 2008 / Notices data needed to substantiate claims. The system contains provider characteristics, prescriber identification number(s), assigned provider number(s) (facility, referring/servicing physician), and national drug code information, total charges, and Medicare payment amounts. II. Agency Policies, Procedures, and Restrictions on Routine Uses The Privacy Act permits us to disclose information without an individual’s consent/authorization if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such disclosure of data is known as a ‘‘routine use.’’ The agency policies, procedures, and restriction on routine uses for the PMRS were published in the Federal Register on September 12, 2007. See 72 FR 52133 (Sept. 12, 2007) for further information. pwalker on PROD1PC71 with NOTICES III. Routine Use Disclosures of Data In the System For further information on the routine uses for the PMRS, please see 72 FR 52133. IV. Safeguards CMS has safeguards in place for authorized users and monitors such users to ensure against unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access. This system will conform to all applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards as they relate to information security and data privacy. These laws and regulations include but are not limited to: The Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the EGovernment Act of 2002, the ClingerCohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A–130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS VerDate Aug<31>2005 17:41 Dec 30, 2008 Jkt 217001 policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications; the HHS Information Systems Program Handbook and the CMS Information Security Handbook. V. Effects of the New System on the Rights of Individuals CMS proposes to establish this system in accordance with the principles and requirements of the Privacy Act and will collect, use, and disseminate information only as prescribed therein. We will only disclose the minimum personal data necessary to achieve the purpose of PMRS. Disclosure of information from the system will be approved only to the extent necessary to accomplish the purpose of the disclosure. CMS has assigned a higher level of security clearance for the information maintained in this system in an effort to provide added security and protection of data in this system. CMS will take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy or other personal or property rights. CMS will collect only that information necessary to perform the system’s functions. In addition, CMS will make disclosure from the proposed system only with consent of the subject individual, or his/her legal representative, or in accordance with an applicable exception provision of the Privacy Act. CMS, therefore, does not anticipate an unfavorable effect on individual privacy as a result of the disclosure of information relating to individuals. measurement results as well as, clinical and claims information provided by individual physicians, practitioners and providers of services, individuals assigned to provider groups, insurance and provider associations, government agencies, accrediting and quality organizations, and others who are committed to improving the quality of physician, practitioner, and other providers’ services. CATEGORIES OF RECORDS IN THE SYSTEM: This system contains the patient’s or beneficiary’s name, sex, health insurance claim number (HIC), Social Security Number (SSN), address, date of birth, medical record number(s), prior stay information, provider name and address, physician’s name, and/or identification number, date of admission or discharge, other health insurance, diagnosis, surgical procedures, and a statement of services rendered for related charges and other data needed to substantiate claims. The system contains provider characteristics, prescriber identification number(s), assigned provider number(s) (facility, referring/servicing physician), and national drug code information, total charges, and Medicare payment amounts. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: System No. 09–70–0584 Authority for the collection, maintenance, and disclosures from this system is given under provisions of §§ 1152, 1153(c), 1153(e), 1154, 1160, 1848(k), 1848(m), 1851(d) and 1862(g) of the Social Security Act; § 101 of division B of the Tax Relief and Health Care Act of 2006; § 101 of the Medicare, Medicaid, and SCHIP Extension Act of 2007, §§ 131 and 132 of the Medicare Improvements for Patients and Providers Act of 2008, and §§ 901, 912, and 914 of the Public Health Service Act. SYSTEM NAME: PURPOSE(S) OF THE SYSTEM: ‘‘Performance Measurement and Reporting System (PMRS),’’ HHS/CMS/ OCSQ. The primary purpose of this system is to support the collection, maintenance, and processing of information to promote the delivery of high quality, efficient, effective and economical delivery of health care services, and promoting the quality of services of the type for which payment may be made under title XVIII by allowing for the establishment and implementation of performance measures, provision of feedback to physicians, and public reporting of performance information. Information in this system will also be disclosed to: (1) Support regulatory, reimbursement, and policy functions performed for the Agency or by a contractor, consultant, or a CMS Dated: December 18, 2008. Charlene Frizzera, Chief Operating Officer, Centers for Medicare & Medicaid Services. SECURITY CLASSIFICATION: Level Three Privacy Act Sensitive. SYSTEM LOCATION: CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244–1850 and at various contractor sites. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The system contains single and multipayer, patient de-identified, individual physician, practitioner or other provider-level performance PO 00000 Frm 00054 Fmt 4703 Sfmt 4703 E:\FR\FM\31DEN1.SGM 31DEN1 Federal Register / Vol. 73, No. 251 / Wednesday, December 31, 2008 / Notices grantee; (2) assist another Federal and/ or state agency, agency of a state government, or an agency established by state law; (3) promote more informed choices by Medicare beneficiaries among their Medicare group options by making physician performance measurement information available to Medicare beneficiaries through a Web site and other forms of data dissemination; (4) provide CVEs and data aggregators with information that will assist in generating single or multipayer performance measurement results to promote transparency in health care to members of their community; (5) assist individual physicians, practitioners, providers of services, suppliers, laboratories, and other health care professionals who are participating in health care transparency projects; (6) assist individuals or organizations with projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services; or for research, evaluation, and epidemiological projects related to the prevention of disease or disability; restoration or maintenance of health or for payment purposes; (7) assist Quality Improvement Organizations; (8) support litigation involving the agency; and (9) and (10) combat fraud, waste, and abuse in certain health benefits programs. pwalker on PROD1PC71 with NOTICES ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES: A. Entities Who May Receive Disclosures Under Routine Use These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may release information from the PMRS without the consent/authorization of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish the following routine use disclosures of information maintained in the system: 1. To support Agency contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this SOR and who need to have access to the records in order to assist CMS. 2. Pursuant to agreements with CMS to assist another Federal or state agency, agency of a state government, or an agency established by state law to: VerDate Aug<31>2005 17:41 Dec 30, 2008 Jkt 217001 a. Contribute to projects that provide transparency in health care on a broadscale enabling consumers to compare the quality and price of health care services, b. Contribute to the accuracy of CMS’s proper payment of Medicare benefits, c. Enable such agency to administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds, and/or d. Assist Federal/state Medicaid programs which may require PMRS information for purposes related to this system. 3. To assist in making the individual physician-level performance measurement results available to Medicare beneficiaries, through a Web site and other forms of data dissemination, in order to promote more informed choices by Medicare beneficiaries among their Medicare coverage options. 4. To provide Chartered Value Exchanges (CVE) and data aggregators with information that will assist in generating single or multi-payer performance measurement results that will assist beneficiaries in making informed choices among individual physicians, practitioners and providers of services; enable consumers to compare the quality and price of health care services; and assist in providing transparency in health care at the local level if CMS: determines that the use or disclosure does not violate legal limitations under which the record was provided, collected, or obtained; a. Determines that the purpose for which the disclosure is to be made: (1) Is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring, and (2) There is reasonable probability that the objective for the use would be accomplished; b. Requires the recipient of the information to establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, c. Make no further use or disclosure of the record except: (1) For use in another project providing transparency in health care, under these same conditions, and with written authorization of CMS; (2) When required by law. d. Secures a written statement attesting to the information recipient’s understanding of and willingness to abide by these provisions. CVEs and PO 00000 Frm 00055 Fmt 4703 Sfmt 4703 80415 data aggregators should complete a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies. 5. To assist individual physicians, practitioners, providers of services, suppliers, laboratories, and others health care professionals who are participating in health care transparency projects. 6. To assist an individual or organization with projects that provide transparency in health care on a broadscale enabling consumers to compare the quality and price of health care services; or for research, evaluation, and epidemiological projects related to the prevention of disease or disability; restoration or maintenance of health or for payment purposes if CMS: a. Determines that the use or disclosure does not violate legal limitations under which the record was provided, collected, or obtained; b. Determines that the purpose for which the disclosure is to be made: (1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form, (2) Is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring, and (3) There is reasonable probability that the objective for the use would be accomplished; c. Requires the recipient of the information to: (1) Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, and (2) Remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the project, unless the recipient presents an adequate justification of a research or health nature for retaining such information, and (3) Make no further use or disclosure of the record except: (a) For disclosure to a properly identified person, for purposes of providing transparency in health care enabling consumers to compare the quality and price of health care services so that they can make informed choices among individual physicians, practitioners and providers of services; (b) In emergency circumstances affecting the health or safety of any individual; (c) For use in another research project, under these same conditions, and with written authorization of CMS; E:\FR\FM\31DEN1.SGM 31DEN1 pwalker on PROD1PC71 with NOTICES 80416 Federal Register / Vol. 73, No. 251 / Wednesday, December 31, 2008 / Notices (d) For disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit; or (e) When required by law. d. Secures a written statement attesting to the information recipient’s understanding of and willingness to abide by these provisions. Researchers should complete a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies. 7. To support Quality Improvement Organizations (QIO) in connection with review of claims, or in connection with studies or other review activities conducted pursuant to Part B of Title XI of the Act and in performing affirmative outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans. 8. To support the Department of Justice (DOJ), court, or adjudicatory body when: a. The Agency or any component thereof, or b. Any employee of the Agency in his or her official capacity, or c. Any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee, or d. The United States Government, is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records. 9. To assist a CMS contractor (including, but not limited to MACs, fiscal intermediaries and carriers) that assists in the administration of a CMSadministered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such program. 10. To assist another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers, or that has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in VerDate Aug<31>2005 17:41 Dec 30, 2008 Jkt 217001 whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs. B. Additional Circumstances Affecting Routine Use Disclosures To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation ‘‘Standards for Privacy of Individually Identifiable Health Information’’ (45 CFR Parts 160 and 164, Subparts A and E) 65 Fed. Reg. 82462 (12–28–00). Disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the ‘‘Standards for Privacy of Individually Identifiable Health Information.’’ (See 45 CFR 164–512(a)(1).) POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM: STORAGE: Records are stored on both tape cartridges (magnetic storage media) and in a DB2 relational database management environment (DASD data storage media). RETRIEVABILITY: Information is most frequently retrieved by HICN, provider number (facility, physician, IDs), service dates, and beneficiary state code. SAFEGUARDS: CMS has safeguards in place for authorized users and monitors such users to ensure against unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access. This system will conform to all applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards as they relate to information security and data privacy. These laws and regulations include but are not limited to: The Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E- PO 00000 Frm 00056 Fmt 4703 Sfmt 4703 Government Act of 2002, the ClingerCohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A–130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications; the HHS Information Systems Program Handbook and the CMS Information Security Handbook. RETENTION AND DISPOSAL: Records are maintained with identifiers for all transactions after they are entered into the system for a period of 20 years. Records are housed in both active and archival files. All claimsrelated records are encompassed by the document preservation order and will be retained until notification is received from the Department of Justice. SYSTEM MANAGER AND ADDRESS: Director, Quality Measurement and Health Assessment Group, Office of Clinical Standards and Quality, CMS, Room C1–23–14, 7500 Security Boulevard, Baltimore, Maryland 21244– 1850. NOTIFICATION PROCEDURE: For purpose of notification, the subject individual should write to the system manager who will require the system name, and the retrieval selection criteria (e.g., HICN, Provider number, etc.). RECORD ACCESS PROCEDURE: For purpose of access, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2).) CONTESTING RECORD PROCEDURES: The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.) RECORD SOURCE CATEGORIES: Medicare Beneficiary Database (09– 70–0536), National Claims History File (09–70–0558), and private physicians, private providers, laboratories, other providers and suppliers who are E:\FR\FM\31DEN1.SGM 31DEN1 Federal Register / Vol. 73, No. 251 / Wednesday, December 31, 2008 / Notices participating in health care transparency projects sponsored by the Agency. SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT: None. [FR Doc. E8–31146 Filed 12–30–08; 8:45 am] BILLING CODE 4120–03–P DEPARTMENT OF HEALTH AND HUMAN SERVICES National Institutes of Health Center for Scientific Review; Notice of Closed Meetings pwalker on PROD1PC71 with NOTICES Pursuant to section 10(d) of the Federal Advisory Committee Act, as amended (5 U.S.C. Appendix 2), notice is hereby given of the following meetings. The meetings will be closed to the public in accordance with the provisions set forth in sections 552b(c)(4) and 552b(c)(6), Title 5 U.S.C., as amended. The grant applications and the discussions could disclose confidential trade secrets or commercial property such as patentable material, and personal information concerning individuals associated with the grant applications, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy. Name of Committee: Bioengineering Sciences & Technologies; Integrated Review Group Instrumentation and Systems Development Study Section. Date: January 20–21, 2009. Time: 7 p.m. to 5 p.m. Agenda: To review and evaluate grant applications. Place: Hotel Kabuki, 1625 Post Street, San Francisco, CA 94155. Contact Person: Marc Rigas, PhD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 5158, MSC 7849, Bethesda, MD 20892, 301–402–1074, rigasm@mail.nih.gov. Name of Committee: Center for Scientific Review Special Emphasis Panel; Research on Ethical Issues in Human Studies. Date: January 22, 2009. Time: 12 p.m. to 4 p.m. Agenda: To review and evaluate grant applications. Place: National Institutes of Health, 6701 Rockledge Drive, Bethesda, MD 20892, (Virtual Meeting). Contact Person: Ellen K. Schwartz, EDD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 3168, MSC 7770, Bethesda, MD 20892, 301–435– 0681, schwarte@csr.nih.gov. Name of Committee: Center for Scientific Review Special Emphasis Panel; Platelet Biology. Date: January 26, 2009. Time: 2 p.m. to 4 p.m. VerDate Aug<31>2005 17:41 Dec 30, 2008 Jkt 217001 Agenda: To review and evaluate grant applications. Place: National Institutes of Health, 6701 Rockledge Drive, Bethesda, MD 20892, (Telephone Conference Call). Contact Person: Manjit Hanspal, PhD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 4138, MSC 7804, Bethesda, MD 20892, 301–435– 1195, hanspalm@csr.nih.gov. Name of Committee: Bioengineering Sciences & Technologies Integrated Review Group; Nanotechnology Study Section. Date: January 28–29, 2009. Time: 8:30 a.m. to 5:30 p.m. Agenda: To review and evaluate grant applications. Place: Hilton Alexandria Old Town, 1767 King Street, Alexandria, VA 22314. Contact Person: Joseph D. Mosca, PhD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 5158, MSC 7808, Bethesda, MD 20892, (301) 435– 2344, moscajos@csr.nih.gov. Name of Committee: Molecular, Cellular and Developmental Neuroscience Integrated Review Group; Biophysics of Neural Systems Study Section. Date: January 29, 2009. Time: 8 a.m. to 8 p.m. Agenda: To review and evaluate grant applications. Place: Fairmont Hotel, 2401 M Street, NW., Washington, DC 20037. Contact Person: Geoffrey G. Schofield, PhD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 4040–A, MSC 7850, Bethesda, MD 20892, 301–435– 1235, geoffreys@csr.nih.gov. Name of Committee: Brain Disorders and Clinical Neuroscience Integrated Review Group; Clinical Neuroscience and Neurodegeneration Study Section. Date: January 29, 2009. Time: 8 a.m. to 5 p.m. Agenda: To review and evaluate grant applications. Place: Mark Hopkins San Francisco Hotel, One Nob Hill, San Francisco, CA 94108. Contact Person: Rene Etcheberrigaray, MD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 5196, MSC 7846, Bethesda, MD 20892, (301) 435– 1246, etcheber@csr.nih.gov. Name of Committee: Oncological Sciences Integrated Review Group; Cancer Biomarkers Study Section. Date: February 3–4, 2009. Time: 8 a.m. to 5 p.m. Agenda: To review and evaluate grant applications. Place: Holiday Inn Georgetown, 2101 Wisconsin Avenue, NW., Washington, DC 20007. Contact Person: Steven B. Scholnick, PhD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 6152, MSC 7804, Bethesda, MD 20892, 301–435– 1719, scholnis@csr.nih.gov. Name of Committee: Genes, Genomes, and Genetics Integrated Review Group; PO 00000 Frm 00057 Fmt 4703 Sfmt 4703 80417 Genomics, Computational Biology and Technology Study Section. Date: February 3–4, 2009. Time: 8:30 a.m. to 5 p.m. Agenda: To review and evaluate grant applications. Place: Hyatt Regency Bethesda, One Bethesda Metro Center, 7400 Wisconsin Avenue, Bethesda, MD 20814. Contact Person: Barbara J. Thomas, PhD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 2218, MSC 7890, Bethesda, MD 20892, 301–435– 0603, bthomas@csr.nih.gov. Name of Committee: Center for Scientific Review Special Emphasis Panel; Member Conflict: Mechanisms of Cancer Prevention. Date: February 3, 2009. Time: 1 p.m. to 3 p.m. Agenda: To review and evaluate grant applications. Place: National Institutes of Health, 6701 Rockledge Drive, Bethesda, MD 20892, (Telephone Conference Call). Contact Person: Zhiqiang Zou, MD, PhD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 6190, MSC 7804, Bethesda, MD 20892, 301–451– 0132, zouzhiq@csr.nih.gov. Name of Committee: Digestive Sciences Integrated Review Group; Xenobiotic and Nutrient Disposition and Action Study Section. Date: February 4, 2009. Time: 8 a.m. to 6 p.m. Agenda: To review and evaluate grant applications. Place: Hyatt Regency Bethesda, One Bethesda Metro Center, 7400 Wisconsin Avenue, Bethesda, MD 20814. Contact Person: Patricia Greenwel, PhD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 2172, MSC 7818, Bethesda, MD 20892, 301–435– 1169, greenwep@csr.nih.gov. Name of Committee: Health of the Population Integrated Review Group; Kidney, Nutrition, Obesity and Diabetes Study Section. Date: February 4–5, 2009. Time: 8 a.m. to 11 a.m. Agenda: To review and evaluate grant applications. Place: Bahia Resort Hotel, 998 W. Mission Bay Drive, San Diego, CA 92109. Contact Person: Fungai F. Chanetsa, PhD, Scientific Review Officer, Center for Scientific Review, National Institutes of Health, 6701 Rockledge Drive, Room 3135, MSC 7770, Bethesda, MD 20892, 301–435– 1262, chanetsaf@csr.nih.gov. Name of Committee: Bioengineering Sciences & Technologies Integrated Review Group; Gene and Drug Delivery Systems Study Section. Date: February 4–5, 2009. Time: 8 a.m. to 5 p.m. Agenda: To review and evaluate grant applications. Place: Sir Francis Drake Hotel, 450 Powell Street, San Francisco, CA 94102. Contact Person: Steven J. Zullo, PhD, Scientific Review Officer, Center for E:\FR\FM\31DEN1.SGM 31DEN1

Agencies

[Federal Register Volume 73, Number 251 (Wednesday, December 31, 2008)]
[Notices]
[Pages 80412-80417]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-31146]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Notice of Modified System of Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice of a Modified System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, CMS is proposing to make minor amendments to an existing system 
of records (SOR) titled, ``Performance Measurement and Reporting System 
(PMRS),'' System No. 09-70-0584, published at 72 FR 52133 (September 
12, 2007). PMRS serves as a master system of records to assist in 
projects that provide transparency in health care on a broad scale 
enabling consumers to compare the quality and price of health care 
services so that they can make informed choices among individual 
physicians, practitioners, and other providers of services. We are 
making minor amendments to PMRS to include two additional legal 
authorities: The Medicare, Medicaid, and SCHIP Extension Act of 2007 
(MMSEA) (Pub. L. 110-173) and the Medicare Improvements for Patients 
and Providers Act of 2008 (MIPPA) (Pub. L. 110-275). Section 101(b) of 
the MMSEA amended section 1848(k)(2)(B) of the Social Security Act (the 
Act) (42 U.S.C. 1395w-4) and section 101(c) of division B of the Tax 
Relief and Health Care Act of 2006 to extend the Physician Quality 
Reporting Initiative (PQRI). MIPPA, effective July 15, 2008, extended 
the PQRI for 2010 and subsequent years and authorized a new incentive 
program for successful electronic prescribers under section 1848(m)(2) 
of the Act. In addition, the MIPPA requires the Secretary to post on 
the CMS Web site the names of eligible professionals or group practices 
who satisfactorily submit data on quality measures through PQRI and the 
names of those eligible professionals or group practices who are 
successful electronic prescribers. This requirement is codified at 
section 1848(m)(5)(G) of the Act. Accordingly, CMS is adding Sec. Sec.  
131 and 132 of MIPPA, Sec.  101 of MMSEA, Sec.  1848(k) of the Act, and 
Sec.  1848(m) of the Act to the PMRS' legal authority section.
    In addition, we are clarifying in this notice that the term, 
``performance measurement results'' used in the PMRS includes, but is 
not limited to, submission of data on measures, e-prescribing usage, 
frequency of reporting or performance, as well as rates or scores based 
on application of specific measures. We consider all of these types of 
information to be valid indicators of a physician's, practitioner's, or 
other provider's commitment to and delivery of high quality, high value 
health care.
    The primary purpose of this system is to support the collection, 
maintenance, and processing of information to promote the delivery of 
high quality, efficient, effective, and economical health care 
services, and promoting the quality and efficiency of services of the 
type for which payment may be made under title XVIII by allowing for 
the establishment and implementation of performance measures, the 
provision of feedback to physicians, and public reporting of 
performance information. Information in this system will also be 
disclosed to: (1) Support regulatory, reimbursement, and policy 
functions performed for the Agency or by a contractor, consultant, or a 
CMS grantee; (2) assist another Federal and/or state agency, agency of 
a state government, or an agency established by state law; (3) promote 
more informed choices by Medicare beneficiaries among their Medicare 
group options by making physician performance measurement information 
available to Medicare beneficiaries through a Web site and other forms 
of data dissemination; (4) provide CVEs and data aggregators with 
information that will assist in generating single or multi-payer 
performance measurement results to promote transparency in health care 
to members of their community; (5) assist individual physicians, 
practitioners, providers of services, suppliers, laboratories, and 
other health care professionals who are participating in health care 
transparency projects; (6) assist individuals or organizations with 
projects that provide transparency in health care on a broad scale 
enabling consumers to compare the quality and price of health care 
services; or for research, evaluation, and epidemiological projects 
related to the prevention of disease or disability;

[[Page 80413]]

restoration or maintenance of health or for payment purposes; (7) 
assist Quality Improvement Organizations; (8) support litigation 
involving the agency; and (9) and (10) combat fraud, waste, and abuse 
in certain health benefits programs. We have provided background 
information about this modified system in the Supplementary Information 
section below

DATES: Effective Dates: The minor amendments contained in this notice 
are effective upon publication in the Federal Register.

FOR FURTHER INFORMATION CONTACT: Aucha Prachanronarong, Health 
Insurance Specialist, Division of Ambulatory Care and Measure 
Management, Quality Measurement and Health Assessment Group, Office of 
Clinical Standards and Quality, CMS, Room C1-23-14, 7500 Security 
Boulevard, Baltimore, Maryland 21244-1850. The telephone number is 
(410) 786-1879 or contact Aucha.Prachanronarong@cms.hhs.gov.

SUPPLEMENTARY INFORMATION: The Value-driven Health Care Initiative is 
designed to achieve four cornerstones: Interoperable health information 
technology (HIT); transparency of price information; transparency of 
quality information; and the use of incentives to promote high-quality 
and cost-efficient health care. Regional/local public-private 
collaboration is essential to the success of this Initiative. As such, 
the Initiative is encouraging the growth of regional public-private 
collaboratives that will be chartered by the Agency for Healthcare 
Research and Quality (AHRQ) to support and achieve the four 
cornerstones. Only mature, sustainable, multi-stakeholder entities that 
are committed to achieving the four cornerstones, including publicly 
reporting physician-level and other provider performance measurement 
information and facilitating the use of this information to improve the 
quality and efficiency of health care delivery, will become Chartered 
Value Exchanges (CVEs).
    Provided they meet certain criteria established by CMS and 
disclosure is consistent with the Privacy Act, the Health Insurance 
Portability and Accountability Act (HIPAA) Privacy Rule and other 
applicable laws, CMS may provide CVEs with patient de-identified 
Medicare-inclusive individual physician-level or group practice level 
performance measurement results. CMS also may provide physician and 
patient identifiable protected health claims data information to data 
aggregators that are HIPAA business associates of CMS (including 
working with providers, payers, or other HIPAA covered entities) for 
purposes for generating these results. The patient de-identified 
results will be calculated using Medicare claims data based on 
consensus-based measures as determined by CMS, including but not 
limited to quality, resource use, efficiency, and utilization metrics. 
Available results may include single payer (i.e., Medicare only and 
private payer only performance measurement results) and/or multi-payer 
(i.e., results generated from merging or combining Medicare results 
with private payer results) patient de-identified, individual 
physician-level performance measurement results. CMS also may make 
patient de-identified and individual physician-level or group practice 
level performance measurement results available to Medicare 
beneficiaries, and others that meet CMS requirements for disclosure.
    CMS also has implemented a pilot project known as, ``The Better 
Quality Information to Improve Care for Medicare Beneficiaries (BQI) 
Project'' to develop a model to combine data, quality measurement, and 
public reporting. Through the BQI project, each pilot collaborative, as 
a QIO subcontractor, is combining private claims data with Medicare 
claims data and, in some cases, Medicaid claims data to produce single 
payer and/or multi-payer, patient de-identified, individual physician-
level or group practice level performance measurement results using 
quality measures that are approved by CMS. These performance 
measurement results were made available to Medicare beneficiaries by 
CMS or a CMS contractor.
    In addition, as required by the Tax Relief and Health Care Act of 
2006, CMS implemented a voluntary Physician Quality Reporting 
Initiative (PQRI). Under PQRI, eligible professionals who choose to 
participate and satisfactorily report on a designated set of quality 
measures for services paid under the Medicare Physician Fee Schedule 
and provided to Medicare beneficiaries under the traditional fee-for-
service program, may earn an incentive payment. Participating eligible 
professionals whose Medicare patients in the traditional fee-for-
service program fit the specifications of the PQRI quality measures 
will report the corresponding appropriate Common Procedural Terminology 
(CPT) Category II codes or G-codes on their claims or through qualified 
PQRI registries.
    In 2009, CMS also will implement an Electronic Prescribing (E-
Prescribing) Incentive Program as required by the MIPPA. Eligible 
professionals who choose to participate and are successful electronic 
prescribers may earn an incentive payment. MIPPA also requires CMS to 
publicly report the names of eligible professionals or group practices 
who satisfactorily submit data on quality measures through PQRI and the 
names of those eligible professionals or group practices who are 
successful e-prescribers.
    CMS may publicly report additional performance information, 
including submission of data on measures, e-prescribing usage, 
frequency of reporting or performance, as well as specific rates or 
scores based on application of specific measures. CMS considers all of 
these types of information to be valid indicators of a physician, 
practitioner, or other health care provider's commitment to and 
delivery of high quality, high value health care.

I. Description of the Proposed System of Records

A. Statutory and Regulatory Basis for System

    Authority for the collection, maintenance, and disclosures from 
this system is given under provisions of Sec. Sec.  1152, 1153(c), 
1153(e), 1154, 1160, 1848(k), 1848(m), 1851(d) and 1862(g) of the 
Social Security Act; Sec.  101 of division B of the Tax Relief and 
Health Care Act of 2006; Sec.  101 of the Medicare, Medicaid, and SCHIP 
Extension Act of 2007, Sec. Sec.  131 and 132 of MIPPA, and Sec. Sec.  
901, 912, and 914 of the Public Health Service Act.

B. Collection and Maintenance of Data in the System

    The system contains single and multi-payer, patient de-identified, 
individual physician-level performance measurement results as well as, 
patient identifiable clinical and claims information provided by 
individual physicians, practitioners and providers of services, 
individuals assigned to provider groups, insurance and provider 
associations, government agencies, accrediting and quality 
organizations, and others who are committed to improving the quality of 
physician services. This system contains the patient's or beneficiary's 
name, sex, health insurance claim number (HIC), Social Security Number 
(SSN), address, date of birth, medical record number(s), prior stay 
information, provider name and address, physician's name, and/or 
identification number, date of admission or discharge, other health 
insurance, diagnosis, surgical procedures, and a statement of services 
rendered for related charges and other

[[Page 80414]]

data needed to substantiate claims. The system contains provider 
characteristics, prescriber identification number(s), assigned provider 
number(s) (facility, referring/servicing physician), and national drug 
code information, total charges, and Medicare payment amounts.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

    The Privacy Act permits us to disclose information without an 
individual's consent/authorization if the information is to be used for 
a purpose that is compatible with the purpose(s) for which the 
information was collected. Any such disclosure of data is known as a 
``routine use.'' The agency policies, procedures, and restriction on 
routine uses for the PMRS were published in the Federal Register on 
September 12, 2007. See 72 FR 52133 (Sept. 12, 2007) for further 
information.

III. Routine Use Disclosures of Data In the System

    For further information on the routine uses for the PMRS, please 
see 72 FR 52133.

IV. Safeguards

    CMS has safeguards in place for authorized users and monitors such 
users to ensure against unauthorized use. Personnel having access to 
the system have been trained in the Privacy Act and information 
security requirements. Employees who maintain records in this system 
are instructed not to release data until the intended recipient agrees 
to implement appropriate management, operational and technical 
safeguards sufficient to protect the confidentiality, integrity and 
availability of the information and information systems and to prevent 
unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal, HHS, and CMS policies and standards as they 
relate to information security and data privacy. These laws and 
regulations include but are not limited to: The Privacy Act of 1974; 
the Federal Information Security Management Act of 2002; the Computer 
Fraud and Abuse Act of 1986; the Health Insurance Portability and 
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003, and the 
corresponding implementing regulations. OMB Circular A-130, Management 
of Federal Resources, Appendix III, Security of Federal Automated 
Information Resources also applies. Federal, HHS, and CMS policies and 
standards include but are not limited to: All pertinent National 
Institute of Standards and Technology publications; the HHS Information 
Systems Program Handbook and the CMS Information Security Handbook.

V. Effects of the New System on the Rights of Individuals

    CMS proposes to establish this system in accordance with the 
principles and requirements of the Privacy Act and will collect, use, 
and disseminate information only as prescribed therein. We will only 
disclose the minimum personal data necessary to achieve the purpose of 
PMRS. Disclosure of information from the system will be approved only 
to the extent necessary to accomplish the purpose of the disclosure. 
CMS has assigned a higher level of security clearance for the 
information maintained in this system in an effort to provide added 
security and protection of data in this system.
    CMS will take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy or other personal or property rights. CMS will collect only 
that information necessary to perform the system's functions. In 
addition, CMS will make disclosure from the proposed system only with 
consent of the subject individual, or his/her legal representative, or 
in accordance with an applicable exception provision of the Privacy 
Act. CMS, therefore, does not anticipate an unfavorable effect on 
individual privacy as a result of the disclosure of information 
relating to individuals.

    Dated: December 18, 2008.
Charlene Frizzera,
Chief Operating Officer, Centers for Medicare & Medicaid Services.
System No. 09-70-0584

SYSTEM NAME:
    ``Performance Measurement and Reporting System (PMRS),'' HHS/CMS/
OCSQ.

SECURITY CLASSIFICATION:
    Level Three Privacy Act Sensitive.

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850 and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system contains single and multi-payer, patient de-identified, 
individual physician, practitioner or other provider-level performance 
measurement results as well as, clinical and claims information 
provided by individual physicians, practitioners and providers of 
services, individuals assigned to provider groups, insurance and 
provider associations, government agencies, accrediting and quality 
organizations, and others who are committed to improving the quality of 
physician, practitioner, and other providers' services.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system contains the patient's or beneficiary's name, sex, 
health insurance claim number (HIC), Social Security Number (SSN), 
address, date of birth, medical record number(s), prior stay 
information, provider name and address, physician's name, and/or 
identification number, date of admission or discharge, other health 
insurance, diagnosis, surgical procedures, and a statement of services 
rendered for related charges and other data needed to substantiate 
claims. The system contains provider characteristics, prescriber 
identification number(s), assigned provider number(s) (facility, 
referring/servicing physician), and national drug code information, 
total charges, and Medicare payment amounts.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for the collection, maintenance, and disclosures from 
this system is given under provisions of Sec. Sec.  1152, 1153(c), 
1153(e), 1154, 1160, 1848(k), 1848(m), 1851(d) and 1862(g) of the 
Social Security Act; Sec.  101 of division B of the Tax Relief and 
Health Care Act of 2006; Sec.  101 of the Medicare, Medicaid, and SCHIP 
Extension Act of 2007, Sec. Sec.  131 and 132 of the Medicare 
Improvements for Patients and Providers Act of 2008, and Sec. Sec.  
901, 912, and 914 of the Public Health Service Act.

PURPOSE(S) OF THE SYSTEM:
    The primary purpose of this system is to support the collection, 
maintenance, and processing of information to promote the delivery of 
high quality, efficient, effective and economical delivery of health 
care services, and promoting the quality of services of the type for 
which payment may be made under title XVIII by allowing for the 
establishment and implementation of performance measures, provision of 
feedback to physicians, and public reporting of performance 
information. Information in this system will also be disclosed to: (1) 
Support regulatory, reimbursement, and policy functions performed for 
the Agency or by a contractor, consultant, or a CMS

[[Page 80415]]

grantee; (2) assist another Federal and/or state agency, agency of a 
state government, or an agency established by state law; (3) promote 
more informed choices by Medicare beneficiaries among their Medicare 
group options by making physician performance measurement information 
available to Medicare beneficiaries through a Web site and other forms 
of data dissemination; (4) provide CVEs and data aggregators with 
information that will assist in generating single or multi-payer 
performance measurement results to promote transparency in health care 
to members of their community; (5) assist individual physicians, 
practitioners, providers of services, suppliers, laboratories, and 
other health care professionals who are participating in health care 
transparency projects; (6) assist individuals or organizations with 
projects that provide transparency in health care on a broad-scale 
enabling consumers to compare the quality and price of health care 
services; or for research, evaluation, and epidemiological projects 
related to the prevention of disease or disability; restoration or 
maintenance of health or for payment purposes; (7) assist Quality 
Improvement Organizations; (8) support litigation involving the agency; 
and (9) and (10) combat fraud, waste, and abuse in certain health 
benefits programs.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
    A. Entities Who May Receive Disclosures Under Routine Use

    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
release information from the PMRS without the consent/authorization of 
the individual to whom such information pertains. Each proposed 
disclosure of information under these routine uses will be evaluated to 
ensure that the disclosure is legally permissible, including but not 
limited to ensuring that the purpose of the disclosure is compatible 
with the purpose for which the information was collected. We propose to 
establish the following routine use disclosures of information 
maintained in the system:
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this SOR and who need to have 
access to the records in order to assist CMS.
    2. Pursuant to agreements with CMS to assist another Federal or 
state agency, agency of a state government, or an agency established by 
state law to:
    a. Contribute to projects that provide transparency in health care 
on a broad-scale enabling consumers to compare the quality and price of 
health care services,
    b. Contribute to the accuracy of CMS's proper payment of Medicare 
benefits,
    c. Enable such agency to administer a Federal health benefits 
program, or as necessary to enable such agency to fulfill a requirement 
of a Federal statute or regulation that implements a health benefits 
program funded in whole or in part with Federal funds, and/or
    d. Assist Federal/state Medicaid programs which may require PMRS 
information for purposes related to this system.
    3. To assist in making the individual physician-level performance 
measurement results available to Medicare beneficiaries, through a Web 
site and other forms of data dissemination, in order to promote more 
informed choices by Medicare beneficiaries among their Medicare 
coverage options.
    4. To provide Chartered Value Exchanges (CVE) and data aggregators 
with information that will assist in generating single or multi-payer 
performance measurement results that will assist beneficiaries in 
making informed choices among individual physicians, practitioners and 
providers of services; enable consumers to compare the quality and 
price of health care services; and assist in providing transparency in 
health care at the local level if CMS:
    determines that the use or disclosure does not violate legal 
limitations under which the record was provided, collected, or 
obtained;
    a. Determines that the purpose for which the disclosure is to be 
made:
    (1) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individual that additional exposure of the record 
might bring, and
    (2) There is reasonable probability that the objective for the use 
would be accomplished;
    b. Requires the recipient of the information to establish 
reasonable administrative, technical, and physical safeguards to 
prevent unauthorized use or disclosure of the record,
    c. Make no further use or disclosure of the record except:
    (1) For use in another project providing transparency in health 
care, under these same conditions, and with written authorization of 
CMS;
    (2) When required by law.
    d. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by these 
provisions. CVEs and data aggregators should complete a Data Use 
Agreement (CMS Form 0235) in accordance with current CMS policies.
    5. To assist individual physicians, practitioners, providers of 
services, suppliers, laboratories, and others health care professionals 
who are participating in health care transparency projects.
    6. To assist an individual or organization with projects that 
provide transparency in health care on a broad-scale enabling consumers 
to compare the quality and price of health care services; or for 
research, evaluation, and epidemiological projects related to the 
prevention of disease or disability; restoration or maintenance of 
health or for payment purposes if CMS:
    a. Determines that the use or disclosure does not violate legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form,
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individual that additional exposure of the record 
might bring, and
    (3) There is reasonable probability that the objective for the use 
would be accomplished;
    c. Requires the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record, and
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project, unless the 
recipient presents an adequate justification of a research or health 
nature for retaining such information, and
    (3) Make no further use or disclosure of the record except:
    (a) For disclosure to a properly identified person, for purposes of 
providing transparency in health care enabling consumers to compare the 
quality and price of health care services so that they can make 
informed choices among individual physicians, practitioners and 
providers of services;
    (b) In emergency circumstances affecting the health or safety of 
any individual;
    (c) For use in another research project, under these same 
conditions, and with written authorization of CMS;

[[Page 80416]]

    (d) For disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit; or
    (e) When required by law.
    d. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by these 
provisions. Researchers should complete a Data Use Agreement (CMS Form 
0235) in accordance with current CMS policies.
    7. To support Quality Improvement Organizations (QIO) in connection 
with review of claims, or in connection with studies or other review 
activities conducted pursuant to Part B of Title XI of the Act and in 
performing affirmative outreach activities to individuals for the 
purpose of establishing and maintaining their entitlement to Medicare 
benefits or health insurance plans.
    8. To support the Department of Justice (DOJ), court, or 
adjudicatory body when:
    a. The Agency or any component thereof, or
    b. Any employee of the Agency in his or her official capacity, or
    c. Any employee of the Agency in his or her individual capacity 
where the DOJ has agreed to represent the employee, or
    d. The United States Government,
    is a party to litigation or has an interest in such litigation, and 
by careful review, CMS determines that the records are both relevant 
and necessary to the litigation and that the use of such records by the 
DOJ, court or adjudicatory body is compatible with the purpose for 
which the agency collected the records.
    9. To assist a CMS contractor (including, but not limited to MACs, 
fiscal intermediaries and carriers) that assists in the administration 
of a CMS-administered health benefits program, or to a grantee of a 
CMS-administered grant program, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud, waste or abuse in such program.
    10. To assist another Federal agency or to an instrumentality of 
any governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers, or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs.

    B. Additional Circumstances Affecting Routine Use Disclosures

    To the extent this system contains Protected Health Information 
(PHI) as defined by HHS regulation ``Standards for Privacy of 
Individually Identifiable Health Information'' (45 CFR Parts 160 and 
164, Subparts A and E) 65 Fed. Reg. 82462 (12-28-00). Disclosures of 
such PHI that are otherwise authorized by these routine uses may only 
be made if, and as, permitted or required by the ``Standards for 
Privacy of Individually Identifiable Health Information.'' (See 45 CFR 
164-512(a)(1).)

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored on both tape cartridges (magnetic storage media) 
and in a DB2 relational database management environment (DASD data 
storage media).

RETRIEVABILITY:
    Information is most frequently retrieved by HICN, provider number 
(facility, physician, IDs), service dates, and beneficiary state code.

SAFEGUARDS:
    CMS has safeguards in place for authorized users and monitors such 
users to ensure against unauthorized use. Personnel having access to 
the system have been trained in the Privacy Act and information 
security requirements. Employees who maintain records in this system 
are instructed not to release data until the intended recipient agrees 
to implement appropriate management, operational and technical 
safeguards sufficient to protect the confidentiality, integrity and 
availability of the information and information systems and to prevent 
unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal, HHS, and CMS policies and standards as they 
relate to information security and data privacy. These laws and 
regulations include but are not limited to: The Privacy Act of 1974; 
the Federal Information Security Management Act of 2002; the Computer 
Fraud and Abuse Act of 1986; the Health Insurance Portability and 
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003, and the 
corresponding implementing regulations. OMB Circular A-130, Management 
of Federal Resources, Appendix III, Security of Federal Automated 
Information Resources also applies. Federal, HHS, and CMS policies and 
standards include but are not limited to: All pertinent National 
Institute of Standards and Technology publications; the HHS Information 
Systems Program Handbook and the CMS Information Security Handbook.

RETENTION AND DISPOSAL:
    Records are maintained with identifiers for all transactions after 
they are entered into the system for a period of 20 years. Records are 
housed in both active and archival files. All claims-related records 
are encompassed by the document preservation order and will be retained 
until notification is received from the Department of Justice.

SYSTEM MANAGER AND ADDRESS:
    Director, Quality Measurement and Health Assessment Group, Office 
of Clinical Standards and Quality, CMS, Room C1-23-14, 7500 Security 
Boulevard, Baltimore, Maryland 21244-1850.

NOTIFICATION PROCEDURE:
    For purpose of notification, the subject individual should write to 
the system manager who will require the system name, and the retrieval 
selection criteria (e.g., HICN, Provider number, etc.).

RECORD ACCESS PROCEDURE:
    For purpose of access, use the same procedures outlined in 
Notification Procedures above. Requestors should also reasonably 
specify the record contents being sought. (These procedures are in 
accordance with Department regulation 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    Medicare Beneficiary Database (09-70-0536), National Claims History 
File (09-70-0558), and private physicians, private providers, 
laboratories, other providers and suppliers who are

[[Page 80417]]

participating in health care transparency projects sponsored by the 
Agency.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. E8-31146 Filed 12-30-08; 8:45 am]
BILLING CODE 4120-03-P