Medicare Program; Availability of Medicare Data for Performance Measurement, 76542-76571 [2011-31232]

Agencies

• Centers for Medicare & Medicaid Services
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 76, Number 235 (Wednesday, December 7, 2011)]
[Rules and Regulations]
[Pages 76542-76571]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-31232]



[[Page 76541]]

Vol. 76

Wednesday,

No. 235

December 7, 2011

Part III





Department of Health and Human Services





-----------------------------------------------------------------------





Centers for Medicare & Medicaid Services





-----------------------------------------------------------------------





42 CFR Part 401





 Medicare Program; Availability of Medicare Data for Performance 
Measurement; Final Rule

Federal Register / Vol. 76, No. 235 / Wednesday, December 7, 2011 / 
Rules and Regulations

[[Page 76542]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Part 401

[CMS-5059-F]
RIN 0938-AQ17


Medicare Program; Availability of Medicare Data for Performance 
Measurement

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule implements Section 10332 of the Affordable 
Care Act regarding the release and use of standardized extracts of 
Medicare claims data for qualified entities to measure the performance 
of providers of services (referred to as providers) and suppliers. This 
rule explains how entities can become qualified by CMS to receive 
standardized extracts of claims data under Medicare Parts A, B, and D 
for the purpose of evaluation of the performance of providers and 
suppliers. This rule also lays out the criteria qualified entities must 
follow to protect the privacy of Medicare beneficiaries.

DATES: Effective Date: These regulations are effective January 6, 2012.

FOR FURTHER INFORMATION CONTACT: Colleen Bruce, (410) 786-5529.

SUPPLEMENTARY INFORMATION: 

I. Background

    The Patient Protection and Affordable Care Act (Pub. L. 111-148), 
enacted on March 23, 2010, and the Health Care and Education 
Reconciliation Act of 2010 (Pub. L. 111-152), enacted on March 30, 
2010, are collectively referred to in this final rule as the 
``Affordable Care Act.'' Effective January 1, 2012, section 10332 of 
the Affordable Care Act would amend section 1874 of the Social Security 
Act (the Act) by adding a new subsection (e) requiring standardized 
extracts of Medicare claims data under parts A, B, and D to be made 
available to ``qualified entities'' for the evaluation of the 
performance of providers and suppliers. Qualified entities may use the 
information obtained under section 1874(e) of the Act for the purpose 
of evaluating the performance of providers and suppliers, and to 
generate public reports regarding such performance. Qualified entities 
may receive data for one or more specified geographic areas and must 
pay a fee equal to the cost of making the data available. Congress also 
required that qualified entities combine claims data from sources other 
than Medicare with the Medicare data when evaluating the performance of 
providers and suppliers.
    Section 1874(e) of the Act requires potential qualified entities 
that wish to request data under this provision to submit an application 
to the Secretary that includes, among other things, a description of 
the methodologies that the applicant proposes to use to evaluate the 
performance of providers and suppliers in the geographic area(s) they 
select. Qualified entities generally must use standard measures for 
evaluating the performance of providers and suppliers unless the 
Secretary, in consultation with appropriate stakeholders, determines 
that use of alternative measures would be more valid, reliable, 
responsive to consumer preferences, cost-effective, or relevant to 
dimensions of quality and resource use not addressed by standard 
measures. Reports generated by the qualified entities may only include 
information on individual providers and suppliers in aggregate form, 
that is, at the provider or supplier level, and may not be released to 
the public until the providers and suppliers have had an opportunity to 
review them and, if necessary, ask for corrections. Congress included a 
provision at section 1874(e)(3) of the Act to allow the Secretary to 
take such actions as may be necessary to protect the identity of 
individuals entitled to or enrolled in Medicare.
    We believe the sharing of Medicare data with qualified entities 
through this program and the resulting reports produced by qualified 
entities will be an important driver of improving quality and reducing 
costs in Medicare, as well as for the health care system in general. 
Additionally, we believe this program will increase the transparency of 
provider and supplier performance, while ensuring beneficiary privacy.

II. Provisions of the Proposed Rule and Analysis of and Responses to 
Public Comments

    We received approximately 100 comments from a wide variety of 
individuals and organizations. About half of the comments were from 
providers and suppliers, or organizations representing providers and 
suppliers. The other half of the comments were from organizations 
engaged in performance measurement or data aggregation that may 
potentially be approved to receive Medicare data as qualified entities 
under this program. We also received a number of comments from consumer 
advocacy organizations.

A. Definition, Eligibility Criteria, and Operating Requirements of 
Qualified Entities

    Almost all of the comments were positive and praised CMS' proposals 
regarding how the qualified entity program would operate. Commenters 
also had a range of suggestions for how CMS should administer the 
program, including several comments on performance measurement in 
general. We also received numerous comments on data privacy and 
security, which are discussed in more detail in subsection D below.
1. Definitions
    In the proposed rule, we defined a qualified entity as a public or 
private entity that meets two standards. The first is that the entity 
is qualified, as determined by the Secretary, to use claims data to 
evaluate the performance of providers and suppliers on measures of 
quality, efficiency, effectiveness, and resource use. The second is 
that the entity agrees to meet the requirements described in Section 
1874(e) of the Social Security Act and at Sec. Sec.  401.703-401.710 of 
the proposed rule.
    Comment: We received several comments, suggestions, and questions 
regarding the use of the Medicare data qualified entities receive 
through this program. Section 1874(e)(4)(B) of the Act specifies the 
uses of the Medicare data. Some commenters requested that qualified 
entities be allowed to use the data for purposes other than performance 
reporting, such as internal analyses, pay-for-performance initiatives, 
and provider tiering; other commenters requested that CMS clarify that 
the data provided would be used for performance reporting only.
    Response: The statute bars the re-use of the Medicare claims data 
provided to qualified entities under section 1874(e) of the Social 
Security Act (the Act). Section 1874(e)(4)(D) provides that the 
qualified entity ``shall only use such data, and information derived 
from such evaluation'' for performance reports on providers and 
suppliers. Additionally, the Data Use Agreement (DUA, discussed in more 
detail below) bars re-use of the data for other purposes; violation of 
the DUA may result in a qualified entity's access to data under 1874(e) 
of the Act being terminated. However, while the data itself and any 
derivative data may only be used for creating the prescribed reports, 
section 1874(e) does not address the use of the publically reported 
result. Subject to any limitations imposed by other applicable laws 
(for example, copyright laws), these publicly reported results

[[Page 76543]]

could be used by any party, including the qualified entity, for 
activities such as internal analyses, pay-for-performance initiatives, 
or provider tiering.
    Qualified entities will not be allowed to do performance 
measurement with Medicare data alone. Section 1874(e)(4)(B)(iii) 
specifically provides that qualified entities must include ``claims 
data from sources other than claims data under this title in the 
evaluation of performance of providers of services and suppliers.'' We 
have added a definition of ``claims data from other sources'' at Sec.  
401.703(h).
    We have made several technical changes to the definitions at Sec.  
401.703 to reflect the regulatory interpretation of the statutory 
provisions cited in the proposed rule. We have modified the definition 
of a qualified entity to require the entity to agree to meet the 
requirements in Sec. Sec.  401.705-401.721 of the final rule, removing 
the proposed rule's reference to section 1874(e) of the Act. We have 
also modified the definitions of provider and supplier; specifically we 
have defined both terms in terms of the definitions for the identical 
terms at Sec.  400.202.
    We have also added a definition of clinical data. This addition is 
discussed in further detail below.
2. Eligibility Criteria
    In determining the eligibility standards for qualified entities we 
sought to balance the needs to: (1) Ensure the production of timely, 
high quality, and actionable reports on the performance of providers 
and suppliers, (2) protect beneficiary privacy and security, and (3) 
ensure providers and suppliers have an appropriate amount of time to 
review the reports, appeal, and, if necessary, correct errors prior to 
public reporting. We therefore proposed to evaluate an organization's 
eligibility to serve as a qualified entity across three areas: 
Organizational and governance capabilities, addition of claims data 
from other sources, and data privacy and security.
    Additionally, we proposed not to limit the number of qualified 
entities eligible to serve in an area. Any entity that satisfactorily 
meets the eligibility criteria would be able to participate in the 
program.
    Comment: We received several comments on the eligibility criteria 
as a whole. Many commenters supported the proposed eligibility 
standards; however others said the eligibility standards were too 
prescriptive. Several commenters asked CMS to clarify qualified 
entities' ability to combine expertise across more than one entity to 
meet the requirements in the rule related to experience or amount of 
other claims data.
    Response: We thank commenters for their support for the eligibility 
standards. While we understand that the eligibility standards 
necessitate that prospective qualified entities have extensive 
experience in performance measurement, access to data, and appropriate 
privacy and security protocols, we believe these standards are 
essential to ensure both the privacy and security of beneficiary data 
and the acceptance of the program by providers and suppliers.
    We clarify, however, that qualified entities do not need to be 
composed of a single legal entity. A qualified entity applicant may 
contract with other entities to achieve the ability to meet the 
eligibility criteria. If an entity chooses to contract with one or more 
other entities to meet the eligibility standards, the application must 
be submitted by one lead entity. This lead entity must submit 
documentation describing the contractual relationships that exist 
between and among all entities applying together under the lead entity 
to become a qualified entity. In addition, as discussed in subsection 
D.1. below, contractors will be required to abide by the same privacy 
and security requirements as the lead entity, including signing a data 
use agreement prior to being given access to Medicare claims data or 
beneficiary information. Contractors will also be subject to CMS 
monitoring and their actions may result in sanctions and/or termination 
of the qualified entity.
    We believe that requiring contractual arrangements among the 
members of such a group will ultimately protect both the providers and 
suppliers receiving reports, as well as the beneficiaries seeking to 
use this information to make health care decisions by ensuring that the 
lead entity has partners with the necessary expertise to carry out the 
duties of a qualified entity and that the qualified entity's partners 
are committed to the project through legally enforceable agreements.
    In a contractual arrangement, there would be breach of contract 
liability if one of the members of the group fails to deliver, and 
there would be the potential of collecting damages for that failure to 
perform. Such damages would potentially provide the lead entity with 
the resources that would be necessary for finding and hiring another 
entity to carry out the functions of a contractor/subcontractor that 
failed to perform. Any other less formal arrangement among a group of 
entities that, in sum, possessed the requisite traits required of a 
qualified entity, such as a partnership or other consortium-like 
affiliation, would not offer the breach of contract protections that 
would provide assurances that the entities listed as participants in 
the group would in fact provide the services/skills/resources that the 
qualified entity applicant asserts. In a non-contractual arrangement, 
participating members of the group could stop performing at any time, 
leaving the remainder of the group with little recourse and, possibly, 
not qualified to carry on as a qualified entity. This could prevent the 
issuance of the desired reports. It could also leave providers and 
suppliers, as well as beneficiaries, without any recourse for remedying 
reporting errors or answering questions related to the reports. This 
would have a very negative effect on the program as a whole, and 
jeopardize this important transparency effort.
    We emphasize that a single entity may seek to fulfill all of the 
eligibility standards; there is no requirement that a qualified entity 
must be a group of two or more entities. However, we believe that more 
potential qualified entities would apply if they use contractual 
relationships to address any requirements that they may be lacking.
    Comment: Several commenters suggested additions to the eligibility 
standards. A handful of commenters recommended adding a public input 
component as part of the eligibility process. Commenters also suggested 
evaluating provider complaints against applicants when making 
determinations about qualified entity eligibility. One commenter asked 
CMS to create a provisional track for entities without the necessary 
experience or the non-Medicare data to serve as a qualified entity in 
the general program.
    Response: Through evaluating each entity's (including the lead 
entity's and any contractors') past experience, other claims data, and 
privacy and security protocols, we are confident that entities approved 
as qualified entities will meet the requirements of the program. 
Extensive monitoring requirements for the lead entity and any 
contractors, as well as the ability to terminate our agreement with a 
qualified entity, will ensure that the highest standards are adhered to 
by all qualified entities. However, we are interested in beneficiary 
and/or provider complaints against a qualified entity once that entity 
is approved. As discussed below in section II.F., we have included an 
analysis of beneficiary and/or provider complaints as part of the 
monitoring and performance assessment of qualified entities.

[[Page 76544]]

    While we appreciate the interest in allowing a variety of 
organizations to serve as qualified entities, we believe a provisional 
track is not consistent with the requirement in the statute that 
entities be qualified, as determined by the Secretary, to use claims 
data to evaluate provider and supplier performance. We hope that the 
discussion above, which notes that potential qualified entity 
applicants may form contractual agreements to meet the eligibility 
requirements, will allow entities with less experience or limited other 
claims data to gain the necessary expertise or gather the needed data 
to be approved as a qualified entities. We also have added a 
conditional approval process, discussed in more detail below, for those 
applicants that do not have access to claims data from other sources at 
the time of their application.
    Comment: We received several comments requesting CMS limit the 
organizations eligible to serve as qualified entities to non-profit and 
government organizations. However, we also received comments asking CMS 
to continue to allow any organization that meets the eligibility 
requirements and submits an application to serve as a qualified entity.
    Response: On balance, we believe it is appropriate for CMS to 
continue to allow any organization that meets the eligibility 
requirements and the requirements at sections Sec. Sec.  401.703-
401.710 of the proposed rule to serve as a qualified entity, which 
appear, as modified in the following discussion, in sections Sec. Sec.  
401.705-401.721 of this final rule.
    Comment: While we received several comments supporting our proposal 
not to limit the number of qualified entities in a geographic region, 
we also received comments suggesting we limit the number of qualified 
entities eligible to serve in an area. Many of those who suggested 
limiting the number of qualified entities in an area expressed concern 
that allowing multiple qualified entities in a region would lead to 
multiple reports on the same provider or supplier, which would confuse 
both the individual or entity being measured and the consumer. One 
commenter suggested CMS take a phased approach to the number of 
qualified entities, allowing providers to get accustomed to measurement 
before expanding the number of qualified entities.
    Response: We acknowledge commenters' desire to limit the number of 
reports on a provider or supplier; however, we do not anticipate many 
regions will have multiple entities that meet the requirements to serve 
as qualified entities. Specifically, it is difficult to imagine there 
will be many areas where multiple organizations will possess sufficient 
claims data from other sources. Additionally, we believe allowing all 
eligible organizations to serve as qualified entities will encourage 
innovation in measure development and performance reporting. In the 
case that there are multiple organizations in an area that could serve 
as individual qualified entities, we would like to reiterate that these 
organizations could form contractual arrangements with each other and 
apply for the program under a lead applicant.
a. Organizational and Governance Capabilities
    Under organizational and governance capabilities, we proposed to 
evaluate the applicant's capability to perform a variety of tasks 
related to serving as a qualified entity. Tasks included the ability to 
accurately calculate measures from claims data, successfully combine 
claims data from different payers, design performance reports, prepare 
an understandable description of measures, implement a report review 
process for providers and suppliers, maintain a rigorous data privacy 
and security program, and make reports containing provider and supplier 
level data available to the public. We proposed to generally require 
applicants to demonstrate expertise and sustained experience on each of 
the criteria, which could be demonstrated by three or more years of 
experience in each area. We also proposed to consider applications with 
fewer years experience handling claims data and calculating measures, 
and/or limited experience implementing or maintaining a report review 
process for providers and suppliers as long as the applicant has 
sufficient experience in all other areas.
    Comment: Commenters had mixed opinions about the proposed 
requirement of three or more years of experience. Commenters who did 
not support a minimum three years experience were concerned about 
limiting eligibility of otherwise viable entities. On the other hand, 
commenters who strongly supported the eligibility criteria suggested 
lengthening the time requirement to five years.
    Response: While we are sensitive to the desire to allow all 
interested organizations to serve as qualified entities, we believe 
that many viable entities will possess three years of experience, 
particularly now that we have clarified that a qualified entity may 
contract with other entities in order to demonstrate required 
experience. It is essential for the success of the qualified entity 
program that organizations approved as qualified entities have the 
necessary expertise and experience to successfully perform all the 
functions required in the statute. We believe the experience 
requirements we have included are sufficient to ensure organizations 
approved as qualified entities possess the necessary experience to 
successfully meet the requirements of the program.
    Comment: Commenters suggested changes to specific tasks in the 
organizational and governance capabilities section of the eligibility 
criteria. Several commenters asked CMS to only require expertise in the 
areas of measurement the entity is proposing to use instead of all four 
areas of measurement: Quality, efficiency, effectiveness, and resource 
use. Similarly, commenters also noted that not all measures require 
risk-adjustment and requested CMS only require experience in risk-
adjustment if the entity is planning on using measures that incorporate 
risk-adjustment. Commenters also recommended removing the requirement 
that organizations have experience successfully combining claims data 
from different payers, arguing that this requirement would necessitate 
that applicants currently have data from two or more payers other than 
Medicare.
    Response: We agree with commenters about the proposal that would 
have required expertise in all four areas of measurement. As a result, 
we are modifying the eligibility requirements related to these areas of 
performance measurement and will require all applicants to have 
experience calculating quality measures, and, to the extent that they 
propose using such measures, experience calculating efficiency, 
effectiveness and resource use measures. Similarly, we will only 
require entities to have experience with risk-adjustment, if they 
propose using measures requiring risk adjustment. Finally, the law 
requires that a qualified entity combine data from different payers, so 
we will retain that requirement in this final rule.
    Comment: One commenter requested that CMS only approve applicants 
with a demonstrated track record of working with providers and 
suppliers and helping them with quality improvement.
    Response: While we hope this program will support quality 
improvement efforts, the statute only requires qualified entities to 
confidentially make reports available prior to publication and to allow

[[Page 76545]]

providers and suppliers the opportunity to request error correction. We 
believe that our requirement that applicants submit documentation of 
experience in both maintaining a process for providers and suppliers to 
review their reports prior to publication, and providing timely 
response to requests for error correction will be adequate to ensure an 
applicant's ability to work with providers and suppliers to ensure the 
availability of reports and appropriate correction mechanisms.
    Comment: We received several comments on our proposal to require 
applicants to disclose inappropriate disclosures of beneficiary 
identifiable information. Specifically, one commenter suggested that 
requiring disclosure of a 10-year privacy breach history is 
unreasonable. Another commenter requested that CMS include a 
requirement that applicants disclose confirmed violations of State 
privacy laws, in addition to inappropriate disclosures of beneficiary 
identifiable information.
    Response: We believe that requiring an applicant to disclose 10 
years' worth of inappropriate disclosures of beneficiary information is 
a reasonable requirement, but we recognize that some applicants may not 
have a 10 year history. For those entities that do not have a 10 year 
history, we will require reporting the required information for the 
length of time the organization has been in existence. We clarify, 
however, that a qualified entity's application to receive Medicare data 
will be evaluated based on all of the information submitted; a past 
inappropriate disclosure of beneficiary identifiable information will 
not automatically disqualify an entity from participation in the 
program. If an entity's application lists these events, CMS will engage 
in further discussions with that applicant to determine what corrective 
processes the entity has put in place to avoid future inappropriate 
disclosure of beneficiary identifiable information. We agree that 
violations of State, as well as federal, privacy and security laws 
should also be submitted to CMS and will add this requirement to the 
eligibility criteria. For clarity, we have rephrased the proposed 
language in Sec.  410.705(a)(1)(vii) that referred to violations of 
State privacy laws or HIPAA violations to read ``violations of 
applicable federal and State privacy and security laws and 
regulations'' to encompass the full range of information privacy and 
security laws and regulations at both the federal and State levels with 
which the applicant may have to comply. In addition to demonstrating 
experience and expertise, we also proposed to require qualified 
entities to submit a business model for covering the cost of required 
functions.
    Comment: Some commenters argued that requiring prospective 
applicants to submit a business model is too prescriptive, while others 
were supportive of this requirement. A handful of commenters asked CMS 
for guidance on financing mechanisms, as well as whether they could 
change a fee for the reports or license the data for secondary use.
    Response: In requiring submission of a business model, it was not 
our intent to be overly prescriptive. Rather, we were seeking to ensure 
that the qualified entities would have the resources necessary to carry 
out what we expect would be a relatively resource-intensive and 
important undertaking. We expect that by requiring submission of a 
business plan qualified entities would be more likely to have a viable 
business model under which they would be able to carry out their 
obligations under the qualified entity program. We do not intend to 
limit an organization's ability to change or adapt its business plan 
once approved as a qualified entity. We only ask that the qualified 
entity demonstrate that it has thought through what it would need to do 
to succeed. Finally, as for financing mechanisms, we note that the 
qualified entity program regulations do not generally place any added 
limitations on what is otherwise feasible under applicable laws. For 
example, the content of the publicly released reports will be subject 
to existing laws on copyright. Qualified entities cannot, however, 
charge providers or suppliers for the confidential copies of the pre-
publication reports that qualified entities are required to provide in 
advance of publication. Furthermore, qualified entities must publically 
report measure results free of charge and in a manner that is 
consistent with the requirements in Section 1874(e)(4)(C) of the Act. 
We encourage qualified entities to be innovative in creating business 
models to support their efforts.
b. Addition of Claims Data From Other Sources
    In accordance with the statutory requirements at section 
1874(e)(4)(B)(iii), we proposed to require entities to have claims data 
from non-title 18 (Medicare) sources to combine with Medicare data. We 
proposed to require possession of such other data at the time of their 
application. We defined claims data as administrative claims, meaning 
data that is not chart-abstracted data, registry data, or data from 
electronic health records. We proposed to require entities to 
demonstrate to CMS that the other claims data they possess is 
sufficient to address issues of sample size and reliability expressed 
by stakeholders regarding the calculation of performance measures from 
a single payer source. We also requested comment on whether CMS should 
require entities to possess claims data from two or more other sources 
to be eligible to serve as a qualified entity.
    Comments: Some commenters were supportive of the requirement that 
entities possess claims data from other sources at the time of 
application, but others argued that this requirement is too restrictive 
and not consistent with the intent of the statute. Specifically, 
commenters argued that it might be difficult to acquire claims data 
from other sources without approval from CMS to serve as a qualified 
entity. Other commenters sought clarification on whether qualified 
entities had to physically possess claims data from other sources or 
whether agreements with owners of claims data from other sources and 
proof of a functioning distributed data approach, meaning that claims 
data from different sources residing at different physical locations as 
long as measure results could be securely and accurately aggregated, 
would suffice.
    Response: While most organizations that are experienced in 
performance measurement will already have claims data they are using 
for performance measurement, we understand commenters' concerns about 
the requirement that entities possess claims data from other sources at 
the time of application. Therefore, for those applicants that do not 
have access to other claims data at the time of their application, we 
will create a conditional approval process. First, applicants that are 
found to meet all the requirements of the program, but do not have 
access to other claims data at the time of their application, will 
receive a conditional acceptance. Then, once an entity with a 
conditional acceptance gets access to adequate claims data from other 
sources, it will submit documentation that the claims data from other 
sources that it intends to combine with the Medicare data received 
under this subpart address the methodological concerns regarding sample 
size and reliability that have been expressed by stakeholders regarding 
the calculation of performance measures from a single payer source. CMS 
will review the documentation and if the amount of other claims data is 
found to be sufficient, the entity will pay a fee equal to the cost of 
CMS making the data

[[Page 76546]]

available and execute a Data Use Agreement (DUA) with CMS to be 
approved as a qualified entity. A conditionally approved qualified 
entity will not be eligible to receive Medicare claims data or the 
beneficiary crosswalk (discussed further in Section D.1) until it has 
received full approval, pays a fee equal to the cost of making the data 
available, and signs a DUA.
    This conditional approval process will be in addition to the normal 
approval process that will remain in place for those applicants that 
have access to a sufficient amount of other claims data at the time of 
their application. Additionally, we want to clarify that distributed 
data approaches, as described above, are permissible under the scope of 
this program.
    Comment: We received several comments asking CMS to clarify the 
amount of other claims data applicants must possess. Commenters also 
asked if CMS would consider Medicaid data to be other claims data.
    Response: As stated in the proposed rule, we do not believe it is 
feasible to establish an absolute threshold for a minimum amount of 
additional claims data. Rather, we ask applicants to explain how the 
data they do have for use in the qualified entity program will be 
adequate to address the concerns about small sample size and 
reliability that have been expressed by stakeholders regarding the 
calculation of performance measures from a single payer source. Each 
application will be evaluated on its collective merits, including the 
amount of claims data from other sources and its explanation on why 
that data, in combination with the requested Medicare data, is adequate 
for the stated purposes of this program. ``Other claims data'' can 
include Medicaid data as well as any private payer claims data.
    Comment: We also received mixed comments on our proposal to require 
organizations to have two or more data sources at the time of 
application. Some commenters said this requirement seemed appropriate, 
while others argued it was too burdensome. One commenter argued that 
unless combined data represents at least 90 percent of a provider's 
practice, any resulting quality measurements will not be meaningful.
    Response: We based our proposal about acquiring data from two or 
more sources on the interests of providers, suppliers, and consumers to 
have reports that provide valid results that cover an adequate portion 
of the providers' or suppliers' patients. However, in certain cases, 
one source may provide a sufficient amount of other claims data such 
that, when the other claims data is combined with Medicare data, it 
covers a considerable portion of a provider's or supplier's patients. 
We will therefore not require an applicant to have two sources of 
additional claims data, but we note that claims data from two or more 
sources is preferable to data from only one other source. We 
acknowledge that it is important for the combined data to represent a 
large portion of a provider's business, but believe an arbitrary 
requirement of 90 percent is unnecessarily high, especially given that 
the program is just beginning.
c. Data Privacy and Security
    We proposed to require applicants to demonstrate their capabilities 
to establish, maintain, and monitor a rigorous privacy and security 
program, including programs to educate staff on privacy and data 
security protocols.
    Comments related to the proposed data privacy and security 
eligibility criteria requirements are covered in the Data Security and 
Privacy section below in section II.D. of this final rule.
3. Operating and Governance Requirements for Serving as a Qualified 
Entity
    We require documentation of operating and governance requirements 
at the time of application for several key activities. We proposed that 
applicants would submit as part of their application: (1) The measures 
they intend to use, including methodologies and a rationale for using 
the measure; (2) the report review process they would use with 
providers and suppliers, including addressing requests for data and 
error correction; and (3) a prototype for required reports, including 
the methods for disseminating reports.
    Comments: We received several comments that the submission of 
measures and methodologies, as well as a prototype for reports at the 
time of application is too burdensome. Additionally, commenters argued 
that 90 days notice for approval of changes was too long and that 
certain types of minor changes to the report prototype need not trigger 
CMS approval. Several commenters also argued that submitting 
specifications on standard measures is unnecessary since these measures 
have established specifications and are generally publically available.
    Response: We understand organizations' desire to have flexibility 
in selecting measures and report formats. We also believe that making 
these decisions is a key aspect of serving as a qualified entity and is 
important enough to require the submission of proposed plans prior to 
being approved as a qualified entity. However, we recognize commenters' 
desire to ensure measures and report formats are approved and available 
for use as quickly as possible. Therefore, we will change the timeframe 
for CMS approval to 30 days. Qualified entities may change selected 
measures, and may modify their report prototype, with 30 days notice to 
CMS and CMS approval of the changes or modifications. We believe that 
the majority of changes proposed by qualified entities will be 
straightforward and CMS will be able to comfortably conduct a review 
and approval within 30 days of submission; however, in certain 
circumstances CMS may request an additional 30 days to approve more 
wide-reaching changes or modifications. If a CMS decision on approval 
or disapproval for a change or modification is not forthcoming within 
30 days and CMS does not request an additional 30 days for review, the 
change or modification shall be deemed to be approved.
    We acknowledge the interest in only requiring CMS approval for 
substantive changes in the prototype reports. However, as it is the 
first year of the program, we are still determining the types of 
changes to the prototype reports that qualified entities will need to 
submit to CMS for approval. CMS is considering releasing guidance on 
the types of changes to the report prototype that need not be submitted 
once the qualified entity program has started.
    We agree with commenters that including standard measure 
specifications is unnecessary. Thus far, available standard measures 
only include measures endorsed by the National Quality Forum and CMS 
measures; and the specifications for these measures are available to 
the public. Therefore, we will only require applicants to include 
measure specifications for alternative measures. We will use future 
rulemaking to address the submission of specifications for standard 
measures if the public availability of standard measure specifications 
changes in the future.
    Comment: One commenter requested that CMS require each applicant to 
submit an analytic plan clarifying its goals relative to the statute.
    Response: We believe that the requirement for entities to submit a 
rationale for selecting each measure, including its relationship to 
existing measurement efforts, addresses the issue of an organization's 
goals as they relate to the statute. We believe this is sufficient 
documentation of an organization's plans.
    Comment: One commenter requested that CMS require applicants to 
submit

[[Page 76547]]

conflict of interest information. Commenters were concerned that 
conflicts of interest could result in inaccurate or misleading 
reporting. One commenter specifically requested that qualified entities 
be required to attest that they have no relationship or affiliation 
with any health plans, insurers, providers, suppliers, manufacturers or 
other entities that may have an interest in or use for the data.
    Response: We do not believe it is necessary for applicants to 
submit information on conflicts of interest to CMS. We expect that many 
qualified entities will have relationships with health plans, insurers, 
providers and suppliers, and other entities that have an interest in or 
use for the data in order to meet the requirements of the qualified 
entity program, such as obtaining other claims data or disseminating 
performance results. We believe the eligibility requirements and 
monitoring requirements will ensure that the organizations who serve as 
qualified entities comply with the requirements of the program.

B. Definition, Selection, and Use of Performance Measures

1. Standard and Alternative Measures
    The statute permits qualified entities to use both standard and 
alternative measures. We proposed to define standard measures as any 
claims-based measure endorsed (or time-limited endorsed) by the entity 
with a contract under section 1890(a) of the Act (currently the 
National Quality Forum), any claims-based measure that is currently 
being used in a CMS program that includes quality measurement, or any 
measure developed pursuant to Section 931 of the Public Health Service 
Act. The statute requires the Secretary to consult with appropriate 
stakeholders as to whether the use of alternative measures would be 
more valid, reliable, responsive to consumer preferences, cost-
effective, or relevant to dimensions of quality and resource use not 
addressed by standard measures. In light of these requirements, we 
proposed to define alternative measures as any claims-based measure 
that, while not a standard measure, was adopted by the Secretary 
through a notice and comment rulemaking process. Qualified entities 
would submit proposed alternative measures to CMS who would then make 
the proposed alternative measures available for stakeholder input via a 
proposed rule, and, where appropriate, following receipt of public 
comments, the Secretary would determine which alternative measures to 
approve for use in the program.
    Comment: Some commenters suggested that qualified entities be 
allowed to calculate measures that are not based solely on claims data. 
Specifically, commenters were interested in calculating measures that 
involve combining claims data with clinical data (for example, registry 
data or chart-abstracted data). Commenters argued that allowing 
qualified entities to use these measures would expand the list of 
available measures. Several commenters also expressed that the use of 
these types of measures would help produce a more accurate picture of 
provider and supplier performance.
    Response: We recognize commenters' desire to use clinical data 
combined with claims data when calculating standard and alternative 
measures. Given the added value that clinical data brings to 
performance measurement, whenever standard or alternative measures 
provide for the use of clinical data, we will allow qualified entities 
to use clinical data in combination with Medicare and other claims data 
to calculate those standard and alternative measures. We have added a 
definition of clinical data at Sec.  401.703(i), specifically clinical 
data is registry data, chart-abstracted data, laboratory results, 
electronic health record information, or other information relating to 
the care or services provided to patients that is not included in 
administrative claims data. Measurement efforts using clinical data 
would only be supported under the qualified entity program if the 
clinical data is combined with the qualified entity's Medicare and 
other claims data to calculate the measures. These regulations do not 
address the use and publication of purely clinical-based measures.
    Furthermore, we recognize the near impossibility of combining 
Medicare claims data with clinical data without an identifier to link 
them. As a result, we are changing the proposed process for releasing 
beneficiary identifiable information to allow--with strict privacy and 
security standards--for the disclosure of identifiers to qualified 
entities; this change is discussed in more detail in the Privacy and 
Security requirements section below.
    Comment: Many commenters were supportive of the alternative measure 
review process. However, several commenters argued that the notice and 
comment rulemaking process was overly burdensome on qualified entities, 
would significantly restrict innovation in measure development and use, 
and was contrary to the overall goals of the provision. Some commenters 
proposed that qualified entities only be required to seek the 
permission of local stakeholders before calculating and reporting 
alternative measures. However, other commenters argued that the notice 
and comment rulemaking process provided appropriate safeguards against 
the public reporting of untested measures.
    Response: We believe that the intent of the alternative measure 
provision in statute is to promote innovation in claims-based 
performance measurement, while ensuring that measures are not used in 
the qualified entity program without proper testing and validation. 
That said, in light of the comments received, we believe that greater 
flexibility could be afforded to qualified entities to better balance 
innovation with appropriate use. We are therefore adding additional 
flexibility into the alternative measure process by adding a second 
avenue by which to seek Secretarial approval of alternative measures. 
In order to receive approval to use an alternative measure under this 
new avenue, a qualified entity will need to submit documentation to CMS 
outlining consultation and agreement with stakeholders in the 
geographic region the qualified entity serves, and evidence that the 
measure is ``more valid, reliable, responsive to consumer preferences, 
cost-effective, or relevant to dimensions of quality and resource use 
not addressed by such standard measures'' in accordance with the 
statutory requirements at Section 1874(e)(4)(B)(ii)(II). Stakeholders 
must include a valid cross representation of providers, suppliers, 
employers, payers, and consumers. At a minimum, a qualified entity must 
submit:
     A description of the process by which the qualified entity 
notified stakeholders of its intent to seek approval of an alternative 
measure.
     A list of stakeholders from whom feedback was solicited, 
including the stakeholder names and each stakeholder's role in the 
community.
     A description of the discussion about the proposed 
alternative measure, including a summary of all pertinent arguments for 
and against use of the measure.
     An explanation backed by scientific evidence that 
demonstrates why the measure is ``more valid, reliable, responsive to 
consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use not addressed by [a] standard measure.''
    CMS will review the submission and make a decision as to whether 
the qualified entity has consulted the appropriate stakeholders and 
whether the new measure meets the requirements for alternative measures 
at Section 1874(e)(4)(B)(ii)(II) of the Act.

[[Page 76548]]

Qualified entities must send all the information required for approval 
of an alternative measure to CMS at least 60 days prior to its intended 
use of the measure. CMS will make every effort to ensure that measures 
are approved during the 60 day period. If a CMS decision on approval or 
disapproval for an alternative measure is not forthcoming within 60 
days, the measure shall be deemed to be approved. However, CMS retains 
the right to disapprove a measure if, even after 60 days, in accordance 
with the statutory requirements at Section 1874(e)(4)(B)(ii)(II) it is 
found to not be ``more valid, reliable, responsive to consumer 
preferences, cost-effective, or relevant to dimensions of quality and 
resource'' than a standard measure. Once a measure is approved CMS will 
release the name of the measure, as well as the scientific evidence 
that demonstrates why the measure is ``more valid, reliable, responsive 
to consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use not addressed by [a] standard measure.''
    Alternative measures submitted and approved using this process may 
only be used by the qualified entity that submitted the measure for 
consideration because the stakeholder consultation approval process 
only requires consultation with stakeholders in the geographic region 
the qualified entity serves. If another qualified entity wishes to use 
the same measure, it would need to consult with stakeholders in its own 
community, and submit its own request for alternative measure approval 
under the rulemaking or stakeholder consultation approval process. 
However, we recognize that scientific evidence demonstrating that the 
measure is ``more valid, reliable, responsive to consumer preferences, 
cost-effective, or relevant to dimensions of quality and resource use 
not addressed by [a] standard measure'' will not differ for a measure 
in use across communities. Therefore, once an alternative measure is 
approved for use via the stakeholder consultation approval process, 
future requests for use of an identical measure will not need to 
include the same explanation backed by scientific evidence that 
demonstrates why the measure is ``more valid, reliable, responsive to 
consumer preferences, cost-effective, or relevant to dimensions of 
quality and resource use not addressed by [a] standard measure.'' 
However, if there is scientific evidence that has become available 
since the measure was approved by CMS, the qualified entity seeking to 
use that measure must conduct the necessary research and provide that 
new scientific evidence to CMS.
    We will also retain the notice and comment rulemaking process as a 
second option for the approval of alternative measures. As discussed in 
the proposed rule, alternative measures approved through notice and 
comment rulemaking may be used by any qualified entity up until the 
point that an equivalent standard measure for the particular clinical 
area or condition becomes available.
    Comment: One commenter suggested that the alternative measure 
process as outlined conflicted with the process under Section 3014 of 
the Affordable Care Act.
    Response: Section 1874(e)(4)(B)(ii)(I) provides for the use of 
standard measures such as the measures endorsed by the entity with a 
contract under section 1890(a) of the Act (currently NQF) and measures 
developed pursuant to section 931 of the Public Health Service Act. 
Section 1874(e)(4)(B)(ii)(II) provides for use of additional measures 
that are not approved by such entities. This latter category explicitly 
provides for the approval and use of non-NQF standards. Furthermore, 
section 3014 of the Affordable Care Act does not require the Secretary 
to use the recognized standards by the entity with a contract under 
section 1890(a) of the Act. It merely serves to provide recommendations 
on appropriate standards to consider.
    Comment: Several commenters questioned whether the requirement for 
qualified entities to cease using alternative measures within six 
months of an equivalent standard measure being endorsed was reasonable.
    Response: We believe six months is a reasonable time period for 
qualified entities to transition to using newly endorsed standard 
measures equivalent to existing alternative measures or to submit 
scientific justification to file a request for alternative measure 
approval.
    Comment: We received several comments on our definition of standard 
measures. While many commenters were supportive of our definition, one 
commenter suggested that we change our definition of standard measures 
to include measures endorsed by consensus-based entities other than the 
NQF. The commenter specifically mentioned the Patient Charter, a 2008 
agreement among consumer, purchaser, provider and insurer groups on 
principles to guide performance reporting. Other commenters asked if 
all NQF-endorsed measures were standard measures. One commenter asked 
that standard measures be limited to true outcome measures in order to 
measure the effectiveness of care.
    Response: We appreciate the suggestion to include measures endorsed 
by consensus-based entities other than the NQF and have changed our 
definition of standard measures to include such measures. Specifically, 
we will now include as a standard measure any measure calculated in 
full or in part from claims data that is endorsed by a consensus-based 
entity, providing that the consensus-based entity has been approved as 
such by CMS. Rather than defining consensus-based entities in advance, 
CMS will approve organizations as consensus based entities on an as 
needed basis.
    To receive approval as a consensus-based entity, an organization 
will need to submit information to CMS documenting their processes for 
stakeholder consultation and measure approval. Such documentation must 
show that the entity has a prescribed process for vetting and approving 
measures that includes representation from all types of stakeholders 
relevant to the topic being measured. The description of the approval 
process must be publicly available and the stakeholder consultation 
must be open to any that are interested in participating. Additionally, 
organizations will only receive approval as a consensus-based entity if 
all measure specifications are publicly available. Consensus-based 
entities will receive approval for a time period of three years and 
their endorsed measures will be made available to all qualified 
entities. CMS will also make a list of approved consensus-based 
entities available publicly. After three years, organizations will 
simply have to resubmit documentation on their processes for 
stakeholder consultation and measure again, noting any changes from 
their original submission.
    Regarding the request that we add a requirement that standard 
measures be ``outcome measures,'' which we understand to mean measures 
that evaluate final results, such as mortality rates, we feel that 
imposing this requirement would substantially reduce the number of 
available standard measures. Additionally, while we agree that outcome 
measures may be better indicators of the effectiveness of care, we feel 
process measures will also offer the public, as well as providers and 
suppliers, important information on performance. Therefore, we have not 
incorporated this suggestion.
    Comment: One commenter suggested that the rule should permit the 
use of composite measures.

[[Page 76549]]

    Response: We believe that composite measures can be calculated and 
reported under the revised alternative measure process we established 
in this final rule.
    Comment: One commenter suggested that the rule should permit 
qualified entities to withdraw measures prior to public reporting if 
the measure results turn out to be unreliable.
    Response: We appreciate this suggestion; however, the statute 
requires public reporting of all measures. Specifically, Section 
1874(e)(4)(C)(iv) requires the reports be made available to the public, 
while allowing for confidential review by providers and suppliers. We 
note that this does not prohibit commentary on the measure and results 
in the report. We hope that qualified entities will take the 
requirement of public reporting into consideration when determining 
which measures should be calculated under this program. We recognize 
that there may be errors in measure calculation and believe that the 
confidential reporting and appeals process will help qualified entities 
discover and correct any errors in the calculation of measures.
    Comment: We received a variety of comments on measurement 
methodologies. Several commenters suggested that CMS should be more 
proscriptive regarding the types of attribution, risk adjustment, and 
benchmarking methods qualified entities should employ and that 
methodology descriptions should be standardized across payers and 
qualified entities. Commenters were also concerned about payment 
standardization as it relates to efficiency and resource use measures. 
Payment standardization is viewed as an important methodological 
approach to normalize comparisons of resource use across providers and 
suppliers. Several commenters also stressed the need for accurate 
attribution and risk adjustment in general. One commenter asked if 
methodologies employed by the qualified entity could change during the 
three-year agreement period. One commenter urged CMS to require 
qualified entities to submit to CMS a specific description of how it 
will handle outlier providers and ensure that a report of a provider's 
or supplier's performance is accurately adjusted as appropriate to 
reflect characteristics of the patient population.
    Response: The statute does not require CMS to be proscriptive in 
this regard. Consistent with the statute, the proposed rule would 
require qualified entities to submit to the Secretary a description of 
methodologies that the qualified entity proposes to use to evaluate the 
performance of providers and suppliers. The proposed rule would also 
require qualified entities to include an understandable description of 
their attribution, risk adjustment, and benchmarking methods so that 
report recipients can properly assess such reports. We agree with 
commenters that payment standardization is an important aspect of 
measurement methodologies, and agree that payment standardization 
methodologies should be included where appropriate. Therefore, we have 
added a requirement that qualified entities include information on 
payment standardization when appropriate.
    Additionally, we feel that performance measurement is evolving, and 
that clear standards for attribution, risk adjustment, and benchmarking 
have not yet emerged, and therefore it would be inappropriate for CMS 
to preemptively determine such standards. We are confident that as 
qualified entities and the performance measurement environment matures 
over the coming years methodologies will begin to coalesce around 
clearly defined standards. As discussed above, qualified entities can 
change methodologies during the three year agreement period provided 
they give appropriate notice to CMS and receive CMS' approval. 
Regarding outliers, we feel that this issue will be adequately 
addressed in the requirements at Sec.  401.707(b)(5)(ii) for a 
qualified entity to provide details on methodologies it intends to use 
in creating reports with respect to benchmarking performance data, 
including methods for creating peer groups, justification of minimum 
sample size determinations, and methods for handling statistical 
outliers, to both CMS and users of the reports.
    Comment: One commenter asked about the release of the details of 
proprietary methodologies and proprietary measure specifications to 
CMS.
    Response: While we understand the concerns about releasing 
methodologies for proprietary measures, we believe that the goal of 
this program is to increase transparency. As discussed above in section 
II.A.3., we are not requiring qualified entities to submit measure 
specifications for standard measures because, thus far, all 
specifications for these measures are available to the public. However, 
we believe that, in order for CMS to evaluate a qualified entity's 
proposed plan for calculating measures, disclosure of proprietary 
measure methodologies and proprietary specifications for alternative 
measures to CMS as part of the application process is warranted. The 
Trade Secrets Act (18 U.S.C. 1905) bars CMS from re-disclosing 
proprietary information unless it is authorized to do so by law. Any 
disclosure to CMS regarding measurement methodologies or specifications 
will generally not be made public by CMS. As a result, we feel it is 
appropriate to require the disclosure of detailed methodologies and 
specifications for alternative measures to CMS as part of the 
application.
    Additionally, qualified entities will be required to disclose 
proprietary measure methodologies to providers and suppliers as a part 
of the confidential review process. We believe it is essential for 
providers and suppliers to understand exactly how the measure is 
calculated in order to review their results. To protect proprietary 
methodologies, a qualified entity may choose to limit further 
disclosure of proprietary measure methodologies, perhaps by requiring a 
provider or supplier to execute a non-disclosure agreement as a 
condition of that disclosure; however, the qualified entity must share 
the proprietary measure methodologies with the provider or supplier 
regardless of whether they are willing to execute a non-disclosure 
agreement. If a qualified entity does not wish to share proprietary 
measure methodologies with both CMS and providers or suppliers, it 
should not seek approval to use those measures in the qualified entity 
program.
    Comment: One commenter suggested that all proposed measures, both 
standard and alternative, be open for public review by providers and 
suppliers prior to approval.
    Response: We do not feel that this requirement is necessary. 
Standard measures as currently defined have already been subject to 
multi stakeholder input and approval either through the entity with a 
contract under section 1890(a) of the Act (currently NQF) or through 
public comment via notice and comment rulemaking in the case of CMS 
measures. Also, any measures developed by a consensus based entity will 
have gone through some form of stakeholder consultation. Thus far, 
there have been no measures developed pursuant to section 931 of the 
Public Health Service Act; however, section 931 requires consultation 
with stakeholders during the quality measure development process. 
Further, both of the alternative measure processes include requirements 
regarding stakeholder input.
    Comment: Several commenters urged CMS to provide a comprehensive 
list of

[[Page 76550]]

the standard and alternative measures that qualified entities may use.
    Response: We plan to release a list of standard measures to 
potential qualified entity applicants prior to the start of the 
program. We would like to note, however, that this list will be dynamic 
since the entity with the contract under section 1890(a) of the Act 
(currently NQF) is continually reviewing measures for endorsement and 
CMS is continually undergoing rulemaking to add measures to our 
programs. Additionally, as new consensus based entities are approved by 
CMS, additional standard measures will be available for use by 
qualified entities. We will also release a list of approved alternative 
measures once alternative measures are approved. Qualified entities are 
encouraged to check these lists frequently to ensure they have the most 
accurate information regarding acceptable measures.
2. Reports and Reporting
    Section 1874(e)(4)(C)(ii) of the Act requires qualified entities to 
make their draft reports available in a confidential manner to 
providers and suppliers identified in the reports before such reports 
are released publicly in order to offer them an opportunity to review 
these reports, and, if appropriate, appeal to request correction of any 
errors. After reports have been shared confidentially with providers 
and suppliers, and there has been an opportunity to have any errors 
corrected, Section 1874(e)(4)(C)(iv) of the Act requires the reports to 
be made available to the public.
    As stated in the statute at Section 1874(e)(4)(C)(i) of the Act, 
the reports must include ``an understandable description'' of the 
measures, rationale for use, methodology (including risk-adjustment and 
physician attribution methods), data specifications and limitations, 
and sponsors. We interpreted ``an understandable description'' to mean 
any descriptions that can be easily read and understood by a lay 
person. Additionally, the reports to the public may only include data 
on providers or suppliers at the provider or supplier level with no 
claim or patient-level information to ensure beneficiary privacy.
    We proposed requiring qualified entities to submit prototype 
reports for both the reports they would send to providers and 
suppliers, and the reports they would release to the public (if they 
are different) in their application, including the narrative language 
they plan to use in the reports to describe the data and results.
    Comment: We received several comments about the reporting process 
generally. One commenter asked that qualified entities be required to 
report less frequently than once per year, as proposed. Other 
commenters asked that qualified entities be required to report more 
frequently than once per year. Yet other commenters expressed concern 
about public reporting and asked that no measurement data be publicly 
reported at all.
    Response: The statute, at 1874(e)(C)(iv), requires qualified entity 
reports to be made available to the public after they are made 
available to providers and suppliers for review and requests for 
corrections. We have no discretion to allow qualified entities to 
produce reports for confidential use only. While the statute does not 
mention any specific frequency of public reporting, we believe that 
once per year is an appropriate requirement. Requiring public reporting 
once per year strikes a balance between reporting frequently enough 
that the information is actionable for consumers, and not reporting so 
frequently that providers and suppliers constantly have to 
confidentially review reports. However, we note that reporting once per 
year is the minimum requirement. A qualified entity may choose to 
report more frequently than once per year, as long as it is still able 
to meet the requirement of allowing providers and suppliers the 
opportunity to review and request error correction.
    Comment: Commenters raised questions about the possibility of 
providers and suppliers receiving multiple reports, which may 
potentially contain contradictory or confusing performance measure 
results. Some commenters reques