Privacy Act of 1974; Report of New System of Records, 32547-32550 [2014-13012]

Agencies

• Centers for Medicare & Medicaid Services
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 79, Number 108 (Thursday, June 5, 2014)]
[Notices]
[Pages 32547-32550]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-13012]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of New System of Records

AGENCY:  Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of a New System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, CMS is establishing a new SOR titled, ``Open Payments,'' System 
No. 09-70-0507, to implement the requirements in Section 6002 of the 
Patient Protection and Affordable Care Act of 2010 (ACA) (Pub. L. 111-
148), which added section 1128G to the Social Security Act (the Act). 
The Open Payments program requires applicable manufacturers and 
applicable Group Purchasing Organizations (GPOs) to report payments and 
other transfers of value to covered physician recipients as defined by 
42 CFR 403.902, as well as certain ownership or investment interests 
held by physicians and/or their immediate family members in such 
applicable manufacturers and/or applicable GPOs. CMS is required to 
publish the data submitted by applicable manufacturers or GPOs on a 
public Web site.

DATES: Effective Dates: July 7, 2014. Written comments should be 
submitted on or before the effective date. HHS/CMS/Center for Program 
Integrity (CPI) may publish an amended SORN in light of any comments 
received.

ADDRESSES: The public should address comments to: CMS Privacy Officer, 
Privacy Policy Compliance Group, Office of E-Health Standards & 
Services, Office of Enterprise Management, CMS, 7500 Security 
Boulevard, Baltimore, MD 21244-1870, Mailstop: S2-24-25, Office: (410) 
786-5357, Email: walter.stone@cms.hhs.gov. Comments received will be 
available for review at this location, by appointment, during regular 
business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern 
Time zone.

FOR FURTHER INFORMATION CONTACT:  Data Sharing and Partnership Group, 
Center for Program Integrity, Centers for Medicare & Medicaid Services, 
7210 Ambassador Road, Mail Stop AR-18-50, Baltimore, MD 21244. Email: 
veronika.peleshchukfradlin@cms.hhs.gov.

SUPPLEMENTARY INFORMATION: Applicable Manufacturers and/or applicable 
GPOs are required to report payments and other transfers of value to 
covered physician recipients. Additionally, applicable manufacturers 
and/or applicable GPOs are required to report information pertaining to 
certain ownership or investment interests held by physicians and/or 
their immediate family members in such applicable manufacturers and/or 
applicable GPOs. Such reports are to be made annually to CMS in an 
electronic format. Applicable Manufacturers and/or applicable GPOs are 
subject to civil monetary penalties for failing to comply with the 
reporting requirements. CMS will publish the reported data on a public 
Web site. The data must be downloadable, easily searchable, and 
aggregated. In addition, CMS must submit annual reports to the Congress 
and each state summarizing the data reported.
    Title 42 Code of Federal Regulations (CFR) 403.908(g) provides 
covered physician recipients and physicians who are owners or investors 
a 45-day review period to review data submitted about them and submit 
corrections prior to the data becoming available to the public. 
Additionally, 42 CFR 403.908(g)(3)(iv) and (v) provides covered 
physician recipients and physicians who are owners or investors an 
opportunity to dispute the accuracy of such information. Covered 
physician recipients and physician owners or investors will indicate 
which information regarding a specific payment or other transfer of 
value is being disputed. Applicable Manufacturers and/or applicable 
GPOs will receive a notification that a covered physician recipient 
and/or a physician who is an owner or investor is disputing reported 
information. The dispute resolution process is between the applicable 
manufacturers and/or the applicable GPOs, and the covered physician 
recipients and physicians who are owners or investors. If a dispute is 
resolved or if errors/omissions are discovered, the applicable 
manufacturer or applicable GPO is required to submit corrected data to 
CMS. Upon receipt, CMS notifies the affected covered physician 
recipient and/or the physician who is an owner or investor that the 
additional information has been submitted and is available for review. 
CMS updates the Web site at least once annually with corrected 
information.

The Privacy Act

    The Privacy Act governs the collection, maintenance, use, and 
dissemination of certain information about individuals by agencies of 
the Federal Government.

[[Page 32548]]

    A ``SOR'' is a group of any records under the control of a Federal 
agency from which information about individuals is retrieved by name or 
other personal identifier. The Privacy Act requires each agency to 
publish in the Federal Register a description of the type and character 
of each system of records that the agency maintains, and the routine 
uses that are contained in each system to make agency recordkeeping 
practices transparent, to notify individuals regarding the uses to 
which their records are put, and to assist individuals to more easily 
find such files within the agency.
System Number: 09-70-0507

System Name:
    Open Payments System.

Security Classification:
    Unclassified.

System Location:
    Lockheed Martin's Virtual Data Center hosted by Terremark Network 
Access Point (NAP) of the National Capital Region (NCR) facility 
located at Culpeper, Virginia and CMS Data Center, Baltimore, Maryland 
21244-1850.

Categories Of Individuals Covered By The System:
    The system will contain information about the following categories 
of individuals covered by the Open Payments program: (1) Physicians and 
authorized representatives of physicians and teaching hospitals and, 
(2) any applicable manufacturers and applicable GPO system users.

Categories Of Records In The System:
    Information collected about applicable manufacturers or applicable 
GPOs includes but is not limited to profile information for the company 
and users interacting with the Open Payments system on the applicable 
manufacturers or applicable GPOs' behalf. Such information includes but 
may not be limited to user first name and last name, business contact 
information and job title.
    Information collected about physicians in the Open Payments system 
includes but is not limited to physician's name, specialty, business 
address, business phone number, National Provider Identifier (NPI) 
number, state license numbers, types and descriptions as to the nature 
and form of payments received from applicable manufacturers or 
applicable GPOs, amounts of payments, natures and context of payments 
and dates of payments. With respect to payments that were made in 
relation to a particular covered drug, device, biological, or medical 
supply, the name of that covered drug, device, biological, or medical 
supply shall also be reported. With respect to physicians who hold 
certain ownership or investment interests in such manufacturers and/or 
GPOs, or who have immediate family members who hold such ownership or 
investment interests in such manufacturers and/or GPOs, collected 
information will include the dollar amount invested; the value and 
terms of such ownership or investment, and information pertaining to 
any payment or other transfer of value provided to a physician holding 
such an ownership interest.
    Teaching hospital information also includes profile information for 
the users interacting with the Open Payments system on the hospital's 
behalf. Such information includes but may not be limited to user's 
first name and last name, business contact information, and job title.

Authority For Maintenance Of The System:
    Authority for the SOR is given by Title 42 U.S.C. Sec.  1128G [42 
U.S.C. 1320a-7h].

Purpose(S) Of The System:
    The purpose(s) of this SOR is to maintain information submitted by 
applicable manufacturers and/or applicable GPOs regarding payments or 
other transfers of value provided to covered physician recipients, as 
well as certain ownership or investment interests in such entities held 
by physicians and/or their immediate family members. CMS may use 
information from this system to: (1) Support regulatory, reimbursement, 
and policy functions performed by Agency contractors, consultants, or 
CMS grantees; (2) assist Federal agencies and their fiscal agents in 
performing the statutory functions of the Open Payments; (3) assist 
applicable manufacturers or applicable GPOs with the statutory 
reporting requirements; (4) comply with the requirements of 42 U.S.C. 
1320a-7h, and publish the information submitted on a public Web site; 
(5) support research and program evaluation activities; (6) support 
litigation involving the agency; (7) assist with fraud, waste, and 
abuse detection and prevention activities; (8) assist agencies, 
entities, contractors, or persons tasked with the response and remedial 
efforts in the event of a breach of information, and (9) assist the 
U.S. Department of Homeland Security (DHS) cyber security personnel.

Routine Uses Of Records Maintained In The System, Including Categories 
Or Users And The Purposes Of Such Uses:
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
release information from Open Payments without the consent of the 
individual to whom such information pertains. Each proposed disclosure 
of information under these routine uses will be evaluated to ensure 
that the disclosure is legally permissible, including but not limited 
to ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We propose to 
establish the following routine use disclosures of information 
maintained in the system:
    1. To support Agency personnel, contractors, consultants, or CMS 
grantees who have been engaged by the Agency to assist in 
accomplishment of a CMS function relating to the purposes for this 
collection and who need to have access to the records in order to 
assist CMS.
    2. To assist another Federal, agency of a State government, an 
agency established by State law, or its fiscal agents with information 
that is necessary and/or required in order to perform the statutory 
functions of Open Payments.
    3. To provide applicable manufacturers and applicable GPOs with 
information they need to meet any statutory requirements of the 
program, assist with other reports as required by CMS, and to assist in 
the implementation of statutory reporting requirements.
    4. To comply with the requirements of Section 6002 of the ACA and 
42 CFR Part 403 to publish payment or other transfers of value and 
investment interest information submitted by applicable manufacturers 
or applicable GPOs on a public Web site. CMS will notify covered 
recipients, physician owners and investors, and applicable 
manufacturers or applicable GPOs when data are available for public 
viewing via a public announcements and listserv messages.
    5. To support an individual or organization for research, program 
evaluation or epidemiological projects related to transparency 
initiatives around financial relationships between drug and medical 
device manufacturers and physicians, and teaching hospitals.
    6. To provide information to the U.S. Department of Justice (DOJ), 
a court, or an adjudicatory body when (a) the Agency or any component 
thereof, or (b) any employee of the Agency in his or her official 
capacity, or (c) any

[[Page 32549]]

employee of the Agency in his or her individual capacity where the DOJ 
has agreed to represent the employee, or (d) the United States 
Government, is a party to litigation or has an interest in such 
litigation, and by careful review, CMS determines that the records are 
both relevant and necessary to the litigation and that the use of such 
records by the DOJ, court, or adjudicatory body is compatible with the 
purpose for which the agency collected the records;
    7. To assist a CMS contractor (including, but not limited to 
Medicare Administrative Contractors, fiscal intermediaries, and 
carriers) that assists in the administration of a CMS-administered 
health benefits program, or to a grantee of a CMS-administered grant 
program, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud, waste or abuse in such program;
    8. To assist another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs;
    9. To disclose records to appropriate Federal agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to respond to a suspected 
or confirmed breach of the security or confidentiality of information 
maintained in this system of records, and the information disclosed is 
relevant and necessary for that assistance; and
    10. To assist the U.S. Department of Homeland Security (DHS) cyber 
security personnel, if captured in an intrusion detection system used 
by HHS and DHS pursuant to the Einstein 2 program.

Policies And Practices For Storing, Retrieving, Accessing, Retaining, 
And Disposing Of Records In The System.
Storage:
    All records are stored is a relational database in CMS Virtual Data 
Center hosted by Terremark Network Access Point (NAP) of the National 
Capital Region (NCR) facility located at Culpeper, Virginia.

Retrievability:
    Information about physicians and their authorized representatives 
may be retrieved by any of these personal identifiers: physicians' 
name, address, license number, or National Provider Identifier (NPI). 
Profile information about applicable manufacturer and GPO system users 
may be retrieved by these identifiers: applicable manufacturers or 
applicable GPOs' DUNS, name and address. Information may be extracted 
through a backend database access or through a business intelligence 
reporting tool by authorized personnel.

Safeguards:
    Personnel having access to the system have been trained in the 
Privacy Act and information security requirements. Employees who 
maintain records in this system are instructed not to release data 
until the intended recipient agrees to implement appropriate 
management, operational and technical safeguards sufficient to protect 
the confidentiality, integrity and availability of the information and 
information systems and to prevent unauthorized access.
    Access to records in the Open Payments database system will be 
limited to CMS personnel and contractors through password security, 
encryption, firewalls, and secured operating system. Any electronic 
copies which contain information about an individual at CMS and 
contractor locations will be kept in secure electronic files.

Retention And Disposal:
    All records in the Open Payments database will be maintained for a 
period of up to 10 years from the end of the calendar year in which 
files were made publically available on CMS Web site. Any records that 
are needed longer, such as audit or other exceptions, will be retained 
until such matters are resolved.

System Manager And Address:
    Director, Data Sharing and Partnership Group, Center for Program 
Integrity, Centers for Medicare & Medicaid Services, 7210 Ambassador 
Road, Mail Stop AR-18-50, Baltimore, MD 21244.

Notification Procedure:
    Physician covered recipients and physicians who are owners or 
investors, as well as members of their immediate families will be 
notified by CMS via an online posting and notifications on CMS's 
listservs. They may also register with CMS to receive notification 
about the review processes.

Record Access Procedure:
    Physician covered recipients and physicians who are owners or 
investors, as well as representatives from teaching hospitals, 
applicable manufacturers and GPOs will be able log into the Open 
Payments system through a secure Web site to directly view records 
pertaining to them for the previous reporting year as well as access 
their profile information.

Contesting Record Procedures:
    Title 42 Code of Federal Regulations (CFR.) Sec.  403.908(g) 
provides covered physician recipients and physicians who are owners or 
investors, as well as teaching hospitals, a 45-day review period to 
review data submitted about them and dispute its accuracy and 
completeness prior to the data becoming available to the public. 
Additionally, 42 CFR 403.908(g) (3) (iv) and (v) provides covered 
physician recipients and physicians who are owners or investors an 
opportunity to dispute the accuracy of such information. Covered 
recipients and physicians who are owners or investors will indicate 
which information regarding a specific payment or other transfer of 
value is being disputed. Applicable Manufacturers and/or applicable 
GPOs will receive a notification that a covered recipient or physician 
owner or investor is disputing reported information. The dispute 
resolution process is between applicable manufacturers, applicable 
GPOs, covered recipients and physician owners or investors. When a 
dispute is resolved and/or errors or omissions are discovered, 42 C.F.R 
Sec.  403.908(g)(4) and (h)(1) require the applicable manufacturer or 
applicable GPO to submit corrected data to CMS. Upon receipt, CMS 
notifies the affected covered recipient or physicians who are owner or 
investor that the additional information has been submitted and is 
available for review. CMS updates the Web site at least once annually 
with corrected information after the initial publication.

Record Source Categories:
    Information collected and maintained in this database is submitted 
by applicable manufacturers and/or applicable GPOs.

Exemptions Claimed For This System:
    None.


[[Page 32550]]


    Dated: May 30, 2014.
Niall Brennan,
Acting Director, Offices of Enterprise Management, Centers for Medicare 
& Medicaid Services.
[FR Doc. 2014-13012 Filed 5-30-14; 5:00 pm]
BILLING CODE 4120-03-P