Privacy Act of 1974; Report of Modified System of Records, 64802-64805 [2014-25937]

Download as PDF 64802 Federal Register / Vol. 79, No. 211 / Friday, October 31, 2014 / Notices asabaliauskas on DSK5VPTVN1PROD with NOTICES capacity, the expansion may occur only in facilities on the hospital’s main campus and may not result in the number of operating rooms, procedure rooms, and beds for which the hospital is licensed exceeding 200 percent of the hospital’s baseline number of operating rooms, procedure rooms, and beds (§ 411.362(c)(6)). Our decision to grant or deny a hospital’s request for an exception to the prohibition on expansion of facility capacity will be published in the Federal Register in accordance with our regulations at § 411.362(c)(7). III. Public Response to Notice With Comment Period On May 12, 2014, we published a notice in the Federal Register (79 FR 26969) entitled, Request for an Exception to the Prohibition on Expansion of Facility Capacity under the Hospital Ownership and Rural Provider Exceptions to the Physician Self-Referral Prohibition. In the May 12, 2014 notice we stated that as permitted by section 1877(i)(3) of the Act and our regulations at § 411.362(c), the following physician-owned hospital requested an exception to the prohibition on expansion of facility capacity: Name of Facility: Lake Pointe Medical Center. Location: 6800 Scenic Drive, Rowlett, Texas 75088–4552 (Rockwall County). Basis for Exception Request: High Medicaid Facility. In the May 12, 2014 notice we also solicited comments from individuals and entities in the community in which Lake Pointe Medical Center is located. Eighty-four comments were submitted under docket number for the notice (CMS–2014–0061). Eighty-three of those comments advocated that a different physician-owned hospital in another county be allowed to expand under the expansion exception process. Those comments were not relevant to the Lake Pointe Medical Center request, and we have not considered them in deciding the request. The only remaining comment urged CMS to evaluate whether Lake Pointe Medical Center is a ‘‘high Medicaid facility’’ using data that our regulations do not permit us to consider. On August 4, 2014, as required by § 411.362(c)(5)(ii), we notified Lake Pointe Medical Center that we received comments in response to the May 12, 2014 notice and that these comments were available for public viewing at http://www.regulations.gov. Lake Pointe Medical Center submitted a rebuttal statement on August 13, 2014. The statement indicated that the comments raised no issues of law or fact that in VerDate Sep<11>2014 18:51 Oct 30, 2014 Jkt 235001 any way contradict Lake Pointe Medical Center’s assertion that it meets all of the statutory and regulatory requirements to qualify as a high Medicaid facility. On September 3, 2014, at the close of the 30-day rebuttal period, CMS deemed the request complete pursuant to § 411.362(c)(5)(ii). IV. Decision This final notice announces our decision to approve the request from Lake Pointe Medical Center for an exception to the prohibition against expansion of facility capacity. As set forth in our current regulations and public guidance documents, Lake Pointe Medical Center submitted the data and certifications necessary to demonstrate that it satisfies the criteria to qualify as a high Medicaid facility. Further, our regulations do not permit us to consider the data recommended by the one relevant comment. Therefore, in accordance with section 1877(i)(3) of the Act, we have granted the request from Lake Pointe Medical Center for an exception to the expansion of facility capacity prohibition based on the following criteria: • The hospital is not the sole hospital in Rockwall, Texas, the county in which it is located; • The hospital certified that it does not discriminate against beneficiaries of Federal health care programs and does not permit physicians practicing at the hospital to discriminate against such beneficiaries; and • With respect to each of the 3 most recent fiscal years for which data were available as of the date the hospital submitted its request, the hospital has an annual percent of total inpatient admissions under Medicaid that is estimated to be greater than such percent with respect to such admissions for any other hospital located in Rockwall County, Texas, the county in which the hospital is located. Our approval grants the request of Lake Pointe Medical Center to add a total of 36 beds. Pursuant to § 411.362(c)(6), the expansion may occur only in facilities on the hospital’s main campus and may not result in the number of operating rooms, procedure rooms, and beds for which the hospital is licensed exceeding 200 percent of the hospital’s baseline number of operating rooms, procedure rooms, and beds. Lake Pointe Medical Center certified that its baseline number of operating rooms, procedure rooms, and beds for which it was licensed as of March 23, 2010, was 129. Accordingly, we find that granting the additional 36 beds will not result in an aggregate number of operating rooms, procedure rooms, and beds for which PO 00000 Frm 00062 Fmt 4703 Sfmt 4703 the hospital is licensed that exceeds 200 percent of the hospital’s baseline. IV. Collection of Information Requirements This document does not impose information collection and recordkeeping requirements. Consequently, it need not be reviewed by the Office of Management and Budget under the authority of the Paperwork Reduction Act of 1995 (44 U.S.C. 35). Dated: October 22, 2014. Marilyn Tavenner, Administrator, Centers for Medicare & Medicaid Services. [FR Doc. 2014–25940 Filed 10–30–14; 8:45 am] BILLING CODE P DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Medicare & Medicaid Services Privacy Act of 1974; Report of Modified System of Records Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS). ACTION: Notice of a Modified System of Records (SOR). AGENCY: In accordance with the requirements of the Privacy Act of 1974, we are proposing to modify an existing SOR titled, ‘‘Chronic Condition Data Repository (CCDR), System No. 09–70– 0573’’ last published at 71 FR 54495, September 15, 2006. The current name of the SOR, Chronic Condition Data Repository, was developed during the planning and development stages of the system. Upon the implementation and throughout the operations and maintenance stages of the system, the system has been referred to as the Chronic Condition Warehouse (CCW) in common usage and written references. In keeping with this current usage, we will modify the name of this SOR to read, and from this point forward will refer to the system as: ‘‘Chronic Condition Warehouse (CCW).’’ We propose to broaden the scope of the system to include data that can be easily linked, at the individual patient level, to all Medicare and Medicaid claims, enrollment and/or eligibility data, nursing home and home health assessments, and CMS beneficiary survey data. Accordingly, we are updating the Authority Section to include Title XVIII of the Social Security Act as amended (the Act); Section 1902(a)(6) of the Act; Section SUMMARY: E:\FR\FM\31OCN1.SGM 31OCN1 asabaliauskas on DSK5VPTVN1PROD with NOTICES Federal Register / Vol. 79, No. 211 / Friday, October 31, 2014 / Notices 1142(c)(6) of the Act; and Title IV of the Balanced Budget Act (Pub. L. 105–33). The Record Source Categories section will be modified to include data from two new systems of records: the CMS Encounter Data System, System No. 09– 70–0506, and the National Death Index, System No. 09–20–0166. These modifications will make the CCW a more useful tool by which to support research, policy analysis, quality improvement activities, and demonstrations that attempt to foster a better understanding of how to improve the quality of life and contain the health care costs of the chronically ill. We propose to modify existing Routine Use Number 1, to limit disclosures only to contractors of CMS. We also propose to add two new routine uses. Specifically, we propose adding a routine use to permit disclosures to healthcare providers who seek patient information for use in care coordination and quality improvement activities as described at 45 CFR 164.506(c)(4). This routine use will be added as Routine Use Number 4. We also propose adding a routine use to support public or private Qualified Entities (QEs) that use Medicare claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resource use. This routine use will be added as routine use number 6. Finally, we are modifying the language in Routine Use Number 3 to include grantees of CMS administered grant programs and have made minor grammatical changes to Routine Use Number 10. These modifications will provide a better explanation as to the need for the routine use, and to clearly state CMS’s intention when making disclosures of individually identifiable information contained in this system. We have provided background information about the modified system in the SUPPLEMENTARY INFORMATION section below. Although the Privacy Act requires only that the ‘‘Routine Use’’ section of the system of records notice be published for comment, CMS invites comments on all portions of this notice. See the Effective Dates section for information on the comment period. DATES: Effective Dates: CMS filed a modified SOR report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security and Government Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on September 16, 2014. To ensure that all parties have adequate time in which to VerDate Sep<11>2014 18:51 Oct 30, 2014 Jkt 235001 comment, the modified notice will become effective 30 days from the publication of the notice, or 40 days from the date it was submitted to OMB and the Congress, whichever is later. We may defer implementation of this modified system or one or more of the new routine uses listed below if we receive comments that persuade us to defer implementation. ADDRESSES: The public should address comments to: CMS Privacy Officer, Privacy Policy Compliance Group, Office of E-Health Standards & Services, Office of Enterprise Management, CMS, 7500 Security Boulevard, Baltimore, MD 21244–1870, Mailstop: S2–24–25, Office: (410) 786–5357, E-Mail: walter.stone@cms.hhs.gov. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.–3:00 p.m., Eastern Time zone. FOR FURTHER INFORMATION CONTACT: Michelle Seal, Health Insurance Specialist, Division of Research Data Development (DRDD), Data Development and Services Group, Office of Information Products and Data Analytics (OIPDA), OEM, CMS, Mail Stop B2–29–04, 7500 Security Boulevard, Baltimore, MD 21244–1850. Office Phone: 410–786–3679, Email address: michelle.seal@cms.hhs.gov. SUPPLEMENTARY INFORMATION: The CCW will house data that will be easily linked, at the individual patient level, for all Medicare and Medicaid claims, enrollment and/or eligibility data, nursing home and home health assessments, and CMS beneficiary survey data. This data repository will transform and summarize this administrative health and health insurance information into data which will support research, policy analysis, quality improvement activities, demonstrations, and studies. These are aimed at improving the quality of care and reducing the cost of care for chronically ill Medicare beneficiaries and Medicaid recipients. The repository is designed to encourage research and innovation that will reduce program spending, inform policy analyses, make current Medicare and Medicaid program data more readily available to researchers to study chronic illness in the Medicare and Medicaid populations, and improve process time for research data requests by refocusing on analytic, as opposed to operational considerations. The repository will also use utilize data analytic tools to organize and transform diagnostic information on a beneficiary’s Medicare or Medicaid PO 00000 Frm 00063 Fmt 4703 Sfmt 4703 64803 claims into information about their chronic medical conditions. The Virtual Research Data Center (VRDC), an analytic tool, provides a secure mechanism for accessing and analyzing data within the environment instead of sending physical data files to researchers for analysis at their site. The workbench analytic tool provides users with the ability to create a custom sample of individuals and view associated claims within the VRDC environment. Analysis of data using these tools increases the privacy and security of the data. The Privacy Act The Privacy Act governs the collection, maintenance, use, and dissemination of certain information about individuals by agencies of the Federal Government. A ‘‘SOR’’ is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a description of the type and character of each system of records that the agency maintains, and the routine uses that are contained in each system to make agency recordkeeping practices transparent, to notify individuals regarding the uses to which their records are put, and to assist individuals to more easily find such files within the agency. SYSTEM NUMBER: 09–70–0573 SYSTEM NAME: ‘‘Chronic Condition Warehouse’’ (CCW) HHS/CMS/OEM. SECURITY CLASSIFICATION: Unclassified SYSTEM LOCATION: CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244–1850, and at various contractor sites. CATEGORIES OF INDIVIDUALS IN THE SYSTEM: CCW will collect and maintain individually identifiable and other data collected on Medicare beneficiaries, Medicaid recipients, and individually identifiable data on certain health care professionals. CATEGORIES OF RECORDS IN THE SYSTEM: The collected information will include, but is not limited to, individually identifiable Medicare and Medicaid claims, enrollment, and eligibility data, including names, addresses, health insurance claims numbers, social security numbers, race/ E:\FR\FM\31OCN1.SGM 31OCN1 64804 Federal Register / Vol. 79, No. 211 / Friday, October 31, 2014 / Notices ethnicity data, gender, date of birth, Medicare Part A, B and C enrollment information, prescription drug coverage information, surgical procedures, diagnoses, provider name(s), unique provider identification numbers, National Provider Identification Numbers (NPI) as well as clinical assessment and outcome measures, and demographic, health/well-being, and background information relating to Medicare and Medicaid issues. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: The CCW is authorized by Sections 723 of the Medicare Prescription Drug Improvement and Modernization Act of 2003 (MMA) (Pub. L. 108–173), which was enacted into law on December 8, 2003, and amended Title XVIII of the Social Security Act (the Act); Section 1902(a)(6) of the Act; Section 1142(c)(6) of the Act; and Title IV of the Balanced Budget Act (Pub. L. 105–33). PURPOSE(S) OF THE SYSTEM: The purpose of this system is to support research, policy analysis, quality improvement activities, and demonstrations that attempt to foster a better understanding of how to improve the quality of life and contain the health care costs of the chronically ill. This system will utilize data analytic tools to support accessing data by chronic conditions and process complex customized data requests related to chronic illnesses. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES: asabaliauskas on DSK5VPTVN1PROD with NOTICES A. ENTITIES WHO MAY RECEIVE DISCLOSURES UNDER ROUTINE USE The Privacy Act allows CMS to disclose information without an individual’s consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a ‘‘routine use’’. The proposed routine uses in this system meet the compatibility requirement of the Privacy Act. We are proposing to establish the following routine use disclosures of information maintained in the system: 1. To CMS contractors who have been engaged by the agency to assist in the performance of a service related to this collection and who need to have access to the records in order to perform the activity. 2. To another Federal or state agency to: a. Contribute to the accuracy of CMS’s proper payment of Medicare benefits; b. Enable such agency to administer a Federal health benefits program, or, as VerDate Sep<11>2014 18:51 Oct 30, 2014 Jkt 235001 necessary, to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and/or c. Assist Federal and/or state officials carrying out the Medicaid program. 3. To an individual or organization including grantees of a CMS administered grant program that require individually identifiable health information for use in research projects including any evaluation project related to the prevention of disease or disability, the restoration or maintenance of health, or payment reform related projects that produces generalizable knowledge. 4. To a healthcare provider who seeks patient information for use in care coordination and quality improvement activities as described at 45 CFR 164.506(c)(4); 5. To Quality Improvement Organizations (QIO) in connection with review of claims, or in connection with studies or other review activities conducted pursuant to Part B of Title XI of the Act, and in performing affirmative outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans. 6. To a public or private Qualified Entity (QE) that uses Medicare claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resource use; and who agrees to meet the requirements regarding the transparency of their methods and their use and protection of Medicare data. 7. To the Department of Justice (DOJ), court or adjudicatory body when: a. The agency or any component thereof, or b. Any employee of the agency in his or her official capacity, or c. Any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee, or d. The United States Government, is a party to litigation or has an interest in such litigation, and, by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records. 8. To a CMS contractor (including, but not necessarily limited to, Medicare Administrative Contractors (MACs)) that assists in the administration of a CMSadministered health benefits program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend PO 00000 Frm 00064 Fmt 4703 Sfmt 4703 against, correct, remedy, or otherwise combat fraud or abuse in such program. 9. To another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency), that administers, or that has the authority to investigate potential fraud or abuse in, a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such programs. 10. To Federal Departments, agencies and their contractors that have a need to know the information for the purpose of assisting the Department’s efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, where the information disclosed is relevant to and necessary for that assistance. 11. To the U.S. Department of Homeland Security (DHS) cyber security personnel, if captured in an intrusion detection system used by HHS and DHS pursuant to the Einstein 2 program. 12. To public health authorities, and those entities acting under a delegation of authority from a public health authority, when requesting beneficiaryidentifiable information to carry out statutorily-authorized public health activities pertaining to emergency preparedness and response. B. ADDITIONAL CIRCUMSTANCES AFFECTING DISCLOSURE OF PII DATA: To the extent that the individual claims records in this system contain Protected Health Information (PHI) as defined by HHS regulation ‘‘Standards for Privacy of Individually Identifiable Health Information’’ (45 CFR parts 160 and 164, Subparts A and E), disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the ‘‘Standards for Privacy of Individually Identifiable Health Information’’ (see 45 CFR 164–512 (a) (1)). In addition, HHS policy will be to prohibit release even of data not directly identifiable with a particular individual, except pursuant to one of the routine uses or if required by law, if CMS determines there is a possibility that a particular individual can be identified through implicit deduction based on small cell sizes (instances where the patient population is so small that individuals could, because of the small E:\FR\FM\31OCN1.SGM 31OCN1 Federal Register / Vol. 79, No. 211 / Friday, October 31, 2014 / Notices size, use this information to deduce the identity of a particular individual). may make searching for a record easier and prevent delay). RETENTION AND DISPOSAL: RECORD ACCESS PROCEDURE: CMS will retain information for a total period not to exceed 30 years. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from DOJ. An individual seeking access to records about him or her in this system should use the same procedures outlined in Notification Procedures above. The requestor should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2).) RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM: STORAGE: CONTESTING RECORD PROCEDURES: All records are stored on electronic media. RETRIEVABILITY: The collected data are retrieved by an individual identifier; e.g., beneficiary, recipient or provider name, HICN, or unique provider identification number (NPI). SAFEGUARDS: CMS has safeguards in place for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access. This system will conform to all applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: The Privacy Act of 1974; and the Federal Information Department regulation 45 CFR 5b.7. SYSTEM MANAGER AND ADDRESS: Director, Data Development and Services Group, Office of Information Products and Data Analytics (OIPDA), OEM, Mail Stop B2–29–04, CMS, 7500 Security Boulevard, Baltimore, MD 21244–1849. asabaliauskas on DSK5VPTVN1PROD with NOTICES NOTIFICATION PROCEDURE: An individual record subject who wishes to know if this system contains records about him or her should write to the system manager who will require the system name, HICN, and for verification purposes, the subject individual’s name (woman’s maiden name, if applicable), and SSN (furnishing the SSN is voluntary, but it VerDate Sep<11>2014 18:51 Oct 30, 2014 Jkt 235001 To contest a record, the subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. The individual should state the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.) RECORDS SOURCE CATEGORIES: Frm 00065 Fmt 4703 Sfmt 4703 and Assessment Information Set, System No. 09–70–0522 (72 FR 63906 (November 13, 2007)); and Integrated Data Repository, System No. 09–70– 0571 (71 FR 74915 (December 13, 2006)); Provider Enrollment Chain and Ownership System, System No. 09–70– 0532 (71 FR 60536 (October 13, 2006); Medicare and Medicaid Electronic Health Record (EHR) Incentive Program National Level Repository, System No. 09–70–0587 (75 FR 73095 (November 29, 2010)); Performance Measurement and Reporting System, System No. 09– 70–0584 (74 FR 17672 (April 16, 2009)); Encounter Data System, 09–70–0506 (79 FR 34539 (June 17, 2014)); and National Death Index, 09–20–0166 (49 FR 37692 (September 25, 1984)). SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT: None. Celeste Dade-Vinson, Health Insurance Specialist, Centers for Medicare & Medicaid Services. [FR Doc. 2014–25937 Filed 10–30–14; 8:45 am] The data collected and maintained in this system are retrieved from the following databases: Medicare Drug Data Processing System, System No. 09– 70–0553 (73 FR 30943 (May 29, 2008)); Medicare Beneficiary Database, System No. 09–70–0536 (71 FR 70396 (December 4, 2006)); Medicare Advantage Prescription Drug System, System No. 09–70–0588 (76 FR 47190 (August 4, 2011)); Medicaid Statistical Information System, System No. 09–70– 0541 (71 FR 65527 (November 8, 2006)); Retiree Drug Subsidy Program, System No. 09–70–0550 (70 FR 41035 (July 15, 2005)); Common Working File, System No. 09–70–0526 (71 FR 64955 (November 6, 2006)); National Claims History, System No. 09–70–0558 (71 FR 67137 11/20/2006 (November 20, 2006)); Enrollment Database, System No. 09–70–0502 (73 FR 10249 2/26/ 2008 (February 26, 2008)); Carrier Medicare Claims Record, System No. 09–70–0501 (71 FR 64968 11/6/2006 (November 6, 2006)); Intermediary Medicare Claims Record, System No. 09–70–0503 (71 FR 648961 (November 6, 2006)); Unique Physician/Provider Identification Number, System No. 09– 70–0525 (71 FR 66535 (November 15, 2006)); Medicare Supplier Identification File, System No. 09–70–0530 (71 FR 70404 (December 4, 2006)), A Current Beneficiary Survey, System No. 09–70– 0519 (71 FR 60722 (October 16, 2006)); National Plan & Provider Enumerator System, System No. 09–70–0555, (75 FR 30411 (June 1, 2010)); Long Term Care MDS, System No. 09–70–0528 (72 FR 12801 (March 19, 2007)); HHA Outcome PO 00000 64805 BILLING CODE 4120–03–P DEPARTMENT OF HEALTH AND HUMAN SERVICES Food and Drug Administration [Docket No. FDA–2014–N–1072] Agency Information Collection Activities; Submission for Office of Management and Budget Review; Comment Request; Application for Participation in the Food and Drug Administration Commissioner’s Fellowship Program AGENCY: Food and Drug Administration, HHS. ACTION: Notice. The Food and Drug Administration (FDA) is announcing that a proposed collection of information has been submitted to the Office of Management and Budget (OMB) for review and clearance under the Paperwork Reduction Act of 1995. DATES: Fax written comments on the collection of information by December 1, 2014. ADDRESSES: To ensure that comments on the information collection are received, OMB recommends that written comments be faxed to the Office of Information and Regulatory Affairs, OMB, Attn: FDA Desk Officer, FAX: 202–395–7285, or emailed to oira_ submission@omb.eop.gov. All comments should be identified with the OMB control number 0910—New and SUMMARY: E:\FR\FM\31OCN1.SGM 31OCN1

Agencies

[Federal Register Volume 79, Number 211 (Friday, October 31, 2014)]
[Notices]
[Pages 64802-64805]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-25937]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of Modified System of Records

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of a Modified System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, we are proposing to modify an existing SOR titled, ``Chronic 
Condition Data Repository (CCDR), System No. 09-70-0573'' last 
published at 71 FR 54495, September 15, 2006. The current name of the 
SOR, Chronic Condition Data Repository, was developed during the 
planning and development stages of the system. Upon the implementation 
and throughout the operations and maintenance stages of the system, the 
system has been referred to as the Chronic Condition Warehouse (CCW) in 
common usage and written references. In keeping with this current 
usage, we will modify the name of this SOR to read, and from this point 
forward will refer to the system as: ``Chronic Condition Warehouse 
(CCW).''
    We propose to broaden the scope of the system to include data that 
can be easily linked, at the individual patient level, to all Medicare 
and Medicaid claims, enrollment and/or eligibility data, nursing home 
and home health assessments, and CMS beneficiary survey data. 
Accordingly, we are updating the Authority Section to include Title 
XVIII of the Social Security Act as amended (the Act); Section 
1902(a)(6) of the Act; Section

[[Page 64803]]

1142(c)(6) of the Act; and Title IV of the Balanced Budget Act (Pub. L. 
105-33). The Record Source Categories section will be modified to 
include data from two new systems of records: the CMS Encounter Data 
System, System No. 09-70-0506, and the National Death Index, System No. 
09-20-0166. These modifications will make the CCW a more useful tool by 
which to support research, policy analysis, quality improvement 
activities, and demonstrations that attempt to foster a better 
understanding of how to improve the quality of life and contain the 
health care costs of the chronically ill.
    We propose to modify existing Routine Use Number 1, to limit 
disclosures only to contractors of CMS. We also propose to add two new 
routine uses. Specifically, we propose adding a routine use to permit 
disclosures to healthcare providers who seek patient information for 
use in care coordination and quality improvement activities as 
described at 45 CFR 164.506(c)(4). This routine use will be added as 
Routine Use Number 4. We also propose adding a routine use to support 
public or private Qualified Entities (QEs) that use Medicare claims 
data to evaluate the performance of providers of services and suppliers 
on measures of quality, efficiency, effectiveness, and resource use. 
This routine use will be added as routine use number 6.
    Finally, we are modifying the language in Routine Use Number 3 to 
include grantees of CMS administered grant programs and have made minor 
grammatical changes to Routine Use Number 10. These modifications will 
provide a better explanation as to the need for the routine use, and to 
clearly state CMS's intention when making disclosures of individually 
identifiable information contained in this system.
    We have provided background information about the modified system 
in the Supplementary Information section below. Although the Privacy 
Act requires only that the ``Routine Use'' section of the system of 
records notice be published for comment, CMS invites comments on all 
portions of this notice. See the Effective Dates section for 
information on the comment period.

DATES: Effective Dates: CMS filed a modified SOR report with the Chair 
of the House Committee on Government Reform and Oversight, the Chair of 
the Senate Committee on Homeland Security and Government Affairs, and 
the Administrator, Office of Information and Regulatory Affairs, Office 
of Management and Budget (OMB) on September 16, 2014. To ensure that 
all parties have adequate time in which to comment, the modified notice 
will become effective 30 days from the publication of the notice, or 40 
days from the date it was submitted to OMB and the Congress, whichever 
is later. We may defer implementation of this modified system or one or 
more of the new routine uses listed below if we receive comments that 
persuade us to defer implementation.

ADDRESSES: The public should address comments to: CMS Privacy Officer, 
Privacy Policy Compliance Group, Office of E-Health Standards & 
Services, Office of Enterprise Management, CMS, 7500 Security 
Boulevard, Baltimore, MD 21244-1870, Mailstop: S2-24-25, Office: (410) 
786-5357, E-Mail: walter.stone@cms.hhs.gov. Comments received will be 
available for review at this location, by appointment, during regular 
business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern 
Time zone.

FOR FURTHER INFORMATION CONTACT: Michelle Seal, Health Insurance 
Specialist, Division of Research Data Development (DRDD), Data 
Development and Services Group, Office of Information Products and Data 
Analytics (OIPDA), OEM, CMS, Mail Stop B2-29-04, 7500 Security 
Boulevard, Baltimore, MD 21244-1850. Office Phone: 410-786-3679, Email 
address: michelle.seal@cms.hhs.gov.

SUPPLEMENTARY INFORMATION: The CCW will house data that will be easily 
linked, at the individual patient level, for all Medicare and Medicaid 
claims, enrollment and/or eligibility data, nursing home and home 
health assessments, and CMS beneficiary survey data. This data 
repository will transform and summarize this administrative health and 
health insurance information into data which will support research, 
policy analysis, quality improvement activities, demonstrations, and 
studies. These are aimed at improving the quality of care and reducing 
the cost of care for chronically ill Medicare beneficiaries and 
Medicaid recipients.
    The repository is designed to encourage research and innovation 
that will reduce program spending, inform policy analyses, make current 
Medicare and Medicaid program data more readily available to 
researchers to study chronic illness in the Medicare and Medicaid 
populations, and improve process time for research data requests by 
refocusing on analytic, as opposed to operational considerations. The 
repository will also use utilize data analytic tools to organize and 
transform diagnostic information on a beneficiary's Medicare or 
Medicaid claims into information about their chronic medical 
conditions.
    The Virtual Research Data Center (VRDC), an analytic tool, provides 
a secure mechanism for accessing and analyzing data within the 
environment instead of sending physical data files to researchers for 
analysis at their site. The workbench analytic tool provides users with 
the ability to create a custom sample of individuals and view 
associated claims within the VRDC environment. Analysis of data using 
these tools increases the privacy and security of the data.

The Privacy Act

    The Privacy Act governs the collection, maintenance, use, and 
dissemination of certain information about individuals by agencies of 
the Federal Government.
    A ``SOR'' is a group of any records under the control of a Federal 
agency from which information about individuals is retrieved by name or 
other personal identifier. The Privacy Act requires each agency to 
publish in the Federal Register a description of the type and character 
of each system of records that the agency maintains, and the routine 
uses that are contained in each system to make agency recordkeeping 
practices transparent, to notify individuals regarding the uses to 
which their records are put, and to assist individuals to more easily 
find such files within the agency.
SYSTEM NUMBER: 09-70-0573

SYSTEM NAME:
    ``Chronic Condition Warehouse'' (CCW) HHS/CMS/OEM.

SECURITY CLASSIFICATION:
    Unclassified

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850, and at various contractor sites.

CATEGORIES OF INDIVIDUALS IN THE SYSTEM:
    CCW will collect and maintain individually identifiable and other 
data collected on Medicare beneficiaries, Medicaid recipients, and 
individually identifiable data on certain health care professionals.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The collected information will include, but is not limited to, 
individually identifiable Medicare and Medicaid claims, enrollment, and 
eligibility data, including names, addresses, health insurance claims 
numbers, social security numbers, race/

[[Page 64804]]

ethnicity data, gender, date of birth, Medicare Part A, B and C 
enrollment information, prescription drug coverage information, 
surgical procedures, diagnoses, provider name(s), unique provider 
identification numbers, National Provider Identification Numbers (NPI) 
as well as clinical assessment and outcome measures, and demographic, 
health/well-being, and background information relating to Medicare and 
Medicaid issues.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The CCW is authorized by Sections 723 of the Medicare Prescription 
Drug Improvement and Modernization Act of 2003 (MMA) (Pub. L. 108-173), 
which was enacted into law on December 8, 2003, and amended Title XVIII 
of the Social Security Act (the Act); Section 1902(a)(6) of the Act; 
Section 1142(c)(6) of the Act; and Title IV of the Balanced Budget Act 
(Pub. L. 105-33).

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to support research, policy analysis, 
quality improvement activities, and demonstrations that attempt to 
foster a better understanding of how to improve the quality of life and 
contain the health care costs of the chronically ill. This system will 
utilize data analytic tools to support accessing data by chronic 
conditions and process complex customized data requests related to 
chronic illnesses.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
A. Entities Who May Receive Disclosures under Routine Use
    The Privacy Act allows CMS to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible use of data is known as a ``routine 
use''. The proposed routine uses in this system meet the compatibility 
requirement of the Privacy Act. We are proposing to establish the 
following routine use disclosures of information maintained in the 
system:
    1. To CMS contractors who have been engaged by the agency to assist 
in the performance of a service related to this collection and who need 
to have access to the records in order to perform the activity.
    2. To another Federal or state agency to:
    a. Contribute to the accuracy of CMS's proper payment of Medicare 
benefits;
    b. Enable such agency to administer a Federal health benefits 
program, or, as necessary, to enable such agency to fulfill a 
requirement of a Federal statute or regulation that implements a health 
benefits program funded in whole or in part with Federal funds; and/or
    c. Assist Federal and/or state officials carrying out the Medicaid 
program.
    3. To an individual or organization including grantees of a CMS 
administered grant program that require individually identifiable 
health information for use in research projects including any 
evaluation project related to the prevention of disease or disability, 
the restoration or maintenance of health, or payment reform related 
projects that produces generalizable knowledge.
    4. To a healthcare provider who seeks patient information for use 
in care coordination and quality improvement activities as described at 
45 CFR 164.506(c)(4);
    5. To Quality Improvement Organizations (QIO) in connection with 
review of claims, or in connection with studies or other review 
activities conducted pursuant to Part B of Title XI of the Act, and in 
performing affirmative outreach activities to individuals for the 
purpose of establishing and maintaining their entitlement to Medicare 
benefits or health insurance plans.
    6. To a public or private Qualified Entity (QE) that uses Medicare 
claims data to evaluate the performance of providers of services and 
suppliers on measures of quality, efficiency, effectiveness, and 
resource use; and who agrees to meet the requirements regarding the 
transparency of their methods and their use and protection of Medicare 
data.
    7. To the Department of Justice (DOJ), court or adjudicatory body 
when: a. The agency or any component thereof, or b. Any employee of the 
agency in his or her official capacity, or c. Any employee of the 
agency in his or her individual capacity where the DOJ has agreed to 
represent the employee, or d. The United States Government, is a party 
to litigation or has an interest in such litigation, and, by careful 
review, CMS determines that the records are both relevant and necessary 
to the litigation and that the use of such records by the DOJ, court or 
adjudicatory body is compatible with the purpose for which the agency 
collected the records.
    8. To a CMS contractor (including, but not necessarily limited to, 
Medicare Administrative Contractors (MACs)) that assists in the 
administration of a CMS- administered health benefits program, when 
disclosure is deemed reasonably necessary by CMS to prevent, deter, 
discover, detect, investigate, examine, prosecute, sue with respect to, 
defend against, correct, remedy, or otherwise combat fraud or abuse in 
such program.
    9. To another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any State or local governmental agency), that 
administers, or that has the authority to investigate potential fraud 
or abuse in, a health benefits program funded in whole or in part by 
Federal funds, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud or abuse in such programs.
    10. To Federal Departments, agencies and their contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this 
system of records, where the information disclosed is relevant to and 
necessary for that assistance.
    11. To the U.S. Department of Homeland Security (DHS) cyber 
security personnel, if captured in an intrusion detection system used 
by HHS and DHS pursuant to the Einstein 2 program.
    12. To public health authorities, and those entities acting under a 
delegation of authority from a public health authority, when requesting 
beneficiary-identifiable information to carry out statutorily-
authorized public health activities pertaining to emergency 
preparedness and response.

B. ADDITIONAL CIRCUMSTANCES AFFECTING DISCLOSURE OF PII DATA:
    To the extent that the individual claims records in this system 
contain Protected Health Information (PHI) as defined by HHS regulation 
``Standards for Privacy of Individually Identifiable Health 
Information'' (45 CFR parts 160 and 164, Subparts A and E), disclosures 
of such PHI that are otherwise authorized by these routine uses may 
only be made if, and as, permitted or required by the ``Standards for 
Privacy of Individually Identifiable Health Information'' (see 45 CFR 
164-512 (a) (1)).
    In addition, HHS policy will be to prohibit release even of data 
not directly identifiable with a particular individual, except pursuant 
to one of the routine uses or if required by law, if CMS determines 
there is a possibility that a particular individual can be identified 
through implicit deduction based on small cell sizes (instances where 
the patient population is so small that individuals could, because of 
the small

[[Page 64805]]

size, use this information to deduce the identity of a particular 
individual).

RETENTION AND DISPOSAL:
    CMS will retain information for a total period not to exceed 30 
years. All claims-related records are encompassed by the document 
preservation order and will be retained until notification is received 
from DOJ.

RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE 
SYSTEM:
STORAGE:
    All records are stored on electronic media.

RETRIEVABILITY:
    The collected data are retrieved by an individual identifier; e.g., 
beneficiary, recipient or provider name, HICN, or unique provider 
identification number (NPI).

SAFEGUARDS:
    CMS has safeguards in place for authorized users and monitors such 
users to ensure against excessive or unauthorized use. Personnel having 
access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system are instructed not to release data until the intended 
recipient agrees to implement appropriate management, operational and 
technical safeguards sufficient to protect the confidentiality, 
integrity and availability of the information and information systems 
and to prevent unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal, HHS, and CMS policies and standards as they 
relate to information security and data privacy. These laws and 
regulations may apply but are not limited to: The Privacy Act of 1974; 
and the Federal Information Department regulation 45 CFR 5b.7.

SYSTEM MANAGER AND ADDRESS:
    Director, Data Development and Services Group, Office of 
Information Products and Data Analytics (OIPDA), OEM, Mail Stop B2-29-
04, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1849.

NOTIFICATION PROCEDURE:
    An individual record subject who wishes to know if this system 
contains records about him or her should write to the system manager 
who will require the system name, HICN, and for verification purposes, 
the subject individual's name (woman's maiden name, if applicable), and 
SSN (furnishing the SSN is voluntary, but it may make searching for a 
record easier and prevent delay).

RECORD ACCESS PROCEDURE:
    An individual seeking access to records about him or her in this 
system should use the same procedures outlined in Notification 
Procedures above. The requestor should also reasonably specify the 
record contents being sought. (These procedures are in accordance with 
Department regulation 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    To contest a record, the subject individual should contact the 
system manager named above, and reasonably identify the record and 
specify the information to be contested. The individual should state 
the corrective action sought and the reasons for the correction with 
supporting justification. (These procedures are in accordance with 
Department regulation 45 CFR 5b.7.)

RECORDS SOURCE CATEGORIES:
    The data collected and maintained in this system are retrieved from 
the following databases: Medicare Drug Data Processing System, System 
No. 09-70-0553 (73 FR 30943 (May 29, 2008)); Medicare Beneficiary 
Database, System No. 09-70-0536 (71 FR 70396 (December 4, 2006)); 
Medicare Advantage Prescription Drug System, System No. 09-70-0588 (76 
FR 47190 (August 4, 2011)); Medicaid Statistical Information System, 
System No. 09-70-0541 (71 FR 65527 (November 8, 2006)); Retiree Drug 
Subsidy Program, System No. 09-70-0550 (70 FR 41035 (July 15, 2005)); 
Common Working File, System No. 09-70-0526 (71 FR 64955 (November 6, 
2006)); National Claims History, System No. 09-70-0558 (71 FR 67137 11/
20/2006 (November 20, 2006)); Enrollment Database, System No. 09-70-
0502 (73 FR 10249 2/26/2008 (February 26, 2008)); Carrier Medicare 
Claims Record, System No. 09-70-0501 (71 FR 64968 11/6/2006 (November 
6, 2006)); Intermediary Medicare Claims Record, System No. 09-70-0503 
(71 FR 648961 (November 6, 2006)); Unique Physician/Provider 
Identification Number, System No. 09-70-0525 (71 FR 66535 (November 15, 
2006)); Medicare Supplier Identification File, System No. 09-70-0530 
(71 FR 70404 (December 4, 2006)), A Current Beneficiary Survey, System 
No. 09-70-0519 (71 FR 60722 (October 16, 2006)); National Plan & 
Provider Enumerator System, System No. 09-70-0555, (75 FR 30411 (June 
1, 2010)); Long Term Care MDS, System No. 09-70-0528 (72 FR 12801 
(March 19, 2007)); HHA Outcome and Assessment Information Set, System 
No. 09-70-0522 (72 FR 63906 (November 13, 2007)); and Integrated Data 
Repository, System No. 09-70-0571 (71 FR 74915 (December 13, 2006)); 
Provider Enrollment Chain and Ownership System, System No. 09-70-0532 
(71 FR 60536 (October 13, 2006); Medicare and Medicaid Electronic 
Health Record (EHR) Incentive Program National Level Repository, System 
No. 09-70-0587 (75 FR 73095 (November 29, 2010)); Performance 
Measurement and Reporting System, System No. 09-70-0584 (74 FR 17672 
(April 16, 2009)); Encounter Data System, 09-70-0506 (79 FR 34539 (June 
17, 2014)); and National Death Index, 09-20-0166 (49 FR 37692 
(September 25, 1984)).

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

Celeste Dade-Vinson,
Health Insurance Specialist, Centers for Medicare & Medicaid Services.
[FR Doc. 2014-25937 Filed 10-30-14; 8:45 am]
BILLING CODE 4120-03-P