Medicare Program: Expanding Uses of Medicare Data by Qualified Entities, 5397-5417 [2016-01790]

[Federal Register Volume 81, Number 21 (Tuesday, February 2, 2016)]
[Proposed Rules]
[Pages 5397-5417]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01790]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Part 401

[CMS-5061-P]
RIN 0938-AS66


Medicare Program: Expanding Uses of Medicare Data by Qualified 
Entities

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule would implement new statutory requirements 
that would expand how qualified entities may use and disclose data 
under the qualified entity program to the extent consistent with 
applicable program requirements and other applicable laws, including 
information, privacy, security and disclosure laws. In doing so, this 
proposed rule would explain how qualified entities may create non-
public analyses and provide or sell such analyses to authorized users, 
as well as how qualified entities may provide or sell combined data, or 
provide Medicare claims data alone at no cost, to certain authorized 
users. This proposed rule would also implement certain privacy and 
security requirements, and impose assessments on qualified entities if 
the qualified entity or the authorized user violates the terms of a 
data use agreement (DUA) required by the qualified entity program.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided below, no later than 5 p.m. on March 29, 2016.

ADDRESSES: In commenting, please refer to file code CMS-5061-P. Because 
of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission.
    You may submit comments in one of four ways (please choose only one 
of the ways listed):
    1. Electronically. You may submit electronic comments on this 
regulation to https://www.regulations.gov. Follow the ``Submit a 
comment'' instructions.
    2. By regular mail. You may mail written comments to the following 
address only: Centers for Medicare & Medicaid Services, Department of 
Health and Human Services, Attention: CMS-5061-P, P.O. Box 8010, 
Baltimore, MD 21244-1850.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By express or overnight mail. You may send written comments to 
the following address only: Centers for Medicare & Medicaid Services, 
Department of Health and Human Services, Attention: CMS-5061-P, Mail 
Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.
    4. By hand or courier. Alternatively, you may deliver (by hand or 
courier) your written comments only to the following addresses prior to 
the close of the comment period:
    a. For delivery in Washington, DC--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, Room 445-G, Hubert 
H. Humphrey Building, 200 Independence Avenue SW., Washington, DC 
20201.
    (Because access to the interior of the Hubert H. Humphrey Building 
is not readily available to persons without Federal government 
identification, commenters are encouraged to leave their comments in 
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing 
by stamping in and retaining an extra copy of the comments being 
filed.)
    b. For delivery in Baltimore, MD--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, 7500 Security 
Boulevard, Baltimore, MD 21244-1850.
    If you intend to deliver your comments to the Baltimore address, 
call telephone number (410) 786-9994 in advance to schedule your 
arrival with one of our staff members.
    Comments erroneously mailed to the addresses indicated as 
appropriate for hand or courier delivery may be delayed and received 
after the comment period.
    For information on viewing public comments, see the beginning of 
the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Allison Oelschlaeger, (202) 690-8257. 
Kari Gaare, (410) 786-8612.

SUPPLEMENTARY INFORMATION:
    Inspection of Public Comments: All comments received before the 
close of the comment period are available for viewing by the public, 
including any personally identifiable or confidential business 
information that is included in a comment. We post all comments 
received before the close of the comment period on the following Web 
site as soon as possible after they have been received: https://www.regulations.gov. Follow the search instructions on that Web site to 
view public comments.
    Comments received timely will also be available for public 
inspection as they are received, generally beginning approximately 3 
weeks after publication of a document, at the headquarters of the 
Centers for Medicare & Medicaid Services, 7500 Security Boulevard, 
Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 
a.m. to 4 p.m. To schedule an appointment to view public comments, 
phone 1-800-743-3951.

I. Background

    On April 16, 2015, the Medicare Access and CHIP Reauthorization Act 
of 2015 (MACRA) (Pub. L. 114-10) was enacted. The law included a 
provision, Section 105, Expanding the Availability of Medicare Data, 
which takes effect on July 1, 2016. This section expands how qualified 
entities will be allowed to use and disclose data under the qualified 
entity program, including data subject to section 1874(e) of the Social 
Security Act (the Act), to the extent consistent with other applicable 
laws, including information, privacy, security and disclosure laws.
    The Qualified Entity program was established by Section 10332 of 
the Patient Protection and Affordable Care Act (Affordable Care Act) 
(Pub. L. 111-148). The implementing regulations, which became effective 
January 6, 2012, are found in subpart G of 42 CFR part 401 (76 FR 
76542). Under those provisions, CMS provides standardized extracts of 
Medicare Part A and B claims data and Part D drug event data

[[Page 5398]]

(hereinafter collectively referred to as Medicare claims data) covering 
one or more geographic regions to qualified entities at a fee equal to 
the cost of producing the data. Under the original statutory 
provisions, such Medicare claims data must be combined with other non-
Medicare claims data and may only be used to evaluate the performance 
of providers and suppliers. The measures, methodologies and results 
that comprise such evaluations are subject to review and correction by 
the subject providers and suppliers, after which the results are to be 
disseminated in public reports.
    Those wishing to become qualified entities are required to apply to 
the program. Currently, thirteen organizations have applied and 
received approval to be a qualified entity. Of these organizations, two 
have completed public reporting while the other eleven are in various 
stages of preparing for public reporting. While we have been pleased 
with the participation in the program so far, we expect that the 
changes required by MACRA will increase interest in the program.
    Under section 105 of MACRA, effective July 1, 2016, qualified 
entities will be allowed to use the combined data and information 
derived from the evaluations described in 1874(e)(4)(D) of the Act to 
conduct non-public analyses and provide or sell these analyses to 
authorized users for non-public use in accordance with the program 
requirements and other applicable laws. In highlighting the need to 
comply with other applicable laws, we particularly note that any 
qualified entity that is a covered entity or business associate as 
defined in the Health Insurance Portability and Accountability Act of 
1996 (``HIPAA'') regulations at 45 CFR 160.103 will need to ensure 
compliance with any applicable HIPAA requirements, including the bar on 
the sale of Protected Health Information.
    In addition, qualified entities will be permitted to provide or 
sell the combined data, or provide the Medicare claims data alone at no 
cost, again, in accordance with the program requirements and other 
applicable laws, to providers, suppliers, hospital associations, and 
medical societies. Qualified entities that elect to provide or sell 
analyses and/or data under these new provisions will be subject to an 
assessment if they or the authorized users to whom they disclose 
beneficiary identifiable data in the form of analyses or raw data act 
in a manner that violates the terms of a program-required Qualified 
Entity Data Use Agreement (QE DUA). Furthermore, qualified entities that 
make analyses or data available under these new provisions will be 
subject to new annual reporting requirements to aid CMS in monitoring 
compliance with the program requirements. These new annual reporting 
requirements will only apply to qualified entities that choose to 
provide or sell non-public analyses and/or provide or sell combined 
data, or provide Medicare claims data alone at no cost.
    We believe these changes to the qualified entity program will be 
important in driving higher quality, lower cost care in Medicare and 
the health system in general. We also believe that these changes will 
drive renewed interest in the qualified entity program, leading to more 
transparency regarding provider and supplier performance and innovative 
uses of data that will result in improvements to the healthcare 
delivery system while still ensuring appropriate privacy and security 
protections for beneficiary-identifiable data.

II. Provisions of the Proposed Regulations

    To implement the new statutory provisions of section 105 of MACRA, 
we propose to amend and make conforming changes to Part 401 Subpart G, 
``Availability of Medicare Data for Performance Measurement.'' 
Throughout the preamble, we identify options and alternatives to the 
provisions we propose. We strongly encourage comments on our proposed 
approach, as well as any alternatives.

A. Non-Public Analyses

    Section 105(a)(1) of MACRA expands how qualified entities will be 
allowed to use and disclose the combined data and any information 
derived from the evaluations described in section 1874(e)(4)(D) of the 
Act. The section provides for such data's use and/or disclosure in 
additional non-public analyses that may be given or, in certain 
circumstances, sold to authorized users in accordance with program 
requirements and other applicable laws, including information, privacy, 
security, and disclosure laws. An authorized user is defined at Sec.  
401.703(j) and the definition is discussed below in section II.C. The 
new proposals regarding the disclosure and/or sale of combined data or 
the disclosure of Medicare data at no cost are discussed below in 
section II.B.
    To implement the non-public analyses provisions, we propose to add 
a new Sec.  401.716. Under Sec.  401.716, paragraph (a) would provide 
for the qualified entity's use of the combined data or information 
derived from the evaluations described in section 1874(e)(4)(D) of the 
Act to create non-public analyses. Paragraph (b) would provide for the 
provision or sale of these analyses to authorized users in accordance 
with the program requirements discussed later in this section, as well 
as other applicable laws.
1. Additional Analyses
    We propose at Sec.  401.703(q) to define combined data as a set of 
CMS claims data provided under subpart G combined with a subset of 
claims data from at least one of the other claims data sources 
described in Sec.  401.707(d). Sec.  401.707(d) requires qualified 
entities to submit to CMS information on the claims data they possess 
from other sources, that is, any other provider-identifiable or 
supplier-identifiable data for which the qualified entity has full data 
usage rights. In defining the term in this manner, we are not proposing 
to establish a minimum amount of data that must be included in the 
combined data set from other sources, but, as we noted in our December 
7, 2011 final rule (76 FR 76542), we believe that the requirement to 
use combined data is likely to lead to increased validity and 
reliability of the performance findings through the use of larger and 
more diverse samples. As such, we expect qualified entities will choose 
to use sufficient claims data from other sources to ensure such 
validity and reliability. That said, we recognize that there may be 
instances in which other sources of claims data (for example, Medicaid 
or private payer data) may be of limited value. For instance, depending 
on the other claims data a given qualified entity may hold, Medicare 
data may provide the best opportunity to conduct analyses on 
chronically ill or other resource-intensive populations that may not be 
commonly represented in other sources of claims data. Thus, while the 
statute requires the use of combined data for the analyses, it does not 
specify the minimum amount of data from other sources to qualify as 
combined data, and, as we believe it would be difficult to establish a 
threshold given the variability in the analyses that the qualified 
entities may conduct, we propose not to adopt any minimum standard for 
the amount of other sources of claims data that must be included in a 
combined data set. We are requesting comments on this proposal as well 
as suggestions for other possible alternatives or options.
2. Limitations on the Qualified Entities With Respect to the Sale and 
Provision of Non-Public Analyses
    MACRA imposes a number of limitations on qualified entities with

[[Page 5399]]

respect to the sale and provision of non-public analyses. It mandates 
that a qualified entity may not provide or sell non-public analyses to 
a health insurance issuer unless the issuer is providing the qualified 
entity with claims data under section 1874(e)(4)(B)(iii) of the Act. In 
doing so, the statute does not specify the minimum amount of data that 
the issuer must be providing to the qualified entity. We considered not 
imposing a threshold on the amount of data being provided by the 
issuer, but decided that specifying a threshold would encourage issuers 
to submit data to the qualified entity to be included in the public 
performance reports, increasing the reports' reliability and sample 
size. As a result, we propose at Sec.  401.716(b)(1) to limit qualified 
entities to only providing or selling non-public analyses to issuers 
after they provide the qualified entity with claims data that 
represents a majority of the issuers' covered lives in the geographic 
region and during the time frame of the non-public analyses requested 
by the issuer. For example, if an issuer requested non-public analyses 
using the combined data for the first 6 months of 2015 in Minnesota, it 
would need to provide the qualified entity with data that represents 
over 50 percent of the issuer's covered lives during those 6 months in 
Minnesota. We believe this threshold will ensure that issuers submit a 
large portion of their data to the qualified entity without requiring 
them to share data for their entire population in order to be eligible 
to receive non-public analyses. We seek comment on whether the 
threshold of a majority of the issuer's covered lives in the desired 
geographic area during the time frame covered by the non-public 
analyses requested by the issuer is too high or low, as well as other 
alternatives to specify the amount of data the issuer must provide to a 
qualified entity to be eligible to receive or purchase non-public 
analyses.
    Section 105(a)(3) of MACRA imposes additional requirements on the 
dissemination of non-public analyses or data that contain information 
that individually identifies a patient. Because we define the term 
``patient'' later in this section and in a manner that does not relate 
to de-identification of individually identifiable information, we will 
use the word beneficiary in relation to de-identification rather than 
patient. In light of these MACRA provisions, as well as our belief that 
protecting the privacy and security of beneficiaries' information is of 
the utmost importance and our belief that identifiable information on 
individual beneficiaries would generally not be needed by authorized 
users, we propose to impose limits on the content of the non-public 
analyses. In doing so, we recognize that when non-public analyses are 
provided or sold to a provider or supplier, individually identifying 
information such as name, age, gender, or date of birth may be 
essential for the provider or supplier to proactively use the 
information gleaned from the analyses. For example, a provider may not 
know who a patient is based on the unique identifier assigned by the 
payer and as a result would not be able to use the analyses to improve 
care or better coordinate care with other providers for that patient. 
In addition, there is a high likelihood that providers may have 
patients with the same or similar names, so age or date of birth may be 
necessary to identify the patient in the analyses. We therefore propose 
at Sec.  401.716(b)(2) to limit the provision or sale of non-public 
analyses that individually identify a beneficiary to providers or 
suppliers with whom the subject individual(s) have established a 
patient relationship.
    While the term ``patient'' is commonly used in the provision of 
healthcare, reasonable minds may differ on the periodicity with which 
an individual must have contact with a provider or supplier to maintain 
a ``patient'' relationship. Depending on individual practice or 
applicable laws, a person may still be considered a patient of a 
provider or supplier even though a number of years have passed since 
they were seen or provided services by the provider or supplier. 
However, when the individual has not visited a provider or supplier in 
a number of years, analyses that contain individually identifiable 
information about that patient may not be very useful, as any care 
coordination or quality improvement efforts would, presumably, require 
continued contact with that patient. Therefore, for the purposes of 
this program, we propose to define patient as an individual who has 
visited the provider or supplier for a face-to-face or telehealth 
appointment at least once in the past 12 months. This definition is 
similar to that used in the Medicare Shared Savings Program which 
assigns beneficiaries to Accountable Care Organizations based on 
services delivered in the past 12 months. We also believe this 
definition will ensure that providers and suppliers are able to receive 
information about patients they are actively treating. We seek comments 
on this proposal, particularly any beneficiary concerns if we were to 
implement this proposal, and any reasonable alternatives to this 
proposal that might address those concerns.
    Except when patient-identifiable non-public analyses are shared 
with the patient's provider or supplier as described above, we propose 
at Sec.  401.716(b)(3) to require that all non-public analyses must be 
beneficiary de-identified using the de-identification standards in the 
HIPAA Privacy Rule at 45 CFR 164.514(b). De-identification under this 
standard requires the removal of specified data elements or reliance on 
a statistical analysis that concludes that the information is unlikely 
to be able to be used alone or in combination with other available 
information to identify/re-identify the patient subjects of the data. 
The statistical de-identification approach may be more difficult 
because an entity may not have access to an expert capable of 
performing the analysis in accordance with HIPAA Rules, but we believe 
that the protections afforded by HIPAA-like standards of de-
identification are appropriate, as HIPAA has, in many ways, established 
a reasoned and appropriate privacy and security floor for the health 
care industry. That said, the framework for de-identification that is 
laid out in the HIPAA Privacy Rule represents a widely accepted 
industry standard for de-identification, so we think its concepts are 
appropriate for adoption into this program. Additional information on 
the HIPAA de-identification standards can be found on the HHS Office 
for Civil Rights Web site at https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.
    We seek comment on this proposal and whether another set of de-
identification standards would be more appropriate to ensure that non-
public analyses do not contain information that individually identifies 
a beneficiary, except as provided for above where the individual is a 
patient of the provider or supplier who is receiving the analyses, and 
how qualified entities that are HIPAA-covered entities could comply 
with such alternate qualified entity program standards while still 
meeting any applicable HIPAA obligations.
    In addition, section 105(a)(6) of MACRA preserves providers' and 
suppliers' opportunity to review analyses (now including non-public 
analyses) that individually identify the provider or supplier. As such, 
we propose at Sec.  401.716(b)(4) to bar qualified entities' disclosure 
of non-public analyses that individually identify a provider or 
supplier unless: (a) The analysis only individually

[[Page 5400]]

identifies the singular recipient of the analysis or (b) each provider 
or supplier who is individually identified in a non-public analysis 
that identifies multiple providers/suppliers has been afforded an 
opportunity to review the aspects of the analysis about them, and, if 
applicable, request error correction. We describe the proposed appeal 
and error correction process in more detail in section II.A.4 below.
3. Limitations on the Authorized User
    While CMS has been granted statutory authority to impose 
requirements and limitations on the qualified entity, it has limited 
authority to oversee authorized users. As such, this proposed 
regulatory scheme is generally structured to require the qualified 
entity to ensure authorized users' compliance with the concepts laid 
out in MACRA through contractual means. In keeping with this, we 
propose at Sec.  401.716(b)(2) and Sec.  401.716(c) to require the 
qualified entity's use of legally binding agreements with any 
authorized users to whom it provides or sells the non-public analyses.
Types of Legally Binding Agreements
    For non-public analyses that include patient identifiable data, we 
propose at Sec.  401.716(b)(2) to require the qualified entity to enter 
into a QE DUA with any authorized users as a pre-condition to providing 
or selling such non-public analyses. As we are also proposing to 
require use of the QE DUA in the context of the provision or sale of 
combined data, or the provision of Medicare data at no cost, we discuss 
the QE DUA in the data disclosure discussion in section II.B below. For 
non-public analyses that include beneficiary de-identified data, we 
propose at Sec.  401.716(c) to require the qualified entity to enter 
into a contractually binding non-public analyses agreement with any 
authorized users as a pre-condition to providing or selling such non-
public analyses. A discussion of the proposed requirements for the non-
public analyses agreements follows in this section.
    We believe that the use of the non-public analyses agreement when 
authorized users receive non-public analyses containing de-identified 
data and the QE DUA when authorized users receive non-public analyses 
that contain patient identifiable information are the best mechanisms 
for ensuring that both qualified entities and authorized users are 
aware of and compliant with the data use and disclosure limitations 
established by MACRA. We seek comment on whether the non-public 
analyses agreement and the QE DUA are the best mechanisms to ensure 
compliance with these restrictions given the authorities established by 
MACRA.
Requirements in the Non-Public Analyses Agreement
    The statute generally allows qualified entities to provide or sell 
their non-public analyses to authorized users for non-public use, but 
it bars use or disclosure of such analyses for marketing (see section 
105(a)(3)(c) of MACRA). Such analyses therefore may include, but would 
not be limited to analyses intended to assist providers' and suppliers' 
development of, and participation in, quality and patient care 
improvement activities, including development of new models of care. 
But, while many types of non-public analyses could lead to improvements 
in the health care delivery system, certain types of analyses could 
cause harm to patients or lead to additional fraud and/or abuse 
concerns for the delivery system. Therefore, despite the breadth of the 
statutory authority, we believe it is important to establish additional 
limits on the non-public analyses, given the expansive types of non-
public analyses that could be conducted by the qualified entities if no 
limits are placed on such analyses, and the potential deleterious 
consequences of some such analyses.
    With this in mind, we propose at Sec.  401.716(c)(1) that the non-
public analyses agreement require that non-public analyses conducted 
using combined data or the information derived from the evaluations 
described in section 1874(e)(4)(D) of the Act may not be used or 
disclosed for the following purposes: marketing, harming or seeking to 
harm patients and other individuals both within and outside the 
healthcare system regardless of whether their data are included in the 
analyses (for example, an employer using the analyses to attempt to 
identify and fire employees with high healthcare costs), or 
effectuating or seeking opportunities to effectuate fraud and/or abuse 
in the healthcare system (for example, a provider using the analyses to 
identify ways to submit fraudulent claims that might not be caught by 
auditing software).
    Rather than developing a new definition for marketing under this 
program, we propose at Sec.  401.703(s) to generally define marketing 
using the definition at 45 CFR 164.501 in the HIPAA Privacy Rule. Under 
this definition, marketing means making a communication about a product 
or service that encourages recipients of the communication to purchase 
or use the product or service. In doing so, we note that the HIPAA 
Privacy Rule also includes a general restriction on use of an 
individual's Protected Health Information (PHI) for marketing. Given 
the similarities between the use and disclosure of PHI under HIPAA and 
the data sharing limitations under this program, we believe the 
definition of marketing in HIPAA should also generally be used for this 
program, but, given the categorical statutory bar on marketing in this 
program, we are not proposing a consent exception to the bar like that 
seen in the HIPAA Privacy Rule. We also believe that use of this HIPAA 
definition as modified will simplify compliance with the qualified 
entity program requirements, especially decisions regarding what is and 
is not considered marketing. We seek comment on the proposal to use 
this definition as modified from HIPAA for the purposes of this 
program.
    The proposed restrictions on using analyses and/or derivative data, 
meaning data gleaned from the analyses, that would or could be used to 
exploit patients or other individuals or to effectuate fraud and/or 
abuse in the healthcare system are intended to ensure that the analyses 
are unlikely to result in physical or financial harm to patients or 
other individuals within or outside the health care delivery system. We 
seek comments on these proposals as well as whether there are other 
restrictions that should be imposed to limit potential physical or 
financial harm to patients or other individuals within or outside the 
healthcare system.
    Section 105(a)(1)(B)(i) of MACRA requires that any non-public 
analyses provided or sold to an employer may only be used by the 
employer for the purposes of providing health insurance to employees 
and retirees of the employer. We believe this limit should also apply 
to ``dependents'' of either category whenever the employer offers 
coverage for family members who are neither employees nor retirees. As 
such, we further propose that if the qualified entity is providing or 
selling non-public analyses to an employer that this requirement be 
included in the non-public analyses agreement. We seek comment on 
whether the resulting non-public analyses agreement between the 
qualified entity and the employer is the best mechanism to ensure 
compliance with this restriction given the authorities established by 
MACRA.
    The statute also contains limitations on the re-disclosure of non-
public analyses provided or sold to authorized users at section 
105(a)(5) of MACRA. Under that provision, re-disclosure is limited to 
authorized users who are a provider or supplier. Furthermore, these

[[Page 5401]]

providers and suppliers are to limit any re-disclosures to instances in 
which the recipient would use the non-public analyses for provider/
supplier ``performance improvement.'' As many if not most providers and 
suppliers that receive non-public analyses from the qualified entity 
will be HIPAA-covered entities, we propose to limit performance 
improvement re-disclosures to those that would support quality 
assessment and improvement, and care coordination activities by or on 
behalf of the eligible downstream provider or supplier. For example, 
providers may need to share the non-public analyses or derivative data 
with someone working on their behalf to carry out such quality 
assessment and improvement or care coordination activities. That is, if 
they are a HIPAA-covered entity, they may wish to share the non-public 
analyses or derivative data with their business associate. Such a 
scenario could arise when a consultant is hired to assist the provider/
supplier in interpreting the non-public analyses, or in determining 
what changes in the delivery of care are needed to assess or improve 
the quality of care, or to better coordinate care. Another example is 
if the provider or supplier wants to share the non-public analyses with 
other treating providers/suppliers for quality assessment and 
improvement or care coordination purposes.
    In addition, especially under circumstances in which patient 
identifiable data is included in the non-public analysis, we recognize 
that there are instances in which a provider or supplier may be 
required to produce information to a regulatory authority as required 
by a statute or regulation. For example, a HIPAA-covered entity may be 
required to produce PHI to the Secretary for purposes of an 
investigation of a potential HIPAA violation. Therefore, for purposes 
of this qualified entity program, we propose to adopt the HIPAA 
definition of ``required by law'' at 45 CFR 164.103 so as to allow for 
such mandatory disclosures. As defined at 45 CFR 164.103, ``required by 
law'' means any mandate in law that compels an entity to make a use or 
disclosure of PHI that is enforceable in a court of law (including 
disclosures compelled by court order, statute, or regulation). An 
example would be a court order to turn over medical records as part of 
litigation. Another common example would be disclosures required by the 
regulations governing the submission of a claim for payment for 
Medicare fee-for-service covered services.
    As a result, we propose at Sec.  401.716(c)(3)(i) to require 
qualified entities to include in the non-public analysis agreement a 
requirement to limit re-disclosure of non-public analyses or derivative 
data to instances in which the authorized user is a provider or 
supplier, and the re-disclosure is as a covered entity would be 
permitted under 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Accordingly, 
a qualified entity may only re-disclose individually identifiable 
health information to a covered entity for the purposes of the covered 
entity's quality assessment and improvement or for the purposes of care 
coordination activities, where that entity has a patient relationship 
with the individual who is the subject of the information, or to a 
business associate of such a covered entity under a written contract as 
defined at 45 CFR 164.502(e)(1). Furthermore, as section 105(a)(5)(A) 
of MACRA states that the analyses generally may not be re-disclosed or 
released to the public, we generally propose at Sec.  401.716(c)(3)(ii) 
to require qualified entities to use non-public analyses agreements to 
explicitly bar authorized users from any other re-disclosure of the 
non-public analyses or any derivative data except to the extent a 
disclosure qualifies as a ``required by law'' disclosure. We seek 
comment on our proposal to require qualified entities to contractually 
limit re-disclosures of beneficiary de-identified non-public analyses 
or any derivative data other than as described above.
    As discussed above, the non-public analyses agreement can only be 
used in the disclosure of analyses that include beneficiary de-
identified data. However, even though the analyses subject to a non-
public analyses agreement are beneficiary de-identified, we believe 
that additional restrictions on the authorized user are necessary to 
ensure appropriate privacy and security protections for our 
beneficiaries. We therefore propose at Sec.  401.716(c)(5) to require 
qualified entities to impose a legally enforceable bar on the 
authorized user's use or disclosure of any non-public analyses (or data 
or analyses derived from such non-public analyses) to re-identify or 
attempt to re-identify any individual whose data is included in the 
analyses or any derivative data. We believe this additional level of 
privacy and security protection is necessary to protect beneficiaries. 
We seek comment on this proposal.
    Finally, we propose at Sec.  401.716(d)(6) to require qualified 
entities to use their non-public analyses agreements to bind their non-
public analyses recipients to reporting any violation of the terms of 
that non-public analyses agreement to the qualified entity. As 
explained below in Section D, qualified entities will be expected to 
report on these violations as part of their annual reporting to CMS. 
Even though the analyses covered by the non-public analyses agreement 
will be de-identified, due to the risk of re-identification of 
beneficiary information, we still believe that this requirement is 
essential to our ability to monitor and ensure the privacy and security 
of beneficiary information. We seek comment on these proposals.
4. Confidential Opportunity To Review, Appeal, and Correct Analyses
    As noted briefly above, section 105(a)(6) of MACRA directs us to 
ensure that qualified entities provide providers and suppliers who are 
individually identified in a non-public analysis with an opportunity to 
review and request corrections before the qualified entity provides or 
sells the non-public analyses to an authorized user. But, as noted 
above, we have proposed one exception to this general rule in cases 
where the analysis only individually identifies the (singular) provider 
or supplier who is being provided or sold the analysis. In all other 
cases, we propose that the qualified entity must follow the 
confidential review, appeal, and error correction requirements in 
section 1874(e)(4)(C)(ii) of the Act.
    Specifically, we propose at Sec.  401.717(f) that a qualified 
entity generally must comply with the same error corrections process 
and timelines as are required for public performance reporting before 
disclosing non-public analyses. This process includes confidentially 
sharing the measures, measure methodologies and measure results that 
comprise such evaluations with providers and suppliers at least 60 
calendar days before providing or selling the analyses to one or more 
authorized users. During these 60 calendar days, the provider or 
supplier may make a request for the Medicare claims data and 
beneficiary names that may be needed to confirm statements about the 
care that they delivered to their patients. If the provider or supplier 
requests such data, the qualified entity must release the Medicare 
claims and beneficiary names relevant to what is said about the 
requesting provider/supplier in the draft non-public analyses. We 
believe that for many providers and suppliers, a beneficiary's name 
will be of more practical use in determining the accuracy of analyses 
than the underlying claims used in the analyses. The sharing of such 
data must be done via a secure mechanism that is suitable for 
transmitting or providing access to individually identifiable

[[Page 5402]]

health information. The qualified entity also must ensure that the 
provider or supplier has been notified of the date on which the 
analyses will be shared with the authorized user. If any requests for 
error correction are not resolved by the date on which the analyses are 
to be shared, the qualified entity may release the analyses, but must 
inform the authorized user that the analyses are still under appeal, 
and the reason for the appeal.
    We believe that the process we established for review and error 
correction for public performance reporting finds the right balance 
between allowing providers and suppliers the opportunity to review the 
non-public analyses while also ensuring that the information is 
disseminated in a timely manner. However, we have had limited public 
reporting thus far to confirm this. Furthermore, using the same process 
for review and error correction for non-public analyses and the public 
reports creates continuity and a balance between the needs and 
interests of providers and suppliers and those of the qualified 
entities, authorized users and the public. We also believe that using 
the same timeframes and requirements will simplify the review process 
for providers and suppliers. We seek comment on our proposal generally 
to require qualified entities to comply with the same error corrections 
process and timelines as are required for public performance reporting 
when sharing analyses that individually identify a provider or 
supplier.
    Although we do not believe that we have statutory authority to 
require it given that section 1874(e) of the Act only covers the 
disclosure of Medicare claims data, to the extent permitted by 
applicable law, we strongly encourage qualified entities to also share 
the claims data from other sources with providers and suppliers if they 
ask for the underlying data used for the analyses.

B. Dissemination of Data and the Use of QE DUAs for Data Dissemination 
and Patient-Identifiable Non-Public Analyses

    Subject to other applicable law, section 105(a)(2) of MACRA expands 
the permissible uses and disclosures of data by a qualified entity to 
include providing or selling combined data for non-public use to 
certain authorized users, including providers of services, suppliers, 
medical societies, and hospital associations. Subject to the same 
limits, it also permits a qualified entity to provide Medicare claims 
data for non-public use to these authorized users; however, a qualified 
entity may not charge a fee for providing such Medicare claims data. 
But, in order to provide or sell combined data or Medicare data, 
section 501(a)(4) of MACRA instructs the qualified entity to enter into 
a DUA with their intended data recipient(s).
1. General Requirements for Data Dissemination
    To implement these provisions in MACRA, we propose at Sec.  
401.718(a) to provide that, subject to other applicable laws (including 
applicable information, privacy, security and disclosure laws) and 
certain defined program requirements, including that the data be used 
only for non-public purposes, a qualified entity may provide or sell 
combined data or provide Medicare claims data at no cost to certain 
authorized users, including providers of services, suppliers, medical 
societies, and hospital associations. Where a qualified entity is a 
HIPAA-covered entity or is acting as a business associate, compliance 
with other applicable laws will include the need to ensure that it 
fulfills the requirements under the HIPAA Privacy Rule, including the 
bar on the sale of PHI.
    We note that we propose definitions for authorized user, medical 
societies, and hospital associations in section II.C below, and have 
already proposed a definition for combined data in section II.A above.
2. Limitations on the Qualified Entity Regarding Data Disclosure
    The statute places a number of limitations on the sale or provision 
of combined data and the provision of Medicare claims data by qualified 
entities, including generally barring the disclosure of beneficiary 
identifiable data obtained through the qualified entity program. 
Therefore, in keeping with our other proposals at Sec.  401.716(b)(3), 
we propose at Sec.  401.718(b)(1) to generally require that any 
combined data or Medicare claims data that is provided to an authorized 
user by a qualified entity under subpart G be beneficiary de-identified 
in accordance with the de-identification standards in the HIPAA Privacy 
Rule at 45 CFR 164.514(b). As noted above, we believe that the HIPAA 
Privacy Rule de-identification standard represents a widely accepted 
industry standard for de-identification, so we think its concepts are 
appropriate for adoption under the qualified entity program.
    We do recognize, however, that providers or suppliers with current 
treatment relationships with the patient subjects of such data may 
desire and benefit from receiving data that contains individually 
identifiable information about those patients. Therefore, we also 
propose an exception at Sec.  401.718(b)(2) that would allow a 
qualified entity to provide or sell patient identifiable combined data 
and/or provide patient identifiable Medicare claims data at no cost to 
an individual or entity that is a provider or supplier if the provider 
or supplier has a patient relationship with every patient about whom 
individually identifiable information is provided and the disclosure is 
consistent with applicable law.
    MACRA also requires qualified entities to bind the recipients of 
their data to a DUA that will govern the use and, where applicable, re-
disclosure of any data received through this program prior to the 
provision or sale of such data to an authorized user. Therefore, we 
further propose at Sec.  401.718(c), to require that a qualified entity 
impose certain contractually binding use/re-disclosure requirements as 
a condition of providing and/or selling combined data and/or providing 
Medicare claims data to an authorized user. The following section 
provides the proposed requirements for such DUAs between qualified 
entities and authorized users.
3. Data Use Agreement
    Section 501(a)(4) of MACRA requires execution of a DUA as a 
precondition to a qualified entity's provision or sale of data to an 
authorized user. The DUA must address the use and, if applicable, re-
disclosure of the data, and the applicable privacy and security 
requirements that must be established and maintained by or for the 
authorized user. The statute also imposes a number of other limitations 
on the authorized user. But, while CMS has authority to impose 
requirements on the qualified entity, we must rely upon the qualified 
entity to impose legally enforceable obligations on the authorized 
users.
    Therefore, in Sec.  401.713(a), we propose certain clarifying 
changes that will recognize that there are now two distinct DUAs in the 
qualified entity program--the CMS DUA, which is the agreement between 
CMS and a qualified entity, and what we will refer to as the QE DUA, 
which will be the legally binding agreement between a qualified entity 
and an authorized user. We are not proposing any changes to the 
requirements for the CMS DUA, but rather are clarifying that there are 
now two DUAs--the CMS DUA and the QE DUA.
    Furthermore, in Sec.  401.713(d), we propose a number of provisions 
that address the privacy and security of the combined data and/or the 
Medicare

[[Page 5403]]

claims data and/or non-public analyses that contain patient 
identifiable data. These provisions require the qualified entity to 
condition the disclosure of data on the imposition of contractually 
binding limits on the permissible uses and re-disclosures that can be 
made of the combined data and/or the Medicare claims data and/or non-
public analyses that contain patient identifiable data and/or any 
derivative data. Such contractually binding provisions would be 
included in the QE DUA.
    First, we propose to require that the QE DUA contain certain 
limitations on the authorized user's use of the combined data and/or 
Medicare claims data and/or non-public analyses that contain patient 
identifiable data and/or any derivative data. In Sec.  401.713(d)(1), 
we propose that the QE DUA limit authorized users' use of the combined 
data and/or Medicare claims data and/or non-public analyses that 
contain patient identifiable data and/or any derivative data to the 
purposes described in the first or second paragraph of the definition 
of ``health care operations'' under 45 CFR 164.501, or that which 
qualifies as ``fraud and abuse detection or compliance activities'' 
under 45 CFR 164.506(c)(4). If finalized, this means that authorized 
users would only be permitted to use the combined data and/or Medicare 
claims data and/or non-public analyses that contain patient 
identifiable data and/or any derivative data provided by the qualified 
entity for quality assessment and improvement activities, care 
coordination activities, including the review of provider or supplier 
performance, and/or for fraud, waste, and abuse detection and 
compliance purposes. We believe these uses need to be permitted to 
support quality improvement and care coordination activities, as well 
as efforts to ensure fraud, waste, and abuse detection and compliance, 
and that these uses should encompass the full range of activities for 
which the authorized users will legitimately need the combined data 
and/or Medicare claims data and/or non-public analyses that contain 
patient identifiable data and/or any derivative data. We also propose 
to require that all other uses and disclosures of combined data and/or 
Medicare claims data and/or non-public analyses that contain patient 
identifiable data and/or any derivative data be forbidden except to the 
extent a disclosure qualifies as a ``required by law'' disclosure.
    The statute also prohibits the authorized user from using the 
combined data and/or Medicare claims data for marketing purposes. We 
therefore propose at Sec.  401.713(d)(2) to require qualified entities 
to use the QE DUA to contractually prohibit the authorized users from 
using the combined data and/or Medicare claims data and/or non-public 
analyses that contain patient identifiable data and/or any derivative 
data for marketing purposes. As noted above, we propose to define 
``marketing'' as it is defined in the HIPAA Privacy Rule, but, given 
the statutory bar, we do not propose to adopt an exception to the bar 
for ``consent''-based marketing. As noted above, HIPAA provides well-
recognized standards for the appropriate use and disclosure of certain 
individually identifiable health information, and we believe that the 
HIPAA definition for ``marketing'' is appropriate for the qualified 
entity program as well. For additional information and guidance on the 
HIPAA Privacy Rule, including guidance on what constitutes marketing, 
please visit the HHS Office for Civil Rights Web site at https://www.hhs.gov/ocr/privacy/.
    Furthermore, we propose to require qualified entities' use of the 
QE DUA to address minimum privacy and security standards. CMS is 
committed to protecting the privacy and security of beneficiary-
identifiable data when it is disseminated, including when it is in the 
hands of authorized users. This is especially important as there are no 
guarantees that authorized users will be subject to the HIPAA Privacy 
and Security Rules. Therefore, we propose at Sec.  401.713(d)(3) to 
require qualified entities to contractually bind authorized users using 
the QE DUA to protect patient identifiable combined data and/or 
Medicare data, any patient identifiable derivative data, and/or non-
public analyses that contain patient identifiable data, with at least 
the privacy and security protections that would be required of covered 
entities and their business associates under HIPAA Privacy and Security 
Rules. Additional guidance on the Security rule can be found on the 
Office for Civil Rights Web site at https://www.hhs.gov/ocr/privacy/hipaa/. Such protections would apply when using, disclosing, or 
maintaining patient identifiable data, regardless of whether the 
authorized user is a HIPAA Covered Entity or business associate. In 
addition, we propose to require that the QE DUA contain provisions that 
require that the authorized user maintain written privacy and security 
policies and procedures that ensure compliance with these HIPAA-based 
privacy and security standards and the other standards required under 
this subpart for the duration of the QE DUA, or for so long as they 
hold combined data and/or Medicare claims data and/or non-public 
analyses that contain patient identifiable data and/or any derivative 
data that was subject to the QE DUA, should return/destruction of the 
combined data and/or Medicare claims data and/or non-public analyses 
that contain patient identifiable data and/or any derivative data not 
be feasible as of the expiration of the QE DUA.
    Furthermore, we propose to require that QE DUA provisions detailing 
such policies and procedures survive termination of the QE DUA, whether 
for cause or not. We believe that requiring compliance with these HIPAA 
Privacy and Security Rule concepts outside of the HIPAA context will 
provide the needed protection for the combined data, Medicare claims 
data, and/or non-public analyses that contain patient identifiable data 
and/or any derivative data provided or sold to authorized users under 
the qualified entity program.
    We also propose at Sec.  401.713(d)(7) to require that the 
qualified entity use the QE DUA to contractually bind an authorized 
user as a condition of receiving combined data and/or Medicare claims 
data and/or non-public analyses that contain patient identifiable data 
and/or any derivative data under the qualified entity program to notify 
the qualified entity of any violations of the QE DUA. Violations might 
include reportable breaches of data, such as those defined in the HIPAA 
Breach Rule, or other violations of QE DUA provisions. The QE DUA also 
will require the authorized user to fully cooperate in the qualified 
entity's effort to mitigate any harm that may result from such 
violations, as well as any assistance the qualified entity may request 
to fulfill the qualified entity's obligations under this subpart.
    We request comment on whether the proposed privacy and security 
requirements are appropriate and adequate, or whether there are more 
appropriate standards or additional protections that are advisable.
    MACRA section 105(a)(5) directs that any combined data, Medicare 
claims data, and/or non-public analyses that contain patient 
identifiable data and/or any derivative data provided or sold under 
this program to authorized users is to be non-public, and it requires 
the imposition of re-disclosure limitations on authorized users. Under 
those provisions, qualified entities may only permit providers and 
suppliers to re-disclose combined data and/or Medicare claims data and/
or non-public analyses that contain patient identifiable data and/or 
any derivative data for the

[[Page 5404]]

purposes of performance improvement and care coordination. We propose 
to require qualified entities to include provisions in their QE DUA 
that contractually limit the re-disclosure and/or linking of combined 
data, Medicare claims data, and/or non-public analyses that contain 
patient identifiable data and/or any derivative data provided or sold 
under this program.
    We therefore propose at Sec.  401.713(d)(4) to require that the 
qualified entity include a provision in its QE DUAs that prohibits the 
authorized user from re-disclosing or making public any combined data, 
Medicare claims data, and/or non-public analyses that contain patient 
identifiable data and/or any derivative data subject to QE DUA except 
as provided under the QE DUA. Furthermore, we propose at Sec.  
401.713(d)(5) to require that the qualified entity use the QE DUA to 
limit providers' and suppliers' re-disclosures to a covered entity 
pursuant to 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Therefore, a 
provider or supplier would only be permitted to re-disclose combined 
data, Medicare claims data, and/or non-public analyses that contain 
patient identifiable data and/or any derivative data, subject to the QE 
DUA, to a covered entity for activities focused on quality assessment 
and improvement, including the review of provider or supplier 
performance, or to a business associate of the provider or supplier. We 
also propose to require re-disclosure when required by law. We propose 
these limitations in an effort to ensure that the combined data, 
Medicare claims data, and/or non-public analyses that contain patient 
identifiable data will be protected in the hands of the downstream 
entity despite these regulations not reaching such individuals/entities 
directly. We believe that limiting downstream re-disclosures to 
entities that are subject to the HIPAA Privacy and Security rules will 
ensure that the combined data and/or Medicare claims data and/or non-
public analyses that contain patient identifiable data and/or any 
derivative data is appropriately maintained, used, and disclosed. We 
seek comment on whether the proposed re-disclosure requirements should 
be more restrictive or should be broadened to allow for additional re-
disclosure.
    We also propose to require qualified entities to impose a 
contractual bar using their QE DUA on the downstream recipients' 
linking of the re-disclosed combined data, Medicare claims data, and/or 
non-public analyses that contain patient identifiable data and/or any 
derivative data to any other identifiable source of information. The 
only exception to this general policy would be if a provider or 
supplier were to receive identifiable information limited to their/its 
own patients. We request comment on whether an authorized user should 
be permitted to link combined data, Medicare claims data, and/or non-
public analyses that contain patient identifiable data and/or any 
derivative data with other data sources, and whether the proposed 
provisions are adequate to protect the privacy and security of the 
combined data, Medicare claims data, and/or non-public analyses that 
contain patient identifiable data and/or any derivative data given to 
downstream users.

C. Authorized Users

1. Definition of Authorized User
    As discussed above, section 105(a)(1) of MACRA permits qualified 
entities to provide or sell non-public analyses to authorized users. In 
addition, section 105(a)(2) of MACRA permits qualified entities to 
provide or sell combined data, or to provide Medicare data at no cost, 
only to certain authorized users. These include providers, suppliers, 
medical societies, and hospital associations.
    Section 105(a)(9)(A) of MACRA defines authorized users as:
     A provider of services.
     A supplier.
     An employer (as defined in section 3(5) of the Employee 
Retirement Insurance Security Act of 1974).
     A health insurance issuer (as defined in section 2791 of 
the Public Health Service Act).
     A medical society or hospital association.
     Any entity not yet described in clauses (i) through (v) 
that is approved by the Secretary (other than an employer or health 
insurance issuer not described in clauses (iii) and (iv), respectively, 
as determined by the Secretary).
    We propose a definition for authorized user at Sec.  401.703(k) 
that is consistent with these statutory provisions. Specifically, we 
define an authorized user as: (1) A provider; (2) a supplier; (3) an 
employer; (4) a health insurance issuer; (5) a medical society; (6) a 
hospital association; (7) a health care professional association; or 
(8) a state agency.
    We also propose definitions for entities that are authorized users, 
but are not yet defined within this subpart. Therefore, we propose 
definitions for employer, health insurance issuer, medical society, 
hospital association, a healthcare professional association, and a 
state agency.
2. Definition of Employer
    We have proposed a definition for employer at Sec.  401.703(k) that 
is consistent with existing statutory provisions. Specifically, we 
propose to define an employer as having the same meaning as the term 
``employer'' defined in section 3(5) of the Employee Retirement 
Insurance Security Act of 1974. Under that provision, an employer means 
any person acting directly as an employer, or indirectly in the 
interest of an employer, in relation to an employee benefit plan; and 
includes a group or association of employers acting for an employer in 
such capacity.
3. Definition of Health Insurance Issuer
    We have also proposed a definition for health insurance issuer at 
Sec.  401.703(l) that is consistent with existing statutory provisions. 
Specifically, we propose to define a health insurance issuer as having 
the same meaning as the term ``health insurance issuer'' defined in 
section 2791(b)(2) of the Public Health Service Act. Under that 
provision, health insurance issuer means an insurance company, 
insurance service, or insurance organization (including an HMO) that is 
licensed to engage in the business of insurance in a State and is 
subject to State law that regulates insurance. Such term does not 
include a group health plan.
4. Definition of ``Medical Society''
    We propose to define ``medical society'' at Sec.  401.703(m) as a 
nonprofit organization or association that provides unified 
representation for a large number of physicians at the national or 
state level and whose membership is comprised of a majority of 
physicians.
    We conducted extensive research to develop this definition, 
including reviewing mission statements of national and state healthcare 
professional associations and medical societies, as well as state laws. 
While we were unable to identify a commonly recognized definition of 
``medical society,'' our research did reveal a number of common themes 
that shaped our proposed definition of medical society.
    We propose to define medical society as comprised of a majority of 
physicians, based on state law definitions around the practice of 
medicine. Although medical societies may also include non-physician 
members, due to the strong emphasis on physicians as practitioners of 
medicine, we propose that a medical society's

[[Page 5405]]

membership must be comprised of a majority of physicians. Medical 
societies often serve as the consensus voice of their members in 
matters related to their profession, the patient-physician 
relationship, and other issues pertaining to the practice of medicine. 
Therefore, we propose that medical societies be at the national or 
state level as we believe these larger groups will have the capacity to 
act on the data and analyses available through this program, and to do 
so in accordance with the statute and the implementing regulations.
    While we recognize that there are many local medical societies (for 
example, regional and county) performing similar functions to their 
national and state counterparts, we propose to maintain the definition 
of a medical society at the national or state level to reduce 
redundancy in the dissemination of data. State societies often serve as 
federations of local medical societies, and therefore, any use of the 
data by state societies could benefit their constituent local 
organizations.
    We also propose that these organizations be nonprofit as many of 
the existing medical societies are nonprofit organizations. In 
addition, because medical societies will be eligible to receive non-
public analyses and data, we believe it is important that these 
entities be nonprofit to ensure that data provided under this program 
are used to support quality improvement and assessment activities with 
their members rather than for profit driven purposes.
5. Definition of ``Hospital Association''
    We propose to define a ``hospital association'' at Sec.  401.703(n) 
as a nonprofit organization or association that provides unified 
representation for a large number of hospitals or health systems at a 
national or state level and whose membership is comprised of a majority 
of hospitals and health systems.
    For purposes of this definition, we propose to give hospitals the 
same meaning as SSA Sec.  1861(e), 42 U.S.C. 1395x(e). We propose to 
include health systems in this definition as our review of national and 
state hospital associations' member lists revealed that these larger 
organizations (that are generally comprised of healthcare facilities, 
such as surgical centers and long-term care facilities, as well as 
hospitals) were members. Due to their membership status in existing 
hospital associations, we find it appropriate to propose their 
inclusion into this definition. Hospital associations often serve as 
the consensus voice of their members in matters related to their 
facilities, quality and affordability of services, and other issues 
regarding the provision of health care. Therefore, we propose that 
hospital associations at the national or state level be included in 
this definition as we believe that these larger groups will have the 
capacity to act on the data, and to do so in accordance with the 
statute and implementing regulations.
    While we recognize that there are many local hospital associations 
(for example, regional and county) performing similar functions to 
their national and state counterparts, we propose to maintain the 
definition at the national or state level to reduce redundancy. State-
level hospital associations are often affiliated with those local 
associations, and therefore, any use of the data by state hospital 
associations could benefit those affiliated associations.
    We also propose that these organizations be nonprofit as many of 
the existing hospital associations are nonprofit organizations. In 
addition, because hospital associations will be eligible to receive 
non-public analyses and data, we believe it is important that these 
entities be nonprofit to ensure that data provided under this program 
are used to support quality improvement and assessment activities with 
their members rather than for profit driven purposes.
6. Definition of ``Healthcare Provider and/or Supplier Association''
    We recognize that within the field of health care, there are many 
other suppliers and providers beyond physicians, hospitals, and health 
systems. These entities also form organizations for the betterment of 
their professions and to improve the quality of patient care. We 
believe these types of entities would also benefit from the opportunity 
to purchase or receive non-public analyses and data from qualified 
entities.
    While the term ``healthcare professional association'' is not 
specifically included in the definition of authorized user, the 
Secretary, in the exercise of her discretion pursuant to section 
105(a)(9)(A)(vi) of MACRA, proposes to include these organizations as 
authorized users. Therefore, we propose to define ``healthcare provider 
and/or supplier association'' at Sec.  401.703(o) as a nonprofit 
organization or association that represents suppliers and providers at 
the national or state level and whose membership is comprised of a 
majority of suppliers or providers. Similar to the themes that emerge 
for medical societies and hospital associations, we believe these 
organizations and associations often serve as the consensus voice of 
their members in matters related to their respective professions, and 
that representation at the national or state level is most appropriate 
as we believe that these larger groups will