Medicare Program: Expanding Uses of Medicare Data by Qualified Entities, 44455-44482 [2016-15708]
Vol. 81, No. 130
Thursday, July 7, 2016
Part III
Department of Health and Human Services
Centers for Medicare & Medicaid Services
42 CFR Part 401
Medicare Program: Expanding Uses of Medicare Data by Qualified Entities;
Final Rule
Federal Register / Vol. 81, No. 130 / Thursday, July 7, 2016 / Rules and Regulations
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Medicare & Medicaid
Services
42 CFR Part 401
[CMS–5061–F]
RIN 0938–AS66
Medicare Program: Expanding Uses of
Medicare Data by Qualified Entities
AGENCY: Centers for Medicare &
Medicaid Services (CMS), HHS.
ACTION: Final rule.
SUMMARY: This final rule implements
requirements under Section 105 of the
Medicare Access and CHIP
Reauthorization Act of 2015 that expand
how qualified entities may use and
disclose data under the qualified entity
program to the extent consistent with
applicable program requirements and
other applicable laws, including
information, privacy, security and
disclosure laws. This rule also explains
how qualified entities may create non-public analyses and provide or sell such
analyses to authorized users, as well as
how qualified entities may provide or
sell combined data, or provide Medicare
claims data alone at no cost, to certain
authorized users. In addition, this rule
implements certain privacy and security
requirements, and imposes assessments
on qualified entities if the qualified
entity or the authorized user violates the
terms of a data use agreement required
by the qualified entity program.
DATES: These regulations are effective
on September 6, 2016.
FOR FURTHER INFORMATION CONTACT:
Allison Oelschlaeger, (202) 690–8257.
Kari Gaare, (410) 786–8612.
SUPPLEMENTARY INFORMATION:
I. Background
On April 16, 2015, the Medicare
Access and CHIP Reauthorization Act of
2015 (MACRA) (Pub. L. 114–10) was
enacted. The law included a provision,
Section 105, Expanding the Availability
of Medicare Data, which takes effect on
July 1, 2016. This section expands how
qualified entities will be allowed to use
and disclose data under the qualified
entity program, including data subject to
section 1874(e) of the Social Security
Act (the Act), to the extent consistent
with other applicable laws, including
information, privacy, security and
disclosure laws.
The Qualified Entity program was
established by Section 10332 of the
Patient Protection and Affordable Care
Act (Affordable Care Act) (Pub. L. 111–148).
The implementing regulations,
which became effective January 6, 2012,
are found in subpart G of 42 CFR part
401 (76 FR 76542). Under those
provisions, CMS provides standardized
extracts of Medicare Part A and B claims
data and Part D drug event data
(hereinafter collectively referred to as
Medicare claims data) covering one or
more geographic regions to qualified
entities at a fee equal to the cost of
producing the data. Under the original
statutory provisions, such Medicare
claims data must be combined with
other non-Medicare claims data and
may only be used to evaluate the
performance of providers and suppliers.
The measures, methodologies and
results that comprise such evaluations
are subject to review and correction by
the subject providers and suppliers,
after which the results are to be
disseminated in public reports.
Those wishing to become qualified
entities are required to apply to the
program. Currently, fourteen
organizations have applied and received
approval to be a qualified entity. Of
these organizations, two have completed
public reporting while the other twelve
are in various stages of preparing for
public reporting. While we have been
pleased with the participation in the
program so far, we expect that the
changes required by MACRA will
increase interest in the program.
Under section 105 of MACRA,
effective July 1, 2016, qualified entities
will be allowed to use the combined
data and information derived from the
evaluations described in 1874(e)(4)(D) of
the Act to conduct non-public analyses
and provide or sell these analyses to
authorized users for non-public use in
accordance with the program
requirements and other applicable laws.
In highlighting the need to comply with
other applicable laws, we particularly
note that any qualified entity that is a
covered entity or business associate as
defined in the Health Insurance
Portability and Accountability Act of
1996 (‘‘HIPAA’’) regulations at 45 CFR
160.103 will need to ensure compliance
with any applicable HIPAA
requirements, including the restriction
on the sale of protected health
information (PHI) without authorization
at 45 CFR 164.502(a)(5)(ii).
In addition, qualified entities will be
permitted to provide or sell the
combined data, or provide the Medicare
claims data alone at no cost, again, in
accordance with the program
requirements and other applicable laws,
to providers, suppliers, hospital
associations, and medical societies.
Qualified entities that elect to provide
or sell analyses and/or data under these
new provisions will be subject to an
assessment if they or the authorized
users to whom they disclose patient-identifiable data in the form of analyses
or raw data act in a manner that violates
the terms of a program-required
Qualified Entity Data Use Agreement
(QE DUA). Furthermore, qualified
entities that make analyses or data
available under these new provisions
will be subject to new annual reporting
requirements to aid CMS in monitoring
compliance with the program
requirements. These new annual
reporting requirements will only apply
to qualified entities that choose to
provide or sell non-public analyses and/
or provide or sell combined data, or
provide Medicare claims data alone at
no cost.
We believe these changes to the
qualified entity program will be
important in driving higher quality,
lower cost care in Medicare and the
health system in general. We also
believe that these changes will increase
interest in the qualified entity program,
leading to more transparency regarding
provider and supplier performance and
innovative uses of data that will result
in improvements to the healthcare
delivery system while still ensuring
appropriate privacy and security
protections for beneficiary-identifiable
data.
II. Provisions of the Proposed
Regulations and Responses to Public
Comments
In the February 2, 2016 Federal
Register (81 FR 5397), we published the
proposed rule entitled, ‘‘Expanding
Uses of Medicare Data by Qualified
Entities.’’ We provided a 60-day public
comment period.
In the proposed rule, to implement
the new statutory provisions of section
105 of MACRA, we proposed to amend
and make conforming changes to part
401, subpart G, ‘‘Availability of
Medicare Data for Performance
Measurement.’’ We received
approximately 50 comments on the
proposed rule from a wide variety of
individuals and organizations. Many of
the comments were from providers or
suppliers, or organizations representing
providers and suppliers. We also
received a number of comments from
organizations engaged in performance
measurement or data aggregation, some
of whom are already qualified entities
and others who may apply to be
qualified entities in the future. Other
comments came from registries, state
Medicaid agencies, issuers, and
individuals.
Many of the comments were positive
and praised CMS for the proposed
changes to the qualified entity program.
Commenters also had a range of
suggestions for changes to program
requirements around the provision or
sale of non-public analyses and data.
We received a number of comments on
expanding the data available to
qualified entities to include claims data
under Medicaid and the Children’s
Health Insurance Program (CHIP). In
addition, we received a number of
comments on the disclosure of data to
qualified clinical data registries for
quality improvement and patient safety
activities.
A more detailed summary of the
public comments and our responses can
be found below in the appropriate
sections of this final rule.
A. Non-Public Analyses
In accordance with Section 105(a)(1)
of MACRA, we proposed to allow for
the qualified entity’s use of the
combined data or information derived
from the evaluations described in
section 1874(e)(4)(D) of the Act to create
non-public analyses and provide for the
provision or sale of these analyses to
authorized users in accordance with the
program requirements discussed later in
this section, as well as other applicable
laws.
Comment: Commenters generally
supported the proposal to allow
qualified entities to create non-public
analyses and either provide or sell these
analyses. One commenter suggested that
CMS expressly state at § 401.716(a) that
qualified entities may provide or sell the
non-public analyses. Another
commenter recommended that CMS
clarify that the non-public analyses are
not subject to discovery or admittance
into evidence in any judicial or
administrative proceeding.
Response: We thank commenters for
their support of the provision or sale of
non-public analyses. Since the intent of
this section is to allow qualified entities
to both provide and sell non-public
analyses in accordance with program
requirements and other applicable laws,
we have made changes to the regulation
text to expressly state as much.
The statute, at 1874(e)(4)(D) of the
Act, explicitly states, ‘‘data released to
a qualified entity under this subsection
shall not be subject to discovery or
admission as evidence in judicial or
administrative proceedings without
consent of the applicable provider or
supplier.’’ We believe this statutory
shield only applies to data released to
the qualified entity under 1874(e) and
when that data is in the possession of
the qualified entity. Once the Medicare
data is used to create non-public
analyses and those non-public analyses
are shared with authorized users, we do
not believe the statutory shield applies.
1. Additional Analyses
In the proposed rule, we defined
combined data as a set of CMS claims
data provided under subpart G
combined with a subset of claims data
from at least one of the other claims data
sources described in § 401.707(d). We
did not propose to establish a minimum
amount of data that must be included in
the combined data set from other
sources.
Comment: We received numerous
comments on the definition of
combined data. Many commenters
recommended that CMS alter the
definition of combined data to allow
qualified entities to combine the
Medicare data with clinical data for the
creation of non-public analyses. These
commenters stated that clinical data can
help facilitate more appropriate
analyses of provider resource use than
just claims data alone. One commenter
suggested that the definition of
combined data also include consumer,
socio-demographic, and other types of
patient and provider-level data. Other
commenters suggested that CMS clarify
that combined data must, at a minimum,
be comprised of CMS claims data
merged with claims data from other
sources, but other data may also be
included in this combined data. One
commenter agreed with the proposed
definition of combined data.
Response: Section 105(a)(1)(A) of
MACRA requires that the non-public
analyses be based on the combined data
described in 1874(e)(4)(B)(iii) as ‘‘data
made available under this subsection
with claims data from sources other
than claims data under this title’’. Given
these statutory limitations, we do not
believe we can modify the definition of
combined data.
However, we do recognize the value
of combining claims data with clinical
data for the development of non-public
analyses and believe the use of clinical
data in non-public analyses can
significantly improve the value of these
analyses to support quality and patient
improvement activities. Clinical data,
such as laboratory test results or
radiology and pathology reports, can
add useful information about a patient’s
chronic condition burden, health status,
and other factors that are not available
in claims data. We can also see some
value in combining consumer, socio-demographic, and other types of patient
and provider level data with the
Medicare data. As a result, we do want
to clarify that combined data requires at
a minimum that the CMS claims data be
combined with other sources of claims
data, but that this does not prevent the
qualified entity from merging other data
(for example, clinical, consumer, or
socio-demographic data) with the
combined data for the development of
non-public analyses.
Comment: Several commenters
suggested that CMS require qualified
entities to make public a list of the
claims data it receives from CMS and
the data it intends to combine with the
CMS claims data for non-public
analyses. One commenter suggested that
this public release of information also
include the percent of the cohort for
analysis that each source is
contributing.
Response: We are very committed to
greater data transparency and all
qualified entities are required to
publicly report on provider performance
as part of their participation in the
program. However, we do not see
significant value in requiring qualified
entities to publicly report on the other
sources of data used in non-public
analyses since the analyses themselves
will not be released publicly.
Comment: Several commenters stated
that they supported the proposal not to
establish a threshold for the minimum
amount of data that must be included in
the combined data set from other
sources.
Response: We thank commenters for
their support.
Comment: A few commenters
recommended that the requirement to
use combined data not preclude
Medicare-only analyses. These
commenters stated that Medicare-only
analyses such as segmenting provider
and supplier performance evaluations
by payer type or conducting
longitudinal analysis of differences in
cost and quality for certain conditions
by payer type would have significant
value for many authorized users.
Response: We recognize the value of
Medicare-only analyses, especially to
help providers and suppliers
understand how quality and costs differ
across their patient population. In
addition, as the CMS Innovation Center
continues to develop and test new
models of care, qualified entities may
play a role in conducting analyses to
help providers and suppliers better
manage patient outcomes and costs
under a different payment model. As a
result, we want to clarify that the
requirement to use combined data does
not prevent qualified entities from
providing or selling analyses that allow
the authorized user to drill down by
payer type to Medicare-only results. For
example, a qualified entity may provide
or sell a provider a report that includes
the provider’s overall score on certain
quality and resource use measures
(using combined data) and then presents
scores for each of these measures by
payer type (including a Medicare fee-for-service category).
2. Limitations on the Qualified Entities
With Respect to the Sale and Provision
of Non-Public Analyses
In accordance with section 105(a)(1)
of MACRA, we proposed a number of
limitations on qualified entities with
respect to the sale and provision of non-public analyses.
First, we proposed to limit qualified
entities to only providing or selling non-public analyses to issuers after the
issuer provides the qualified entity with
claims data that represents a majority of
the issuers’ covered lives in the
geographic region and during the time
frame of the non-public analyses
requested by the issuer.
Comment: Many commenters
supported the requirement of issuers to
submit data to the qualified entity in
order to receive analyses, but
commenters had differing
recommendations on the threshold of a
majority of the issuers’ covered lives. A
number of commenters stated that CMS
should not impose a threshold on the
amount of data issuers must submit to
a qualified entity to receive analyses.
These commenters stated that the
responsibility to ensure appropriate
sample size for analyses should rest
with the qualified entity. However,
another commenter recommended that
CMS require an issuer to provide the
qualified entity with data on all of its
covered lives for the geographic region
and during the time frame of the non-public analyses requested. This
commenter stated that requiring 100
percent of an issuer’s covered lives
would allow for more complete
analyses. One commenter supported the
threshold of the majority of an issuer’s
covered lives, but stated that CMS
should allow a health insurance issuer
to request a non-public analysis for a
geographic region outside the issuer’s
area of coverage, provided the issuer
supplies claims data for a majority of
the covered lives for the time period
requested in all regions where it
provides coverage. This commenter
noted that analyses for other geographic
regions may be beneficial to smaller,
regional health insurance issuers
interested in cost and utilization in a
comparable region or looking to expand
their areas of coverage. Another
commenter supported the threshold, but
recommended that CMS create an
exceptions process for cases where
legitimate and important analyses, such
as identifying providers treating orphan
diseases or analysis fundamental for a
health plan issuer to enter a new
market, could not meet the
proposed threshold. Finally, one
commenter stated that CMS should
allow qualified entities discretion to
provide or sell analyses to health
insurance issuers who have made a
good faith commitment to providing the
qualified entity with claims data that
represents a majority of the health
insurance issuer’s covered lives by a
certain future date.
Response: As we stated in the
proposed rule, we considered not
applying a threshold on the amount of
data being provided by the issuer, but
decided that specifying a threshold
would encourage issuers to submit data
to the qualified entity to be included in
the public performance reports,
increasing the reports’ reliability. We
believe this rationale still applies, and
we still believe that there are a number
of situations where requiring the issuer
to provide 100 percent of their data for
a given time period and geographic
region is not feasible for the issuer.
Based on comments, we revisited
whether, on balance, requiring issuers to
submit data that represents a majority of
their covered lives in the geographic
region and during the time frame of the
non-public analyses requested by the
issuer is generally the most appropriate
threshold. In doing so, we recognized
that in some cases an issuer may wish
to have analyses for a geographic region
where it does not provide coverage.
However, we believe that in those
instances the issuer should not be able
to receive analyses due to the
requirement at section 105(a)(1)(B)(ii) of
MACRA, that a qualified entity may
only provide or sell analyses to issuers
that have provided the qualified entity
with data. Therefore, we are modifying
our proposed requirement around the
issuer’s claims data submission
threshold to clarify that qualified
entities may not provide or sell analyses
to issuers when the analyses include
geographic areas where the issuer does
not offer coverage.
We would like to clarify, however,
that the requirement that an issuer
provide the qualified entity with claims
data for at least 50 percent of its covered
lives for the time period and geographic
region covered by the analyses does not
mean that all analyses provided or sold
to the issuer would need to be based on
analyses that considered at least 50
percent of the issuers’ covered lives. So
long as Medicare data is combined with
other claims data to create the analyses,
certain analyses, such as those on rare
diseases, could be based only on a
subset of the Medicare claims data and
other claims data collected by the
qualified entity. For example, an issuer
could provide data for at least 50
percent of their covered lives for the
time period and geographic region of the
non-public analyses to a qualified
entity. The qualified entity could then
use a subset of that data, such as
patients with a specific rare disease,
combine it with Medicare data for
patients with that rare disease, and
provide or sell analyses about patients
with the rare disease to the issuer. We
would like to note, however, that
qualified entities will need to be careful
when producing analyses for issuers
based on small populations and limited
claims data to ensure that the resulting
analyses truly are patient de-identified.
We understand the desire to create an
exceptions process to allow issuers who
do not contribute a majority of their
covered lives in the geographic region
and during the timeframe of the non-public analyses requested by the issuer
to receive analyses. However, we
believe that imposing a standard
threshold for issuer covered lives across
all qualified entities and issuers is the
simplest and least administratively
burdensome method to ensure equal
treatment of qualified entities and
issuers under this program.
We also understand the interest in
allowing qualified entities to provide or
sell analyses to health insurance issuers
who have made a good faith
commitment to provide the qualified
entity with claims data for the majority
of their covered lives in the geographic
region and during the time frame of the
non-public analyses requested by the
issuer. However, we believe that this
type of policy could reduce the
incentives for issuers to share their data
with the qualified entity.
Comment: Several commenters
recommended that CMS provide
additional clarity around the
requirements for issuers’ claims data
submissions to the qualified entity. One
commenter stated that qualified entities
should be allowed to meet the covered
lives threshold regardless of whether
they have obtained the claims
information directly from the issuer or
indirectly from a third party. Several
commenters recommended that CMS
provide additional details on the term
covered lives to clarify how this would
be assessed in certain circumstances,
such as when an issuer is a secondary
payer or a member is not enrolled for a
full year.
Response: Qualified entities may only
provide or sell analyses to an issuer if
it receives claims data from the issuer.
Such data can be provided directly by
the issuer, or it can be submitted on the
issuer’s behalf by an issuer’s business
associate. Regardless, the qualified
entity is responsible for ensuring that
the issuer or the issuer’s business
associate is truly providing the qualified
entity with claims data for a majority of
the issuer’s covered lives in the
geographic region and during the
timeframe of the non-public analyses
requested by the issuer.
We recognize the desire to allow use
of data from other sources to meet the
issuer’s claims submission threshold.
However, due to the statutory limits on
to whom the qualified entity may
release patient identifiable data, we do
not believe it would be possible for an
issuer to ever verify whether the data
the qualified entity holds is
representative of the majority of the
issuer’s covered lives in the applicable
geographic region during the applicable
time frame unless the issuer or its
business associate was the source of
such data.
Regarding the definition of covered
lives, we recognize that there is no
commonly accepted definition of
covered lives. We plan to rely on the
methods of calculating covered lives
established in regulations promulgated
by the Internal Revenue Service (IRS) in
December of 2012. These regulations at
26 CFR 46.4375–1(c)(2) offer issuers
four methods for calculating the average
number of lives covered under a
specified health insurance policy—(1)
the actual count method, (2) the
snapshot method, (3) the member
months method, and (4) the state form
method—and provide both the
calculation method and an example for
each of the four methods for counting
covered lives. These calculations all
only apply to health insurance policies
and we would like to clarify that the
calculation of covered lives for purposes
of the qualified entity program does not
include dental, disability, or life
insurance policies. We have modified
the regulatory text at § 401.716(b)(1) to
refer directly to the IRS regulations.
Second, we proposed that except
when patient-identifiable non-public
analyses are shared with the patient’s
provider or supplier, all non-public
analyses must be patient de-identified
using the de-identification standards in
the HIPAA Privacy Rule at 45 CFR
164.514(b). Additional information on
the HIPAA de-identification standards
can be found on the HHS Office for Civil
Rights Web site at https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/. We
also proposed a definition for patient.
Comment: Many commenters stated
that they agreed with CMS’ proposal
that analyses must be de-identified
unless the recipient is the patient’s
provider or supplier. One commenter
suggested that CMS allow other
authorized users to receive patient-identifiable analyses, stating that
patient-identifiable data will be equally
valuable to the additional proposed
authorized users, and that patients can
also directly benefit from the sharing of
patient-identifiable data beyond
suppliers and providers.
Response: We thank commenters for
their support. While we can see some
advantages to sharing patient-identifiable analyses with other types of
authorized users, the statutory language
at Section 105(a)(3)(B) of MACRA states
that analyses may not contain any
information that individually identifies
a patient unless the analyses are
provided or sold to the patient’s
provider or supplier. Given the statutory
requirements, we are finalizing our
proposal that patient-identifiable
analyses should only be shared with the
patient’s provider or supplier.
Comment: Many commenters stated
that they agreed with the proposal to
use the de-identification standards in
the HIPAA Privacy Rule. However, one
commenter suggested that CMS modify
the HIPAA de-identification standards
to allow inclusion of full patient five-digit zip code without population
thresholds and inclusion of the month
element for all dates directly related to
a patient, including date of death but
excepting date of birth. This commenter
stated that this additional information
would empower providers and
suppliers to fully evaluate their care and
quality improvement efforts on a timely
and ongoing basis with insight into
geographic and temporal factors and
patterns.
Response: The framework for de-identification that is described in the
HIPAA Privacy Rule represents an
industry standard for de-identification
of health information. Additional
information on the HIPAA de-identification standards can be found on
the HHS Office for Civil Rights Web site
at https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/. We believe
that modifying this framework for the
purposes of the qualified entity program
would be likely to create confusion
among qualified entities and authorized
users, many of whom are or will be
HIPAA covered entities or their
business associates.
Comment: One commenter noted a
technical issue at § 401.716(b)(3) where
the text inappropriately referenced
§ 401.716(c)(2). One commenter
suggested CMS clarify whether the data
used in the analysis needs to be de-identified
at the time of the analysis or
whether the analysis itself has to be de-identified at the time it is shared with
an authorized user.
Response: We thank the commenter
for noting this technical issue and have
fixed the reference to § 401.716(b)(2).
We would also like to clarify that the
data used by the qualified entity to
conduct the analyses does not need to
be de-identified, but the analyses must
be patient de-identified before they are
shared with or sold to an authorized
user unless the recipient is the patient’s
provider or supplier.
Comment: We received a number of
comments on the definition of a patient.
Many commenters stated that the time
period of 12 months for a face-to-face or
telehealth appointment was not
sufficient. One commenter
recommended extending the period to
18 months, while several other
commenters suggested a timeframe of 24
months. These commenters noted that
stabilized patients do not necessarily
visit their physician every year. Another
commenter suggested that a patient be
defined as an individual who has
visited the provider or supplier at least
once during the timeframe for which the
analysis is being conducted.
Response: We acknowledge that
healthy patients may not visit a provider
or supplier every year. As a result, we
are changing the definition of a patient
to have a timeframe of the past 24
months for a face-to-face or telehealth
appointment.
Comment: One commenter
recommended that the definition of a
patient be expanded beyond an
affiliation with a provider or supplier to
an affiliation with an issuer, employer,
or state agency or any other authorized
user.
Response: As noted above, we believe
Section 105(a)(3)(B) of MACRA only
permits patient-identifiable information
to be shared by a qualified entity with
the patient’s provider or supplier.
Third, we proposed to bar qualified
entities’ disclosure of non-public
analyses that individually identify a
provider or supplier unless: (a) The
analysis only individually identifies the
singular recipient of the analysis or (b)
each provider or supplier who is
individually identified in a non-public
analysis that identifies multiple
providers/suppliers has been afforded
an opportunity to review the aspects of
the analysis about them, and, if
applicable, request error correction. We
describe the proposed appeal and error
correction process in more detail in
section II.A.4 below.
Comment: Several commenters
recommended that providers and
suppliers should not have the
opportunity to review and request error
correction for analyses that individually
identify the provider or supplier. These
commenters noted in particular that
analyses identifying fraud or abuse
should not be reviewed by the provider
in advance of being shared with the
authorized user. One commenter
suggested that a review and error
corrections process for non-public
reports only be triggered when a
provider or supplier is individually
identified and his or her performance is
evaluated in the manner described in
section 1874(e)(4)(C). Another
commenter recommended that when a
group of providers are identified as part
of a practice group (that is, part of the
same Tax Identification Number), and
prior consent by the providers has been
obtained, the practice group should be
considered the entity that can receive
analyses for the individual providers in
the practice.
Response: We believe that Section
105(a)(6) of MACRA requires that
qualified entities allow providers and
suppliers an opportunity to review
analyses that individually identify the
provider or supplier and, when needed,
request error
correction in the analyses. In addition,
regardless of the statutory requirements,
we believe that providers and suppliers
should not be evaluated by a qualified
entity without having a chance to
review and, when needed, request error
correction in the analyses. For example,
it would not be fair for an issuer to
move a provider to a different network
tier based on analyses that did not
correctly attribute patients to that
provider. We recognize that the review
and corrections process may lead to
some limitations in the development of
certain types of analyses, such as those
identifying fraud and abuse. However,
we believe that creating different
standards for different types of analyses
would be too administratively complex
to implement, and could create tensions
between providers and suppliers and
qualified entities over whether an
analysis warranted review by the
provider or supplier before it was
shared with an authorized user.
However, we recognize that in many
cases providers or suppliers may wish
to allow certain authorized users to
receive analyses without the need for a
review process. For example, clinicians
that are part of a group practice may
want to allow their practice manager,
who may be functioning as the
clinician’s business associate, to receive
analyses without first going through a
provider/supplier review or being
subject to a request for correction. We
believe that the decision about who
should be able to receive analyses that
individually identify a provider or
supplier without such review and
opportunity to correct should rest with
the individual provider or supplier. As
a result, we are adding a third exception
to the bar on disclosure of non-public
analyses that individually identify a
provider or supplier to allow providers
or suppliers to designate, in writing, the
authorized user(s) that may receive
analyses from the qualified entity
without first giving the provider or
supplier individually identified in the
analysis/es the opportunity to review
the analyses, and, if applicable, request
error correction.
Comment: One commenter
recommended that CMS add clarity to
what it means to ‘‘individually identify’’
a provider or supplier and stated that
the definition should indicate that to
individually identify means to use
direct identifiers such as name or
provider number for a provider or
supplier that is an individual person.
This commenter suggested that naming
a physician group or clinic that is not
itself a provider or supplier (but that
may be comprised of individual
providers or suppliers) would not count
as individually identifying a provider or
supplier. Another commenter suggested
that the review and corrections process
only apply to the entity that the
analyses focus on. For example, if the
qualified entity is conducting analyses
of episodes of care for patients with
joint replacement at a given hospital,
the analyses may include findings on
many different providers and suppliers,
such as surgeons, skilled nursing
facilities, home health agencies, and
others. In this case, the commenter
recommended that only the hospital be
given the opportunity to review and
request correction of errors.
Response: Regardless of whether they
are an individual clinician, group
practice, or facility and regardless of
whether they are the direct subject of
the report, we believe section 105(a)(6)
of MACRA requires that qualified
entities allow providers and suppliers
the opportunity to review and request
correction of errors in analyses that
identify the provider or supplier. Group
practice and facility-level providers and
suppliers, as well as those indirectly
evaluated in analyses, face as much
reputational harm from the
dissemination of incorrect information
about care delivery and costs as
individual clinicians or those directly
evaluated in the analyses. We have
added language to clarify this
requirement at § 401.716(b)(4).
Comment: One commenter suggested
that CMS implement a process to
proactively educate providers and
suppliers regarding the review,
corrections, and appeals process for
non-public analyses.
Response: We believe that many
qualified entities that decide to disclose
analyses that individually identify a
provider or supplier will choose to do
an education campaign with providers
and suppliers in their region to ensure
that any necessary review and error
correction processes go smoothly. This
will allow the qualified entity to build
a direct relationship with the provider
or supplier. In addition, since providers
and suppliers are one of the types of
authorized users that qualified entities
can provide or sell non-public analyses
and data to, we believe that qualified
entities will proactively attempt to build
strong relationships with the provider
and supplier community in their region.
As a result, while we see a small role
for CMS to play in educating providers
and suppliers about the review and
error correction process through our
usual provider outreach channels, we
believe qualified entities will play the
main role in provider and supplier
education about the review, corrections,
and appeals process.
Comment: Several commenters
suggested additional limitations that
CMS should impose on qualified
entities with respect to the disclosure of
non-public analyses. One commenter
recommended that CMS require
qualified entities to provide authorized
users with a detailed methodology of
statistical analyses to ensure their
validity. This commenter also stated
that CMS should require qualified
entities to follow an appropriate
methodology in attributing costs to
providers. Another commenter
suggested that evaluations of physician
performance should be required to have
data from at least two sources.
Response: With regard to the
suggestions around statistical validity
and cost attribution, we believe that
these are issues that the qualified entity
should discuss directly with the
authorized user who is receiving or
purchasing the analyses. We expect that
most, if not all, authorized users will
expect the qualified entity to include
some description of the methodology for
the analyses along with the report, but
that the level of detail and content
needed by each authorized user may
vary. In addition, authorized users may
have different ideas about the most
appropriate method for cost attribution
and we believe that they should be able
to work with the qualified entity to
make a determination for how to
attribute costs to providers and
suppliers. On the issue of requiring at
least two sources of data, we believe
that section 105(a)(1)(A) of MACRA
requires that the non-public analyses be
based on the combined data described
in 1874(e)(4)(B)(iii) as ‘‘data made
available under this subsection with
claims data from sources other than
claims data under this title’’.
3. Limitations on the Authorized User
We proposed to require the qualified
entity’s use of legally binding
agreements with any authorized users to
whom it provides or sells non-public
analyses. For non-public analyses that
only include patient de-identified data,
we proposed to require the qualified
entity to enter into a contractually
binding non-public analyses agreement
with any authorized users as a precondition to providing or selling such
non-public analyses.
Comment: Several commenters stated
that they supported the use of a legally
binding agreement between the
qualified entity and the authorized user.
One commenter suggested that CMS
develop a standard non-public analyses
agreement for qualified entities to use
with authorized users.
Response: We thank commenters for
their support of this proposal. We
believe that many qualified entities will
have existing agreements with
authorized users that cover the use and
disclosure of analyses related to their
claims data from other sources. While
there may be some value in providing
organizations new to this type of work
a template for the agreement, we believe
that qualified entities would be better
served by engaging with their own legal
counsel to ensure the agreement meets
their specific needs.
For non-public analyses that include
patient identifiable data, we proposed to
require the qualified entity to enter into
a qualified entity Data Use Agreement
(QE DUA) with any authorized users as
a pre-condition to providing or selling
such non-public analyses. As we also
proposed to require use of the QE DUA
in the context of the provision or sale
of combined data, or the provision of
Medicare data at no cost, we discuss our
proposals related to the QE DUA and
associated comments in the data
disclosure discussion in section II.B
below.
Requirements in the Non-Public
Analyses Agreement
The statute generally allows qualified
entities to provide or sell their non-public analyses to authorized users for
non-public use, but it bars use or
disclosure of such analyses for
marketing (see section 105(a)(3)(c) of
MACRA). We proposed additional
limits on the non-public analyses, given
the expansive types of non-public
analyses that could be conducted by the
qualified entities if no limits are placed
on such analyses, and the potential
deleterious consequences of some such
analyses.
First, we proposed that the non-public
analyses agreement require that non-public analyses conducted using
combined data or the information
derived from the evaluations described
in section 1874(e)(4)(D) of the Act may
not be used or disclosed for the
following purposes: Marketing, harming
or seeking to harm patients and other
individuals both within and outside the
healthcare system regardless of whether
their data are included in the analyses
(for example, an employer using the
analyses to attempt to identify and fire
employees with high healthcare costs),
or effectuating or seeking opportunities
to effectuate fraud and/or abuse in the
healthcare system (for example, a
provider using the analyses to identify
ways to submit fraudulent claims that
might not be caught by auditing
software). We also proposed to adopt
the definition of marketing at 45 CFR
164.501 in the HIPAA Privacy Rule.
Comment: Many commenters stated
that they supported the proposed
restrictions on the use of the non-public
analyses. One commenter suggested that
CMS provide greater clarification on
what would constitute harm to patients
and other individuals both within and
outside the healthcare system. This
commenter suggested that harm should
include activities that would create
overly tiered networks that could
exclude high quality providers, as well
as efforts to limit patient access to
certain treatments or drugs or steer
patients to certain practices based solely
on cost.
Response: We thank commenters for
their support of the restrictions on the
use of the analyses. On further
consideration, we agree that the
industry may benefit from additional
guidance regarding these restrictions.
Therefore, we anticipate providing
additional sub-regulatory guidance on
the standards adopted in this rule for
the Qualified Entity Certification
Program Web site at https://
www.qemedicaredata.org/SitePages/
home.aspx.
As we did not receive any comments
on the proposed definition of marketing,
we will finalize the definition without
modification.
Second, in accordance with section
105(a)(1)(B)(i) of MACRA, we proposed
to require that any non-public analyses
provided or sold to an employer may
only be used by the employer for the
purposes of providing health insurance
to employees and retirees of the
employer. We also further proposed that
if the qualified entity is providing or
selling non-public analyses to an
employer that this requirement be
included in the non-public analyses
agreement. We did not receive any
comments on this proposal, so are
finalizing it without modification.
We also proposed to require qualified
entities to include in the non-public
analysis agreement a requirement to
limit re-disclosure of non-public
analyses or derivative data to instances
in which the authorized user is a
provider or supplier, and the re-disclosure is as a covered entity would
be permitted under 45 CFR
164.506(c)(4)(i) or 164.502(e)(1).
Accordingly, a provider or supplier may
only re-disclose -identifiable health
information to a covered entity for the
purposes of the covered entity’s quality
assessment and improvement or for the
purposes of care coordination activities,
where that entity has a patient
relationship with the individual who is
the subject of the information, or to a
business associate of such a covered
entity under a written contract. We also
generally proposed to require qualified
entities to use a non-public analyses
agreement to explicitly bar authorized
users that are not providers or suppliers
from re-disclosure of the non-public
analyses or any derivative data except to
the extent a disclosure qualifies as a
‘‘required by law’’ disclosure.
Comment: Several commenters
suggested that authorized users be
allowed to re-disclose analyses in order
to publish research findings provided
the analyses do not individually
identify a provider. These commenters
noted that public health interests can be
served by allowing the disclosure of
research findings to the public. One
commenter recommended allowing
broad re-disclosure of analyses when
the information is beneficiary de-identified, stating that this is necessary
to reduce cost and improve patient care
across the healthcare system. Several
commenters suggested that authorized
users be allowed to re-disclose analyses
for the purposes of developing products
or services, such as analytic tools,
algorithms, and other innovations for
improving health outcomes.
Response: The statutory language at
section 105(a)(5) of MACRA states that
authorized users may not re-disclose or
make public any analyses, with the
exception of allowing providers and
suppliers to re-disclose analyses, as
determined by the Secretary, for the
purposes of care coordination and
performance improvement activities. As
a result, we are finalizing the proposed
language on re-disclosure of analyses
without modification. However, we
would like to note that CMS currently
makes data available to researchers
outside of this qualified entity program,
including those interested in developing
products or tools. Individuals and
organizations interested in accessing
CMS data for research purposes should
visit the Research Data Assistance
Center (ResDAC) at www.resdac.org for
more information.
Fourth, we proposed to require
qualified entities to impose a legally
enforceable bar on the authorized user’s
linking de-identified analyses (or data or
analyses derived from such non-public
analyses) to any other identifiable
source of information or in any other
way attempting to identify any
individual whose de-identified data is
included in the analyses or any
derivative data.
Comment: One commenter stated that
an authorized user should be allowed to
link the analyses that contain patient
identifiers or any derivative data with
other sources when this information is
limited to their own patients.
Response: We would like to highlight
that the restriction on linking analyses
only applies to de-identified analyses.
To the extent providers and suppliers
are receiving identifiable information on
their own patients, the restriction on
linking to any other identifiable source
of information does not apply.
Finally, we proposed to require
qualified entities to use their non-public
analyses agreements to bind their non-public analyses recipients to reporting
any violation of the terms of that non-public analyses agreement to the
qualified entity. We did not receive any
comments on this proposal, so are
finalizing it without modification.
4. Confidential Opportunity To Review,
Appeal, and Correct Analyses
In accordance with section 105(a)(6)
of MACRA, we proposed that the
qualified entity must follow the
confidential review, appeal, and error
correction requirements established at
401.717(f) under section
1874(e)(4)(C)(ii) of the Act.
Comment: We received a wide-ranging set of comments on the
proposed review and corrections
process. Several commenters supported
the proposed review and corrections
process. Many commenters suggested
changes to the review process for non-public analyses. In general these
commenters cited the burden of the
proposed process for qualified entities
and recommended options to make the
process less burdensome. However,
other commenters focused on the need
for providers and suppliers to have
enough time to ensure the analyses are
accurate.
Several commenters suggested
provider or supplier notification as the
first step for review of non-public
analyses. One commenter recommended
creating an alternative approach to
individualized appeals, such as an
accreditation process. Another
commenter suggested that when a non-public analysis is released to one or
more authorized users, or when a non-public analysis is subsequently used for
a public report, the qualified entity need
only provide an opportunity for the
provider or supplier to have reviewed
and, if necessary, requested error
correction once before the initial release
of the analysis. Another commenter
recommended that providers and
suppliers only be given one chance to
request error correction of the
underlying data, after which the data
could be used in any future non-public
analyses.
A few commenters suggested that a
60-day period to review the analyses
may not be sufficient. On the other
hand, several commenters suggested a
30-day review period for non-public
analyses, while another commenter
suggested giving providers and
suppliers an ongoing right to review the
analyses and request error correction.
Response: We appreciate commenters’
concerns about allowing providers and
suppliers the necessary time to review
analyses as well as the concerns about
the burden on qualified entities of
implementing the public reporting
review and corrections process for non-public analyses. However, as noted in
the proposed rule, we also believe using
the same process for review and error
correction for both the non-public
analyses and the public reports creates
continuity and a balance between the
needs and interests of providers and
suppliers and those of the qualified
entities, authorized users, and the
public.
That said, on further consideration,
we believe that the addition of a
procedural step whereby the qualified
entity would confidentially notify a
provider or supplier about the non-public analyses and give the provider or
supplier the opportunity to opt-in to the
review and error correction process
established at § 401.717(a) through (e) is
both consistent with the statute and has
the potential to reduce the burden on
both qualified entities and providers
and suppliers. In some cases,
notification may be sufficient to meet
the needs of a provider or supplier and,
as a result, the provider or supplier will
choose not to opt-in to the review and
correction process, reducing the
paperwork and resource burden for both
the qualified entity and the provider/
supplier. In addition, where the
analyses are similar to previous analyses
or use data the provider or supplier has
already corrected, the provider or
supplier may also choose not to review
the analyses.
Under this procedural step, a
qualified entity must confidentially
notify a provider or supplier that non-public analyses that individually
identify the provider or supplier are
going to be released at least 65 calendar
days before disclosing the analyses to
the authorized user. The first five days
of the 65-day period are intended to allow
time to notify the provider or supplier,
and to allow them time to respond to
the qualified entity. The next sixty days
are reflective of the sixty-day review
period in § 401.717(a) through (e). The
confidential notification about the non-public analyses should include a short
summary of the analyses (which must
include the measures being calculated,
but does not have to include the
methodologies and measure results), the
process for the provider or supplier to
request the analyses, the authorized
users receiving the analyses, and the
date on which the qualified entity will
release the analyses to the authorized
users. This notification can cover
multiple non-public analyses that use
different datasets and measures. The 65-day period begins on the date the
qualified entity sends or emails the
notification to providers and suppliers.
As we presume some qualified entities
may utilize National Provider Identifier
(NPI) data as a means of contacting
providers and suppliers, we would like
to use this opportunity to remind
providers and suppliers of the need to
keep their NPI information up-to-date.
At any point during this 65-day
period, the qualified entity must allow
the provider or supplier to opt-in to the
review and error correction process
established at § 401.717(a) through (e)
and request copies of the analyses and,
where applicable, access to the data
used in the analyses, and to request the
correction of any errors in the analyses.
However, if the provider or supplier
chooses to opt-in to the review and
correction process more than 5 days into
the notification period, the time for the
review and correction process is
shortened from the regulatory 60 days in
§ 401.717(a) through (e) to the number
of days remaining between the provider
or supplier opt-in date and the release
date specified in the confidential
notification.
We understand the desire to create an
alternative approach to individualized
appeals, such as an accreditation
process; however, we believe the
statutory language at Section 105(a)(6)
of MACRA requires that qualified
entities allow providers and suppliers
an opportunity to review analyses that
individually identify the provider or
supplier and, when needed, request
error correction in the
analyses. In addition, as stated above,
regardless of the statutory requirements,
we believe that providers and suppliers
should not be evaluated by a qualified
entity without having a chance to
review and, when needed, request error
correction in the analyses.
Comment: One commenter
recommended that qualified entities not
be allowed to provide or sell analyses to
an authorized user while an error
correction request is outstanding.
Response: We acknowledge the
interest of providers and suppliers in
ensuring that any analyses correctly
represent their care delivery patterns
and costs. However, we are concerned
that providers and suppliers may make
spurious requests for error correction in
order to prevent the authorized user
from receiving the analyses. As a result,
we will maintain the provisions that
allow qualified entities to release the
non-public analyses after the 65-day
period regardless of the status of error
corrections. As with the public
reporting, the qualified entity must
inform the authorized user if a request
for error correction is outstanding when
the analyses are delivered to the
authorized user, and, if applicable,
provide corrected analyses if corrections
are ultimately made.
B. Dissemination of Data and the Use of
QE DUAs for Data Dissemination and
Patient-Identifiable Non-Public
Analyses
Subject to other applicable law,
section 105(a)(2) of MACRA expands
the permissible uses and disclosures of
data by a qualified entity to include
providing or, where applicable, selling
combined data for non-public use to
certain authorized users, including
providers of services, suppliers, medical
societies, and hospital associations for
use in developing and participating in
quality and patient care improvement
activities. Section 105(a)(3)(B) of
MACRA. Subject to the same limits, it
also permits a qualified entity to
provide Medicare claims data for non-public use to these authorized users;
however, a qualified entity may not
charge a fee for providing such
Medicare claims data. In addition, in
order to provide or sell combined data
or Medicare data, section 105(a)(4) of
MACRA instructs the qualified entity to
enter into a DUA with their intended
data recipient(s).
1. General Requirements for Data
Dissemination
To implement the provisions in
Section 105(b) of MACRA, we proposed
to provide that, subject to other
applicable laws (including applicable
information, privacy, security and
disclosure laws) and certain defined
program requirements, including that
the data be used only for non-public
purposes, a qualified entity may provide
or sell combined data or provide
Medicare claims data at no cost to
certain authorized users, including
providers of services, suppliers, medical
societies, and hospital associations.
Where a qualified entity is a HIPAA-covered entity or is acting as a business
associate, compliance with other
applicable laws will include the need to
ensure that it fulfills the requirements
under the HIPAA Privacy Rule,
including the restriction on the sale of
PHI at 45 CFR 164.502(a)(5)(ii).
Comment: Several commenters stated
that CMS should provide additional
clarity on the term no cost as it relates
to the provision of Medicare data. For
example, commenters stated that
qualified entities may wish to charge a
fee for entering into a data use
agreement with an authorized user, but
then not charge for the data. In addition,
some of these commenters
recommended that CMS allow qualified
entities to recoup the costs associated
with providing Medicare data at no cost.
These commenters stated that there is a
cost associated with providing claims
data to authorized users, such as staff
time to create the data extract and
encrypt the file.
Response: We understand that
qualified entities will face costs
providing Medicare data to authorized
users. However, section 105(a)(2)(C) of
MACRA expressly states that, if a
qualified entity were to elect to make
Medicare claims data available, such
data must be ‘‘provided’’ at no cost. We
believe that the paperwork and
processing costs associated with
accepting and fulfilling Medicare claims
data requests are an integral part of the
‘‘provision’’ of data. As such, qualified
entities may not charge authorized users
for the Medicare data itself or any
activity associated with requests for or
the fulfillment of Medicare data requests
(such as the processing of a data use
agreement). However, we also note that
the qualified entity is not required to
offer authorized users the opportunity to
request Medicare claims data. Qualified
entities may choose to only offer
authorized users the opportunity to
receive or purchase combined data.
Qualified entities may also choose not
to allow authorized users to request data
at all.
Comment: One commenter suggested
that CMS require qualified entities to
sell the combined data at a reasonable
price which reflects their actual cost.
Response: We appreciate the
commenter’s interest in ensuring
qualified entities charge authorized
users reasonable fees for combined data.
However, we believe that qualified
entities should be allowed to determine
the appropriate fee to charge authorized
users for access to the combined data. If
qualified entities set their prices too
high, authorized users have the choice of
not buying the data, or potentially
obtaining the data from another
qualified entity with more reasonable
pricing.
Comment: One commenter
recommended that CMS provide
additional clarity on the threshold for
the amount of other data that must be
combined with the Medicare data in
order for the qualified entity to sell the
combined data.
Response: As discussed above, we
have not established a threshold for the
amount of other data that must be
combined with the Medicare data. It is
our expectation that qualified entities
will use sufficient claims data from
other sources to ensure validity and
reliability.
2. Limitations on the Qualified Entity
Regarding Data Disclosure
In accordance with section 105(a)(2),
we proposed to place a number of
limitations on the sale or provision of
combined data and the provision of
Medicare claims data by qualified
entities, including generally barring the
disclosure of patient-identifiable data
obtained through the qualified entity
program.
Comment: Several commenters stated
that CMS should provide additional
clarity around whether the data must go
through a review and corrections
process before it is disclosed to an
authorized user. One commenter
recommended that providers and
suppliers be allowed to review, appeal,
and correct the data before it is
disclosed.
Response: Section 105(a)(6) of
MACRA only requires a review and
corrections process when a qualified
entity is providing or selling an analysis
to an authorized user. While we
understand that some providers and
suppliers may wish to ensure that their
data is correct before it is shared with
an authorized user, we believe that this
process would be very rigorous and
burdensome for the qualified entity and
would have little value for most
providers and suppliers.
We proposed to require any combined
data or Medicare claims data that is
provided to an authorized user by a
qualified entity under subpart G be
beneficiary de-identified in accordance
with the de-identification standards in
the HIPAA Privacy Rule at 45 CFR
164.514(b). We also proposed an
exception that would allow a qualified
entity to provide or sell patient-identifiable combined data and/or
provide patient-identifiable Medicare
claims data at no cost to an individual
or entity that is a provider or supplier
if the provider or supplier has a patient
relationship with every patient about
whom individually identifiable
information is provided and the
disclosure is consistent with applicable
law.
Comment: Several commenters agreed
with the proposal to only allow
identifiable data to be disclosed to
providers or suppliers with whom the
identified individuals have a patient
relationship. One commenter suggested
that qualified entities be allowed to
share limited data sets (as defined in
HIPAA) with providers and suppliers
for individuals who are not their
patients. Another commenter
recommended that qualified entities be
allowed to disclose patient-identifiable
data to health plans.
Response: Section 105(a)(3) of
MACRA requires that data disclosed to
an authorized user not contain
information that individually identifies
a patient unless the data is being shared
with that patient’s provider or supplier.
We further note that limited data sets
include indirect identifiers, and, as
such, are subject to that mandate. While
we can imagine that health systems
would be interested in conducting
population-wide analyses that look at
disease incidence or care delivery
patterns, we believe these types of
analyses can be conducted using de-identified data. In addition, authorized
users that may not receive patient-identifiable data, such as issuers, could
ask the qualified entity to conduct
analyses on these topics, and purchase
or receive the patient-deidentified
analyses that result from such efforts.
Second, we proposed to require
qualified entities to bind the recipients
of their data to a DUA that will govern
the use and, where applicable, re-disclosure of any data received through
this program prior to the provision or
sale of such data to an authorized user.
Comment: Several commenters stated
that they agreed with the proposal to
require qualified entities to bind
authorized users who receive data to a
DUA. One commenter recommended
that when the required ‘‘QE DUA’’ (the
DUA between the Qualified Entity (QE)
and the Authorized User) provisions
already exist in another contract
between the qualified entity and the
authorized user, the qualified entity
should not be required to re-paper those
terms.
Response: We thank commenters for
their support of this proposal. In cases
where all the terms of the QE DUA at
§ 401.713(d) are contained in a
contractually binding agreement
between the qualified entity and the
authorized user, we do not intend to
require the qualified entity to re-paper
that agreement as a QE DUA.
3. Data Use Agreement (DUA)
A qualified entity must enter a DUA
with CMS as a condition of receiving
Medicare data. Furthermore, in
accordance with Section 105(a)(4) of
MACRA, we proposed to require the
execution of a DUA as a precondition to
a qualified entity’s provision or sale of
data to an authorized user. As discussed
above, we also proposed to require the
qualified entity to enter into a DUA with
any authorized user as a pre-condition
to providing or selling non-public
analyses that include patient-identifiable data. To help differentiate
the DUA between CMS and the
qualified entity from the DUAs between
the qualified entity and the authorized
user, we proposed certain clarifying
changes that recognize that there are
now two distinct DUAs in the qualified
entity program—the CMS DUA, which
is the agreement between CMS and a
qualified entity, and what we will refer
to as the QE DUA, which will be the
legally binding agreement between a
qualified entity and an authorized user.
Comment: Several commenters had
overall comments on the QE DUA. One
commenter recommended that CMS
create a standard QE DUA. Another
commenter stated that the data released
to authorized users should not be
subject to discovery or admitted into
evidence without the provider or
supplier’s consent. A few commenters
suggested that the QE DUA include a
provision that prevents the disclosure of
competitively sensitive data, such as
Part D bid information. Finally, one
commenter suggested that authorized
users should have some direct
responsibility for actions that run afoul
of contractual requirements.
Response: As noted above, qualified
entities may have existing agreements
with authorized users where all
required QE DUA elements are covered,
and we are not requiring re-papering in
those instances. Furthermore, also as
noted above, we believe that qualified
entities without existing agreements
would be better served by engaging with
their own legal counsel to ensure the QE
DUA meets their specific needs.
As discussed above, we believe the
statutory requirement that data not be
subject to discovery or admitted into
evidence without the provider or
supplier’s consent only applies to data
released to the qualified entity under
1874(e) and when that data is in the
possession of the qualified entity.
Regarding concerns about disclosure
of competitively sensitive information,
qualified entities only receive Medicare
Parts A and B claims data and certain
Part D drug event data from CMS. In
addition, we only provide qualified
entities with aggregated Part D cost
information, not the proprietary
individual component costs. As a result,
we do not believe there is a risk that
qualified entities would be in a position
to disclose competitively sensitive
information to authorized users.
Finally, as we stated in the proposed
rule, we only have authority to impose
requirements on the qualified entity. As
a result, we must rely on the qualified
entity to impose legally enforceable
obligations on the authorized user.
Requirements in the QE DUA
In § 401.713(d), we proposed a
number of contractually binding
provisions that would be included in
the QE DUA. First, we proposed to
require that the QE DUA contain certain
limitations on the authorized user’s use
of the combined data and/or Medicare
claims data and/or non-public analyses
that contain patient-identifiable data
and/or any derivative data (hereinafter
referred to as data subject to the QE
DUA) to those purposes described in the
first or second paragraph of the
definition of ‘‘healthcare operations’’
under 45 CFR 164.501, or that which
qualifies as ‘‘fraud and abuse detection
or compliance activities’’ under 45 CFR
164.506(c)(4). We also proposed to
require that all other uses and
disclosures of data subject to the QE
DUA be prohibited except to the extent
a disclosure qualifies as a ‘‘required by
law’’ disclosure. We did not receive any
comments on our proposal to allow
authorized users to use the data subject
to the QE DUA for the purposes
described in the first or second
paragraph of the definition of
‘‘healthcare operations’’ under 45 CFR
164.501. Therefore, we are finalizing our
proposal. In doing so, we identified
inadvertent drafting errors in the
proposed regulatory text at
§ 401.713(d)(1)(i)(A) and (B) (misidentifying which activities fell into
which paragraphs of 45 CFR 164.501).
We have therefore corrected those draft
regulatory provisions to conform the
new 42 CFR 401.713(d)(1)(i)(A) and (B)
with the content of the first and second
paragraphs of the definition of health
care operations under 45 CFR 164.501.
Comment: We received several
comments on allowing authorized users
to use the data subject to the QE DUA
for purposes which qualify as ‘‘fraud
and abuse detection or compliance
activities’’ under 45 CFR 164.506(c)(4).
Several commenters stated that
allowing use of the data subject to the
QE DUA for fraud and abuse detection
is unwarranted and without basis in the
statutory text. However, another
commenter explicitly supported use of
the data subject to the QE DUA to
bolster efforts to fight fraud. One
commenter suggested the addition of
‘‘waste’’ detection as an allowed use of
the data subject to the QE DUA.
Response: We believe that section
105(a)(3)(A)(ii) of MACRA is illustrative
(providing for certain non-public uses
‘‘including’’ certain cross-referenced
activities). It does not prevent use of the
data for fraud and abuse detection and
compliance activities. As a result, we
are finalizing our proposal to allow
authorized users to use the data subject
to the QE DUA for fraud and abuse
detection. While we can understand the
interest in adding waste detection to the
list of allowed uses of the data subject
to the QE DUA, we believe it is best to
stay consistent with the language
established in HIPAA since many of the
other authorized users receiving data
subject to the QE DUA are also HIPAA
covered entities.
Comment: One commenter suggested
that authorized users also be allowed to
use the data subject to the QE DUA for
‘‘treatment’’ as defined under 45 CFR
164.501.
Response: We agree that use of the
data subject to the QE DUA for
treatment purposes is a valid possible
use of the data and consistent with the
statute. As a result, we have modified
the language at § 401.713(d)(1)(i) to
include treatment.
We also proposed to require qualified
entities to use the QE DUA to
contractually prohibit the authorized
users from using the data subject to the
QE DUA for marketing purposes. We
did not receive any comments on this
proposal, and are finalizing it without
modification.
We proposed at § 401.713(d)(3) to
require qualified entities to
contractually bind authorized users
using the QE DUA to protect patient-identifiable data subject to the QE DUA,
with at least the privacy and security
protections that would be required of
covered entities and their business
associates under the HIPAA Privacy and
Security Rules. We proposed to require
that the QE DUA contain provisions that
require that the authorized user
maintain written privacy and security
policies and procedures that ensure
compliance with these HIPAA-based
privacy and security standards and the
other standards required under this
subpart for the duration of the QE DUA.
We also proposed to require QE DUA
provisions detailing such policies and
procedures survive termination of the
QE DUA, whether for cause or not.
Comment: One commenter suggested
that CMS clarify that the QE DUA by
itself does not make the authorized user
a covered entity or business associate
under HIPAA if the authorized user
does not otherwise meet those
definitions.
Response: We wish to clarify that this
rule does not comment on whether an
entity is a covered entity or business
associate under HIPAA. We are simply
requiring the authorized users to
comply with the privacy and security
protections required of covered entities
and their business associates under the
HIPAA Privacy and Security Rules (that
is, the authorized users must comply
with those provisions as if they were
acting in the capacity of a covered entity
or business associate dealing with
protected health information). We feel
that such standards represent an
industry-wide standard for the
protection of patient-identifiable data,
and note that this requirement would be
in keeping with section 105(a)(4) of
MACRA.
We also proposed at § 401.713(d)(7) to
require that the qualified entity use the
QE DUA to contractually bind an
authorized user as a condition of
receiving data subject to the QE DUA
under the qualified entity program to
notify the qualified entity of any
violations of the QE DUA. We did not
receive any comments on this proposal,
so are finalizing it without modification.
In addition, we proposed at
§ 401.713(d)(4) to require that the
qualified entity include a provision in
its QE DUAs that prohibits the
authorized user from re-disclosing or
making public data subject to the QE
DUA except as provided in paragraph
(d)(5). We proposed at § 401.713(d)(5) to
require that the qualified entity use the
QE DUA to limit provider’s and
supplier’s re-disclosures to a covered
entity pursuant to 45 CFR
164.506(c)(4)(i) or 164.502(e)(1).
Therefore, a provider or supplier would
generally only be permitted to re-disclose data subject to the QE DUA to
a covered entity or its business associate
for activities focused on that covered
entity’s quality assessment and
improvement, including the review of
provider or supplier performance. We
also proposed to require re-disclosure
when required by law.
Comment: Several commenters stated
that they supported CMS’ proposals
related to re-disclosure of data. One
commenter suggested that providers and
suppliers be allowed to re-disclose data
for direct patient care and issues of
patient safety. Another commenter
recommended that any authorized user
be allowed to re-disclose de-identified
data for the purposes of publishing de-identified statistical results.
Response: We thank commenters for
their support of the re-disclosure
proposals. While we can understand
interest in explicitly referencing issues
of patient safety, we do not believe it is
necessary given that the first paragraph
of the definition of healthcare
operations includes patient safety
activities and, thus, issues of patient
safety are permitted reasons for re-disclosure of the data. However, we
recognize that as proposed, providers
and suppliers would not be allowed to
re-disclose the data subject to the QE
DUA for treatment purposes. As a result,
we are modifying the language at
§ 401.713(d)(5)(i) to allow providers and
suppliers to re-disclose data subject to
the QE DUA as a covered entity would
be permitted to disclose PHI under 45
CFR 164.506(c)(2), which allows a
covered entity to disclose data for the
treatment activities of a healthcare
provider.
Regarding the recommendation to
allow for re-disclosure of de-identified
data in order to publish statistical
results, we do not believe that this
purpose is consistent with section
105(a)(5)(A) of the MACRA statute,
which explicitly states that an
authorized user who is provided or sold
data shall not make public such data or
any analysis using such data.
We also proposed to require qualified
entities to impose a contractual bar
using the QE DUA on the downstream
recipients’ linking of the re-disclosed
data subject to the QE DUA to any other
identifiable source of information. The
only exception to this general policy
would be if a provider or supplier were
to receive identifiable information
limited to its own patients.
Comment: Several commenters stated
that they supported the proposals
related to linking the data. One
commenter suggested that business
associates of providers or suppliers be
allowed to link the data subject to the
QE DUA. Another commenter
recommended that authorized users be
allowed to link the patient de-identified
data so long as the intent or result is not
to re-identify patients and the resulting
data set meets the HIPAA standard for
de-identification.
Response: We would like to clarify
that the prohibition on linking only
applies to patient de-identified data
subject to the QE DUA. To the extent
that a provider or supplier receives
patient-identifiable data subject to the
QE DUA and discloses that data to a
business associate as allowed under
§ 401.713(d)(5)(i), that provider or
supplier may request that the business
associate link the data subject to the QE
DUA to another data source.
While we understand that some
authorized users may wish to link the
de-identified data subject to the QE
DUA, we believe that this creates too
much risk of inadvertent re-identification. However, instead of
linking the data themselves, authorized
users could choose to share their
additional data, in accordance with
applicable law, with the qualified entity
who could link this new data source to
the existing data and then create de-identified analyses to share with the
authorized user.
C. Authorized Users
1. Definition of Authorized User
Section 105(a)(9)(A) of MACRA
defines authorized users as: A provider
of services, a supplier, an employer (as
defined in section 3(5) of the Employee
Retirement Insurance Security Act of
1974), a health insurance issuer (as
defined in section 2791 of the Public
Health Service Act), a medical society or
hospital association, and any other
entity that is approved by the Secretary.
We proposed a definition for authorized
user at § 401.703(k) that is consistent
with Section 105(a)(9)(A) of MACRA
and includes two additional types of
entities beyond those established in the
statute—healthcare professional
associations and state agencies.
Specifically, we proposed to define an
authorized user as: (1) A provider; (2) a
supplier; (3) an employer; (4) a health
insurance issuer; (5) a medical society;
(6) a hospital association; (7) a
healthcare professional association; or
(8) a state agency.
Comment: Commenters had a wide-ranging
list of suggested additions to the
definition of an authorized user,
including: Other types of associations
and partnership groups whose missions
support the permitted data uses, entities
with expertise in quality measure
development, organizations engaged in
research, federal agencies, regional
health improvement collaboratives, and
the Indian Health Service (and Indian
Health programs). Several commenters
also suggested that CMS create a process
for qualified entities to seek approval for
additional authorized users that may not
fit into the regulatory definitions.
Response: We recognize that many
organizations are interested in accessing
analyses provided by the qualified
entity. However, CMS believes we must
maintain a carefully curated list of
authorized users to prevent the
monitoring of the qualified entity
program from becoming too
cumbersome. As a result, we are only
adding federal agencies, including, but
not limited to the Indian Health Service
(and Indian Health programs), to the
definition of authorized users. Similar
to state agencies, we believe that federal
agencies, particularly those that provide
healthcare services such as the Indian
Health Service and the U.S. Department
of Veteran Affairs are important partners
with CMS in transforming the
healthcare delivery system and could
substantially benefit from access to
analyses to help improve quality and
reduce costs, especially for individuals
who utilize their services. On the other
hand, we believe many of the other
suggested authorized users do not
represent well defined groups, which
could lead to significant confusion as to
which entities fall within the group and
which do not. In addition, as we noted
above, the statute is explicit in its
prohibition of releasing the analyses or
data to the public, so the addition of any
authorized user with a research aim is
not consistent with the parameters of
the program.
We believe a separate approval
process would be very costly for CMS
and create additional burdens for
qualified entities. We also believe that a
standard list of authorized users is the
simplest and least administratively
burdensome method to ensure equal
treatment of qualified entities. Because
many of the suggested authorized users
do not represent well defined groups,
we would envision an approval process
for each entity requesting analyses,
which would potentially be more
burdensome for smaller regional
qualified entities that do not have the
time or resources to devote to the
approval process. Furthermore, we have
an existing process through which
entities can obtain Medicare data for
research purposes. More information on
accessing CMS data for research can be
found on the ResDAC Web site at
www.resdac.org.
Comment: Several commenters
suggested that other organizations
beyond providers, suppliers, hospital
associations, and medical societies be
allowed to access data. A few
commenters suggested any entity should
be allowed to access de-identified data.
Another commenter recommended the
creation of a new authorized user called
a healthcare provider or supplier
collaborator and defined as an
organization or entity that does not
directly treat patients, but works closely
with the provider or supplier in
connection with treatment of patients.
Response: Section 105(a)(2)(A)(i)
only allows for the disclosure of data to
a provider of services, a supplier, and a
medical society or hospital association.
Comment: Several commenters
suggested that authorized users that are
allowed to act on behalf of their
subparts (for example, Accountable Care
Organizations) or business associates as
defined in HIPAA should be allowed to
receive data and/or analyses directly.
Response: We do not intend to
prevent organizations acting under a
contract with an authorized user from
receiving data or the analyses on behalf
of the authorized user. Therefore, we
have modified the definition of
authorized user to include contractors,
including, where applicable, business
associates as that term is defined at 45
CFR 160.103. An authorized user is now
defined as a third party and its
contractors (including, where
applicable, business associates as that
term is defined at 45 CFR 160.103) that
need analyses or data covered by this
section to carry out work on behalf of
that third party (meaning not the
qualified entity or the qualified entity’s
contractors) to whom/which the
qualified entity provides or sells data as
permitted under this subpart.
Authorized user third parties are limited
to the following entities: A provider, a
supplier, a medical society, a hospital
association, an employer, a health
insurance issuer, a healthcare provider
and/or supplier association, a state
entity, a federal agency.
We would like to note that with this
change to the definition of authorized
user a qualified entity is now also liable
for the actions of the third party’s
contractors who enter into a QE DUA
with the qualified entity.
Comment: One commenter suggested
a modification to the definition of
provider to include dieticians, social
workers, case management nurses, and
other allied health professionals.
Response: The current definition of a
supplier is a physician or other
practitioner that furnishes healthcare
services under Medicare. To the extent
that dieticians, social workers, case
management nurses, and other allied
health professionals are furnishing
healthcare services under Medicare,
they would already be considered
suppliers. If they are not furnishing
services under Medicare, we do not
believe the analyses or data based on
Medicare claims data will hold much
value for improving care delivery or
reducing costs, and so we decline
expanding the definition to include
them.
2. Definition of Employer
We proposed to define an employer as
having the same meaning as the term
‘‘employer’’ defined in Section 3(5) of
the Employee Retirement Insurance
Security Act of 1974.
Comment: One commenter suggested
that the definition of employer should
not include any third-party consultant
or wellness program vendors.
Response: As noted above, we believe
authorized users should be allowed to
share analyses and data with contractors
who need such information to conduct
work on their behalf. Therefore, we
modified the definition of authorized
user to include contractors. To the
extent a wellness vendor is an
employer’s contractor, the vendor will
be required to sign a non-public
analyses agreement and will be bound
to only use and disclose the analyses in
a manner consistent with the provisions
of that agreement. We would also like to
point out that as specified in
§ 401.716(c)(2), employers, and their
contractors, may only use the analyses
for the purposes of providing health
insurance to employees, retirees, or
dependents of employees.
3. Definition of Health Insurance Issuer
We proposed to define a health
insurance issuer as having the same
meaning as the term ‘‘health insurance
issuer’’ defined in Section 2791(b)(2) of
the Public Health Service Act.
Comment: One commenter suggested
that the definition of health insurance
issuer should not include any third-party consultant or wellness program
vendors.
Response: As with employers, we
believe issuers should be allowed to
share analyses and data with contractors
who need such information to conduct
work on their behalf. Therefore, as
stated above, we have modified the
definition of authorized user. To the
extent a wellness vendor is an issuer’s
contractor, the vendor will be required
to sign a non-public analyses agreement
and will be bound to only use and
disclose the analyses in a manner
consistent with the provisions of that
agreement.
4. Definition of ‘‘Medical Society’’
We proposed to define a medical
society as a non-profit organization or
association that provides unified
representation for a large number of
physicians at the national or state level
and whose membership is comprised
mainly of physicians.
Comment: One commenter requested
that CMS provide an example of a
medical society.
Response: We would consider the
American Medical Association or the
American Academy of Family
Physicians to be national-level medical
societies. At the state-level, the Medical
Association of the State of Alabama is
an example of a medical society under
this definition.
5. Definition of ‘‘Hospital Association’’
We proposed to define a hospital
association as a non-profit organization
or association that provides unified
representation for a large number of
hospitals or health systems at the
national or state level and whose
membership is comprised of a majority
of hospitals and health systems.
Comment: One commenter requested
that CMS provide an example of a
hospital association.
Response: We would consider the
American Hospital Association or the
Federation of American Hospitals to be
national hospital associations. At the
state-level, the Hospital and
Healthsystem Association of
Pennsylvania is an example of a
hospital association under this
definition.
Comment: Several commenters
suggested that the definition of hospital
association be expanded to include
associations at the local level and
quality organizations that are affiliated
with, but have separate 501(c)(3)
numbers from their state hospital
association.
Response: CMS recognizes that local
hospital associations may work more
closely on issues such as quality
improvement with hospitals and health
systems in their area than state or
national associations. As a result, we
have modified the definition of hospital
association to include local-level
organizations. However, we do not
believe that the MACRA statute at
105(a)(9)(v) intends for quality
organizations affiliated with a hospital
association to be considered a hospital
association since the language only
refers to hospital association and does
not reference quality organizations. To
the extent that these quality
organizations are doing work on behalf
of the state hospital association under
contract, and that work requires access
to such data or analyses, these quality
organizations would be considered
authorized users and would be required
to enter into a QE DUA and/or non-public analyses agreement with the
qualified entity.
6. Definition of ‘‘Healthcare Provider
and/or Supplier Association’’
We proposed to define a healthcare
provider and/or supplier association as
a non-profit organization or association
that represents providers and suppliers
at the national or state level and whose
membership is comprised of a majority
of providers and/or suppliers. We did
not receive any comments on this
definition, so are finalizing it without
modification.
7. Definition of ‘‘State Agency’’
We proposed to define a state agency
as any office, department, division,
bureau, board, commission, agency,
institution, or committee within the
executive branch of a state government.
Comment: One commenter stated that
state agencies should be limited to those
entities that promote care quality and
patient care improvement activities.
Another commenter recommended that
the term state agency be changed to state
entity to help avoid conflict with state-specific references to the word
‘‘agency.’’ One commenter suggested
CMS provide clarity on whether the
definition of state agency includes
political subdivisions of the state.
Response: We do not believe that state
agencies should be limited to those
entities focused on care quality and
patient care improvement. There are a
wide array of uses of the non-public
analyses by states who are CMS’
partners in transforming the healthcare
delivery system. We do appreciate the
comment related to the use of the term
agency at the state-level, and have
modified this term in the regulations to
be ‘‘state entity.’’ In addition, to provide
clarity, we note that we did not intend
for the definition of state agency to
include political subdivisions of a state,
such as a county, city, town, or village,
and as a result have not added these to
the definition.
D. Annual Report Requirements
1. Reporting Requirements for Analyses
Section 105(a)(8) of MACRA expands
the information that a qualified entity
must report annually to the Secretary if
a qualified entity provides or sells non-public analyses. Therefore, consistent
with these requirements, we proposed
to require that the qualified entity
provide a summary of the non-public
analyses provided or sold under this
subpart, including specific information
about the number of analyses, the
number of purchasers of such analyses,
the types of authorized users that
purchased analyses, and the total amount of
fees received for such analyses. We also
proposed to require the qualified entity
to provide a description of the topics
and purposes of such analyses. In
addition, we proposed to require a
qualified entity to provide information
on QE DUA and non-public analyses
agreement violations.
Comment: Several commenters
suggested additions to the reporting
requirements for analyses. One
commenter suggested that qualified
entities include the specific entities to
whom analyses were provided or sold as
well as more detailed pricing
information. Another commenter
recommended the addition of the
frequency and nature of requests for
error correction, and how often analyses
are disclosed with unresolved requests
for error correction.
Response: We believe that Section
105(a)(8)(A) of MACRA intends for
qualified entities to provide a summary
of the analyses and that the specific
details of the entities who received
analyses or the pricing information for
analyses are not consistent with that
intent. We do believe there is value in
monitoring requests for error correction
to ensure that qualified entities are not
releasing analyses that consistently have
requests for error correction, which
could indicate a qualified entity’s poor
use of the Medicare data; however, we
believe the requirement to provide this
information, with the exception of how
often analyses are disclosed with
unresolved requests for error correction,
already exists as part of the annual
reporting requirements under
§ 401.719(b)(2). We believe including
how often analyses are disclosed with
unresolved error requests in the annual
reports is important because it allows
CMS to track possible poor use of the
Medicare data by qualified entities.
Therefore, we have added the
requirement to report the number of
analyses disclosed with unresolved
requests for error correction at
§ 401.719(b)(3)(iii).
Comment: One commenter suggested
that the annual reports be made public.
Response: We recognize that in some
cases the annual reports may contain
sensitive commercial information and,
as a result, we do not believe the reports
should be made public. We would like
to clarify, however, that anytime CMS
receives a request for information under
the Freedom of Information Act (FOIA),
the agency always evaluates whether the
information is subject to one of the
FOIA exemptions, including Exemption
4, which protects commercial or
financial information that is privileged
and confidential. We welcome
identification of any materials within
such reports that the qualified entity
believes are subject to a FOIA
exemption, and the rationale therefor.
2. Reporting Requirements for Data
Section 105(a)(8) of MACRA also
requires a qualified entity to submit a
report annually if it provides or sells
data. Therefore, consistent with the
statutory requirements, we also
proposed to require qualified entities
that provide or sell data under this
subpart to provide the following
information as part of its annual report:
Information on the entities who
received data, the uses of the data, the
total amount of fees received for
providing, selling, or sharing the data,
and any QE DUA violations.
Comment: Several of the comments
on reporting requirements for data were
the same as those for analyses addressed
above. One commenter suggested the
addition of information on authorized
user data breaches to the annual report.
Another commenter stated that the
annual reporting requirements for data
may contain sensitive commercial
information that may be subject to
confidentiality provisions between the
qualified entity and applicable
authorized users.
Response: We believe that data
breaches should be reported to CMS in
a much timelier manner than the annual
report. As discussed above, the QE DUA
requires authorized users to notify the
qualified entity of any violations of the
QE DUA and to comply with the breach
provisions governing qualified entities.
As a result, we do not believe this
element is needed in the annual report.
We recognize that some of the
information we proposed to require of
qualified entities in their annual reports
will be sensitive commercial
information. As noted above, anytime
CMS receives a request for information
under the FOIA, the agency always
evaluates whether the information is
subject to one of the FOIA exemptions,
including Exemption 4, which protects
commercial or financial information
that is privileged and confidential.
Contractual confidentiality provisions
between authorized users and qualified
entities will not negate CMS’ obligations
under FOIA, but we welcome
identification of any materials within
such reports that the qualified entity
believes are subject to a FOIA
exemption, and the rationale therefor.
E. Assessment for a Breach
1. Violation of a DUA
Section 105(a)(7) of MACRA requires
the Secretary to impose an assessment
on a qualified entity in the case of a
‘‘breach’’ of a CMS DUA between the
Secretary and a qualified entity or a
breach of a QE DUA between a qualified
entity and an authorized user. Because
the term ‘‘breach’’ is defined in HIPAA,
and this definition is not consistent
with the use of the term for this
program, we proposed instead to adopt
the term ‘‘violation’’ when referring to a
‘‘breach’’ of a DUA for purposes of this
program. We also proposed to define a
‘‘violation’’ to mean a failure to comply
with a requirement in a CMS DUA or
QE DUA. We also proposed to impose
an assessment on any qualified entity
that violates a CMS DUA or fails to
ensure that their authorized users and
their contractors/business associates do
not violate a QE DUA.
Comment: A few commenters
recommended that CMS further define
and provide examples of what would
constitute a DUA violation. Another
commenter suggested CMS expand the
definition of a violation so that both the
qualified entity and the authorized user
may be held responsible for a breach.
Response: While we recognize that
not all terms of the DUAs are equal
regarding the risk to the privacy and
security of the Medicare data, we
believe the aggravating and mitigating
circumstances discussed in more detail
below provide us the flexibility to
ensure the assessment amount is
consistent with the nature of the
violation. One example of a violation
would be knowingly releasing patient
names and other protected health
information for marketing purposes.
Another example of a violation would
be sharing individually identifiable
information for an individual who does
not meet the definition of a patient with
a supplier.
While we recognize that it may be the
authorized user who is responsible for
the violation, we believe Section
105(a)(7) of MACRA does not give us
the authority to impose an assessment
on the authorized user. However, we do
believe that the qualified entity could
include terms in their agreement with
the authorized user to require the
authorized user to pay the assessment if
the authorized user is responsible for
the violation.
MACRA provides guidance only on
the assessment amount and what
triggers an assessment, but it does not
dictate the procedures for imposing
such assessments. We therefore
proposed to model qualified entity
program procedures on certain relevant
provisions of Section 1128A of the Act
(Civil Money Penalties) and part 402
(Civil Money Penalties, Assessments,
and Exclusions) including the process
and procedures for calculating the
assessment, notifying a qualified entity
of a violation, collecting the assessment,
and providing qualified entities an
appeals process.
2. Amount of Assessment
Section 105(a)(7)(B) of MACRA
specifies that when a violation occurs,
the assessment is to be calculated based
on the number of affected individuals
who are entitled to, or enrolled in,
benefits under part A of title XVIII of the
Act, or enrolled in part B of such title.
Assessments can be up to $100 per
affected individual, but, given the broad
discretion in establishing some lesser
amount, we looked to part 402 as a
model for proposing aggravating and
mitigating circumstances that would be
considered when calculating the
assessment amount per impacted
individual. However, violations under
section 105(a)(7)(B) of MACRA are
considered point-in-time violations, not
continuing violations.
Number of Individuals
We proposed at § 401.719(d)(5)(i) that
CMS will calculate the amount of the
assessment of up to $100 per individual
entitled to, or enrolled in part A of title
XVIII of the Act and/or enrolled in part
B of such title whose data was
implicated in the violation.
We generally proposed to determine
the number of potentially affected
individuals by looking at the number of
beneficiaries whose Medicare claims
information was provided either by
CMS to the qualified entity or by the
qualified entity to the authorized user in
the form of individually identifiable or
de-identified data sets that were
potentially affected by the violation.
We proposed that a single beneficiary,
regardless of the number of times their
information appears in a singular non-public report or dataset, would only
count towards the calculation of an
assessment for a violation once. For
qualified entities that provide or sell
subsets of the dataset that CMS
provided to them, combined
information, or non-public analyses, we
proposed to require that the qualified
entity provide the Secretary with an
accurate number of beneficiaries whose
data was sold or provided to the
authorized user and, thereby,
potentially affected by the violation. In
those instances in which the qualified
entity is unable to establish a reliable
number of potentially affected
beneficiaries, we proposed to impose
the assessment based on the total
number of beneficiaries that were
included in the data set(s) that was/were
transferred to the qualified entity under
the CMS DUA.
Assessment Amount per Impacted Individual
As noted above, MACRA allows an
assessment in the amount of up to $100
per potentially affected individual. We
therefore proposed to draw on 42 CFR
part 402 to specify the factors and
circumstances that will be considered in
determining the assessment amount per
potentially affected individual.
We proposed at § 401.719(d)(5)(i)(A)
that the following basic factors be
considered in establishing the
assessment amount per potentially
affected individual: (1) The nature and
extent of the violation; (2) the nature
and extent of the harm or potential harm
resulting from the violation; and (3) the
degree of culpability and history of prior
violations.
In addition, in considering these basic
factors and determining the amount of
the assessment per potentially affected
individual, we proposed to take into
account certain aggravating and
mitigating circumstances.
We proposed at
§ 401.719(d)(5)(i)(B)(1) that CMS
consider certain aggravating
circumstances in determining the
amount per potentially affected
individual, including the following:
Whether there were several types of
violations, occurring over a lengthy
period of time; whether there were
many violations or the nature and
circumstances indicate a pattern of
violations; and whether the nature of
the violation had the potential or
actually resulted in harm to
beneficiaries.
In addition, we proposed at
§ 401.719(d)(5)(i)(B)(2) that CMS take
into account certain mitigating
circumstances in determining the
amount per potentially affected
individual, including the following:
Whether the violations subject to the
imposition of an assessment were few in
number, of the same type, and occurring
within a short period of time, and/or
whether the violation was the result of
an unintentional and unrecognized error
and the qualified entity took corrective
steps immediately after discovering the
error.
Comment: One commenter suggested
that CMS allow the qualified entity to
take corrective action in the case of a
minor violation. Another commenter
recommended that CMS impose a limit
on the assessment amount because not
specifying a maximum assessment
amount could create a barrier to entry
for entities interested in the program.
One commenter stated they supported
the statutorily set assessment of $100
per affected individual because it
creates strong incentives for excellent
data security.
Response: We recognize the need for
a corrective action process and have
already established one at
§ 401.719(d)(1) through (3) that applies
regardless of the amount of the
assessment. We appreciate commenters'
concerns about creating a barrier for
entry, but agree that allowing for an
assessment of up to $100 per affected
individual creates strong incentives for
the qualified entity to ensure the
privacy and security of the Medicare
data. We believe the basic, aggravating,
and mitigating circumstances provide
CMS with the flexibility to set the
assessment value appropriately given
the nature of the violation and the
qualified entity’s history with
violations.
3. Notice of Determination
We looked to the relevant provisions
in 42 CFR part 402 and Section 1128A
of the Act to frame proposals regarding
the specific elements that would be
included in the notice of determination.
To that end, we proposed at
§ 401.719(d)(5)(ii) that the Secretary
would provide notice of a determination
to a qualified entity by certified mail
with return receipt requested. The
notice of determination would include
information on (1) the assessment
amount, (2) the statutory and regulatory
bases for the assessment, (3) a
description of the violations upon
which the assessment was proposed, (4)
information concerning response to the
notice, and (5) the means by which the
qualified entity must pay the assessment
if they do not intend to request a
hearing in accordance with procedures
established at Section 1128A of the Act
and implemented in 42 CFR part 1005.
We did not receive any comments on
this proposal so are finalizing it without
modification.
4. Failure To Request a Hearing
We also looked to the relevant
provisions in 42 CFR part 402 and
section 1128A of the Act to inform our
proposals regarding what happens when
a hearing is not requested.
We proposed at § 401.719(d)(5)(iii)
that an assessment will become final if
a qualified entity does not request a
hearing within 60 days of receipt of the
notice of the proposed determination.
At this point, CMS would impose the
proposed assessment. CMS would notify
the qualified entity, by certified mail
with return receipt, of the assessment
and the means by which the qualified
entity may pay the assessment. Under
these proposals, a qualified entity
would not have the right to appeal an
assessment unless it has requested a
hearing within 60 days of receipt of the
notice of the proposed determination.
We did not receive any comments on
these proposals so are finalizing them
without modification.
5. When an Assessment Is Collectible
We again looked to the relevant
provisions in 42 CFR part 402 and
section 1128A of the Act to inform our
proposed policies regarding when an
assessment becomes collectible.
We proposed at § 401.719(d)(5)(iv)
that an assessment becomes collectible
after the earliest of the following
situations: (1) On the 61st day after the
qualified entity receives CMS’s notice of
proposed determination under
§ 401.719(d)(5)(ii), if the entity does not
request a hearing; (2) immediately after
the qualified entity abandons or waives
its appeal right at any administrative
level; (3) 30 days after the qualified
entity receives the Administrative Law
Judge’s (ALJ) decision imposing an
assessment under § 1005.20(d), if the
qualified entity has not requested a
review before the Department Appeal
Board (DAB); or (4) 60 days after the
qualified entity receives the DAB’s
decision imposing an assessment if the
qualified entity has not requested a stay
of the decision under § 1005.22(b). We
did not receive any comments on this
proposal so are finalizing it without
modification.
6. Collection of an Assessment
We also looked to the relevant
provisions in 42 CFR part 402 and
section 1128A of the Act in framing our
proposals regarding the collection of an
Assessment.
We proposed at § 401.719(d)(5)(v) that
CMS be responsible for collecting any
assessment once a determination is
made final by HHS. In addition, we
proposed that the General Counsel may
compromise an assessment imposed
under this part, after consulting with
CMS or Office of Inspector General
(OIG), and the Federal government may
recover the assessment in a civil action
brought in the United States district
court for the district where the claim
was presented or where the qualified
entity resides. We also proposed that the
United States may deduct the amount of
an assessment when finally determined,
or the amount agreed upon in
compromise, from any sum then or later
owing the qualified entity. Finally, we
proposed that matters that were raised
or that could have been raised in a
hearing before an ALJ or in an appeal
under section 1128A(e) of the Act may
not be raised as a defense in a civil
action by the United States to collect an
assessment. We did not receive any
comments on these proposals so are
finalizing them without modification.
F. Termination of Qualified Entity Agreement
We proposed at § 401.721(a)(7) that
CMS may unilaterally terminate the
qualified entity’s agreement and trigger
the data destruction requirements in the
CMS DUA if CMS determines through
our monitoring program at § 401.717(a)
and (b) that a qualified entity or its
contractor fails to monitor authorized
users’ compliance with the terms of
their QE DUAs or non-public analysis
use agreements. We stated in the
proposed rule that we believe this
proposed provision is consistent with
the intent of MACRA to ensure the
protection of data and analyses
provided by qualified entities to
authorized users under this subpart.
Comment: One commenter stated that
CMS should have a violation corrections
period prior to terminating a qualified
entity. Another commenter
recommended that CMS carefully
monitor all aspects of the qualified
entity program and related authorized
user activities to minimize the risk of
unintended consequences.
Response: We currently have a
process in place to require qualified
entities to develop a corrective action
plan or to put qualified entities on a
special monitoring plan if we determine
that the qualified entity violated any
terms of the program. In addition, we
already have a number of mechanisms
in place to monitor qualified entities
participating in the program including
audits, site visits, and required
reporting. We believe the additional
annual reporting elements described
above will ensure that we can continue
to monitor qualified entities
appropriately given the changes to the
program. As a result, we are finalizing
our proposed language on termination
of a qualified entity’s agreement at
§ 401.721(a)(7).
G. Additional Data
Section 105(c) of MACRA expands, at
the discretion of the Secretary, the data
that the Secretary may make available to
qualified entities, including
standardized extracts of claims data
under titles XIX (Medicaid) and XXI
(the Children’s Health Insurance
Program, CHIP) for one or more
specified geographic areas and time
periods as may be requested by the
qualified entity. However, due to issues
involving Medicaid data submitted to
CMS, including lack of data timeliness
and overall data quality, we proposed
not to expand the data available to
qualified entities from CMS and instead
suggested that qualified entities would
be better off seeking Medicaid and/or
CHIP data through the State Medicaid
Agencies.
Comment: Many commenters
recommended that CMS expand the
data available to qualified entities to
include Medicaid and CHIP data. These
commenters noted the additional
burden of having to request the data
from each state individually. On the
other hand, one commenter stated that
they agreed with CMS’ proposal not to
expand access to Medicaid and/or CHIP
data.
Response: As some commenters
noted, we have been working with states
to transform our Medicaid Statistical
Information System (MSIS) to address
concerns regarding data timeliness and
quality. This is essential for the
Medicaid program to keep pace with the
data needed to improve quality of care,
track enrollment and utilization of
services, improve program integrity, and
support states' and other stakeholders'
need for information about Medicaid
and CHIP. This new data set is known
as Transformed MSIS (T–MSIS). The T–
MSIS data set contains enhanced
information about beneficiary eligibility,
beneficiary and provider enrollment,
service utilization, claims and managed
care data, and expenditure data for
Medicaid and CHIP. We are currently
working with states to help them
transition from MSIS to T–MSIS.
We recognize commenters’ interest in
accessing Medicaid and CHIP data from
CMS rather than going to each state
individually. We believe that T–MSIS
can create a framework for CMS
collection of Medicaid and CHIP data
that addresses many of the concerns
about the timeliness and quality of the
MSIS data that we raised in the
proposed rule. As a result, we anticipate
future rulemaking to make Medicaid
and CHIP data available to qualified
entities when the T–MSIS data becomes
available and is determined to be of
sufficient quality for use in public
provider performance reporting.
Comment: One commenter suggested
that CMS also allow qualified entities to
request access to Medicare Advantage
data.
Response: We believe section
1874(e)(3) of the Act only allows for the
disclosure of Medicare claims data
under Parts A, B, and D, as well as
Medicaid and/or CHIP claims data.
H. Qualified Clinical Data Registries
Section 105(b) of MACRA allows
qualified clinical data registries to
request access to Medicare data for the
purposes of linking the data with
clinical outcomes data and performing
risk-adjusted, scientifically valid
analyses, and research to support
quality improvement or patient safety.
The CMS research data disclosure
policies already allow qualified clinical
data registries to request Medicare data
for research purposes. More information
on accessing CMS data for research can
be found on the ResDAC Web site at
www.resdac.org. Given the existing
research request processes and
procedures, we proposed not to adopt
any new policies or procedures
regarding qualified clinical data
registries’ access to Medicare claims
data for quality improvement or patient
safety analyses.
Comment: Several commenters
recommended that CMS offer qualified
clinical data registries an alternative
path to the research request process to
allow them to access CMS data for
quality improvement and patient safety
activities. Commenters stated that
qualified clinical data registries need
data to conduct quality improvement
activities that will improve patient care
and that, in many cases, this work is not
consistent with the research request
process requirement that the work
contribute to generalizable knowledge.
Response: We recognize that the
research request pathway may not be
consistent with types of analyses
qualified clinical data registries
envision conducting using the CMS
data. As a result, we are modifying the
regulations to allow qualified clinical
data registries to serve as quasi-qualified
entities, provided the qualified clinical
data registry agrees to meet all the
requirements in this subpart with the
exception of the requirement at
§ 401.707(d) that the organization
submit information about the claims
data it possesses from other sources. In
addition, for the purposes of qualified
clinical data registries acting as
quasi-qualified entities under the qualified
entity program requirements, we define
combined data as, at a minimum, a set
of CMS claims data provided under
subpart G combined with clinical data
or a subset of clinical data. Since the
language at section 105(b) of MACRA
does not reference section 1874(e)(4)(d)
of the Act, which provides parameters
for the definition of combined data for
the purposes of the qualified entity
program, we do not believe these
requirements for combined data apply
to qualified clinical data registries
serving as quasi-qualified entities.
We believe that the requirements of
the qualified entity program, which was
created to allow for provider
performance reporting, also create an
appropriate framework for qualified
clinical data registries to conduct
analyses to support quality
improvement and patient safety. In
addition, we believe that the new
parameters of the qualified entity
program, discussed in detail above,
would allow qualified clinical data
registries to work directly with
providers and suppliers on issues
related to quality improvement and
patient safety. Qualified clinical data
registries could also elect to become
qualified entities and work with
providers and suppliers in accordance
with applicable laws to develop new
quality measures in the context of
nonpublic analyses that could then be
used across the healthcare system to
measure provider and supplier
performance.
Comment: Several commenters
suggested that CMS make the Social
Security Death Master File available to
qualified clinical data registries to allow
for enhanced accuracy of patient
outcomes information.
Response: We recognize that death
information is a key aspect of analyses
of patient outcomes, but CMS does not
have the authority to disclose the Social
Security Death Master File to qualified
clinical data registries. However, CMS
has date of death information for
Medicare patients and we include this
date of death information on the data
files that are shared with qualified
entities and those that would be shared
with qualified clinical data registries.
I. Other Comments
We received several additional
suggestions for improvements to the
program regarding topics that were not
specifically discussed in the preamble
to the proposed rule.
Comment: Several commenters raised
issues related to the qualified entity
application process. One commenter
suggested CMS make the application
process and costs for becoming a
qualified entity more transparent. A few
commenters suggested that CMS offer
qualified entities better technical
assistance on the security certification
step of the approval process. One
commenter recommended that CMS
streamline the application process for
applicants that already have
certifications or accreditations that
demonstrate a high level of security.
Response: We thank commenters for
their feedback on the qualified entity
application process. We believe the
issues raised by commenters on this
topic are outside the scope of this final
rule. However, we are always looking
for ways to improve the program and
will take these comments into
consideration.
Comment: Some commenters
addressed general program requirements
of the qualified entity program. One
commenter suggested that qualified
entities that focus on certain clinical
conditions should not have to meet the
same threshold for amount of other
claims data. Another commenter
recommended that CMS allow state-level public reporting in the qualified
entity program. A few commenters
stated that CMS should provide
qualified entities with access to timelier
Medicare data. One commenter stated
that some of the existing provisions in
the CMS DUA conflict with
requirements in HIPAA, specifically the
requirement to destroy data if and when
an organization leaves the program.
Response: We have not established a
threshold for the minimum amount of
other claims an organization needs to
become a qualified entity. Instead, we
ask applicants to explain how the data
they do have for use in the qualified
entity program will be adequate to
address concerns about sample size and
reliability that have been expressed by
stakeholders regarding the calculation of
performance measures from a single
payer source. Each application is
evaluated on its collective merit,
including the amount of claims data
from other sources, and its explanation
of why that data in combination with
the requested Medicare data is adequate
for the stated purposes of the program.
We also do not prohibit qualified
entities from publicly reporting their
findings regarding provider and
supplier performance at the state-level.
Qualified entities are allowed to report
on providers and suppliers at any level
for which the measures can be used,
provided the statutory and regulatory
requirements are met, including that no
patient information is disclosed.
We currently make data available to
qualified entities on a quarterly basis. We
believe the timeliness of this data strikes
the right balance between data
completeness and data timeliness.
Finally, we do not believe that
requirements in the CMS DUA are
inconsistent with HIPAA. We use a very
similar DUA to share data with
HIPAA-covered providers and suppliers who
are participating in Innovation Center
models. We do recognize that some
qualified entities may have trouble
incorporating the Medicare data into
their data systems because they may not
be able to ensure the destruction of this
data once it is linked with other data
maintained by the qualified entity.
However, we believe that requiring
destruction of the data if a qualified
entity leaves the program is important
for ensuring the privacy and security of
CMS data.
Comment: One commenter suggested
that CMS clarify how FOIA may or may
not apply to data or reports submitted
by qualified entities. Another
commenter recommended that CMS
clarify how the changes to the qualified
entity program intersect with other
statutory and regulatory requirements.
Response: As we noted above, any
information that we collect from
qualified entities is subject to FOIA.
However, any time we receive a request
for information under FOIA, we always
evaluate whether the information is
subject to one of the FOIA exemptions,
including Exemption 4, which protects
commercial or financial information
that is privileged and confidential.
We are not able to address the breadth
and scope of laws with which the
qualified entity program requirements
may intersect in this rule. Such analyses
require case-by-case assessment of the
facts at hand, and depending on
jurisdiction, may vary based on which
state laws apply. Entities should consult
with their legal counsel to advise them
on what laws apply to them, and to
what effect.
Comment: One commenter suggested
that the release of Part D data to
qualified entities should be tailored to
protect the viability of the Part D
program.
Response: We are committed to
ensuring that commercially sensitive
information from the Part D program is
protected. As we stated in the previous
final rule on the qualified entity
program, published on December 7,
2011, we are aware of the concerns
related to, and restrictions governing the
release of certain Part D drug cost
information. Due to these concerns, we
only release the Total Drug Cost element
to qualified entities. We do not release
the four subcomponents of drug cost:
Ingredient cost, dispensing fee, vaccine
administration fee, and total amount
attributable to sales tax.
Comment: One commenter stated that
the rule does not address how states that
have all payer claims databases (APCDs)
can access Medicare data.
Response: We do not believe that state
APCDs are prohibited from becoming
qualified entities. However, state APCDs
with an interest in conducting research
rather than provider performance
reporting can also request data from
CMS via the research request process.
Organizations interested in accessing
CMS data for research should visit
www.resdac.org.
Comment: One commenter stated that
CMS should adopt a new version of the
claims form that includes a field for
unique device identifiers.
Response: This comment is outside
the scope of the qualified entity rule.
That said, CMS uses claims that comply
with the HIPAA standard transactions
regulations (45 CFR part 162). Any
changes to forms would be achieved
through rulemaking under those
provisions.
Comment: Several commenters stated
that they had concerns about the
security of the Medicare data.
Response: We are committed to
ensuring the privacy and security of all
data and we believe the existing and
new program requirements create an
appropriate framework for maintaining
the security of data disclosed to
qualified entities. Organizations
applying to become qualified entities
currently go through a rigorous security
review during the application process.
In addition, we monitor qualified
entities closely to ensure that they
continue to maintain appropriate data
security standards once approved. As
discussed above, we have also
established data security protections
that qualified entities must meet when
sharing data with authorized users,
including a requirement that the
authorized user report any breaches to
the qualified entity (and that the
qualified entity report the breaches to
CMS).
Comment: Several commenters
recommended that CMS clarify that
organizations already approved as
qualified entities would be allowed to
begin using the Medicare data for the
uses described in this final rule,
regardless of whether the qualified
entity has generated a public report.
Response: We would like to clarify
that once these regulations become
effective, organizations approved as
qualified entities will be allowed to use
the Medicare data to create non-public
analyses and provide or sell such
analyses to authorized users, as well as
provide or sell combined data, or
provide Medicare claims data alone at
no cost, to certain authorized users.
However, we believe that public
reporting is a very important aspect of
participation in the qualified entity
program and would like to remind
qualified entities about the provision at
§ 401.709(d) which requires qualified
entities to produce public reports at
least annually.
III. Provisions of the Final Rule
For the most part, this final rule
incorporates the provisions of the
proposed rule. Those provisions of this
final rule that differ from the proposed
rule are as follows:
• We modified the definition of
authorized user at § 401.703(j) to:
Include a federal agency, change the
term ‘‘state agency’’ to ‘‘state entity’’ to
provide additional clarity, and include
any contractors (or business associates)
that need analyses or data to carry out
work on behalf of authorized user third
parties.
• We modified the definition of
hospital association at § 401.703(n) to
include organizations or associations at
the local level.
• At § 401.703(r), we modified the
definition of patient to extend the
window for a face-to-face or telehealth
appointment to at least once in the past
24 months.
• We added activities that qualify as
treatment under 45 CFR 164.501 to
permitted uses of the data subject to the
QE DUA.
• We modified the terms of the QE
DUA to permit authorized users to re-disclose data subject to the QE DUA as
a covered entity would be permitted to
disclose PHI for treatment activities, as
allowed under 45 CFR 164.506(c)(2).
• At § 401.716(b)(2), we modified the
requirements to clarify that a qualified
entity may not provide or sell a non-public analysis to an issuer for a
geographic area where the issuer does
not provide coverage and, thus, does not
have any covered lives to contribute to
the analyses.
• At § 401.716(b)(4)(iii), we allowed
for the disclosure of non-public analyses
that individually identify a provider or
supplier if every provider or supplier
identified in the analysis has notified
the qualified entity that analyses may be
disclosed to that authorized user
without prior review by the provider or
supplier.
• We added a procedural step to the
review and error correction process for
non-public analyses at § 401.717(f) to
include confidential notification of the
provider or supplier.
• We added a new provision at
§ 401.722(a) to allow a qualified clinical
data registry that agrees to meet the
requirements in this subpart, with the
exception of the requirement to submit
information on the claims data from
other sources it possesses, to request
access to Medicare data as a quasi-qualified entity.
IV. Collection of Information
Requirements
Under the Paperwork Reduction Act
of 1995, we are required to provide 30-day notice in the Federal Register and
solicit public comment before a
collection of information requirement is
submitted to the Office of Management
and Budget (OMB) for review and
approval. In order to fairly evaluate
whether an information collection
should be approved by OMB, section
3506(c)(2)(A) of the Paperwork
Reduction Act of 1995 requires that we
solicit comment on the following issues:
• The need for the information
collection and its usefulness in carrying
out the proper functions of our agency.
• The accuracy of our estimate of the
information collection burden.
• The quality, utility, and clarity of
the information to be collected.
• Recommendations to minimize the
information collection burden on the
affected public, including automated
collection techniques.
We solicited public comment on each
of these issues for the following sections
of this document that contain
information collection requirements
(ICRs).
Proposed § 401.718(c) and
§ 401.716(b)(2)(ii) require a qualified
entity to enter into a QE DUA with an
authorized user prior to providing or
selling data or selling a non-public
analysis that contains individually
identifiable beneficiary information.
Proposed § 401.713(d) requires specific
provisions in the QE DUA. Proposed
§ 401.716(c) requires a qualified entity
to enter into a non-public analyses
agreement with the authorized user as a
pre-condition to providing or selling de-identified analyses. We estimate that it
will take each qualified entity a total of
40 hours to develop the QE DUA and
non-public analyses agreement. Of the
40 hours, we estimate it will take a
professional/technical services
employee with an hourly labor cost of
$75.08 a total of 20 hours to develop
both the QE DUA and non-public
analyses agreement and estimate that it
will require a total of 20 hours of legal
review at an hourly labor cost of $77.16
for both the QE DUA and non-public
analyses agreement. We also estimate
that it will take each qualified entity 2
hours to process and maintain each QE
DUA or non-public analyses agreement
with an authorized user by a
professional/technical service employee
with an hourly labor cost of $75.08.
While there may be two different staff
positions that perform these duties (one
that is responsible for processing the QE
DUAs and/or non-public analyses
agreement and one that is responsible
for maintaining the QE DUA and/or
non-public analyses agreement), we
believe that both positions would fall
under the professional/technical
services employee labor category with
an hourly labor cost of $75.08. There are
currently 15 qualified entities; however
we estimate that number will increase to
20 if these proposals are finalized. This
number includes qualified entities and
‘‘quasi qualified entities’’ (meaning
qualified clinical data registries that are
approved under § 401.722(a) as
described in this preamble), which we
hereinafter collectively refer to as
‘‘qualified entity’’. This would mean
that to develop each QE DUA and non-public analysis agreement, the burden
cost per qualified entity would be
$3,045 with a total estimated burden for
all 15 qualified entities of $45,675. This
does not include the two hours to
process and maintain each QE DUA.
As discussed in the regulatory impact
analysis below, we estimate that each
qualified entity would need to process
and maintain 70 QE DUAs or non-public analyses agreements as some
authorized users may receive both
datasets and a non-public analyses and
would only need to execute one QE
DUA. We estimate that it will take each
qualified entity 2 hours to process and
maintain each QE DUA or non-public
analyses agreement. This would mean
the burden cost per qualified entity to
process and maintain 70 QE DUAs or
non-public analyses agreements would
be $10,511 with a total estimated
burden for all 15 qualified entities of
$157,668. While we anticipate that the
requirement to create a QE DUA and/or
non-public analyses agreement will only
be incurred once by a qualified entity,
we believe that the requirement to
process and maintain the QE DUAs and/
or non-public analyses will be an
ongoing cost.
These regulations would also require
a qualified entity to submit additional
information as part of its annual report
to CMS. A qualified entity is currently
required to submit an annual report to
CMS under § 401.719(b). Proposed
§ 401.719(b)(3) and (4) provide for
additional reporting requirements if a
qualified entity chooses to provide or
sell analyses and/or data to authorized
users. The burden associated with this
requirement is the time and effort
necessary to gather, process, and submit
the required information to CMS. As
noted above, there are currently 15
qualified entities; however we estimate
that number will increase to 20 if these
proposals are finalized. Some qualified
entities may not want to bear the risk of
the potential assessments and have been
able to accomplish their program goals
under other CMS data sharing programs,
therefore some qualified entities may
not elect to provide or sell analyses and/
or data to authorized users. As a result,
we estimate that 15 qualified entities
will choose to provide or sell analyses
and/or data to authorized users, and
therefore, would be required to comply
with these additional reporting
requirements within the first three years
of the program. We further estimate that
it would take each qualified entity 50
hours to gather, process, and submit the
required information. We estimate that
it will take each qualified entity 34
hours to gather the required
information, 15 hours to process the
information, and 1 hour to submit the
information to CMS. We believe a
professional or technical services
employee of the qualified entity with an
hourly labor cost of $75.08 will fulfill
these additional annual report
requirements. We estimate that 15
qualified entities will need to comply
with this requirement and that the total
estimated burden associated with this
requirement is $56,310. We requested
comment on the type of employee and
the number of hours that will be needed
to fulfill these additional annual
reporting requirements.
As a reminder, the final rule for the
qualified entity program, published
December 7, 2011, included information
about the burden associated with the
provisions in that rule. Specifically,
§§ 401.705 through 401.709 provide the
application and reapplication
requirements for qualified entities. The
burden associated with these
requirements is currently approved
under OMB control number 0938–1144
with an expiration date of May 31, 2018.
This package accounts for 35 responses.
Section 401.713(a) states that as part of
the application review and approval
process, a qualified entity would be
required to execute a DUA with CMS,
that among other things, reaffirms the
statutory bar on the use of Medicare
data for purposes other than those
referenced above. The burden associated
with executing this DUA is currently
approved under OMB control number
0938–0734 with an expiration date of
December 31, 2017. This package
accounts for 9,240 responses (this
package covers all CMS DUAs, not only
DUAs under the qualified entity
program). We currently have 15
qualified entities and estimate it will
increase to 20 so we have not surpassed
the previously approved numbers.
We based the hourly labor costs on
those reported by the Bureau of Labor
Statistics (BLS) at https://data.bls.gov/pdq/querytool.jsp?survey=ce for this
labor category. We used the annual rate
for 2014 and added 100 percent for
overhead and fringe benefit costs.
TABLE 1—COLLECTION OF INFORMATION

| Regulation section(s) | OMB Control No. | Number of respondents | Number of responses per respondent | Burden per response (hours) | Total annual burden (hours) | Hourly labor cost of reporting ($) * | Total labor cost of reporting ($) | Total cost ($) |
|---|---|---|---|---|---|---|---|---|
| § 401.718, § 401.716, and § 401.713 (DUA and non-public analyses agreement Development) | 0938 New | 15 | 1 | 20 | 300 | 75.08 | 22,524 | 22,524 |
| § 401.718 and § 401.716 (Legal Review) | 0938 New | 15 | 1 | 20 | 300 | 77.16 | 23,148 | 23,148 |
| § 401.718 and § 401.716 (Processing and Maintenance) | 0938 New | 15 | 70 | 2 | 2,100 | 75.08 | 157,668 | 157,668 |
| § 401.719(b) | 0938 New | 15 | 1 | 50 | 750 | 75.08 | 56,310 | 56,310 |
| Total | | 15 | 73 | | 3,450 | | | 259,650 |

* The values listed are based on 100 percent overhead and fringe benefit calculations.
Note: There are no capital/maintenance costs associated with the information collection requirements contained in this rule; therefore, we have removed the associated column from Table 1.
If you comment on these information
collection and recordkeeping
requirements, please submit your
comments to the Office of Information
and Regulatory Affairs, Office of
Management and Budget,
Attention: CMS Desk Officer, CMS–
5061–F
Fax: (202) 395–6974; or
Email: OIRA_submission@omb.eop.gov
V. Regulatory Impact Statement
In accordance with the provisions of
Executive Order 12866, this regulation
was reviewed by the Office of
Management and Budget.
A. Response to Comments
We received a few comments on the
anticipated effects of these
modifications to the qualified entity
program.
Comment: One commenter suggested
that it would take each qualified entity
an estimated 60 hours to develop and
review the QE DUA and non-public
analyses agreement. Of those 60 hours,
30 hours would be to develop the QE
DUA and non-public analyses
agreement and 30 would be needed for
legal review. In addition, the commenter
estimated that it would take each
qualified entity 3 hours to process and
maintain each QE DUA and non-public
analyses agreement.
Response: In the proposed rule, we
estimated that it would take each
qualified entity 40 hours to develop and
review the QE DUA and non-public
analyses agreement. Of those 40 hours,
20 hours would be needed to develop
the QE DUA and non-public analyses
agreement and 20 hours would be
needed for legal review. We also
estimated that it would take 2 hours to
process and maintain each QE DUA and
non-public analyses agreement. We
recognize that some qualified entities
may spend more hours than other
qualified entities to develop, process,
and maintain QE DUAs and non-public
analyses agreements. For example, some
qualified entities may spend 60 hours to
develop the QE DUA and non-public
analyses agreement and other qualified
entities will spend 30 hours. However,
we believe that 40 hours to develop the
QE DUA and the non-public analyses
agreement and 2 hours to process each
QE DUA and the non-public analyses
agreement is a reasonable average.
Comment: We received a few
comments about the impact on
providers and suppliers. One
commenter suggested that CMS
reconsider the assumption that all 1500
small rural hospitals would not be
impacted by this rule and that the 3
hour average estimate for providers and
suppliers to review non-public analyses
appears too low. Another commenter
suggested that CMS monitor provider
burden as expanded data access unfolds
and the number of qualified entities and
authorized users begin to grow.
Response: We appreciate commenters’
concerns about the potential impact on
providers and suppliers. As discussed
above in section II.A.4, we made
procedural changes to the proposed
review and corrections process for non-public analyses in order to reduce
burden to both qualified entities and
providers and suppliers. As a first step
of the review and correction process, the
qualified entity would be required to
notify the provider or supplier that
analyses that individually identify the
provider or supplier are going to be
released to an authorized user and allow
the provider or supplier to opt-in to the
review and corrections process at
§ 401.717(a) through (e). This
notification should include a short
summary of the analyses, the process for
the provider or supplier to request the
analyses, and the date on which the
qualified entity will release the analyses
to the authorized user. This date should
be at least 65 calendar days from the
date the provider or supplier is notified
of the analyses.
Given these procedural changes to the
review and corrections process in the
context of the non-public analyses, we
believe that the 3 hours average estimate
for providers and suppliers to review
non-public analyses is a sufficient
estimate of provider and supplier
burden. This average takes into account
the range of potential cases given the
new review and corrections process. In
some cases, for example, notification
may be sufficient to meet the needs of
providers or suppliers. In other cases,
however, where the analyses are similar
to previous analyses or use data the
provider or supplier has already
corrected, the provider or supplier may
choose not to review the analyses. In
addition, as discussed in the proposed
rule, even if a provider or supplier
requests the non-public analyses, there
will be variability in the amount of time
providers or suppliers will need for the
review and corrections process.
As discussed in the proposed rule, we
do not anticipate this rule will have a
significant impact on the operations of
a substantial number of small rural
hospitals because we anticipate that
most qualified entities will focus their
performance evaluation efforts on
metropolitan areas where the majority of
health services are provided. In
addition, given the limited number of
health services provided in rural
regions, we anticipate that any analyses
that included rural regions would not
individually identify the providers or
suppliers, but rather focus on regional
or state metrics. As suggested by a
commenter, we will monitor provider
burden as the number of qualified
entities grows and more non-public
analyses are provided to authorized
users.
B. Overall Impact
We have examined the impacts of this
rule as required by Executive Order
12866 on Regulatory Planning and
Review (September 30, 1993), the
Regulatory Flexibility Act (RFA)
(September 19, 1980, 96), section
1102(b) of the Act, section 202 of the
Unfunded Mandates Reform Act of 1995
(Pub. L. 104–4), Executive Order 13132
on Federalism (August 4, 1999), and the
Congressional Review Act (5 U.S.C.
804(2)).
Executive Order 12866 directs
agencies to assess all costs and benefits
of available regulatory alternatives and,
if regulation is necessary, to select
regulatory approaches that maximize
net benefits (including potential
economic, environmental, public health
and safety effects, distributive impacts,
and equity). A regulatory impact
analysis (RIA) must be prepared for
major rules with economically
significant effects ($100 million or more
in any 1 year). For the reasons discussed
below, we estimate that the total impact
of this final rule will be less than $58
million and therefore, it will not reach
the threshold for economically
significant effects and is not considered
a major rule.
The RFA requires agencies to analyze
options for regulatory relief of small
businesses, if a rule has a significant
impact on a substantial number of small
entities. For purposes of the RFA, we
estimate that most hospitals and most
other providers are small entities as that
term is used in the RFA (including
small businesses, nonprofit
organizations, and small governmental
jurisdictions). However, since the total
estimated impact of this rule is less than
$100 million, and the total estimated
impact will be spread over 82,500
providers and suppliers (who are the
subject of reports), no one entity will
face significant impact. Of the 82,500
providers, we estimate that 78,605 will
be physician offices that have average
annual receipts of $11 million and 4,125
will be hospitals that have average
annual receipts of $38.5 million. As
discussed below, the estimated cost per
provider is $8,426 (see table 5 below)
and the estimated cost per hospital is
$6,523 (see table 5 below). For both
types of entities, these costs will be a
very small percentage of overall
receipts. Thus, we are not preparing an
analysis of options for regulatory relief
of small businesses because we have
determined that this rule will not have
a significant economic impact on a
substantial number of small entities.
For section 105(a) of MACRA, we
estimate that two types of entities may
be affected by the additional program
opportunities: Qualified entities that
choose to provide or sell non-public
analyses or data to authorized users; and
providers and suppliers who are
identified in the non-public analyses
created by qualified entities and provided
or sold to authorized users.
We anticipate that most providers and
suppliers that may be identified in
qualified entities’ non-public analyses
will be hospitals and physicians. Many
hospitals and most other healthcare
providers and suppliers are small
entities, either by being nonprofit
organizations or by meeting the Small
Business Administration definition of a
small business (having revenues of less
than $38.5 million in any 1 year) (for
details see the Small Business
Administration’s Web site at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf (refer to the
620000 series)). For purposes of the RFA,
physicians are considered small
businesses if they generate revenues of
$11 million or less based on Small
Business Administration size standards.
Approximately 95 percent of physicians
are considered to be small entities.
The analysis and discussion provided
in this section and elsewhere in this
final rule complies with the RFA
requirements. Because we acknowledge
that many of the affected entities are
small entities, the analysis discussed
throughout the preamble of this final
rule constitutes our regulatory flexibility
analysis for the remaining provisions
and addresses comments received on
these issues.
In addition, section 1102(b) of the Act
requires us to prepare a regulatory
impact analysis, if a rule may have a
significant impact on the operations of
a substantial number of small rural
hospitals. Any such regulatory impact
analysis must conform to the provisions
of section 604 of the RFA. For purposes
of section 1102(b) of the Act, we define
a small rural hospital as a hospital that
is located outside of a metropolitan
statistical area and has fewer than 100
beds. We do not believe this final rule
has a significant impact on the operations of
a substantial number of small rural
hospitals because we anticipate that
most qualified entities will focus their
performance evaluation efforts on
metropolitan areas where the majority of
health services are provided. As a result,
this rule will not have a significant
impact on small rural hospitals.
Therefore, the Secretary has determined
that this final rule will not have a
significant impact on the operations of
a substantial number of small rural
hospitals.
Section 202 of the Unfunded
Mandates Reform Act of 1995 (UMRA)
also requires that agencies assess
anticipated costs and benefits before
issuing any rule whose mandates
require spending in any 1 year of $100
million in 1995 dollars, updated
annually for inflation. In 2016, that
threshold is approximately $146
million. This final rule will not impose
spending costs on state, local, or tribal
governments in the aggregate, or by the
private sector, of $146 million or more.
Specifically, as explained below we
anticipate the total impact of this rule
on all parties to be approximately $58
million.
Executive Order 13132 establishes
certain requirements that an agency
must meet when it promulgates a
proposed rule (and subsequent final
rule) that imposes substantial direct
requirement costs on State and local
governments, preempts State law, or
otherwise has Federalism implications.
We have examined this final rule in
accordance with Executive Order 13132
and have determined that this
regulation will not have any substantial
direct effect on State or local
governments, preempt States, or
otherwise have a Federalism
implication.
C. Anticipated Effects
1. Impact on Qualified Entities
Because section 105(a) of MACRA
allows qualified entities to use the data
in new ways to provide or sell non-public analyses or data to authorized
users, there is little quantitative
information to inform our estimates on
the number of analyses and datasets that
the qualified entity may provide or
sell or on the costs associated with the
creation of the non-public analyses or
datasets. Therefore, we look to the
estimates from the original qualified
entity rules to estimate the number of
hours that it may take to create non-public analyses, to process provider/
supplier appeals and revisions, and to
complete annual reports. We also
looked to the Centers for Medicare and
Medicaid’s cost of providing data to
qualified entities since qualified
entities’ data fees are equal to the
government’s cost to make the data
available.
There are currently 15 qualified
entities and these qualified entities all
are in different stages of the qualified
entity program. For example, some
qualified entities have released public
reports and some qualified entities are
still completing the security
requirements in order to receive
Medicare data. Given the requirements
in the different phases and the current
status of the qualified entities, we
estimate that 11 qualified entities will
be able to provide or sell analyses and/
or data to authorized users within the
first year of the program, and therefore,
will be incurring extra costs. As
discussed above, we believe the total
number of qualified entities will
ultimately grow to 20 in subsequent
years, with 15 entities providing or
selling analyses and/or data to
authorized users. In estimating qualified
entity impacts, we used hourly labor
costs in several labor categories reported
by the Bureau of Labor Statistics (BLS)
at https://data.bls.gov/pdq/querytool.jsp?survey=ce. We used the
annual rates for 2014 and added 100
percent for overhead and fringe benefit
costs. These rates are displayed in Table
2.
TABLE 2—LABOR RATES FOR QUALIFIED ENTITY IMPACT ESTIMATES

| | 2014 Hourly wage rate (BLS) | OH and fringe (100%) | Total hourly costs |
|---|---|---|---|
| Professional and technical services | $37.54 | $37.54 | $75.08 |
| Legal review | 38.58 | 38.58 | 77.16 |
| Custom computer programming | 43.05 | 43.05 | 86.10 |
| Data processing and hosting | 34.02 | 34.02 | 68.04 |
| Other information services | 39.72 | 39.72 | 79.44 |

We estimate that within the first year
11 qualified entities will provide or
sell on average 55 non-public analyses
or provide or sell 35 datasets. We do not
believe the number of datasets and non-public analyses per qualified entity will
change in future years of the program.
In the original proposed rule for the
qualified entity program (76 FR 33566),
we estimated that each qualified
entity’s activities to analyze the
Medicare claims data, calculate
performance measures and produce
public provider performance reports
will require 5,500 hours of effort per
qualified entity. We anticipate under
this final rule that implements section
105(a) of MACRA that qualified entities
will base the non-public analyses on
their public performance reports.
Therefore, the creation of the non-public
analyses will require much less effort
and only require a fraction of the time
it takes to produce the public reports.
We estimate that a qualified entity’s
activities for each non-public analysis to
analyze the Medicare claims data,
calculate performance measures, and
produce the report will require 320
hours, between five and six percent of
the time to produce the public reports.
We anticipate that half of this time will
be spent on data analysis, measure
calculation, and report creation and the
other half on data processing.
We anticipate that within the first
year of the program a qualified entity
will, on average, provide one-year
datasets containing all data types for a
cohort of 750,000 to 1.75 million
beneficiaries to 35 authorized users. We
estimate that it will require 226 hours to
create each dataset that will be provided
to an authorized user. We looked to the
Centers for Medicare and Medicaid
Centers’ data costs and time to estimate
a qualified entity’s costs and time to
create datasets. While the majority of
the time will be devoted to computer
processing, we anticipate about 100
hours will be spent on computer
programming, particularly if the
qualified entity is de-identifying the
data.
We further estimate that, on average,
each qualified entity will expend 7,500
hours of effort processing providers’ and
suppliers’ appeals of their performance
reports and producing revised reports,
including legal review of the appeals
and revised reports. These estimates
assume that, as discussed below in the
section on provider and supplier
impacts, on average 25 percent of
providers and suppliers will appeal
their results from a qualified entity.
Responding to these appeals in an
appropriate manner will require a
significant investment of time on the
part of qualified entities. This equates to
an average of four hours per appeal for
each qualified entity. These estimates
are similar to those in the Qualified
Entities final rule. We assume that the
complexity of appeals will vary greatly,
and as such, the time required to
address them will also vary greatly.
Many appeals may be able to be dealt
with in an hour or less while some
appeals may require multiple meetings
between the qualified entity and the
affected provider or supplier. On
average, however, we believe that this is
a reasonable estimate of the burden of
the appeals process on qualified
entities. We discuss the burden of the
appeals process on providers and
suppliers below.
We estimate that each qualified entity
will spend 40 hours creating a nonpublic analyses agreement template and
a QE DUA. We also estimate that it will
take a qualified entity 2 hours to process
a QE DUA or non-public analyses
agreement.
Finally, we estimate that each
qualified entity will spend 50 hours on
the additional annual reporting
requirements.
Qualified entities will be required to
notify CMS of inappropriate disclosures
or use of beneficiary identifiable data
pursuant to the requirements in the
CMS DUA. We believe that the report
generated in response to an
inappropriate disclosure or use of
beneficiary identifiable data will be
generated as a matter of course by the
qualified entities and therefore, will not
require significant additional effort.
Based on the assumptions we have
described, we estimate the total impact
on qualified entities for the first year of
the program to be a cost of $27,925,198.
TABLE 3—IMPACT ON QUALIFIED ENTITIES FOR THE FIRST YEAR OF THE PROGRAM
[Impact on Qualified Entities]

| Activity | Hours: Professional and technical | Hours: Legal | Hours: Computer programming | Hours: Data processing and hosting | Labor hourly cost | Cost per authorized user | Number of authorized users | Number of qualified entities | Total cost impact |
|---|---|---|---|---|---|---|---|---|---|
| Dissemination of Data | | | | | | | | | |
| Data processing & hosting | | | | 126 | $68.04 | $8,573 | 35 | 11 | $3,300,620 |
| Computer programming | | | 100 | | 86.10 | 8,610 | 35 | 11 | 3,314,850 |
| Total: Dissemination of Data | | | | | | | | | $6,615,470 |
| Non-Public Analyses | | | | | | | | | |
| Data analysis/measure calculation/report preparation | | | 160 | | 86.10 | 13,776 | 55 | 11 | 8,334,480 |
| Data processing and hosting | | | | 160 | 68.04 | 10,886 | 55 | 11 | 6,586,272 |
| Total: Non-public Analyses | | | | | | | | | 14,920,752 |
| Processing of Provider Appeals and Report Revision | | | | | | | | | |
| Qualified entity processing of provider appeals and report revision | 5,500 | | | | 75.08 | 412,940 | | 11 | 4,542,340 |
| Qualified entity legal analysis of provider appeals and report revisions | | 2,000 | | | 77.16 | 154,320 | | 11 | 1,697,520 |
| Total: Qualified entity processing of provider appeals and report revision | | | | | | | | | 6,239,860 |
| QE DUA and Non-Public Analyses Agreements | | | | | | | | | |
| Development of the QE DUA and non-public analyses agreement | 20 | | | | 75.08 | 1,502 | | 11 | 16,518 |
| Legal review of the QE DUA and non-public analyses agreement | | 20 | | | 77.16 | 1,543 | | 11 | 16,975 |
| Processing QE DUA and non-public analyses agreement | 2 | | | | 75.08 | 150 | 70 | 11 | 115,623 |
| Total QE DUA and non-public analyses agreements | | | | | | | | | 149,116 |
| Additional Annual Report Requirements | 50 | | | | 75.08 | 3,754 | | 11 | 41,294 |
| Total qualified entity Impacts | | | | | | | | | 27,966,492 |

2. Impact on Healthcare Providers and
Suppliers
We note that numerous healthcare
payers, community quality
collaboratives, States, and other
organizations are producing
performance measures for healthcare
providers and suppliers using data from
other sources, and that providers and
suppliers are already receiving
performance reports from these sources.
We anticipate that the review of non-public
analyses will merely be added to
those existing efforts to improve the
statistical validity of the measure
findings.
Table 4 reflects the hourly labor rates
used in our estimate of the impacts of
the first year of section 105(a) of
MACRA on healthcare providers and
suppliers.
TABLE 4—LABOR RATES FOR PROVIDER AND SUPPLIER IMPACT ESTIMATES

| | 2014 Hourly wage rate (BLS) | Overhead and fringe benefits (100%) | Total hourly costs |
|---|---|---|---|
| Physicians’ offices | $38.27 | $38.27 | $76.54 |
| Hospitals | 29.65 | 29.65 | 59.30 |

We anticipate that the impacts on
providers and suppliers consist of costs
to review the performance reports
generated by qualified entities and, if
they choose, appeal the performance
calculations. We believe, on average,
each qualified entity will produce non-public
analyses that in total include
information on 7,500 health providers
and suppliers. This is based on
estimates in the qualified entity final
rule, but also includes an increase of 50
percent because we believe that more
providers and suppliers will be
included in the non-public analyses. We
anticipate that the largest proportion of
providers and suppliers will be
physicians because they comprise the
largest group of providers and suppliers,
and are a primary focus of many recent
performance evaluation efforts. We also
believe that many providers and
suppliers will be the recipients of the
non-public analyses in order to support
their own performance improvement
activities, and therefore, there will be no
requirement for a correction or appeals
process. As discussed above, there is no
requirement for a corrections or appeals
process where the analysis only
individually identifies the (singular)
provider or supplier who is being
provided or sold the analysis. Based on
our review of information from existing
programs, we assume that 95 percent of
the recipients of performance reports
(that is, an average of 7,125 per qualified
entity) will be physicians, and 5 percent
(that is, an average of 375 per qualified
entity) will be hospitals and other
suppliers. Providers and suppliers
receive these reports with no obligation
to review them, but we assume that
most will do so to verify that their
calculated performance measures reflect
their actual patients and health events.
Because these non-public analyses will
be based on the same underlying data as
the public performance reports, we
estimate that it will take less time for
providers or suppliers to review these
analyses and generate an appeal. We
estimate that, on average, each provider
or supplier will devote three hours to
reviewing these analyses. We also
estimate that 25 percent of the providers
and suppliers will decide to appeal their
performance calculations, and that
preparing the appeal will involve an
average of seven hours of effort on the
part of a provider or supplier. As with
our assumptions regarding the level of
effort required by qualified entities in
operating the appeals process, we
believe that this average covers a range
of provider efforts from providers who
will need just one or two hours to
clarify any questions or concerns
regarding their performance reports to
providers who will devote significant
time and resources to the appeals
process.
Using the hourly costs displayed in
Table 4, the impacts on providers and
suppliers are calculated below in Table
5. Based on the assumptions we have
described, we estimate the total impact
on providers for the first year of the
program to be a cost of $29,690,386.
As stated above in Table 3, we
estimate the total impact on qualified
entities to be a cost of $27,966,492.
Therefore, the total impact on qualified
entities and on providers and suppliers
for the first year of the program is
estimated to be $57,656,878.
TABLE 5—IMPACT ON PROVIDERS AND SUPPLIERS FOR THE FIRST YEAR OF THE PROGRAM
[Impact on Providers and Suppliers]

| Activity | Hours per provider: Physician offices | Hours per provider: Hospitals | Labor hourly cost | Cost per provider | Number of providers per qualified entity | Number of qualified entities | Total cost impact |
|---|---|---|---|---|---|---|---|
| Physician office review of performance reports | 3 | | $76.54 | $230 | 7,125 | 11 | $18,026,250 |
| Hospital review of performance reports | | 3 | 59.30 | 178 | 375 | 11 | 734,250 |
| Physician office preparing and submitting appeal requests to qualified entities | 7 | | 76.54 | 536 | 1,781 | 11 | 10,500,776 |
| Hospital preparing and submitting appeal requests to qualified entities | | 7 | 59.30 | 415 | 94 | 11 | 429,110 |
| Total Impact on Providers and Suppliers | | | | | | | 29,690,386 |

D. Alternatives Considered
The statutory provisions added by
section 105(a) of MACRA are detailed
and prescriptive about the permissible
uses of the data under the Qualified
Entity Program. We believe there are
limited approaches that will ensure
statutory compliance. We considered
less prescriptive requirements on the
provisions that will need to be included
in the agreements between qualified
entities and authorized users that
received or purchased analyses or data.
For example, we could have required
less strenuous data privacy and security
protections such as not setting a
minimum standard for protection of
beneficiary identifiable data or non-public
analyses. In addition, we could
have reduced additional restrictions on
re-disclosure or permitted data or
analyses to be re-disclosed to additional
downstream users. While these
approaches might reduce costs for
qualified entities, we did not adopt such
an approach because of the importance
of protecting beneficiary data. We
believe if we do not require qualified
entities to provide sufficient evidence of
data privacy and security protection
capabilities, there will be increased
risks related to the protection of
beneficiary identifiable data.
E. Conclusion
As explained above, we estimate the
total impact for the first year of the
program on qualified entities and
providers to be a cost of $57,656,878.
While we anticipate the number of
qualified entities to increase slightly, we
do not anticipate significant growth in
the qualified entity program given the
qualified entity program requirements,
as well as other existing programs that
allow entities to obtain Medicare data.
Based on these estimates, we conclude
this final rule does not reach the
threshold for economically significant
effects and thus is not considered a
major rule.
In accordance with the provisions of
Executive Order 12866, this regulation
was reviewed by the Office of
Management and Budget.
List of Subjects in 42 CFR Part 401
Claims, Freedom of information,
Health facilities, Medicare, Privacy.
For the reasons set forth in the
preamble, the Centers for Medicare &
Medicaid Services amends 42 CFR part
401 as set forth below:
PART 401—GENERAL
ADMINISTRATIVE REQUIREMENTS
■ 1. The authority citation for part 401
is revised to read as follows:
Authority: Secs. 1102, 1871, and 1874(e)
of the Social Security Act (42 U.S.C. 1302,
1395hh, and 1395w–5) and sec. 105, Pub. L.
114–10, 129 Stat. 87.
■ 2. Section 401.703 is amended by
adding paragraphs (j) through (u) to read
as follows:
§ 401.703 Definitions.
* * * * *
(j) Authorized user is a third party and
its contractors (including, where
applicable, business associates as that
term is defined at 45 CFR 160.103) that
need analyses or data covered by this
section to carry out work on behalf of
that third party (meaning not the
qualified entity or the qualified entity’s
contractors) to whom/which the
qualified entity provides or sells data as
permitted under this subpart.
Authorized user third parties are limited
to the following entities:
(1) A provider.
(2) A supplier.
(3) A medical society.
(4) A hospital association.
(5) An employer.
(6) A health insurance issuer.
(7) A healthcare provider and/or
supplier association.
(8) A state entity.
(9) A federal agency.
(k) Employer has the same meaning as
the term ‘‘employer’’ as defined in
section 3(5) of the Employee Retirement
Insurance Security Act of 1974.
(l) Health insurance issuer has the
same meaning as the term ‘‘health
insurance issuer’’ as defined in section
2791 of the Public Health Service Act.
(m) Medical society means a nonprofit
organization or association that provides
unified representation and advocacy for
physicians at the national or state level
and whose membership is comprised of
a majority of physicians.
(n) Hospital association means a
nonprofit organization or association
that provides unified representation and
advocacy for hospitals or health systems
at a national, state, or local level and
whose membership is comprised of a
majority of hospitals and health
systems.
(o) Healthcare Provider and/or
Supplier Association means a nonprofit
organization or association that provides
unified representation and advocacy for
providers and suppliers at the national
or state level and whose membership is
comprised of a majority of suppliers or
providers.
(p) State Entity means any office,
department, division, bureau, board,
commission, agency, institution, or
committee within the executive branch
of a state government.
(q) Combined data means, at a
minimum, a set of CMS claims data
provided under this subpart combined
with claims data, or a subset of claims
data from at least one of the other claims
data sources described in § 401.707(d).
(r) Patient means an individual who
has visited the provider or supplier for
a face-to-face or telehealth appointment
at least once in the past 24 months.
(s) Marketing means the same as the
term ‘‘marketing’’ at 45 CFR 164.501
without the exception to the bar for
‘‘consent’’ based marketing.
(t) Violation means a failure to
comply with a requirement of a CMS
DUA (CMS data use agreement) or QE
DUA (qualified entity data use
agreement).
(u) Required by law means the same
as the phrase ‘‘required by law’’ at 45
CFR 164.103.
■ 3. Section 401.713 is amended by
revising paragraph (a) and adding
paragraph (d) to read as follows:
§ 401.713 Ensuring the privacy and
security of data.
(a) Data use agreement between CMS
and a qualified entity. A qualified entity
must comply with the data requirements
in its data use agreement with CMS
(hereinafter the CMS DUA). Contractors
(including, where applicable, business
associates) of qualified entities that are
anticipated to have access to the
Medicare claims data or beneficiary
identifiable data in the context of this
program are also required to execute
and comply with the CMS DUA. The
CMS DUA will require the qualified
entity to maintain privacy and security
protocols throughout the duration of the
agreement with CMS, and will ban the
use or disclosure of Medicare data or
any derivative data for purposes other
than those set out in this subpart. The
CMS DUA will also prohibit the use of
unsecured telecommunications to
transmit such data, and will specify the
circumstances under which such data
must be stored and may be transmitted.
* * * * *
(d) Data use agreement between a
qualified entity and an authorized user.
In addition to meeting the other
requirements of this subpart, and as a
pre-condition of selling or disclosing
any combined data or any Medicare
claims data (or any beneficiary-identifiable
derivative data of either
kind) and as a pre-condition of selling
or disclosing non-public analyses that
include individually identifiable
beneficiary data, the qualified entity
must enter a DUA (hereinafter the QE
DUA) with the authorized user. Among
other things laid out in this subpart,
such QE DUA must contractually bind
the authorized user (including any
contractors or business associates
described in the definition of authorized
user) to the following:
(1)(i) The authorized user may be
permitted to use such data and non-public
analyses in a manner that a
HIPAA Covered Entity could do under
the following provisions:
(A) Activities falling under paragraph
(1) of the definition of ‘‘health care
operations’’ under 45 CFR 164.501:
Quality improvement activities,
including care coordination activities
and efforts to track and manage medical
costs; patient-safety activities;
population-based activities such as
those aimed at improving patient safety,
quality of care, or population health,
including the development of new
models of care, the development of
means to expand coverage and improve
access to healthcare, the development of
means of reducing healthcare
disparities, and the development or
improvement of methods of payment or
coverage policies.
(B) Activities falling under paragraph
(2) of the definition of ‘‘health care
operations’’ under 45 CFR 164.501:
Reviewing the competence or
qualifications of health care
professionals, evaluating practitioner
and provider performance, health plan
performance, conducting training
programs in which students, trainees, or
practitioners in areas of health care
learn under supervision to practice or
improve their skills as health care
providers, training of non-health care
professionals, accreditation,
certification, licensing, or credentialing
activities.
(C) Activities that qualify as ‘‘fraud
and abuse detection or compliance
activities’’ under 45 CFR
164.506(c)(4)(ii).
(D) Activities that qualify as
‘‘treatment’’ under 45 CFR 164.501.
(ii) All other uses and disclosures of
such data and/or such non-public
analyses must be forbidden except to
the extent a disclosure qualifies as a
‘‘required by law’’ disclosure as defined
at 45 CFR 164.103.
(2) The authorized user is prohibited
from using or disclosing the data or non-public
analyses for marketing purposes
as defined at § 401.703(s).
(3) The authorized user is required to
ensure adequate privacy and security
protection for such data and non-public
analyses. At a minimum, regardless of
whether the authorized user is a HIPAA
covered entity, such protections of
beneficiary identifiable data must be at
least as protective as what is required of
covered entities and their business
associates regarding protected health
information (PHI) under the HIPAA
Privacy and Security Rules. In all cases,
these requirements must be imposed for
the life of such beneficiary identifiable
data or non-public analyses and/or any
derivative data, that is until all copies
of such data or non-public analyses are
returned or destroyed. Such duties must
be written in such a manner as to
survive termination of the QE DUA,
whether for cause or not.
(4) Except as provided for in
paragraph (d)(5) of this section, the
authorized user must be prohibited from
re-disclosing or making public any such
data or non-public analyses.
(5)(i) At the qualified entity’s
discretion, it may permit an authorized
user that is a provider as defined in
§ 401.703(b) or a supplier as defined in
§ 401.703(c), to re-disclose such data
and non-public analyses as a covered
entity will be permitted to disclose PHI
under 45 CFR 164.506(c)(4)(i), under 45
CFR 164.506(c)(2), or under 45 CFR
164.502(e)(1).
(ii) All other uses and disclosures of
such data and/or such non-public
analyses is forbidden except to the
extent a disclosure qualifies as a
‘‘required by law’’ disclosure.
(6) Authorized users who/that receive
the beneficiary de-identified combined
data or Medicare data as contemplated
under § 401.718 are contractually
prohibited from linking the beneficiary
de-identified data to any other
identifiable source of information, and
must be contractually barred from
attempting any other means of re-identifying
any individual whose data is
included in such data.
(7) The QE DUA must bind authorized
user(s) to notifying the qualified entity
of any violations of the QE DUA, and it
must require the full cooperation of the
authorized user in the qualified entity’s
efforts to mitigate any harm that may
result from such violations, or to
comply with the breach provisions
governing qualified entities under this
subpart.
■ 4. Section 401.716 is added to read as
follows:
§ 401.716 Non-public analyses.
(a) General. So long as it meets the
other requirements of this subpart, and
subject to the limits in paragraphs (b)
and (c) of this section, the qualified
entity may use the combined data to
create non-public analyses in addition
to performance measures and provide or
sell these non-public analyses to
authorized users (including any
contractors or business associates
described in the definition of authorized
user).
(b) Limitations on a qualified entity.
In addition to meeting the other
requirements of this subpart, a qualified
entity must comply with the following
limitations as a pre-condition of
dissemination or selling non-public
analyses to an authorized user:
(1) A qualified entity may only
provide or sell a non-public analysis to
a health insurance issuer as defined in
§ 401.703(l), after the health insurance
issuer or a business associate of that
health insurance issuer has provided the
qualified entity with claims data that
represents a majority of the health
insurance issuer’s covered lives, using
one of the four methods of calculating
covered lives established at 26 CFR
46.4375–1(c)(2), for the time period and
geographic region covered by the issuer-requested
non-public analyses. A
qualified entity may not provide or sell
a non-public analysis to a health
insurance issuer if the issuer does not
have any covered lives in the geographic
region covered by the issuer-requested
non-public analysis.
(2) Analyses that contain information
that individually identifies one or more
beneficiaries may only be disclosed to a
provider or supplier (as defined at
§ 401.703(b) and (c)) when both of the
following conditions are met:
(i) The analyses only contain
identifiable information on beneficiaries
with whom the provider or supplier
have a patient relationship as defined at
§ 401.703(r).
(ii) A QE DUA as defined at
§ 401.713(d) is executed between the
qualified entity and the provider or
supplier prior to making any
individually identifiable beneficiary
information available to the provider or
supplier.
(3) Except as specified under
paragraph (b)(2) of this section, all
analyses must be limited to beneficiary
de-identified data. Regardless of the
HIPAA covered entity or business
associate status of the qualified entity
and/or the authorized user, de-identification
must be determined based
on the standards for HIPAA covered
entities found at 45 CFR 164.514(b).
(4) Analyses that contain information
that individually identifies a provider or
supplier (regardless of the level of the
provider or supplier, that is, individual
clinician, group of clinicians, or
integrated delivery system) may not be
disclosed unless one of the following
three conditions apply:
(i) The analysis only individually
identifies the provider or supplier that
is being supplied the analysis.
(ii) Every provider or supplier
individually identified in the analysis
has been afforded the opportunity to
appeal or correct errors using the
process at § 401.717(f).
(iii) Every provider or supplier
individually identified in the analysis
has notified the qualified entity, in
writing, that analyses can be disclosed
to the authorized user without first
going through the appeal and error
correction process at § 401.717(f).
(c) Non-public analyses agreement
between a qualified entity and an
authorized user for beneficiary de-identified
non-public analyses
disclosures. In addition to the other
requirements of this subpart, a qualified
entity must enter a contractually
binding non-public analyses agreement
with the authorized user (including any
contractors or business associates
described in the definition of authorized
user) as a pre-condition to providing or
selling de-identified analyses. Such
non-public analyses agreement must
contain the following provisions:
(1) The authorized user may not use
the analyses or derivative data for the
following purposes:
(i) Marketing, as defined at
§ 401.703(s).
(ii) Harming or seeking to harm
patients or other individuals both
within and outside the healthcare
system regardless of whether their data
are included in the analyses.
(iii) Effectuating or seeking
opportunities to effectuate fraud and/or
abuse in the healthcare system.
(2) If the authorized user is an
employer as defined in § 401.703(k), the
authorized user may only use the
analyses or derivative data for purposes
of providing health insurance to
employees, retirees, or dependents of
employees or retirees of that employer.
(3)(i) At the qualified entity’s
discretion, it may permit an authorized
user that is a provider as defined in
§ 401.703(b) or a supplier as defined in
§ 401.703(c), to re-disclose the de-identified
analyses or derivative data, as
a covered entity will be permitted under
45 CFR 164.506(c)(4)(i), or under 45
CFR 164.502(e)(1).
(ii) All other uses and disclosures of
such data and/or such non-public
analyses is forbidden except to the
extent a disclosure qualifies as a
‘‘required by law’’ disclosure.
(4) If the authorized user is not a
provider or supplier, the authorized
user may not re-disclose or make public
any non-public analyses or derivative
data except as required by law.
(5) The authorized user may not link
the de-identified analyses to any other
identifiable source of information and
may not in any other way attempt to
identify any individual whose de-identified
data is included in the
analyses.
(6) The authorized user must notify
the qualified entity of any DUA
violations, and it must fully cooperate
with the qualified entity’s efforts to
mitigate any harm that may result from
such violations.
■ 5. Section 401.717 is amended by
adding paragraph (f) to read as follows:
§ 401.717 Provider and supplier requests
for error correction.
* * * * *
(f) A qualified entity must comply
with the following requirements before
disclosing non-public analyses, as
defined at § 401.716, which contain
information that individually identifies
a provider or supplier:
(1) A qualified entity must
confidentially notify a provider or
supplier that non-public analyses that
individually identify the provider or
supplier are going to be released to an
authorized user at least 65 calendar days
before disclosing the analyses. This
confidential notification must include a
short summary of the analyses
(including the measures calculated), the
process for the provider or supplier to
request the analyses, the authorized
users receiving the analyses, and the
date on which the qualified entity will
release the analyses to the authorized
user.
(2) A qualified entity must allow
providers and suppliers the opportunity
to opt-in to the review and correction
process as defined in paragraphs (a)
through (e) of this section, anytime
during the 65 calendar days. If a
provider or supplier chooses to opt-in to
the review and correction process more
than 5 days into the notification period,
the time for the review and correction
process is shortened from 60 days to the
number of days between the provider or
supplier opt-in date and the release date
specified in the confidential
notification.
■ 6. Section 401.718 is added to read as
follows:
§ 401.718 Dissemination of data.
(a) General. Subject to the other
requirements in this subpart, the
requirements in paragraphs (b) and (c)
of this section and any other applicable
laws or contractual agreements, a
qualified entity may provide or sell
combined data or provide Medicare data
at no cost to authorized users defined at
§ 401.703(b), (c), (m), and (n).
(b) Data—(1) De-identification. Except
as specified in paragraph (b)(2) of this
section, any data provided or sold by a
qualified entity to an authorized user
must be limited to beneficiary de-identified
data. De-identification must
be determined based on the de-identification
standards for HIPAA
covered entities found at 45 CFR
164.514(b).
(2) Exception. If such disclosure will
be consistent with all applicable laws,
data that individually identifies a
beneficiary may only be disclosed to a
provider or supplier (as defined at
§ 401.703(b) and (c)) with whom the
identifiable individuals in such data
have a current patient relationship as
defined at § 401.703(r).
(c) Data use agreement between a
qualified entity and an authorized user.
A qualified entity must contractually
require an authorized user to comply
with the requirements in § 401.713(d)
prior to providing or selling data to an
authorized user under § 401.718.
■ 7. Section 401.719 is amended by
adding paragraphs (b)(3) and (4) and
(d)(5) to read as follows:
§ 401.719 Monitoring and sanctioning of
qualified entities.
* * * * *
(b) * * *
(3) Non-public analyses provided or
sold to authorized users under this
subpart, including the following
information:
(i) A summary of the analyses
provided or sold, including—
(A) The number of analyses.
(B) The number of purchasers of such
analyses.
(C) The types of authorized users that
purchased analyses.
(D) The total amount of fees received
for such analyses.
(E) QE DUA or non-public analyses
agreement violations.
(ii) A description of the topics and
purposes of such analyses.
(iii) The number of analyses disclosed
with unresolved requests for error
correction.
(4) Data provided or sold to
authorized users under this subpart,
including the following information:
(i) The entities who received data.
(ii) The basis under which each entity
received such data.
(iii) The total amount of fees received
for providing, selling, or sharing the
data.
(iv) QE DUA violations.
* * * * *
(d) * * *
(5) In the case of a violation, as
defined at § 401.703(t), of the CMS DUA
or the QE DUA, CMS will impose an
assessment on a qualified entity in
accordance with the following:
(i) Amount of assessment. CMS will
calculate the amount of the assessment
of up to $100 per individual entitled to,
or enrolled for, benefits under part A of
title XVIII of the Social Security Act or
enrolled for benefits under Part B of
such title whose data was implicated in
the violation based on the following:
(A) Basic factors. In determining the
amount per impacted individual, CMS
takes into account the following:
(1) The nature and the extent of the
violation.
(2) The nature and the extent of the
harm or potential harm resulting from
the violation.
(3) The degree of culpability and the
history of prior violations.
(B) Criteria to be considered. In
establishing the basic factors, CMS
considers the following circumstances:
(1) Aggravating circumstances.
Aggravating circumstances include the
following:
(i) There were several types of
violations occurring over a lengthy
period of time.
(ii) There were many of these
violations or the nature and
circumstances indicate a pattern of
violations.
(iii) The nature of the violation had
the potential or actually resulted in
harm to beneficiaries.
(2) Mitigating circumstances.
Mitigating circumstances include the
following:
(i) All of the violations subject to the
imposition of an assessment were few in
number, of the same type, and occurring
within a short period of time.
(ii) The violation was the result of an
unintentional and unrecognized error
and the qualified entity took corrective
steps immediately after discovering the
error.
(C) Effects of aggravating or mitigating
circumstances. In determining the
amount of the assessment to be imposed
under paragraph (d)(5)(i)(A) of this
section:
(1) If there are substantial or several
mitigating circumstance, the aggregate
amount of the assessment is set at an
amount sufficiently below the
maximum permitted by paragraph
(d)(5)(i)(A) of this section to reflect the
mitigating circumstances.
(2) If there are substantial or several
aggravating circumstances, the aggregate
amount of the assessment is set at an
amount at or sufficiently close to the
maximum permitted by paragraph
(d)(5)(i)(A) of this section to reflect the
aggravating circumstances.
(D) The standards set for the qualified
entity in this paragraph are binding,
except to the extent that—
(1) The amount imposed is not less
than the approximate amount required
to fully compensate the United States,
or any State, for its damages and costs,
tangible and intangible, including but
not limited to the costs attributable to
the investigation, prosecution, and
administrative review of the case.
(2) Nothing in this section limits the
authority of CMS to settle any issue or
case as provided by part 1005 of this
title or to compromise any assessment
as provided by paragraph (d)(5)(ii)(E) of
this section.
(ii) Notice of determination. CMS
must propose an assessment in
accordance with this paragraph (d)(5),
by notifying the qualified entity by
certified mail, return receipt requested.
Such notice must include the following
information:
(A) The assessment amount.
(B) The statutory and regulatory bases
for the assessment.
(C) A description of the violations
upon which the assessment was
proposed.
(D) Any mitigating or aggravating
circumstances that CMS considered
when it calculated the amount of the
proposed assessment.
(E) Information concerning response
to the notice, including:
(1) A specific statement of the
respondent’s right to a hearing in
accordance with procedures established
at Section 1128A of the Act and
implemented in 42 CFR part 1005.
(2) A statement that failure to respond
within 60 days renders the proposed
determination final and permits the
imposition of the proposed assessment.
(3) A statement that the debt may be
collected through an administrative
offset.
(4) In the case of a respondent that has
an agreement under section 1866 of the
Act, notice that imposition of an
exclusion may result in termination of
the provider’s agreement in accordance
with section 1866(b)(2)(C) of the Act.
(F) The means by which the qualified
entity may pay the amount if they do
not intend to request a hearing.
(iii) Failure to request a hearing. If the
qualified entity does not request a
hearing within 60 days of receipt of the
notice of proposed determination, any
assessment becomes final and CMS may
impose the proposed assessment.
(A) CMS notifies the qualified entity,
by certified mail with return receipt
requested, of any assessment that has
been imposed and of the means by
which the qualified entity may satisfy
the judgment.
(B) The qualified entity has no right
to appeal an assessment for which the
qualified entity has not requested a
hearing.
(iv) When an assessment is collectible.
An assessment becomes collectible after
the earliest of the following:
(A) Sixty (60) days after the qualified
entity receives CMS’s notice of
proposed determination under
paragraph (d)(5)(ii) of this section, if the
qualified entity has not requested a
hearing.
(B) Immediately after the qualified
entity abandons or waives its appeal
right at any administrative level.
(C) Thirty (30) days after the qualified
entity receives the ALJ’s decision
imposing an assessment under
§ 1005.20(d) of this title, if the qualified
entity has not requested a review before
the DAB.
(D) Sixty (60) days after the qualified
entity receives the DAB’s decision
imposing an assessment if the qualified
entity has not requested a stay of the
decision under § 1005.22(b) of this title.
(v) Collection of an assessment. Once
a determination by HHS has become
final, CMS is responsible for the
collection of any assessment.
(A) The General Counsel may
compromise an assessment imposed
under this part, after consulting with
CMS or OIG, and the Federal
government may recover the assessment
in a civil action brought in the United
States district court for the district
where the claim was presented or where
the qualified entity resides.
(B) The United States or a state agency
may deduct the amount of an
assessment when finally determined, or
the amount agreed upon in compromise,
from any sum then or later owing the
qualified entity.
(C) Matters that were raised or that
could have been raised in a hearing
before an ALJ or in an appeal under
section 1128A(e) of the Act may not be
raised as a defense in a civil action by
the United States to collect an
assessment.
■ 8. Section 401.721 is amended by
adding paragraph (a)(7) to read as
follows:
§ 401.721 Terminating an agreement with a
qualified entity.
(a) * * *
(7) Fails to ensure authorized users
comply with their QE DUAs or analysis
use agreements.
* * * * *
■ 9. Section 401.722 is added to read as
follows:
§ 401.722 Qualified clinical data registries.
(a) A qualified clinical data registry
that agrees to meet all the requirements
in this subpart, with the exception of
§ 401.707(d), may request access to
Medicare data as a quasi qualified entity
in accordance with such qualified entity
program requirements.
(b) Notwithstanding § 401.703(q)
(generally defining combined data), for
purposes of qualified clinical data
registries acting as quasi qualified
entities under the qualified entity
program requirements, combined data
means, at a minimum, a set of CMS
claims data provided under this subpart
combined with clinical data or a subset
of clinical data.
Dated: June 22, 2016.
Andrew M. Slavitt,
Acting Administrator, Centers for Medicare
& Medicaid Services.
Dated: June 28, 2016.
Sylvia M. Burwell,
Secretary, Department of Health and Human
Services.
[FR Doc. 2016–15708 Filed 7–1–16; 11:15 am]
BILLING CODE 4120–01–P
[Federal Register Volume 81, Number 130 (Thursday, July 7, 2016)]
[Rules and Regulations]
[Pages 44455-44482]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-15708]
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
42 CFR Part 401
[CMS-5061-F]
RIN 0938-AS66
Medicare Program: Expanding Uses of Medicare Data by Qualified
Entities
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule implements requirements under Section 105 of
the Medicare Access and CHIP Reauthorization Act of 2015 that expand
how qualified entities may use and disclose data under the qualified
entity program to the extent consistent with applicable program
requirements and other applicable laws, including information, privacy,
security and disclosure laws. This rule also explains how qualified
entities may create non-public analyses and provide or sell such
analyses to authorized users, as well as how qualified entities may
provide or sell combined data, or provide Medicare claims data alone at
no cost, to certain authorized users. In addition, this rule implements
certain privacy and security requirements, and imposes assessments on
qualified entities if the qualified entity or the authorized user
violates the terms of a data use agreement required by the qualified
entity program.
DATES: These regulations are effective on September 6, 2016.
FOR FURTHER INFORMATION CONTACT: Allison Oelschlaeger, (202) 690-8257.
Kari Gaare, (410) 786-8612.
SUPPLEMENTARY INFORMATION:
I. Background
On April 16, 2015, the Medicare Access and CHIP Reauthorization Act
of 2015 (MACRA) (Pub. L. 114-10) was enacted. The law included a
provision, Section 105, Expanding the Availability of Medicare Data,
which takes effect on July 1, 2016. This section expands how qualified
entities will be allowed to use and disclose data under the qualified
entity program, including data subject to section 1874(e) of the Social
Security Act (the Act), to the extent consistent with other applicable
laws, including information, privacy, security and disclosure laws.
The Qualified Entity program was established by Section 10332 of
the Patient Protection and Affordable Care Act (Affordable Care Act)
(Pub. L. 111-148). The implementing regulations, which became effective
January 6, 2012, are found in subpart G of 42 CFR part 401 (76 FR
76542). Under those provisions, CMS provides standardized extracts of
Medicare Part A and B claims data and Part D drug event data
(hereinafter collectively referred to as Medicare claims data) covering
one or more geographic regions to qualified entities at a fee equal to
the cost of producing the data. Under the original statutory
provisions, such Medicare claims data must be combined with other
non-Medicare claims data and may only be used to evaluate the performance
of providers and suppliers. The measures, methodologies and results
that comprise such evaluations are subject to review and correction by
the subject providers and suppliers, after which the results are to be
disseminated in public reports.
Those wishing to become qualified entities are required to apply to
the program. Currently, fourteen organizations have applied and
received approval to be a qualified entity. Of these organizations, two
have completed public reporting while the other twelve are in various
stages of preparing for public reporting. While we have been pleased
with the participation in the program so far, we expect that the
changes required by MACRA will increase interest in the program.
Under section 105 of MACRA, effective July 1, 2016, qualified
entities will be allowed to use the combined data and information
derived from the evaluations described in 1874(e)(4)(D) of the Act to
conduct non-public analyses and provide or sell these analyses to
authorized users for non-public use in accordance with the program
requirements and other applicable laws. In highlighting the need to
comply with other applicable laws, we particularly note that any
qualified entity that is a covered entity or business associate as
defined in the Health Insurance Portability and Accountability Act of
1996 ("HIPAA") regulations at 45 CFR 160.103 will need to ensure
compliance with any applicable HIPAA requirements, including the
restriction on the sale of protected health information (PHI) without
authorization at 45 CFR 164.502(a)(5)(ii).
In addition, qualified entities will be permitted to provide or
sell the combined data, or provide the Medicare claims data alone at no
cost, again, in accordance with the program requirements and other
applicable laws, to providers, suppliers, hospital associations, and
medical societies. Qualified entities that elect to provide or sell
analyses and/or data under these new provisions will be subject to an
assessment if they or the authorized users to whom they disclose
patient-identifiable data in the form of analyses or raw data act in a
manner that violates the terms of a program-required Qualified Entity
Data Use Agreement (QE DUA). Furthermore, qualified entities that make
analyses or data available under these new provisions will be subject
to new annual reporting requirements to aid CMS in monitoring
compliance with the program requirements. These new annual reporting
requirements will only apply to qualified entities that choose to
provide or sell non-public analyses and/or provide or sell combined
data, or provide Medicare claims data alone at no cost.
We believe these changes to the qualified entity program will be
important in driving higher quality, lower cost care in Medicare and
the health system in general. We also believe that these changes will
increase interest in the qualified entity program, leading to more
transparency regarding provider and supplier performance and innovative
uses of data that will result in improvements to the healthcare
delivery system while still ensuring appropriate privacy and security
protections for beneficiary-identifiable data.
II. Provisions of the Proposed Regulations and Responses to Public
Comments
In the February 2, 2016 Federal Register (81 FR 5397), we published
the proposed rule entitled, "Expanding Uses of Medicare Data by
Qualified Entities." We provided a 60-day public comment period.
In the proposed rule, to implement the new statutory provisions of
section 105 of MACRA, we proposed to amend and make conforming changes
to part 401, subpart G, "Availability of Medicare Data for Performance
Measurement." We received approximately 50 comments on the proposed
rule from a wide variety of individuals and organizations. Many of the
comments were from providers or suppliers, or organizations
representing providers and suppliers. We also received a number of
comments from organizations engaged in performance measurement or data
aggregation, some of whom are already qualified entities and others who
may apply to be qualified entities in the future. Other comments came
from registries, state Medicaid agencies, issuers, and individuals.
Many of the comments were positive and praised CMS for the proposed
changes to the qualified entity program. Commenters also had a range of
suggestions for changes to program requirements around the provision or
sale of non-public analyses and data. We received a number of comments
on expanding the data available to qualified entities to include claims
data under Medicaid and the Children's Health Insurance Program (CHIP).
In addition, we received a number of comments on the disclosure of data
to qualified clinical data registries for quality improvement and
patient safety activities.
A more detailed summary of the public comments and our responses
can be found below in the appropriate sections of this final rule.
A. Non-Public Analyses
In accordance with Section 105(a)(1) of MACRA, we proposed to allow
for the qualified entity's use of the combined data or information
derived from the evaluations described in section 1874(e)(4)(D) of the
Act to create non-public analyses and provide for the provision or sale
of these analyses to authorized users in accordance with the program
requirements discussed later in this section, as well as other
applicable laws.
Comment: Commenters generally supported the proposal to allow
qualified entities to create non-public analyses and either provide or
sell these analyses. One commenter suggested that CMS expressly state
at Sec. 401.716(a) that qualified entities may provide or sell the
non-public analyses. Another commenter recommended that CMS clarify
that the non-public analyses are not subject to discovery or admittance
into evidence in any judicial or administrative proceeding.
Response: We thank commenters for their support of the provision or
sale of non-public analyses. Since the intent of this section is to
allow qualified entities to both provide and sell non-public analyses
in accordance with program requirements and other applicable laws, we
have made changes to the regulation text to expressly state as much.
The statute, at 1874(e)(4)(D) of the Act, explicitly states, "data
released to a qualified entity under this subsection shall not be
subject to discovery or admission as evidence in judicial or
administrative proceedings without consent of the applicable provider
or supplier." We believe this statutory shield only applies to data
released to the qualified entity under 1874(e) and when that data is in
the possession of the qualified entity. Once the Medicare data is used
to create non-public analyses and those non-public analyses are shared
with authorized users, we do not believe the statutory shield applies.
1. Additional Analyses
In the proposed rule, we defined combined data as a set of CMS
claims data provided under subpart G combined with a subset of claims
data from at least one of the other claims data sources described in
Sec. 401.707(d). We did not propose to establish a minimum amount of
data that must be included in the combined data set from other sources.
Comment: We received numerous comments on the definition of
combined data. Many commenters recommended that CMS alter the
definition of combined data to allow qualified entities to combine the
Medicare data with clinical data for the creation of non-public
analyses. These commenters stated that clinical data can help
facilitate more appropriate analyses of provider resource use than just
claims data alone. One commenter suggested that the definition of
combined data also include consumer, socio-demographic, and other types
of patient and provider-level data. Other commenters suggested that CMS
clarify that combined data must, at a minimum, be comprised of CMS
claims data merged with claims data from other sources, but other data
may also be included in this combined data. One commenter agreed with
the proposed definition of combined data.
Response: Section 105(a)(1)(A) of MACRA requires that the
non-public analyses be based on the combined data described in
1874(e)(4)(B)(iii) as "data made available under this subsection with
claims data from sources other than claims data under this title".
Given these statutory limitations, we do not believe we can modify the
definition of combined data.
However, we do recognize the value of combining claims data with
clinical data for the development of non-public analyses and believe
the use of clinical data in non-public analyses can significantly
improve the value of these analyses to support quality and patient
improvement activities. Clinical data, such as laboratory test results
or radiology and pathology reports, can add useful information about a
patient's chronic condition burden, health status, and other factors
that are not available in claims data. We can also see some value in
combining consumer, socio-demographic, and other types of patient and
provider level data with the Medicare data. As a result, we want to
clarify that combined data requires, at a minimum, that the CMS claims
data be combined with other sources of claims data, but that this does
not prevent the qualified entity from merging other data (for example,
clinical, consumer, or socio-demographic data) with the combined data
for the development of non-public analyses.
Comment: Several commenters suggested that CMS require qualified
entities to make public a list of the claims data they receive from CMS
and the data they intend to combine with the CMS claims data for
non-public analyses. One commenter suggested that this public release of
information also include the percent of the cohort for analysis that
each source is contributing.
Response: We are very committed to greater data transparency and
all qualified entities are required to publicly report on provider
performance as part of their participation in the program. However, we
do not see significant value in requiring qualified entities to
publicly report on the other sources of data used in non-public
analyses since the analyses themselves will not be released publicly.
Comment: Several commenters stated that they supported the proposal
not to establish a threshold for the minimum amount of data that must
be included in the combined data set from other sources.
Response: We thank commenters for their support.
Comment: A few commenters recommended that the requirement to use
combined data not preclude Medicare-only analyses. These commenters
stated that Medicare-only analyses such as segmenting provider and
supplier performance evaluations by payer type or conducting
longitudinal analysis of differences in cost and quality for certain
conditions by payer type would have significant value for many
authorized users.
Response: We recognize the value of Medicare-only analyses,
especially to help providers and suppliers understand how quality and
costs differ across their patient population. In addition, as the CMS
Innovation Center continues to develop and test new models of care,
qualified entities may play a role in conducting analyses to help
providers and suppliers better manage patient outcomes and costs under
a different payment model. As a result, we want to clarify that the
requirement to use combined data does not prevent qualified entities
from providing or selling analyses that allow the authorized user to
drill down by payer type to Medicare-only results. For example, a
qualified entity may provide or sell a provider a report that includes
the provider's overall score on certain
quality and resource use measures (using combined data) and then
presents scores for each of these measures by payer type (including a
Medicare fee-for-service category).
2. Limitations on the Qualified Entities With Respect to the Sale and
Provision of Non-Public Analyses
In accordance with section 105(a)(1) of MACRA, we proposed a number
of limitations on qualified entities with respect to the sale and
provision of non-public analyses.
First, we proposed to limit qualified entities to only providing or
selling non-public analyses to issuers after the issuer provides the
qualified entity with claims data that represents a majority of the
issuer's covered lives in the geographic region and during the time
frame of the non-public analyses requested by the issuer.
Comment: Many commenters supported the requirement of issuers to
submit data to the qualified entity in order to receive analyses, but
commenters had differing recommendations on the threshold of a majority
of the issuers' covered lives. A number of commenters stated that CMS
should not impose a threshold on the amount of data issuers must submit
to a qualified entity to receive analyses. These commenters stated that
the responsibility to ensure appropriate sample size for analyses
should rest with the qualified entity. However, another commenter
recommended that CMS require an issuer to provide the qualified entity
with data on all of its covered lives for the geographic region and
during the time frame of the non-public analyses requested. This
commenter stated that requiring 100 percent of an issuer's covered
lives would allow for more complete analyses. One commenter supported
the threshold of the majority of an issuer's covered lives, but stated
that CMS should allow a health insurance issuer to request a non-public
analysis for a geographic region outside the issuer's area of coverage,
provided the issuer supplies claims data for a majority of the covered
lives for the time period requested in all regions where it provides
coverage. This commenter noted that analyses for other geographic
regions may be beneficial to smaller, regional health insurance issuers
interested in cost and utilization in a comparable region or looking to
expand their areas of coverage. Another commenter supported the
threshold, but recommended that CMS create an exceptions process for
cases where legitimate and important analyses, such as identifying
providers treating orphan diseases or analysis fundamental for a health
plan issuer to enter a new market, could not meet the proposed
threshold. Finally, one commenter stated that CMS should allow
qualified entities discretion to provide or sell analyses to health
insurance issuers who have made a good faith commitment to providing
the qualified entity with claims data that represents a majority of the
health insurance issuer's covered lives by a certain future date.
Response: As we stated in the proposed rule, we considered not
applying a threshold on the amount of data being provided by the
issuer, but decided that specifying a threshold would encourage issuers
to submit data to the qualified entity to be included in the public
performance reports, increasing the reports' reliability. We believe
this rationale still applies, and we still believe that there are a
number of situations where requiring the issuer to provide 100 percent
of their data for a given time period and geographic region is not
feasible for the issuer. Based on comments, we revisited whether, on
balance, requiring issuers to submit data that represents a majority of
their covered lives in the geographic region and during the time frame
of the non-public analyses requested by the issuer is generally the
most appropriate threshold. In doing so, we recognized that in some
cases an issuer may wish to have analyses for a geographic region where
it does not provide coverage. However, we believe that in those
instances the issuer should not be able to receive analyses due to the
requirement at section 105(a)(1)(B)(ii) of MACRA, that a qualified
entity may only provide or sell analyses to issuers that have provided
the qualified entity with data. Therefore, we are modifying our
proposed requirement around the issuer's claims data submission
threshold to clarify that qualified entities may not provide or sell
analyses to issuers when the analyses include geographic areas where
the issuer does not offer coverage.
We would like to clarify, however, that the requirement that an
issuer provide the qualified entity with claims data for at least 50
percent of its covered lives for the time period and geographic region
covered by the analyses does not mean that all analyses provided or
sold to the issuer would need to be based on analyses that considered
at least 50 percent of the issuer's covered lives. So long as Medicare
data is combined with other claims data to create the analyses, certain
analyses, such as those on rare diseases, could be based only on a
subset of the Medicare claims data and other claims data collected by
the qualified entity. For example, an issuer could provide data for at
least 50 percent of their covered lives for the time period and
geographic region of the non-public analyses to a qualified entity. The
qualified entity could then use a subset of that data, such as patients
with a specific rare disease, combine it with Medicare data for
patients with that rare disease, and provide or sell analyses about
patients with the rare disease to the issuer. We would like to note,
however, that qualified entities will need to be careful when producing
analyses for issuers based on small populations and limited claims data
to ensure that the resulting analyses truly are patient de-identified.
We understand the desire to create an exceptions process to allow
issuers who do not contribute a majority of their covered lives in the
geographic region and during the timeframe of the non-public analyses
requested by the issuer to receive analyses. However, we believe that
imposing a standard threshold for issuer covered lives across all
qualified entities and issuers is the simplest and least
administratively burdensome method to ensure equal treatment of
qualified entities and issuers under this program.
We also understand the interest in allowing qualified entities to
provide or sell analyses to health insurance issuers who have made a
good faith commitment to provide the qualified entity with claims data
for the majority of their covered lives in the geographic region and
during the time frame of the non-public analyses requested by the
issuer. However, we believe that this type of policy could reduce the
incentives for issuers to share their data with the qualified entity.
Comment: Several commenters recommended that CMS provide additional
clarity around the requirements for issuers' claims data submissions to
the qualified entity. One commenter stated that qualified entities
should be allowed to meet the covered lives threshold regardless of
whether they have obtained the claims information directly from the
issuer or indirectly from a third party. Several commenters recommended
that CMS provide additional details on the term covered lives to
clarify how this would be assessed in certain circumstances, such as
when an issuer is a secondary payer or a member is not enrolled for a
full year.
Response: Qualified entities may only provide or sell analyses to
an issuer if it receives claims data from the issuer. Such data can be
provided directly by the issuer, or it can be submitted on the
issuer's behalf by an issuer's business associate. Regardless, the
qualified entity is responsible for ensuring that the issuer or the
issuer's business associate is truly providing the qualified entity
with claims data for a majority of the issuer's covered lives in the
geographic region and during the timeframe of the non-public analyses
requested by the issuer.
We recognize the desire to allow use of data from other sources to
meet the issuer's claims submission threshold. However, due to the
statutory limits on to whom the qualified entity may release patient
identifiable data, we do not believe it would be possible for an issuer
to ever verify whether the data the qualified entity holds is
representative of the majority of the issuer's covered lives in the
applicable geographic region during the applicable time frame unless
the issuer or its business associate was the source of such data.
Regarding the definition of covered lives, we recognize that there
is no commonly accepted definition of covered lives. We plan to rely on
the methods of calculating covered lives established in regulations
promulgated by the Internal Revenue Service (IRS) in December of 2012.
These regulations at 26 CFR 46.4375-1(c)(2) offer issuers four methods
for calculating the average number of lives covered under a specified
health insurance policy--(1) the actual count method, (2) the snapshot
method, (3) the member months method, and (4) the state form method--
and provide both the calculation method and an example for each of the
four methods for counting covered lives. These calculations all only
apply to health insurance policies and we would like to clarify that
the calculation of covered lives for purposes of the qualified entity
program does not include dental, disability, or life insurance
policies. We have modified the regulatory text at Sec. 401.716(b)(1)
to refer directly to the IRS regulations.
Second, we proposed that except when patient-identifiable
non-public analyses are shared with the patient's provider or supplier, all
non-public analyses must be patient de-identified using the
de-identification standards in the HIPAA Privacy Rule at 45 CFR
164.514(b). Additional information on the HIPAA de-identification
standards can be found on the HHS Office for Civil Rights Web site at
https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/. We also proposed a definition for patient.
Comment: Many commenters stated that they agreed with CMS' proposal
that analyses must be de-identified unless the recipient is the
patient's provider or supplier. One commenter suggested that CMS allow
other authorized users to receive patient-identifiable analyses,
stating that patient-identifiable data will be equally valuable to the
additional proposed authorized users, and that patients can also
directly benefit from the sharing of patient-identifiable data beyond
suppliers and providers.
Response: We thank commenters for their support. While we can see
some advantages to sharing patient-identifiable analyses with other
types of authorized users, the statutory language at Section
105(a)(3)(B) of MACRA states that analyses may not contain any
information that individually identifies a patient unless the analyses
are provided or sold to the patient's provider or supplier. Given the
statutory requirements, we are finalizing our proposal that
patient-identifiable analyses should only be shared with the patient's provider
or supplier.
Comment: Many commenters stated that they agreed with the proposal
to use the de-identification standards in the HIPAA Privacy Rule.
However, one commenter suggested that CMS modify the HIPAA
de-identification standards to allow inclusion of full patient five-digit
zip code without population thresholds and inclusion of the month
element for all dates directly related to a patient, including date of
death but excepting date of birth. This commenter stated that this
additional information would empower providers and suppliers to fully
evaluate their care and quality improvement efforts on a timely and
ongoing basis with insight into geographic and temporal factors and
patterns.
Response: The framework for de-identification that is described in
the HIPAA Privacy Rule represents an industry standard for
de-identification of health information. Additional information on the
HIPAA de-identification standards can be found on the HHS Office for
Civil Rights Web site at https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/. We believe that
modifying this framework for the purposes of the qualified entity
program would be likely to create confusion among qualified entities
and authorized users, many of whom are or will be HIPAA covered
entities or their business associates.
Comment: One commenter noted a technical issue at Sec.
401.716(b)(3) where the text inappropriately referenced Sec.
401.716(c)(2). One commenter suggested CMS clarify whether the data
used in the analysis needs to be de-identified at the time of the
analysis or whether the analysis itself has to be de-identified at the
time it is shared with an authorized user.
Response: We thank the commenter for noting this technical issue
and have fixed the reference to Sec. 401.716(b)(2). We would also like
to clarify that the data used by the qualified entity to conduct the
analyses does not need to be de-identified, but the analyses must be
patient de-identified before they are shared with or sold to an
authorized user unless the recipient is the patient's provider or
supplier.
Comment: We received a number of comments on the definition of a
patient. Many commenters stated that the time period of 12 months for a
face-to-face or telehealth appointment was not sufficient. One
commenter recommended extending the period to 18 months, while several
other commenters suggested a timeframe of 24 months. These commenters
noted that stabilized patients do not necessarily visit their physician
every year. Another commenter suggested that a patient be defined as an
individual who has visited the provider or supplier at least once
during the timeframe for which the analysis is being conducted.
Response: We acknowledge that healthy patients may not visit a
provider or supplier every year. As a result, we are changing the
definition of a patient to have a timeframe of the past 24 months for a
face-to-face or telehealth appointment.
Comment: One commenter recommended that the definition of a patient
be expanded beyond an affiliation with a provider or supplier to an
affiliation with an issuer, employer, or state agency or any other
authorized user.
Response: As noted above, we believe Section 105(a)(3)(B) of MACRA
only permits patient-identifiable information to be shared by a
qualified entity with the patient's provider or supplier.
Third, we proposed to bar qualified entities' disclosure of non-
public analyses that individually identify a provider or supplier
unless: (a) The analysis only individually identifies the singular
recipient of the analysis or (b) each provider or supplier who is
individually identified in a non-public analysis that identifies
multiple providers/suppliers has been afforded an opportunity to review
the aspects of the analysis about them, and, if applicable, request
error correction. We describe the proposed appeal and error correction
process in more detail in section II.A.4 below.
Comment: Several commenters recommended that providers and
[[Page 44460]]
suppliers should not have the opportunity to review and request error
correction for analyses that individually identify the provider or
supplier. These commenters noted in particular that analyses
identifying fraud or abuse should not be reviewed by the provider in
advance of being shared with the authorized user. One commenter
suggested that a review and error corrections process for non-public
reports only be triggered when a provider or supplier is individually
identified and his or her performance is evaluated in the manner
described in section 1874(e)(4)(C). Another commenter recommended that
when a group of providers are identified as part of a practice group
(that is, part of the same Tax Identification Number), and prior
consent by the providers has been obtained, the practice group should
be considered the entity that can receive analyses for the individual
providers in the practice.
Response: We believe that Section 105(a)(6) of MACRA requires that
qualified entities allow providers and suppliers an opportunity to
review analyses that individually identify the provider or supplier
and, when needed, request error correction in the
analyses. In addition, regardless of the statutory requirements, we
believe that providers and suppliers should not be evaluated by a
qualified entity without having a chance to review and, when needed,
request error correction in the analyses. For example, it would not be
fair for an issuer to move a provider to a different network tier based
on analyses that did not correctly attribute patients to that provider.
We recognize that the review and corrections process may lead to some
limitations in the development of certain types of analyses, such as
those identifying fraud and abuse. However, we believe that creating
different standards for different types of analyses would be too
administratively complex to implement, and could create tensions
between providers and suppliers and qualified entities over whether an
analysis warranted review by the provider or supplier before it was
shared with an authorized user.
However, we recognize that in many cases providers or suppliers may
wish to allow certain authorized users to receive analyses without the
need for a review process. For example, clinicians that are part of a
group practice may want to allow their practice manager, who may be
functioning as the clinician's business associate, to receive analyses
without first going through a provider/supplier review or being subject
to a request for correction. We believe that the decision about who
should be able to receive analyses that individually identify a
provider or supplier without such review and opportunity to correct
should rest with the individual provider or supplier. As a result, we
are adding a third exception to the bar on disclosure of non-public
analyses that individually identify a provider or supplier to allow
providers or suppliers to designate, in writing, the authorized user(s)
that may receive analyses from the qualified entity without first
giving the provider or supplier individually identified in the
analysis/es the opportunity to review the analyses, and, if applicable,
request error correction.
Comment: One commenter recommended that CMS add clarity to what it
means to ``individually identify'' a provider or supplier and stated
that the definition should indicate that to individually identify means
to use direct identifiers such as name or provider number for a
provider or supplier that is an individual person. This commenter
suggested that naming a physician group or clinic that is not itself a
provider or supplier (but that may be comprised of individual providers
or suppliers) would not count as individually identifying a provider or
supplier. Another commenter suggested that the review and corrections
process only apply to the entity that the analyses focus on. For
example, if the qualified entity is conducting analyses of episodes of
care for patients with joint replacement at a given hospital, the
analyses may include findings on many different providers and
suppliers, such as surgeons, skilled nursing facilities, home health
agencies, and others. In this case, the commenter recommended that only
the hospital be given the opportunity to review and request correction
of errors.
Response: Regardless of whether they are an individual clinician,
group practice, or facility and regardless of whether they are the
direct subject of the report, we believe section 105(a)(6) of MACRA
requires that qualified entities allow providers and suppliers the
opportunity to review and request correction of errors in analyses that
identify the provider or supplier. Group practice and facility-level
providers and suppliers, as well as those indirectly evaluated in
analyses, face as much reputational harm from the dissemination of
incorrect information about care delivery and costs as individual
clinicians or those directly evaluated in the analyses. We have added
language to clarify this requirement at Sec. 401.716(b)(4).
Comment: One commenter suggested that CMS implement a process to
proactively educate providers and suppliers regarding the review,
corrections, and appeals process for non-public analyses.
Response: We believe that many qualified entities that decide to
disclose analyses that individually identify a provider or supplier
will choose to do an education campaign with providers and suppliers in
their region to ensure that any necessary review and error correction
processes go smoothly. This will allow the qualified entity to build a
direct relationship with the provider or supplier. In addition, since
providers and suppliers are one of the types of authorized users that
qualified entities can provide or sell non-public analyses and data to,
we believe that qualified entities will proactively attempt to build
strong relationships with the provider and supplier community in their
region. As a result, while we see a small role for CMS to play in
educating providers and suppliers about the review and error correction
process through our usual provider outreach channels, we believe
qualified entities will play the main role in provider and supplier
education about the review, corrections, and appeals process.
Comment: Several commenters suggested additional limitations that
CMS should impose on qualified entities with respect to the disclosure
of non-public analyses. One commenter recommended that CMS require
qualified entities to provide authorized users with a detailed
methodology of statistical analyses to ensure their validity. This
commenter also stated that CMS should require qualified entities to
follow an appropriate methodology in attributing costs to providers.
Another commenter suggested that evaluations of physician performance
should be required to have data from at least two sources.
Response: With regard to the suggestions around statistical
validity and cost attribution, we believe that these are issues that
the qualified entity should discuss directly with the authorized user
who is receiving or purchasing the analyses. We expect that most, if
not all, authorized users will expect the qualified entity to include
some description of the methodology for the analyses along with the
report, but that the level of detail and content needed by each
authorized user may vary. In addition, authorized users may have
different ideas about the most appropriate method for cost attribution
and we believe that they should be able to work with the qualified
entity to make a determination for how to
[[Page 44461]]
attribute costs to providers and suppliers. On the issue of requiring
at least two sources of data, we believe that section 105(a)(1)(A) of
MACRA requires that the non-public analyses be based on the combined
data described in 1874(e)(4)(B)(iii) as ``data made available under
this subsection with claims data from sources other than claims data
under this title''.
3. Limitations on the Authorized User
We proposed to require the qualified entity's use of legally
binding agreements with any authorized users to whom it provides or
sells non-public analyses. For non-public analyses that only include
patient de-identified data, we proposed to require the qualified entity
to enter into a contractually binding non-public analyses agreement
with any authorized users as a pre-condition to providing or selling
such non-public analyses.
Comment: Several commenters stated that they supported the use of a
legally binding agreement between the qualified entity and the
authorized user. One commenter suggested that CMS develop a standard
non-public analyses agreement for qualified entities to use with
authorized users.
Response: We thank commenters for their support of this proposal.
We believe that many qualified entities will have existing agreements
with authorized users that cover the use and disclosure of analyses
related to their claims data from other sources. While there may be
some value in providing organizations new to this type of work a
template for the agreement, we believe that qualified entities would be
better served by engaging with their own legal counsel to ensure the
agreement meets their specific needs.
For non-public analyses that include patient identifiable data, we
proposed to require the qualified entity to enter into a qualified
entity Data Use Agreement (QE DUA) with any authorized users as a pre-
condition to providing or selling such non-public analyses. As we also
proposed to require use of the QE DUA in the context of the provision
or sale of combined data, or the provision of Medicare data at no cost,
we discuss our proposals related to the QE DUA and associated comments
in the data disclosure discussion in section II.B below.
Requirements in the Non-Public Analyses Agreement
The statute generally allows qualified entities to provide or sell
their non-public analyses to authorized users for non-public use, but
it bars use or disclosure of such analyses for marketing (see section
105(a)(3)(c) of MACRA). We proposed additional limits on the non-public
analyses, given the expansive types of non-public analyses that could
be conducted by the qualified entities if no limits are placed on such
analyses, and the potential deleterious consequences of some such
analyses.
First, we proposed that the non-public analyses agreement require
that non-public analyses conducted using combined data or the
information derived from the evaluations described in section
1874(e)(4)(D) of the Act may not be used or disclosed for the following
purposes: Marketing, harming or seeking to harm patients and other
individuals both within and outside the healthcare system regardless of
whether their data are included in the analyses (for example, an
employer using the analyses to attempt to identify and fire employees
with high healthcare costs), or effectuating or seeking opportunities
to effectuate fraud and/or abuse in the healthcare system (for example,
a provider using the analyses to identify ways to submit fraudulent
claims that might not be caught by auditing software). We also proposed
to adopt the definition of marketing at 45 CFR 164.501 in the HIPAA
Privacy Rule.
Comment: Many commenters stated that they supported the proposed
restrictions on the use of the non-public analyses. One commenter
suggested that CMS provide greater clarification on what would
constitute harm to patients and other individuals both within and
outside the healthcare system. This commenter suggested that harm
should include activities that would create overly tiered networks that
could exclude high quality providers, as well as efforts to limit
patient access to certain treatments or drugs or steer patients to
certain practices based solely on cost.
Response: We thank commenters for their support of the restrictions
on the use of the analyses. On further consideration, we agree that the
industry may benefit from additional guidance regarding these
restrictions. Therefore, we anticipate providing additional sub-
regulatory guidance on the standards adopted in this rule for the
Qualified Entity Certification Program Web site at https://www.qemedicaredata.org/SitePages/home.aspx.
As we did not receive any comments on the proposed definition of
marketing, we will finalize the definition without modification.
Second, in accordance with section 105(a)(1)(B)(i) of MACRA, we
proposed to require that any non-public analyses provided or sold to an
employer may only be used by the employer for the purposes of providing
health insurance to employees and retirees of the employer. We also
further proposed that if the qualified entity is providing or selling
non-public analyses to an employer that this requirement be included in
the non-public analyses agreement. We did not receive any comments on
this proposal, so are finalizing it without modification.
We also proposed to require qualified entities to include in the
non-public analysis agreement a requirement to limit re-disclosure of
non-public analyses or derivative data to instances in which the
authorized user is a provider or supplier, and the re-disclosure is as
a covered entity would be permitted under 45 CFR 164.506(c)(4)(i) or
164.502(e)(1). Accordingly, a provider or supplier may only re-disclose
-identifiable health information to a covered entity for the purposes
of the covered entity's quality assessment and improvement or for the
purposes of care coordination activities, where that entity has a
patient relationship with the individual who is the subject of the
information, or to a business associate of such a covered entity under
a written contract. We also generally proposed to require qualified
entities to use a non-public analyses agreement to explicitly bar
authorized users that are not providers or suppliers from re-disclosure
of the non-public analyses or any derivative data except to the extent
a disclosure qualifies as a ``required by law'' disclosure.
Comment: Several commenters suggested that authorized users be
allowed to re-disclose analyses in order to publish research findings
provided the analyses do not individually identify a provider. These
commenters noted that public health interests can be served by allowing
the disclosure of research findings to the public. One commenter
recommended allowing broad re-disclosure of analyses when the
information is beneficiary de-identified, stating that this is
necessary to reduce cost and improve patient care across the healthcare
system. Several commenters suggested that authorized users be allowed
to re-disclose analyses for the purposes of developing products or
services, such as analytic tools, algorithms, and other innovations for
improving health outcomes.
Response: The statutory language at section 105(a)(5) of MACRA
states that authorized users may not re-disclose or make public any
analyses, with the exception of allowing providers and suppliers to re-
disclose analyses, as determined by the Secretary, for the
[[Page 44462]]
purposes of care coordination and performance improvement activities.
As a result, we are finalizing the proposed language on re-disclosure
of analyses without modification. However, we would like to note that
CMS currently makes data available to researchers outside of this
qualified entity program, including those interested in developing
products or tools. Individuals and organizations interested in
accessing CMS data for research purposes should visit the Research Data
Assistance Center (ResDAC) at www.resdac.org for more information.
Fourth, we proposed to require qualified entities to impose a
legally enforceable bar on the authorized user's linking de-identified
analyses (or data or analyses derived from such non-public analyses) to
any other identifiable source of information or in any other way
attempting to identify any individual whose de-identified data is
included in the analyses or any derivative data.
Comment: One commenter stated that an authorized user should be
allowed to link the analyses that contain patient identifiers or any
derivative data with other sources when this information is limited to
their own patients.
Response: We would like to highlight that the restriction on
linking analyses only applies to de-identified analyses. To the extent
providers and suppliers are receiving identifiable information on their
own patients, the restriction on linking to any other identifiable
source of information does not apply.
Finally, we proposed to require qualified entities to use their
non-public analyses agreements to bind their non-public analyses
recipients to reporting any violation of the terms of that non-public
analyses agreement to the qualified entity. We did not receive any
comments on this proposal, so are finalizing it without modification.
4. Confidential Opportunity To Review, Appeal, and Correct Analyses
In accordance with section 105(a)(6) of MACRA, we proposed that
the qualified entity must follow the confidential review, appeal, and
error correction requirements established at 401.717(f) under section
1874(e)(4)(C)(ii) of the Act.
Comment: We received a wide-ranging set of comments on the proposed
review and corrections process. Several commenters supported the
proposed review and corrections process. Many commenters suggested
changes to the review process for non-public analyses. In general these
commenters cited the burden of the proposed process for qualified
entities and recommended options to make the process less burdensome.
However, other commenters focused on the need for providers and
suppliers to have enough time to ensure the analyses are accurate.
Several commenters suggested provider or supplier notification as
the first step for review of non-public analyses. One commenter
recommended creating an alternative approach to individualized appeals,
such as an accreditation process. Another commenter suggested that when
a non-public analysis is released to one or more authorized users, or
when a non-public analysis is subsequently used for a public report,
the qualified entity need only provide an opportunity for the provider
or supplier to have reviewed and, if necessary, requested error
correction once before the initial release of the analysis. Another
commenter recommended that providers and suppliers only be given one
chance to request error correction of the underlying data, after which
the data could be used in any future non-public analyses.
A few commenters suggested that a 60-day period to review the
analyses may not be sufficient. On the other hand, several commenters
suggested a 30-day review period for non-public analyses, while another
commenter suggested giving providers and suppliers an ongoing right to
review the analyses and request error correction.
Response: We appreciate commenters' concerns about allowing
providers and suppliers the necessary time to review analyses as well
as the concerns about the burden on qualified entities of implementing
the public reporting review and corrections process for non-public
analyses. However, as noted in the proposed rule, we also believe using
the same process for review and error correction for both the non-
public analyses and the public reports creates continuity and a balance
between the needs and interests of providers and suppliers and those of
the qualified entities, authorized users, and the public.
That said, on further consideration, we believe that the addition
of a procedural step whereby the qualified entity would confidentially
notify a provider or supplier about the non-public analyses and give
the provider or supplier the opportunity to opt-in to the review and
error correction process established at Sec. 401.717(a) through (e) is
both consistent with the statute and has the potential to reduce the
burden on both qualified entities and providers and suppliers. In some
cases, notification may be sufficient to meet the needs of a provider
or supplier and, as a result, the provider or supplier will choose not
to opt-in to the review and correction process, reducing the paperwork
and resource burden for both the qualified entity and the provider/
supplier. In addition, where the analyses are similar to previous
analyses or use data the provider or supplier has already corrected,
the provider or supplier may also choose not to review the analyses.
Under this procedural step, a qualified entity must confidentially
notify a provider or supplier that non-public analyses that
individually identify the provider or supplier are going to be released
at least 65 calendar days before disclosing the analyses to the
authorized user. The first five days of the 65-day period are intended
to allow time to notify the provider or supplier, and to allow them
time to respond to the qualified entity. The next sixty days reflect
the sixty-day review period in Sec. 401.717(a) through
(e). The confidential notification about the non-public analyses should
include a short summary of the analyses (which must include the
measures being calculated, but does not have to include the
methodologies and measure results), the process for the provider or
supplier to request the analyses, the authorized users receiving the
analyses, and the date on which the qualified entity will release the
analyses to the authorized users. This notification can cover multiple
non-public analyses that use different datasets and measures. The 65-
day period begins on the date the qualified entity sends or emails the
notification to providers and suppliers. As we presume some qualified
entities may utilize National Provider Identifier (NPI) data as a means
of contacting providers and suppliers, we would like to use this
opportunity to remind providers and suppliers of the need to keep their
NPI information up-to-date.
At any point during this 65-day period, the qualified entity must
allow the provider or supplier to opt-in to the review and error
correction process established at Sec. 401.717(a) through (e) and
request copies of the analyses and, where applicable, access to the
data used in the analyses, and to request the correction of any errors
in the analyses. However, if the provider or supplier chooses to opt-in
to the review and correction process more than 5 days into the
notification period, the time for the review and correction process is
shortened from the regulatory 60 days in Sec. 401.717(a) through (e) to
the number of days remaining between the provider or supplier opt-in
date and the release
[[Page 44463]]
date specified in the confidential notification.
We understand the desire to create an alternative approach to
individualized appeals, such as an accreditation process; however, we
believe the statutory language at Section 105(a)(6) of MACRA requires
that qualified entities allow providers and suppliers an opportunity to
review analyses that individually identify the provider or supplier
and, when needed, request error correction in the
analyses. In addition, as stated above, regardless of the statutory
requirements, we believe that providers and suppliers should not be
evaluated by a qualified entity without having a chance to review and,
when needed, request error correction in the analyses.
Comment: One commenter recommended that qualified entities not be
allowed to provide or sell analyses to an authorized user while an error
correction request is outstanding.
Response: We acknowledge the interest of providers and suppliers in
ensuring that any analyses correctly represent their care delivery
patterns and costs. However, we are concerned that providers and
suppliers may make spurious requests for error correction in order to
prevent the authorized user from receiving the analyses. As a result,
we will maintain the provisions that allow qualified entities to
release the non-public analyses after the 65-day period regardless of
the status of error corrections. As with the public reporting, the
qualified entity must inform the authorized user if a request for error
correction is outstanding when the analyses are delivered to the
authorized user, and, if applicable, provide corrected analyses if
corrections are ultimately made.
B. Dissemination of Data and the Use of QE DUAs for Data Dissemination
and Patient-Identifiable Non-Public Analyses
Subject to other applicable law, section 105(a)(2) of MACRA expands
the permissible uses and disclosures of data by a qualified entity to
include providing or, where applicable, selling combined data for non-
public use to certain authorized users, including providers of
services, suppliers, medical societies, and hospital associations for
use in developing and participating in quality and patient care
improvement activities. Section 105(a)(3)(B) of MACRA. Subject to the
same limits, it also permits a qualified entity to provide Medicare
claims data for non-public use to these authorized users; however, a
qualified entity may not charge a fee for providing such Medicare
claims data. In addition, in order to provide or sell combined data or
Medicare data, section 105(a)(4) of MACRA instructs the qualified
entity to enter into a DUA with their intended data recipient(s).
1. General Requirements for Data Dissemination
To implement the provisions in Section 105(b) of MACRA, we proposed
to provide that, subject to other applicable laws (including applicable
information, privacy, security and disclosure laws) and certain defined
program requirements, including that the data be used only for non-
public purposes, a qualified entity may provide or sell combined data
or provide Medicare claims data at no cost to certain authorized users,
including providers of services, suppliers, medical societies, and
hospital associations. Where a qualified entity is a HIPAA-covered
entity or is acting as a business associate, compliance with other
applicable laws will include the need to ensure that it fulfills the
requirements under the HIPAA Privacy Rule, including the restriction on
the sale of PHI at 45 CFR 164.502(a)(5)(ii).
Comment: Several commenters stated that CMS should provide
additional clarity on the term no cost as it relates to the provision
of Medicare data. For example, commenters stated that qualified
entities may wish to charge a fee for entering into a data use
agreement with an authorized user, but then not charge for the data. In
addition, some of these commenters recommended that CMS allow qualified
entities to recoup the costs associated with providing Medicare data at
no cost. These commenters stated that there is a cost associated with
providing claims data to authorized users, such as staff time to create
the data extract and encrypt the file.
Response: We understand that qualified entities will face costs
providing Medicare data to authorized users. However, section
105(a)(2)(C) of MACRA expressly states that, if a qualified entity were
to elect to make Medicare claims data available, such data must be
``provided'' at no cost. We believe that the paperwork and processing
costs associated with accepting and fulfilling Medicare claims data
requests are an integral part of the ``provision'' of data. As such,
qualified entities may not charge authorized users for the Medicare
data itself or any activity associated with requests for or the
fulfillment of Medicare data requests (such as the processing of a data
use agreement). However, we also note that the qualified entity is not
required to offer authorized users the opportunity to request Medicare
claims data. Qualified entities may choose to only offer authorized
users the opportunity to receive or purchase combined data. Qualified
entities may also choose not to allow authorized users to request data
at all.
Comment: One commenter suggested that CMS require qualified
entities to sell the combined data at a reasonable price which reflects
their actual cost.
Response: We appreciate the commenter's interest in ensuring
qualified entities charge authorized users reasonable fees for combined
data. However, we believe that qualified entities should be allowed to
determine the appropriate fee to charge authorized users for access to
the combined data. If qualified entities set their prices too high,
authorized users have the choice of not buying the data, or potentially
obtaining the data from another qualified entity with more reasonable
pricing.
Comment: One commenter recommended that CMS provide additional
clarity on the threshold for the amount of other data that must be
combined with the Medicare data in order for the qualified entity to
sell the combined data.
Response: As discussed above, we have not established a threshold
for the amount of other data that must be combined with the Medicare
data. It is our expectation that qualified entities will use sufficient
claims data from other sources to ensure validity and reliability.
2. Limitations on the Qualified Entity Regarding Data Disclosure
In accordance with section 105(a)(2), we proposed to place a number
of limitations on the sale or provision of combined data and the
provision of Medicare claims data by qualified entities, including
generally barring the disclosure of patient-identifiable data obtained
through the qualified entity program.
Comment: Several commenters stated that CMS should provide
additional clarity around whether the data must go through a review and
corrections process before it is disclosed to an authorized user. One
commenter recommended that providers and suppliers be allowed to
review, appeal, and correct the data before it is disclosed.
Response: Section 105(a)(6) of MACRA only requires a review and
corrections process when a qualified entity is providing or selling an
analysis to an authorized user. While we understand that some providers
and
suppliers may wish to ensure that their data is correct before it is
shared with an authorized user, we believe that this process would be
very rigorous and burdensome for the qualified entity and would have
little value for most providers and suppliers.
We proposed to require any combined data or Medicare claims data
that is provided to an authorized user by a qualified entity under
subpart G be beneficiary de-identified in accordance with the
de-identification standards in the HIPAA Privacy Rule at 45 CFR
164.514(b). We also proposed an exception that would allow a qualified
entity to provide or sell patient-identifiable combined data and/or
provide patient-identifiable Medicare claims data at no cost to an
individual or entity that is a provider or supplier if the provider or
supplier has a patient relationship with every patient about whom
individually identifiable information is provided and the disclosure is
consistent with applicable law.
Comment: Several commenters agreed with the proposal to only allow
identifiable data to be disclosed to providers or suppliers with whom
the identified individuals have a patient relationship. One commenter
suggested that qualified entities be allowed to share limited data sets
(as defined in HIPAA) with providers and suppliers for individuals who
are not their patients. Another commenter recommended that qualified
entities be allowed to disclose patient-identifiable data to health
plans.
Response: Section 105(a)(3) of MACRA requires that data disclosed
to an authorized user not contain information that individually
identifies a patient unless the data is being shared with that
patient's provider or supplier. We further note that limited data sets
include indirect identifiers, and, as such, are subject to that
mandate. While we can imagine that health systems would be interested
in conducting population-wide analyses that look at disease incidence
or care delivery patterns, we believe these types of analyses can be
conducted using de-identified data. In addition, authorized users that
may not receive patient-identifiable data, such as issuers, could ask
the qualified entity to conduct analyses on these topics, and purchase
or receive the patient-deidentified analyses that result from such
efforts.
Second, we proposed to require qualified entities to bind the
recipients of their data to a DUA that will govern the use and, where
applicable, re-disclosure of any data received through this program
prior to the provision or sale of such data to an authorized user.
Comment: Several commenters stated that they agreed with the
proposal to require qualified entities to bind authorized users who
receive data to a DUA. One commenter recommended that when the required
``QE DUA'' (the DUA between the Qualified Entity (QE) and the
Authorized User) provisions already exist in another contract between
the qualified entity and the authorized user, the qualified entity
should not be required to re-paper those terms.
Response: We thank commenters for their support of this proposal.
In cases where all the terms of the QE DUA at Sec. 401.713(d) are
contained in a contractually binding agreement between the qualified
entity and the authorized user, we do not intend to require the
qualified entity to re-paper that agreement as a QE DUA.
3. Data Use Agreement (DUA)
A qualified entity must enter a DUA with CMS as a condition of
receiving Medicare data. Furthermore, in accordance with Section
105(a)(4) of MACRA, we proposed to require the execution of a DUA as a
precondition to a qualified entity's provision or sale of data to an
authorized user. As discussed above, we also proposed to require the
qualified entity to enter into a DUA with any authorized user as a
precondition to providing or selling non-public analyses that include
patient-identifiable data. To help differentiate the DUA between CMS
and the qualified entity from the DUAs between the qualified entity and
the authorized user, we proposed certain clarifying changes that
recognize that there are now two distinct DUAs in the qualified entity
program--the CMS DUA, which is the agreement between CMS and a
qualified entity, and what we will refer to as the QE DUA, which will
be the legally binding agreement between a qualified entity and an
authorized user.
Comment: Several commenters had overall comments on the QE DUA. One
commenter recommended that CMS create a standard QE DUA. Another
commenter stated that the data released to authorized users should not
be subject to discovery or admitted into evidence without the provider
or supplier's consent. A few commenters suggested that the QE DUA
include a provision that prevents the disclosure of competitively
sensitive data, such as Part D bid information. Finally, one commenter
suggested that authorized users should have some direct responsibility
for actions that run afoul of contractual requirements.
Response: As noted above, qualified entities may have existing
agreements with authorized users where all required QE DUA elements are
covered, and we are not requiring re-papering in those instances.
Furthermore, also as noted above, we believe that qualified entities
without existing agreements would be better served by engaging with
their own legal counsel to ensure the QE DUA meets their specific
needs.
As discussed above, we believe the statutory requirement that data
not be subject to discovery or admitted into evidence without the
provider or supplier's consent only applies to data released to the
qualified entity under 1874(e) and when that data is in the possession
of the qualified entity.
Regarding concerns about disclosure of competitively sensitive
information, qualified entities only receive Medicare Parts A and B
claims data and certain Part D drug event data from CMS. In addition,
we only provide qualified entities with aggregated Part D cost
information, not the proprietary individual component costs. As a
result, we do not believe there is a risk that qualified entities would
be in a position to disclose competitively sensitive information to
authorized users.
Finally, as we stated in the proposed rule, we only have authority
to impose requirements on the qualified entity. As a result, we must
rely on the qualified entity to impose legally enforceable obligations
on the authorized user.
Requirements in the QE DUA
In Sec. 401.713(d), we proposed a number of contractually binding
provisions that would be included in the QE DUA. First, we proposed to
require that the QE DUA contain certain limitations on the authorized
user's use of the combined data and/or Medicare claims data and/or
non-public analyses that contain patient-identifiable data and/or any
derivative data (hereinafter referred to as data subject to the QE DUA)
to those purposes described in the first or second paragraph of the
definition of ``healthcare operations'' under 45 CFR 164.501, or that
which qualifies as ``fraud and abuse detection or compliance
activities'' under 45 CFR 164.506(c)(4). We also proposed to require
that all other uses and disclosures of data subject to the QE DUA be
prohibited except to the extent a disclosure qualifies as a ``required
by law'' disclosure. We did not receive any comments on our proposal to
allow authorized users to use the data subject to the QE DUA for the
purposes described in the first or second paragraph of the definition
of ``healthcare operations'' under 45 CFR
164.501. Therefore, we are finalizing our proposal. In doing so, we
identified inadvertent drafting errors in the proposed regulatory text
at Sec. 401.713(d)(1)(i)(A) and (B) (mis-identifying which activities
fell into which paragraphs of 45 CFR 164.501). We have therefore
corrected those draft regulatory provisions to conform the new 42 CFR
401.713(d)(1)(i)(A) and (B) with the content of the first and second
paragraphs of the definition of health care operations under 45 CFR
164.501.
Comment: We received several comments on allowing authorized users
to use the data subject to the QE DUA for purposes which qualify as
``fraud and abuse detection or compliance activities'' under 45 CFR
164.506(c)(4). Several commenters stated that allowing use of the
data subject to the QE DUA for fraud and abuse detection is unwarranted
and without basis in the statutory text. However, another commenter
explicitly supported use of the data subject to the QE DUA to bolster
efforts to fight fraud. One commenter suggested the addition of
``waste'' detection as an allowed use of the data subject to the QE
DUA.
Response: We believe that section 105(a)(3)(A)(ii) of MACRA is
illustrative (providing for certain non-public uses ``including''
certain cross-referenced activities). It does not prevent use of the
data for fraud and abuse detection and compliance activities. As a
result, we are finalizing our proposal to allow authorized users to use
the data subject to the QE DUA for fraud and abuse detection. While we
can understand the interest in adding waste detection to the list of
allowed uses of the data subject to the QE DUA, we believe it is best
to stay consistent with the language established in HIPAA since many of
the other authorized users receiving data subject to the QE DUA are also
HIPAA covered entities.
Comment: One commenter suggested that authorized users also be
allowed to use the data subject to the QE DUA for ``treatment'' as
defined under 45 CFR 164.501.
Response: We agree that use of the data subject to the QE DUA for
treatment purposes is a valid possible use of the data and consistent
with the statute. As a result, we have modified the language at Sec.
401.713(d)(1)(i) to include treatment.
We also proposed to require qualified entities to use the QE DUA to
contractually prohibit the authorized users from using the data subject
to the QE DUA for marketing purposes. We did not receive any comments
on this proposal, and are finalizing it without modification.
We proposed at Sec. 401.713(d)(3) to require qualified entities to
contractually bind authorized users using the QE DUA to protect
patient-identifiable data subject to the QE DUA, with at least the
privacy and security protections that would be required of covered
entities and their business associates under the HIPAA Privacy and
Security Rules. We proposed to require that the QE DUA contain
provisions that require that the authorized user maintain written
privacy and security policies and procedures that ensure compliance
with these HIPAA-based privacy and security standards and the other
standards required under this subpart for the duration of the QE DUA.
We also proposed to require QE DUA provisions detailing such policies
and procedures survive termination of the QE DUA, whether for cause or
not.
Comment: One commenter suggested that CMS clarify that the QE DUA
by itself does not make the authorized user a covered entity or
business associate under HIPAA if the authorized user does not
otherwise meet those definitions.
Response: We wish to clarify that this rule does not comment on
whether an entity is a covered entity or business associate under
HIPAA. We are simply requiring the authorized users to comply with the
privacy and security protections required of covered entities and their
business associates under the HIPAA Privacy and Security Rules (that
is, the authorized users must comply with those provisions as if they
were acting in the capacity of a covered entity or business associate
dealing with protected health information). We feel that such standards
represent an industry-wide standard for the protection of
patient-identifiable data, and note that this requirement would be in keeping
with section 105(a)(4) of MACRA.
We also proposed at Sec. 401.713(d)(7) to require that the
qualified entity use the QE DUA to contractually bind an authorized
user as a condition of receiving data subject to the QE DUA under the
qualified entity program to notify the qualified entity of any
violations of the QE DUA. We did not receive any comments on this
proposal, so are finalizing it without modification.
In addition, we proposed at Sec. 401.713(d)(4) to require that the
qualified entity include a provision in its QE DUAs that prohibits the
authorized user from re-disclosing or making public data subject to the
QE DUA except as provided in paragraph (d)(5). We proposed at Sec.
401.713(d)(5) to require that the qualified entity use the QE DUA to
limit providers' and suppliers' re-disclosures to a covered entity
pursuant to 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Therefore, a
provider or supplier would generally only be permitted to re-disclose
data subject to the QE DUA to a covered entity or its business
associate for activities focused on that covered entity's quality
assessment and improvement, including the review of provider or
supplier performance. We also proposed to require re-disclosure when
required by law.
Comment: Several commenters stated that they supported CMS'
proposals related to re-disclosure of data. One commenter suggested
that providers and suppliers be allowed to re-disclose data for direct
patient care and issues of patient safety. Another commenter
recommended that any authorized user be allowed to re-disclose
de-identified data for the purposes of publishing de-identified
statistical results.
Response: We thank commenters for their support of the
re-disclosure proposals. While we can understand interest in explicitly
referencing issues of patient safety, we do not believe it is necessary
given that the first paragraph of the definition of healthcare
operations includes patient safety activities and, thus, issues of
patient safety are permitted reasons for re-disclosure of the data.
However, we recognize that as proposed, providers and suppliers would
not be allowed to re-disclose the data subject to the QE DUA for
treatment purposes. As a result, we are modifying the language at Sec.
401.713(d)(5)(i) to allow providers and suppliers to re-disclose data
subject to the QE DUA as a covered entity would be permitted to
disclose PHI under 45 CFR 164.506(c)(2), which allows a covered entity
to disclose data for the treatment activities of a healthcare provider.
Regarding the recommendation to allow for re-disclosure of
de-identified data in order to publish statistical results, we do not
believe that this purpose is consistent with section 105(a)(5)(A) of
the MACRA statute, which explicitly states that an authorized user who
is provided or sold data shall not make public such data or any
analysis using such data.
We also proposed to require qualified entities to impose a
contractual bar using the QE DUA on the downstream recipients' linking
of the re-disclosed data subject to the QE DUA to any other
identifiable source of information. The only exception to this general
policy would be if a provider or supplier were to receive identifiable
information limited to its own patients.
Comment: Several commenters stated that they supported the
proposals related to linking the data. One commenter suggested that
business associates of providers or suppliers be allowed to link the
data subject to the QE DUA. Another commenter recommended that
authorized users be allowed to link the patient de-identified data so
long as the intent or result is not to re-identify patients and the
resulting data set meets the HIPAA standard for de-identification.
Response: We would like to clarify that the prohibition on linking
only applies to patient de-identified data subject to the QE DUA. To
the extent that a provider or supplier receives patient-identifiable
data subject to the QE DUA and discloses that data to a business
associate as allowed under Sec. 401.713(d)(5)(i), that provider or
supplier may request that the business associate link the data subject
to the QE DUA to another data source.
While we understand that some authorized users may wish to link the
de-identified data subject to the QE DUA, we believe that this creates
too much risk of inadvertent re-identification. However, instead of
linking the data themselves, authorized users could choose to share
their additional data, in accordance with applicable law, with the
qualified entity who could link this new data source to the existing
data and then create de-identified analyses to share with the
authorized user.
C. Authorized Users
1. Definition of Authorized User
Section 105(a)(9)(A) of MACRA defines authorized users as: A
provider of services, a supplier, an employer (as defined in section
3(5) of the Employee Retirement Insurance Security Act of 1974), a
health insurance issuer (as defined in section 2791 of the Public
Health Service Act), a medical society or hospital association, and any
other entity that is approved by the Secretary. We proposed a
definition for authorized user at Sec. 401.703(k) that is consistent
with Section 105(a)(9)(A) of MACRA and includes two additional types of
entities beyond those established in the statute--healthcare
professional associations and state agencies. Specifically, we proposed
to define an authorized user as: (1) A provider; (2) a supplier; (3) an
employer; (4) a health insurance issuer; (5) a medical society; (6) a
hospital association; (7) a healthcare professional association; or (8)
a state agency.
Comment: Commenters had a wide-ranging list of suggested additions
to the definition of authorized user, including: Other types of
associations and partnership groups whose missions support the
permitted data uses, entities with expertise in quality measure
development, organizations engaged in research, federal agencies,
regional health improvement collaboratives, and the Indian Health
Service (and Indian Health programs). Several commenters also suggested
that CMS create a process for qualified entities to seek approval for
additional authorized users that may not fit into the regulatory
definitions.
Response: We recognize that many organizations are interested in
accessing analyses provided by the qualified entity. However, CMS
believes we must maintain a carefully curated list of authorized users
to prevent the monitoring of the qualified entity program from becoming
too cumbersome. As a result, we are only adding federal agencies,
including, but not limited to the Indian Health Service (and Indian
Health programs), to the definition of authorized users. Similar to
state agencies, we believe that federal agencies, particularly those
that provide healthcare services such as the Indian Health Service and
the U.S. Department of Veterans Affairs, are important partners with CMS
in transforming the healthcare delivery system and could substantially
benefit from access to analyses to help improve quality and reduce
costs, especially for individuals who utilize their services. On the
other hand, we believe many of the other suggested authorized users do
not represent well defined groups, which could lead to significant
confusion as to which entities fall within the group and which do not.
In addition, as we noted above, the statute is explicit in its
prohibition of releasing the analyses or data to the public, so the
addition of any authorized user with a research aim is not consistent
with the parameters of the program.
We believe a separate approval process would be very costly for CMS
and create additional burdens for qualified entities. We also believe
that a standard list of authorized users is the simplest and least
administratively burdensome method to ensure equal treatment of
qualified entities. Because many of the suggested authorized users do
not represent well defined groups, we would envision an approval
process for each entity requesting analyses, which would potentially be
more burdensome for smaller regional qualified entities that do not
have the time or resources to devote to the approval process.
Furthermore, we have an existing process through which entities can
obtain Medicare data for research purposes. More information on
accessing CMS data for research can be found on the ResDAC Web site at
www.resdac.org.
Comment: Several commenters suggested that other organizations
beyond providers, suppliers, hospital associations, and medical
societies be allowed to access data. A few commenters suggested any
entity should be allowed to access de-identified data. Another
commenter recommended the creation of a new authorized user called a
healthcare provider or supplier collaborator and defined as an
organization or entity that does not directly treat patients, but works
closely with the provider or supplier in connection with treatment of
patients.
Response: Section 105(a)(2)(A)(i) only allows for the disclosure
of data to a provider of services, a supplier, and a medical society or
hospital association.
Comment: Several commenters suggested that authorized users that
are allowed to act on behalf of their subparts (for example,
Accountable Care Organizations) or business associates as defined in
HIPAA should be allowed to receive data and/or analyses directly.
Response: We do not intend to prevent organizations acting under a
contract with an authorized user from receiving data or the analyses on
behalf of the authorized user. Therefore, we have modified the
definition of authorized user to include contractors, including, where
applicable, business associates as that term is defined at 45 CFR
160.103. An authorized user is now defined as a third party and its
contractors (including, where applicable, business associates as that
term is defined at 45 CFR 160.103) that need analyses or data covered
by this section to carry out work on behalf of that third party
(meaning not the qualified entity or the qualified entity's
contractors) to whom/which the qualified entity provides or sells data
as permitted under this subpart. Authorized user third parties are
limited to the following entities: A provider, a supplier, a medical
society, a hospital association, an employer, a health insurance
issuer, a healthcare provider and/or supplier association, a state
entity, a federal agency.
We would like to note that with this change to the definition of
authorized user, a qualified entity is now also liable for the actions
of the third party's contractors who enter into a QE DUA with the
qualified entity.
Comment: One commenter suggested a modification to the definition
of provider to include dieticians, social workers, case management
nurses, and other allied health professionals.
Response: The current definition of a supplier is a physician or
other practitioner that furnishes healthcare services under Medicare.
To the extent that dieticians, social workers, case management nurses,
and other allied health professionals are furnishing healthcare
services under Medicare, they would already be considered suppliers. If
they are not furnishing services under Medicare, we do not believe the
analyses or data based on Medicare claims data will hold much value for
improving care delivery or reducing costs, and so we decline expanding
the definition to include them.
2. Definition of Employer
We proposed to define an employer as having the same meaning as the
term ``employer'' defined in Section 3(5) of the Employee Retirement
Insurance Security Act of 1974.
Comment: One commenter suggested that the definition of employer
should not include any third-party consultant or wellness program
vendors.
Response: As noted above, we believe authorized users should be
allowed to share analyses and data with contractors who need such
information to conduct work on their behalf. Therefore, we modified the
definition of authorized user to include contractors. To the extent a
wellness vendor is an employer's contractor, the vendor will be
required to sign a non-public analyses agreement and will be bound to
only use and disclose the analyses in a manner consistent with the
provisions of that agreement. We would also like to point out that as
specified in Sec. 401.716(c)(2), employers, and their contractors, may
only use the analyses for the purposes of providing health insurance to
employees, retirees, or dependents of employees.
3. Definition of Health Insurance Issuer
We proposed to define a health insurance issuer as having the same
meaning as the term ``health insurance issuer'' defined in Section
2791(b)(2) of the Public Health Service Act.
Comment: One commenter suggested that the definition of health
insurance issuer should not include any third-party consultant or
wellness program vendors.
Response: As with employers, we believe issuers should be allowed
to share analyses and data with contractors who need such information
to conduct work on their behalf. Therefore, as stated above, we have
modified the definition of authorized user. To the extent a wellness
vendor is an issuer's contractor, the vendor will be required to sign a
non-public analyses agreement and will be bound to only use and
disclose the analyses in a manner consistent with the provisions of
that agreement.
4. Definition of ``Medical Society''
We proposed to define a medical society as a non-profit
organization or association that provides unified representation for a
large number of physicians at the national or state level and whose
membership is comprised mainly of physicians.
Comment: One commenter requested that CMS provide an example of a
medical society.
Response: We would consider the American Medical Association or the
American Academy of Family Physicians to be national-level medical
societies. At the state-level, the Medical Association of the State of
Alabama is an example of a medical society under this definition.
5. Definition of ``Hospital Association''
We proposed to define a hospital association as a non-profit
organization or association that provides unified representation for a
large number of hospitals or health systems at the national or state
level and whose membership is comprised of a majority of hospitals and
health systems.
Comment: One commenter requested that CMS provide an example of a
hospital association.
Response: We would consider the American Hospital Association or
the Federation of American Hospitals to be national hospital
associations. At the state-level, the Hospital and Healthsystem
Association of Pennsylvania is an example of a hospital association
under this definition.
Comment: Several commenters suggested that the definition of
hospital association be expanded to include associations at the local
level and quality organizations that are affiliated with, but have
separate 501(c)(3) numbers from their state hospital association.
Response: CMS recognizes that local hospital associations may work
more closely on issues such as quality improvement with hospitals and
health systems in their area than state or national associations. As a
result, we have modified the definition of hospital association to
include local-level organizations. However, we do not believe that the
MACRA statute at 105(a)(9)(v) intends for quality organizations
affiliated with a hospital association to be considered a hospital
association since the language only refers to hospital association and
does not reference quality organizations. To the extent that these
quality organizations are doing work on behalf of the state hospital
association under contract, and that work requires access to such data
or analyses, these quality organizations would be considered authorized
users and would be required to enter into a QE DUA and/or non-public
analyses agreement with the qualified entity.
6. Definition of ``Healthcare Provider and/or Supplier Association''
We proposed to define a healthcare provider and/or supplier
association as a non-profit organization or association that represents
providers and suppliers at the national or state level and whose
membership is comprised of a majority of providers and/or suppliers. We
did not receive any comments on this definition, so are finalizing it
without modification.
7. Definition of ``State Agency''
We proposed to define a state agency as any office, department,
division, bureau, board, commission, agency, institution, or committee
within the executive branch of a state government.
Comment: One commenter stated that state agencies should be limited
to those entities that promote care quality and patient care
improvement activities. Another commenter recommended that the term
state agency be changed to state entity to help avoid conflict with
state-specific references to the word ``agency.'' One commenter
suggested CMS provide clarity on whether the definition of state agency
includes political subdivisions of the state.
Response: We do not believe that state agencies should be limited
to those entities focused on care quality and patient care improvement.
There is a wide array of uses of the non-public analyses by states who
are CMS' partners in transforming the healthcare delivery system. We do
appreciate the comment related to the use of the term agency at the
state-level, and have modified this term in the regulations to be
``state entity.'' In addition, to provide clarity, we note that we did
not intend for the definition of state agency to include political
subdivisions of a state, such as a county, city, town, or village, and
as a result have not added these to the definition.
D. Annual Report Requirements
1. Reporting Requirements for Analyses
Section 105(a)(8) of MACRA expands the information that a qualified
entity must report annually to the Secretary if
a qualified entity provides or sells non-public analyses. Therefore,
consistent with these requirements, we proposed to require that the
qualified entity provide a summary of the non-public analyses provided
or sold under this subpart, including specific information about the
number of analyses, the number of purchasers of such analyses, the
types of authorized users that purchased analyses, and the total amount of
fees received for such analyses. We also proposed to require the
qualified entity to provide a description of the topics and purposes of
such analyses. In addition, we proposed to require a qualified entity
to provide information on QE DUA and non-public analyses agreement
violations.
Comment: Several commenters suggested additions to the reporting
requirements for analyses. One commenter suggested that qualified
entities include the specific entities to whom analyses were provided
or sold as well as more detailed pricing information. Another commenter
recommended the addition of the frequency and nature of requests for
error correction, and how often analyses are disclosed with unresolved
requests for error correction.
Response: We believe that Section 105(a)(8)(A) of MACRA intends for
qualified entities to provide a summary of the analyses and that the
specific details of the entities who received analyses or the pricing
information for analyses are not consistent with that intent. We do
believe there is value in monitoring requests for error correction to
ensure that qualified entities are not releasing analyses that
consistently have requests for error correction, which could indicate a
qualified entity's poor use of the Medicare data; however, we believe
the requirement to provide this information, with the exception of how
often analyses are disclosed with unresolved requests for error
correction, already exists as part of the annual reporting requirements
under Sec. 401.719(b)(2). We believe including how often analyses are
disclosed with unresolved error requests in the annual reports is
important because it allows CMS to track possible poor use of the
Medicare data by qualified entities. Therefore, we have added the
requirement to report the number of analyses disclosed with unresolved
requests for error correction at Sec. 401.719(b)(3)(iii).
Comment: One commenter suggested that the annual reports be made
public.
Response: We recognize that in some cases the annual reports may
contain sensitive commercial information and, as a result, we do not
believe the reports should be made public. We would like to clarify,
however, that anytime CMS receives a request for information under the
Freedom of Information Act (FOIA), the agency always evaluates whether
the information is subject to one of the FOIA exemptions, including
Exemption 4, which protects commercial or financial information that is
privileged and confidential. We welcome identification of any materials
within such reports that the qualified entity believes are subject to a
FOIA exemption, and the rationale therefor.
2. Reporting Requirements for Data
Section 105(a)(8) of MACRA also requires a qualified entity to
submit a report annually if it provides or sells data. Therefore,
consistent with the statutory requirements, we also proposed to require
qualified entities that provide or sell data under this subpart to
provide the following information as part of its annual report:
Information on the entities who received data, the uses of the data,
the total amount of fees received for providing, selling, or sharing
the data, and any QE DUA violations.
Comment: Several of the comments on reporting requirements for data
were the same as those for analyses addressed above. One commenter
suggested the addition of information on authorized user data breaches
to the annual report. Another commenter stated that the annual
reporting requirements for data may contain sensitive commercial
information that may be subject to confidentiality provisions between
the qualified entity and applicable authorized users.
Response: We believe that data breaches should be reported to CMS
in a much timelier manner than the annual report. As discussed above,
the QE DUA requires authorized users to notify the qualified entity of
any violations of the QE DUA and to comply with the breach provisions
governing qualified entities. As a result, we do not believe this
element is needed in the annual report.
We recognize that some of the information we proposed to require of
qualified entities in their annual reports will be sensitive commercial
information. As noted above, anytime CMS receives a request for
information under the FOIA, the agency always evaluates whether the
information is subject to one of the FOIA exemptions, including
Exemption 4, which protects commercial or financial information that is
privileged and confidential. Contractual confidentiality provisions
between authorized users and qualified entities will not negate CMS'
obligations under FOIA, but we welcome identification of any materials
within such reports that the qualified entity believes are subject to a
FOIA exemption, and the rationale therefor.
E. Assessment for a Breach
1. Violation of a DUA
Section 105(a)(7) of MACRA requires the Secretary to impose an
assessment on a qualified entity in the case of a ``breach'' of a CMS
DUA between the Secretary and a qualified entity or a breach of a QE
DUA between a qualified entity and an authorized user. Because the term
``breach'' is defined in HIPAA, and this definition is not consistent
with the use of the term for this program, we proposed instead to adopt
the term ``violation'' when referring to a ``breach'' of a DUA for
purposes of this program. We also proposed to define a ``violation'' to
mean a failure to comply with a requirement in a CMS DUA or QE DUA. We
also proposed to impose an assessment on any qualified entity that
violates a CMS DUA or fails to ensure that their authorized users and
their contractors/business associates do not violate a QE DUA.
Comment: A few commenters recommended that CMS further define and
provide examples of what would constitute a DUA violation. Another
commenter suggested CMS expand the definition of a violation so that
both the qualified entity and the authorized user may be held
responsible for a breach.
Response: While we recognize that not all terms of the DUAs are
equal regarding the risk to the privacy and security of the Medicare
data, we believe the aggravating and mitigating circumstances discussed
in more detail below provide us the flexibility to ensure the
assessment amount is consistent with the nature of the violation. One
example of a violation would be knowingly releasing patient names and
other protected health information for marketing purposes. Another
example of a violation would be sharing individually identifiable
information for an individual who does not meet the definition of a
patient with a supplier.
While we recognize that it may be the authorized user who is
responsible for the violation, we believe Section 105(a)(7) of MACRA
does not give us the authority to impose an assessment on the
authorized user. However, we do believe that the qualified entity could
include terms in their agreement with the authorized user to require
the authorized user to pay the assessment if the authorized user is
responsible for the violation.
MACRA provides guidance only on the assessment amount and what
triggers an assessment, but it does not dictate the procedures for
imposing such assessments. We therefore proposed to model qualified
entity program procedures on certain relevant provisions of Section
1128A of the Act (Civil Money Penalties) and part 402 (Civil Money
Penalties, Assessments, and Exclusions) including the process and
procedures for calculating the assessment, notifying a qualified entity
of a violation, collecting the assessment, and providing qualified
entities an appeals process.
2. Amount of Assessment
Section 105(a)(7)(B) of MACRA specifies that when a violation
occurs, the assessment is to be calculated based on the number of
affected individuals who are entitled to, or enrolled in, benefits
under part A of title XVIII of the Act, or enrolled in part B of such
title. Assessments can be up to $100 per affected individual, but,
given the broad discretion in establishing some lesser amount, we
looked to part 402 as a model for proposing aggravating and mitigating
circumstances that would be considered when calculating the assessment
amount per impacted individual. However, violations under section
105(a)(7)(B) of MACRA are considered point-in-time violations, not
continuing violations.
Number of Individuals
We proposed at Sec. 401.719(d)(5)(i) that CMS will calculate the
amount of the assessment of up to $100 per individual entitled to, or
enrolled in part A of title XVIII of the Act and/or enrolled in part B
of such title whose data was implicated in the violation.
We generally proposed to determine the number of potentially
affected individuals by looking at the number of beneficiaries whose
Medicare claims information was provided either by CMS to the qualified
entity or by the qualified entity to the authorized user in the form of
individually identifiable or de-identified data sets that were
potentially affected by the violation.
We proposed that a single beneficiary, regardless of the number of
times their information appears in a singular non-public report or
dataset, would only count towards the calculation of an assessment for
a violation once. For qualified entities that provide or sell subsets
of the dataset that CMS provided to them, combined information, or
non-public analyses, we proposed to require that the qualified entity
provide the Secretary with an accurate number of beneficiaries whose
data was sold or provided to the authorized user and, thereby,
potentially affected by the violation. In those instances in which the
qualified entity is unable to establish a reliable number of
potentially affected beneficiaries, we proposed to impose the
assessment based on the total number of beneficiaries that were
included in the data set(s) that was/were transferred to the qualified
entity under the CMS DUA.
Assessment Amount per Impacted Individual
As noted above, MACRA allows an assessment in the amount of up to
$100 per potentially affected individual. We therefore proposed to draw
on 42 CFR part 402 to specify the factors and circumstances that will
be considered in determining the assessment amount per potentially
affected individual.
We proposed at Sec. 401.719(d)(5)(i)(A) that the following basic
factors be considered in establishing the assessment amount per
potentially affected individual: (1) The nature and extent of the
violation; (2) the nature and extent of the harm or potential harm
resulting from the violation; and (3) the degree of culpability and
history of prior violations.
In addition, in considering these basic factors and determining the
amount of the assessment per potentially affected individual, we
proposed to take into account certain aggravating and mitigating
circumstances.
We proposed at Sec. 401.719(d)(5)(i)(B)(1) that CMS consider
certain aggravating circumstances in determining the amount per
potentially affected individual, including the following: Whether there
were several types of violations, occurring over a lengthy period of
time; whether there were many violations or the nature and
circumstances indicate a pattern of violations; and whether the nature
of the violation had the potential to result, or actually resulted, in harm to
beneficiaries.
In addition, we proposed at Sec. 401.719(d)(5)(i)(B)(2) that CMS
take into account certain mitigating circumstances in determining the
amount per potentially affected individual, including the following:
Whether the violations subject to the imposition of an assessment were
few in number, of the same type, and occurring within a short period of
time, and/or whether the violation was the result of an unintentional
and unrecognized error and the qualified entity took corrective steps
immediately after discovering the error.
Comment: One commenter suggested that CMS allow the qualified
entity to take corrective action in the case of a minor violation.
Another commenter recommended that CMS impose a limit on the assessment
amount because not specifying a maximum assessment amount could create
a barrier to entry for entities interested in the program. One
commenter stated they supported the statutorily set assessment of $100
per affected individual because it creates strong incentives for
excellent data security.
Response: We recognize the need for a corrective action process and
have already established one at Sec. 401.719(d)(1) through (3) that
applies regardless of the amount of the assessment. We appreciate
commenters' concerns about creating a barrier for entry, but agree that
allowing for an assessment of up to $100 per affected individual
creates strong incentives for the qualified entity to ensure the
privacy and security of the Medicare data. We believe the basic,
aggravating, and mitigating circumstances provide CMS with the
flexibility to set the assessment value appropriately given the nature
of the violation and the qualified entity's history with violations.
3. Notice of Determination
We looked to the relevant provisions in 42 CFR part 402 and Section
1128A of the Act to frame proposals regarding the specific elements
that would be included in the notice of determination. To that end, we
proposed at Sec. 401.719(d)(5)(ii) that the Secretary would provide
notice of a determination to a qualified entity by certified mail with
return receipt requested. The notice of determination would include
information on (1) the assessment amount, (2) the statutory and
regulatory bases for the assessment, (3) a description of the
violations upon which the assessment was proposed, (4) information
concerning response to the notice, and (5) the means by which the
qualified entity must pay the assessment if they do not intend to
request a hearing in accordance with procedures established at Section
1128A of the Act and implemented in 42 CFR part 1005. We did not
receive any comments on this proposal so are finalizing it without
modification.
4. Failure To Request a Hearing
We also looked to the relevant provisions in 42 CFR part 402 and
section 1128A of the Act to inform our proposals regarding what happens
when a hearing is not requested.
We proposed at Sec. 401.719(d)(5)(iii) that an assessment will
become final if a qualified entity does not request a hearing within 60
days of receipt of the notice of the proposed determination. At this
point, CMS would impose the proposed assessment. CMS would notify the
qualified entity, by certified mail with return receipt, of the
assessment and the means by which the qualified entity may pay the
assessment. Under these proposals, a qualified entity would not have
the right to appeal an assessment unless it has requested a hearing
within 60 days of receipt of the notice of the proposed determination.
We did not receive any comments on these proposals so are finalizing
them without modification.
5. When an Assessment Is Collectible
We again looked to the relevant provisions in 42 CFR part 402 and
section 1128A of the Act to inform our proposed policies regarding when
an assessment becomes collectible.
We proposed at Sec. 401.719(d)(5)(iv) that an assessment becomes
collectible after the earliest of the following situations: (1) On the
61st day after the qualified entity receives CMS's notice of proposed
determination under Sec. 401.719(d)(5)(ii), if the entity does not
request a hearing; (2) immediately after the qualified entity abandons
or waives its appeal right at any administrative level; (3) 30 days
after the qualified entity receives the Administrative Law Judge's
(ALJ) decision imposing an assessment under Sec. 1005.20(d), if the
qualified entity has not requested a review before the Department
Appeal Board (DAB); or (4) 60 days after the qualified entity receives
the DAB's decision imposing an assessment if the qualified entity has
not requested a stay of the decision under Sec. 1005.22(b). We did not
receive any comments on this proposal so are finalizing it without
modification.
6. Collection of an Assessment
We also looked to the relevant provisions in 42 CFR part 402 and
section 1128A of the Act in framing our proposals regarding the
collection of an Assessment.
We proposed at Sec. 401.719(d)(5)(v) that CMS be responsible for
collecting any assessment once a determination is made final by HHS. In
addition, we proposed that the General Counsel may compromise an
assessment imposed under this part, after consulting with CMS or Office
of Inspector General (OIG), and the Federal government may recover the
assessment in a civil action brought in the United States district
court for the district where the claim was presented or where the
qualified entity resides. We also proposed that the United States may
deduct the amount of an assessment when finally determined, or the
amount agreed upon in compromise, from any sum then or later owing the
qualified entity. Finally, we proposed that matters that were raised or
that could have been raised in a hearing before an ALJ or in an appeal
under section 1128A(e) of the Act may not be raised as a defense in a
civil action by the United States to collect an assessment. We did not
receive any comments on these proposals so are finalizing them without
modification.
F. Termination of Qualified Entity Agreement
We proposed at Sec. 401.721(a)(7) that CMS may unilaterally
terminate the qualified entity's agreement and trigger the data
destruction requirements in the CMS DUA if CMS determines through our
monitoring program at Sec. 401.717(a) and (b) that a qualified entity
or its contractor fails to monitor authorized users' compliance with
the terms of their QE DUAs or non-public analysis use agreements. We
stated in the proposed rule that we believe this proposed provision is
consistent with the intent of MACRA to ensure the protection of data
and analyses provided by qualified entities to authorized users under
this subpart.
Comment: One commenter stated that CMS should have a violation
corrections period prior to terminating a qualified entity. Another
commenter recommended that CMS carefully monitor all aspects of the
qualified entity program and related authorized user activities to
minimize the risk of unintended consequences.
Response: We currently have a process in place to require qualified
entities to develop a corrective action plan or to put qualified
entities on a special monitoring plan if we determine that the
qualified entity violated any terms of the program. In addition, we
already have a number of mechanisms in place to monitor qualified
entities participating in the program including audits, site visits,
and required reporting. We believe the additional annual reporting
elements described above will ensure that we can continue to monitor
qualified entities appropriately given the changes to the program. As a
result, we are finalizing our proposed language on termination of a
qualified entity's agreement at Sec. 401.721(a)(7).
G. Additional Data
Section 105(c) of MACRA expands, at the discretion of the
Secretary, the data that the Secretary may make available to qualified
entities, including standardized extracts of claims data under titles
XIX (Medicaid) and XXI (the Children's Health Insurance Program, CHIP)
for one or more specified geographic areas and time periods as may be
requested by the qualified entity. However, due to issues involving
Medicaid data submitted to CMS, including lack of data timeliness and
overall data quality, we proposed not to expand the data available to
qualified entities from CMS and instead suggested that qualified
entities would be better off seeking Medicaid and/or CHIP data through
the State Medicaid Agencies.
Comment: Many commenters recommended that CMS expand the data
available to qualified entities to include Medicaid and CHIP data.
These commenters noted the additional burden of having to request the
data from each state individually. On the other hand, one commenter
stated that they agreed with CMS' proposal not to expand access to
Medicaid and/or CHIP data.
Response: As some commenters noted, we have been working with
states to transform our Medicaid Statistical Information System (MSIS)
to address concerns regarding data timeliness and quality. This is
essential for the Medicaid program to keep pace with the data needed to
improve quality of care, track enrollment and utilization of services,
improve program integrity, and support states and other stakeholders'
need for information about Medicaid and CHIP. This new data set is
known as Transformed MSIS (T-MSIS). The T-MSIS data set contains
enhanced information about beneficiary eligibility, beneficiary and
provider enrollment, service utilization, claims and managed care data,
and expenditure data for Medicaid and CHIP. We are currently working
with states to help them transition from MSIS to T-MSIS.
We recognize commenters' interest in accessing Medicaid and CHIP
data from CMS rather than going to each state individually. We believe
that T-MSIS can create a framework for CMS collection of Medicaid and
CHIP data that addresses many of the concerns about the timeliness and
quality of the MSIS data that we raised in the proposed rule. As a
result, we anticipate future rulemaking to make Medicaid and CHIP data
available to qualified entities when the T-MSIS data becomes available
and is determined to be of sufficient quality for use in public
provider performance reporting.
Comment: One commenter suggested that CMS also allow qualified
entities to
request access to Medicare Advantage data.
Response: We believe section 1874(e)(3) of the Act only allows for
the disclosure of Medicare claims data under Parts A, B, and D, as well
as Medicaid and/or CHIP claims data.
H. Qualified Clinical Data Registries
Section 105(b) of MACRA allows qualified clinical data registries
to request access to Medicare data for the purposes of linking the data
with clinical outcomes data and performing risk-adjusted,
scientifically valid analyses, and research to support quality
improvement or patient safety. The CMS research data disclosure
policies already allow qualified clinical data registries to request
Medicare data for research purposes. More information on accessing CMS
data for research can be found on the ResDAC Web site at
www.resdac.org. Given the existing research request processes and
procedures, we proposed not to adopt any new policies or procedures
regarding qualified clinical data registries' access to Medicare claims
data for quality improvement or patient safety analyses.
Comment: Several commenters recommended that CMS offer qualified
clinical data registries an alternative path to the research request
process to allow them to access CMS data for quality improvement and
patient safety activities. Commenters stated that qualified clinical
data registries need data to conduct quality improvement activities
that will improve patient care and that, in many cases, this work is
not consistent with the research request process requirement that the
work contribute to generalizable knowledge.
Response: We recognize that the research request pathway may not be
consistent with types of analyses qualified clinical data registries
envision conducting using the CMS data. As a result, we are modifying
the regulations to allow qualified clinical data registries to serve as
quasi-qualified entities, provided the qualified clinical data registry
agrees to meet all the requirements in this subpart with the exception
of the requirement at Sec. 401.707(d) that the organization submit
information about the claims data it possesses from other sources. In
addition, for the purposes of qualified clinical data registries acting
as quasi-qualified entities under the qualified entity program
requirements, we define combined data as, at a minimum, a set of CMS
claims data provided under subpart G combined with clinical data or a
subset of clinical data. Since the language at section 105(b) of MACRA
does not reference section 1874(e)(4)(d) of the Act, which provides
parameters for the definition of combined data for the purposes of the
qualified entity program, we do not believe these requirements for
combined data apply to qualified clinical data registries serving as
quasi-qualified entities.
We believe that the requirements of the qualified entity program,
which was created to allow for provider performance reporting, also
create an appropriate framework for qualified clinical data registries
to conduct analyses to support quality improvement and patient safety.
In addition, we believe that the new parameters of the qualified entity
program, discussed in detail above, would allow qualified clinical data
registries to work directly with providers and suppliers on issues
related to quality improvement and patient safety. Qualified clinical
data registries could also elect to become qualified entities and work
with providers and suppliers in accordance with applicable laws to
develop new quality measures in the context of nonpublic analyses that
could then be used across the healthcare system to measure provider and
supplier performance.
Comment: Several commenters suggested that CMS make the Social
Security Death Master File available to qualified clinical data
registries to allow for enhanced accuracy of patient outcomes
information.
Response: We recognize that death information is a key aspect of
analyses of patient outcomes, but CMS does not have the authority to
disclose the Social Security Death Master File to qualified clinical
data registries. However, CMS has date of death information for
Medicare patients and we include this date of death information on the
data files that are shared with qualified entities and those that would
be shared with qualified clinical data registries.
I. Other Comments
We received several additional suggestions for improvements to the
program regarding topics that were not specifically discussed in the
preamble to the proposed rule.
Comment: Several commenters raised issues related to the qualified
entity application process. One commenter suggested CMS make the
application process and costs for becoming a qualified entity more
transparent. A few commenters suggested that CMS offer qualified
entities better technical assistance on the security certification step
of the approval process. One commenter recommended that CMS streamline
the application process for applicants that already have certifications
or accreditations that demonstrate a high level of security.
Response: We thank commenters for their feedback on the qualified
entity application process. We believe the issues raised by commenters
on this topic are outside the scope of this final rule. However, we are
always looking for ways to improve the program and will take these
comments into consideration.
Comment: Some commenters addressed general program requirements of
the qualified entity program. One commenter suggested that qualified
entities that focus on certain clinical conditions should not have to
meet the same threshold for amount of other claims data. Another
commenter recommended that CMS allow state-level public reporting in
the qualified entity program. A few commenters stated that CMS should
provide qualified entities with access to timelier Medicare data. One
commenter stated that some of the existing provisions in the CMS DUA
conflict with requirements in HIPAA, specifically the requirement to
destroy data if and when an organization leaves the program.
Response: We have not established a threshold for the minimum
amount of other claims an organization needs to become a qualified
entity. Instead, we ask applicants to explain how the data they do have
for use in the qualified entity program will be adequate to address
concerns about sample size and reliability that have been expressed by
stakeholders regarding the calculation of performance measures from a
single payer source. Each application is evaluated on its collective
merit, including the amount of claims data from other sources, and its
explanation of why that data in combination with the requested Medicare
data is adequate for the stated purposes of the program.
We also do not prohibit qualified entities from publicly reporting
their findings regarding provider and supplier performance at the
state-level. Qualified entities are allowed to report on providers and
suppliers at any level for which the measures can be used, provided the
statutory and regulatory requirements are met, including that no
patient information is disclosed.
We currently make data available to qualified entities on a quarterly
basis. We believe the timeliness of this data strikes the right balance
between data completeness and data timeliness.
Finally, we do not believe that requirements in the CMS DUA are
inconsistent with HIPAA. We use a very similar DUA to share data with
HIPAA-covered providers and suppliers who are participating in Innovation
Center models. We do recognize that some qualified entities may have
trouble incorporating the Medicare data into their data systems because
they may not be able to ensure the destruction of this data once it is
linked with other data maintained by the qualified entity. However, we
believe that requiring destruction of the data if a qualified entity
leaves the program is important for ensuring the privacy and security
of CMS data.
Comment: One commenter suggested that CMS clarify how FOIA may or
may not apply to data or reports submitted by qualified entities.
Another commenter recommended that CMS clarify how the changes to the
qualified entity program intersect with other statutory and regulatory
requirements.
Response: As we noted above, any information that we collect from
qualified entities is subject to FOIA. However, any time we receive a
request for information under FOIA, we always evaluate whether the
information is subject to one of the FOIA exemptions, including
Exemption 4, which protects commercial or financial information that is
privileged and confidential.
We are not able to address the breadth and scope of laws with which
the qualified entity program requirements may intersect in this rule.
Such analyses require case-by-case assessment of the facts at hand, and
depending on jurisdiction, may vary based on which state laws apply.
Entities should consult with their legal counsel to advise them on what
laws apply to them, and to what effect.
Comment: One commenter suggested that the release of Part D data to
qualified entities should be tailored to protect the viability of the
Part D program.
Response: We are committed to ensuring that commercially sensitive
information from the Part D program is protected. As we stated in the
previous final rule on the qualified entity program, published on
December 7, 2011, we are aware of the concerns related to, and
restrictions governing the release of certain Part D drug cost
information. Due to these concerns, we only release the Total Drug Cost
element to qualified entities. We do not release the four subcomponents
of drug cost: Ingredient cost, dispensing fee, vaccine administration
fee, and total amount attributable to sales tax.
Comment: One commenter stated that the rule does not address how
states that have all payer claims databases (APCDs) can access Medicare
data.
Response: We do not believe that state APCDs are prohibited from
becoming qualified entities. However, state APCDs with an interest in
conducting research rather than provider performance reporting can also
request data from CMS via the research request process. Organizations
interested in accessing CMS data for research should visit
www.resdac.org.
Comment: One commenter stated that CMS should adopt a new version
of the claims form that includes a field for unique device identifiers.
Response: This comment is outside the scope of the qualified entity
rule. That said, CMS uses claims that comply with the HIPAA standard
transactions regulations (45 CFR part 162). Any changes to forms would
be achieved through rulemaking under those provisions.
Comment: Several commenters stated that they had concerns about the
security of the Medicare data.
Response: We are committed to ensuring the privacy and security of
all data and we believe the existing and new program requirements
create an appropriate framework for maintaining the security of data
disclosed to qualified entities. Organizations applying to become
qualified entities currently go through a rigorous security review
during the application process. In addition, we monitor qualified
entities closely to ensure that they continue to maintain appropriate
data security standards once approved. As discussed above, we have also
established data security protections that qualified entities must meet
when sharing data with authorized users, including a requirement that
the authorized user report any breaches to the qualified entity (and
that the qualified entity report the breaches to CMS).
Comment: Several commenters recommended that CMS clarify that
organizations already approved as qualified entities would be allowed
to begin using the Medicare data for the uses described in this final
rule, regardless of whether the qualified entity has generated a public
report.
Response: We would like to clarify that once these regulations
become effective, organizations approved as qualified entities will be
allowed to use the Medicare data to create non-public analyses and
provide or sell such analyses to authorized users, as well as provide or
sell combined data, or provide Medicare claims data alone at no cost,
to certain authorized users. However, we believe that public reporting
is a very important aspect of participation in the qualified entity
program and would like to remind qualified entities about the provision
at Sec. 401.709(d) which requires qualified entities to produce public
reports at least annually.
III. Provisions of the Final Rule
For the most part, this final rule incorporates the provisions of
the proposed rule. Those provisions of this final rule that differ from
the proposed rule are as follows:
We modified the definition of authorized user at Sec.
401.703(j) to: Include a federal agency, change the term ``state
agency'' to ``state entity'' to provide additional clarity, and include
any contractors (or business associates) that need analyses or data to
carry out work on behalf of authorized user third parties.
We modified the definition of hospital association at
Sec. 401.703(n) to include organizations or associations at the local
level.
At Sec. 401.703(r), we modified the definition of patient
to extend the window for a face-to-face or telehealth appointment to at
least once in the past 24 months.
We added activities that qualify as treatment under 45 CFR
164.501 to permitted uses of the data subject to the QE DUA.
We modified the terms of the QE DUA to permit authorized
users to re-disclose data subject to the QE DUA as a covered entity
would be permitted to disclose PHI for treatment activities, as allowed
under 45 CFR 164.506(c)(2).
At Sec. 401.716(b)(2), we modified the requirements to
clarify that a qualified entity may not provide or sell a non-public
analysis to an issuer for a geographic area where the issuer does not
provide coverage and, thus, does not have any covered lives to
contribute to the analyses.
At Sec. 401.716(b)(4)(iii), we allowed for the disclosure
of non-public analyses that individually identify a provider or
supplier if every provider or supplier identified in the analysis has
notified the qualified entity that analyses may be disclosed to that
authorized user without prior review by the provider or supplier.
We added a procedural step to the review and error
correction process for non-public analyses at Sec. 401.717(f) to
include confidential notification of the provider or supplier.
We added a new provision at Sec. 401.722(a) to allow a
qualified clinical data registry that agrees to meet the requirements
in this subpart, with the exception of the requirement to submit
information on the claims data from other sources it possesses, to
request
access to Medicare data as a quasi-qualified entity.
IV. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995, we are required to
provide 30-day notice in the Federal Register and solicit public
comment before a collection of information requirement is submitted to
the Office of Management and Budget (OMB) for review and approval. In
order to fairly evaluate whether an information collection should be
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act
of 1995 requires that we solicit comment on the following issues:
The need for the information collection and its usefulness
in carrying out the proper functions of our agency.
The accuracy of our estimate of the information collection
burden.
The quality, utility, and clarity of the information to be
collected.
Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
We solicited public comment on each of these issues for the
following sections of this document that contain information collection
requirements (ICRs).
Proposed Sec. 401.718(c) and Sec. 401.716(b)(2)(ii) require a
qualified entity to enter into a QE DUA with an authorized user prior
to providing or selling data or selling a non-public analysis that
contains individually identifiable beneficiary information. Proposed
Sec. 401.713(d) requires specific provisions in the QE DUA. Proposed
Sec. 401.716(c) requires a qualified entity to enter into a non-public
analyses agreement with the authorized user as a pre-condition to
providing or selling de-identified analyses. We estimate that it will
take each qualified entity a total of 40 hours to develop the QE DUA
and non-public analyses agreement. Of the 40 hours, we estimate it will
take a professional/technical services employee with an hourly labor
cost of $75.08 a total of 20 hours to develop both the QE DUA and non-
public analyses agreement and estimate that it will require a total of
20 hours of legal review at an hourly labor cost of $77.16 for both the
QE DUA and non-public analyses agreement. We also estimate that it will
take each qualified entity 2 hours to process and maintain each QE DUA
or non-public analyses agreement with an authorized user by a
professional/technical service employee with an hourly labor cost of
$75.08. While there may be two different staff positions that perform
these duties (one that is responsible for processing the QE DUAs and/or
non-public analyses agreement and one that is responsible for
maintaining the QE DUA and/or non-public analyses agreement), we
believe that both positions would fall under the professional/technical
services employee labor category with an hourly labor cost of $75.08.
There are currently 15 qualified entities; however we estimate that
number will increase to 20 if these proposals are finalized. This
number includes qualified entities and ``quasi qualified entities''
(meaning qualified clinical data registries that are approved under
Sec. 401.722(a) as described in this preamble), which we hereinafter
collectively refer to as ``qualified entity''. This would mean that to
develop each QE DUA and non-public analysis agreement, the burden cost
per qualified entity would be $3,045 with a total estimated burden for
all 15 qualified entities of $45,675. This does not include the two
hours to process and maintain each QE DUA.
As discussed in the regulatory impact analysis below, we estimate
that each qualified entity would need to process and maintain 70 QE
DUAs or non-public analyses agreements as some authorized users may
receive both datasets and a non-public analysis and would only need to
execute one QE DUA. We estimate that it will take each qualified entity
2 hours to process and maintain each QE DUA or non-public analyses
agreement. This would mean the burden cost per qualified entity to
process and maintain 70 QE DUAs or non-public analyses agreements would
be $10,511 with a total estimated burden for all 15 qualified entities
of $157,668. While we anticipate that the requirement to create a QE
DUA and/or non-public analyses agreement will only be incurred once by
a qualified entity, we believe that the requirement to process and
maintain the QE DUAs and/or non-public analyses will be an ongoing
cost.
These regulations would also require a qualified entity to submit
additional information as part of its annual report to CMS. A qualified
entity is currently required to submit an annual report to CMS under
Sec. 401.719(b). Proposed Sec. 401.719(b)(3) and (4) provide for
additional reporting requirements if a qualified entity chooses to
provide or sell analyses and/or data to authorized users. The burden
associated with this requirement is the time and effort necessary to
gather, process, and submit the required information to CMS. As noted
above, there are currently 15 qualified entities; however we estimate
that number will increase to 20 if these proposals are finalized. Some
qualified entities may not want to bear the risk of the potential
assessments and have been able to accomplish their program goals under
other CMS data sharing programs, therefore some qualified entities may
not elect to provide or sell analyses and/or data to authorized users.
As a result, we estimate that 15 qualified entities will choose to
provide or sell analyses and/or data to authorized users, and
therefore, would be required to comply with these additional reporting
requirements within the first three years of the program. We further
estimate that it would take each qualified entity 50 hours to gather,
process, and submit the required information. We estimate that it will
take each qualified entity 34 hours to gather the required information,
15 hours to process the information, and 1 hour to submit the
information to CMS. We believe a professional or technical services
employee of the qualified entity with an hourly labor cost of $75.08
will fulfill these additional annual report requirements. We estimate
that 15 qualified entities will need to comply with this requirement
and that the total estimated burden associated with this requirement is
$56,310. We requested comment on the type of employee and the number of
hours that will be needed to fulfill these additional annual reporting
requirements.
As a reminder, the final rule for the qualified entity program,
published December 7, 2011, included information about the burden
associated with the provisions in that rule. Specifically, Sec. Sec.
401.705 through 401.709 provide the application and reapplication
requirements for qualified entities. The burden associated with these
requirements is currently approved under OMB control number 0938-1144
with an expiration date of May 31, 2018. This package accounts for 35
responses. Section 401.713(a) states that as part of the application
review and approval process, a qualified entity would be required to
execute a DUA with CMS, that among other things, reaffirms the
statutory bar on the use of Medicare data for purposes other than those
referenced above. The burden associated with executing this DUA is
currently approved under OMB control number 0938-0734 with an
expiration date of December 31, 2017. This package accounts for 9,240
responses (this package covers all CMS DUAs, not only DUAs under the
qualified entity program). We currently have 15 qualified entities and
estimate it will increase to 20 so we have not surpassed the previously
approved numbers.
We based the hourly labor costs on those reported by the Bureau of
Labor
Statistics (BLS) at https://data.bls.gov/pdq/querytool.jsp?survey=ce for
this labor category. We used the annual rate for 2014 and added 100
percent for overhead and fringe benefit costs.
Table 1--Collection of Information
------------------------------------------------------------------------------------------------------------------------------------------------
                                                                  Number of      Burden per  Total annual  Hourly labor  Total labor
Regulation section(s)                   OMB Control  Number of    responses per  response    burden        cost of       cost of      Total cost
                                        No.          respondents  respondent     (hours)     (hours)       reporting     reporting    ($)
                                                                                                           ($) *         ($)
------------------------------------------------------------------------------------------------------------------------------------------------
Sec. 401.718, Sec. 401.716, and         0938 New     15           1              20          300           75.08         22,524       22,524
  Sec. 401.713 (DUA and non-public
  analyses agreement Development)
Sec. 401.718 and Sec. 401.716           0938 New     15           1              20          300           77.16         23,148       23,148
  (Legal Review)
Sec. 401.718 and Sec. 401.716           0938 New     15           70             2           2,100         75.08         157,668      157,668
  (Processing and Maintenance)
Sec. 401.719(b)                         0938 New     15           1              50          750           75.08         56,310       56,310
------------------------------------------------------------------------------------------------------------------------------------------------
Total                                   ...          15           73             ...         3,450         ...           ...          259,650
------------------------------------------------------------------------------------------------------------------------------------------------
* The values listed are based on 100 percent overhead and fringe benefit calculations.
Note: There are no capital/maintenance costs associated with the information collection requirements contained in this rule; therefore, we have removed
the associated column from Table 1.
If you comment on these information collection and recordkeeping
requirements, please submit your comments to the Office of Information
and Regulatory Affairs, Office of Management and Budget,
Attention: CMS Desk Officer, CMS-5061-F
Fax: (202) 395-6974; or
Email: OIRA_submission@omb.eop.gov
V. Regulatory Impact Statement
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
A. Response to Comments
We received a few comments on the anticipated effects of these
modifications to the qualified entity program.
Comment: One commenter suggested that it would take each qualified
entity an estimated 60 hours to develop and review the QE DUA and non-
public analyses agreement. Of those 60 hours, 30 hours would be to
develop the QE DUA and non-public analyses agreement and 30 would be
needed for legal review. In addition, the commenter estimated that it
would take each qualified entity 3 hours to process and maintain each
QE DUA and non-public analyses agreement.
Response: In the proposed rule, we estimated that it would take
each qualified entity 40 hours to develop and review the QE DUA and
non-public analyses agreement. Of those 40 hours, 20 hours would be
needed to develop the QE DUA and non-public analyses agreement and 20
hours would be needed for legal review. We also estimated that it would
take 2 hours to process and maintain each QE DUA and non-public
analyses agreement. We recognize that some qualified entities may spend
more hours than other qualified entities to develop, process, and
maintain QE DUAs and non-public analyses agreements. For example, some
qualified entities may spend 60 hours to develop the QE DUA and non-
public analyses agreement and other qualified entities will spend 30
hours. However, we believe that 40 hours to develop the QE DUA and the
non-public analyses agreement and 2 hours to process each QE DUA and
the non-public analyses agreement is a reasonable average.
Comment: We received a few comments about the impact on providers
and suppliers. One commenter suggested that CMS reconsider the
assumption that all 1500 small rural hospitals would not be impacted by
this rule and that the 3 hour average estimate for providers and
suppliers to review non-public analyses appears too low. Another
commenter suggested that CMS monitor provider burden as expanded data
access unfolds and the number of qualified entities and authorized
users begin to grow.
Response: We appreciate commenters' concerns about the potential
impact on providers and suppliers. As discussed above in section
II.A.4, we made procedural changes to the proposed review and
corrections process for non-public analyses in order to reduce burden
to both qualified entities and providers and suppliers. As a first step
of the review and correction process, the qualified entity would be
required to notify the provider or supplier that analyses that
individually identify the provider or supplier are going to be released
to an authorized user and allow the provider or supplier to opt-in to
the review and corrections process at Sec. 401.717(a) through (e).
This notification should include a short summary of the analyses, the
process for the provider or supplier to request the analyses, and the
date on which the qualified entity will release the analyses to the
authorized user. This date should be at least 65 calendar days from the
date the provider or supplier is notified of the analyses.
Given these procedural changes to the review and corrections
process in the context of the non-public analyses, we believe that the
3 hours average estimate for providers and suppliers to review non-
public analyses is a sufficient estimate of provider and supplier
burden. This average takes into account the range of potential cases
given the new review and corrections process. In some cases, for
example, notification may be sufficient to meet the needs of providers
or suppliers. In other cases, however, where the analyses are similar
to previous analyses or use data the provider or supplier has already
corrected, the provider or supplier may choose not to review the
analyses. In addition, as discussed in the proposed rule, even if a
provider or supplier requests the non-public analyses, there will be
variability in the amount of time providers or suppliers will need for
the review and corrections process.
As discussed in the proposed rule, we do not anticipate this rule
will have a significant impact on the operations of a substantial
number of small rural hospitals because we anticipate that most
qualified entities will focus their performance evaluation efforts on
metropolitan areas where the majority of health services are provided.
In addition, given the limited number of health services provided in
rural regions, we anticipate that any analyses that included rural
regions would not individually identify the providers or suppliers, but
rather focus on regional or state metrics. As suggested by a commenter,
we will monitor provider burden as the number of qualified
entities grows and more non-public analyses are provided to authorized
users.
B. Overall Impact
We have examined the impacts of this rule as required by Executive
Order 12866 on Regulatory Planning and Review (September 30, 1993), the
Regulatory Flexibility Act (RFA) (September 19, 1980, 96), section
1102(b) of the Act, section 202 of the Unfunded Mandates Reform Act of
1995 (Pub. L. 104-4), Executive Order 13132 on Federalism (August 4,
1999), and the Congressional Review Act (5 U.S.C. 804(2)).
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). A regulatory impact
analysis (RIA) must be prepared for major rules with economically
significant effects ($100 million or more in any 1 year). For the
reasons discussed below, we estimate that the total impact of this
final rule will be less than $58 million and therefore, it will not
reach the threshold for economically significant effects and is not
considered a major rule.
The RFA requires agencies to analyze options for regulatory relief
of small businesses, if a rule has a significant impact on a
substantial number of small entities. For purposes of the RFA, we
estimate that most hospitals and most other providers are small
entities as that term is used in the RFA (including small businesses,
nonprofit organizations, and small governmental jurisdictions).
However, since the total estimated impact of this rule is less than
$100 million, and the total estimated impact will be spread over 82,500
providers and suppliers (who are the subject of reports), no one entity
will face significant impact. Of the 82,500 providers, we estimate that
78,605 will be physician offices that have average annual receipts of
$11 million and 4,125 will be hospitals that have average annual
receipts of $38.5 million. As discussed below, the estimated cost per
provider is $8,426 (see table 5 below) and the estimated cost per
hospital is $6,523 (see table 5 below). For both types of entities,
these costs will be a very small percentage of overall receipts. Thus,
we are not preparing an analysis of options for regulatory relief of
small businesses because we have determined that this rule will not
have a significant economic impact on a substantial number of small
entities.
For section 105(a) of MACRA, we estimate that two types of entities
may be affected by the additional program opportunities: Qualified
entities that choose to provide or sell non-public analyses or data to
authorized users; and providers and suppliers who are identified in the
non-public analyses created by qualified entities and provided or sold
to authorized users.
We anticipate that most providers and suppliers that may be
identified in qualified entities' non-public analyses will be hospitals
and physicians. Many hospitals and most other healthcare providers and
suppliers are small entities, either by being nonprofit organizations
or by meeting the Small Business Administration definition of a small
business (having revenues of less than $38.5 million in any 1 year)
(for details see the Small Business Administration's Web site at
https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf;
refer to the 620000 series). For purposes of the RFA, physicians are
considered small businesses if they generate revenues of $11 million or
less based on Small Business Administration size standards.
Approximately 95 percent of physicians are considered to be small
entities.
The analysis and discussion provided in this section and elsewhere
in this final rule complies with the RFA requirements. Because we
acknowledge that many of the affected entities are small entities, the
analysis discussed throughout the preamble of this final rule
constitutes our regulatory flexibility analysis for the remaining
provisions and addresses comments received on these issues.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis, if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. Any
such regulatory impact analysis must conform to the provisions of
section 604 of the RFA. For purposes of section 1102(b) of the Act, we
define a small rural hospital as a hospital that is located outside of
a metropolitan statistical area and has fewer than 100 beds. We do not
believe this final rule has a significant impact on the operations of a
substantial number of small rural hospitals because we anticipate that
most qualified entities will focus their performance evaluation efforts
on metropolitan areas where the majority of health services are
provided. As a result, this rule will not have a significant impact on
small rural hospitals. Therefore, the Secretary has determined that
this final rule will not have a significant impact on the operations of
a substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any 1 year of $100
million in 1995 dollars, updated annually for inflation. In 2016, that
threshold is approximately $146 million. This final rule will not
impose spending costs on state, local, or tribal governments in the
aggregate, or by the private sector, of $146 million or more.
Specifically, as explained below we anticipate the total impact of this
rule on all parties to be approximately $58 million.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on State
and local governments, preempts State law, or otherwise has Federalism
implications. We have examined this final rule in accordance with
Executive Order 13132 and have determined that this regulation will not
have any substantial direct effect on State or local governments,
preempt States, or otherwise have a Federalism implication.
C. Anticipated Effects
1. Impact on Qualified Entities
Because section 105(a) of MACRA allows qualified entities to use
the data in new ways to provide or sell non-public analyses or data to
authorized users, there is little quantitative information to inform
our estimates on the number of analyses and datasets that the qualified
entity may provide or sell or on the costs associated with the
creation of the non-public analyses or datasets. Therefore, we look to
the estimates from the original qualified entity rules to estimate the
number of hours that it may take to create non-public analyses, to
process provider/supplier appeals and revisions, and to complete annual
reports. We also looked to the Centers for Medicare & Medicaid Services' cost
of providing data to qualified entities since qualified entities' data
fees are equal to the government's cost to make the data available.
There are currently 15 qualified entities and these qualified
entities all are in different stages of the qualified entity program.
For example, some qualified entities have released public reports and
some qualified entities are
still completing the security requirements in order to receive Medicare
data. Given the requirements in the different phases and the current
status of the qualified entities, we estimate that 11 qualified
entities will be able to provide or sell analyses and/or data to
authorized users within the first year of the program, and therefore,
will be incurring extra costs. As discussed above, we believe the total
number of qualified entities will ultimately grow to 20 in subsequent
years, with 15 entities providing or selling analyses and/or data to
authorized users. In estimating qualified entity impacts, we used
hourly labor costs in several labor categories reported by the Bureau
of Labor Statistics (BLS) at https://data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual rates for 2014 and added
100 percent for overhead and fringe benefit costs. These rates are
displayed in Table 2.
Table 2--Labor Rates for Qualified Entity Impact Estimates
------------------------------------------------------------------------------------------
                                        2014 Hourly wage    OH and fringe     Total hourly
                                        rate (BLS)          (100%)            costs
------------------------------------------------------------------------------------------
Professional and technical services     $37.54              $37.54            $75.08
Legal review                            38.58               38.58             77.16
Custom computer programming             43.05               43.05             86.10
Data processing and hosting             34.02               34.02             68.04
Other information services              39.72               39.72             79.44
------------------------------------------------------------------------------------------
We estimate that within the first year 11 qualified entities
will provide or sell on average 55 non-public analyses or provide or
sell 35 datasets. We do not believe the number of datasets and non-
public analyses per qualified entity will change in future years of the
program.
In the original proposed rule for the qualified entity program (76
FR 33566), we estimated that each qualified entity's activities to
analyze the Medicare claims data, calculate performance measures and
produce public provider performance reports will require 5,500 hours of
effort per qualified entity. We anticipate under this final rule that
implements section 105(a) of MACRA that qualified entities will base
the non-public analyses on their public performance reports. Therefore,
the creation of the non-public analyses will require much less effort
and only require a fraction of the time it takes to produce the public
reports. We estimate that a qualified entity's activities for each non-
public analysis to analyze the Medicare claims data, calculate
performance measures, and produce the report will require 320 hours,
between five and six percent of the time to produce the public reports.
We anticipate that half of this time will be spent on data analysis,
measure calculation, and report creation and the other half on data
processing.
We anticipate that within the first year of the program a qualified
entity will, on average, provide one-year datasets containing all data
types for a cohort of 750,000 to 1.75 million beneficiaries to 35
authorized users. We estimate that it will require 226 hours to create
each dataset that will be provided to an authorized user. We looked to
the Centers for Medicare & Medicaid Services' data costs and time to
estimate a qualified entity's costs and time to create datasets. While
the majority of the time will be devoted to computer processing, we
anticipate about 100 hours will be spent on computer programming,
particularly if the qualified entity is de-identifying the data.
We further estimate that, on average, each qualified entity will
expend 7,500 hours of effort processing providers' and suppliers'
appeals of their performance reports and producing revised reports,
including legal review of the appeals and revised reports. These
estimates assume that, as discussed below in the section on provider
and supplier impacts, on average 25 percent of providers and suppliers
will appeal their results from a qualified entity. Responding to these
appeals in an appropriate manner will require a significant investment
of time on the part of qualified entities. This equates to an average
of four hours per appeal for each qualified entity. These estimates are
similar to those in the Qualified Entities final rule. We assume that
the complexity of appeals will vary greatly, and as such, the time
required to address them will also vary greatly. Many appeals may be
able to be dealt with in an hour or less while some appeals may require
multiple meetings between the qualified entity and the affected
provider or supplier. On average, however, we believe that this is a
reasonable estimate of the burden of the appeals process on qualified
entities. We discuss the burden of the appeals process on providers and
suppliers below.
We estimate that each qualified entity will spend 40 hours creating
a non-public analyses agreement template and a QE DUA. We also estimate
that it will take a qualified entity 2 hours to process a QE DUA or
non-public analyses agreement.
Finally, we estimate that each qualified entity will spend 50 hours
on the additional annual reporting requirements.
Qualified entities will be required to notify CMS of inappropriate
disclosures or use of beneficiary identifiable data pursuant to the
requirements in the CMS DUA. We believe that the report generated in
response to an inappropriate disclosure or use of beneficiary
identifiable data will be generated as a matter of course by the
qualified entities and therefore, will not require significant
additional effort. Based on the assumptions we have described, we
estimate the total impact on qualified entities for the first year of
the program to be a cost of $27,925,198.
Table 3--Impact on Qualified Entities for the First Year of the Program
---------------------------------------------------------------------------------------------------------------------------------------------
                                      Hours
                                      ----------------------------------------------
                                      Professional          Computer     Data        Labor    Cost per    Number of   Number of  Total cost
Activity                              and technical Legal   programming  processing  hourly   authorized  authorized  qualified  impact
                                                                         and hosting cost     user        users       entities
---------------------------------------------------------------------------------------------------------------------------------------------
Dissemination of Data
---------------------------------------------------------------------------------------------------------------------------------------------
Data processing & hosting             ...           ...     ...          126         $68.04   $8,573      35          11         $3,300,620
Computer programming                  ...           ...     100          ...         86.10    8,610       35          11         3,314,850
Total: Dissemination of Data          ...           ...     ...          ...         ...      ...         ...         ...        $6,615,470
---------------------------------------------------------------------------------------------------------------------------------------------
Non-Public Analyses
---------------------------------------------------------------------------------------------------------------------------------------------
Data analysis/measure calculation/    ...           ...     160          ...         86.10    13,776      55          11         8,334,480
  report preparation
Data Processing and hosting           ...           ...     ...          160         68.04    10,886      55          11         6,586,272
Total: Non-public Analyses            ...           ...     ...          ...         ...      ...         ...         ...        14,920,752
---------------------------------------------------------------------------------------------------------------------------------------------
Processing of Provider Appeals and Report Revision
---------------------------------------------------------------------------------------------------------------------------------------------
Qualified entity processing of        5,500         ...     ...          ...         75.08    412,940     ...         11         4,542,340
  provider appeals and report
  revision
Qualified entity legal analysis of    ...           2,000   ...          ...         77.16    154,320     ...         11         1,697,520
  provider appeals and report
  revisions
Total: Qualified entity processing    ...           ...     ...          ...         ...      ...         ...         ...        6,239,860
  of provider appeals and report
  revision
---------------------------------------------------------------------------------------------------------------------------------------------
QE DUA and Non-Public Analyses Agreements
---------------------------------------------------------------------------------------------------------------------------------------------
QE DUA and Non-public analyses:
  Development of the QE DUA and       20            ...     ...          ...         75.08    1502        ...         11         16,518
    non-public analyses agreement
  Legal review of the QE DUA and      ...           20      ...          ...         77.16    1,543       ...         11         16,975
    non-public analyses agreement
  Processing QE DUA and non-public    2             ...     ...          ...         75.08    150         70          11         115,623
    analyses agreement
  Total QE DUA and non-public         ...           ...     ...          ...         ...      ...         ...         ...        149,116
    analyses agreements
Additional Annual Report              50            ...     ...          ...         75.08    3,754       ...         11         41,294
  Requirements
Total qualified entity Impacts        ...           ...     ...          ...         ...      ...         ...         ...        27,966,492
---------------------------------------------------------------------------------------------------------------------------------------------
2. Impact on Healthcare Providers and Suppliers
We note that numerous healthcare payers, community quality
collaboratives, States, and other organizations are producing
performance measures for healthcare providers and suppliers using data
from other sources, and that providers and suppliers are already
receiving performance reports from these sources. We anticipate that
the review of non-public analyses will merely be added to those
existing efforts to improve the statistical validity of the measure
findings.
Table 4 reflects the hourly labor rates used in our estimate of the
impacts of the first year of section 105(a) of MACRA on healthcare
providers and suppliers.
Table 4--Labor Rates for Provider and Supplier Impact Estimates
------------------------------------------------------------------------
                         2014 Hourly    Overhead and      Total hourly
                         wage rate      fringe benefits   costs
                         (BLS)          (100%)
------------------------------------------------------------------------
Physicians' offices      $38.27         $38.27            $76.54
Hospitals                29.65          29.65             59.30
------------------------------------------------------------------------
We anticipate that the impacts on providers and suppliers consist
of costs to review the performance reports generated by qualified
entities and, if they choose, appeal the performance calculations. We
believe, on average, each qualified entity will produce non-public
analyses that in total include information on 7,500 health providers
and suppliers. This is based on estimates in the qualified entity final
rule, but also includes an increase of 50 percent because we believe
that more providers and suppliers will be included in the non-public
analyses. We anticipate that the largest proportion of providers and
suppliers will be physicians because they comprise the largest group of
providers and suppliers, and are a primary focus of many recent
performance evaluation efforts. We also believe that many providers and
suppliers will be the recipients of the non-public analyses in order to
support their own performance improvement activities, and therefore,
there will be no requirement for a correction or appeals process. As
discussed above, there is no requirement for a corrections or appeals
process where the analysis only individually identifies the (singular)
provider or supplier who is being provided or sold the analysis. Based
on our review of information from existing programs, we assume that 95
percent of the recipients of performance reports (that is, an average
of 7,125 per qualified entity) will be physicians, and 5 percent (that
is, an average of 375 per qualified entity) will be hospitals and other
suppliers. Providers and suppliers receive these reports with no
obligation to review them, but we assume that most will do so to verify
that their calculated performance measures reflect their actual
patients and health events. Because these non-public analyses will be
based on the same underlying data as the public performance reports, we
estimate that it will take less time for providers or suppliers to
review these analyses and generate an appeal. We estimate that, on
average, each provider or supplier will devote three hours to reviewing
these analyses. We also estimate that 25 percent of the providers and
suppliers will decide to appeal their performance calculations, and
that preparing the appeal will involve an average of seven hours of
effort on the part of a provider or supplier. As with our assumptions
regarding the level of effort required by qualified entities in
operating the appeals process, we believe that this average covers a
range of provider efforts from providers who will need just one or two
hours to clarify any questions or concerns regarding their performance
reports to providers who will devote significant time and resources to
the appeals process.
Using the hourly costs displayed in Table 4, the impacts on
providers and suppliers are calculated below in Table 5. Based on the
assumptions we have described, we estimate the total impact on
providers for the first year of the program to be a cost of
$29,690,386.
As stated above in Table 3, we estimate the total impact on
qualified entities to be a cost of $27,966,492. Therefore, the total
impact on qualified entities and on providers and suppliers for the
first year of the program is estimated to be $57,656,878.
Table 5--Impact on Providers and Suppliers for the First Year of the Program
------------------------------------------------------------------------------------------------------------------------
                                                  Hours per provider
                                                  ---------------------
                                                  Physician             Labor    Cost per  Number of  Number of  Total cost
Activity                                          offices    Hospitals  hourly   provider  providers  qualified  impact
                                                                        cost               per        entities
                                                                                           qualified
                                                                                           entity
------------------------------------------------------------------------------------------------------------------------
Physician office review of performance reports    3          ...        $76.54   $230      7,125      11         $18,026,250
Hospital review of performance reports            ...        3          59.30    178       375        11         734,250
Physician office preparing and submitting appeal  7          ...        76.54    536       1,781      11         10,500,776
  requests to qualified entities
Hospital preparing and submitting appeal requests ...        7          59.30    415       94         11         429,110
  to qualified entities
Total Impact on Providers and Suppliers           ...        ...        ...      ...       ...        ...        29,690,386
------------------------------------------------------------------------------------------------------------------------
D. Alternatives Considered
The statutory provisions added by section 105(a) of MACRA are
detailed and prescriptive about the permissible uses of the data under
the Qualified Entity Program. We believe there are limited approaches
that will ensure statutory compliance. We considered less prescriptive
requirements on the provisions that will need to be included in the
agreements between qualified entities and authorized users that
received or purchased analyses or data. For example, we could have
required less strenuous data privacy and security protections such as
not setting a minimum standard for protection of beneficiary
identifiable data or non-public analyses. In addition, we could have
reduced additional restrictions on re-disclosure or permitted data or
analyses to be re-disclosed to additional downstream users. While these
approaches might reduce costs for qualified entities, we did not adopt
such an approach because of the importance of protecting beneficiary
data. We believe if we do not require qualified entities to provide
sufficient evidence of data privacy and security protection
capabilities, there will be increased risks related to the protection
of beneficiary identifiable data.
E. Conclusion
As explained above, we estimate the total impact for the first year
of the program on qualified entities and providers to be a cost of
$57,656,878. While we anticipate the number of qualified entities to
increase slightly, we do not anticipate significant growth in the
qualified entity program given the qualified entity program
requirements, as well as other existing programs that allow entities to
obtain Medicare data. Based on these estimates, we conclude this final
rule does not reach the threshold for economically significant effects
and thus is not considered a major rule.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
List of Subjects in 42 CFR Part 401
Claims, Freedom of information, Health facilities, Medicare,
Privacy.
For the reasons set forth in the preamble, the Centers for Medicare
& Medicaid Services amends 42 CFR part 401 as set forth below:
PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 401 is revised to read as follows:
Authority: Secs. 1102, 1871, and 1874(e) of the Social Security
Act (42 U.S.C. 1302, 1395hh, and 1395w-5) and sec. 105, Pub. L. 114-
10, 129 Stat. 87.
2. Section 401.703 is amended by adding paragraphs (j) through (u) to
read as follows:
Sec. 401.703 Definitions.
* * * * *
(j) Authorized user is a third party and its contractors
(including, where applicable, business associates as that term is
defined at 45 CFR 160.103) that need analyses or data covered by this
section to carry out work on behalf of that third party (meaning not
the qualified entity or the qualified entity's contractors) to whom/
which the qualified entity provides or sells data as permitted under
this subpart. Authorized user third parties are limited to the
following entities:
(1) A provider.
(2) A supplier.
(3) A medical society.
(4) A hospital association.
(5) An employer.
(6) A health insurance issuer.
(7) A healthcare provider and/or supplier association.
(8) A state entity.
(9) A federal agency.
(k) Employer has the same meaning as the term ``employer'' as
defined in section 3(5) of the Employee Retirement Insurance Security
Act of 1974.
(l) Health insurance issuer has the same meaning as the term
``health insurance issuer'' as defined in section 2791 of the Public
Health Service Act.
(m) Medical society means a nonprofit organization or association
that provides unified representation and advocacy for physicians at the
national or state level and whose membership is comprised of a majority
of physicians.
(n) Hospital association means a nonprofit organization or
association that provides unified representation and advocacy for
hospitals or health systems at a national, state, or local level and
whose membership is comprised of a majority of hospitals and health
systems.
(o) Healthcare Provider and/or Supplier Association means a
nonprofit organization or association that provides unified
representation and advocacy for providers and suppliers at the national
or state level and whose membership is comprised of a majority of
suppliers or providers.
(p) State Entity means any office, department, division, bureau,
board, commission, agency, institution, or committee within the
executive branch of a state government.
(q) Combined data means, at a minimum, a set of CMS claims data
provided under this subpart combined with claims data, or a subset of
claims data from at least one of the other claims data sources
described in Sec. 401.707(d).
(r) Patient means an individual who has visited the provider or
supplier for a face-to-face or telehealth appointment at least once in
the past 24 months.
(s) Marketing means the same as the term ``marketing'' at 45 CFR
164.501 without the exception to the bar for ``consent'' based
marketing.
(t) Violation means a failure to comply with a requirement of a CMS
DUA (CMS data use agreement) or QE DUA (qualified entity data use
agreement).
(u) Required by law means the same as the phrase ``required by
law'' at 45 CFR 164.103.
3. Section 401.713 is amended by revising paragraph (a) and adding
paragraph (d) to read as follows:
Sec. 401.713 Ensuring the privacy and security of data.
(a) Data use agreement between CMS and a qualified entity. A
qualified entity must comply with the data requirements in its data use
agreement with CMS (hereinafter the CMS DUA). Contractors (including,
where applicable, business associates) of qualified entities that are
anticipated to have access to the Medicare claims data or beneficiary
identifiable data in the context of this program are also required to
execute and comply with the CMS DUA. The CMS DUA will require the
qualified entity to maintain privacy and security protocols throughout
the duration of the agreement with CMS, and will ban the use or
disclosure of Medicare data or any derivative data for purposes other
than those set out in this subpart. The CMS DUA will also prohibit the
use of unsecured telecommunications to transmit such data, and will
specify the circumstances under which such data must be stored and may
be transmitted.
* * * * *
(d) Data use agreement between a qualified entity and an authorized
user. In addition to meeting the other requirements of this subpart,
and as a pre-condition of selling or disclosing any combined data or
any Medicare claims data (or any beneficiary-identifiable derivative
data of either kind) and as a pre-condition of selling or disclosing
non-public analyses that include individually identifiable beneficiary
data, the qualified entity must enter a DUA (hereinafter the QE DUA)
with the authorized user. Among other things laid out in this subpart,
such QE DUA must contractually bind the authorized user (including any
contractors or business associates described in the definition of
authorized user) to the following:
(1)(i) The authorized user may be permitted to use such data and
non-public analyses in a manner that a HIPAA Covered Entity could do
under the following provisions:
(A) Activities falling under paragraph (1) of the definition of
``health care operations'' under 45 CFR 164.501: Quality improvement
activities, including care coordination activities and efforts to track
and manage medical costs; patient-safety activities; population-based
activities such as those aimed at improving patient safety, quality of
care, or population health, including the development of new models of
care, the development of means to expand coverage and improve access to
healthcare, the development of means of reducing healthcare
disparities, and the development or improvement of methods of payment
or coverage policies.
(B) Activities falling under paragraph (2) of the definition of
``health care operations'' under 45 CFR 164.501: Reviewing the
competence or qualifications of health care professionals, evaluating
practitioner and provider performance, health plan performance,
conducting training programs in which students, trainees, or
practitioners in areas of health care learn under supervision to
practice or improve their skills as health care providers, training of
non-health care professionals, accreditation, certification, licensing,
or credentialing activities.
(C) Activities that qualify as ``fraud and abuse detection or
compliance activities'' under 45 CFR 164.506(c)(4)(ii).
(D) Activities that qualify as ``treatment'' under 45 CFR 164.501.
(ii) All other uses and disclosures of such data and/or such non-
public analyses must be forbidden except to the extent a disclosure
qualifies as a ``required by law'' disclosure as defined at 45 CFR
164.103.
(2) The authorized user is prohibited from using or disclosing the
data or non-public analyses for marketing purposes as defined at Sec.
401.703(s).
(3) The authorized user is required to ensure adequate privacy and
security protection for such data and non-public analyses. At a
minimum, regardless of whether the authorized user is a HIPAA covered
entity, such protections of beneficiary identifiable data must be at
least as protective as what is required of covered entities and their
business associates regarding protected health information (PHI) under
the HIPAA Privacy and Security Rules. In all cases, these requirements
must be imposed for the life of such beneficiary identifiable data or
non-public analyses and/or any derivative data, that is until all
copies of such data or non-public analyses are returned or destroyed.
Such duties must be written in such a manner as to survive termination
of the QE DUA, whether for cause or not.
(4) Except as provided for in paragraph (d)(5) of this section, the
authorized user must be prohibited from re-disclosing or making public
any such data or non-public analyses.
(5)(i) At the qualified entity's discretion, it may permit an
authorized user that is a provider as defined in Sec. 401.703(b) or a
supplier as defined in Sec. 401.703(c), to re-disclose such data and
non-public analyses as a covered entity will be permitted to disclose
PHI under 45 CFR 164.506(c)(4)(i), under 45 CFR 164.506(c)(2), or under
45 CFR 164.502(e)(1).
(ii) All other uses and disclosures of such data and/or such non-
public analyses are forbidden except to the extent a disclosure
qualifies as a ``required by law'' disclosure.
(6) Authorized users who/that receive the beneficiary de-identified
combined data or Medicare data as contemplated under Sec. 401.718 are
contractually prohibited from linking the beneficiary de-identified
data to any other identifiable source of information, and must be
contractually barred from attempting any other means of re-identifying
any individual whose data is included in such data.
(7) The QE DUA must bind authorized user(s) to notifying the
qualified entity of any violations of the QE DUA, and it must require
the full cooperation of the authorized user in the qualified entity's
efforts to mitigate any harm that may result from such violations, or
to comply with the breach provisions governing qualified entities under
this subpart.
4. Section 401.716 is added to read as follows:
Sec. 401.716 Non-public analyses.
(a) General. So long as it meets the other requirements of this
subpart, and subject to the limits in paragraphs (b) and (c) of this
section, the qualified entity may use the combined data to create non-
public analyses in addition to performance measures and provide or sell
these non-public analyses to authorized users (including any
contractors or business associates described in the definition of
authorized user).
(b) Limitations on a qualified entity. In addition to meeting the
other requirements of this subpart, a qualified entity must comply with
the following limitations as a pre-condition of dissemination or
selling non-public analyses to an authorized user:
(1) A qualified entity may only provide or sell a non-public
analysis to a health insurance issuer as defined in Sec. 401.703(l),
after the health insurance issuer or a business associate of that
health insurance issuer has provided the qualified entity with claims
data that represents a majority of the health insurance issuer's
covered lives, using one of the four methods of calculating covered
lives established at 26 CFR 46.4375-1(c)(2), for the time period and
geographic region covered by the issuer-requested non-public analyses.
A qualified entity may not provide or sell a non-public analysis to a
health insurance issuer if the issuer does not have any covered lives
in the geographic region covered by the issuer-requested non-public
analysis.
(2) Analyses that contain information that individually identifies
one or more beneficiaries may only be disclosed to a provider or
supplier (as defined at Sec. 401.703(b) and (c)) when both of the
following conditions are met:
(i) The analyses only contain identifiable information on
beneficiaries with whom the provider or supplier has a patient
relationship as defined at Sec. 401.703(r).
(ii) A QE DUA as defined at Sec. 401.713(d) is executed between
the qualified entity and the provider or supplier prior to making any
individually identifiable beneficiary information available to the
provider or supplier.
(3) Except as specified under paragraph (b)(2) of this section, all
analyses must be limited to beneficiary de-identified data. Regardless
of the HIPAA covered entity or business associate status of the
qualified entity and/or the authorized user, de-identification must be
determined based on the standards for HIPAA covered entities found at
45 CFR 164.514(b).
(4) Analyses that contain information that individually identifies
a provider or supplier (regardless of the level of the provider or
supplier, that is, individual clinician, group of clinicians, or
integrated delivery system) may not be disclosed unless one of the
following three conditions apply:
(i) The analysis only individually identifies the provider or
supplier that is being supplied the analysis.
(ii) Every provider or supplier individually identified in the
analysis has been afforded the opportunity to appeal or correct errors
using the process at Sec. 401.717(f).
(iii) Every provider or supplier individually identified in the
analysis has notified the qualified entity, in writing, that analyses
can be disclosed to the authorized user without first going through the
appeal and error correction process at Sec. 401.717(f).
(c) Non-public analyses agreement between a qualified entity and an
authorized user for beneficiary de-identified non-public analyses
disclosures. In addition to the other requirements of this subpart, a
qualified entity must enter a contractually binding non-public analyses
agreement with the authorized user (including any contractors or
business associates described in the definition of authorized user) as
a pre-condition to providing or selling de-identified analyses. Such
non-public analyses agreement must contain the following provisions:
(1) The authorized user may not use the analyses or derivative data
for the following purposes:
(i) Marketing, as defined at Sec. 401.703(s).
(ii) Harming or seeking to harm patients or other individuals both
within and outside the healthcare system regardless of whether their
data are included in the analyses.
(iii) Effectuating or seeking opportunities to effectuate fraud
and/or abuse in the healthcare system.
(2) If the authorized user is an employer as defined in Sec.
401.703(k), the authorized user may only use the analyses or derivative
data for purposes of providing health insurance to employees, retirees,
or dependents of employees or retirees of that employer.
(3)(i) At the qualified entity's discretion, it may permit an
authorized user that is a provider as defined in Sec. 401.703(b) or a
supplier as defined in Sec. 401.703(c), to re-disclose the de-
identified analyses or derivative data, as a covered entity will be
permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).
(ii) All other uses and disclosures of such data and/or such
non-public analyses are forbidden except to the extent a disclosure
qualifies as a ``required by law'' disclosure.
(4) If the authorized user is not a provider or supplier, the
authorized user may not re-disclose or make public any non-public
analyses or derivative data except as required by law.
(5) The authorized user may not link the de-identified analyses to
any other identifiable source of information and may not in any other
way attempt to identify any individual whose de-identified data is
included in the analyses.
(6) The authorized user must notify the qualified entity of any DUA
violations, and it must fully cooperate with the qualified entity's
efforts to mitigate any harm that may result from such violations.
5. Section 401.717 is amended by adding paragraph (f) to read as
follows:
Sec. 401.717 Provider and supplier requests for error correction.
* * * * *
(f) A qualified entity must comply with the following requirements
before disclosing non-public analyses, as defined at Sec. 401.716,
which contain information that individually identifies a provider or
supplier:
(1) A qualified entity must confidentially notify a provider or
supplier that non-public analyses that individually identify the
provider or supplier are going to be released to an authorized user at
least 65 calendar days before disclosing the analyses. This
confidential notification must include a short summary of the analyses
(including the measures calculated), the process for the provider or
supplier to request the analyses, the authorized users receiving the
analyses, and the date on which the qualified entity will release the
analyses to the authorized user.
(2) A qualified entity must allow providers and suppliers the
opportunity to opt-in to the review and correction process as defined
in paragraphs (a) through (e) of this section, anytime during the 65
calendar days. If a provider or supplier chooses to opt-in to the
review and correction process more than 5 days into the notification
period, the time for the review and correction process is shortened
from 60 days to the number of days between the provider or supplier
opt-in date and the release date specified in the confidential
notification.
6. Section 401.718 is added to read as follows:
Sec. 401.718 Dissemination of data.
(a) General. Subject to the other requirements in this subpart, the
requirements in paragraphs (b) and (c) of this section and any other
applicable laws or contractual agreements, a qualified entity may
provide or sell combined data or provide Medicare data at no cost to
authorized users defined at Sec. 401.703(b), (c), (m), and (n).
(b) Data--(1) De-identification. Except as specified in paragraph
(b)(2) of this section, any data provided or sold by a qualified entity
to an authorized user must be limited to beneficiary de-identified
data. De-identification must be determined based on the de-
identification standards for HIPAA covered entities found at 45 CFR
164.514(b).
(2) Exception. If such disclosure will be consistent with all
applicable laws, data that individually identifies a beneficiary may
only be disclosed to a provider or supplier (as defined at Sec.
401.703(b) and (c)) with whom the identifiable individuals in such data
have a current patient relationship as defined at Sec. 401.703(r).
(c) Data use agreement between a qualified entity and an authorized
user. A qualified entity must contractually require an authorized user
to comply with the requirements in Sec. 401.713(d) prior to providing
or selling data to an authorized user under Sec. 401.718.
7. Section 401.719 is amended by adding paragraphs (b)(3) and (4) and
(d)(5) to read as follows:
Sec. 401.719 Monitoring and sanctioning of qualified entities.
* * * * *
(b) * * *
(3) Non-public analyses provided or sold to authorized users under
this subpart, including the following information:
(i) A summary of the analyses provided or sold, including--
(A) The number of analyses.
(B) The number of purchasers of such analyses.
(C) The types of authorized users that purchased analyses.
(D) The total amount of fees received for such analyses.
(E) QE DUA or non-public analyses agreement violations.
(ii) A description of the topics and purposes of such analyses.
(iii) The number of analyses disclosed with unresolved requests for
error correction.
(4) Data provided or sold to authorized users under this subpart,
including the following information:
(i) The entities who received data.
(ii) The basis under which each entity received such data.
(iii) The total amount of fees received for providing, selling, or
sharing the data.
(iv) QE DUA violations.
* * * * *
(d) * * *
(5) In the case of a violation, as defined at Sec. 401.703(t), of
the CMS DUA or the QE DUA, CMS will impose an assessment on a qualified
entity in accordance with the following:
(i) Amount of assessment. CMS will calculate the amount of the
assessment of up to $100 per individual entitled to, or enrolled for,
benefits under part A of title XVIII of the Social Security Act or
enrolled for benefits under Part B of such title whose data was
implicated in the violation based on the following:
(A) Basic factors. In determining the amount per impacted
individual, CMS takes into account the following:
(1) The nature and the extent of the violation.
(2) The nature and the extent of the harm or potential harm
resulting from the violation.
(3) The degree of culpability and the history of prior violations.
(B) Criteria to be considered. In establishing the basic factors,
CMS considers the following circumstances:
(1) Aggravating circumstances. Aggravating circumstances include
the following:
(i) There were several types of violations occurring over a lengthy
period of time.
(ii) There were many of these violations or the nature and
circumstances indicate a pattern of violations.
(iii) The nature of the violation had the potential or actually
resulted in harm to beneficiaries.
(2) Mitigating circumstances. Mitigating circumstances include the
following:
(i) All of the violations subject to the imposition of an
assessment were few in number, of the same type, and occurring within a
short period of time.
(ii) The violation was the result of an unintentional and
unrecognized error and the qualified entity took corrective steps
immediately after discovering the error.
(C) Effects of aggravating or mitigating circumstances. In
determining the amount of the assessment to be imposed under paragraph
(d)(5)(i)(A) of this section:
(1) If there are substantial or several mitigating circumstances,
the aggregate amount of the assessment is set at an amount sufficiently
below the maximum permitted by paragraph (d)(5)(i)(A) of this section
to reflect the mitigating circumstances.
(2) If there are substantial or several aggravating circumstances,
the aggregate amount of the assessment is set at an amount at or
sufficiently close to the maximum permitted by paragraph (d)(5)(i)(A)
of this section to reflect the aggravating circumstances.
(D) The standards set for the qualified entity in this paragraph
are binding, except to the extent that--
(1) The amount imposed is not less than the approximate amount
required to fully compensate the United States, or any State, for its
damages and costs, tangible and intangible, including but not limited
to the costs attributable to the investigation, prosecution, and
administrative review of the case.
(2) Nothing in this section limits the authority of CMS to settle
any issue or case as provided by part 1005 of this title or to
compromise any assessment as provided by paragraph (d)(5)(ii)(E) of
this section.
(ii) Notice of determination. CMS must propose an assessment in
accordance with this paragraph (d)(5), by notifying the qualified
entity by certified mail, return receipt requested. Such notice must
include the following information:
(A) The assessment amount.
(B) The statutory and regulatory bases for the assessment.
(C) A description of the violations upon which the assessment was
proposed.
(D) Any mitigating or aggravating circumstances that CMS considered
when it calculated the amount of the proposed assessment.
(E) Information concerning response to the notice, including:
(1) A specific statement of the respondent's right to a hearing in
accordance with procedures established at Section 1128A of the Act and
implemented in 42 CFR part 1005.
(2) A statement that failure to respond within 60 days renders the
proposed determination final and permits the imposition of the proposed
assessment.
(3) A statement that the debt may be collected through an
administrative offset.
(4) In the case of a respondent that has an agreement under section
1866 of the Act, notice that imposition of an exclusion may result in
termination of the provider's agreement in accordance with section
1866(b)(2)(C) of the Act.
(F) The means by which the qualified entity may pay the amount if
they do not intend to request a hearing.
(iii) Failure to request a hearing. If the qualified entity does
not request a hearing within 60 days of receipt of the notice of
proposed determination, any assessment becomes final and CMS may impose
the proposed assessment.
(A) CMS notifies the qualified entity, by certified mail with
return receipt requested, of any assessment that has been imposed and
of the means by which the qualified entity may satisfy the judgment.
(B) The qualified entity has no right to appeal an assessment for
which the qualified entity has not requested a hearing.
(iv) When an assessment is collectible. An assessment becomes
collectible after the earliest of the following:
(A) Sixty (60) days after the qualified entity receives CMS's
notice of proposed determination under paragraph (d)(5)(ii) of this
section, if the qualified entity has not requested a hearing.
(B) Immediately after the qualified entity abandons or waives its
appeal right at any administrative level.
(C) Thirty (30) days after the qualified entity receives the ALJ's
decision imposing an assessment under Sec. 1005.20(d) of this title,
if the qualified entity has not requested a review before the DAB.
(D) Sixty (60) days after the qualified entity receives the DAB's
decision imposing an assessment if the qualified entity has not
requested a stay of the decision under Sec. 1005.22(b) of this title.
(v) Collection of an assessment. Once a determination by HHS has
become final, CMS is responsible for the collection of any assessment.
(A) The General Counsel may compromise an assessment imposed under
this part, after consulting with CMS or OIG, and the Federal government
may recover the assessment in a civil action brought in the United
States district court for the district where the claim was presented or
where the qualified entity resides.
(B) The United States or a state agency may deduct the amount of an
assessment when finally determined, or the amount agreed upon in
compromise, from any sum then or later owing the qualified entity.
(C) Matters that were raised or that could have been raised in a
hearing before an ALJ or in an appeal under section 1128A(e) of the Act
may not be raised as a defense in a civil action by the United States
to collect an assessment.
8. Section 401.721 is amended by adding paragraph (a)(7) to read as
follows:
Sec. 401.721 Terminating an agreement with a qualified entity.
(a) * * *
(7) Fails to ensure authorized users comply with their QE DUAs or
analysis use agreements.
* * * * *
9. Section 401.722 is added to read as follows:
Sec. 401.722 Qualified clinical data registries.
(a) A qualified clinical data registry that agrees to meet all the
requirements in this subpart, with the exception of Sec. 401.707(d),
may request access to Medicare data as a quasi qualified entity in
accordance with such qualified entity program requirements.
(b) Notwithstanding Sec. 401.703(q) (generally defining combined
data), for purposes of qualified clinical data registries acting as
quasi qualified entities under the qualified entity program
requirements, combined data means, at a minimum, a set of CMS claims
data provided under this subpart combined with clinical data or a
subset of clinical data.
Dated: June 22, 2016.
Andrew M. Slavitt,
Acting Administrator, Centers for Medicare & Medicaid Services.
Dated: June 28, 2016.
Sylvia M. Burwell,
Secretary, Department of Health and Human Services.
[FR Doc. 2016-15708 Filed 7-1-16; 11:15 am]
BILLING CODE 4120-01-P