Privacy Act of 1974; System of Records., 6587-6591 [2018-02933]

6587 Federal Register / Vol. 83, No. 31 / Wednesday, February 14, 2018 / Notices

REPORTING REQUIREMENTS—Continued

| Regulatory/section requirements | Number of respondents | Responses per respondent | Total annual responses | Hours per response | Total hour burden |
|---|---|---|---|---|---|
| 57.310(b)(1)(vi), Notification of Delinquent Accounts | 348 | 42.5 | 14,790 | 0.04 | 592 |
| 57.310(b)(1)(x), Credit Bureau Notification | 348 | 709.0 | 246,732 | 0.006 | 1,480 |
| 57.310(b)(4)(i), Write-off of Uncollectible Loans | 23 | 1.0 | 23 | 3.00 | 69 |
| 57.311(a), Disability Cancellation | 16 | 1.0 | 16 | 1.00 | 16 |
| 57.315(a)(1)(ii), Administrative Hearings | 0 | 0.0 | 0 | 0.00 | 0 |
| 57.316a, Administrative Hearings | 0 | 0.0 | 0 | 0.00 | 0 |
| NSL Subtotal | * 348 | | 277,382 | | 7,567 |

* Includes active and closing schools.

Amy McNulty, Acting Director, Division of the Executive Secretariat.

[FR Doc. 2018–02958 Filed 2–13–18; 8:45 am]

BILLING CODE 4165–15–P

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Privacy Act of 1974; System of Records.

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS).

ACTION: Notice of a New System of Records.

SUMMARY: The Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS) proposes to establish a new system of records subject to the Privacy Act, System No. 09–70–0539, titled “Quality Payment Program (QPP).” The new system of records will cover quality and performance data collected and used by CMS in determining merit-based payment adjustments for health care services provided by clinicians to Medicare beneficiaries, and in providing expert feedback to clinicians and third party data submitters for the purpose of helping clinicians provide high-value care to patients.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is effective upon publication, subject to a 30-day period in which to comment on the routine uses, described below. Please submit any comments by March 16, 2018.

ADDRESSES: Written comments should be submitted by mail or email to: CMS Privacy Act Officer, Division of Security, Privacy Policy & Governance, Information Security & Privacy Group, Office of Information Technology, CMS, 7500 Security Boulevard, Baltimore, MD 21244–1870, Location N1-14–56, or walter.stone@cms.hhs.gov. Comments received will be available for review without redaction unless otherwise advised by the commenter at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.–3:00 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: General questions about the new system of records should be submitted by mail or email to: Michelle Peterman, Health Insurance Specialist, Division of Electronic Clinician and Quality, Quality Measurement and Value-Based Incentives Group, Center for Clinical Standards and Quality, CMS, 7500 Security Boulevard, Baltimore, MD 21244–1870, Mailstop: S3–02–01, or michelle.peterman@cms.hhs.gov.

SUPPLEMENTARY INFORMATION:

I. Background on the New Quality Payment Program Supported by the New System of Records

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) amended title XVIII of the Social Security Act (the Act) to repeal the way physicians were paid under the previous Sustainable Growth Rate (SGR) formula and replaced it with a new approach known as the Quality Payment Program. The Quality Payment Program streamlines and consolidates components of three existing incentive programs that reward high-value patient centered care: (1) Physician Quality Reporting System (PQRS) (§ 1848(k) and (m) of the Act (42 U.S.C.
1395w–4)), (2) Medicare Electronic Health Records (EHR) Incentive Program for Eligible Professionals (§ 1848(o) of the Act), and (3) Physician Value-Based Payment Modifier (VM) (§ 1848(p) of the Act). For more information, see rulemakings implementing the existing programs, at 80 Fed. Reg. 71135 (November 16, 2015) (PQRS); 80 FR 62761 (October 16, 2015) (EHR); and 80 FR 71273 (November 16, 2015) (VM).

There are two separate pathways within the Quality Payment Program, Advanced Alternative Payment Models (Advanced APM) and Merit-based Incentive Payment System (MIPS), both of which contribute toward the goal of seamless integration of the Quality Payment Program into clinical practice workflows. MIPS provides clinicians measures and activities to assist them in providing high-value, patient-centered care to Medicare patients, and to encourage and reward their use of the same. The participants generate and submit to CMS data on health care coordination.

The data will be submitted to CMS by eligible clinicians and approved third party data submitters (for example, registries which collect and submit disease tracking data; health information technology (IT) vendors which submit data from clinicians’ Certified Electronic Health Record Technology (CEHRT) systems). The data will include information about, and will be retrieved by personal identifiers for: (1) The clinicians, (2) any third party data submitters who are individuals (e.g., sole proprietor vendors), (3) individuals who submit data for clinicians or third party data submitters as their representatives or contact persons, and (4) Medicare beneficiaries and any non-Medicare beneficiaries receiving the health care services referenced in the Quality Payment Program data. The records are described below.
The data submission process will require that clinicians and third party submitters use their identifying and contact information, tax identification number (TIN/EIN), national provider identifier (NPI), and information about health care services provided to patients for the performance categories of the MIPS including (1) quality, including a set of evidence-based, specialty-specific standards; (2) cost of services provided; (3) improvement activities that improved or are likely to improve clinical practice or care delivery; and (4) advancing care information which focuses on the use of CEHRT to support interoperability and avoid redundancies.

Except for specific measures or activities identified and published in the Federal Register by November 1 of each year, there are no changes in Calendar Year (CY) 2017 with respect to the collection and use of Privacy Act records associated with these activities in the QPP system of record notice (SORN) other than what is collected by the overlapping SORNs described below. There were no changes to the Call for Quality Measures process in the CY 2018 rule and so there are no changes to the use or additional collection of Privacy Act records related to the four performance categories. Payment adjustments for eligible clinicians do not begin until CY 2019 and at that time any additional Privacy Act records associated with those payment adjustments based on their performance during the applicable performance period will be described if needed in an update to this SORN.

MIPS quality and performance data used in the program will be reported to CMS by eligible clinicians and approved third party data submitters of the types described in 42 CFR 414.1400. The data will pertain to health care services provided to Medicare beneficiaries, but may also include data about non-Medicare patients.
As mentioned above, except for specific measures or activities identified and published in the Federal Register by November 1 of each year, there are no changes in CY 2017 with respect to the collection and use of Privacy Act records associated with these activities in the QPP SORN other than what is collected by the overlapping SORNs described below.

II. Related Systems of Records Supporting the Existing PQRS, EHR, and VM Programs

The PQRS, EHR, and VM programs each maintain records subject to the Privacy Act which are maintained in existing systems of records; these systems of records will necessarily overlap with this system of records until the existing programs fully sunset. Therefore, these SORNs cover the Quality Payment Program Privacy Act records until the QPP SORN is finalized:

1. PQRS: “Performance Measurement and Reporting System (PMRS),” System No. 09–70–0584, last published at 73 FR 80412 (December 31, 2008);

2. EHR: “Medicare and Medicaid Electronic Health Record (EHR) Incentive Program National Level Repository” System No. 09–70–0587, last published at 75 FR 73095 (November 29, 2010);

3. VM: “Medicare Multi-Carrier Claims System (MCS),” System No. 09–70–0501, last published at 71 FR 64968 (November 6, 2006); and

4. VM: “Fiscal Intermediary Shared System (FISS),” System No. 09–70–0503, last published at 71 FR 64961 (November 6, 2006).

The Performance Measurement and Reporting System (PMRS) SORN covers the Better Quality Information (BQI) to Improve Care for Medicare Beneficiaries Project, the Electronic Prescribing (E-Prescribing) Incentive Program, and the PQRS. The BQI to Improve Care for Medicare Beneficiaries Project and the E-Prescribing Incentive Program have fully sunsetted. The PQRS program’s last reporting year was CY 2016.
However, Privacy Act records related to the PQRS program will continue to be utilized for several additional years to assess payment adjustments in CY 2018 and data as needed.

The Medicare and Medicaid Electronic Health Record (EHR) Incentive Program National Level Repository SORN covers the Medicare and Medicaid EHR Incentive Programs. The Medicare EHR Incentive program’s last payment year was CY 2016. However, Privacy Act records related to the Medicare EHR Incentive program will continue to be utilized for several additional years to assess data as needed. In addition, the Medicare EHR Incentive for eligible hospitals and critical access hospitals (CAHs) and the Medicaid EHR Incentive program are active programs. Therefore, the EHR SORN will not be rescinded.

The SORNs that cover the VM program will not be rescinded as they are applicable to many CMS programs.

The Quality Payment Program will continue to evolve over multiple years to accommodate payment policy implementations and take advantage of new system capabilities. This SORN will be similarly reviewed and updated to reflect significant changes, including the sunsetting of the existing programs and disposition of the records covered by the existing SORNs, when they occur.

III. Related Rulemakings and Information Collections

Requirements for submitting data about improvement activities did not exist in the legacy programs replaced by MIPS, and CMS does not have historical data which is directly relevant. However, the Privacy Act records collected through these legacy programs are the same data elements that are used for the Quality Payment Program in CY 2017 and 2018 although the specific uses for the previous programs may be more expansive.
To date, participants in the Quality Payment Program have registered, have selected measures and are submitting data beginning in 2018 as individuals, as part of a group or as part of a virtual group—a scenario not provided through the legacy SORNs.

The primary purpose of the PMRS system of records, entitled “Performance Measurement and Reporting System (PMRS),” is to support the collection, maintenance, and processing of information to promote the delivery of high quality, efficient, effective, and economical health care services, and promote the quality and efficiency of services of the type for which payment may be made under title XVIII by allowing for the establishment and implementation of performance measures, the provision of feedback to physicians, and public reporting of performance information.

The primary purpose of the EHR system of records, entitled “Medicare and Medicaid Electronic Health Record (EHR) Incentive Program National Level Repository,” called the National Level Repository or NLR, is to collect, maintain, and process information that is required for the Medicare and Medicaid EHR Incentive Programs.

The primary purpose of the VM program covered by the systems of records entitled, “Medicare Multi-Carrier Claims System (MCS) and the Fiscal Intermediary Shared System (FISS),” is to identify and associate a provider (physician or individual provider) to their registration and their reports, known as the Quality and Resource Use Report (QRUR). QRUR is a report given to providers on quality of care and cost performance. In most cases, systems of records maintain Tax Identification Number (TIN) and the name of the organization. In very few cases, providers may be using their Social Security number (SSN) as Billing TIN.
As discussed above the programs covered by the PMRS SORN have sunsetted; however, the final payment year for the PQRS program is CY 2018 requiring the PMRS SORN to remain in effect until all pertinent data has been utilized. The EHR SORN and VM SORNs will not be rescinded as there are programs covered by these SORNs that are currently active and have no plans to sunset. Once the PQRS program sunsets the records will be dispositioned entirely into the QPP system of records under NARA CMS Records Schedule: DAA–0440–2015–0009–003. The retention period for these records is 10 years.

Because the PMRS and the QPP systems of records maintain identical records for the categories of individuals covered by the respective system of records and also overlap for purposes of making payment based on quality measures and improvement activities (though not with the same percentages of activity weighting or payment calculation), the routine uses for disclosures of records in the system of records and uses of records in the system of records are the same. Categories of individuals covered by the system of records will expand under the QPP SORN to include all-payer data. All of the routine uses either are necessary and proper or are compatible with the original collection purpose of encouraging and rewarding clinicians’ use of measures and activities that help them provide high-value, patient-centered care to Medicare beneficiaries.

Dated: February 1, 2018.

Emery Csulak, Director, Information Security Privacy Group, and Senior Official for Privacy, Centers for Medicare & Medicaid Services.

SYSTEM NAME AND NUMBER

“Quality Payment Program (QPP)”, HHS/CMS/CCSQ System No. 09–70–0539.

SECURITY CLASSIFICATION:

Unclassified.
SYSTEM LOCATION:

The address of the agency component responsible for the system of records is: CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244–1850.

SYSTEM MANAGER(S):

The agency official who is responsible for the system of records is: Director, Quality Measurement and Value-based Incentives Group, CCSQ, CMS, Room C1–23–14, 7500 Security Boulevard, Baltimore, Maryland 21244–1870.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Provisions of the Social Security Act codified at 42 U.S.C. §§ 1320c–3, 1395l, 1395w–4, 1395w–21, and 1395y.

PURPOSE(S) OF THE SYSTEM:

The purposes for which HHS/CMS will use the records are:

• To be utilized for program management and administration purposes;

• To determine payment adjustments for health care services provided by clinicians to Medicare beneficiaries;

• To provide expert feedback to clinicians and third party data submitters, in order to help clinicians provide high-value, patient-centered care to Medicare beneficiaries;

• To make clinician-level performance measure results available to Medicare patients and caregivers through Physician Compare, as defined via regulation, either on public profile pages or via the Downloadable Database housed on data.medicare.gov for the purpose of promoting more informed health care choices for people with Medicare; and

• To provide relevant records to other Federal and state agencies which administer federally-funded health benefit programs; Quality Improvement Networks that review claims and conduct outreach and reviews; and individuals and organizations that assist consumers, to use for program administrative purposes and in health, disease, and payment-related research, evaluation, outreach, and transparency projects.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records will be about these categories of individuals involved in the Quality Payment Program:

• Eligible clinicians (such as, physicians, physician assistants, nurse practitioners) who submit quality and performance data to CMS under the Program;

• Any third party data submitters of the types described in 42 CFR 414.1400 who are individuals (e.g., sole proprietor health IT or survey vendors) and submit data to the Program;

• Individuals who submit data for clinicians and third party data submitters (i.e., as their representatives or contact persons); and

• Medicare beneficiaries (and any non-Medicare beneficiaries) receiving the health care services referenced in the data submitted to CMS under the Program.

CATEGORIES OF RECORDS IN THE SYSTEM:

The system will include these categories of records:

• Records about clinicians. These will include identifying information and contact information (such as the clinician’s name, address, phone number, email address, date of birth, business address, tax identification number (TIN/EIN), national provider identifier (NPI), Social Security number (SSN), prescriber identification number, and other assigned clinician numbers) and information about health care services the clinician provided to Medicare beneficiaries (and any non-Medicare beneficiaries) and the measures and activities the clinician used in providing the services.

• Records about any third party data submitters who are individuals (for example, sole proprietor health IT or survey vendors). These records will include the third party’s name, email address, business address, and TIN/EIN.

• Records about individuals who submit data for clinicians and third party data submitters. These will include the representative’s name and contact information such as address, TIN/EIN, email address, and business address.
• Records about Medicare beneficiaries (and any non-Medicare beneficiaries). These will include the beneficiary’s identifying and health information, i.e. name, address, date of birth, gender, ethnicity, health care utilization and claims data, health insurance claim number (HICN), Medicare beneficiary identifier (MBI), and SSN.

• Records about other payer payment arrangements. These will include other payer payment arrangement information submitted by non-Medicare payers to determine whether a payment arrangement meets the Other Payer Advanced Alternative Payment Model (APM) criteria. These records will include payer identifying information, payment arrangement information, supporting documentation, and a certification statement.

RECORD SOURCE CATEGORIES:

The sources of the records covered by this system of records are (1) clinicians, (2) third party data submitters, and (3) individuals who submit data for clinicians or third party data submitters.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

A. These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may disclose records from the Quality Payment Program to a party outside HHS without the prior, written consent of the individual to whom such information pertains.

1. Records may be disclosed to agency contractors (including, but not limited to, Medicare Administrative Contractors (MACs), fiscal intermediaries, and carriers) that assist in the health operations of a CMS-administered health benefits program, to CMS consultants, or to a grantee of a CMS-administered grant program, who have been engaged by the agency to assist in accomplishment of a CMS function relating to the purposes for this system of records and who need to have access to the records in order to assist CMS.
Such disclosures include (but are not limited to) disclosures deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such program.

2. Records may be disclosed to another Federal or state agency to the extent deemed necessary to: (a) Contribute to the accuracy of CMS’ proper payment of Medicare benefits; (b) enable such agency to administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements health benefit programs funded in whole or in part with Federal funds; and/or (c) assist state Medicaid programs which may require Quality Payment Program information.

3. Clinician-level performance measurement results may be made available to the public, through Physician Compare, as defined via regulation, either on public profile pages or via the Downloadable Database housed on data.medicare.gov for the purpose of promoting more informed health care choices for people with Medicare.

4. Records may be disclosed to MIPS-eligible clinicians and eligible entities in order to provide them with expert feedback, and records may be disclosed to CMS authorized entities participating in health care transparency projects.

5. Records may be disclosed to organizations that assist consumers in comparing the quality and price of health care services, and/or that use such information for purposes related to prevention of disease or disability, or restoration or maintenance of health.

6. Records may be disclosed to organizations for research, evaluation, and projects involving payment issues.

7.
Records may be disclosed to Beneficiary and Family Centered Care (BFCC)-QIOs, Quality Innovation Network-QIOs (QIN–QIOs), the Small, Underserved, and Rural Support (SURS) technical assistance contractors, and the Practice Transformation Networks (PTNs) under the Transforming Clinical Practice Initiative (TCPI) for purposes of: (a) Identifying clinicians who are included in the Quality Payment Program, specifically the MIPS track, based on the low-volume threshold; (b) determining the appropriate form of Technical Assistance based on practice size and clinician need; (c) providing eligibility information to clinicians interested in forming a virtual group; (d) transitioning clinician referrals from the Quality Payment Program Service Center to the appropriate Technical Assistance channel; (e) performing proactive outreach and engagement activities for the purpose of helping MIPS eligible clinicians participate in the program; (f) developing educational tools and resources; (g) monitoring annual MIPS eligible clinician performance; (h) assessing future need based on a MIPS eligible clinician’s Final Score; (i) tracking non-MIPS eligible clinicians who voluntarily report measures and activities to MIPS; and (j) assisting MIPS eligible clinicians transition into an Advanced APM.

8. Records may be disclosed to the Department of Justice (DOJ), a court, or an adjudicatory body when: (a) The Agency or any component thereof, (b) any employee of the Agency in his or her official capacity, (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee, or (d) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation.

9.
Records may be disclosed to another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers, or that has the authority to investigate potential fraud, waste, or abuse in, a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such programs.

10. Records may be disclosed to appropriate agencies, entities, and persons when (a) HHS suspects or has confirmed that there has been a breach of the system of records; (b) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS’ efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

11. Records may be disclosed to another Federal agency or Federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal government, or national security, resulting from a suspected or confirmed breach.

12. Records may be disclosed to the U.S.
Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from Federal government computer networks to prevent a variety of types of cybersecurity incidents.

B. Additional Circumstances Affecting Routine Use Disclosures: To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR parts 160 and 164, Subparts A and E), disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information” (see 45 CFR 164.512(a)(1)).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

The records will be stored electronically or on magnetic media or paper.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

The data collected on clinicians will be retrieved by the clinician’s name, address, NPI, TIN/EIN and other identifying provider numbers. Information about third party data submitters who are individuals will be retrieved by name, address, and TIN/EIN. Records about contact persons will be retrieved by name, email address and business address. The data collected on Medicare beneficiaries (and any non-Medicare beneficiaries) will be retrieved by the beneficiary’s name, Medicare beneficiary identifier (MBI), health insurance claim number (HICN), SSN, address, and date of birth.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

A records disposition schedule for the Quality Payment Program is pending submission to and approval by the National Archives and Records Administration (NARA); until NARA approval is obtained, CMS will retain the records indefinitely. CMS is proposing a retention period of approximately 10 years for these records under the NARA CMS Records Schedule: DAA–0440–2015–0009–0003.
Any claims-related records that become encompassed by a document preservation order may be retained longer (i.e., until notification is received from the Department of Justice).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Safeguards will conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/. Information will be safeguarded in accordance with applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards, including, all pertinent National Institutes of Standards and Technology (NIST) publications, and OMB Circular A–130. Records will be protected from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include protecting the facilities where records are stored or accessed with security guards, badges, and cameras; securing hard-copy records in locked file cabinets, file rooms, or offices during off-duty hours; controlling access to physical locations where records are maintained and used by means of combination locks and identification badges issued only to authorized users; limiting access to electronic databases to authorized users based on roles and two-factor authentication (user ID and password); using a secured operating system protected by encryption, firewalls, and intrusion detection systems; requiring encryption for records stored on removable media; and training personnel in Privacy Act and information security requirements. Records that are eligible for destruction will be disposed of using secure destruction methods prescribed by NIST SP 800–88.
RECORD ACCESS PROCEDURES:

An individual seeking access to a record about him or her in this system should write to the System Manager indicated above, who will require the individual’s name and particulars necessary to distinguish between records on subject individuals with the same name, such as NPI or TIN. The requestor should also reasonably specify the record(s) to which access is sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:

Any subject individual may request that his record be corrected or amended if he believes that the record is not accurate, timely, complete, or relevant or necessary to accomplish a Department function. A subject individual making a request to amend or correct his record shall address his request to the responsible System Manager as stated above, in writing. The subject individual shall specify in each request: (1) The system of records from which the record is retrieved; (2) The particular record which he is seeking to correct or amend; (3) Whether he is seeking an addition to or a deletion or substitution of the record; and, (4) His reasons for requesting correction or amendment of the record. (These procedures are in accordance with Department regulation 45 CFR 5b.7).

NOTIFICATION PROCEDURES:

Individuals wishing to know if this system contains records about them should write to the System Manager indicated above and follow the same instructions under Record Access Procedures.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.

[FR Doc. 2018–02933 Filed 2–13–18; 8:45 am]

BILLING CODE 4120–03–P

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Privacy Act of 1974; System of Records

AGENCY: Office of the Assistant Secretary for Administration (ASA), Department of Health and Human Services (HHS).

ACTION: Notice of modified systems of records.

SUMMARY: The Department of Health and Human Services (HHS) proposes to modify all of its systems of records to add two security-related routine uses which are needed to improve federal agencies’ ability to detect and address actual and suspected breaches of personally identifiable information (PII) in Privacy Act systems of records. The routine uses are explained in the Supplementary Information section of this notice.

DATES: This notice will become effective 30 days after publication, unless the Department makes changes based on comments received. Written comments should be submitted on or before the effective date.

ADDRESSES: The public should address written comments to Beth Kramer, HHS Privacy Act Officer, by mail or email, at HHS.ACFO@hhs.gov, or FOIA/PA Division, Suite 729H, 200 Independence Avenue SW, Washington, DC 20201.

FOR FURTHER INFORMATION CONTACT: General questions may be submitted to Beth Kramer, HHS Privacy Act Officer, by mail or email, at HHS.ACFO@hhs.gov, or FOIA/PA Division, Suite 729H, 200 Independence Avenue SW, Washington, DC 20201.

SUPPLEMENTARY INFORMATION: The Privacy Act (5 U.S.C. 552a), at subsection (b)(3), requires each agency to publish, for public notice and comment, routine uses describing any disclosures of information about an individual that the agency intends to make from a Privacy Act system of records without the individual’s prior written consent, other than those which are authorized directly in the Privacy Act at subsections (b)(1)–(2) and (b)(4)–(12). The Privacy Act defines “routine use” at subsection (a)(7) to mean a disclosure for a purpose compatible with the purpose for which the record was collected.
In accordance with Office of Management and Budget (OMB) Memorandum M–17–12, issued January 3, 2017, titled ‘‘Preparing for and Responding to a Breach of Personally Identifiable Information,’’ HHS is adding the following two routine uses to all of its system of records notices (SORNs) to authorize HHS to disclose information from each system of records when necessary to obtain assistance with a suspected or confirmed breach of PII or to assist another agency in its response to a breach. The first routine use is a revised version of a routine use prescribed in 2007, in former OMB Memorandum M–07–16. The second routine use is new:

‘‘To appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.’’

‘‘To another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.’’

Both routine uses are compatible with the purposes for which PII is collected in the affected systems of records, because individuals whose PII is included in any federal record system


[Federal Register Volume 83, Number 31 (Wednesday, February 14, 2018)]
[Notices]
[Pages 6587-6591]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-02933]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records.

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of a New System of Records.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS) proposes to establish a new system 
of records subject to the Privacy Act, System No. 09-70-0539, titled 
``Quality Payment Program (QPP).'' The new system of records will cover 
quality and performance data collected and used by CMS in determining 
merit-based payment adjustments for health care services provided by 
clinicians to Medicare beneficiaries, and in providing expert feedback 
to clinicians and third party data submitters for the purpose of 
helping clinicians provide high-value care to patients.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is 
effective upon publication, subject to a 30-day period in which to 
comment on the routine uses, described below. Please submit any 
comments by March 16, 2018.

ADDRESSES: Written comments should be submitted by mail or email to: 
CMS Privacy Act Officer, Division of Security, Privacy Policy & 
Governance, Information Security & Privacy Group, Office of Information 
Technology, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1870, 
Location N1-14-56, or [email protected]. Comments received will 
be available for review without redaction unless otherwise advised by 
the commenter at this location, by appointment, during regular business 
hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time 
zone.

FOR FURTHER INFORMATION CONTACT: General questions about the new system 
of records should be submitted by mail or email to: Michelle Peterman, 
Health Insurance Specialist, Division of Electronic Clinician and 
Quality, Quality Measurement and Value-Based Incentives Group, Center 
for Clinical Standards and Quality, CMS, 7500 Security Boulevard, 
Baltimore, MD 21244-1870, Mailstop: S3-02-01, or 
[email protected].

SUPPLEMENTARY INFORMATION: 

I. Background on the New Quality Payment Program Supported by the New 
System of Records

    The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) 
amended title XVIII of the Social Security Act (the Act) to repeal the 
way physicians were paid under the previous Sustainable Growth Rate 
(SGR) formula and replaced it with a new approach known as the Quality 
Payment Program. The Quality Payment Program streamlines and 
consolidates components of three existing incentive programs that 
reward high-value patient centered care: (1) Physician Quality 
Reporting System (PQRS) (Sec.  1848(k) and (m) of the Act (42 U.S.C. 
1395w-4)), (2) Medicare Electronic Health Records (EHR) Incentive 
Program for Eligible Professionals (Sec.  1848(o) of the Act), and (3) 
Physician Value-Based Payment Modifier (VM) (Sec.  1848(p) of the Act). 
For more information, see rulemakings implementing the existing 
programs, at 80 Fed. Reg. 71135 (November 16, 2015) (PQRS); 80 FR 62761 
(October 16, 2015) (EHR); and 80 FR 71273 (November 16, 2015) (VM).
    There are two separate pathways within the Quality Payment Program, 
Advanced Alternative Payment Models (Advanced APM) and Merit-based 
Incentive Payment System (MIPS), both of which contribute toward the 
goal of seamless integration of the Quality Payment Program into 
clinical practice workflows. MIPS provides clinicians measures and 
activities to assist them in providing high-value, patient-centered 
care to Medicare patients, and to encourage and reward their use of the 
same. The participants generate and submit to CMS data on health care 
coordination. The data will be submitted to CMS by eligible clinicians 
and approved third party data submitters (for example, registries which 
collect and submit disease tracking data; health information technology 
(IT) vendors which submit data from clinicians' Certified Electronic 
Health Record Technology (CEHRT) systems). The data will include 
information about, and will be retrieved by personal identifiers for: 
(1) The clinicians, (2) any third party data submitters who are 
individuals (e.g., sole proprietor vendors), (3) individuals who submit 
data for clinicians or third party data submitters as their 
representatives or contact persons, and (4) Medicare beneficiaries and 
any non-Medicare beneficiaries receiving the health care services 
referenced in the Quality Payment Program data. The records are 
described below.
    The data submission process will require that clinicians and third 
party submitters use their identifying and contact information, tax 
identification number (TIN/EIN), national provider identifier (NPI), 
and information about health care services provided to patients for the 
performance categories of the MIPS including (1) quality--including a 
set of evidence-based, specialty-specific standards; (2) cost of 
services provided; (3) improvement activities that improved or are 
likely to improve clinical practice or care delivery; and (4) advancing 
care information which focuses on the use of CEHRT to support 
interoperability and avoid

[[Page 6588]]

redundancies. Except for specific measures or activities identified and 
published in the Federal Register by November 1 of each year, there are 
no changes in Calendar Year (CY) 2017 with respect to the collection 
and use of Privacy Act records associated with these activities in the 
QPP system of record notice (SORN) other than what is collected by the 
overlapping SORNs described below. There were no changes to the Call 
for Quality Measures process in the CY 2018 rule and so there are no 
changes to the use or additional collection of Privacy Act records 
related to the four performance categories. Payment adjustments for 
eligible clinicians do not begin until CY 2019 and at that time any 
additional Privacy Act records associated with those payment 
adjustments based on their performance during the applicable 
performance period will be described if needed in an update to this 
SORN. MIPS quality and performance data used in the program will be 
reported to CMS by eligible clinicians and approved third party data 
submitters of the types described in 42 CFR 414.1400. The data will 
pertain to health care services provided to Medicare beneficiaries, but 
may also include data about non-Medicare patients. As mentioned above, 
except for specific measures or activities identified and published in 
the Federal Register by November 1 of each year, there are no changes 
in CY 2017 with respect to the collection and use of Privacy Act 
records associated with these activities in the QPP SORN other than 
what is collected by the overlapping SORNs described below.

II. Related Systems of Records Supporting the Existing PQRS, EHR, and 
VM Programs

    The PQRS, EHR, and VM programs each maintain records subject to the 
Privacy Act which are maintained in existing systems of records; these 
systems of records will necessarily overlap with this system of records 
until the existing programs fully sunset. Therefore, these SORNs cover 
the Quality Payment Program Privacy Act records until the QPP SORN is 
finalized:
    1. PQRS: ``Performance Measurement and Reporting System (PMRS),'' 
System No. 09-70-0584, last published at 73 FR 80412 (December 31, 
2008);
    2. EHR: ``Medicare and Medicaid Electronic Health Record (EHR) 
Incentive Program National Level Repository'' System No. 09-70-0587, 
last published at 75 FR 73095 (November 29, 2010);
    3. VM: ``Medicare Multi-Carrier Claims System (MCS),'' System No. 
09-70-0501, last published at 71 FR 64968 (November 6, 2006); and
    4. VM: ``Fiscal Intermediary Shared System (FISS),'' System No. 09-
70-0503, last published at 71 FR 64961 (November 6, 2006).
    The Performance Measurement and Reporting System (PMRS) SORN covers 
the Better Quality Information (BQI) to Improve Care for Medicare 
Beneficiaries Project, the Electronic Prescribing (E-Prescribing) 
Incentive Program, and the PQRS. The BQI to Improve Care for Medicare 
Beneficiaries Project and the E-Prescribing Incentive Program have 
fully sunsetted. The PQRS program's last reporting year was CY 2016. 
However, Privacy Act records related to the PQRS program will continue 
to be utilized for several additional years to assess payment 
adjustments in CY 2018 and data as needed. The Medicare and Medicaid 
Electronic Health Record (EHR) Incentive Program National Level 
Repository SORN covers the Medicare and Medicaid EHR Incentive 
Programs. The Medicare EHR Incentive program's last payment year was CY 
2016. However, Privacy Act records related to the Medicare EHR 
Incentive program will continue to be utilized for several additional 
years to assess data as needed. In addition, the Medicare EHR Incentive 
for eligible hospitals and critical access hospitals (CAHs) and the 
Medicaid EHR Incentive program are active programs. Therefore, the EHR 
SORN will not be rescinded. The SORNs that cover the VM program will 
not be rescinded as they are applicable to many CMS programs.
    The Quality Payment Program will continue to evolve over multiple 
years to accommodate payment policy implementations and take advantage 
of new system capabilities. This SORN will be similarly reviewed and 
updated to reflect significant changes, including the sunsetting of the 
existing programs and disposition of the records covered by the 
existing SORNs, when they occur.

III. Related Rulemakings and Information Collections

    Requirements for submitting data about improvement activities did 
not exist in the legacy programs replaced by MIPS, and CMS does not 
have historical data which is directly relevant. However, the Privacy 
Act records collected through these legacy programs are the same data 
elements that are used for the Quality Payment Program in CY 2017 and 
2018 although the specific uses for the previous programs may be more 
expansive. To date, participants in the Quality Payment Program have 
registered, have selected measures and are submitting data beginning in 
2018 as individuals, as part of a group or as part of a virtual group--
a scenario not provided through the legacy SORNs.
    The primary purpose of the PMRS system of records, entitled 
``Performance Measurement and Reporting System (PMRS),'' is to support 
the collection, maintenance, and processing of information to promote 
the delivery of high quality, efficient, effective, and economical 
health care services, and promote the quality and efficiency of 
services of the type for which payment may be made under title XVIII by 
allowing for the establishment and implementation of performance 
measures, the provision of feedback to physicians, and public reporting 
of performance information.
    The primary purpose of the EHR system of records, entitled 
``Medicare and Medicaid Electronic Health Record (EHR) Incentive 
Program National Level Repository,'' called the National Level 
Repository or NLR, is to collect, maintain, and process information 
that is required for the Medicare and Medicaid EHR Incentive Programs.
    The primary purpose of the VM program covered by the systems of 
records entitled, ``Medicare Multi-Carrier Claims System (MCS) and the 
Fiscal Intermediary Shared System (FISS),'' is to identify and 
associate a provider (physician or individual provider) to their 
registration and their reports, known as the Quality and Resource Use 
Report (QRUR). QRUR is a report given to providers on quality of care 
and cost performance. In most cases, systems of records maintain Tax 
Identification Number (TIN) and the name of the organization. In very 
few cases, providers may be using their Social Security number (SSN) as 
Billing TIN.
    As discussed above the programs covered by the PMRS SORN have 
sunsetted; however, the final payment year for the PQRS program is CY 
2018 requiring the PMRS SORN to remain in effect until all pertinent 
data has been utilized. The EHR SORN and VM SORNs will not be rescinded 
as there are programs covered by these SORNs that are currently active 
and have no plans to sunset.
    Once the PQRS program sunsets the records will be dispositioned 
entirely into the QPP system of records under NARA CMS Records 
Schedule: DAA-0440-2015-0009-003. The retention period for these 
records is 10 years.
    Because the PMRS and the QPP systems of records maintain identical 
records for the categories of individuals covered by the respective 
system of records and also overlap for purposes of

[[Page 6589]]

making payment based on quality measures and improvement activities 
(though not with the same percentages of activity weighting or payment 
calculation), the routine uses for disclosures of records in the system 
of records and uses of records in the system of records are the same. 
Categories of individuals covered by the system of records will expand 
under the QPP SORN to include all-payer data.
    All of the routine uses either are necessary and proper or are 
compatible with the original collection purpose of encouraging and 
rewarding clinicians' use of measures and activities that help them 
provide high-value, patient-centered care to Medicare beneficiaries.

    Dated: February 1, 2018.
Emery Csulak,
Director, Information Security Privacy Group, and Senior Official for 
Privacy, Centers for Medicare & Medicaid Services.

SYSTEM NAME AND NUMBER:
    ``Quality Payment Program (QPP)'', HHS/CMS/CCSQ System No. 09-70-
0539.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is: CMS Data Center, 7500 Security Boulevard, North Building, 
First Floor, Baltimore, Maryland 21244-1850.

SYSTEM MANAGER(S):
    The agency official who is responsible for the system of records 
is: Director, Quality Measurement and Value-based Incentives Group, 
CCSQ, CMS, Room C1-23-14, 7500 Security Boulevard, Baltimore, Maryland 
21244-1870.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Provisions of the Social Security Act codified at 42 U.S.C. 
Sec. Sec.  1320c-3, 1395l, 1395w-4, 1395w-21, and 1395y.

PURPOSE(S) OF THE SYSTEM:
    The purposes for which HHS/CMS will use the records are:
     To be utilized for program management and administration 
purposes;
     To determine payment adjustments for health care services 
provided by clinicians to Medicare beneficiaries;
     To provide expert feedback to clinicians and third party 
data submitters, in order to help clinicians provide high-value, 
patient-centered care to Medicare beneficiaries;
     To make clinician-level performance measure results 
available to Medicare patients and caregivers through Physician 
Compare, as defined via regulation, either on public profile pages or 
via the Downloadable Database housed on data.medicare.gov for the 
purpose of promoting more informed health care choices for people with 
Medicare; and
     To provide relevant records to other Federal and state 
agencies which administer federally-funded health benefit programs; 
Quality Improvement Networks that review claims and conduct outreach 
and reviews; and individuals and organizations that assist consumers, 
to use for program administrative purposes and in health, disease, and 
payment-related research, evaluation, outreach, and transparency 
projects.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records will be about these categories of individuals involved 
in the Quality Payment Program:
     Eligible clinicians (such as, physicians, physician 
assistants, nurse practitioners) who submit quality and performance 
data to CMS under the Program;
     Any third party data submitters of the types described in 
42 CFR 414.1400 who are individuals (e.g., sole proprietor health IT or 
survey vendors) and submit data to the Program;
     Individuals who submit data for clinicians and third party 
data submitters (i.e., as their representatives or contact persons); 
and
     Medicare beneficiaries (and any non-Medicare 
beneficiaries) receiving the health care services referenced in the 
data submitted to CMS under the Program.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system will include these categories of records:
     Records about clinicians. These will include identifying 
information and contact information (such as the clinician's name, 
address, phone number, email address, date of birth, business address, 
tax identification number (TIN/EIN), national provider identifier 
(NPI), Social Security number (SSN), prescriber identification number, 
and other assigned clinician numbers) and information about health care 
services the clinician provided to Medicare beneficiaries (and any non-
Medicare beneficiaries) and the measures and activities the clinician 
used in providing the services.
     Records about any third party data submitters who are 
individuals (for example, sole proprietor health IT or survey vendors). 
These records will include the third party's name, email address, 
business address, and TIN/EIN.
     Records about individuals who submit data for clinicians 
and third party data submitters. These will include the 
representative's name and contact information such as address, TIN/EIN, 
email address, and business address.
     Records about Medicare beneficiaries (and any non-Medicare 
beneficiaries). These will include the beneficiary's identifying and 
health information, i.e. name, address, date of birth, gender, 
ethnicity, health care utilization and claims data, health insurance 
claim number (HICN), Medicare beneficiary identifier (MBI), and SSN.
     Records about other payer payment arrangements. These will 
include other payer payment arrangement information submitted by non-
Medicare payers to determine whether a payment arrangement meets the 
Other Payer Advanced Alternative Payment Model (APM) criteria. These 
records will include payer identifying information, payment arrangement 
information, supporting documentation, and a certification statement.

RECORD SOURCE CATEGORIES:
    The sources of the records covered by this system of records are 
(1) clinicians, (2) third party data submitters, and (3) individuals 
who submit data for clinicians or third party data submitters.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    A. These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
disclose records from the Quality Payment Program to a party outside 
HHS without the prior, written consent of the individual to whom such 
information pertains.
    1. Records may be disclosed to agency contractors (including, but 
not limited to, Medicare Administrative Contractors (MACs), fiscal 
intermediaries, and carriers) that assist in the health operations of a 
CMS-administered health benefits program, to CMS consultants, or to a 
grantee of a CMS-administered grant program, who have been engaged by 
the agency to assist in accomplishment of a CMS function relating to 
the purposes for this system of records and who need to have access to 
the records in order to assist CMS. Such disclosures include (but are 
not limited to) disclosures deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct,

[[Page 6590]]

remedy, or otherwise combat fraud, waste, or abuse in such program.
    2. Records may be disclosed to another Federal or state agency to 
the extent deemed necessary to: (a) Contribute to the accuracy of CMS' 
proper payment of Medicare benefits; (b) enable such agency to 
administer a Federal health benefits program, or as necessary to enable 
such agency to fulfill a requirement of a Federal statute or regulation 
that implements health benefit programs funded in whole or in part with 
Federal funds; and/or (c) assist state Medicaid programs which may 
require Quality Payment Program information.
    3. Clinician-level performance measurement results may be made 
available to the public, through Physician Compare, as defined via 
regulation, either on public profile pages or via the Downloadable 
Database housed on data.medicare.gov for the purpose of promoting more 
informed health care choices for people with Medicare.
    4. Records may be disclosed to MIPS-eligible clinicians and 
eligible entities in order to provide them with expert feedback, and 
records may be disclosed to CMS authorized entities participating in 
health care transparency projects.
    5. Records may be disclosed to organizations that assist consumers 
in comparing the quality and price of health care services, and/or that 
use such information for purposes related to prevention of disease or 
disability, or restoration or maintenance of health.
    6. Records may be disclosed to organizations for research, 
evaluation, and projects involving payment issues.
    7. Records may be disclosed to Beneficiary and Family Centered Care 
(BFCC)-QIOs, Quality Innovation Network-QIOs (QIN-QIOs), the Small, 
Underserved, and Rural Support (SURS) technical assistance contractors, 
and the Practice Transformation Networks (PTNs) under the Transforming 
Clinical Practice Initiative (TCPI) for purposes of: (a) Identifying 
clinicians who are included in the Quality Payment Program, 
specifically the MIPS track, based on the low-volume threshold; (b) 
determining the appropriate form of Technical Assistance based on 
practice size and clinician need; (c) providing eligibility information 
to clinicians interested in forming a virtual group; (d) transitioning 
clinician referrals from the Quality Payment Program Service Center to 
the appropriate Technical Assistance channel; (e) performing proactive 
outreach and engagement activities for the purpose of helping MIPS 
eligible clinicians participate in the program; (f) developing 
educational tools and resources; (g) monitoring annual MIPS eligible 
clinician performance; (h) assessing future need based on a MIPS 
eligible clinician's Final Score; (i) tracking non-MIPS eligible 
clinicians who voluntarily report measures and activities to MIPS; and 
(j) assisting MIPS eligible clinicians transition into an Advanced APM.
    8. Records may be disclosed to the Department of Justice (DOJ), a 
court, or an adjudicatory body when: (a) The Agency or any component 
thereof, (b) any employee of the Agency in his or her official 
capacity, (c) any employee of the Agency in his or her individual 
capacity where the DOJ has agreed to represent the employee, or (d) the 
United States Government, is a party to litigation or has an interest 
in such litigation, and by careful review, CMS determines that the 
records are both relevant and necessary to the litigation.
    9. Records may be disclosed to another Federal agency or to an 
instrumentality of any governmental jurisdiction within or under the 
control of the United States (including any state or local governmental 
agency), that administers, or that has the authority to investigate 
potential fraud, waste, or abuse in, a health benefits program funded 
in whole or in part by Federal funds, when disclosure is deemed 
reasonably necessary by CMS to prevent, deter, discover, detect, 
investigate, examine, prosecute, sue with respect to, defend against, 
correct, remedy, or otherwise combat fraud, waste, or abuse in such 
programs.
    10. Records may be disclosed to appropriate agencies, entities, and 
persons when (a) HHS suspects or has confirmed that there has been a 
breach of the system of records; (b) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the Federal government, or national security; and (c) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS' efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    11. Records may be disclosed to another Federal agency or Federal 
entity, when HHS determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (a) responding to a suspected or confirmed breach or (b) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal government, or national 
security, resulting from a suspected or confirmed breach.
    12. Records may be disclosed to the U.S. Department of Homeland 
Security (DHS) if captured in an intrusion detection system used by HHS 
and DHS pursuant to a DHS cybersecurity program that monitors internet 
traffic to and from Federal government computer networks to prevent a 
variety of types of cybersecurity incidents.
    B. Additional Circumstances Affecting Routine Use Disclosures: To 
the extent this system contains Protected Health Information (PHI) as 
defined by HHS regulation ``Standards for Privacy of Individually 
Identifiable Health Information'' (45 CFR parts 160 and 164, Subparts A 
and E), disclosures of such PHI that are otherwise authorized by these 
routine uses may only be made if, and as, permitted or required by the 
``Standards for Privacy of Individually Identifiable Health 
Information'' (see 45 CFR 164.512(a)(1)).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records will be stored electronically or on magnetic media or 
paper.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The data collected on clinicians will be retrieved by the 
clinician's name, address, NPI, TIN/EIN and other identifying provider 
numbers. Information about third party data submitters who are 
individuals will be retrieved by name, address, and TIN/EIN. Records 
about contact persons will be retrieved by name, email address and 
business address. The data collected on Medicare beneficiaries (and any 
non-Medicare beneficiaries) will be retrieved by the beneficiary's 
name, Medicare beneficiary identifier (MBI), health insurance claim 
number (HICN), SSN, address, and date of birth.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    A records disposition schedule for the Quality Payment Program is 
pending submission to and approval by the National Archives and Records 
Administration (NARA); until NARA approval is obtained, CMS will retain 
the records indefinitely. CMS is proposing a retention period of 
approximately 10 years for these records under the NARA CMS Records 
Schedule: DAA-0440-2015-0009-0003. Any claims-related records that 
become encompassed by a document preservation order may be retained 
longer (i.e., until notification is received from the Department of 
Justice).

[[Page 6591]]

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards will conform to the HHS Information Security and Privacy 
Program, https://www.hhs.gov/ocio/securityprivacy/. 
Information will be safeguarded in accordance with applicable Federal 
laws and regulations and Federal, HHS, and CMS policies and standards, 
including, all pertinent National Institutes of Standards and 
Technology (NIST) publications, and OMB Circular A-130. Records will be 
protected from unauthorized access through appropriate administrative, 
physical, and technical safeguards. These safeguards include protecting 
the facilities where records are stored or accessed with security 
guards, badges, and cameras; securing hard-copy records in locked file 
cabinets, file rooms, or offices during off-duty hours; controlling 
access to physical locations where records are maintained and used by 
means of combination locks and identification badges issued only to 
authorized users; limiting access to electronic databases to authorized 
users based on roles and two-factor authentication (user ID and 
password); using a secured operating system protected by encryption, 
firewalls, and intrusion detection systems; requiring encryption for 
records stored on removable media; and training personnel in Privacy 
Act and information security requirements. Records that are eligible 
for destruction will be disposed of using secure destruction methods 
prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:
    An individual seeking access to a record about him or her in this 
system should write to the System Manager indicated above, who will 
require the individual's name and particulars necessary to distinguish 
between records on subject individuals with the same name, such as NPI 
or TIN. The requestor should also reasonably specify the record(s) to 
which access is sought. (These procedures are in accordance with 
Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:
    Any subject individual may request that his record be corrected or 
amended if he believes that the record is not accurate, timely, 
complete, or relevant or necessary to accomplish a Department function. 
A subject individual making a request to amend or correct his record 
shall address his request to the responsible System Manager as stated 
above, in writing. The subject individual shall specify in each 
request: (1) The system of records from which the record is retrieved; 
(2) The particular record which he is seeking to correct or amend; (3) 
Whether he is seeking an addition to or a deletion or substitution of 
the record; and, (4) His reasons for requesting correction or amendment 
of the record. (These procedures are in accordance with Department 
regulation 45 CFR 5b.7).

NOTIFICATION PROCEDURES:
    Individuals wishing to know if this system contains records about 
them should write to the System Manager indicated above and follow the 
same instructions under Record Access Procedures.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

[FR Doc. 2018-02933 Filed 2-13-18; 8:45 am]
 BILLING CODE 4120-03-P

