Medicare Program: Expanding Uses of Medicare Data by Qualified Entities

Federal Register, Volume 81 Issue 21 (Tuesday, February 2, 2016)

Proposed Rules

Pages 5397-5417

From the Federal Register Online via the Government Publishing Office www.gpo.gov

FR Doc No: 2016-01790

=======================================================================

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Part 401

CMS-5061-P

RIN 0938-AS66

Medicare Program: Expanding Uses of Medicare Data by Qualified Entities

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule would implement new statutory requirements that would expand how qualified entities may use and disclose data under the qualified entity program to the extent consistent with applicable program requirements and other applicable laws, including information, privacy, security and disclosure laws. In doing so, this proposed rule would explain how qualified entities may create non-public analyses and provide or sell such analyses to authorized users, as well as how qualified entities may provide or sell combined data, or provide Medicare claims data alone at no cost, to certain authorized users. This proposed rule would also implement certain privacy and security requirements, and impose assessments on qualified entities if the qualified entity or the authorized user violates the terms of a data use agreement (DUA) required by the qualified entity program.

DATES: To be assured consideration, comments must be received at one of the addresses provided below, no later than 5 p.m. on March 29, 2016.

ADDRESSES: In commenting, please refer to file code CMS-5061-P. Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission.

You may submit comments in one of four ways (please choose only one of the ways listed):

  1. Electronically. You may submit electronic comments on this regulation to http://www.regulations.gov. Follow the ``Submit a comment'' instructions.

  2. By regular mail. You may mail written comments to the following address only: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-5061-P, P.O. Box 8010, Baltimore, MD 21244-1850.

    Please allow sufficient time for mailed comments to be received before the close of the comment period.

  3. By express or overnight mail. You may send written comments to the following address only: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-5061-P, Mail Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.

  4. By hand or courier. Alternatively, you may deliver (by hand or courier) your written comments only to the following addresses prior to the close of the comment period:

    1. For delivery in Washington, DC--Centers for Medicare & Medicaid Services, Department of Health and Human Services, Room 445-G, Hubert H. Humphrey Building, 200 Independence Avenue SW., Washington, DC 20201.

      (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without Federal government identification, commenters are encouraged to leave their comments in the CMS drop slots located in the main lobby of the building. A stamp-in clock is available for persons wishing to retain a proof of filing by stamping in and retaining an extra copy of the comments being filed.)

    2. For delivery in Baltimore, MD--Centers for Medicare & Medicaid Services, Department of Health and Human Services, 7500 Security Boulevard, Baltimore, MD 21244-1850.

      If you intend to deliver your comments to the Baltimore address, call telephone number (410) 786-9994 in advance to schedule your arrival with one of our staff members.

      Comments erroneously mailed to the addresses indicated as appropriate for hand or courier delivery may be delayed and received after the comment period.

      For information on viewing public comments, see the beginning of the SUPPLEMENTARY INFORMATION section.

      FOR FURTHER INFORMATION CONTACT: Allison Oelschlaeger, (202) 690-8257. Kari Gaare, (410) 786-8612.

      SUPPLEMENTARY INFORMATION:

      Inspection of Public Comments: All comments received before the close of the comment period are available for viewing by the public, including any personally identifiable or confidential business information that is included in a comment. We post all comments received before the close of the comment period on the following Web site as soon as possible after they have been received: http://www.regulations.gov. Follow the search instructions on that Web site to view public comments.

      Comments received timely will also be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, at the headquarters of the Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule an appointment to view public comments, phone 1-800-743-3951.

      I. Background

        On April 16, 2015, the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (Pub. L. 114-10) was enacted. The law included a provision, Section 105, Expanding the Availability of Medicare Data, which takes effect on July 1, 2016. This section expands how qualified entities will be allowed to use and disclose data under the qualified entity program, including data subject to section 1874(e) of the Social Security Act (the Act), to the extent consistent with other applicable laws, including information, privacy, security and disclosure laws.

        The Qualified Entity program was established by Section 10332 of the Patient Protection and Affordable Care Act (Affordable Care Act) (Pub. L. 111-148). The implementing regulations, which became effective January 6, 2012, are found in subpart G of 42 CFR part 401 (76 FR 76542). Under those provisions, CMS provides standardized extracts of Medicare Part A and B claims data and Part D drug event data (hereinafter collectively referred to as Medicare claims data) covering one or more geographic regions to qualified entities at a fee equal to the cost of producing the data. Under the original statutory provisions, such Medicare claims data must be combined with other non-Medicare claims data and may only be used to evaluate the performance of providers and suppliers. The measures, methodologies and results that comprise such evaluations are subject to review and correction by the subject providers and suppliers, after which the results are to be disseminated in public reports.

        Those wishing to become qualified entities are required to apply to the program. Currently, thirteen organizations have applied and received approval to be a qualified entity. Of these organizations, two have completed public reporting while the other eleven are in various stages of preparing for public reporting. While we have been pleased with the participation in the program so far, we expect that the changes required by MACRA will increase interest in the program.

        Under section 105 of MACRA, effective July 1, 2016, qualified entities will be allowed to use the combined data and information derived from the evaluations described in 1874(e)(4)(D) of the Act to conduct non-public analyses and provide or sell these analyses to authorized users for non-public use in accordance with the program requirements and other applicable laws. In highlighting the need to comply with other applicable laws, we particularly note that any qualified entity that is a covered entity or business associate as defined in the Health Insurance Portability and Accountability Act of 1996 (``HIPAA'') regulations at 45 CFR 160.103 will need to ensure compliance with any applicable HIPAA requirements, including the bar on the sale of Protected Health Information.

        In addition, qualified entities will be permitted to provide or sell the combined data, or provide the Medicare claims data alone at no cost, again, in accordance with the program requirements and other applicable laws, to providers, suppliers, hospital associations, and medical societies. Qualified entities that elect to provide or sell analyses and/or data under these new provisions will be subject to an assessment if they or the authorized users to whom they disclose beneficiary identifiable data in the form of analyses or raw data act in a manner that violates the terms of a program-required Qualified Entity Data Use Agreement (QE DUA). Furthermore, qualified entities that make analyses or data available under these new provisions will be subject to new annual reporting requirements to aid CMS in monitoring compliance with the program requirements. These new annual reporting requirements will only apply to qualified entities that choose to provide or sell non-public analyses and/or provide or sell combined data, or provide Medicare claims data alone at no cost.

        We believe these changes to the qualified entity program will be important in driving higher quality, lower cost care in Medicare and the health system in general. We also believe that these changes will drive renewed interest in the qualified entity program, leading to more transparency regarding provider and supplier performance and innovative uses of data that will result in improvements to the healthcare delivery system while still ensuring appropriate privacy and security protections for beneficiary-identifiable data.

      II. Provisions of the Proposed Regulations

        To implement the new statutory provisions of section 105 of MACRA, we propose to amend and make conforming changes to Part 401 Subpart G, ``Availability of Medicare Data for Performance Measurement.'' Throughout the preamble, we identify options and alternatives to the provisions we propose. We strongly encourage comments on our proposed approach, as well as any alternatives.

        A. Non-Public Analyses

        Section 105(a)(1) of MACRA expands how qualified entities will be allowed to use and disclose the combined data and any information derived from the evaluations described in section 1874(e)(4)(D) of the Act. The section provides for such data's use and/or disclosure in additional non-public analyses that may be given or, in certain circumstances, sold to authorized users in accordance with program requirements and other applicable laws, including information, privacy, security, and disclosure laws. An authorized user is defined at Sec. 401.703(j) and the definition is discussed below in section II.C. The new proposals regarding the disclosure and/or sale of combined data or the disclosure of Medicare data at no cost are discussed below in section II.B.

        To implement the non-public analyses provisions, we propose to add a new Sec. 401.716. Under Sec. 401.716, paragraph (a) would provide for the qualified entity's use of the combined data or information derived from the evaluations described in section 1874(e)(4)(D) of the Act to create non-public analyses. Paragraph (b) would provide for the provision or sale of these analyses to authorized users in accordance with the program requirements discussed later in this section, as well as other applicable laws.

  1. Additional Analyses

    We propose at Sec. 401.703(q) to define combined data as a set of CMS claims data provided under subpart G combined with a subset of claims data from at least one of the other claims data sources described in Sec. 401.707(d). Sec. 401.707(d) requires qualified entities to submit to CMS information on the claims data it possesses from other sources, that is, any other provider-identifiable or supplier-identifiable data for which the qualified entity has full data usage rights. In defining the term in this manner, we are not proposing to establish a minimum amount of data that must be included in the combined data set from other sources, but, as we noted in our December 7, 2011 final rule (76 FR 76542), we believe that the requirement to use combined data is likely to lead to increased validity and reliability of the performance findings through the use of larger and more diverse samples. As such, we expect qualified entities will choose to use sufficient claims data from other sources to ensure such validity and reliability. That said, we recognize that there may be instances in which other sources of claims data (for example, Medicaid or private payer data) may be of limited value. For instance, depending on the other claims data a given qualified entity may hold, Medicare data may provide the best opportunity to conduct analyses on chronically ill or other resource-intensive populations that may not be commonly represented in other sources of claims data. Thus, while the statute requires the use of combined data for the analyses, it does not specify the minimum amount of data from other sources to qualify as combined data, and, as we believe it would be difficult to establish a threshold given the variability in the analyses that the qualified entities may conduct, we propose not to adopt any minimum standard for the amount of other sources of claims data that must be included in a combined data set. We are requesting comments on this proposal as well as suggestions for other possible alternatives or options.

  2. Limitations on the Qualified Entities With Respect to the Sale and Provision of Non-Public Analyses

    MACRA imposes a number of limitations on qualified entities with respect to the sale and provision of non-public analyses. It mandates that a qualified entity may not provide or sell non-public analyses to a health insurance issuer unless the issuer is providing the qualified entity with claims data under section 1874(e)(4)(B)(iii) of the Act. In doing so, the statute does not specify the minimum amount of data that the issuer must be providing to the qualified entity. We considered not imposing a threshold on the amount of data being provided by the issuer, but decided that specifying a threshold would encourage issuers to submit data to the qualified entity to be included in the public performance reports, increasing the reports' reliability and sample size. As a result, we propose at Sec. 401.716(b)(1) to limit qualified entities to only providing or selling non-public analyses to issuers after they provide the qualified entity with claims data that represents a majority of the issuers' covered lives in the geographic region and during the time frame of the non-public analyses requested by the issuer. For example, if an issuer requested non-public analyses using the combined data for the first 6 months of 2015 in Minnesota, it would need to provide the qualified entity with data that represents over 50 percent of the issuer's covered lives during those 6 months in Minnesota. We believe this threshold will ensure that issuers submit a large portion of their data to the qualified entity without requiring them to share data for their entire population in order to be eligible to receive non-public analyses. We seek comment on whether the threshold of a majority of the issuer's covered lives in the desired geographic area during the time frame covered by the non-public analyses requested by the issuer is too high or low, as well as other alternatives to specify the amount of data the issuer must provide to a qualified entity to be eligible to receive or purchase non-public analyses.

    Section 105(a)(3) of MACRA imposes additional requirements on the dissemination of non-public analyses or data that contain information that individually identify a patient. Because we define the term ``patient'' later in this section and in a manner that does not relate to de-identification of individually identifiable information, we will use the word beneficiary in relation to de-identification rather than patient. In light of these MACRA provisions, as well as our belief that protecting the privacy and security of beneficiaries' information is of the utmost importance and our belief that identifiable information on individual beneficiaries would generally not be needed by authorized users, we propose to impose limits on the content of the non-public analyses. In doing so, we recognize that when non-public analyses are provided or sold to a provider or supplier, individually identifying information such as name, age, gender, or date of birth may be essential for the provider or supplier to proactively use the information gleaned from the analyses. For example, a provider may not know who a patient is based on the unique identifier assigned by the payer and as a result would not be able to use the analyses to improve care or better coordinate care with other providers for that patient. In addition, there is a high likelihood that providers may have patients with the same or similar names, so age or date of birth may be necessary to identify the patient in the analyses. We therefore propose at Sec. 401.716(b)(2) to limit the provision or sale of non-public analyses that individually identify a beneficiary to providers or suppliers with whom the subject individual(s) have established a patient relationship.

    While the term ``patient'' is commonly used in the provision of healthcare, reasonable minds may differ on the periodicity with which an individual must have contact with a provider or supplier to maintain a ``patient'' relationship. Depending on individual practice or applicable laws, a person may still be considered a patient of a provider or supplier even though a number of years have passed since they were seen or provided services by the provider or supplier. However, when the individual has not visited a provider or supplier in a number of years, analyses that contain individually identifiable information about that patient may not be very useful, as any care coordination or quality improvement efforts would, presumably, require continued contact with that patient. Therefore, for the purposes of this program, we propose to define patient as an individual who has visited the provider or supplier for a face-to-face or telehealth appointment at least once in the past 12 months. This definition is similar to that used in the Medicare Shared Savings Program which assigns beneficiaries to Accountable Care Organizations based on services delivered in the past 12 months. We also believe this definition will ensure that providers and suppliers are able to receive information about patients they are actively treating. We seek comments on this proposal, particularly any beneficiary concerns if we were to implement this proposal, and any reasonable alternatives to this proposal that might address those concerns.

    Except when patient-identifiable non-public analyses are shared with the patient's provider or supplier as described above, we propose at Sec. 401.716(b)(3) to require that all non-public analyses must be beneficiary de-identified using the de-identification standards in the HIPAA Privacy Rule at 45 CFR 164.514(b). De-identification under this standard requires the removal of specified data elements or reliance on a statistical analysis that concludes that the information is unlikely to be able to be used alone or in combination with other available information to identify/re-identify the patient subjects of the data. The statistical de-identification approach may be more difficult because an entity may not have access to an expert capable of performing the analysis in accordance with HIPAA Rules, but we believe that the protections afforded by HIPAA-like standards of de-identification are appropriate, as HIPAA has, in many ways, established a reasoned and appropriate privacy and security floor for the health care industry. That said, the framework for de-identification that is laid out in the HIPAA Privacy Rule represents a widely accepted industry standard for de-identification, so we think its concepts are appropriate for adoption into this program. Additional information on the HIPAA de-identification standards can be found on the HHS Office for Civil Rights Web site at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.

    We seek comment on this proposal and whether another set of de-identification standards would be more appropriate to ensure that non-public analyses do not contain information that individually identifies a beneficiary, except as provided for above where the individual is a patient of the provider or supplier who is receiving the analyses, and how qualified entities that are HIPAA-covered entities could comply with such alternate qualified entity program standards while still meeting any applicable HIPAA obligations.

    In addition, section 105(a)(6) of MACRA preserves providers' and suppliers' opportunity to review analyses (now including non-public analyses) that individually identify the provider or supplier. As such, we propose at Sec. 401.716(b)(4) to bar qualified entities' disclosure of non-public analyses that individually identify a provider or supplier unless: (a) The analysis only individually identifies the singular recipient of the analysis or (b) each provider or supplier who is individually identified in a non-public analysis that identifies multiple providers/suppliers has been afforded an opportunity to review the aspects of the analysis about them, and, if applicable, request error correction. We describe the proposed appeal and error correction process in more detail in section II.A.4 below.

  3. Limitations on the Authorized User

    While CMS has been granted statutory authority to impose requirements and limitations on the qualified entity, it has limited authority to oversee authorized users. As such, this proposed regulatory scheme is generally structured to require the qualified entity to ensure authorized users' compliance with the concepts laid out in MACRA through contractual means. In keeping with this, we propose at Sec. 401.716(b)(2) and Sec. 401.716(c) to require the qualified entity's use of legally binding agreements with any authorized users to whom it provides or sells the non-public analyses.

    Types of Legally Binding Agreements

    For non-public analyses that include patient identifiable data, we propose at Sec. 401.716(b)(2) to require the qualified entity to enter into a QE DUA with any authorized users as a pre-condition to providing or selling such non-public analyses. As we are also proposing to require use of the QE DUA in the context of the provision or sale of combined data, or the provision of Medicare data at no cost, we discuss the QE DUA in the data disclosure discussion in section II.B below. For non-public analyses that include beneficiary de-identified data, we propose at Sec. 401.716(c) to require the qualified entity to enter into a contractually binding non-public analyses agreement with any authorized users as a pre-condition to providing or selling such non-public analyses. A discussion of the proposed requirements for the non-public analyses agreements follows in this section.

    We believe that the use of the non-public analyses agreement when authorized users receive non-public analyses containing de-identified data and the QE DUA when authorized users receive non-public analyses that contain patient identifiable information are the best mechanisms for ensuring that both qualified entities and authorized users are aware of and compliant with the data use and disclosure limitations established by MACRA. We seek comment on whether the non-public analyses agreement and the QE DUA are the best mechanisms to ensure compliance with these restrictions given the authorities established by MACRA.

    Requirements in the Non-Public Analyses Agreement

    The statute generally allows qualified entities to provide or sell their non-public analyses to authorized users for non-public use, but it bars use or disclosure of such analyses for marketing (see section 105(a)(3)(c) of MACRA). Such analyses therefore may include, but would not be limited to analyses intended to assist providers' and suppliers' development of, and participation in, quality and patient care improvement activities, including development of new models of care. But, while many types of non-public analyses could lead to improvements in the health care delivery system, certain types of analyses could cause harm to patients or lead to additional fraud and/or abuse concerns for the delivery system. Therefore, despite the breadth of the statutory authority, we believe it is important to establish additional limits on the non-public analyses, given the expansive types of non-public analyses that could be conducted by the qualified entities if no limits are placed on such analyses, and the potential deleterious consequences of some such analyses.

    With this in mind, we propose at Sec. 401.716(c)(1) that the non-public analyses agreement require that non-public analyses conducted using combined data or the information derived from the evaluations described in section 1874(e)(4)(D) of the Act may not be used or disclosed for the following purposes: marketing, harming or seeking to harm patients and other individuals both within and outside the healthcare system regardless of whether their data are included in the analyses (for example, an employer using the analyses to attempt to identify and fire employees with high healthcare costs), or effectuating or seeking opportunities to effectuate fraud and/or abuse in the healthcare system (for example, a provider using the analyses to identify ways to submit fraudulent claims that might not be caught by auditing software).

    Rather than developing a new definition for marketing under this program, we propose at Sec. 401.703(s) to generally define marketing using the definition at 45 CFR 164.501 in the HIPAA Privacy Rule. Under this definition, marketing means making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. In doing so, we note that the HIPAA Privacy Rule also includes a general restriction on use of an individual's Protected Health Information (PHI) for marketing. Given the similarities between the use and disclosure of PHI under HIPAA and the data sharing limitations under this program, we believe the definition of marketing in HIPAA should also generally be used for this program, but, given the categorical statutory bar on marketing in this program, we are not proposing a consent exception to the bar like that seen in the HIPAA Privacy Rule. We also believe that use of this HIPAA definition as modified will simplify compliance with the qualified entity program requirements, especially decisions regarding what is and is not considered marketing. We seek comment on the proposal to use this definition as modified from HIPAA for the purposes of this program.

    The proposed restrictions on using analyses and/or derivative data, meaning data gleaned from the analyses, that would or could be used to exploit patients or other individuals or to effectuate fraud and/or abuse in the healthcare system are intended to ensure that the analyses are unlikely to result in physical or financial harm to patients or other individuals within or outside the health care delivery system. We seek comments on these proposals as well as whether there are other restrictions that should be imposed to limit potential physical or financial harm to patients or other individuals within or outside the healthcare system.

    Section 105(a)(1)(B)(i) of MACRA requires that any non-public analyses provided or sold to an employer may only be used by the employer for the purposes of providing health insurance to employees and retirees of the employer. We believe this limit should also apply to ``dependents'' of either category whenever the employer offers coverage for family members who are neither employees nor retirees. As such, we further propose that if the qualified entity is providing or selling non-public analyses to an employer that this requirement be included in the non-public analyses agreement. We seek comment on whether the resulting non-public analyses agreement between the qualified entity and the employer is the best mechanism to ensure compliance with this restriction given the authorities established by MACRA.

    The statute also contains limitations on the re-disclosure of non-public analyses provided or sold to authorized users at section 105(a)(5) of MACRA. Under that provision, re-disclosure is limited to authorized users who are a provider or supplier. Furthermore, these providers and suppliers are to limit any re-disclosures to instances in which the recipient would use the non-public analyses for provider/supplier ``performance improvement.'' As many if not most providers and suppliers that receive non-public analyses from the qualified entity will be HIPAA-covered entities, we propose to limit performance improvement re-disclosures to those that would support quality assessment and improvement, and care coordination activities by or on behalf of the eligible downstream provider or supplier. For example, providers may need to share the non-public analyses or derivative data with someone working on their behalf to carry out such quality assessment and improvement or care coordination activities. That is, if they are a HIPAA-covered entity, they may wish to share the non-public analyses or derivative data with their business associate. Such a scenario could arise when a consultant is hired to assist the provider/supplier in interpreting the non-public analyses, or in determining what changes in the delivery of care are needed to assess or improve the quality of care, or to better coordinate care. Another example is if the provider or supplier wants to share the non-public analyses with other treating providers/suppliers for quality assessment and improvement or care coordination purposes.

    In addition, especially under circumstances in which patient identifiable data is included in the non-public analysis, we recognize that there are instances in which a provider or supplier may be required to produce information to a regulatory authority as required by a statute or regulation. For example, a HIPAA-covered entity may be required to produce PHI to the Secretary for purposes of an investigation of a potential HIPAA violation. Therefore, for purposes of this qualified entity program, we propose to adopt the HIPAA definition of ``required by law'' at 45 CFR 164.103 so as to allow for such mandatory disclosures. As defined at 45 CFR 164.103, ``required by law'' means any mandate in law that compels an entity to make a use or disclosure of PHI that is enforceable in a court of law (including disclosures compelled by court order, statute, or regulation). An example would be a court order to turn over medical records as part of litigation. Another common example would be disclosures required by the regulations governing the submission of a claim for payment for Medicare fee-for-service covered services.

    As a result, we propose at Sec. 401.716(c)(3)(i) to require qualified entities to include in the non-public analysis agreement a requirement to limit re-disclosure of non-public analyses or derivative data to instances in which the authorized user is a provider or supplier, and the re-disclosure is as a covered entity would be permitted under 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Accordingly, a qualified entity may only re-disclose individually identifiable health information to a covered entity for the purposes of the covered entity's quality assessment and improvement or for the purposes of care coordination activities, where that entity has a patient relationship with the individual who is the subject of the information, or to a business associate of such a covered entity under a written contract as defined at 45 CFR 164.502(e)(1). Furthermore, as section 105(a)(5)(A) of MACRA states that the analyses generally may not be re-disclosed or released to the public, we generally propose at Sec. 401.716(c)(3)(ii) to require qualified entities to use non-public analyses agreements to explicitly bar authorized users from any other re-disclosure of the non-public analyses or any derivative data except to the extent a disclosure qualifies as a ``required by law'' disclosure. We seek comment on our proposal to require qualified entities to contractually limit re-disclosures of beneficiary de-identified non-public analyses or any derivative data other than as described above.

    As discussed above, the non-public analyses agreement can only be used in the disclosure of analyses that include beneficiary de-identified data. However, even though the analyses subject to a non-public analyses agreement are beneficiary de-identified, we believe that additional restrictions on the authorized user are necessary to ensure appropriate privacy and security protections for our beneficiaries. We therefore propose at Sec. 401.716(c)(5) to require qualified entities to impose a legally enforceable bar on the authorized user's use or disclosure of any non-public analyses (or data or analyses derived from such non-public analyses) to re-identify or attempt to re-identify any individual whose data is included in the analyses or any derivative data. We believe this additional level of privacy and security protection is necessary to protect beneficiaries. We seek comment on this proposal.

    Finally, we propose at Sec. 401.716(d)(6) to require qualified entities to use their non-public analyses agreements to bind their non-public analyses recipients to reporting any violation of the terms of that non-public analyses agreement to the qualified entity. As explained below in Section D, qualified entities will be expected to report on these violations as part of their annual reporting to CMS. Even though the analyses covered by the non-public analyses agreement will be de-identified, due to the risk of re-identification of beneficiary information, we still believe that this requirement is essential to our ability to monitor and ensure the privacy and security of beneficiary information. We seek comment on these proposals.

  8. Confidential Opportunity To Review, Appeal, and Correct Analyses

    As noted briefly above, section 105(a)(6) of MACRA directs us to ensure that qualified entities provide providers and suppliers who are individually identified in a non-public analysis with an opportunity to review and request corrections before the qualified entity provides or sells the non-public analyses to an authorized user. But, as noted above, we have proposed one exception to this general rule in cases where the analysis only individually identifies the (singular) provider or supplier who is being provided or sold the analysis. In all other cases, we propose that the qualified entity must follow the confidential review, appeal, and error correction requirements in section 1874(e)(4)(C)(ii) of the Act.

    Specifically, we propose at Sec. 401.717(f) that a qualified entity generally must comply with the same error corrections process and timelines as are required for public performance reporting before disclosing non-public analyses. This process includes confidentially sharing the measures, measure methodologies and measure results that comprise such evaluations with providers and suppliers at least 60 calendar days before providing or selling the analyses to one or more authorized users. During these 60 calendar days, the provider or supplier may make a request for the Medicare claims data and beneficiary names that may be needed to confirm statements about the care that they delivered to their patients. If the provider or supplier requests such data, the qualified entity must release the Medicare claims and beneficiary names relevant to what is said about the requesting provider/supplier in the draft non-public analyses. We believe that for many providers and suppliers, a beneficiary's name will be of more practical use in determining the accuracy of analyses than the underlying claims used in the analyses. The sharing of such data must be done via a secure mechanism that is suitable for transmitting or providing access to individually identifiable [[Page 5402]] health information. The qualified entity also must ensure that the provider or supplier has been notified of the date on which the analyses will be shared with the authorized user. If any requests for error correction are not resolved by the date on which the analyses are to be shared, the qualified entity may release the analyses, but must inform the authorized user that the analyses are still under appeal, and the reason for the appeal.

    We believe that the process we established for review and error correction for public performance reporting finds the right balance between allowing providers and suppliers the opportunity to review the non-public analyses while also ensuring that the information is disseminated in a timely manner. However, we have had limited public reporting thus far to confirm this. Furthermore, using the same process for review and error correction for non-public analyses and the public reports creates continuity and a balance between the needs and interests of providers and suppliers and those of the qualified entities, authorized users and the public. We also believe that using the same timeframes and requirements will simplify the review process for providers and suppliers. We seek comment on our proposal generally to require qualified entities to comply with the same error corrections process and timelines as are required for public performance reporting when sharing analyses that individually identify a provider or supplier.

    Although we do not believe that we have statutory authority to require it given that section 1874(e) of the Act only covers the disclosure of Medicare claims data, to the extent permitted by applicable law, we strongly encourage qualified entities to also share the claims data from other sources with providers and suppliers if they ask for the underlying data used for the analyses.

    B. Dissemination of Data and the Use of QE DUAs for Data Dissemination and Patient-Identifiable Non-Public Analyses

    Subject to other applicable law, section 105(a)(2) of MACRA expands the permissible uses and disclosures of data by a qualified entity to include providing or selling combined data for non-public use to certain authorized users, including providers of services, suppliers, medical societies, and hospital associations. Subject to the same limits, it also permits a qualified entity to provide Medicare claims data for non-public use to these authorized users; however, a qualified entity may not charge a fee for providing such Medicare claims data. But, in order to provide or sell combined data or Medicare data, section 501(a)(4) of MACRA instructs the qualified entity to enter into a DUA with their intended data recipient(s).

  9. General Requirements for Data Dissemination

    To implement these provisions in MACRA, we propose at Sec. 401.718(a) to provide that, subject to other applicable laws (including applicable information, privacy, security and disclosure laws) and certain defined program requirements, including that the data be used only for non-public purposes, a qualified entity may provide or sell combined data or provide Medicare claims data at no cost to certain authorized users, including providers of services, suppliers, medical societies, and hospital associations. Where a qualified entity is a HIPAA-covered entity or is acting as a business associate, compliance with other applicable laws will include the need to ensure that it fulfills the requirements under the HIPAA Privacy Rule, including the bar on the sale of PHI.

    We note that we propose definitions for authorized user, medical societies, and hospital associations in section II.C below, and have already proposed a definition for combined data in section II.A above.

  10. Limitations on the Qualified Entity Regarding Data Disclosure

    The statute places a number of limitations on the sale or provision of combined data and the provision of Medicare claims data by qualified entities, including generally barring the disclosure of beneficiary identifiable data obtained through the qualified entity program. Therefore, in keeping with our other proposals at Sec. 401.716(b)(3), we propose at Sec. 401.718(b)(1) to generally require that any combined data or Medicare claims data that is provided to an authorized user by a qualified entity under subpart G be beneficiary de-identified in accordance with the de-identification standards in the HIPAA Privacy Rule at 45 CFR 164.514(b). As noted above, we believe that the HIPAA Privacy Rule de-identification standard represents a widely accepted industry standard for de-identification, so we think its concepts are appropriate for adoption under the qualified entity program.

    We do recognize, however, that providers or suppliers with current treatment relationships with the patient subjects of such data may desire and benefit from receiving data that contains individually identifiable information about those patients. Therefore, we also propose an exception at Sec. 401.718(b)(2) that would allow a qualified entity to provide or sell patient identifiable combined data and/or provide patient identifiable Medicare claims data at no cost to an individual or entity that is a provider or supplier if the provider or supplier has a patient relationship with every patient about whom individually identifiable information is provided and the disclosure is consistent with applicable law.

    MACRA also requires qualified entities to bind the recipients of their data to a DUA that will govern the use and, where applicable, re-disclosure of any data received through this program prior to the provision or sale of such data to an authorized user. Therefore, we further propose at Sec. 401.718(c), to require that a qualified entity impose certain contractually binding use/re-disclosure requirements as a condition of providing and/or selling combined data and/or providing Medicare claims data to an authorized user. The following section provides the proposed requirements for such DUAs between qualified entities and authorized users.

  11. Data Use Agreement

    Section 501(a)(4) of MACRA requires execution of a DUA as a precondition to a qualified entity's provision or sale of data to an authorized user. The DUA must address the use and, if applicable, re-disclosure of the data, and the applicable privacy and security requirements that must be established and maintained by or for the authorized user. The statute also imposes a number of other limitations on the authorized user. But, while CMS has authority to impose requirements on the qualified entity, we must rely upon the qualified entity to impose legally enforceable obligations on the authorized users.

    Therefore, in Sec. 401.713(a), we propose certain clarifying changes that will recognize that there are now two distinct DUAs in the qualified entity program--the CMS DUA, which is the agreement between CMS and a qualified entity, and what we will refer to as the QE DUA, which will be the legally binding agreement between a qualified entity and an authorized user. We are not proposing any changes to the requirements for the CMS DUA, but rather are clarifying that there are now two DUAs--the CMS DUA and the QE DUA.

    Furthermore, in Sec. 401.713(d), we propose a number of provisions that address the privacy and security of the combined data and/or the Medicare [[Page 5403]] claims data and/or non-public analyses that contain patient identifiable data. These provisions require the qualified entity to condition the disclosure of data on the imposition of contractually binding limits on the permissible uses and re-disclosures that can be made of the combined data and/or the Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data. Such contractually binding provisions would be included in the QE DUA.

    First, we propose to require that the QE DUA contain certain limitations on the authorized user's use of the combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data. In Sec. 401.713(d)(1), we propose that the QE DUA limit authorized users' use of the combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data to the purposes described in the first or second paragraph of the definition of ``health care operations'' under 45 CFR 164.501, or that which qualifies as ``fraud and abuse detection or compliance activities'' under 45 CFR 164.506(c)(4). If finalized, this means that authorized users would only be permitted to use the combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data provided by the qualified entity for quality assessment and improvement activities, care coordination activities, including the review of provider or supplier performance, and/or for fraud, waste, and abuse detection and compliance purposes. We believe these uses need to be permitted to support quality improvement and care coordination activities, as well as efforts to ensure fraud, waste, and abuse detection and compliance, and that these uses should encompass the full range of activities for which the authorized users will legitimately need the combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data. We also propose to require that all other uses and disclosures of combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data be forbidden except to the extent a disclosure qualifies as a ``required by law'' disclosure.

    The statute also prohibits the authorized user from using the combined data and/or Medicare claims data for marketing purposes. We therefore propose at Sec. 401.713(d)(2) to require qualified entities to use the QE DUA to contractually prohibit the authorized users from using the combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data for marketing purposes. As noted above, we propose to define ``marketing'' as it is defined in the HIPAA Privacy Rule, but, given the statutory bar, we do not propose to adopt an exception to the bar for ``consent''-based marketing. As noted above, HIPAA provides well-recognized standards for the appropriate use and disclosure of certain individually identifiable health information, and we believe that the HIPAA definition for ``marketing'' is appropriate for the qualified entity program as well. For additional information and guidance on the HIPAA Privacy Rule, including guidance on what constitutes marketing, please visit the HHS Office for Civil Rights Web site at http://www.hhs.gov/ocr/privacy/.

    Furthermore, we propose to require qualified entities' use of the QE DUA to address minimum privacy and security standards. CMS is committed to protecting the privacy and security of beneficiary-identifiable data when it is disseminated, including when it is in the hands of authorized users. This is especially important as there are no guarantees that authorized users will be subject to the HIPAA Privacy and Security Rules. Therefore, we propose at Sec. 401.713(d)(3) to require qualified entities to contractually bind authorized users using the QE DUA to protect patient identifiable combined data and/or Medicare data, any patient identifiable derivative data, and/or non-public analyses that contain patient identifiable data, with at least the privacy and security protections that would be required of covered entities and their business associates under HIPAA Privacy and Security Rules. Additional guidance on the Security rule can be found on the Office for Civil Rights Web site at http://www.hhs.gov/ocr/privacy/hipaa/. Such protections would apply when using, disclosing, or maintaining patient identifiable data, regardless of whether the authorized user is a HIPAA Covered Entity or business associate. In addition, we propose to require that the QE DUA contain provisions that require that the authorized user maintain written privacy and security policies and procedures that ensure compliance with these HIPAA-based privacy and security standards and the other standards required under this subpart for the duration of the QE DUA, or for so long as they hold combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data that was subject to the QE DUA, should return/destruction of the combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data not be feasible as of the expiration of the QE DUA.

    Furthermore, we propose to require that QE DUA provisions detailing such policies and procedures survive termination of the QE DUA, whether for cause or not. We believe that requiring compliance with these HIPAA Privacy and Security Rule concepts outside of the HIPAA context will provide the needed protection for the combined data, Medicare claims data, and/or non-public analyses that contain patient identifiable data and/or any derivative data provided or sold to authorized users under the qualified entity program.

    We also propose at Sec. 401.713(d)(7) to require that the qualified entity use the QE DUA to contractually bind an authorized user as a condition of receiving combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data under the qualified entity program to notify the qualified entity of any violations of the QE DUA. Violations might include reportable breaches of data, such as those defined in the HIPAA Breach Rule, or other violations of QE DUA provisions. The QE DUA also will require the authorized user to fully cooperate in the qualified entity's effort to mitigate any harm that may result from such violations, as well as any assistance the qualified entity may request to fulfill the qualified entity's obligations under this subpart.

    We request comment on whether the proposed privacy and security requirements are appropriate and adequate, or whether there are more appropriate standards or additional protections that are advisable.

    MACRA section 105(a)(5) directs that any combined data, Medicare claims data, and/or non-public analyses that contain patient identifiable data and/or any derivative data provided or sold under this program to authorized users is to be non-public, and it requires the imposition of re-disclosure limitations on authorized users. Under those provisions, qualified entities may only permit providers and suppliers to re-disclose combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data for the [[Page 5404]] purposes of performance improvement and care coordination. We propose to require qualified entities to include provisions in their QE DUA that contractually limit the re-disclosure and/or linking of combined data, Medicare claims data, and/or non-public analyses that contain patient identifiable data and/or any derivative data provided or sold under this program.

    We therefore propose at Sec. 401.713(d)(4) to require that the qualified entity include a provision in its QE DUAs that prohibits the authorized user from re-disclosing or making public any combined data, Medicare claims data, and/or non-public analyses that contain patient identifiable data and/or any derivative data subject to QE DUA except as provided under the QE DUA. Furthermore, we propose at Sec. 401.713(d)(5) to require that the qualified entity use the QE DUA to limit providers' and suppliers' re-disclosures to a covered entity pursuant to 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Therefore, a provider or supplier would only be permitted to re-disclose combined data, Medicare claims data, and/or non-public analyses that contain patient identifiable data and/or any derivative data, subject to the QE DUA, to a covered entity for activities focused on quality assessment and improvement, including the review of provider or supplier performance or a business associate of the provider or supplier. We also propose to require re-disclosure when required by law. We propose these limitations in an effort to ensure that the combined data, Medicare claims data, and/or non-public analyses that contain patient identifiable data will be protected in the hands of the downstream entity despite these regulations not reaching such individuals/entities directly. We believe that limiting downstream re-disclosures to entities that are subject to the HIPAA Privacy and Security rules will ensure that the combined data and/or Medicare claims data and/or non-public analyses that contain patient identifiable data and/or any derivative data is appropriately maintained, used, and disclosed. We seek comment on whether the proposed re-disclosure requirements should be more restrictive or should be broadened to allow for additional re-disclosure.

    We also propose to require qualified entities to impose a contractual bar using their QE DUA on the downstream recipients' linking of the re-disclosed combined data, Medicare claims data, and/or non-public analyses that contain patient identifiable data and/or any derivative data to any other identifiable source of information. The only exception to this general policy would be if a provider or supplier were to receive identifiable information limited to their/its own patients. We request comment on whether an authorized user should be permitted to link combined data, Medicare claims data, and/or non-public analyses that contain patient identifiable data and/or any derivative data with other data sources, and whether the proposed provisions are adequate to protect the privacy and security of the combined data, Medicare claims data, and/or non-public analyses that contain patient identifiable data and/or any derivative data given to downstream users.

    C. Authorized Users

  12. Definition of Authorized User

    As discussed above, section 105(a)(1) of MACRA permits qualified entities to provide or sell non-public analyses to authorized users. In addition, section 105(a)(2) of MACRA permits qualified entities to provide or sell combined data, or to provide Medicare data at no cost, only to certain authorized users. These include providers, suppliers, medical societies, and hospital associations.

    Section 105(a)(9)(A) of MACRA defines authorized users as:

    (i) A provider of services.

    (ii) A supplier.

    (iii) An employer (as defined in section 3(5) of the Employee Retirement Insurance Security Act of 1974).

    (iv) A health insurance issuer (as defined in section 2791 of the Public Health Service Act).

    (v) A medical society or hospital association.

    (vi) Any entity not yet described in clauses (i) through (v) that is approved by the Secretary (other than an employer or health insurance issuer not described in clauses (iii) and (iv), respectively, as determined by the Secretary).

    We propose a definition for authorized user at Sec. 401.703(k) that is consistent with these statutory provisions. Specifically, we define an authorized user as: (1) A provider; (2) a supplier; (3) an employer; (4) a health insurance issuer; (5) a medical society; (6) a hospital association; (7) a health care professional association; or (8) a state agency.

    We also propose definitions for entities that are authorized users, but are not yet defined within this subpart. Therefore, we propose definitions for employer, health insurance issuer, medical society, hospital association, a healthcare professional association, and a state agency.

  13. Definition of Employer

    We have proposed a definition for employer at Sec. 401.703(k) that is consistent with existing statutory provisions. Specifically, we propose to define an employer as having the same meaning as the term ``employer'' defined in section 3(5) of the Employee Retirement Insurance Security Act of 1974. Under that provision, an employer means any person acting directly as an employer, or indirectly in the interest of an employer, in relation to an employee benefit plan; and includes a group or association of employers acting for an employer in such capacity.

  14. Definition of Health Insurance Issuer

    We have also proposed a definition for health insurance issuer at Sec. 401.703(l) that is consistent with existing statutory provisions. Specifically, we propose to define a health insurance issuer as having the same meaning as the term ``health insurance issuer'' defined in section 2791(b)(2) of the Public Health Service Act. Under that provision, health insurance issuer means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan.

  15. Definition of ``Medical Society''

    We propose to define ``medical society'' at Sec. 401.703(m) as a nonprofit organization or association that provides unified representation for a large number of physicians at the national or state level and whose membership is comprised of a majority of physicians.

    We conducted extensive research to develop this definition, including reviewing mission statements of national and state healthcare professional associations and medical societies, as well as state laws. While we were unable to identify a commonly recognized definition of ``medical society,'' our research did reveal a number of common themes that shaped our proposed definition of medical society.

    We propose to define medical society as comprised of a majority of physicians, based on state law definitions around the practice of medicine. Although medical societies may also include non-physician members, due to the strong emphasis on physicians as practitioners of medicine, we propose that a medical society's [[Page 5405]] membership must be comprised of a majority of physicians. Medical societies often serve as the consensus voice of their members in matters related to their profession, the patient-physician relationship, and other issues pertaining to the practice of medicine. Therefore, we propose that medical societies be at the national or state level as we believe these larger groups will have the capacity to act on the data and analyses available through this program, and to do so in accordance with the statute and the implementing regulations.

    While we recognize that there are many local medical societies (for example, regional and county) performing similar functions to their national and state counterparts, we propose to maintain the definition of a medical society at the national or state level to reduce redundancy in the dissemination of data. State societies often serve as federations of local medical societies, and therefore, any use of the data by state societies could benefit their constituent local organizations.

    We also propose that these organizations be nonprofit as many of the existing medical societies are nonprofit organizations. In addition, because medical societies will be eligible to receive non-public analyses and data, we believe it is important that these entities be nonprofit to ensure that data provided under this program are used to support quality improvement and assessment activities with their members rather than for profit driven purposes.

  16. Definition of ``Hospital Association''

    We propose to define a ``hospital association'' at Sec. 401.703(n) as a nonprofit organization or association that provides unified representation for a large number of hospitals or health systems at a national or state level and whose membership is comprised of a majority of hospitals and health systems.

    For purposes of this definition, we propose to give hospitals the same meaning as SSA Sec. 1861(e), 42 U.S.C. 1395x(e). We propose to include health systems in this definition as our review of national and state hospital associations' member lists revealed that these larger organizations (that are generally comprised of healthcare facilities, such as surgical centers and long-term care facilities, as well as hospitals) were members. Due to their membership status in existing hospital associations, we find it appropriate to propose their inclusion into this definition. Hospital associations often serve as the consensus voice of their members in matters related to their facilities, quality and affordability of services, and other issues regarding the provision of health care. Therefore, we propose that hospital associations at the national or state level be included in this definition as we believe that these larger groups will have the capacity to act on the data, and to do so in accordance with the statute and implementing regulations.

    While we recognize that there are many local hospital associations (for example, regional and county) performing similar functions to their national and state counterparts, we proposed to maintain the definition at the national or state level to reduce redundancy. State-level hospital associations are often affiliated with those local associations, and therefore, any use of the data by state hospital associations could benefit those affiliated associations.

    We also propose that these organizations be nonprofit as many of the existing hospital associations are nonprofit organizations. In addition, because hospital associations will be eligible to receive non-public analyses and data, we believe it is important that these entities be nonprofit to ensure that data provided under this program are used to support quality improvement and assessment activities with their members rather than for profit driven purposes.

  17. Definition of ``Healthcare Provider and/or Supplier Association''

    We recognize that within the field of health care, there are many other suppliers and providers beyond physicians, hospitals, and health systems. These entities also form organizations for the betterment of their professions and to improve the quality of patient care. We believe these types of entities would also benefit from the opportunity to purchase or receive non-public analyses and data from qualified entities.

    While the term ``healthcare professional association'' is not specifically included in the definition of authorized user, the Secretary, in the exercise of her discretion pursuant to 105(a)(9)(A)(vi) of MACRA, proposes to include these organizations as authorized users. Therefore, we propose to define ``healthcare provider and/or supplier association'' at Sec. 401.703(o) as a nonprofit organization or association that represents suppliers and providers at the national or state level and whose membership is comprised of a majority of suppliers or providers. Similar to the themes that emerge for medical societies and hospital associations, we believe these organizations and associations often serve as the consensus voice of their members in matters related to their respective professions, and that representation at the national or state level is most appropriate as we believe that these larger groups will have the capacity to act on the data and analyses available through this program, and to do so in accordance with the statute and the implementing regulations.

  18. Definition of ``State Agency''

    While state agencies were not specifically included in the definition of authorized user at section 105(a)(9) of MACRA, we believe that state agencies would benefit from the ability to purchase or receive non-public analyses from qualified entities. States are important partners with CMS in transforming the health care delivery system, and these analyses would have the potential to help states improve the quality of care and reduce costs. Therefore, the Secretary, in the exercise of her discretion pursuant to 105(a)(9)(A)(vi) of MACRA, proposes to include state agencies within the definition of authorized user and to define it at Sec. 401.703(p) as any office, department, division, bureau, board, commission, agency, institution, or committee within the executive branch of a state government.

    Because there is currently no federal definition of a state agency, we looked to state laws for definitions. While states differ in the definition of state agency, we propose to exclude the judiciary and legislative branches from our proposed definition of state agency under this subpart. We believe that entities within the executive branch of a state government, for example state Medicaid agencies or state public health departments, will have the greatest interest in and need to receive these analyses. We solicit comment on whether we should expand the definition to include other branches of state government or should further limit the definition of state agency to only certain agencies, such as those working to regulate the health and/or insurance industry.

    We invite comments on the proposed definitions for authorized user, medical society, hospital association, healthcare professional association, and state agency.

    1. Annual Report Requirements

  19. Reporting Requirements for Analyses

    Section 105(a)(8) of MACRA expands the information that a qualified entity must report annually to the Secretary if a qualified entity provides or sells non-public analyses. Specifically, it requires the qualified entity to provide a summary of the analyses provided or sold, including information on the number of such analyses, the number of purchasers of such analyses, and the total amount of fees received for such analyses. It also requires the qualified entity to provide a description of the topics and purposes of such analyses. Furthermore, the Secretary may impose other reporting requirements, as appropriate.

    In Sec. 401.719(b)(3), we propose the annual reporting requirements that a qualified entity must perform if it provides or sells non-public analyses under this subpart. Consistent with the statutory requirements, we propose to require that the qualified entity provide a summary of the non-public analyses provided or sold under this subpart, including specific information about the number of analyses, the number of purchasers of such analyses, the types of authorized users that purchased analyses, and the total amount of fees received for such analyses. We also propose to require the qualified entity to provide a description of the topics and purposes of such analyses. In addition, we propose to require a qualified entity to provide information on QE DUA and non-public analyses agreement violations.

  20. Reporting Requirements for Data

    Section 105(a)(8) of MACRA also requires a qualified entity to submit a report annually if it provides or sells data. It specifically requires information on the entities who received data under section 105(a)(2) of MACRA, the uses of the data, and the total amount of fees received for providing, selling, or sharing the data. In addition, the Secretary may require additional information as determined appropriate.

    Therefore, in Sec. 401.719(b)(4), we also propose to require qualified entities that provide or sell data under this subpart to provide the following information as part of its annual report: Information on the entities who received data, the uses of the data, the total amount of fees received for providing, selling, or sharing the data, and any QE DUA violations.

    We do not propose to require any additional information at this time; however, we seek comment on whether any additional information should be collected in the future.

    1. Assessment for a Breach

  21. Violation of a DUA

    Section 105(a)(7) of MACRA requires the Secretary to impose an assessment on a qualified entity in the case of a ``breach'' of a CMS DUA between the Secretary and a qualified entity or a breach of a QE DUA between a qualified entity and an authorized user. Because the term ``breach'' is defined in HIPAA, and this definition is not consistent with the use of the term for this program, we propose instead to adopt the term ``violation'' when referring to a ``breach'' of a DUA for purposes of this program. We anticipate this will reduce the potential for confusion. Therefore in Sec. 401.703(t), we propose to define the term ``violation'' to mean a failure to comply with a requirement in a CMS DUA or QE DUA. We request comments on the proposed definition of violation.

    We also propose at Sec. 401.719(d)(5) to impose an assessment on any qualified entity that violates a CMS DUA or fails to ensure that their authorized users do not violate a QE DUA.

    MACRA provides guidance only on the assessment amount and what triggers an assessment, but it does not dictate the procedures for imposing such assessments. We therefore propose to adopt certain relevant provisions of section 1128A of the Social Security Act (the Act) (Civil Money Penalties) and part 402 (Civil Money Penalties, Assessments, and Exclusions) to specify the process and procedures for calculating the assessment, notifying a qualified entity of a violation, collecting the assessment, and providing qualified entities an appeals process.

  22. Amount of Assessment

    Section 105(a)(7)(B) of MACRA specifies that when a violation occurs, the assessment is to be calculated based on the number of affected individuals who are entitled to, or enrolled in, benefits under part A of title XVIII of the Act, or enrolled in part B of such title. Affected individuals are those whose information, either identifiable or de-identified, was provided to a qualified entity or an authorized user under a DUA. Assessments can be up to $100 per affected individual, but, given the broad discretion in establishing some lesser amount, we looked to part 402 as a model for proposing aggravating and mitigating circumstances that would be considered when calculating the assessment amount per impacted individual. However, violations under section 105(a)(7)(B) of MACRA are considered point-in-time violations, not continuing violations.

    Number of Individuals

    We propose at Sec. 401.719(d)(5)(i) that CMS will calculate the amount of the assessment of up to $100 per individual entitled to, or enrolled in part A of title XVIII of the Act and/or enrolled in part B of such title whose data was implicated in the violation.

    We generally propose to determine the number of potentially affected individuals by looking at the number of beneficiaries whose Medicare claims information was provided either by CMS to the qualified entity or by the qualified entity to the authorized user in the form of individually identifiable or de-identified data sets that were potentially affected by the violation.

    We recognize that, depending on the number and types of datasets requested, a single beneficiary may appear multiple times within a dataset or non-public analysis. We propose that a single beneficiary, regardless of the number of times their information appears in a singular non-public report or dataset, would only count towards the calculation of an assessment for a violation once. We propose to use the unique beneficiary identification number in the Chronic Conditions Warehouse (CCW) to establish the number of beneficiaries that were included in a given dataset that was transferred to the qualified entity, and subsequently re-disclosed in accordance with this subpart. For qualified entities that provide or sell subsets of the dataset that CMS provided to them, combined information, or non-public analyses, we propose to require that the qualified entity provide the Secretary with an accurate number of beneficiaries whose data was sold or provided to the authorized user and, thereby, potentially affected by the violation. In those instances in which the qualified entity is unable to establish a reliable number of potentially affected beneficiaries, we propose to impose the assessment based on the total number of beneficiaries that were included in the data set(s) that was/were transferred to the qualified entity under that DUA.

    Assessment Amount per Impacted Individual

    MACRA allows an assessment in the amount of up to $100 per potentially affected individual. We therefore propose to draw on factors established in 42 CFR part 402 to specify the factors and circumstances that will be considered in determining the assessment amount per potentially affected individual.

    We propose at Sec. 401.719(d)(5)(i)(A) that the following basic factors be considered in establishing the assessment amount per potentially affected individual: (1) The nature and extent of the violation; (2) the nature and extent of the harm or potential harm resulting from the violation; and (3) the degree of culpability and history of prior violations.

    In addition, in considering these basic factors and determining the amount of the assessment per potentially affected individual, we propose to take into account certain aggravating and mitigating circumstances.

    We propose at Sec. 401.719(d)(5)(i)(B)(1) that CMS consider certain aggravating circumstances in determining the amount per potentially affected individual, including the following: Whether there were several types of violations, occurring over a lengthy period of time; whether there were many violations or the nature and circumstances indicate a pattern of violations; and whether the nature of the violation had the potential or actually resulted in harm to beneficiaries.

    In addition, we propose at Sec. 401.719(d)(5)(i)(B)(2) that CMS take into account certain mitigating circumstances in determining the amount per potentially affected individual, including the following: Whether all of the violations subject to the imposition of an assessment were few in number, of the same type, and occurring within a short period of time, and/or whether the violation was the result of an unintentional and unrecognized error and the qualified entity took corrective steps immediately after discovering the error.

    We request comment on the proposed method for calculating the number of individuals. In addition, we request comments on whether the proposed factors for determining the amount of the assessment per potentially affected individual are sufficient, or whether additional factors should be considered. We also request comment on the proposed basic, aggravating, and mitigating factors.

  23. Notice of Determination

    We looked to the relevant provisions in 42 CFR part 402 and Section 1128A of the Act to frame proposals regarding the specific elements that would be included in the notice of determination. To that end, we propose at Sec. 401.719(d)(5)(ii) that the Secretary would provide notice of a determination to a qualified entity by certified mail with return receipt requested. The notice of determination would include information on (1) the assessment amount, (2) the statutory and regulatory bases for the assessment, (3) a description of the violations upon which the assessment was proposed, (4) information concerning response to the notice, and (5) the means by which the qualified entity must pay the assessment if they do not intend to request a hearing in accordance with procedures established at Section 1128A of the Act and implemented in 42 CFR part 1005.

    We believe this information will provide a qualified entity with sufficient information to understand why an assessment was imposed and how the amount of the assessment was calculated. We seek comment regarding these proposals, including whether any additional information should be provided in the notice of determination.

  24. Failure To Request a Hearing

    We also looked to the relevant provisions in 42 CFR part 402 and section 1128A of the Act to inform our proposals regarding what happens when a hearing is not requested.

    We propose at Sec. 401.719(d)(5)(iii) that an assessment will become final if a qualified entity does not request a hearing within 60 days of receipt of the notice of the proposed determination. At this point, CMS would impose the proposed assessment. CMS would notify the qualified entity, by certified mail with return receipt, of the assessment and the means by which the qualified entity may pay the assessment. Under these proposals a qualified entity would not have the right to appeal an assessment unless it has requested a hearing within 60 days of receipt of the notice of the proposed determination.

  25. When an Assessment Is Collectible

    We again looked to the relevant provisions in 42 CFR part 402 and section 1128A of the Act to inform our proposed policies regarding when an assessment becomes collectible.

    We propose at Sec. 401.719(d)(5)(iv) that an assessment becomes collectible after the earliest of the following situations: (1) On the 61st day after the qualified entity receives CMS's notice of proposed determination under Sec. 401.719(d)(5)(ii), if the entity does not request a hearing; (2) immediately after the qualified entity abandons or waives its appeal right at any administrative level; (3) 30 days after the qualified entity receives the Administrative Law Judge's (ALJ) decision imposing an assessment under Sec. 1005.20(d), if the qualified entity has not requested a review before the Department Appeal Board (DAB); or (4) 60 days after the qualified entity receives the DAB's decision imposing an assessment if the qualified entity has not requested a stay of the decision under Sec. 1005.22(b).

  26. Collection of an Assessment

    We also looked to the relevant provisions in 42 CFR part 402 and section 1128A of the Act in framing our proposals regarding the collection of an Assessment.

    We propose at Sec. 401.719(d)(5)(v) that CMS be responsible for collecting any assessment once a determination is made final by HHS. In addition, we propose that the General Counsel may compromise an assessment imposed under this part, after consulting with CMS or Office of Inspector General (OIG), and the Federal government may recover the assessment in a civil action brought in the United States district court for the district where the claim was presented or where the qualified entity resides. We also propose that the United States may deduct the amount of an assessment when finally determined, or the amount agreed upon in compromise, from any sum then or later owing the qualified entity. Finally, we propose that matters that were raised or that could have been raised in a hearing before an ALJ or in an appeal under section 1128A(e) of the Act may not be raised as a defense in a civil action by the United States to collect an assessment.

    We seek comments on these proposals.

    1. Termination of Qualified Entity Agreement

      We propose at Sec. 401.721(a)(7) that CMS may unilaterally terminate the qualified entity's agreement and trigger the data destruction requirements in the CMS DUA if CMS determines that a qualified entity or its contractor fails to monitor authorized users' compliance with the terms of their QE DUAs or non-public analysis use agreements. We believe this proposed provision is consistent with the intent of MACRA to ensure the protection of data and analyses provided by qualified entities to authorized users under this subpart. We request comments on this proposed provision.

    2. Additional Data

      Section 105(c) of MACRA expands, at the discretion of the Secretary, the data that the Secretary may make available to qualified entities, including standardized extracts of claims data under titles XIX (Medicaid) and XXI (the Children's Health Insurance Program, CHIP) for one or more specified geographic areas and time periods as may be requested by the qualified entity. Currently, CMS is only required to provide qualified entities with standardized extracts of claims data from Medicare Parts A, B, and D. While CMS has data for Medicare and Medicaid/CHIP, the timeliness and quality of data differs significantly between the programs.

      Medicare is a national program that is administered by CMS and, as a result, the claims data are available on a relatively timely basis, and guidelines about claims submission and data cleaning are consistent across the entire program. Medicaid and CHIP, however, are state-run programs where the states submit data to CMS. Each state's Medicaid agency collects enrollment and claims data for persons enrolled in Medicaid and CHIP. These data are collected in the state's Medicaid Management Information System (MMIS). Each state's MMIS is tailored to the needs of that state's Medicaid program. In partnership with the states, the federal government does manage aspects of the Medicaid program, and works with the various Medicaid State Agencies to monitor health care delivery and payment on a national level. To aid in that work the data in the MMIS are converted into a national standard and submitted to CMS via the Medicaid and CHIP Statistical Information System (MSIS). But the MSIS data (enrollment and claims data) are only reported to CMS on a quarterly basis, and the MSIS data can be challenging to use due to the data representing a mixture of time periods.

      Given the difficulties in using the MSIS data, the timeliness issues with our Medicaid data, and the variation of time periods reflected in our data, we believe that qualified entities would be better off seeking Medicaid and/or CHIP data through the State Medicaid Agencies. As a result, we propose not to expand the data available to qualified entities from CMS.

    3. Qualified Clinical Data Registries

      Section 105(b) of MACRA allows qualified clinical data registries to request access to Medicare data for the purposes of linking the data with clinical outcomes data and performing risk-adjusted, scientifically valid analyses, and research to support quality improvement or patient safety. The CMS research data disclosure policies already allow qualified clinical data registries to request Medicare data for these purposes, as well as other types of research. More information on accessing CMS data for research can be found on the Research Data Assistance Center (ResDAC) Web site at www.resdac.org. Given these existing processes and procedures, we propose not to adopt any new policies or procedures regarding qualified clinical data registries' access to Medicare claims data for quality improvement or patient safety research.

      1. Collection of Information Requirements

        Under the Paperwork Reduction Act of 1995, we are required to provide 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995 requires that we solicit comment on the following issues:

        The need for the information collection and its usefulness in carrying out the proper functions of our agency.

        The accuracy of our estimate of the information collection burden.

        The quality, utility, and clarity of the information to be collected.

        Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

        We are soliciting public comment on each of these issues for the following sections of this proposed rule that contain information collection requirements (ICRs).

        Proposed Sec. 401.718(c) and Sec. 401.716(b)(2)(ii) require a qualified entity to enter into a QE DUA with an authorized user prior to providing or selling data or selling a non-public analysis that contains individually identifiable beneficiary information. Proposed Sec. 401.713(d) requires specific provisions in the QE DUA. Proposed Sec. 401.716(c) requires a qualified entity to enter into a non-public analyses agreement with the authorized user as a pre-condition to providing or selling de-identified analyses. We estimate that it will take each qualified entity a total of 40 hours to develop the QE DUA and non-public analyses agreement. Of the 40 hours, we estimate it will take a professional/technical services employee with an hourly labor cost of $75.08 a total of 20 hours to develop both the QE DUA and non-public analyses agreement and estimate that it will require a total of 20 hours of legal review at an hourly labor cost of $77.16 for both the QE DUA and non-public analyses agreement. We also estimate that it will take each qualified entity 2 hours to process and maintain each QE DUA or non-public analyses agreement with an authorized user by a professional/technical service employee with an hourly labor cost of $75.08. While there may be two different staff positions that perform these duties (one that is responsible for processing the QE DUAs and/or non-public analyses agreement and one that is responsible for maintaining the QE DUA and/or non-public analyses agreement), we believe that both positions would fall under the professional/technical services employee labor category with an hourly labor cost of $75.08. This would mean that to develop each QE DUA and non-public analysis agreement, the burden cost per qualified entity would be $3,045 with a total estimated burden for all 15 qualified entities of $45,675. This does not include the two hours to process and maintain each QE DUA.

        As discussed in the regulatory impact analysis below, we estimate that each qualified entity would need to process and maintain 70 QE DUAs or non-public analyses agreements as some authorized users may receive both datasets and a non-public analysis and would only need to execute one QE DUA. We estimate that it will take each qualified entity 2 hours to process and maintain each QE DUA or non-public analyses agreement. This would mean the burden cost per qualified entity to process and maintain 70 QE DUAs or non-public analyses agreements would be $10,511 with a total estimated burden for all 15 qualified entities of $157,668. While we anticipate that the requirement to create a QE DUA and/or non-public analyses agreement will only be incurred once by a qualified entity, we believe that the requirement to process and maintain the QE DUAs and/or non-public analyses will be an ongoing cost. We request comment on the number of hours that will be needed to create and process the QE DUA and non-public analyses agreement.

        If finalized, these regulations would also require a qualified entity to submit additional information as part of its annual report to CMS. A qualified entity is currently required to submit an annual report to CMS under Sec. 401.719(b). Proposed Sec. 401.719(b)(3) and (4) provide for additional reporting requirements if a qualified entity chooses to provide or sell analyses and/or data to authorized users. The burden associated with this requirement is the time and effort necessary to gather, process, and submit the required information to CMS. There are currently 13 qualified entities; however we estimate that number will increase to 20 if these proposals are finalized. Some qualified entities may not want to bear the risk of the potential assessments and have been able to accomplish their program goals under other CMS data sharing programs, therefore some qualified entities may not elect to provide or sell analyses and/or data to authorized users. As a result, we estimate that 15 qualified entities will choose to provide or sell analyses and/or data to authorized users, and therefore, would be required to comply with these additional reporting requirements within the first three years of the program. We further estimate that it would take each qualified entity 50 hours to gather, process, and submit the required information. We estimate that it will take each qualified entity 34 hours to gather the required information, 15 hours to process the information, and 1 hour to submit the information to CMS. We believe a professional or technical services employee of the qualified entity with an hourly labor cost of $75.08 will fulfill these additional annual report requirements. We estimate that 15 qualified entities will need to comply with this requirement and that the total estimated burden associated with this requirement is $56,310. We request comment on the type of employee and the number of hours that will be needed to fulfill these additional annual reporting requirements.

        As a reminder, the final rule for the qualified entity program, published December 7, 2011, included information about the burden associated with the provisions in that rule. Specifically, Sections 401.705-401.709 provide the application and reapplication requirements for qualified entities. The burden associated with these requirements is currently approved under OMB control number 0938-1144 with an expiration date of May 31, 2018. This package accounts for 35 responses. Section 401.713(a) states that as part of the application review and approval process, a qualified entity would be required to execute a DUA with CMS, that among other things, reaffirms the statutory bar on the use of Medicare data for purposes other than those referenced above. The burden associated with executing this DUA is currently approved under OMB control number 0938-0734 with an expiration date of December 31, 2017. This package accounts for 9,240 responses (this package covers all CMS DUAs, not only DUAs under the qualified entity program). We currently have 13 qualified entities and estimate it will increase to 20 so we have not surpassed the previously approved numbers.

        We based the hourly labor costs on those reported by the Bureau of Labor Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce for this labor category. We used the annual rate for 2014 and added 100 percent for overhead and fringe benefit costs.

        Table 1--Collection of Information

        --------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   Number of    Number of      Burden per  Total annual  Hourly labor     Total labor     Total cost
        Regulation section(s)                     OMB control No.  respondents  responses per  response    burden        cost of          cost of         ($)
                                                                                respondent     (hours)     (hours)       reporting ($) *  reporting ($)
        --------------------------------------------------------------------------------------------------------------------------------------------------------
        Sec. 401.718, Sec. 401.716, and Sec.      0938--New        15           1              20          300           75.08            22,524          22,524
          401.713 (DUA and non-public analyses
          agreement Development)
        Sec. 401.718 and Sec. 401.716 (Legal      0938--New        15           1              20          300           77.16            23,148          23,148
          Review)
        Sec. 401.718 and Sec. 401.716             0938--New        15           70             2           2,100         75.08            157,668         157,668
          (Processing and Maintenance)
        Sec. 401.719(b)                           0938--New        15           1              50          750           75.08            56,310          56,310
        --------------------------------------------------------------------------------------------------------------------------------------------------------
        Total                                                      15           73                         3,450                                          259,650
        --------------------------------------------------------------------------------------------------------------------------------------------------------

        * The values listed are based on 100 percent overhead and fringe benefit calculations.

        Note: There are no capital/maintenance costs associated with the information collection requirements contained in this rule; therefore, we have removed the associated column from Table 1.

        If you comment on these information collection and recordkeeping requirements, please submit your comments electronically as specified in the ADDRESSES section of this proposed rule.

        Comments must be received on/by April 4, 2016.

      2. Response to Comments

        Because of the large number of public comments we normally receive on Federal Register documents, we are not able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in the DATES section of this preamble, and, when we proceed with a subsequent document, we will respond to the comments in the preamble to that document.

      3. Regulatory Impact Statement

        In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget.

    4. Overall Impact

      We have examined the impacts of this rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), the Regulatory Flexibility Act (RFA) (September 19, 1980, 96), section 1102(b) of the Act, section 202 of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C. 804(2)). Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). For the reasons discussed below, we estimate that the total impact of this proposed rule would be less than $58 million and therefore, it would not reach the threshold for economically significant effects and is not considered a major rule.

      The RFA requires agencies to analyze options for regulatory relief of small businesses, if a rule has a significant impact on a substantial number of small entities. For purposes of the RFA, we estimate that most hospitals and most other providers are small entities as that term is used in the RFA (including small businesses, nonprofit organizations, and small governmental jurisdictions). However, since the total estimated impact of this rule is less than $100 million, and the total estimated impact would be spread over 82,500 providers and suppliers (who are the subject of reports), no one entity would face significant impact. Of the 82,500 providers, we estimate that 78,605 would be physician offices that have average annual receipts of $11 million and 4,125 would be hospitals that have average annual receipts of $38.5 million. As discussed below, the estimated cost per provider is $8,426 (see table 5 below) and the estimated cost per hospital is $6,523 (see table 5 below). For both types of entities, these costs would be a very small percentage of overall receipts. Thus, we are not preparing an analysis of options for regulatory relief of small businesses because we have determined that this rule would not have a significant economic impact on a substantial number of small entities.

      For section 105(a) of MACRA, we estimate that two types of entities may be affected by the additional program opportunities: Qualified entities that choose to provide or sell non-public analyses or data to authorized users; and providers and suppliers who are identified in the non-public analyses created by qualified entities and provided or sold to authorized users.

      We anticipate that most providers and suppliers that may be identified in qualified entities' non-public analyses would be hospitals and physicians. Many hospitals and most other health care providers and suppliers are small entities, either by being nonprofit organizations or by meeting the Small Business Administration definition of a small business (having revenues of less than $38.5 million in any 1 year) (for details see the Small Business Administration's Web site at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf (refer to the 620000 series)). For purposes of the RFA, physicians are considered small businesses if they generate revenues of $11 million or less based on Small Business Administration size standards. Approximately 95 percent of physicians are considered to be small entities.

      The analysis and discussion provided in this section and elsewhere in this proposed rule complies with the RFA requirements. Because we acknowledge that many of the affected entities are small entities, the analysis discussed throughout the preamble of this proposed rule constitutes our regulatory flexibility analysis for the remaining provisions and addresses comments received on these issues.

      In addition, section 1102(b) of the Act requires us to prepare a regulatory impact analysis, if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. Any such regulatory impact analysis must conform to the provisions of section 603 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a metropolitan statistical area and has fewer than 100 beds. We do not believe this proposed rule would have a significant impact on the operations of a substantial number of small rural hospitals because we anticipate that most qualified entities would focus their performance evaluation efforts on metropolitan areas where the majority of health services are provided. As a result, this rule would not have a significant impact on small rural hospitals. Therefore, the Secretary has determined that this proposed rule would not have a significant impact on the operations of a substantial number of small rural hospitals.

      Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of $100 million in 1995 dollars, updated annually for inflation. In 2015, that threshold is approximately $144 million. This proposed rule will not impose spending costs on state, local, or tribal governments in the aggregate, or by the private sector, of $144 million or more. Specifically, as explained below we anticipate the total impact of this rule on all parties to be approximately $58 million.

      Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. We have examined this proposed rule in accordance with Executive Order 13132 and have determined that this regulation would not have any substantial direct effect on State or local governments, preempt States, or otherwise have a Federalism implication.

    5. Anticipated Effects

  27. Impact on Qualified Entities

    Because section 105(a) of MACRA allows qualified entities to use the data in new ways to provide or sell non-public analyses or data to authorized users, there is little quantitative information to inform our estimates on the number of analyses and datasets that a qualified entity may provide or sell or on the costs associated with the creation of the non-public analyses or datasets. Therefore, we look to the estimates from the original qualified entity rules to estimate the number of hours that it may take to create non-public analyses and to process provider appeals and revisions. We also looked to the Centers for Medicare & Medicaid Services' cost of providing data to qualified entities since qualified entities' data fees are equal to the government's cost to make the data available.

    There are currently 13 qualified entities and these qualified entities all are in different stages of the qualified entity program. For example, some qualified entities have released public reports and some qualified entities are still completing the security requirements in order to receive CMS data. Given the requirements in the different phases and the current status of the qualified entities, we estimate that 11 qualified entities will be able to provide or sell analyses and/or data to authorized users within the first year of the program, and therefore, would be incurring extra costs. As discussed above, we believe the total number of qualified entities will ultimately grow to 20 in subsequent years, with 15 entities providing or selling analyses and/or data to authorized users. In estimating qualified entity impacts, we used hourly labor costs in several labor categories reported by the Bureau of Labor Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual rates for 2014 and added 100 percent for overhead and fringe benefit costs. These rates are displayed in Table 2.

    Table 2--Labor Rates for Qualified Entity Impact Estimates
    ------------------------------------------------------------------------------------------
                                            2014 hourly wage  OH and fringe     Total hourly
                                            rate (BLS)        (100%)            costs
    ------------------------------------------------------------------------------------------
    Professional and technical services     $37.54            $37.54            $75.08
    Legal review                            38.58             38.58             77.16
    Custom computer programming             43.05             43.05             86.10
    Data processing and hosting             34.02             34.02             68.04
    Other information services              39.72             39.72             79.44
    ------------------------------------------------------------------------------------------

    We estimate that within the first year 11 qualified entities will provide or sell on average 55 non-public analyses or provide or sell 35 datasets. We do not believe the number of datasets and non-public analyses per qualified entity will change in future years of the program. We seek comment on the number of non-public analyses or datasets that a qualified entity will create and provide or sell within the first year and future years.

    In the original proposed rule for the qualified entity program (76 FR 33566), we estimated that each qualified entity's activities to analyze the Medicare claims data, calculate performance measures and produce public provider performance reports would require 5,500 hours of effort per qualified entity. We anticipate under this proposed rule that implements section 105(a) of MACRA that qualified entities will base the non-public analyses on their public performance reports. Therefore, the creation of the non-public analyses will require much less effort and only require a fraction of the time it takes to produce the public reports. We estimate that a qualified entity's activities for each non-public analysis to analyze the Medicare claims data, calculate performance measures, and produce the report would require 320 hours, between five and six percent of the time to produce the public reports. We anticipate that half of this time will be spent on data analysis, measure calculation, and report creation and the other half on data processing. We request comment on the level of effort to create the non-public analyses.

    We anticipate that within the first year of the program a qualified entity will, on average, provide one-year datasets containing all data types for a cohort of 750,000 to 1.75 million beneficiaries to 35 authorized users. We estimate that it will require 226 hours to create each dataset that will be provided to an authorized user. We looked to the Centers for Medicare & Medicaid Services' data costs and time to estimate a qualified entity's costs and time to create datasets. While the majority of the time will be devoted to computer processing, we anticipate about 100 hours will be spent on computer programming, particularly if the qualified entity is de-identifying the data. We seek comment on the level of effort required to create each dataset and the number of authorized users that will obtain or purchase data from a qualified entity.

    We further estimate that, on average, each qualified entity would expend 7,500 hours of effort processing providers' and suppliers' appeals of their performance reports and producing revised reports, including legal review of the appeals and revised reports. These estimates assume that, as discussed below in the section on provider and supplier impacts, on average 25 percent of providers and suppliers would appeal their results from a qualified entity. Responding to these appeals in an appropriate manner would require a significant investment of time on the part of qualified entities. This equates to an average of four hours per appeal for each qualified entity. These estimates are similar to those in the Qualified Entities final rule. We assume that the complexity of appeals would vary greatly, and as such, the time required to address them would also vary greatly. Many appeals may be able to be dealt with in an hour or less while some appeals may require multiple meetings between the qualified entity and the affected provider or supplier. On average, however, we believe that this is a reasonable estimate of the burden of the appeals process on qualified entities. We discuss the burden of the appeals process on providers and suppliers below.

    We estimate that each qualified entity would spend 40 hours creating a non-public analyses agreement template and a QE DUA. We also estimate that it would take a qualified entity 2 hours to process a QE DUA or non-public analyses agreement.

    Finally, we estimate that each qualified entity would spend 50 hours on the additional annual reporting requirements.

    Qualified entities would be required to notify CMS of inappropriate disclosures or use of beneficiary identifiable data pursuant to the requirements in the CMS DUA. We believe that the report generated in response to an inappropriate disclosure or use of beneficiary identifiable data would be generated as a matter of course by the qualified entities and therefore, would not require significant additional effort. Based on the assumptions we have described, we estimate the total impact on qualified entities for the first year of the program to be a cost of $27,925,198.

    Table 3--Impact on Qualified Entities for the First Year of the Program
    -------------------------------------------------------------------------------------------------------------------------------------------------
                                              -------------------- Hours -------------------
    Activity                                  Professional  Legal   Computer     Data         Labor    Cost per    Number of   Number of  Total cost
                                              and technical         programming  processing   hourly   authorized  authorized  qualified  impact
                                                                                 and hosting  cost     user        users       entities
    -------------------------------------------------------------------------------------------------------------------------------------------------
    Dissemination of Data:
      Data processing & hosting               ...           ...     ...          126          $68.04   $8,573      35          11         $3,300,620
      Computer programming                    ...           ...     100          ...          86.10    8,610       35          11         3,314,850
      Total: Dissemination of Data            ...           ...     ...          ...          ...      ...         ...         ...        6,615,470
    Non-Public Analyses:
      Data analysis/measure calculation/
        report preparation                    ...           ...     160          ...          86.10    13,776      55          11         8,334,480
      Data Processing and hosting             ...           ...     ...          160          68.04    10,886      55          11         6,586,272
      Total Non-public Analyses               ...           ...     ...          ...          ...      ...         ...         ...        14,920,752
    Qualified entity processing of provider
      appeals and report revision             5,500         ...     ...          ...          75.08    412,940     ...         11         4,542,340
    Qualified entity legal analysis of
      provider appeals and report revisions   ...           2,000   ...          ...          77.16    154,320     ...         11         1,697,520
    Total qualified entity processing of
      provider appeals and report revision    ...           ...     ...          ...          ...      ...         ...         ...        6,239,860
    QE DUA and Non-public analyses:
      Development of the QE DUA and
        non-public analyses agreement         20            ...     ...          ...          75.08    1,502       ...         11         16,518
      Legal review of the QE DUA and
        non-public analyses agreement         ...           20      ...          ...          77.16    1,543       ...         11         16,975
      Processing QE DUA and non-public
        analyses agreement                    2             ...     ...          ...          75.08    150         70          11         115,623
      Total QE DUA and non-public analyses
        agreements                            ...           ...     ...          ...          ...      ...         ...         ...        149,116
    Additional Annual Report Requirements     50            ...     ...          ...          75.08    3,754       ...         11         41,294
    -------------------------------------------------------------------------------------------------------------------------------------------------
    Total qualified entity Impacts            ...           ...     ...          ...          ...      ...         ...         ...        27,966,492
    -------------------------------------------------------------------------------------------------------------------------------------------------

  28. Impact on Health Care Providers and Suppliers

    We note that numerous health care payers, community quality collaboratives, States, and other organizations are producing performance measures for health care providers and suppliers using data from other sources, and that providers and suppliers are already receiving performance reports from these sources. We anticipate that the review of non-public analyses would merely be added to those existing efforts to improve the statistical validity of the measure findings. However, we invite comments on the impact of this new voluntary program.

    Table 4 reflects the hourly labor rates used in our estimate of the impacts of the first year of section 105(a) of MACRA on health care providers and suppliers.

    Table 4--Labor Rates for Provider and Supplier Impact Estimates
    ------------------------------------------------------------------------------------------
                                            2014 hourly wage  Overhead and fringe  Total hourly
                                            rate (BLS)        benefits (100%)      costs
    ------------------------------------------------------------------------------------------
    Physicians' offices                     $38.27            $38.27               $76.54
    Hospitals                               29.65             29.65                59.30
    ------------------------------------------------------------------------------------------

    We anticipate that the impacts on providers and suppliers consist of costs to review the performance reports generated by qualified entities and, if they choose, appeal the performance calculations. We believe, on average, each qualified entity would produce non-public analyses that in total include information on 7,500 health providers and suppliers. This is based on estimates in the qualified entity final rule, but also includes an increase of 50 percent because we believe that more providers and suppliers will be included in the non-public analyses. We anticipate that the largest proportion of providers and suppliers would be physicians because they comprise the largest group of providers and suppliers, and are a primary focus of many recent performance evaluation efforts. We also believe that many providers and suppliers will be the recipients of the non-public analyses in order to support their own performance improvement activities, and therefore, there would be no requirement for a correction or appeals process. As discussed above, there is no requirement for a corrections or appeals process where the analysis only individually identifies the (singular) provider or supplier who is being provided or sold the analysis.

    Based on our review of information from existing programs, we assume that 95 percent of the recipients of performance reports (that is, an average of 7,125 per qualified entity) would be physicians, and 5 percent (that is, an average of 375 per qualified entity) would be hospitals and other suppliers. Providers and suppliers receive these reports with no obligation to review them, but we assume that most would do so to verify that their calculated performance measures reflect their actual patients and health events. Because these non-public analyses will be based on the same underlying data as the public performance reports, we estimate that it would take less time for providers or suppliers to review these analyses and generate an appeal. We estimate that, on average, each provider or supplier would devote three hours to reviewing these analyses. We also estimate that 25 percent of the providers and suppliers would decide to appeal their performance calculations, and that preparing the appeal would involve an average of seven hours of effort on the part of a provider or supplier. As with our assumptions regarding the level of effort required by qualified entities in operating the appeals process, we believe that this average covers a range of provider efforts from providers who would need just one or two hours to clarify any questions or concerns regarding their performance reports to providers who would devote significant time and resources to the appeals process.

    Using the hourly costs displayed in Table 4, the impacts on providers and suppliers are calculated below in Table 5. Based on the assumptions we have described, we estimate the total impact on providers for the first year of the program to be a cost of $29,690,386.

    As stated above in Table 3, we estimate the total impact on qualified entities to be a cost of $27,966,492. Therefore, the total impact on qualified entities and on providers and suppliers for the first year of the program is estimated to be $57,656,878.

    Table 5--Impact on Providers and Suppliers for the First Year of the Program
    -----------------------------------------------------------------------------------------------------------------------------
                                              -- Hours per provider --
    Activity                                  Physician   Hospitals   Labor    Cost per  Number of       Number of  Total cost
                                              offices                 hourly   provider  providers per   qualified  impact
                                                                      cost               qualified       entities
                                                                                         entity
    -----------------------------------------------------------------------------------------------------------------------------
    Physician office review of performance
      reports                                 3           ...         76.54    $230      7,125           11         $18,026,250
    Hospital review of performance reports    ...         3           59.30    178       375             11         734,250
    Physician office preparing and submitting
      appeal requests to qualified entities   7           ...         76.54    536       1,781           11         10,500,776
    Hospital preparing and submitting appeal
      requests to qualified entities          ...         7           59.30    415       94              11         429,110
    -----------------------------------------------------------------------------------------------------------------------------
    Total Impact on Providers and Suppliers   ...         ...         ...      ...       ...             ...        29,690,386
    -----------------------------------------------------------------------------------------------------------------------------

    1. Alternatives Considered

      The statutory provisions added by section 105(a) of MACRA are detailed and prescriptive about the permissible uses of the data under the Qualified Entity Program. We believe there are limited approaches that would ensure statutory compliance. We considered proposing less prescriptive requirements on the provisions that would need to be included in the agreements between qualified entities and authorized users that received or purchased analyses or data. For example, we could have required less strenuous data privacy and security protections such as not setting a minimum standard for protection of beneficiary identifiable data or non-public analyses. In addition, we could have reduced additional restrictions on re-disclosure or permitted data or analyses to be re-disclosed to additional downstream users. While these approaches might reduce costs for qualified entities, we did not adopt such an approach because of the importance of protecting beneficiary data. We believe if we do not require qualified entities to provide sufficient evidence of data privacy and security protection capabilities, there would be increased risks related to the protection of beneficiary identifiable data.

    2. Conclusion

      As explained above, we estimate the total impact for the first year of the program on qualified entities and providers to be a cost of $57,656,878. While we anticipate the number of qualified entities to increase slightly, we do not anticipate significant growth in the qualified entity program given the qualified entity program requirements, as well as other existing programs that allow entities to obtain Medicare data. Based on these estimates, we conclude this proposed rule does not reach the threshold for economically significant effects and thus is not considered a major rule.

      In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget.

      List of Subjects in 42 CFR Part 401

      Claims, Freedom of information, Health facilities, Medicare, Privacy.

      For the reasons set forth in the preamble, the Centers for Medicare & Medicaid Services proposes to amend 42 CFR part 401 as set forth below:

      PART 401--GENERAL ADMINISTRATIVE REQUIREMENTS

  29. The authority citation for part 401 is revised to read as follows:

    Authority: Secs. 1102, 1871, and 1874(e) of the Social Security Act (42 U.S.C. 1302, 1395hh, and 1395w-5) and section 105 of the Medicare Access and CHIP Reauthorization Act of 2015 (Pub. L. 114-10).

  30. Section 401.703 is amended by adding paragraphs (j) through (u) to read as follows:

    Sec. 401.703 Definitions.

    * * * * *

    (j) Authorized user is a third party (meaning not the qualified entity or its contractors) to whom/which the qualified entity provides or sells data as permitted under this subpart. Authorized users are limited to the following entities:

    (1) A provider.

    (2) A supplier.

    (3) A medical society.

    (4) A hospital association.

    (5) An employer.

    (6) A health insurance issuer.

    (7) A healthcare provider and/or supplier association.

    (8) A state agency.

    (k) Employer has the same meaning as the term ``employer'' as defined in section 3(5) of the Employee Retirement Insurance Security Act of 1974.

    (l) Health insurance issuer has the same meaning as the term ``health insurance issuer'' as defined in section 2791 of the Public Health Service Act.

    (m) Medical society means a nonprofit organization or association that provides unified representation and advocacy for physicians at the national or state level and whose membership is comprised of a majority of physicians.

    (n) Hospital association means a nonprofit organization or association that provides unified representation and advocacy for hospitals or health systems at a national or state level and whose membership is comprised of a majority of hospitals and health systems.

    (o) Healthcare Provider and/or Supplier Association means a nonprofit organization or association that provides unified representation and advocacy for providers and suppliers at the national or state level and whose membership is comprised of a majority of suppliers or providers.

    (p) State Agency means any office, department, division, bureau, board, commission, agency, institution, or committee within the executive branch of a state government.

    (q) Combined data means a set of CMS claims data provided under subpart G combined with claims data, or a subset of claims data from at least one of the other claims data sources described in Sec. 401.707(d).

    (r) Patient means an individual who has visited the provider or supplier for a face-to-face or telehealth appointment at least once in the past 12 months.

    (s) Marketing means the same as the term ``marketing'' at 45 CFR 164.501 without the exception to the bar for ``consent'' based marketing.

    (t) Violation means a failure to comply with a requirement of a CMS DUA or QE DUA.

    (u) Required by law means the same as the phrase ``required by law'' at 45 CFR 164.103.

  31. Section 401.713 is amended by revising paragraph (a) and adding paragraph (d) to read as follows:

    Sec. 401.713 Ensuring the privacy and security of data.

    (a) Data Use Agreement between CMS and a qualified entity. A qualified entity must comply with the data requirements in its data use agreement with CMS (hereinafter the CMS DUA). Contractors of qualified entities that are anticipated to have access to the Medicare claims data or beneficiary identifiable data in the context of this program are also required to execute and comply with the CMS DUA. The CMS DUA will require the qualified entity to maintain privacy and security protocols throughout the duration of the agreement with CMS, and will ban the use or disclosure of CMS data or any derivative data for purposes other than those set out in this subpart. The CMS DUA will also prohibit the use of unsecured telecommunications to transmit such data, and will specify the circumstances under which such data must be stored and may be transmitted.

    * * * * *

    (d) Data Use Agreement between a qualified entity and an authorized user. In addition to meeting the other requirements of this subpart, and as a pre-condition of selling or disclosing any combined data or any Medicare claims data (or any beneficiary-identifiable derivative data of either kind) and as a pre-condition of selling or disclosing non-public analyses that include individually identifiable beneficiary data, the qualified entity must enter a DUA (hereinafter the QE DUA) with the authorized user. Among other things laid out in this subpart, such QE DUA must contractually bind the authorized user to the following:

    (1)(i) The authorized user may be permitted to use such data and non-public analyses in a manner that a HIPAA Covered Entity could do under the following provisions:

    (A) Activities falling under the first paragraph of the definition of ``health care operations'' under 45 CFR 164.501: Quality improvement activities, including care coordination activities and efforts to track and manage medical costs.

    (B) Activities falling under the second paragraph of the definition of ``health care operations'' under 45 CFR 164.501: Population-based activities such as those aimed at improving patient safety, quality of care, or population health, including the development of new models of care, the development of means to expand coverage and improve access to healthcare, the development of means of reducing health care disparities, and the development or improvement of methods of payment or coverage policies.

    (C) Activities that qualify as ``fraud and abuse detection or compliance activities'' under 45 CFR 164.506(c)(4)(ii).

    (ii) All other uses and disclosures of such data and/or such non-public analyses must be forbidden except to the extent a disclosure qualifies as a ``required by law'' disclosure.

    (2) The authorized user is prohibited from using or disclosing the data or non-public analyses for marketing purposes as defined at Sec. 401.703(s).

    (3) The authorized user is required to ensure adequate privacy and security protection for such data and non-public analyses. At a minimum, regardless of whether the authorized user is a HIPAA covered entity, such protections of beneficiary identifiable data must be at least as protective as what is required of covered entities regarding protected health information (PHI) under the HIPAA Privacy and Security Rules. In all cases, these requirements must be imposed for the life of such beneficiary identifiable data or non-public analyses and/or any derivative data, that is until all copies of such data or non-public analyses are returned or destroyed. Such duties must be written in such a manner as to survive termination of the QE DUA, whether for cause or not.

    (4) Except as provided for in paragraph (d)(5) of this section, the authorized user must be prohibited from re-disclosing or making public any such data or non-public analyses.

    (5)(i) At the qualified entity's discretion, it may permit an authorized user that is a provider as defined in Sec. 401.703(b) or a supplier as defined in Sec. 401.703(c), to re-disclose such data and non-public analyses as a covered entity would be permitted to disclose PHI under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).

    (ii) All other uses and disclosures of such data and/or such non-public analyses is forbidden except to the extent a disclosure qualifies as a ``required by law'' disclosure.

    (6) Authorized users who/that receive the beneficiary de-identified combined data or Medicare data as contemplated under Sec. 401.718 are contractually prohibited from linking the beneficiary de-identified data to any other identifiable source of information, and must be contractually barred from attempting any other means of re-identifying any individual whose data is included in such data.

    (7) The QE DUA must bind authorized user(s) to notifying the qualified entity of any violations of the QE DUA, and it must require the full cooperation of the authorized user in the qualified entity's efforts to mitigate any harm that may result from such violations, or to comply with the breach provisions governing qualified entities under this subpart.

  32. Section 401.716 is added to read as follows:

    Sec. 401.716 Non-public analyses.

    (a) General. So long as it meets the other requirements of this subpart, and subject to the limits in paragraphs (b) and (c) of this section, the qualified entity may use the combined data to create non-public analyses in addition to performance measures.

    (b) Limitations on a qualified entity. In addition to meeting the other requirements of this subpart, a qualified entity must comply with the following limitations as a pre-condition of dissemination or selling non-public analyses to an authorized user:

    (1) A qualified entity may only provide or sell a non-public analysis to a health insurance issuer as defined in Sec. 401.703(l), after the health insurance issuer has provided the qualified entity with claims data that represents a majority of the health insurance issuer's covered lives for the time period and geographic region covered by the issuer-requested non-public analyses.

    (2) Analyses that contain information that individually identifies one or more beneficiaries may only be disclosed to a provider or supplier (as defined at Sec. 401.703(b) and (c)) when the following conditions are met:

    (i) The analyses only contain identifiable information on beneficiaries with whom the provider or supplier have a patient relationship as defined at Sec. 401.703(r), and

    (ii) a QE DUA as defined at Sec. 401.713(d) is executed between the qualified entity and the provider or supplier prior to making any individually identifiable beneficiary information available to the provider or supplier.

    (3) Except as specified under paragraph (c)(2) of this section, all analyses must be limited to beneficiary de-identified data. Regardless of the HIPAA covered entity or business associate status of the qualified entity and/or the authorized user, de-identification must be determined based on the standards for HIPAA covered entities found at 45 CFR 164.514(b).

    (4) Analyses that contain information that individually identifies a provider or supplier may not be disclosed unless:

    (i) The analysis only individually identifies the provider or supplier that is being supplied the analysis, or

    (ii) Every provider or supplier individually identified in the analysis has been afforded the opportunity to appeal or correct errors using the process at Sec. 401.717(f).

    (c) Non-public analyses agreement between a qualified entity and an authorized user for beneficiary de-identified non-public analyses disclosures. In addition to the other requirements of this subpart, a qualified entity must enter a contractually binding non-public analyses agreement with the authorized user as a pre-condition to providing or selling de-identified analyses. Such non-public analyses agreement must contain the following provisions:

    (1) The authorized user may not use the analyses or derivative data for the following purposes:

    (i) Marketing, as defined at Sec. 401.703(s).

    (ii) Harming or seeking to harm patients or other individuals both within and outside the healthcare system regardless of whether their data are included in the analyses.

    (iii) Effectuating or seeking opportunities to effectuate fraud and/or abuse in the health care system.

    (2) If the authorized user is an employer as defined in Sec. 401.703(k), the authorized user may only use the analyses or derivative data for purposes of providing health insurance to employees, retirees, or dependents of employees or retirees of that employer.

    (3)(i) At the qualified entity's discretion, it may permit an authorized user that is a provider as defined in Sec. 401.703(b) or a supplier as defined in Sec. 401.703(c), to re-disclose the de-identified analyses or derivative data, as a covered entity would be permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).

    (ii) All other uses and disclosures of such data and/or such non-public analyses is forbidden except to the extent a disclosure qualifies as a ``required by law'' disclosure.

    (4) If the authorized user is not a provider or supplier, the authorized user may not re-disclose or make public any non-public analyses or derivative data except as required by law.

    (5) The authorized user may not link the de-identified analyses to any other identifiable source of information and may not in any other way attempt to identify any individual whose de-identified data is included in the analyses.

    (6) The authorized user must notify the qualified entity of any DUA violations, and it must fully cooperate with the qualified entity's efforts to mitigate any harm that may result from such violations.

  33. Section 401.717 is amended by adding paragraph (f) to read as follows:

    Sec. 401.717 Provider and supplier requests for error correction.

    * * * * *

    (f) A qualified entity also must comply with paragraphs (a) through (e) of this section before disclosing non-public analyses, as defined at Sec. 401.716, that contain information that individually identifies a provider or supplier.

  34. Section 401.718 is added to read as follows:

    Sec. 401.718 Dissemination of data.

    (a) General. Subject to the other requirements in this subpart, the requirements in paragraphs (b) and (c) of this section and any other applicable laws or contractual agreements, a qualified entity may provide or sell combined data, or provide Medicare data at no cost to authorized users defined at Sec. 401.703(b), (c), (m), and (n).

    (b) Data--(1) De-identification. Except as specified in paragraph (b)(2) of this section, any data provided or sold by a qualified entity to an authorized user must be limited to beneficiary de-identified data. De-identification must be determined based on the de-identification standards for HIPAA covered entities found at Sec. 164.514(b).

    (2) Exception. If such disclosure would be consistent with all applicable laws, data that individually identifies a beneficiary may only be disclosed to a provider or supplier (as defined at Sec. 401.703(b) and (c)) with whom the identifiable individuals in such data have a current patient relationship as defined at Sec. 401.703(r).

    (c) Data Use Agreement between a qualified entity and an authorized user. A qualified entity must contractually require an authorized user to comply with the requirements in Sec. 401.713(d) prior to providing or selling data to an authorized user under Sec. 401.718.

  35. Section 401.719 is amended by adding paragraphs (b)(3) and (4) and (d)(5) to read as follows:

    Page 5416

    Sec. 401.719 Monitoring and sanctioning of qualified entities.

    * * * * *

    (b) * * *

    (3) Non-public analyses provided or sold to authorized users under this subpart, including the following information:

    (i) A summary of the analyses provided or sold, including--

    (A) The number of analyses.

    (B) The number of purchasers of such analyses.

    (C) The types of authorized users that purchased analyses.

    (D) The total amount of fees received for such analyses.

    (E) QE DUA or non-public analyses agreement violations.

    (ii) A description of the topics and purposes of such analyses.

    (4) Data provided or sold to authorized users under this subpart, including the following information:

    (i) The entities who received data.

    (ii) The basis under which each entity received such data.

    (iii) The total amount of fees received for providing, selling, or sharing the data.

    (iv) QE DUA violations.

    * * * * *

    (d) * * *

    (5) In the case of a violation, as defined at Sec. 401.703(t) of the CMS DUA or the QE DUA, CMS will impose an assessment on a qualified entity in accordance with the following:

    (i) Amount of Assessment. CMS will calculate the amount of the assessment of up to $100 per individual entitled to, or enrolled for, benefits under part A of title XVIII of the Social Security Act or enrolled for benefits under part B of such title whose data was implicated in the violation based on the following:

    (A) Basic Factors. In determining the amount per impacted individual, CMS takes into account the following:

    (1) The nature and the extent of the violation.

    (2) The nature and the extent of the harm or potential harm resulting from the violation.

    (3) The degree of culpability and the history of prior violations.

    (B) Criteria to be considered. In establishing the basic factors, CMS considers the following circumstances, including:

    (1) Aggravating Circumstances. Aggravating circumstances include the following:

    (i) There were several types of violations occurring over a lengthy period of time.

    (ii) There were many of these violations or the nature and circumstances indicate a pattern of violations.

    (iii) The nature of the violation had the potential or actually resulted in harm to beneficiaries.

    (2) Mitigating circumstances. Mitigating circumstances include the following:

    (i) All of the violations subject to the imposition of an assessment were few in number, of the same type, and occurring within a short period of time.

    (ii) The violation was the result of an unintentional and unrecognized error and the qualified entity took corrective steps immediately after discovering the error.

    (C) Effects of aggravating or mitigating circumstances. In determining the amount of the assessment to be imposed under (d)(5)(i)(A) of this section.

    (1) If there are substantial or several mitigating circumstances, the aggregate amount of the assessment is set at an amount sufficiently below the maximum permitted by (d)(5)(A) of this section to reflect the mitigating circumstances.

    (2) If there are substantial or several aggravating circumstances, the aggregate amount of the assessment is set at an amount at or sufficiently close to the maximum permitted by (d)(5)(i)(A) of this section to reflect the aggravating circumstances.

    (D) The standards set for the qualified entity in this paragraph are binding, except to the extent that--

    (1) The amount imposed is not less than the approximate amount required to fully compensate the United States, or any State, for its damages and costs, tangible and intangible, including but not limited to the costs attributable to the investigation, prosecution, and administrative review of the case.

    (2) Nothing in this section limits the authority of CMS to settle any issue or case as provided by part 1005 of this title or to compromise any assessment as provided by (d)(5)(E) of this section.

    (ii) Notice of Determination. CMS must propose an assessment in accordance with this paragraph, by notifying the qualified entity by certified mail, return receipt requested. Such notice must include the following information:

    (A) The assessment amount.

    (B) The statutory and regulatory bases for the assessment.

    (C) A description of the violations upon which the assessment was proposed.

    (D) Any mitigating or aggravating circumstances that CMS considered when it calculated the amount of the proposed assessment.

    (E) Information concerning response to the notice, including:

    (1) A specific statement of the respondent's right to a hearing in accordance with procedures established at Section 1128A of the Act and implemented in 42 CFR part 1005.

    (2) A statement that failure to respond within 60 days renders the proposed determination final and permits the imposition of the proposed assessment.

    (3) A statement that the debt may be collected through an administrative offset.

    (4) In the case of a respondent that has an agreement under section 1866 of the Act, notice that imposition of an exclusion may result in termination of the provider's agreement in accordance with section 1866(b)(2)(C) of the Act.

    (F) The means by which the qualified entity may pay the amount if they do not intend to request a hearing.

    (iii) Failure to request a hearing. If the qualified entity does not request a hearing within 60 days of receipt of the notice of proposed determination specified in the preceding paragraph, any assessment becomes final and CMS may impose the proposed assessment.

    (A) CMS notifies the qualified entity, by certified mail with return receipt requested, of any assessment that has been imposed and of the means by which the qualified entity may satisfy the judgment.

    (B) The qualified entity has no right to appeal an assessment for which the qualified entity has not requested a hearing.

    (iv) When an assessment is collectible. An assessment becomes collectible after the earliest of the following:

    (A) 60 days after the qualified entity receives CMS's notice of proposed determination under (d)(5)(ii) of this section, if the qualified entity has not requested a hearing.

    (B) Immediately after the qualified entity abandons or waives its appeal right at any administrative level.

    (C) 30 days after the qualified entity receives the ALJ's decision imposing an assessment under Sec. 1005.20(d) of this title, if the qualified entity has not requested a review before the DAB.

    (D) 60 days after the qualified entity receives the DAB's decision imposing an assessment if the qualified entity has not requested a stay of the decision under Sec. 1005.22(b) of this title.

    (v) Collection of an assessment. Once a determination by HHS has become final, CMS is responsible for the collection of any assessment.

    (A) The General Counsel may compromise an assessment imposed under this part, after consulting with CMS or OIG, and the Federal government may recover the assessment in a civil action brought in the United States district court for the district where the claim was presented or where the qualified entity resides.

    Page 5417

    (B) The United States or a state agency may deduct the amount of an assessment when finally determined, or the amount agreed upon in compromise, from any sum then or later owing the qualified entity.

    (C) Matters that were raised or that could have been raised in a hearing before an ALJ or in an appeal under section 1128A(e) of the Act may not be raised as a defense in a civil action by the United States to collect an assessment.

  36. Section 401.721 is amended by adding paragraph (a)(7) to read as follows:

    Sec. 401.721 Terminating an agreement with a qualified entity.

    (a) * * *

    (7) Fails to ensure authorized users comply with their QE DUAs or analysis use agreements.

    * * * * *

    Dated: October 15, 2015.

    Andrew M. Slavitt,

    Acting Administrator, Centers for Medicare & Medicaid Services.

    Dated: January 27, 2016.

    Sylvia M. Burwell,

    Secretary, Department of Health and Human Services.

    FR Doc. 2016-01790 Filed 1-29-16; 11:15 am

    BILLING CODE 4120-01-P
