Privacy Act of 1974; Report of New System of Records

Federal Register, Volume 79 Issue 108 (Thursday, June 5, 2014)

Notices

Pages 32547-32550

From the Federal Register Online via the Government Printing Office www.gpo.gov

FR Doc No: 2014-13012

=======================================================================

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

Privacy Act of 1974; Report of New System of Records

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS).

ACTION: Notice of a New System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 1974, CMS is establishing a new SOR titled, ``Open Payments,'' System No. 09-70-0507, to implement the requirements in Section 6002 of the Patient Protection and Affordable Care Act of 2010 (ACA) (Pub. L. 111-148), which added section 1128G to the Social Security Act (the Act). The Open Payments program requires applicable manufacturers and applicable Group Purchasing Organizations (GPOs) to report payments and other transfers of value to covered physician recipients as defined by 42 CFR 403.902, as well as certain ownership or investment interests held by physicians and/or their immediate family members in such applicable manufacturers and/or applicable GPOs. CMS is required to publish the data submitted by applicable manufacturers or GPOs on a public Web site.

DATES: Effective Dates: July 7, 2014. Written comments should be submitted on or before the effective date. HHS/CMS/Center for Program Integrity (CPI) may publish an amended SORN in light of any comments received.

ADDRESSES: The public should address comments to: CMS Privacy Officer, Privacy Policy Compliance Group, Office of E-Health Standards & Services, Office of Enterprise Management, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1870, Mailstop: S2-24-25, Office: (410) 786-5357, Email: walter.stone@cms.hhs.gov. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: Data Sharing and Partnership Group, Center for Program Integrity, Centers for Medicare & Medicaid Services, 7210 Ambassador Road, Mail Stop AR-18-50, Baltimore, MD 21244. Email: veronika.peleshchukfradlin@cms.hhs.gov.

SUPPLEMENTARY INFORMATION: Applicable Manufacturers and/or applicable GPOs are required to report payments and other transfers of value to covered physician recipients. Additionally, applicable manufacturers and/or applicable GPOs are required to report information pertaining to certain ownership or investment interests held by physicians and/or their immediate family members in such applicable manufacturers and/or applicable GPOs. Such reports are to be made annually to CMS in an electronic format. Applicable Manufacturers and/or applicable GPOs are subject to civil monetary penalties for failing to comply with the reporting requirements. CMS will publish the reported data on a public Web site. The data must be downloadable, easily searchable, and aggregated. In addition, CMS must submit annual reports to the Congress and each state summarizing the data reported.

Title 42 Code of Federal Regulations (CFR) 403.908(g) provides covered physician recipients and physicians who are owners or investors a 45-day review period to review data submitted about them and submit corrections prior to the data becoming available to the public. Additionally, 42 CFR 403.908(g)(3)(iv) and (v) provides covered physician recipients and physicians who are owners or investors an opportunity to dispute the accuracy of such information. Covered physician recipients and physician owners or investors will indicate which information regarding a specific payment or other transfer of value is being disputed. Applicable Manufacturers and/or applicable GPOs will receive a notification that a covered physician recipient and/or a physician who is an owner or investor is disputing reported information. The dispute resolution process is between the applicable manufacturers and/or the applicable GPOs, and the covered physician recipients and physicians who are owners or investors. If a dispute is resolved or if errors/omissions are discovered, the applicable manufacturer or applicable GPO is required to submit corrected data to CMS. Upon receipt, CMS notifies the affected covered physician recipient and/or the physician who is an owner or investor that the additional information has been submitted and is available for review. CMS updates the Web site at least once annually with corrected information.

The Privacy Act

The Privacy Act governs the collection, maintenance, use, and dissemination of certain information about individuals by agencies of the Federal Government.

A ``SOR'' is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a description of the type and character of each system of records that the agency maintains, and the routine uses that are contained in each system to make agency recordkeeping practices transparent, to notify individuals regarding the uses to which their records are put, and to assist individuals to more easily find such files within the agency.

System Number: 09-70-0507

System Name:

Open Payments System.

Security Classification:

Unclassified.

System Location:

Lockheed Martin's Virtual Data Center hosted by Terremark Network Access Point (NAP) of the National Capital Region (NCR) facility located at Culpeper, Virginia and CMS Data Center, Baltimore, Maryland 21244-1850.

Categories Of Individuals Covered By The System:

The system will contain information about the following categories of individuals covered by the Open Payments program: (1) Physicians and authorized representatives of physicians and teaching hospitals and, (2) any applicable manufacturers and applicable GPO system users.

Categories Of Records In The System:

Information collected about applicable manufacturers or applicable GPOs includes but is not limited to profile information for the company and users interacting with the Open Payments system on the applicable manufacturers or applicable GPOs' behalf. Such information includes but may not be limited to user first name and last name, business contact information and job title.

Information collected about physicians in the Open Payments system includes but is not limited to physician's name, specialty, business address, business phone number, National Provider Identifier (NPI) number, state license numbers, types and descriptions as to the nature and form of payments received from applicable manufacturers or applicable GPOs, amounts of payments, natures and context of payments and dates of payments. With respect to payments that were made in relation to a particular covered drug, device, biological, or medical supply, the name of that covered drug, device, biological, or medical supply shall also be reported. With respect to physicians who hold certain ownership or investment interests in such manufacturers and/or GPOs, or who have immediate family members who hold such ownership or investment interests in such manufacturers and/or GPOs, collected information will include the dollar amount invested; the value and terms of such ownership or investment, and information pertaining to any payment or other transfer of value provided to a physician holding such an ownership interest.

Teaching hospital information also includes profile information for the users interacting with the Open Payments system on the hospital's behalf. Such information includes but may not be limited to user's first name and last name, business contact information, and job title.

Authority For Maintenance Of The System:

Authority for the SOR is given by Title 42 U.S.C. Sec. 1128G 42 U.S.C. 1320a-7h.

Purpose(s) Of The System:

The purpose(s) of this SOR is to maintain information submitted by applicable manufacturers and/or applicable GPOs regarding payments or other transfers of value provided to covered physician recipients, as well as certain ownership or investment interests in such entities held by physicians and/or their immediate family members. CMS may use information from this system to: (1) Support regulatory, reimbursement, and policy functions performed by Agency contractors, consultants, or CMS grantees; (2) assist Federal agencies and their fiscal agents in performing the statutory functions of the Open Payments; (3) assist applicable manufacturers or applicable GPOs with the statutory reporting requirements; (4) comply with the requirements of 42 U.S.C. 1320a-7h, and publish the information submitted on a public Web site; (5) support research and program evaluation activities; (6) support litigation involving the agency; (7) assist with fraud, waste, and abuse detection and prevention activities; (8) assist agencies, entities, contractors, or persons tasked with the response and remedial efforts in the event of a breach of information, and (9) assist the U.S. Department of Homeland Security (DHS) cyber security personnel.

Routine Uses Of Records Maintained In The System, Including Categories Of Users And The Purposes Of Such Uses:

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may release information from Open Payments without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish the following routine use disclosures of information maintained in the system:

  1. To support Agency personnel, contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this collection and who need to have access to the records in order to assist CMS.

  2. To assist another Federal agency, an agency of a State government, an agency established by State law, or its fiscal agents with information that is necessary and/or required in order to perform the statutory functions of Open Payments.

  3. To provide applicable manufacturers and applicable GPOs with information they need to meet any statutory requirements of the program, assist with other reports as required by CMS, and to assist in the implementation of statutory reporting requirements.

  4. To comply with the requirements of Section 6002 of the ACA and 42 CFR Part 403 to publish payment or other transfers of value and investment interest information submitted by applicable manufacturers or applicable GPOs on a public Web site. CMS will notify covered recipients, physician owners and investors, and applicable manufacturers or applicable GPOs when data are available for public viewing via public announcements and listserv messages.

  5. To support an individual or organization for research, program evaluation or epidemiological projects related to transparency initiatives around financial relationships between drug and medical device manufacturers and physicians, and teaching hospitals.

  6. To provide information to the U.S. Department of Justice (DOJ), a court, or an adjudicatory body when (a) the Agency or any component thereof, or (b) any employee of the Agency in his or her official capacity, or (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee, or (d) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court, or adjudicatory body is compatible with the purpose for which the agency collected the records;

  7. To assist a CMS contractor (including, but not limited to Medicare Administrative Contractors, fiscal intermediaries, and carriers) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such program;

  8. To assist another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers or that has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs;

  9. To disclose records to appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance; and

  10. To assist the U.S. Department of Homeland Security (DHS) cyber security personnel, if captured in an intrusion detection system used by HHS and DHS pursuant to the Einstein 2 program.

Policies And Practices For Storing, Retrieving, Accessing, Retaining, And Disposing Of Records In The System:

Storage:

All records are stored in a relational database in CMS Virtual Data Center hosted by Terremark Network Access Point (NAP) of the National Capital Region (NCR) facility located at Culpeper, Virginia.

Retrievability:

Information about physicians and their authorized representatives may be retrieved by any of these personal identifiers: physicians' name, address, license number, or National Provider Identifier (NPI). Profile information about applicable manufacturer and GPO system users may be retrieved by these identifiers: applicable manufacturers or applicable GPOs' DUNS, name and address. Information may be extracted through a backend database access or through a business intelligence reporting tool by authorized personnel.

Safeguards:

Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.

Access to records in the Open Payments database system will be limited to CMS personnel and contractors through password security, encryption, firewalls, and secured operating system. Any electronic copies which contain information about an individual at CMS and contractor locations will be kept in secure electronic files.

Retention And Disposal:

All records in the Open Payments database will be maintained for a period of up to 10 years from the end of the calendar year in which files were made publicly available on the CMS Web site. Any records that are needed longer, such as audit or other exceptions, will be retained until such matters are resolved.

System Manager And Address:

Director, Data Sharing and Partnership Group, Center for Program Integrity, Centers for Medicare & Medicaid Services, 7210 Ambassador Road, Mail Stop AR-18-50, Baltimore, MD 21244.

Notification Procedure:

Physician covered recipients and physicians who are owners or investors, as well as members of their immediate families will be notified by CMS via an online posting and notifications on CMS's listservs. They may also register with CMS to receive notification about the review processes.

Record Access Procedure:

Physician covered recipients and physicians who are owners or investors, as well as representatives from teaching hospitals, applicable manufacturers and GPOs will be able to log into the Open Payments system through a secure Web site to directly view records pertaining to them for the previous reporting year as well as access their profile information.

Contesting Record Procedures:

Title 42 Code of Federal Regulations (CFR) Sec. 403.908(g) provides covered physician recipients and physicians who are owners or investors, as well as teaching hospitals, a 45-day review period to review data submitted about them and dispute its accuracy and completeness prior to the data becoming available to the public. Additionally, 42 CFR 403.908(g)(3)(iv) and (v) provides covered physician recipients and physicians who are owners or investors an opportunity to dispute the accuracy of such information. Covered recipients and physicians who are owners or investors will indicate which information regarding a specific payment or other transfer of value is being disputed. Applicable Manufacturers and/or applicable GPOs will receive a notification that a covered recipient or physician owner or investor is disputing reported information. The dispute resolution process is between applicable manufacturers, applicable GPOs, covered recipients and physician owners or investors. When a dispute is resolved and/or errors or omissions are discovered, 42 CFR Sec. 403.908(g)(4) and (h)(1) require the applicable manufacturer or applicable GPO to submit corrected data to CMS. Upon receipt, CMS notifies the affected covered recipient or physician who is an owner or investor that the additional information has been submitted and is available for review. CMS updates the Web site at least once annually with corrected information after the initial publication.

Record Source Categories:

Information collected and maintained in this database is submitted by applicable manufacturers and/or applicable GPOs.

Exemptions Claimed For This System:

None.

Dated: May 30, 2014.

Niall Brennan,

Acting Director, Offices of Enterprise Management, Centers for Medicare & Medicaid Services.

FR Doc. 2014-13012 Filed 5-30-14; 5:00 pm

BILLING CODE 4120-03-P
