Rule

Medicare Program; Availability of Medicare Data for Performance Measurement

Action

Final Rule.

Summary

This final rule implements Section 10332 of the Affordable Care Act regarding the release and use of standardized extracts of Medicare claims data for qualified entities to measure the performance of providers of services (referred to as providers) and suppliers. This rule explains how entities can become qualified by CMS to receive standardized extracts of claims data under Medicare Parts A, B, and D for the purpose of evaluation of the performance of providers and suppliers. This rule also lays out the criteria qualified entities must follow to protect the privacy of Medicare beneficiaries.

DATES:

Effective Date: These regulations are effective January 6, 2012.

FOR FURTHER INFORMATION CONTACT:

Colleen Bruce, (410) 786-5529.

SUPPLEMENTARY INFORMATION:

I. Background

The Patient Protection and Affordable Care Act (Pub. L. 111-148), enacted on March 23, 2010, and the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152), enacted on March 30, 2010, are collectively referred to in this final rule as the “Affordable Care Act.” Effective January 1, 2012, section 10332 of the Affordable Care Act would amend section 1874 of the Social Security Act (the Act) by adding a new subsection (e) requiring standardized extracts of Medicare claims data under parts A, B, and D to be made available to “qualified entities” for the evaluation of the performance of providers and suppliers. Qualified entities may use the information obtained under section 1874(e) of the Act for the purpose of evaluating the performance of providers and suppliers, and to generate public reports regarding such performance. Qualified entities may receive data for one or more specified geographic areas and must pay a fee equal to the cost of making the data available. Congress also required that qualified entities combine claims data from sources other than Medicare with the Medicare data when evaluating the performance of providers and suppliers.

Section 1874(e) of the Act requires potential qualified entities that wish to request data under this provision to submit an application to the Secretary that includes, among other things, a description of the methodologies that the applicant proposes to use to evaluate the performance of providers and suppliers in the geographic area(s) they select. Qualified entities generally must use standard measures for evaluating the performance of providers and suppliers unless the Secretary, in consultation with appropriate stakeholders, determines that use of alternative measures would be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures. Reports generated by the qualified entities may only include information on individual providers and suppliers in aggregate form, that is, at the provider or supplier level, and may not be released to the public until the providers and suppliers have had an opportunity to review them and, if necessary, ask for corrections. Congress included a provision at section 1874(e)(3) of the Act to allow the Secretary to take such actions as may be necessary to protect the identity of individuals entitled to or enrolled in Medicare.

We believe the sharing of Medicare data with qualified entities through this program and the resulting reports produced by qualified entities will be an important driver of improving quality and reducing costs in Medicare, as well as for the health care system in general. Additionally, we believe this program will increase the transparency of provider and supplier performance, while ensuring beneficiary privacy.

II. Provisions of the Proposed Rule and Analysis of and Responses to Public Comments

We received approximately 100 comments from a wide variety of individuals and organizations. About half of the comments were from providers and suppliers, or organizations representing providers and suppliers. The other half of the comments were from organizations engaged in performance measurement or data aggregation that may potentially be approved to receive Medicare data as qualified entities under this program. We also received a number of comments from consumer advocacy organizations.

A. Definition, Eligibility Criteria, and Operating Requirements of Qualified Entities

Almost all of the comments were positive and praised CMS' proposals regarding how the qualified entity program would operate. Commenters also had a range of suggestions for how CMS should administer the program, including several comments on performance measurement in general. We also received numerous comments on data privacy and security, which are discussed in more detail in subsection D below.

1. Definitions

In the proposed rule, we defined a qualified entity as a public or private entity that meets two standards. The first is that the entity is qualified, as determined by the Secretary, to use claims data to evaluate the performance of providers and suppliers on measures of quality, efficiency, effectiveness, and resource use. The second is that the entity agrees to meet the requirements described in Section 1874(e) of the Social Security Act and at §§ 401.703-401.710 of the proposed rule.

Comment: We received several comments, suggestions, and questions regarding the use of the Medicare data qualified entities receive through this program. Section 1874(e)(4)(B) of the Act specifies the uses of the Medicare data. Some commenters requested that qualified entities be allowed to use the data for purposes other than performance reporting, such as internal analyses, pay-for-performance initiatives, and provider tiering; other commenters requested that CMS clarify that the data provided would be used for performance reporting only.

Response: The statute bars the re-use of the Medicare claims data provided to qualified entities under section 1874(e) of the Social Security Act (the Act). Section 1874(e)(4)(D) provides that the qualified entity “shall only use such data, and information derived from such evaluation” for performance reports on providers and suppliers. Additionally, the Data Use Agreement (DUA, discussed in more detail below) bars re-use of the data for other purposes; violation of the DUA may result in a qualified entity's access to data under 1874(e) of the Act being terminated. However, while the data itself and any derivative data may only be used for creating the prescribed reports, section 1874(e) does not address the use of the publicly reported result. Subject to any limitations imposed by other applicable laws (for example, copyright laws), these publicly reported results could be used by any party, including the qualified entity, for activities such as internal analyses, pay-for-performance initiatives, or provider tiering.

Qualified entities will not be allowed to do performance measurement with Medicare data alone. Section 1874(e)(4)(B)(iii) specifically provides that qualified entities must include “claims data from sources other than claims data under this title in the evaluation of performance of providers of services and suppliers.” We have added a definition of “claims data from other sources” at § 401.703(h).

We have made several technical changes to the definitions at § 401.703 to reflect the regulatory interpretation of the statutory provisions cited in the proposed rule. We have modified the definition of a qualified entity to require the entity to agree to meet the requirements in §§ 401.705-401.721 of the final rule, removing the proposed rule's reference to section 1874(e) of the Act. We have also modified the definitions of provider and supplier; specifically we have defined both terms in terms of the definitions for the identical terms at § 400.202.

We have also added a definition of clinical data. This addition is discussed in further detail below.

2. Eligibility Criteria

In determining the eligibility standards for qualified entities we sought to balance the needs to: (1) Ensure the production of timely, high quality, and actionable reports on the performance of providers and suppliers, (2) protect beneficiary privacy and security, and (3) ensure providers and suppliers have an appropriate amount of time to review the reports, appeal, and, if necessary, correct errors prior to public reporting. We therefore proposed to evaluate an organization's eligibility to serve as a qualified entity across three areas: Organizational and governance capabilities, addition of claims data from other sources, and data privacy and security.

Additionally, we proposed not to limit the number of qualified entities eligible to serve in an area. Any entity that satisfactorily meets the eligibility criteria would be able to participate in the program.

Comment: We received several comments on the eligibility criteria as a whole. Many commenters supported the proposed eligibility standards; however others said the eligibility standards were too prescriptive. Several commenters asked CMS to clarify qualified entities' ability to combine expertise across more than one entity to meet the requirements in the rule related to experience or amount of other claims data.

Response: We thank commenters for their support for the eligibility standards. While we understand that the eligibility standards necessitate that prospective qualified entities have extensive experience in performance measurement, access to data, and appropriate privacy and security protocols, we believe these standards are essential to ensure both the privacy and security of beneficiary data and the acceptance of the program by providers and suppliers.

We clarify, however, that qualified entities do not need to be composed of a single legal entity. A qualified entity applicant may contract with other entities to achieve the ability to meet the eligibility criteria. If an entity chooses to contract with one or more other entities to meet the eligibility standards, the application must be submitted by one lead entity. This lead entity must submit documentation describing the contractual relationships that exist between and among all entities applying together under the lead entity to become a qualified entity. In addition, as discussed in subsection D.1. below, contractors will be required to abide by the same privacy and security requirements as the lead entity, including signing a data use agreement prior to being given access to Medicare claims data or beneficiary information. Contractors will also be subject to CMS monitoring and their actions may result in sanctions and/or termination of the qualified entity.

We believe that requiring contractual arrangements among the members of such a group will ultimately protect both the providers and suppliers receiving reports, as well as the beneficiaries seeking to use this information to make health care decisions by ensuring that the lead entity has partners with the necessary expertise to carry out the duties of a qualified entity and that the qualified entity's partners are committed to the project through legally enforceable agreements.

In a contractual arrangement, there would be breach of contract liability if one of the members of the group fails to deliver, and there would be the potential of collecting damages for that failure to perform. Such damages would potentially provide the lead entity with the resources that would be necessary for finding and hiring another entity to carry out the functions of a contractor/subcontractor that failed to perform. Any other less formal arrangement among a group of entities that, in sum, possessed the requisite traits required of a qualified entity, such as a partnership or other consortium-like affiliation, would not offer the breach of contract protections that would provide assurances that the entities listed as participants in the group would in fact provide the services/skills/resources that the qualified entity applicant asserts. In a non-contractual arrangement, participating members of the group could stop performing at any time, leaving the remainder of the group with little recourse and, possibly, not qualified to carry on as a qualified entity. This could prevent the issuance of the desired reports. It could also leave providers and suppliers, as well as beneficiaries, without any recourse for remedying reporting errors or answering questions related to the reports. This would have a very negative effect on the program as a whole, and jeopardize this important transparency effort.

We emphasize that a single entity may seek to fulfill all of the eligibility standards; there is no requirement that a qualified entity must be a group of two or more entities. However, we believe that more potential qualified entities would apply if they use contractual relationships to address any requirements that they may be lacking.

Comment: Several commenters suggested additions to the eligibility standards. A handful of commenters recommended adding a public input component as part of the eligibility process. Commenters also suggested evaluating provider complaints against applicants when making determinations about qualified entity eligibility. One commenter asked CMS to create a provisional track for entities without the necessary experience or the non-Medicare data to serve as a qualified entity in the general program.

Response: Through evaluating each entity's (including the lead entity's and any contractors') past experience, other claims data, and privacy and security protocols, we are confident that entities approved as qualified entities will meet the requirements of the program. Extensive monitoring requirements for the lead entity and any contractors, as well as the ability to terminate our agreement with a qualified entity, will ensure that the highest standards are adhered to by all qualified entities. However, we are interested in beneficiary and/or provider complaints against a qualified entity once that entity is approved. As discussed below in section II.F., we have included an analysis of beneficiary and/or provider complaints as part of the monitoring and performance assessment of qualified entities.

While we appreciate the interest in allowing a variety of organizations to serve as qualified entities, we believe a provisional track is not consistent with the requirement in the statute that entities be qualified, as determined by the Secretary, to use claims data to evaluate provider and supplier performance. We hope that the discussion above, which notes that potential qualified entity applicants may form contractual agreements to meet the eligibility requirements, will allow entities with less experience or limited other claims data to gain the necessary expertise or gather the needed data to be approved as qualified entities. We also have added a conditional approval process, discussed in more detail below, for those applicants that do not have access to claims data from other sources at the time of their application.

Comment: We received several comments requesting CMS limit the organizations eligible to serve as qualified entities to non-profit and government organizations. However, we also received comments asking CMS to continue to allow any organization that meets the eligibility requirements and submits an application to serve as a qualified entity.

Response: On balance, we believe it is appropriate for CMS to continue to allow any organization that meets the eligibility requirements and the requirements at §§ 401.703-401.710 of the proposed rule, which appear, as modified in the following discussion, in §§ 401.705-401.721 of this final rule, to serve as a qualified entity.

Comment: While we received several comments supporting our proposal not to limit the number of qualified entities in a geographic region, we also received comments suggesting we limit the number of qualified entities eligible to serve in an area. Many of those who suggested limiting the number of qualified entities in an area expressed concern that allowing multiple qualified entities in a region would lead to multiple reports on the same provider or supplier, which would confuse both the individual or entity being measured and the consumer. One commenter suggested CMS take a phased approach to the number of qualified entities, allowing providers to get accustomed to measurement before expanding the number of qualified entities.

Response: We acknowledge commenters' desire to limit the number of reports on a provider or supplier; however, we do not anticipate many regions will have multiple entities that meet the requirements to serve as qualified entities. Specifically, it is difficult to imagine there will be many areas where multiple organizations will possess sufficient claims data from other sources. Additionally, we believe allowing all eligible organizations to serve as qualified entities will encourage innovation in measure development and performance reporting. In the case that there are multiple organizations in an area that could serve as individual qualified entities, we would like to reiterate that these organizations could form contractual arrangements with each other and apply for the program under a lead applicant.

a. Organizational and Governance Capabilities

Under organizational and governance capabilities, we proposed to evaluate the applicant's capability to perform a variety of tasks related to serving as a qualified entity. Tasks included the ability to accurately calculate measures from claims data, successfully combine claims data from different payers, design performance reports, prepare an understandable description of measures, implement a report review process for providers and suppliers, maintain a rigorous data privacy and security program, and make reports containing provider and supplier level data available to the public. We proposed to generally require applicants to demonstrate expertise and sustained experience on each of the criteria, which could be demonstrated by three or more years of experience in each area. We also proposed to consider applications with fewer years' experience handling claims data and calculating measures, and/or limited experience implementing or maintaining a report review process for providers and suppliers as long as the applicant has sufficient experience in all other areas.

Comment: Commenters had mixed opinions about the proposed requirement of three or more years of experience. Commenters who did not support a minimum three years' experience were concerned about limiting eligibility of otherwise viable entities. On the other hand, commenters who strongly supported the eligibility criteria suggested lengthening the time requirement to five years.

Response: While we are sensitive to the desire to allow all interested organizations to serve as qualified entities, we believe that many viable entities will possess three years of experience, particularly now that we have clarified that a qualified entity may contract with other entities in order to demonstrate required experience. It is essential for the success of the qualified entity program that organizations approved as qualified entities have the necessary expertise and experience to successfully perform all the functions required in the statute. We believe the experience requirements we have included are sufficient to ensure organizations approved as qualified entities possess the necessary experience to successfully meet the requirements of the program.

Comment: Commenters suggested changes to specific tasks in the organizational and governance capabilities section of the eligibility criteria. Several commenters asked CMS to only require expertise in the areas of measurement the entity is proposing to use instead of all four areas of measurement: Quality, efficiency, effectiveness, and resource use. Similarly, commenters also noted that not all measures require risk-adjustment and requested CMS only require experience in risk-adjustment if the entity is planning on using measures that incorporate risk-adjustment. Commenters also recommended removing the requirement that organizations have experience successfully combining claims data from different payers, arguing that this requirement would necessitate that applicants currently have data from two or more payers other than Medicare.

Response: We agree with commenters about the proposal that would have required expertise in all four areas of measurement. As a result, we are modifying the eligibility requirements related to these areas of performance measurement and will require all applicants to have experience calculating quality measures, and, to the extent that they propose using such measures, experience calculating efficiency, effectiveness and resource use measures. Similarly, we will only require entities to have experience with risk-adjustment, if they propose using measures requiring risk adjustment. Finally, the law requires that a qualified entity combine data from different payers, so we will retain that requirement in this final rule.

Comment: One commenter requested that CMS only approve applicants with a demonstrated track record of working with providers and suppliers and helping them with quality improvement.

Response: While we hope this program will support quality improvement efforts, the statute only requires qualified entities to confidentially make reports available prior to publication and to allow providers and suppliers the opportunity to request error correction. We believe that our requirement that applicants submit documentation of experience in both maintaining a process for providers and suppliers to review their reports prior to publication, and providing timely response to requests for error correction will be adequate to ensure an applicant's ability to work with providers and suppliers to ensure the availability of reports and appropriate correction mechanisms.

Comment: We received several comments on our proposal to require applicants to disclose inappropriate disclosures of beneficiary identifiable information. Specifically, one commenter suggested that requiring disclosure of a 10-year privacy breach history is unreasonable. Another commenter requested that CMS include a requirement that applicants disclose confirmed violations of State privacy laws, in addition to inappropriate disclosures of beneficiary identifiable information.

Response: We believe that requiring an applicant to disclose 10 years' worth of inappropriate disclosures of beneficiary information is a reasonable requirement, but we recognize that some applicants may not have a 10 year history. For those entities that do not have a 10 year history, we will require reporting the required information for the length of time the organization has been in existence. We clarify, however, that a qualified entity's application to receive Medicare data will be evaluated based on all of the information submitted; a past inappropriate disclosure of beneficiary identifiable information will not automatically disqualify an entity from participation in the program. If an entity's application lists these events, CMS will engage in further discussions with that applicant to determine what corrective processes the entity has put in place to avoid future inappropriate disclosure of beneficiary identifiable information. We agree that violations of State, as well as federal, privacy and security laws should also be submitted to CMS and will add this requirement to the eligibility criteria. For clarity, we have rephrased the proposed language in § 410.705(a)(1)(vii) that referred to violations of State privacy laws or HIPAA violations to read “violations of applicable federal and State privacy and security laws and regulations” to encompass the full range of information privacy and security laws and regulations at both the federal and State levels with which the applicant may have to comply. In addition to demonstrating experience and expertise, we also proposed to require qualified entities to submit a business model for covering the cost of required functions.

Comment: Some commenters argued that requiring prospective applicants to submit a business model is too prescriptive, while others were supportive of this requirement. A handful of commenters asked CMS for guidance on financing mechanisms, as well as whether they could charge a fee for the reports or license the data for secondary use.

Response: In requiring submission of a business model, it was not our intent to be overly prescriptive. Rather, we were seeking to ensure that the qualified entities would have the resources necessary to carry out what we expect would be a relatively resource-intensive and important undertaking. We expect that by requiring submission of a business plan qualified entities would be more likely to have a viable business model under which they would be able to carry out their obligations under the qualified entity program. We do not intend to limit an organization's ability to change or adapt its business plan once approved as a qualified entity. We only ask that the qualified entity demonstrate that it has thought through what it would need to do to succeed. Finally, as for financing mechanisms, we note that the qualified entity program regulations do not generally place any added limitations on what is otherwise feasible under applicable laws. For example, the content of the publicly released reports will be subject to existing laws on copyright. Qualified entities cannot, however, charge providers or suppliers for the confidential copies of the pre-publication reports that qualified entities are required to provide in advance of publication. Furthermore, qualified entities must publicly report measure results free of charge and in a manner that is consistent with the requirements in Section 1874(e)(4)(C) of the Act. We encourage qualified entities to be innovative in creating business models to support their efforts.

b. Addition of Claims Data From Other Sources

In accordance with the statutory requirements at section 1874(e)(4)(B)(iii), we proposed to require entities to have claims data from non-title 18 (Medicare) sources to combine with Medicare data. We proposed to require possession of such other data at the time of their application. We defined claims data as administrative claims, meaning data that is not chart-abstracted data, registry data, or data from electronic health records. We proposed to require entities to demonstrate to CMS that the other claims data they possess is sufficient to address issues of sample size and reliability expressed by stakeholders regarding the calculation of performance measures from a single payer source. We also requested comment on whether CMS should require entities to possess claims data from two or more other sources to be eligible to serve as a qualified entity.

Comments: Some commenters were supportive of the requirement that entities possess claims data from other sources at the time of application, but others argued that this requirement is too restrictive and not consistent with the intent of the statute. Specifically, commenters argued that it might be difficult to acquire claims data from other sources without approval from CMS to serve as a qualified entity. Other commenters sought clarification on whether qualified entities had to physically possess claims data from other sources or whether agreements with owners of claims data from other sources and proof of a functioning distributed data approach, meaning that claims data from different sources could reside at different physical locations as long as measure results could be securely and accurately aggregated, would suffice.

Response: While most organizations that are experienced in performance measurement will already have claims data they are using for performance measurement, we understand commenters' concerns about the requirement that entities possess claims data from other sources at the time of application. Therefore, for those applicants that do not have access to other claims data at the time of their application, we will create a conditional approval process. First, applicants that are found to meet all the requirements of the program, but do not have access to other claims data at the time of their application, will receive a conditional acceptance. Then, once an entity with a conditional acceptance gets access to adequate claims data from other sources, it will submit documentation that the claims data from other sources that it intends to combine with the Medicare data received under this subpart address the methodological concerns regarding sample size and reliability that have been expressed by stakeholders regarding the calculation of performance measures from a single payer source. CMS will review the documentation and if the amount of other claims data is found to be sufficient, the entity will pay a fee equal to the cost of CMS making the data available and execute a Data Use Agreement (DUA) with CMS to be approved as a qualified entity. A conditionally approved qualified entity will not be eligible to receive Medicare claims data or the beneficiary crosswalk (discussed further in Section D.1) until it has received full approval, pays a fee equal to the cost of making the data available, and signs a DUA.

This conditional approval process will be in addition to the normal approval process that will remain in place for those applicants that have access to a sufficient amount of other claims data at the time of their application. Additionally, we want to clarify that distributed data approaches, as described above, are permissible under the scope of this program.

Comment: We received several comments asking CMS to clarify the amount of other claims data applicants must possess. Commenters also asked if CMS would consider Medicaid data to be other claims data.

Response: As stated in the proposed rule, we do not believe it is feasible to establish an absolute threshold for a minimum amount of additional claims data. Rather, we ask applicants to explain how the data they do have for use in the qualified entity program will be adequate to address the concerns about small sample size and reliability that have been expressed by stakeholders regarding the calculation of performance measures from a single payer source. Each application will be evaluated on its collective merits, including the amount of claims data from other sources and its explanation on why that data, in combination with the requested Medicare data, is adequate for the stated purposes of this program. “Other claims data” can include Medicaid data as well as any private payer claims data.

Comment: We also received mixed comments on our proposal to require organizations to have two or more data sources at the time of application. Some commenters said this requirement seemed appropriate, while others argued it was too burdensome. One commenter argued that unless combined data represents at least 90 percent of a provider's practice, any resulting quality measurements will not be meaningful.

Response: We based our proposal about acquiring data from two or more sources on the interests of providers, suppliers, and consumers to have reports that provide valid results that cover an adequate portion of the providers' or suppliers' patients. However, in certain cases, one source may provide a sufficient amount of other claims data such that, when the other claims data is combined with Medicare data, it covers a considerable portion of a provider's or supplier's patients. We will therefore not require an applicant to have two sources of additional claims data, but we note that claims data from two or more sources is preferable to data from only one other source. We acknowledge that it is important for the combined data to represent a large portion of a provider's business, but believe an arbitrary requirement of 90 percent is unnecessarily high, especially given that the program is just beginning.

c. Data Privacy and Security

We proposed to require applicants to demonstrate their capabilities to establish, maintain, and monitor a rigorous privacy and security program, including programs to educate staff on privacy and data security protocols.

Comments related to the proposed data privacy and security eligibility criteria requirements are covered in the Data Security and Privacy section below in section II.D. of this final rule.

3. Operating and Governance Requirements for Serving as a Qualified Entity

We require documentation of operating and governance requirements at the time of application for several key activities. We proposed that applicants would submit as part of their application: (1) The measures they intend to use, including methodologies and a rationale for using the measure; (2) the report review process they would use with providers and suppliers, including addressing requests for data and error correction; and (3) a prototype for required reports, including the methods for disseminating reports.

Comments: We received several comments that the submission of measures and methodologies, as well as a prototype for reports, at the time of application is too burdensome. Additionally, commenters argued that 90 days notice for approval of changes was too long and that certain types of minor changes to the report prototype need not trigger CMS approval. Several commenters also argued that submitting specifications on standard measures is unnecessary since these measures have established specifications and are generally publicly available.

Response: We understand organizations' desire to have flexibility in selecting measures and report formats. We also believe that making these decisions is a key aspect of serving as a qualified entity and is important enough to require the submission of proposed plans prior to being approved as a qualified entity. However, we recognize commenters' desire to ensure measures and report formats are approved and available for use as quickly as possible. Therefore, we will change the timeframe for CMS approval to 30 days. Qualified entities may change selected measures, and may modify their report prototype, with 30 days notice to CMS and CMS approval of the changes or modifications. We believe that the majority of changes proposed by qualified entities will be straightforward and CMS will be able to comfortably conduct a review and approval within 30 days of submission; however, in certain circumstances CMS may request an additional 30 days to approve more wide-reaching changes or modifications. If a CMS decision on approval or disapproval for a change or modification is not forthcoming within 30 days and CMS does not request an additional 30 days for review, the change or modification shall be deemed to be approved.

We acknowledge the interest in only requiring CMS approval for substantive changes in the prototype reports. However, as it is the first year of the program, we are still determining the types of changes to the prototype reports that qualified entities will need to submit to CMS for approval. CMS is considering releasing guidance on the types of changes to the report prototype that need not be submitted once the qualified entity program has started.

We agree with commenters that including standard measure specifications is unnecessary. Thus far, available standard measures only include measures endorsed by the National Quality Forum and CMS measures; and the specifications for these measures are available to the public. Therefore, we will only require applicants to include measure specifications for alternative measures. We will use future rulemaking to address the submission of specifications for standard measures if the public availability of standard measure specifications changes in the future.

Comment: One commenter requested that CMS require each applicant to submit an analytic plan clarifying its goals relative to the statute.

Response: We believe that the requirement for entities to submit a rationale for selecting each measure, including its relationship to existing measurement efforts, addresses the issue of an organization's goals as they relate to the statute. We believe this is sufficient documentation of an organization's plans.

Comment: One commenter requested that CMS require applicants to submit conflict of interest information. Commenters were concerned that conflicts of interest could result in inaccurate or misleading reporting. One commenter specifically requested that qualified entities be required to attest that they have no relationship or affiliation with any health plans, insurers, providers, suppliers, manufacturers or other entities that may have an interest in or use for the data.

Response: We do not believe it is necessary for applicants to submit information on conflicts of interest to CMS. We expect that many qualified entities will have relationships with health plans, insurers, providers and suppliers, and other entities that have an interest in or use for the data in order to meet the requirements of the qualified entity program, such as obtaining other claims data or disseminating performance results. We believe the eligibility requirements and monitoring requirements will ensure that the organizations who serve as qualified entities comply with the requirements of the program.

B. Definition, Selection, and Use of Performance Measures

1. Standard and Alternative Measures

The statute permits qualified entities to use both standard and alternative measures. We proposed to define standard measures as any claims-based measure endorsed (or time-limited endorsed) by the entity with a contract under section 1890(a) of the Act (currently the National Quality Forum), any claims-based measure that is currently being used in a CMS program that includes quality measurement, or any measure developed pursuant to Section 931 of the Public Health Service Act. The statute requires the Secretary to consult with appropriate stakeholders as to whether the use of alternative measures would be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures. In light of these requirements, we proposed to define alternative measures as any claims-based measure that, while not a standard measure, was adopted by the Secretary through a notice and comment rulemaking process. Qualified entities would submit proposed alternative measures to CMS, which would then make the proposed alternative measures available for stakeholder input via a proposed rule, and, where appropriate, following receipt of public comments, the Secretary would determine which alternative measures to approve for use in the program.

Comment: Some commenters suggested that qualified entities be allowed to calculate measures that are not based solely on claims data. Specifically, commenters were interested in calculating measures that involve combining claims data with clinical data (for example, registry data or chart-abstracted data). Commenters argued that allowing qualified entities to use these measures would expand the list of available measures. Several commenters also expressed that the use of these types of measures would help produce a more accurate picture of provider and supplier performance.

Response: We recognize commenters' desire to use clinical data combined with claims data when calculating standard and alternative measures. Given the added value that clinical data brings to performance measurement, whenever standard or alternative measures provide for the use of clinical data, we will allow qualified entities to use clinical data in combination with Medicare and other claims data to calculate those standard and alternative measures. We have added a definition of clinical data at § 401.703(i); specifically, clinical data is registry data, chart-abstracted data, laboratory results, electronic health record information, or other information relating to the care or services provided to patients that is not included in administrative claims data. Measurement efforts using clinical data would only be supported under the qualified entity program if the clinical data is combined with the qualified entity's Medicare and other claims data to calculate the measures. These regulations do not address the use and publication of purely clinical-based measures.

Furthermore, we recognize the near impossibility of combining Medicare claims data with clinical data without an identifier to link them. As a result, we are changing the proposed process for releasing beneficiary identifiable information to allow—with strict privacy and security standards—for the disclosure of identifiers to qualified entities; this change is discussed in more detail in the Privacy and Security requirements section below.

Comment: Many commenters were supportive of the alternative measure review process. However, several commenters argued that the notice and comment rulemaking process was overly burdensome on qualified entities, would significantly restrict innovation in measure development and use, and was contrary to the overall goals of the provision. Some commenters proposed that qualified entities only be required to seek the permission of local stakeholders before calculating and reporting alternative measures. However, other commenters argued that the notice and comment rulemaking process provided appropriate safeguards against the public reporting of untested measures.

Response: We believe that the intent of the alternative measure provision in statute is to promote innovation in claims-based performance measurement, while ensuring that measures are not used in the qualified entity program without proper testing and validation. That said, in light of the comments received, we believe that greater flexibility could be afforded to qualified entities to better balance innovation with appropriate use. We are therefore adding additional flexibility into the alternative measure process by adding a second avenue by which to seek Secretarial approval of alternative measures. In order to receive approval to use an alternative measure under this new avenue, a qualified entity will need to submit documentation to CMS outlining consultation and agreement with stakeholders in the geographic region the qualified entity serves, and evidence that the measure is “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by such standard measures” in accordance with the statutory requirements at Section 1874(e)(4)(B)(ii)(II). Stakeholders must include a valid cross representation of providers, suppliers, employers, payers, and consumers. At a minimum, a qualified entity must submit:

  • A description of the process by which the qualified entity notified stakeholders of its intent to seek approval of an alternative measure.
  • A list of stakeholders from whom feedback was solicited, including the stakeholder names and each stakeholder's role in the community.
  • A description of the discussion about the proposed alternative measure, including a summary of all pertinent arguments for and against use of the measure.
  • An explanation backed by scientific evidence that demonstrates why the measure is “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by [a] standard measure.”

CMS will review the submission and make a decision as to whether the qualified entity has consulted the appropriate stakeholders and whether the new measure meets the requirements for alternative measures at Section 1874(e)(4)(B)(ii)(II) of the Act. Qualified entities must send all the information required for approval of an alternative measure to CMS at least 60 days prior to its intended use of the measure. CMS will make every effort to ensure that measures are approved during the 60 day period. If a CMS decision on approval or disapproval for an alternative measure is not forthcoming within 60 days, the measure shall be deemed to be approved. However, CMS retains the right to disapprove a measure if, even after 60 days, in accordance with the statutory requirements at Section 1874(e)(4)(B)(ii)(II) it is found to not be “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource” than a standard measure. Once a measure is approved CMS will release the name of the measure, as well as the scientific evidence that demonstrates why the measure is “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by [a] standard measure.”

Alternative measures submitted and approved using this process may only be used by the qualified entity that submitted the measure for consideration because the stakeholder consultation approval process only requires consultation with stakeholders in the geographic region the qualified entity serves. If another qualified entity wishes to use the same measure, it would need to consult with stakeholders in its own community, and submit its own request for alternative measure approval under the rulemaking or stakeholder consultation approval process. However, we recognize that scientific evidence demonstrating that the measure is “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by [a] standard measure” will not differ for a measure in use across communities. Therefore, once an alternative measure is approved for use via the stakeholder consultation approval process, future requests for use of an identical measure will not need to include the same explanation backed by scientific evidence that demonstrates why the measure is “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by [a] standard measure.” However, if there is scientific evidence that has become available since the measure was approved by CMS, the qualified entity seeking to use that measure must conduct the necessary research and provide that new scientific evidence to CMS.

We will also retain the notice and comment rulemaking process as a second option for the approval of alternative measures. As discussed in the proposed rule, alternative measures approved through notice and comment rulemaking may be used by any qualified entity up until the point that an equivalent standard measure for the particular clinical area or condition becomes available.

Comment: One commenter suggested that the alternative measure process as outlined conflicted with the process under Section 3014 of the Affordable Care Act.

Response: Section 1874(e)(4)(B)(ii)(I) provides for the use of standard measures such as the measures endorsed by the entity with a contract under section 1890(a) of the Act (currently NQF) and measures developed pursuant to section 931 of the Public Health Service Act. Section 1874(e)(4)(B)(ii)(II) provides for use of additional measures that are not approved by such entities. This latter category explicitly provides for the approval and use of non-NQF standards. Furthermore, section 3014 of the Affordable Care Act does not require the Secretary to use the recognized standards by the entity with a contract under section 1890(a) of the Act. It merely serves to provide recommendations on appropriate standards to consider.

Comment: Several commenters questioned whether the requirement for qualified entities to cease using alternative measures within six months of an equivalent standard measure being endorsed was reasonable.

Response: We believe six months is a reasonable time period for qualified entities to transition to using newly endorsed standard measures equivalent to existing alternative measures or to submit scientific justification to file a request for alternative measure approval.

Comment: We received several comments on our definition of standard measures. While many commenters were supportive of our definition, one commenter suggested that we change our definition of standard measures to include measures endorsed by consensus-based entities other than the NQF. The commenter specifically mentioned the Patient Charter, a 2008 agreement among consumer, purchaser, provider and insurer groups on principles to guide performance reporting. Other commenters asked if all NQF-endorsed measures were standard measures. One commenter asked that standard measures be limited to true outcome measures in order to measure the effectiveness of care.

Response: We appreciate the suggestion to include measures endorsed by consensus-based entities other than the NQF and have changed our definition of standard measures to include such measures. Specifically, we will now include as a standard measure any measure calculated in full or in part from claims data that is endorsed by a consensus-based entity, provided that the consensus-based entity has been approved as such by CMS. Rather than defining consensus-based entities in advance, CMS will approve organizations as consensus-based entities on an as-needed basis.

To receive approval as a consensus-based entity, an organization will need to submit information to CMS documenting their processes for stakeholder consultation and measure approval. Such documentation must show that the entity has a prescribed process for vetting and approving measures that includes representation from all types of stakeholders relevant to the topic being measured. The description of the approval process must be publicly available and the stakeholder consultation must be open to any that are interested in participating. Additionally, organizations will only receive approval as a consensus-based entity if all measure specifications are publicly available. Consensus-based entities will receive approval for a time period of three years and their endorsed measures will be made available to all qualified entities. CMS will also make a list of approved consensus-based entities available publicly. After three years, organizations will simply have to resubmit documentation on their processes for stakeholder consultation and measure approval again, noting any changes from their original submission.

Regarding the request that we add a requirement that standard measures be “outcome measures,” which we understand to mean measures that evaluate final results, such as mortality rates, we feel that imposing this requirement would substantially reduce the number of available standard measures. Additionally, while we agree that outcome measures may be better indicators of the effectiveness of care, we feel process measures will also offer the public, as well as providers and suppliers, important information on performance. Therefore, we have not incorporated this suggestion.

Comment: One commenter suggested that the rule should permit the use of composite measures.

Response: We believe that composite measures can be calculated and reported under the revised alternative measure process we established in this final rule.

Comment: One commenter suggested that the rule should permit qualified entities to withdraw measures prior to public reporting if the measure results turn out to be unreliable.

Response: We appreciate this suggestion; however, the statute requires public reporting of all measures. Specifically, Section 1874(e)(4)(C)(iv) requires the reports be made available to the public, while allowing for confidential review by providers and suppliers. We note that this does not prohibit commentary on the measure and results in the report. We hope that qualified entities will take the requirement of public reporting into consideration when determining which measures should be calculated under this program. We recognize that there may be errors in measure calculation and believe that the confidential reporting and appeals process will help qualified entities discover and correct any errors in the calculation of measures.

Comment: We received a variety of comments on measurement methodologies. Several commenters suggested that CMS should be more prescriptive regarding the types of attribution, risk adjustment, and benchmarking methods qualified entities should employ and that methodology descriptions should be standardized across payers and qualified entities. Commenters were also concerned about payment standardization as it relates to efficiency and resource use measures. Payment standardization is viewed as an important methodological approach to normalize comparisons of resource use across providers and suppliers. Several commenters also stressed the need for accurate attribution and risk adjustment in general. One commenter asked if methodologies employed by the qualified entity could change during the three-year agreement period. One commenter urged CMS to require qualified entities to submit to CMS a specific description of how it will handle outlier providers and ensure that a report of a provider's or supplier's performance is accurately adjusted as appropriate to reflect characteristics of the patient population.

Response: The statute does not require CMS to be prescriptive in this regard. Consistent with the statute, the proposed rule would require qualified entities to submit to the Secretary a description of methodologies that the qualified entity proposes to use to evaluate the performance of providers and suppliers. The proposed rule would also require qualified entities to include an understandable description of their attribution, risk adjustment, and benchmarking methods so that report recipients can properly assess such reports. We agree with commenters that payment standardization is an important aspect of measurement methodologies, and agree that payment standardization methodologies should be included where appropriate. Therefore, we have added a requirement that qualified entities include information on payment standardization when appropriate.

Additionally, we feel that performance measurement is evolving, and that clear standards for attribution, risk adjustment, and benchmarking have not yet emerged, and therefore it would be inappropriate for CMS to preemptively determine such standards. We are confident that as qualified entities and the performance measurement environment mature over the coming years, methodologies will begin to coalesce around clearly defined standards. As discussed above, qualified entities can change methodologies during the three-year agreement period provided they give appropriate notice to CMS and receive CMS' approval. Regarding outliers, we feel that this issue will be adequately addressed in the requirements at § 401.707(b)(5)(ii) for a qualified entity to provide details on methodologies it intends to use in creating reports with respect to benchmarking performance data, including methods for creating peer groups, justification of minimum sample size determinations, and methods for handling statistical outliers, to both CMS and users of the reports.

Comment: One commenter asked about the release of the details of proprietary methodologies and proprietary measure specifications to CMS.

Response: While we understand the concerns about releasing methodologies for proprietary measures, we believe that the goal of this program is to increase transparency. As discussed above in section II.A.3., we are not requiring qualified entities to submit measure specifications for standard measures because, thus far, all specifications for these measures are available to the public. However, we believe that, in order for CMS to evaluate a qualified entity's proposed plan for calculating measures, disclosure of proprietary measure methodologies and proprietary specifications for alternative measures to CMS as part of the application process is warranted. The Trade Secrets Act (18 U.S.C. 1905) bars CMS from re-disclosing proprietary information unless it is authorized to do so by law. Any disclosure to CMS regarding measurement methodologies or specifications will generally not be made public by CMS. As a result, we feel it is appropriate to require the disclosure of detailed methodologies and specifications for alternative measures to CMS as part of the application.

Additionally, qualified entities will be required to disclose proprietary measure methodologies to providers and suppliers as a part of the confidential review process. We believe it is essential for providers and suppliers to understand exactly how the measure is calculated in order to review their results. To protect proprietary methodologies, a qualified entity may choose to limit further disclosure of proprietary measure methodologies, perhaps by requiring a provider or supplier to execute a non-disclosure agreement as a condition of that disclosure; however, the qualified entity must share the proprietary measure methodologies with the provider or supplier regardless of whether they are willing to execute a non-disclosure agreement. If a qualified entity does not wish to share proprietary measure methodologies with both CMS and providers or suppliers, it should not seek approval to use those measures in the qualified entity program.

Comment: One commenter suggested that all proposed measures, both standard and alternative, be open for public review by providers and suppliers prior to approval.

Response: We do not feel that this requirement is necessary. Standard measures as currently defined have already been subject to multi-stakeholder input and approval either through the entity with a contract under section 1890(a) of the Act (currently NQF) or through public comment via notice and comment rulemaking in the case of CMS measures. Also, any measures developed by a consensus-based entity will have gone through some form of stakeholder consultation. Thus far, there have been no measures developed pursuant to section 931 of the Public Health Service Act; however, section 931 requires consultation with stakeholders during the quality measure development process. Further, both of the alternative measure processes include requirements regarding stakeholder input.

Comment: Several commenters urged CMS to provide a comprehensive list of the standard and alternative measures that qualified entities may use.

Response: We plan to release a list of standard measures to potential qualified entity applicants prior to the start of the program. We would like to note, however, that this list will be dynamic since the entity with the contract under section 1890(a) of the Act (currently NQF) is continually reviewing measures for endorsement and CMS is continually undergoing rulemaking to add measures to our programs. Additionally, as new consensus-based entities are approved by CMS, additional standard measures will be available for use by qualified entities. We will also release a list of approved alternative measures once alternative measures are approved. Qualified entities are encouraged to check these lists frequently to ensure they have the most accurate information regarding acceptable measures.

2. Reports and Reporting

Section 1874(e)(4)(C)(ii) of the Act requires qualified entities to make their draft reports available in a confidential manner to providers and suppliers identified in the reports before such reports are released publicly in order to offer them an opportunity to review these reports, and, if appropriate, appeal to request correction of any errors. After reports have been shared confidentially with providers and suppliers, and there has been an opportunity to have any errors corrected, Section 1874(e)(4)(C)(iv) of the Act requires the reports to be made available to the public.

As stated in the statute at Section 1874(e)(4)(C)(i) of the Act, the reports must include “an understandable description” of the measures, rationale for use, methodology (including risk-adjustment and physician attribution methods), data specifications and limitations, and sponsors. We interpreted “an understandable description” to mean any descriptions that can be easily read and understood by a lay person. Additionally, the reports to the public may only include data on providers or suppliers at the provider or supplier level with no claim or patient-level information to ensure beneficiary privacy.

We proposed requiring qualified entities to submit prototype reports for both the reports they would send to providers and suppliers, and the reports they would release to the public (if they are different) in their application, including the narrative language they plan to use in the reports to describe the data and results.

Comment: We received several comments about the reporting process generally. One commenter asked that qualified entities be required to report less frequently than once per year, as proposed. Other commenters asked that qualified entities be required to report more frequently than once per year. Yet other commenters expressed concern about public reporting and asked that no measurement data be publicly reported at all.

Response: The statute, at section 1874(e)(4)(C)(iv), requires qualified entity reports to be made available to the public after they are made available to providers and suppliers for review and requests for corrections. We have no discretion to allow qualified entities to produce reports for confidential use only. While the statute does not mention any specific frequency of public reporting, we believe that once per year is an appropriate requirement. Requiring public reporting once per year strikes a balance between reporting frequently enough that the information is actionable for consumers, and not reporting so frequently that providers and suppliers constantly have to confidentially review reports. However, we note that reporting once per year is the minimum requirement. A qualified entity may choose to report more frequently than once per year, as long as it is still able to meet the requirement of allowing providers and suppliers the opportunity to review and request error correction.

Comment: Commenters raised questions about the possibility of providers and suppliers receiving multiple reports, which may potentially contain contradictory or confusing performance measure results. Some commenters requested that CMS standardize the report formats among qualified entities to make them easier to interpret, and others simply asked CMS to clarify how we will address this issue.

Response: As discussed in the proposed rule and above, we do not intend to limit the number of qualified entities accepted for participation into this program, and therefore, it is possible that there will be more than one qualified entity working in the same geographic area. While we are requiring qualified entities to submit prototype reports for CMS approval before use, we do not intend to standardize the reports. We believe this program is intended to supplement measurement activity already ongoing at the community level, and excessive CMS involvement will erode the relationships qualified entities either already have, or will develop, with providers and suppliers. This is precisely why providers and suppliers are afforded the opportunity to review their reports and work through any issues directly with the qualified entity, and not with CMS.

Comment: We received several comments regarding the provider or supplier's role in the reporting process. One commenter stated that providers and suppliers should be allowed to petition CMS to require qualified entities to modify report formats. Another commenter requested that qualified entities should be required to include providers' or suppliers' comments in the public reports. And finally, one commenter requested that qualified entities be required to be capable of allowing providers and suppliers to download reports electronically.

Response: As stated in the proposed rule, and discussed elsewhere in this final rule, CMS' direct role in this program is relatively limited, and includes only the functions necessary for reviewing applications from qualified entities and providing standardized data extracts to those entities that meet the requirements, as well as describing the program to the public. We believe these comments about issues related to how the qualified entities publicly report data are outside the scope of CMS' statutory authority under section 1874(e). Therefore, providers and suppliers will not be allowed to petition CMS to change the reports, and a qualified entity will decide itself whether to post comments in a public report or make its reports available for download in an electronic format.

Comment: One commenter noted that the proposed rule could be interpreted as requiring qualified entities to do all reporting at the individual physician level. Another commenter noted that, in terms of performance measurement, specialty hospitals need to be accounted for differently.

Response: The statute does not specify the level at which reports are to be generated (that is, individual physician, physician group, integrated delivery system, etc.), nor does it specify the types of providers and suppliers to be measured. A qualified entity may choose to which providers and/or suppliers it will apply measures, and in so doing, for which entities its reports will be generated. Reporting may be at any level for which the measures can be used, but reports must be devoid of patient identifiers to protect the identity of the beneficiaries.

Comment: One commenter requested that CMS require qualified entities to license or otherwise make available quality measures to other entities that have the ability to publish performance measurement information.

Response: As stated above, these regulations will generally not place any added limitations on what is otherwise feasible under applicable law (such as copyright law). Qualified entities cannot, however, charge providers or suppliers for the confidential pre-publication reports, and they must make reports available to the public free of charge in accordance with section 1874(e)(4)(c)(iv).

C. Data Extraction and Dissemination

Section 1874(e)(3) of the Act requires the Secretary to provide qualified entities with standardized extracts of claims data from Medicare parts A, B, and D for one or more specified geographic areas and time periods. For Medicare parts A and B, we proposed that these data extracts would include information from all seven claim types that are submitted for payment in the Medicare Fee-For-Service Program, including both institutional and non-institutional claims. Institutional claim types include inpatient hospital, outpatient hospital, skilled nursing facility, home health, and hospice services, whereas non-institutional claim types include physician/supplier and durable medical equipment claims. Medicare institutional and non-institutional claims include, but are not limited to, the following data elements: Beneficiary ID, claim ID, the start and end dates of service, the provider or supplier ID, the principal procedure and diagnosis codes, the attending physician, other physicians, and the claim payment type.

We proposed that qualified entities would also receive certain Part D information for beneficiaries enrolled in the Medicare Fee-For-Service Program. The Part D information is known as “drug event” information, as opposed to “claims” information, because prescription drug coverage under Part D is provided by private insurance plans or “Part D plan sponsors.” Part D plans are responsible for paying a claim for benefits at the pharmacy. The Part D plan then submits a Prescription Drug Event record or “PDE” to CMS. The key data elements in the Part D prescription drug event database include: Beneficiary ID, prescriber ID, drug service date, drug product service ID, quantity dispensed, days' supply, gross drug cost, brand name, generic name, and drug strength. CMS will also include an indication if the drug is on the formulary of the Part D plan.

In order to allow qualified entities to link Medicare claims for an individual beneficiary, with appropriate security and privacy protections, we proposed that all claims files would contain a unique encrypted beneficiary identification (ID) number, rather than the actual beneficiary Medicare Health Insurance Claim Number (HICN).

Comment: We received several comments regarding data extract structure. A number of commenters requested clarification on how the data linkage across data sets will be accomplished. Several comments asked how qualified entities would identify the provider or supplier associated with a claim. One commenter expressed concern that no accurate or acceptable physician contact data base or directory is currently available on a nationwide level. An additional comment asked if CMS plans to make changes to the data in the CMS database if a qualified entity, provider, or supplier determines there is an error in the Medicare claims data.

Response: CMS understands the importance of linking beneficiaries across Medicare data sets in a way that is secure and protects beneficiaries' privacy. All claims files provided to qualified entities will contain a unique encrypted beneficiary identification number that will allow a qualified entity to link claims for an individual beneficiary across all Medicare claim types and across all years. That is, a unique encrypted beneficiary ID number will be assigned to an individual beneficiary and will remain the same for that individual beneficiary across Medicare claim types and years. This encrypted beneficiary ID is unique to the qualified entity program and will be included on each file the qualified entity receives. With appropriate security and privacy protections, these files will also contain beneficiary date of birth, race, and gender, important elements for calculating performance measures.

Additionally, to allow qualified entities to identify the provider or supplier associated with a claim, the files will contain the actual provider or supplier ID or, where required by law, the National Provider Identifier (NPI). Although in HIPAA standard transactions the NPI must be used in lieu of other provider numbers, CMS will also make the Unique Physician Identification Number (UPIN) associated with the claim available to qualified entities. CMS maintains both a publicly available query-only database and a publicly available downloadable file that links the NPI to other information on a provider such as the provider name and mailing address. We believe that this national-level database and downloadable file will allow qualified entities to identify the provider or supplier associated with the claim. Furthermore, given the eligibility requirements described above in Section II.A.1.a., we expect approved qualified entities to have experience in accurately identifying a provider or supplier across multiple data sources.

As to reporting suspected issues with CMS data, CMS currently has a process in place for reporting, tracking, and resolving potential errors or issues identified in CMS data. Once approved, each qualified entity will receive guidance and training in this area.

Comment: Several commenters raised concerns about some of the data elements we proposed to release. A number of commenters expressed concern on the release of drug cost information in the Part D data, as well as the release of Part D plan identifiers. Additionally, a handful of commenters suggested that private physician financial information contained in the Part B data is protected from disclosure under the Privacy Act.

Response: CMS is aware of the concerns and restrictions on releasing certain Part D drug cost information. Given these concerns, in the files provided to qualified entities, CMS will release the Total Drug Cost element, which is derived from the sum of four elements: Ingredient Cost, Dispensing Fee, Vaccine Administration Fee, and Total Amount Attributable to Sales Tax. However, to protect the Part D plans' proprietary cost information, these individual component costs will not be released. We believe the aggregation of cost information will help to ensure that the most confidential information—the separate amounts paid by Part D sponsors for ingredient cost or dispensing fee—will not be released. This approach is also consistent with the treatment of these data under the regulations governing the use and disclosure of Part D data for non-payment related purposes. See 73 FR 30,664, 30669 (May 28, 2008). Furthermore, the Part D data will not identify individual Part D plans, but will include an encrypted plan ID number. We believe this encryption will afford further protection for Part D drug cost information.

While certain physician payment information contained in the Part B claims data is protected from disclosure to the general public by court injunctions entered in Florida Medical Association, Inc. v. Department of Health, Education & Welfare, 479 F. Supp. 1291 (M.D. Fla. 1979), and American Ass'n of Councils of Medical Staffs of Private Hospitals, Inc. v. Health Care Financing Administration, No. 78-1373 (E.D. La 1980), that protection is specific to disclosures under the Freedom of Information Act (FOIA) exception to the Privacy Act at 5 U.S.C. 552a(b)(2). Disclosures made under the qualified entity program under section 1874(e) of the Act are not FOIA-based disclosures. Rather, they are “routine use” disclosures from the National Claims History (NCH)—System No. 09-70-0558, Medicare Drug Data Processing System (DDPS)—System No. 09-70-0553, Medicare Integrated Data Repository (IDR)—System No. 09-70-0571, and Chronic Condition Data Repository (CCDR)—System No. 09-70-0573 systems of records under the Privacy Act and these implementing regulations. As such, they are not subject to the injunction.

Comment: We received a variety of comments on technical assistance for qualified entities. Several commenters asked that CMS provide technical assistance, but not include it in the fee charged for the data. Other commenters suggested that technical assistance would not be needed.

Response: We plan to provide qualified entities with the option to request technical assistance. Since we are removing all program management costs from the fee we will charge qualified entities, see discussion below at II.C.3., we do not plan to charge for these services.

1. Number of Years of Data

CMS proposed to provide qualified entities with the most recent three calendar years of Medicare final action data available at the time the qualified entity is approved for participation in the program.

Comment: Comments from both potential qualified entities and provider groups raised concerns about the timeliness of the data. Commenters generally requested that CMS release data on a quarterly basis or a rolling 12 month basis, with no more than a quarterly time lag. One commenter suggested that CMS only provide qualified entities with two calendar years of data because performance information regarding care provided in 2008 is too outdated to be relevant for providers or consumers.

Response: We agree with commenters, so we are modifying what we proposed to make more timely data available to qualified entities. CMS will provide qualified entities with the most recent available historical data, which, for qualified entities approved at the beginning of the program, we expect would include data for CY2009, CY2010, and the first two quarters of 2011. Then, we would provide quarterly data updates on a rolling basis.

2. Geographic Areas

CMS proposed to provide qualified entities with standardized data extracts for either a single geographic area or multiple regions, and to limit the provision of Medicare data to the geographic spread of the qualified entity's other claims data. In the proposed rule, we sought comment on releasing nationwide extracts of Medicare data.

Comment: Several commenters requested that CMS release nationwide Medicare claims data. Some expected to conduct a nationwide performance review program, but many were interested in calculating national benchmarks. Commenters expressed the view that national Medicare benchmarks would foster greater consumer and provider understanding of local measure results.

Response: For entities interested in conducting a nationwide performance review program, we are unsure about the ability of any one entity to assemble a sufficient amount of data nationally to justify a nationwide release of Medicare data. If a qualified entity can demonstrate it has a sufficient amount of data nationwide, however, CMS will provide a 100% national extract.

We agree that nationwide data may assist qualified entities in benchmarking their results. As a result, qualified entities will be allowed to request a 5% national sample of Medicare claims for the purposes of calculating national benchmarks. The 5% national sample of claims will not include a crosswalk to beneficiary names and Health Insurance Claim Numbers, discussed below in Section D.1, only the encrypted beneficiary ID to allow linking across Medicare claims data for measure calculation purposes. Qualified entities should provide a justification of needing a 5% national sample with their request. We will include a requirement in the Data Use Agreement (DUA, discussed in more detail below) prohibiting qualified entities from re-identifying claims included in the national sample they receive. Additionally, as these files are already in existence because they are used for other purposes, we anticipate that the cost of making this data available will be nominal.

Comment: We received several comments on how CMS would determine which claims apply to a certain geographic region. We also received comments requesting that CMS not limit the provision of Medicare data to the geographic spread of the qualified entity's other claims data.

Response: We will release claims based on the location of the beneficiary residence, not the location of the provider or supplier rendering the services. This will mean the qualified entity might not receive all of the Medicare claims for a given provider or supplier.

While we recognize the desire to calculate performance measures for areas outside the geographic spread of the qualified entity's other claims data, we believe the intent of the statute is for qualified entities to combine other claims data from an area with Medicare claims data for that same area to produce robust and actionable performance measures for providers, suppliers, and consumers.

3. Cost To Obtain Data

Section 1874(e)(4)(A) of the Act requires qualified entities to pay a fee for obtaining the data that is equal to the cost of making such data available. In the proposed rule CMS interpreted the cost of making the data available to include two parts: (1) The cost of running the qualified entity program, including costs for processing applications, monitoring qualified entities, and providing technical assistance, and (2) the cost of creating a data set specific to each qualified entity's requested geographic area and securely transmitting the data set to the qualified entity. We estimated that the approximate cost to provide data for 2.5 million beneficiaries to a qualified entity would be $200,000. Approximately $75,000 of the $200,000 is the cost of the claims data and approximately $125,000 is the cost of making the data available. We proposed that data costs would vary depending on the amount of data requested.

Comment: Many commenters stated that CMS was being too broad in our interpretation of the statutory requirement to charge qualified entities for the cost of making the data available. Commenters suggested that CMS only charge qualified entities for the cost of generating the data, and not the cost of running the program. The comments also noted that high cost would be a barrier to entry for non-profit organizations and states.

Response: CMS concurs that there are public interests at stake that justify narrowing the scope of what constitutes the cost of making this data available. As such, we will drop the program management portion of the costs from what is included in the data fee we will charge qualified entities. We have also worked to identify several efficiencies in data preparation and distribution that will significantly reduce our initial estimates for data costs. Our initial estimates were based on the fee we charge researchers for similar data. However, because all qualified entities will receive a standardized extract of the Medicare data, we will not need to address each request for data on an individual basis as we do with researchers, thereby significantly reducing the cost of making the data available, particularly the costs of encrypting the data.

We estimate that the total approximate costs to provide data for 2.5 million beneficiaries to qualified entities would be $40,000 in the first year of the program. We estimate that the cost to provide ten quarters (CY 2009, CY 2010, and Q1-Q2 CY2011) of data when the qualified entity is first approved would be $24,000. Thereafter, in 2012 qualified entities would get 2 additional quarterly updates covering the remainder of CY 2011, each for a fee of $8,000, bringing the total cost of data for the first year of the program to $40,000. After the first year, qualified entities would get quarterly updates, each for a fee of $8,000, bringing the total cost to a qualified entity for subsequent years of the program to $32,000. It is important to note that all estimates of data costs are currently predicated on an estimate of 25 qualified entities, so if fewer than 25 qualified entities are approved, data costs per qualified entity will be higher, and conversely, if more than 25 are approved, the costs will be lower. Additionally, data costs for qualified entities will vary depending on the amount of Medicare claims data the qualified entity requests (for example, more than one State, or a nationwide extract). CMS also reserves the right to revise the cost of the data if unanticipated expenses are determined in the future.

D. Data Security and Privacy

The subpart created by these regulations will create a new program that provides for the release of Medicare beneficiary level data, with appropriate privacy and security protections. We recognize that many qualified entities will have had many years of experience using claims data to produce performance reports on providers and suppliers. Additionally, many qualified entities will have received data from private health plans through agreements that will require that the qualified entities observe certain security and privacy standards. We also recognize that new organizations or combinations of organizations may want to serve as qualified entities to produce performance reports. While CMS is committed to ensuring the success of qualified entities in combining Medicare data with claims data from other sources to create comprehensive performance reports for providers and suppliers, CMS is also committed to ensuring that the beneficiary-level data provided to qualified entities is subject to stringent security and privacy standards throughout all phases of the performance measure calculation, confidential reporting, appeal, and public reporting processes.

In 2008, we published a regulation to permit Part D prescription drug event data to be used for program monitoring, research, public health, care coordination, quality improvement, population of personal health records, and other purposes. See 73 FR 30664. We intend to ensure that the release of Part D prescription drug event data under this program complies with the requirements in the Part D data regulation, including the minimum necessary data policy, and that qualified entities take the necessary steps to ensure that any prescription drug event data released to providers and suppliers as part of the review, appeal, and error correction process are also safeguarded to ensure the privacy and security of beneficiary information.

Comment: Commenters were generally supportive of our intent to ensure the privacy and security of Medicare data under this program. A few commenters made specific suggestions regarding data privacy in general. One commenter suggested we clarify the interaction of this program and its data privacy and security requirements with State data privacy laws and specifically requested that CMS promulgate regulations that would preempt State law.

Response: On the issue of the interaction of this program with State laws, we believe the issuance of universally applicable privacy regulations that would preempt State laws is outside the scope of the qualified entity program. Qualified entities will need to abide by applicable state laws in addition to the requirements in this subpart.

1. Privacy and Security Requirements for Qualified Entities

We proposed to require that qualified entities have in place security protections for all data released by CMS, and any derivative files, including any Medicare claims data and any beneficiary identifiable data.

We proposed that in order to be eligible to apply to receive Medicare data as a qualified entity, the applicant must demonstrate its capabilities to establish, maintain, and monitor a rigorous data privacy and security program, including ensuring compliance with submitted plans related to the privacy and security of data. Additionally, we proposed a requirement that the applicant submit to CMS a description of its rigorous data privacy and security policies including enforcement mechanisms. As part of their applications, qualified entities will also have to explain how they would ensure that only the minimum necessary beneficiary identifiable data would be disclosed to the provider or supplier in the event of a request by a provider or supplier in the context of a confidential review of a report, and how data would be securely transmitted to the provider or supplier.

Comment: Commenters were generally supportive of requiring that qualified entities have rigorous data privacy and security protocols in place. Several commenters recommended that CMS require qualified entities to impose the same data and security requirements on the qualified entity's non-Medicare claims data as we require on the Medicare claims data. One commenter suggested CMS require qualified entities and other non-covered entities (that is, the small fraction of providers who do not submit claims electronically, and are therefore not subject to HIPAA) to enter into business associate agreements with CMS, pursuant to HIPAA.

Response: We agree that the integrity of performance measurement depends on the integrity of the data, and CMS intends to take very seriously its role in ensuring qualified entities use Medicare data appropriately. However, we do not have the statutory authority to impose specific requirements on qualified entities with regard to the privacy and security of their non-Medicare claims data. It is our understanding that organizations will have executed contracts or other agreements with the entities from which they receive the non-Medicare claims data (for example, commercial insurance plans) that will contain the privacy and security requirements regarding that data. Similarly, we also cannot prescribe how or where a qualified entity stores its non-Medicare data.

We seek to clarify the interaction between this program and HIPAA. Some commenters thought that we could address the privacy and security concerns related to qualified entities and other entities that are not directly subject to HIPAA by making them CMS' business associates (BAs). BAs are persons who or entities that use or disclose individually identifiable health information in conducting functions or activities on behalf of a covered entity (see the definition of a BA at 45 CFR 160.103), but qualified entities and providers and suppliers subject to the qualified entity program cannot serve as BAs because they are not doing their work on behalf of CMS as part of the Medicare program. CMS is merely providing data to qualified entities in accordance with the mandate in the Affordable Care Act, and, as such, its disclosure of protected health information is permitted by the HIPAA Privacy Rule as “required by law” (45 CFR 164.512(a)). That said, we believe our thorough evaluation of applicant qualified entities, the requirement to sign a Data Use Agreement (DUA), and subjecting the qualified entities to ongoing monitoring will be sufficient to ensure that qualified entities are appropriately using the Medicare data, as well as appropriately disclosing the Medicare data to providers and suppliers who request it.

We proposed to require each approved qualified entity sign a DUA, which requires a level and scope of security that is not less than the level and scope of security requirements established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III—Security of Federal Automated Information Systems (http://www.whitehouse.gov/omb/circulars/a130/a130.html) as well as Federal Information Processing Standard 200 entitled “Minimum Security Requirements for Federal Information Systems” (http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf); and Special Publication 800-53 “Recommended Security Controls for Federal Information Systems” (http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf).

Comment: Commenters were in support of requiring qualified entities to sign a DUA with CMS. One commenter suggested we ensure the DUA is appropriate for this program, since the DUA cited in the proposed rule was the current DUA used for research purposes. Another commenter suggested CMS impose civil and criminal penalties on any qualified entity that causes a data privacy breach or violation. In addition, one commenter requested that we discuss how a qualified entity's existing DUAs might interact with this program.

Response: We believe the requirement for each qualified entity to sign a DUA will ensure a high level of privacy and security of the Medicare data given to qualified entities. Because we have clarified that qualified entities do not need to be composed of a single legal entity, but may contract with other entities to achieve the ability to meet the eligibility criteria, we also clarify that both the lead entity as well as its contractors that are anticipated to use Medicare claims data or beneficiary identifiable data are required to sign the DUA. As discussed in the proposed rule, the DUA cited in the proposed rule is the current research DUA. We intend to use the addendum feature provided for in paragraph 12 of the document to address the specific needs of the qualified entity program. With regard to the comment suggesting imposition of civil and criminal penalties, we point out that the DUA currently does, and will continue to have, enforcement mechanisms including criminal penalties. CMS intends to make use of these provisions in the event of a breach or violation. We do not have the statutory authority to impose penalties beyond those already listed in the DUA. Finally, we note that DUAs are specific to a particular data disclosure from CMS to a data recipient. Any existing DUAs a qualified entity may have in place will only affect the data received under those DUAs. The qualified entity program DUA will govern qualified entity program Medicare data.

Comment: We received some comments containing suggestions for requirements CMS should impose on qualified entities with regard to internal qualified entity operations. These suggestions included requiring that qualified entities limit the number of staff with access to identifiable information, and that qualified entities store Medicare data separately from other claims data.

Response: The DUA, discussed above, contains provisions regarding access to and storage of CMS data. The DUA requires the qualified entity to limit access to the identifiable Medicare data to the minimum number of individuals required to create the performance reports. The DUA also requires the qualified entity to specify the site where the data is to be stored and to grant CMS access to the site to confirm compliance with the DUA. Additionally, as stated in the preamble to the proposed rule, we believe the entities that will be successful applicants to this program are entities that are experienced in handling sensitive information and will have the appropriate internal protocols and procedures in place.

We also sought public comment on the appropriateness of accepting some form of independent accreditation or certification of compliance with data privacy and security requirements from qualified entities, and what that accreditation or certification might entail. The accreditation or certification would need to be at a level and scope of security that is not less than the level and scope of security requirements described above.

Comment: We received no comments on this proposal.

Response: Since we received no comments, we will not require qualified entities to have any kind of accreditation or certification separate from CMS' process in reviewing the application and requiring a signed DUA.

We proposed that all the Medicare claims data provided to qualified entities would contain a unique encrypted beneficiary identification number, which would enable the qualified entities to link all Medicare claims for an individual beneficiary without knowing the identity (that is, name or Medicare Health Insurance Claim Number) of the beneficiary. We did not propose to send patient names with the claims data that would be initially disclosed to qualified entities. However, we recognized the need for beneficiary names to facilitate provider and supplier appeals.

In the proposed rule, we considered three potential options for sharing beneficiary identifiers with qualified entities, and by extension, providers and suppliers. Under the first option, all qualified entities would be provided with a crosswalk file, with appropriate privacy and security protections, linking all encrypted beneficiary identifiers to the patients' names for their Medicare data. This would provide the qualified entity with identifiable data, but qualified entities would be permitted to give to a provider or supplier only the names of the beneficiaries included in that requester's performance report. Under the second option, CMS would only provide beneficiary names to qualified entities on a transactional basis for the purposes of responding to specific requests for data by providers and suppliers. Each request for beneficiary names would be addressed on a case-by-case basis through the forwarding of each data request by the qualified entity to CMS. CMS would then allow the qualified entity access to the beneficiary names for the specific data request. Under the third option, a provider or supplier who wishes to receive beneficiary names would request the encrypted claims data from the qualified entity as permitted under the statute. Then, the provider or supplier would submit a request to CMS for the beneficiary names for those specific claims and CMS would share the beneficiary names directly with the provider or supplier. Under the third option, the qualified entity would never have access to the beneficiary names.

Comment: Comments were mixed between favoring the first option and the second option. Very few commenters supported the third option. As discussed above in Section II.B.1., some commenters were interested in using measures that incorporate clinical data. A number of these commenters noted that the information contained in the crosswalk under option one (beneficiary names) would be necessary to their being able to link claims data to clinical data. Several commenters also noted that they would need an additional identifier, like the Medicare Health Insurance Claim Number (HICN), if they were to ensure the accurate linkage. Among other things, they asserted that the inclusion of multiple identifiers would ensure that they could differentiate amongst individuals with similar or identical names. Additionally, several commenters noted that, in instances in which an individual moved from coverage under one plan (for example, a private plan) to coverage under another (for example, Medicare), they would need patient identifiers in order to track the care provided to a patient over time. These commenters also supported the first option since it would allow qualified entities to match an individual's claims from other sources with their Medicare claims data. Commenters also supported the first option because it would allow qualified entities to quickly respond to requests for the data from providers and suppliers, and argued that the first option would be the least burdensome for qualified entities.

One commenter suggested we phase in release of beneficiary-identifiable information: in the first year, qualified entities would receive the full crosswalk so they can easily respond to the anticipated high volume of requests from providers and suppliers, but in later years, after recipients are more familiar with the reports, beneficiary-identifiable information would only be released on a transactional basis. Still other commenters supported the second option because they felt it offered an appropriate balance between ensuring beneficiary privacy and allowing qualified entities to respond to specific provider or supplier requests for beneficiary names.

Response: In response to the insights offered by the comments, we plan to implement a modified version of the first option. While we had thought that “If one approaches this issue purely from the point of view of the ability of qualified entities to engage in measure calculation and reporting, beneficiary identifiable data is not required” (76 FR 33574), it is clear from the comments noted above that beneficiary identifiable data, with appropriate privacy and security protections, is required if clinical data is to be used or if a qualified entity needs to link an individual's claims records across plans as they move over time from plan to plan.

For example, a qualified entity could have private plan data for a patient who was enrolled in a private health plan in 2009 and early 2010, but then in May 2010 enrolled in Medicare. To accurately calculate measures, the qualified entity may need to be able to match the private payer claims data that covers 2009 and January to April of 2010 for the patient with the Medicare claims data that covers May 2010 forward for the same patient. The beneficiary name alone would not be sufficient to match patients between claims data sources because of the high likelihood of duplicative names or naming variations in the data. To accurately match claims data from multiple sources, the patient social security number would be ideal. However, Medicare claims contain the Medicare HICN, which for many beneficiaries is the beneficiary's social security number plus a letter. In most cases the HICN will allow qualified entities to differentiate between individuals, and may allow for accurately matching claims data between sources in those instances in which it does include the beneficiary's own social security number. We acknowledge that there are cases where the HICN does not include the beneficiary's social security number, for example, for beneficiaries who qualify for Medicare through their spouse. In these cases, the beneficiary name will be the best available identifier to use to match records from multiple sources, but even if the HICN cannot be used to match claims data between sources, it will still be needed to differentiate individuals with similar names or naming variations.

In light of the overwhelming support for the release of a crosswalk file in the comments, the likelihood that entities will need the identifiers to combine clinical data or link claims records across plans over time, the need for the identifiers to conduct the provider and supplier review and appeal process, and the considerable costs that would be entailed in building a case-by-case inquiry capability for qualified entities, we will amend our proposal and adopt the policy of automatically releasing a crosswalk file with appropriate privacy and security protections linking the encrypted ID to both the beneficiary name and the beneficiary Medicare HICN to all qualified entities. This constitutes a modified version of option one.

We expect that our rigorous eligibility requirements, the requirement that the lead entity, as well as any contractors who use the data, sign a DUA, and comprehensive monitoring process will ensure that any data shared with qualified entities are kept in a manner that will not compromise beneficiary privacy. As noted above, an applicant must have strict data privacy and security protocols in place to be eligible to serve as a qualified entity. Furthermore, the DUA contains a requirement that the qualified entity establish the “appropriate administrative, technical, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to it” and does not allow the data to be physically moved, transmitted, or disclosed without written approval from CMS. The DUA also allows CMS or the Office of the Inspector General to access the site where the data is stored to confirm compliance with required security standards. The DUA requires the qualified entity to limit access to the data to the minimum amount of data and minimum number of individuals necessary to achieve the purposes of the qualified entity program. In the event that CMS determines or has a reasonable belief that unauthorized uses, reuses, or disclosures of the data may have taken place, the DUA allows CMS, among other things, to require the destruction of all data files and to refuse to release further CMS data to the qualified entity for any period of time. As noted above, the DUA also contains criminal penalties, including fines and imprisonment, for unauthorized disclosures of the data. The comprehensive qualified entity monitoring program is discussed in more detail below in section II.F. and includes CMS audits of qualified entities' use of the data, site visits, and analysis of beneficiary and/or provider complaints among other things.

As a result of the decision to release a crosswalk with appropriate privacy and security protections to all qualified entities, qualified entities will already be in possession of patients' names and HICNs at the time providers and suppliers are reviewing draft reports and making correction requests. We will ensure that the qualified entity program DUA (discussed above) provides for qualified entities releasing names only upon request by providers and suppliers when that information is relevant to their review and requests for correction.

We recognize that some may question why we are retaining our plan to include an encrypted beneficiary identifier in the claims data if every qualified entity will receive the crosswalk. We have two reasons to separate the claims data from the beneficiary names and HICNs. First, shipping the claims data separate from the crosswalk file adds an additional level of security while the data is in transit. Second, we believe that qualified entities may want to limit access to the crosswalk file to ensure the utmost privacy and security of this data and having two separate files will make this much easier.

It is also worth noting that CMS does not ship claims data without first encrypting the data. Unlike encrypting an individual data element, this process involves cryptographically scrambling the data so that it cannot be correctly re-assembled (that is, deciphered) unless the receiving party has the correct key. This protects the data while it is in transit.

We hope that through implementing this modified version of option one with appropriate privacy and security protections, qualified entities will be able to link clinical data to claims data and match claims data from other sources to Medicare claims data for the same patient. Additionally, implementing a modified version of option one allows qualified entities to quickly respond to requests from providers or suppliers for beneficiary identifiers during the report review and correction request process.

2. Privacy and Security Requirements of Data Released to Providers and Suppliers

Section 1874(e)(4)(B)(v) of the Act requires qualified entities to make the Medicare claims data they receive available to providers and suppliers upon their request. We do not interpret this requirement to mean that providers or suppliers could receive all Medicare claims data for a given patient or patients. Rather, we proposed to require qualified entities to provide, with appropriate privacy and security protections, only the claims relevant to the particular measure or measure results being appealed. Therefore, for example, a provider or supplier requesting claims data in relation to a diabetes quality measure would only receive the claims related to the calculation of that quality measure. We realize this may result in providers or suppliers receiving data related to claims submitted by another provider or supplier. We solicited comment on any privacy or security issues related to release of data to providers or suppliers.

Comment: We received several comments concerning the privacy and security of the data released to providers and suppliers. One commenter suggested we clarify exactly what data can be requested from the qualified entity. And, as stated above, comments included the suggestion that CMS require non-covered entities (that is, the small fraction of providers who do not submit claims electronically, and are therefore not subject to HIPAA) to enter into business associate agreements with CMS, pursuant to HIPAA.

Response: Regarding the request for clarification about what data can be released, we stated in the preamble to the proposed rule (at 76 FR 33577), that we believe that for many providers and suppliers, the beneficiary name may be of more practical use in determining the accuracy of the measure results than the underlying claims used to calculate the measures. However, the statute does explicitly acknowledge that upon request qualified entities would need to share with providers or suppliers “data made available under this subsection.” We would like to reiterate that we do not interpret this provision to mean that providers or suppliers could receive all Medicare claims data for a given patient or patients. Rather, we interpret this to mean that, at the request of providers or suppliers, qualified entities will provide only claims and/or beneficiary names relevant to the particular measure or measure results that the provider or supplier is appealing.

Since we made a technical change in the regulation text and removed the reference to section 1874(e) from the definition of a qualified entity (as noted above in Section II.A.1.), we have added the requirement that qualified entities release Medicare claims to providers and suppliers to the regulation text. We have added a requirement in § 401.717(c) that qualified entities, at the request of a provider or supplier and with appropriate privacy and security protections, release the Medicare claims and/or beneficiary names to the provider or supplier, but we require qualified entities to only release those claims and/or beneficiary names relevant to the measure or measure results being appealed.

As stated above, we acknowledge that the providers and suppliers who request data may or may not be covered entities under HIPAA. Also, as noted above, a BA is limited to a person or an entity using or disclosing individually identifiable health information on behalf of a HIPAA covered entity. The qualified entity and providers and suppliers in the qualified entity program are not going to be doing anything on behalf of CMS or the Medicare program. They therefore cannot be BAs of CMS by virtue of the qualified entity program.

3. Beneficiary Privacy and Security

Following provision of the performance reports on a confidential basis to providers or suppliers, qualified entities are required to make performance information public. In accordance with the statute, we proposed to require that qualified entities ensure that all publicly available reports do not contain beneficiary identifiable information. Additionally, we proposed to prohibit qualified entities from disclosing information in their publicly available reports that there is a reasonable basis to believe can be used in combination with other publicly available information to re-identify individual patients.

Comment: One commenter suggested we allow beneficiaries to opt-out of having their data released under this program.

Response: We do not have the statutory authority to permit beneficiaries to opt out of this program. However, we also note that the intent of this program is to increase transparency and promote innovation in measure development which we believe will contribute significantly to improving beneficiary care in the long run. As mentioned above, we also believe the final rule contains appropriate beneficiary privacy protections and penalties for any misuse of the data by qualified entities.

E. Confidential Opportunities To Review, Appeal, and Correct Errors

One important aspect of this program is ensuring that providers and suppliers are afforded an opportunity to correct errors in the reporting of their performance metrics. To meet the requirements in the statute related to appeal and error correction, we proposed to require applicants to include a plan for their report review, appeals, and error correction process in their application. This plan would contain several elements, including the means for sharing results confidentially and the means by which a provider or supplier can request and receive Medicare claims data. We proposed that qualified entities would need to confidentially share measure results with providers and suppliers at least 30 days prior to making the reports public. We also proposed that qualified entities must inform providers and suppliers that the report would be made public on a certain date (at least 30 days after confidentially sharing the measure results), regardless of the status of error correction.

Comment: We received several comments on the overall review, appeals, and error correction process. Some commenters asked CMS to standardize the process across qualified entities. On the other hand, one commenter argued that if CMS both approves and audits the claims and the qualified entity process for creating the reports, review by providers and suppliers is unnecessary. Another commenter asked CMS to require qualified entities to automatically provide the beneficiary names to providers and suppliers. Several commenters asked CMS to require qualified entities to announce publicly on a Web site supported by HHS or in notifications to major organizations that represent providers and suppliers that have been evaluated by the qualified entity, the availability of reports for confidential review. Finally, several commenters suggested allowing qualified entities to require that a provider or supplier document and authenticate their identity and, if requesting data, their legal right to see the data, as well as provide a secure communication process for transmission of requested information.

Response: We believe an important aspect of the qualified entity program is innovation, not only in the development of measures, but also in the process for sharing measure results with physicians, as well as the process for responding to requests for data and for error correction. To reiterate, this is not a Medicare quality measurement program—we are merely a data source for those who meet the requirements laid out in this subpart. Qualified entities design their programs within the statutory and regulatory limits, including crafting their own confidential review, appeals, and error correction processes. This will result in innovations that will improve the way providers and suppliers receive reports and interact with the qualified entity. The statute is clear in the requirement that qualified entities develop a confidential review, appeals, and error correction process, so we do not agree that this is an unnecessary part of the qualified entity program. Furthermore, while we understand the interest in obtaining beneficiary names automatically, protecting the privacy and security of beneficiary identifiable information is required by the statute, as well as being of the utmost importance to CMS. We feel that releasing beneficiary names only at the request of a provider or supplier and only for the measure or measure results being appealed strikes the appropriate balance between protecting beneficiary privacy and allowing providers and suppliers the opportunity to provide input on their reports.

The statute requires that qualified entities make reports available to providers and suppliers prior to the public release of reports. Since each provider or supplier will confidentially receive any report where they are identified, we see no need for qualified entities to announce publicly the availability of reports. Additionally, we acknowledge the importance of ensuring the data is securely transmitted to the correct provider or supplier. However, we believe that it is the responsibility of the qualified entity to ensure that the data is delivered using a secure method to the appropriate provider or supplier and require applicants to describe their means of confidentially sharing reports with providers and suppliers as part of their application.

Comment: Many commenters argued that the proposed time period between providers and suppliers confidentially receiving reports and the qualified entity publicly reporting results is too short. Commenters suggested a time period of 60 or 90 days.

Response: We recognize, in light of the comments, that our proposal may not have allowed providers and suppliers an appropriate amount of time to review their confidential reports. However, we also recognize the importance of ensuring that report results are released to the public in a timely manner. Therefore, qualified entities must share measures, measurement methodology, and measure results with providers and suppliers at least 60 calendar days prior to making the measure results public. Beginning on the date on which the qualified entity sends the confidential reports to a provider or supplier, that provider and supplier will have a minimum of 60 calendar days to review the reports, make a request for the data, review the data, and, if necessary, make a request for error correction. Qualified entities also must inform providers and suppliers of the date the reports would be made public at least 60 calendar days before making the reports public. Additionally, the qualified entity must publicly release reports on the specified date regardless of the status of any requests for error correction. We recognize that this process allows providers and suppliers to make a request for the data or a request for error correction up to the point the reports are made public; however, we believe that it is up to the qualified entity and provider or supplier to manage the timing of this process to ensure that they have adequate time to request the data and, if necessary, request error correction(s).

Comment: We received several comments on our proposal that qualified entities publish reports on a certain date, regardless of the status of requests for appeals or error correction. Several commenters requested that CMS not allow qualified entities to publish measure results until the request for error correction is resolved. Other commenters recommended that we create a two-step track where if a request cannot be resolved between the qualified entity and a provider or supplier, the request is elevated to CMS for a final decision. Furthermore, some commenters wanted CMS to require qualified entities to publish provider or supplier comments in the report if a request is not resolved at the time of report publication. One commenter requested that CMS allow providers or suppliers to publicly defend themselves if reports are published prior to resolving error correction requests. We also received a comment suggesting CMS allow providers or suppliers to appeal after reports are made public. Finally, one commenter asked CMS to ensure that qualified entities have the appropriate amount of staff to respond to appeals.

Response: We acknowledge the interest of providers and suppliers in ensuring that any measure results reported publicly are correct. However, as we mentioned in the proposed rule, we included this requirement to prevent providers or suppliers from making spurious requests for error correction to prevent the publication of measure results. We will maintain our requirement that qualified entities publicly report measure results on the date specified to the provider or supplier when the report is sent for review (at least 60 days after the date on which the confidential reports are sent to a provider or supplier), regardless of the status of a request for error correction. We hope that by extending the amount of time between confidentially sharing reports with providers and suppliers and publicly reporting results to at least 60 calendar days, we are allowing both providers and suppliers ample opportunity to resolve the appeals process. If an appeal request is still outstanding at the time of public reporting, we will maintain the requirement that qualified entities post publicly the name and category of the appeal request for providers or suppliers with outstanding requests for error correction, if feasible, but do not believe that qualified entities should be required to publicly post comments from providers or suppliers.

Additionally, since this program does not involve CMS contracting with qualified entities to carry out a quality measurement program on behalf of CMS, we do not believe it is appropriate for CMS to become involved in the appeals and error correction process or to offer a public forum for providers or suppliers to defend themselves. We recognize the concern about ensuring that a qualified entity has the appropriate staff to respond to requests for error correction. However, we are certain that the rigorous application process will guarantee that only qualified organizations receive Medicare claims data. Additionally, we will be monitoring qualified entities to determine if they are promptly responding to requests for data and requests for error correction.

In the proposed rule, we acknowledged that CMS does not have the statutory authority to require qualified entities to share their claims data from other sources. We encouraged qualified entities to share this data with providers or suppliers upon request.

Comment: We received multiple comments asking CMS to require qualified entities to release their non-Medicare claims data to providers or suppliers upon request. Some commenters requested that CMS only approve entities who agreed to release their other claims data.

Response: We do not have the statutory authority to require qualified entities to release their non-Medicare data. We hope that qualified entities will choose to do so whenever it is legally permitted, but are aware that their ability to release other claims data is partially dependent on the terms of the arrangement the qualified entity has with the entity from whom they received the data.

Comment: Commenters suggested we implement 2012 as a “test year” for the program and allow qualified entities to only produce confidential performance reports without any public reporting.

Response: We do not have the statutory authority to implement a “test year” for this program. The statutory effective date of this provision is January 1, 2012, and all requirements under the law are applicable on that date.

F. Monitoring, Oversight, Sanctioning, and Termination

To ensure that qualified entities adhere to the highest standards, we proposed a monitoring program that would assess compliance with the requirements of the program and assess sanctions or termination as deemed appropriate by CMS. We proposed that CMS, or one of its designated contractors, would periodically audit (including site visits) qualified entities for their use of the Medicare data to ensure that the data is only being used for its intended purpose. We also proposed to monitor the amount of claims data from other sources the qualified entity is using in the production of performance reports using documentation produced by the qualified entity or, at the discretion of CMS, site visits. Additionally, we proposed to use analysis of beneficiary and/or provider complaints to monitor and assess the performance of qualified entities. We also proposed to require qualified entities to submit an annual report covering program adherence (for example, number of claims, market share, number of measures) and engagement of providers and suppliers (for example, requests for data, number of corrections, time to respond to requests for appeal or error correction). Finally, we proposed requiring qualified entities to submit to CMS information regarding any inappropriate disclosures or uses of beneficiary identifiable data pursuant to the requirements in the DUA.

Comment: We received many comments supporting our monitoring program. Some commenters specifically supported the requirement that qualified entities submit a report covering the engagement of providers and suppliers. One commenter asked CMS to ensure that there is appropriate funding for CMS to conduct the necessary qualified entity monitoring activities.

Response: We would like to reiterate our commitment to ensuring the successful implementation of this program and that all qualified entities adhere to the highest standards, which includes ensuring that we have the necessary funding to support a monitoring program.

Comment: Some commenters made suggestions about specific aspects of the monitoring plan. One commenter suggested that qualified entities only submit reports on program adherence and engagement of providers and suppliers once every two years. Additionally, several commenters requested CMS not include site visits as a part of monitoring because it is too burdensome.

Response: We plan to maintain our proposed monitoring process and note that, in the cases where a qualified entity is composed of a lead entity and contractors, contractors will also be subject to CMS monitoring. We believe that annual reports and site visits are essential to allow CMS to best monitor the program and to both maximize the appropriate use of Medicare data for the production of performance reports and minimize the risk of inappropriate disclosure of beneficiary information.

We proposed that a qualified entity must immediately inform CMS if its amount of claims data from other sources decreases. We also proposed to require that the qualified entity provide documentation that the remaining non-Medicare claims data is still sufficient to address methodological concerns regarding sample size and reliability expressed by stakeholders regarding the calculation of performance measures from a single source. As reflected at § 401.706(c) of the proposed rule, the qualified entity would no longer be able to issue a report, use a measure, or share a report after the amount of claims data from other sources decreases until CMS made an assessment as to the sufficiency of the remaining data. If CMS determined that the qualified entity's remaining claims data was not sufficient, we proposed that the qualified entity would have 60 days to acquire new data and submit new documentation to CMS. The qualified entity would not be able to use Medicare data to issue reports, use measures, share measures, or share a report during this time. If after re-submission of documentation, CMS determined the qualified entity still did not possess adequate data, we proposed to terminate the relationship with the qualified entity. If after resubmission of documentation, CMS determined that the qualified entity did possess sufficient data, we proposed the qualified entity could resume all measurement and reporting activities.

Comment: Commenters requested two changes to our proposed process for addressing a decrease in the amount of other claims data. First, several commenters suggested that qualified entities only be required to stop measurement and reporting if the decrease in other claims data is significant. Second, commenters requested more time for qualified entities to acquire new data.

Response: While we recognize the interest in continuing measurement efforts during this review process, we believe it is important for CMS to make the determination as to whether the remaining claims data is adequate to address the methodological concerns regarding sample size and reliability expressed by stakeholders regarding calculation of performance measures from a single payer source. To ensure that the decrease does not materially affect the validity of measure results, we will maintain our proposal to require qualified entities to stop all activities while CMS reviews the documentation related to the decrease in other claims data; after the amount of claims data from other sources decreases, the qualified entity would no longer be able to create a report, use a measure, or share a report (either confidentially or publicly) using Medicare data until CMS determines either that the remaining claims data is sufficient, or that the qualified entity has collected adequate additional data to address any deficiencies. That said, we recognize the request to extend the amount of time a qualified entity has to acquire new data, so we will extend this timeframe to 120 days.

We also proposed that if a qualified entity is not adhering to the requirements of the program, CMS may take several enforcement actions, such as providing a warning notice, requesting a corrective action plan, placing an entity on a special monitoring plan, or terminating the qualified entity. These enforcement actions are in addition to the actions CMS may take if a qualified entity violates the DUA, as discussed in more detail above in section II.D.1. The choice of enforcement action would depend on the seriousness of the deficiency. Any time a qualified entity is voluntarily or involuntarily terminated, we proposed requiring the destruction or return of Medicare data within 30 days.

Comment: We received some comments stating that the proposed penalties are not strict enough. Additionally, one commenter requested that CMS provide for termination for inaccurate reporting or for failing to make timely corrections upon providers' or suppliers' request.

Response: We are limited by the statute in the penalties we can impose on qualified entities who do not comply with the requirements of the program. We note, however, that CMS does have additional enforcement capabilities for violations of the DUA, including criminal penalties. As CMS will require the lead entity, as well as any contractors who have access to the Medicare claims data or beneficiary identifiable data, to sign the DUA before CMS releases any data, these penalties will apply to all organizations with access to the Medicare data.

While CMS reserves the right to terminate a qualified entity for inaccurate reporting, we believe that there are degrees of seriousness in inaccurate reporting, and some situations may not warrant termination, particularly if the inaccuracy was unintentional, CMS was promptly notified, and the inaccuracy was promptly resolved. We will therefore maintain our proposal to base our actions on the seriousness of the deficiency.

Comment: Several commenters requested clarification on how long qualified entities would be able to keep the Medicare data that they receive under this program. One commenter suggested placing an outer limit on retention of files.

Response: After carefully considering the beneficiary privacy and security implications of our policy, we do not believe that qualified entities must destroy or return Medicare data (including crosswalks) provided under the qualified entity program unless they voluntarily leave or are involuntarily terminated from the program. Qualified entities will need to retain the Medicare data, with appropriate privacy and security protections, in order to trend measure results over time or to calculate measures that require a number of years of data for measure calculation. We understand that this will mean that qualified entities will also retain beneficiary identifiable data (including that found in the crosswalks), but we believe that this information will also be necessary to calculate measures that require a number of years of claims data. We feel it is important to note that a beneficiary's encrypted identifier will not change from year to year, so unless a beneficiary dies or moves out of the geographic region, the qualified entity will continue to need the crosswalk linking the encrypted ID to the beneficiary HICN and name to carry out the activities outlined above in our crosswalk discussion. We have carefully considered the beneficiary privacy and security implications of our policy, and note that the DUA remains in effect so long as the qualified entity participates in the program. Furthermore, the monitoring requirements described herein, as well as the requirement that qualified entities reapply every three years as described below in section II.G., should assist in ensuring that this data remains secure and private. We would like to reiterate, however, that once an entity voluntarily leaves or is involuntarily terminated from the program it must destroy or return all CMS data provided under this subsection within 30 days.

G. Qualified Entity Application Content

We proposed to develop an application process for organizations interested in becoming qualified entities in which they would provide certain specified information. We proposed applications and related materials would be collected and reviewed once a year, at the close of the first quarter of the calendar year. We proposed approval periods of three years, followed by an opportunity to reapply.

Comment: We received comments containing suggestions for how CMS could improve the application content and process. Specifically, one commenter suggested using a standard electronic application. Additionally, a commenter suggested that CMS accept applications on a rolling basis. Another commenter preferred that CMS not require re-application after three years.

Response: CMS appreciates and acknowledges the benefits of accepting qualified entity applications on a rolling basis instead of once annually. This would allow organizations to apply to be a qualified entity as soon as they believe they meet all the eligibility requirements, instead of requiring the organization to wait a year until the next application cycle. We are therefore changing to a rolling application process. We will also use an electronic application.

While we understand the burdens that re-application will impose, we also need to ensure that Medicare data are being used appropriately and handled securely. While we believe the monitoring program described above will help ensure qualified entities continue to meet the requirements of the program, the application process covers significantly more aspects of an organization's continuing ability to serve as a qualified entity. Therefore, CMS believes that requiring re-application every three years balances the burden on qualified entities with the need to ensure Medicare data is being handled appropriately.

H. Other Comments

We received several additional suggestions for improvements to the program regarding topics that were not specifically discussed in the preamble to the proposed rule.

Comment: A few commenters advised that CMS require knowledge sharing among qualified entities, rather than merely suggesting it.

Response: CMS agrees with commenters that performance improvement will occur most rapidly in an open collaborative environment where ideas and knowledge are shared freely and openly. CMS will strongly encourage and facilitate, where possible, collaborative knowledge sharing, but will not require it as a condition of program participation.

Comment: Several commenters expressed concern about CMS conducting performance analysis of providers and suppliers. Commenters also expressed concern about performance measurement generally, and had specific concerns about performance measurement based solely on claims data.

Response: This program is not a CMS measurement program and, therefore, CMS will not be conducting performance analysis of providers and suppliers in this program. Rather, qualified entities will combine Medicare claims data supplied by CMS with other claims data to calculate performance measures for providers and suppliers. We recognize commenters' concerns about the limitations of performance measurement based on claims data alone. Therefore, as discussed above in section II.B.1, we will allow qualified entities to use measures that incorporate clinical data, as long as the measure can be calculated in part from Medicare and other claims data.

Comment: Commenters suggested CMS should undertake a public education and outreach program to inform consumers about the qualified entity program and explain the limitations of provider and supplier performance measurement.

Response: We agree that CMS should inform consumers about the qualified entity program. We also believe it is essential for CMS to be transparent to beneficiaries and the general public about our plans for sharing identifiable information, with appropriate privacy and security protections, with qualified entities. CMS will publish educational materials on the CMS Web site regarding the qualified entity program, including a description of the beneficiary information that is being shared with qualified entities and an explanation of the privacy and security requirements, as well as the qualified entity monitoring program and termination policies.

We also hope that qualified entities will engage in public education and outreach in the communities where they serve. However, we are not requiring qualified entities to do public outreach beyond making the performance reports, with an understandable description of the measures, available to the public after confidential review by providers and suppliers.

Comment: One commenter requested that we clarify how performance measurement information will be published.

Response: The statute requires that qualified entities allow confidential review of the reports, that they be provided to the public, and that the reports contain understandable descriptions of the methodologies used. Qualified entities must receive approval of report formats before they can be published, but each qualified entity has the discretion to design reports and publish using the approved formats.

Comment: One commenter suggested that CMS make available the full data set at no charge to recognized provider organizations such as the American Medical Association and allow providers and suppliers to analyze their data there.

Response: The statute does not permit CMS to release the data to any entity other than those approved as qualified entities. However, as stated in the preamble to the proposed rule, we are not placing any restrictions on the types of organizations that can apply to be a qualified entity. If a recognized provider organization meets the eligibility criteria, it can become a qualified entity and receive Medicare data. Additionally, the statute does not permit CMS to release data at no charge. Section 1874(e)(4)(A) states that the data “shall be made available * * * at a fee equal to the cost of making such data available.” That said, as discussed in section II.C.3. above, we have revised our method for pricing this data and we believe the data will be significantly more affordable than originally proposed.

Comment: One commenter requested that CMS clarify that the data released to qualified entities will not be subject to discovery or admissible as evidence in judicial or administrative proceedings.

Response: The statute, at 1874(e)(4)(D), explicitly states, “[d]ata released to a qualified entity under this subsection shall not be subject to discovery or admission as evidence in judicial or administrative proceedings without consent of the applicable provider of services or supplier.” We acknowledge that we did not address this specific statement in the preamble to the proposed rule, but we believe this statement is self-implementing in that it requires no further explanation, and the data will not be subject to discovery or admission as evidence absent the described consent(s).

Comment: One commenter asked CMS to clarify that these regulations have no effect on any other programs in which Medicare claims data are released. A second commenter requested that we ensure the program can accommodate the transition to ICD-10.

Response: We clarify that this program will not have any effect on other CMS programs in which Medicare claims data are released. CMS is working to ensure that the transition to ICD-10 happens smoothly.

Comment: One commenter requested that CMS only allow measurement and rating of providers and suppliers in situations where CMS pays for the item or services.

Response: Medicare only pays claims for covered services and supplies; if a service or supply is not covered, a claim will not appear in the Medicare data. While a qualified entity could decide to produce a measurement report based solely on its other claims data, such reporting would be outside of the qualified entity program and the reports would be outside of the reach of these regulations.

III. Provisions of the Final Regulations

For the most part, this final rule incorporates the provisions of the proposed rule. Those provisions of this final rule that differ from the proposed rule are as follows:

  • We have made technical changes to the definition of a qualified entity, provider, and supplier to reflect regulatory interpretation of the statutory provisions cited in the proposed rule. We have also added a definition of claims data from other sources at § 401.703(h) and a definition of clinical data at § 401.703(i).
  • We clarify that qualified entities do not need to be a single organization. Applicants may contract with others to achieve the ability to meet the eligibility criteria. Specifically, at § 401.705(b) we allow entities to demonstrate expertise and experience through activities they have conducted directly or through (a) contract(s) with other public or private entities.
  • We changed our eligibility requirements at § 401.705(a)(1) to only require that entities demonstrate expertise in quality measurement and in the other three areas of measurement (efficiency, effectiveness, and resource use) to the extent that they propose to use such measures.
  • At § 401.705(a)(1)(ii) we clarify that we only expect applicants to submit a plan for a business model that is projected to cover the costs of performing the required functions. We realize that qualified entities may need to adapt this plan once they are approved and do not intend to limit an entity's ability to adapt or change its business plan once approved as a qualified entity.
  • We added language at § 401.705(a)(1)(vii) that would require qualified entities to also disclose any violations of applicable federal and State privacy and security laws and regulations for the preceding 10-year period, in addition to requiring qualified entities to disclose any inappropriate disclosures of beneficiary identifiable information for the preceding 10-year period. We also clarified that for those entities that have not been in existence for 10 years, we will require a breach history for the length of time the organization has been in existence.
  • We have revised the selection criteria to allow applicants to apply and receive a conditional acceptance as a qualified entity if they do not have adequate claims data from other sources at the time of their application, but meet all the other selection requirements.
  • Since standard measure specifications are available to the public at this time, we removed the requirement that qualified entities submit measure specifications for standard measures the qualified entity plans to calculate.
  • We clarified that these regulations do not place any added limitations on the qualified entity's ability to copyright the content of the publicly released reports. We noted, however, that the qualified entity must provide confidential reports to the subject providers and suppliers free of charge and must provide the final reports to the public free of charge in a manner consistent with the requirements in the qualified entity program statute.
  • At § 401.711(a) we allow qualified entities to change their list of proposed measures, proposed prototype report, and plans for sharing reports with the public with 30 days notice to CMS, instead of 90 days notice to CMS. We provide for a possible 30-day extension of the review period where necessary. If a CMS decision on approval or disapproval for a change or modification is not forthcoming within 30 days or CMS does not request an additional 30 days for review, the change or modification shall be deemed to be approved.
  • We will allow qualified entities to use standard and alternative measures calculated in full or in part from Medicare Parts A and B claims, and Part D prescription drug event data and claims from other sources. This means that qualified entities will be allowed to calculate measures that include clinical data. As noted above, we have added a definition of clinical data at § 401.703(i).
  • We have added measures endorsed by a CMS-approved consensus-based entity to the list of standard measures. CMS will approve organizations as consensus-based entities based on review of documentation of the consensus-based entity's measure approval process.
  • We have added a second process by which qualified entities may seek approval to use alternative measures. Organizations and individuals will still be able to submit alternative measures for approval through the notice and comment rulemaking process. However, at § 401.715(b)(1)(ii), we also allow an entity to submit measures for approval by the Secretary by submitting: (1) A description of the process by which the qualified entity notified stakeholders (defined as a valid cross representation of providers, suppliers, employers, payers, and consumers) in the geographic region the qualified entity serves of its intent to seek approval of an alternative measure; (2) a list of stakeholders from whom feedback was solicited, including the stakeholder names and each stakeholder's role in the community; (3) a description of the discussion about the proposed alternative measure, including a summary of all pertinent arguments for and against the measure; and (4) unless CMS has already approved the same measure for use by another qualified entity, an explanation backed by scientific evidence that demonstrates why the measure meets the requirements for alternative measures at Section 1874(e)(4)(B)(i)(II) of the Act. If a qualified entity is seeking to use an alternative measure that CMS has already approved for use by another qualified entity, the qualified entity submitting the measure for approval must submit any additional or new scientific evidence, if it is available. If a CMS decision on approval or disapproval of measures submitted via the process at 401.715(b)(1)(ii) is not forthcoming 60 days after the submission of the measure, the measure will be deemed approved. However, CMS retains the right, even after 60 days, to direct the qualified entity to stop using the measure if we subsequently find the measure does not meet the requirements at Section 1874(e)(4)(B)(i)(II) of the Act.
  • We have identified efficiencies that will reduce the cost of Medicare claims data under the qualified entity program, and we have altered the dates of data that will be made available through this program, thereby increasing the timeliness of that data.
  • We will allow qualified entities to purchase a 5 percent national sample of Medicare claims data for the purpose of calculating national benchmarks.
  • Using appropriate privacy and security protections, we will provide qualified entities (that sign the DUA and meet all the privacy and security requirements) with a crosswalk file linking encrypted beneficiary ID to the beneficiary name and beneficiary Health Insurance Claim Number.
  • At § 401.717(a), we extended the time period between a qualified entity sending a confidential report to a provider or supplier and public reporting of measure results to at least 60 calendar days.
  • We will allow qualified entities 120 days to acquire new data if the amount of other claims data they have decreases and CMS determines the remaining amount of other claims data is not sufficient.
  • We changed our application process and will accept applications on a rolling basis as discussed at § 401.709(a).

IV. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995, we are required to provide 30-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995 requires that we solicit comment on the following issues:

  • The need for the information collection and its usefulness in carrying out the proper functions of our agency.
  • The accuracy of our estimate of the information collection burden.
  • The quality, utility, and clarity of the information to be collected.
  • Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

We are soliciting public comment on each of these issues for the following sections of this document that contain information collection requirements (ICRs).

If finalized, these regulations would require an organization seeking to receive data as a qualified entity to submit an application. Specifically, an applicant must submit the information listed in §§ 401.705-401.709. The burden associated with this requirement is the time and effort necessary to gather, process, and submit the required information to CMS. We estimate that 35 organizations would submit applications to receive data as qualified entities. We further estimate that it would take each applicant 500 hours to gather, process and submit the required information. The total estimated burden associated with this requirement is 500 hours per applicant at an estimated cost of $795,641.

Section 401.713(a) states that as part of the application review and approval process, a qualified entity would be required to execute a Data Use Agreement (DUA) with CMS, that among other things, reaffirms the statutory bar on the use of Medicare data for purposes other than those referenced above. The burden associated with executing this DUA is currently approved under OMB control number 0938-0734.

Section 401.709(f) would require qualified entities in good standing to re-apply for qualified entity status 6 months before the end of their three-year approval period. We estimate that 25 entities would be required to comply with this requirement. We estimate that it would take 120 hours to reapply to CMS. The total estimated burden associated with this requirement is 120 hours at an estimated cost of $136,396.

Section 410.719(b) requires qualified entities to submit annual reports to CMS as part of CMS' ongoing monitoring of qualified entity activities. We estimate that the 25 entities in the program will be required to comply with this requirement. We estimate that it will take 150 hours to complete an annual monitoring report. The total estimated burden associated with this requirement is 150 hours at $170,475.

Table 1—Estimated Annual Recordkeeping and Reporting Burden

| Regulation section(s) | OMB control No. | Respondents | Responses | Burden per response (hours) | Total annual burden (hours) | Hourly labor cost of reporting ($) | Total labor cost of reporting ($) * | Total capital/maintenance costs ($) | Total cost ($) |
|---|---|---|---|---|---|---|---|---|---|
| § 401.705(a) | 0938-New | 35 | 35 | 500 | 17,500 | ** | 795,641 | 0 | 795,641 |
| § 401.709(f) | 0938-New | 25 | 25 | 120 | 3,000 | ** | 136,396 | 0 | 136,396 |
| § 401.719(b) | 0938-New | 25 | 25 | 150 | 3,750 | ** | 170,475 | 0 | 170,475 |
| Total | | 35 | 35 | | 24,250 | | | | 1,102,512 |

* Total labor cost assuming 92% of total hours are professional and technical and 8% are legal.
** Wage rates vary by level of staff involved in complying with the information collection request (ICR).

To obtain copies of the supporting statement and any related forms for the proposed paperwork collections referenced above, access CMS' Web site at http://www.cms.gov/PaperworkReductionActof1995/PRAL/list.asp#TopOfPage or email your request, including your address, phone number, OMB number, and CMS document identifier, to Paperwork@cms.hhs.gov, or call the Reports Clearance Office at 410-786-1326.

If you comment on these information collection and recordkeeping requirements, please submit your comments to the Office of Information and Regulatory Affairs, Office of Management and Budget,

Attention: CMS Desk Officer, CMS-5059-F.

Fax: (202) 395-6974; or

Email: OIRA_submission@omb.eop.gov.

V. Regulatory Impact Analysis

A. Response to Comments

We received several comments on the anticipated effects of the program.

Comment: Several commenters argued that the cost of the data is too high. As stated above, these commenters often recommended CMS remove the data application costs or provide a sliding scale fee for the data, charging non-profits and government organizations a lower fee.

Response: While we do not feel we were being too broad in our interpretation of the statute, we recognize commenters' concerns and, as discussed above, have removed the program management costs from the fee we will charge for the data. As further addressed above, we have also identified several efficiencies in the creation of the data files which will further lower the cost of the data. However, we would like to reiterate that these estimates are based on a qualified entity program with 25 approved qualified entities. The cost of the data will increase if fewer organizations are approved as qualified entities and decrease if more organizations are approved as qualified entities because the fixed costs of providing the data would be spread across the total number of qualified entities.

Comment: We received a handful of comments stating that the application process for qualified entities is too burdensome.

Response: As discussed above, we believe ensuring that organizations approved as qualified entities are experienced in performance measurement and reporting and have the necessary plans to serve as a qualified entity is essential for the success of the qualified entity program. Thus, we do not believe the application is too burdensome.

Comment: We received several comments on the impact on providers and suppliers. A number of commenters stated that the number of hours estimated for a provider or supplier to review performance reports or submit correction requests is too low. Many commenters also argued that the hourly wage rate for physicians' offices is too low. Finally, a number of comments suggested that providers and suppliers might hire contractors to help with reviewing draft reports and requesting corrections.

Response: While we understand that some providers and suppliers may spend many hours reviewing reports and submitting correction requests, we believe 5 hours reviewing reports is appropriate as an average. For example, some providers and suppliers will spend less than an hour reviewing their reports, but others may spend 10 hours. The same situation applies for error correction requests. Some providers and suppliers may only have concerns about one measure, and after seeing the data may realize that their concerns were unfounded. However, others may engage in a longer discourse with the qualified entity. On average, we believe that providers and suppliers will spend approximately 10 hours preparing and submitting error correction requests. We do recognize that some providers and suppliers may choose to hire contractors to assist in preparing and submitting a correction request and have added this to the impact on providers and suppliers discussed below.

Additionally, while we understand physicians' hourly wage exceeds $30.90, we believe physicians are not the only ones in their offices who will be reviewing the performance reports and submitting correction requests. Some of this work may be done by other physician office staff such as administrative staff, nurses, physician assistants, and case workers. Therefore, we believe our average hourly wage rate is appropriate to calculate the impact of this program on providers and suppliers. Changes described in our response are reflected in the remainder of the Regulatory Impact Analysis.

B. Overall Impact

We have examined the impacts of this rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19, 1980, 96), section 1102(b) of the Social Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 1995, Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C. 804(2)).

Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both cost and benefits, reducing costs, harmonizing rules, and promoting flexibility. A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). This final rule is not economically significant as measured by the $100 million threshold, and hence not a major rule under the Congressional Review Act. We estimate the total impact of this final rule to be approximately $86 million. We provided a detailed assessment of the impacts associated with this final rule, as noted below.

The RFA requires agencies to analyze options for regulatory relief of small businesses, if a rule has a significant impact on a substantial number of small entities. We estimate that two types of entities may be affected by the program established by section 1874(e) of the Act: Organizations that desire to operate as qualified entities and the providers and suppliers who receive performance reports from qualified entities. We anticipate that most providers and suppliers receiving qualified entities' performance reports would be hospitals and physicians. Many hospitals and most other health care providers and suppliers are small entities, either by being nonprofit organizations or by meeting the Small Business Administration definition of a small business (having revenues of less than $34.5 million in any 1 year) (for details, see the Small Business Administration's Web site at http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf (refer to the 620000 series)). For purposes of the RFA, physicians are considered small businesses if they generate revenues of $10 million or less based on Small Business Administration size standards. Approximately 95 percent of physicians are considered to be small entities. We estimate that most hospitals and most other providers are small entities as that term is used in the RFA (including small businesses, nonprofit organizations, and small governmental jurisdictions). However, because the total estimated impact would be spread over a number of providers and suppliers, no one entity would face a significant impact. Additionally, as CMS has reduced the cost of the data for qualified entities, we do not anticipate that this rule will have a significant impact on qualified entities. Therefore, the Secretary has determined this final rule would not have a significant impact on a substantial number of small entities. We have voluntarily provided an analysis of the estimated impacts on qualified entities and providers and suppliers below in section V.C., as well as alternatives considered in section V.D.

In addition, section 1102(b) of the Act requires us to prepare a regulatory impact analysis, if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. Any such regulatory impact analysis must conform to the provisions of section 604 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a metropolitan statistical area and has fewer than 100 beds. We do not believe this final rule has a significant impact on the operations of a substantial number of small rural hospitals because we anticipate that most qualified entities would focus their performance evaluation efforts on metropolitan areas where the majority of health services are provided. Therefore, the Secretary has determined that this final rule would not have a significant impact on the operations of a substantial number of small rural hospitals.

Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of $100 million in 1995 dollars, updated annually for inflation. In 2011, that threshold is approximately $136 million. This rule would not mandate any requirements for State, local, or tribal governments in the aggregate, or by the private sector, of $136 million. Specifically, as explained below we anticipate the total impact of this final rule on all parties to be approximately $86 million.

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. We have examined this final rule in accordance with Executive Order 13132 and have determined that this regulation would not have any substantial direct effect on State or local governments, preempt States, or otherwise have a Federalism implication.

C. Anticipated Effects

a. Impact on Qualified Entities

Because section 1874(e) of the Act establishes a new program, there is little quantitative information available to inform our estimates. However, we believe that many or most qualified entities are likely to resemble community quality collaborative programs such as participants in the CMS Better Quality Information for Medicare Beneficiaries pilot (https://www.cms.gov/BQI/) and the AHRQ Chartered Value Exchange (CVE) program (http://www.ahrq.gov/qual/value/lncveover.htm). Community quality collaboratives are community-based organizations of multiple stakeholders that work together to transform health care at the local level by promoting quality and efficiency of care, and by measuring and publishing quality information. Consequently, we have examined available information related to those programs to inform our assumptions, although there is only limited available data that is directly applicable to this analysis.

We estimate that 35 organizations would submit applications to participate as qualified entities. We anticipate that the majority of applicants would be nonprofit organizations such as existing community collaboratives. In estimating qualified entity impacts, we used hourly labor costs in several labor categories reported by the Bureau of Labor Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual rates for 2010, an update from the proposed rule where we used rates from 2009, and added 33 percent for overhead and fringe benefit costs. These rates are displayed in Table 2.

Table 2—Labor Rates for Qualified Entity Impact Estimates

| Labor category | 2010 hourly wage rate (BLS) | OH and fringe (33%) | Total hourly costs |
|---|---|---|---|
| Professional & technical services | $34.63 | $11.43 | $46.06 |
| Legal review | 35.98 | 11.87 | 47.85 |
| Custom computer programming | 40.50 | 13.37 | 53.87 |
| Data processing & hosting | 31.57 | 10.42 | 41.99 |
| Other information services | 33.55 | 11.07 | 44.62 |

We estimate that preparation of an application would require a total of 500 hours of effort, requiring a combination of staff in the professional and technical services and the legal labor categories.

We estimate that 25 of these applicants would be approved as participating qualified entities, and that each qualified entity would request Medicare claims data accompanied by payment for these data. Because of the eligibility criteria we are proposing for qualified entities, we believe that it is likely that all of these organizations would already be performing work related to calculation of quality measures and production of performance reports for health care providers and suppliers, so the impact of the program established by section 1874(e) of the Act would be an opportunity to add Medicare claims data to their existing function.

The statute directs that the fees for these data be equal to the government's cost to make the data available. We are proposing to initially provide ten quarters of data to qualified entities with quarterly updates thereafter. Based on CMS past experience providing Medicare data to research entities, we estimate that the total approximate costs to provide ten quarters (CY 2009, CY 2010, and Q1-Q2 CY2011) of data for 2.5 million beneficiaries to a qualified entity would be $24,000. Qualified entities would also get 2 quarterly updates, each for a fee of $8,000, during the year, bringing the total cost of data for the first year of the program to $40,000 as shown in Table 3.

We estimate that, on average, each qualified entity's activity to analyze the Medicare claims data, calculate performance measures and produce provider and supplier performance reports would require 5,500 hours of effort. We estimate that half of the qualified entities (13) would propose alternative performance measures, which would involve an additional 2,100 hours of effort for each entity.

We further estimate that, on average, each qualified entity would expend 5,000 hours of effort processing providers' and suppliers' appeals of their performance reports and producing revised reports, and 2,000 hours making information about the performance measures publicly available. These estimates assume that, as discussed below in the section on provider and supplier impacts, on average 25 percent of providers and suppliers would appeal their results from a qualified entity. These assumptions are based on a belief that in the first year of the program many providers or suppliers would want to appeal their results prior to performance reports being made available to the public. Responding to these appeals in an appropriate manner would require a significant investment of time on the part of qualified entities. This equates to an average of four hours per appeal for each qualified entity. We assume that the complexity of appeals would vary greatly, and as such, the time required to address them would also vary greatly. Many appeals may be able to be dealt with in an hour or less while some appeals may require multiple meetings between the qualified entity and the affected provider or supplier. On average however, we believe that this is a realistic and reasonable estimate of the burden of the appeals process on qualified entities. We discuss the burden of the appeals process on providers and suppliers below.

We anticipate that qualified entities would expend 2,000 hours of effort developing their proposed performance report. These estimated hours are separated into labor categories in Table 3 below, with the pertinent hourly labor rates and cost totals.

Finally, we estimate that each qualified entity would spend 255 hours of effort submitting information to CMS for monitoring purposes. This would include audits and site visits as discussed above. It would also include an annual report that contains measures of general program adherence, measures of the provider and suppliers data sharing, error correction, and appeals process, and measures of the success of the program with consumers. Finally, qualified entities would be required to notify CMS of inappropriate disclosures or use of beneficiary identifiable data pursuant to the requirements in the DUA. We believe that many of the required data elements in both the annual report and the report generated in response to an inappropriate disclosure or use of beneficiary identifiable data would be generated as a matter of course by the qualified entities and therefore, would not require significant additional effort. Based on the assumptions we have described, we estimate the total impact on qualified entities for the first year of the program to be a cost of $45,504,048.

Table 3—Impact on Qualified Entities for the First Year of the Program

| Activity | Hours: Professional and technical | Hours: Legal | Hours: Computer programming | Hours: Data processing and hosting | Labor hourly cost | Cost per applicant | Number of applicants | Total cost impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| APPLICATION COSTS | | | | | | | | |
| Preparation of application by candidate qualified entities | | | | | | | | |
| a. Prepare draft application | 360 | | | | $46.06 | $16,582 | | |
| b. Legal review | | 40 | | | 47.85 | 1,914 | | |
| c. Revisions to draft application | 60 | | | | 46.06 | 2,764 | | |
| d. Senior management review and signature | 40 | | | | 46.06 | 1,842 | | |
| Total: application preparation | 460 | 40 | | | | 23,102 | 35 | $808,556 |
| Medicare data purchase costs by approved qualified entities | | | | | | 40,000 | 25 | 1,000,000 |
| Total: Applications | | | | | | | | 1,808,556 |
| QE OPERATIONS COSTS | | | | | | | | |
| Database administration | | | | 500 | 41.99 | 20,995 | 25 | 524,875 |
| Data analysis/measure calculation/report preparation | | | 2500 | | 53.87 | 134,675 | 25 | 3,366,875 |
| | | | | 2500 | 41.99 | 104,975 | 25 | 2,624,375 |
| Development and submission of alternative measures | 1000 | | | | 46.06 | 46,060 | 13 | 598,780 |
| | | | 100 | | 53.87 | 5,387 | 13 | 70,031 |
| | | | | 1000 | 41.99 | 41,990 | 13 | 545,870 |
| Qualified entity processing of provider or supplier appeals and report revision | 4000 | | | | 46.06 | 184,240 | 25 | 4,606,000 |
| | | 1000 | | | 47.85 | 47,850 | 25 | 1,196,250 |
| Development of proposed performance report formats | 1000 | | | | 46.06 | 46,060 | 25 | 1,151,500 |
| | | | 1000 | | 53.87 | 53,870 | 25 | 1,346,750 |
| Publication of performance reports | | | 1000 | | 53.87 | 53,870 | 25 | 1,346,750 |
| | | | | 1000 | 41.99 | 41,990 | 25 | 1,049,750 |
| Monitoring | | | | 255 | 41.99 | 10,707 | 25 | 267,686 |
| Computer hardware and processing | | | | | | 1,000,000 | 25 | 25,000,000 |
| Total: Operations | | | | | | | | 43,695,492 |
| TOTAL QUALIFIED ENTITY IMPACTS (application plus operations) | | | | | | | | 45,504,048 |

b. Impact on Health Care Providers and Suppliers

Table 4 reflects the hourly labor rates used in our estimate of the impacts of the first year of section 1874(e) of the Act on health care providers and suppliers, as well as the professional and technical services of consultants. The rates in Table 4 are for 2010 and have been updated from the proposed rule where we used rates for 2009. We note that numerous health care payers, community quality collaboratives, States, and other organizations are producing performance measures for health care providers and suppliers using data from other sources, and that providers and suppliers are already receiving performance reports from these sources. We anticipate that the Medicare claims data would merely be added to those existing efforts to improve the statistical validity of the measure findings, and therefore the impact of including Medicare claims data in these existing performance reporting processes is likely to be marginal. Additionally, while we acknowledge that reviewing and appealing the reports will be a burden for providers and suppliers, we also note that there are many benefits of this program for providers and suppliers, as well as the Medicare program, consumers, and purchasers. As a result of this program, providers and suppliers will likely receive one report covering a majority of their patients, rather than a report from each payer. Furthermore, the transparency of performance results will help providers and suppliers improve quality and reduce costs.

Table 4—Labor Rates for Provider and Supplier Impact Estimates

| Labor category | 2010 hourly wage rate (BLS) | Overhead and fringe benefits (33%) | Total hourly costs |
| --- | --- | --- | --- |
| Physicians' offices | $32.24 | $10.64 | $42.88 |
| Hospitals | 27.42 | 9.05 | 36.47 |
| Professional and technical services | 34.63 | 11.43 | 46.06 |

We anticipate that the impacts on providers and suppliers consist of costs to review the performance reports generated by qualified entities and, if they choose, appeal their performance calculations. Based on a review of available information from the Better Quality Information and the Chartered Value Exchange programs, we estimate that, on average, each qualified entity would distribute performance reports to 5,000 health providers and suppliers. We anticipate that the largest proportion of providers and suppliers would be physicians because they comprise the largest group of providers and suppliers, and are a primary focus of many recent performance evaluation efforts. Based on our review of information from these existing programs, we assume that 95 percent of the recipients of performance reports (that is, an average of 4,750 per qualified entity) would be physicians, and 5 percent (that is, an average of 250 per qualified entity) would be hospitals and other suppliers. Providers and suppliers receive these reports with no obligation to review them, but we assume that most would do so to verify that their calculated performance measures reflect their actual patients and health events. We estimate that, on average, each provider or supplier would devote five hours to reviewing these reports. This average reflects that some providers and suppliers will spend less than half an hour reviewing reports, while others may spend 10 hours.

We estimate that 25 percent of the providers and suppliers would decide to appeal their performance calculations, and that preparing the appeal would involve an average of ten hours of effort on the part of a provider or supplier. We assume that 50 percent of the providers and suppliers who decide to appeal would hire consultants to assist with the appeals process. As with our assumptions regarding the level of effort required by qualified entities in operating the appeals process, we believe that this average covers a range of provider and supplier efforts from those who would need just one or two hours to clarify any questions or concerns regarding their performance reports to those who would devote significant time and resources to the appeals process.

Using the hourly costs displayed in Table 4, the impacts on providers and suppliers are calculated below in Table 5. Based on the assumptions we have described, we estimate the total impact on providers and suppliers for the first year of the program to be a cost of $40,458,400.

As stated above in Table 3, we estimate the total impact on qualified entities to be a cost of $45,504,048. Therefore, the total impact on qualified entities and on providers and suppliers for the first year of the program is estimated to be $85,962,448.

Table 5—Impact on Providers and Suppliers for the First Year of the Program

| Activity | Hours per provider | Labor hourly cost: Physician offices | Labor hourly cost: Hospitals | Labor hourly cost: Professional and technical | Cost per applicant | Number of providers per qualified entity | Number of qualified entities | Total cost impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Provider review of performance reports | 5 | $42.88 | | | $214 | 4,750 | 25 | $25,460,000 |
| | 5 | | 36.47 | | 182 | 250 | 25 | 1,139,688 |
| Preparing and submitting appeal request to qualified entities | 10 | 42.88 | | | 429 | 594 | 25 | 6,367,680 |
| | 10 | | 36.47 | | 365 | 31 | 25 | 282,643 |
| | 10 | | | 46.06 | 461 | 626 | 25 | 7,208,390 |
| Total provider impacts | | | | | | | | 40,458,400 |

D. Alternatives Considered

The statutory provisions that were added by section 1874(e) of the Act are detailed and prescriptive about the eligibility for, and requirements of the qualified entity program. Consequently, we believe there are limited alternative approaches that would ensure program success and statutory compliance. We considered proposing a less comprehensive set of eligibility criteria for qualified entities (for example, eliminating requirements that applicants demonstrate capabilities related to calculation of measures, developing performance reports, combining Medicare claims data with other claims, and data privacy and security protection). While such an approach might have reduced certain application and operating costs for these entities, we did not adopt such an approach for several reasons. An important consideration is the protection of beneficiary identifiable data. We believe if we do not require qualified entities to provide sufficient evidence of data privacy and security protection capabilities, there would be increased risks related to the protection of beneficiary identifiable data.

Additionally, we believe that requiring less stringent requirements regarding the production and reporting of measures would lead to increases in the number of provider and supplier appeals, and consequently in appeals-related costs for providers, suppliers and qualified entities. We expect that such a scenario would not support the development of a cooperative relationship between qualified entities and providers and suppliers.

E. Conclusion

As explained above, we estimate the total impact for the first year of the program on qualified entities, providers and suppliers to be a cost of $85,962,448. Based on these estimates, we conclude this final rule does not reach the threshold for economically significant effects and thus is not considered a major rule.

In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget.

List of Subjects in 42 CFR Part 401

For the reasons set forth in the preamble, the Centers for Medicare & Medicaid Services amends 42 CFR chapter IV as set forth below:


PART 401—GENERAL ADMINISTRATIVE REQUIREMENTS

1. The authority citation for part 401 is revised to read as follows:

Authority:

Secs. 1102, 1871, and 1874(e) of the Social Security Act (42 U.S.C. 1302, 1395hh, and 1395w-5).

2. A new subpart G is added to part 401 to read as follows:

Subpart G—Availability of Medicare Data for Performance Measurement

§ 401.701 Purpose and scope.

The regulations in this subpart implement section 1874(e) of the Social Security Act as it applies to Medicare data made available to qualified entities for the evaluation of the performance of providers and suppliers.

§ 401.703 Definitions.

For purposes of this subpart:

(a) Qualified entity means either a single public or private entity, or a lead entity and its contractors, that meets the following requirements:

(1) Is qualified, as determined by the Secretary, to use claims data to evaluate the performance of providers and suppliers on measures of quality, efficiency, effectiveness, and resource use.

(2) Agrees to meet the requirements described in this subpart at §§ 401.705 through 401.721.

(b) Provider of services (referred to as a provider) has the same meaning as the term “provider” in § 400.202 of this chapter.

(c) Supplier has the same meaning as the term “supplier” at § 400.202 of this chapter.

(d) Claim means an itemized billing statement from a provider or supplier that, except in the context of Part D prescription drug event data, requests payment for a list of services and supplies that were furnished to a Medicare beneficiary in the Medicare fee-for-service context, or to a participant in other insurance or entitlement program contexts. In the Medicare program, claims files are available for each institutional (inpatient, outpatient, skilled nursing facility, hospice, or home health agency) and non-institutional (physician and durable medical equipment providers and suppliers) claim type as well as Medicare Part D Prescription Drug Event (PDE) data.

(e) Standardized data extract is a subset of Medicare claims data that the Secretary would make available to qualified entities under this subpart.

(f) Beneficiary identifiable data is any data that contains the beneficiary's name, Medicare Health Insurance Claim Number (HICN), or any other direct identifying factors, including, but not limited to postal address or telephone number.

(g) Encrypted data is any data that does not contain the beneficiary's name or any other direct identifying factors, but does include a unique CMS-assigned beneficiary identifier that allows for the linking of claims without divulging any direct identifier of the beneficiary.

(h) Claims data from other sources means provider- or supplier-identifiable claims data that an applicant or qualified entity has full data usage right to due to its own operations or disclosures from providers, suppliers, private payers, multi-payer databases, or other sources.

(i) Clinical data is registry data, chart-abstracted data, laboratory results, electronic health record information, or other information relating to the care or services furnished to patients that is not included in administrative claims data, but is available in electronic form.

§ 401.705 Eligibility criteria for qualified entities.

(a) Eligibility criteria: To be eligible to apply to receive data as a qualified entity under this subpart, an applicant generally must demonstrate expertise and sustained experience, defined as 3 or more years, in the following three areas, as applicable and appropriate to the proposed use:

(1) Organizational and governance criteria, including:

(i) Expertise in the areas of measurement that they propose to use in accurately calculating quality, and efficiency, effectiveness, or resource use measures from claims data, including the following:

(A) Identifying an appropriate method to attribute a particular patient's services to specific providers and suppliers.

(B) Ensuring the use of approaches to ensure statistical validity such as a minimum number of observations or minimum denominator for each measure.

(C) Using methods for risk-adjustment to account for variations in both case-mix and severity among providers and suppliers.

(D) Identifying methods for handling outliers.

(E) Correcting measurement errors and assessing measure reliability.

(F) Identifying appropriate peer groups of providers and suppliers for meaningful comparisons.

(ii) A plan for a business model that is projected to cover the costs of performing the required functions, including the fee for the data.

(iii) Successfully combining claims data from different payers to calculate performance reports.

(iv) Designing, and continuously improving the format of performance reports on providers and suppliers.

(v) Preparing an understandable description of the measures used to evaluate the performance of providers and suppliers so that consumers, providers and suppliers, health plans, researchers, and other stakeholders can assess performance reports.

(vi) Implementing and maintaining a process for providers and suppliers identified in a report to review the report prior to publication and providing a timely response to provider and supplier inquiries regarding requests for data, error correction, and appeals.

(vii) Establishing, maintaining, and monitoring a rigorous data privacy and security program, including disclosing to CMS any inappropriate disclosures of beneficiary identifiable information, violations of applicable federal and State privacy and security laws and regulations for the preceding 10-year period (or, if the applicant has not been in existence for 10 years, the length of time the applicant has been an organization), and any corrective actions taken to address the issues.

(viii) Accurately preparing performance reports on providers and suppliers and making performance report information available to the public in aggregate form, that is, at the provider or supplier level.

(2) Expertise in combining Medicare claims data with claims data from other sources, including demonstrating to the Secretary's satisfaction that the claims data from other sources that it intends to combine with the Medicare data received under this subpart address the methodological concerns regarding sample size and reliability that have been expressed by stakeholders regarding the calculation of performance measures from a single payer source.

(3) Expertise in establishing, documenting and implementing rigorous data privacy and security policies including enforcement mechanisms.

(b) Source of expertise and experience: An applicant may demonstrate expertise and experience in any or all of the areas described in paragraph (a) of this section through one of the following:

(1) Activities it has conducted directly through its own staff.

(2) Contracts with other entities if the applicant is the lead entity and includes documentation in its application of the contractual arrangements that exist between it and any other entity whose expertise and experience is relied upon in submitting the application.

§ 401.707 Operating and governance requirements for qualified entities.

A qualified entity must meet the following operating and governance requirements:

(a) Submit to CMS a list of all measures it intends to calculate and report, the geographic areas it intends to serve, and the methods of creating and disseminating reports. This list must include the following information, as applicable and appropriate to the proposed use:

(1) Name of the measure, and whether it is a standard or alternative measure.

(2) Name of the measure developer/owner.

(3) If it is an alternative measure, measure specifications, including numerator and denominator.

(4) The rationale for selecting each measure, including the relationship to existing measurement efforts and the relevancy to the population in the geographic area(s) the entity would serve, including the following:

(i) A specific description of the geographic area or areas it intends to serve.

(ii) A specific description of how each measure evaluates providers and suppliers on quality, efficiency, effectiveness, and/or resource use.

(5) A description of the methodologies it intends to use in creating reports with respect to all of the following topics:

(i) Attribution of beneficiaries to providers and/or suppliers.

(ii) Benchmarking performance data, including the following:

(A) Methods for creating peer groups.

(B) Justification of any minimum sample size determinations made.

(C) Methods for handling statistical outliers.

(iii) Risk adjustment, where appropriate.

(iv) Payment standardization, where appropriate.

(b) Submit to CMS a description of the process it would establish to allow providers and suppliers to view reports confidentially, request data, and ask for the correction of errors before the reports are made public.

(c) Submit to CMS a prototype report and a description of its plans for making the reports available to the public.

(d) Submit to CMS information about the claims data it possesses from other sources, as defined at § 401.703(h), and documentation of adequate rights to use the other claims data for the purposes of this subpart.

(e) If requesting a 5 percent national sample to calculate benchmarks for the specific measures it is using, submit to CMS a justification for needing the file to calculate benchmarks.

§ 401.709 The application process and requirements.

(a) Application deadline. CMS accepts qualified entity applications on a rolling basis after an application is made available on the CMS Web site. CMS reviews applications in the order in which they are received.

(b) Selection criteria. To be approved as a qualified entity under this subpart, the applicant must meet one of the following:

(1) Standard approval process: Meet the eligibility and operational and governance requirements, fulfill all of the application requirements to CMS' satisfaction, and agree to pay a fee equal to the cost of CMS making the data available. The applicant and each of its contractors that are anticipated to have access to the Medicare data must also execute a Data Use Agreement with CMS, that among other things, reaffirms the statutory ban on the use of Medicare data provided to the qualified entity by CMS under this subpart for purposes other than those referenced in this subpart.

(2) Conditional approval process: Meet the eligibility and operational and governance requirements, and fulfill all of the application requirements to CMS' satisfaction, with the exception of possession of sufficient claims data from other sources. Meeting these requirements will result in a conditional approval as a qualified entity. Entities gaining a conditional approval as a qualified entity must meet the eligibility requirements related to claims data from other sources the entity intends to combine with the Medicare data, agree to pay a fee equal to the cost of CMS making the data available, and execute a Data Use Agreement with CMS, that among other things, reaffirms the statutory ban on the use of Medicare data provided to the qualified entity by CMS under this subpart for purposes other than those referenced in this subpart before receiving any Medicare data. If the qualified entity is composed of a lead entity with contractors, any contractors that are anticipated to have access to the Medicare data must also execute a Data Use Agreement with CMS.

(c) Duration of approval. CMS permits an entity to participate as a qualified entity for a period of 3 years from the date of notification of the application approval by CMS. The qualified entity must abide by all CMS regulations and instructions. If the qualified entity wishes to continue performing the tasks after the 3-year approval period, the entity may re-apply for qualified entity status following the procedures in paragraph (f) of this section.

(d) Reporting period. A qualified entity must produce reports on the performance of providers and suppliers at least annually, beginning in the calendar year after they are approved by CMS.

(e) The distribution of data.—(1) Initial data release. Once CMS fully approves a qualified entity under this subpart, the qualified entity must pay a fee equal to the cost of CMS making data available. After the qualified entity pays the fee, CMS will release the applicable encrypted claims data, as well as a file that crosswalks the encrypted beneficiary ID to the beneficiary name and the Medicare HICN. The data will be the most recent data available, and will be limited to the geographic spread of the qualified entity's other claims data, as determined by CMS.

(2) Subsequent data releases. After the first quarter of participation, CMS will provide a qualified entity with the most recent additional quarter of currently available data, as well as a table that crosswalks the encrypted beneficiary ID to the beneficiary's name and the Medicare HICN. Qualified entities are required to pay CMS a fee equal to the cost of making data available before CMS will release the most recent quarter of additional data to the qualified entity.

(f) Re-application. A qualified entity that is in good standing may re-apply for qualified entity status. A qualified entity is considered to be in good standing if it has had no violations of the requirements in this subpart or if the qualified entity is addressing any past deficiencies either on its own or through the implementation of a corrective action plan. To re-apply a qualified entity must submit to CMS documentation of any changes to what was included in its previously-approved application. A re-applicant must submit this documentation at least 6 months before the end of its 3-year approval period and will be able to continue to serve as a qualified entity until the re-application is either approved or denied by CMS. If the re-application is denied, CMS will terminate its relationship with the qualified entity and the qualified entity will be subject to the requirements for return or destruction of data at § 401.721(b).

§ 401.711 Updates to plans submitted as part of the application process.

(a) If a qualified entity wishes to make changes to the following parts of its previously-approved application:

(1) Its list of proposed measures—the qualified entity must send all the information referenced in § 401.707(a) for the new measures to CMS at least 30 days before its intended confidential release to providers and suppliers.

(2) Its proposed prototype report—the qualified entity must send the new prototype report to CMS at least 30 days before its intended confidential release to providers and suppliers.

(3) Its plans for sharing the reports with the public—the qualified entity must send the new plans to CMS at least 30 days before its intended confidential release to providers and suppliers.

(b) CMS will notify the qualified entity when the entity's proposed changes are approved or denied for use, generally within 30 days of the qualified entity submitting the changes to CMS. If a CMS decision on approval or disapproval for a change is not forthcoming within 30 days and CMS does not request an additional 30 days for review, the change or modification shall be deemed to be approved.

(c) If the amount of claims data from other sources available to a qualified entity decreases, the qualified entity must immediately inform CMS and submit documentation that the remaining claims data from other sources is sufficient to address the methodological concerns regarding sample size and reliability. Under no circumstances may a qualified entity use Medicare data to create a report, use a measure, or share a report after the amount of claims data from other sources available to a qualified entity decreases until CMS determines either that the remaining claims data is sufficient or that the qualified entity has collected adequate additional data to address any deficiencies.

(1) If the qualified entity cannot submit the documentation required in paragraph (c) of this section, or if CMS determines that the remaining claims data is not sufficient, CMS will afford the qualified entity up to 120 days to obtain additional claims to address any deficiencies. If the qualified entity does not have access to sufficient new data after that time, CMS will terminate its relationship with the qualified entity.

(2) If CMS determines that the remaining claims data is sufficient, the qualified entity may continue issuing reports, using measures, and sharing reports.

§ 401.713 Ensuring the privacy and security of data.

(a) A qualified entity must comply with the data requirements in its data use agreement (DUA) with CMS. Contractors of qualified entities that are anticipated to have access to the Medicare claims data or beneficiary identifiable data in the context of this program are also required to execute and comply with the DUA. The DUA will require the qualified entity to maintain privacy and security protocols throughout the duration of the agreement with CMS and will ban the use of data for purposes other than those set out in this subpart. The DUA will also prohibit the use of unsecured telecommunications to transmit CMS data and will specify the circumstances under which CMS data must be stored and transmitted.

(b) A qualified entity must inform each beneficiary whose beneficiary identifiable data has been (or is reasonably believed to have been) inappropriately accessed, acquired, or disclosed in accordance with the DUA.

(c) Contractor(s) must report to the qualified entity whenever there is an incident where beneficiary identifiable data has been (or is reasonably believed to have been) inappropriately accessed, acquired, or disclosed.

§ 401.715 Selection and use of performance measures.

(a) Standard measures. A standard measure is a measure that can be calculated in full or in part from claims data from other sources and the standardized extracts of Medicare Parts A and B claims, and Part D prescription drug event data and meets the following requirements:

(1) Meets one of the following criteria:

(i) Is endorsed by the entity with a contract under section 1890(a) of the Social Security Act.

(ii) Is time-limited endorsed by the entity with a contract under section 1890(a) of the Social Security Act until such time as the full endorsement status is determined.

(iii) Is developed under section 931 of the Public Health Service Act.

(iv) Can be calculated from standardized extracts of Medicare Parts A or B claims or Part D prescription drug event data, was adopted through notice-and-comment rulemaking, and is currently being used in CMS programs that include quality measurement.

(v) Is endorsed by a CMS-approved consensus-based entity. CMS will approve organizations as consensus-based entities based on review of documentation of the consensus-based entity's measure approval process. To receive approval as a consensus-based entity, an organization must submit information to CMS documenting its processes for stakeholder consultation and measures approval; an organization will only receive approval as a consensus-based entity if all measure specifications are publically available. An organization will retain CMS acceptance as a consensus-based entity for 3 years after the approval date, at which time CMS will review new documentation of the consensus-based entity's measure approval process for a new 3-year approval.

(2) Is used in a manner that follows the measure specifications as written (or as adopted through notice-and-comment rulemaking), including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources.

(b) Alternative measure. (1) An alternative measure is a measure that is not a standard measure, but that can be calculated in full, or in part, from claims data from other sources and the standardized extracts of Medicare Parts A and B claims, and Part D prescription drug event data, and that meets one of the following criteria:

(i) Rulemaking process: Has been found by the Secretary, through a notice-and-comment rulemaking process, to be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures, and is used by a qualified entity in a manner that follows the measure specifications as adopted through notice-and-comment rulemaking, including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources.

(ii) Stakeholder consultation approval process: Has been found by the Secretary, using documentation submitted by a qualified entity that outlines its consultation and agreement with stakeholders in its community, to be more valid, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures, and is used by a qualified entity in a manner that follows the measure specifications as submitted, including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources. If a CMS decision on approval or disapproval of alternative measures submitted using the stakeholder consultation approval process is not forthcoming within 60 days of submission of the measure by the qualified entity, the measure will be deemed approved. However, CMS retains the right to disapprove a measure if, even after 60 days, we find it to not be “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource” than a standard measure.

(2) An alternative measure approved under the process at paragraph (b)(1)(i) of this section may be used by any qualified entity. An alternative measure approved under the process at paragraph (b)(1)(ii) of this section may only be used by the qualified entity that submitted the measure for consideration by the Secretary. A qualified entity may use an alternative measure up until the point that an equivalent standard measure for the particular clinical area or condition becomes available at which point the qualified entity must switch to the standard measure within 6 months or submit additional scientific justification and receive approval, via either paragraphs (b)(1)(i) or (b)(1)(ii) of this section, from the Secretary to continue using the alternative measure.

(3) To submit an alternative measure for consideration under the notice-and-comment-rulemaking process, for use in the calendar year following the submission, an entity must submit the following information by May 31st:

(i) The name of the alternative measure.

(ii) The name of the developer or owner of the alternative measure.

(iii) Detailed specifications for the alternative measure.

(iv) Evidence that use of the alternative measure would be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures.

(4) To submit an alternative measure for consideration under the documentation of stakeholder consultation approval process described in paragraph (b)(1)(ii) of this section, for use once the measure is approved by the Secretary, an entity must submit the following information to CMS:

(i) The name of the alternative measure.

(ii) The name of the developer or owner of the alternative measure.

(iii) Detailed specifications for the alternative measure.

(iv) A description of the process by which the qualified entity notified stakeholders in the geographic region it serves of its intent to seek approval of an alternative measure. Stakeholders must include a valid cross representation of providers, suppliers, payers, employers, and consumers.

(v) A list of stakeholders from whom feedback was solicited, including the stakeholders' names and roles in the community.

(vi) A description of the discussion about the proposed alternative measure, including a summary of all pertinent arguments supporting and opposing the measure.

(vii) Unless CMS has already approved the same measure for use by another qualified entity, no new scientific evidence on the measure is available, and the subsequent qualified entity wishes to rely upon the scientific evidence submitted by the previously approved applicant, an explanation backed by scientific evidence that demonstrates why the measure is more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by a standard measure.

§ 401.717 Provider and supplier requests for error correction.

(a) A qualified entity must confidentially share measures, measurement methodologies, and measure results with providers and suppliers at least 60 calendar days before making reports public. The 60 calendar days begin on the date on which qualified entities send the confidential reports to providers and suppliers. A qualified entity must inform providers and suppliers of the date the reports will be made public at least 60 calendar days before making the reports public.

(b) Before making the reports public, a qualified entity must allow providers and suppliers the opportunity to make a request for the data, or to make a request for error correction, within 60 calendar days after sending the confidential reports to providers or suppliers.

(c) During the 60 calendar days between sending a confidential report on measure results and releasing the report to the public, the qualified entity must, at the request of a provider or supplier and with appropriate privacy and security protections, release the Medicare claims data and beneficiary names to the provider or supplier. Qualified entities may only provide the Medicare claims and/or beneficiary names relevant to the particular measure or measure result the provider or supplier is appealing.

(d) A qualified entity must inform providers and suppliers that reports will be made public, including information related to the status of any data or error correction requests, after the date specified to the provider or supplier when the report is sent for review and, if necessary, error correction requests (at least 60 calendar days after the report was originally sent to the providers and suppliers), regardless of the status of any requests for error correction.

(e) If a provider or supplier has a data or error correction request outstanding at the time the reports become public, the qualified entity must, if feasible, post publicly the name of the appealing provider or supplier and the category of the appeal request.

§ 401.719 Monitoring and sanctioning of qualified entities.

(a) CMS will monitor and assess the performance of qualified entities and their contractors using the following methods:

(1) Audits.

(2) Submission of documentation of data sources and quantities of data upon the request of CMS and/or site visits.

(3) Analysis of specific data reported to CMS by qualified entities through annual reports (as described in paragraph (b) of this section) and reports on inappropriate disclosures or uses of beneficiary identifiable data (as described in paragraph (c) of this section).

(4) Analysis of complaints from beneficiaries and/or providers or suppliers.

(b) A qualified entity must provide annual reports to CMS containing information related to the following:

(1) General program adherence, including the following information:

(i) The number of Medicare and private claims combined.

(ii) The percent of the overall market share the number of claims represent in the qualified entity's geographic area.

(iii) The number of measures calculated.

(iv) The number of providers and suppliers profiled by type of provider and supplier.

(v) A measure of public use of the reports.

(2) The provider and supplier data sharing, error correction, and appeals process, including the following information:

(i) The number of providers and suppliers requesting claims data.

(ii) The number of requests for claims data fulfilled.

(iii) The number of error corrections.

(iv) The type(s) of problem(s) leading to the request for error correction.

(v) The amount of time to acknowledge the request for data or error correction.

(vi) The amount of time to respond to the request for error correction.

(vii) The number of requests for error correction resolved.

(c) A qualified entity must inform CMS of inappropriate disclosures or uses of beneficiary identifiable data under the DUA.

(d) CMS may take the following actions against a qualified entity if CMS determines that the qualified entity violated any of the requirements of this subpart, regardless of how CMS learns of a violation:

(1) Provide a warning notice to the qualified entity of the specific concern, which indicates that future deficiencies could lead to termination.

(2) Request a corrective action plan (CAP) from the qualified entity.

(3) Place the qualified entity on a special monitoring plan.

(4) Terminate the qualified entity.

§ 401.721 Terminating an agreement with a qualified entity.

(a) Grounds for terminating a qualified entity agreement. CMS may terminate an agreement with a qualified entity if CMS determines the qualified entity or its contractor meets any of the following:

(1) Engages in one or more serious violations of the requirements of this subpart.

(2) Fails to completely and accurately report information to CMS or fails to make appropriate corrections in response to confidential reviews by providers and suppliers in a timely manner.

(3) Fails to submit an approvable corrective action plan (CAP) as prescribed by CMS, fails to implement an approved CAP, or fails to demonstrate improved performance after the implementation of a CAP.

(4) Improperly uses or discloses claims information received from CMS in violation of the requirements in this subpart.

(5) Based on its re-application, no longer meets the requirements in this subpart.

(6) Fails to maintain adequate data from other sources in accordance with § 401.711(c).

(b) Return or destruction of CMS data upon voluntary or involuntary termination from the qualified entity program:

(1) If CMS terminates a qualified entity's agreement, the qualified entity and its contractors must immediately upon receipt of notification of the termination commence returning or destroying any and all CMS data (and any derivative files). In no instance can this process exceed 30 days.

(2) If a qualified entity voluntarily terminates participation under this subpart, it and its contractors must return to CMS, or destroy, any and all CMS data in its possession within 30 days of notifying CMS of its intent to end its participation.

(Catalog of Federal Domestic Assistance Program No. 93.773, Medicare—Hospital Insurance; and Program No. 93.774, Medicare—Supplementary Medical Insurance Program)

Dated: November 1, 2011.

Donald M. Berwick,

Administrator, Centers for Medicare & Medicaid Services.

Approved: November 29, 2011.

Kathleen Sebelius,

Secretary, Department of Health and Human Services.

[FR Doc. 2011-31232 Filed 12-5-11; 11:15 am]

BILLING CODE 4120-01-P
