Skip to Content

Notice

Privacy Act of 1974; Report of a Modified or Altered System of Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).

ACTION:

Notice of a modified or altered system of records.

SUMMARY:

The Privacy Act of 1974 and section 1106 of the Social Security Act (the Act) explain when and how CMS may use and disclose the personal data of people with Medicare. The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-173) added requirements for releasing and using personal data. To meet these additional requirements, CMS proposes to modify the existing system of records (SOR) titled “Medicare Drug Data Processing System (DDPS),” System No. 09-70-0553, established at 70 FR 58436 (October 6, 2005). Under this modification we are clarifying the statutory authorities for which these data are collected and disclosed. The original SOR notice cited the statutory section governing CMS's payment of Part D plan sponsors (Social Security Act § 1860D-15) that limits the uses of the data collected to purposes related to plan payment and oversight of plan payment. However, the broad authority of § 1860D-12(b)(3)(D) authorizes CMS to collect, use and disclose Part D data for broader purposes related to CMS's responsibilities for program administration and research. Furthermore the authority under § 1106 of the Act allows the Secretary to use and disclose data pursuant to a regulation, which in this case would be 42 CFR 423.505. CMS has published a final rule in order to clarify our statutory authority and explain how we propose to implement the broad authority of § 1860D-12(b)(3)(D) and 1106 of the Act. This SOR is being revised to reflect our intended use of this broader statutory authority.

In addition to updating this SOR to reflect our broader statutory authority, CMS proposes to make the following modifications to the DDPS system:

  • Revise published routine use number 1 to include CMS grantees that perform a task for the agency.
  • Add a new routine use number 2 to allow the use and disclosure of information to other Federal and state agencies for accurate payment of Start Printed Page 30944Medicare benefits; to fulfill a requirement or allowance of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and to help Federal/state Medicaid programs that may need information from this system.
  • Broaden the scope of routine use number 4 to allow the use and disclosure of specified data as described in CMS's Part D data final rule, 42 CFR 423.505(m) to other government agencies, States or external organizations, in accordance with the minimum data necessary policy and Federal law.
  • Delete published routine use number 5 which authorizes disclosure to support constituent requests made to a congressional representative.
  • Broaden the scope of routine use number 7 and 8, to include combating “waste,” in addition to fraud and abuse that result in unnecessary cost to federally-funded health benefit programs.
  • Revise language regarding routine uses disclosures to explain the purpose of the routine use and make clear CMS's intention to use and disclose personal information contained in this system.
  • Reorder and prioritize the routine uses.
  • Update any sections of the system affected by the reorganization or revision of routine uses because of MMA provisions or regulations promulgated based on MMA provisions.
  • Update language in the administrative sections to be consistent with language used in other CMS SORs.

The primary purpose of this system is to collect, maintain, and process information on all Medicare covered, and as many non-covered drug events as possible, for people with Medicare who have enrolled into a Medicare Part D plan. The system helps CMS determine appropriate payment of covered drugs. It will also provide for processing, storing, and maintaining drug transaction data in a large-scale database, while putting data into data marts to support payment analysis. CMS would allow the expanded use and disclosure of information in this system to: (1) Support regulatory, analysis, oversight, reimbursement, operational, and policy functions performed within the agency or by a contractor, consultant, or a CMS grantee; (2) support another Federal and/or state agency, agency of a state government, an agency established by state law, or its fiscal agent; (3) assist Medicare Part D sponsors; (4) support an individual or organization with projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services for a research, evaluation, or epidemiological or other project related to protecting the public's health, the prevention of disease or disability, the restoration or maintenance of health, or for payment related purposes; (5) assist Quality Improvement Organizations; (6) support lawsuits involving the agency; and (7) combat fraud, waste, and abuse in certain Federally funded health benefits programs.

DATES:

Effective Dates: CMS filed a modified or altered system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security & Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on May 22, 2008. To ensure that all parties have adequate time in which to comment, the modified system, including routine uses, will become effective 30 days from the publication of the notice, or 40 days from the date it was submitted to OMB and Congress, whichever is later, unless CMS receives comments that require alterations to this notice.

ADDRESSES:

The public should send comments to: CMS Privacy Officer, Division of Privacy Compliance, Enterprise Architecture and Strategy Group, Office of Information Services, CMS, Mail stop N2-04-27, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.-3 p.m., Eastern Time zone.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Alissa Deboy, Director, Division of Drug Plan Policy & Analysis, Medicare Drug Benefit Group, Centers for Beneficiary Choices, CMS, Room C1-26-26, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. The telephone number is 410-786-6041 or e-mail at Alissa.Deboy@cms.hhs.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

In December 2003, Congress added Part D under Title XVIII when it passed the Medicare Prescription Drug, Improvement, and Modernization Act. The Act allows Medicare to pay plans to provide Part D prescription drug coverage as described in Title 42, Code of Federal Regulations (CFR) § 423.301. The Act allows Medicare to pay Part D sponsors in one of four ways: 1. Direct subsidies; 2. Premium and cost-sharing subsidies for qualifying low-income individuals (low-income subsidy); 3. Federal reinsurance subsidies; and 4. Risk-sharing. Throughout this notice, the term “sponsor” means all entities that provide Part D prescription drug coverage and submit claims data to CMS for payment calculations.

As a condition of payment, all Part D sponsors must submit data and information necessary for CMS to carry out payment provisions (§ 1860D-15(c)(1)(C) and (d)(2) of the Act, and 42 CFR 423.322). In addition, these data may be disclosed to other entities, pursuant to § 1860D-12(b)(3)(D) and 42 CFR 423.505(b)(8) and (f), (l), and (m)) for the purposes described in the routine uses described in this SOR notice. Furthermore, this data may be disclosed pursuant to § 1106 of the Act.

This notice explains how CMS would collect data elements on Part D prescription drug events (PDE data, also called “claims” data) according to the statute. Data elements such as beneficiary, plan, pharmacy and prescriber identifiers would be used to validate claims and meet other legislative requirements or initiatives such as quality monitoring, program integrity, and payment oversight. In addition, the original 37 data elements submitted as part of the prescription drug event data would be used for other purposes as allowed by § 1860D-12 and its implementing regulations.

In addition, summary prescription drug claim information based on the original 37 elements maintained in this system will be used to (1) generate reports to Congress and the public on overall statistics associated with the operation of the Medicare prescription drug program; (2) conduct evaluations of the overall Medicare program; (3) make legislative proposals to the Congress regarding Federal health care programs; (4) conduct demonstration and pilot projects and make recommendations for improving the economy, efficiency or effectiveness of the Medicare program; (5) support care coordination and disease management programs; (6) support quality improvement, performance measurement, and public reporting activities; (7) populate personal health care records; and (8) as otherwise permitted under 42 CFR 423.505.

In addition to the individually identifiable information identified in section I. B. (Data in the System) below, we will maintain the following data elements, which may be used under the authority of sections 1860D-12 and D-15 as noted above: Identification of pharmacy where the prescription was filled; indication of whether drug was compounded or mixed; indication of prescriber instruction regarding Start Printed Page 30945substitution of generic equivalents or order to “dispense as written;” quantity dispensed (for example, number of tablets, grams, milliliters, or other unit); days supply; fill number; dispensing status and whether the full quantity is dispensed at one time, or the quantity is partially filled; identification of coverage status, such as whether the product dispensed is covered under the plan benefit package or under Part D or both. This code also identifies whether the drug is being covered as part of a Part D supplemental benefit; indication of whether unique pricing rules apply, for example because of an out-of-network or Medicare as Secondary Payer services; indication of whether the beneficiary has reached the annual out-of-pocket threshold, which triggers reduced beneficiary cost-sharing and the reinsurance subsidy; ingredient cost of the product dispensed; dispensing fee paid to pharmacy; sales tax; for covered Part D drugs, the amount of gross drug costs that are both below and above the annual out-of-pocket threshold; amount paid by patient and not reimbursed by a third party (such as co-payments, coinsurance, or deductibles); amount of third party payment that would count toward a beneficiary's true out-of-pocket (TrOOP) costs in meeting the annual out-of-pocket threshold, such as payments on behalf of a beneficiary by a qualifying State Pharmacy Assistance Program (SPAP); low-income cost-sharing subsidy amount (if any); and reduction in patient liability due to non-TrOOP-eligible payers paying on behalf of the beneficiary (which would exclude payers whose payments count toward a beneficiary's true out of pocket costs, such as SPAPs amounts paid by the plan for basic prescription drug coverage and amounts paid by plan for benefits beyond basic prescription drug coverage).

I. Description of the Modified System of Records

A. Statutory and Regulatory Basis for System

This system is mandated and authorized under provisions of the Medicare Prescription Drug, Improvement, and Modernization Act, amending the Social Security Act by adding Part D under Title XVIII (§§ 1860D-15(c)(1)(C) and (d)(2), as described in Title 42, Code of Federal Regulations (CFR) 423.301 et.seq. as well as1860D-12(b)(3)(D) and 1106 of the Act, as described in 42 CFR 423.505(b)(8) and (f),(l), and (m).

B. Data in the System

This system collects and maintains individually identifiable information on Medicare beneficiaries who have enrolled in a Medicare Part D plan and individually identifiable data on prescribing health care professionals and referring/servicing pharmacies. The data includes, but is not limited to, summary prescription drug claim data and individually identifiable beneficiary information such as: health insurance claim number, card holder identification number, date of service, gender, other identifying data, and optionally, the patient's date of birth. Identifying information of prescribing health care providers include the prescriber identification number and qualifier and the pharmacy service provider ID and qualifier.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

A. Below are CMS' policies and procedures for giving out individually identifiable information maintained in the system. CMS would only use and disclose the minimum data necessary to achieve the purpose of the DDPS if the following requirements are met:

1. The information or use of the information is consistent with the reason that the data is being collected;

2. The individually identifiable information is necessary to complete the project (taking into account the risk to the privacy of the individual);

3. The organization receiving the information establishes administrative, technical, and physical protections to prevent unauthorized use of the information;

4. The organization removes or destroys the information that allows the individual to be identified at the earliest time;

5. The organization generally agrees to not use or disclose the information for any purpose other than the stated purpose under which the information was disclosed; and

6. The data are valid and reliable.

The Privacy Act allows CMS to give out identifiable and non-identifiable information for routine uses without an individual's consent/authorization. The identifiable data described in this notice is listed under Section I. B. above.

III. Routine Uses of Data

A. In addition to those entities specified in the Privacy Act of 1974, CMS may use and disclose information from the DDPS without the consent of the individual for routine uses pursuant to sections 1860D-15 and 1860D-12(b)(3)(D) of the Social Security Act . Below are the modified routine uses for releasing information without individual consent that CMS would add or modify in the DDPS.

1. To support Agency contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this SOR and who need to have access to the records in order to assist CMS.

We contemplate disclosing information under this routine use only in situations in which CMS may enter into a contractual or similar agreement with a third party to assist in accomplishing a CMS function relating to purposes for this SOR.

CMS occasionally contracts out or makes other arrangements for certain functions when doing so would contribute to effective and efficient operations. CMS must be able to give a contractor, consultant, or CMS grantee whatever information is necessary for the contractor, consultant, or grantee to fulfill its duties. In these situations, safeguards are provided in the contract/similar agreement prohibiting the contractor, consultant, or grantee from using or disclosing the information for any purpose other than that described in the contract/similar agreement and requires the contractor, consultant, or grantee to destroy all information at the completion of the contract or similar agreement.

2. To assist another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent to:

a. Contribute to the accuracy of CMS' payment of Medicare benefits,

b. Administer a Federal health benefits program or fulfill a Federal statute or regulatory requirement or allowance that implements a health benefits program funded in whole or in part with Federal funds,

c. Access data required for Federal/state Medicaid programs, or

Other Federal or state agencies in their administration of a Federal health program may require DDPS information in order to support evaluations and monitoring of Medicare claims information of beneficiaries, including proper reimbursement for services provided.

In addition, disclosure under this routine use may be used by state agencies pursuant to agreements with the HHS for determining Medicare or Medicaid eligibility, for determining eligibility of recipients of assistance under titles IV, XVIII, and XIX of the Act, and for the administration and operation of the Medicare and Medicaid programs including quality Start Printed Page 30946improvement and care coordination. Data will be disclosed to the state only on those individuals who are or were patients under the services of a program within the state or who are residents of that state.

3. To support Part D Sponsors, pharmacy benefit managers, claims processors, and other Prescription Drug Event submitters, in protecting their own members (and former members for the periods enrolled in a given plan) against medical expenses of their enrollees without the beneficiary's authorization, and having knowledge of the occurrence of any event affecting (a) an individual's right to any such benefit or payment, or (b) the initial right to any such benefit or payment, for the purpose of coordination of benefits with the Medicare program and implementation of the Medicare Secondary Payer provision at 42 U.S.C. 1395y (b). Information to be disclosed shall be limited to Medicare utilization data necessary to perform that specific function. In order to receive the information, they must agree to:

a. Certify that the individual about whom the information is being provided is one of its insured or employees, or is insured and/or employed by another entity for whom they serve as a Third Party Administrator;

b. Utilize the information solely for the purpose of processing the individual's insurance claims; and

c. Safeguard the confidentiality of the data and prevent unauthorized access.

Other insurers may need data in order to support evaluations and monitoring of Medicare claims information, including proper reimbursement for services.

4. To assist an individual or organization with research, an evaluation, or an epidemiological or other project related to protecting the public's health, the prevention of disease or disability, restoration or maintenance of health, or for payment related purposes. This includes projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services. CMS must:

a. Determine if the use or disclosure of data violate legal limitations under which the record was provided, collected, or obtained;

b. Determine that the purpose for the use or disclosure of information:

(1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form,

(2) Is of sufficient importance to warrant the effect or risk on the privacy of the individual, and

(3) Meets the objectives of the project;

c. Requires the recipient of the information to:

(1) Establish reasonable administrative, technical, and physical protections to prevent unauthorized use or disclosure of information,

(2) Remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the project, unless the recipient presents an adequate justification for retaining such information, and

(3) No longer use or disclose information except:

(a) In emergency circumstances affecting the health or safety of any individual;

(b) For use in another research project, under these same conditions and with written CMS approval;

(c) For an audit related to the research;

(d) For disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit; or

(e) When required by Federal law.

d. Get signed, written statements from the entity receiving the information that they understand and will follow all provisions in this notice.

e. Complete and submit a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies.

CMS anticipates that there will be many legitimate requests to use these data in projects that could ultimately improve the care provided to Medicare beneficiaries and the policy that governs the care.

5. To support Quality Improvement Organizations (QIO) in the claims review process, or with studies or other review activities performed in accordance with Part B of Title XI of the Act. QIOs can also use the data for outreach activities to establish and maintain entitlement to Medicare benefits or health insurance plans.

QIOs will work to implement quality improvement and performance measurement programs, provide consultation to CMS, its contractors, and to state agencies. QIOs will assist the state agencies in related monitoring and enforcement efforts, assist CMS and intermediaries in program integrity assessment, and prepare summary information for disclosure to CMS.

6. To assist the Department of Justice (DOJ), court, or adjudicatory body when there is a lawsuit in which the Agency, any employee of the Agency in his or her official capacity or individual capacity (if the DOJ agrees to represent the employee), or the United States Government is a party or CMS' policies or operations could be affected by the outcome. The information must be both relevant and necessary to the lawsuit, and the use of the records is for a purpose that is compatible with the purpose for which CMS collected the records.

Whenever CMS is involved in litigation, or occasionally when another party is involved in litigation and CMS' policies or operations could be affected by the outcome of the litigation, CMS would be able to disclose information to the DOJ, court, or adjudicatory body involved.

7. To support a CMS contractor that assists in the administration of a CMS health benefits program or a grantee of a CMS-administered grant program if the information is necessary, in any capacity, to combat fraud, waste, or abuse in such program. CMS will only provide this information if CMS can enter into a contract or grant for this purpose.

CMS must be able to give a contractor or CMS grantee necessary information in order to complete their contractual responsibilities. In these situations, protections are provided in the contract prohibiting the contractor or grantee from using or releasing the information for any purpose other than that described in the contract. It also requires the contractor or grantee to return or destroy all information when the contract ends.

8. To support another Federal agency or any United States government jurisdiction (including any state or local governmental agency) if the information is necessary, in any capacity, to combat fraud, waste, or abuse in a health benefits program that is funded in whole or in part by Federal funds.

Other agencies may require DDPS information for the purpose of combating fraud, waste, or abuse in such federally-funded programs.

B. Additional Circumstances Affecting Routine Use Disclosures

To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR Parts 160 and 164, Subparts A and E) 65 FR 82462 (December 28, 2000), use and disclosure of information that are otherwise allowed by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy Start Printed Page 30947of Individually Identifiable Health Information.” (See 45 CFR 164.512(a)(1).)

In addition, CMS will not give out information that is not directly identifiable if there is a possibility that a person with Medicare could be identified because the sample is small enough to identify participants. CMS would make exceptions if the information is needed for one of the routine uses or if it's required by law.

IV. Safeguards and Protections

CMS has protections in place for authorized users to make sure they are properly using the data and there is no unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system cannot use or disclose data until the recipient agrees to implement appropriate management, operational and technical safeguards that will protect the confidentiality, integrity, and availability of the information and information systems.

This system would follow all applicable Federal laws and regulations, and Federal, HHS, and CMS security and data privacy policies and standards. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002 (when applicable); the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to all pertinent National Institute of Standards and Technology publications, the HHS Information Systems Program Handbook, and the CMS Information Security Handbook.

V. Effects on Individual Rights

CMS does not anticipate a negative effect on individual privacy as a result of giving out personal information from this system. CMS established this system in accordance with the principles and requirements of the Privacy Act and would collect, use, and disclose information that follow these requirements. CMS would only give out the minimum amount of personal data to achieve the purpose of the system. Use and disclosure of information from the system will be approved only to the extent necessary to accomplish the purpose of releasing the data. CMS has assigned a higher level of security clearance for the information maintained in this system in an effort to provide added security and protection of individuals' personal information and, if feasible, ask that once the information is no longer needed that it be returned or destroyed.

CMS would take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy, or other personal or property rights. CMS would collect only information necessary to perform the system's functions. In addition, CMS would only give out information if the individual, or his or her legal representative has given approval, or if allowed by one of the exceptions noted in the Privacy Act.

Start Signature

Dated: May 22, 2008.

Charlene Frizzera,

Chief Operating Officer, Centers for Medicare & Medicaid Services.

End Signature

SYSTEM NO.

09-70-0553.

SYSTEM NAME:

Medicare Drug Data Processing System (DDPS), HHS/CMS/CBC.

SECURITY CLASSIFICATION:

Level Three Privacy Act Sensitive.

SYSTEM LOCATION:

CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850 and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

This system collects and maintains individually identifiable information on all people with Medicare who have enrolled into a Medicare Part D plan and individually identifiable data on prescribing health care professional, referring/servicing physician, and providers.

CATEGORIES OF RECORDS IN THE SYSTEM:

The data includes, but is not limited to, summary prescription drug claim data and individually identifiable beneficiary information such as: Beneficiary name, address, city, state, ZIP code, card holder identification number, date of service, gender, demographic, other identifying data, and optionally, the patient's date of birth. Identifying information of prescribing health care professional and providers of services and referring/servicing physician include provider/physician name, title, address, city, state, ZIP code, e-mail address, telephone numbers, fax number, state licensure number, Social Security Numbers, Federal tax identification numbers, prescriber identification number, assigned provider number (facility, referring/servicing physician), Drug Enforcement Agency (DEA) assigned identification number, and numerous other data elements related to the processing of the prescription drug claim.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

This system is mandated under provisions of the Medicare Prescription Drug, Improvement, and Modernization Act, amending the Social Security Act by adding Part D under Title XVIII (§§ 1860D-15(c)(1)(C) and (d)(2)), as described in Title 42, Code of Federal Regulations (CFR) 423.301 et seq. as well as1860D-12(b)(3)(D) and 1106 of the Act, as described in 42 CFR 423.505(b)(8), (f), (l), and (m).

PURPOSE(S) OF THE SYSTEM:

The primary purpose of this system is to collect, maintain, and process information on all Medicare covered, and as many non-covered drug events as possible, for people with Medicare who have enrolled into a Medicare Part D plan. The system will help CMS determine appropriate payment of covered drugs. It will also provide for processing, storing, and maintaining drug transaction data in a large-scale database, while putting data into data marts to support payment analysis. CMS would allow the expanded release of information in this system to: (1) Support regulatory, analysis, oversight, reimbursement, operational and policy functions performed within the agency or by a contractor, consultant, or a CMS grantee; (2) help another Federal and/or state agency, agency of a state government, an agency established by state law, or its fiscal agent; (3) assist Medicare Part D sponsors; (4) support an individual or organization with projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services or for a research, evaluation, or epidemiological or other project related to protecting the public's health, the prevention of disease or disability, the restoration or maintenance of health, or for payment related purposes; (5) assist Quality Improvement Organizations; (6) support lawsuits involving the agency; and (7) combat fraud, waste, and abuse in certain Federally funded health benefits programs.Start Printed Page 30948

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES:

A. Entities Who May Receive Disclosures Under Routine Use:

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may use and disclose information from the DDPS without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish or modify the following routine use disclosures of information maintained in the system:

1. To support Agency contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this SOR and who need to have access to the records in order to assist CMS.

2. To assist another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent pursuant to agreements with CMS to:

a. Contribute to the accuracy of CMS's payment of Medicare benefits;

b. Administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and/or

c. Access data required for Federal/state Medicaid programs.

3. To support Part D Prescription Drug sponsors, pharmacy benefit managers, claims processors, and other Prescription Drug Event submitters, in protecting their own members (and former members for the periods enrolled in a given plan) against medical expenses of their enrollees without the beneficiary's authorization, and having knowledge of the occurrence of any event affecting (a) an individual's right to any such benefit or payment, or (b) the initial right to any such benefit or payment, for the purpose of coordination of benefits with the Medicare program and implementation of the Medicare Secondary Payer provision at 42 U.S.C. 1395y(b). Information to be disclosed shall be limited to Medicare utilization data necessary to perform that specific function. In order to receive the information, they must agree to:

a. Certify that the individual about whom the information is being provided is one of its insured or employees, or is insured and/or employed by another entity for whom they serve as a Third Party Administrator;

b. Utilize the information solely for the purpose of processing the individual's insurance claims; and

c. Safeguard the confidentiality of the data and prevent unauthorized access.

4. To assist an individual or organization with research, an evaluation, or an epidemiological or other project related to protecting the public's health, the prevention of disease or disability, restoration or maintenance of health, or for payment related purposes. This includes projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services. CMS must:

a. Determine if the use or disclosure of data violate legal limitations under which the record was provided, collected, or obtained;

b. Determine that the purpose for the use or disclosure of information:

(1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form;

(2) Is of sufficient importance to warrant the effect or risk on the privacy of the individual; and

(3) Meets the objectives of the project;

c. Requires the recipient of the information to:

(1) Establish reasonable administrative, technical, and physical protections to prevent unauthorized use or disclosure of information;

(2) Remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the project, unless the recipient presents an adequate justification for retaining such information; and

(3) No longer use or disclose information except:

(a) In emergency circumstances affecting the health or safety of any individual;

(b) For use in another research project, under these same conditions and with written CMS approval;

(c) For an audit related to the research;

(d) For disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit; or

(e) When required by Federal law.

d. Get signed, written statements from the entity receiving the information that they understand and will follow all provisions in this notice.

e. Complete and submit a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies.

5. To support Quality Improvement Organization (QIO) with claims review process or with studies or other review activities performed in accordance with Part B of Title XI of the Social Security Act. QIOs can also use the data for outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans.

6. To assist the Department of Justice (DOJ), court, or adjudicatory body when there is a lawsuit in which the Agency, any employee of the Agency in his or her official capacity or individuals capacity (if the DOJ agrees to represent the employee), or the United States Government is a part of CMS' policies or operations could be affected by the outcome. The information must be both relevant and necessary to the lawsuit, and the use of records is for a purpose that is compatible with the purpose for which CMS collected records.

7. To support a CMS contractor that assists in the administration of a CMS health benefits program, or a grantee of a CMS-administered grant program, if the information is necessary, in any capacity, to combat fraud, waste, or abuse in such program. CMS will only provide this information if CMS can enter into a contract or grant for this purpose.

8. To support another Federal agency or any United States government jurisdiction (including any state, or local governmental agency), if the information is necessary, in any capacity to combat fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds.

B. Additional Circumstances Affecting Routine Use Disclosures:

To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR Parts 160 and 164, Subparts A and E) 65 FR 82462 (12-28-00) release of information that are otherwise allowed by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information.” (See 45 CFR 164-512 (a)(1).)

In addition, CMS will not give out information that is not directly identifiable if there is a possibility that Start Printed Page 30949a person with Medicare could be identified because the sample is small enough to identify participants. CMS would make exceptions if the information is needed for one of the routine uses or if it's required by law.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Records are stored on both tape cartridges (magnetic storage media) and in a DB2 relational database management environment (DASD data storage media).

RETRIEVABILITY:

Information is most frequently retrieved by HICN, provider number (facility, physician, IDs), service dates, and beneficiary state code.

SAFEGUARDS AND PROTECTIONS:

CMS has protections in place for authorized users to make sure they are properly using the data and there is no unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system cannot use or disclose data until the recipient agrees to implement appropriate management, operational and technical safeguards that will protect the confidentiality, integrity, and availability of the information and information systems.

This system would follow all applicable Federal laws and regulations, and Federal, HHS, and CMS security and data privacy policies and standards. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002 (when applicable); the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to all pertinent National Institute of Standards and Technology publications, the HHS Information Systems Program Handbook, and the CMS Information Security Handbook.

RETENTION AND DISPOSAL:

Records are maintained with identifiers for all transactions after they are entered into the system for a period of 20 years. Records are housed in both active and archival files. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from the Department of Justice.

SYSTEM MANAGER AND ADDRESS:

Director, Centers for Beneficiary Choices, CMS, Mail stop C5-19-07, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.

NOTIFICATION PROCEDURE:

For purpose of notification, the subject individual should write to the system manager who will require the system name, and the retrieval selection criteria (e.g., HICN, facility/pharmacy number, service dates, etc.).

RECORD ACCESS PROCEDURE:

For purpose of access, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a)(2).)

CONTESTING RECORD PROCEDURES:

The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:

Summary prescription drug claim information contained in this system is obtained from the Part D Sponsor daily and monthly drug event transaction reports, Medicare Beneficiary Database (09-70-0530), and other payer information to be provided by the TROOP Facilitator.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

None.

End Supplemental Information

[FR Doc. E8-11949 Filed 5-28-08; 8:45 am]

BILLING CODE 4120-03-P