Skip to Content

Notice

Privacy Act of 1974; Notice of Modified System of Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).

ACTION:

Notice of a modified system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, CMS is proposing to make minor amendments to an existing system of records (SOR) titled, “Performance Measurement and Reporting System (PMRS),” System No. 09-70-0584, published at 72 Federal Register 52133 (September 12, 2007), as amended by 73 Federal Register 80412 (December 31, 2008). PMRS serves as a master system of records to assist in projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services so that they can make informed choices among individual physicians, practitioners, and other providers of services. We are making minor amendments to PMRS to include an additional legal authority: Section 109 of the Tax Relief and Health Care Act of 2006 (TRHCA) (Pub. L. 109-432). Section 109 of the TRHCA amended Section 1833(t) of the Social Security Act (42 U.S.C. 1395l(t)). This section mandates the establishment of a program for quality data reporting for hospital outpatient services and allow for the establishment of a program to require quality data reporting for ambulatory surgical center services. Accordingly, CMS is adding section 109 of TRCHA (42 U.S.C. 1395l(t)) and section 1833(t) of the Act to the PMRS' legal authority section.

The primary purpose of this system is explained in 72 FR 52133 (2007) and 73 FR 80412 (2008). We have provided background information about this modified system in the SUPPLEMENTARY INFORMATION section below.

DATES:

Effective Dates: The minor amendments contained in this notice are effective upon publication in the Federal Register.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Aucha Prachanronarong, Health Insurance Specialist, Division of Ambulatory Care and Measure Management, Quality Measurement and Health Assessment Group, Office of Clinical Standards and Quality, CMS, Room C1-23-14, 7500 Security Start Printed Page 17673Boulevard, Baltimore, Maryland 21244-1850. The telephone number is (410) 786-1879 or contact Aucha.Prachanronarong@cms.hhs.gov. For further information on this system as it relates to Hospital Outpatient Quality Data Reporting, please contact Anita Bhatia, Health Insurance Specialist, Division of Quality Improvement Policy for Acute Care, Quality Improvement Group, Office of Clinical Standards and Quality, CMS, Room C1-23-14, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. The telephone number is (410) 786-7236 or contact Anita.Bhatia@cms.hhs.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

As required by TRHCA, CMS implemented a Hospital Outpatient Quality Data Reporting Program (HOP QDRP). Under the HOP QDRP, providers who successfully submit quality data on a designated set of quality measures receive the full annual market basket update rather than an update reduced by two percent. As a part of this program, CMS or its contractors may request a limited number of physician and patient-identifiable patient records to validate the accuracy of information submitted under the program. In this notice, CMS is adding this legal authority (section 1833(t) of the Social Security Act; 109 of division B of the Tax Relief and Health Care Act of 2006) to the Authority section of the PMRS SOR notice.

I. Description of the Modified System of Records

A. Statutory and Regulatory Basis for System

The “Authority” section of PMRS system of records notice is amended to read: Authority for the collection, maintenance, and disclosures from this system is given under provisions of sections 1152, 1153 (c), 1153(e), 1154, 1160, 1833(t), 1848(k), 1848(m), 1851(d) and 1862(g) of the Social Security Act; sections 101 and 109 of division B of the Tax Relief and Health Care Act of 2006; section 101 of the Medicare, Medicaid, and SCHIP Extension Act of 2007, sections 131 and 132 of MIPPA, and sections 901, 912, and 914 of the Public Health Service Act.

B. Collection and Maintenance of Data in the System

The system contains single and multi-payer, patient de-identified, individual physician-level performance measurement results as well as, patient identifiable clinical and claims information provided by individual physicians, practitioners and providers of services, individuals assigned to provider groups, insurance and provider associations, government agencies, accrediting and quality organizations, and others who are committed to improving the quality of physician services. This system contains the patient's or beneficiary's name, sex, health insurance claim number (HIC), Social Security Number (SSN), address, date of birth, medical record number(s), prior stay information, provider name and address, physician's name, and/or identification number, date of admission or discharge, other health insurance, diagnosis, surgical procedures, and a statement of services rendered for related charges and other data needed to substantiate claims. The system contains provider characteristics, prescriber identification number(s), assigned provider number(s) (facility, referring/servicing physician), and national drug code information, total charges, and Medicare payment amounts.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

The Privacy Act permits us to disclose information without an individual's consent/authorization if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such disclosure of data is known as a “routine use.” The agency policies, procedures, and restriction on routine uses for the PMRS were published in the Federal Register on September 12, 2007. See 72 FR 52133 (Sept. 12, 2007) for further information.

III. Routine Use Disclosures of Data in the System

For further information on the routine uses for the PMRS, please see 72 FR 52133 and 80 FR 80412.

IV. Safeguards

CMS has safeguards in place for authorized users and monitors such users to ensure against unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.

This system will conform to all applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards as they relate to information security and data privacy. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications; the HHS Information Systems Program Handbook and the CMS Information Security Handbook.

V. Effects of the Modified System on the Rights of Individuals

CMS proposes to amend this system in accordance with the principles and requirements of the Privacy Act and will collect, use, and disseminate information only as prescribed therein. We will only disclose the minimum personal data necessary to achieve the purpose of PMRS. Disclosure of information from the system will be approved only to the extent necessary to accomplish the purpose of the disclosure. CMS has assigned a higher level of security clearance for the information maintained in this system in an effort to provide added security and protection of data in this system.

CMS will take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy or other personal or property rights. CMS will collect only that information necessary to perform the system's functions. In addition, CMS will make disclosure from the proposed system only with consent of the subject individual, or his/her legal representative, or in accordance with an applicable exception provision of the Privacy Act. CMS, therefore, does not anticipate an unfavorable effect on individual privacy as a result of the disclosure of information relating to individuals.

Start Signature

Dated: April 8, 2009.

Michelle Snyder,

Acting Deputy Administrator, Centers for Medicare & Medicaid Services.

End Signature

SYSTEM No.:

09-70-0584.Start Printed Page 17674

SYSTEM NAME:

“Performance Measurement and Reporting System (PMRS),” HHS/CMS/OCSQ.

SECURITY CLASSIFICATION:

Level Three Privacy Act Sensitive.

SYSTEM LOCATION:

CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850 and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The system contains single and multi-payer, patient de-identified, individual physician, practitioner or other provider-level performance measurement results as well as, clinical and claims information provided by individual physicians, practitioners and providers of services, individuals assigned to provider groups, insurance and provider associations, government agencies, accrediting and quality organizations, and others who are committed to improving the quality of physician, practitioner, and other providers services.

CATEGORIES OF RECORDS IN THE SYSTEM:

This system contains the patient's or beneficiary's name, sex, health insurance claim number (HIC), Social Security Number (SSN), address, date of birth, medical record number(s), prior stay information, provider name and address, physician's name, and/or identification number, date of admission or discharge, other health insurance, diagnosis, surgical procedures, and a statement of services rendered for related charges and other data needed to substantiate claims. The system contains provider characteristics, prescriber identification number(s), assigned provider number(s) (facility, referring/servicing physician), and national drug code information, total charges, and Medicare payment amounts.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Authority for the collection, maintenance, and disclosures from this system is given under provisions of sections 1152, 1153(c), 1153(e), 1154, 1160, 1833(t), 1848(k), 1848(m), 1851(d) and 1862(g) of the Social Security Act; sections 101 and 109 of division B of the Tax Relief and Health Care Act of 2006; section 101 of the Medicare, Medicaid, and SCHIP Extension Act of 2007, sections 131 and 132 of MIPPA, and sections 901, 912, and 914 of the Public Health Service Act.

PURPOSE (S) OF THE SYSTEM:

The primary purpose of this system is to support the collection, maintenance, and processing of information to promote the delivery of high quality, efficient, effective and economical delivery of health care services, and promoting the quality of services of the type for which payment may be made under title XVIII by allowing for the establishment and implementation of performance measures, provision of feedback to physicians, and public reporting of performance information. Information in this system will also be disclosed to: (1) Support regulatory, reimbursement, and policy functions performed for the Agency or by a contractor, consultant, or a CMS grantee; (2) assist another Federal and/or state agency, agency of a state government, or an agency established by state law; (3) promote more informed choices by Medicare beneficiaries among their Medicare group options by making physician performance measurement information available to Medicare beneficiaries through a website and other forms of data dissemination; (4) provide CVEs and data aggregators with information that will assist in generating single or multi-payer performance measurement results to promote transparency in health care to members of their community; (5) assist individual physicians, practitioners, providers of services, suppliers, laboratories, and others health care professionals who are participating in health care transparency projects; (6) assist individuals or organizations with projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services; or for research, evaluation, and epidemiological projects related to the prevention of disease or disability; restoration or maintenance of health or for payment purposes; (7) assist Quality Improvement Organizations; (8) support litigation involving the agency; and (9) and (10) combat fraud, waste, and abuse in certain health benefits programs.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES:

A. Entities Who May Receive Disclosures Under Routine Use

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may release information from the PMRS without the consent/authorization of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish the following routine use disclosures of information maintained in the system:

1. To support Agency contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this SOR and who need to have access to the records in order to assist CMS.

2. Pursuant to agreements with CMS to assist another Federal or state agency, agency of a state government, or an agency established by state law to:

a. contribute to projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services,

b. contribute to the accuracy of CMS's proper payment of Medicare benefits,

c. enable such agency to administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds, and/or

d. assist Federal/state Medicaid programs which may require PMRS information for purposes related to this system.

3. To assist in making the individual physician-level performance measurement results available to Medicare beneficiaries, through a website and other forms of data dissemination, in order to promote more informed choices by Medicare beneficiaries among their Medicare coverage options.

4. To provide Chartered Value Exchanges (CVE) and data aggregators with information that will assist in generating single or multi-payer performance measurement results that will assist beneficiaries in making informed choices among individual physicians, practitioners and providers of services; enable consumers to compare the quality and price of health care services; and assist in providing transparency in health care at the local level if CMS:

a. determines that the use or disclosure does not violate legal limitations under which the record was provided, collected, or obtained;

b. determines that the purpose for which the disclosure is to be made:

(1) is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring, andStart Printed Page 17675

(2) there is reasonable probability that the objective for the use would be accomplished;

c. requires the recipient of the information to establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record,

d. make no further use or disclosure of the record except:

(1) for use in another project providing transparency in health care, under these same conditions, and with written authorization of CMS;

(2) when required by law.

e. secures a written statement attesting to the information recipient's understanding of and willingness to abide by these provisions. CVEs and data aggregators should complete a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies.

5. To assist individual physicians, practitioners, providers of services, suppliers, laboratories, and others health care professionals who are participating in health care transparency projects.

6. To assist an individual or organization with projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services; or for research, evaluation, and epidemiological projects related to the prevention of disease or disability; restoration or maintenance of health or for payment purposes if CMS:

a. determines that the use or disclosure does not violate legal limitations under which the record was provided, collected, or obtained;

b. determines that the purpose for which the disclosure is to be made:

(1) cannot be reasonably accomplished unless the record is provided in individually identifiable form,

(2) is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring, and

(3) there is reasonable probability that the objective for the use would be accomplished;

c. requires the recipient of the information to:

(1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, and

(2) remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the project, unless the recipient presents an adequate justification of a research or health nature for retaining such information, and

(3) make no further use or disclosure of the record except:

(a) for disclosure to a properly identified person, for purposes of providing transparency in health care enabling consumers to compare the quality and price of health care services so that they can make informed choices among individual physicians, practitioners and providers of services;

(b) in emergency circumstances affecting the health or safety of any individual;

(c) for use in another research project, under these same conditions, and with written authorization of CMS;

(d) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit; or

(e) when required by law.

d. secures a written statement attesting to the information recipient's understanding of and willingness to abide by these provisions. Researchers should complete a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies.

7. To support Quality Improvement Organizations (QIO) in connection with review of claims, or in connection with studies or other review activities conducted pursuant to Part B of Title XI of the Act and in performing affirmative outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans.

8. To support the Department of Justice (DOJ), court, or adjudicatory body when:

a. the Agency or any component thereof, or

b. any employee of the Agency in his or her official capacity, or

c. any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee, or

d. the United States Government,

is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records.

9. To assist a CMS contractor (including, but not limited to MACs, fiscal intermediaries and carriers) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such program.

10. To assist another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers, or that has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs.

B. Additional Circumstances Affecting Routine Use Disclosures

To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR Parts 160 and 164, Subparts A and E) 65 FR 82462 (12-28-00). Disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information.” (See 45 CFR 164-512(a)(1).)

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Records are stored on both tape cartridges (magnetic storage media) and in a DB2 relational database management environment (DASD data storage media).

RETRIEVABILITY:

Information is most frequently retrieved by HICN, provider number (facility, physician, IDs), service dates, and beneficiary state code.

SAFEGUARDS:

CMS has safeguards in place for authorized users and monitors such users to ensure against unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement Start Printed Page 17676appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.

This system will conform to all applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards as they relate to information security and data privacy. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications; the HHS Information Systems Program Handbook and the CMS Information Security Handbook.

RETENTION AND DISPOSAL:

Records are maintained with identifiers for all transactions after they are entered into the system for a period of 20 years. Records are housed in both active and archival files. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from the Department of Justice.

SYSTEM MANAGER AND ADDRESS:

Director, Quality Measurement and Health Assessment Group, Office of Clinical Standards and Quality, CMS, Room C1-23-14, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.

NOTIFICATION PROCEDURE:

For purpose of notification, the subject individual should write to the system manager who will require the system name, and the retrieval selection criteria (e.g., HICN, Provider number, etc.).

RECORD ACCESS PROCEDURE:

For purpose of access, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:

The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:

Medicare Beneficiary Database (09-70-0536), National Claims History File (09-70-0558), and private physicians, private providers, laboratories, other providers and suppliers who are participating in health care transparency projects sponsored by the Agency.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

None.

End Supplemental Information

[FR Doc. E9-8736 Filed 4-15-09; 8:45 am]

BILLING CODE 4120-03-P