Notice

Privacy Act of 1974; Report of a New System of Records

This document has been published in the Federal Register.

AGENCY:

Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS).

ACTION:

Notice to establish a new system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, CMS is establishing a new system of records to support its shared savings programs, the first of which are the Medicare Shared Savings Program and Pioneer ACO Model (collectively referred to as the ACO program). The ACO program implements recent health care reform provisions of the Patient Protection and Affordable Care Act (PPACA), amending the Social Security Act (the Act). The system of records will contain personally identifiable information (PII) about certain individuals who participate in, or whose PII is used to determine eligibility of an Accountable Care Organization (ACO) to participate in, a shared savings program; i.e., Medicare fee-for-service (FFS) beneficiaries, sole proprietor health care ACO participants and ACO suppliers/providers, key leaders and managers of accountable care organizations (ACOs), and contact persons for ACOs. The program and the system of records are more thoroughly described in the Supplementary Information section and System of Records Notice (SORN), below.

DATES:

CMS filed a new system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security & Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on September 14, 2011. To ensure that all parties have adequate time in which to comment, the new system, including routine uses, will become effective October 19, 2011. If CMS receives comments that require alterations to this notice, we will publish a revised notice in the Federal Register.

ADDRESSES:

The public should send comments to: CMS Privacy Officer, Division of Information Security & Privacy Management, Enterprise Architecture and Strategy Group, Office of Information Services, CMS, Room N1-24-08, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.-3 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT:

For Medicare Shared Savings Program: Rebecca Weiss, Program Analyst, Performance-Based Payment Policy Staff, Center for Medicare, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Mail-stop: C5-15-12, Baltimore, MD 21244-1850. Office: 410-786-8084, Facsimile: (410) 786-8005, E-mail address: aco@cms.hhs.gov.

For Pioneer ACO Model: Alli Chandra, Health Insurance Specialist, Center for Medicare and Medicaid Innovation, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Mailstop: S3-13-05, Baltimore, MD 21244-1850. Office Ph: 410-786-1132, Facsimile: (410) 786-0487, E-mail address: alli.chandra@cms.hhs.gov.

SUPPLEMENTARY INFORMATION:

This System of Records Notice (SORN) addresses a new system which HHS is establishing to support CMS shared savings programs created as a result of the Patient Protection and Affordable Care Act (Pub. L. 111-148), the first of which are the Medicare Shared Savings Program and Pioneer ACO Model (ACO program) described in more detail below.

I. Medicare Shared Savings Program

The recently passed health care reform bill, the Affordable Care Act (PPACA) (Pub. L. 111-148), contains provisions that seek to reward quality care and take steps toward paying for high quality and efficient care. One of these provisions, Section 3022, amended Title XVIII of the Social Security Act (the Act) (42 U.S.C. 1395 et seq.) by adding new section 1899 to the Act to establish a shared savings program (SSP) that promotes accountability for a patient population, coordinates items and services under Parts A and B, and encourages investment in infrastructure and redesigned care processes for high quality and efficient service delivery. Specifically:

  • Section 1899(a)(1) of the Act requires the Secretary to establish the shared savings program no later than January 1, 2012. Section 1899(a)(1)(A) of the Act further provides that, “groups of providers of services and suppliers meeting criteria specified by the Secretary may work together to manage and coordinate care for Medicare fee-for-service (FFS) beneficiaries through an accountable care organization (ACO).”
  • Section 1899(a)(1)(B) of the Act provides that ACOs that meet quality performance standards established by the Secretary are eligible to receive payments for “shared savings.”

The Shared Savings Program is a voluntary program. The statute provides that, to participate in the program, an ACO must “provide the Secretary with such information regarding the ACO professionals participating in the ACO as the Secretary determines necessary to support the assignment of Medicare fee-for-service beneficiaries to an ACO, the implementation of quality and other reporting requirements * * * and the determination of payments for shared savings.” The statute requires an ACO to meet certain eligibility criteria including, but not limited to, having “a formal legal structure that would allow the organization to receive and distribute payments for shared savings,” having “in place a leadership and management structure that includes clinical and administrative systems,” and demonstrating “to the Secretary that it meets patient-centeredness criteria specified by the Secretary.” In addition, the ACO must agree to participate for not less than 3 years, have a formal legal structure including primary care providers sufficient for the care of not less than 5000 beneficiaries, and meet other requirements.

The statute defines an ACO as an organization of health care providers that agrees to become accountable for the quality, cost, and overall care of Medicare beneficiaries who are enrolled in the traditional fee-for-service program who are assigned to it. The statute states that there are many types of organizational arrangements for eligibility to become an ACO, as determined appropriate by the Secretary.

To qualify for shared savings payments, the ACO must meet specific cost and quality benchmarks. Quality performance standards will be determined by the Secretary and may include measures of clinical processes and outcomes, patient and/or caregiver experience, and utilization measures. An ACO will be eligible to receive a share (a percentage, and any limits, to be determined by the Secretary) of any savings if the actual per capita expenditures of its assigned Medicare beneficiaries are a sufficient percentage below its specified benchmark amount. The benchmark for each ACO will be based on the most recent available three years of per-beneficiary expenditures for Parts A and B services for Medicare FFS beneficiaries assigned to the ACO. The benchmark for each ACO will be adjusted for beneficiary characteristics and other factors as determined by the Secretary, and updated by the projected absolute amount of growth in national per capita expenditures for Parts A and B.

II. Pioneer ACO Model

Another provision of the Affordable Care Act (PPACA), Section 3021, amended Title XVIII of the Social Security Act (the Act) (42 U.S.C. 1395 et seq.) by adding new section 1899 to the Act to establish the Center for Medicare and Medicaid Innovation (Innovation Center). The Innovation Center is tasked with development of the Pioneer ACO Model. Under the Pioneer ACO Model, the Innovation Center will engage up to 30 highly experienced provider organizations in testing alternative payment models that include escalating financial accountability and substantial quality/patient experience standards (“outcomes based arrangements”). CMS intends to pursue payment models that (1) include escalating levels of financial accountability through successive performance periods during the Participation Agreement; (2) provide a transition to Population-Based Payment by the third performance period, and (3) are projected by CMS to generate Medicare savings by the end of the second performance period.

III. The Privacy Act

The Privacy Act (5 U.S.C. 552a) governs the means by which the United States Government collects, maintains, and uses personally identifiable information (PII) in a system of records. A “system of records” is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses PII in the system, the routine uses for which the agency discloses such information outside the agency, and how individual record subjects can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them).

The Privacy Act permits an agency to disclose information about an individual (PII) without that individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such disclosure of PII is known as a “routine use.” HHS/CMS will only release PII from this system as provided in the “Routine Uses” section below. Both identifiable and non-identifiable data may be disclosed under a routine use. HHS/CMS will only disclose the minimum PII necessary to achieve the purpose of the routine use, after determining that:

  • The use or disclosure is consistent with the reason that the PII was collected;
  • The purpose for which the disclosure is to be made can only be accomplished if the record is provided in individually identifiable form;
  • The purpose for which the disclosure is to be made is of sufficient importance to warrant the effect on and/or risk to the privacy of the individual that additional exposure of the record might bring;
  • There is a strong probability that the proposed use of the data would in fact accomplish the stated purpose(s); and
  • The data are valid and reliable.

Additionally, HHS/CMS will require the information recipient to:

  • Establish administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record;
  • Remove or destroy at the earliest time all individually-identifiable information; and
  • Agree to not use or disclose the information for any purpose other than the stated purpose under which the information was disclosed.

SYSTEM NUMBER:

09-70-0598

SYSTEM NAME:

ACO Database System HHS/CMS/CM and HHS/CMS/CMMI.

SECURITY CLASSIFICATION:

Sensitive, unclassified.

SYSTEM LOCATION:

CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850 and at various accountable care organization (ACO) locations and contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The system will contain personally identifiable information (PII) about the following categories of individuals who participate in, or whose PII is used to determine eligibility of an ACO to participate in, a Health and Human Services (HHS) Centers for Medicare & Medicaid Services (CMS) Medicare shared savings program:

  • Medicare fee-for-service (FFS) beneficiaries who receive health care services coordinated and managed by a group of health care providers and suppliers organized to receive shared savings incentive payments, as an accountable care organization (ACO).
  • Any providers or suppliers participating in an ACO who are sole proprietorships, for whom certain business-identifying information may therefore constitute personally identifiable information.
  • Key leaders and managers of an ACO who provide certain personally identifiable information that is used to determine the ACO's eligibility to participate in the program.
  • Any contact persons for an ACO who provide contact information for use in contacting them for information about the ACO.

CATEGORIES OF RECORDS IN THE SYSTEM:

This system may include, but will not necessarily be limited to, the following categories of records, containing PII (or possible PII) data elements such as the following:

  • Medicare fee-for-service (FFS) beneficiary claims records, containing the beneficiary's name, gender, Health Insurance Claim Number (HICN) (which could be the beneficiary's Social Security Number), address, date of birth and description of provided services.
  • ACO eligibility and contact records, containing the ACO name and address (which could be the home address of a key leader or manager of the ACO); ACO participant or ACO provider/supplier names and addresses (which could include home addresses for any sole proprietor providers/suppliers in the ACO); ACO participant Tax Identification Number (TIN) (which could be a Social Security Number for a sole proprietor ACO participant or ACO provider/supplier in the ACO); National Provider Identifier (NPI) (which is considered PII for an individual provider/supplier); and (for individuals serving as key leaders or managers of an ACO) the individual's name and address (which could be a home address).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The Patient Protection and Affordable Care Act (Pub. L. 111-148), which amended Title XVIII of the Social Security Act (the Act) (42 U.S.C. 1395 et seq.) to add new section 1899 to the Act to establish a Medicare Shared Savings Program (MSSP); and Section 3021 of the Patient Protection and Affordable Care Act, which amended Title XI of the Social Security Act (the Act) (42 U.S.C. 1301 et seq.) to add new section 1115A to the Act to establish the Center for Medicare and Medicaid Innovation.

PURPOSE(S) OF THE SYSTEM:

The system will enable the HHS Centers for Medicare & Medicaid Services (CMS) to administer the ACO program. Relevant HHS personnel, and any CMS contractors, grantees and consultants assisting them, will use personally identifiable information (PII) from this system on a “need to know” basis for these purposes:

  • Beneficiary claims information and ACO eligibility and contact information will be used to support the regulatory, reimbursement and policy functions of shared savings programs and to combat fraud, waste and abuse in certain health benefits programs.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

Any of the PII from this system may be disclosed outside HHS for these routine uses:

1. To obtain assistance from other Federal agencies that help HHS, pursuant to agreements with CMS, to determine the eligibility of ACO applicants to participate in the program. For example, a TIN (which may be a Social Security Number) may be shared with the U.S. Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) for purposes of obtaining their assessment of the ACO applicant's market share status.

2. To provide ACOs with information they need to meet requirements and implement quality and other reporting requirements of the program.

3. To provide information to the U.S. Department of Justice (DOJ), a court, or an adjudicatory body when (a) the Agency or any component thereof, or (b) any employee of the Agency in his or her official capacity, or (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee, or (d) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court, or adjudicatory body is compatible with the purpose for which the agency collected the records.

4. To assist another Federal agency or an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers or that has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs.

5. To assist appropriate Federal agencies and HHS contractors that have a need to know the information for the purpose of assisting HHS's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, provided that the information disclosed is relevant and necessary for that assistance.

Additional Circumstances Affecting Disclosure of PII About Beneficiaries:

To the extent that the beneficiary claims records in this system contain Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR parts 160 and 164, subparts A and E), disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information” (see 45 CFR 164-512 (a) (1)). In addition, HHS policy will be to prohibit release even of data not directly identifiable with a particular beneficiary, except pursuant to one of the routine uses or if required by law, if HHS determines there is a possibility that a particular beneficiary can be identified through implicit deduction based on small cell sizes (instances where the patient population is so small that individuals could, because of the small size, use this information to deduce the identity of a particular beneficiary).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM—

STORAGE:

Electronic records will be stored on both tape cartridges (magnetic storage media) and in a DB2 and/or Oracle relational database management environment (DASD data storage media). Any hard copies of ACO program-related records containing PII at HHS/CMS, ACO and contractor locations will be kept in hard-copy file folders locked in secure file cabinets during non-duty hours.

RETRIEVABILITY:

Information may be retrieved by any of these personal identifiers: ACO participant TIN (which could be a sole proprietor provider/supplier's Social Security Number), National Provider Identifier (NPI), or beneficiary Health Insurance Claim Number (HICN) (which may be the beneficiary's Social Security Number).

SAFEGUARDS:

Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.

Access to records in the ACO Database System will be limited to CMS personnel, and any contractors, grantees and consultants assisting them, through password security, encryption, firewalls, and secured operating system.

Future system enhancements may allow for ACOs, ACO participants or ACO provider/suppliers, and beneficiaries to be external users of the system, for purposes of viewing and inputting their records in this system. Access controls will ensure that each external user is restricted to viewing only the user's own records, not records pertaining to other users.

Any electronic or hard copies of ACO program-related records containing PII at HHS/CMS, an ACO, and any contractor, grantee or consultant locations will be kept in secure electronic files or in hard-copy file folders locked in secure file cabinets during non-duty hours.

RETENTION AND DISPOSAL:

Records containing PII will be maintained for a period of up to 10 years after entry in the database. Any records that are needed longer, such as to resolve claims and audit exceptions or to prosecute fraud, will be retained until such matters are resolved. Beneficiary claims records are currently subject to a document preservation order and will be preserved indefinitely pending further notice from the U.S. Department of Justice.

SYSTEM MANAGER AND ADDRESS:

Director, Performance-Based Payment Policy Staff, Center for Medicare, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Mail stop: C5-15-12, Baltimore, MD 21244-1850; and

Director, Pioneer ACO Model, Center for Medicare and Medicaid Innovation, Centers for Medicare and Medicaid Services, Mailstop: S3-13-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.

NOTIFICATION PROCEDURE:

Individuals wishing to know if this system contains records about them should write to one of the system managers and include the pertinent personal identifier used for retrieval of their records (i.e., TIN, NPI or beneficiary Health Insurance Claim Number).

RECORD ACCESS PROCEDURE:

Individuals seeking access to records about them in this system should follow the same instructions indicated under “Notification Procedure” and reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a)(2).)

CONTESTING RECORD PROCEDURES:

Individuals seeking to contest the content of information about them in this system should follow the same instructions indicated under “Notification Procedure.” The request should reasonably identify the record and specify the information being contested, state the corrective action sought, and provide the reasons for the correction, with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:

Personally identifiable information in this database is obtained from the Medicare Beneficiary Database (MBD) (09-70-0536), from the National Claims History File (NCH) (09-70-0558), and from ACOs that provide the information as required to perform the statutory functions of beneficiary assignment, implementation of quality and other reporting requirements, and determination of shared savings.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:

None.

Dated: September 14, 2011.

Michelle Snyder,

Deputy Chief Operating Officer, Centers for Medicare & Medicaid Services.

[FR Doc. 2011-23959 Filed 9-15-11; 11:15 am]

BILLING CODE 4120-03-P