

Privacy Act of 1974; Report of New System of Records

This document has been published in the Federal Register.



Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).


Notice of a new system of records.


In accordance with the requirements of the Privacy Act of 1974, CMS is establishing a new system of records (SOR) titled, “Long Term Care Hospitals Quality Reporting Program (LTCH QRP),” System No. 09-70-0539. The new system will support a new quality reporting program for Long Term Care Hospitals (LTCH) created pursuant to Section 3004 of the Patient Protection and Affordable Care Act of 2010 (ACA) (Pub. L. 111-148), amending the Social Security Act (the Act) (42 U.S.C. 1886(m)).


Effective Dates: Effective 30 days after publication. Written comments should be submitted on or before the effective date. HHS/CMS/CCSQ may publish an amended SORN in light of any comments received.


The public should address comments to: CMS Privacy Officer, Privacy Policy Compliance Group, Office of E-Health Standards & Services, Office of Enterprise Management, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, MD 21244-1870, Mailstop: S2-24-25, Office: (410) 786-5357, Facsimile: (410) 786-1347, E-Mail: Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time zone.



Caroline Gallaher, Nurse Consultant, CMS, Centers for Clinical Standards and Quality, Quality Measurement & Health Assessment Group, Division of Chronic & Post-Acute Care, 7500 Security Boulevard, Mail Stop S3-02-01, Baltimore, MD 21244-1850. Office: 410-786-8705, Facsimile: (410) 786-8532, Email address:



I. Background on the LTCH QRP System

The ACA directs the Secretary of HHS to compile, and eventually publish, quality measure data, measuring the quality of care provided to patients in LTCHs. The quality measure data is required to be valid, meaningful, and feasible to collect, and to address symptom management, patient preferences and avoidable adverse events. Although CMS administers the LTCH QRP, information is also collected on LTCH patients who may not be Medicare beneficiaries.

CMS created the LTCH QRP System (the System) to house the data sets needed for the Program. The first quality measure for which CMS has begun compiling data under the Program is “the Percent of Patient Residents with Pressure Ulcers That Are New or Worsened.” CMS developed the “LTCH Continuity Assessment Record & Evaluation (CARE) Data Set” (LTCH CARE Data Set) as the vehicle by which the System will collect pressure ulcer quality measure data from LTCH patients and LTCH providers, after determining that there were no existing suitable data sets that could be leveraged to supply quality measure data about pressure ulcers in the LTCH setting. As additional quality measures are added to the Program, data items will be added to the LTCH CARE Data Set to compile quality measure data about other conditions.

II. Personally Identifiable Information in LTCH

Most of the personally identifiable information (PII) in LTCH will be about LTCH patients; however, certain information may be collected about providers who work in LTCHs that may be considered to be PII (i.e., National Provider Identifier (NPI), personal contact information, and Social Security Number (SSN), if used for business purposes). At this time, the LTCH CARE Data Set includes these components: (1) Condition (i.e., pressure ulcer) documentation; (2) selected covariates related to the condition; and (3) patient demographic information. The PII in LTCH, and how it may be used and disclosed, is more fully described in the System of Records Notice (SORN), below. LTCH data when published on the Internet will be in aggregate form and will not contain any personally identifiable data elements.

III. The Privacy Act

The Privacy Act (5 U.S.C. 552a) governs the means by which the United States Government collects, maintains, and uses personally identifiable information (PII) in a system of records. A “system of records” is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses PII in the system, the routine uses for which the agency discloses such information outside the agency, and how individual record subjects can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them).




“Long Term Care Hospitals Quality Reporting Program (LTCH QRP)” HHS/CMS/CCSQ.




CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850, and at various LTCHs and contractor sites.


The system will contain personally identifiable information (PII) about the following categories of individuals who participate in or are involved with the LTCH QRP: LTCH patients and Medicare beneficiaries, who receive health care services coordinated and managed by LTCHs; any providers and/or any contact persons for a LTCH who provide home or personal contact information.


This system will include the following categories of records, containing, but not necessarily limited to, the following PII data elements: Patient/beneficiary condition, selected covariates about the condition, and patient/beneficiary demographic records containing the patient/beneficiary's name, gender, beneficiary's Health Insurance Claim Number (HICN) or patient's SSN, address, and date of birth. LTCH provider records, containing the provider's name, address, and the Taxpayer Identification Number (TIN), which could be a Social Security Number (SSN); and National Provider Identifier (NPI).


Section 3004 of the Patient Protection and Affordable Care Act of 2010 (Pub. L. 111-148), amending the Social Security Act (42 U.S.C. 1886(m)).


CMS will use this system to compile quality measure data, measuring the quality of care provided to patients in LTCHs. CMS will or may use personally identifiable information from this system to: (1) Support regulatory, reimbursement, and policy functions performed by Agency contractors, consultants, or CMS grantees; (2) assist federal and state agencies and their fiscal agents to perform the statutory functions of the LTCH QRP; (3) assist LTCHs with the statutory reporting requirements; (4) support research, evaluation, or epidemiological projects related to the prevention of disease or disability, or the restoration or maintenance of health, and for payment related projects; (5) support the functions of Quality Improvement Organizations; (6) support the functions of national accrediting organizations; (7) support litigation involving the agency; (8) combat fraud, waste, and abuse in certain health benefits programs; (9) assist agencies, entities, contractors, or persons tasked with the response and remedial efforts in the event of a breach of information; and (10) assist the U.S. Department of Homeland Security (DHS) cyber security personnel.


A. Entities Who May Receive Disclosures Under Routine Use

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may release information from LTCH without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish the following routine use disclosures of information maintained in the system:

1. To support Agency contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this collection and who need to have access to the records in order to assist CMS.

2. To assist another Federal agency, agency of a State government, an agency established by State law, or its fiscal agents with information that is necessary and/or required in order to perform the statutory functions of the LTCH QRP.

3. To provide LTCHs with information they need to meet any statutory requirements of the program, assist with other reports as required by CMS, and to assist in the implementation of quality standards.

4. To support an individual or organization for research, as well as evaluation or epidemiological projects related to the prevention of disease or disability, the restoration or maintenance of health, or for understanding and improving payment projects.

5. To support Quality Improvement Organizations (QIO) in connection with review of claims, or in connection with studies or other review activities conducted pursuant to Part B of Title XI of the Act, and in performing affirmative outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans.

6. To assist national accrediting organization(s) whose accredited facilities are presumed to meet certain Medicare requirements (e.g., the Joint Commission for the Accreditation of Healthcare Organizations, the American Osteopathic Association, or the Commission on Accreditation of Rehabilitation Facilities).

7. To provide information to the U.S. Department of Justice (DOJ), a court, or an adjudicatory body when (a) the Agency or any component thereof, or (b) any employee of the Agency in his or her official capacity, or (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee, or (d) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court, or adjudicatory body is compatible with the purpose for which the agency collected the records.

8. To assist a CMS contractor (including, but not limited to Medicare Administrative Contractors, fiscal intermediaries, and carriers) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such program.

9. To assist another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers or that has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs.

10. To disclose records to appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.

11. To assist the U.S. Department of Homeland Security (DHS) cyber security personnel, if captured in an intrusion detection system used by HHS and DHS pursuant to the Einstein 2 program.


To the extent that the individual claims records in this system contain Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR Parts 160 and 164, Subparts A and E), disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information” (see 45 CFR 164.512(a)(1)).

In addition, HHS policy will be to prohibit release even of data not directly identifiable with a particular individual, except pursuant to one of the routine uses or if required by law, if CMS determines there is a possibility that a particular individual can be identified through implicit deduction based on small cell sizes (instances where the patient population is so small that individuals could, because of the small size, use this information to deduce the identity of a particular individual).



All records are stored on magnetic media.


Information may be retrieved by any of these personal identifiers: provider's TIN (which could be a SSN); National Provider Identifier (NPI); Patient's SSN or a Beneficiary's HICN; a patient's or beneficiary's name in combination with the patient's or beneficiary's date of birth.


Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access. Access to records in the LTCH database system will be limited to CMS personnel and contractors through password security, encryption, firewalls, and a secured operating system. Any electronic or hard copies of financial-related records containing PII at CMS and contractor locations will be kept in secure electronic files or in file folders locked in secure file cabinets during non-duty hours.


Records containing PII will be maintained for a period of up to 10 years after entry in the database. Any such records that are needed longer, such as to resolve claims and audit exceptions or to prosecute fraud, will be retained until such matters are resolved. Beneficiary claims records are currently subject to a document preservation order and will be preserved indefinitely pending further notice from the U.S. Department of Justice.


Director, Division of Chronic & Post-Acute Care, Quality Measurement & Health Assessment Group, Center for Clinical Standards and Quality, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Mail Stop S3-02-01, Baltimore, MD 21244-1850.


An individual record subject who wishes to know if this system contains records about him or her should write to the system manager who will require the system name, HICN, and for verification purposes, the subject individual's name (woman's maiden name, if applicable), and SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay).


An individual seeking access to records about him or her in this system should use the same procedures outlined in Notification Procedures above. The requestor should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2).)


To contest a record, the subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. The individual should state the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)


Personally identifiable information in this database is collected by LTCH providers from and about LTCH patients and beneficiaries by means of the LTCH CARE Data Set. LTCH data is reported to CMS from LTCH providers through an on-line system known as LTCH Assessment Submission Entry and Reporting (LASER).




Dated: January 10, 2013.

Michelle Snyder,

Deputy Chief Operating Officer, Centers for Medicare & Medicaid Services.


[FR Doc. 2013-02669 Filed 2-5-13; 8:45 am]