Skip to Content

Notice

Privacy Act of 1974; Report of New System of Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS).

ACTION:

Notice of New System of Records (SOR).

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, we are proposing to establish a new SOR, titled “CMS Encounter Data System (EDS)”, System No. 09-70-0506. CMS intends to collect encounter data, or data on each item or service delivered to enrollees of Medicare Advantage (MA) plans offered by MA organizations as defined at Title 42, Code of Federal Regulation (CFR), § 422.4. Pursuant to 42 CFR 422.310, each MA organization must submit encounter data to CMS that is used to determine the risk adjustment factors for payment, updating the risk adjustment model, calculating Medicare Disproportionate Share Hospital (DSH) percentages, Medicare coverage purposes, and quality review and improvement activities. Encounter data will be collected and maintained in the EDS.

Under the authority granted in Section 1115 of the Social Security Act (the Act), CMS is authorized to conduct experimental, pilot or demonstration Start Printed Page 34540projects. CMS is conducting a demonstration project under the Financial Alignment Initiative to test a new capitated payment system and item/service delivery model designed to lower costs and improve the quality of care for individuals eligible for both Medicare and Medicaid (dual eligibles). CMS and the participating State Medicaid agency jointly contract with health plans (known as Medicare-Medicaid Plans or “MMPs”). MMPs are paid monthly on a capitated basis and are required to submit to CMS comprehensive encounter data on each item or service provided to each enrollee, including both Medicare and Medicaid items and services. The program and the SOR are more thoroughly described in the Supplemental Information section and System of Records Notice (SORN), below.

DATES:

Effective 30 days after publication. Written comments should be submitted on or before the effective date. HHS/CMS/CM may publish an amended SORN in light of any comments received.

ADDRESSES:

The public should send comments to: CMS Privacy Officer, Division of Privacy Policy, Privacy Policy and Compliance Group, Office of E-Health Standards and Services, Offices of Enterprise Management, CMS, Room S2-24-25, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time zone.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Shari Kosko, Division of Encounter Data and Risk Adjustment Operations, Medicare Plan Payment Group, Center for Medicare, Centers for Medicare & Medicaid Services, Mail Stop C1-13-07, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. The telephone number is (410) 786-6159 or email: Shari.Kosko@cms.hhs.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Medicare beneficiaries who receive both Part A and Part B benefits may elect to receive their Medicare coverage by enrolling in a plan offered by a MA organization or certain other Medicare private plans. MA plans must provide all Medicare-covered items and services, and may also provide additional benefits not covered by Original Medicare. CMS pays MA organizations on a monthly capitated rate for each beneficiary enrolled, and the MA organizations are responsible for paying providers for items and services that are provided to enrolled beneficiaries. All MA organizations are required to submit encounter data that CMS uses to adjust the advanced monthly payments made to the MA organization.

CMS will collect encounter data for all items and services provided to MA plan enrollees covered by all MA organizations in the states where the demonstration projects are being conducted. In the case of cost plans, only encounter data for items and services covered by the plans will be collected. None of the data that will be included in the EDS will come from Medicare Part A or Part B data, nor will any additional identifiers be provided in the EDS data submitted by the MA organizations. However, the data submitted to EDS will be provided into the Integrated Data Repository (IDR) and will be available along with Medicare Part A and Part B data.

Beginning with calendar year 2007, 100 percent of monthly payments to MA organizations have been subject to adjustment based on risk adjustment factors. Given the increased importance of the accuracy of our risk adjustment methodology, CMS amended 42 CFR 422.310 in August of 2008 to authorize the collection of data from MA organizations regarding each item and service provided to a MA plan enrollee. Once encounter data for MA enrollees are available in the EDS, CMS will have beneficiary-specific information on the utilization of items and services by MA plan enrollees. These data will primarily be used to develop and calibrate the CMS hierarchical condition categories (CMS-HCC) for risk adjustment models using MA patterns of diagnoses and expenditures. These new models will be used to calculate the risk adjustment factors used to adjust advanced monthly payments to MA plans made by CMS on behalf of beneficiaries. The data will also be used for other purposes such as calculating Disproportionate Share Hospital (DSH) payments and quality improvement activities, etc. as outlined in 42 CFR 422.310(f).

The types of MA organizations that CMS collects encounter data from include: coordinated care plans (including Special Needs Plans), private fee for service plans, and a combination of a MA Medical Savings Account (MSA) and a contribution into a MA MSA established in accordance with 42 CFR 422.262. These categories also include Medicare Advantage-Prescription Drug plans, Program-of-All-Inclusive-Care-for-the-Elderly-(PACE) organizations, Employer Group Health Plans (EGHPs), Section 1833 health care prepayment plans (HCPPs) and Section 1876 plans operated by an HMO or Competitive Medical Plan (HMO/CMP) (42 U.S.C. 1833 and 42 U.S.C. 1876, referred to collectively as “cost plans”).

The encounter data that CMS collects includes, the identity of the Medicare beneficiary, the provider, the place of service, and the item or service provided. In addition to identifying information about the beneficiary and provider, other significant data elements submitted by the MA organization include, claim pricing information, contact information, service provider information, revenue center codes, modifiers, Healthcare Common Procedure Coding System (HCPCS) codes, and Current Procedural Terminology (CPT) codes.

The Privacy Act

The Privacy Act (5 U.S.C. 552a) governs the means by which the United States Government maintains personally identifiable information (PII) in a system of records. A “system of records” is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including a description of the categories of records maintained in the system, the source(s) of records in the system, the purposes for which the agency uses PII in the system, the routine uses for which the agency discloses such information outside the agency, and how individual record subjects can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them).

SYSTEM NUMBER: 09-70-0506

SYSTEM NAME:

CMS Encounter Data System (EDS), HHS/CMS/CM.

SECURITY CLASSIFICATION:

Sensitive, unclassified.

SYSTEM LOCATION:

CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850; CDS Columbia Data Center EDC2, I-20 at Alpine Road, AA-278, Columbia, SC 29219; and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Information maintained in this system includes identifying information of individuals and beneficiaries who have enrolled in a MA plan (including coordinated care plans, Special Needs Start Printed Page 34541Plans, private fee for service plans, Medicare Medical Savings Accounts, PACE organizations, MMPs, and MA-PD plans) (Medicare Advantage plus Part D plans) (collectively, “MA plan enrollees”), whose information is reported by a Medicare provider, supplier, physician, or other practitioner. It also includes identifying information of those health care professionals who provide the items or services to individuals during a service year.

CATEGORIES OF RECORDS IN THE SYSTEM:

The system contains the name and other identifying information of the MA plan enrollee, beneficiary; and the name, work address, work phone number, social security number, National Provider Identification Number (NPI) of servicing providers, supplier, physician, or other practitioner. CMS will collect the admission date, discharge date, health insurance claim number (HICN), Medicare hospital number/CCN (CMS Certification Number) and other identifying demographics of individuals necessary to characterize the context and purposes of each item and service provided to a Medicare enrollee by a provider, supplier, physician, or other practitioner. MA plans will make data collection changes from 5 data elements currently collected to all of the required data elements on the HIPAA 5010 version of the X12 standards.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Section 1853(a)(3)(B) of the Act requires that MA organizations and certain other private Medicare plans submit data regarding inpatient hospital and other services that CMS deems necessary to risk adjust these payments. The final 2009 Inpatient Prospective Payment System rule (73 FR 48757, August 19, 2008) modified 42 CFR 422.310 to clarify that the Secretary has the authority to require MA organizations and other private plans to submit encounter data for each item and service provided to a MA plan enrollee. Information for the Financial Alignment Initiative is being collected from MA plans that provide an integrated set of Medicare and Medicaid services through the demonstration project authorized under section 1115 of the Act.

PURPOSE(S) OF THE SYSTEM:

The primary purpose of the SOR is to collect and maintain encounter data for each item and service provided to MA plan enrollees reported by a Medicare provider, supplier, physician, or other practitioner. CMS will collect information necessary to determine the risk adjustment factors used to adjust payments, calculate Medicare DSH percentages, conduct quality review and improvement activities, and for other Medicare coverage purposes. Information retrieved from this SOR will also be disseminated or disclosed to: (1) Support regulatory, reimbursement, and policy functions performed within the Agency or by a contractor, consultant, or a CMS grantee; (2) assist another Federal agency, agency of a state government, an agency established by state law, or its fiscal agent; (3) assist MA plans with required collection of encounter data obtained from the provider, supplier, physician, or other practitioner that furnished the item or service; (4) support an individual or organization for a research; (5) support litigation involving the Agency related to this SOR; (6) to assist a contractor combat fraud, waste, and abuse in certain health care programs; (7) to assist another Federal agency combat fraud, waste, and abuse; (8) to assist appropriate Federal agencies and CMS contractors and consultants to assist in CMS' efforts to respond to a suspected or confirmed breach; (9) assist the U.S. Department of Homeland Security (DHS) cyber security personnel; and (10) assist with emergency preparedness.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES:

Entities Who May Receive Disclosures Under Routine Uses

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may release information from the EDS without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible under 42 CFR 422.310, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish the following routine use disclosures of information maintained in the system:

1. To Agency contractors, consultants, or CMS grantees who have been engaged by the Agency in order to support them in accomplishment of a CMS function relating to the purposes for this collection and who need to have access to the records in order to assist CMS.

2. To another Federal agency, agency of a state government, an agency established by state law, or its fiscal agent in order to:

a. Contribute to the accuracy of CMS' proper payment of Medicare benefits,

b. enable such agency to administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds, and/or

c. fulfill oversight, regulatory, or policy functions performed by such agency.

3. To assist MA plans with the required collection of encounter data, which is to be obtained from the provider, supplier, physician, or other practitioner that furnished the item or service.

4. To an individual or organization to support or assist them with (a) a research, evaluation or epidemiological project related to the prevention of disease or disability, the restoration or maintenance of health, (b) payment related projects, and (c) analysis of the provision of health services.

5. To provide information to the U.S. Department of Justice (DOJ), a court, or an adjudicatory body when (a) CMS or any component thereof, or (b) any employee of CMS in his or her official capacity, or (c) any employee of CMS in his or her individual capacity where the DOJ has agreed to represent the employee, or (d) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court, or adjudicatory body is compatible with the purpose for which the agency collected the records.

6. To a CMS contractor (including but not limited to Medicare Administrative Contractors) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such program.

7. To another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers or that has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, Start Printed Page 34542investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs.

8. To appropriate Federal agencies and CMS contractors and consultants that have a need to know the information for the purpose of assisting CMS' efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this SOR, provided that the information disclosed is relevant and necessary for that assistance.

9. To the U.S. Department of Homeland Security (DHS) cyber security personnel, if captured in an intrusion detection system used by HHS and DHS pursuant to the Einstein 2 programs.

10. To disclose the personally identifiable information of MA plan enrollees to public health authorities, and those entities acting under a delegation of authority from a public health authority, when requesting such information to carry out statutorily-authorized public health activities pertaining to emergency preparedness and response. Disclosures under this routine use will be limited to “public health authorities”, “public health activities”, and “minimum necessary data”, as defined in the HIPAA Privacy Rule (45 CFR 154.502, 164.512(b), 164.502(b) and 164.514(d)(3)(iii)(A)).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM

STORAGE:

All records are stored on magnetic media.

RETRIEVABILITY:

All records are accessible by NPI/NPPES or by beneficiary HICN. This system supports both on-line and batch access. The EDS system itself does not provide reporting capabilities. All reporting functionality can be found in the IDR.

SAFEGUARDS:

Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational, and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems, and to prevent unauthorized access. Access to records in the EDS will be limited to CMS personnel and approved contractors.

RETENTION AND DISPOSAL:

Records containing PII will be maintained for a period of up to 10 years after entry in the database. Any such records that are needed longer, such as to resolve claims and audit exceptions or to prosecute fraud, will be retained until such matters are resolved. Enrollee claims records are currently subject to a document preservation order and will be preserved indefinitely pending further notice from the DOJ.

SYSTEM MANAGER AND ADDRESS:

Director, Division of Risk Adjustment Payment and Policy, Medicare Plan Payment Group, Center for Medicare, Centers for Medicare & Medicaid Services.

NOTIFICATION PROCEDURE:

Individuals wishing to know if this system contains records about them should write to the system managers and include the pertinent personal identifier used for retrieval of their records (i.e., TIN, NPI or HICN).

RECORD ACCESS PROCEDURE:

Individuals seeking access to records about them in this system should follow the same instructions indicated under “Notification Procedure” and reasonably specify the record contents being sought. (These procedures are in accordance with HHS Privacy Act regulations at 45 CFR 5b.5 (a)(2)).

CONTESTING RECORD PROCEDURES:

Individuals seeking to contest the content of information about them in this system should follow the same instructions indicated under “Notification Procedure.” The request should reasonably identify the record and specify the information being contested; state the corrective actions sought, and provide the reasons for the correction, with supporting justification. (These procedures are in accordance with HHS Privacy Act regulations at 45 CFR 5b.7).

RECORD SOURCE CATEGORIES:

Sources of information contained in this records system include data collected from MA organizations and encounter data obtained from the provider, supplier, physician, or other practitioner that furnished the item or service.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

None.

Start Signature

Celeste Dade-Vinson,

Health Insurance Specialist, Centers for Medicare & Medicaid Services.

End Signature End Supplemental Information

[FR Doc. 2014-14038 Filed 6-16-14; 8:45 am]

BILLING CODE 4120-03-P