Skip to Content

Notice

Privacy Act of 1974; Report of Modified System of Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS).

ACTION:

Notice of a Modified System of Records (SOR).

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, we are proposing to modify an existing SOR titled, “Chronic Condition Data Repository (CCDR), System No. 09-70-0573” last published at 71 FR 54495, September 15, 2006. The current name of the SOR, Chronic Condition Data Repository, was developed during the planning and development stages of the system. Upon the implementation and throughout the operations and maintenance stages of the system, the system has been referred to as the Chronic Condition Warehouse (CCW) in common usage and written references. In keeping with this current usage, we will modify the name of this SOR to read, and from this point forward will refer to the system as: “Chronic Condition Warehouse (CCW).”

We propose to broaden the scope of the system to include data that can be easily linked, at the individual patient level, to all Medicare and Medicaid claims, enrollment and/or eligibility data, nursing home and home health assessments, and CMS beneficiary survey data. Accordingly, we are updating the Authority Section to include Title XVIII of the Social Security Act as amended (the Act); Section 1902(a)(6) of the Act; Section Start Printed Page 648031142(c)(6) of the Act; and Title IV of the Balanced Budget Act (Pub. L. 105-33). The Record Source Categories section will be modified to include data from two new systems of records: the CMS Encounter Data System, System No. 09-70-0506, and the National Death Index, System No. 09-20-0166. These modifications will make the CCW a more useful tool by which to support research, policy analysis, quality improvement activities, and demonstrations that attempt to foster a better understanding of how to improve the quality of life and contain the health care costs of the chronically ill.

We propose to modify existing Routine Use Number 1, to limit disclosures only to contractors of CMS. We also propose to add two new routine uses. Specifically, we propose adding a routine use to permit disclosures to healthcare providers who seek patient information for use in care coordination and quality improvement activities as described at 45 CFR 164.506(c)(4). This routine use will be added as Routine Use Number 4. We also propose adding a routine use to support public or private Qualified Entities (QEs) that use Medicare claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resource use. This routine use will be added as routine use number 6.

Finally, we are modifying the language in Routine Use Number 3 to include grantees of CMS administered grant programs and have made minor grammatical changes to Routine Use Number 10. These modifications will provide a better explanation as to the need for the routine use, and to clearly state CMS's intention when making disclosures of individually identifiable information contained in this system.

We have provided background information about the modified system in the Supplementary Information section below. Although the Privacy Act requires only that the “Routine Use” section of the system of records notice be published for comment, CMS invites comments on all portions of this notice. See the Effective Dates section for information on the comment period.

DATES:

Effective Dates: CMS filed a modified SOR report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security and Government Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on September 16, 2014. To ensure that all parties have adequate time in which to comment, the modified notice will become effective 30 days from the publication of the notice, or 40 days from the date it was submitted to OMB and the Congress, whichever is later. We may defer implementation of this modified system or one or more of the new routine uses listed below if we receive comments that persuade us to defer implementation.

ADDRESSES:

The public should address comments to: CMS Privacy Officer, Privacy Policy Compliance Group, Office of E-Health Standards & Services, Office of Enterprise Management, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1870, Mailstop: S2-24-25, Office: (410) 786-5357, E-Mail: walter.stone@cms.hhs.gov. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time zone.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Michelle Seal, Health Insurance Specialist, Division of Research Data Development (DRDD), Data Development and Services Group, Office of Information Products and Data Analytics (OIPDA), OEM, CMS, Mail Stop B2-29-04, 7500 Security Boulevard, Baltimore, MD 21244-1850. Office Phone: 410-786-3679, Email address: michelle.seal@cms.hhs.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

The CCW will house data that will be easily linked, at the individual patient level, for all Medicare and Medicaid claims, enrollment and/or eligibility data, nursing home and home health assessments, and CMS beneficiary survey data. This data repository will transform and summarize this administrative health and health insurance information into data which will support research, policy analysis, quality improvement activities, demonstrations, and studies. These are aimed at improving the quality of care and reducing the cost of care for chronically ill Medicare beneficiaries and Medicaid recipients.

The repository is designed to encourage research and innovation that will reduce program spending, inform policy analyses, make current Medicare and Medicaid program data more readily available to researchers to study chronic illness in the Medicare and Medicaid populations, and improve process time for research data requests by refocusing on analytic, as opposed to operational considerations. The repository will also use utilize data analytic tools to organize and transform diagnostic information on a beneficiary's Medicare or Medicaid claims into information about their chronic medical conditions.

The Virtual Research Data Center (VRDC), an analytic tool, provides a secure mechanism for accessing and analyzing data within the environment instead of sending physical data files to researchers for analysis at their site. The workbench analytic tool provides users with the ability to create a custom sample of individuals and view associated claims within the VRDC environment. Analysis of data using these tools increases the privacy and security of the data.

The Privacy Act

The Privacy Act governs the collection, maintenance, use, and dissemination of certain information about individuals by agencies of the Federal Government.

A “SOR” is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a description of the type and character of each system of records that the agency maintains, and the routine uses that are contained in each system to make agency recordkeeping practices transparent, to notify individuals regarding the uses to which their records are put, and to assist individuals to more easily find such files within the agency.

SYSTEM NUMBER: 09-70-0573

SYSTEM NAME:

“Chronic Condition Warehouse” (CCW) HHS/CMS/OEM.

SECURITY CLASSIFICATION:

Unclassified

SYSTEM LOCATION:

CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850, and at various contractor sites.

CATEGORIES OF INDIVIDUALS IN THE SYSTEM:

CCW will collect and maintain individually identifiable and other data collected on Medicare beneficiaries, Medicaid recipients, and individually identifiable data on certain health care professionals.

CATEGORIES OF RECORDS IN THE SYSTEM:

The collected information will include, but is not limited to, individually identifiable Medicare and Medicaid claims, enrollment, and eligibility data, including names, addresses, health insurance claims numbers, social security numbers, race/Start Printed Page 64804ethnicity data, gender, date of birth, Medicare Part A, B and C enrollment information, prescription drug coverage information, surgical procedures, diagnoses, provider name(s), unique provider identification numbers, National Provider Identification Numbers (NPI) as well as clinical assessment and outcome measures, and demographic, health/well-being, and background information relating to Medicare and Medicaid issues.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The CCW is authorized by Sections 723 of the Medicare Prescription Drug Improvement and Modernization Act of 2003 (MMA) (Pub. L. 108-173), which was enacted into law on December 8, 2003, and amended Title XVIII of the Social Security Act (the Act); Section 1902(a)(6) of the Act; Section 1142(c)(6) of the Act; and Title IV of the Balanced Budget Act (Pub. L. 105-33).

PURPOSE(S) OF THE SYSTEM:

The purpose of this system is to support research, policy analysis, quality improvement activities, and demonstrations that attempt to foster a better understanding of how to improve the quality of life and contain the health care costs of the chronically ill. This system will utilize data analytic tools to support accessing data by chronic conditions and process complex customized data requests related to chronic illnesses.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES:

A. Entities Who May Receive Disclosures under Routine Use

The Privacy Act allows CMS to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a “routine use”. The proposed routine uses in this system meet the compatibility requirement of the Privacy Act. We are proposing to establish the following routine use disclosures of information maintained in the system:

1. To CMS contractors who have been engaged by the agency to assist in the performance of a service related to this collection and who need to have access to the records in order to perform the activity.

2. To another Federal or state agency to:

a. Contribute to the accuracy of CMS's proper payment of Medicare benefits;

b. Enable such agency to administer a Federal health benefits program, or, as necessary, to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and/or

c. Assist Federal and/or state officials carrying out the Medicaid program.

3. To an individual or organization including grantees of a CMS administered grant program that require individually identifiable health information for use in research projects including any evaluation project related to the prevention of disease or disability, the restoration or maintenance of health, or payment reform related projects that produces generalizable knowledge.

4. To a healthcare provider who seeks patient information for use in care coordination and quality improvement activities as described at 45 CFR 164.506(c)(4);

5. To Quality Improvement Organizations (QIO) in connection with review of claims, or in connection with studies or other review activities conducted pursuant to Part B of Title XI of the Act, and in performing affirmative outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans.

6. To a public or private Qualified Entity (QE) that uses Medicare claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resource use; and who agrees to meet the requirements regarding the transparency of their methods and their use and protection of Medicare data.

7. To the Department of Justice (DOJ), court or adjudicatory body when: a. The agency or any component thereof, or b. Any employee of the agency in his or her official capacity, or c. Any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee, or d. The United States Government, is a party to litigation or has an interest in such litigation, and, by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records.

8. To a CMS contractor (including, but not necessarily limited to, Medicare Administrative Contractors (MACs)) that assists in the administration of a CMS- administered health benefits program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such program.

9. To another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency), that administers, or that has the authority to investigate potential fraud or abuse in, a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such programs.

10. To Federal Departments, agencies and their contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, where the information disclosed is relevant to and necessary for that assistance.

11. To the U.S. Department of Homeland Security (DHS) cyber security personnel, if captured in an intrusion detection system used by HHS and DHS pursuant to the Einstein 2 program.

12. To public health authorities, and those entities acting under a delegation of authority from a public health authority, when requesting beneficiary-identifiable information to carry out statutorily-authorized public health activities pertaining to emergency preparedness and response.

B. ADDITIONAL CIRCUMSTANCES AFFECTING DISCLOSURE OF PII DATA:

To the extent that the individual claims records in this system contain Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR parts 160 and 164, Subparts A and E), disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information” (see 45 CFR 164-512 (a) (1)).

In addition, HHS policy will be to prohibit release even of data not directly identifiable with a particular individual, except pursuant to one of the routine uses or if required by law, if CMS determines there is a possibility that a particular individual can be identified through implicit deduction based on small cell sizes (instances where the patient population is so small that individuals could, because of the small Start Printed Page 64805size, use this information to deduce the identity of a particular individual).

RETENTION AND DISPOSAL:

CMS will retain information for a total period not to exceed 30 years. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from DOJ.

RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

All records are stored on electronic media.

RETRIEVABILITY:

The collected data are retrieved by an individual identifier; e.g., beneficiary, recipient or provider name, HICN, or unique provider identification number (NPI).

SAFEGUARDS:

CMS has safeguards in place for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.

This system will conform to all applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: The Privacy Act of 1974; and the Federal Information Department regulation 45 CFR 5b.7.

SYSTEM MANAGER AND ADDRESS:

Director, Data Development and Services Group, Office of Information Products and Data Analytics (OIPDA), OEM, Mail Stop B2-29-04, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1849.

NOTIFICATION PROCEDURE:

An individual record subject who wishes to know if this system contains records about him or her should write to the system manager who will require the system name, HICN, and for verification purposes, the subject individual's name (woman's maiden name, if applicable), and SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay).

RECORD ACCESS PROCEDURE:

An individual seeking access to records about him or her in this system should use the same procedures outlined in Notification Procedures above. The requestor should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:

To contest a record, the subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. The individual should state the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)

RECORDS SOURCE CATEGORIES:

The data collected and maintained in this system are retrieved from the following databases: Medicare Drug Data Processing System, System No. 09-70-0553 (73 FR 30943 (May 29, 2008)); Medicare Beneficiary Database, System No. 09-70-0536 (71 FR 70396 (December 4, 2006)); Medicare Advantage Prescription Drug System, System No. 09-70-0588 (76 FR 47190 (August 4, 2011)); Medicaid Statistical Information System, System No. 09-70-0541 (71 FR 65527 (November 8, 2006)); Retiree Drug Subsidy Program, System No. 09-70-0550 (70 FR 41035 (July 15, 2005)); Common Working File, System No. 09-70-0526 (71 FR 64955 (November 6, 2006)); National Claims History, System No. 09-70-0558 (71 FR 67137 11/20/2006 (November 20, 2006)); Enrollment Database, System No. 09-70-0502 (73 FR 10249 2/26/2008 (February 26, 2008)); Carrier Medicare Claims Record, System No. 09-70-0501 (71 FR 64968 11/6/2006 (November 6, 2006)); Intermediary Medicare Claims Record, System No. 09-70-0503 (71 FR 648961 (November 6, 2006)); Unique Physician/Provider Identification Number, System No. 09-70-0525 (71 FR 66535 (November 15, 2006)); Medicare Supplier Identification File, System No. 09-70-0530 (71 FR 70404 (December 4, 2006)), A Current Beneficiary Survey, System No. 09-70-0519 (71 FR 60722 (October 16, 2006)); National Plan & Provider Enumerator System, System No. 09-70-0555, (75 FR 30411 (June 1, 2010)); Long Term Care MDS, System No. 09-70-0528 (72 FR 12801 (March 19, 2007)); HHA Outcome and Assessment Information Set, System No. 09-70-0522 (72 FR 63906 (November 13, 2007)); and Integrated Data Repository, System No. 09-70-0571 (71 FR 74915 (December 13, 2006)); Provider Enrollment Chain and Ownership System, System No. 09-70-0532 (71 FR 60536 (October 13, 2006); Medicare and Medicaid Electronic Health Record (EHR) Incentive Program National Level Repository, System No. 09-70-0587 (75 FR 73095 (November 29, 2010)); Performance Measurement and Reporting System, System No. 09-70-0584 (74 FR 17672 (April 16, 2009)); Encounter Data System, 09-70-0506 (79 FR 34539 (June 17, 2014)); and National Death Index, 09-20-0166 (49 FR 37692 (September 25, 1984)).

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

None.

Start Signature

Celeste Dade-Vinson,

Health Insurance Specialist, Centers for Medicare & Medicaid Services.

End Signature End Supplemental Information

[FR Doc. 2014-25937 Filed 10-30-14; 8:45 am]

BILLING CODE 4120-03-P