Skip to Content

Rule

Medicare Program: Expanding Uses of Medicare Data by Qualified Entities

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document including its time on Public Inspection. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Enhanced Content

Relevant information about this document from Regulations.gov provides additional context. This information is not part of the official Federal Register document.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 44456

AGENCY:

Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION:

Final rule.

SUMMARY:

This final rule implements requirements under Section 105 of the Medicare Access and CHIP Reauthorization Act of 2015 that expand how qualified entities may use and disclose data under the qualified entity program to the extent consistent with applicable program requirements and other applicable laws, including information, privacy, security and disclosure laws. This rule also explains how qualified entities may create non-public analyses and provide or sell such analyses to authorized users, as well as how qualified entities may provide or sell combined data, or provide Medicare claims data alone at no cost, to certain authorized users. In addition, this rule implements certain privacy and security requirements, and imposes assessments on qualified entities if the qualified entity or the authorized user violates the terms of a data use agreement required by the qualified entity program.

DATES:

These regulations are effective on September 6, 2016.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Allison Oelschlaeger, (202) 690-8257. Kari Gaare, (410) 786-8612.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Background

On April 16, 2015, the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (Pub. L. 114-10) was enacted. The law included a provision, Section 105, Expanding the Availability of Medicare Data, which takes effect on July 1, 2016. This section expands how qualified entities will be allowed to use and disclose data under the qualified entity program, including data subject to section 1874(e) of the Social Security Act (the Act), to the extent consistent with other applicable laws, including information, privacy, security and disclosure laws.

The Qualified Entity program was established by Section 10332 of the Patient Protection and Affordable Care Act (Affordable Care Act) (Pub. L. 111-148). The implementing regulations, which became effective January 6, 2012, are found in subpart G of 42 CFR part 401 (76 FR 76542). Under those provisions, CMS provides standardized extracts of Medicare Part A and B claims data and Part D drug event data (hereinafter collectively referred to as Medicare claims data) covering one or more geographic regions to qualified entities at a fee equal to the cost of producing the data. Under the original statutory provisions, such Medicare claims data must be combined with other non-Medicare claims data and may only be used to evaluate the performance of providers and suppliers. The measures, methodologies and results that comprise such evaluations are subject to review and correction by the subject providers and suppliers, after which the results are to be disseminated in public reports.

Those wishing to become qualified entities are required to apply to the program. Currently, fourteen organizations have applied and received approval to be a qualified entity. Of these organizations, two have completed public reporting while the other twelve are in various stages of preparing for public reporting. While we have been pleased with the participation in the program so far, we expect that the changes required by MACRA will increase interest in the program.

Under section 105 of MACRA, effective July 1, 2016, qualified entities will be allowed to use the combined data and information derived from the evaluations described in 1874(e)(4)(D) of the Act to conduct non-public analyses and provide or sell these analyses to authorized users for non-public use in accordance with the program requirements and other applicable laws. In highlighting the need to comply with other applicable laws, we particularly note that any qualified entity that is a covered entity or business associate as defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulations at 45 CFR 160.103 will need to ensure compliance with any applicable HIPAA requirements, including the restriction on the sale of protected health information (PHI) without authorization at 45 CFR 164.502(a)(5)(ii).

In addition, qualified entities will be permitted to provide or sell the combined data, or provide the Medicare claims data alone at no cost, again, in accordance with the program requirements and other applicable laws, to providers, suppliers, hospital associations, and medical societies. Qualified entities that elect to provide or sell analyses and/or data under these new provisions will be subject to an assessment if they or the authorized users to whom they disclose patient-identifiable data in the form of analyses or raw data act in a manner that violates the terms of a program-required Qualified Entity Data Use Agreement (QE DUA). Furthermore, qualified entities that make analyses or data available under these new provisions will be subject to new annual reporting requirements to aid CMS in monitoring compliance with the program requirements. These new annual reporting requirements will only apply to qualified entities that choose to provide or sell non-public analyses and/or provide or sell combined data, or provide Medicare claims data alone at no cost.

We believe these changes to the qualified entity program will be important in driving higher quality, lower cost care in Medicare and the health system in general. We also believe that these changes will increase interest in the qualified entity program, leading to more transparency regarding provider and supplier performance and innovative uses of data that will result in improvements to the healthcare delivery system while still ensuring appropriate privacy and security protections for beneficiary-identifiable data.

II. Provisions of the Proposed Regulations and Responses to Public Comments

In the February 2, 2016 Federal Register (81 FR 5397), we published the proposed rule entitled, “Expanding Uses of Medicare Data by Qualified Entities.” We provided a 60-day public comment period.

In the proposed rule, to implement the new statutory provisions of section 105 of MACRA, we proposed to amend and make conforming changes to part 401, subpart G, “Availability of Medicare Data for Performance Measurement.” We received approximately 50 comments on the proposed rule from a wide variety of individuals and organizations. Many of the comments were from providers or suppliers, or organizations representing providers and suppliers. We also received a number of comments from organizations engaged in performance measurement or data aggregation, some of whom are already qualified entities and others who may apply to be qualified entities in the future. Other comments came from registries, state Medicaid agencies, issuers, and individuals.

Many of the comments were positive and praised CMS for the proposed Start Printed Page 44457changes to the qualified entity program. Commenters also had a range of suggestions for changes to program requirements around the provision or sale of non-public analyses and data. We received a number of comments on expanding the data available to qualified entities to include claims data under Medicaid and the Children's Health Insurance Program (CHIP). In addition, we received a number of comments on the disclosure of data to qualified clinical data registries for quality improvement and patient safety activities.

A more detailed summary of the public comments and our responses can be found below in the appropriate sections of this final rule.

A. Non-Public Analyses

In accordance with Section 105(a)(1) of MACRA, we proposed to allow for the qualified entity's use of the combined data or information derived from the evaluations described in section 1874(e)(4)(D) of the Act to create non-public analyses and provide for the provision or sale of these analyses to authorized users in accordance with the program requirements discussed later in this section, as well as other applicable laws.

Comment: Commenters generally supported the proposal to allow qualified entities to create non-public analyses and either provide or sell these analyses. One commenter suggested that CMS expressly state at § 401.716(a) that qualified entities may provide or sell the non-public analyses. Another commenter recommended that CMS clarify that the non-public analyses are not subject to discovery or admittance into evidence in any judicial or administrative proceeding.

Response: We thank commenters for their support of the provision or sale of non-public analyses. Since the intent of this section is to allow qualified entities to both provide and sell non-public analyses in accordance with program requirements and other applicable laws, we have made changes to the regulation text to expressly state as much.

The statute, at 1874(e)(4)(D) of the Act, explicitly states, “data released to a qualified entity under this subsection shall not be subject to discovery or admission as evidence in judicial or administrative proceedings without consent of the applicable provider or supplier.” We believe this statutory shield only applies to data released to the qualified entity under 1874(e) and when that data is in the possession of the qualified entity. Once the Medicare data is used to create non-public analyses and those non-public analyses are shared with authorized users, we do not believe the statutory shield applies.

1. Additional Analyses

In the proposed rule, we defined combined data as a set of CMS claims data provided under subpart G combined with a subset of claims data from at least one of the other claims data sources described in § 401.707(d). We did not propose to establish a minimum amount of data that must be included in the combined data set from other sources.

Comment: We received numerous comments on the definition of combined data. Many commenters recommended that CMS alter the definition of combined data to allow qualified entities to combine the Medicare data with clinical data for the creation of non-public analyses. These commenters stated that clinical data can help facilitate more appropriate analyses of provider resource use than just claims data alone. One commenter suggested that the definition of combined data also include consumer, socio-demographic, and other types of patient and provider-level data. Other commenters suggested that CMS clarify that combined data must, at a minimum, be comprised of CMS claims data merged with claims data from other sources, but other data may also be included in this combined data. One commenter agreed with the proposed definition of combined data.

Response: Section 105(a)(1)(A) of MACRA requires that the non-public analyses be based on the combined data described in 1874(e)(4)(B)(iii) as “data made available under this subsection with claims data from sources other than claims data under this title”. Given these statutory limitations, we do not believe we can modify the definition of combined data.

However, we do recognize the value of combining claims data with clinical data for the development of non-public analyses and believe the use of clinical data in non-public analyses can significantly improve the value of these analyses to support quality and patient improvement activities. Clinical data such as laboratory test results or radiology and pathology reports, can add useful information about a patient's chronic condition burden, health status, and other factors that are not available in claims data. We can also see some value in combining consumer, socio-demographic, and other types of patient and provider level data with the Medicare data. As a result, we do want to clarify, that combined data requires at a minimum that the CMS claims data be combined with other sources of claims data, but that this does not prevent the qualified entity from merging other data (for example, clinical, consumer, or socio-demographic data) with the combined data for the development of non-public analyses.

Comment: Several commenters suggested that CMS require qualified entities to make public a list of the claims data it receives from CMS and the data it intends to combine with the CMS claims data for non-public analyses. One commenter suggested that this public release of information also include the percent of the cohort for analysis that each source is contributing.

Response: We are very committed to greater data transparency and all qualified entities are required to publicly report on provider performance as part of their participation in the program. However, we do not see significant value in requiring qualified entities to publicly report on the other sources of data used in non-public analyses since the analyses themselves will not be released publicly.

Comment: Several commenters stated that they supported the proposal not to establish a threshold for the minimum amount of data that must be included in the combined data set from other sources.

Response: We thank commenters for their support.

Comment: A few commenters recommended that the requirement to use combined data not preclude Medicare-only analyses. These commenters stated that Medicare-only analyses such as segmenting provider and supplier performance evaluations by payer type or conducting longitudinal analysis of differences in cost and quality for certain conditions by payer type would have significant value for many authorized users.

Response: We recognize the value of Medicare-only analyses, especially to help providers and suppliers understand how quality and costs differ across their patient population. In addition, as the CMS Innovation Center continues to develop and test new models of care, qualified entities may play a role in conducting analyses to help providers and suppliers better manage patient outcomes and costs under a different payment model. As a result, we want to clarify that the requirement to use combined data does not prevent qualified entities from providing or selling analyses that allow the authorized user to drill down by payer type to Medicare-only results. For example, a qualified entity may provide or sell a provider a report that includes the provider's overall score on certain Start Printed Page 44458quality and resource use measures (using combined data) and then presents scores for each of these measures by payer type (including a Medicare fee-for-service category).

2. Limitations on the Qualified Entities With Respect to the Sale and Provision of Non-Public Analyses

In accordance with section 105(a)(1) of MACRA, we proposed a number of limitations on qualified entities with respect to the sale and provision of non-public analyses.

First, we proposed to limit qualified entities to only providing or selling non-public analyses to issuers after the issuer provides the qualified entity with claims data that represents a majority of the issuers' covered lives in the geographic region and during the time frame of the non-public analyses requested by the issuer.

Comment: Many commenters supported the requirement of issuers to submit data to the qualified entity in order to receive analyses, but commenters had differing recommendations on the threshold of a majority of the issuers' covered lives. A number of commenters stated that CMS should not impose a threshold on the amount of data issuers must submit to a qualified entity to receive analyses. These commenters stated that the responsibility to ensure appropriate sample size for analyses should rest with the qualified entity. However, another commenter recommended that CMS require an issuer to provide the qualified entity with data on all of its covered lives for the geographic region and during the time frame of the non-public analyses requested. This commenter stated that requiring 100 percent of an issuer's covered lives would allow for more complete analyses. One commenter supported the threshold of the majority of an issuers covered lives, but stated that CMS should allow a health insurance issuer to request a non-public analysis for a geographic region outside the issuer's area of coverage, provided the issuer supplies claims data for a majority of the covered lives for the time period requested in all regions where it provides coverage. This commenter noted that analyses for other geographic regions may be beneficial to smaller, regional health insurance issuers interested in cost and utilization in a comparable region or looking to expand their areas of coverage. Another commenter supported the threshold, but recommended that CMS create an exceptions process for cases where legitimate and important analyses, such as identifying providers treating orphan diseases or analysis fundamental for a health plan issuer to enter a new market, that could not meet the proposed threshold. Finally, one commenter stated that CMS should allow qualified entities discretion to provide or sell analyses to health insurance issuers who have made a good faith commitment to providing the qualified entity with claims data that represents a majority of the health insurance issuer's covered lives by a certain future date.

Response: As we stated in the proposed rule, we considered not applying a threshold on the amount of data being provided by the issuer, but decided that specifying a threshold would encourage issuers to submit data to the qualified entity to be included in the public performance reports, increasing the reports' reliability. We believe this rationale still applies, and we still believe that there are a number of situations where requiring the issuer to provide 100 percent of their data for a given time period and geographic region is not feasible for the issuer. Based on comments, we revisited whether, on balance, requiring issuers to submit data that represents a majority of their covered lives in the geographic region and during the time frame of the non-public analyses requested by the issuer is generally the most appropriate threshold. In doing so, we recognized that in some cases an issuer may wish to have analyses for a geographic region where it does not provide coverage. However, we believe that in those instances the issuer should not be able to receive analyses due to the requirement at section 105(a)(1)(B)(ii) of MACRA, that a qualified entity may only provide or sell analyses to issuers that have provided the qualified entity with data. Therefore, we are modifying our proposed requirement around the issuer's claims data submission threshold to clarify that qualified entities may not provide or sell analyses to issuers when the analyses include geographic areas where the issuer does not offer coverage.

We would like to clarify, however, that the requirement that an issuer provide the qualified entity with claims data for at least 50 percent of its covered lives for the time period and geographic region covered by the analyses does not mean that all analyses provided or sold to the issuer would need to be based on analyses that considered at least 50 percent of the issuers' covered lives. So long as Medicare data is combined with other claims data to create the analyses, certain analyses, such as those on rare diseases, could be based only on a subset of the Medicare claims data and other claims data collected by the qualified entity. For example, an issuer could provide data for at least 50 percent of their covered lives for the time period and geographic region of the non-public analyses to a qualified entity. The qualified entity could then use a subset of that data, such as patients with a specific rare disease, combine it with Medicare data for patients with that rare disease, and provide or sell analyses about patients with the rare disease to the issuer. We would like to note, however, that qualified entities will need to be careful when producing analyses for issuers based on small populations and limited claims data to ensure that the resulting analyses truly are patient de-identified.

We understand the desire to create an exceptions process to allow issuers who do not contribute a majority of their covered lives in the geographic region and during the timeframe of the non-public analyses requested by the issuer to receive analyses. However, we believe that imposing a standard threshold for issuer covered lives across all qualified entities and issuers is the simplest and least administratively burdensome method to ensure equal treatment of qualified entities and issuers under this program.

We also understand the interest in allowing qualified entities to provide or sell analyses to health insurance issuers who have made a good faith commitment to provide the qualified entity with claims data for the majority of their covered lives in the geographic region and during the time frame of the non-public analyses requested by the issuer. However, we believe that this type of policy could reduce the incentives for issuers to share their data with the qualified entity.

Comment: Several commenters recommended that CMS provide additional clarity around the requirements for issuers' claims data submissions to the qualified entity. One commenter stated that qualified entities should be allowed to meet the covered lives threshold regardless of whether they have obtained the claims information directly from the issuer or indirectly from a third party. Several commenters recommended that CMS provide additional details on the term covered lives to clarify how this would be assessed in certain circumstances, such as when an issuer is a secondary payer or a member is not enrolled for a full year.

Response: Qualified entities may only provide or sell analyses to an issuer if it receives claims data from the issuer. Such data can be provided directly by the issuer, or it can be submitted on the Start Printed Page 44459issuer's behalf by an issuer's business associate. Regardless, the qualified entity is responsible for ensuring that the issuer or the issuer's business associate is truly providing the qualified entity with claims data for a majority of the issuer's covered lives in the geographic region and during the timeframe of the non-public analyses requested by the issuer.

We recognize the desire to allow use of data from other sources to meet the issuer's claims submission threshold. However, due to the statutory limits on to whom the qualified entity may release patient identifiable data, we do not believe it would be possible for an issuer to ever verify whether the data the qualified entity holds is representative of the majority of the issuer's covered lives in the applicable geographic region during the applicable time frame unless the issuer or its business associate was the source of such data.

Regarding the definition of covered lives, we recognize that there is no commonly accepted definition of covered lives. We plan to rely on the methods of calculating covered lives established in regulations promulgated by the Internal Revenue Service (IRS) in December of 2012. These regulations at 26 CFR 46.4375-1(c)(2) offer issuers four methods for calculating the average number of lives covered under a specified health insurance policy—(1) the actual count method, (2) the snapshot method, (3) the member months method, and (4) the state form method—and provide both the calculation method and an example for each of the four methods for counting covered lives. These calculations all only apply to health insurance policies and we would like to clarify that the calculation of covered lives for purposes of the qualified entity program does not include dental, disability, or life insurance policies. We have modified the regulatory text at § 401.716(b)(1) to refer directly to the IRS regulations.

Second, we proposed that except when patient-identifiable non-public analyses are shared with the patient's provider or supplier, all non-public analyses must be patient de-identified using the de-identification standards in the HIPAA Privacy Rule at 45 CFR 164.514(b). Additional information on the HIPAA de-identification standards can be found on the HHS Office for Civil Rights Web site at http://www.hhs.gov/​hipaa/​for-professionals/​privacy/​special-topics/​de-identification/​index.html. We also proposed a definition for patient.

Comment: Many commenters stated that they agreed with CMS' proposal that analyses must be de-identified unless the recipient is the patient's provider or supplier. One commenter suggested that CMS allow other authorized users to receive patient-identifiable analyses, stating that patient-identifiable data will be equally valuable to the additional proposed authorized users, and that patients can also directly benefit from the sharing of patient-identifiable data beyond suppliers and providers.

Response: We thank commenters for their support. While we can see some advantages to sharing patient-identifiable analyses with other types of authorized users, the statutory language at Section 105(a)(3)(B) of MACRA states that analyses may not contain any information that individually identifies a patient unless the analyses are provided or sold to the patient's provider or supplier. Given the statutory requirements, we are finalizing our proposal that patient-identifiable analyses should only be shared with the patient's provider or supplier.

Comment: Many commenters stated that they agreed with the proposal to use the de-identification standards in the HIPAA Privacy Rule. However, one commenter suggested that CMS modify the HIPAA de-identification standards to allow inclusion of full patient five-digit zip code without population thresholds and inclusion of the month element for all dates directly related to a patient, including date of death but excepting date of birth. This commenter stated that this additional information would empower providers and suppliers to fully evaluate their care and quality improvement efforts on a timely and ongoing basis with insight into geographic and temporal factors and patterns.

Response: The framework for de-identification that is described in the HIPAA Privacy Rule represents an industry standard for de-identification of health information. Additional information on the HIPAA de-identification standards can be found on the HHS Office for Civil Rights Web site at http://www.hhs.gov/​hipaa/​for-professionals/​privacy/​special-topics/​de-identification/​index.html. We believe that modifying this framework for the purposes of the qualified entity program would be likely to create confusion among qualified entities and authorized users, many of whom are or will be HIPAA covered entities or their business associates.

Comment: One commenter noted a technical issue at § 401.716(b)(3) where the text inappropriately referenced § 401.716(c)(2). One commenter suggested CMS clarify whether the data used in the analysis needs to be de-identified at the time of the analysis or whether the analysis itself has to be de-identified at the time it is shared with an authorized user.

Response: We thank the commenter for noting this technical issue and have fixed the reference to § 401.716(b)(2). We would also like to clarify that the data used by the qualified entity to conduct the analyses does not need to be de-identified, but the analyses must be patient de-identified before they are shared with or sold to an authorized user unless the recipient is the patient's provider or supplier.

Comment: We received a number of comments on the definition of a patient. Many commenters stated that the time period of 12 months for a face-to-face or telehealth appointment was not sufficient. One commenter recommended extending the period to 18 months, while several other commenters suggested a timeframe of 24 months. These commenters noted that stabilized patients do not necessarily visit their physician every year. Another commenter suggested that a patient be defined as an individual who has visited the provider or supplier at least once during the timeframe for which the analysis is being conducted.

Response: We acknowledge that healthy patients may not visit a provider or supplier every year. As a result, we are changing the definition of a patient to have a timeframe of the past 24 months for a face-to-face or telehealth appointment.

Comment: One commenter recommended that the definition of a patient be expanded beyond an affiliation with a provider or supplier to an affiliation with an issuer, employer, or state agency or any other authorized user.

Response: As noted above, we believe Section 105(a)(3)(B) of MACRA only permits patient-identifiable information to be shared by a qualified entity with the patient's provider or supplier.

Third, we proposed to bar qualified entities' disclosure of non-public analyses that individually identify a provider or supplier unless: (a) The analysis only individually identifies the singular recipient of the analysis or (b) each provider or supplier who is individually identified in a non-public analysis that identifies multiple providers/suppliers has been afforded an opportunity to review the aspects of the analysis about them, and, if applicable, request error correction. We describe the proposed appeal and error correction process in more detail in section II.A.4 below.

Comment: Several commenters recommended that providers and Start Printed Page 44460suppliers should not have the opportunity to review and request error correction for analyses that individually identify the provider or supplier. These commenters noted in particular that analyses identifying fraud or abuse should not be reviewed by the provider in advance of being shared with the authorized user. One commenter suggested that a review and error corrections process for non-public reports only be triggered when a provider or supplier is individually identified and his or her performance is evaluated in the manner described in section 1874(e)(4)(C). Another commenter recommended that when a group of providers are identified as part of a practice group (that is, part of the same Tax Identification Number), and prior consent by the providers has been obtained, the practice group should be considered the entity that can receive analyses for the individual providers in the practice.

Response: We believe that Section 105(a)(6) of MACRA requires that qualified entities allow providers and suppliers an opportunity to review analyses that individually identify the provider or supplier and, if necessary, and, when needed, request error correction in the analyses. In addition, regardless of the statutory requirements, we believe that providers and suppliers should not be evaluated by a qualified entity without having a chance to review and, when needed, request error correction in the analyses. For example, it would not be fair for an issuer to move a provider to a different network tier based on analyses that did not correctly attribute patients to that provider. We recognize that the review and corrections process may lead to some limitations in the development of certain types of analyses, such as those identifying fraud and abuse. However, we believe that creating different standards for different types of analyses would be too administratively complex to implement, and could create tensions between providers and suppliers and qualified entities over whether an analysis warranted review by the provider or supplier before it was shared with an authorized user.

However, we recognize that in many cases providers or suppliers may wish to allow certain authorized users to receive analyses without the need for a review process. For example, clinicians that are part of a group practice may want to allow their practice manager, who may be functioning as the clinician's business associate, to receive analyses without first going through a provider/supplier review or being subject to a request for correction. We believe that the decision about who should be able to receive analyses that individually identify a provider or supplier without such review and opportunity to correct should rest with the individual provider or supplier. As a result, we are adding a third exception to the bar on disclosure of non-public analyses that individually identify a provider or supplier to allow providers or suppliers to designate, in writing, the authorized user(s) that may receive analyses from the qualified entity without first giving the provider or supplier individually identified in the analysis/es the opportunity to review the analyses, and, if applicable, request error correction.

Comment: One commenter recommended that CMS add clarity to what it means to “individually identify” a provider or supplier and stated that the definition should indicate that to individually identify means to use direct identifiers such as name or provider number for a provider or supplier that is an individual person. This commenter suggested that naming a physician group or clinic that is not itself a provider or supplier (but that may be comprised of individual providers or suppliers) would not count as individually identifying a provider or supplier. Another commenter suggested that the review and corrections process only apply to the entity that the analyses focus on. For example, if the qualified entity is conducting analyses of episodes of care for patients with joint replacement at a given hospital, the analyses may include findings on many different providers and suppliers, such as surgeons, skilled nursing facilities, home health agencies, and others. In this case, the commenter recommended that only the hospital be given the opportunity to review and request correction of errors.

Response: Regardless of whether they are an individual clinician, group practice, or facility and regardless of whether they are the direct subject of the report, we believe section 105(a)(6) of MACRA requires that qualified entities allow providers and suppliers the opportunity to review and request correction of errors in analyses that identify the provider or supplier. Group practice and facility-level providers and suppliers, as well as those indirectly evaluated in analyses, face as much reputational harm from the dissemination of incorrect information about care delivery and costs as individual clinicians or those directly evaluated in the analyses. We have added language to clarify this requirement at § 401.716(b)(4).

Comment: One commenter suggested that CMS implement a process to proactively educate providers and suppliers regarding the review, corrections, and appeals process for non-public analyses.

Response: We believe that many qualified entities that decide to disclose analyses that individually identify a provider or supplier will choose to do an education campaign with providers and suppliers in their region to ensure that any necessary review and error correction processes go smoothly. This will allow the qualified entity to build a direct relationship with the provider or supplier. In addition, since providers and suppliers are one of the types of authorized users that qualified entities can provide or sell non-public analyses and data to, we believe that qualified entities will proactively attempt to build strong relationships with the provider and supplier community in their region. As a result, while we see a small role for CMS to play in educating providers and suppliers about the review and error correction process through our usual provider outreach channels, we believe qualified entities will play the main role in provider and supplier education about the review, corrections, and appeals process.

Comment: Several commenters suggested additional limitations that CMS should impose on qualified entities with respect to the disclosure of non-public analyses. One commenter recommended that CMS require qualified entities to provide authorized users with a detailed methodology of statistical analyses to ensure their validity. This commenter also stated that CMS should require qualified entities to follow an appropriate methodology in attributing costs to providers. Another commenter suggested that evaluations of physician performance should be required to have data from at least two sources.

Response: With regard to the suggestions around statistical validity and cost attribution, we believe that these are issues that the qualified entity should discuss directly with the authorized user who is receiving or purchasing the analyses. We expect that most, if not all, authorized users will expect the qualified entity to include some description of the methodology for the analyses along with the report, but that the level of detail and content needed by each authorized user may vary. In addition, authorized users may have different ideas about the most appropriate method for cost attribution and we believe that they should be able to work with the qualified entity to make a determination for how to Start Printed Page 44461attribute costs to providers and suppliers. On the issue of requiring at least two sources of data, we believe that section 105(a)(1)(A) of MACRA requires that the non-public analyses be based on the combined data described in 1874(e)(4)(B)(iii) as “data made available under this subsection with claims data from sources other than claims data under this title”.

3. Limitations on the Authorized User

We proposed to require the qualified entity's use of legally binding agreements with any authorized users to whom it provides or sells non-public analyses. For non-public analyses that only include patient de-identified data, we proposed to require the qualified entity to enter into a contractually binding non-public analyses agreement with any authorized users as a pre-condition to providing or selling such non-public analyses.

Comment: Several commenters stated that they supported the use of a legally binding agreement between the qualified entity and the authorized user. One commenter suggested that CMS develop a standard non-public analyses agreement for qualified entities to use with authorized users.

Response: We thank commenters for their support of this proposal. We believe that many qualified entities will have existing agreements with authorized users that cover the use and disclosure of analyses related to their claims data from other sources. While there may be some value in providing organizations new to this type of work a template for the agreement, we believe that qualified entities would be better served by engaging with their own legal counsel to ensure the agreement meets their specific needs.

For non-public analyses that include patient identifiable data, we proposed to require the qualified entity to enter into a qualified entity Data Use Agreement (QE DUA) with any authorized users as a pre-condition to providing or selling such non-public analyses. As we also proposed to require use of the QE DUA in the context of the provision or sale of combined data, or the provision of Medicare data at no cost, we discuss our proposals related to the QE DUA and associated comments in the data disclosure discussion in section II.B below.

Requirements in the Non-Public Analyses Agreement

The statute generally allows qualified entities to provide or sell their non-public analyses to authorized users for non-public use, but it bars use or disclosure of such analyses for marketing (see section 105(a)(3)(c) of MACRA). We proposed additional limits on the non-public analyses, given the expansive types of non-public analyses that could be conducted by the qualified entities if no limits are placed on such analyses, and the potential deleterious consequences of some such analyses.

First, we proposed that the non-public analyses agreement require that non-public analyses conducted using combined data or the information derived from the evaluations described in section 1874(e)(4)(D) of the Act may not be used or disclosed for the following purposes: Marketing, harming or seeking to harm patients and other individuals both within and outside the healthcare system regardless of whether their data are included in the analyses (for example, an employer using the analyses to attempt to identify and fire employees with high healthcare costs), or effectuating or seeking opportunities to effectuate fraud and/or abuse in the healthcare system (for example, a provider using the analyses to identify ways to submit fraudulent claims that might not be caught by auditing software). We also proposed to adopt the definition of marketing at 45 CFR 164.501 in the HIPAA Privacy Rule.

Comment: Many commenters stated that they supported the proposed restrictions on the use of the non-public analyses. One commenter suggested that CMS provide greater clarification on what would constitute harm to patients and other individuals both within and outside the healthcare system. This commenter suggested that harm should include activities that would create overly tiered networks that could exclude high quality providers, as well as efforts to limit patient access to certain treatments or drugs or steer patients to certain practices based solely on cost.

Response: We thank commenters for their support of the restrictions on the use of the analyses. On further consideration, we agree that the industry may benefit from additional guidance regarding these restrictions. Therefore, we anticipate providing additional sub-regulatory guidance on the standards adopted in this rule for the Qualified Entity Certification Program Web site at https://www.qemedicaredata.org/​SitePages/​home.aspx.

As we did not receive any comments on the proposed definition of marketing, we will finalize the definition without modification.

Second, in accordance with section 105(a)(1)(B)(i) of MACRA, we proposed to require that any non-public analyses provided or sold to an employer may only be used by the employer for the purposes of providing health insurance to employees and retirees of the employer. We also further proposed that if the qualified entity is providing or selling non-public analyses to an employer that this requirement be included in the non-public analyses agreement. We did not receive any comments on this proposal, so are finalizing it without modification.

We also proposed to require qualified entities to include in the non-public analysis agreement a requirement to limit re-disclosure of non-public analyses or derivative data to instances in which the authorized user is a provider or supplier, and the re-disclosure is as a covered entity would be permitted under 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Accordingly, a provider or supplier may only re-disclose -identifiable health information to a covered entity for the purposes of the covered entity's quality assessment and improvement or for the purposes of care coordination activities, where that entity has a patient relationship with the individual who is the subject of the information, or to a business associate of such a covered entity under a written contract. We also generally proposed to require qualified entities to use a non-public analyses agreement to explicitly bar authorized users that are not providers or suppliers from re-disclosure of the non-public analyses or any derivative data except to the extent a disclosure qualifies as a “required by law” disclosure.

Comment: Several commenters suggested that authorized users be allowed to re-disclose analyses in order to publish research findings provided the analyses do not individually identify a provider. These commenters noted that public health interests can be served by allowing the disclosure of research findings to the public. One commenter recommended allowing broad re-disclosure of analyses when the information is beneficiary de-identified, stating that this is necessary to reduce cost and improve patient care across the healthcare system. Several commenters suggested that authorized users be allowed to re-disclose analyses for the purposes of developing products or services, such as analytic tools, algorithms, and other innovations for improving health outcomes.

Response: The statutory language at section 105(a)(5) of MACRA states that authorized users may not re-disclose or make public any analyses, with the exception of allowing providers and suppliers to re-disclose analyses, as determined by the Secretary, for the Start Printed Page 44462purposes of care coordination and performance improvement activities. As a result, we are finalizing the proposed language on re-disclosure of analyses without modification. However, we would like to note that CMS currently makes data available to researchers outside of this qualified entity program, including those interested in developing products or tools. Individuals and organizations interested in accessing CMS data for research purposes should visit the Research Data Assistance Center (ResDAC) at www.resdac.org for more information.

Fourth, we proposed to require qualified entities to impose a legally enforceable bar on the authorized user's linking de-identified analyses (or data or analyses derived from such non-public analyses) to any other identifiable source of information or in any other way attempting to identify any individual whose de-identified data is included in the analyses or any derivative data.

Comment: One commenter stated that an authorized user should be allowed to link the analyses that contain patient identifiers or any derivative data with other sources when this information is limited to their own patients.

Response: We would like to highlight that the restriction on linking analyses only applies to de-identified analyses. To the extent providers and suppliers are receiving identifiable information on their own patients, the restriction on linking to any other identifiable source of information does not apply.

Finally, we proposed to require qualified entities to use their non-public analyses agreements to bind their non-public analyses recipients to reporting any violation of the terms of that non-public analyses agreement to the qualified entity. We did not receive any comments on this proposal, so are finalizing it without modification.

4. Confidential Opportunity To Review, Appeal, and Correct Analyses

In accordance, with section 105(a)(6) of MACRA, we proposed that the qualified entity must follow the confidential review, appeal, and error correction requirements established at 401.717(f) under section 1874(e)(4)(C)(ii) of the Act.

Comment: We received a wide-ranging set of comments on the proposed review and corrections process. Several commenters supported the proposed review and corrections process. Many commenters suggested changes to the review process for non-public analyses. In general these commenters cited the burden of the proposed process for qualified entities and recommended options to make the process less burdensome. However, other commenters focused on the need for providers and suppliers to have enough time to ensure the analyses are accurate.

Several commenters suggested provider or supplier notification as the first step for review of non-public analyses. One commenter recommended creating an alternative approach to individualized appeals, such as an accreditation process. Another commenter suggested that when a non-public analysis is released to one or more authorized users, or when a non-public analysis is subsequently used for a public report, the qualified entity need only provide an opportunity for the provider or supplier to have reviewed and, if necessary, requested error correction once before the initial release of the analysis. Another commenter recommended that providers and suppliers only be given one chance to request error correction of the underlying data, after which the data could be used in any future non-public analyses.

A few commenters suggested that a 60-day period to review the analyses may not be sufficient. On the other hand, several commenters suggested a 30-day review period for non-public analyses, while another commenter suggested giving providers and suppliers an ongoing right to review the analyses and request error correction.

Response: We appreciate commenters' concerns about allowing providers and suppliers the necessary time to review analyses as well as the concerns about the burden on qualified entities of implementing the public reporting review and corrections process for non-public analyses. However, as noted in the proposed rule, we also believe using the same process for review and error correction for both the non-public analyses and the public reports creates continuity and a balance between the needs and interests of providers and suppliers and those of the qualified entities, authorized users, and the public.

That said, on further consideration, we believe that the addition of a procedural step whereby the qualified entity would confidentially notify a provider or supplier about the non-public analyses and give the provider or supplier the opportunity to opt-in to the review and error correction process established at § 401.717(a) through (e) is both consistent with the statute and has the potential to reduce the burden on both qualified entities and providers and suppliers. In some cases, notification may be sufficient to meet the needs of a provider or supplier and, as a result, the provider or supplier will choose not to opt-in to the review and correction process, reducing the paperwork and resource burden for both the qualified entity and the provider/supplier. In addition, where the analyses are similar to previous analyses or use data the provider or supplier has already corrected, the provider or supplier may also choose not to review the analyses.

Under this procedural step, a qualified entity must confidentially notify a provider or supplier that non-public analyses that individually identify the provider or supplier are going to be released at least 65 calendar days before disclosing the analyses to the authorized user. The first five days of the 65 day period is intended to allow time to notify the provider or supplier, and to allow them time to respond to the qualified entity. The next sixty days are reflective of the sixty day review period in § 401.717(a) through (e). The confidential notification about the non-public analyses should include a short summary of the analyses (which must include the measures being calculated, but does not have to include the methodologies and measure results), the process for the provider or supplier to request the analyses, the authorized users receiving the analyses, and the date on which the qualified entity will release the analyses to the authorized users. This notification can cover multiple non-public analyses that use different datasets and measures. The 65-day period begins on the date the qualified entity sends or emails the notification to providers and suppliers. As we presume some qualified entities may utilize National Provider Identifier (NPI) data as a means of contacting providers and suppliers, we would like to use this opportunity to remind providers and suppliers of the need to keep their NPI information up-to-date.

At any point during this 65-day period, the qualified entity must allow the provider or supplier to opt-in to the review and error correction process established at § 401.717(a) through (e) and request copies of the analyses and, where applicable, access to the data used in the analyses, and to request the correction of any errors in the analyses. However, if the provider or supplier chooses to opt-in to the review and correction process more than 5 days into the notification period, the time for the review and correction process is shortened from regulatory 60 days in § 401.717(a) through (e) to the number of days remaining between the provider or supplier opt-in date and the release Start Printed Page 44463date specified in the confidential notification.

We understand the desire to create an alternative approach to individualized appeals, such as an accreditation process, however, we believe the statutory language at Section 105(a)(6) of MACRA requires that qualified entities allow providers and suppliers an opportunity to review analyses that individually identify the provider or supplier and, if necessary, and, when needed, request error correction in the analyses. In addition, as stated above, regardless of the statutory requirements, we believe that providers and suppliers should not be evaluated by a qualified entity without having a chance to review and, when needed, request error correction in the analyses.

Comment: One commenter recommended that qualified entities not be allowed to provide or sell analyses to an authorized use while an error correction request is outstanding.

Response: We acknowledge the interest of providers and suppliers in ensuring that any analyses correctly represent their care delivery patterns and costs. However, we are concerned that providers and suppliers may make spurious requests for error correction in order to prevent the authorized user from receiving the analyses. As a result, we will maintain the provisions that allow qualified entities to release the non-public analyses after the 65-day period regardless of the status of error corrections. As with the public reporting, the qualified entity must inform the authorized user if a request for error correction is outstanding when the analyses are delivered to the authorized user, and, if applicable, provide corrected analyses if corrections are ultimately made.

B. Dissemination of Data and the Use of QE DUAs for Data Dissemination and Patient-Identifiable Non-Public Analyses

Subject to other applicable law, section 105(a)(2) of MACRA expands the permissible uses and disclosures of data by a qualified entity to include providing or, where applicable, selling combined data for non-public use to certain authorized users, including providers of services, suppliers, medical societies, and hospital associations for use in developing and participating in quality and patient care improvement activities. Section 105(a)(3)(B) of MACRA. Subject to the same limits, it also permits a qualified entity to provide Medicare claims data for non-public use to these authorized users; however, a qualified entity may not charge a fee for providing such Medicare claims data. In addition, in order to provide or sell combined data or Medicare data, section 105(a)(4) of MACRA instructs the qualified entity to enter into a DUA with their intended data recipient(s).

1. General Requirements for Data Dissemination

To implement the provisions in Section 105(b) of MACRA, we proposed to provide that, subject to other applicable laws (including applicable information, privacy, security and disclosure laws) and certain defined program requirements, including that the data be used only for non-public purposes, a qualified entity may provide or sell combined data or provide Medicare claims data at no cost to certain authorized users, including providers of services, suppliers, medical societies, and hospital associations. Where a qualified entity is a HIPAA-covered entity or is acting as a business associate, compliance with other applicable laws will include the need to ensure that it fulfills the requirements under the HIPAA Privacy Rule, including the restriction on the sale of PHI at 45 CFR 164.502(a)(5)(ii).

Comment: Several commenters stated that CMS should provide additional clarity on the term no cost as it relates to the provision of Medicare data. For example, commenters stated that qualified entities may wish to charge a fee for entering into a data use agreement with an authorized user, but then not charge for the data. In addition, some of these commenters recommended that CMS allow qualified entities to recoup the costs associated with providing Medicare data at no cost. These commenters stated that there is a cost associated with providing claims data to authorized users, such as staff time to create the data extract and encrypt the file.

Response: We understand that qualified entities will face costs providing Medicare data to authorized users. However, section 105(a)(2)(C) of MACRA expressly states that, if a qualified entity were to elect to make Medicare claims data available, such data must be “provided” at no cost. We believe that the paperwork and processing costs associated with accepting and fulfilling Medicare claims data requests are an integral part of the “provision” of data. As such, qualified entities may not charge authorized users for the Medicare data itself or any activity associated with requests for or the fulfillment of Medicare data requests (such as the processing of a data use agreement). However, we also note that the qualified entity is not required to offer authorized users the opportunity to request Medicare claims data. Qualified entities may choose to only offer authorized users the opportunity to receive or purchase combined data. Qualified entities may also choose not to allow authorized users to request data at all.

Comment: One commenter suggested that CMS require qualified entities to sell the combined data at a reasonable price which reflects their actual cost.

Response: We appreciate the commenter's interest in ensuring qualified entities charge authorized users reasonable fees for combined data. However, we believe that qualified entities should be allowed to determine the appropriate fee to charge authorized users for access to the combined data. If qualified entities set their prices too high authorized users have the choice of not buying the data, or potentially obtaining the data from another qualified entity with more reasonable pricing.

Comment: One commenter recommended that CMS provide additional clarity on the threshold for the amount of other data that must be combined with the Medicare data in order for the qualified entity to sell the combined data.

Response: As discussed above, we have not established a threshold for the amount of other data that must be combined with the Medicare data. It is our expectation that qualified entities will use sufficient claims data from other sources to ensure validity and reliability.

2. Limitations on the Qualified Entity Regarding Data Disclosure

In accordance with section 105(a)(2), we proposed to place a number of limitations on the sale or provision of combined data and the provision of Medicare claims data by qualified entities, including generally barring the disclosure of patient-identifiable data obtained through the qualified entity program.

Comment: Several commenters stated that CMS should provide additional clarity around whether the data must go through a review and corrections process before it is disclosed to an authorized user. One commenter recommended that providers and suppliers be allowed to review, appeal, and correct the data before it is disclosed.

Response: Section 105(a)(6) of MACRA only requires a review and corrections process when a qualified entity is providing or selling an analysis to an authorized user. While we understand that some providers and Start Printed Page 44464suppliers may wish to ensure that their data is correct before it is shared with an authorized user, we believe that this process would be very rigorous and burdensome for the qualified entity and would have little value for most providers and suppliers.

We proposed to require any combined data or Medicare claims data that is provided to an authorized user by a qualified entity under subpart G be beneficiary de-identified in accordance with the de-identification standards in the HIPAA Privacy Rule at 45 CFR 164.514(b). We also proposed an exception that would allow a qualified entity to provide or sell patient-identifiable combined data and/or provide patient-identifiable Medicare claims data at no cost to an individual or entity that is a provider or supplier if the provider or supplier has a patient relationship with every patient about whom individually identifiable information is provided and the disclosure is consistent with applicable law.

Comment: Several commenters agreed with the proposal to only allow identifiable data to be disclosed to providers or suppliers with whom the identified individuals have a patient relationship. One commenter suggested that qualified entities be allowed to share limited data sets (as defined in HIPAA) with providers and suppliers for individuals who are not their patients. Another commenter recommended that qualified entities be allowed to disclose patient-identifiable data to health plans.

Response: Section 105(a)(3) of MACRA requires that data disclosed to an authorized user not contain information that individually identifies a patient unless the data is being shared with that patient's provider or supplier. We further note that limited data sets include indirect identifiers, and, as such, are subject to that mandate. While we can imagine that health systems would be interested in conducting population-wide analyses that look at disease incidence or care delivery patterns, we believe these types of analyses can be conducted using de-identified data. In addition, authorized users that may not receive patient-identifiable data, such as issuers, could ask the qualified entity to conduct analyses on these topics, and purchase or receive the patient-deidentified analyses that result from such efforts.

Second, we proposed to require qualified entities to bind the recipients of their data to a DUA that will govern the use and, where applicable, re-disclosure of any data received through this program prior to the provision or sale of such data to an authorized user.

Comment: Several commenters stated that they agreed with the proposal to require qualified entities to bind authorized users who receive data to a DUA. One commenter recommended that when the required “QE DUA” (the DUA between the Qualified Entity (QE) and the Authorized User) provisions already exist in another contract between the qualified entity and the authorized user, the qualified entity should not be required to re-paper those terms.

Response: We thank commenters for their support of this proposal. In cases where all the terms of the QE DUA at § 401.713(d) are contained in a contractually binding agreement between the qualified entity and the authorized user, we do not intend to require the qualified entity to re-paper that agreement as a QE DUA.

3. Data Use Agreement (DUA)

A qualified entity must enter a DUA with CMS as a condition of receiving Medicare data. Furthermore, in accordance with Section 105(a)(4) of MACRA, we proposed to require the execution of a DUA as a precondition to a qualified entity's provision or sale of data to an authorized user. As discussed above, we also proposed to require the qualified entity to enter into a DUA with any authorized user as a pre-condition to providing or selling non-public analyses that include patient-identifiable data. To help differentiate the DUA between CMS and the qualified entity from the DUAs between the qualified entity and the authorized user, we proposed certain clarifying changes that recognize that there are now two distinct DUAs in the qualified entity program—the CMS DUA, which is the agreement between CMS and a qualified entity, and what we will refer to as the QE DUA, which will be the legally binding agreement between a qualified entity and an authorized user.

Comment: Several commenters had overall comments on the QE DUA. One commenter recommended that CMS create a standard QE DUA. Another commenter stated that the data released to authorized users should not be subject to discovery or admitted into evidence without the provider or supplier's consent. A few commenters suggested that the QE DUA include a provision that prevents the disclosure of competitively sensitive data, such as Part D bid information. Finally, one commenter suggested that authorized users should have some direct responsibility for actions that run afoul of contractual requirements.

Response: As noted above, qualified entities may have existing agreements with authorized users where all required QE DUA elements are covered, and we are not requiring re-papering in those instances. Furthermore, also as noted above, we believe that qualified entities without existing agreements would be better served by engaging with their own legal counsel to ensure the QE DUA meets their specific needs.

As discussed above, we believe the statutory requirement that data not be subject to discovery or admitted into evidence without the provider or supplier's consent only applies to data released to the qualified entity under 1874(e) and when that data is in the possession of the qualified entity.

Regarding concerns about disclosure of competitively sensitive information, qualified entities only receive Medicare Parts A and B claims data and certain Part D drug event data from CMS. In addition, we only provide qualified entities with aggregated Part D cost information, not the proprietary individual component costs. As a result, we do not believe there is a risk that qualified entities would be in a position to disclose competitively sensitive information to authorized users.

Finally, as we stated in the proposed rule, we only have authority to impose requirements on the qualified entity. As a result, we must rely on the qualified entity to impose legally enforceable obligations on the authorized user.

Requirements in the QE DUA

In § 401.713(d), we proposed a number of contractually binding provisions that would be included in the QE DUA. First, we proposed to require that the QE DUA contain certain limitations on the authorized user's use of the combined data and/or Medicare claims data and/or non-public analyses that contain patient-identifiable data and/or any derivative data (hereinafter referred to as data subject to the QE DUA) to those purposes described in the first or second paragraph of the definition of “healthcare operations” under 45 CFR 164.501, or that which qualifies as “fraud and abuse detection or compliance activities” under 45 CFR 164.506(c)(4). We also proposed to require that all other uses and disclosures of data subject to the QE DUA be prohibited except to the extent a disclosure qualifies as a “required by law” disclosure. We did not receive any comments on our proposal to allow authorized users to use the data subject to the QE DUA for the purposes described in the first or second paragraph of the definition of “healthcare operations” under 45 CFR Start Printed Page 44465164.501. Therefore, we are finalizing our proposal. In doing so, we identified inadvertent drafting errors in the proposed regulatory text at § 401.713(d)(1)(i)(A) and (B) (mis-identifying which activities fell into which paragraphs of 45 CFR 164.501). We have therefore corrected those draft regulatory provisions to conform the new 42 CFR 401.713(d)(1)(i)(A) and (B) with the content of the first and second paragraphs of the definition of health care operations under 45 CFR 164.501.

Comment: We received several comments on allowing authorized users to use the data subject to the QE DUA for purposes which qualify as “fraud and abuse detection or compliance activities” under 45 CFR 164.506(c)(4). Several commenters stated that the allowing use of the data subject to the QE DUA for fraud and abuse detection is unwarranted and without basis in the statutory text. However, another commenter explicitly supported use of the data subject to the QE DUA to bolster efforts to fight fraud. One commenter suggested the addition of “waste” detection as an allowed use of the data subject to the QE DUA.

Response: We believe that section 105(a)(3)(A)(ii) of MACRA is illustrative (providing for certain non-public uses “including” certain cross-referenced activities). It does not prevent use of the data for fraud and abuse detection and compliance activities. As a result, we are finalizing our proposal to allow authorized users to use the data subject to the QE DUA for fraud and abuse detection. While we can understand the interest in adding waste detection to the list of allowed uses of the data subject to the QE DUA, we believe it is best to stay consistent with the language established in HIPAA since many of other authorized users receiving data subject to the QE DUA are also HIPAA covered entities.

Comment: One commenter suggested that authorized users also be allowed to use the data subject to the QE DUA for “treatment” as defined under 45 CFR 164.501.

Response: We agree that use of the data subject to the QE DUA for treatment purposes is a valid possible use of the data and consistent with the statute. As a result, we have modified the language at § 401.713(d)(1)(i) to include treatment.

We also proposed to require qualified entities to use the QE DUA to contractually prohibit the authorized users from using the data subject to the QE DUA for marketing purposes. We did not receive any comments on this proposal, and are finalizing it without modification.

We proposed at § 401.713(d)(3) to require qualified entities to contractually bind authorized users using the QE DUA to protect patient-identifiable data subject to the QE DUA, with at least the privacy and security protections that would be required of covered entities and their business associates under the HIPAA Privacy and Security Rules. We proposed to require that the QE DUA contain provisions that require that the authorized user maintain written privacy and security policies and procedures that ensure compliance with these HIPAA-based privacy and security standards and the other standards required under this subpart for the duration of the QE DUA. We also proposed to require QE DUA provisions detailing such policies and procedures survive termination of the QE DUA, whether for cause or not.

Comment: One commenter suggested that CMS clarify that the QE DUA by itself does not make the authorized user a covered entity or business associate under HIPAA if the authorized user does not otherwise meet those definitions.

Response: We wish to clarify that this rule does not comment on whether an entity is a covered entity or business associate under HIPAA. We are simply requiring the authorized users to comply with the privacy and security protections required of covered entities and their business associates under the HIPAA Privacy and Security Rules (that is, the authorized users must comply with those provisions as if they were acting in the capacity of a covered entity or business associate dealing with protected health information). We feel that such standards represent an industry-wide standard for the protection of patient-identifiable data, and note that this requirement would be in keeping with section 105(a)(4) of MACRA.

We also proposed at § 401.713(d)(7) to require that the qualified entity use the QE DUA to contractually bind an authorized user as a condition of receiving data subject to the QE DUA under the qualified entity program to notify the qualified entity of any violations of the QE DUA. We did not receive any comments on this proposal, so are finalizing it without modification.

In addition, we proposed at § 401.713(d)(4) to require that the qualified entity include a provision in its QE DUAs that prohibits the authorized user from re-disclosing or making public data subject to the QE DUA except as provided in paragraph (d)(5). We proposed at § 401.713(d)(5) to require that the qualified entity use the QE DUA to limit provider's and supplier's re-disclosures to a covered entity pursuant to 45 CFR 164.506(c)(4)(i) or 164.502(e)(1). Therefore, a provider or supplier would generally only be permitted to re-disclose data subject to the QE DUA to a covered entity or its business associate for activities focused on that covered entity's quality assessment and improvement, including the review of provider or supplier performance. We also proposed to require re-disclosure when required by law.

Comment: Several commenters stated that they supported CMS' proposals related to re-disclosure of data. One commenter suggested that providers and suppliers be allowed to re-disclose data for direct patient care and issues of patient safety. Another commenter recommended that any authorized user be allowed to re-disclose de-identified data for the purposes of publishing de-identified statistical results.

Response: We thank commenters for their support of the re-disclosure proposals. While we can understand interest in explicitly referencing issues of patient safety, we do not believe it is necessary given that the first paragraph of the definition of healthcare operations includes patient safety activities and, thus issues of patient safety are permitted reasons for re-disclosure of the data. However, we recognize that as proposed, providers and suppliers would not be allowed to re-disclose the data subject to the QE DUA for treatment purposes. As a result, we are modifying the language at § 401.713(d)(5)(i) to allow providers and suppliers to re-disclose data subject to the QE DUA as a covered entity would be permitted to disclose PHI under 45 CFR 164.506(c)(2), which allows a covered entity to disclose data for the treatment activities of a healthcare provider.

Regarding the recommendation to allow for re-disclosure of de-identified data in order to publish statistical results, we do not believe that this purpose is consistent with section 105(a)(5)(A) of the MACRA statute, which explicitly states that an authorized user who is provided or sold data shall not make public such data or any analysis using such data.

We also proposed to require qualified entities to impose a contractual bar using the QE DUA on the downstream recipients' linking of the re-disclosed data subject to the QE DUA to any other identifiable source of information. The only exception to this general policy would be if a provider or supplier were to receive identifiable information limited to its own patients.Start Printed Page 44466

Comment: Several commenters stated that they supported the proposals related to linking the data. One commenter suggested that business associates of providers or suppliers be allowed to link the data subject to the QE DUA. Another commenter recommended that authorized users be allowed to link the patient de-identified data so long as the intent or result is not to re-identify patients and the resulting data set meets the HIPAA standard for de-identification.

Response: We would like to clarify that the prohibition on linking only applies to patient de-identified data subject to the QE DUA. To the extent that a provider or supplier receives patient-identifiable data subject to the QE DUA and discloses that data to a business associate as allowed under § 401.713(d)(5)(i), that provider or supplier may request that the business associate link the data subject to the QE DUA to another data source.

While we understand that some authorized users may wish to link the de-identified data subject to the QE DUA, we believe that this creates too much risk of inadvertent re-identification. However, instead of linking the data themselves, authorized users could choose to share their additional data, in accordance with applicable law, with the qualified entity who could link this new data source to the existing data and then create de-identified analyses to share with the authorized user.

C. Authorized Users

1. Definition of Authorized User

Section 105(a)(9)(A) of MACRA defines authorized users as: A provider of services, a supplier, an employer (as defined in section 3(5) of the Employee Retirement Insurance Security Act of 1974), a health insurance issuer (as defined in section 2791 of the Public Health Service act), a medical society or hospital association, and any other entity that is approved by the Secretary. We proposed a definition for authorized user at § 401.703(k) that is consistent with Section 105(a)(9)(A) of MACRA and includes two additional types of entities beyond those established in the statute—healthcare professional associations and state agencies. Specifically, we proposed to define an authorized user as: (1) A provider; (2) a supplier; (3) an employer; (4) a health insurance issuer; (5) a medical society; (6) a hospital association; (7) a healthcare professional association; or (8) a state agency.

Comment: Commenters had a wide ranging list of suggested additions to the definition of an authorized users, including: Other types of associations and partnership groups whose missions support the permitted data uses, entities with expertise in quality measure development, organizations engaged in research, federal agencies, regional health improvement collaboratives, and the Indian Health Service (and Indian Health programs). Several commenters also suggested that CMS create a process for qualified entities to seek approval for additional authorized users that may not fit into the regulatory definitions.

Response: We recognize that many organizations are interested in accessing analyses provided by the qualified entity. However, CMS believes we must maintain a carefully curated list of authorized users to prevent the monitoring of the qualified entity program from becoming too cumbersome. As a result, we are only adding federal agencies, including, but not limited to the Indian Health Service (and Indian Health programs), to the definition of authorized users. Similar to state agencies, we believe that federal agencies, particularly those that provide healthcare services such as the Indian Health Service and the U.S. Department of Veteran Affairs are important partners with CMS in transforming the healthcare delivery system and could substantially benefit from access to analyses to help improve quality and reduce costs, especially for individuals who utilize their services. On the other hand, we believe many of the other suggested authorized users do not represent well defined groups, which could lead to significant confusion as to which entities fall within the group and which do not. In addition, as we noted above, the statute is explicit in its prohibition of releasing the analyses or data to the public, so the addition of any authorized user with a research aim is not consistent with the parameters of the program.

We believe a separate approval process would be very costly for CMS and create additional burdens for qualified entities. We also believe that a standard list of authorized users is the simplest and least administratively burdensome method to ensure equal treatment of qualified entities. Because many of the suggested authorized users do not represent well defined groups, we would envision an approval process for each entity requesting analyses, which would potentially be more burdensome for smaller regional qualified entities that do not have the time or resources to devote to the approval process. Furthermore, we have an existing process through which entities can obtain Medicare data for research purposes. More information on accessing CMS data for research can be found on the ResDAC Web site at www.resdac.org.

Comment: Several commenters suggested that other organizations beyond providers, suppliers, hospital associations, and medical societies be allowed to access data. A few commenters suggested any entity should be allowed to access de-identified data. Another commenter recommended the creation of a new authorized user called a healthcare provider or supplier collaborator and defined as an organization or entity that does not directly treat patients, but works closely with the provider or supplier in connection with treatment of patients.

Response: Section 105 (a)(2)(A)(i) only allows for the disclosure of data to a provider of services, a supplier, and a medical society or hospital association.

Comment: Several commenters suggested that authorized users that are allowed to act on behalf of their subparts (for example, Accountable Care Organizations) or business associates as defined in HIPAA should be allowed to receive data and/or analyses directly.

Response: We do not intend to prevent organizations acting under a contract with an authorized user from receiving data or the analyses on behalf of the authorized user. Therefore, we have modified the definition of authorized user to include contractors, including, where applicable, business associates as that term is defined at 45 CFR 160.103. An authorized user is now defined as a third party and its contractors (including, where applicable, business associates as that term is defined at 45 CFR 160.103) that need analyses or data covered by this section to carry out work on behalf of that third party (meaning not the qualified entity or the qualified entity's contractors) to whom/which the qualified entity provides or sells data as permitted under this subpart. Authorized user third parties are limited to the following entities: A provider, a supplier, a medical society, a hospital association, an employer, a health insurance issuer, a healthcare provider and/or supplier association, a state entity, a federal agency.

We would like to note that with this change to the definition of authorized user a qualified entity is now also liable for the actions of the third party's contractors who enter into a QE DUA with the qualified entity.

Comment: One commenter suggested a modification to the definition of provider to include dieticians, social workers, case management nurses, and other allied health professionals.Start Printed Page 44467

Response: The current definition of a supplier is a physician or other practitioner that furnishes healthcare services under Medicare. To the extent that dieticians, social workers, case management nurses, and other allied health professionals are furnishing healthcare services under Medicare, they would already be considered suppliers. If they are not furnishing services under Medicare, we do not believe the analyses or data based on Medicare claims data will hold much value for improving care delivery or reducing costs, and so we decline expanding the definition to include them.

2. Definition of Employer

We proposed to define an employer as having the same meaning as the term “employer” defined in Section 3(5) of the Employee Retirement Insurance Security Act of 1974.

Comment: One commenter suggested that the definition of employer should not include any third-party consultant or wellness program vendors.

Response: As noted above, we believe authorized users should be allowed to share analyses and data with contractors who need such information to conduct work on their behalf. Therefore, we modified the definition of authorized user to include contractors. To the extent a wellness vendor is an employer's contractor, the vendor will be required to sign a non-public analyses agreement and will be bound to only use and disclose the analyses in a manner consistent with the provisions of that agreement. We would also like to point out that as specified in § 401.716(c)(2), employers, and their contractors, may only use the analyses for the purposes of providing health insurance to employees, retirees, or dependents of employees.

3. Definition of Health Insurance Issuer

We proposed to define a health insurance issuer as having the same meaning as the term “health insurance issuer” defined in Section 2791(b)(2) of the Public Health Service Act.

Comment: One commenter suggested that the definition of health insurance issuer should not include any third-party consultant or wellness program vendors.

Response: As with employers, we believe issuers should be allowed to share analyses and data with contractors who need such information to conduct work on their behalf. Therefore, as stated above, we have modified the definition of authorized user. To the extent a wellness vendor is an issuer's contractor, the vendor will be required to sign a non-public analyses agreement and will be bound to only use and disclose the analyses in a manner consistent with the provisions of that agreement.

4. Definition of “Medical Society”

We proposed to define a medical society as a non-profit organization or association that provides unified representation for a large number of physicians at the national or state level and whose membership is comprised mainly of physicians.

Comment: One commenter requested that CMS provide an example of a medical society.

Response: We would consider the American Medical Association or the American Academy of Family Physicians to be national-level medical societies. At the state-level, the Medical Association of the State of Alabama is an example of a medical society under this definition.

5. Definition of “Hospital Association”

We proposed to define a hospital association as a non-profit organization or association that provides unified representation for a large number of hospitals or health systems at the national or state level and whose membership is comprised of a majority of hospitals and health systems.

Comment: One commenter requested that CMS provide an example of a hospital association.

Response: We would consider the American Hospital Association or the Federation of American Hospitals to be national hospital associations. At the state-level, the Hospital and Healthsystem Association of Pennsylvania is an example of a hospital association under this definition.

Comment: Several commenters suggested that the definition of hospital association be expanded to include associations at the local level and quality organizations that are affiliated with, but have separate 501(c)(3) numbers from their state hospital association.

Response: CMS recognizes that local hospital associations may work more closely on issues such as quality improvement with hospitals and health systems in their area than state or national associations. As a result, we have modified the definition of hospital association to include local-level organizations. However, we do not believe that the MACRA statute at 105(a)(9)(v) intends for quality organizations affiliated with a hospital association to be considered a hospital association since the language only refers to hospital association and does not reference quality organizations. To the extent that these quality organizations are doing work on behalf of the state hospital association under contract, and that work requires access to such data or analyses, these quality organizations would be considered authorized users and would be required to enter into a QE DUA and/or non-public analyses agreement with the qualified entity.

6. Definition of “Healthcare Provider and/or Supplier Association”

We proposed to define a healthcare provider and/or supplier association as a non-profit organization or association that represents providers and suppliers at the national or state level and whose membership is comprised of a majority of providers and/or suppliers. We did not receive any comments on this definition, so are finalizing it without modification.

7. Definition of “State Agency”

We proposed to define a state agency as any office, department, division, bureau, board, commission, agency, institution, or committee within the executive branch of a state government.

Comment: One commenter stated that state agencies should be limited to those entities that promote care quality and patient care improvement activities. Another commenter recommended that the term state agency be changed to state entity to help avoid conflict with state-specific references to the word “agency.” One commenter suggested CMS provide clarity on whether the definition of state agency includes political subdivisions of the state.

Response: We do not believe that state agencies should be limited to those entities focused on care quality and patient care improvement. There are a wide-array of uses of the non-public analyses by states who are CMS' partners in transforming the healthcare delivery system. We do appreciate the comment related to the use of the term agency at the state-level, and have modified this term in the regulations to be “state entity.” In addition, to provide clarity, we note that we did not intend for the definition of state agency to include political subdivisions of a state, such as a county, city, town, or village, and as a result have not added these to the definition.

D. Annual Report Requirements

1. Reporting Requirements for Analyses

Section 105(a)(8) of MACRA expands the information that a qualified entity must report annually to the Secretary if Start Printed Page 44468a qualified entity provides or sells non-public analyses. Therefore, consistent with these requirements, we proposed to require that the qualified entity provide a summary of the non-public analyses provided or sold under this subpart, including specific information about the number of analyses, the number of purchasers of such analyses, the types of authorized users that purchased analyses, the total amount of fees received for such analyses. We also proposed to require the qualified entity to provide a description of the topics and purposes of such analyses. In addition, we proposed to require a qualified entity to provide information on QE DUA and non-public analyses agreement violations.

Comment: Several commenters suggested additions to the reporting requirements for analyses. One commenter suggested that qualified entities include the specific entities to whom analyses were provided or sold as well as more detailed pricing information. Another commenter recommended the addition of the frequency and nature of requests for error correction, and how often analyses are disclosed with unresolved requests for error correction.

Response: We believe that Section 105(a)(8)(A) of MACRA intends for qualified entities to provide a summary of the analyses and that the specific details of the entities who received analyses or the pricing information for analyses are not consistent with that intent. We do believe there is value in monitoring requests for error correction to ensure that qualified entities are not releasing analyses that consistently have requests for error correction, which could indicate a qualified entities' poor use of the Medicare data; however, we believe the requirement to provide this information, with the exception of how often analyses are disclosed with unresolved requests for error correction, already exists as part of the annual reporting requirements under § 401.719(b)(2). We believe including how often analyses are disclosed with unresolved error requests in the annual reports is important because it allows CMS to track possible poor use of the Medicare data by qualified entities. Therefore, we have added the requirement to report the number of analyses disclosed with unresolved requests for error correction at § 401.719(b)(3)(iii).

Comment: One commenter suggested that the annual reports be made public.

Response: We recognize that in some cases the annual reports may contain sensitive commercial information and, as a result, we do not believe the reports should be made public. We would like to clarify, however, that anytime CMS receives a request for information under the Freedom of Information Act (FOIA), the agency always evaluates whether the information is subject to one of the FOIA exemptions, including Exemption 4, which protects commercial or financial information that is privileged and confidential. We welcome identification of any materials within such reports that the qualified entity believes are subject to a FOIA exemption, and the rationale therefore.

2. Reporting Requirements for Data

Section 105(a)(8) of MACRA also requires a qualified entity to submit a report annually if it provides or sells data. Therefore, consistent with the statutory requirements, we also proposed to require qualified entities that provide or sell data under this subpart to provide the following information as part of its annual report: Information on the entities who received data, the uses of the data, the total amount of fees received for providing, selling, or sharing the data, and any QE DUA violations.

Comment: Several of the comments on reporting requirements for data were the same as those for analyses addressed above. One commenter suggested the addition of information on authorized user data breaches to the annual report. Another commenter stated that the annual reporting requirements for data may contain sensitive commercial information that may be subject to confidentiality provisions between the qualified entity and applicable authorized users.

Response: We believe that data breaches should be reported to CMS in a much timelier manner than the annual report. As discussed above, the QE DUA requires authorized users to notify the qualified entity of any violations of the QE DUA and to comply with the breach provisions governing qualified entities. As a result, we do not believe this element is needed in the annual report.

We recognize that some of the information we proposed to require of qualified entities in their annual reports will be sensitive commercial information. As noted above, anytime CMS receives a request for information under the FOIA, the agency always evaluates whether the information is subject to one of the FOIA exemptions, including Exemption 4, which protects commercial or financial information that is privileged and confidential. Contractual confidentiality provisions between authorized users and qualified entities will not negate CMS' obligations under FOIA, but we welcome identification of any materials within such reports that the qualified entity believes are subject to a FOIA exemption, and the rationale therefore.

E. Assessment for a Breach

1. Violation of a DUA

Section 105(a)(7) of MACRA requires the Secretary to impose an assessment on a qualified entity in the case of a “breach” of a CMS DUA between the Secretary and a qualified entity or a breach of a QE DUA between a qualified entity and an authorized user. Because the term “breach” is defined in HIPAA, and this definition is not consistent with the use of the term for this program, we proposed instead to adopt the term “violation” when referring to a “breach” of a DUA for purposes of this program. We also proposed to define a “violation” to mean a failure to comply with a requirement in a CMS DUA or QE DUA. We also proposed to impose an assessment on any qualified entity that violates a CMS DUA or fails to ensure that their authorized users and their contractors/business associates do not violate a QE DUA.

Comment: A few commenters recommended that CMS further define and provide examples of what would constitute a DUA violation. Another commenter suggested CMS expand the definition of a violation so that both the qualified entity and the authorized user may be held responsible for a breach.

Response: While we recognize that not all terms of the DUAs are equal regarding the risk to the privacy and security of the Medicare data, we believe the aggravating and mitigating circumstances discussed in more detail below provide us the flexibility to ensure the assessment amount is consistent with the nature of the violation. One example of a violation would be knowingly releasing patient names and other protected health information for marketing purposes. Another example of a violation would be sharing individually identifiable information for an individual who does not meet the definition of a patient with a supplier.

While we recognize that it may be the authorized user who is responsible for the violation, we believe Section 105(a)(7) of MACRA does not give us the authority to impose an assessment on the authorized user. However, we do believe that the qualified entity could include terms in their agreement with the authorized user to require the authorized user to pay the assessment if the authorized user is responsible for the violation.Start Printed Page 44469

MACRA provides guidance only on the assessment amount and what triggers an assessment, but it does not dictate the procedures for imposing such assessments. We therefore proposed to model qualified entity program procedures on certain relevant provisions of Section 1128A of the Act (Civil Money Penalties) and part 402 (Civil Money Penalties, Assessments, and Exclusions) including the process and procedures for calculating the assessment, notifying a qualified entity of a violation, collecting the assessment, and providing qualified entities an appeals process.

2. Amount of Assessment

Section 105(a)(7)(B) of MACRA specifies that when a violation occurs, the assessment is to be calculated based on the number of affected individuals who are entitled to, or enrolled in, benefits under part A of title XVIII of the Act, or enrolled in part B of such title. Assessments can be up to $100 per affected individual, but, given the broad discretion in establishing some lesser amount, we looked to part 402 as a model for proposing aggravating and mitigating circumstances that would be considered when calculating the assessment amount per impacted individual. However, violations under section 105(a)(7)(B) of MACRA are considered point-in-time violations, not continuing violations.

Number of Individuals

We proposed at § 401.719(d)(5)(i) that CMS will calculate the amount of the assessment of up to $100 per individual entitled to, or enrolled in part A of title XVIII of the Act and/or enrolled in part B of such title whose data was implicated in the violation.

We generally proposed to determine the number of potentially affected individuals by looking at the number of beneficiaries whose Medicare claims information was provided either by CMS to the qualified entity or by the qualified entity to the authorized user in the form of individually identifiable or de-identified data sets that were potentially affected by the violation.

We proposed that a single beneficiary, regardless of the number of times their information appears in a singular non-public report or dataset, would only count towards the calculation of an assessment for a violation once. For qualified entities that provide or sell subsets of the dataset that CMS provided to them, combined information, or non-public analyses, we proposed to require that the qualified entity provide the Secretary with an accurate number of beneficiaries whose data was sold or provided to the authorized user and, thereby, potentially affected by the violation. In those instances in which the qualified entity is unable to establish a reliable number of potentially affected beneficiaries, we proposed to impose the assessment based on the total number of beneficiaries that were included in the data set(s) that was/were transferred to the qualified entity under the CMS DUA.

Assessment Amount per Impacted Individual

As noted above, MACRA allows an assessment in the amount of up to $100 per potentially affected individual. We therefore proposed to draw on 42 CFR part 402 to specify the factors and circumstances that will be considered in determining the assessment amount per potentially affected individual.

We proposed at § 401.719(d)(5)(i)(A) that the following basic factors be considered in establishing the assessment amount per potentially affected individual: (1) The nature and extent of the violation; (2) the nature and extent of the harm or potential harm resulting from the violation; and (3) the degree of culpability and history of prior violations.

In addition, in considering these basic factors and determining the amount of the assessment per potentially affected individual, we proposed to take into account certain aggravating and mitigating circumstances.

We proposed at § 401.719(d)(5)(i)(B)(1) that CMS consider certain aggravating circumstances in determining the amount per potentially affected individual, including the following: Whether there were several types of violations, occurring over a lengthy period of time; whether there were many violations or the nature and circumstances indicate a pattern of violations; and whether the nature of the violation had the potential or actually resulted in harm to beneficiaries.

In addition, we proposed at § 401.719(d)(5)(i)(B)(2) that CMS take into account certain mitigating circumstances in determining the amount per potentially affected individual, including the following: Whether the violations subject to the imposition of an assessment were few in number, of the same type, and occurring within a short period of time, and/or whether the violation was the result of an unintentional and unrecognized error and the qualified entity took corrective steps immediately after discovering the error.

Comment: One commenter suggested that CMS allow the qualified entity to take corrective action in the case of a minor violation. Another commenter recommended that CMS impose a limit on the assessment amount because not specifying a maximum assessment amount could create a barrier to entry for entities interested in the program. One commenter stated they supported the statutorily set assessment of $100 per affected individual because it creates a strong incentives for excellent data security.

Response: We recognize the need for a corrective action process and have already established one at § 401.719(d)(1) through (3) that applies regardless of the amount of the assessment. We appreciate commenters concerns about creating a barrier for entry, but agree that allowing for an assessment of up to $100 per affected individual creates strong incentives for the qualified entity to ensure the privacy and security of the Medicare data. We believe the basic, aggravating, and mitigating circumstances provide CMS with the flexibility to set the assessment value appropriately given the nature of the violation and the qualified entity's history with violations.

3. Notice of Determination

We looked to the relevant provisions in 42 CFR part 402 and Section 1128A of the Act to frame proposals regarding the specific elements that would be included in the notice of determination. To that end, we proposed at § 401.719(d)(5)(ii) that the Secretary would provide notice of a determination to a qualified entity by certified mail with return receipt requested. The notice of determination would include information on (1) the assessment amount, (2) the statutory and regulatory bases for the assessment, (3) a description of the violations upon which the assessment was proposed, (4) information concerning response to the notice, and (5) the means by which the qualified entity must pay the assessment if they do not intend to request a hearing in accordance with procedures established at Section 1128A of the Act and implemented in 42 CFR part 1005. We did not receive any comments on this proposal so are finalizing it without modification.

4. Failure To Request a Hearing

We also looked to the relevant provisions in 42 CFR part 402 and section 1128A of the Act to inform our proposals regarding what happens when a hearing is not requested.Start Printed Page 44470

We proposed at § 401.719(d)(5)(iii) that an assessment will become final if a qualified entity does not request a hearing within 60 days of receipt of the notice of the proposed determination. At this point, CMS would impose the proposed assessment. CMS would notify the qualified entity, by certified mail with return receipt, of the assessment and the means by which the qualified entity may pay the assessment. Under these proposals, a qualified entity would not have the right to appeal an assessment unless it has requested a hearing within 60 days of receipt of the notice of the proposed determination. We did not receive any comments on these proposals so are finalizing them without modification.

5. When an Assessment Is Collectible

We again looked to the relevant provisions in 42 CFR part 402 and section 1128A of the Act to inform our proposed policies regarding when an assessment becomes collectible.

We proposed at § 401.719(d)(5)(iv) that an assessment becomes collectible after the earliest of the following situations: (1) On the 61st day after the qualified entity receives CMS's notice of proposed determination under § 401.719(d)(5)(ii), if the entity does not request a hearing; (2) immediately after the qualified entity abandons or waives its appeal right at any administrative level; (3) 30 days after the qualified entity receives the Administrative Law Judge's (ALJ) decision imposing an assessment under § 1005.20(d), if the qualified entity has not requested a review before the Department Appeal Board (DAB); or (4) 60 days after the qualified entity receives the DAB's decision imposing an assessment if the qualified entity has not requested a stay of the decision under § 1005.22(b). We did not receive any comments on this proposal so are finalizing it without modification.

6. Collection of an Assessment

We also looked to the relevant provisions in 42 CFR part 402 and section 1128A of the Act in framing our proposals regarding the collection of an Assessment.

We proposed at § 401.719(d)(5)(v) that CMS be responsible for collecting any assessment once a determination is made final by HHS. In addition, we proposed that the General Counsel may compromise an assessment imposed under this part, after consulting with CMS or Office of Inspector General (OIG), and the Federal government may recover the assessment in a civil action brought in the United States district court for the district where the claim was presented or where the qualified entity resides. We also proposed that the United States may deduct the amount of an assessment when finally determined, or the amount agreed upon in compromise, from any sum then or later owing the qualified entity. Finally, we proposed that matters that were raised or that could have been raised in a hearing before an ALJ or in an appeal under section 1128A(e) of the Act may not be raised as a defense in a civil action by the United States to collect an assessment. We did not receive any comments on these proposals so are finalizing them without modification.

F. Termination of Qualified Entity Agreement

We proposed at § 401.721(a)(7) that CMS may unilaterally terminate the qualified entity's agreement and trigger the data destruction requirements in the CMS DUA if CMS determines through our monitoring program at § 401.717(a) and (b) that a qualified entity or its contractor fails to monitor authorized users' compliance with the terms of their QE DUAs or non-public analysis use agreements. We stated in the proposed rule that we believe this proposed provision is consistent with the intent of MACRA to ensure the protection of data and analyses provided by qualified entities to authorized users under this subpart.

Comment: One commenter stated that CMS should have a violation corrections period prior to terminating a qualified entity. Another commenter recommended that CMS carefully monitor all aspects of the qualified entity program and related authorized user activities to minimize the risk of unintended consequences.

Response: We currently have a process in place to require qualified entities to develop a corrective action plan or to put qualified entities on a special monitoring plan if we determine that the qualified entity violated any terms of the program. In addition, we already have a number of mechanisms in place to monitor qualified entities participating in the program including audits, site visits, and required reporting. We believe the additional annual reporting elements described above will ensure that we can continue to monitor qualified entities appropriately given the changes to the program. As a result, we are finalizing our proposed language on termination of a qualified entity's agreement at § 401.721(a)(7).

G. Additional Data

Section 105(c) of MACRA expands, at the discretion of the Secretary, the data that the Secretary may make available to qualified entities, including standardized extracts of claims data under titles XIX (Medicaid) and XXI (the Children's Health Insurance Program, CHIP) for one or more specified geographic areas and time periods as may be requested by the qualified entity. However, due to issues involving Medicaid data submitted to CMS, including lack of data timeliness and overall data quality, we proposed not to expand the data available to qualified entities from CMS and instead suggested that qualified entities would be better off seeking Medicaid and/or CHIP data through the State Medicaid Agencies.

Comment: Many commenters recommended that CMS expand the data available to qualified entities to include Medicaid and CHIP data. These commenters noted the additional burden of having to request the data from each state individually. On the other hand, one commenter stated that they agreed with CMS' proposal not to expand access to Medicaid and/or CHIP data.

Response: As some commenters noted, we have been working with states to transform our Medicaid Statistical Information System (MSIS) to address concerns regarding data timeliness and quality. This is essential for the Medicaid program to keep pace with the data needed to improve quality of care, track enrollment and utilization of services, improve program integrity, and support states and other stakeholders need for information about Medicaid and CHIP. This new data set is known as Transformed MSIS (T-MSIS). The T-MSIS data set contains enhanced information about beneficiary eligibility, beneficiary and provider enrollment, service utilization, claims and managed care data, and expenditure data for Medicaid and CHIP. We are currently working with states to help them transition from MSIS to T-MSIS.

We recognize commenters' interest in accessing Medicaid and CHIP data from CMS rather than going to each state individually. We believe that T-MSIS can create a framework for CMS collection of Medicaid and CHIP data that addresses many of the concerns about the timeliness and quality of the MSIS data that we raised in the proposed rule. As a result, we anticipate future rulemaking to make Medicaid and CHIP data available to qualified entities when the T-MSIS data becomes available and is determined to be of sufficient quality for use in public provider performance reporting.

Comment: One commenter suggested that CMS also allow qualified entities to Start Printed Page 44471request access to Medicare Advantage data.

Response: We believe section 1874(e)(3) of the Act only allows for the disclosure of Medicare claims data under Parts A, B, and D, as well as Medicaid and/or CHIP claims data.

H. Qualified Clinical Data Registries

Section 105(b) of MACRA allows qualified clinical data registries to request access to Medicare data for the purposes of linking the data with clinical outcomes data and performing risk-adjusted, scientifically valid analyses, and research to support quality improvement or patient safety. The CMS research data disclosure policies already allow qualified clinical data registries to request Medicare data for research purposes. More information on accessing CMS data for research can be found on the ResDAC Web site at www.resdac.org. Given the existing research request processes and procedures, we proposed not to adopt any new policies or procedures regarding qualified clinical data registries' access to Medicare claims data for quality improvement or patient safety analyses.

Comment: Several commenters recommended that CMS offer qualified clinical data registries an alternative path to the research request process to allow them to access CMS data for quality improvement and patient safety activities. Commenters stated that qualified clinical data registries need data to conduct quality improvement activities that will improve patient care and that, in many cases, this work is not consistent with the research request process requirement that the work to contribute to generalizable knowledge.

Response: We recognize that the research request pathway may not be consistent with types of analyses qualified clinical data registries envision conducting using the CMS data. As a result, we are modifying the regulations to allow qualified clinical data registries to serve as quasi-qualified entities, provided the qualified clinical data registry agrees to meet all the requirements in this subpart with the exception of the requirement at § 401.707(d) that the organization submit information about the claims data it possesses from other sources. In addition, for the purposes of qualified clinical data registries acting as quasi qualified entities under the qualified entity program requirements, we define combined data as, at a minimum, a set of CMS claims data provided under subpart G combined with clinical data or a subset of clinical data. Since the language at section 105(b) of MACRA does not reference section 1874(e)(4)(d) of the Act, which provides parameters for the definition of combined data for the purposes of the qualified entity program, we do not believe these requirements for combined data apply to qualified clinical data registries serving as quasi qualified entities.

We believe that the requirements of the qualified entity program, which was created to allow for provider performance reporting, also create an appropriate framework for qualified clinical data registries to conduct analyses to support quality improvement and patient safety. In addition, we believe that the new parameters of the qualified entity program, discussed in detail above, would allow qualified clinical data registries to work directly with providers and suppliers on issues related to quality improvement and patient safety. Qualified clinical data registries could also elect to become qualified entities and work with providers and suppliers in accordance with applicable laws to develop new quality measures in the context of nonpublic analyses that could then be used across the healthcare system to measure provider and supplier performance.

Comment: Several commenters suggested that CMS make the Social Security Death Master File available to qualified clinical data registries to allow for enhanced accuracy of patient outcomes information.

Response: We recognize that death information is a key aspect of analyses of patient outcomes, but CMS does not have the authority to disclose the Social Security Death Master File to qualified clinical data registries. However, CMS has date of death information for Medicare patients and we include this date of death information on the data files that are shared with qualified entities and those that would be shared with qualified clinical data registries.

I. Other Comments

We received several additional suggestions for improvements to the program regarding topics that were not specifically discussed in the preamble to the proposed rule.

Comment: Several commenters raised issues related to qualified entity application process. One commenter suggested CMS make the application process and costs for becoming a qualified entity more transparent. A few commenters suggested that CMS offer qualified entities better technical assistance on the security certification step of the approval process. One commenter recommended that CMS streamline the application process for applicants that already have certifications or accreditations that demonstrate a high level of security.

Response: We thank commenters for their feedback on the qualified entity application process. We believe the issues raised by commenters on this topic are outside the scope of this final rule. However, we are always looking for ways to improve the program and will take these comments into consideration.

Comment: Some commenters addressed general program requirements of the qualified entity program. One commenter suggested that qualified entities that focus on certain clinical conditions should not have to meet the same threshold for amount of other claims data. Another commenter recommended that CMS allow state-level public reporting in the qualified entity program. A few commenters stated that CMS should provide qualified entities with access to timelier Medicare data. One commenter stated that some of the existing provisions in the CMS DUA conflict with requirements in HIPAA, specifically the requirement to destroy data if and when an organization leaves the program.

Response: We have not established a threshold for the minimum amount of other claims an organization needs to become a qualified entity. Instead, we ask applicants to explain how the data they do have for use in the qualified entity program will be adequate to address concerns about sample size and reliability that have been expressed by stakeholders regarding the calculation of performance measures from a single payer source. Each application is evaluated on its collective merit, including the amount of claims data from other sources, and its explanation of why that data in combination with the requested Medicare data is adequate for the stated purposes of the program.

We also do not prohibit qualified entities from publicly reporting their findings regarding provider and supplier performance at the state-level. Qualified entities are allowed to report on providers and suppliers at any level for which the measures can be used, provided the statutory and regulatory requirements are met, including that no patient information is disclosed.

We currently make data available to qualified entities on quarterly basis. We believe the timeliness of this data strikes the right balance between data completeness and data timeliness.

Finally, we do not believe that requirements in the CMS DUA are inconsistent with HIPAA. We use a very similar DUA to share data with HIPAA-Start Printed Page 44472covered providers and suppliers who are participating in Innovation Center models. We do recognize that some qualified entities may have trouble incorporating the Medicare data into their data systems because they may not be able to ensure the destruction of this data once it is linked with other data maintained by the qualified entity. However, we believe that requiring destruction of the data if a qualified entity leaves the program is important for ensuring the privacy and security of CMS data.

Comment: One commenter suggested that CMS clarify how FOIA may or may not apply to data or reports submitted by qualified entities. Another commenter recommended that CMS clarify how the changes to the qualified entity program intersect with other statutory and regulatory requirements.

Response: As we noted above, any information that we collect from qualified entities is subject to FOIA. However, any time we receive a request for information under FOIA, we always evaluate whether the information is subject to one of the FOIA exemptions, including Exemption 4, which protects commercial or financial information that is privileged and confidential.

We are not able to address the breadth and scope of laws with which the qualified entity program requirements may intersect in this rule. Such analyses require case-by-case assessment of the facts at hand, and depending on jurisdiction, may vary based on which state laws apply. Entities should consult with their legal counsel to advise them on what laws apply to them, and to what effect.

Comment: One commenter suggested that the release of Part D data to qualified entities should be tailored to protect the viability of the Part D program.

Response: We are committed to ensuring that commercially sensitive information from the Part D program is protected. As we stated in the previous final rule on the qualified entity program, published on December 7, 2011, we are aware of the concerns related to, and restrictions governing the release of certain Part D drug cost information. Due to these concerns, we only release the Total Drug Cost element to qualified entities. We do not release the four subcomponents of drug cost: Ingredient cost, dispensing fee, vaccine administration fee, and total amount attributable to sales tax.

Comment: One commenter stated that the rule does not address how states that have all payer claims databases (APCDs) can access Medicare data.

Response: We do not believe that state APCDs are prohibited from becoming qualified entities. However, state APCDs with an interest in conducting research rather than provider performance reporting can also request data from CMS via the research request process. Organizations interested in accessing CMS data for research should visit www.resdac.org.

Comment: One commenter stated that CMS should adopt a new version of the claims form that includes a field for unique device identifiers.

Response: This comment is outside the scope of the qualified entity rule. That said, CMS uses claims that comply with the HIPAA standard transactions regulations (45 CFR part 162). Any changes to forms would be achieved through rulemaking under those provisions.

Comment: Several commenters stated that they had concerns about the security of the Medicare data.

Response: We are committed to ensuring the privacy and security of all data and we believe the existing and new program requirements create an appropriate framework for maintaining the security of data disclosed to qualified entities. Organizations applying to become qualified entities currently go through a rigorous security review during the application process. In addition, we monitor qualified entities closely to ensure that they continue to maintain appropriate data security standards once approved. As discussed above, we have also established data security protections that qualified entities must meet when sharing data with authorized users, including a requirement that the authorized user report any breaches to the qualified entity (and that the qualified entity report the breaches to CMS).

Comment: Several commenters recommended that CMS clarify that organizations already approved as qualified entities would be allowed to begin using the Medicare data for the uses described in this final rule, regardless of whether the qualified entity has generated a public report.

Response: We would like to clarify that once these regulations become effective, organizations approved as qualified entities will be allowed to use the Medicare data to create non-public analyses and provide or sell such analyses to authorized users, as well provide or sell combined data, or provide Medicare claims data alone at no cost, to certain authorized users. However, we believe that public reporting is a very important aspect of participation in the qualified entity program and would like to remind qualified entities about the provision at § 401.709(d) which requires qualified entities to produce public reports at least annually.

III. Provisions of the Final Rule

For the most part, this final rule incorporates the provisions of the proposed rule. Those provisions of this final rule that differ from the proposed rule are as follows:

  • We modified the definition of authorized user at § 401.703(j) to: Include a federal agency, change the term “state agency” to “state entity” to provide additional clarity, and include any contractors (or business associates) that need analyses or data to carry out work on behalf of authorized user third parties.
  • We modified the definition of hospital association at § 401.703(n) to include organizations or associations at the local level.
  • At § 401.703(r), we modified the definition of patient to extend the window for a face-to-face or telehealth appointment to at least once in the past 24 months.
  • We added activities that qualify as treatment under 45 CFR 164.501 to permitted uses of the data subject to the QE DUA.
  • We modified the terms of the QE DUA to permit authorized users to re-disclose data subject to the QE DUA as a covered entity would be permitted to disclose PHI for treatment activities, as allowed under 45 CFR 164.506(c)(2).
  • At § 401.716(b)(2), we modified the requirements to clarify that a qualified entity may not provide or sell a non-public analysis to an issuer for a geographic area where the issuer does not provide coverage and, thus, does not have any covered lives to contribute to the analyses.
  • At § 401.716(b)(4)(iii), we allowed for the disclosure of non-public analyses that individually identify a provider or supplier if every provider or supplier identified in the analysis has notified the qualified entity that analyses may be disclosed to that authorized user without prior review by the provider or supplier.
  • We added a procedural step to the review and error correction process for non-public analyses at § 401.717(f) to include confidential notification of the provider or supplier.
  • We added a new provision at § 401.722(a) to allow a qualified clinical data registry that agrees to meet the requirements in this subpart, with the exception of the requirement to submit information on the claims data from other sources it possesses, to request Start Printed Page 44473access to Medicare data as a quasi-qualified entity.

IV. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995, we are required to provide 30-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995 requires that we solicit comment on the following issues:

  • The need for the information collection and its usefulness in carrying out the proper functions of our agency.
  • The accuracy of our estimate of the information collection burden.
  • The quality, utility, and clarity of the information to be collected.
  • Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

We solicited public comment on each of these issues for the following sections of this document that contain information collection requirements (ICRs).

Proposed § 401.718(c) and § 401.716(b)(2)(ii) require a qualified entity to enter into a QE DUA with an authorized user prior to providing or selling data or selling a non-public analyses that contains individually identifiable beneficiary information. Proposed § 401.713(d) requires specific provisions in the QE DUA. Proposed § 401.716(c) requires a qualified entity to enter into a non-public analyses agreement with the authorized user as a pre-condition to providing or selling de-identified analyses. We estimate that it will take each qualified entity a total of 40 hours to develop the QE DUA and non-public analyses agreement. Of the 40 hours, we estimate it will take a professional/technical services employee with an hourly labor cost of $75.08 a total of 20 hours to develop both the QE DUA and non-public analyses agreement and estimate that it will require a total of 20 hours of legal review at an hourly labor cost of $77.16 for both the QE DUA and non-public analyses agreement. We also estimate that it will take each qualified entity 2 hours to process and maintain each QE DUA or non-public analyses agreement with an authorized user by a professional/technical service employee with an hourly labor cost of $75.08. While there may be two different staff positions that perform these duties (one that is responsible for processing the QE DUAs and/or non-public analyses agreement and one that is responsible for maintaining the QE DUA and/or non-public analyses agreement), we believe that both positions would fall under the professional/technical services employee labor category with an hourly labor cost of $75.08. There are currently 15 qualified entities; however we estimate that number will increase to 20 if these proposals are finalized. This number includes qualified entities and “quasi qualified entities” (meaning qualified clinical data registries that are approved under § 401.722(a) as described in this preamble), which we hereinafter collectively refer to as “qualified entity”. This would mean that to develop each QE DUA and non-public analysis agreement, the burden cost per qualified entity would be $3,045 with a total estimated burden for all 15 qualified entities of $45,675. This does not include the two hours to process and maintain each QE DUA.

As discussed in the regulatory impact analysis below, we estimate that each qualified entity would need to process and maintain 70 QE DUAs or non-public analyses agreements as some authorized users may receive both datasets and a non-public analyses and would only need to execute one QE DUA. We estimate that it will take each qualified entity 2 hours to process and maintain each QE DUA or non-public analyses agreement. This would mean the burden cost per qualified entity to process and maintain 70 QE DUAs or non-public analyses agreements would be $10,511 with a total estimated burden for all 15 qualified entities of $157, 668. While we anticipate that the requirement to create a QE DUA and/or non-public analyses agreement will only be incurred once by a qualified entity, we believe that the requirement to process and maintain the QE DUAs and/or non-public analyses will be an ongoing cost.

These regulations would also require a qualified entity to submit additional information as part of its annual report to CMS. A qualified entity is currently required to submit an annual report to CMS under § 401.719(b). Proposed § 401.719(b)(3) and (4) provide for additional reporting requirements if a qualified entity chooses to provide or sell analyses and/or data to authorized users. The burden associated with this requirement is the time and effort necessary to gather, process, and submit the required information to CMS. As noted above, there are currently 15 qualified entities; however we estimate that number will increase to 20 if these proposals are finalized. Some qualified entities may not want to bear the risk of the potential assessments and have been able to accomplish their program goals under other CMS data sharing programs, therefore some qualified entities may not elect to provide or sell analyses and/or data to authorized users. As a result, we estimate that 15 qualified entities will choose to provide or sell analyses and/or data to authorized users, and therefore, would be required to comply with these additional reporting requirements within the first three years of the program. We further estimate that it would take each qualified entity 50 hours to gather, process, and submit the required information. We estimate that it will take each qualified entity 34 hours to gather the required information, 15 hours to process the information, and 1 hour to submit the information to CMS. We believe a professional or technical services employee of the qualified entity with an hourly labor cost of $75.08 will fulfill these additional annual report requirements. We estimate that 15 qualified entities will need to comply with this requirement and that the total estimated burden associated with this requirement is $56,310. We requested comment on the type of employee and the number of hours that will be needed to fulfill these additional annual reporting requirements.

As a reminder, the final rule for the qualified entity program, published December 7, 2011, included information about the burden associated with the provisions in that rule. Specifically, §§ 401.705 through 401.709 provide the application and reapplication requirements for qualified entities. The burden associated with these requirements is currently approved under OMB control number 0938-1144 with an expiration date of May 31, 2018. This package accounts for 35 responses. Section 401.713(a) states that as part of the application review and approval process, a qualified entity would be required to execute a DUA with CMS, that among other things, reaffirms the statutory bar on the use of Medicare data for purposes other than those referenced above. The burden associated with executing this DUA is currently approved under OMB control number 0938-0734 with an expiration date of December 31, 2017. This package accounts for 9,240 responses (this package covers all CMS DUAs, not only DUAs under the qualified entity program). We currently have 15 qualified entities and estimate it will increase to 20 so we have not surpassed the previously approved numbers.

We based the hourly labor costs on those reported by the Bureau of Labor Start Printed Page 44474Statistics (BLS) at http://data.bls.gov/​pdq/​querytool.jsp?​survey=​ce for this labor category. We used the annual rate for 2014 and added 100 percent for overhead and fringe benefit costs.

Table 1—Collection of Information

Regulation section(s)OMB Control No.Number of respondentsNumber of responses per respondentBurden per response (hours)Total annual burden (hours)Hourly labor cost of reporting ($) *Total labor cost of reporting ($)Total cost ($)
§ 401.718, § 401.716, and § 401.713 (DUA and non-public analyses agreement Development)0938 New1512030075.0822,52422,524
§ 401.718 and § 401.716 (Legal Review)0938 New1512030077.1623,14823,148
§ 401.718 and § 401.716 (Processing and Maintenance)0938 New157022,10075.08157,668157,668
§ 401.719(b)0938 New1515075075.0856,31056,310
Total15733,450259,650
* The values listed are based on 100 percent overhead and fringe benefit calculations.
Note: There are no capital/maintenance costs associated with the information collection requirements contained in this rule; therefore, we have removed the associated column from Table 1.

If you comment on these information collection and recordkeeping requirements, please submit your comments to the Office of Information and Regulatory Affairs, Office of Management and Budget,

Attention: CMS Desk Officer, CMS-5061-F

Fax: (202) 395-6974; or

Email: OIRA_submission@omb.eop.gov

V. Regulatory Impact Statement

In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget.

A. Response to Comments

We received a few comments on the anticipated effects of these modifications to the qualified entity program.

Comment: One commenter suggested that it would take each qualified entity an estimated 60 hours to develop and review the QE DUA and non-public analyses agreement. Of those 60 hours, 30 hours would be to develop the QE DUA and non-public analyses agreement and 30 would be needed for legal review. In addition, the commenter estimated that it would take each qualified entity 3 hours to process and maintain each QE DUA and non-public analyses agreement.

Response: In the proposed rule, we estimated that it would take each qualified entity 40 hours to develop and review the QE DUA and non-public analyses agreement. Of those 40 hours, 20 hours would be needed to develop the QE DUA and non-public analyses agreement and 20 hours would be needed for legal review. We also estimated that it would take 2 hours to process and maintain each QE DUA and non-public analyses agreement. We recognize that some qualified entities may spend more hours than other qualified entities to develop, process, and maintain QE DUAs and non-public analyses agreements. For example, some qualified entities may spend 60 hours to develop the QE DUA and non-public analyses agreement and other qualified entities will spend 30 hours. However, we believe that 40 hours to develop the QE DUA and the non-public analyses agreement and 2 hours to process each QE DUA and the non-public analyses agreement is a reasonable average.

Comment: We received a few comments about the impact on providers and suppliers. One commenter suggested that CMS reconsider the assumption that all 1500 small rural hospitals would not be impacted by this rule and that the 3 hour average estimate for providers and suppliers to review non-public analyses appears too low. Another commenter suggested that CMS monitor provider burden as expanded data access unfolds and the number of qualified entities and authorized users begin to grow.

Response: We appreciate commenters' concerns about the potential impact on providers and suppliers. As discussed above in section II.A.4, we made procedural changes to the proposed review and corrections process for non-public analyses in order to reduce burden to both qualified entities and providers and suppliers. As a first step of the review and correction process, the qualified entity would be required to notify the provider or supplier that analyses that individually identify the provider or supplier are going to be released to an authorized user and allow the provider or supplier to opt-in to the review and corrections process at § 401.717(a) through (e). This notification should include a short summary of the analyses, the process for the provider or supplier to request the analyses, and the date on which the qualified entity will release the analyses to the authorized user. This date should be at least 65 calendar days from the date the provider or supplier is notified of the analyses.

Given these procedural changes to the review and corrections process in the context of the non-public analyses, we believe that the 3 hours average estimate for providers and suppliers to review non-public analyses is a sufficient estimate of provider and supplier burden. This average takes into account the range of potential cases given the new review and corrections process. In some cases, for example, notification may be sufficient to meet the needs of providers or suppliers. In other cases, however, where the analyses are similar to previous analyses or use data the provider or supplier has already corrected, the provider or supplier may choose not to review the analyses. In addition, as discussed in the proposed rule, even if a provider or supplier requests the non-public analyses, there will be variability in the amount of time providers or suppliers will need for the review and corrections process.

As discussed in the proposed rule, we do not anticipate this rule will have a significant impact on the operations of a substantial number of small rural hospitals because we anticipate that most qualified entities will focus their performance evaluation efforts on metropolitan areas where the majority of health services are provided. In addition, given the limited number of health services provided in rural regions, we anticipate that any analyses that included rural regions would not individually identify the providers or suppliers, but rather focus on regional or state metrics. As suggested by a commenter, we will monitor provider burden as the number of qualified Start Printed Page 44475entities grows and more non-public analyses are provided to authorized users.

B. Overall Impact

We have examined the impacts of this rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), the Regulatory Flexibility Act (RFA) (September 19, 1980, 96), section 1102(b) of the Act, section 202 of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C. 804(2)).

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). For the reasons discussed below, we estimate that the total impact of this final rule will be less than $58 million and therefore, it will not reach the threshold for economically significant effects and is not considered a major rule.

The RFA requires agencies to analyze options for regulatory relief of small businesses, if a rule has a significant impact on a substantial number of small entities. For purposes of the RFA, we estimate that most hospitals and most other providers are small entities as that term is used in the RFA (including small businesses, nonprofit organizations, and small governmental jurisdictions). However, since the total estimated impact of this rule is less than $100 million, and the total estimated impact will be spread over 82,500 providers and suppliers (who are the subject of reports), no one entity will face significant impact. Of the 82,500 providers, we estimate that 78,605 will be physician offices that have average annual receipts of $11 million and 4,125 will be hospitals that have average annual receipts of $38.5 million. As discussed below, the estimated cost per provider is $8,426 (see table 5 below) and the estimated cost per hospital is $6,523 (see table 5 below). For both types of entities, these costs will be a very small percentage of overall receipts. Thus, we are not preparing an analysis of options for regulatory relief of small businesses because we have determined that this rule will not have a significant economic impact on a substantial number of small entities.

For section 105(a) of MACRA, we estimate that two types of entities may be affected by the additional program opportunities: Qualified entities that choose to provide or sell non-public analyses or data to authorized users; and providers and suppliers who are identified in the non-public analyses create by qualified entities and provided or sold to authorized users.

We anticipate that most providers and suppliers that may be identified in qualified entities' non-public analyses will be hospitals and physicians. Many hospitals and most other healthcare providers and suppliers are small entities, either by being nonprofit organizations or by meeting the Small Business Administration definition of a small business (having revenues of less than $38.5 million in any 1 year) (for details see the Small Business Administration's Web site at https://www.sba.gov/​sites/​default/​files/​files/​Size_​Standards_​Table.pdf (refer to the 620000 series). For purposes of the RFA, physicians are considered small businesses if they generate revenues of $11 million or less based on Small Business Administration size standards. Approximately 95 percent of physicians are considered to be small entities.

The analysis and discussion provided in this section and elsewhere in this final rule complies with the RFA requirements. Because we acknowledge that many of the affected entities are small entities, the analysis discussed throughout the preamble of this final rule constitutes our regulatory flexibility analysis for the remaining provisions and addresses comments received on these issues.

In addition, section 1102(b) of the Act requires us to prepare a regulatory impact analysis, if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. Any such regulatory impact analysis must conform to the provisions of section 604 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a metropolitan statistical area and has fewer than 100 beds. We do not believe this final rule has impact on significant operations of a substantial number of small rural hospitals because we anticipate that most qualified entities will focus their performance evaluation efforts on metropolitan areas where the majority of health services are provided. As a result, this rule will not have a significant impact on small rural hospitals. Therefore, the Secretary has determined that this final rule will not have a significant impact on the operations of a substantial number of small rural hospitals.

Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of $100 million in 1995 dollars, updated annually for inflation. In 2016, that threshold is approximately $146 million. This final rule will not impose spending costs on state, local, or tribal governments in the aggregate, or by the private sector, of $146 million or more. Specifically, as explained below we anticipate the total impact of this rule on all parties to be approximately $58 million.

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. We have examined this final rule in accordance with Executive Order 13132 and have determined that this regulation will not have any substantial direct effect on State or local governments, preempt States, or otherwise have a Federalism implication.

C. Anticipated Effects

1. Impact on Qualified Entities

Because section 105(a) of MACRA allows qualified entities to use the data in new ways to provide or sell non-public analyses or data to authorized users, there is little quantitative information to inform our estimates on the number of analyses and datasets that the qualified entity costs may provide or sell or on the costs associated with the creation of the non-public analyses or datasets. Therefore, we look to the estimates from the original qualified entity rules to estimate the number of hours that it may take to create non-public analyses, to process provider/supplier appeals and revisions, and to complete annual reports. We also looked to the Centers for Medicare and Medicaid's cost of providing data to qualified entities since qualified entities' data fees are equal to the government's cost to make the data available.

There are currently 15 qualified entities and these qualified entities all are in different stages of the qualified entity program. For example, some qualified entities have released public reports and some qualified entities are Start Printed Page 44476still completing the security requirements in order to receive Medicare data. Given the requirements in the different phases and the current status of the qualified entities, we estimate that 11 qualified entities will be able to provide or sell analyses and/or data to authorized users within the first year of the program, and therefore, will be incurring extra costs. As discussed above, we believe the total number of qualified entities will ultimately grow to 20 in subsequent years, with 15 entities providing or selling analyses and/or data to authorized users. In estimating qualified entity impacts, we used hourly labor costs in several labor categories reported by the Bureau of Labor Statistics (BLS) at http://data.bls.gov/​pdq/​querytool.jsp?​survey=​ce. We used the annual rates for 2014 and added 100 percent for overhead and fringe benefit costs. These rates are displayed in Table 2.

Table 2—Labor Rates for Qualified Entity Impact Estimates

2014 Hourly wage rate (BLS)OH and fringe (100%)Total hourly costs
Professional and technical services$37.54$37.54$75.08
Legal review38.5838.5877.16
Custom computer programming43.0543.0586.10
Data processing and hosting34.0234.0268.04
Other information services39.7239.7279.44

We estimate that within the first year that 11 qualified entities will provide or sell on average 55 non-public analyses or provide or sell 35 datasets. We do not believe the number of datasets and non-public analyses per qualified entity will change in future years of the program.

In the original proposed rule for the qualified entity program (76 FR 33566), we estimated that each qualified entities' activities to analyze the Medicare claims data, calculate performance measures and produce public provider performance reports will require 5,500 hours of effort per qualified entity. We anticipate under this final rule that implements section 105(a) of MACRA that qualified entities will base the non-public analyses on their public performance reports. Therefore, the creation of the non-public analyses will require much less effort and only require a fraction of the time it takes to produce the public reports. We estimate that a qualified entity's activities for each non-public analysis to analyze the Medicare claims data, calculate performance measures, and produce the report will require 320 hours, between five and six percent of the time to produce the public reports. We anticipate that half of this time will be spent on data analysis, measure calculation, and report creation and the other half on data processing.

We anticipate that within the first year of the program a qualified entity will, on average, provide one-year datasets containing all data types for a cohort of 750,000 to 1.75 million beneficiaries to 35 authorized users. We estimate that it will require 226 hours to create each dataset that will be provided to an authorized user. We looked to the Centers for Medicare and Medicaid Centers' data costs and time to estimate a qualified entity's costs and time to create datasets. While the majority of the time will be devoted to computer processing, we anticipate about 100 hours will be spent on computer programming, particularly if the qualified entity is de-identiying the data.

We further estimate that, on average, each qualified entity will expend 7,500 hours of effort processing providers' and suppliers' appeals of their performance reports and producing revised reports, including legal review of the appeals and revised reports. These estimates assume that, as discussed below in the section on provider and supplier impacts, on average 25 percent of providers and suppliers will appeal their results from a qualified entity. Responding to these appeals in an appropriate manner will require a significant investment of time on the part of qualified entities. This equates to an average of four hours per appeal for each qualified entity. These estimates are similar to those in the Qualified Entities final rule. We assume that the complexity of appeals will vary greatly, and as such, the time required to address them will also vary greatly. Many appeals may be able to be dealt with in an hour or less while some appeals may require multiple meetings between the qualified entity and the affected provider or supplier. On average, however, we believe that this is a reasonable estimate of the burden of the appeals process on qualified entities. We discuss the burden of the appeals process on providers and suppliers below.

We estimate that each qualified entity will spend 40 hours creating a non-public analyses agreement template and a QE DUA. We also estimate that it will take a qualified entity 2 hours to process a QE DUA or non-public analyses agreement.

Finally, we estimate that each qualified entity will spend 50 hours on the additional annual reporting requirements.

Qualified entities will be required to notify CMS of inappropriate disclosures or use of beneficiary identifiable data pursuant to the requirements in the CMS DUA. We believe that the report generated in response to an inappropriate disclosure or use of beneficiary identifiable data will be generated as a matter of course by the qualified entities and therefore, will not require significant additional effort. Based on the assumptions we have described, we estimate the total impact on qualified entities for the first year of the program to be a cost of $27,925,198.Start Printed Page 44477

Table 3—Impact on Qualified Entities for the First Year of the Program

ActivityHoursLabor hourly costCost per authorized userNumber of authorized usersNumber of qualified entitiesTotal cost impact
Professional and technicalLegalComputer programmingData processsing and hosting
[Impact on Qualified Entities]
Dissemination of Data
Data processing & hosting126$68.04$8,5733511$3,300,620
Computer programming10086.108,61035113,314,850
Total: Dissemination of Data$6,615,470
Non-Public Analyses
Data analysis/measure calculation/report preparation16086.1013,77655118,334,480
Data Processing and hosting16068.0410,88655116,586,272
Total: Non-public Analyses14,920,752
Processing of Provider Appeals and Report Revision
Qualified entity processing of provider appeals and report revision5,50075.08412,940114,542,340
Qualified entity legal analysis of provider appeals and report revisions2,00077.16154,320111,697,520
Total: Qualified entity processing of provider appeals and report revision6,239,860
QE DUA and Non-Public Analyses Agreements
QE DUA and Non-public analyses:
Development of the QE DUA and non-public analyses agreement2075.0815021116,518
Legal review of the QE DUA and non-public analyses agreement2077.161,5431116,975
Processing QE DUA and non-public analyses agreement275.081507011115,623
Total QE DUA and non-public analyses agreements149,116
Additional Annual Report Requirements5075.083,7541141,294
Total qualified entity Impacts27,966,492

2. Impact on Healthcare Providers and Suppliers

We note that numerous healthcare payers, community quality collaboratives, States, and other organizations are producing performance measures for healthcare providers and suppliers using data from other sources, and that providers and suppliers are already receiving performance reports from these sources. We anticipate that the review of non-public analyses will merely be added to those existing efforts to improve the statistical validity of the measure findings.

Table 4 reflects the hourly labor rates used in our estimate of the impacts of the first year of section 105(a) of MACRA on healthcare providers and suppliers.

Table 4—Labor Rates for Provider and Supplier Impact Estimates

2014 Hourly wage rate (BLS)Overhead and fringe benefits (100%)Total hourly costs
Physicians' offices$38.27$38.27$76.54
Hospitals29.6529.6559.30
Start Printed Page 44478

We anticipate that the impacts on providers and suppliers consist of costs to review the performance reports generated by qualified entities and, if they choose, appeal the performance calculations. We believe, on average, each qualified entity will produce non-public analyses that in total include information on 7,500 health providers and suppliers. This is based on estimates in the qualified entity final rule, but also include an increase of 50 percent because we believe that more providers and suppliers will be included in the non-public analyses. We anticipate that the largest proportion of providers and suppliers will be physicians because they comprise the largest group of providers and suppliers, and are a primary focus of many recent performance evaluation efforts. We also believe that many providers and suppliers will be the recipients of the non-public analyses in order to support their own performance improvement activities, and therefore, there will be no requirement for a correction or appeals process. As discussed above, there is no requirement for a corrections or appeals process where the analysis only individually identifies the (singular) provider or supplier who is being provided or sold the analysis. Based on our review of information from existing programs, we assume that 95 percent of the recipients of performance reports (that is, an average of 7,125 per qualified entity) will be physicians, and 5 percent (that is, an average of 375 per qualified entity) will be hospitals and other suppliers. Providers and suppliers receive these reports with no obligation to review them, but we assume that most will do so to verify that their calculated performance measures reflect their actual patients and health events. Because these non-public analyses will be based on the same underlying data as the public performance reports, we estimate that it will take less time for providers or suppliers to review these analyses and generate an appeal. We estimate that, on average, each provider or supplier will devote three hours to reviewing these analyses. We also estimate that 25 percent of the providers and suppliers will decide to appeal their performance calculations, and that preparing the appeal will involve an average of seven hours of effort on the part of a provider or supplier. As with our assumptions regarding the level of effort required by qualified entities in operating the appeals process, we believe that this average covers a range of provider efforts from providers who will need just one or two hours to clarify any questions or concerns regarding their performance reports to providers who will devote significant time and resources to the appeals process.

Using the hourly costs displayed in Table 4, the impacts on providers and suppliers are calculated below in Table 5. Based on the assumptions we have described, we estimate the total impact on providers for the first year of the program to be a cost of $29,690,386.

As stated above in Table 3, we estimate the total impact on qualified entities to be a cost of $27,966,492. Therefore, the total impact on qualified entities and on providers and suppliers for the first year of the program is estimated to be $57,656,878.

Table 5—Impact on Providers and Suppliers for the First Year of the Program

ActivityHours per providerLabor hourly costCost per providerNumber of providers per qualified entityNumber of qualified entitiesTotal cost impact
Physician officesHospitals
[Impact on Providers and Suppliers]
Physician office review of performance reports3$76.54$2307,12511$18,026,250
Hospital review of performance reports359.3017837511734,250
Physician office preparing and submitting appeal requests to qualified entities776.545361,7811110,500,776
Hospital preparing and submitting appeal requests to qualified entities759.304159411429,110
Total Impact on Providers and Suppliers29,690,386

D. Alternatives Considered

The statutory provisions added by section 105(a) of MACRA are detailed and prescriptive about the permissible uses of the data under the Qualified Entity Program. We believe there are limited approaches that will ensure statutory compliance. We considered less prescriptive requirements on the provisions that will need to be included in the agreements between qualified entities and authorized users that received or purchased analyses or data. For example, we could have required less strenuous data privacy and security protections such as not setting a minimum standard for protection of beneficiary identifiable data or non-public analyses. In addition, we could have reduced additional restrictions on re-disclosure or permitted data or analyses to be re-disclosed to additional downstream users. While these approaches might reduce costs for qualified entities, we did not adopt such an approach because of the importance of protecting beneficiary data. We believe if we do not require qualified entities to provide sufficient evidence of data privacy and security protection capabilities, there will be increased risks related to the protection of beneficiary identifiable data.

E. Conclusion

As explained above, we estimate the total impact for the first year of the program on qualified entities and providers to be a cost of $57,656,878. While we anticipate the number of qualified entities to increase slightly, we do not anticipate significant growth in the qualified entity program given the qualified entity program requirements, as well as other existing programs that allow entities to obtain Medicare data. Based on these estimates, we conclude this final rule does not reach the threshold for economically significant effects and thus is not considered a major rule.

In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget.

Start List of Subjects Start Printed Page 44479

List of Subjects in 42 CFR Part 401

  • Claims
  • Freedom of information
  • Health facilities
  • Medicare
  • Privacy
End List of Subjects

For the reasons set forth in the preamble, the Centers for Medicare & Medicaid Services amends 42 CFR part 401 as set forth below:

Start Part

PART 401—GENERAL ADMINISTRATIVE REQUIREMENTS

End Part Start Amendment Part

1. The authority citation for part 401 is revised to read as follows:

End Amendment Part Start Authority

Authority: Secs. 1102, 1871, and 1874(e) of the Social Security Act (42 U.S.C. 1302, 1395hh, and 1395w-5) and sec. 105, Pub. L. 114-10, 129 Stat. 87.

End Authority Start Amendment Part

2. Section 401.703 is amended by adding paragraphs (j) through (u) to read as follows:

End Amendment Part
Definitions.
* * * * *

(j) Authorized user is a third party and its contractors (including, where applicable, business associates as that term is defined at 45 CFR 160.103) that need analyses or data covered by this section to carry out work on behalf of that third party (meaning not the qualified entity or the qualified entity's contractors) to whom/which the qualified entity provides or sells data as permitted under this subpart. Authorized user third parties are limited to the following entities:

(1) A provider.

(2) A supplier.

(3) A medical society.

(4) A hospital association.

(5) An employer.

(6) A health insurance issuer.

(7) A healthcare provider and/or supplier association.

(8) A state entity.

(9) A federal agency.

(k) Employer has the same meaning as the term “employer” as defined in section 3(5) of the Employee Retirement Insurance Security Act of 1974.

(l) Health insurance issuer has the same meaning as the term “health insurance issuer” as defined in section 2791 of the Public Health Service Act.

(m) Medical society means a nonprofit organization or association that provides unified representation and advocacy for physicians at the national or state level and whose membership is comprised of a majority of physicians.

(n) Hospital association means a nonprofit organization or association that provides unified representation and advocacy for hospitals or health systems at a national, state, or local level and whose membership is comprised of a majority of hospitals and health systems.

(o) Healthcare Provider and/or Supplier Association means a nonprofit organization or association that provides unified representation and advocacy for providers and suppliers at the national or state level and whose membership is comprised of a majority of suppliers or providers.

(p) State Entity means any office, department, division, bureau, board, commission, agency, institution, or committee within the executive branch of a state government.

(q) Combined data means, at a minimum, a set of CMS claims data provided under this subpart combined with claims data, or a subset of claims data from at least one of the other claims data sources described in § 401.707(d).

(r) Patient means an individual who has visited the provider or supplier for a face-to-face or telehealth appointment at least once in the past 24 months.

(s) Marketing means the same as the term “marketing” at 45 CFR 164.501 without the exception to the bar for “consent” based marketing.

(t) Violation means a failure to comply with a requirement of a CMS DUA (CMS data use agreement) or QE DUA (qualified entity data use agreement).

(u) Required by law means the same as the phrase “required by law” at 45 CFR 164.103.

Start Amendment Part

3. Section 401.713 is amended by revising paragraph (a) and adding paragraph (d) to read as follows:

End Amendment Part
Ensuring the privacy and security of data.

(a) Data use agreement between CMS and a qualified entity. A qualified entity must comply with the data requirements in its data use agreement with CMS (hereinafter the CMS DUA). Contractors (including, where applicable, business associates) of qualified entities that are anticipated to have access to the Medicare claims data or beneficiary identifiable data in the context of this program are also required to execute and comply with the CMS DUA. The CMS DUA will require the qualified entity to maintain privacy and security protocols throughout the duration of the agreement with CMS, and will ban the use or disclosure of Medicare data or any derivative data for purposes other than those set out in this subpart. The CMS DUA will also prohibit the use of unsecured telecommunications to transmit such data, and will specify the circumstances under which such data must be stored and may be transmitted.

* * * * *

(d) Data use agreement between a qualified entity and an authorized user. In addition to meeting the other requirements of this subpart, and as a pre-condition of selling or disclosing any combined data or any Medicare claims data (or any beneficiary-identifiable derivative data of either kind) and as a pre-condition of selling or disclosing non-public analyses that include individually identifiable beneficiary data, the qualified entity must enter a DUA (hereinafter the QE DUA) with the authorized user. Among other things laid out in this subpart, such QE DUA must contractually bind the authorized user (including any contractors or business associates described in the definition of authorized user) to the following:

(1)(i) The authorized user may be permitted to use such data and non-public analyses in a manner that a HIPAA Covered Entity could do under the following provisions:

(A) Activities falling under paragraph (1) of the definition of “health care operations” under 45 CFR 164.501: Quality improvement activities, including care coordination activities and efforts to track and manage medical costs; patient-safety activities; population-based activities such as those aimed at improving patient safety, quality of care, or population health, including the development of new models of care, the development of means to expand coverage and improve access to healthcare, the development of means of reducing healthcare disparities, and the development or improvement of methods of payment or coverage policies.

(B) Activities falling under paragraph (2) of the definition of “health care operations” under 45 CFR 164.501: Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.

(C) Activities that qualify as “fraud and abuse detection or compliance activities” under 45 CFR 164.506(c)(4)(ii).

(D) Activities that qualify as “treatment” under 45 CFR 164.501.

(ii) All other uses and disclosures of such data and/or such non-public analyses must be forbidden except to the extent a disclosure qualifies as a “required by law” disclosure as defined at 45 CFR 164.103.Start Printed Page 44480

(2) The authorized user is prohibited from using or disclosing the data or non-public analyses for marketing purposes as defined at § 401.703(s).

(3) The authorized user is required to ensure adequate privacy and security protection for such data and non-public analyses. At a minimum, regardless of whether the authorized user is a HIPAA covered entity, such protections of beneficiary identifiable data must be at least as protective as what is required of covered entities and their business associates regarding protected health information (PHI) under the HIPAA Privacy and Security Rules. In all cases, these requirements must be imposed for the life of such beneficiary identifiable data or non-public analyses and/or any derivative data, that is until all copies of such data or non-public analyses are returned or destroyed. Such duties must be written in such a manner as to survive termination of the QE DUA, whether for cause or not.

(4) Except as provided for in paragraph (d)(5) of this section, the authorized user must be prohibited from re-disclosing or making public any such data or non-public analyses.

(5)(i) At the qualified entity's discretion, it may permit an authorized user that is a provider as defined in § 401.703(b) or a supplier as defined in § 401.703(c), to re-disclose such data and non-public analyses as a covered entity will be permitted to disclose PHI under 45 CFR 164.506(c)(4)(i), under 45 CFR 164.506(c)(2), or under 45 CFR 164.502(e)(1).

(ii) All other uses and disclosures of such data and/or such non-public analyses is forbidden except to the extent a disclosure qualifies as a “required by law” disclosure.

(6) Authorized users who/that receive the beneficiary de-identified combined data or Medicare data as contemplated under § 401.718 are contractually prohibited from linking the beneficiary de-identified data to any other identifiable source of information, and must be contractually barred from attempting any other means of re-identifying any individual whose data is included in such data.

(7) The QE DUA must bind authorized user(s) to notifying the qualified entity of any violations of the QE DUA, and it must require the full cooperation of the authorized user in the qualified entity's efforts to mitigate any harm that may result from such violations, or to comply with the breach provisions governing qualified entities under this subpart.

Start Amendment Part

4. Section 401.716 is added to read as follows:

End Amendment Part
Non-public analyses.

(a) General. So long as it meets the other requirements of this subpart, and subject to the limits in paragraphs (b) and (c) of this section, the qualified entity may use the combined data to create non-public analyses in addition to performance measures and provide or sell these non-public analyses to authorized users (including any contractors or business associates described in the definition of authorized user).

(b) Limitations on a qualified entity. In addition to meeting the other requirements of this subpart, a qualified entity must comply with the following limitations as a pre-condition of dissemination or selling non-public analyses to an authorized user:

(1) A qualified entity may only provide or sell a non-public analysis to a health insurance issuer as defined in § 401.703(l), after the health insurance issuer or a business associate of that health insurance issuer has provided the qualified entity with claims data that represents a majority of the health insurance issuer's covered lives, using one of the four methods of calculating covered lives established at 26 CFR 46.4375-1(c)(2), for the time period and geographic region covered by the issuer-requested non-public analyses. A qualified entity may not provide or sell a non-public analysis to a health insurance issuer if the issuer does not have any covered lives in the geographic region covered by the issuer-requested non-public analysis.

(2) Analyses that contain information that individually identifies one or more beneficiaries may only be disclosed to a provider or supplier (as defined at § 401.703(b) and (c)) when both of the following conditions are met:

(i) The analyses only contain identifiable information on beneficiaries with whom the provider or supplier have a patient relationship as defined at § 401.703(r).

(ii) A QE DUA as defined at § 401.713(d) is executed between the qualified entity and the provider or supplier prior to making any individually identifiable beneficiary information available to the provider or supplier.

(3) Except as specified under paragraph (b)(2) of this section, all analyses must be limited to beneficiary de-identified data. Regardless of the HIPAA covered entity or business associate status of the qualified entity and/or the authorized user, de-identification must be determined based on the standards for HIPAA covered entities found at 45 CFR 164.514(b).

(4) Analyses that contain information that individually identifies a provider or supplier (regardless of the level of the provider or supplier, that is, individual clinician, group of clinicians, or integrated delivery system) may not be disclosed unless one of the following three conditions apply:

(i) The analysis only individually identifies the provider or supplier that is being supplied the analysis.

(ii) Every provider or supplier individually identified in the analysis has been afforded the opportunity to appeal or correct errors using the process at § 401.717(f).

(iii) Every provider or supplier individually identified in the analysis has notified the qualified entity, in writing, that analyses can be disclosed to the authorized user without first going through the appeal and error correction process at § 401.717(f).

(c) Non-public analyses agreement between a qualified entity and an authorized user for beneficiary de-identified non-public analyses disclosures. In addition to the other requirements of this subpart, a qualified entity must enter a contractually binding non-public analyses agreement with the authorized user (including any contractors or business associates described in the definition of authorized user) as a pre-condition to providing or selling de-identified analyses. Such non-public analyses agreement must contain the following provisions:

(1) The authorized user may not use the analyses or derivative data for the following purposes:

(i) Marketing, as defined at § 401.703(s).

(ii) Harming or seeking to harm patients or other individuals both within and outside the healthcare system regardless of whether their data are included in the analyses.

(iii) Effectuating or seeking opportunities to effectuate fraud and/or abuse in the healthcare system.

(2) If the authorized user is an employer as defined in § 401.703(k), the authorized user may only use the analyses or derivative data for purposes of providing health insurance to employees, retirees, or dependents of employees or retirees of that employer.

(3)(i) At the qualified entity's discretion, it may permit an authorized user that is a provider as defined in § 401.703(b) or a supplier as defined in § 401.703(c), to re-disclose the de-identified analyses or derivative data, as a covered entity will be permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).

(ii) All other uses and disclosures of such data and/or such non-public Start Printed Page 44481analyses is forbidden except to the extent a disclosure qualifies as a “required by law” disclosure.

(4) If the authorized user is not a provider or supplier, the authorized user may not re-disclose or make public any non-public analyses or derivative data except as required by law.

(5) The authorized user may not link the de-identified analyses to any other identifiable source of information and may not in any other way attempt to identify any individual whose de-identified data is included in the analyses.

(6) The authorized user must notify the qualified entity of any DUA violations, and it must fully cooperate with the qualified entity's efforts to mitigate any harm that may result from such violations.

Start Amendment Part

5. Section 401.717 is amended by adding paragraph (f) to read as follows:

End Amendment Part
Provider and supplier requests for error correction.
* * * * *

(f) A qualified entity must comply with the following requirements before disclosing non-public analyses, as defined at § 401.716, which contain information that individually identifies a provider or supplier:

(1) A qualified entity must confidentially notify a provider or supplier that non-public analyses that individually identify the provider or supplier are going to be released to an authorized user at least 65 calendar days before disclosing the analyses. This confidential notification must include a short summary of the analyses (including the measures calculated), the process for the provider or supplier to request the analyses, the authorized users receiving the analyses, and the date on which the qualified entity will release the analyses to the authorized user.

(2) A qualified entity must allow providers and suppliers the opportunity to opt-in to the review and correction process as defined in paragraphs (a) through (e) of this section, anytime during the 65 calendar days. If a provider or supplier chooses to opt-in to the review and correction process more than 5 days into the notification period, the time for the review and correction process is shortened from 60 days to the number of days between the provider or supplier opt-in date and the release date specified in the confidential notification.

Start Amendment Part

6. Section 401.718 is added to read as follows:

End Amendment Part
Dissemination of data.

(a) General. Subject to the other requirements in this subpart, the requirements in paragraphs (b) and (c) of this section and any other applicable laws or contractual agreements, a qualified entity may provide or sell combined data or provide Medicare data at no cost to authorized users defined at § 401.703(b), (c), (m), and (n).

(b) Data— (1) De-identification. Except as specified in paragraph (b)(2) of this section, any data provided or sold by a qualified entity to an authorized user must be limited to beneficiary de-identified data. De-identification must be determined based on the de-identification standards for HIPAA covered entities found at 45 CFR 164.514(b).

(2) Exception. If such disclosure will be consistent with all applicable laws, data that individually identifies a beneficiary may only be disclosed to a provider or supplier (as defined at § 401.703(b) and (c)) with whom the identifiable individuals in such data have a current patient relationship as defined at § 401.703(r).

(c) Data use agreement between a qualified entity and an authorized user. A qualified entity must contractually require an authorized user to comply with the requirements in § 401.713(d) prior to providing or selling data to an authorized user under § 401.718.

Start Amendment Part

7. Section 401.719 is amended by adding paragraphs (b)(3) and (4) and (d)(5) to read as follows:

End Amendment Part
Monitoring and sanctioning of qualified entities.
* * * * *

(b) * * *

(3) Non-public analyses provided or sold to authorized users under this subpart, including the following information:

(i) A summary of the analyses provided or sold, including—

(A) The number of analyses.

(B) The number of purchasers of such analyses.

(C) The types of authorized users that purchased analyses.

(D) The total amount of fees received for such analyses.

(E) QE DUA or non-public analyses agreement violations.

(ii) A description of the topics and purposes of such analyses.

(iii) The number of analyses disclosed with unresolved requests for error correction.

(4) Data provided or sold to authorized users under this subpart, including the following information:

(i) The entities who received data.

(ii) The basis under which each entity received such data.

(iii) The total amount of fees received for providing, selling, or sharing the data.

(iv) QE DUA violations.

* * * * *

(d) * * *

(5) In the case of a violation, as defined at § 401.703(t), of the CMS DUA or the QE DUA, CMS will impose an assessment on a qualified entity in accordance with the following:

(i) Amount of assessment. CMS will calculate the amount of the assessment of up to $100 per individual entitled to, or enrolled for, benefits under part A of title XVIII of the Social Security Act or enrolled for benefits under Part B of such title whose data was implicated in the violation based on the following:

(A) Basic factors. In determining the amount per impacted individual, CMS takes into account the following:

(1) The nature and the extent of the violation.

(2) The nature and the extent of the harm or potential harm resulting from the violation.

(3) The degree of culpability and the history of prior violations.

(B) Criteria to be considered. In establishing the basic factors, CMS considers the following circumstances:

(1) Aggravating circumstances. Aggravating circumstances include the following:

(i) There were several types of violations occurring over a lengthy period of time.

(ii) There were many of these violations or the nature and circumstances indicate a pattern of violations.

(iii) The nature of the violation had the potential or actually resulted in harm to beneficiaries.

(2) Mitigating circumstances. Mitigating circumstances include the following:

(i) All of the violations subject to the imposition of an assessment were few in number, of the same type, and occurring within a short period of time.

(ii) The violation was the result of an unintentional and unrecognized error and the qualified entity took corrective steps immediately after discovering the error.

(C) Effects of aggravating or mitigating circumstances. In determining the amount of the assessment to be imposed under paragraph (d)(5)(i)(A) of this section:

(1) If there are substantial or several mitigating circumstance, the aggregate amount of the assessment is set at an amount sufficiently below the maximum permitted by paragraph (d)(5)(i)(A) of this section to reflect the mitigating circumstances.Start Printed Page 44482

(2) If there are substantial or several aggravating circumstances, the aggregate amount of the assessment is set at an amount at or sufficiently close to the maximum permitted by paragraph (d)(5)(i)(A) of this section to reflect the aggravating circumstances.

(D) The standards set for the qualified entity in this paragraph are binding, except to the extent that—

(1) The amount imposed is not less than the approximate amount required to fully compensate the United States, or any State, for its damages and costs, tangible and intangible, including but not limited to the costs attributable to the investigation, prosecution, and administrative review of the case.

(2) Nothing in this section limits the authority of CMS to settle any issue or case as provided by part 1005 of this title or to compromise any assessment as provided by paragraph (d)(5)(ii)(E) of this section.

(ii) Notice of determination. CMS must propose an assessment in accordance with this paragraph (d)(5), by notifying the qualified entity by certified mail, return receipt requested. Such notice must include the following information:

(A) The assessment amount.

(B) The statutory and regulatory bases for the assessment.

(C) A description of the violations upon which the assessment was proposed.

(D) Any mitigating or aggravating circumstances that CMS considered when it calculated the amount of the proposed assessment.

(E) Information concerning response to the notice, including:

(1) A specific statement of the respondent's right to a hearing in accordance with procedures established at Section 1128A of the Act and implemented in 42 CFR part 1005.

(2) A statement that failure to respond within 60 days renders the proposed determination final and permits the imposition of the proposed assessment.

(3) A statement that the debt may be collected through an administrative offset.

(4) In the case of a respondent that has an agreement under section 1866 of the Act, notice that imposition of an exclusion may result in termination of the provider's agreement in accordance with section 1866(b)(2)(C) of the Act.

(F) The means by which the qualified entity may pay the amount if they do not intend to request a hearing.

(iii) Failure to request a hearing. If the qualified entity does not request a hearing within 60 days of receipt of the notice of proposed determination, any assessment becomes final and CMS may impose the proposed assessment.

(A) CMS notifies the qualified entity, by certified mail with return receipt requested, of any assessment that has been imposed and of the means by which the qualified entity may satisfy the judgment.

(B) The qualified entity has no right to appeal an assessment for which the qualified entity has not requested a hearing.

(iv) When an assessment is collectible. An assessment becomes collectible after the earliest of the following:

(A) Sixty (60) days after the qualified entity receives CMS's notice of proposed determination under paragraph (d)(5)(ii) of this section, if the qualified entity has not requested a hearing.

(B) Immediately after the qualified entity abandons or waives its appeal right at any administrative level.

(C) Thirty (30) days after the qualified entity receives the ALJ's decision imposing an assessment under § 1005.20(d) of this title, if the qualified entity has not requested a review before the DAB.

(D) Sixty (60) days after the qualified entity receives the DAB's decision imposing an assessment if the qualified entity has not requested a stay of the decision under § 1005.22(b) of this title.

(v) Collection of an assessment. Once a determination by HHS has become final, CMS is responsible for the collection of any assessment.

(A) The General Counsel may compromise an assessment imposed under this part, after consulting with CMS or OIG, and the Federal government may recover the assessment in a civil action brought in the United States district court for the district where the claim was presented or where the qualified entity resides.

(B) The United States or a state agency may deduct the amount of an assessment when finally determined, or the amount agreed upon in compromise, from any sum then or later owing the qualified entity.

(C) Matters that were raised or that could have been raised in a hearing before an ALJ or in an appeal under section 1128A(e) of the Act may not be raised as a defense in a civil action by the United States to collect an assessment.

Start Amendment Part

8. Section 401.721 is amended by adding paragraph (a)(7) to read as follows:

End Amendment Part
Terminating an agreement with a qualified entity.

(a) * * *

(7) Fails to ensure authorized users comply with their QE DUAs or analysis use agreements.

* * * * *
Start Amendment Part

9. Section 401.722 is added to read as follows:

End Amendment Part
Qualified clinical data registries.

(a) A qualified clinical data registry that agrees to meet all the requirements in this subpart, with the exception of § 401.707(d), may request access to Medicare data as a quasi qualified entity in accordance with such qualified entity program requirements.

(b) Notwithstanding § 401.703(q) (generally defining combined data), for purposes of qualified clinical data registries acting as quasi qualified entities under the qualified entity program requirements, combined data means, at a minimum, a set of CMS claims data provided under this subpart combined with clinical data or a subset of clinical data.

Start Signature

Dated: June 22, 2016.

Andrew M. Slavitt,

Acting Administrator, Centers for Medicare & Medicaid Services.

Dated: June 28, 2016.

Sylvia M. Burwell,

Secretary, Department of Health and Human Services.

End Signature End Supplemental Information

[FR Doc. 2016-15708 Filed 7-1-16; 11:15 am]

BILLING CODE 4120-01-P