AGENCY:

Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS).

ACTION:

Notice of a New System of Records.

SUMMARY:

The Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS) proposes to establish a new system of records subject to the Privacy Act, System No. 09-70-0539, titled “Quality Payment Program (QPP).” The new system of records will cover quality and performance data collected and used by CMS in determining merit-based payment adjustments for health care services provided by clinicians to Medicare beneficiaries, and in providing expert feedback to clinicians and third party data submitters for the purpose of helping clinicians provide high-value care to patients.

DATES:

In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is effective upon publication, subject to a 30-day period in which to comment on the routine uses, described below. Please submit any comments by March 16, 2018.

ADDRESSES:

Written comments should be submitted by mail or email to: CMS Privacy Act Officer, Division of Security, Privacy Policy & Governance, Information Security & Privacy Group, Office of Information Technology, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1870, Location N1-14-56, or walter.stone@cms.hhs.gov. Comments received will be available for review without redaction unless otherwise advised by the commenter at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT:

General questions about the new system of records should be submitted by mail or email to: Michelle Peterman, Health Insurance Specialist, Division of Electronic Clinician and Quality, Quality Measurement and Value-Based Incentives Group, Center for Clinical Standards and Quality, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1870, Mailstop: S3-02-01, or michelle.peterman@cms.hhs.gov.

SUPPLEMENTARY INFORMATION:

I. Background on the New Quality Payment Program Supported by the New System of Records

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) amended title XVIII of the Social Security Act (the Act) to repeal the way physicians were paid under the previous Sustainable Growth Rate (SOR) formula and replaced it with a new approach known as the Quality Payment Program. The Quality Payment Program streamlines and consolidates components of three existing incentive programs that reward high-value patient centered care: (1) Physician Quality Reporting System (PQRS) (§ 1848(k) and (m) of the Act (42 U.S.C. 1395w-4)), (2) Medicare Electronic Health Records (EHR) Incentive Program for Eligible Professionals (§ 1848(0) of the Act), and (3) Physician Value-Based Payment Modifier (VM) (§ 1848(p) of the Act). For more information, see rulemakings implementing the existing programs, at 80 Fed. Reg. 71135 (November 16, 2015) (PQRS); 80 FR 62761 (October 16, 2015) (EHR); and 80 FR 71273 (November 16, 2015) (VM).

There are two separate pathways within the Quality Payment Program, Advanced Alternative Payment Models (Advanced APM) and Merit-based Incentive Payment System (MIPS), both of which contribute toward the goal of seamless integration of the Quality Payment Program into clinical practice workflows. MIPS provides clinicians measures and activities to assist them in providing high-value, patient-centered care to Medicare patients, and to encourage and reward their use of the same. The participants generate and submit to CMS data on health care coordination. The data will be submitted to CMS by eligible clinicians and approved third party data submitters (for example, registries which collect and submit disease tracking data; health information technology (IT) vendors which submit data from clinicians' Certified Electronic Health Record Technology (CEHRT) systems). The data will include information about, and will be retrieved by personal identifiers for: (1) The clinicians, (2) any third party data submitters who are individuals (e.g., sole proprietor vendors), (3) individuals who submit data for clinicians or third party data submitters as their representatives or contact persons, and (4) Medicare beneficiaries and any non-Medicare beneficiaries receiving the health care services referenced in the Quality Payment Program data. The records are described below.

The data submission process will require that clinicians and third party submitters use their identifying and contact information, tax identification number (TIN/EIN), national provider identifier (NPI), and information about health care services provided to patients for the performance categories of the MIPS including (1) quality-including a set of evidence-based, specialty-specific standards; (2) cost of services provided; (3) improvement activities that improved or are likely to improve clinical practice or care delivery; and (4) advancing care information which focuses on the use of CEHRT to support interoperability and avoid Start Printed Page 6588redundancies. Except for specific measures or activities identified and published in the Federal Register by November 1 of each year, there are no changes in Calendar Year (CY) 2017 with respect to the collection and use of Privacy Act records associated with these activities in the QPP system of record notice (SORN) other than what is collected by the overlapping SORNs described below. There were no changes to the Call for Quality Measures process in the CY 2018 rule and so there are no changes to the use or additional collection of Privacy Act records related to the four performance categories. Payment adjustments for eligible clinicians do not begin until CY 2019 and at that time any additional Privacy Act records associated with those payment adjustments based on their performance during the applicable performance period will be described if needed in an update to this SORN. MIPS quality and performance data used in the program will be reported to CMS by eligible clinicians and approved third party data submitters of the types described in 42 CFR 414.1400. The data will pertain to health care services provided to Medicare beneficiaries, but may also include data about non-Medicare patients. As mentioned above, except for specific measures or activities identified and published in the Federal Register by November 1 of each year, there are no changes in CY 2017 with respect to the collection and use of Privacy Act records associated with these activities in the QPP SORN other than what is collected by the overlapping SORNs described below.

II. Related Systems of Records Supporting the Existing PQRS, EHR, and VM Programs

The PQRS, EHR, and VM programs each maintain records subject to the Privacy Act which are maintained in existing systems of records; these systems of records will necessarily overlap with this system of records until the existing programs fully sunset. Therefore, these SORNs cover the Quality Payment Program Privacy Act records until the QPP SORN is finalized:

1. PQRS: “Performance Measurement and Reporting System (PMRS),” System No. 09-70-0584, last published at 73 FR 80412 (December 31, 2008);

2. EHR: “Medicare and Medicaid Electronic Health Record (EHR) Incentive Program National Level Repository” System No. 09-70-0587, last published at 75 FR 73095 (November 29, 2010);

3. VM: “Medicare Multi-Carrier Claims System (MCS),” System No. 09-70-0501, last published at 71 FR 64968 (November 6, 2006); and

4. VM: “Fiscal Intermediary Shared System (FISS),” System No. 09-70-0503, last published at 71 FR 64961 (November 6, 2006).

The Performance Measurement and Reporting System (PMRS) SORN covers the Better Quality Information (BQI) to Improve Care for Medicare Beneficiaries Project, the Electronic Prescribing (E-Prescribing) Incentive Program, and the PQRS. The BQI to Improve Care for Medicare Beneficiaries Project and the E-Prescribing Incentive Program have fully sunsetted. The PQRS program's last reporting year was CY 2016. However, Privacy Act records related to the PQRS program will continue to be utilized for several additional years to assess payment adjustments in CY 2018 and data as needed. The Medicare and Medicaid Electronic Health Record (EHR) Incentive Program National Level Repository SORN covers the Medicare and Medicaid EHR Incentive Programs. The Medicare EHR Incentive program's last payment year was CY 2016. However, Privacy Act records related to the Medicare EHR Incentive program will continue to be utilized for several additional years to assess data as needed. In addition, the Medicare EHR Incentive for eligible hospitals and critical access hospitals (CAHs) and the Medicaid EHR Incentive program are active programs. Therefore, the EHR SORN will not be rescinded. The SORNs that cover the VM program will not be rescinded as they are applicable to many CMS programs.

The Quality Payment Program will continue to evolve over multiple years to accommodate payment policy implementations and take advantage of new system capabilities. This SORN will be similarly reviewed and updated to reflect significant changes, including the sunsetting of the existing programs and disposition of the records covered by the existing SORNs, when they occur.

III. Related Rulemakings and Information Collections

Requirements for submitting data about improvement activities did not exist in the legacy programs replaced by MIPS, and CMS does not have historical data which is directly relevant. However, the Privacy Act records collected through these legacy programs are the same data elements that are used for the Quality Payment Program in CY 2017 and 2018 although the specific uses for the previous programs may be more expansive. To date, participants in the Quality Payment Program have registered, have selected measures and are submitting data beginning in 2018 as individuals, as part of a group or as part of a virtual group—a scenario not provided through the legacy SORNs.

The primary purpose of the PMRS system of records, entitled “Performance Measurement and Reporting System (PMRS),” is to support the collection, maintenance, and processing of information to promote the delivery of high quality, efficient, effective, and economical health care services, and promote the quality and efficiency of services of the type for which payment may be made under title XVIII by allowing for the establishment and implementation of performance measures, the provision of feedback to physicians, and public reporting of performance information.

The primary purpose of the EHR system of records, entitled “Medicare and Medicaid Electronic Health Record (EHR) Incentive Program National Level Repository,” called the National Level Repository or NLR, is to collect, maintain, and process information that is required for the Medicare and Medicaid EHR Incentive Programs.

The primary purpose of the VM program covered by the systems of records entitled, “Medicare Multi-Carrier Claims System (MCS) and the Fiscal Intermediary Shared System (FISS),” is to identify and associate a provider (physician or individual provider) to their registration and their reports, known as the Quality and Resource Use Report (QRUR). QRUR is a report given to providers on quality of care and cost performance. In most cases, systems of records maintain Tax Identification Number (TIN) and the name of the organization. In very few cases, providers may be using their Social Security number (SSN) as Billing TIN.

As discussed above the programs covered by the PMRS SORN have sunsetted; however, the final payment year for the PQRS program is CY 2018 requiring the PMRS SORN to remain in effect until all pertinent data has been utilized. The EHR SORN and VM SORNs will not be rescinded as there are programs covered by these SORNs that are currently active and have no plans to sunset.

Once the PQRS program sunsets the records will be dispositioned entirely into the QPP system of records under NARA CMS Records Schedule: DAA-0440-2015-0009-003. The retention period for these records is 10 years.

Because the PMRS and the QPP systems of records maintain identical records for the categories of individuals covered by the respective system of records and also overlap for purposes of Start Printed Page 6589making payment based on quality measures and improvement activities (though not with the same percentages of activity weighting or payment calculation), the routine uses for disclosures of records in the system of records and uses of records in the system of records are the same. Categories of individuals covered by the system of records will expand under the QPP SORN to include all-payer data.

All of the routine uses either are necessary and proper or are compatible with the original collection purpose of encouraging and rewarding clinicians' use of measures and activities that help them provide high-value, patient-centered care to Medicare beneficiaries.

SYSTEM NAME AND NUMBER

“Quality Payment Program (QPP)”, HHS/CMS/CCSQ System No. 09-70-0539.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of the agency component responsible for the system of records is: CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850.

SYSTEM MANAGER(S):

The agency official who is responsible for the system of records is: Director, Quality Measurement and Value-based Incentives Group, CCSQ, CMS, Room C1-23-14, 7500 Security Boulevard, Baltimore, Maryland 21244-1870.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Provisions of the Social Security Act codified at 42 U.S.C. §§ 1320c-3, 13951, 1395w-4, 1395w-21, and 1395y.

PURPOSE(S) OF THE SYSTEM:

The purposes for which HHS/CMS will use the records are:

• To be utilized for program management and administration purposes;
• To determine payment adjustments for health care services provided by clinicians to Medicare beneficiaries;
• To provide expert feedback to clinicians and third party data submitters, in order to help clinicians provide high-value, patient-centered care to Medicare beneficiaries;
• To make clinician-level performance measure results available to Medicare patients and caregivers through Physician Compare, as defined via regulation, either on public profile pages or via the Downloadable Database housed on data.medicare.gov for the purpose of promoting more informed health care choices for people with Medicare; and
• To provide relevant records to other Federal and state agencies which administer federally-funded health benefit programs; Quality Improvement Networks that review claims and conduct outreach and reviews; and individuals and organizations that assist consumers, to use for program administrative purposes and in health, disease, and payment-related research, evaluation, outreach, and transparency projects.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records will be about these categories of individuals involved in the Quality Payment Program:

• Eligible clinicians (such as, physicians, physician assistants, nurse practitioners) who submit quality and performance data to CMS under the Program;
• Any third party data submitters of the types described in 42 CFR 414.1400 who are individuals (e.g., sole proprietor health IT or survey vendors) and submit data to the Program;
• Individuals who submit data for clinicians and third party data submitters (i.e., as their representatives or contact persons); and
• Medicare beneficiaries (and any non-Medicare beneficiaries) receiving the health care services referenced in the data submitted to CMS under the Program.

CATEGORIES OF RECORDS IN THE SYSTEM:

The system will include these categories of records:

• Records about clinicians. These will include identifying information and contact information (such as the clinician's name, address, phone number, email address, date of birth, business address, tax identification number (TIN/EIN), national provider identifier (NPI), Social Security number (SSN), prescriber identification number, and other assigned clinician numbers) and information about health care services the clinician provided to Medicare beneficiaries (and any non-Medicare beneficiaries) and the measures and activities the clinician used in providing the services.
• Records about any third party data submitters who are individuals (for example, sole proprietor health IT or survey vendors). These records will include the third party's name, email address, business address, and TIN/EIN.
• Records about individuals who submit data for clinicians and third party data submitters. These will include the representative's name and contact information such as address, TIN/EIN, email address, and business address.
• Records about Medicare beneficiaries (and any non-Medicare beneficiaries). These will include the beneficiary's identifying and health information, i.e. name, address, date of birth, gender, ethnicity, health care utilization and claims data, health insurance claim number (HICN), Medicare beneficiary identifier (MBI), and SSN.
• Records about other payer payment arrangements. These will include other payer payment arrangement information submitted by non-Medicare payers to determine whether a payment arrangement meets the Other Payer Advanced Alternative Payment Model (APM) criteria. These records will include payer identifying information, payment arrangement information, supporting documentation, and a certification statement.

RECORD SOURCE CATEGORIES:

The sources of the records covered by this system of records are (1) clinicians, (2) third party data submitters, and (3) individuals who submit data for clinicians or third party data submitters.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

A. These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may disclose records from the Quality Payment Program to a party outside HHS without the prior, written consent of the individual to whom such information pertains.

1. Records may be disclosed to agency contractors (including, but not limited to, Medicare Administrative Contractors (MACs), fiscal intermediaries, and carriers) that assist in the health operations of a CMS-administered health benefits program, to CMS consultants, or to a grantee of a CMS-administered grant program, who have been engaged by the agency to assist in accomplishment of a CMS function relating to the purposes for this system of records and who need to have access to the records in order to assist CMS. Such disclosures include (but are not limited to) disclosures deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, Start Printed Page 6590remedy, or otherwise combat fraud, waste, or abuse in such program.

2. Records may be disclosed to another Federal or state agency to the extent deemed necessary to: (a) Contribute to the accuracy of CMS' proper payment of Medicare benefits; (b) enable such agency to administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements health benefit programs funded in whole or in part with Federal funds; and/or (c) assist state Medicaid programs which may require Quality Payment Program information.

3. Clinician-level performance measurement results may be made available to the public, through Physician Compare, as defined via regulation, either on public profile pages or via the Downloadable Database housed on data.medicare.gov for the purpose of promoting more informed health care choices for people with Medicare.

4. Records may be disclosed to MIPS-eligible clinicians and eligible entities in order to provide them with expert feedback, and records may be disclosed to CMS authorized entities participating in health care transparency projects.

5. Records may be disclosed to organizations that assist consumers in comparing the quality and price of health care services, and/or that use such information for purposes related to prevention of disease or disability, or restoration or maintenance of health.

6. Records may be disclosed to organizations for research, evaluation, and projects involving payment issues.

7. Records may be disclosed to Beneficiary and Family Centered Care (BFCC)-QIOs, Quality Innovation Network-QIOs (QIN-QIOs), the Small, Underserved, and Rural Support (SURS) technical assistance contractors, and the Practice Transformation Networks (PTNs) under the Transforming Clinical Practice Initiative (TCPI) for purposes of: (a) Identifying clinicians who are included in the Quality Payment Program, specifically the MIPS track, based on the low-volume threshold; (b) determining the appropriate form of Technical Assistance based on practice size and clinician need; (c) providing eligibility information to clinicians interested in forming a virtual group; (d) transitioning clinician referrals from the Quality Payment Program Service Center to the appropriate Technical Assistance channel; (e) performing proactive outreach and engagement activities for the purpose of helping MIPS eligible clinicians participate in the program; (f) developing educational tools and resources; (g) monitoring annual MIPS eligible clinician performance; (h) assessing future need based on a MIPS eligible clinician's Final Score; (i) tracking non-MIPS eligible clinicians who voluntarily report measures and activities to MIPS; and (j) assisting MIPS eligible clinicians transition into an Advanced APM.

8. Records may be disclosed to the Department of Justice (DOJ), a court, or an adjudicatory body when: (a) The Agency or any component thereof, (b) any employee of the Agency in his or her official capacity, (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee, or (d) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation.

9. Records may be disclosed to another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers, or that has the authority to investigate potential fraud, waste, or abuse in, a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such programs.

10. Records may be disclosed to appropriate agencies, entities, and persons when (a) HHS suspects or has confirmed that there has been a breach of the system of records; (b) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS' efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

11. Records may be disclosed to another Federal agency or Federal entity, when HHS determines that information from this system of records is reasonably necessary to as.sist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal government, or national security, resulting from a suspected or confirmed breach.

12. Records may be disclosed to the U.S. Department of Homeland Security (OHS) if captured in an intrusion detection system used by HHS and OHS pursuant to a OHS cybersecurity program that monitors internet traffic to and from Federal government computer networks to prevent a variety of types of cybersecurity incidents.

B. Additional Circumstances Affecting Routine Use Disclosures: To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy oflndividually Identifiable Health Information” (45 CFR parts 160 and 164, Subparts A and E), disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information” (see 45 CFR 164.512(a)(l)).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

The records will be stored electronically or on magnetic media or paper.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

The data collected on clinicians will be retrieved by the clinician's name, address, NPI, TIN/EIN and other identifying provider numbers. Information about third party data submitters who are individuals will be retrieved by name, address, and TIN/EIN. Records about contact persons will be retrieved by name, email address and business address. The data collected on Medicare beneficiaries (and any non-Medicare beneficiaries) will be retrieved by the beneficiary's name, Medicare beneficiary identifier (MBI), health insurance claim number (HICN), SSN, address, and date of birth.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

A records disposition schedule for the Quality Payment Program is pending submission to and approval by the National Archives and Records Administration (NARA); until NARA approval is obtained, CMS will retain the records indefinitely. CMS is proposing a retention period of approximately 10 years for these records under the NARA CMS Records Schedule: DAA-0440-2015-0009-0003. Any claims-related records that become encompassed by a document preservation order may be retained longer (i.e., until notification is received from the Department of Justice).Start Printed Page 6591

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Safeguards will conform to the HHS Information Security and Privacy Program, http://www.hhs.gov/​ocio/​securityprivacy/​index.html. Information will be safeguarded in accordance with applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards, including, all pertinent National Institutes of Standards and Technology (NIST) publications, and 0MB Circular A-130. Records will be protected from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include protecting the facilities where records are stored or accessed with security guards, badges, and cameras; securing hard-copy records in locked file cabinets, file rooms, or offices during off-duty hours; controlling access to physical locations where records are maintained and used by means of combination locks and identification badges issued only to authorized users; limiting access to electronic databases to authorized users based on roles and two-factor authentication (user ID and password); using a secured operating system protected by encryption, firewalls, and intrusion detection systems; requiring encryption for records stored on removable media; and training personnel in Privacy Act and information security requirements. Records that are eligible for destruction will be disposed of using secure destruction methods prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:

An individual seeking access to a record about him or her in this system should write to tbe System Manager indicated above, who will require the individual's name and particulars necessary to distinguish between records on subject individuals with the same name, such as NPI or TIN. The requestor should also reasonably specify the record(s) to which access is sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:

Any subject individual may request that his record be corrected or amended if he believes that the record is not accurate, timely, complete, or relevant or necessary to accomplish a Department function. A subject individual making a request to amend or correct his record shall address his request to the responsible System Manager as stated above, in writing. The subject individual shall specify in each request: (I) The system of records from which the record is retrieved; (2) The particular record which he is seeking to correct or amend; (3) Whether he is seeking an addition to or a deletion or substitution of the record; and, (4) His reasons for requesting correction or amendment of the record. (These procedures are in accordance with Department regulation 45 CFR Sb.7).

NOTIFICATION PROCEDURES:

Individuals wishing to know if this system contains records about them should write to the System Manager indicated above and follow the same instructions under Record Access Procedures.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.