2011-14003. Medicare Program; Availability of Medicare Data for Performance Measurement  

    AGENCY:

    Centers for Medicare & Medicaid Services (CMS), HHS.

    ACTION:

    Proposed rule.

    SUMMARY:

    This rule proposes to implement new statutory requirements regarding the release and use of standardized extracts of Medicare claims data to measure the performance of providers and suppliers in ways that protect patient privacy. This rule explains how entities can become qualified by CMS to receive standardized extracts of claims data under Medicare Parts A, B, and D for the purpose of evaluation of the performance of providers of services and suppliers.

    DATES:

    To be assured consideration, comments must be received at one of the addresses provided below, no later than 5 p.m. on August 8, 2011.

    ADDRESSES:

    In commenting, please refer to file code CMS-5059-P. Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission.

    You may submit comments in one of four ways (please choose only one of the ways listed):

    1. Electronically. You may submit electronic comments on this regulation to http://www.regulations.gov. Follow the “Submit a comment” instructions.

    2. By regular mail. You may mail written comments to the following address ONLY: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-5059-P, P.O. Box 8012, Baltimore, MD 21244-1850.

    Please allow sufficient time for mailed comments to be received before the close of the comment period.

    3. By express or overnight mail. You may send written comments to the following address ONLY: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-5059-P, Mail Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.

    4. By hand or courier. Alternatively, you may deliver (by hand or courier) your written comments ONLY to the following addresses prior to the close of the comment period: a. For delivery in Washington, DC— Centers for Medicare & Medicaid Services, Department of Health and Human Services, Room 445-G, Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC 20201.

    (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without Federal Government identification, commenters are encouraged to leave their comments in the CMS drop slots located in the main lobby of the building. A stamp-in clock is available for persons wishing to retain a proof of filing by stamping in and retaining an extra copy of the comments being filed.)

    b. For delivery in Baltimore, MD—Centers for Medicare & Medicaid Services, Department of Health and Human Services, 7500 Security Boulevard, Baltimore, MD 21244-1850.

    If you intend to deliver your comments to the Baltimore address, please call telephone number (410) 786-9994 in advance to schedule your arrival with one of our staff members.

    Comments erroneously mailed to the addresses indicated as appropriate for hand or courier delivery may be delayed and received after the comment period.

    For information on viewing public comments, see the beginning of the SUPPLEMENTARY INFORMATION section.

    FOR FURTHER INFORMATION CONTACT:

    Colleen Bruce, (410) 786-5529.

    SUPPLEMENTARY INFORMATION:

    Inspection of Public Comments: All comments received before the close of the comment period are available for viewing by the public, including any personally identifiable or confidential business information that is included in a comment. We post all comments received before the close of the comment period on the following Web site as soon as possible after they have been received at: http://www.regulations.gov. Follow the search instructions on that Web site to view public comments.

    Comments received in a timely fashion would also be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, at the headquarters of the Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule an appointment to view public comments, phone 1-800-743-3951.

    I. Background

    On March 23, 2010, the Patient Protection and Affordable Care Act, (“Affordable Care Act”) Public Law 111-148, was enacted. Effective January 1, 2012, section 10332 of the Affordable Care Act would amend section 1874 of the Social Security Act (the Act) by adding a new subsection (e) requiring standardized extracts of Medicare claims data under parts A, B, and D be made available to “qualified entities” for the evaluation of the performance of providers of services and suppliers. Such a disclosure is permitted under the Privacy Rule issued under the Health Insurance Portability and Accountability Act as a disclosure “required by law.” Qualified entities may use the information obtained under section 1874(e) of the Act for the sole purpose of evaluating the performance of providers of services and suppliers, and to generate specified public reports. Qualified entities may receive data for one or more specified geographic areas and must pay a fee equal to the cost of making the data available. Congress also required that qualified entities combine claims data from sources other than Medicare with the Medicare data when evaluating the performance of providers of services and suppliers. Potential qualified entities that wish to request data under these provisions would have to submit an application to the Secretary that includes, among other things, a description of the methodologies that the applicant proposes to use to evaluate the performance of providers of services and suppliers in the geographic area(s) they select. Qualified entities would generally be required to use standard measures for evaluating the performance of providers of services and suppliers unless the Secretary, in consultation with appropriate stakeholders, determines that use of alternative measures would be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures. 
Reports generated by the qualified entities may only include information on individual providers of services and suppliers in aggregate form, that is, at the provider of services or supplier level, and may not be released to the public until the providers of services and suppliers have had an opportunity to review them and ask for corrections. Congress included a provision at section 1874(e)(3) of the Act to allow the Secretary to take such actions as may be necessary to protect the identity of individuals entitled to or enrolled in Medicare.

    We believe the sharing of Medicare data with qualified entities through this program and the resulting reports produced by qualified entities would be an important driver of improving quality and reducing costs in Medicare, as well as for the healthcare system in general. Additionally, we believe this program would increase the transparency of provider and supplier performance, while ensuring beneficiary privacy.

    II. Provisions of the Proposed Rule

    To implement the new statutory provisions of section 1874(e) of the Act, we are proposing to revise Part 401 by adding a new subpart G, “Availability of Medicare Data for Performance Measurement.” The proposals in this rule would be consistent with section 10332 of the Affordable Care Act. Throughout the preamble, we identify options and alternatives to the provisions we propose. We have attempted to take into consideration comments received during the listening session on September 20, 2010. However, we strongly encourage comments on our proposed approach and on alternatives that would help us implement the appropriate requirements and regulatory provisions under section 1874(e) of the Act.

    A. Considerations for the Definition, Eligibility Criteria, and Operating Requirements of Qualified Entities

    1. Definitions

    Section 1874(e)(1) of the Act requires the Secretary to make available to qualified entities data for the evaluation of the performance of providers of services and suppliers, as proposed at Subpart G of this proposed rule. Section 1874(e)(2) of the Act defines a qualified entity as a public or private entity that:

    • Is qualified (as determined by the Secretary) to use claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resource use; and
    • Agrees to meet the requirements described in section 1874(e)(4) of the Act and meets such other requirements as the Secretary may specify, such as ensuring security of data.

    We have proposed a definition that is consistent with these statutory provisions at 42 CFR 401.702(a). Specifically, we have defined a qualified entity as a public or private entity that: (1) is qualified, as determined by the Secretary, to use claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resource use, and (2) agrees to meet the requirements of the Act and meets stated regulatory requirements at §§ 401.703 through 401.710.

    2. Eligibility Criteria

    As amended, section 1874(e)(2)(A) of the Act provides the Secretary with discretion to establish criteria to determine whether an entity is qualified to use claims data to evaluate the performance of providers of services and suppliers. In determining the qualified entity eligibility requirements, we sought to balance the need to ensure the production of timely, high quality, usable reports on providers of services and suppliers with the need to protect the privacy and security of beneficiary identifiable data and the need to ensure providers of services and suppliers have the opportunity to review the reports, appeal, and correct errors prior to public release.

    We are proposing at § 401.703 to evaluate an organization's eligibility qualifications across three areas: organizational and governance capabilities, addition of claims data from other sources, and data privacy and security. In determining an applicant's eligibility, potential qualified entities would be evaluated individually to ensure they are prepared to meet the requirements in the statute for serving as a qualified entity. We are not planning to limit the number of qualified entities. Any entity that meets the eligibility criteria would be able to become a qualified entity.

    a. Organizational and Governance Capabilities

    Section 1874(e)(2)(A) of the Act gives the Secretary the authority to establish the criteria to determine whether an entity is qualified to fulfill the requirements of the statute. We propose to thoroughly evaluate potential qualified entities on their organizational and governance capabilities to perform all of the following tasks:

    • Accurately calculating quality, efficiency, effectiveness, and resource use measures from claims data, including:

    ○ Identifying an appropriate method to attribute a particular patient's services to specific providers of services and suppliers.

    ○ Ensuring the use of approaches to ensure statistical validity such as a minimum number of observations or minimum denominator for each measure.

    ○ Using methods for risk-adjustment to account for variation in both case-mix and severity among providers of services and suppliers.

    ○ Identifying methods for handling outliers.

    ○ Correcting measurement errors and assessing measure reliability.

    ○ Identifying appropriate peer groups of providers and suppliers for meaningful comparisons.

    • Successfully combining claims data from different payers to calculate performance reports.
    • Designing and continuously improving the format of performance reports on providers of services and suppliers.
    • Preparing an understandable description of the measures used to evaluate the performance of providers of services and suppliers so that consumers, providers of services and suppliers, health plans, researchers, and other stakeholders can assess performance reports.
    • Implementing and maintaining a process for providers of services and suppliers identified in a report to review the report prior to publication, and providing timely responses to provider of services and supplier inquiries regarding requests for data, error correction, and appeals.
    • Establishing, maintaining, and monitoring a rigorous data privacy and security program, including disclosing to CMS in its application any inappropriate disclosures of beneficiary identifiable information or HIPAA violations for the preceding 10-year period, and any corrective actions taken to address such issues.
    • Accurately preparing performance reports on providers of services and suppliers and making performance report information available to the public in aggregate form, that is, at the provider of services or supplier level.

    Applicants would generally be expected to demonstrate expertise and sustained experience on each of these criteria. Generally, an applicant would be considered to have demonstrated expertise and sustained experience on these criteria if the applicant can show that it has been handling claims data and calculating performance measures for a period of at least three years. We believe that to be a successful qualified entity, an applicant would need to have an established track record of profiling providers of services and suppliers. However, we propose to consider applicants with fewer years of experience in handling claims data and calculating performance measures, or limited experience implementing and maintaining a process for providers of services and suppliers to request error correction if the applicant has sufficient experience in the other areas described above. In all other areas, applicants must demonstrate expertise and sustained experience as stated above. We seek comment on our approach to evaluating qualified entities, and whether three years of demonstrated expertise is sufficient to ensure that only the highest quality entities are admitted to this program.

    We note that several of the tasks that are required of the qualified entities necessitate expertise and careful attention to the required processes as outlined below. Due to the importance of ensuring that the qualified entity is able to achieve the goals of the program, we wish to ensure that the qualified entities have the resources to meet their obligations to measure providers of services and suppliers and publish reports under the statute. Therefore, we propose that qualified entity applicants would also need to submit a description of the business model they plan to use for covering the costs of performing the required functions listed below, including paying the fee for the data. We solicit comment on our proposal.

    b. Addition of Claims Data From Other Sources

    Section 1874(e)(1) and Section 1874(e)(3) of the Act require the Secretary to provide standardized extracts of claims data under Medicare Parts A, B, and D for one or more specified geographic areas and time periods to qualified entities so they can use the information in concert with other claims data to evaluate the performance of providers and suppliers. As discussed in section II.B. below, the qualified entities are to evaluate the performance of providers of services and suppliers using measures that may be calculated from the claims data only. At § 401.702(d), we propose to define claims data, whether from Medicare claims or other sources, to be administrative claims data only, meaning, itemized billing statements from providers of services and suppliers that, except in the context of Part D drug event data, request reimbursement for a list of services and supplies that were provided to a Medicare beneficiary in the fee-for-service context or to a participant in another insurance or entitlement program. Claims data would need to have characteristics and variables similar to the data discussed in section II.C. below. Data from other sources, such as registry data, chart abstracted data, or data from electronic medical records would not be considered claims data.

    Section 1874(e)(4)(B)(iii) of the Act requires qualified entities to combine Medicare data made available under this section with claims data from sources other than Medicare in their performance evaluations of providers of services or suppliers. We believe that this provision was intended to make Medicare data available to those already working with other claims data in order to increase sample sizes used to calculate measures and evaluate the performance of providers of services and suppliers. This belief is based on past experiences where measurement entities have expressed an interest in obtaining Medicare data to combine with other claims data to improve the population sample upon which their performance findings are based, and to address concerns expressed by stakeholders regarding small sample sizes in performance reports generated from a single payer source. The relative size of Medicare enrollment makes it one of the largest payers in any given market.

    In addition, since Medicare serves an older population with declining health, using claims data from Medicare would provide more opportunities to assess care provided to the chronically ill and other resource-intensive populations than is found in other claims data. The goal expressed by those seeking this data in the past has been that Medicare data, when coupled with other claims data, can provide measurement initiatives with greatly increased sample sizes upon which to calculate more reliable performance results.

    The statute requires the inclusion of claims data from other sources, but it does not specify a minimum amount of such data to qualify as a qualified entity. CMS has considered how to best ensure that Medicare data is combined with a sufficient amount of other claims data to meaningfully address some of the concerns regarding sample size and reliability outlined above. We are proposing at § 401.703(a)(2) that applicants demonstrate to CMS that the claims data from other sources, which they are combining with Medicare data, addresses the concerns regarding sample size and reliability expressed by multiple stakeholders regarding the calculation of performance measures from a single payer source. In order to ensure that Medicare data is only made available to qualified entities that have additional claims data from other sources, applicants would not be approved as qualified entities unless they possess the claims data from other sources at the time of their application, and that data meets the requirements outlined above.

    We considered imposing a specific threshold amount of additional claims data, but we believe that it would be difficult to precisely establish a threshold amount of data to address concerns about small sample sizes and reliability. We are requesting comments on this policy decision, as well as suggestions for other possible options or alternatives. We are also considering a proposal to require qualified entities to have claims data from two or more other sources. For example, a qualified entity would need to have claims data from two private payers, or one private payer and Medicaid claims data, in order to be eligible to receive Medicare data. We believe that a requirement for claims data from two or more other sources may help further alleviate some of the methodological issues associated with performance measurement based on single-source data. Measurement of a provider of services or supplier based on one other source plus Medicare may still not represent enough of a provider of services' or supplier's patient population to provide meaningful data that would help improve performance. We are considering a proposal to require claims data from two or more other sources to ensure that performance reports produced by qualified entities are as fair a representation as possible of any provider of services' or suppliers' practice to encourage behavior change. We seek comments on this alternative proposal of requiring claims data from two or more other sources to be combined with Medicare claims data, and whether there are particular challenges associated with requiring claims data from multiple sources before a qualified entity can participate in this program.

    c. Data Privacy and Security

    It is of the utmost importance to CMS that beneficiary identifiable Medicare data remain private and secure. Section 1874(e)(3) of the Act requires the Secretary to take actions necessary to protect the identity of individuals entitled to or enrolled in our programs.

    In order to fulfill this obligation, we are proposing at § 401.703(a)(3) to require that applicants demonstrate that they have rigorous privacy and security practices in place to protect the data released to them and have programs in place to train staff on data privacy protections and general data security protocols. Applicants would not be eligible to serve as qualified entities unless CMS determines that they have thoroughly documented data privacy and security practices including enforcement mechanisms. The data privacy and security requirements for qualified entities are discussed in detail at Section II.D.

    3. Proposed Operating and Governance Requirements for Serving as a Qualified Entity

    CMS recognizes that applicants may not have fully developed plans for every aspect of serving as a qualified entity; however, there are key aspects that we believe are important enough to require the submission of proposed plans as a condition of being approved as a qualified entity. Specifically, we propose at § 401.704 that applicants would submit, as part of their application: (1) The measures they intend to use, including, among other things, the methods of creating and disseminating reports; (2) the report review process they would use to afford providers of services and suppliers with reports confidentially prior to public release, including addressing report recipient requests for data and for error correction; (3) a prototype for the required reports, including any narrative language, and dissemination plans for providing reports to the public. Additional information regarding the application requirements may be found in section II.G. below.

    B. Considerations for the Definition, Selection, and Use of Performance Measures by Qualified Entities

    Section 1874(e)(2)(A) of the Act requires qualified entities be qualified to use claims data to evaluate the performance of providers of services and suppliers using measures of quality, efficiency, effectiveness, and resource use. Specifically, section 1874(e)(4)(B)(ii)(I) of the Act requires qualified entities requesting standardized extracts of Medicare claims to use standard measures, if available, such as measures endorsed by the entity with a contract under section 1890(a) of the Act, and measures developed pursuant to section 931 of the Public Health Service Act. Section 1874(e)(4)(B)(ii)(II) of the Act also provides for the use of alternative measures by qualified entities if the Secretary, in consultation with appropriate stakeholders, determines that use of such alternative measures would be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by the standard measures. Qualified entities may only use standard or approved alternative measures to evaluate the performance of providers of services and suppliers using claims data from Medicare parts A, B, or D.

    1. Proposed Definition of, and Process for Identifying and Approving Standard Measures for Use by Qualified Entities

    For purposes of a qualified entity selecting and using measures to evaluate the performance of providers of services and suppliers, we propose to define at § 401.708(a) a “standard measure” to be a measure that can be calculated using only claims data and that is—(1) endorsed by the entity with a contract under section 1890(a) of the Act; (2) developed pursuant to section 931 of the Public Health Service Act; or (3) was adopted through notice and comment rulemaking and is currently being used in a CMS program that includes performance measurement, even if it is not endorsed by the entity with a contract under section 1890(a) of the Act.

    Currently, the entity with a contract under section 1890(a) of the Act is the National Quality Forum (NQF). NQF uses its formal Consensus Development Process to evaluate and endorse consensus standards, including performance measures, on an ongoing basis. It is viewed as a trusted partner in ensuring that any nationally endorsed provider of services and supplier performance measures are subject to rigorous multi-stakeholder scrutiny to ensure they are scientifically valid, address clear performance improvement needs and can be calculated in a manner that does not impose undue burden on providers and suppliers. There are currently hundreds of NQF-endorsed quality measures covering a range of clinicians, settings, and specialties, although not all of these measures can be calculated using only claims data.

    A list of currently NQF-endorsed performance measures can be obtained from the NQF Web site at http://www.qualityforum.org/Measures_List.aspx. We propose to define any measure endorsed by the entity with a contract under section 1890(a) of the Act which can be calculated from standardized extracts of Medicare parts A, B, or D claims as a standard measure. In addition to endorsed NQF measures, we propose to also define a measure which can be calculated from standardized extracts of Medicare parts A, B, or D claims data that has time-limited NQF endorsement as a standard measure. Measures that are time-limited endorsed that were not developed pursuant to section 931 of the Public Health Service Act, or that are being used by a CMS program that includes performance measurement, would only be considered standard measures until such time as the NQF determines their endorsement status. Time-limited endorsed measures that ultimately receive endorsement would remain standard measures for as long as they remain endorsed, and time-limited endorsed measures that do not ultimately receive endorsement would lose their status as standard measures unless they were developed pursuant to section 931 of the Public Health Service Act, or can be calculated from standardized extracts of Medicare parts A, B, or D claims data, were adopted through notice and comment rulemaking, and are being used in a CMS program that includes quality measurement. Time-limited measures that do not receive NQF endorsement and that were not developed pursuant to Section 931 of the Public Health Act, or are not used in a CMS program that includes performance measurement could, however, be submitted for approval as alternative measures through the alternative measure process outlined below at II.B.2.

    Section 931 of the Public Health Service Act, as added by Section 3013 of the Affordable Care Act supports the development, improvement, update, or expansion of quality measures for use in Federal health programs. To date, no measures have been developed under this provision. We propose that any measures developed or updated under this provision would also be considered standard measures regardless of their NQF endorsement status, as long as the measures can be calculated from the standardized extracts of Medicare parts A, B, and D claims data available to the qualified entity.

    We also propose to include in the definition of standard measure any measure that was adopted through notice and comment rulemaking and that is currently used in a CMS program that involves performance measurement, even if it is not NQF-endorsed or developed under section 931 of the Public Health Service Act, as long as the measure can be calculated from the standardized extracts of Medicare parts A, B, and D claims data available to the qualified entity. For example, several measures in the hospital Inpatient Quality Reporting program beginning in FY 2012 (foreign object retained after surgery, air embolism, catheter-associated urinary tract infection, blood incompatibility, pressure ulcer stages III and IV, falls and trauma, manifestations of poor glycemic control, and vascular catheter associated infection) fit these criteria.

    The notice and comment rulemaking process includes a public comment period in which stakeholders are able to express their views regarding the proposed measures. Measures implemented via the rulemaking process are not finalized until the public comment period closes, the comments are reviewed and considered, and a final rule is published. Because the notice and comment rulemaking process involves extensive opportunity for public input, we believe that measures used in CMS programs, regardless of whether they are endorsed by the NQF or developed under section 931 of the Public Health Service Act, have been subjected to sufficient scrutiny that they can be considered standard measures. We propose to make a list of measures that meet the requirements of being adopted through notice and comment rulemaking and currently being used in a CMS program that includes performance measurement, available in subregulatory guidance.

    In using any standard measure, we propose to require that the qualified entity must follow the measure specifications as written, including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources. We recognize that some measure specifications may require additional customization to implement in specific contexts, but such customization should not change the defined numerator, denominator, and exclusion criteria for the measure.

    We invite comments on the proposed definition of standard measures and the proposed requirement for qualified entities to follow the measure specifications as written.

    2. Proposed Definition of, and Process for Identifying and Approving Alternative Measures for Use by Qualified Entities

    We also recognize that a qualified entity may wish to measure performance in an area for which there are no standard measures. We note that there are several areas of performance measurement with very few available measures that meet the definition of a standard measure as proposed above. We hope to encourage innovation in the development of new claims-based measures to evaluate the performance of providers of services and suppliers through the use of alternative measures. While the statute does not require the Secretary to allow the use of alternative measures, we believe that allowing qualified entities to propose the use of alternative measures encourages the development of additional claims-based performance measures.

    For qualified entities wishing to use alternative measures, we propose to adopt an alternative measure selection process through future notice and comment rulemaking that would subject proposed alternative measures to public comment after qualified entities propose candidate alternative measures for the Secretary's consideration. At § 401.708(b)(1), we propose to define “alternative measure” as a measure that is not a standard measure, but that can be calculated using only standardized extracts of Medicare parts A, B, and D claims, and that has been found by the Secretary to be more valid, reliable, responsive to consumer preferences, cost effective, or relevant to dimensions of quality and resource use not addressed by standard measures.

    As discussed above, section 1874(e)(4)(B)(ii)(II) of the Act permits the use of alternative measures if the proposed alternative measure is more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use than existing claims-based standard measures. If there is a claims-based standard measure for the clinical area or topic(s) that the qualified entity chooses to measure, we propose that the qualified entity must use the standard measure in lieu of any alternative measures, unless the qualified entity can provide detailed scientific justification for asserting that the proposed alternative measure in that clinical area or topic is more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use than the existing claims-based standard measure, and such assertions are accepted through the notice and comment rulemaking process outlined below.

    Similarly, in the case where a standard measure was not previously available for a particular clinical area or condition, but such a measure subsequently becomes available, we propose that qualified entities must cease use of the alternative measure and switch to the standard measure within 6 months (for example, if a standard measure becomes available in February 2013, either through being endorsed by the entity with a contract under section 1890(a) of the Act, developed pursuant to section 931 of the Public Health Service Act, or adopted through notice and comment rulemaking to be used in a CMS program that includes performance measurement, qualified entities would have to begin using the standard measure instead of the alternative measure in any reports by August 2013). If the qualified entity wishes to continue to use the alternative measure, then it must provide the scientific justification outlined above to obtain approval for the use of alternative measures when a standard measure for the clinical area or condition(s) that the qualified entity chooses to measure is available.

    In order to provide us with the information necessary to determine whether an alternative measure is more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by the standard measures as required by section 1874(e)(4)(B)(ii)(II) of the Act, we propose that the qualified entity would need to submit to the Secretary the following information about a proposed alternative measure:

    • The name of the alternative measure that the qualified entity is requesting the Secretary to consider as an alternative measure.
    • The name of the alternative measure's developer or owner.
    • Detailed specifications for the alternative measure.
    • Information demonstrating how the alternative measure is more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures.

    We solicit comments on our proposals regarding alternative measures, and we welcome comments on whether any additional information regarding proposed alternative measures should be required in order to request the Secretary's consideration of a candidate alternative measure.

    Section 1874(e)(4)(B)(ii)(II) of the Act further requires the Secretary to review the candidate alternative measures in consultation with appropriate stakeholders in order to determine if an alternative measure would be more valid, reliable, responsive to consumer preferences, cost-effective or relevant to dimensions of quality and resource use not addressed by standard measures. In order to obtain consultation with appropriate stakeholders, we propose that once all qualified entities have submitted the above information regarding proposed alternative measures, we would use the notice and comment rulemaking process to obtain public comment on approving the measures as alternative measures. We solicit comment on our proposal to engage in consultation with appropriate stakeholders through notice and comment rulemaking and we also welcome comments on alternative processes to consider for meeting the stakeholder consultation requirement.

    The statute requires the Secretary to make the final determination regarding whether an alternative measure is more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures. The Secretary would consider the information received from the qualified entity and other stakeholders during the notice and comment rulemaking process in order to determine whether a proposed alternative measure meets the statutory criteria for approval as an alternative measure. Once an alternative measure has been approved by the Secretary, the alternative measure would be available for use by all qualified entities, not just the submitting entity.

    Any measure that is not approved as an alternative measure may not be used to evaluate the performance of providers of services and suppliers using data from the qualified entity program. In the event additional information is available for an alternative measure that was previously denied approval, the alternative measure may be resubmitted to the Secretary for consideration.

    Because our proposals for the approval process of alternative measures would require notice and comment rulemaking, it would be logistically challenging for alternative measures to be approved in time to enable measure calculation and reporting of alternative measures in the first year of the program. While qualified entities would be able to submit alternative measures for consideration during the first year of the program, the approval process would likely not conclude in time to use the alternative measure in the first year of the program.

    Depending on the volume and timing of alternative measure submissions, we anticipate conducting the notice and comment rulemaking process on an annual basis. We are proposing to establish an annual deadline of May 31 for the submission of proposed alternative quality measures in order to allow for the measures to go through notice and comment rulemaking prior to the start of the next calendar year. The notice and comment rulemaking period generally takes 6 months from the publication of a proposed rule to the effective date of a final rule, so the alternative measures submitted by May 31 would be ready for use in the following calendar year, i.e., a measure submitted by May 31, 2012 would be available for calendar year 2013. If no proposed alternative measures are received by the annual deadline, we would not publish a rule. Proposed alternative measures submitted after the annual deadline would be considered for rulemaking during the following calendar year.

    We believe this proposed approach is adequate because:

    • We have proposed an expansive definition of what constitutes a standard measure (including non-NQF endorsed measures which can be calculated from standardized extracts of Medicare parts A, B, and D claims if they were adopted through notice and comment rulemaking and are currently being used in CMS programs that include quality measurement), and this would greatly increase the number of standard measures available for use by qualified entities.
    • It is appropriate for qualified entities to focus on well established measures that are either NQF-endorsed or used in CMS programs in their first year of operation as qualified entities.

    We solicit comment on our proposals regarding the approval process for alternative measures.

    As with standard measures, when using an alternative measure approved by the Secretary, we propose to require that the qualified entity follow the measure specifications as written, including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources. We recognize that some measure specifications may require additional customization to implement the measure in specific contexts, but such customization should not change the defined numerator, denominator, and exclusion criteria for the measure. We invite comments on the proposed requirement for qualified entities to follow the measure specifications as written.

    3. Selection and Justification of Measures by Qualified Entities

    We propose, at § 401.704(a), to require that qualified entities provide a description of each standard or alternative measure they plan to use to calculate the performance of providers of services and suppliers as part of their application. This description should include the name of the measure, the name of the measure developer/owner, and the measure specifications including the numerator and the denominator. In addition, we propose to require an explanation of the applicant's rationale for selecting the measure, which would include a description of the relationship of any proposed measure (standard or alternative) to existing measurement efforts, and the relevancy of each proposed measure to the population(s) in the geographic area(s) the applicant is proposing to serve. The rationale would also include a specific description of the geographic area(s) the applicant intends to serve and a specific description of how each measure evaluates providers of services and suppliers on quality, efficiency, effectiveness, and/or resource use. Finally, we propose to require an applicant to provide a description of the methodologies it intends to use in creating reports with respect to attribution of beneficiaries to providers of services and suppliers, benchmarking performance data, and severity and case-mix adjustments.

    We propose at § 401.706(a)(1) to allow a qualified entity to calculate and report measures that were not included in its initial application if the qualified entity submits the information described above about the additional measure(s) to CMS no less than ninety (90) days prior to the anticipated date for the confidential distribution of reports using those measures to providers of services and suppliers. We would review this information and approve or disapprove the use of the measure. We propose barring qualified entities from using a measure that has not been approved by CMS, even if CMS' review takes longer than ninety days.

    4. Methodologies Used in Performance Reports

    Section 1874(e)(4)(B)(I) of the Act requires qualified entities to submit a description of the methodologies that they would use to evaluate the performance of providers of services and suppliers. In keeping with this requirement, we have proposed § 401.704(a)(5), which requires an applicant to submit a description of methodologies it intends to use in creating reports. We believe, however, that a review of methodologies is inadequate in the absence of a review of the abilities of the qualified entity to appropriately apply those methodologies. Therefore, we propose at § 401.703(a)(1) that in order to be eligible to serve as a qualified entity, applicants must demonstrate expertise and sustained experience in several areas necessary for performance measurement.

    5. Reports and Reporting

    Section 1874(e)(4)(C)(ii) of the Act requires qualified entities to make their draft reports available in a confidential manner to providers of services and suppliers identified in the reports before such reports are released publicly in order to offer them an opportunity to review these reports, and, if appropriate, appeal to request correction of any errors. We propose to require the qualified entities to include a plan for establishing and maintaining these appeal and correction processes in their application materials, as we have stated in proposed § 401.704(b). The plan must clearly describe how the qualified entity would make providers of services and suppliers aware of the process and establish procedures, including timeframes, for how providers of services and suppliers can request data from the qualified entity and request error corrections in the reports before the reports are made public.

    After reports have been shared confidentially with providers of services and suppliers, and any errors have been corrected, Section 1874(e)(4)(C)(iv) of the Act requires the reports to be made available to the public. As discussed further below in Section II.E., in cases where provider requests for error correction cannot be resolved prior to a date specified by the qualified entity (at least 30 business days after the report was originally shared with providers of services and suppliers), the reports would be released publicly with information that a provider of services or supplier error correction is ongoing. As stated in the statute at Section 1874(e)(4)(C)(iii) of the Act, the reports must include “an understandable description” of the measures, rationale for use, methodology (including risk-adjustment and physician attribution), data specifications and limitations, and sponsors. We interpret “an understandable description” to mean any descriptions that can be easily read and understood by a lay person. Additionally, the reports to the public may only include data on providers of services or suppliers at the provider of services or supplier level with no claim or person-level information to ensure beneficiary privacy.

    Pursuant to Section 1874(e)(4)(B)(vi) of the Act, we propose requiring qualified entities to submit prototype reports for both the reports they would send to providers of services and suppliers, and the reports they would release to the public (if they are different) in their application, including the narrative language they plan to use in the reports to describe the data and results. The prototype report should also contain an easily comprehensible description of the proposed measures, the rationale for the use of those measures, a description of the methodologies to be used, and a description of the data specifications and limitations.

    We have given extensive consideration to when in the process qualified entities should submit these prototype reports to CMS. One option would be for qualified entities to submit prototype reports with their applications to become qualified entities. As outlined above, one of the eligibility criteria for qualified entities is demonstrated expertise and experience in designing, disseminating, and continuously improving performance reports to providers of services and suppliers. Given this criterion, it seems reasonable to assume that qualified entities would be in a position to provide CMS with prototype reports at the time of their applications.

    A countervailing argument would be that qualified entities may need some time working with Medicare data and claims data from other sources before they would be in a position to identify an appropriate format for the required performance reports. This scenario would support requiring the submission of the prototype report sometime after an organization has been approved as a qualified entity, but at a time prior to the confidential release to providers of services and suppliers. Under this scenario, the qualified entity would receive Medicare data without having to demonstrate that they had considered how they could use that data to produce measure results.

    While we believe that qualified entities may identify changes that would be necessary as they work with the data, we believe that it is appropriate to expect that they have sufficiently considered these reporting obligations as they consider their desires to apply for qualified entity status, and that such considerations would include at least an initial concept of what they could provide in the reports. Therefore, despite the concern that qualified entities would need some time with the data to identify the appropriate format for reports, we believe that qualified entities should have the expertise and skills to be able to submit prototype reports at the time of their applications to become qualified entities.

    In recognition of the advances that could be made to these prototypes as the qualified entities work, we propose, at § 401.706(a)(2), providing for a process whereby they can modify the initial prototypes as long as these modifications are submitted to, and approved by, CMS. We propose requiring these submissions no less than 90 days prior to the confidential release of reports to providers of services and suppliers. We would review the modified prototype report and make a determination regarding the use of the new report. This determination would be based on the extent to which the proposed changes make the description of the measures used in the report more understandable. We propose barring qualified entities from using a report that has not been approved by CMS, even if CMS' review takes longer than 90 days.

    In addition, we propose to require the submission of plans for making the reports available to the public at the time of application. To the extent that the report formats or delivery mechanisms differ from those proposed at the time of application, we propose to also require an explanation and justification of those differences no less than 90 days prior to the release of differing report formats or delivery mechanisms.

    Finally, at § 401.705(d) we propose requiring qualified entities to produce reports on the performance of providers of services and suppliers at least once a year. If CMS provides qualified entities with yearly updates to the data, as discussed below, we believe qualified entities should be expected to use the updates to produce performance reports. We seek comments on these proposals.

    C. Data Extraction and Dissemination

    Section 1874(e)(3) of the Act requires the Secretary to provide qualified entities with standardized extracts of claims data from Medicare parts A, B, and D for one or more specified geographic areas and time periods. These data extracts would include information from all seven claim types that are submitted for payment in the Medicare Fee-For-Service Program. Information extracted from institutional claims includes inpatient hospital, outpatient hospital, skilled nursing facility, home health, and hospice services. Information extracted from non-institutional claims includes physician/supplier and durable medical equipment claims. These files contain only final action claims, meaning non-rejected claims for which a payment has been made. All disputes and adjustments have been resolved and details clarified.

    Medicare institutional and non-institutional claims include, but are not limited to, the following data elements: beneficiary ID, claim ID, the start and end dates of service, the provider or supplier ID, the principal procedure and diagnosis codes, the attending physician, other physicians, and the claim payment type.

    Qualified entities would also be eligible to receive certain Part D claims information for beneficiaries enrolled in the Medicare Fee-For-Service Program. This type of information is known as “drug event” information, as opposed to “claims” information, because prescription drug coverage under Part D is provided by private insurance plans. These plans have varied pricing methods, and often pay capitated rates. We note that the use of the term “drug event” does not mean this database includes information about adverse reactions to drugs. The key data elements for this database include: beneficiary ID, prescriber ID, drug service date, drug product service ID, quantity dispensed, days' supply, gross drug cost, brand name, generic name, drug strength, and indication if the drug is on the formulary of the Part D plan.

    All claims files would contain a unique encrypted beneficiary identification number that would allow a qualified entity to link claims for an individual beneficiary. These files would not contain the actual beneficiary Medicare Health Insurance Claim Number.

    A comprehensive record layout for all three of these databases is offered at http://www.ccwdata.org/variables/var_claim_files.php for institutional claims, http://www.ccwdata.org/variables/var_claim_files2.php for non-institutional claims, and http://www.ccwdata.org/variables/var_ptd_event.php for Part D drug events.

    The institutional claims database includes the following files:

    Inpatient claim file: The Inpatient claim file contains final action claims data submitted by inpatient hospital providers for reimbursement of facility costs. Some of the information contained in this file includes diagnosis (ICD-9 diagnosis), procedure (ICD-9 procedure code), Medicare Severity—Diagnosis Related Group (MS-DRG), dates of service, reimbursement amount, and hospital provider information. Each observation in this file is at the claim level.

    Skilled Nursing Facility claim file: The Skilled Nursing Facility (SNF) claim file contains final action claims data submitted by SNF providers. Some of the information contained in this file includes diagnosis and procedure (ICD-9 diagnosis and ICD-9 procedure code), dates of service, reimbursement amount, and SNF provider number. Each observation in this file is at the claim level.

    Outpatient claim file: The Outpatient claim file contains final action claims data submitted by institutional outpatient providers. Examples of institutional outpatient providers include hospital outpatient departments, rural health clinics, renal dialysis facilities, outpatient rehabilitation facilities, comprehensive outpatient rehabilitation facilities, and community mental health centers. Some of the information contained in this file includes diagnosis and procedure (ICD-9 diagnosis, Healthcare Common Procedure Coding System (HCPCS) codes), dates of service, reimbursement amount, outpatient provider number, and revenue center codes. Each observation in this file is at the claim level.

    Home Health Agency claim file: The Home Health Agency (HHA) claim file contains final action claims data submitted by HHA providers. Some of the information contained in this file includes the number of visits, type of visit (skilled-nursing care, home health aides, physical therapy, speech therapy, occupational therapy, and medical social services), diagnosis (ICD-9 diagnosis), dates of visits, reimbursement amount, and HHA provider number. Each observation in this file is at the claim level.

    Hospice claim file: The Hospice claim file contains final action claims data submitted by Hospice providers. Some of the information contained in this file includes the level of hospice care received (for example, routine home care, inpatient respite care), terminal diagnosis (ICD-9 diagnosis), dates of service, reimbursement amount, and Hospice provider number. Each observation in this file is at the claim level.

    The non-institutional claims database includes the following files:

    Carrier claim file: The Carrier claim file contains final action claims data submitted by non-institutional providers. Examples of non-institutional providers include physicians, physician assistants, clinical social workers, nurse practitioners, independent clinical laboratories, ambulance providers, and free-standing ambulatory surgical centers. Some of the information contained in this file includes diagnosis and procedure (ICD-9 diagnosis, Healthcare Common Procedure Coding System (HCPCS) codes), dates of service, reimbursement amount, and non-institutional provider numbers (for example, UPIN, PIN, NPI). Each observation in this file is at the claim level.

    Durable Medical Equipment claim file: The Durable Medical Equipment (DME) claim file contains final action claims data submitted by Durable Medical Equipment suppliers. Some of the information contained in this file includes diagnosis (ICD-9 diagnosis), services provided (Healthcare Common Procedure Coding System (HCPCS) codes), dates of service, reimbursement amount, and DME provider number. Each observation in this file is at the claim level.

    The Part D database includes the following file:

    Drug Event Database: The drug event database includes the following: encrypted beneficiary identifier, date of service, drug product dispensed, drug quantity, number of days supply of product, drug costs, beneficiary and other payer cost-sharing, formulary tier and utilization management, Part D benefit phase, encrypted pharmacy identifier, encrypted prescriber identifier, and encrypted plan identifier.

    We plan to provide identical standard data extracts to all qualified entities, that is, all extracts would include the same data elements and the same record layout. CMS does not plan to provide any customized data files to qualified entities under section 1874(e) of the Act. It would be the responsibility of the qualified entities to create customized analytical files and databases to support their calculation of performance measures for providers of services and suppliers.

    We seek comment on whether qualified entities would require any technical assistance to aid in understanding and working with Medicare data, what type of technical assistance would be beneficial, and whether we should include technical assistance in the fee charged for the data (see Section II.C.3. below). We plan to encourage the development of a voluntary knowledge sharing mechanism for qualified entities to communicate with each other regarding best practices for calculating measures, designing reports, and other important elements of this program. We seek comments on whether technical assistance is needed and how such a voluntary knowledge sharing mechanism would best be designed and operated.

    1. Number of Years of Data

    Section 1874(e)(3) of the Act requires the Secretary to provide standardized extracts to qualified entities containing data from specific time periods. CMS is proposing to provide qualified entities with the most recent three years of Medicare data available at the time the qualified entity is approved for participation in the program. For example, if a qualified entity applies and is approved for participation in 2012, data for calendar years 2008, 2009, and 2010 would be provided since they would be the most recent final action claims data available. Thereafter, CMS proposes to provide qualified entities with the most recent additional year of data on a yearly basis.

    2. Geographic Areas

    Section 1874(e)(3) of the Act requires the Secretary to provide standardized extracts to qualified entities containing data for specific geographic areas. CMS is proposing that qualified entities receive standardized data extracts for a single geographic area or multiple regions. We propose to limit the provision of Medicare data to the geographic spread of the qualified entity's other claims data. For example, if a qualified entity has a sufficient amount of claims data from other sources (as determined by CMS during the application process) for people in Maryland, CMS would provide Medicare data for the state of Maryland.

    During the September 20, 2010 public listening session for section 10332 of the Affordable Care Act, CMS received suggestions to release nationwide Medicare claims if the data are necessary for qualified entities to evaluate the performance of the providers of services and suppliers at a national level. In this proposed rule, we are requesting comments as to whether CMS should provide an option for the release of nationwide Medicare data. We specifically welcome comments regarding how the qualified entities would obtain a sufficient amount of non-Medicare nationwide claims data to include in the evaluation of providers of services and suppliers and how the qualified entities would implement and manage a nationwide provider of services and suppliers confidential review and appeal process.

    3. Cost To Obtain the Data

    Section 1874(e)(4)(A) of the Act requires qualified entities to pay a fee for obtaining the data that is equal to the cost of making such data available. We interpret the cost of making the data available broadly, to include the cost of providing the technical assistance (described above), the cost of processing qualified entities' applications, and the costs of monitoring qualified entities to ensure appropriate use of the data and appropriate adherence to data privacy and security standards. This monitoring may include, but is not limited to, periodic requests for documentation relating to privacy and security policies and procedures. The data fees would vary in accordance with the amount of data requested by the qualified entities. CMS would provide each prospective qualified entity with the actual cost of obtaining the data they request, and post on the CMS Web site examples of data requests and what each costs. However, based on our past experience providing Medicare data to research entities, we estimate that the approximate costs to provide three years of data for 2.5 million beneficiaries to a qualified entity would be $200,000. Approximately $75,000 of the $200,000 is the cost of the claims data, while $125,000 is the cost of making the data available including the cost of processing applications and data requests, providing technical assistance, and monitoring. Therefore, to provide a qualified entity with three years of data for 5.0 million beneficiaries, the approximate costs would be $275,000 ($150,000 for the data and $125,000 for the program costs).

    Qualified entities would be expected to pay the fee annually. However, after the first year, costs would be lower since qualified entities would only be receiving one year of Medicare claims data. We solicit comment on the prospective fee amount and the ability of prospective applicants to pay it.

    We note that the creation and dissemination of nationwide extracts of Medicare data (mentioned above) would significantly increase the cost to any qualified entity seeking such nationwide data of obtaining and processing Medicare data. As stated above, we seek comment on the likelihood of a qualified entity having sufficient other claims data to meet the requirements to receive a nationwide extract of Medicare data.

    D. Data Security and Privacy

    This provision creates a new program that provides for the release of Medicare beneficiary level data to private entities that are not enrolled in Medicare. We recognize that many approved qualified entities would be organizations with many years of experience in using claims data to produce performance reports on providers of services and suppliers, and, as such, may have existing agreements with private health plans who provide them data regarding the data security and privacy standards they must observe. While CMS is committed to ensuring the success of qualified entities in combining Medicare data with claims data from other sources to create comprehensive performance reports for providers of services and suppliers, CMS is also committed to ensuring that the beneficiary level data provided to qualified entities is subject to stringent security and privacy standards throughout all phases of the performance measure calculation, confidential reporting, appeal, and public reporting processes.

    In addition to the statutory requirements contained in section 1874(e)(4) of the Act, qualified entities must meet any requirements that are adopted by the Secretary under section 1874(e)(2)(B) of the Act, which provides for the adoption of “such other requirements as the Secretary may specify.” In accordance with the explicit language of the statute, such “other requirements” may include security requirements for the data. Furthermore, section 1874(e)(3) of the Act requires the Secretary to take such actions as deemed necessary to protect the identity of individuals entitled to or enrolled in Medicare Parts A, B or D. As such, the Secretary is authorized to impose privacy and security requirements on qualified entities as a condition of participating in this program.

    We have considered whether qualified entities would require beneficiary identifiable data to calculate measures. As defined at § 401.702(f) we interpret beneficiary identifiable data to mean data that permits a qualified entity to determine the name, or name and other direct identifying factors (for example, race, sex, age, address) of an individual beneficiary. If one approaches this issue purely from the point of view of the ability of qualified entities to engage in measure calculation and reporting, beneficiary identifiable data is not required. Qualified entities would be able to engage in measure calculation and reporting with files containing an encrypted beneficiary identifier. For this reason, we propose to include in any data files provided to qualified entities an encrypted beneficiary identifier that would permit linking of claims for the same beneficiary across multiple files and multiple years without identifying individual beneficiaries.

    While we realize that the statute permits providers of services and suppliers to request of qualified entities the Medicare claims data underlying their measure results, we anticipate that it would be difficult for providers of services and suppliers to identify errors in measurement in the absence of patient names. For example, a report from a qualified entity might indicate to a provider that only 50 percent of their assigned diabetic patients received recommended HbA1c tests in a given year. In the absence of patient names, we believe that it would be difficult for the provider to tell whether there were errors in how the measure result was calculated. Specifically, a provider may feel that there is an error in the underlying claims data that has inappropriately lowered their measure result. This could happen for a number of reasons. The provider may have conducted an HbA1c test but for some reason may not have submitted that claim for payment, or may have submitted the claim for payment and it does not appear in the claims data provided to qualified entities due to an error. Additionally, a claims-based quality measure may not have fully captured the exclusion criteria that apply to many quality measures. For example, a qualified entity may, using available claims data, conclude that a provider has not provided a mammogram to an eligible patient. However, the patient may have undergone mastectomy surgery in previous years and therefore no longer be eligible for inclusion in the denominator for the breast cancer screening measure.

    For these reasons we believe that if a provider has a list of patient names associated with a measure result, it gives them the ability to cross reference the patient name against medical records in an effort to assess if there is missing clinical information that could be shared with the qualified entity in order to improve the accuracy of their results.

    As a result, we believe that on balance, it may be appropriate to provide qualified entities with the beneficiary names if it is requested as described below, in order to enable adequate review opportunities for providers of services and suppliers and to promote increased provider acceptance of, and trust in claims-based quality measures.

    While we believe that these contemplated disclosures are important to the success of the program, we also recognize the importance of protecting beneficiary data. In 2008, we published a regulation to permit Part D drug event data to be used for program monitoring, research, public health, care coordination, quality improvement, population of personal health records, and other purposes. See 73 FR 30664. As discussed in the regulation, we sought to balance access to the data with protections for beneficiary privacy and commercially-sensitive plan data to safeguard public health and permit broader public knowledge about the operations of the Part D program. Under the qualified entity program, release of Part D data is needed for provider performance evaluation, and provider performance evaluation is necessary for care coordination and quality improvement. We intend to ensure that Part D data released by CMS under this program complies with the requirements in the Part D data regulation, and that qualified entities take the necessary steps to ensure that any prescription drug data released to providers of services and suppliers as part of the review, appeal, and error corrections process is also safeguarded to ensure privacy and security of beneficiary information.

    Additionally, as discussed further in II.D.2. below, we believe that the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules would also provide a degree of protection for this information, especially when it is in the hands of providers of services and suppliers. CMS is committed to protecting the privacy and security of beneficiary identifiable data provided to qualified entities whether they are subject to HIPAA or not. Such data are carefully protected by a number of laws and policies, including HIPAA, when it is in the hands of CMS or one of its contractors. While qualified entities would not legally be a contractor of CMS and therefore would not be subject to these laws and policies, we believe that these protections should not cease merely because CMS is making these data available to another entity for other purposes that are perceived to have a public benefit.

    As described below, we propose to require qualified entities to apply privacy and security protections similar to those we require when we make beneficiary claims data available to external organizations for research purposes. To ensure that qualified entities apply appropriate privacy and security protections, we are proposing that approved qualified entities be required to execute a Data Use Agreement (DUA), described below, before receipt of any CMS data (the DUA is available at http://www.cms.gov/cmsforms/downloads/cms-r-0235.pdf). We note that this DUA contains significant penalties for inappropriate disclosures of the data, including both civil monetary penalties and criminal penalties. We seek comment on our proposal to apply privacy and security protections to qualified entities that are similar to those we require when we make beneficiary claims data available to external organizations for research purposes.

    As described above, we do not propose to send the data in a fully identifiable format when we send it to the qualified entity. All of the Medicare claims data provided to qualified entities would be furnished in a data set that contains a unique encrypted beneficiary identification number which would enable the qualified entities to link all claims for an individual beneficiary without knowing the identity (that is, name and other identifying characteristics) of the beneficiary.

    We are considering three potential options for sharing beneficiary names with qualified entities, and by extension, providers of services and suppliers. Under the first option, qualified entities would be provided with a crosswalk file linking all encrypted beneficiary identifiers to the patients' names for their Medicare data. We realize that this makes a large amount of data identifiable by the qualified entity. However, qualified entities would be permitted to give to a provider of services or supplier only the names of those beneficiaries included in that requester's performance report. Further, the qualified entity would only be permitted to provide the claims relevant to the particular measure or measure result that the provider of services or supplier is appealing, as is discussed in more detail below at section II.D.2.

    Under the second option, CMS would only provide beneficiary names to qualified entities on a transactional basis for the purposes of responding to specific requests for data by providers of services and suppliers. Each request for beneficiary names would be addressed on a case-by-case basis through the forwarding of each data request by the qualified entity to CMS. The qualified entity would receive beneficiary names only for those claims that were included in the requester's report and would be expected to destroy the identifiable data after responding to the providers' request for this data. We believe that this approach better safeguards any potential threats to beneficiary privacy.

    Under the third option, a provider of services or supplier who wishes to receive beneficiary names would request the encrypted claims data from the qualified entity as permitted under the statute. The provider of services or supplier would then submit a request to CMS for the beneficiary names for those specific claims.

    We believe that all three approaches have pros and cons. The first option is the least resource intensive from the perspective of both CMS and qualified entities. However, this option creates legitimate privacy concerns because it results in more data becoming identifiable to the qualified entity than is necessary to respond to requests for beneficiary names from specific providers of services or suppliers. The second option would be potentially more resource intensive for both CMS and qualified entities, but we believe it addresses many of the concerns posed by the first option because it would result in beneficiary names being made available only on an as-needed basis. The third option would also be potentially more resource intensive for CMS and more resource intensive for providers of services and suppliers because providers of services and suppliers would have to engage in a two-step process involving both a qualified entity and CMS to obtain the requested data. We believe this may disrupt the relationship between the qualified entity and the provider of services or supplier, which is important for error correction and confidence in measure results.

    Having considered these things, we propose the second option because we believe it represents the best compromise between adequately safeguarding beneficiary privacy and fostering strong and productive relationships between qualified entities and providers of services and suppliers. If a qualified entity receives a request for data from a provider of services or supplier, we propose that the qualified entity would be required to submit a request to CMS in writing with a signed provider of services or supplier request appended as an attachment. However, we seek comment on all three options, as well as suggestions for other approaches not proposed here.

    1. Privacy and Security Requirements for Qualified Entities

    We are proposing to require that qualified entities have in place security protections for all data released by CMS, and any derivative files, including any Medicare claims data and any beneficiary identifiable data. As part of their applications, qualified entities would have to explain how they would ensure that only the minimum necessary beneficiary identifiable data would be disclosed to the provider of services or supplier in the event of a request by a provider of services or supplier, and how data would be securely transmitted to the provider.

    In fulfilling these requirements, we are proposing at § 401.703(a)(1)(viii), that in order to be eligible to apply to receive Medicare data as a qualified entity, the applicant must demonstrate its capabilities to establish, maintain, and monitor a rigorous data privacy and security program, including ensuring compliance with plans related to the privacy and security of data. Additionally, § 401.703(a)(3) requires the applicant to submit to CMS a description of its rigorous data privacy and security policies including enforcement mechanisms.

    As noted above, we intend to provide a DUA to potential qualified entities at the time of their application. This DUA would be CMS' current standard data use agreement for research disclosures (available at http://www.cms.gov/cmsforms/downloads/cms-r-0235.pdf), but would be customized for the purposes of the qualified entity program through addenda to paragraph 12, which allows CMS to add attachments to the DUA to address the specific needs of the data recipient. We seek comment on the current DUA and any modifications that might be necessary for the purposes of providing data to qualified entities.

    Specifically, the current DUA requires a level and scope of security that is not less than the level and scope of security requirements established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III—Security of Federal Automated Information Systems (http://www.whitehouse.gov/omb/circulars/a130/a130.html) as well as Federal Information Processing Standard 200 entitled “Minimum Security Requirements for Federal Information Systems” (http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf); and Special Publication 800-53 “Recommended Security Controls for Federal Information Systems” (http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf).

    We propose prohibiting the use of unsecured telecommunications to transmit beneficiary identifiable data or deducible information derived from any CMS data file(s).

    Further, we propose to require qualified entities to disclose as part of their data privacy and security policies the circumstances under which data provided by CMS would be stored and/or transmitted.

    We propose to require compliance with the listed OMB and NIST requirements in all of the qualified entities' activities with CMS data received through the qualified entity program, including but not limited to the receipt, storage, and possession of these data for purposes of calculating and reporting performance measures, beginning with the qualified entities' receipt of encrypted file(s) from CMS.

    We propose to require qualified entities to ensure that they bind any contractors or subcontractors that are working on behalf of the qualified entities to these same limitations and requirements. We propose that, if approved, qualified entities would have to attest that they have extended and applied CMS' security requirements to their contractors before receiving CMS data. We solicit comments on our proposals.

    In order to meet the requirements in § 401.707 to establish, maintain, and monitor a security and privacy program, and to assure data are kept private and secure, we propose to require qualified entities to maintain their privacy and security programs throughout the duration of their participation as qualified entities, and through their winding down of business as a qualified entity, including the return or destruction of CMS data and any and all derivative files. Failure to comply with these requirements would result in a qualified entity being disqualified from further participation in the program. We propose to require the return or destruction of all CMS data files and derivative files in the possession of the qualified entity or its contractors and subcontractors within 30 days of any disqualification from the program or voluntary withdrawal from the program.

    Finally, we are seeking public comment on the appropriateness of accepting some form of independent accreditation or certification of compliance with data privacy and security requirements from qualified entities, and what that accreditation or certification might entail. The accreditation or certification would need to be at a level and scope of security that is not less than the level and scope of security requirements described above.

    2. Privacy and Security of Data Released to Providers of Services and Suppliers

    We have also considered how to ensure the security and privacy of the beneficiary identifiable data after it has been placed in the hands of a provider of services or supplier during the report review and error correction process. We believe that the HIPAA Privacy and Security rules would apply to a majority of providers of services and suppliers who would receive beneficiary identifiable data from qualified entities. We base this belief on CMS' claims processing experience. Due to the statutory requirement that Medicare claims be filed electronically, the electronic claim filing rates are very high. However, there are exceptions to electronic filing. For example, certain small providers are exempt. For institutional claim billers (for example, hospitals, SNFs, HHAs) the rate of providers filing electronically is approximately 99.9 percent, and for non-institutional claims (for example, physicians, other practitioners, labs, ambulance) the rate is 98.2 percent.

    By law, providers that transmit any beneficiary identifiable health information in the context of an electronic transaction for which there is a HIPAA standard transaction are HIPAA covered entities that are subject to the HIPAA Security and Privacy rules. Providers of services and suppliers that are already subject to the HIPAA Privacy and Security rules are required to have policies and procedures in place to protect the privacy and security of beneficiary identifiable data. We believe that the HIPAA Privacy and Security rules provide an appropriate level of protection of beneficiary identifiable data received by a provider of services or supplier from a qualified entity as the result of an appeal process or error correction request.

    However, qualified entities may generate performance reports for providers of services and suppliers not subject to HIPAA. For those few providers that are not subject to HIPAA because they do not transmit beneficiary identifiable health information in the context of an electronic transaction for which there is a HIPAA standard transaction, we propose to require that qualified entities include a plan in their application materials for assuring protection of the data that is released as a part of the measure report review process, such as requiring a signed privacy and security agreement between the qualified entity and the provider of services or supplier that includes the same privacy and security protections as the qualified entity is subject to under the DUA it enters into with CMS. We believe that the few providers this affects would be willing to enter into such agreements, and that this would ensure that beneficiary level data that is given to a provider of services or supplier through an appeals process would remain secure and protected, and only used for purposes related to the appeal. We seek comments on these proposals.

    Section 1874(e)(4)(B)(v) of the Act requires qualified entities to make the Medicare claims data they receive available to providers of services and suppliers. We believe that for many providers of services and suppliers, the beneficiary name may be of more practical use in determining the accuracy of the measures results than the underlying claims used to calculate the measures. However, the statute does explicitly acknowledge that upon request qualified entities would need to share with providers of services or suppliers “data made available under this subsection.” We would like to make it clear that we do not interpret this provision to mean that providers could receive all Medicare claims data for a given patient or patients. Rather, we interpret this to mean that in certain circumstances, qualified entities may have to provide all the claims relevant to the particular measure or measure results the provider of services or supplier is appealing. Therefore, a provider requesting claims data in relation to a diabetes quality measure would only receive the claims related to the calculation of that quality measure. We realize this may result in providers of services or suppliers receiving claims submitted by another provider. For example, the provider that performs a test on a patient may not be the provider who is ultimately determined by the qualified entity to be responsible for the care of that patient. Therefore, if the responsible provider requests access to the underlying claims data informing their measure results, some of that claims data may be from other providers. We solicit comment on any privacy or security issues related to this situation.

    We also believe that the intent of this program is not just for qualified entities to engage in measure calculation and reporting to providers, but for the reports generated by qualified entities to result in meaningful quality improvement activities by providers. As a result, we believe that it is appropriate for providers of services and suppliers to use the claims data and beneficiary name received as part of an appeal to engage in quality improvement activities as long as the quality improvement work is in accordance with the HIPAA limitations discussed herein.

    3. Beneficiary Privacy and Security Concerns

    Following provision of the performance reports on a confidential basis to providers of services or suppliers, qualified entities are required to make performance information public. We note that the publication is only of aggregated, non-beneficiary identifiable data that would not be able to be reidentified (for example, a provider conducted an annual HbA1c test for 70 percent of their diabetic patients). We propose to require that qualified entities ensure that all publicly available reports do not contain beneficiary identifiable information. Additionally, we propose to prohibit qualified entities from disclosing information in their publicly available reports that there is a reasonable basis to believe can be used in combination with other publicly available information to re-identify individual patients. We expect that this reporting of aggregate non-identifiable data should not compromise beneficiary privacy.

    We also propose requiring qualified entities to have in place a process to respond to beneficiary queries or complaints regarding the privacy and security of their data. In addition, we propose to require qualified entities to inform beneficiaries of a breach pursuant to the requirements in paragraph 13 of the DUA. Finally, we propose below at section F of the preamble that qualified entities submit information on privacy or security breaches to CMS, to allow CMS to monitor qualified entity actions in this area. We seek comments on these proposals.

    E. Confidential Opportunities to Review, Appeal, and Correct Reports

    The statute describes two requirements to ensure that providers of services and suppliers are afforded an opportunity to provide input on the reporting of their performance metrics. Section 1874(e)(4)(C)(ii) of the Act requires qualified entities to make their reports available confidentially to providers of services and suppliers identified in the reports prior to the public release of such reports, and to offer them the opportunity to appeal and correct errors. Additionally, section 1874(e)(4)(B)(v) of the Act requires qualified entities to release relevant Medicare claims data that was made available to them under section 1874 of the Act to providers of services and suppliers who request it. We interpret this section of the Act to indicate that qualified entities must provide relevant data made available to them under this subsection to any provider of services or supplier identified in the qualified entity's report who requests such data. By relevant data, we mean the underlying claims data used to calculate the results for any measure that a provider wishes to appeal. We assume that the reason providers of services and suppliers would make requests for data is so they can appeal and request the correction of errors in their reports.

    To ensure that qualified entities have a method to address these two requirements, we propose, at § 401.704(b), to require that applicants include a plan for their process for confidential report review, appeals, and error correction processes in their application materials.

    We are proposing that these plans would contain several elements. First, a qualified entity would need to provide for a means of informing providers of services and suppliers of the specific steps that were taken in order to generate their performance reports in order for providers of services and suppliers to be able to understand their performance reports. We propose requiring that this plan include an explanation of the measurement methodology, estimates of statistical reliability, and information on how to interpret the results to help providers of services and suppliers understand their performance relative to others. To the greatest extent possible, these explanations and information should be written using language and formats that are as easily understood as possible. As discussed below, the qualified entity would also be required to have a plan for informing providers of services or suppliers about their rights to request data, appeal the reports, and request error correction.

    Second, the qualified entity would be required to describe the means by which providers of services and suppliers may request the Medicare data that was used to calculate the performance measures they wish to appeal and, if necessary, correct. The qualified entities would be required to describe how they would ensure that the information that is shared would be limited to those beneficiaries included in the requestor's performance report and only contains those claims relevant to the particular measure(s) being appealed.

    Third, as discussed above in this section, we are proposing to require that qualified entities describe their means of confidentially sharing results with providers of services and suppliers (for example secure Web site or e-mail) in their application. Qualified entities would be required to use secure methods suitable for transmitting or otherwise providing secure access to identifiable health information to providers of services or suppliers. We seek comment on the appropriate secure methods that should be required for sharing the information with providers of services or suppliers, such as two factor authentication.

    Fourth, we propose to require a description of the means by which providers of services and suppliers can submit appeals for error correction. This process must describe the timeframes for providers of services or suppliers to submit requests for data and requests for error correction. The timeframes must meet several parameters. We believe these timeframes are reasonable because they balance the need for careful review by providers of services and suppliers with one of the main intents of the program, which is to make performance information available to the public. Qualified entities must share measures, measurement methodology, and measure results with providers of services and suppliers at least 30 business days prior to making measure results public. Additionally, qualified entities must allow providers of services and suppliers at least 10 business days to make a request for data, and an additional 10 business days for a provider to request an error correction. Per the qualified entity's request, the provider of services or supplier may be required to provide comments, additional data, or documentation for consideration.

    Fifth, the qualified entity must make clear to providers of services and suppliers that reports would be made public after a specified date (at a minimum 30 business days after sharing measure results with providers of services and suppliers), regardless of the status of any providers of services or suppliers' requests for error correction. We propose to encourage qualified entities to dedicate appropriate resources, including qualified staff, to resolving good faith questions regarding performance results to both parties' satisfaction whenever possible. If the request for data or error correction is still outstanding at the time of making the reports public, we propose the qualified entity must, if feasible, post publicly the name of the appealing provider and a description of the appeal request. While we understand that this proposal means that some provider of services and supplier requests for error correction might not be resolved prior to publication of the results, we have included this requirement to ensure that providers do not make spurious requests for error correction to prevent the publication of measure results. We want to ensure that providers of services and suppliers have the opportunity to correct their results in situations where there are errors, but also ensure that performance results are released in a timely manner.

    CMS proposes to monitor the number of provider appeals for each qualified entity, both as a mechanism for ensuring the overall quality of individual qualified entity reporting mechanisms and to identify any situations where providers of services or suppliers might be appealing on spurious grounds so that CMS can determine whether to further investigate any such situations.

    Finally, qualified entities must describe the means by which they would notify the provider of services or supplier of the outcome of the request for error correction and basis for the decision.

    We request comments on our proposed approach to requiring potential qualified entities to describe their processes for providers of services and suppliers to review reports confidentially, request data, and appeal to the qualified entity for error correction in their applications.

    Additionally, although we do not have the statutory authority to require it, we strongly encourage qualified entities to share not only Medicare data but also their claims data from other sources with providers of services and suppliers, if they ask to correct an error or appeal their results on specific measures.

    F. Monitoring, Oversight, Sanctioning, and Termination

    CMS is committed to ensuring the successful implementation of this program, maximizing the appropriate use of Medicare data for the production of performance reports, while minimizing the risk of inappropriate disclosure of beneficiary information. Section 1874(e)(2)(B) of the Act authorizes CMS to require qualified entities to meet any other requirements we specify, “such as ensuring the security of data.” We have outlined a range of requirements in this rule that qualified entities would be expected to meet and maintain on an ongoing basis. In order to ensure that the highest standards are adhered to by all qualified entities, we are proposing a monitoring program which would assess qualified entities' compliance with the requirements laid out in this rule and assess sanctions or termination as deemed appropriate by CMS. We are proposing at § 401.710(a)(1) that CMS, or one of its designated contractors, would periodically audit qualified entities' use of Medicare data for the production of performance reports on providers of services or suppliers to ensure that the Medicare data is being used only for its intended purpose, that is, in combination with claims data from other sources to calculate and report either standard or alternative claims-based measures to providers of services and suppliers. We propose that these audits be done at the discretion of CMS.

    We also propose that CMS would monitor the amount of claims data from other sources being used in the production of performance reports to ensure that it is equal to or greater than the amount promised by the qualified entity in its application. This would require production of documentation on data sources and quantities of data, and may necessitate a site visit to the qualified entity by data experts. Again, if CMS finds that a qualified entity is not, in fact, calculating performance reports using the amount and type of data specified in its initial application, that would also be grounds for sanction or termination.

    We recognize that in certain circumstances the amount of claims data from other sources a qualified entity has access to may decrease. For example, a qualified entity may lose access to a data set in the second year of their participation in the program or may discover that some of the other claims data they possess is inaccurate and therefore unusable. In these cases, we propose that the qualified entity must immediately inform CMS of the reduction in the amount of other claims data it possesses and provide documentation that the remaining other claims data is still sufficient to address the concerns regarding sample size and reliability expressed by stakeholders regarding the calculation of performance measures from a single payer source. We would review this information and determine whether the qualified entity may continue to participate in the program. If CMS determines the amount of data is not sufficient to meet the requirements, the qualified entity would have 60 days to acquire new claims data and submit documentation to CMS. Under no circumstances may a qualified entity issue a report, use a measure, or share a report during this 60-day period. If after the 60 days, the qualified entity does not have access to new data or if CMS decides the qualified entity still does not possess an adequate amount of additional claims data, CMS would terminate its relationship with the qualified entity. We solicit comments on our proposal regarding the CMS response to a decrease in the amount of claims data possessed by a qualified entity.

    We propose requiring qualified entities to submit an annual report to CMS covering two topics, as described in further detail below: (1) General program adherence and (2) engagement of providers of services and suppliers.

    1. General Program Adherence: To monitor general program adherence, we propose that qualified entities would submit an annual report containing the number of Medicare and other claims combined, the percent of the overall market share the number of claims represents in the qualified entity's area, the number of measures calculated, the number of providers of services and suppliers profiled by type of provider and supplier, and a measure of the public use of the reports (for example, the number of Web site hits).

    2. Engagement of Providers of Services and Suppliers: We believe that one of the most important outcomes of this program would be the engagement of providers of services and suppliers with qualified entities to improve health care quality and efficiency. We want to ensure that qualified entities engage providers of services and suppliers in a constructive and respectful manner, and diligently work to address the concerns of the providers of services or suppliers throughout any appeal and error correction processes. Therefore, we are also proposing to impose reporting requirements so that CMS would be able to monitor the requests from providers of services and suppliers for information, error correction, and appeals, as well as the responsiveness of the qualified entity to those requests. In order to permit CMS to monitor these requests, we propose that qualified entities would provide a yearly report to CMS regarding: (1) The number of requests for data and the number of requests fulfilled; (2) the number of subsequent error corrections; (3) the type of problem(s) leading to the appeal or request for error correction; (4) the time for the qualified entity to acknowledge the request for data or error correction; (5) the time for the qualified entity to respond to the request for appeal or error correction; and (6) the number of requests for appeal or error correction that are resolved.

    As stated above, CMS is committed to ensuring that qualified entities protect the privacy and security of beneficiary information. To monitor qualified entities' actions in this area, we are proposing that qualified entities would submit to CMS information regarding any inappropriate disclosures or uses of beneficiary identifiable data pursuant to the requirements in the DUA. We solicit comment on our proposal as well as other indicators that would demonstrate that a qualified entity is appropriately responding to the requests from providers of services or suppliers.

    If, based upon the monitoring activities described above or by any other manner, we conclude that a qualified entity is not adequately observing the requirements of the program, we propose that CMS, in its sole discretion, may take any or all of the following actions:

    • Provide the qualified entity with a warning notice of the specific performance concern, which indicates that future deficiencies could lead to termination;
    • Request a corrective action plan (CAP) from the qualified entity;
    • Place the qualified entity on a special monitoring plan;
    • Terminate the qualified entity.

    The level of sanctions and/or termination would depend on an assessment by CMS of the seriousness of the observed deficiency or deficiencies by the qualified entity. One or more disclosures of beneficiary identifiable information would likely result in termination. Additionally, since the statute explicitly bars the reuse of Medicare claims for purposes other than generating performance reports, we propose CMS terminate its relationship with the qualified entity in the event of reuse of Medicare claims. Other deficiencies that may be the result of employee error and can be easily corrected in the future would likely just result in a warning notice. However, as noted above, any time the qualified entity is terminated we propose to require the destruction or return of any Medicare data within 30 days.

    G. Qualified Entity Application Content

    In accordance with these proposals, if finalized, CMS proposes to develop an application process for potential qualified entities that would require the following information:

    1. Applicant name and entity description.

    2. A description of the applicant's organizational and governance qualifications as laid out in Section II.A.2. above and at § 401.703(a)(1).

    3. A description of the business model the applicant plans to use for covering the costs of the required functions.

    4. A description of the additional claims data the applicant would use in combination with the requested Medicare data, and the amount of data that would be combined with Medicare data.

    5. A description of geographic area(s) for which Medicare data would be requested.

    6. Documentation of its proposed data privacy and security policies and enforcement mechanisms.

    7. A description of the proposed measures it intends to calculate and report, including the name of the measure, the name of the measure developer, the measure specifications, the rationale for selecting those measures including the relationship of the measures to existing measurement efforts and the relevancy to the proposed population in the proposed geographic area, and a description of the methodologies it intends to use in creating reports; if seeking approval of an alternative measure, documentation that the proposed alternative measure has been accepted by the Secretary as an alternative measure through notice and comment rulemaking.

    8. A description of the process it would establish to allow providers of services and suppliers to review draft reports confidentially, request data and appeal to correct errors before the reports are made public.

    9. A prototype report for reporting findings to providers of services and suppliers, and if different, to consumers, including any standard explanatory language (narrative), an easily comprehensible description of the proposed measures, the rationale for use of those measures, a description of the methodologies to be used, and a description of the data specifications and limitations, as well as a dissemination plan for reports.

    We propose to assess the veracity of each applicant's assertions through a comprehensive review of their supporting documentation as part of the application review process.

    Applications would generally be approved based on the overall expertise and sustained experience demonstrated. We are not proposing to limit the number of qualified entities or review the applications against one another. We believe our proposed approach to determining qualified entity eligibility balances the need to ensure fairness in qualified entities' evaluation of providers of services and suppliers with beneficiaries' needs for confidentiality of their health care information. We seek comments on our proposed application requirements and the total burden associated with them.

    We recognize that by not limiting the number of qualified entities in any particular geographic region, in certain circumstances providers of services and suppliers might receive multiple reports from different qualified entities. We believe that given the requirement that qualified entities contribute claims data from other sources, the likelihood of multiple qualified entities in the same area is low. However, we seek comment on the implications of providers of services and suppliers receiving multiple reports. We also seek comment on whether CMS should limit the number of qualified entities that are approved for a particular region, as well as other methods to address this issue.

    In selecting qualified entities, CMS would evaluate all applications received and identify those that meet these requirements. We propose that applications for participation in the program would be available on the CMS Web site beginning January 1, 2012. Applications would only be collected and processed once a year. We propose that applications would be due on March 31, 2012, and by the close of the first quarter of the calendar year each year thereafter. We considered, instead, using a rolling application process, where organizations could apply at any point in the year. However, we are concerned about the burden this would place on CMS in processing and reviewing applications. We seek comment on our proposed application process, specifically our decision to have a yearly application date rather than using a rolling application process.

    Applicants would be approved for a period of three years from the date of notification of the application approval by CMS. In order to continue to serve as a qualified entity for any subsequent three-year periods, the qualified entity would need to reapply. To reapply, a qualified entity would need to submit to CMS documentation of any changes to what was included in their original application. Qualified entities would need to submit this documentation at least 6 months before the end of their three-year approval period. If a qualified entity has submitted a reapplication, it would be able to continue to serve as a qualified entity until the re-application is either approved or denied by CMS. If the re-application is denied, CMS would terminate its relationship with the qualified entity. We propose that a qualified entity would need to be in good standing in order to reapply. A qualified entity would be considered in good standing if it had no violations of the requirements of the program or if the qualified entity was addressing any past deficiencies either on its own or through the implementation of a corrective action plan.

    III. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995, we are required to provide 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995 requires that we solicit comment on the following issues:

    • The need for the information collection and its usefulness in carrying out the proper functions of our agency.
    • The accuracy of our estimate of the information collection burden.
    • The quality, utility, and clarity of the information to be collected.
    • Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

    We are soliciting public comment on each of these issues for the following sections of this proposed rule that contain information collection requirements (ICRs).

    If finalized, these regulations would require an organization seeking to receive data as a qualified entity to submit an application. Specifically, an applicant must submit the information listed in proposed §§ 401.703-401.705. The burden associated with this requirement is the time and effort necessary to gather, process, and submit the required information to CMS. We estimate that 35 organizations would submit applications to receive data as qualified entities. We further estimate that it would take each applicant 500 hours to gather, process and submit the required information. The total estimated burden associated with this requirement is 500 hours at an estimated cost of $795,641.

    Proposed § 401.707(a)(iv) states that as part of the application review and approval process, a qualified entity would be required to execute a Data Use Agreement (DUA) with CMS, that among other things, reaffirms the statutory bar on the use of Medicare data for purposes other than those referenced above. The burden associated with executing this DUA is currently approved under OMB control number 0938-0734.

    Proposed § 401.705(f) would require qualified entities in good standing to re-apply for qualified entity status 6 months before the end of their three-year approval period. We estimate that 25 entities would be required to comply with this requirement. We estimate that it would take 120 hours to reapply to CMS. The total estimated burden associated with this requirement is 120 hours at an estimated cost of $136,396.

    Proposed § 410.710(b) requires qualified entities to submit annual reports to CMS as part of CMS' ongoing monitoring of qualified entity activities. We estimate that the 25 entities in the program will be required to comply with this requirement. We estimate that it will take 150 hours to complete an annual monitoring report. The total estimated burden associated with this requirement is 150 hours at $170,475.

    Table 1—Estimated Annual Recordkeeping and Reporting Burden

    | Regulation section(s) | OMB Control No. | Respondents | Responses | Burden per response (hours) | Total annual burden (hours) | Hourly labor cost of reporting ($) | Total labor cost of reporting ($)* | Total capital/maintenance costs ($) | Total cost ($) |
    |---|---|---|---|---|---|---|---|---|---|
    | § 401.703(a) | 0938-New | 35 | 35 | 500 | 17,500 | ** | 795,641 | 0 | 795,641 |
    | § 401.705(f) | 0938-New | 25 | 25 | 120 | 3,000 | ** | 136,396 | 0 | 136,396 |
    | § 401.710(b) | 0938-New | 25 | 25 | 150 | 3,750 | ** | 170,475 | 0 | 170,475 |
    | Total | | 35 | 35 | | 24,250 | | | | 1,102,512 |

    * Total labor cost assuming 92% of total hours are professional and technical and 8% are legal.
    ** Wage rates vary by level of staff involved in complying with the information collection request (ICR).

    To obtain copies of the supporting statement and any related forms for the proposed paperwork collections referenced above, access CMS' Web site at http://www.cms.gov/PaperworkReductionActof1995/PRAL/list.asp#TopOfPage or e-mail your request, including your address, phone number, OMB number, and CMS document identifier, to Paperwork@cms.hhs.gov, or call the Reports Clearance Office at 410-786-1326.

    If you comment on these information collection and recordkeeping requirements, please do either of the following:

    1. Submit your comments electronically as specified in the ADDRESSES section of this proposed rule; or

    2. Submit your comments to the Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: CMS Desk Officer, [CMS-5059-P], Fax: (202) 395 6974; or E-mail: OIRA_submission@omb.eop.gov.

    IV. Regulatory Impact Analysis

    A. Overall Impact

    We have examined the impacts of this rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C. 804(2)).

    Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). For the reasons discussed below, we estimate that the total impact of this proposed rule would be less than $90 million and therefore, it would not reach the threshold for economically significant effects and is not considered a major rule.

    The RFA requires agencies to analyze options for regulatory relief of small businesses, if a rule has a significant impact on a substantial number of small entities. For purposes of the RFA, we estimate that most hospitals and most other providers are small entities as that term is used in the RFA (including small businesses, nonprofit organizations, and small governmental jurisdictions). However, since the total estimated impact of this rule is less than $100 million, and the total estimated impact would be spread over both qualified entities and providers of services and suppliers, no one entity would face significant impact. Thus, we are not preparing an analysis of options for regulatory relief of small businesses because we have determined that this rule would not have a significant economic impact on a substantial number of small entities.

    We estimate that two types of entities may be affected by the program established by section 1874(e) of the Act: Organizations that desire to operate as qualified entities and the providers of services and suppliers who receive performance reports from qualified entities.

    We anticipate that most providers of services and suppliers receiving qualified entities' performance reports would be hospitals and physicians. Many hospitals and most other health care providers and suppliers are small entities, either by being nonprofit organizations or by meeting the Small Business Administration definition of a small business (having revenues of less than $34.5 million in any 1 year) (for details see the Small Business Administration's Web site at http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf (refer to the 620000 series)). For purposes of the RFA, physicians are considered small businesses if they generate revenues of $10 million or less based on Small Business Administration size standards. Approximately 95 percent of physicians are considered to be small entities.

    The analysis and discussion provided in this section and elsewhere in this proposed rule complies with the RFA requirements. Because we acknowledge that many of the affected entities are small entities, the analysis discussed throughout the preamble of this proposed rule constitutes our regulatory flexibility analysis for the remaining provisions and addresses comments received on these issues.

    In addition, section 1102(b) of the Act requires us to prepare a regulatory impact analysis, if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. Any such regulatory impact analysis must conform to the provisions of section 603 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a metropolitan statistical area and has fewer than 100 beds. We do not believe this proposed rule has a significant impact on the operations of a substantial number of small rural hospitals because we anticipate that most qualified entities would focus their performance evaluation efforts on metropolitan areas where the majority of health services are provided. As a result, this rule would not have a significant impact on small rural hospitals. Therefore, the Secretary has determined that this proposed rule would not have a significant impact on the operations of a substantial number of small rural hospitals.

    Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of $100 million in 1995 dollars, updated annually for inflation. In 2011, that threshold is approximately $136 million. This proposed rule would not mandate any requirements for State, local, or tribal governments in the aggregate, or by the private sector, of $136 million. Specifically, as explained below we anticipate the total impact of this rule on all parties to be approximately $87 million.

    Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. We have examined this proposed rule in accordance with Executive Order 13132 and have determined that this regulation would not have any substantial direct effect on State or local governments, preempt States, or otherwise have a Federalism implication.

    B. Anticipated Effects

    1. Impact on Qualified Entities

    Because section 1874(e) of the Act establishes a new program, there is little quantitative information available to inform our estimates. However, we believe that many or most qualified entities are likely to resemble community quality collaborative programs such as participants in the CMS Better Quality Information for Medicare Beneficiaries pilot (https://www.cms.gov/BQI/) and the AHRQ Chartered Value Exchange (CVE) program (http://www.ahrq.gov/qual/value/lncveover.htm). Community quality collaboratives are community-based organizations of multiple stakeholders that work together to transform health care at the local level by promoting quality and efficiency of care, and by measuring and publishing quality information. Consequently, we have examined available information related to those programs to inform our assumptions, although there is only limited available data that is directly applicable to this analysis.

    We estimate that 35 organizations would submit applications to participate as qualified entities. We anticipate that the majority of applicants would be nonprofit organizations such as existing community collaboratives. In estimating qualified entity impacts, we used hourly labor costs in several labor categories reported by the Bureau of Labor Statistics (BLS) at http://data.bls.gov/pdq/querytool.jsp?survey=ce. We used the annual rates for 2009 and added 33 percent for overhead and fringe benefit costs. These rates are displayed in Table 2.

    Table 2—Labor Rates for Qualified Entity Impact Estimates

    | Labor category | 2009 hourly wage rate (BLS) | OH and fringe (33%) | Total hourly costs |
    |---|---|---|---|
    | Professional and technical services | $34.08 | $11.25 | $45.33 |
    | Legal review | 35.35 | 11.67 | 47.02 |
    | Custom computer programming | 40.37 | 13.32 | 53.69 |
    | Data processing and hosting | 29.36 | 9.69 | 39.05 |
    | Other information services | 30.62 | 10.10 | 40.72 |

    We estimate that preparation of an application would require a total of 500 hours of effort, requiring a combination of staff in the professional and technical services and the legal labor categories. We seek comment on our estimate that 35 organizations would apply to become qualified entities and encourage any interested organizations to signal their intent to apply as qualified entities in their comments on this rule.

    We estimate that 25 of these applicants would be approved as participating qualified entities, and that each qualified entity would request Medicare claims data accompanied by payment for these data. Because of the eligibility criteria we are proposing for qualified entities, we believe that it is likely that all of these organizations would already be performing work related to calculation of quality measures and production of performance reports for health care providers, so the impact of the program established by section 1874(e) of the Act would be an opportunity to add Medicare claims data to their existing function.

    The statute directs that the fees for these data be equal to the government's cost to make the data available. We are proposing to initially provide three years of data to qualified entities with yearly updates thereafter. Based on CMS past experience providing Medicare data to research entities, we estimate that the total approximate costs to provide three years of data for 2.5 million beneficiaries to a qualified entity would be $200,000. As shown in Table 3, this would include approximately $75,000 in costs to produce the claims data, as well as approximately $125,000 in additional costs associated with technical assistance, processing applications and requests for data, and monitoring.

    We estimate that, on average, each qualified entity's activity to analyze the Medicare claims data, calculate performance measures and produce provider performance reports would require 5,500 hours of effort. While qualified entities would not be able to calculate or produce alternative measures in the first year of serving as a qualified entity, they may submit measures for approval in the first year of the program, so we have also included estimates here of the level of effort required to develop and submit alternative measures. We estimate that half of the qualified entities (13) would propose alternative performance measures, which would involve an additional 2,100 hours of effort for each entity.

    We further estimate that, on average, each qualified entity would expend 5,000 hours of effort processing providers' and suppliers' appeals of their performance reports and producing revised reports, and 2,000 hours making information about the performance measures publicly available. These estimates assume that, as discussed below in the section on provider and supplier impacts, on average 25 percent of providers of services and suppliers would appeal their results from a qualified entity. These assumptions are based on a belief that in the first year of the program many providers would want to appeal their results prior to performance reports being made available to the public. Responding to these appeals in an appropriate manner would require a significant investment of time on the part of qualified entities. This equates to an average of four hours per appeal for each qualified entity. We assume that the complexity of appeals would vary greatly, and as such, the time required to address them would also vary greatly. Many appeals may be able to be dealt with in an hour or less while some appeals may require multiple meetings between the qualified entity and the affected provider of services or supplier. On average however, we believe that this is a realistic and reasonable estimate of the burden of the appeals process on qualified entities. We discuss the burden of the appeals process on providers of services and suppliers below.

    We anticipate that qualified entities would expend 2,000 hours of effort developing their proposed performance report. These estimated hours are separated into labor categories in Table 3 below, with the pertinent hourly labor rates and cost totals.

    Finally, we estimate that each qualified entity would spend 255 hours of effort submitting information to CMS for monitoring purposes. This would include audits and site visits as discussed above. It would also include an annual report that contains measures of general program adherence, measures of the provider of services and suppliers data sharing, error correction, and appeals process, and measures of the success of the program with consumers. Finally, qualified entities would be required to notify CMS of inappropriate disclosures or use of beneficiary identifiable data pursuant to the requirements in the DUA. We believe that many of the required data elements in both the annual report and the report generated in response to an inappropriate disclosure or use of beneficiary identifiable data would be generated as a matter of course by the qualified entities and therefore, would not require significant additional effort. Based on the assumptions we have described, we estimate the total impact on qualified entities for the first year of the program to be a cost of $49,003,203.

    Table 3—Impact on Qualified Entities for the First Year of the Program

    [Impact on Qualified Entities]

    | Activity | Hours: professional and technical | Hours: legal | Hours: computer programming | Hours: data processing and hosting | Labor hourly cost | Cost per applicant | Number of applicants | Total cost impact |
    |---|---|---|---|---|---|---|---|---|
    | APPLICATION COSTS | | | | | | | | |
    | Preparation of application by candidate QEs | | | | | | | | |
    | a. Prepare draft application | 360 | | | | $45.33 | $16,319 | | |
    | b. Legal review | | 40 | | | $47.02 | $1,881 | | |
    | c. Revisions to draft application | 60 | | | | $45.33 | $2,720 | | |
    | d. Senior management review and signature | 40 | | | | $45.33 | $1,813 | | |
    | Total: application preparation | 460 | 40 | | | | $22,733 | 35 | $795,641 |
    | Medicare data purchase costs by approved QEs | | | | | NA | $75,000 | 25 | $1,875,000 |
    | Additional Medicare data application costs | | | | | NA | $125,000 | 25 | $3,125,000 |
    | Total: Applications | | | | | | | | $5,795,641 |
    | QE OPERATIONS COSTS | | | | | | | | |
    | Database administration | | | | 500 | $39.05 | | 25 | $488,125 |
    | Data analysis/measure calculation/report preparation | | | 2500 | | $53.69 | $134,225 | 25 | $3,355,625 |
    | | | | | 2500 | $39.05 | $97,625 | 25 | $2,440,625 |
    | Development and submission of alternative measures | 1000 | | | | $45.33 | $45,330 | 13 | $589,290 |
    | | | | 100 | | $53.69 | $5,369 | 13 | $69,797 |
    | | | | | 1000 | $39.05 | $39,050 | 13 | $507,650 |
    | QE processing of provider appeals and report revision | 4000 | | | | $45.33 | $181,320 | 25 | $4,533,000 |
    | | | 1000 | | | $47.02 | $47,020 | 25 | $1,175,500 |
    | Development of proposed performance report formats | 1000 | | | | $45.53 | $45,530 | 25 | $1,138,250 |
    | | | | 1000 | | $53.69 | $53,690 | 25 | $1,342,250 |
    | Publication of performance reports | | | 1000 | | $53.69 | $53,690 | 25 | $1,342,250 |
    | | | | | 1000 | $39.05 | $39,050 | 25 | $976,250 |
    | Monitoring | | | | 255 | $39.05 | $9,958 | 25 | $248,950 |
    | Computer hardware and processing | | | | | | $1,000,000 | 25 | $25,000,000 |
    | Total: Operations | | | | | | | | $43,207,562 |
    | Total QE Impacts (application plus operations) | | | | | | | | $49,003,203 |

    2. Impact on Health Care Providers of Services and Suppliers

    Table 4 reflects the hourly labor rates used in our estimate of the impacts of the first year of section 1874(e) of the Act on health care providers of services and suppliers. We note that numerous health care payers, community quality collaboratives, States, and other organizations are producing performance measures for health care providers of services and suppliers using data from other sources, and that providers of services and suppliers are already receiving performance reports from these sources. We anticipate that the Medicare claims data would merely be added to those existing efforts to improve the statistical validity of the measure findings, and therefore the impact of including Medicare claims data in these existing performance reporting processes is likely to be marginal. However, we invite comments on the impact of this new voluntary program.

    Table 4—Labor Rates for Provider and Supplier Impact Estimates

    | Provider or supplier type | 2009 hourly wage rate (BLS) | Overhead and fringe benefits (33%) | Total hourly costs |
    |---|---|---|---|
    | Physicians' offices | $30.90 | $10.20 | $41.10 |
    | Hospitals | 26.44 | 8.73 | 35.17 |

    We anticipate that the impacts on providers of services and suppliers consist of costs to review the performance reports generated by qualified entities and, if they choose, appeal their performance calculations. Based on a review of available information from the Better Quality Information and the Charter Value Exchange programs, we estimate that, on average, each qualified entity would distribute performance reports to 5,000 health providers of services and suppliers. We anticipate that the largest proportion of providers of services and suppliers would be physicians because they comprise the largest group of providers of services and suppliers, and are a primary focus of many recent performance evaluation efforts. Based on our review of information from these existing programs, we assume that 95 percent of the recipients of performance reports (that is, an average of 4,750 per qualified entity) would be physicians, and 5 percent (that is, an average of 250 per qualified entity) would be hospitals and other suppliers. Providers of services and suppliers receive these reports with no obligation to review them, but we assume that most would do so to verify that their calculated performance measures reflect their actual patients and health events. We estimate that, on average, each provider of services or supplier would devote five hours to reviewing these reports. We also estimate that 25 percent of the providers of services and suppliers would decide to appeal their performance calculations, and that preparing the appeal would involve an average of ten hours of effort on the part of a provider of services or supplier. 
As with our assumptions regarding the level of effort required by qualified entities in operating the appeals process, we believe that this average covers a range of provider efforts from providers who would need just one or two hours to clarify any questions or concerns regarding their performance reports to providers who would devote significant time and resources to the appeals process.

    Using the hourly costs displayed in Table 4, the impacts on providers of services and suppliers are calculated below in Table 5. Based on the assumptions we have described, we estimate the total impact on providers for the first year of the program to be a cost of $38,262,815.

    As stated above in Table 3, we estimate the total impact on qualified entities to be a cost of $49,003,203. Therefore, the total impact on qualified entities and on providers of services and suppliers for the first year of the program is estimated to be $87,266,018.

    Table 5—Impact on Providers of Services and Suppliers for the First Year of the Program

    [Impact on Providers of Services and Suppliers]

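    | Activity | Hours per provider: Physician offices | Hours per provider: Hospitals | Labor hourly cost | Cost per applicant | Number of providers per QE | Number of QEs | Total cost impact |
    |---|---|---|---|---|---|---|---|
    | Provider review of performance reports | 5 | | $41.10 | $206 | 4,750 | 25 | $24,403,125 |
    | | | 5 | 35.17 | 176 | 250 | 25 | 1,099,063 |
    | Preparing and submitting appeal request to QEs | 10 | | 41.10 | 411 | 1188 | 25 | 12,206,700 |
    | | | 10 | 35.17 | 352 | 63 | 25 | 533,928 |
    | Total Provider Impacts | | | | | | | 38,262,815 |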

    C. Alternatives Considered

    The statutory provisions that were added by section 10332 of the Affordable Care Act are detailed and prescriptive about the eligibility for, and requirements of, the Qualified Entity Program. Consequently, we believe there are limited approaches that would ensure program success and statutory compliance. We considered proposing a less comprehensive set of eligibility criteria for qualified entities (for example, eliminating requirements that applicants demonstrate capabilities related to calculation of measures, developing performance reports, combining Medicare claims data with other claims, and data privacy and security protection). While such an approach might have reduced certain application and operating costs for these entities, we did not adopt such an approach for several reasons. An important consideration is the protection of beneficiary identifiable data. We believe if we do not require qualified entities to provide sufficient evidence of data privacy and security protection capabilities, there would be increased risks related to the protection of beneficiary identifiable data.

    Additionally, we believe that requiring less stringent requirements regarding the production and reporting of measures would lead to increases in the number of provider appeals, and consequently in appeals-related costs of both providers and qualified entities. We expect that such a scenario would not support the development of a cooperative relationship between qualified entities and providers of services and suppliers. We request public comments on other approaches that could be considered.

    D. Conclusion

    As explained above, we estimate the total impact for the first year of the program on qualified entities and providers to be a cost of $87,266,018. Based on these estimates, we conclude this proposed rule does not reach the threshold for economically significant effects and thus is not considered a major rule.

    In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget.


    List of Subjects in 42 CFR Part 401

    • Claims
    • Freedom of information
    • Health facilities
    • Medicare
    • Privacy

    For the reasons set forth in the Preamble, the Centers for Medicare and Medicaid Services proposes to amend 42 CFR Chapter IV as set forth below:


    PART 401—GENERAL ADMINISTRATIVE REQUIREMENTS

    1. The authority citation for part 401 is revised to read as follows:


    Authority: Secs. 1102, 1871, and 1874(e) of the Social Security Act (42 U.S.C. 1302, 1395hh, and 1395w-5).


    2. A new subpart G is added to part 401 to read as follows:

    Subpart G—Availability of Medicare Data for Performance Measurement
    401.701 Purpose and scope.
    401.702 Definitions.
    401.703 Eligibility criteria for qualified entities.
    401.704 Operating and governance requirements for qualified entities.
    401.705 The application process and requirements.
    401.706 Updates to plans submitted as part of the application process.
    401.707 Ensuring the privacy and security of data.
    401.708 Selection and use of performance measures.
    401.709 Provider of services and supplier requests for error correction.
    401.710 Monitoring and sanctioning of qualified entities.
    401.711 Termination of qualified entities.

    Subpart G—Availability of Medicare Data for Performance Measurement

    § 401.701 Purpose and scope.

    The regulations in this subpart implement section 1874(e) of the Social Security Act as it applies to the Centers for Medicare & Medicaid Services (CMS). The rules apply to Medicare data made available to qualified entities for the evaluation of the performance of providers of services and suppliers.

    § 401.702 Definitions.

    (a) Qualified entity. A qualified entity is defined as a public or private entity that:

    (1) Is qualified, as determined by the Secretary, to use claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resource use, and

    (2) Agrees to meet the requirements described in Section 1874(e) of the Social Security Act and meets the requirements at §§ 401.703 through 401.710.

    (b) Provider of services. A provider of services under this subpart is defined in the same manner as the identical term at section 1861(u) of the Social Security Act.

    (c) Supplier. A supplier under this subpart is defined in the same manner as the identical term at section 1861(d) of the Social Security Act.

    (d) Claims. Claims are itemized billing statements from providers of services and suppliers that, except in the context of Part D drug event data, request reimbursement for a list of services and supplies that were provided to a Medicare beneficiary in the Medicare fee-for-service context, or to a participant in other insurance or entitlement program contexts. In the Medicare program, claims files are available for each institutional (inpatient, outpatient, skilled nursing facility, hospice, or home health agency) and non-institutional (physician and durable medical equipment providers and suppliers) claim type as well as Medicare Part D (Prescription Drug) Event data.

    (e) Standardized data extract. For purposes of this subpart, the standardized data extract is the subset of Medicare claims data that the Secretary would make available to qualified entities under this subpart.

    (f) Beneficiary identifiable data. For the purposes of this subpart, beneficiary identifiable data is any data that contains the beneficiary name or beneficiary name and any other direct identifying factors, including, but not limited to, race, sex, age, or address.

    (g) Encrypted data. For the purposes of this subpart, encrypted data is any data that does not contain the beneficiary name or any other direct identifying factors, but does include a unique beneficiary identifier that allows for the linking of claims without divulging the direct identifier of the beneficiary.

    § 401.703 Eligibility criteria for qualified entities.

    (a) Eligibility criteria: To be eligible to apply to receive data as a qualified entity under this section, an applicant generally must demonstrate expertise and sustained experience, defined as three or more years, to the Secretary's satisfaction in the following three areas:

    (1) Organizational and governance criteria, including:

    (i) Accurately calculating quality, efficiency, effectiveness, and resource use measures from claims data, including:

    (A) Identifying an appropriate method to attribute a particular patient's services to specific providers of services and suppliers.

    (B) Ensuring the use of approaches to ensure statistical validity such as a minimum number of observations or minimum denominator for each measure.

    (C) Using methods for risk-adjustment to account for variation in both case-mix and severity among providers of services and suppliers.

    (D) Identifying methods for handling outliers.

    (E) Correcting measurement errors and assessing measure reliability.

    (F) Identifying appropriate peer groups of providers and suppliers for meaningful comparisons.

    (ii) A business model that would cover the costs of performing the required functions, including the fee for the data.

    (iii) Successfully combining claims data from different payers to calculate performance reports.

    (iv) Designing and continuously improving the format of performance reports on providers of services and suppliers.

    (v) Preparing an understandable description of the measures used to evaluate the performance of providers of services and suppliers so that consumers, providers of services and suppliers, health plans, researchers, and other stakeholders can assess performance reports.

    (vi) Implementing and maintaining a process for providers of services and suppliers identified in a report to review the report prior to publication and providing a timely response to provider of services and supplier inquiries regarding requests for data, error correction, and appeals.

    (vii) Establishing, maintaining, and monitoring a rigorous data privacy and security program, including disclosing to CMS any inappropriate disclosures of beneficiary identifiable information or HIPAA violations for the preceding 10-year period, and any corrective actions taken to address such issues.

    (viii) Accurately preparing performance reports on providers of services and suppliers and making performance report information available to the public in aggregate form, that is, at the provider of services or supplier level.

    (2) Ability to combine Medicare claims data with claims data from other sources, including demonstrating to the Secretary's satisfaction that the claims data from other sources that it intends to combine with the Medicare data received under this subpart address many of the methodological concerns expressed by multiple stakeholders regarding the calculation of performance measures from a single payer source.

    (3) Documentation of rigorous data privacy and security policies including enforcement mechanisms.

    (b) [Reserved]

    § 401.704 Operating and governance requirements for qualified entities.

    (a) Submit to CMS a list of all measures it intends to calculate and report, the geographic areas it intends to serve, and the methods of creating and disseminating reports. This list must include the following information:

    (1) Name of the measure, and whether it is a standard or alternative measure,

    (2) Name of the measure developer/owner,

    (3) Measure specifications, including numerator and denominator,

    (4) The rationale for selecting each measure, including the relationship to existing measurement efforts and the relevancy to the population in the geographic area(s) the entity would serve, including:

    (i) A specific description of the geographic area or areas it intends to serve, and

    (ii) A specific description of how each measure evaluates providers of services and suppliers on quality, efficiency, effectiveness, and/or resource use.

    (5) A description of the methodologies it intends to use in creating reports with respect to all of the following topics:

    (i) Attribution of beneficiaries to providers and/or suppliers,

    (ii) Benchmarking performance data, including:

    (A) Methods for creating peer groups,

    (B) Justification of any minimum sample size determinations made, and

    (C) Methods for handling statistical outliers.

    (iii) Risk adjustment.

    (b) Submit to CMS a description of the process it would establish to allow providers of services and suppliers to view reports confidentially, request data, and ask for the correction of errors before the reports are made public.

    (c) Submit to CMS a prototype report and a description of their plans for making the reports available to the public.

    § 401.705 The application process and requirements.

    (a) Application deadline. Qualified entity applications must be submitted by March 31, 2012 and by the close of the first quarter of the calendar year each year thereafter.

    (b) Selection criteria. To be approved as a qualified entity under this subpart, the applicant must meet the eligibility and operational and governance requirements, and fulfill all of the application requirements to CMS' satisfaction, agree to pay a fee equal to the cost of CMS making the data available, and execute a Data Use Agreement with CMS, that among other things, reaffirms the statutory ban on the use of Medicare data provided to the qualified entity by CMS under this subpart for purposes other than those referenced in this subpart.

    (c) Duration of approval. The entity would be permitted to participate as a qualified entity for a period of three years from the date of notification of application approval by CMS. The qualified entity must abide by all CMS regulations and instructions for this program. If the qualified entity wishes to continue performing the tasks under this subpart after the three-year approval period, the entity may re-apply for qualified entity status following the procedures set forth below.

    (d) Reporting period. Unless otherwise specified, the qualified entities must produce reports on the performance of providers of services and suppliers annually beginning in the calendar year after they are approved by CMS.

    (e) The distribution of data. Once a qualified entity is approved by CMS under this subpart, it would be required to pay a fee equal to the cost of CMS making this data available. After the qualified entity pays the fee, CMS would release claims data to the qualified entity.

    (1) CMS would release standardized extracts of encrypted data from Medicare parts A and B claims data, and D drug event data for the most recent three years of data available at that time. The data would be limited to the geographic spread of the qualified entity's other claims data as determined by CMS.

    (2) After the first year of participation, CMS would provide qualified entities with the most recent additional year of data on a yearly basis. Qualified entities would be required to pay a fee equal to the cost of CMS making this data available before CMS would release the most recent year of additional data to the qualified entity.

    (f) Re-application. Qualified entities in good standing may re-apply for qualified entity status. A qualified entity would be considered in good standing if it has had no violations of the requirements of the program or if the qualified entity is addressing any past deficiencies either on its own or through the implementation of a corrective action plan. To reapply, a qualified entity would need to submit to CMS documentation of any changes to what was included in its original application. Reapplicants would need to submit this documentation at least 6 months before the end of their three-year approval period and would be able to continue to serve as qualified entities until the re-application is either approved or denied by CMS. If the re-application is denied, CMS would terminate its relationship with the qualified entity.

    § 401.706 Updates to plans submitted as part of the application process.

    (a) If a qualified entity wishes to make changes to:

    (1) Its list of proposed measures, the qualified entity must send all the information referenced in § 401.704(a) for the new measure to CMS at least 90 days prior to its intended confidential release to providers of services and suppliers.

    (2) Its proposed prototype report, the qualified entity must send the new prototype report to CMS at least 90 days prior to its intended confidential release to providers of services and suppliers.

    (3) Its plans for sharing the reports with the public, the qualified entity must send the new plans to CMS at least 90 days prior to its intended confidential release to providers of services and suppliers.

    (b) The qualified entity would be notified when its proposed changes are approved or denied for use. Under no circumstances may a qualified entity issue a report, use a measure, or share a report without first obtaining CMS approval.

    (c) If the amount of claims data from other sources available to a qualified entity decreases, the qualified entity must immediately inform CMS and submit documentation that the remaining claims data from other sources is sufficient to address the methodological concerns regarding sample size and reliability. Under no circumstances may a qualified entity issue a report, use a measure, or share a report after this point.

    (1) If CMS determines that the remaining claims data is not sufficient, the qualified entity would have 60 days to acquire new data and submit new documentation to CMS. If after 60 days, the qualified entity does not have access to new data or if CMS decides the qualified entity still does not possess the needed amount of additional claims data, CMS shall terminate its relationship with the qualified entity.

    (2) If CMS determines that the remaining claims data is sufficient, the qualified entity may resume issuing reports, using measures, and sharing reports.

    § 401.707 Ensuring the privacy and security of data.

    (a) Qualified entities must comply with the data requirements in the data use agreement (DUA) with CMS. The DUA would require the qualified entity to maintain privacy and security protocols throughout the duration of their agreement with CMS and would ban the use of data for purposes other than those referenced in this subpart. The DUA would also prohibit the use of unsecured telecommunications to transmit CMS data and would require disclosure of the circumstances under which CMS data would be stored and transmitted.

    (b) Qualified entities must inform each beneficiary whose beneficiary identifiable data has been or is reasonably believed to have been inappropriately accessed, acquired, or disclosed pursuant to the DUA.

    § 401.708 Selection and use of performance measures.

    (a) Standard measure. A standard measure is defined as a measure that can be calculated from the standardized extracts of Medicare Parts A and B claims, and Part D drug event data that:

    (1) Meets one of the following criteria:

    (i) Endorsed by the entity with a contract under section 1890(a) of the Social Security Act;

    (ii) Time-limited endorsed by the entity with a contract under Section 1890(a) of the Social Security Act until such time as the full endorsement status is determined;

    (iii) Developed pursuant to section 931 of the Public Health Service Act; or

    (iv) Can be calculated from standardized extracts of Medicare parts A or B claims or part D drug event data, was adopted through notice and comment rulemaking and is currently being used in CMS programs that include quality measurement.

    (2) Is used in a manner that follows the measure specifications as written (or as adopted through notice and comment rulemaking), including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources.

    (b) Alternative measure. (1) An alternative measure is defined as a measure that is not a standard measure, but that can be calculated from the standardized extracts of Medicare Parts A and B claims, and Part D drug event data that:

    (i) Has been found by the Secretary through a notice and comment rulemaking process, to be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures, and,

    (ii) Is used by a qualified entity in a manner that follows the measure specifications as written (or as adopted through notice and comment rulemaking), including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources.

    (2) An alternative measure may be used up until the point that a standard measure for the particular clinical area or condition becomes available at which point the qualified entity must switch to the standard measure within 6 months or submit additional scientific justification and receive approval from the Secretary to continue using the alternative measure.

    (3) To submit an alternative measure for consideration for use in the following calendar year an entity must submit the following by May 31st:

    (i) The name of the alternative measure.

    (ii) The name of the alternative measure's developer or owner.

    (iii) Detailed specifications for the alternative measure.

    (iv) Information demonstrating how the alternative measure is more cost-effective, relevant to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures.

    § 401.709 Provider of services and supplier requests for error correction.

    (a) Qualified entities must confidentially share measures, measurement methodologies, and measure results with providers of services and suppliers at least 30 business days prior to making reports public. The 30 days begins on the date on which qualified entities send the confidential reports to providers of services and suppliers.

    (b) Qualified entities must allow providers of services and suppliers at least 10 business days after receipt of a report to make a request for the data.

    (c) Qualified entities must allow providers of services and suppliers at least 10 business days after receipt of the data to make a request for error correction.

    (d) If a qualified entity receives a request for beneficiary names from a provider of services or supplier, the qualified entity must forward that request to CMS including a copy of the signed request from the provider of services or supplier as an attachment.

    (1) After the qualified entity receives the beneficiary names from CMS and sends the information to the requesting provider of services or supplier, the qualified entity must immediately destroy that data and is not permitted to retain or use the beneficiary names in any way.

    (2) If a qualified entity does not immediately destroy all identifiable data after sharing the information with the requesting provider of services or supplier, it will be subject to the penalties referenced in § 401.710(d).

    (e) Qualified entities must inform providers of services and suppliers that reports would be made public, including information related to the status of any data or error correction requests, after a specified date (at least 30 business days after the report was originally shared with providers of services and suppliers), regardless of the status of any requests for error correction.

    (f) If a provider of services or supplier still has a data or error correction request outstanding at the time of making the reports public, the qualified entity must, if feasible, post publicly the name of the appealing provider and the category of the appeal request.

    § 401.710 Monitoring and sanctioning of qualified entities.

    (a) CMS would monitor and assess the performance of qualified entities using the following methods:

    (1) Audits

    (2) Submission of documentation of data sources and quantities of data upon the request of CMS and/or site visits

    (3) Analysis of specific data reported to CMS by qualified entities through annual reports, as described in paragraph (b) of this section, and reports on inappropriate disclosures or uses of beneficiary identifiable data, as described in paragraph (c) of this section.

    (4) Analysis of beneficiary and/or provider complaints

    (b) Qualified entities must provide annual reports to CMS containing information related to:

    (1) General program adherence, including:

    (i) The number of Medicare and private claims combined.

    (ii) The percent of the overall market share the number of claims represents in the qualified entity's area.

    (iii) The number of measures calculated.

    (iv) The number of providers of services and suppliers profiled by type of provider and supplier.

    (v) A measure of public use of the reports.

    (2) The provider of services and suppliers data sharing, error correction, and appeals process, including:

    (i) The number of providers of services and suppliers requesting claims data.

    (ii) The number of requests for claims data fulfilled.

    (iii) The number of error corrections.

    (iv) The type(s) of problem(s) leading to the request for error correction.

    (v) The time to acknowledge the request for data or error correction.

    (vi) The time to respond to the request for error correction.

    (vii) The number of requests for error correction resolved.

    (c) Qualified entities must inform CMS of inappropriate disclosures or uses of beneficiary identifiable data pursuant to the requirements in the DUA.

    (d) CMS may take the following actions against qualified entities if it is determined that they are in violation of any of the requirements of the qualified entity program, regardless of how CMS learns of the violation:

    (1) Provide a warning notice, which indicates that future deficiencies could lead to termination, to the qualified entity of the specific concern

    (2) Request a corrective action plan (CAP) from the qualified entity

    (3) Place the qualified entity on a special monitoring plan

    (4) Terminate the qualified entity

    § 401.711 Termination of qualified entities.

    (a) Grounds for terminating a qualified entity agreement. CMS may terminate an agreement with a qualified entity if the qualified entity:

    (1) Engages in one or more serious violations of the requirements of the qualified entity program.

    (2) Fails to completely and accurately report information to CMS or fails to make timely corrections to reported performance information per providers of services and supplier requests for such correction.

    (3) Fails to submit an approvable corrective action plan (CAP), fails to implement an approved CAP, or fails to demonstrate improved performance after the implementation of a CAP.

    (4) Improperly uses or discloses claims information received from CMS in violation of the requirements of the regulations in this subpart.

    (5) Based on their reapplication, no longer meets the requirements in this subpart.

    (b) Return of CMS data upon voluntary or involuntary termination from the qualified entity program:

    (1) If a qualified entity's agreement with CMS is terminated by CMS, it must immediately upon receipt of notification of such termination commence returning or destroying any and all CMS data (and any derivative files). In no instance should this process exceed 30 days.

    (2) If a qualified entity voluntarily terminates participation in the program, it must return to CMS, or destroy, any and all CMS data in its possession within 30 days of notifying CMS of its intent to end participation.

    (Catalog of Federal Domestic Assistance Program No. 93.773, Medicare—Hospital Insurance; and Program No. 93.774, Medicare—Supplementary Medical Insurance Program)


    Dated: May 4, 2011.

    Donald M. Berwick,

    Administrator, Centers for Medicare & Medicaid Services.

    Approved: June 1, 2011.

    Kathleen Sebelius,

    Secretary, Department of Health and Human Services.


    [FR Doc. 2011-14003 Filed 6-3-11; 11:15 am]

    BILLING CODE 4120-01-P

Document Information

Comments Received: 0 Comments
Published: 06/08/2011
Department: Centers for Medicare & Medicaid Services
Entry Type: Proposed Rule
Action: Proposed rule.
Document Number: 2011-14003
Dates: To be assured consideration, comments must be received at one of
Pages: 33565-33588 (24 pages)
Docket Numbers: CMS-5059-P
RINs: 0938-AQ17: Availability of Medicare Data for Performance Measurement (CMS-5059-P)
RIN Links: https://www.federalregister.gov/regulations/0938-AQ17/availability-of-medicare-data-for-performance-measurement-cms-5059-p-
Topics: Claims, Freedom of information, Health facilities, Medicare, Privacy
PDF File: 2011-14003.pdf