Analyzed claims data from Medicare and private sector insurers would be authorized for sale by “qualified entities,” according to a proposed rule released this morning in a special Federal Register filing by the Centers for Medicare and Medicaid Services (CMS). The proposed regulation offers a 60-day public comment period.
“[T]his proposed rule would explain how qualified entities may create non-public analyses and provide or sell such analyses to authorized users, as well as how qualified entities may provide or sell combined data, or provide Medicare claims data alone at no cost, to certain authorized users,” the new rule states. Authorized users are defined as providers, suppliers, employers, health insurance issuers, medical societies, hospital associations, healthcare professional associations or state agencies.
The qualified entity program was implemented under the Affordable Care Act and “allows organizations that meet certain qualifications to access patient-protected Medicare data to produce public reports,” according to a CMS statement. The entities must combine Medicare data with other claims data, such as private payer data, “to produce quality reports that are representative of how providers and suppliers are performing across multiple payers” (e.g., Medicare, Medicaid or various commercial payers).
An entity deemed as “qualified” (determined by the Secretary of Health and Human Services) may use claims data — standardized extracts of Medicare Part A and B claims data and Part D drug event data — to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness and resource use. The entity pays a fee for use of the data equal to the government’s cost of making it available.
The Medicare Access and CHIP Reauthorization Act of 2015, which was enacted last April, includes a provision — Section 105, Expanding the Availability of Medicare Data — that takes effect on July 1, 2016. That section defines how qualified entities will be allowed to use and disclose data “to the extent consistent with other applicable laws, including information, privacy, security and disclosure laws.”
That means that any qualified entity that is also a covered entity or business associate as defined under HIPAA will have to comply with applicable HIPAA requirements, including a prohibition on the sale of protected health information.
CMS estimates that 11 qualified entities will be able to provide or sell analyses and/or data to authorized users within the first year of the program. That number is expected to rise to 15 in subsequent years.
“Today’s rules seek to enhance the current qualified entity program to allow innovative use of Medicare data for non-public uses while ensuring the privacy and security of beneficiary information,” according to the CMS statement.
Qualified entities that make analyses or data available under provisions of the proposed rule would be subject to annual reporting requirements intended to help CMS monitor program compliance.
In addition, providers and suppliers who are individually identified in a non-public analysis must be given an opportunity to review and request corrections before a qualified entity provides or sells such information to an authorized user.
The proposed rule would also impose “assessments” for violation of terms of a required data use agreement. An assessment would be based on an amount “per potentially affected individual, and would take into account “the nature and extent of the harm or potential harm resulting from the violation, and the degree of culpability and history or prior violations,” as well as aggravating and mitigating circumstances.