83 FR 6587 - Privacy Act of 1974; System of Records.

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Federal Register Volume 83, Issue 31 (February 14, 2018)

Page Range: 6587-6591
FR Document: 2018-02933

[Federal Register Volume 83, Number 31 (Wednesday, February 14, 2018)]
[Notices]
[Pages 6587-6591]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-02933]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records.

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of a New System of Records.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS) proposes to establish a new system 
of records subject to the Privacy Act, System No. 09-70-0539, titled 
``Quality Payment Program (QPP).'' The new system of records will cover 
quality and performance data collected and used by CMS in determining 
merit-based payment adjustments for health care services provided by 
clinicians to Medicare beneficiaries, and in providing expert feedback 
to clinicians and third party data submitters for the purpose of 
helping clinicians provide high-value care to patients.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is 
effective upon publication, subject to a 30-day period in which to 
comment on the routine uses, described below. Please submit any 
comments by March 16, 2018.

ADDRESSES: Written comments should be submitted by mail or email to: 
CMS Privacy Act Officer, Division of Security, Privacy Policy & 
Governance, Information Security & Privacy Group, Office of Information 
Technology, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1870, 
Location N1-14-56, or [email protected]. Comments received will 
be available for review without redaction unless otherwise advised by 
the commenter at this location, by appointment, during regular business 
hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time 
zone.

FOR FURTHER INFORMATION CONTACT: General questions about the new system 
of records should be submitted by mail or email to: Michelle Peterman, 
Health Insurance Specialist, Division of Electronic Clinician and 
Quality, Quality Measurement and Value-Based Incentives Group, Center 
for Clinical Standards and Quality, CMS, 7500 Security Boulevard, 
Baltimore, MD 21244-1870, Mailstop: S3-02-01, or 
[email protected].

SUPPLEMENTARY INFORMATION: 

I. Background on the New Quality Payment Program Supported by the New 
System of Records

    The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) 
amended title XVIII of the Social Security Act (the Act) to repeal the 
way physicians were paid under the previous Sustainable Growth Rate 
(SGR) formula and replaced it with a new approach known as the Quality 
Payment Program. The Quality Payment Program streamlines and 
consolidates components of three existing incentive programs that 
reward high-value patient centered care: (1) Physician Quality 
Reporting System (PQRS) (Sec.  1848(k) and (m) of the Act (42 U.S.C. 
1395w-4)), (2) Medicare Electronic Health Records (EHR) Incentive 
Program for Eligible Professionals (Sec.  1848(o) of the Act), and (3) 
Physician Value-Based Payment Modifier (VM) (Sec.  1848(p) of the Act). 
For more information, see rulemakings implementing the existing 
programs, at 80 Fed. Reg. 71135 (November 16, 2015) (PQRS); 80 FR 62761 
(October 16, 2015) (EHR); and 80 FR 71273 (November 16, 2015) (VM).
    There are two separate pathways within the Quality Payment Program, 
Advanced Alternative Payment Models (Advanced APM) and Merit-based 
Incentive Payment System (MIPS), both of which contribute toward the 
goal of seamless integration of the Quality Payment Program into 
clinical practice workflows. MIPS provides clinicians measures and 
activities to assist them in providing high-value, patient-centered 
care to Medicare patients, and to encourage and reward their use of the 
same. The participants generate and submit to CMS data on health care 
coordination. The data will be submitted to CMS by eligible clinicians 
and approved third party data submitters (for example, registries which 
collect and submit disease tracking data; health information technology 
(IT) vendors which submit data from clinicians' Certified Electronic 
Health Record Technology (CEHRT) systems). The data will include 
information about, and will be retrieved by personal identifiers for: 
(1) The clinicians, (2) any third party data submitters who are 
individuals (e.g., sole proprietor vendors), (3) individuals who submit 
data for clinicians or third party data submitters as their 
representatives or contact persons, and (4) Medicare beneficiaries and 
any non-Medicare beneficiaries receiving the health care services 
referenced in the Quality Payment Program data. The records are 
described below.
    The data submission process will require that clinicians and third 
party submitters use their identifying and contact information, tax 
identification number (TIN/EIN), national provider identifier (NPI), 
and information about health care services provided to patients for the 
performance categories of the MIPS including (1) quality--including a 
set of evidence-based, specialty-specific standards; (2) cost of 
services provided; (3) improvement activities that improved or are 
likely to improve clinical practice or care delivery; and (4) advancing 
care information which focuses on the use of CEHRT to support 
interoperability and avoid
redundancies. Except for specific measures or activities identified and 
published in the Federal Register by November 1 of each year, there are 
no changes in Calendar Year (CY) 2017 with respect to the collection 
and use of Privacy Act records associated with these activities in the 
QPP system of record notice (SORN) other than what is collected by the 
overlapping SORNs described below. There were no changes to the Call 
for Quality Measures process in the CY 2018 rule and so there are no 
changes to the use or additional collection of Privacy Act records 
related to the four performance categories. Payment adjustments for 
eligible clinicians do not begin until CY 2019 and at that time any 
additional Privacy Act records associated with those payment 
adjustments based on their performance during the applicable 
performance period will be described if needed in an update to this 
SORN. MIPS quality and performance data used in the program will be 
reported to CMS by eligible clinicians and approved third party data 
submitters of the types described in 42 CFR 414.1400. The data will 
pertain to health care services provided to Medicare beneficiaries, but 
may also include data about non-Medicare patients. As mentioned above, 
except for specific measures or activities identified and published in 
the Federal Register by November 1 of each year, there are no changes 
in CY 2017 with respect to the collection and use of Privacy Act 
records associated with these activities in the QPP SORN other than 
what is collected by the overlapping SORNs described below.

II. Related Systems of Records Supporting the Existing PQRS, EHR, and 
VM Programs

    The PQRS, EHR, and VM programs each maintain records subject to the 
Privacy Act which are maintained in existing systems of records; these 
systems of records will necessarily overlap with this system of records 
until the existing programs fully sunset. Therefore, these SORNs cover 
the Quality Payment Program Privacy Act records until the QPP SORN is 
finalized:
    1. PQRS: ``Performance Measurement and Reporting System (PMRS),'' 
System No. 09-70-0584, last published at 73 FR 80412 (December 31, 
2008);
    2. EHR: ``Medicare and Medicaid Electronic Health Record (EHR) 
Incentive Program National Level Repository'' System No. 09-70-0587, 
last published at 75 FR 73095 (November 29, 2010);
    3. VM: ``Medicare Multi-Carrier Claims System (MCS),'' System No. 
09-70-0501, last published at 71 FR 64968 (November 6, 2006); and
    4. VM: ``Fiscal Intermediary Shared System (FISS),'' System No. 09-
70-0503, last published at 71 FR 64961 (November 6, 2006).
    The Performance Measurement and Reporting System (PMRS) SORN covers 
the Better Quality Information (BQI) to Improve Care for Medicare 
Beneficiaries Project, the Electronic Prescribing (E-Prescribing) 
Incentive Program, and the PQRS. The BQI to Improve Care for Medicare 
Beneficiaries Project and the E-Prescribing Incentive Program have 
fully sunsetted. The PQRS program's last reporting year was CY 2016. 
However, Privacy Act records related to the PQRS program will continue 
to be utilized for several additional years to assess payment 
adjustments in CY 2018 and data as needed. The Medicare and Medicaid 
Electronic Health Record (EHR) Incentive Program National Level 
Repository SORN covers the Medicare and Medicaid EHR Incentive 
Programs. The Medicare EHR Incentive program's last payment year was CY 
2016. However, Privacy Act records related to the Medicare EHR 
Incentive program will continue to be utilized for several additional 
years to assess data as needed. In addition, the Medicare EHR Incentive 
for eligible hospitals and critical access hospitals (CAHs) and the 
Medicaid EHR Incentive program are active programs. Therefore, the EHR 
SORN will not be rescinded. The SORNs that cover the VM program will 
not be rescinded as they are applicable to many CMS programs.
    The Quality Payment Program will continue to evolve over multiple 
years to accommodate payment policy implementations and take advantage 
of new system capabilities. This SORN will be similarly reviewed and 
updated to reflect significant changes, including the sunsetting of the 
existing programs and disposition of the records covered by the 
existing SORNs, when they occur.

III. Related Rulemakings and Information Collections

    Requirements for submitting data about improvement activities did 
not exist in the legacy programs replaced by MIPS, and CMS does not 
have historical data which is directly relevant. However, the Privacy 
Act records collected through these legacy programs are the same data 
elements that are used for the Quality Payment Program in CY 2017 and 
2018 although the specific uses for the previous programs may be more 
expansive. To date, participants in the Quality Payment Program have 
registered, have selected measures and are submitting data beginning in 
2018 as individuals, as part of a group or as part of a virtual group--
a scenario not provided through the legacy SORNs.
    The primary purpose of the PMRS system of records, entitled 
``Performance Measurement and Reporting System (PMRS),'' is to support 
the collection, maintenance, and processing of information to promote 
the delivery of high quality, efficient, effective, and economical 
health care services, and promote the quality and efficiency of 
services of the type for which payment may be made under title XVIII by 
allowing for the establishment and implementation of performance 
measures, the provision of feedback to physicians, and public reporting 
of performance information.
    The primary purpose of the EHR system of records, entitled 
``Medicare and Medicaid Electronic Health Record (EHR) Incentive 
Program National Level Repository,'' called the National Level 
Repository or NLR, is to collect, maintain, and process information 
that is required for the Medicare and Medicaid EHR Incentive Programs.
    The primary purpose of the VM program covered by the systems of 
records entitled, ``Medicare Multi-Carrier Claims System (MCS) and the 
Fiscal Intermediary Shared System (FISS),'' is to identify and 
associate a provider (physician or individual provider) to their 
registration and their reports, known as the Quality and Resource Use 
Report (QRUR). QRUR is a report given to providers on quality of care 
and cost performance. In most cases, systems of records maintain Tax 
Identification Number (TIN) and the name of the organization. In very 
few cases, providers may be using their Social Security number (SSN) as 
Billing TIN.
    As discussed above the programs covered by the PMRS SORN have 
sunsetted; however, the final payment year for the PQRS program is CY 
2018 requiring the PMRS SORN to remain in effect until all pertinent 
data has been utilized. The EHR SORN and VM SORNs will not be rescinded 
as there are programs covered by these SORNs that are currently active 
and have no plans to sunset.
    Once the PQRS program sunsets the records will be dispositioned 
entirely into the QPP system of records under NARA CMS Records 
Schedule: DAA-0440-2015-0009-003. The retention period for these 
records is 10 years.
    Because the PMRS and the QPP systems of records maintain identical 
records for the categories of individuals covered by the respective 
system of records and also overlap for purposes of
making payment based on quality measures and improvement activities 
(though not with the same percentages of activity weighting or payment 
calculation), the routine uses for disclosures of records in the system 
of records and uses of records in the system of records are the same. 
Categories of individuals covered by the system of records will expand 
under the QPP SORN to include all-payer data.
    All of the routine uses either are necessary and proper or are 
compatible with the original collection purpose of encouraging and 
rewarding clinicians' use of measures and activities that help them 
provide high-value, patient-centered care to Medicare beneficiaries.

    Dated: February 1, 2018.
Emery Csulak,
Director, Information Security Privacy Group, and Senior Official for 
Privacy, Centers for Medicare & Medicaid Services.

SYSTEM NAME AND NUMBER:
    ``Quality Payment Program (QPP)'', HHS/CMS/CCSQ System No. 09-70-0539.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is: CMS Data Center, 7500 Security Boulevard, North Building, 
First Floor, Baltimore, Maryland 21244-1850.

SYSTEM MANAGER(S):
    The agency official who is responsible for the system of records 
is: Director, Quality Measurement and Value-based Incentives Group, 
CCSQ, CMS, Room C1-23-14, 7500 Security Boulevard, Baltimore, Maryland 
21244-1870.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Provisions of the Social Security Act codified at 42 U.S.C. 
Sec. Sec.  1320c-3, 1395l, 1395w-4, 1395w-21, and 1395y.

PURPOSE(S) OF THE SYSTEM:
    The purposes for which HHS/CMS will use the records are:
     To be utilized for program management and administration 
purposes;
     To determine payment adjustments for health care services 
provided by clinicians to Medicare beneficiaries;
     To provide expert feedback to clinicians and third party 
data submitters, in order to help clinicians provide high-value, 
patient-centered care to Medicare beneficiaries;
     To make clinician-level performance measure results 
available to Medicare patients and caregivers through Physician 
Compare, as defined via regulation, either on public profile pages or 
via the Downloadable Database housed on data.medicare.gov for the 
purpose of promoting more informed health care choices for people with 
Medicare; and
     To provide relevant records to other Federal and state 
agencies which administer federally-funded health benefit programs; 
Quality Improvement Networks that review claims and conduct outreach 
and reviews; and individuals and organizations that assist consumers, 
to use for program administrative purposes and in health, disease, and 
payment-related research, evaluation, outreach, and transparency 
projects.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records will be about these categories of individuals involved 
in the Quality Payment Program:
     Eligible clinicians (such as, physicians, physician 
assistants, nurse practitioners) who submit quality and performance 
data to CMS under the Program;
     Any third party data submitters of the types described in 
42 CFR 414.1400 who are individuals (e.g., sole proprietor health IT or 
survey vendors) and submit data to the Program;
     Individuals who submit data for clinicians and third party 
data submitters (i.e., as their representatives or contact persons); 
and
     Medicare beneficiaries (and any non-Medicare 
beneficiaries) receiving the health care services referenced in the 
data submitted to CMS under the Program.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system will include these categories of records:
     Records about clinicians. These will include identifying 
information and contact information (such as the clinician's name, 
address, phone number, email address, date of birth, business address, 
tax identification number (TIN/EIN), national provider identifier 
(NPI), Social Security number (SSN), prescriber identification number, 
and other assigned clinician numbers) and information about health care 
services the clinician provided to Medicare beneficiaries (and any non-
Medicare beneficiaries) and the measures and activities the clinician 
used in providing the services.
     Records about any third party data submitters who are 
individuals (for example, sole proprietor health IT or survey vendors). 
These records will include the third party's name, email address, 
business address, and TIN/EIN.
     Records about individuals who submit data for clinicians 
and third party data submitters. These will include the 
representative's name and contact information such as address, TIN/EIN, 
email address, and business address.
     Records about Medicare beneficiaries (and any non-Medicare 
beneficiaries). These will include the beneficiary's identifying and 
health information, i.e. name, address, date of birth, gender, 
ethnicity, health care utilization and claims data, health insurance 
claim number (HICN), Medicare beneficiary identifier (MBI), and SSN.
     Records about other payer payment arrangements. These will 
include other payer payment arrangement information submitted by non-
Medicare payers to determine whether a payment arrangement meets the 
Other Payer Advanced Alternative Payment Model (APM) criteria. These 
records will include payer identifying information, payment arrangement 
information, supporting documentation, and a certification statement.

RECORD SOURCE CATEGORIES:
    The sources of the records covered by this system of records are 
(1) clinicians, (2) third party data submitters, and (3) individuals 
who submit data for clinicians or third party data submitters.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    A. These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
disclose records from the Quality Payment Program to a party outside 
HHS without the prior, written consent of the individual to whom such 
information pertains.
    1. Records may be disclosed to agency contractors (including, but 
not limited to, Medicare Administrative Contractors (MACs), fiscal 
intermediaries, and carriers) that assist in the health operations of a 
CMS-administered health benefits program, to CMS consultants, or to a 
grantee of a CMS-administered grant program, who have been engaged by 
the agency to assist in accomplishment of a CMS function relating to 
the purposes for this system of records and who need to have access to 
the records in order to assist CMS. Such disclosures include (but are 
not limited to) disclosures deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct,
remedy, or otherwise combat fraud, waste, or abuse in such program.
    2. Records may be disclosed to another Federal or state agency to 
the extent deemed necessary to: (a) Contribute to the accuracy of CMS' 
proper payment of Medicare benefits; (b) enable such agency to 
administer a Federal health benefits program, or as necessary to enable 
such agency to fulfill a requirement of a Federal statute or regulation 
that implements health benefit programs funded in whole or in part with 
Federal funds; and/or (c) assist state Medicaid programs which may 
require Quality Payment Program information.
    3. Clinician-level performance measurement results may be made 
available to the public, through Physician Compare, as defined via 
regulation, either on public profile pages or via the Downloadable 
Database housed on data.medicare.gov for the purpose of promoting more 
informed health care choices for people with Medicare.
    4. Records may be disclosed to MIPS-eligible clinicians and 
eligible entities in order to provide them with expert feedback, and 
records may be disclosed to CMS authorized entities participating in 
health care transparency projects.
    5. Records may be disclosed to organizations that assist consumers 
in comparing the quality and price of health care services, and/or that 
use such information for purposes related to prevention of disease or 
disability, or restoration or maintenance of health.
    6. Records may be disclosed to organizations for research, 
evaluation, and projects involving payment issues.
    7. Records may be disclosed to Beneficiary and Family Centered Care 
(BFCC)-QIOs, Quality Innovation Network-QIOs (QIN-QIOs), the Small, 
Underserved, and Rural Support (SURS) technical assistance contractors, 
and the Practice Transformation Networks (PTNs) under the Transforming 
Clinical Practice Initiative (TCPI) for purposes of: (a) Identifying 
clinicians who are included in the Quality Payment Program, 
specifically the MIPS track, based on the low-volume threshold; (b) 
determining the appropriate form of Technical Assistance based on 
practice size and clinician need; (c) providing eligibility information 
to clinicians interested in forming a virtual group; (d) transitioning 
clinician referrals from the Quality Payment Program Service Center to 
the appropriate Technical Assistance channel; (e) performing proactive 
outreach and engagement activities for the purpose of helping MIPS 
eligible clinicians participate in the program; (f) developing 
educational tools and resources; (g) monitoring annual MIPS eligible 
clinician performance; (h) assessing future need based on a MIPS 
eligible clinician's Final Score; (i) tracking non-MIPS eligible 
clinicians who voluntarily report measures and activities to MIPS; and 
(j) assisting MIPS eligible clinicians transition into an Advanced APM.
    8. Records may be disclosed to the Department of Justice (DOJ), a 
court, or an adjudicatory body when: (a) The Agency or any component 
thereof, (b) any employee of the Agency in his or her official 
capacity, (c) any employee of the Agency in his or her individual 
capacity where the DOJ has agreed to represent the employee, or (d) the 
United States Government, is a party to litigation or has an interest 
in such litigation, and by careful review, CMS determines that the 
records are both relevant and necessary to the litigation.
    9. Records may be disclosed to another Federal agency or to an 
instrumentality of any governmental jurisdiction within or under the 
control of the United States (including any state or local governmental 
agency), that administers, or that has the authority to investigate 
potential fraud, waste, or abuse in, a health benefits program funded 
in whole or in part by Federal funds, when disclosure is deemed 
reasonably necessary by CMS to prevent, deter, discover, detect, 
investigate, examine, prosecute, sue with respect to, defend against, 
correct, remedy, or otherwise combat fraud, waste, or abuse in such 
programs.
    10. Records may be disclosed to appropriate agencies, entities, and 
persons when (a) HHS suspects or has confirmed that there has been a 
breach of the system of records; (b) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the Federal government, or national security; and (c) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS' efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    11. Records may be disclosed to another Federal agency or Federal 
entity, when HHS determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (a) responding to a suspected or confirmed breach or (b) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal government, or national 
security, resulting from a suspected or confirmed breach.
    12. Records may be disclosed to the U.S. Department of Homeland 
Security (DHS) if captured in an intrusion detection system used by HHS 
and DHS pursuant to a DHS cybersecurity program that monitors internet 
traffic to and from Federal government computer networks to prevent a 
variety of types of cybersecurity incidents.
    B. Additional Circumstances Affecting Routine Use Disclosures: To 
the extent this system contains Protected Health Information (PHI) as 
defined by HHS regulation ``Standards for Privacy of Individually 
Identifiable Health Information'' (45 CFR parts 160 and 164, Subparts A 
and E), disclosures of such PHI that are otherwise authorized by these 
routine uses may only be made if, and as, permitted or required by the 
``Standards for Privacy of Individually Identifiable Health 
Information'' (see 45 CFR 164.512(a)(1)).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records will be stored electronically or on magnetic media or 
paper.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The data collected on clinicians will be retrieved by the 
clinician's name, address, NPI, TIN/EIN and other identifying provider 
numbers. Information about third party data submitters who are 
individuals will be retrieved by name, address, and TIN/EIN. Records 
about contact persons will be retrieved by name, email address and 
business address. The data collected on Medicare beneficiaries (and any 
non-Medicare beneficiaries) will be retrieved by the beneficiary's 
name, Medicare beneficiary identifier (MBI), health insurance claim 
number (HICN), SSN, address, and date of birth.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    A records disposition schedule for the Quality Payment Program is 
pending submission to and approval by the National Archives and Records 
Administration (NARA); until NARA approval is obtained, CMS will retain 
the records indefinitely. CMS is proposing a retention period of 
approximately 10 years for these records under the NARA CMS Records 
Schedule: DAA-0440-2015-0009-0003. Any claims-related records that 
become encompassed by a document preservation order may be retained 
longer (i.e., until notification is received from the Department of 
Justice).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards will conform to the HHS Information Security and Privacy 
Program, http://www.hhs.gov/ocio/securityprivacy/index.html. 
Information will be safeguarded in accordance with applicable Federal 
laws and regulations and Federal, HHS, and CMS policies and standards, 
including all pertinent National Institute of Standards and 
Technology (NIST) publications, and OMB Circular A-130. Records will be 
protected from unauthorized access through appropriate administrative, 
physical, and technical safeguards. These safeguards include protecting 
the facilities where records are stored or accessed with security 
guards, badges, and cameras; securing hard-copy records in locked file 
cabinets, file rooms, or offices during off-duty hours; controlling 
access to physical locations where records are maintained and used by 
means of combination locks and identification badges issued only to 
authorized users; limiting access to electronic databases to authorized 
users based on roles and two-factor authentication (user ID and 
password); using a secured operating system protected by encryption, 
firewalls, and intrusion detection systems; requiring encryption for 
records stored on removable media; and training personnel in Privacy 
Act and information security requirements. Records that are eligible 
for destruction will be disposed of using secure destruction methods 
prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:
    An individual seeking access to a record about him or her in this 
system should write to the System Manager indicated above, who will 
require the individual's name and particulars necessary to distinguish 
between records on subject individuals with the same name, such as NPI 
or TIN. The requestor should also reasonably specify the record(s) to 
which access is sought. (These procedures are in accordance with 
Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:
    Any subject individual may request that his record be corrected or 
amended if he believes that the record is not accurate, timely, 
complete, or relevant or necessary to accomplish a Department function. 
A subject individual making a request to amend or correct his record 
shall address his request to the responsible System Manager as stated 
above, in writing. The subject individual shall specify in each 
request: (1) The system of records from which the record is retrieved; 
(2) The particular record which he is seeking to correct or amend; (3) 
Whether he is seeking an addition to or a deletion or substitution of 
the record; and, (4) His reasons for requesting correction or amendment 
of the record. (These procedures are in accordance with Department 
regulation 45 CFR 5b.7).

NOTIFICATION PROCEDURES:
    Individuals wishing to know if this system contains records about 
them should write to the System Manager indicated above and follow the 
same instructions under Record Access Procedures.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

[FR Doc. 2018-02933 Filed 2-13-18; 8:45 am]
 BILLING CODE 4120-03-P





                                               Director, Information Security Privacy Group,
                                                                                                          The records will be about these                    determine whether a payment
                                               and Senior Official for Privacy, Centers for
                                               Medicare & Medicaid Services.                           categories of individuals involved in the             arrangement meets the Other Payer
                                                                                                       Quality Payment Program:                              Advanced Alternative Payment Model
                                               SYSTEM NAME AND NUMBER                                     • Eligible clinicians (such as,                    (APM) criteria. These records will
                                                 ‘‘Quality Payment Program (QPP)’’,                    physicians, physician assistants, nurse               include payer identifying information,
                                               HHS/CMS/CCSQ System No. 09–70–                          practitioners) who submit quality and                 payment arrangement information,
                                               0539.                                                   performance data to CMS under the                     supporting documentation, and a
                                                                                                       Program;                                              certification statement.
                                               SECURITY CLASSIFICATION:                                   • Any third party data submitters of
                                                                                                                                                             RECORD SOURCE CATEGORIES:
                                                  Unclassified.                                        the types described in 42 CFR 414.1400
                                                                                                       who are individuals (e.g., sole                          The sources of the records covered by
                                               SYSTEM LOCATION:
                                                                                                       proprietor health IT or survey vendors)               this system of records are (1) clinicians,
                                                 The address of the agency component                   and submit data to the Program;                       (2) third party data submitters, and (3)
                                               responsible for the system of records is:                  • Individuals who submit data for                  individuals who submit data for
                                               CMS Data Center, 7500 Security                          clinicians and third party data                       clinicians or third party data submitters.
                                               Boulevard, North Building, First Floor,                 submitters (i.e., as their representatives            ROUTINE USES OF RECORDS MAINTAINED IN THE
                                               Baltimore, Maryland 21244–1850.                         or contact persons); and                              SYSTEM, INCLUDING CATEGORIES OF USERS AND
                                                                                                          • Medicare beneficiaries (and any                  PURPOSES OF SUCH USES:
                                               SYSTEM MANAGER(S):
                                                                                                       non-Medicare beneficiaries) receiving                   A. These routine uses specify
                                                 The agency official who is responsible                the health care services referenced in
                                               for the system of records is: Director,                                                                       circumstances, in addition to those
                                                                                                       the data submitted to CMS under the                   provided by statute in the Privacy Act
                                               Quality Measurement and Value-based                     Program.
                                               Incentives Group, CCSQ, CMS, Room                                                                             of 1974, under which CMS may disclose
                                               C1–23–14, 7500 Security Boulevard,                      CATEGORIES OF RECORDS IN THE SYSTEM:                  records from the Quality Payment
                                               Baltimore, Maryland 21244–1870.                            The system will include these                      Program to a party outside HHS without
                                                                                                       categories of records:                                the prior, written consent of the
                                               AUTHORITY FOR MAINTENANCE OF THE SYSTEM:                   • Records about clinicians. These                  individual to whom such information
                                                 Provisions of the Social Security Act                 will include identifying information and              pertains.
                                               codified at 42 U.S.C. §§ 1320c–3, 13951,                contact information (such as the                        1. Records may be disclosed to agency
                                               1395w–4, 1395w–21, and 1395y.                           clinician’s name, address, phone                      contractors (including, but not limited
                                                                                                       number, email address, date of birth,                 to, Medicare Administrative Contractors
                                               PURPOSE(S) OF THE SYSTEM:                               business address, tax identification                  (MACs), fiscal intermediaries, and
                                                  The purposes for which HHS/CMS                       number (TIN/EIN), national provider                   carriers) that assist in the health
                                               will use the records are:                               identifier (NPI), Social Security number              operations of a CMS-administered
                                                  • To be utilized for program                         (SSN), prescriber identification number,              health benefits program, to CMS
                                               management and administration                           and other assigned clinician numbers)                 consultants, or to a grantee of a CMS-
                                               purposes;                                               and information about health care                     administered grant program, who have
                                                  • To determine payment adjustments                   services the clinician provided to                    been engaged by the agency to assist in
                                               for health care services provided by                    Medicare beneficiaries (and any non-                  accomplishment of a CMS function
                                               clinicians to Medicare beneficiaries;                   Medicare beneficiaries) and the                       relating to the purposes for this system
                                                  • To provide expert feedback to                      measures and activities the clinician                 of records and who need to have access
daltland on DSKBBV9HB2PROD with NOTICES




                                               clinicians and third party data                         used in providing the services.                       to the records in order to assist CMS.
                                               submitters, in order to help clinicians                    • Records about any third party data               Such disclosures include (but are not
                                               provide high-value, patient-centered                    submitters who are individuals (for                   limited to) disclosures deemed
                                               care to Medicare beneficiaries;                         example, sole proprietor health IT or                 reasonably necessary by CMS to
                                                  • To make clinician-level                            survey vendors). These records will                   prevent, deter, discover, detect,
                                               performance measure results available                   include the third party’s name, email                 investigate, examine, prosecute, sue
                                               to Medicare patients and caregivers                     address, business address, and TIN/EIN.               with respect to, defend against, correct,


                                          VerDate Sep<11>2014   22:07 Feb 13, 2018   Jkt 244001   PO 00000   Frm 00083   Fmt 4703   Sfmt 4703   E:\FR\FM\14FEN1.SGM   14FEN1


                                               6590                      Federal Register / Vol. 83, No. 31 / Wednesday, February 14, 2018 / Notices

                                               remedy, or otherwise combat fraud,                      tools and resources; (g) monitoring                   Federal government, or national
                                               waste, or abuse in such program.                        annual MIPS eligible clinician                        security, resulting from a suspected or
                                                  2. Records may be disclosed to                       performance; (h) assessing future need                confirmed breach.
                                               another Federal or state agency to the                  based on a MIPS eligible clinician’s                    12. Records may be disclosed to the
                                               extent deemed necessary to: (a)                         Final Score; (i) tracking non-MIPS                    U.S. Department of Homeland Security
                                               Contribute to the accuracy of CMS’                      eligible clinicians who voluntarily                   (OHS) if captured in an intrusion
                                               proper payment of Medicare benefits;                    report measures and activities to MIPS;               detection system used by HHS and OHS
                                               (b) enable such agency to administer a                  and (j) assisting MIPS eligible clinicians            pursuant to a OHS cybersecurity
                                               Federal health benefits program, or as                  transition into an Advanced APM.                      program that monitors internet traffic to
                                               necessary to enable such agency to                         8. Records may be disclosed to the                 and from Federal government computer
                                               fulfill a requirement of a Federal statute              Department of Justice (DOJ), a court, or              networks to prevent a variety of types of
                                               or regulation that implements health                    an adjudicatory body when: (a) The                    cybersecurity incidents.
                                               benefit programs funded in whole or in                  Agency or any component thereof, (b)                    B. Additional Circumstances
                                               part with Federal funds; and/or (c) assist              any employee of the Agency in his or                  Affecting Routine Use Disclosures: To
                                               state Medicaid programs which may                       her official capacity, (c) any employee of            the extent this system contains
                                               require Quality Payment Program                         the Agency in his or her individual                   Protected Health Information (PHI) as
                                               information.                                            capacity where the DOJ has agreed to                  defined by HHS regulation ‘‘Standards
                                                  3. Clinician-level performance                       represent the employee, or (d) the                    for Privacy oflndividually Identifiable
                                               measurement results may be made                         United States Government, is a party to               Health Information’’ (45 CFR parts 160
                                               available to the public, through                        litigation or has an interest in such                 and 164, Subparts A and E), disclosures
                                               Physician Compare, as defined via                       litigation, and by careful review, CMS                of such PHI that are otherwise
                                               regulation, either on public profile                    determines that the records are both                  authorized by these routine uses may
                                               pages or via the Downloadable Database                  relevant and necessary to the litigation.             only be made if, and as, permitted or
                                               housed on data.medicare.gov for the                        9. Records may be disclosed to                     required by the ‘‘Standards for Privacy
                                               purpose of promoting more informed                      another Federal agency or to an                       of Individually Identifiable Health
                                               health care choices for people with                     instrumentality of any governmental                   Information’’ (see 45 CFR 164.512(a)(l)).
                                               Medicare.                                               jurisdiction within or under the control
                                                                                                                                                             POLICIES AND PRACTICES FOR STORAGE OF
                                                  4. Records may be disclosed to MIPS-                 of the United States (including any state
                                                                                                                                                             RECORDS:
                                               eligible clinicians and eligible entities               or local governmental agency), that
                                               in order to provide them with expert                    administers, or that has the authority to               The records will be stored
                                               feedback, and records may be disclosed                  investigate potential fraud, waste, or                electronically or on magnetic media or
                                               to CMS authorized entities participating                abuse in, a health benefits program                   paper.
                                               in health care transparency projects.                   funded in whole or in part by Federal                 POLICIES AND PRACTICES FOR RETRIEVAL OF
                                                  5. Records may be disclosed to                       funds, when disclosure is deemed                      RECORDS:
                                               organizations that assist consumers in                  reasonably necessary by CMS to                          The data collected on clinicians will
                                               comparing the quality and price of                      prevent, deter, discover, detect,                     be retrieved by the clinician’s name,
                                               health care services, and/or that use                   investigate, examine, prosecute, sue                  address, NPI, TIN/EIN and other
                                               such information for purposes related to                with respect to, defend against, correct,             identifying provider numbers.
                                               prevention of disease or disability, or                 remedy, or otherwise combat fraud,                    Information about third party data
                                               restoration or maintenance of health.                   waste, or abuse in such programs.                     submitters who are individuals will be
                                                  6. Records may be disclosed to                          10. Records may be disclosed to                    retrieved by name, address, and TIN/
                                               organizations for research, evaluation,                 appropriate agencies, entities, and                   EIN. Records about contact persons will
                                               and projects involving payment issues.                  persons when (a) HHS suspects or has                  be retrieved by name, email address and
                                                  7. Records may be disclosed to                       confirmed that there has been a breach                business address. The data collected on
                                               Beneficiary and Family Centered Care                    of the system of records; (b) HHS has                 Medicare beneficiaries (and any non-
                                               (BFCC)-QIOs, Quality Innovation                         determined that as a result of the                    Medicare beneficiaries) will be retrieved
                                               Network-QIOs (QIN–QIOs), the Small,                     suspected or confirmed breach there is                by the beneficiary’s name, Medicare
                                               Underserved, and Rural Support (SURS)                   a risk of harm to individuals, HHS                    beneficiary identifier (MBI), health
                                               technical assistance contractors, and the               (including its information systems,                   insurance claim number (HICN), SSN,
                                               Practice Transformation Networks                        programs, and operations), the Federal                address, and date of birth.
                                               (PTNs) under the Transforming Clinical                  government, or national security; and (c)
                                               Practice Initiative (TCPI) for purposes                 the disclosure made to such agencies,                 POLICIES AND PRACTICES FOR RETENTION AND
                                               of: (a) Identifying clinicians who are                  entities, and persons is reasonably                   DISPOSAL OF RECORDS:
                                               included in the Quality Payment                         necessary to assist in connection with                   A records disposition schedule for the
                                               Program, specifically the MIPS track,                   HHS’ efforts to respond to the suspected              Quality Payment Program is pending
                                               based on the low-volume threshold; (b)                  or confirmed breach or to prevent,                    submission to and approval by the
                                               determining the appropriate form of                     minimize, or remedy such harm.                        National Archives and Records
                                               Technical Assistance based on practice                     11. Records may be disclosed to                    Administration (NARA); until NARA
                                               size and clinician need; (c) providing                  another Federal agency or Federal                     approval is obtained, CMS will retain
                                               eligibility information to clinicians                   entity, when HHS determines that                      the records indefinitely. CMS is
                                               interested in forming a virtual group; (d)              information from this system of records               proposing a retention period of
                                               transitioning clinician referrals from the              is reasonably necessary to as.sist the                approximately 10 years for these records
daltland on DSKBBV9HB2PROD with NOTICES




                                               Quality Payment Program Service                         recipient agency or entity in (a)                     under the NARA CMS Records
                                               Center to the appropriate Technical                     responding to a suspected or confirmed                Schedule: DAA–0440–2015–0009–0003.
                                               Assistance channel; (e) performing                      breach or (b) preventing, minimizing, or              Any claims-related records that become
                                               proactive outreach and engagement                       remedying the risk of harm to                         encompassed by a document
                                               activities for the purpose of helping                   individuals, the recipient agency or                  preservation order may be retained
                                               MIPS eligible clinicians participate in                 entity (including its information                     longer (i.e., until notification is received
                                               the program; (f) developing educational                 systems, programs, and operations), the               from the Department of Justice).



                                               ADMINISTRATIVE, TECHNICAL, AND PHYSICAL                 request: (1) The system of records from               hhs.gov, or FOIA/PA Division, Suite
                                               SAFEGUARDS:                                             which the record is retrieved; (2) The                729H, 200 Independence Avenue SW,
                                                 Safeguards will conform to the HHS                    particular record which he is seeking to              Washington, DC 20201.
                                               Information Security and Privacy                        correct or amend; (3) Whether he is                   SUPPLEMENTARY INFORMATION: The
                                               Program, http://www.hhs.gov/ocio/                       seeking an addition to or a deletion or               Privacy Act (5 U.S.C. 552a), at
                                               securityprivacy/index.html. Information                 substitution of the record; and, (4) His              subsection (b)(3), requires each agency
                                               will be safeguarded in accordance with                  reasons for requesting correction or                  to publish, for public notice and
                                               applicable Federal laws and regulations                 amendment of the record. (These                       comment, routine uses describing any
                                               and Federal, HHS, and CMS policies                      procedures are in accordance with                     disclosures of information about an
                                               and standards, including, all pertinent                 Department regulation 45 CFR 5b.7).                   individual that the agency intends to
                                               National Institutes of Standards and                                                                          make from a Privacy Act system of
                                                                                                       NOTIFICATION PROCEDURES:
                                               Technology (NIST) publications, and                                                                           records without the individual’s prior
                                               OMB Circular A–130. Records will be                       Individuals wishing to know if this                 written consent, other than those which
                                               protected from unauthorized access                      system contains records about them                    are authorized directly in the Privacy
                                               through appropriate administrative,                     should write to the System Manager                    Act at subsections (b)(1)–(2) and (b)(4)–
                                               physical, and technical safeguards.                     indicated above and follow the same                   (12). The Privacy Act defines ‘‘routine
                                               These safeguards include protecting the                 instructions under Record Access                      use’’ at subsection (a)(7) to mean a
                                               facilities where records are stored or                  Procedures.                                           disclosure for a purpose compatible
                                               accessed with security guards, badges,                  EXEMPTIONS PROMULGATED FOR THE SYSTEM:                with the purpose for which the record
                                               and cameras; securing hard-copy                                                                               was collected.
records in locked file cabinets, file rooms, or offices during off-duty
hours; controlling access to physical locations where records are
maintained and used by means of combination locks and identification
badges issued only to authorized users; limiting access to electronic
databases to authorized users based on roles and two-factor
authentication (user ID and password); using a secured operating system
protected by encryption, firewalls, and intrusion detection systems;
requiring encryption for records stored on removable media; and training
personnel in Privacy Act and information security requirements. Records
that are eligible for destruction will be disposed of using secure
destruction methods prescribed by NIST SP 800–88.

RECORD ACCESS PROCEDURES:

    An individual seeking access to a record about him or her in this
system should write to the System Manager indicated above, who will
require the individual’s name and particulars necessary to distinguish
between records on subject individuals with the same name, such as NPI
or TIN. The requestor should also reasonably specify the record(s) to
which access is sought. (These procedures are in accordance with
Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:

    Any subject individual may request that his record be corrected or
amended if he believes that the record is not accurate, timely,
complete, or relevant or necessary to accomplish a Department function.
A subject individual making a request to amend or correct his record
shall address his request to the responsible System Manager as stated
above, in writing. The subject individual shall specify in each

    None.

HISTORY:

    None.

[FR Doc. 2018–02933 Filed 2–13–18; 8:45 am]
BILLING CODE 4120–03–P

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Privacy Act of 1974; System of Records

AGENCY: Office of the Assistant Secretary for Administration (ASA),
Department of Health and Human Services (HHS).

ACTION: Notice of modified systems of records.

SUMMARY: The Department of Health and Human Services (HHS) proposes to
modify all of its systems of records to add two security-related routine
uses which are needed to improve federal agencies’ ability to detect and
address actual and suspected breaches of personally identifiable
information (PII) in Privacy Act systems of records. The routine uses
are explained in the Supplementary Information section of this notice.

DATES: This notice will become effective 30 days after publication,
unless the Department makes changes based on comments received. Written
comments should be submitted on or before the effective date.

ADDRESSES: The public should address written comments to Beth Kramer,
HHS Privacy Act Officer, by mail or email, at HHS.ACFO@hhs.gov, or
FOIA/PA Division, Suite 729H, 200 Independence Avenue SW, Washington, DC
20201.

FOR FURTHER INFORMATION CONTACT: General questions may be submitted to
Beth Kramer, HHS Privacy Act Officer, by mail or email, at HHS.ACFO@

    In accordance with Office of Management and Budget (OMB) Memorandum
M–17–12, issued January 3, 2017, titled ‘‘Preparing for and Responding
to a Breach of Personally Identifiable Information,’’ HHS is adding the
following two routine uses to all of its system of records notices
(SORNs) to authorize HHS to disclose information from each system of
records when necessary to obtain assistance with a suspected or
confirmed breach of PII or to assist another agency in its response to a
breach. The first routine use is a revised version of a routine use
prescribed in 2007, in former OMB Memorandum M–07–16. The second routine
use is new:

    ‘‘To appropriate agencies, entities, and persons when (1) HHS
suspects or has confirmed that there has been a breach of the system of
records; (2) HHS has determined that as a result of the suspected or
confirmed breach there is a risk of harm to individuals, HHS (including
its information systems, programs, and operations), the federal
government, or national security; and (3) the disclosure made to such
agencies, entities, and persons is reasonably necessary to assist in
connection with HHS’s efforts to respond to the suspected or confirmed
breach or to prevent, minimize, or remedy such harm.’’

    ‘‘To another federal agency or federal entity, when HHS determines
that information from this system of records is reasonably necessary to
assist the recipient agency or entity in (1) responding to a suspected
or confirmed breach or (2) preventing, minimizing, or remedying the risk
of harm to individuals, the recipient agency or entity (including its
information systems, programs, and operations), the federal government,
or national security, resulting from a suspected or confirmed breach.’’

    Both routine uses are compatible with the purposes for which PII is
collected in the affected systems of records, because individuals whose
PII is included in any federal record system





Document Created: 2018-02-14 03:59:21
Document Modified: 2018-02-14 03:59:21
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:
GS 4.107:
AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice of a New System of Records.
Dates: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is effective upon publication, subject to a 30-day period in which to comment on the routine uses, described below. Please submit any comments by March 16, 2018.
Contact: General questions about the new system of records should be submitted by mail or email to: Michelle Peterman, Health Insurance Specialist, Division of Electronic Clinician and Quality, Quality Measurement and Value-Based Incentives Group, Center for Clinical Standards and Quality, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1870, Mailstop: S3-02-01, or [email protected]
FR Citation: 83 FR 6587
