On December 7, 2011, the Centers for Medicare & Medicaid Services (“CMS”) published in the Federal Register a final rule (the “Final Rule”)1 regarding its initiative to make provider performance reports available to the public. As our readers may recall, the Patient Protection and Affordable Care Act (“PPACA”)2 allows organizations that meet certain qualifications (“Qualified Entities”)3 to access patient-protected Medicare data in order to produce public performance reports on physicians, hospitals and other healthcare providers. An earlier issue of Health Reform IMPACT addressed the provisions of the proposed rule that would implement this PPACA mandate (the “Proposed Rule”),4 and this issue will highlight the provisions of the Final Rule and how it compares to the Proposed Rule. The modifications in the Final Rule are intended, among other things, to respond to concerns expressed in comments about (1) the collection cost and timeliness of the data provided by CMS, (2) flexibility and innovation in measure calculation, and (3) timeframes for providers’ and suppliers’ review and appeal of draft reports.

General Eligibility and Operating Requirements of Qualified Entities

In order to participate to serve as a potential Qualified Entity, an organization must first submit an application to CMS.5 In determining whether to approve a Qualified Entity’s application, CMS will evaluate an organization’s eligibility qualifications across three areas: 1) organizational and governance capabilities; 2) addition of claims data6 from other sources; and 3) data privacy and security. With respect to organizational and governance capabilities, an applicant would generally need to be able to demonstrate expertise and sustained experience of certain specified criteria relating to handling claims data and calculating performance measures for a period of at least three years. Further, prefers that an applicant be able to combine Medicare claims data with claims data from at least two other sources (such as two private payers, or one private payer and Medicaid claims data) in order to create a more complete and accurate picture about provider and supplier performance. Applicants would not be eligible to serve as Qualified Entities unless CMS determines that applicants have rigorous and thoroughly documented data privacy and security practices in place, including enforcement mechanisms. All of the aspects of the Final Rule summarized in this paragraph are substantially the same as the Proposed Rule.

Types of Performance Measures to be Used by Qualified Entities

In the Proposed Rule, CMS anticipated allowing Qualified Entities only to use measures calculated wholly from claims data. Comments from potential Qualified Entities, providers and consumer groups stated that measures that incorporate clinical data offer a more complete and accurate picture of the performance of providers and suppliers. In response to these comments, the Final Rule allows Qualified Entities to use measures calculated in full or in part from claims data.7 Thus, Qualified Entities can calculate measures that include clinical data.

The Final Rule also broadens the range of standard measures to include measures endorsed by any CMS-approved “consensus-based entity.”8 CMS will approve organizations as consensus-based entities based on review of documentation of the consensus-based entity’s process for developing and approving measures.9

In addition, the Final Rule establishes a second process by which Qualified Entities may seek approval to use alternative measures (the Proposed Rule approved only those alternative measures adopted by the Secretary in a notice and comment rulemaking process).10 This second process allows a Qualified Entity to receive approval to use an alternative measure by submitting documentation to CMS outlining consultation and agreement with stakeholders in the geographic region that the Qualified Entity serves and scientific evidence that the measure is “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by such standard measures.”11

Medicare Data Extraction Dissemination

In the Proposed Rule, CMS suggested that Qualified Entities pay for the cost incurred by CMS in providing the data, which was estimated by CMS to be approximately $200,000 for three years of data for 2.5 million beneficiaries.12 In response to public comments about this collection cost and timeliness of the Medicare claims data, CMS has identified efficiencies that will reduce the cost of Medicare claims data under the Qualified Entity program. Although the Final Rule still requires Qualified Entities to pay for the cost incurred by CMS in providing the data, CMS now estimates that the average cost for a Qualified Entity for the first year of the program is $40,000, down from the $200,000 estimate in the proposed rule.13 In addition, CMS has modified the Proposed Rule to give Qualified Entities access to more timely Medicare claims data by providing the most recent available historical data and providing quarterly updates on a rolling basis.14 In response to public comments, CMS will also allow Qualified Entities to purchase a 5 percent national sample of Medicare claims data for the purpose of calculating national benchmarks.15 Further, CMS has agreed to accommodate Qualified Entities seeking to conduct a nationwide performance program if such Qualified Entity can justify a nationwide release of Medicare data and demonstrate that it has a sufficient amount of data nationwide. 16

Data Security and Privacy

In the Proposed Rule, CMS proposed to require Qualified Entities to apply privacy and security protections similar to those required of external organizations that receive claims data for research purposes. Accordingly, CMS proposed that Qualified Entities and their contactors enter into a Data User Agreement (“DUA”) (similar to CMS’ current standard DUA for research disclosures) before receiving any Medicare claims data.17 Qualified Entities also would be required to be in compliance with the listed Office of Management and Budget (“OMB”)18 and Federal Information Processing Standards regarding all CMS data received through the Qualified Entity program.19 After receiving comments, CMS adopted the Proposed Rule’s requirements regarding data security and privacy without modification, but reiterated that any existing DUAs that a Qualified Entity may have in place will only affect the data received under those DUAs, and not the DUA governing the data from the Qualified Entity program.20

In the Proposed Rule, CMS also considered three potential options for sharing beneficiary identifiers with Qualified Entities, and, by extension, providers and suppliers. After receiving comments, CMS has decided in the Final Rule to automatically provide all Qualified Entities with a crosswalk file, with appropriate privacy and security protections, linking the encrypted beneficiary ID to both the beneficiary name and the beneficiary’s Medicare Health Insurance Claim Number.21 This crosswalk file would provide the Qualified Entity with identifiable data, but Qualified Entities would only be permitted to give to a provider or supplier the names of the beneficiaries included in that provider or supplier’s performance report.22

Confidential Opportunities for Providers to Review and Appeal

In the Proposed Rule, Qualified Entities were required to make confidential draft reports available to the identified providers of services and suppliers at least 30 days before publicly releasing them.23 The providers of services and suppliers would then be given an opportunity to review these reports, as well as information on how to interpret the results, and, if appropriate, to appeal the methodology that was utilized or other aspects of the report and to request correction of any errors. In response to public comments that the 30-day review period was too short, CMS has finalized a review period of at least 60 calendar days to allow providers and suppliers additional time to review their confidential reports.24

If you have any questions about this issue of Health Reform IMPACT, please contact any of the attorneys in our Healthcare Practice Group.


1  76 Fed. Reg. 76542 et seq. (December 7, 2011).
2  Public Law 111-148, enacted on March 23, 2010.
3  CMS has defined a qualified entity as “a public or private entity that: (1) is qualified to use claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resources use, and (2) agrees to meet certain regulatory requirements at 42 CFR 401.703 through 401.710. 76 Fed. Reg. at 76567
4  76 Fed. Reg. 33566 et seq. (June 8, 2011).
5  CMS has developed an online application process for potential qualified entities. Applications have been available since January 1, 2012 and are collected and processed once a year. They are available for potential qualified entities who have registered online. Find the application here.
6  Claim means an itemized billing statement from a provider or supplier that, except in the context of Part D prescription drug event data, requests payment for a list of services and supplies that were furnished to a Medicare beneficiary in the Medicare fee-for-service context, or to a participant in other insurance or entitlement program contexts. In the Medicare program, claims files are available for each institutional (inpatient, outpatient, skilled nursing facility, hospice, or home health agency) and non-institutional (physician and durable medical equipment providers and suppliers) claim type as well as Medicare Part D Prescription Drug Event (PDE) data. 76 Fed. Reg. at 76567.
76 Fed. Reg. 76547.
8  By contrast, under the Proposed Rule, standard measures would have included only measures endorsed by the National Quality Forum; measures developed pursuant to section 931 of the Public Health Service Act; or claims-based measures that were adopted through rulemaking for use in a current CMS program that includes performance measurement.
9  76 Fed. Reg. 76548.
10  76 Fed. Reg. 76547.
11  Id.
12  Included in the cost estimate by CMS was the cost of: (1) The cost of running the Qualified Entity program, including costs for processing applications, monitoring Qualified Entities, and providing technical assistance, and (2) the cost of creating a data set specific to each Qualified Entity’s requested geographic area and securely transmitting the data set to the Qualified Entity. 76 Fed. Reg. 76552.
13  The estimate is based on the assumption that there will be 25 qualified entities and that the average qualified entity will request data for approximately 2.5 million beneficiaries. 76 Fed. Reg. 76553.
14  76 Fed. Reg. 76552.
15  Id.
16  Id.
17  76 Fed Reg. 33575. The DUA contains significant penalties for inappropriate disclosures, which include both civil monetary penalties and criminal penalties. The DUA is available here.
18  OMB Circular No. A-130, Appendix III–Security of Federal Automated Information Systems. Available here. Id.
19  Id. at 33576.
20  76 Fed Reg. 76554.
21  Id. at 76555
22  CMS states: “It is clear from the comments that beneficiary identifiable data, with appropriate privacy and security protections, is required if clinical data is to be used or if a qualified entity needs to link an individual’s claims records across plans as they move over time from plan to plan.” Id.
23  Id. at 33577, 33578.
24  If an error correction is still outstanding at the specific date in which the Qualified Entity has stated it will publish the report (which must be at least 60 business days after the date in which the provider first received a draft copy of the report) then CMS proposes to require that a Qualified Entity publicly post the name of the appealing provider and a description of the appeal request. 76 Fed. Reg. 76570-71.