On June 8, 2011, the Centers for Medicare & Medicaid Services (“CMS”) issued a proposed rule (the “Proposed Rule”)1 that would allow organizations meeting certain qualifications (“qualified entities”)2 to access patient-protected Medicare data in order to produce public performance reports on physicians, hospitals, and other healthcare providers. These performance reports would combine private sector claims data with standardized extracts of claims data from CMS under Medicare Part A, B and D for one or more specified geographic areas and time periods. The data extracts would include information from all seven claim types3 that are submitted for payment in the Medicare Fee-For-Service Program.

Statutory Basis and Policy Underpinnings of the Proposed Rule

The Proposed Rule intends to implement the new statutory requirements of section 10332 of the Patient Protection and Affordable Care Act, Public Law 111-148, enacted on March 23, 2010.4 This initiative is part of a broader effort by the Obama Administration to improve care and lower costs. CMS believes that the “sharing of Medicare data with qualified entities through this program and the resulting reports produced by qualified entities would be an important driver of improving quality and reducing costs in Medicare, as well as for the healthcare system in general.” Additionally, CMS believes the program “would increase the transparency of provider and supplier performance, while ensuring beneficiary privacy.” According to CMS Administrator Donald M. Berwick, “making more Medicare data available can make it easier for employers and consumers to make smart decisions about their health care” and “result in higher quality and more cost effective care.”5

General Eligibility and Operating Requirements of Qualified Entities

In order to serve as a potential qualified entity, an organization must first submit an application to CMS. In determining whether to approve a qualified entity’s application, CMS has proposed to evaluate an organization’s eligibility qualifications across three areas: 1) organizational and governance capabilities; 2) addition of claims data6 from other sources; and 3) data privacy and security. With respect to organizational and governance capabilities, an applicant would generally need to be able to demonstrate expertise and sustained experience relating to handling claims data and calculating performance measures for a period of at least three years.

Further, CMS proposes that an applicant be able to combine Medicare claims data with claims data from at least two other sources (such as two private payers, or one private payer and Medicaid) in order to create a more complete and accurate picture about provider and supplier performance. In the past, according to CMS, provider performance reports have generally been based solely on a single health plan’s claims, which often represent only a small proportion of a provider’s overall practice. Further, CMS believes that provider performance reports from different insurers can often be contradictory, making it difficult for providers to appeal or correct any potential inaccuracies in their reports.

CMS indicates that it will develop an application process for potential qualified entities. Applications would be available on the CMS website beginning January 1, 2012 and would only be collected and processed once a year. Applicants would not be eligible to serve as qualified entities unless CMS determines that they have rigorous and thoroughly documented data privacy and security practices in place, including mechanisms to enforce those practices.

Types of Performance Measures to be Used by Qualified Entities

When selecting performance measures to assess providers and suppliers, qualified entities may only use “standard measures.” A standard measure is a measure that can be calculated using only claims data and that: 1) is endorsed by an entity with a contract under 1890(a) of the Social Security Act7; 2) is developed pursuant to section 931 of the Public Health Act as added by Section 3013 of the Affordable Care Act;8 or 3) was adopted through notice and comment rule making and is currently being used in a CMS program.9

Medicare Data Extraction Dissemination

CMS has proposed that the standardized Medicare extracts provided to qualified entities would contain only final action claims, meaning non-rejected claims for which a payment has been made and all disputes and adjustments would have been resolved. Both Medicare institutional and non-institutional claims would include, but not be limited to, the following data elements: beneficiary ID, claim ID, the start and end dates of service, the provider or supplier ID, the principal procedure and diagnosis codes, the attending physician, other physicians and the claim payment type.10

As to the scope of data provided, CMS is proposing to give qualified entities access to the most recent three years of Medicare data available at the time the qualified entity is approved for participation in the program.11 CMS is also proposing that qualified entities receive standardized data extracts for the geographic spread of the qualified entities’ claims data from other sources.12

Finally, CMS is proposing that qualified entities pay for the cost incurred by CMS in providing the data. The estimated cost is approximately $200,000 for three years of data for 2.5 million beneficiaries.13

Data Security and Privacy

Under the proposed rule, qualified entities must apply privacy and security protections similar to those required of external organizations that have access to claims data for research purposes. To that end, CMS indicates that qualified entities will enter into a Data User Agreement (“DUA”), similar to CMS’s current standard DUA for research disclosures, before receiving any Medicare claims data.14 Qualified entities will also be required to be in compliance with the listed Office of Management and Budget (“OMB”)15 and National Information Processing Standards (“NISP”) requirements with respect to all CMS data received through the qualified entity program. In addition, CMS will send only Medicare claims data sets that contain a unique encrypted beneficiary identification number for each beneficiary (which would not include the beneficiary’s name or other identifying information).16 Finally, CMS proposes prohibiting the use of unsecured telecommunications to transmit beneficiary identifiable data or deducible information derived from any CMS data file(s) and to require any qualified entity to bind their contractors and subcontractors working on their behalf to the same data security and privacy requirements.17

Draft Reports To Providers and Opportunities for Providers to Review, Appeal

Qualified entities are required to make confidential draft reports available to the identified providers of services and suppliers at least 30 days before publicly releasing them. The providers of services and suppliers must then be given an opportunity to review these reports, and, if appropriate, to appeal and request correction of any errors.18 CMS proposes to require that the qualified entities include in their application materials a plan for establishing and maintaining these appeal and correction processes. The plan must include: 1) a clear description of how the qualified entity would notify providers and suppliers of the performance measurement process; and 2) explain in detail the specific steps taken to generate their performance reports, the measurement methodology that was utilized, and information on how to interpret the results. The qualified entity must also establish procedures, including timeframes, on how a provider can request data from the qualified entity (and how the qualified entity intends to obtain and transmit such identifiable health information to the provider in a secure fashion) and request error corrections in the reports before the reports are made public. After reports have been shared confidentially with providers of services and suppliers, and any errors have been corrected, the performance reports must be made available to the public.


CMS indicates that it will continually monitor qualified entities, and entities that do not follow the applicable guidelines will be subject to sanctions, including termination from the program.19 Comments in response to the Proposed Rule are due August 8, 2011. CMS has specifically asked for general input regarding whether to use less stringent eligibility and application requirements for qualified entities and has also asked for input regarding the total burden associated with compliance. In addition, CMS has asked for comments on qualified entities’ interactions with providers and suppliers with respect to the draft report review and appeal and error processes. Finally, CMS has called for input regarding the definition of “standardized measures,” as well as the current DUA proposal relating to data security and privacy and any other modifications that might be necessary for the purposes of providing data to qualified entities.

If you have any questions, or would like to discuss the implications of the Proposed Rule, please do not hesitate to contact any of the attorneys in our Healthcare Practice Group.

1 76 Fed. Reg. 33566 et seq. (June 8, 2011).
2 CMS has defined a qualified entity as “a public or private entity that: (1) is qualified to use claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resources use, and (2) agrees to meet certain regulatory requirements at 42 CFR 401.703 through 401.710.” 76 Fed. Reg. 33566, 33567 (June 8, 2011)
3 The seven types of claims encompass: (a) information extracted from institutional claims, i.e., inpatient hospital, outpatient hospital, skilled nursing facility, home health and hospice services; and (b) information extracted from non-institutional claims, i.e., physician/supplier and durable medical equipment claims. Id. at 33572.
4  Section 10332 amends section 1874 of the Social Security Act by adding a new subsection (e) requiring standardized extracts of Medicare claims data under parts A, B and D to be made available to Qualified Entities for the evaluation of the performance of providers of services and suppliers.
5 Major New Effort to Give Consumers and Employers Better information About Quality of Care. CMS Press Release Update. (June 3, 2011). Available here.
6 “Claims data” is defined by CMS as “administrative claims data only, meaning itemized billing statements from providers of services and suppliers that, except in the context of Part D drug event data, request reimbursement for a list of services and supplies that were provided to a Medicare beneficiary in the fee-for-service context or to a participant in another insurance or entitlement program.” Data from other sources, such as registry data, chart abstracted data or data from electronic medical records would not be considered claims data. Id. at 33568.
7 Current, the only entity with a contract under section 1890(a) of the Act is the National Quality Forum (NQF). A list of currently NQF-endorsed performance measures can be obtained from the NQF website. Id. at 33569.
8 To date, no measures have been developed under this provision. Id.
9 As examples, CMS lists several measures in the hospital Inpatient Quality Reporting program beginning in FY 2012 (foreign object retained after surgery, air embolism, catheter-associated urinary tract infection, blood incompatibility, pressure ulcer stages III and IV, falls and trauma, manifestations of poor glycemic control, and vascular catheter associated infection) which may fit this criteria for potential standard measures. Id.
10 Qualified entities would also be eligible to receive certain Part D claims information for certain patients enrolled in the Medicare Fee-For-Service Program. Id. at 33572.
11  As an example, a qualified entity approved for participation in 2012 would receive data for calendar years 2008, 2009 and 2010, since those years would be the most recent final action claims data available. Id. at 33573.
12  As an example, CMS would provide Medicare claims data for the state of Maryland to a qualified entity that has a sufficient number of claims for the state of Maryland. Id. at 33574.
13  Included in the cost estimate by CMS is the cost of: making the data available broadly, providing the technical assistance, processing qualified entities’ applications and monitoring qualified entities to ensure appropriate use of the data and appropriate adherence to data privacy and security standards. Id.
14 Id. at 33575. The DUA contains significant penalties for inappropriate disclosures, which include both civil monetary penalties and criminal penalties. The DUA is available here.
15 OMB Circular No. A-130, Appendix III–Security of Federal Automated Information Systems. Id. at 33576.
16 CMS has proposed to only share beneficiary names with qualified entities, and by extension providers of services and suppliers, on a transactional, case-by-case basis for the purposes of responding to specific data requests from providers of services or suppliers. Id. at 33575.
17  Id. at 33756.
18  Qualified entities must give providers and suppliers at least 10 business days to make a request for data, and an additional 10 business days for a provider to request an error correction. If an error correction is still outstanding at the specific date in which the qualified entity has stated it will publish the report (which must be at least 30 business after the date in which the provider first received a draft copy of the report) then CMS proposes to require that a qualified entity publicly post the name of the appealing provider and the description appeal request. Id. at 33578.
19  CMS also proposes requiring qualified entities to submit an annual report to CMS covering: (1) General program adherence and (2) engagement of providers of services and suppliers. Id at. 33580.