The regulations in this subpart implement section 1874(e) of the Social Security Act as it applies to Medicare data made available to qualified entities for the evaluation of the performance of providers and suppliers.

For purposes of this subpart:

(a) Qualified entity means either a single public or private entity, or a lead entity and its contractors, that meets the following requirements:

(1) Is qualified, as determined by the Secretary, to use claims data to evaluate the performance of providers and suppliers on measures of quality, efficiency, effectiveness, and resource use.

(2) Agrees to meet the requirements described in this subpart at §§ 401.705 through 401.721.

(b) Provider of services (referred to as a provider) has the same meaning as the term “provider” in § 400.202 of this chapter.

(c) Supplier has the same meaning as the term “supplier” at § 400.202 of this chapter.

(d) Claim means an itemized billing statement from a provider or supplier that, except in the context of Part D prescription drug event data, requests payment for a list of services and supplies that were furnished to a Medicare beneficiary in the Medicare fee-for-service context, or to a participant in other insurance or entitlement program contexts. In the Medicare program, claims files are available for each institutional (inpatient, outpatient, skilled nursing facility, hospice, or home health agency) and non-institutional (physician and durable medical equipment providers and suppliers) claim type as well as Medicare Part D Prescription Drug Event (PDE) data.

(e) Standardized data extract is a subset of Medicare claims data that the Secretary would make available to qualified entities under this subpart.

(f) Beneficiary identifiable data is any data that contains the beneficiary's name, Medicare Health Insurance Claim Number (HICN), or any other direct identifying factors, including, but not limited to postal address or telephone number.

(g) Encrypted data is any data that does not contain the beneficiary's name or any other direct identifying factors, but does include a unique CMS-assigned beneficiary identifier that allows for the linking of claims without divulging any direct identifier of the beneficiary.

(h) Claims data from other sources means provider- or supplier-identifiable claims data that an applicant or qualified entity has full data usage right to due to its own operations or disclosures from providers, suppliers, private payers, multi-payer databases, or other sources.

(i) Clinical data is registry data, chart-abstracted data, laboratory results, electronic health record information, or other information relating to the care or services furnished to patients that is not included in administrative claims data, but is available in electronic form.

(j) Authorized user is a third party and its contractors (including, where applicable, business associates as that term is defined at 45 CFR 160.103) that need analyses or data covered by this section to carry out work on behalf of that third party (meaning not the qualified entity or the qualified entity's contractors) to whom/which the qualified entity provides or sells data as permitted under this subpart. Authorized user third parties are limited to the following entities:

(1) A provider.

(2) A supplier.

(3) A medical society.

(4) A hospital association.

(5) An employer.

(6) A health insurance issuer.

(7) A healthcare provider and/or supplier association.

(8) A state entity.

(9) A federal agency.

(k) Employer has the same meaning as the term “employer” as defined in section 3(5) of the Employee Retirement Insurance Security Act of 1974.

(l) Health insurance issuer has the same meaning as the term “health insurance issuer” as defined in section 2791 of the Public Health Service Act.

(m) Medical society means a nonprofit organization or association that provides unified representation and advocacy for physicians at the national or state level and whose membership is comprised of a majority of physicians.

(n) Hospital association means a nonprofit organization or association that provides unified representation and advocacy for hospitals or health systems at a national, state, or local level and whose membership is comprised of a majority of hospitals and health systems.

(o) Healthcare Provider and/or Supplier Association means a nonprofit organization or association that provides unified representation and advocacy for providers and suppliers at the national or state level and whose membership is comprised of a majority of suppliers or providers.

(p) State Entity means any office, department, division, bureau, board, commission, agency, institution, or committee within the executive branch of a state government.

(q) Combined data means, at a minimum, a set of CMS claims data provided under this subpart combined with claims data, or a subset of claims data from at least one of the other claims data sources described in § 401.707(d).

(r) Patient means an individual who has visited the provider or supplier for a face-to-face or telehealth appointment at least once in the past 24 months.

(s) Marketing means the same as the term “marketing” at 45 CFR 164.501 without the exception to the bar for “consent” based marketing.

(t) Violation means a failure to comply with a requirement of a CMS DUA (CMS data use agreement) or QE DUA (qualified entity data use agreement).

(u) Required by law means the same as the phrase “required by law” at 45 CFR 164.103.

(a) Eligibility criteria: To be eligible to apply to receive data as a qualified entity under this subpart, an applicant generally must demonstrate expertise and sustained experience, defined as 3 or more years, in the following three areas, as applicable and appropriate to the proposed use:

(1) Organizational and governance criteria, including:

(i) Expertise in the areas of measurement that they propose to use in accurately calculating quality, and efficiency, effectiveness, or resource use measures from claims data, including the following:

(A) Identifying an appropriate method to attribute a particular patient's services to specific providers and suppliers.

(B) Ensuring the use of approaches to ensure statistical validity such as a minimum number of observations or minimum denominator for each measure.

(C) Using methods for risk-adjustment to account for variations in both case-mix and severity among providers and suppliers.

(D) Identifying methods for handling outliers.

(E) Correcting measurement errors and assessing measure reliability.

(F) Identifying appropriate peer groups of providers and suppliers for meaningful comparisons.

(ii) A plan for a business model that is projected to cover the costs of performing the required functions, including the fee for the data.

(iii) Successfully combining claims data from different payers to calculate performance reports.

(iv) Designing, and continuously improving the format of performance reports on providers and suppliers.

(v) Preparing an understandable description of the measures used to evaluate the performance of providers and suppliers so that consumers, providers and suppliers, health plans, researchers, and other stakeholders can assess performance reports.

(vi) Implementing and maintaining a process for providers and suppliers identified in a report to review the report prior to publication and providing a timely response to provider and supplier inquiries regarding requests for data, error correction, and appeals.

(vii) Establishing, maintaining, and monitoring a rigorous data privacy and security program, including disclosing to CMS any inappropriate disclosures of beneficiary identifiable information, violations of applicable federal and State privacy and security laws and regulations for the preceding 10-year period (or, if the applicant has not been in existence for 10 years, the length of time the applicant has been an organization), and any corrective actions taken to address the issues.

(viii) Accurately preparing performance reports on providers and suppliers and making performance report information available to the public in aggregate form, that is, at the provider or supplier level.

(2) Expertise in combining Medicare claims data with claims data from other sources, including demonstrating to the Secretary's satisfaction that the claims data from other sources that it intends to combine with the Medicare data received under this subpart address the methodological concerns regarding sample size and reliability that have been expressed by stakeholders regarding the calculation of performance measures from a single payer source.

(3) Expertise in establishing, documenting and implementing rigorous data privacy and security policies including enforcement mechanisms.

(b) Source of expertise and experience: An applicant may demonstrate expertise and experience in any or all of the areas described in paragraph (a) of this section through one of the following:

(1) Activities it has conducted directly through its own staff.

(2) Contracts with other entities if the applicant is the lead entity and includes documentation in its application of the contractual arrangements that exist between it and any other entity whose expertise and experience is relied upon in submitting the application.

A qualified entity must meet the following operating and governance requirements:

(a) Submit to CMS a list of all measures it intends to calculate and report, the geographic areas it intends to serve, and the methods of creating and disseminating reports. This list must include the following information, as applicable and appropriate to the proposed use:

(1) Name of the measure, and whether it is a standard or alternative measure.

(2) Name of the measure developer/owner.

(3) If it is an alternative measure, measure specifications, including numerator and denominator.

(4) The rationale for selecting each measure, including the relationship to existing measurement efforts and the relevancy to the population in the geographic area(s) the entity would serve, including the following:

(i) A specific description of the geographic area or areas it intends to serve.

(ii) A specific description of how each measure evaluates providers and suppliers on quality, efficiency, effectiveness, and/or resource use.

(5) A description of the methodologies it intends to use in creating reports with respect to all of the following topics:

(i) Attribution of beneficiaries to providers and/or suppliers.

(ii) Benchmarking performance data, including the following:

(A) Methods for creating peer groups.

(B) Justification of any minimum sample size determinations made.

(C) Methods for handling statistical outliers.

(iii) Risk adjustment, where appropriate.

(iv) Payment standardization, where appropriate.

(b) Submit to CMS a description of the process it would establish to allow providers and suppliers to view reports confidentially, request data, and ask for the correction of errors before the reports are made public.

(c) Submit to CMS a prototype report and a description of its plans for making the reports available to the public.

(d) Submit to CMS information about the claims data it possesses from other sources, as defined at § 401.703(h), and documentation of adequate rights to use the other claims data for the purposes of this subpart.

(e) If requesting a 5 percent national sample to calculate benchmarks for the specific measures it is using, submit to CMS a justification for needing the file to calculate benchmarks.

(a) Application deadline. CMS accepts qualified entity applications on a rolling basis after an application is made available on the CMS Web site. CMS reviews applications in the order in which they are received.

(b) Selection criteria. To be approved as a qualified entity under this subpart, the applicant must meet one of the following:

(1) Standard approval process: Meet the eligibility and operational and governance requirements, fulfill all of the application requirements to CMS' satisfaction, and agree to pay a fee equal to the cost of CMS making the data available. The applicant and each of its contractors that are anticipated to have access to the Medicare data must also execute a Data Use Agreement with CMS, that among other things, reaffirms the statutory ban on the use of Medicare data provided to the qualified entity by CMS under this subpart for purposes other than those referenced in this subpart.

(2) Conditional approval process: Meet the eligibility and operational and governance requirements, and fulfill all of the application requirements to CMS' satisfaction, with the exception of possession of sufficient claims data from other sources. Meeting these requirements will result in a conditional approval as a qualified entity. Entities gaining a conditional approval as a qualified entity must meet the eligibility requirements related to claims data from other sources the entity intends to combine with the Medicare data, agree to pay a fee equal to the cost of CMS making the data available, and execute a Data Use Agreement with CMS, that among other things, reaffirms the statutory ban on the use of Medicare data provided to the qualified entity by CMS under this subpart for purposes other than those referenced in this subpart before receiving any Medicare data. If the qualified entity is composed of lead entity with contractors, any contractors that are anticipated to have access to the Medicare data must also execute a Data Use Agreement with CMS.

(c) Duration of approval. CMS permits an entity to participate as a qualified entity for a period of 3 years from the date of notification of the application approval by CMS. The qualified entity must abide by all CMS regulations and instructions. If the qualified entity wishes to continue performing the tasks after the 3-year approval period, the entity may re-apply for qualified entity status following the procedures in paragraph (f) of this section.

(d) Reporting period. A qualified entity must produce reports on the performance of providers and suppliers at least annually, beginning in the calendar year after they are approved by CMS.

(e) The distribution of data—(1) Initial data release. Once CMS fully approves a qualified entity under this subpart, the qualified entity must pay a fee equal to the cost of CMS making data available. After the qualified entity pays the fee, CMS will release the applicable encrypted claims data, as well as a file that crosswalks the encrypted beneficiary ID to the beneficiary name and the Medicare HICN. The data will be the most recent data available, and will be limited to the geographic spread of the qualified entity's other claims data, as determined by CMS.

(2) Subsequent data releases. After the first quarter of participation, CMS will provide a qualified entity with the most recent additional quarter of currently available data, as well as a table that crosswalks the encrypted beneficiary ID to the beneficiary's name and the Medicare HICN. Qualified entities are required to pay CMS a fee equal to the cost of making data available before CMS will release the most recent quarter of additional data to the qualified entity.

(f) Re-application. A qualified entity that is in good standing may re-apply for qualified entity status. A qualified entity is considered to be in good standing if it has had no violations of the requirements in this subpart or if the qualified entity is addressing any past deficiencies either on its own or through the implementation of a corrective action plan. To re-apply a qualified entity must submit to CMS documentation of any changes to what was included in its previously-approved application. A re-applicant must submit this documentation at least 6 months before the end of its 3-year approval period and will be able to continue to serve as a qualified entity until the re-application is either approved or denied by CMS. If the re-application is denied, CMS will terminate its relationship with the qualified entity and the qualified entity will be subject to the requirements for return or destruction of data at § 401.721(b).

(a) If a qualified entity wishes to make changes to the following parts of its previously-approved application:

(1) Its list of proposed measures—the qualified entity must send all the information referenced in § 401.707(a) for the new measures to CMS at least 30 days before its intended confidential release to providers and suppliers.

(2) Its proposed prototype report—the qualified entity must send the new prototype report to CMS at least 30 days before its intended confidential release to providers and suppliers.

(3) Its plans for sharing the reports with the public—the qualified entity must send the new plans to CMS at least 30 days before its intended confidential release to providers and suppliers.

(b) CMS will notify the qualified entity when the entity's proposed changes are approved or denied for use, generally within 30 days of the qualified entity submitting the changes to CMS. If a CMS decision on approval or disapproval for a change is not forthcoming within 30 days and CMS does not request an additional 30 days for review, the change or modification shall be deemed to be approved.

(c) If the amount of claims data from other sources available to a qualified entity decreases, the qualified entity must immediately inform CMS and submit documentation that the remaining claims data from other sources is sufficient to address the methodological concerns regarding sample size and reliability. Under no circumstances may a qualified entity use Medicare data to create a report, use a measure, or share a report after the amount of claims data from other sources available to a qualified entity decreases until CMS determines either that the remaining claims data is sufficient or that the qualified entity has collected adequate additional data to address any deficiencies.

(1) If the qualified entity cannot submit the documentation required in paragraph (c) of this section, or if CMS determines that the remaining claims data is not sufficient, CMS will afford the qualified entity up to 120 days to obtain additional claims to address any deficiencies. If the qualified entity does not have access to sufficient new data after that time, CMS will terminate its relationship with the qualified entity.

(2) If CMS determines that the remaining claims data is sufficient, the qualified entity may continue issuing reports, using measures, and sharing reports.

(a) Data use agreement between CMS and a qualified entity. A qualified entity must comply with the data requirements in its data use agreement with CMS (hereinafter the CMS DUA). Contractors (including, where applicable, business associates) of qualified entities that are anticipated to have access to the Medicare claims data or beneficiary identifiable data in the context of this program are also required to execute and comply with the CMS DUA. The CMS DUA will require the qualified entity to maintain privacy and security protocols throughout the duration of the agreement with CMS, and will ban the use or disclosure of Medicare data or any derivative data for purposes other than those set out in this subpart. The CMS DUA will also prohibit the use of unsecured telecommunications to transmit such data, and will specify the circumstances under which such data must be stored and may be transmitted.

(b) A qualified entity must inform each beneficiary whose beneficiary identifiable data has been (or is reasonably believed to have been) inappropriately accessed, acquired, or disclosed in accordance with the DUA.

(c) Contractor(s) must report to the qualified entity whenever there is an incident where beneficiary identifiable data has been (or is reasonably believed to have been) inappropriately accessed, acquired, or disclosed.

(d) Data use agreement between a qualified entity and an authorized user. In addition to meeting the other requirements of this subpart, and as a pre-condition of selling or disclosing any combined data or any Medicare claims data (or any beneficiary-identifiable derivative data of either kind) and as a pre-condition of selling or disclosing non-public analyses that include individually identifiable beneficiary data, the qualified entity must enter a DUA (hereinafter the QE DUA) with the authorized user. Among other things laid out in this subpart, such QE DUA must contractually bind the authorized user (including any contractors or business associates described in the definition of authorized user) to the following:

(1)(i) The authorized user may be permitted to use such data and non-public analyses in a manner that a HIPAA Covered Entity could do under the following provisions:

(A) Activities falling under paragraph (1) of the definition of “health care operations” under 45 CFR 164.501: Quality improvement activities, including care coordination activities and efforts to track and manage medical costs; patient-safety activities; population-based activities such as those aimed at improving patient safety, quality of care, or population health, including the development of new models of care, the development of means to expand coverage and improve access to healthcare, the development of means of reducing healthcare disparities, and the development or improvement of methods of payment or coverage policies.

(B) Activities falling under paragraph (2) of the definition of “health care operations” under 45 CFR 164.501: Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.

(C) Activities that qualify as “fraud and abuse detection or compliance activities” under 45 CFR 164.506(c)(4)(ii).

(D) Activities that qualify as “treatment” under 45 CFR 164.501.

(ii) All other uses and disclosures of such data and/or such non-public analyses must be forbidden except to the extent a disclosure qualifies as a “required by law” disclosure as defined at 45 CFR 164.103.

(2) The authorized user is prohibited from using or disclosing the data or non-public analyses for marketing purposes as defined at § 401.703(s).

(3) The authorized user is required to ensure adequate privacy and security protection for such data and non-public analyses. At a minimum, regardless of whether the authorized user is a HIPAA covered entity, such protections of beneficiary identifiable data must be at least as protective as what is required of covered entities and their business associates regarding protected health information (PHI) under the HIPAA Privacy and Security Rules. In all cases, these requirements must be imposed for the life of such beneficiary identifiable data or non-public analyses and/or any derivative data, that is until all copies of such data or non-public analyses are returned or destroyed. Such duties must be written in such a manner as to survive termination of the QE DUA, whether for cause or not.

(4) Except as provided for in paragraph (d)(5) of this section, the authorized user must be prohibited from re-disclosing or making public any such data or non-public analyses.

(5)(i) At the qualified entity's discretion, it may permit an authorized user that is a provider as defined in § 401.703(b) or a supplier as defined in § 401.703(c), to re-disclose such data and non-public analyses as a covered entity will be permitted to disclose PHI under 45 CFR 164.506(c)(4)(i), under 45 CFR 164.506(c)(2), or under 45 CFR 164.502(e)(1).

(ii) All other uses and disclosures of such data and/or such non-public analyses is forbidden except to the extent a disclosure qualifies as a “required by law” disclosure.

(6) Authorized users who/that receive the beneficiary de-identified combined data or Medicare data as contemplated under § 401.718 are contractually prohibited from linking the beneficiary de-identified data to any other identifiable source of information, and must be contractually barred from attempting any other means of re-identifying any individual whose data is included in such data.

(7) The QE DUA must bind authorized user(s) to notifying the qualified entity of any violations of the QE DUA, and it must require the full cooperation of the authorized user in the qualified entity's efforts to mitigate any harm that may result from such violations, or to comply with the breach provisions governing qualified entities under this subpart.

(a) Standard measures. A standard measure is a measure that can be calculated in full or in part from claims data from other sources and the standardized extracts of Medicare Parts A and B claims, and Part D prescription drug event data and meets the following requirements:

(1) Meets one of the following criteria:

(i) Is endorsed by the entity with a contract under section 1890(a) of the Social Security Act.

(ii) Is time-limited endorsed by the entity with a contract under section 1890(a) of the Social Security Act until such time as the full endorsement status is determined.

(iii) Is developed under section 931 of the Public Health Service Act.

(iv) Can be calculated from standardized extracts of Medicare Parts A or B claims or Part D prescription drug event data, was adopted through notice-and-comment rulemaking, and is currently being used in CMS programs that include quality measurement.

(v) Is endorsed by a CMS-approved consensus-based entity. CMS will approve organizations as consensus-based entities based on review of documentation of the consensus-based entity's measure approval process. To receive approval as a consensus-based entity, an organization must submit information to CMS documenting its processes for stakeholder consultation and measures approval; an organization will only receive approval as a consensus-based entity if all measure specifications are publically available. An organization will retain CMS acceptance as a consensus-based entity for 3 years after the approval date, at which time CMS will review new documentation of the consensus-based entity's measure approval process for a new 3-year approval.

(2) Is used in a manner that follows the measure specifications as written (or as adopted through notice-and-comment rulemaking), including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources.

(b) Alternative measure. (1) An alternative measure is a measure that is not a standard measure, but that can be calculated in full, or in part, from claims data from other sources and the standardized extracts of Medicare Parts A and B claims, and Part D prescription drug event data, and that meets one of the following criteria:

(i) Rulemaking process: Has been found by the Secretary, through a notice-and comment-rulemaking process, to be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures, and is used by a qualified entity in a manner that follows the measure specifications as adopted through notice-and-comment rulemaking, including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources.

(ii) Stakeholder consultation approval process: Has been found by the Secretary, using documentation submitted by a qualified entity that outlines its consultation and agreement with stakeholders in its community, to be more valid, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures, and is used by a qualified entity in a manner that follows the measure specifications as submitted, including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources. If a CMS decision on approval or disapproval of alternative measures submitted using the stakeholder consultation approval process is not forthcoming within 60 days of submission of the measure by the qualified entity, the measure will be deemed approved. However, CMS retains the right to disapprove a measure if, even after 60 days, we find it to not be “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource” than a standard measure.

(2) An alternative measure approved under the process at paragraph (b)(1)(i) of this section may be used by any qualified entity. An alternative measure approved under the process at paragraph (b)(1)(ii) of this section may only be used by the qualified entity that submitted the measure for consideration by the Secretary. A qualified entity may use an alternative measure up until the point that an equivalent standard measure for the particular clinical area or condition becomes available at which point the qualified entity must switch to the standard measure within 6 months or submit additional scientific justification and receive approval, via either paragraphs (b)(1)(i) or (b)(1)(ii) of this section, from the Secretary to continue using the alternative measure.

(3) To submit an alternative measure for consideration under the notice-and-comment-rulemaking process, for use in the calendar year following the submission, an entity must submit the following information by May 31st:

(i) The name of the alternative measure.

(ii) The name of the developer or owner of the alternative measure.

(iii) Detailed specifications for the alternative measure.

(iv) Evidence that use of the alternative measure would be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures.

(4) To submit an alternative measure for consideration under the documentation of stakeholder consultation approval process described in paragraph (b)(1)(ii) of this section, for use once the measure is approved by the Secretary, an entity must submit the following information to CMS:

(i) The name of the alternative measure.

(ii) The name of the developer or owner of the alternative measure.

(iii) Detailed specifications for the alternative measure.

(iv) A description of the process by which the qualified entity notified stakeholders in the geographic region it serves of its intent to seek approval of an alternative measure. Stakeholders must include a valid cross representation of providers, suppliers, payers, employers, and consumers.

(v) A list of stakeholders from whom feedback was solicited, including the stakeholders' names and roles in the community.

(vi) A description of the discussion about the proposed alternative measure, including a summary of all pertinent arguments supporting and opposing the measure.

(vii) Unless CMS has already approved the same measure for use by another qualified entity, no new scientific evidence on the measure is available, and the subsequent qualified entity wishes to rely upon the scientific evidence submitted by the previously approved applicant, an explanation backed by scientific evidence that demonstrates why the measure is more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by a standard measure.

(a) General. So long as it meets the other requirements of this subpart, and subject to the limits in paragraphs (b) and (c) of this section, the qualified entity may use the combined data to create non-public analyses in addition to performance measures and provide or sell these non-public analyses to authorized users (including any contractors or business associates described in the definition of authorized user).

(b) Limitations on a qualified entity. In addition to meeting the other requirements of this subpart, a qualified entity must comply with the following limitations as a pre-condition of dissemination or selling non-public analyses to an authorized user:

(1) A qualified entity may only provide or sell a non-public analysis to a health insurance issuer as defined in § 401.703(l), after the health insurance issuer or a business associate of that health insurance issuer has provided the qualified entity with claims data that represents a majority of the health insurance issuer's covered lives, using one of the four methods of calculating covered lives established at 26 CFR 46.4375-1(c)(2), for the time period and geographic region covered by the issuer-requested non-public analyses. A qualified entity may not provide or sell a non-public analysis to a health insurance issuer if the issuer does not have any covered lives in the geographic region covered by the issuer-requested non-public analysis.

(2) Analyses that contain information that individually identifies one or more beneficiaries may only be disclosed to a provider or supplier (as defined at § 401.703(b) and (c)) when both of the following conditions are met:

(i) The analyses only contain identifiable information on beneficiaries with whom the provider or supplier have a patient relationship as defined at § 401.703(r).

(ii) A QE DUA as defined at § 401.713(d) is executed between the qualified entity and the provider or supplier prior to making any individually identifiable beneficiary information available to the provider or supplier.

(3) Except as specified under paragraph (b)(2) of this section, all analyses must be limited to beneficiary de-identified data. Regardless of the HIPAA covered entity or business associate status of the qualified entity and/or the authorized user, de-identification must be determined based on the standards for HIPAA covered entities found at 45 CFR 164.514(b).

(4) Analyses that contain information that individually identifies a provider or supplier (regardless of the level of the provider or supplier, that is, individual clinician, group of clinicians, or integrated delivery system) may not be disclosed unless one of the following three conditions apply:

(i) The analysis only individually identifies the provider or supplier that is being supplied the analysis.

(ii) Every provider or supplier individually identified in the analysis has been afforded the opportunity to appeal or correct errors using the process at § 401.717(f).

(iii) Every provider or supplier individually identified in the analysis has notified the qualified entity, in writing, that analyses can be disclosed to the authorized user without first going through the appeal and error correction process at § 401.717(f).

(c) Non-public analyses agreement between a qualified entity and an authorized user for beneficiary de-identified non-public analyses disclosures. In addition to the other requirements of this subpart, a qualified entity must enter a contractually binding non-public analyses agreement with the authorized user (including any contractors or business associates described in the definition of authorized user) as a pre-condition to providing or selling de-identified analyses. Such non-public analyses agreement must contain the following provisions:

(1) The authorized user may not use the analyses or derivative data for the following purposes:

(i) Marketing, as defined at § 401.703(s).

(ii) Harming or seeking to harm patients or other individuals both within and outside the healthcare system regardless of whether their data are included in the analyses.

(iii) Effectuating or seeking opportunities to effectuate fraud and/or abuse in the healthcare system.

(2) If the authorized user is an employer as defined in § 401.703(k), the authorized user may only use the analyses or derivative data for purposes of providing health insurance to employees, retirees, or dependents of employees or retirees of that employer.

(3)(i) At the qualified entity's discretion, it may permit an authorized user that is a provider as defined in § 401.703(b) or a supplier as defined in § 401.703(c), to re-disclose the de-identified analyses or derivative data, as a covered entity will be permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).

(ii) All other uses and disclosures of such data and/or such non-public analyses is forbidden except to the extent a disclosure qualifies as a “required by law” disclosure.

(4) If the authorized user is not a provider or supplier, the authorized user may not re-disclose or make public any non-public analyses or derivative data except as required by law.

(5) The authorized user may not link the de-identified analyses to any other identifiable source of information and may not in any other way attempt to identify any individual whose de-identified data is included in the analyses.

(6) The authorized user must notify the qualified entity of any DUA violations, and it must fully cooperate with the qualified entity's efforts to mitigate any harm that may result from such violations.

(a) A qualified entity must confidentially share measures, measurement methodologies, and measure results with providers and suppliers at least 60 calendar days before making reports public. The 60 calendar days begin on the date on which qualified entities send the confidential reports to providers and suppliers. A qualified entity must inform providers and suppliers of the date the reports will be made public at least 60 calendar days before making the reports public.

(b) Before making the reports public, a qualified entity must allow providers and suppliers the opportunity to make a request for the data, or to make a request for error correction, within 60 calendar days after sending the confidential reports to providers or suppliers.

(c) During the 60 calendar days between sending a confidential report on measure results and releasing the report to the public, the qualified entity must, at the request of a provider or supplier and with appropriate privacy and security protections, release the Medicare claims data and beneficiary names to the provider or supplier. Qualified entities may only provide the Medicare claims and/or beneficiary names relevant to the particular measure or measure result the provider or supplier is appealing.

(d) A qualified entity must inform providers and suppliers that reports will be made public, including information related to the status of any data or error correction requests, after the date specified to the provider or supplier when the report is sent for review and, if necessary, error correction requests (at least 60 calendar days after the report was originally sent to the providers and suppliers), regardless of the status of any requests for error correction.

(e) If a provider or supplier has a data or error correction request outstanding at the time the reports become public, the qualified entity must, if feasible, post publicly the name of the appealing provider or supplier and the category of the appeal request.

(f) A qualified entity must comply with the following requirements before disclosing non-public analyses, as defined at § 401.716, which contain information that individually identifies a provider or supplier:

(1) A qualified entity must confidentially notify a provider or supplier that non-public analyses that individually identify the provider or supplier are going to be released to an authorized user at least 65 calendar days before disclosing the analyses. This confidential notification must include a short summary of the analyses (including the measures calculated), the process for the provider or supplier to request the analyses, the authorized users receiving the analyses, and the date on which the qualified entity will release the analyses to the authorized user.

(2) A qualified entity must allow providers and suppliers the opportunity to opt-in to the review and correction process as defined in paragraphs (a) through (e) of this section, anytime during the 65 calendar days. If a provider or supplier chooses to opt-in to the review and correction process more than 5 days into the notification period, the time for the review and correction process is shortened from 60 days to the number of days between the provider or supplier opt-in date and the release date specified in the confidential notification.

(a) General. Subject to the other requirements in this subpart, the requirements in paragraphs (b) and (c) of this section and any other applicable laws or contractual agreements, a qualified entity may provide or sell combined data or provide Medicare data at no cost to authorized users defined at § 401.703(b), (c), (m), and (n).

(b) Data—(1) De-identification. Except as specified in paragraph (b)(2) of this section, any data provided or sold by a qualified entity to an authorized user must be limited to beneficiary de-identified data. De-identification must be determined based on the de-identification standards for HIPAA covered entities found at 45 CFR 164.514(b).

(2) Exception. If such disclosure will be consistent with all applicable laws, data that individually identifies a beneficiary may only be disclosed to a provider or supplier (as defined at § 401.703(b) and (c)) with whom the identifiable individuals in such data have a current patient relationship as defined at § 401.703(r).

(c) Data use agreement between a qualified entity and an authorized user. A qualified entity must contractually require an authorized user to comply with the requirements in § 401.713(d) prior to providing or selling data to an authorized user under § 401.718.

(a) CMS will monitor and assess the performance of qualified entities and their contractors using the following methods:

(1) Audits.

(2) Submission of documentation of data sources and quantities of data upon the request of CMS and/or site visits.

(3) Analysis of specific data reported to CMS by qualified entities through annual reports (as described in paragraph (b) of this section) and reports on inappropriate disclosures or uses of beneficiary identifiable data (as described in paragraph (c) of this section).

(4) Analysis of complaints from beneficiaries and/or providers or suppliers.

(b) A qualified entity must provide annual reports to CMS containing information related to the following:

(1) General program adherence, including the following information:

(i) The number of Medicare and private claims combined.

(ii) The percent of the overall market share the number of claims represent in the qualified entity's geographic area.

(iii) The number of measures calculated.

(iv) The number of providers and suppliers profiled by type of provider and supplier.

(v) A measure of public use of the reports.

(2) The provider and supplier data sharing, error correction, and appeals process, including the following information:

(i) The number of providers and suppliers requesting claims data.

(ii) The number of requests for claims data fulfilled.

(iii) The number of error corrections.

(iv) The type(s) of problem(s) leading to the request for error correction.

(v) The amount of time to acknowledge the request for data or error correction.

(vi) The amount of time to respond to the request for error correction.

(vii) The number of requests for error correction resolved.

(3) Non-public analyses provided or sold to authorized users under this subpart, including the following information:

(i) A summary of the analyses provided or sold, including—

(A) The number of analyses.

(B) The number of purchasers of such analyses.

(C) The types of authorized users that purchased analyses.

(D) The total amount of fees received for such analyses.

(E) QE DUA or non-public analyses agreement violations.

(ii) A description of the topics and purposes of such analyses.

(iii) The number of analyses disclosed with unresolved requests for error correction.

(4) Data provided or sold to authorized users under this subpart, including the following information:

(i) The entities who received data.

(ii) The basis under which each entity received such data.

(iii) The total amount of fees received for providing, selling, or sharing the data.

(iv) QE DUA violations.

(c) A qualified entity must inform CMS of inappropriate disclosures or uses of beneficiary identifiable data under the DUA.

(d) CMS may take the following actions against a qualified entity if CMS determines that the qualified entity violated any of the requirements of this subpart, regardless of how CMS learns of a violation:

(1) Provide a warning notice to the qualified entity of the specific concern, which indicates that future deficiencies could lead to termination.

(2) Request a corrective action plan (CAP) from the qualified entity.

(3) Place the qualified entity on a special monitoring plan.

(4) Terminate the qualified entity.

(5) In the case of a violation, as defined at § 401.703(t), of the CMS DUA or the QE DUA, CMS will impose an assessment on a qualified entity in accordance with the following:

(i) Amount of assessment. CMS will calculate the amount of the assessment of up to $100 per individual entitled to, or enrolled for, benefits under part A of title XVIII of the Social Security Act or enrolled for benefits under Part B of such title whose data was implicated in the violation based on the following:

(A) Basic factors. In determining the amount per impacted individual, CMS takes into account the following:

(1) The nature and the extent of the violation.

(2) The nature and the extent of the harm or potential harm resulting from the violation.

(3) The degree of culpability and the history of prior violations.

(B) Criteria to be considered. In establishing the basic factors, CMS considers the following circumstances:

(1) Aggravating circumstances. Aggravating circumstances include the following:

(i) There were several types of violations occurring over a lengthy period of time.

(ii) There were many of these violations or the nature and circumstances indicate a pattern of violations.

(iii) The nature of the violation had the potential or actually resulted in harm to beneficiaries.

(2) Mitigating circumstances. Mitigating circumstances include the following:

(i) All of the violations subject to the imposition of an assessment were few in number, of the same type, and occurring within a short period of time.

(ii) The violation was the result of an unintentional and unrecognized error and the qualified entity took corrective steps immediately after discovering the error.

(C) Effects of aggravating or mitigating circumstances. In determining the amount of the assessment to be imposed under paragraph (d)(5)(i)(A) of this section:

(1) If there are substantial or several mitigating circumstance, the aggregate amount of the assessment is set at an amount sufficiently below the maximum permitted by paragraph (d)(5)(i)(A) of this section to reflect the mitigating circumstances.

(2) If there are substantial or several aggravating circumstances, the aggregate amount of the assessment is set at an amount at or sufficiently close to the maximum permitted by paragraph (d)(5)(i)(A) of this section to reflect the aggravating circumstances.

(D) The standards set for the qualified entity in this paragraph are binding, except to the extent that—

(1) The amount imposed is not less than the approximate amount required to fully compensate the United States, or any State, for its damages and costs, tangible and intangible, including but not limited to the costs attributable to the investigation, prosecution, and administrative review of the case.

(2) Nothing in this section limits the authority of CMS to settle any issue or case as provided by part 1005 of this title or to compromise any assessment as provided by paragraph (d)(5)(ii)(E) of this section.

(ii) Notice of determination. CMS must propose an assessment in accordance with this paragraph (d)(5), by notifying the qualified entity by certified mail, return receipt requested. Such notice must include the following information:

(A) The assessment amount.

(B) The statutory and regulatory bases for the assessment.

(C) A description of the violations upon which the assessment was proposed.

(D) Any mitigating or aggravating circumstances that CMS considered when it calculated the amount of the proposed assessment.

(E) Information concerning response to the notice, including:

(1) A specific statement of the respondent's right to a hearing in accordance with procedures established at Section 1128A of the Act and implemented in 42 CFR part 1005.

(2) A statement that failure to respond within 60 days renders the proposed determination final and permits the imposition of the proposed assessment.

(3) A statement that the debt may be collected through an administrative offset.

(4) In the case of a respondent that has an agreement under section 1866 of the Act, notice that imposition of an exclusion may result in termination of the provider's agreement in accordance with section 1866(b)(2)(C) of the Act.

(F) The means by which the qualified entity may pay the amount if they do not intend to request a hearing.

(iii) Failure to request a hearing. If the qualified entity does not request a hearing within 60 days of receipt of the notice of proposed determination, any assessment becomes final and CMS may impose the proposed assessment.

(A) CMS notifies the qualified entity, by certified mail with return receipt requested, of any assessment that has been imposed and of the means by which the qualified entity may satisfy the judgment.

(B) The qualified entity has no right to appeal an assessment for which the qualified entity has not requested a hearing.

(iv) When an assessment is collectible. An assessment becomes collectible after the earliest of the following:

(A) Sixty (60) days after the qualified entity receives CMS's notice of proposed determination under paragraph (d)(5)(ii) of this section, if the qualified entity has not requested a hearing.

(B) Immediately after the qualified entity abandons or waives its appeal right at any administrative level.

(C) Thirty (30) days after the qualified entity receives the ALJ's decision imposing an assessment under § 1005.20(d) of this title, if the qualified entity has not requested a review before the DAB.

(D) Sixty (60) days after the qualified entity receives the DAB's decision imposing an assessment if the qualified entity has not requested a stay of the decision under § 1005.22(b) of this title.

(v) Collection of an assessment. Once a determination by HHS has become final, CMS is responsible for the collection of any assessment.

(A) The General Counsel may compromise an assessment imposed under this part, after consulting with CMS or OIG, and the Federal government may recover the assessment in a civil action brought in the United States district court for the district where the claim was presented or where the qualified entity resides.

(B) The United States or a state agency may deduct the amount of an assessment when finally determined, or the amount agreed upon in compromise, from any sum then or later owing the qualified entity.

(C) Matters that were raised or that could have been raised in a hearing before an ALJ or in an appeal under section 1128A(e) of the Act may not be raised as a defense in a civil action by the United States to collect an assessment.

(a) Grounds for terminating a qualified entity agreement. CMS may terminate an agreement with a qualified entity if CMS determines the qualified entity or its contractor meets any of the following:

(1) Engages in one or more serious violations of the requirements of this subpart.

(2) Fails to completely and accurately report information to CMS or fails to make appropriate corrections in response to confidential reviews by providers and suppliers in a timely manner.

(3) Fails to submit an approvable corrective action plan (CAP) as prescribed by CMS, fails to implement an approved CAP, or fails to demonstrate improved performance after the implementation of a CAP.

(4) Improperly uses or discloses claims information received from CMS in violation of the requirements in this subpart.

(5) Based on its re-application, no longer meets the requirements in this subpart.

(6) Fails to maintain adequate data from other sources in accordance with § 401.711(c).

(7) Fails to ensure authorized users comply with their QE DUAs or analysis use agreements.

(b) Return or destruction of CMS data upon voluntary or involuntary termination from the qualified entity program:

(1) If CMS terminates a qualified entity's agreement, the qualified entity and its contractors must immediately upon receipt of notification of the termination commence returning or destroying any and all CMS data (and any derivative files). In no instance can this process exceed 30 days.

(2) If a qualified entity voluntarily terminates participation under this subpart, it and its contractors must return to CMS, or destroy, any and all CMS data in its possession within 30 days of notifying CMS of its intent to end its participation.

(a) A qualified clinical data registry that agrees to meet all the requirements in this subpart, with the exception of § 401.707(d), may request access to Medicare data as a quasi qualified entity in accordance with such qualified entity program requirements.

(b) Notwithstanding § 401.703(q) (generally defining combined data), for purposes of qualified clinical data registries acting as quasi qualified entities under the qualified entity program requirements, combined data means, at a minimum, a set of CMS claims data provided under this subpart combined with clinical data or a subset of clinical data.