The Patient Protection and Affordable Care Act (“PPACA”) requires that “standardized extracts” of Medicare claims data be made available to “qualified entities” in connection with their preparation of reports evaluating the performance of providers. Since this information is now “required by law,” these disclosures are allowed under the Health Insurance Portability and Accountability Act’s Privacy Rule. The Centers for Medicare & Medicaid Services (“CMS”) has published this proposed rule, which is available here, to implement the PPACA requirement. This proposed rule is supposed to make Medicare claims data available to qualified entities for the compilation of public reports about the quality of services and supplies provided under Medicare, but it cannot compromise patient privacy in the process. In fact, there is a requirement that these reports do not contain any private or individually identifying information.
CMS’s proposed rule explains how this process will work. For instance, the rule creates eligibility standards for how entities can become qualified by CMS to receive standardized extracts of claims data under Medicare Parts A, B, and D for the purpose of evaluating provider performance. Potential qualified entities will need to submit applications to the Secretary of Health and Human Services (“HHS”) which must include, “a description of the methodologies that the applicant proposes to use to evaluate the performance of providers of services and suppliers in the geographic area(s) they select.” CMS states that qualified entities shall use “standard measures for evaluating the performance of providers of services and suppliers unless the Secretary, in consultation with appropriate stakeholders, determines that use of alternative measures would be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures.”
It will be important to track the development of these standard and non-standard evaluation methodologies that are deemed acceptable. The proposed rule specifically mentions that proposed methodologies should address the following:
“(i) Attribution of beneficiaries to providers and/or suppliers,
(ii) Benchmarking performance data, including
(A) Methods for creating peer groups,
(B) Justification of any minimum sample size determinations made, and
(C) Methods for handling statistical outliers.
(iii) Risk adjustment.”
CMS is also considering a requirement that qualified entities must use claims data from two or more sources in compiling their reports. This would mean that a qualified entity could not use data from a single source and that it would have to use claims data from two private payers, or one private payer and Medicaid claims data, in order to be eligible to receive the Medicare data. CMS is looking for comments on this issue though its proposed rule states that “a requirement for claims data from two or more other sources may help further alleviate some of the methodological issues associated with performance measurement based on single-source data.”
One of the ways CMS intends to keep private information out of the public reports generated by these qualified entities is by allowing the use of Medicare data “in aggregate form” only. CMS terms this “aggregated, non-beneficiary identifiable data” about the providers of services and supplies under Medicare. Importantly, there is a further requirement that providers have an opportunity to review these reports and ask for corrections before they are released to the public. In fact, the proposed rule requires qualified entities to include in their applications to CMS “a description of the process [the entity] would establish to allow providers of services and suppliers to view reports confidentially, request data, and ask for the correction of errors before the reports are made public.” Qualified entities must make their reports and other information such as the methodology used in the report available to the affected providers on a confidential basis and at least 30 business days before publication. Congress included a provision in PPACA which allows the Secretary of HHS to take actions “necessary to protect the identity of individuals entitled to or enrolled in Medicare” in connection with these reports.
CMS’s proposed rule is expected to be published in the Federal Register on June 8, 2011. Any interested parties can submit comments for 60 days following publication.
This post was contributed by Kurt Bratten.