';


Title 42 Part 401

Title 42 → Chapter IV → Subchapter A → Part 401

Electronic Code of Federal Regulations e-CFR

Title 42 Part 401

e-CFR data is current as of October 16, 2019

Title 42Chapter IVSubchapter A → Part 401


Title 42: Public Health


PART 401—GENERAL ADMINISTRATIVE REQUIREMENTS


Contents

Subpart A [Reserved]

Subpart B—Confidentiality and Disclosure

Source: 46 FR 55696, Nov. 12, 1981, unless otherwise noted.

return arrow Back to Top

§401.101   Purpose and scope.

(a) The regulations in this subpart:

(1) Implement section 1106(a) of the Social Security Act as it applies to the Centers for Medicare & Medicaid Services (CMS). The rules apply to information obtained by officers or employees of CMS in the course of administering title XVIII of the Social Security Act (Medicare), information obtained by Medicare intermediaries or carriers in the course of carrying out agreements under sections 1816 and 1842 of the Social Security Act, and any other information subject to section 1106(a) of the Social Security Act;

(2) Relate to the availability to the public, under 5 U.S.C. 552, of records of CMS and its components. They set out what records are available and how they may be obtained; and

(3) Supplement the regulations of the Department of Health and Human Services relating to availability of information under 5 U.S.C. 552, codified in 45 CFR part 5, and do not replace or restrict them.

(b) Except as authorized by the rules in this subpart, no information described in paragraph (a)(1) of this section shall be disclosed. The procedural rules in this subpart (§§401.106 through 401.152) shall be applied to requests for information which is subject to the rules for disclosure in this subpart.

(c) Requests for information which may not be disclosed according to the provisions of this subpart shall be denied under authority of section 1106(a) of the Social Security Act and this subpart, and furthermore, such requests which have been made pursuant to the Freedom of Information Act shall be denied under authority of an appropriate Freedom of Information Act exemption, 5 U.S.C. 552(b).

return arrow Back to Top

§401.102   Definitions.

For purposes of this subpart:

Act means the Social Security Act.

Freedom of Information Act rules means the substantive mandatory disclosure provisions of the Freedom of Information Act, 5 U.S.C. 552 (including the exemptions from mandatory disclosure, 5 U.S.C. 552(b), as implemented by the Department's public information regulation, 45 CFR part 5, subpart F and by §§401.106 to 401.152 of this subpart.

Person means a person as defined in the Administrative Procedure Act, 5 U.S.C. 551(2). This includes State or local agencies, but does not include Federal agencies or State or Federal courts.

Record has the same meaning as that provided in 45 CFR 5.5.

Subject individual means an individual whose record is maintained by the Department in a system of records, as the terms “individual,” “record”, and “system of records” are defined in the Privacy Act of 1974, 5 U.S.C. 552a(a).

return arrow Back to Top

§401.105   Rules for disclosure.

(a) General rule. The Freedom of Information Act rules shall be applied to every proposed disclosure of information. If, considering the circumstances of the disclosure, the information would be made available in accordance with the Freedom of Information Act rules, then the information may be disclosed regardless of whether the requester or beneficiary of the information has a statutory right to request the information under the Freedom of Information Act, 5 U.S.C. 552, or whether a request has been made.

(b) Application of the general rule. Pursuant to the general rule in paragraph (a) of this section,

(1) Information shall be disclosed—

(i) To a subject individual when required by the access provision of the Privacy Act, 5 U.S.C. 552a(d), as implemented by the Department Privacy Act regulation, 45 CFR part 5b; and

(ii) To a person upon request when required by the Freedom of Information Act, 5 U.S.C. 552;

(2) Unless prohibited by any other statute (e.g., the Privacy Act of 1974, 5 U.S.C. 552a(b), the Tax Reform Act of 1976, 26 U.S.C. 6103, or section 1106(d) and (e) of the Social Security Act), information may be disclosed to any requester or beneficiary of the information, including another Federal agency or a State or Federal court, when the information would not be exempt from mandatory disclosure under Freedom of Information Act rules or when the information nevertheless would be made available under the Department's public information regulation's criteria for disclosures which are in the public interest and consistent with obligations of confidentiality and administrative necessity, 45 CFR part 5, subpart F, as supplemented by §§401.106 to 401.152 of this subpart.

[42 FR 14704, Mar. 16, 1977. Redesignated at 45 FR 74913, 74914, Nov. 13, 1980, and correctly redesignated at 46 FR 24551, May 1, 1981, as amended at 46 FR 55697, Nov. 12, 1981]

return arrow Back to Top

§401.106   Publication.

(a) Methods of publication. Materials required to be published under the provisions of The Freedom of Information Act, 5 U.S.C. 552 (a)(1) and (2) are published in one of the following ways:

(1) By publication in the Federal Register of CMS regulations, and by their subsequent inclusion in the Code of Federal Regulations;

(2) By publication in the Federal Register of appropriate general notices;

(3) By other forms of publication, when incorporated by reference in the Federal Register with the approval of the Director of the Federal Register; and

(4) By publication of indexes of precedential orders and opinions issued in the adjudication of claims, statements of policy and interpretations which have been adopted but have not been published in the Federal Register, and of administrative staff manuals and instructions to staff that affect a member of the public.

(b) Availability for inspection. Those materials which are published in the Federal Register pursuant to 5 U.S.C. 552(a)(1) shall, to the extent practicable and to further assist the public, be made available for inspection at the places specified in §401.128.

[46 FR 55696, Nov. 12, 1981, as amended at 48 FR 22924, May 23, 1983]

return arrow Back to Top

§401.108   CMS rulings.

(a) After September 1981, a precedent final opinion or order or a statement of policy or interpretation that has not been published in the Federal Register as a part of a regulation or of a notice implementing regulations, but which has been adopted by CMS as having precedent, may be published in the Federal Register as a CMS Ruling and will be made available in the publication entitled CMS Rulings.

(b) Precedent final opinions and orders and statements of policy and interpretation that were adopted by CMS before October, 1981, and that have not been published in the Federal Register are available in CMS Rulings.

(c) CMS Rulings are published under the authority of the Administrator, CMS. They are binding on all CMS components, on all HHS components that adjudicate matters under the jurisdiction of CMS, and on the Social Security Administration to the extent that components of the Social Security Administration adjudicate matters under the jurisdiction of CMS.

[48 FR 22924, May 23, 1983, as amended at 70 FR 11472, Mar. 8, 2005; 70 FR 37702, June 30, 2005]

return arrow Back to Top

§401.109   Precedential Final Decisions of the Secretary.

(a) The Chair of the Department of Health and Human Services Departmental Appeals Board (DAB Chair) may designate a final decision of the Secretary issued by the Medicare Appeals Council in accordance with part 405, subpart I; part 422, subpart M; part 423, subpart U; or part 478, subpart B, of this chapter as precedential. In determining which decisions should be designated as precedential, the DAB Chair may take into consideration decisions that address, resolve, or clarify recurring legal issues, rules or policies, or that may have broad application or impact, or involve issues of public interest.

(b) Precedential decisions are made available to the public, with personally identifiable information of the beneficiary removed, and have precedential effect from the date they are made available to the public. Notice of precedential decisions is published in the Federal Register.

(c) Medicare Appeals Council decisions designated in accordance with paragraph (a) of this section have precedential effect and are binding on all CMS components, on all HHS components that adjudicate matters under the jurisdiction of CMS, and on the Social Security Administration to the extent that components of the Social Security Administration adjudicate matters under the jurisdiction of CMS.

(d) Precedential effect, as used in this section, means that the Medicare Appeals Council's—

(1) Legal analysis and interpretation of a Medicare authority or provision is binding and must be followed in future determinations and appeals in which the same authority or provision applies and is still in effect; and

(2) Factual findings are binding and must be applied to future determinations and appeals involving the same parties if the relevant facts are the same and evidence is presented that the underlying factual circumstances have not changed since the issuance of the precedential final decision.

[82 FR 5105, Jan. 17, 2017]

return arrow Back to Top

§401.110   Publications for sale.

The following publications containing information pertaining to the program, organization, functions, and procedures of CMS may be purchased from the Superintendent of Documents, Government Printing Office, Washington, DC 20402.

(a) Titles 20, 42, and 45 of the Code of Federal Regulations.

(b) Federal Register issues.

(c) Compilation of the Social Security Laws.

(d) CMS Rulings.

(e) Social Security Handbook. The information in the Handbook is not of precedent or interpretative force.

(f) Medicare/Medicaid Directory of Medical Facilities.

return arrow Back to Top

§401.112   Availability of administrative staff manuals.

All CMS administrative staff manuals and instructions to staff personnel which contain policies, procedures, or interpretations that affect the public are available for inspection and copying. A complete listing of such materials is published in CMS Rulings. These manuals are generally not printed in a sufficient quantity to permit sale or other general distribution to the public. Selected material is maintained at Social Security Administration district offices and field offices and may be inspected there. See §§401.130 and 401.132 for a listing of this material.

return arrow Back to Top

§401.116   Availability of records upon request.

(a) General. In addition to the records made available pursuant to §§401.106, 401.108, 401.110 and 401.112, CMS will, upon request made in accordance with this subpart, make identified records available to any person, unless they are exempt from disclosure under the provisions of section 552(b) of title 5, United States Code (see §401.126), or any other provision of law.

(b) Misappropriation, alteration, or destruction of records. No person may remove any record made available to him for inspection or copying under this part, from the place where it is made available. In addition, no person may steal, alter, mutilate, obliterate, or destroy in whole or in part, such a record. See sections 641 and 2071 of title 18 of the United States Code.

return arrow Back to Top

§401.118   Deletion of identifying details.

When CMS publishes or otherwise makes available an opinion or order, statement of policy, or other record which relates to a private party or parties, the name or names or other identifying details will be deleted.

return arrow Back to Top

§401.120   Creation of records.

Records will not be created by compiling selected items from the files, and records will not be created to provide the requester with such data as ratios, proportions, percentages, per capitas, frequency distributions, trends, correlations, and comparisons. If such data have been compiled and are available in the form of a record, the record shall be made available as provided in this subpart.

return arrow Back to Top

§401.126   Information or records that are not available.

(a) Specific exemptions from disclosure. Pursuant to paragraph (b) of 5 U.S.C. 552, certain classes of records are exempt from disclosure. For some examples of the kinds of materials which are exempt, see subpart F of the public information regulation of the Department of Health and Human Services (45 CFR part 5) and the appendix to that regulation.

(b) Materials exempt from disclosure by statute. Pursuant to paragraph (b)(3) of 5 U.S.C. 552, as amended, which exempts from the requirement for disclosure matters that are exempted from disclosure by statute, provided that such statute requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue, or establishes particular criteria for withholding or refers to particular types of matter to be withheld:

(1) Reports described in sections 1106 (d) and (e) of the Social Security Act shall not be disclosed, except in accordance with the provisions of sections 1106 (d) and (e). Sections 1106 (d) and (e) provide for public inspection of certain official reports dealing with the operation of the health programs established by titles XVIII and XIX of the Social Security Act (Medicare and Medicaid), but require that program validation survey reports and other formal evaluations of providers of services shall not identify individual patients, individual health care practitioners, or other individuals. Section 1106(e) further requires that none of the reports shall be made public until the contractor or provider whose performance is being evaluated has had a reasonable opportunity to review that report and to offer comments. See §401.133 (b) and (c);

(2)(i) Except as specified in paragraph (b)(2)(ii) of this section, CMS may not disclose any accreditation survey or any information directly related to the survey (including corrective action plans) made by and released to it by the Joint Commission on Accreditation of Healthcare Organizations, the American Osteopathic Association or any other national accreditation organization that meets the requirements of §488.5 or §493.506 of this chapter. Materials that are confidential include accreditation letters and accompanying recommendations and comments prepared by an accreditation organization concerning the entities it surveys.

(ii) Exceptions. (A) CMS may release the accreditation survey of any home health agency; and

(B) CMS may release the accreditation survey and other information directly related to the survey (including corrective action plans) to the extent the survey and information relate to an enforcement action (for example, denial of payment for new admissions, civil money penalties, temporary management and termination) taken by CMS; and

(3) Tax returns and return information defined in section 6103 of the Internal Revenue Code, as amended by the Tax Reform Act of 1976, shall not be disclosed except as authorized by the Internal Revenue Code.

(c) Effect of exemption. Neither 5 U.S.C. 552 nor this regulation directs the withholding of any record or information, except to the extent of the prohibitions in paragraph (b) of this section. Except for material required to be withheld under the statutory provisions incorporated in paragraph (b) of this section or under another statute which meets the standards in 5 U.S.C. 552(b)(3), materials exempt from mandatory disclosure will nevertheless be made available when this can be done consistently with obligations of confidentiality and administrative necessity. The disclosure of materials or records under these circumstances in response to a specific request, however, is of no precedent force with respect to any other request.

[46 FR 55696, Nov. 12, 1981, as amended at 58 FR 61837, Nov. 23, 1993; 80 FR 29834, May 22, 2015]

return arrow Back to Top

§401.128   Where requests for records may be made.

(a) General. Any request for any record may be made to—

(1) Any CMS component;

(2) Director, Office of Public Affairs, CMS 313-H, Hubert H. Humphrey Building, 200 Independence Avenue, Washington, DC 20201; or

(3) Director of Public Affairs in any Regional Office of the Department of Health and Human Services.

The locations and service areas of these offices are as follows:

Region I—John F. Kennedy Federal Building, Boston, MA 02203. Connecticut, Maine, Massachusetts, New Hampshire, Rhode Island, Vermont.

Region II—26 Federal Plaza, New York, NY 10007. New York, New Jersey, Puerto Rico, Virgin Islands.

Region III—Gateway Building, 3535 Market Street, Philadelphia, PA 19101. Delaware, Maryland, Pennsylvania, Virginia, West Virginia, District of Columbia.

Region IV—101 Marietta Street, Altanta, GA 30323. Alabama, Florida, Georgia, Kentucky, Mississippi, North Carolina, South Carolina, Tennessee.

Region V—300 South Wacker Drive, Chicago, IL 60606. Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin.

Region VI—1200 Main Tower Building, Dallas, TX 75202. Arkansas, Louisiana, New Mexico, Oklahoma, Texas.

Region VII—601 East 12th Street, Kansas City, MO 64106. Iowa, Kansas, Missouri, Nebraska.

Region VIII—Federal Office Building, 19th and Stout Streets, Denver, CO 80294. Colorado, Montana, North Dakota, South Dakota, Utah, Wyoming.

Region IX—Federal Office Building, 50 United Nations Plaza, San Francisco, CA 94102. Arizona, California, Hawaii, Nevada, Guam, Trust Territory of Pacific Islands, American Samoa.

Region X—Arcade Plaza Building, 1321 Second Avenue, Seattle, WA 98101. Alaska, Idaho, Oregon, Washington.

(b) Records pertaining to individuals. CMS maintains some records pertaining to individuals. Disclosure of such records is generally prohibited by section 1106 of the Social Security Act (42 U.S.C. 1306), except as prescribed in §401.105 (See also §401.126(b)). Requests for records pertaining to individuals may be addressed to:

Director, Office of Research, Demonstrations and Statistics, CMS, Baltimore, Maryland 21235, when information is sought from the record of a person who has participated in a research survey conducted by or for CMS, Office of Research, Demonstrations and Statistics; or whose records have been included by statistical sampling techniques in research and statistical studies authorized by the Social Security Act in the field of health care financing.

(c) Requests for materials listed in §401.130 or §401.132 or indexed in the CMS Rulings. A request to inspect and copy materials listed in §401.130 or §401.132 or indexed in CMS Rulings may be made to any district or branch office of the Social Security Administration. If the specific material requested is not available in the office receiving the request, the material will be obtained and made available promptly.

return arrow Back to Top

§401.130   Materials available at social security district offices and branch offices.

(a) Materials available for inspection. The following are available or will be made available for inspection at the social security district offices and branch offices:

(1) Compilation of the Social Security Laws.

(2) The Public Information Regulation of the Department of Health and Human Services (45 CFR part 5).

(3) Medicare Program regulations issued by the Centers for Medicare & Medicaid Services. 42 CFR chapter IV .

(4) CMS Rulings.

(5) Social Security Handbook.

(b) Materials available for inspection and copying. The following materials are available or will be made available for inspection and copying at the social security district offices and branch offices:

(1) Claims Manual of the Social Security Administration.

(2) Department Staff Manual on Organization, Department of Health and Human Services, Part F, CMS.

(3) Parts 2 and 3 of the Part A

Intermediary Manual (Provider Services under Medicare CMS Pub. 13-2 and 13-3).

(4) Parts 2 and 3 of the Part B Intermediary Manual (Physician and Supplier Services).

(5) Intermediary Letters Related to Parts 2 and 3 of the Part A and Part B Intermediary Manuals.

(6) State Buy-In Handbook (State Enrollment of Eligible Individuals under the Supplementary Medical Insurance Program) and Letters.

(7) Group Practice Prepayment Plan Manual (HIM-8) and Letters.

(8) State Operations Manual (HIM-7).

(9) CMS Letters to State Agencies on Medicare.

(10) Skilled Nursing Facility Manual (CMS Pub. 12).

(11) Hearing Officers Handbook (Supplementary Medical Insurance Program—HIM-21).

(12) Hospital Manual (HIM-10).

(13) Home Health Agency Manual (HIM-11).

(14) Outpatient Physical Therapy Provider Manual (HIM-9).

(15) Provider Reimbursement Manual (HIM-15).

(16) Audit Program Manuals for Hospital (HIM-16), Home Health Agency (HIM-17), and Extended Care Facilities (HIM-18).

(17) Statements of deficiencies based upon survey reports of health care institutions or facilities prepared after January 31, 1973, by a State agency, and such reports (including pertinent written statements furnished by such institution or facility on such statements of deficiencies), as set forth in §401.133(a). Except as otherwise provided for at §§401.133 and 488.325 of this chapter for SNFs, such statements of deficiencies, reports, and pertinent written statements shall be available or made available only at the social security district office and regional office servicing the area in which the institution or facility is located, except that such statements of deficiencies and pertinent written statements shall also be available at the local public assistance offices servicing such area.

(18) Indexes to the materials listed in paragraph (a) of this section and in this paragraph (b) and an index to the Bureau of Hearings and Appeals Handbook.

[46 FR 55696, Nov. 12, 1981, as amended at 59 FR 56232, Nov. 10, 1994]

return arrow Back to Top

§401.132   Materials in field offices of the Office of Hearings and Appeals, SSA.

(a) Materials available for inspection. The following materials are available for inspection in the field offices of the Office of Hearings and Appeals, SSA.

(1) Title 45 of the Code of Federal Regulations (including the public information regulation of the Department of Health and Human Services).

(2) Regulations of the Social Security Administration and CMS.

(3) Title 5, United States Code.

(4) Compilation of the Social Security Laws.

(5) CMS Rulings.

(6) Social Security Handbook.

(b) Handbook available for inspection and copying. The Office of Hearings and Appeals Handbook is available for inspection and copying in the field offices of the Office of Hearings and Appeals.

return arrow Back to Top

§401.133   Availability of official reports on providers and suppliers of services, State agencies, intermediaries, and carriers under Medicare.

Except as otherwise provided for in §488.325 of this chapter for SNFs, the following must be made available to the public under the conditions specified:

(a) Statements of deficiencies and survey reports on providers of services prepared by State agencies. (1) Statements of deficiencies based upon official survey reports prepared after January 31, 1973, by a State agency pursuant to its agreement entered into under section 1864 of the Social Security Act and furnished to CMS, which relate to a State agency's findings on the compliance of a health care institution or facility with the applicable provisions in section 1861 of the Act and with the regulations, promulgated pursuant to those provisions, dealing with health and safety of patients in those institutions and facilities; and (2) State agency survey reports. The statement of deficiencies or report and any pertinent written statements furnished by the institution or facility on the statement of deficiencies shall be disclosed within 90 days following the completion of the survey by the State agency, but not to exceed 30 days following the receipt of the report by CMS. (See §401.130(b)(17)) for places where statements of deficiencies, reports, and pertinent written statements will be available.)

(b) CMS reports on providers of services. Upon request in writing, official reports and other formal evaluations (including followup reviews), excluding references to internal tolerance rules and practices contained therein, internal working papers or other informal memoranda, prepared and completed after January 31, 1973, which relate to the performance of providers of services under Medicare: Provided, That no information identifying individual patients, physicians, or other practitioners, or other individuals shall be disclosed under this paragraph. Those reports and other evaluations shall be disclosed within 30 days following the final preparation thereof by CMS during which time the providers of services shall be afforded a reasonable opportunity to offer comments, and there shall be disclosed with those reports and evaluations any pertinent written statements furnished CMS by those providers on those reports and evaluations.

(c) Contractor performance review reports. Upon request in writing, official contractor performance review reports and other formal evaluations (including followup reviews), excluding references to internal tolerance rules and practices contained therein, internal working papers or other informal memoranda, prepared and completed after January 31, 1973, which relate to the evaluation of the performance of (1) intermediaries and carriers under their agreements entered into pursuant to sections 1816 and 1842 of the Social Security Act and (2) State agencies under their agreements entered into pursuant to section 1864 of the Act (including comparative evaluations of the performance of those intermediaries, carriers, and State agencies). The latest Contract Performance Review Report pertaining to a particular intermediary or carrier, prepared prior to February 1, 1973, may also be disclosed to any person upon request in writing. Those reports and evaluations shall be disclosed within 30 days following their final preparation by CMS (or 30 days following the request therefor, in the case of the contract performance review report prepared prior to February 1, 1973), during which time those intermediaries, carriers, and State agencies, as the case may be, shall be afforded a reasonable opportunity to offer comments, and there shall be disclosed with those reports and evaluations any pertinent written statements furnished CMS by those intermediaries, carriers, on State agencies or those reports and evaluations.

(d) Accreditation surveys. Upon written request, CMS will release the accreditation survey and related information from an accreditation organization meeting the requirements of §488.5 or §493.506 of this chapter to the extent the survey and information relate to an enforcement action taken (for example, denial of payment for new admission, civil money penalties, temporary management and termination) by CMS;

(e) Upon written request, CMS will release the accreditation survey of any home health agency.

[46 FR 55696, Nov. 12, 1981; 46 FR 59249, Dec. 4, 1981, as amended at 58 FR 61838, Nov. 23, 1993; 59 FR 56232, Nov. 10, 1994; 80 FR 29834, May 22, 2015]

return arrow Back to Top

§401.134   Release of Medicare information to State and Federal agencies.

(a) Except as provided in paragraph (b) of this section, the following information may be released to an officer or employee of an agency of the Federal or a State government lawfully charged with the administration of a program receiving grants-in-aid under title V and XIX of the Social Security Act for the purpose of administration of those titles, or to any officer or employee of the Department of Army, Department of Defense, solely for the administration of its Civilian Health and Medical Program of the Uniformed Services (CHAMPUS):

(1) Information, including the identification number, concerning charges made by physicians, other practitioners, or suppliers, and amounts paid under Medicare for services furnished to beneficiaries by such physicians, other practioners, or suppliers, to enable the agency to determine the proper amount of benefits payable for medical services performed in accordance with those programs; or

(2) Information as to physicians or other practioners that has been disclosed under §401.105.

(3) Information relating to the qualifications and certification status of hospitals and other health care facilities obtained in the process of determining whether, and certifying as to whether, institutions or agencies meet or continue to meet the conditions of participation of providers of services or whether other entities meet or continue to meet the conditions for coverage of services they furnish.

(b) The release of such information shall not be authorized by a fiscal intermediary or carrier.

(c) The following information may be released to any officer or employee of an agency of the Federal or a State government lawfully charged with the duty of conducting an investigation or prosecution with respect to possible fraud or abuse against a program receiving grants-in-aid under Medicaid, but only for the purpose of conducting such an investigation or prosecution, or to any officer or employee of the Department of the Army, Department of Defense, solely for the administration of its Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), provided that the agency has filed an agreement with CMS that the information will be released only to the agency's enforcement branch and that the agency will preserve the confidentiality of the information received and will not disclose that information for other than program purposes:

(1) The name and address of any provider of medical services, organization, or other person being actively investigated for possible fraud in connection with Medicare, and the nature of such suspected fraud. An active investigation exists when there is significant evidence supporting an initial complaint but there is need for further investigation.

(2) The name and address of any provider of medical services, organization, or other person found, after consultation with an appropriate professional association or a program review team, to have provided unnecessary services, or of any physician or other individual found to have violated the assignment agreement on at least three occasions.

(3) The name and address of any provider of medical services, organization or other person released under paragraph (c)(1) or (2) of this section concerning which an active investigation is concluded with a finding that there is no fraud or other prosecutable offense.

return arrow Back to Top

§401.135   Release of Medicare information to the public.

The following shall be made available to the public under the conditions specified:

(a) Information as to amounts paid to providers and other organizations and facilities for services to beneficiaries under title XVIII of the Act: Provided, That no information identifying any particular beneficiaries shall be disclosed under this paragraph.

(b) The name of any provider of services or other person furnishing services to Medicare beneficiaries who—

(1) Has been found by a Federal court to have been guilty of submitting false claims in connection with Medicare; or

(2) Has been found by a carrier or intermediary, after consultation with a professional medical association functioning external to program administration or, if appropriate, the State medical authority, to have been engaged in a pattern of furnishing services to beneficiaries which are substantially in excess of their medical needs; except that the name of any provider or other person shall not be disclosed pursuant to a finding under this paragraph (b)(2) of this section, unless that provider or other person has first been afforded a reasonable opportunity to offer evidence on his behalf.

(c) Upon request in writing, cost reports submitted by providers of services pursuant to section 1815 of the Act to enable the Secretary to determine amounts due the providers.

return arrow Back to Top

§401.136   Requests for information or records.

(a) A request should reasonably identify the requested record by brief description. Requesters who have detailed information which would assist in identifying the records requested are urged to provide such information in order to expedite the handling of the request. Envelopes in which written requests are submitted should be clearly identified as Freedom of Information requests. The request should include the fee or request determination of the fee. When necessary, a written request will be promptly forwarded to the proper office, and the requester will be advised of the date of the receipt and identification and address of the proper office.

(b) Determinations of whether records will be released or withheld will be made within 10 working days from date of receipt of the request in the office listed in §401.128 except where CMS extends this time and sends notice of such extension to the requester. Such extension may not exceed 10 additional working days and shall apply only where the following unusual circumstances exist:

(1) The need to search for and collect the requested records from field facilities or other establishments that are separate from the office processing the requests;

(2) The need to search for, collect, and appropriately examine a voluminous amount of separate and distinct records which are requested in a single request; or

(3) The need for consultation, which shall be conducted with all practicable speed, with another agency having a substantial interest in the request or among two or more components of CMS having a substantial interest in the subject matter of the request.

(c) If an extension is made, the requester will be notified in writing before the expiration of 10 working days from receipt of the request and will be given an explanation of why the extension was necessary and the date on which a determination will be made.

(d) Authority to extend the time limit with respect to any request for information or records is granted to the Director, Office of Public Affairs, CMS and to the Director of Public Affairs in any HHS Regional Office. Those officers and employees of CMS who are listed in §401.144(a) as having authority to deny requests for information from records maintained on individuals are granted authority to extend the time limit for responding to requests for information from such records.

return arrow Back to Top

§401.140   Fees and charges.

(a) Statement of policy. It is CMS's policy to comply with certain requests for information services without charge. Except as otherwise determined pursuant to paragraph (c) of this section, fees will be charged for the following services with respect to all other requests for information from records which are reasonably identified by the requesters:

(1) Reproduction, duplication, or copying of records;

(2) Searches for records; and

(3) Certification or authentication of records.

(b) Fee schedules. The fee schedule is as follows:

(1) Search for records. Three dollars per hour: Provided, however, That no charge will be made for the first half hour.

(2) Reproduction, duplication, or copying of records. Ten cents per page where such reproduction can be made by commonly available photocopying machines. The cost of reproducing records which cannot be so photocopied will be determined on an individual basis at actual cost.

(3) Certification or authentication of records. Three dollars per certification or authentication.

(4) Forwarding materials to destination. Any special arrangements for forwarding which are requested shall be charged at actual cost; however, no charge will be made for postage.

(5) No charge will be made when the total amount does not exceed five dollars.

(c) Waiver or reduction of fees. Waiver or reduction of the fees in paragraph (b) of this section may be made upon a determination that such waiver or reduction is in the public interest because furnishing the information can be considered as primarily benefiting the general public. Such determination may be made by the appropriate officer or employee identified in §401.144.

(d) Sale of documents. On occasion, a previously printed document may be available for sale to the public; the cost of supplying the document is one cent per page unless the document is available for sale from the Superintendent of Documents, in which case the price shall be that determined by the Superintendent.

return arrow Back to Top

§401.144   Denial of requests.

(a) General authority. Only the Director, Office of Public Affairs, CMS, and the Regional Directors of Public Affairs, HHS, are authorized to deny written requests to obtain, inspect or copy any CMS information or record.

(b) Forms of denials. (1) Oral requests may be dealt with orally, but the requester should be advised that the oral response is not an official determination and that an official determination may be obtained only by submitting the request in writing. Appropriate available assistance will be offered.

(2) Written Requests—Denials of written requests will be in writing and will contain the reasons for the denial including, as appropriate, a statement that a document requested is nonexistent or not reasonably described or is subject to one or more clearly described exemption(s). Denials will also provide the requester with appropriate information on how to exercise the right of appeal.

return arrow Back to Top

§401.148   Administrative review.

(a) Review by the Administrator. A person whose request has been denied may initiate a review by filing a request for review with the Administrator of CMS, 700 East High Rise Building, 6401 Security Boulevard, Baltimore, Maryland 21235, within 30 days of receipt of the determination to deny or within 30 days of receipt of records which are in partial response to his request if a portion of a request is granted and a portion denied, whichever is later. Upon receipt of a timely request for review, the Administrator will review the decision in question and the findings upon which it was based. Upon the basis of the data considered in connection with the decision and whatever other evidence and written argument is submitted by the person requesting the review or which is otherwise obtained, the Administrator or his designee will affirm or revise in whole or in part the findings and decision in question. A decision to affirm the denial will be made only upon concurrence of the Assistant Secretary for Public Affairs, or his designee, after consultation with the General Counsel or his or her designee, and the appropriate program policy official. Written notice of the decision of the Administrator will be mailed to the person who requested the review. A written decision will be made within 20 working days from receipt of the request for review. Extension of the time limit may be granted under the circumstances listed in §401.136(b) to the extent that the maximum 10 days limit on extensions has not been exhausted on the initial determination. The decision will include the basis for it and will advise the requester of his right to judicial review.

(b) Failure of the Administrator to comply with the time limits. Failure of the Administrator to comply with the time limits set forth in §401.136 and this section constitutes an exhaustion of the requester's administrative remedies.

return arrow Back to Top

§401.152   Court review.

Where the Administrator upon review affirms the denial of a request for records, in whole or in part, the requester may seek court review in the district court of the United States pursuant to 5 U.S.C. 552(a)(4)(B).

return arrow Back to Top

Subpart C [Reserved]

Subpart D—Reporting and Returning of Overpayments

Source: 81 FR 7683, Feb. 12, 2016, unless otherwise noted.

return arrow Back to Top

§401.301   Basis and scope.

This subpart sets forth the policies and procedures for reporting and returning overpayments to the Medicare program for providers and suppliers of services under Parts A and B of title XVIII of the Act as required by section 1128J(d) of the Act.

return arrow Back to Top

§401.303   Definitions.

For purposes of this subpart—

Medicare contractor means a Part A/Part B Medicare Administrative Contractor (A/B MAC) or a Durable Medical Equipment Medicare Administrative Contractor (DME MAC).

Overpayment means any funds that a person has received or retained under title XVIII of the Act to which the person, after applicable reconciliation, is not entitled under such title.

Person means a provider (as defined in §400.202 of this chapter) or a supplier (as defined in §400.202 of this chapter).

return arrow Back to Top

§401.305   Requirements for reporting and returning of overpayments.

(a) General. (1) A person that has received an overpayment must report and return the overpayment in the form and manner set forth in this section.

(2) A person has identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment. A person should have determined that the person received an overpayment and quantified the amount of the overpayment if the person fails to exercise reasonable diligence and the person in fact received an overpayment.

(b) Deadline for reporting and returning overpayments. (1) A person who has received an overpayment must report and return the overpayment by the later of either of the following:

(i) The date which is 60 days after the date on which the overpayment was identified.

(ii) The date any corresponding cost report is due, if applicable.

(2) The deadline for returning overpayments will be suspended when the following occurs:

(i) OIG acknowledges receipt of a submission to the OIG Self-Disclosure Protocol and will remain suspended until such time as a settlement agreement is entered, the person withdraws from the OIG Self-Disclosure Protocol, or the person is removed from the OIG Self-Disclosure Protocol.

(ii) CMS acknowledges receipt of a submission to the CMS Voluntary Self-Referral Disclosure Protocol and will remain suspended until such time as a settlement agreement is entered, the person withdraws from the CMS Voluntary Self-Referral Disclosure Protocol, or the person is removed from the CMS Voluntary Self-Referral Disclosure Protocol.

(iii) A person requests an extended repayment schedule as defined in §401.603 and will remain suspended until such time as CMS or one of its contractors rejects the extended repayment schedule request or the provider or supplier fails to comply with the terms of the extended repayment schedule.

(c) Applicable reconciliation. (1) The applicable reconciliation occurs when a cost report is filed; and

(2) In instances when the provider—

(i) Receives more recent CMS information on the SSI ratio, the provider is not required to return any overpayment resulting from the updated information until the final reconciliation of the provider's cost report occurs; or

(ii) Knows that an outlier reconciliation will be performed, the provider is not required to estimate the change in reimbursement and return the estimated overpayment until the final reconciliation of that cost report.

(d) Reporting. (1) A person must use an applicable claims adjustment, credit balance, self-reported refund, or other reporting process set forth by the applicable Medicare contractor to report an overpayment, except as provided in paragraph (d)(2) of this section. If the person calculates the overpayment amount using a statistical sampling methodology, the person must describe the statistically valid sampling and extrapolation methodology in the report.

(2) A person satisfies the reporting obligations of this section by making a disclosure under the OIG's Self-Disclosure Protocol or the CMS Voluntary Self-Referral Disclosure Protocol resulting in a settlement agreement using the process described in the respective protocol.

(e) Enforcement. Any overpayment retained by a person after the deadline for reporting and returning the overpayment specified in paragraph (b) of this section is an obligation for purposes of 31 U.S.C. 3729.

(f) Lookback period. An overpayment must be reported and returned in accordance with this section if a person identifies the overpayment, as defined in paragraph (a)(2) of this section, within 6 years of the date the overpayment was received.

return arrow Back to Top

Subpart E [Reserved]

Subpart F—Claims Collection and Compromise

Source: 48 FR 39064, Aug. 29, 1983, unless otherwise noted.

return arrow Back to Top

§401.601   Basis and scope.

(a) Basis. This subpart implements the following statutory provisions:

(1) For CMS the Debt Collection Improvement Act of 1996 (Pub. L. 104-134) (DCIA), 110 Stat. 1321, 1358 (April 26, 1996) (codified at 31 U.S.C. 3711), and conforms to the regulations (31 CFR parts 900-904) issued jointly by the Department of the Treasury and the Department of Justice that generally prescribe claims collection standards and procedures under the DCIA for the Federal government.

(2) Section 1893(f)(1) of the Act regarding the use of repayment plans.

(b) Scope. Except as provided in paragraphs (c) through (f) of this section, the regulations in this subpart describe CMS's procedures and standards for the collection of claims in any amount, and the compromise of, or the suspension or termination of collection action on, all claims for money or property that do not exceed $100,000 or such higher amount as the Attorney General may from time to time prescribe, exclusive of interest, arising under any functions delegated to CMS by the Secretary.

(c) Amount of claim. CMS refers all claims that exceed $100,000 or such higher amount as the Attorney General may from time to time prescribe, exclusive of interest, to the Department of Justice or the General Accounting Office for the compromise of claims, or the suspension or termination of collection action.

(d) Related regulations—(1) Department regulations. DHHS regulations applicable to CMS that generally implement the FCCA for the Department are located at 45 CFR part 30. These regulations apply only to the extent CMS regulations do not address a situation.

(2) CMS regulations. The following regulations govern specific debt management situations encountered by CMS and supplement this subpart:

(i) Claims against Medicare beneficiaries for the recovery of overpayments are covered in 20 CFR 404.515.

(ii) Adjustments in Railroad Retirement or Social Security benefits to recover Medicare overpayments to individuals are covered in §§405.350-405.358 of this chapter.

(iii) Claims against providers, physicians, or other suppliers of services for overpayments under Medicare and for assessment of interest are covered in §§405.377 and 405.378 of this chapter, respectively.

(iv) Claims against beneficiaries for unpaid hospital insurance or supplementary medical insurance premiums under Medicare are covered in §408.110 of this chapter.

(v) State repayment of Medicaid funds by installments is covered in §430.48 of this chapter.

(e) Collection and compromise under other statutes and at common law. The regulations in this subpart do not—

(1) Preclude disposition by CMS of claims under statutes, other than the FCCA, that provide for the collection or compromise of a claim, or suspension or termination of collection action.

(2) Affect any rights that CMS may have under common law as a creditor.

(f) Fraud. The regulations in this subpart do not apply to claims in which there is an indication of fraud, the presentation of a false claim, or misrepresentation on the part of a debtor or any other party having an interest in the claim. CMS forwards these claims to the Department of Justice for disposition under 4 CFR 105.1.

(g) Enforced collection. CMS refers claims to the Department of Justice for enforced collection through litigation in those cases which cannot be compromised or on which collection action cannot be suspended or terminated in accordance with this subpart or the regulations issued jointly by the Attorney General and the Comptroller General.

[48 FR 39064, Aug. 29, 1983, as amended at 52 FR 48123, Dec. 18, 1987; 57 FR 56998, Dec. 2, 1992; 61 FR 49271, Sept. 19, 1996; 61 FR 63748, Dec. 2, 1996; 73 FR 36447, June 27, 2008]

return arrow Back to Top

§401.603   Definitions.

For purposes of this subpart—

Claim means any debt owed to CMS.

Debtor means any individual, partnership, corporation, estate, trust or other legal entity against which CMS has a claim.

Extended repayment schedule means installment payments to pay back a debt.

[48 FR 39064, Aug. 29, 1983, as amended at 73 FR 36447, June 27, 2008]

return arrow Back to Top

§401.605   Omissions not a defense.

The failure of CMS to comply with the regulations in this subpart, or with the related regulations listed in §401.601(d), is not available as a defense to a debtor against whom CMS has a claim for money or property.

return arrow Back to Top

§401.607   Claims collection.

(a) General policy. CMS recovers amounts of claims due from debtors, including interest where appropriate, by—

(1) Direct collections in lump sums or in installments; or

(2) Offsets against monies owed to the debtor by the Federal government where possible.

(b) Collection in lump sums. Whenever possible, CMS attempts to collect claims in full in one lump sum. However, if CMS determines that a debtor is unable to pay the claim in one lump sum, CMS may instead enter into an agreement to accept regular installment payments.

(c) Collection in installments. Generally, CMS requires that all claims to be satisfied by installment payments must be liquidated in three years or less. If unusual circumstances exist, such as the possibility of debtor insolvency, an installment agreement that extends beyond three years may be approved.

(1) Debtor request. If a debtor desires to repay a claim in installments, the debtor must submit—

(i) A request to CMS; and

(ii) Any information required by CMS to make a decision regarding the request.

(2) Extended repayment schedule. (i) For purposes of this paragraph (c)(2), the following definitions apply:

Extreme hardship exists when a provider or supplier qualifies as being in “hardship” as defined in this paragraph and the provider's or supplier's request for an extended repayment schedule (ERS) is approved under paragraph (c)(3) of this section.

Hardship exists when the total amount of all outstanding outstanding overpayments (principal and interest and including overpayments reported in accordance with §§401.301 through 401.305) not included in an approved, existing repayment schedule is 10 percent or greater than the total Medicare payments made for the cost reporting period covered by the most recently submitted cost report for a provider filing a cost report, or for the previous calendar year for a supplier or non cost-report provider.

(ii) CMS or its contractor reviews a provider's or supplier's request for an ERS. For a provider or a supplier not paid by Medicare during the previous year or paid only during a portion of that year, the contractor or CMS will use the last 12 months of Medicare payments. If less than a 12-month payment history exists, the number of months available is annualized to equal an approximate yearly Medicare payment level for the provider or supplier.

(iii) For a provider or supplier requesting an ERS, CMS or its contractor evaluates the request based on the definitions and information submitted under this paragraph (c)(2). For a provider or supplier whose situation does not meet the definitions in paragraph (c)(2)(i) of this section, CMS or its contractor evaluates the ERS request using the information in paragraph (c)(3) of this section in deciding to grant an ERS.

(iv) CMS or its contractor is prohibited from granting an ERS to a provider or supplier if there is reason to suspect the provider or supplier may file for bankruptcy, cease to do business, discontinue participation in the Medicare program, or there is an indication of fraud or abuse committed against the Medicare program.

(v) CMS or its contractor may grant a provider or a supplier an ERS of at least 6 months if repaying an overpayment within 30 days will constitute a “hardship” as defined in paragraph (c)(2)(i) of this section. If a provider or supplier is granted an ERS under this paragraph, missing one installment payment constitutes a default and the total balance of the overpayment will be recovered immediately.

(vi) CMS or its contractor may grant a provider or a supplier an ERS of 36 months and up to 60 months if repaying an overpayment will constitute an “extreme hardship” as defined in paragraph (c)(2)(i) of this section.

(3) CMS decision. CMS will determine the number, amount and frequency of installment payments based on the information submitted by the debtor and on other factors such as—

(i) Total amount of the claim;

(ii) Debtor's ability to pay; and

(iii) Cost to CMS of administering an installment agreement.

(d) Collection by offset. (1) CMS may offset, where possible, the amount of a claim against the amount of pay, compensation, benefits or other monies that a debtor is receiving or is due from the Federal government.

(2) Under regulations at §405.350-405.358 of this chapter, CMS may initiate adjustments in program payments to which an individual is entitled under title II of the Act (Federal Old Age, Survivors, and Disability Insurance Benefits) or under the Railroad Retirement Act of 1974 (45 U.S.C. 231) to recover Medicare overpayments.

[48 FR 39064, Aug. 29, 1983, as amended at 61 FR 49271, Sept. 19, 1996; 61 FR 63748, Dec. 2, 1996; 73 FR 36447, June 27, 2008; 81 FR 7684, Feb. 12, 2016]

return arrow Back to Top

§401.613   Compromise of claims.

(a) Amount of compromise. HFCA requires that the amount to be recovered through a compromise of a claim must—

(1) Bear a reasonable relation to the amount of the claim; and

(2) Be recoverable through enforced collection procedures.

(b) General factors. After considering the bases for a decision to compromise a claim under paragraph (c) of this section, CMS may further consider factors such as—

(1) The age and health of the debtor if the debtor is an individual;

(2) Present and potential income of the debtor; and

(3) Whether assets have been concealed or improperly transferred by the debtor.

(c) Basis for compromise. Bases on which CMS may compromise a claim include the following—

(1) Inability to pay. CMS may compromise a claim if it determines that the debtor, or the estate of a deceased debtor, does not have the present or prospective ability to pay the full amount of the claim within a reasonable time.

(2) Litigative probabilities. CMS may compromise a claim if it determines that it would be difficult to prevail in a case before a court of law as a result of the legal issues involved or inability of the parties to agree to the facts of the case. The amount that CMS accepts in compromise under this provision will reflect—

(i) The likelihood that CMS would have prevailed on the legal question(s) involved;

(ii) Whether and to what extent CMS would have obtained a full or partial recovery of a judgment, depending on the availability of witnesses, or other evidentiary support for CMS's claim; and

(iii) The amount of court costs that would be assessed to CMS.

(3) Cost of collecting the claim. CMS may compromise a claim if it determines that the cost of collecting the claim does not justify the enforced collection of the full amount. In this case, CMS may adjust the amount it accepts as a compromise to allow an appropriate discount for the costs of collection it would have incurred but for the compromise.

(d) Enforcement policy. CMS may compromise statutory penalties, forfeitures, or debts established as an aid to enforcement or to compel compliance, if it determines that its enforcement policy, in terms of deterrence and securing compliance both present and future, is adequately served by acceptance of the compromise amount.

return arrow Back to Top

§401.615   Payment of compromise amount.

(a) Time and manner of compromise. Payment by the debtor of the amount that CMS has agreed to accept as a compromise in full settlement of a claim must be made within the time and in the manner prescribed by CMS. Accordingly, CMS will not settle a claim until the full payment of the compromise amount has been made.

(b) Effect of failure to pay compromise amount. Failure of the debtor to make payment, as provided by the compromise agreement, reinstates the full amount of the claim, less any amounts paid prior to the default.

(c) Prohibition against grace periods. CMS will not agree to inclusion of a provision in an installment agreement that would permit grace periods for payments that are late under the terms of the agreement.

return arrow Back to Top

§401.617   Suspension of collection action.

(a) General conditions. CMS may temporarily suspend collection action on a claim if the following general conditions are met—

(1) Amount of future recovery. CMS determines that future collection action may result in a recovery of an amount sufficient to justify periodic review and action on the claim by CMS during the period of suspension.

(2) Statute of limitations. CMS determines that—

(i) The applicable statute of limitations has been tolled, waived or has started running anew; or

(ii) Future collections may be made by CMS through offset despite an applicable statute of limitations.

(b) Basis for suspension. Bases on which CMS may suspend collection action on a particular claim include the following—

(1) A debtor cannot be located; or

(2) A debtor—

(i) Owns no substantial equity in property;

(ii) Is unable to make payment on CMS's claim or is unable to effect a compromise; and

(iii) Has future prospects that justify retention of the claim.

(c) Locating debtors. CMS will make every reasonable effort to locate missing debtors sufficiently in advance of the bar of an applicable statute of limitations to permit timely filing of a lawsuit to recover the amount of the claim.

(d) Effect of suspension on liquidation of security. CMS will liquidate security, obtained in partial recovery of a claim, despite a decision under this section to suspend collection action against the debtor for the remainder of the claim.

return arrow Back to Top

§401.621   Termination of collection action.

(a) General factors. After considering the bases for a decision to terminate collection action under paragraph (b) of this section, CMS may further consider factors such as—

(1) The age and health of the debtor if the debtor is an individual;

(2) Present and potential income of the debtor; and

(3) Whether assets have been concealed or improperly transferred by the debtor.

(b) Basis for termination of collection action. Bases on which CMS may terminate collection action on a claim include the following—

(1) Inability to collect a substantial amount of the claim. CMS may terminate collection action if it determines that it is unable to collect, or to enforce collection, of a significant amount of the claim. In making this determination, CMS will consider factors such as—

(i) Judicial remedies available;

(ii) The debtor's future financial prospects; and

(iii) Exemptions available to the debtor under State or Federal law.

(2) Inability to locate debtor. In cases involving missing debtors, CMS may terminate collection action if—

(i) There is no security remaining to be liquidated;

(ii) The applicable statute of limitations has run; or

(iii) The prospects of collecting by offset, whether or not an applicable statute of limitations has run, are considered by CMS to be too remote to justify retention of the claim.

(3) Cost of collection exceeds recovery. CMS may terminate collection action if it determines that the cost of further collection action will exceed the amount recoverable.

(4) Legal insufficiency. CMS may terminate collection action if it determines that the claim is legally without merit.

(5) Evidence unavailable. CMS may terminate collection action if—

(i) Efforts to obtain voluntary payment are unsuccessful; and

(ii) Evidence or witnesses necessary to prove the claim are unavailable.

return arrow Back to Top

§401.623   Joint and several liability.

(a) Collection action. CMS will liquidate claims as quickly as possible. In cases of joint and several liability among two or more debtors, CMS will not allocate the burden of claims payment among the debtors. CMS will proceed with collection action against one debtor even if other liable debtors have not paid their proportionate shares.

(b) Compromise. Compromise with one debtor does not release a claim against remaining debtors. Furthermore, CMS will not consider the amount of a compromise with one debtor to be a binding precedent concerning the amounts due from other debtors who are jointly and severally liable on the claim.

return arrow Back to Top

§401.625   Effect of CMS claims collection decisions on appeals.

Any action taken under this subpart regarding the compromise of a claim, or suspension or termination of collection action on a claim, is not an initial determination for purposes of CMS appeal procedures.

return arrow Back to Top

Subpart G—Availability of Medicare Data for Performance Measurement

Source: 76 FR 76567, Dec. 7, 2011, unless otherwise noted.

return arrow Back to Top

§401.701   Purpose and scope.

The regulations in this subpart implement section 1874(e) of the Social Security Act as it applies to Medicare data made available to qualified entities for the evaluation of the performance of providers and suppliers.

return arrow Back to Top

§401.703   Definitions.

For purposes of this subpart:

(a) Qualified entity means either a single public or private entity, or a lead entity and its contractors, that meets the following requirements:

(1) Is qualified, as determined by the Secretary, to use claims data to evaluate the performance of providers and suppliers on measures of quality, efficiency, effectiveness, and resource use.

(2) Agrees to meet the requirements described in this subpart at §§401.705 through 401.721.

(b) Provider of services (referred to as a provider) has the same meaning as the term “provider” in §400.202 of this chapter.

(c) Supplier has the same meaning as the term “supplier” at §400.202 of this chapter.

(d) Claim means an itemized billing statement from a provider or supplier that, except in the context of Part D prescription drug event data, requests payment for a list of services and supplies that were furnished to a Medicare beneficiary in the Medicare fee-for-service context, or to a participant in other insurance or entitlement program contexts. In the Medicare program, claims files are available for each institutional (inpatient, outpatient, skilled nursing facility, hospice, or home health agency) and non-institutional (physician and durable medical equipment providers and suppliers) claim type as well as Medicare Part D Prescription Drug Event (PDE) data.

(e) Standardized data extract is a subset of Medicare claims data that the Secretary would make available to qualified entities under this subpart.

(f) Beneficiary identifiable data is any data that contains the beneficiary's name, Medicare Health Insurance Claim Number (HICN), or any other direct identifying factors, including, but not limited to postal address or telephone number.

(g) Encrypted data is any data that does not contain the beneficiary's name or any other direct identifying factors, but does include a unique CMS-assigned beneficiary identifier that allows for the linking of claims without divulging any direct identifier of the beneficiary.

(h) Claims data from other sources means provider- or supplier-identifiable claims data that an applicant or qualified entity has full data usage right to due to its own operations or disclosures from providers, suppliers, private payers, multi-payer databases, or other sources.

(i) Clinical data is registry data, chart-abstracted data, laboratory results, electronic health record information, or other information relating to the care or services furnished to patients that is not included in administrative claims data, but is available in electronic form.

(j) Authorized user is a third party and its contractors (including, where applicable, business associates as that term is defined at 45 CFR 160.103) that need analyses or data covered by this section to carry out work on behalf of that third party (meaning not the qualified entity or the qualified entity's contractors) to whom/which the qualified entity provides or sells data as permitted under this subpart. Authorized user third parties are limited to the following entities:

(1) A provider.

(2) A supplier.

(3) A medical society.

(4) A hospital association.

(5) An employer.

(6) A health insurance issuer.

(7) A healthcare provider and/or supplier association.

(8) A state entity.

(9) A federal agency.

(k) Employer has the same meaning as the term “employer” as defined in section 3(5) of the Employee Retirement Insurance Security Act of 1974.

(l) Health insurance issuer has the same meaning as the term “health insurance issuer” as defined in section 2791 of the Public Health Service Act.

(m) Medical society means a nonprofit organization or association that provides unified representation and advocacy for physicians at the national or state level and whose membership is comprised of a majority of physicians.

(n) Hospital association means a nonprofit organization or association that provides unified representation and advocacy for hospitals or health systems at a national, state, or local level and whose membership is comprised of a majority of hospitals and health systems.

(o) Healthcare Provider and/or Supplier Association means a nonprofit organization or association that provides unified representation and advocacy for providers and suppliers at the national or state level and whose membership is comprised of a majority of suppliers or providers.

(p) State Entity means any office, department, division, bureau, board, commission, agency, institution, or committee within the executive branch of a state government.

(q) Combined data means, at a minimum, a set of CMS claims data provided under this subpart combined with claims data, or a subset of claims data from at least one of the other claims data sources described in §401.707(d).

(r) Patient means an individual who has visited the provider or supplier for a face-to-face or telehealth appointment at least once in the past 24 months.

(s) Marketing means the same as the term “marketing” at 45 CFR 164.501 without the exception to the bar for “consent” based marketing.

(t) Violation means a failure to comply with a requirement of a CMS DUA (CMS data use agreement) or QE DUA (qualified entity data use agreement).

(u) Required by law means the same as the phrase “required by law” at 45 CFR 164.103.

[76 FR 76567, Dec. 7, 2011, as amended at 81 FR 44479, July 7, 2016]

return arrow Back to Top

§401.705   Eligibility criteria for qualified entities.

(a) Eligibility criteria: To be eligible to apply to receive data as a qualified entity under this subpart, an applicant generally must demonstrate expertise and sustained experience, defined as 3 or more years, in the following three areas, as applicable and appropriate to the proposed use:

(1) Organizational and governance criteria, including:

(i) Expertise in the areas of measurement that they propose to use in accurately calculating quality, and efficiency, effectiveness, or resource use measures from claims data, including the following:

(A) Identifying an appropriate method to attribute a particular patient's services to specific providers and suppliers.

(B) Ensuring the use of approaches to ensure statistical validity such as a minimum number of observations or minimum denominator for each measure.

(C) Using methods for risk-adjustment to account for variations in both case-mix and severity among providers and suppliers.

(D) Identifying methods for handling outliers.

(E) Correcting measurement errors and assessing measure reliability.

(F) Identifying appropriate peer groups of providers and suppliers for meaningful comparisons.

(ii) A plan for a business model that is projected to cover the costs of performing the required functions, including the fee for the data.

(iii) Successfully combining claims data from different payers to calculate performance reports.

(iv) Designing, and continuously improving the format of performance reports on providers and suppliers.

(v) Preparing an understandable description of the measures used to evaluate the performance of providers and suppliers so that consumers, providers and suppliers, health plans, researchers, and other stakeholders can assess performance reports.

(vi) Implementing and maintaining a process for providers and suppliers identified in a report to review the report prior to publication and providing a timely response to provider and supplier inquiries regarding requests for data, error correction, and appeals.

(vii) Establishing, maintaining, and monitoring a rigorous data privacy and security program, including disclosing to CMS any inappropriate disclosures of beneficiary identifiable information, violations of applicable federal and State privacy and security laws and regulations for the preceding 10-year period (or, if the applicant has not been in existence for 10 years, the length of time the applicant has been an organization), and any corrective actions taken to address the issues.

(viii) Accurately preparing performance reports on providers and suppliers and making performance report information available to the public in aggregate form, that is, at the provider or supplier level.

(2) Expertise in combining Medicare claims data with claims data from other sources, including demonstrating to the Secretary's satisfaction that the claims data from other sources that it intends to combine with the Medicare data received under this subpart address the methodological concerns regarding sample size and reliability that have been expressed by stakeholders regarding the calculation of performance measures from a single payer source.

(3) Expertise in establishing, documenting and implementing rigorous data privacy and security policies including enforcement mechanisms.

(b) Source of expertise and experience: An applicant may demonstrate expertise and experience in any or all of the areas described in paragraph (a) of this section through one of the following:

(1) Activities it has conducted directly through its own staff.

(2) Contracts with other entities if the applicant is the lead entity and includes documentation in its application of the contractual arrangements that exist between it and any other entity whose expertise and experience is relied upon in submitting the application.

return arrow Back to Top

§401.707   Operating and governance requirements for qualified entities.

A qualified entity must meet the following operating and governance requirements:

(a) Submit to CMS a list of all measures it intends to calculate and report, the geographic areas it intends to serve, and the methods of creating and disseminating reports. This list must include the following information, as applicable and appropriate to the proposed use:

(1) Name of the measure, and whether it is a standard or alternative measure.

(2) Name of the measure developer/owner.

(3) If it is an alternative measure, measure specifications, including numerator and denominator.

(4) The rationale for selecting each measure, including the relationship to existing measurement efforts and the relevancy to the population in the geographic area(s) the entity would serve, including the following:

(i) A specific description of the geographic area or areas it intends to serve.

(ii) A specific description of how each measure evaluates providers and suppliers on quality, efficiency, effectiveness, and/or resource use.

(5) A description of the methodologies it intends to use in creating reports with respect to all of the following topics:

(i) Attribution of beneficiaries to providers and/or suppliers.

(ii) Benchmarking performance data, including the following:

(A) Methods for creating peer groups.

(B) Justification of any minimum sample size determinations made.

(C) Methods for handling statistical outliers.

(iii) Risk adjustment, where appropriate.

(iv) Payment standardization, where appropriate.

(b) Submit to CMS a description of the process it would establish to allow providers and suppliers to view reports confidentially, request data, and ask for the correction of errors before the reports are made public.

(c) Submit to CMS a prototype report and a description of its plans for making the reports available to the public.

(d) Submit to CMS information about the claims data it possesses from other sources, as defined at §401.703(h), and documentation of adequate rights to use the other claims data for the purposes of this subpart.

(e) If requesting a 5 percent national sample to calculate benchmarks for the specific measures it is using, submit to CMS a justification for needing the file to calculate benchmarks.

return arrow Back to Top

§401.709   The application process and requirements.

(a) Application deadline. CMS accepts qualified entity applications on a rolling basis after an application is made available on the CMS Web site. CMS reviews applications in the order in which they are received.

(b) Selection criteria. To be approved as a qualified entity under this subpart, the applicant must meet one of the following:

(1) Standard approval process: Meet the eligibility and operational and governance requirements, fulfill all of the application requirements to CMS' satisfaction, and agree to pay a fee equal to the cost of CMS making the data available. The applicant and each of its contractors that are anticipated to have access to the Medicare data must also execute a Data Use Agreement with CMS, that among other things, reaffirms the statutory ban on the use of Medicare data provided to the qualified entity by CMS under this subpart for purposes other than those referenced in this subpart.

(2) Conditional approval process: Meet the eligibility and operational and governance requirements, and fulfill all of the application requirements to CMS' satisfaction, with the exception of possession of sufficient claims data from other sources. Meeting these requirements will result in a conditional approval as a qualified entity. Entities gaining a conditional approval as a qualified entity must meet the eligibility requirements related to claims data from other sources the entity intends to combine with the Medicare data, agree to pay a fee equal to the cost of CMS making the data available, and execute a Data Use Agreement with CMS, that among other things, reaffirms the statutory ban on the use of Medicare data provided to the qualified entity by CMS under this subpart for purposes other than those referenced in this subpart before receiving any Medicare data. If the qualified entity is composed of lead entity with contractors, any contractors that are anticipated to have access to the Medicare data must also execute a Data Use Agreement with CMS.

(c) Duration of approval. CMS permits an entity to participate as a qualified entity for a period of 3 years from the date of notification of the application approval by CMS. The qualified entity must abide by all CMS regulations and instructions. If the qualified entity wishes to continue performing the tasks after the 3-year approval period, the entity may re-apply for qualified entity status following the procedures in paragraph (f) of this section.

(d) Reporting period. A qualified entity must produce reports on the performance of providers and suppliers at least annually, beginning in the calendar year after they are approved by CMS.

(e) The distribution of data—(1) Initial data release. Once CMS fully approves a qualified entity under this subpart, the qualified entity must pay a fee equal to the cost of CMS making data available. After the qualified entity pays the fee, CMS will release the applicable encrypted claims data, as well as a file that crosswalks the encrypted beneficiary ID to the beneficiary name and the Medicare HICN. The data will be the most recent data available, and will be limited to the geographic spread of the qualified entity's other claims data, as determined by CMS.

(2) Subsequent data releases. After the first quarter of participation, CMS will provide a qualified entity with the most recent additional quarter of currently available data, as well as a table that crosswalks the encrypted beneficiary ID to the beneficiary's name and the Medicare HICN. Qualified entities are required to pay CMS a fee equal to the cost of making data available before CMS will release the most recent quarter of additional data to the qualified entity.

(f) Re-application. A qualified entity that is in good standing may re-apply for qualified entity status. A qualified entity is considered to be in good standing if it has had no violations of the requirements in this subpart or if the qualified entity is addressing any past deficiencies either on its own or through the implementation of a corrective action plan. To re-apply a qualified entity must submit to CMS documentation of any changes to what was included in its previously-approved application. A re-applicant must submit this documentation at least 6 months before the end of its 3-year approval period and will be able to continue to serve as a qualified entity until the re-application is either approved or denied by CMS. If the re-application is denied, CMS will terminate its relationship with the qualified entity and the qualified entity will be subject to the requirements for return or destruction of data at §401.721(b).

return arrow Back to Top

§401.711   Updates to plans submitted as part of the application process.

(a) If a qualified entity wishes to make changes to the following parts of its previously-approved application:

(1) Its list of proposed measures—the qualified entity must send all the information referenced in §401.707(a) for the new measures to CMS at least 30 days before its intended confidential release to providers and suppliers.

(2) Its proposed prototype report—the qualified entity must send the new prototype report to CMS at least 30 days before its intended confidential release to providers and suppliers.

(3) Its plans for sharing the reports with the public—the qualified entity must send the new plans to CMS at least 30 days before its intended confidential release to providers and suppliers.

(b) CMS will notify the qualified entity when the entity's proposed changes are approved or denied for use, generally within 30 days of the qualified entity submitting the changes to CMS. If a CMS decision on approval or disapproval for a change is not forthcoming within 30 days and CMS does not request an additional 30 days for review, the change or modification shall be deemed to be approved.

(c) If the amount of claims data from other sources available to a qualified entity decreases, the qualified entity must immediately inform CMS and submit documentation that the remaining claims data from other sources is sufficient to address the methodological concerns regarding sample size and reliability. Under no circumstances may a qualified entity use Medicare data to create a report, use a measure, or share a report after the amount of claims data from other sources available to a qualified entity decreases until CMS determines either that the remaining claims data is sufficient or that the qualified entity has collected adequate additional data to address any deficiencies.

(1) If the qualified entity cannot submit the documentation required in paragraph (c) of this section, or if CMS determines that the remaining claims data is not sufficient, CMS will afford the qualified entity up to 120 days to obtain additional claims to address any deficiencies. If the qualified entity does not have access to sufficient new data after that time, CMS will terminate its relationship with the qualified entity.

(2) If CMS determines that the remaining claims data is sufficient, the qualified entity may continue issuing reports, using measures, and sharing reports.

return arrow Back to Top

§401.713   Ensuring the privacy and security of data.

(a) Data use agreement between CMS and a qualified entity. A qualified entity must comply with the data requirements in its data use agreement with CMS (hereinafter the CMS DUA). Contractors (including, where applicable, business associates) of qualified entities that are anticipated to have access to the Medicare claims data or beneficiary identifiable data in the context of this program are also required to execute and comply with the CMS DUA. The CMS DUA will require the qualified entity to maintain privacy and security protocols throughout the duration of the agreement with CMS, and will ban the use or disclosure of Medicare data or any derivative data for purposes other than those set out in this subpart. The CMS DUA will also prohibit the use of unsecured telecommunications to transmit such data, and will specify the circumstances under which such data must be stored and may be transmitted.

(b) A qualified entity must inform each beneficiary whose beneficiary identifiable data has been (or is reasonably believed to have been) inappropriately accessed, acquired, or disclosed in accordance with the DUA.

(c) Contractor(s) must report to the qualified entity whenever there is an incident where beneficiary identifiable data has been (or is reasonably believed to have been) inappropriately accessed, acquired, or disclosed.

(d) Data use agreement between a qualified entity and an authorized user. In addition to meeting the other requirements of this subpart, and as a pre-condition of selling or disclosing any combined data or any Medicare claims data (or any beneficiary-identifiable derivative data of either kind) and as a pre-condition of selling or disclosing non-public analyses that include individually identifiable beneficiary data, the qualified entity must enter a DUA (hereinafter the QE DUA) with the authorized user. Among other things laid out in this subpart, such QE DUA must contractually bind the authorized user (including any contractors or business associates described in the definition of authorized user) to the following:

(1)(i) The authorized user may be permitted to use such data and non-public analyses in a manner that a HIPAA Covered Entity could do under the following provisions:

(A) Activities falling under paragraph (1) of the definition of “health care operations” under 45 CFR 164.501: Quality improvement activities, including care coordination activities and efforts to track and manage medical costs; patient-safety activities; population-based activities such as those aimed at improving patient safety, quality of care, or population health, including the development of new models of care, the development of means to expand coverage and improve access to healthcare, the development of means of reducing healthcare disparities, and the development or improvement of methods of payment or coverage policies.

(B) Activities falling under paragraph (2) of the definition of “health care operations” under 45 CFR 164.501: Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.

(C) Activities that qualify as “fraud and abuse detection or compliance activities” under 45 CFR 164.506(c)(4)(ii).

(D) Activities that qualify as “treatment” under 45 CFR 164.501.

(ii) All other uses and disclosures of such data and/or such non-public analyses must be forbidden except to the extent a disclosure qualifies as a “required by law” disclosure as defined at 45 CFR 164.103.

(2) The authorized user is prohibited from using or disclosing the data or non-public analyses for marketing purposes as defined at §401.703(s).

(3) The authorized user is required to ensure adequate privacy and security protection for such data and non-public analyses. At a minimum, regardless of whether the authorized user is a HIPAA covered entity, such protections of beneficiary identifiable data must be at least as protective as what is required of covered entities and their business associates regarding protected health information (PHI) under the HIPAA Privacy and Security Rules. In all cases, these requirements must be imposed for the life of such beneficiary identifiable data or non-public analyses and/or any derivative data, that is until all copies of such data or non-public analyses are returned or destroyed. Such duties must be written in such a manner as to survive termination of the QE DUA, whether for cause or not.

(4) Except as provided for in paragraph (d)(5) of this section, the authorized user must be prohibited from re-disclosing or making public any such data or non-public analyses.

(5)(i) At the qualified entity's discretion, it may permit an authorized user that is a provider as defined in §401.703(b) or a supplier as defined in §401.703(c), to re-disclose such data and non-public analyses as a covered entity will be permitted to disclose PHI under 45 CFR 164.506(c)(4)(i), under 45 CFR 164.506(c)(2), or under 45 CFR 164.502(e)(1).

(ii) All other uses and disclosures of such data and/or such non-public analyses is forbidden except to the extent a disclosure qualifies as a “required by law” disclosure.

(6) Authorized users who/that receive the beneficiary de-identified combined data or Medicare data as contemplated under §401.718 are contractually prohibited from linking the beneficiary de-identified data to any other identifiable source of information, and must be contractually barred from attempting any other means of re-identifying any individual whose data is included in such data.

(7) The QE DUA must bind authorized user(s) to notifying the qualified entity of any violations of the QE DUA, and it must require the full cooperation of the authorized user in the qualified entity's efforts to mitigate any harm that may result from such violations, or to comply with the breach provisions governing qualified entities under this subpart.

[76 FR 76567, Dec. 7, 2011, as amended at 81 FR 44479, July 7, 2016]

return arrow Back to Top

§401.715   Selection and use of performance measures.

(a) Standard measures. A standard measure is a measure that can be calculated in full or in part from claims data from other sources and the standardized extracts of Medicare Parts A and B claims, and Part D prescription drug event data and meets the following requirements:

(1) Meets one of the following criteria:

(i) Is endorsed by the entity with a contract under section 1890(a) of the Social Security Act.

(ii) Is time-limited endorsed by the entity with a contract under section 1890(a) of the Social Security Act until such time as the full endorsement status is determined.

(iii) Is developed under section 931 of the Public Health Service Act.

(iv) Can be calculated from standardized extracts of Medicare Parts A or B claims or Part D prescription drug event data, was adopted through notice-and-comment rulemaking, and is currently being used in CMS programs that include quality measurement.

(v) Is endorsed by a CMS-approved consensus-based entity. CMS will approve organizations as consensus-based entities based on review of documentation of the consensus-based entity's measure approval process. To receive approval as a consensus-based entity, an organization must submit information to CMS documenting its processes for stakeholder consultation and measures approval; an organization will only receive approval as a consensus-based entity if all measure specifications are publically available. An organization will retain CMS acceptance as a consensus-based entity for 3 years after the approval date, at which time CMS will review new documentation of the consensus-based entity's measure approval process for a new 3-year approval.

(2) Is used in a manner that follows the measure specifications as written (or as adopted through notice-and-comment rulemaking), including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources.

(b) Alternative measure. (1) An alternative measure is a measure that is not a standard measure, but that can be calculated in full, or in part, from claims data from other sources and the standardized extracts of Medicare Parts A and B claims, and Part D prescription drug event data, and that meets one of the following criteria:

(i) Rulemaking process: Has been found by the Secretary, through a notice-and comment-rulemaking process, to be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures, and is used by a qualified entity in a manner that follows the measure specifications as adopted through notice-and-comment rulemaking, including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources.

(ii) Stakeholder consultation approval process: Has been found by the Secretary, using documentation submitted by a qualified entity that outlines its consultation and agreement with stakeholders in its community, to be more valid, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures, and is used by a qualified entity in a manner that follows the measure specifications as submitted, including all numerator and denominator inclusions and exclusions, measured time periods, and specified data sources. If a CMS decision on approval or disapproval of alternative measures submitted using the stakeholder consultation approval process is not forthcoming within 60 days of submission of the measure by the qualified entity, the measure will be deemed approved. However, CMS retains the right to disapprove a measure if, even after 60 days, we find it to not be “more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource” than a standard measure.

(2) An alternative measure approved under the process at paragraph (b)(1)(i) of this section may be used by any qualified entity. An alternative measure approved under the process at paragraph (b)(1)(ii) of this section may only be used by the qualified entity that submitted the measure for consideration by the Secretary. A qualified entity may use an alternative measure up until the point that an equivalent standard measure for the particular clinical area or condition becomes available at which point the qualified entity must switch to the standard measure within 6 months or submit additional scientific justification and receive approval, via either paragraphs (b)(1)(i) or (b)(1)(ii) of this section, from the Secretary to continue using the alternative measure.

(3) To submit an alternative measure for consideration under the notice-and-comment-rulemaking process, for use in the calendar year following the submission, an entity must submit the following information by May 31st:

(i) The name of the alternative measure.

(ii) The name of the developer or owner of the alternative measure.

(iii) Detailed specifications for the alternative measure.

(iv) Evidence that use of the alternative measure would be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by standard measures.

(4) To submit an alternative measure for consideration under the documentation of stakeholder consultation approval process described in paragraph (b)(1)(ii) of this section, for use once the measure is approved by the Secretary, an entity must submit the following information to CMS:

(i) The name of the alternative measure.

(ii) The name of the developer or owner of the alternative measure.

(iii) Detailed specifications for the alternative measure.

(iv) A description of the process by which the qualified entity notified stakeholders in the geographic region it serves of its intent to seek approval of an alternative measure. Stakeholders must include a valid cross representation of providers, suppliers, payers, employers, and consumers.

(v) A list of stakeholders from whom feedback was solicited, including the stakeholders' names and roles in the community.

(vi) A description of the discussion about the proposed alternative measure, including a summary of all pertinent arguments supporting and opposing the measure.

(vii) Unless CMS has already approved the same measure for use by another qualified entity, no new scientific evidence on the measure is available, and the subsequent qualified entity wishes to rely upon the scientific evidence submitted by the previously approved applicant, an explanation backed by scientific evidence that demonstrates why the measure is more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use not addressed by a standard measure.

return arrow Back to Top

§401.716   Non-public analyses.

(a) General. So long as it meets the other requirements of this subpart, and subject to the limits in paragraphs (b) and (c) of this section, the qualified entity may use the combined data to create non-public analyses in addition to performance measures and provide or sell these non-public analyses to authorized users (including any contractors or business associates described in the definition of authorized user).

(b) Limitations on a qualified entity. In addition to meeting the other requirements of this subpart, a qualified entity must comply with the following limitations as a pre-condition of dissemination or selling non-public analyses to an authorized user:

(1) A qualified entity may only provide or sell a non-public analysis to a health insurance issuer as defined in §401.703(l), after the health insurance issuer or a business associate of that health insurance issuer has provided the qualified entity with claims data that represents a majority of the health insurance issuer's covered lives, using one of the four methods of calculating covered lives established at 26 CFR 46.4375-1(c)(2), for the time period and geographic region covered by the issuer-requested non-public analyses. A qualified entity may not provide or sell a non-public analysis to a health insurance issuer if the issuer does not have any covered lives in the geographic region covered by the issuer-requested non-public analysis.

(2) Analyses that contain information that individually identifies one or more beneficiaries may only be disclosed to a provider or supplier (as defined at §401.703(b) and (c)) when both of the following conditions are met:

(i) The analyses only contain identifiable information on beneficiaries with whom the provider or supplier have a patient relationship as defined at §401.703(r).

(ii) A QE DUA as defined at §401.713(d) is executed between the qualified entity and the provider or supplier prior to making any individually identifiable beneficiary information available to the provider or supplier.

(3) Except as specified under paragraph (b)(2) of this section, all analyses must be limited to beneficiary de-identified data. Regardless of the HIPAA covered entity or business associate status of the qualified entity and/or the authorized user, de-identification must be determined based on the standards for HIPAA covered entities found at 45 CFR 164.514(b).

(4) Analyses that contain information that individually identifies a provider or supplier (regardless of the level of the provider or supplier, that is, individual clinician, group of clinicians, or integrated delivery system) may not be disclosed unless one of the following three conditions apply:

(i) The analysis only individually identifies the provider or supplier that is being supplied the analysis.

(ii) Every provider or supplier individually identified in the analysis has been afforded the opportunity to appeal or correct errors using the process at §401.717(f).

(iii) Every provider or supplier individually identified in the analysis has notified the qualified entity, in writing, that analyses can be disclosed to the authorized user without first going through the appeal and error correction process at §401.717(f).

(c) Non-public analyses agreement between a qualified entity and an authorized user for beneficiary de-identified non-public analyses disclosures. In addition to the other requirements of this subpart, a qualified entity must enter a contractually binding non-public analyses agreement with the authorized user (including any contractors or business associates described in the definition of authorized user) as a pre-condition to providing or selling de-identified analyses. Such non-public analyses agreement must contain the following provisions:

(1) The authorized user may not use the analyses or derivative data for the following purposes:

(i) Marketing, as defined at §401.703(s).

(ii) Harming or seeking to harm patients or other individuals both within and outside the healthcare system regardless of whether their data are included in the analyses.

(iii) Effectuating or seeking opportunities to effectuate fraud and/or abuse in the healthcare system.

(2) If the authorized user is an employer as defined in §401.703(k), the authorized user may only use the analyses or derivative data for purposes of providing health insurance to employees, retirees, or dependents of employees or retirees of that employer.

(3)(i) At the qualified entity's discretion, it may permit an authorized user that is a provider as defined in §401.703(b) or a supplier as defined in §401.703(c), to re-disclose the de-identified analyses or derivative data, as a covered entity will be permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).

(ii) All other uses and disclosures of such data and/or such non-public analyses is forbidden except to the extent a disclosure qualifies as a “required by law” disclosure.

(4) If the authorized user is not a provider or supplier, the authorized user may not re-disclose or make public any non-public analyses or derivative data except as required by law.

(5) The authorized user may not link the de-identified analyses to any other identifiable source of information and may not in any other way attempt to identify any individual whose de-identified data is included in the analyses.

(6) The authorized user must notify the qualified entity of any DUA violations, and it must fully cooperate with the qualified entity's efforts to mitigate any harm that may result from such violations.

[81 FR 44480, July 7, 2016]

return arrow Back to Top

§401.717   Provider and supplier requests for error correction.

(a) A qualified entity must confidentially share measures, measurement methodologies, and measure results with providers and suppliers at least 60 calendar days before making reports public. The 60 calendar days begin on the date on which qualified entities send the confidential reports to providers and suppliers. A qualified entity must inform providers and suppliers of the date the reports will be made public at least 60 calendar days before making the reports public.

(b) Before making the reports public, a qualified entity must allow providers and suppliers the opportunity to make a request for the data, or to make a request for error correction, within 60 calendar days after sending the confidential reports to providers or suppliers.

(c) During the 60 calendar days between sending a confidential report on measure results and releasing the report to the public, the qualified entity must, at the request of a provider or supplier and with appropriate privacy and security protections, release the Medicare claims data and beneficiary names to the provider or supplier. Qualified entities may only provide the Medicare claims and/or beneficiary names relevant to the particular measure or measure result the provider or supplier is appealing.

(d) A qualified entity must inform providers and suppliers that reports will be made public, including information related to the status of any data or error correction requests, after the date specified to the provider or supplier when the report is sent for review and, if necessary, error correction requests (at least 60 calendar days after the report was originally sent to the providers and suppliers), regardless of the status of any requests for error correction.

(e) If a provider or supplier has a data or error correction request outstanding at the time the reports become public, the qualified entity must, if feasible, post publicly the name of the appealing provider or supplier and the category of the appeal request.

(f) A qualified entity must comply with the following requirements before disclosing non-public analyses, as defined at §401.716, which contain information that individually identifies a provider or supplier:

(1) A qualified entity must confidentially notify a provider or supplier that non-public analyses that individually identify the provider or supplier are going to be released to an authorized user at least 65 calendar days before disclosing the analyses. This confidential notification must include a short summary of the analyses (including the measures calculated), the process for the provider or supplier to request the analyses, the authorized users receiving the analyses, and the date on which the qualified entity will release the analyses to the authorized user.

(2) A qualified entity must allow providers and suppliers the opportunity to opt-in to the review and correction process as defined in paragraphs (a) through (e) of this section, anytime during the 65 calendar days. If a provider or supplier chooses to opt-in to the review and correction process more than 5 days into the notification period, the time for the review and correction process is shortened from 60 days to the number of days between the provider or supplier opt-in date and the release date specified in the confidential notification.

[76 FR 76567, Dec. 7, 2011, as amended at 81 FR 44481, July 7, 2016]

return arrow Back to Top

§401.718   Dissemination of data.

(a) General. Subject to the other requirements in this subpart, the requirements in paragraphs (b) and (c) of this section and any other applicable laws or contractual agreements, a qualified entity may provide or sell combined data or provide Medicare data at no cost to authorized users defined at §401.703(b), (c), (m), and (n).

(b) Data—(1) De-identification. Except as specified in paragraph (b)(2) of this section, any data provided or sold by a qualified entity to an authorized user must be limited to beneficiary de-identified data. De-identification must be determined based on the de-identification standards for HIPAA covered entities found at 45 CFR 164.514(b).

(2) Exception. If such disclosure will be consistent with all applicable laws, data that individually identifies a beneficiary may only be disclosed to a provider or supplier (as defined at §401.703(b) and (c)) with whom the identifiable individuals in such data have a current patient relationship as defined at §401.703(r).

(c) Data use agreement between a qualified entity and an authorized user. A qualified entity must contractually require an authorized user to comply with the requirements in §401.713(d) prior to providing or selling data to an authorized user under §401.718.

[81 FR 44481, July 7, 2016]

return arrow Back to Top

§401.719   Monitoring and sanctioning of qualified entities.

(a) CMS will monitor and assess the performance of qualified entities and their contractors using the following methods:

(1) Audits.

(2) Submission of documentation of data sources and quantities of data upon the request of CMS and/or site visits.

(3) Analysis of specific data reported to CMS by qualified entities through annual reports (as described in paragraph (b) of this section) and reports on inappropriate disclosures or uses of beneficiary identifiable data (as described in paragraph (c) of this section).

(4) Analysis of complaints from beneficiaries and/or providers or suppliers.

(b) A qualified entity must provide annual reports to CMS containing information related to the following:

(1) General program adherence, including the following information:

(i) The number of Medicare and private claims combined.

(ii) The percent of the overall market share the number of claims represent in the qualified entity's geographic area.

(iii) The number of measures calculated.

(iv) The number of providers and suppliers profiled by type of provider and supplier.

(v) A measure of public use of the reports.

(2) The provider and supplier data sharing, error correction, and appeals process, including the following information:

(i) The number of providers and suppliers requesting claims data.

(ii) The number of requests for claims data fulfilled.

(iii) The number of error corrections.

(iv) The type(s) of problem(s) leading to the request for error correction.

(v) The amount of time to acknowledge the request for data or error correction.

(vi) The amount of time to respond to the request for error correction.

(vii) The number of requests for error correction resolved.

(3) Non-public analyses provided or sold to authorized users under this subpart, including the following information:

(i) A summary of the analyses provided or sold, including—

(A) The number of analyses.

(B) The number of purchasers of such analyses.

(C) The types of authorized users that purchased analyses.

(D) The total amount of fees received for such analyses.

(E) QE DUA or non-public analyses agreement violations.

(ii) A description of the topics and purposes of such analyses.

(iii) The number of analyses disclosed with unresolved requests for error correction.

(4) Data provided or sold to authorized users under this subpart, including the following information:

(i) The entities who received data.

(ii) The basis under which each entity received such data.

(iii) The total amount of fees received for providing, selling, or sharing the data.

(iv) QE DUA violations.

(c) A qualified entity must inform CMS of inappropriate disclosures or uses of beneficiary identifiable data under the DUA.

(d) CMS may take the following actions against a qualified entity if CMS determines that the qualified entity violated any of the requirements of this subpart, regardless of how CMS learns of a violation:

(1) Provide a warning notice to the qualified entity of the specific concern, which indicates that future deficiencies could lead to termination.

(2) Request a corrective action plan (CAP) from the qualified entity.

(3) Place the qualified entity on a special monitoring plan.

(4) Terminate the qualified entity.

(5) In the case of a violation, as defined at §401.703(t), of the CMS DUA or the QE DUA, CMS will impose an assessment on a qualified entity in accordance with the following:

(i) Amount of assessment. CMS will calculate the amount of the assessment of up to $100 per individual entitled to, or enrolled for, benefits under part A of title XVIII of the Social Security Act or enrolled for benefits under Part B of such title whose data was implicated in the violation based on the following:

(A) Basic factors. In determining the amount per impacted individual, CMS takes into account the following:

(1) The nature and the extent of the violation.

(2) The nature and the extent of the harm or potential harm resulting from the violation.

(3) The degree of culpability and the history of prior violations.

(B) Criteria to be considered. In establishing the basic factors, CMS considers the following circumstances:

(1) Aggravating circumstances. Aggravating circumstances include the following:

(i) There were several types of violations occurring over a lengthy period of time.

(ii) There were many of these violations or the nature and circumstances indicate a pattern of violations.

(iii) The nature of the violation had the potential or actually resulted in harm to beneficiaries.

(2) Mitigating circumstances. Mitigating circumstances include the following:

(i) All of the violations subject to the imposition of an assessment were few in number, of the same type, and occurring within a short period of time.

(ii) The violation was the result of an unintentional and unrecognized error and the qualified entity took corrective steps immediately after discovering the error.

(C) Effects of aggravating or mitigating circumstances. In determining the amount of the assessment to be imposed under paragraph (d)(5)(i)(A) of this section:

(1) If there are substantial or several mitigating circumstance, the aggregate amount of the assessment is set at an amount sufficiently below the maximum permitted by paragraph (d)(5)(i)(A) of this section to reflect the mitigating circumstances.

(2) If there are substantial or several aggravating circumstances, the aggregate amount of the assessment is set at an amount at or sufficiently close to the maximum permitted by paragraph (d)(5)(i)(A) of this section to reflect the aggravating circumstances.

(D) The standards set for the qualified entity in this paragraph are binding, except to the extent that—

(1) The amount imposed is not less than the approximate amount required to fully compensate the United States, or any State, for its damages and costs, tangible and intangible, including but not limited to the costs attributable to the investigation, prosecution, and administrative review of the case.

(2) Nothing in this section limits the authority of CMS to settle any issue or case as provided by part 1005 of this title or to compromise any assessment as provided by paragraph (d)(5)(ii)(E) of this section.

(ii) Notice of determination. CMS must propose an assessment in accordance with this paragraph (d)(5), by notifying the qualified entity by certified mail, return receipt requested. Such notice must include the following information:

(A) The assessment amount.

(B) The statutory and regulatory bases for the assessment.

(C) A description of the violations upon which the assessment was proposed.

(D) Any mitigating or aggravating circumstances that CMS considered when it calculated the amount of the proposed assessment.

(E) Information concerning response to the notice, including:

(1) A specific statement of the respondent's right to a hearing in accordance with procedures established at Section 1128A of the Act and implemented in 42 CFR part 1005.

(2) A statement that failure to respond within 60 days renders the proposed determination final and permits the imposition of the proposed assessment.

(3) A statement that the debt may be collected through an administrative offset.

(4) In the case of a respondent that has an agreement under section 1866 of the Act, notice that imposition of an exclusion may result in termination of the provider's agreement in accordance with section 1866(b)(2)(C) of the Act.

(F) The means by which the qualified entity may pay the amount if they do not intend to request a hearing.

(iii) Failure to request a hearing. If the qualified entity does not request a hearing within 60 days of receipt of the notice of proposed determination, any assessment becomes final and CMS may impose the proposed assessment.

(A) CMS notifies the qualified entity, by certified mail with return receipt requested, of any assessment that has been imposed and of the means by which the qualified entity may satisfy the judgment.

(B) The qualified entity has no right to appeal an assessment for which the qualified entity has not requested a hearing.

(iv) When an assessment is collectible. An assessment becomes collectible after the earliest of the following:

(A) Sixty (60) days after the qualified entity receives CMS's notice of proposed determination under paragraph (d)(5)(ii) of this section, if the qualified entity has not requested a hearing.

(B) Immediately after the qualified entity abandons or waives its appeal right at any administrative level.

(C) Thirty (30) days after the qualified entity receives the ALJ's decision imposing an assessment under §1005.20(d) of this title, if the qualified entity has not requested a review before the DAB.

(D) Sixty (60) days after the qualified entity receives the DAB's decision imposing an assessment if the qualified entity has not requested a stay of the decision under §1005.22(b) of this title.

(v) Collection of an assessment. Once a determination by HHS has become final, CMS is responsible for the collection of any assessment.

(A) The General Counsel may compromise an assessment imposed under this part, after consulting with CMS or OIG, and the Federal government may recover the assessment in a civil action brought in the United States district court for the district where the claim was presented or where the qualified entity resides.

(B) The United States or a state agency may deduct the amount of an assessment when finally determined, or the amount agreed upon in compromise, from any sum then or later owing the qualified entity.

(C) Matters that were raised or that could have been raised in a hearing before an ALJ or in an appeal under section 1128A(e) of the Act may not be raised as a defense in a civil action by the United States to collect an assessment.

[76 FR 76567, Dec. 7, 2011, as amended at 81 FR 44481, July 7, 2016]

return arrow Back to Top

§401.721   Terminating an agreement with a qualified entity.

(a) Grounds for terminating a qualified entity agreement. CMS may terminate an agreement with a qualified entity if CMS determines the qualified entity or its contractor meets any of the following:

(1) Engages in one or more serious violations of the requirements of this subpart.

(2) Fails to completely and accurately report information to CMS or fails to make appropriate corrections in response to confidential reviews by providers and suppliers in a timely manner.

(3) Fails to submit an approvable corrective action plan (CAP) as prescribed by CMS, fails to implement an approved CAP, or fails to demonstrate improved performance after the implementation of a CAP.

(4) Improperly uses or discloses claims information received from CMS in violation of the requirements in this subpart.

(5) Based on its re-application, no longer meets the requirements in this subpart.

(6) Fails to maintain adequate data from other sources in accordance with §401.711(c).

(7) Fails to ensure authorized users comply with their QE DUAs or analysis use agreements.

(b) Return or destruction of CMS data upon voluntary or involuntary termination from the qualified entity program:

(1) If CMS terminates a qualified entity's agreement, the qualified entity and its contractors must immediately upon receipt of notification of the termination commence returning or destroying any and all CMS data (and any derivative files). In no instance can this process exceed 30 days.

(2) If a qualified entity voluntarily terminates participation under this subpart, it and its contractors must return to CMS, or destroy, any and all CMS data in its possession within 30 days of notifying CMS of its intent to end its participation.

[76 FR 76567, Dec. 7, 2011, as amended at 81 FR 44482, July 7, 2016]

return arrow Back to Top

§401.722   Qualified clinical data registries.

(a) A qualified clinical data registry that agrees to meet all the requirements in this subpart, with the exception of §401.707(d), may request access to Medicare data as a quasi qualified entity in accordance with such qualified entity program requirements.

(b) Notwithstanding §401.703(q) (generally defining combined data), for purposes of qualified clinical data registries acting as quasi qualified entities under the qualified entity program requirements, combined data means, at a minimum, a set of CMS claims data provided under this subpart combined with clinical data or a subset of clinical data.

[81 FR 44482, July 7, 2016]

return arrow Back to Top