On June 8, 2011, CMS published a Notice of Proposed Rulemaking (“NPRM”) to implement a provision of the Affordable Care Act (“ACA”) giving qualified entities access to Medicare claims data for use in evaluating the performance of health care providers.

This NPRM seeks to implement an ACA provision that will make available Medicare claims data for the purpose of allowing private entities to prepare publicly available evaluations and comparisons of provider performance.  The NPRM describes how an organization that meets extensive qualification requirements may pay an annual fee to access patient-level Medicare Parts A, B, and D data.  These entities will combine Medicare data with private-sector claims data that they already have access to in order to prepare public reports measuring the performance of physicians, other providers, and suppliers.  The intent of the law and NPRM is to help consumers and payors make informed decisions about their health care by selecting the highest-quality providers in their areas.

This NPRM is potentially significant because, to date, private-sector entities have had few opportunities to access patient-level data associated with specific identified providers.  If successful, this new authority could greatly increase the availability of comparative information on health care providers. 

What Data Will Be Available to Qualified Entities for Use in Evaluating Provider Performance?

Qualified entities will gain access to claims data from Medicare Parts A and B (in addition to drug event data under Part D) for a particular region or area.  CMS will not provide claims data generated under Part C through private insurance.  Generally, data will be encrypted with a unique beneficiary identifier that allows for the linking of claims without divulging the identity of the beneficiary.  However, under certain defined circumstances, entities will gain access to patient-identified data for the purpose of assisting Medicare providers in verifying and correcting data on their performance.  The NPRM proposes that CMS will provide the most recent three years of data available and that the data will be limited to the geographic spread of the qualified entity’s private-sector claims data.

How Will an Entity Qualify to Receive Medicare Data?

The NPRM proposes that an organization must satisfy the following criteria to qualify to gain access to claims data:

  • Ability to prove it can keep the data secure:  Embedded in the proposed rule are strong patient privacy protections.  Disclosure of the original claims data is permitted under the Privacy Rule issued under the Health Insurance Portability and Accountability Act (“HIPAA”) as a disclosure “required by law.”  A qualifying entity must demonstrate that it has adopted a rigorous data privacy and security program. 
  • Access to at least one other source of non-Medicare data:  As required by the ACA, entities must demonstrate that they have access to data from non-Medicare commercial sources to use with the Medicare data in producing performance reports for providers and suppliers.  CMS is considering requiring that entities have data from more than one commercial source.  A qualifying entity must demonstrate the ability to accurately calculate quality, efficiency, effectiveness, and resource use by successfully combining claims data from different payors. 
  • Ability to produce accurate performance reports:  A qualifying entity must provide CMS with a description of methodologies to be used in creating performance reports, including its ability to use risk adjustment and make determinations on minimum sample size.  An entity must also demonstrate its ability to make performance report information available to the public in aggregate form (i.e., such that no individual patient data would be shared or made available). 
  • Development of a review and grievance procedure for providers:  A qualifying entity must have the ability to implement a process for providers and suppliers identified in a report to review the report confidentially prior to publication.  This review period must come at least 30 days prior to the public release of any reports.  The NPRM provides for a minimum 10-day period for providers to request supporting data and a minimum 10-day period to review requested data and identify errors.  The qualifying entity must provide timely responses to provider and supplier inquiries regarding requests for data, error correction, and appeals.

What Performance Measures Will Be Included in Performance Reports?

Qualifying entities must use a standard performance measure or an approved alternative performance measure.  A “standard measure” is defined in part as a measure that can be calculated using only claims data and is endorsed by the National Quality Forum.  “Standard measures” also include any measure that has been adopted through rulemaking and that is currently used in a CMS program that involves performance measurement.  While there are many standard measures, only a subset are possible to evaluate using only claims data.  An entity may propose to use an “approved alternative measure” for evaluating performance in an area of performance measurement where a standard measure does not already exist, or if a standard measure already exists an alternative measure may be approved for use, provided the alternative is more valid, reliable, and responsive to consumer preferences.  The alternative measure must be approved by the Secretary through future rulemaking. 

How and on What Basis Will CMS Monitor Qualified Entities?

CMS intends to continually monitor qualified entities upon approval through the submission and review of annual reports relating to general program adherence and engagement of providers and suppliers.

Given concerns about sample size and the validity of statistical measures, CMS intends to closely monitor data sources used in performance appraisals to ensure the reliability of results.  Moreover, given the sensitive nature of the disclosures, CMS also proposes the ongoing obligation that qualified entities apply privacy and security protections to the released data (e.g., execution of a Data Use Agreement, which contains significant penalties—civil monetary and criminal penalties—for inappropriate disclosures of data).  Entities that do not comply with the specified procedures risk sanctions, including termination from the program.

What Is the Impact on Health Care Providers?

  • Increased resources spent on the measure report review process:  Given that comparative quality reporting, based on private and Medicare claims data, has the potential to put providers in an unfavorable light and influence value-based purchasing by consumers, providers will want to ensure the accuracy of performance reports.  Providers may need to expend significant time and resources on reviewing performance reports before they are made public to identify errors in performance measures of quality, efficiency, and cost.
  • The potential for an unfair representation of a provider based on a performance report:  Without proper adjustment for certain variables—the size of the provider, the number of procedures performed by the provider, the degree to which populations served are resource-intensive, etc.—there may be questions as to the reliability of the reports on specific performance measures. 
  • Increased data and security measures:  As part of the measure report review process, health care providers may receive beneficiary-identifiable health information from qualified entities.  This necessitates continued compliance with HIPAA Privacy and Security rules.  For the few providers that are not subject to HIPAA, CMS proposes the requirement that qualified entities demonstrate the existence of appropriate safeguards in protecting the data before such information may be transmitted to providers.  This may require that providers enter into signed privacy and security agreements with qualified entities.
  • Incentives to improve quality, efficiency, and resource use:  As described above, performance reports are instrumental in value-based purchasing by consumers.  The inclusion of Medicare data in the appraisal process will paint a more accurate and comprehensive picture of performance and will serve to hold providers accountable for their delivery of care to both Medicare and commercial consumers alike.

What Issues Are Open for Comment?

Among the areas that CMS is requesting comment on are:

  • Should CMS consider the ability of entities to cover the fees associated with accessing the extracted data?
  • Should qualified entities be permitted to charge for the release of their performance reports?
  • Should claims data be provided on both a regional and a national basis?
  • Should there be a precise threshold amount of non-Medicare data required to address concerns about sample size and reliability?

Comments are due by August 8, 2011.  The NPRM is available here.