System Name: "ESRD Program Management and Medical Information (PMMIS)," HHS/CMS/OCSQ.
Security Classification: Level Three Privacy Act Sensitive Data.
CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850 and at various other contractor locations.
Categories of Individuals Covered by the System: This system will collect and maintain individually identifiable and other data collected on individuals with ESRD who receive Medicare benefits or who are treated by DVA health care facilities. The system contains information on both the beneficiary and the provider of services.
Categories of Records in the System: The collected information will include, but is not limited to beneficiary/patient medical records, claims data, and payment data collected from several non-reimbursement data collection instruments and Medicare bills. The provider of services' name, address, Medicare identification number, types of services provided, certification and or termination date, and ESRD network number.
Authority for Maintenance of the System: The statutory authority for this system is given under the provisions of Sections 226A, 1875, and 1881 of the Social Security Act (the Act) (Title 42 United States Code (U.S.C.), sections 426-1, 1395ll, and 1395rr).
Purpose(s): The primary purpose of the system of records is to maintain information on Medicare ESRD beneficiaries, non-Medicare ESRD patients; Medicare approved ESRD hospitals and dialysis facilities, and Department of Veterans Affairs (DVA) patients. The ESRD/PMMIS is used by CMS and the renal community to perform their duties and responsibilities in monitoring the Medicare status, transplant activities, dialysis activities, and Medicare utilization (inpatient and physician/supplier bills) of ESRD patients and their Medicare providers, as well as in calculating the Medicare covered periods of ESRD. Information retrieved from this system of records will also be disclosed to: (1) Support regulatory, reimbursement, and policy functions performed within the Agency or by a contractor, consultant or grantee; (2) assist another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent; (3) support an ESRD Network Organizations; (4) assist Quality Improvement Organizations (QIO) to implement quality improvement programs; (5) facilitate research on the quality and effectiveness of care provided and payment related projects; (6) permit the release of priority personal information to complete a transfer out event and/or a transfer-in event; (7) support litigation involving the agency; and, (8) combat fraud, waste, and abuse in certain health benefits programs.
Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of such Uses:
The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a "routine use." The proposed routine uses in this system meet the compatibility requirement of the Privacy Act. We are proposing to establish the following routine use disclosures of information maintained in the system:
1. To agency contractors, consultants or grantees, who have been engaged by the agency to assist in the performance of a service related to this collection and who need to have access to the records in order to perform the activity.
2. To another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent to:
a. Contribute to the accuracy of CMS's proper payment of Medicare benefits,
b. Enable such agency to administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds, and/or
c. Determine compliance with the Federal conditions that an ESRD facility must meet in order to participate in Medicare.
3. To ESRD Network Organizations in connection with review of claims, or in connection with studies or quality improvements projects or other review activities, and in performing affirmative outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans.
4. To Quality Improvement Organizations in connection with review of claims, or in connection with studies or quality improvements projects or other review activities, conducted pursuant to Part B of Title XI of the Social Security Act and in performing affirmative outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans.
5. To an individual or organization for a research project or in support of an evaluation project related to the prevention of disease or disability, the restoration or maintenance of health, or payment related projects.
6. To assist with a transfer out event from a losing ESRD facility and/or a transfer-in event to a gaining ESRD facility to:
a. Contribute to the accuracy of CMS' proper payment of Medicare benefits; and
b. Enable such facilities to ensure the proper transfer of health records, and/or as necessary to enable such a facility to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and
c. Assist ESRD programs which may require PMMIS information for purposes related to this system.
Information will be released to these facilities upon specific request, and only for those facilities if they meet the following requirements:
d. Provide an attestation or other qualifying information that they are providing assistance to qualified ESRD beneficiaries/patients;
e. Submit a report of the transfer-in or transfer-out event with the following required priority information: Name, address, HICN or SSN, date of birth;
f. Safeguard the confidentiality of the data and prevent unauthorized access; and
g. Complete a written statement attesting to the information recipient's understanding of and willingness to abide by these provisions.
7. To the Department of Justice (DOJ), court or adjudicatory body when:
a. The agency or any component thereof, or
b. Any employee of the agency in his or her official capacity, or
c. Any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee, or
d. The United States Government, is a party to litigation or has an interest in such litigation, and, by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records.
8. To a CMS contractor (including, but not necessarily limited to, fiscal intermediaries and carriers) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such program.
9. To another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency), that administers, or that has the authority to investigate potential fraud, waste, or abuse in, a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such programs.
B. Additional Provisions Affecting Routine Use Disclosures:
To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation "Standards for Privacy of Individually Identifiable Health Information" (45 CFR parts 160 and 164, subparts A and E) 65 FR 82462 (12-28-00). Disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the "Standards for Privacy of Individually Identifiable Health Information." (See 45 CFR 164-512 (a) (1)).
In addition, our policy will be to prohibit release even of data not directly identifiable, except pursuant to one of the routine uses or if required by law, if we determine there is a possibility that an individual can be identified through implicit deduction based on small cell sizes (instances where the patient population is so small that individuals could, because of the small size, use this information to deduce the identity of the beneficiary).
Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System—
Storage: All records are stored on electronic media.
Retrievability: The collected data are retrieved by an individual identifier; e.g., beneficiary name or HICN, and unique provider identification number.
Safeguards: CMS has safeguards in place for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.
This system will conform to all applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: The Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications; the HHS Information Systems Program Handbook and the CMS Information Security Handbook.
Retention and Disposal: Records will be retained until an approved disposition authority is obtained from the National Archives and Records Administration. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from DOJ.
System Manager(s) and Address(es):
Director, Information Support Group, Office of Clinical Standards and Quality, CMS, Room S3-02-01, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.
Notification Procedure: For purpose of access, the subject individual should write to the system manager who will require the system name, employee identification number, tax identification number, national provider number, and for verification purposes, the subject individual's name (woman's maiden name, if applicable), HICN, and/or SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay).
Record Access Procedures: For purpose of access, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a) (2)).
Contesting Record Procedures: The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7).
Record Source Categories: The data contained in these records are obtained from Medicare ESRD medical evidence reports, kidney transplant reports, ESRD beneficiary reimbursement method selection forms, ESRD death notification forms, Medicare bills, CMS Medicare Master files, ESRD facility surveys, ESRD facility certification notices, and the Medicare/Medicaid Automated Certification System (MMACS).
Exemptions Claimed for the System: None.
1. ESRD Network of New England, Incorporated, Post Office Box 9484, New Haven, Connecticut 06534.
2. ESRD Network of New York, Incorporated, 1249 Fifth Avenue, A-419, New York, New York 10029.
3. Trans-Atlantic Renal Council, Cranbury Plaza, 2525 Route 130--Building C, Cranbury, New Jersey 08512-9595.
4. ESRD Network Organization Number 4, 200 Lothrop Street, Pittsburgh, Pennsylvania 15213-2582.
5. Mid-Atlantic Renal Coalition, 1527 Huguenot Road, Midlothian, Virginia 23113.
6. Southeastern Kidney Council, Incorporated, 1000 Saint Albans Drive, Suite 270, Raleigh, North Carolina 27609.
7. ESRD Network of Florida, Incorporated, One Davis Boulevard, Suite 304, Tampa, Florida 33606.
8. Network 8, Incorporated, Post Office Box 55868, Jackson, Mississippi 39296-5868.
9 & 10. The Renal Network, Incorporated, 911 East 86th Street, Suite 202, Indianapolis, Indiana 46240.
11. Renal Network of the Upper Midwest, 970 Raymond Avenue #205, Saint Paul, Minnesota 55114.
12. ESRD Network Number 12, 7509 NW T Tiffany Spring Parkway, Suite 105, Kansas City, Missouri 64153.
13. ESRD Network Organization Number 13, 6600 North Meridan Avenue, Suite 155, Oklahoma City, Oklahoma 73116-1411.
14. ESRD Network of Texas, Incorporated, 14114 Dallas Parkway, Suite 660, Dallas, Texas 75240-4349.
15. Intermountain ESRD Network, Incorporated, 1301 Pennsylvania Street, Suite 220, Denver, Colorado 80203-5012.
16. Northwest Renal Network, 4702 42nd Avenue, Seattle, Washington 98116.
17. TransPacific Renal Network, 25 Mitchell Boulevard, Suite 7, San Rafael, California 94903.
18. Southern California Renal Disease Council, 6255 Sunset Boulevard, Suite 2211, Los Angeles, California 90082.