System Name: Medicare Drug Data Processing System (DDPS), HHS/CMS/CBC.
Security Classification: Level Three Privacy Act Sensitive.
System Location(s):
CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850 and at various contractor sites.
Categories of Individuals Covered by the System: This system collects and maintains individually identifiable information on all people with Medicare who have enrolled into a Medicare Part D plan and individually identifiable data on prescribing health care professional, referring/servicing physician, and providers.
Categories of Records in the System: The data includes, but is not limited to, summary prescription drug claim data and individually identifiable beneficiary information such as: Beneficiary name, address, city, state, ZIP code, card holder identification number, date of service, gender, demographic, other identifying data, and optionally, the patient's date of birth. Identifying information of prescribing health care professional and providers of services and referring/servicing physician include provider/physician name, title, address, city, state, ZIP code, e-mail address, telephone numbers, fax number, state licensure number, Social Security Numbers, Federal tax identification numbers, prescriber identification number, assigned provider number (facility, referring/servicing physician), Drug Enforcement Agency (DEA) assigned identification number, and numerous other data elements related to the processing of the prescription drug claim.
Authority for Maintenance of the System: This system is mandated under provisions of the Medicare Prescription Drug, Improvement, and Modernization Act, amending the Social Security Act by adding Part D under Title XVIII (§§ 1860D-15(c)(1)(C) and (d)(2)), as described in Title 42, Code of Federal Regulations (CFR) 423.301 et seq. as well as1860D-12(b)(3)(D) and 1106 of the Act, as described in 42 CFR 423.505(b)(8), (f), (l), and (m).
Purpose(s): The primary purpose of this system is to collect, maintain, and process information on all Medicare covered, and as many non-covered drug events as possible, for people with Medicare who have enrolled into a Medicare Part D plan. The system will help CMS determine appropriate payment of covered drugs. It will also provide for processing, storing, and maintaining drug transaction data in a large-scale database, while putting data into data marts to support payment analysis. CMS would allow the expanded release of information in this system to: (1) Support regulatory, analysis, oversight, reimbursement, operational and policy functions performed within the agency or by a contractor, consultant, or a CMS grantee; (2) help another Federal and/or state agency, agency of a state government, an agency established by state law, or its fiscal agent; (3) assist Medicare Part D sponsors; (4) support an individual or organization with projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services or for a research, evaluation, or epidemiological or other project related to protecting the public's health, the prevention of disease or disability, the restoration or maintenance of health, or for payment related purposes; (5) assist Quality Improvement Organizations; (6) support lawsuits involving the agency; and (7) combat fraud, waste, and abuse in certain Federally funded health benefits programs.
Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of such Uses:
A. Entities Who May Receive Disclosures Under Routine Use:
These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may use and disclose information from the DDPS without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish or modify the following routine use disclosures of information maintained in the system:
1. To support Agency contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this SOR and who need to have access to the records in order to assist CMS.
2. To assist another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent pursuant to agreements with CMS to:
a. Contribute to the accuracy of CMS's payment of Medicare benefits;
b. Administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and/or
c. Access data required for Federal/state Medicaid programs.
3. To support Part D Prescription Drug sponsors, pharmacy benefit managers, claims processors, and other Prescription Drug Event submitters, in protecting their own members (and former members for the periods enrolled in a given plan) against medical expenses of their enrollees without the beneficiary's authorization, and having knowledge of the occurrence of any event affecting (a) an individual's right to any such benefit or payment, or (b) the initial right to any such benefit or payment, for the purpose of coordination of benefits with the Medicare program and implementation of the Medicare Secondary Payer provision at 42 U.S.C. 1395y(b). Information to be disclosed shall be limited to Medicare utilization data necessary to perform that specific function. In order to receive the information, they must agree to:
a. Certify that the individual about whom the information is being provided is one of its insured or employees, or is insured and/or employed by another entity for whom they serve as a Third Party Administrator;
b. Utilize the information solely for the purpose of processing the individual's insurance claims; and
c. Safeguard the confidentiality of the data and prevent unauthorized access.
4. To assist an individual or organization with research, an evaluation, or an epidemiological or other project related to protecting the public's health, the prevention of disease or disability, restoration or maintenance of health, or for payment related purposes. This includes projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services. CMS must:
a. Determine if the use or disclosure of data violate legal limitations under which the record was provided, collected, or obtained;
b. Determine that the purpose for the use or disclosure of information:
(1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form;
(2) Is of sufficient importance to warrant the effect or risk on the privacy of the individual; and
(3) Meets the objectives of the project;
c. Requires the recipient of the information to:
(1) Establish reasonable administrative, technical, and physical protections to prevent unauthorized use or disclosure of information;
(2) Remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the project, unless the recipient presents an adequate justification for retaining such information; and
(3) No longer use or disclose information except:
(a) In emergency circumstances affecting the health or safety of any individual;
(b) For use in another research project, under these same conditions and with written CMS approval;
(c) For an audit related to the research;
(d) For disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit; or
(e) When required by Federal law.
d. Get signed, written statements from the entity receiving the information that they understand and will follow all provisions in this notice.
e. Complete and submit a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies.
5. To support Quality Improvement Organization (QIO) with claims review process or with studies or other review activities performed in accordance with Part B of Title XI of the Social Security Act. QIOs can also use the data for outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans.
6. To assist the Department of Justice (DOJ), court, or adjudicatory body when there is a lawsuit in which the Agency, any employee of the Agency in his or her official capacity or individuals capacity (if the DOJ agrees to represent the employee), or the United States Government is a part of CMS' policies or operations could be affected by the outcome. The information must be both relevant and necessary to the lawsuit, and the use of records is for a purpose that is compatible with the purpose for which CMS collected records.
7. To support a CMS contractor that assists in the administration of a CMS health benefits program, or a grantee of a CMS-administered grant program, if the information is necessary, in any capacity, to combat fraud, waste, or abuse in such program. CMS will only provide this information if CMS can enter into a contract or grant for this purpose.
8. To support another Federal agency or any United States government jurisdiction (including any state, or local governmental agency), if the information is necessary, in any capacity to combat fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds.
B. Additional Circumstances Affecting Routine Use Disclosures:
To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation "Standards for Privacy of Individually Identifiable Health Information" (45 CFR Parts 160 and 164, Subparts A and E) 65 FR 82462 (12-28-00) release of information that are otherwise allowed by these routine uses may only be made if, and as, permitted or required by the "Standards for Privacy of Individually Identifiable Health Information." (See 45 CFR 164-512 (a)(1).)
In addition, CMS will not give out information that is not directly identifiable if there is a possibility that a person with Medicare could be identified because the sample is small enough to identify participants. CMS would make exceptions if the information is needed for one of the routine uses or if it's required by law.
9. To assist a public or private entity that is qualified (as determined by the Secretary of the Department of Health and Human Services (the Secretary)) to use Medicare claims data to evaluate the performance of providers of services and suppliers on measures of quality, efficiency, effectiveness, and resource use; and who agrees to meet the requirements regarding the transparency of their methods and their use and protection of Medicare data as the Secretary may specify, if CMS:
a. Determines that the use or disclosure does not violate legal limitations under which the record was provided, collected, or obtained; and
b. Secures a written statement attesting to the information recipient's understanding of and willingness to abide by these provisions. Every Qualified Entity receiving data must have an agreement with CMS in the form of an Information Exchange Agreement or contract with all security and privacy requirements included. A Data Use Agreement (DUA) (CMS Form 0235) must be completed by the person receiving CMS data in accordance with current CMS policies.
This routine use fulfills the requirement in section 1174(e) of the Social Security Act (42 U.S.C. 1395kk (e)) to make standardized extracts of claims data under Medicare Parts A, B, and D available to a Qualified Entity (QE), recognized by the Secretary to make evaluations of provider/supplier performance in accordance with that section, and that agrees to meet specific requirements regarding the transparency of their methods and their use and protection of Medicare data. The IDR, National Claims History (NCH), CCDR, and Part D data will provide QEs, a broader, longitudinal, national perspective of the performance of Medicare providers/suppliers for use in authorized QE projects that could ultimately improve the care provided to Medicare beneficiaries and the policy that governs the care.
Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System—
Storage: Records are stored on both tape cartridges (magnetic storage media) and in a DB2 relational database management environment (DASD data storage media).
Retrievability: Information is most frequently retrieved by HICN, provider number (facility, physician, IDs), service dates, and beneficiary state code.
Safeguards: CMS has protections in place for authorized users to make sure they are properly using the data and there is no unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system cannot use or disclose data until the recipient agrees to implement appropriate management, operational and technical safeguards that will protect the confidentiality, integrity, and availability of the information and information systems.
This system would follow all applicable Federal laws and regulations, and Federal, HHS, and CMS security and data privacy policies and standards. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002 (when applicable); the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E- Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to all pertinent National Institute of Standards and Technology publications, the HHS Information Systems Program Handbook, and the CMS Information Security Handbook.
Retention and Disposal: Records are maintained with identifiers for all transactions after they are entered into the system for a period of 20 years. Records are housed in both active and archival files. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from the Department of Justice.
System Manager(s) and Address(es):
Director, Centers for Beneficiary Choices, CMS, Mail stop C5-19-07, 7500 Security Boulevard, Baltimore, Maryland 21244 -1850.
Notification Procedure: For purpose of notification, the subject individual should write to the system manager who will require the system name, and the retrieval selection criteria (e.g., HICN, facility/pharmacy number, service dates, etc.).
Record Access Procedures: For purpose of access, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a)(2).)
Contesting Record Procedures: The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)
Record Source Categories: Summary prescription drug claim information contained in this system is obtained from the Part D Sponsor daily and monthly drug event transaction reports, Medicare Beneficiary Database (09-70-0530), and other payer information to be provided by the TROOP Facilitator.
System Exempted from Certain Provisions of the Act: None.
