Qualified entity rule finalized, privacy concerns mandate de-identification process

Providers that have been approved as qualified entities will be able to use combined data and information received from CMS to conduct non-public analyses. Entities may also sell the analyses or the data itself to authorized users, as long as compliance with the Health Insurance Portability and Accountability Act (HIPAA) is ensured. CMS’ Final rule implementing section 105 of the Medicare Access and CHIP Reauthorization Act (MACRA) published in the Federal Register July 7, 2016.

Purpose

CMS stated that the purpose of the Proposed rule (81 FR 5397) was to allow the use of claims data to improve care delivery (see CMS walks through the data access door opened by MACRA and ACA, Health Law Daily, February 1, 2016). The Patient Protection and Affordable Care Act (ACA) (P.L. 111-148), Section 10332, established the qualified entity program, which required CMS to combine Medicare Parts A and B data with Part D drug-event data, as well as other non-Medicare data, to evaluate provider and supplier performance. MACRA expanded this program, allowing the data to be used more effectively.

Parameters

Qualified entities must disclose patient-identifiable data in accordance with a required qualified entity data use agreement (QE DUA). If this agreement is violated by either the disclosing entity or the authorized user, they will be subject to assessment. Qualified entities making data available to other parties will be subject to annual reporting requirements. The QE DUA permits authorized users to re-disclose data in the way a covered entity would be allowed to disclose protected health information (PHI) for treatment activities. A qualified entity may not provide or sell an analysis to an issuer for a geographic area in which that issue does not provide coverage.

Comments and changes

The final version largely incorporates the Proposed rule, with a few changes or clarifications based on comments. The agency considers combined data as a set of CMS claims data combined with a subset of claims data from other sources. Commenters requested that CMS alter this definition to allow clinical data to be included. In response, CMS stated that it did not have the statutory authority to modify the definition of combined data, but agreed that clinical data may have value and highlighted that qualified entities are not prevented from merging other data to develop an analysis. CMS declined to require qualified entities to publicly report the claims data received and any other data it intends to use for the analysis, since the analysis will remain between qualified entities and authorized users.

CMS proposed a general bar on the disclosure of patient-identifiable data to authorized users, along with a requirement that any claims data provided to an authorized user be de-identified according to HIPAA rules. An exception was proposed to allow a qualified entity to provide identifiable information as long as the authorized user is a provider that has a patient relationship with every identifiable patient. CMS noted that some limited data sets include indirect identifiers, and that these are still subject to HIPAA. CMS believes that authorized users can conduct most types of analysis with de-identified data, or they can ask the qualified entity to conduct a specific analysis on their behalf.