Privacy Act of 1974; Report of New System of Records

Federal Register, May 3, 2016
81 Fed. Reg. 26566 (May 3, 2016)

AGENCY:

Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).

ACTION:

Notice of New System of Records (SOR).

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, we are proposing to establish a new SOR titled, “CMS Risk Adjustment Data Validation System (RAD-V),” System No. 09-70-0511. Under § 1343 of the Patient Protection and Affordable Care Act (Pub. L. 111-148) as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152), (hereinafter, the ACA), and the implementing regulations at 45 CFR part 153, data collected and maintained in this system will be used to support the audit functions of the risk adjustment program, including validation activities under the risk adjustment data validation program.

The goal of the risk adjustment program is to provide payments to non-grandfathered health insurance issuers in the individual and small group markets that attract higher-risk populations, including a validation program to ensure the reliability of data used as a basis for risk adjustment payments and charges. Non-grandfathered plans are health plans that came into existence after March 23, 2010. Insurers offering these plans were required to modify them to follow the ACA rules as of January 1, 2014.

The RAD-V system will contain personally identifiable information (PII) about individuals who are current or former enrollees in non-grandfathered health plans, including information obtained through the risk adjustment data validation process to establish the relative deviation from the average. The program and the system of record are more thoroughly described in the SUPPLEMENTARY INFORMATION section and System of Records Notice below.

At this time, the only personally identifiable information that will be collected under this System will be through the RAD-V, part of the risk adjustment program.

DATES:

This action will be effective without further notice 30 days after publication in the Federal Register or 40 days after providing a report of this Notice to the Office of Management and Budget and Congress, whichever is later. Written comments should be submitted within 30 days of publication in the Federal Register. HHS may publish an amended system of records notice (SORN) in light of any comments received.

ADDRESSES:

Written comments can be sent to: CMS Privacy Act Officer, Division of Security, Privacy Policy & Governance, Information Security & Privacy Group, Office of Enterprise Information, CMS, 7500 Security Boulevard, Baltimore, MD 21244-1870, Mailstop: N1-24-08, or by E-Mail to: walter.stone@cms.hhs.gov. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time zone.

FOR INFORMATION CONTACT:

Catherine Anderson, RAD-V Mailbox Coordinator, Division of Risk Adjustment Operations, CCIIO, CMS, 7500 Security Boulevard, Baltimore, Maryland 21244. The email address is CCIIOACARADataValidation@cms.hhs.gov.

SUPPLEMENTARY INFORMATION:

Section 1343(b) of the ACA requires the Secretary to establish criteria and methods to carry out a risk adjustment program. Section 1321(a)(1)(C) of the ACA directs the Secretary to issue regulations and set standards to establish the risk adjustment program. Consistent with § 1321(c)(1) of the ACA, 45 CFR 153.310(a) provides that HHS will operate risk adjustment where a State does not elect to administer the risk adjustment program. The primary goals of the risk adjustment program are to assist health plans that provide coverage to individuals with higher health care costs and to help ensure that those who are sick have access to the coverage they need. The ACA's risk adjustment program also serves to level the playing field inside and outside of the individual and small group markets in each state by stabilizing premiums.

Under 45 CFR 153.620(b), issuers of risk adjustment covered plans must maintain documents and records to enable such evaluation, and must make such records available to HHS upon request for purposes of verification, investigation, audit or other review. As part of the risk adjustment data validation program, HHS may audit an issuer of a risk adjustment covered plan to assess its compliance with the risk adjustment requirements.

The state, or HHS on behalf of the state, must ensure proper validation of a statistically valid sample of risk adjustment data from each issuer that offers at least one risk adjustment covered plan in that state, as well as an administrative process to appeal findings from the risk adjustment data validation process. When HHS is conducting the risk adjustment data validation program, 45 CFR 153.620(a) and 153.630(a) require issuers of risk adjustment covered plans to comply with any request for data for any audit or validation performed, including relevant source enrollment documentation, all claims and encounter data, and medical record documentation.

Existing information privacy and security standards, such as standards under HIPAA and those detailed at 45 CFR 153.630(f)(2), which governs the risk adjustment data validation program, will apply to issuers and their initial validation auditors. In order to minimize the amount of individually identifiable information collected, CMS will use the smallest possible sample size that will provide a statistically valid sample, in accordance with the regulations at 45 CFR 153.350(a).

The Privacy Act

The Privacy Act governs the collection, maintenance, use, and dissemination of certain information about individuals by agencies of the federal government. A system of records is a group of any records under the control of a federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish notice in the Federal Register of the existence and character of each system of records that the agency maintains, including the name and location of the system; the categories of individuals on whom records are maintained; the categories, routine uses, and sources of the records; the agency's policies and practices regarding storage, retrieval, access controls, and retention and disposal of the records; and the title and business address of the agency official to contact with notification, access, and amendment requests.

SYSTEM NUMBER:

09-70-0511.

SYSTEM NAME:

Risk Adjustment Data Validation System (RAD-V), HHS/CMS/CCIIO.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The RAD-V will be physically located at the CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, MD 21244-1850, and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The system will contain information about individuals currently or previously enrolled in a risk adjustment covered plan as defined at 45 CFR 153.20, and individual providers of medical or health care services.

CATEGORIES OF RECORDS IN THE SYSTEM:

CMS will collect demographic, geographic, medical and/or health care information, date of birth, gender, dates of service about individuals that are currently and previously enrolled in risk adjustment covered plans. In addition, CMS will collect identifiable information about individual health care providers, including but not limited to name, ITIN or EIN, and NPI numbers.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Authority for the maintenance of the RAD-V is given under the provisions of §§ 1321 and 1343 of the Patient Protection and Affordable Care Act (Pub. L. 111-148) as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152), and the Regulations at 45 CFR 153.350, 153.620, 153.630.

PURPOSE(S) OF THE SYSTEM:

The primary purpose of this system is to collect and maintain data necessary to support the audit functions of the risk adjustment programs, including validation activities under the risk adjustment data validation system (RAD-V).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

A. Entities Who May Receive Disclosures under Routine Uses

Records about an individual may be disclosed from this system of records to the following parties outside the agency, without the individual's consent, for these purposes:

1. To CMS contractors who have been engaged by the agency to assist in the performance of a service related to this collection and who need to have access to the records in order to perform the activity.

2. To a health insurance issuer participating in the risk adjustment data validation program or any agent, contractor, sub-contractor or entity of that health insurance issuer that has entered into an agreement or contract with the issuer to assist in compliance with the risk adjustment data validation program.

3. The Department of Justice (DOJ), a court or an adjudicatory body when: a. The agency or any component thereof, or b. Any employee of the agency in his/her official capacity, or c. Any employee of the agency in his/her individual capacity where the DOJ has agreed to represent the employee, or d. The United States Government is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, a court or an adjudicatory body is compatible for the purpose for which the agency collected the records.

4. To a CMS contractor that assists in the administration of a CMS administered health benefits program, when disclosure is deemed reasonably necessary by CMS, to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such program.

5. To another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency), that administers, or that has the authority to investigate, potential fraud in the health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such program.

6. To appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, if the information disclosed is relevant to and necessary for that assistance; and information from this system may become available to U.S. Department of Homeland Security (DHS) cyber security personnel if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cyber security program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents.

Records may also be disclosed to parties outside the agency, without the individual's consent, for any of the purposes authorized directly in the Privacy Act at 5 U.S.C § 552(a)(b)(1), (2) and (b)(4)-(b)(12).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM

STORAGE:

Archived records for the risk adjustment data validation program will be stored in electronic form in the HHS-RADV Audit Tool maintained in the Acumen Web Portal.

RETRIEVABILITY:

The data collected is retrieved by the name of an individual, or by some other identifying number, symbol, or other identifying particular assigned to an individual.

SAFEGUARDS:

CMS has safeguards in place for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the RAD-V have been trained in the Privacy Act information privacy and security requirements. Employees who maintain records in this system are instructed not to release data unless the intended recipient agrees to implement appropriate physical, technical, and administrative safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems, and to prevent unauthorized access.

This system will conform to all applicable Federal laws and regulations and Federal, HHS and CMS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: the Privacy Act of 1974; the Federal Information Security Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the e-Government Act of 2002; the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and their corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III Security of Federal Automated Information Resources also applies, as well as Federal, HHS, and CMS information system security and privacy policies.

RETENTION AND DISPOSAL:

Records will be maintained until they become inactive, at which time they will be retired or destroyed in accordance with published records schedules of CMS, as approved by the National Archives and Records Administration, and following the guidelines in National Institutes of Science and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization. Enrollee claims records subject to a document preservation order will be preserved consistent with the terms of the court's order.

SYSTEM MANAGER AND ADDRESS:

Director, Division of Risk Adjustment Operations, Payment Policy & Financial Management Group, CCIIO, CMS, 7500 Security Boulevard, Baltimore, MD 21244.

NOTIFICATION PROCEDURE:

Individuals wishing to know if this system contains records about them should write to the System Manager and include pertinent personally identifiable information (which CMS recommends be encrypted and properly transmitted) to be used for retrieval of their records.

RECORD ACCESS PROCEDURE:

Individuals seeking access to records about them in this system should follow the same instructions indicated under “Notification Procedure” and reasonably specify the record content being sought. (These procedures are in accordance with HHS regulations at 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:

Individuals seeking to contest the content of information about them in this system should follow the same instructions indicated under “Notification Procedure.” The request should: Reasonably identify the record and specify the information being contested; state the corrective action sought; and provide the reasons for the correction, with supporting justification. (These procedures are in accordance with HHS regulations at 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:

The RAD-V will contain individually identifiable enrollment and demographic information, claims and encounter information and enrollees' medical records provided by issuers of risk adjustment covered plans. The issuers will provide the information as requested by CMS or a contractor on CMS' behalf.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

None.

Dated: April 26, 2016.

Emery Csulak,

CMS Senior Official for Privacy, Centers for Medicare & Medicaid Services.

[FR Doc. 2016-10253 Filed 5-2-16; 8:45 am]

BILLING CODE 4120-03-P