On July 1, CMS finalized new MACRA rules that significantly expand how qualified data entities will be allowed to share or sell analyses of Medicare and private claims data to providers, insurers, employers, and others who, in turn, can use the data to support improved care. In announcing the new rules, CMS’ Chief Data Officer, Niall Brennan, stated that “[i]ncreasing access to analyses and data that include Medicare data will make it easier for stakeholders throughout the healthcare system to make smarter and more informed healthcare decisions.” The goal of the program is that through data analytics, organizations will be able to identify and implement improvements to clinical practice standards and population health strategies. In fact, MACRA’s new advanced alternative payment models, which require physician groups to assume greater downside financial risk, would likely benefit from any improvements to population health strategies that are derived from this new data mining initiative.
CMS also hopes that these new rules will increase the number of organizations that are interested in its qualified entity program. Currently, there are 15 certified qualified entities, although CMS noted in the final rule that only 2 qualified entities have completed public reporting. One current qualified entity, Amino, is a new digital health care company that has used this Medicare data to create a database of billions of patient-physician interactions to match patients with physicians who have experience treating the patient’s specific condition.
The original qualified entity program was created under Section 10322 of the ACA, which authorized CMS to provide standardized extracts of Medicare Part A and B claims data, and Part D drug data, to qualifying entities covering one or more geographic regions at a fee equal to CMS’ cost to produce the data. Under the original qualified entity program, however, this Medicare claims data could only be used to evaluate the performance of providers and suppliers.
Under the new rules, qualified entities will be allowed to use the data to conduct non-public analyses and provide or sell those analyses to “authorized users” for non-public use. “Authorized users” are defined as providers, suppliers, employers, health insurers, medical societies, hospital associations, provider or supplier professional associations and state agencies, and their respective contractors (including business associates). However, CMS included several limitations on the sale of non-public analyses. For example, all data provided or sold by a qualified entity must be beneficiary de-identified data, except for disclosures to the beneficiary’s current provider or supplier. A qualified entity may only provide or sell non-public analyses to commercial insurers after that insurer has provided the qualified entity with claims data for the time period and geographic region covered by the insurer’s request. CMS will also require that qualified entities provide an annual summary to CMS of all of their non-public analyses provided or sold to authorized users, including the number and purchasers of such analyses, and total fees received. While these reports will not be made public, CMS noted that non-sensitive information in these annual reports could be disclosed under a Freedom of Information Act request.
Finally, data security is a critical component in these new data sharing rules. Qualified entities must enter into binding agreements with all authorized users that receive claims data or non-public analyses. Authorized users that receive patient-identifiable or beneficiary de-identified information are required to use protections equivalent to what is required under HIPAA’s Privacy and Security Rules until the data has been returned or destroyed and regardless of whether the authorized user is a HIPAA-covered entities. Each qualified entity also will be subject to an assessment of up to $100 per affected individual if they or their authorized users violate the terms of the qualified entity’s data use agreement with CMS.