Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
MEMORANDUM Reed Smith LLP 1301 K Street, N.W. Suite 1100 - East Tower Washington, D.C. 20005-3373 +1 202 414 9200 Fax +1 202 414 9299 reedsmith.com To: American Health Care Association Members Date: October 19, 2011 Subject: Instructions for Completing the Data Use Agreement, DUA Signature Addendum, and the Research Request Packet As part of the Bundled Payment Initiative, CMS will make available Medicare claims data to organizations that submit the Bundled Payment Initiative’s letter of intent, and request and are approved to receive the data. In order to receive the data from CMS, an organization must submit a completed DUA form, DUA signature addendum(s) (if necessary), and a completed Research Request Packet, in addition to the letter of intent form. The organization must submit all of these materials simultaneously via email to [email protected] by 5:00 pm EDT November 4, 2011. Below are certain general instructions and clarifications for completing each document. Data Use Agreement It is anticipated that participants in the Bundle Payment Initiative will want to review data from CMS to assist in developing their pricing proposals. A potential Bundled Payment Initiative applicant must submit a DUA in order to receive Medicare data for the development of an application. By way of background, when an external entity requests the use of personal identifiable data from CMS that is covered by the Privacy Act of 1974, it must sign a DUA in order to obtain that data. A DUA is a binding legal agreement between CMS and an external entity such as a contractor, an academic institution, another Federal government agency, or a state agency. The agreement delineates the confidentiality requirements of the Privacy Act, sets forth security safeguards, and explains CMS's data use policies and procedures. The DUA serves to both inform data users of the confidentiality requirements and obtain their agreement to abide by these requirements. Additionally, the DUA acts as a control mechanism through which CMS can track the location of its data and the reason for the release of the data.1 1 See CMS, System Lifecycle Framework Template, Details for Data Use Agreements, available at http://www.cms.gov/SystemLifecycleFramework/Tmpl/itemdetail.asp?filterType=none&filterByDID=99&sortByDID=1&sortOrder=ascending&itemID=CMS1228520&intNumPerPage=10. NEW YORK LONDON HONG KONG CHICAGO WASHINGTON, D.C. BEIJING PARIS LOS ANGELES SAN FRANCISCO PHILADELPHIA SHANGHAI PITTSBURGH MUNICH ABU DHABI PRINCETON NORTHERN VIRGINIA WILMINGTON SILICON VALLEY DUBAI CENTURY CITY RICHMOND GREECE OAKLAND American Health Care Association Members October 19, 2011 Page 2 An external entity (“Requestor”) must complete the Limited Data Set DUA (CMS-R-0235L)2 in order to gain access to limited data set files and years of data. Below are certain general instructions3 and clarifications for completing the Limited Data Set DUA. 1. In the first paragraph and Section #1, enter the Requestor’s Organization Name. 2. Section #2 provides that CMS retains all ownership rights to the requested limited data set files and makes no warranty with respect to the accuracy of any data in the files. 3. In Section #3, enter the study and/or project name, CMS contract number, if applicable, and a brief summary of the research purpose for which the requested files will be used. CMS has completed this section for the CMMI Bundled Payment Initiative. 4. Completion of the Research Request Packet will satisfy the requirements set forth in Attachment A. See below for general instructions regarding the Research Request Packet. For more comprehensive instructions, in addition to a discussion of practical and legal implications of obtaining CMS data, see our technical assistance memorandum on completing the Research Request Packet for the CMMI Initiative that is available under the AHCA resources section of the AHCA Bundled Payment Initiative web page. 5. In Section #4, identify the limited data set (“LDS”) files and years of data requested. The Requestor should specify particular filenames. CMS has completed this section for the CMMI Bundled Payment Initiative. a. The LDS files CMS will provide include the Standard Analytic Files for the following payment systems: inpatient hospital, outpatient hospital, home health agency, skilled nursing facility, carrier, and durable medical equipment. The Standard Analytic Files include all final action claims for each payment system and can be linked by a beneficiary identifier so that an individual beneficiary’s care can be tracked across payments systems, by institutional providers, and over time. b. CMS will also provide a denominator SAF file, which includes demographic information about beneficiaries, their Medicare eligibility status, and certain other variables including date of death. 6. Section #5 provides that the Requestor should not attempt to identify or contact any specific individual whose record is included in the requested LDS files. Absent written authorization 2 Available at http://www.cms.gov/CMSForms/CMSForms/itemdetail.asp?filterType=none&filterByDID=99&sortByDID=1&sortOrder=ascending&itemID=CMS045945&intNumPerPage=2000. 3 Instructions can also be found on page 1 of the Limited Data Set DUA (CMS-R-0235L). Id. American Health Care Association Members October 19, 2011 Page 3 from CMS, the Requestor should not attempt to link records included in the requested LDS files to any other beneficiary-specific source of information. 7. In Section #6, applicants enter the projected completion date of the study or project (“Retention Date”). CMS has completed this section for the CMMI Bundled Payment Initiative. If the study or project is completed prior to the Retention Date, the Requestor agrees to notify CMS within thirty days. Importantly, upon notice of completion to CMS or the Retention Date— whichever is sooner— the Requestor must destroy all requested LDS files. The Requestor has thirty days to destroy the files and send written certification of the files’ destruction to CMS. a. In meeting the CMS requirements, a Requestor should consider how its information technology system will ensure privacy protections and prevent unauthorized access and utilization. On the retention date or before (if the study is complete) the CMS data must be destroyed. This includes any data back-ups. The Applicant must ensure complete removal and destruction of the requested LDS data files from all backup systems as required by the DUA. For example, the backed up LDS files may need to be segregated from other backed up data to ensure complete removal upon completion of the study or project. b. A Requestor should consider designating a point person within the organization to be responsible for this process. 8. In Section #7, the Requestor agrees not to use, disclose, or otherwise grant access to the requested LDS files except as expressly permitted by the DUA or otherwise required by law. In other words, a potential Bundled Payment Initiative applicant can only use the LDS files for developing its application. 9. Section 8: a. In Section #8a, the Requestor agrees to adhere to CMS’s current cell size suppression policy with respect to the creation of any document, table, chart, report, etc. for release to anyone not authorized to access the data. This policy prohibits the disclosure of data if the data cell (e.g., admittances, discharges, patients) contains eleven or fewer individuals. This policy also applies to the use of percentages and other mathematical formulas. However, the Requestor is not required to submit any written documents for CMS to review. The Requestor may submit their documents to CMS for review if the Requestor is unsure whether they have satisfied the suppression policy. CMS agrees to make an approval determination and notify the Requestor within four to six weeks and CMS may only withhold approval for publication if it determines that the format in which data are presented may result in the identification of individual beneficiaries. b. Section #8b provides that the Requestor may only disclose the requested LDS files to a Secondary Requestor if that Secondary Requestor enters into a DUA with CMS. CMS American Health Care Association Members October 19, 2011 Page 4 will only enter into a DUA with a Secondary Requestor if the secondary use purpose is consistent with the purpose set forth in Section 3 by the Requestor. 10. In Section #9, the Requestor agrees to establish appropriate administrative, technical, and physical safeguards to protect the confidentiality of the requested LDS files and to prevent unauthorized use or access to them. The safeguards must be, at a minimum, equivalent to those established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III—Security of Federal Automated Information Systems.4 The Requestor acknowledges that the use of unsecured telecommunications, such as the Internet, to transmit individually identifiable information derived from the requested LDS files is prohibited. The Requestor also agrees that the requested LDS files will not be physically moved or electronically transmitted in any way from the site indicated in Section 15 without CMS’s prior written approval. 11. Section #10 provides that the Requestor shall reimburse CMS for all associated processing fees with respect to each requested LDS file. As noted in the FAQ, CMS will not apply a processing fee for the requested LDS data for the Bundled Payment Initiative. 12. Section #11 provides that the Requestor must promptly notify CMS of any use or disclosure of information not provided for by the DUA when the Requestor becomes aware of such use. 13. In Section #12, the Requestor acknowledges that in the event of a disclosure of information in the requested LDS files that is inconsistent with the DUA, penalties under § 1106(a) of the Social Security Act, 18 U.S.C. § 641, and the Privacy Act may apply. 14. In Section #13, the Requestor agrees to abide by all provisions set out in the DUA for protection of the requested LDS files and acknowledges having received notice of potential criminal, civil, and/or administrative penalties for violation of the DUA. 15. Section #14 must be filled out by an authorized individual on behalf of the Requestor. 16. Section #15 must be filled out by the Requestor and identifies the Custodian of the requested files. The Custodian shall oversee the establishment and maintenance of security arrangements to prevent unauthorized use as required by the DUA. The Requestor must notify CMS within fifteen days of any change of custodianship. CMS may disapprove the appointment and require a new Custodian at any time. 17. Sections #16 and #17 are to be filled out by CMS. 4 Available at http://www.whitehouse.gov/omb/circulars/a130/a130.html. American Health Care Association Members October 19, 2011 Page 5 DUA Signature Addendum The Signature Addendum to the DUA identifies additional individuals who would have permission to access the requested LDS files. 1. The Signature Addendum requires the name, organization name, telephone number, email address, dated signature, and task or role of any additional individual who may have access to the requested files. It is important to include any additional organization that will have access to the LDS files. These individuals could include members of your information technology department, internal analysts, and/or external vendors that your organization may retain to assist you in exploring and analyzing bundles, estimating episode costs, determining target prices and discount factors, etc. These individuals and organizations should be consistent with the Data Management Safeguards section of the Research Request Packet that will be submitted together with the Letter of Intent.. 2. In general, a DUA signature addendum lists internal employees as well as outside consultants or applicants that will be used by the entity completing the DUA as part of the research project. Research Request Packet The Research Request Packet5 must be submitted simultaneously with the Data Use Agreement and the Letter of Intent if an organization wishes to obtain access to the LDS data files. Below are certain general instructions for completing the Research Request Packet. For more specific instructions, see our technical assistance memorandum on completing the Research Request Packet for the CMMI Initiative that is available under the AHCA resources section of the AHCA Bundled Payment Initiative web page. 1. On page 3 is the sample written request letter prepared by CMS that outlines the primary purpose(s) for which the data will be utilized for this study. In the request letter the Requestor identifies the LDS data, the years for the data, and the markets for which they are requesting data. To assist Requestors, CMS has completed the section related to the type of LDS data and the years of data that are available for this study. Requestors, however, must complete the section related to the markets for which they are requesting data. CMS has divided the country into 92 Hospital Referral Clusters (“HRCs”), which are defined by beneficiary county of residence. The Requestor must identify on page 3 which geographical areas (or HRCs) are most appropriate for their analysis. A list of HRCs appears on page 2 of the Research Request Packet and an appendix defining the exact counties included in each HRC begins on page 11. Finally, the Requestor must identify a contact person and execute the signature line. 5 Available at http://innovations.cms.gov/areas-of-focus/patient-care-models/Bundled-Payments-%20CareImprovement-Application.html. American Health Care Association Members October 19, 2011 Page 6 2. Introduction. Beginning on page 4 is the Research Protocol, The Research Protocol document describes the objectives, background, methods, and importance of the study being proposed. To assist Requestors for this project, CMS has completed the introductory section that describes the purpose for the data to define episodes for the Initiative. No changes to this section are required. Project Issues and Methods. Also on page 4, the Requestor must describe the episodes, the methodology and analytic plan for this Initiative, and, if applicable, describe any forums where you will present results based on the data analysis beyond it’s utilization for the Initiative application. For this section, the Requestor must: a. List the MS-DRGs around which they propose to develop episodes and describe the type of episodes they wish to explore (acute, post-acute, or combined). The MS-DRGs are assigned after a short term acute care hospital discharge. In this initiative they function as the “anchor” that triggers an episode of care that is to be bundled. Any MS-DRGs listed are not binding on the Requestor’s eventual selection of agreed-upon MS-DRGs. The Requestor may choose to include all MS-DRGs here and indicate criteria they may use to select MS-DRGs to develop episodes. b. Describe in detail the plan to analyze the data for the project, including the methodology and procedures that will be used. For further suggestions regarding this section, see our technical assistance memorandum on completing the Research Request Packet for the CMMI Initiative that is available under the AHCA resources section of the AHCA Bundled Payment Initiative web page. c. Indicate whether they anticipate generating and using further tabulations, aggregations, or other data presentations beyond the scope of an application for participation in the Bundles Payments for Care Improvement Initiative. If so, the Requestor must indicate the forums under which they plan to present their results. d. State whether any of the methodology or tools contain proprietary information. Proprietary information is exempt from release under the Freedom of Information Act if it falls within Exemption 4, 5 U.S.C. § 552(b)(4). 3. Data Management Safeguards. On page 5, the Requestor begins to describe the data privacy protections that will be in place for conducting this research, which could include discussion about how you will maintain an inventory of CMS data files and manage physical access to the data files for the duration of your DUA. As part of this section, the Requestor must: a. Identify who will have the main responsibility for organizing, storing, and archiving the data. This should correlate with Section #15 of the DUA (see above), but may include more than one person. American Health Care Association Members October 19, 2011 Page 7 b. Explain the infrastructure (facilities, hardware, software, etc.) that will secure the requested LDS files. As outlined in Section #9 of the DUA (see above), the Requestor must have in place, at a minimum, safeguards equivalent to those established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III— Security of Federal Automated Information Systems. c. Indicate whether additional organizations are involved in analyzing the LDS files. If so, the Requestor must indicate how these organizations’ analysts will access the LDS files. These organizations should also be listed in the Signature Addendum as described above. d. Describe the procedures that will be used to protect the privacy and identity of an individual. Thus, the Requestor will need to have appropriate technical security measures in place, but also may wish to implement analysis plans that avoid identification of particular Medicare beneficiaries in the results and aggregations. See Section #8a of the DUA setting forth CMS’s current cell size suppression policy. For assistance in completing this section, the Requestor may wish to review the CMS Data Management Plan Guidelines for additional information on the type of data management and privacy protection safeguards that CMS takes into consideration for researchers seeking access to LDS data in general. e. Describe safeguards that would be followed for permitted disclosures of data, if applicable. CMS has however prospectively filled this section out. CMS notes that no disclosures of data to anyone outside CMS will be permitted. 4. Key Personnel. On page 6, the Requestor must: a. List all staff, including consultants, who will have access to the LDS files and their role in the project. No disclosure of data to anyone outside CMS will be permitted. Thus, only personnel listed in the research protocol will be able to access the data. 5. Dissemination/Implementation. CMS has also prospectively completed this section for the Requestor. Specifically, CMS has set forth that the findings of this research will be used in the application for awards under the Bundled Payments for Care Improvement Initiative of CMMI. Data will not be disseminated on the individual or aggregate level. 6. Proprietary Information. On page 7, CMS has set forth that if the Research Application contains proprietary information, a statement to that effect must be included in the Project Issues and Methods section (see above). 7. Financial Arrangement. On page 7, CMS countermands Section #10 of the DUA (see above) and states that Requestors whose research protocols and DUAs are approved will be provided LDS files requested at no cost to them. American Health Care Association Members October 19, 2011 Page 8 8. Data Request Worksheet. On page 8, the Requestor must set forth the Project Information (including Project Contact), the Primary User (who may be the same person as the Project Contact), and the Custodian (see Section #15 of the DUA). The Requestor must also restate the LDS files requested (see page 3 of the Research Request Packet) and provide shipping information. * * * * * If you have any general or specific questions about the Bundled Payment Initiative, please email “CMS Bundled Payments for Care Improvement” directly at [email protected]. Please email [email protected] if you have questions or require further clarification regarding the contents of this memorandum. * * * * * The contents of this memorandum are for informational purposes only and do not constitute legal advice. It is recommended that organizations have counsel review the Letter of Intent, Data Use Agreement, and Research Request Packet prior to submission to CMS.