(a) Expanding uses of Medicare data by qualified entities

(1) Additional analyses

(A) In general
Subject to subparagraph (B), to the extent consistent with applicable information, privacy, security, and disclosure laws (including paragraph (3)), notwithstanding paragraph (4)(B) of section 1874(e) of the Social Security Act (42 U.S.C. 1395kk(e)) and the second sentence of paragraph (4)(D) of such section, beginning July 1, 2016, a qualified entity may use the combined data described in paragraph (4)(B)(iii) of such section received by such entity under such section, and information derived from the evaluation described in such paragraph (4)(D), to conduct additional non-public analyses (as determined appropriate by the Secretary) and provide or sell such analyses to authorized users for non-public use (including for the purposes of assisting providers of services and suppliers to develop and participate in quality and patient care improvement activities, including developing new models of care).

(B) Limitations with respect to analyses

(i) Employers
Any analyses provided or sold under subparagraph (A) to an employer described in paragraph (9)(A)(iii) may only be used by such employer for purposes of providing health insurance to employees and retirees of the employer.

(ii) Health insurance issuers
A qualified entity may not provide or sell an analysis to a health insurance issuer described in paragraph (9)(A)(iv) unless the issuer is providing the qualified entity with data under section 1874(e)(4)(B)(iii) of the Social Security Act (42 U.S.C. 1395kk(e)(4)(B)(iii)).

(2) Access to certain data

(A) Access
To the extent consistent with applicable information, privacy, security, and disclosure laws (including paragraph (3)), notwithstanding paragraph (4)(B) of section 1874(e) of the Social Security Act (42 U.S.C. 1395kk(e)) and the second sentence of paragraph (4)(D) of such section, beginning July 1, 2016, a qualified entity may—

(i) provide or sell the combined data described in paragraph (4)(B)(iii) of such section to authorized users described in clauses (i), (ii), and (v) of paragraph (9)(A) for non-public use, including for the purposes described in subparagraph (B); or

(ii) subject to subparagraph (C), provide Medicare claims data to authorized users described in clauses (i), (ii), and (v),1 of paragraph (9)(A) for non-public use, including for the purposes described in subparagraph (B).

(B) Purposes described
The purposes described in this subparagraph are assisting providers of services and suppliers in developing and participating in quality and patient care improvement activities, including developing new models of care.

(C) Medicare claims data must be provided at no cost
A qualified entity may not charge a fee for providing the data under subparagraph (A)(ii).

(3) Protection of information

(A) In general
Except as provided in subparagraph (B), an analysis or data that is provided or sold under paragraph (1) or (2) shall not contain information that individually identifies a patient.

(B) Information on patients of the provider of services or supplier
To the extent consistent with applicable information, privacy, security, and disclosure laws, an analysis or data that is provided or sold to a provider of services or supplier under paragraph (1) or (2) may contain information that individually identifies a patient of such provider or supplier, including with respect to items and services furnished to the patient by other providers of services or suppliers.

(C) Prohibition on using analyses or data for marketing purposes
An authorized user shall not use an analysis or data provided or sold under paragraph (1) or (2) for marketing purposes.

(4) Data use agreement
A qualified entity and an authorized user described in clauses (i), (ii), and (v) of paragraph (9)(A) shall enter into an agreement regarding the use of any data that the qualified entity is providing or selling to the authorized user under paragraph (2). Such agreement shall describe the requirements for privacy and security of the data and, as determined appropriate by the Secretary, any prohibitions on using such data to link to other individually identifiable sources of information. If the authorized user is not a covered entity under the rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, the agreement shall identify the relevant regulations, as determined by the Secretary, that the user shall comply with as if it were acting in the capacity of such a covered entity.

(5) No redisclosure of analyses or data

(A) In general
Except as provided in subparagraph (B), an authorized user that is provided or sold an analysis or data under paragraph (1) or (2) shall not redisclose or make public such analysis or data or any analysis using such data.

(B) Permitted redisclosure
A provider of services or supplier that is provided or sold an analysis or data under paragraph (1) or (2) may, as determined by the Secretary, redisclose such analysis or data for the purposes of performance improvement and care coordination activities but shall not make public such analysis or data or any analysis using such data.

(6) Opportunity for providers of services and suppliers to review
Prior to a qualified entity providing or selling an analysis to an authorized user under paragraph (1), to the extent that such analysis would individually identify a provider of services or supplier who is not being provided or sold such analysis, such qualified entity shall provide such provider or supplier with the opportunity to appeal and correct errors in the manner described in section 1874(e)(4)(C)(ii) of the Social Security Act (42 U.S.C. 1395kk(e)(4)(C)(ii)).

(7) Assessment for a breach

(A) In general
In the case of a breach of a data use agreement under this section or section 1874(e) of the Social Security Act (42 U.S.C. 1395kk(e)), the Secretary shall impose an assessment on the qualified entity both in the case of—

(i) an agreement between the Secretary and a qualified entity; and

(ii) an agreement between a qualified entity and an authorized user.

(B) Assessment
The assessment under subparagraph (A) shall be an amount up to $100 for each individual entitled to, or enrolled for, benefits under part A of title XVIII of the Social Security Act [42 U.S.C. 1395c et seq.] or enrolled for benefits under part B of such title [42 U.S.C. 1395j et seq.]—

(i) in the case of an agreement described in subparagraph (A)(i), for whom the Secretary provided data on to the qualified entity under paragraph (2); and

(ii) in the case of an agreement described in subparagraph (A)(ii), for whom the qualified entity provided data on to the authorized user under paragraph (2).

(C) Deposit of amounts collected
Any amounts collected pursuant to this paragraph shall be deposited in Federal 2 Supplementary Medical Insurance Trust Fund under section 1841 of the Social Security Act (42 U.S.C. 1395t).

(8) Annual reports
Any qualified entity that provides or sells an analysis or data under paragraph (1) or (2) shall annually submit to the Secretary a report that includes—

(A) a summary of the analyses provided or sold, including the number of such analyses, the number of purchasers of such analyses, and the total amount of fees received for such analyses;

(B) a description of the topics and purposes of such analyses;

(C) information on the entities who received the data under paragraph (2), the uses of the data, and the total amount of fees received for providing, selling, or sharing the data; and

(D) other information determined appropriate by the Secretary.

(9) Definitions
In this subsection and subsection (b):

(A) Authorized user
The term "authorized user" means the following:

(i) A provider of services.

(ii) A supplier.

(iii) An employer (as defined in section 1002(5) of title 29).

(iv) A health insurance issuer (as defined in section 300gg–91 of this title).

(v) A medical society or hospital association.

(vi) Any entity not described in clauses (i) through (v) that is approved by the Secretary (other than an employer or health insurance issuer not described in clauses (iii) and (iv), respectively, as determined by the Secretary).

(B) Provider of services
The term "provider of services" has the meaning given such term in section 1861(u) of the Social Security Act (42 U.S.C. 1395x(u)).

(C) Qualified entity
The term "qualified entity" has the meaning given such term in section 1874(e)(2) of the Social Security Act (42 U.S.C. 1395kk(e)).3

(D) Secretary
The term "Secretary" means the Secretary of Health and Human Services.

(E) Supplier
The term "supplier" has the meaning given such term in section 1861(d) of the Social Security Act (42 U.S.C. 1395x(d)).

(b) Access to Medicare data by qualified clinical data registries to facilitate quality improvement

(1) Access

(A) In general
To the extent consistent with applicable information, privacy, security, and disclosure laws, beginning July 1, 2016, the Secretary shall, at the request of a qualified clinical data registry under section 1848(m)(3)(E) of the Social Security Act (42 U.S.C. 1395w–4(m)(3)(E)), provide the data described in subparagraph (B) (in a form and manner determined to be appropriate) to such qualified clinical data registry for purposes of linking such data with clinical outcomes data and performing risk-adjusted, scientifically valid analyses and research to support quality improvement or patient safety, provided that any public reporting of such analyses or research that identifies a provider of services or supplier shall only be conducted with the opportunity of such provider or supplier to appeal and correct errors in the manner described in subsection (a)(6).

(B) Data described
The data described in this subparagraph is—

(i) claims data under the Medicare program under title XVIII of the Social Security Act [42 U.S.C. 1395 et seq.]; and

(ii) if the Secretary determines appropriate, claims data under the Medicaid program under title XIX of such Act [42 U.S.C. 1396 et seq.] and the State Children's Health Insurance Program under title XXI of such Act [42 U.S.C. 1397aa et seq.].

(2) Fee
Data described in paragraph (1)(B) shall be provided to a qualified clinical data registry under paragraph (1) at a fee equal to the cost of providing such data. Any fee collected pursuant to the preceding sentence shall be deposited in the Centers for Medicare & Medicaid Services Program Management Account.

References in Text

The Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (a)(4), is Pub. L. 104–191, Aug. 21, 1996, 110 Stat. 1936. For complete classification of this Act to the Code, see Short Title of 1996 Amendments note set out under section 201 of this title and Tables.

The Social Security Act, referred to in subsecs. (a)(7)(B) and (b)(1)(B), is act Aug. 14, 1935, ch. 531, 49 Stat. 620. Titles XVIII, XIX, and XXI of the Act are classified generally to this subchapter and subchapters XIX (§1396 et seq.) and XXI (§1397aa et seq.) of this chapter, respectively. Parts A and B of title XVIII of the Act are classified generally to parts A (§1395c et seq.) and B (§1395j et seq.) of this subchapter, respectively. For complete classification of this Act to the Code, see section 1305 of this title and Tables.

Codification

Section is comprised of section 105 of Pub. L. 114–10. Subsecs. (c) and (d) of section 105 of Pub. L. 114–10 amended section 1395kk of this title.

Section was enacted as part of the Medicare Access and CHIP Reauthorization Act of 2015, and not as part of the Social Security Act which comprises this chapter.

1 So in original. The comma probably should not appear. 2 So in original. Probably should be preceded by "the". 3 So in original. Probably should be "1395kk(e)(2))."

Tried the LawStack mobile app?

Join thousands and try LawStack mobile for FREE today.

  • Carry the law offline, wherever you go.
  • Download CFR, USC, rules, and state law to your mobile device.