CMS has published a final rule to allow organizations approved as “qualified entities” to confidentially share or sell analyses of Medicare and private-sector claims data to providers, employers, and other groups who can use the data to support improved care. CMS expects the rule to lead to “more transparency regarding provider and supplier performance and innovative uses of data that will result in improvements to the healthcare delivery system while still ensuring appropriate privacy and security protections for beneficiary-identifiable data.” As mandated by the Medicare Access and CHIP Reauthorization Act (MACRA), qualified entities will be required to combine the Medicare data with other claims data (such as private payer data) to produce reports on provider and supplier performance across multiple payers. The rule includes annual reporting requirements, along with privacy and security rules to protect beneficiary information, including protections for patient-identifiable data that are at least as stringent as what is required of covered entities and their business associates for protected health information (PHI) under HIPAA.

In the final rule, CMS addresses the confidentiality of analyses produced under this program, in light of a statutory provision that “data released to a qualified entity under this subsection shall not be subject to discovery or admission as evidence in judicial or administrative proceedings without consent of the applicable provider or supplier.’’ CMS interprets this statutory shield to apply only to data released to the qualified entity and when that data is in the possession of the qualified entity. Once the Medicare data is used to create non-public analyses and those non-public analyses are shared with authorized users, CMS does not believe the statutory shield applies.

The final rule builds on the current Qualified Entity Program established by the Affordable Care Act (ACA), which enables qualified entities to use Medicare claims data in combination with other non-Medicare claims data to evaluate the performance of providers and suppliers. Fifteen organizations have received approval to be a qualified entity under the ACA program, and two have completed public reporting. The rule is effective September 6, 2016.