Qualified entities are permitted to provide or sell claims data to healthcare providers and suppliers, as long as they adhere to strict privacy, security, and reporting requirements.
The market for analyses of Medicare and private sector claims data is getting a boost from the Centers for Medicare & Medicaid Services, which finalized new rules July 1, to allow such data to be confidentially shared or sold.
The new rules, required by the Medicare Access and CHIP Reauthorization Act (MACRA), affect qualified entities, which the Patient Protection and Affordable Care Act defines as those entities permitted to see claims data for the purpose of evaluating the performance of providers and suppliers.
Qualified entities are also permitted to provide or sell claims data to healthcare providers and suppliers, such as doctors, nurses, and skilled nursing facilities.
The new CMS rule requires entities that receive data identifiable to patients, as well as de-identified data or analyses, to adhere to strict privacy and security requirements, as well as annual reporting requirements.
Once certified, qualified entities may:
- Enter into a Data Use Agreement committing the organization to the highest levels of data security and privacy protection.
- Pay a fee equal to the cost of making the data available.
- Receive data for one or more specified geographic areas.
- Combine claims data from sources other than Medicare with the Medicare data.
- Use valid and reliable measures for evaluating the performance of providers and suppliers.
- Produce and make publicly available reports on individual providers and suppliers in aggregate form.
CMS believes qualified entities will be an important driver of improving quality and reducing costs in Medicare, as well as for the healthcare system in general.
The agency also believes this program will increase the transparency of provider and supplier performance, and provide beneficiaries access to information that will help them make more informed decisions about their healthcare.
For purposes of protecting patient-identifiable data, CMS is holding these qualified entities to the same data protection bar as covered entities and their business associates are expected to exercise for protected health information under HIPAA.
Out of 15 organizations which have applied for qualified entity status, two have completed public reporting while the other 13 are preparing for public reporting.