42 CFR § 401.705 - Eligibility criteria for qualified entities.
(a) Eligibility criteria: To be eligible to apply to receive data as a qualified entity under this subpart, an applicant generally must demonstrate expertise and sustained experience, defined as 3 or more years, in the following three areas, as applicable and appropriate to the proposed use:
(1) Organizational and governance criteria, including:
(i) Expertise in the areas of measurement that they propose to use in accurately calculating quality, and efficiency, effectiveness, or resource use measures from claims data, including the following:
(A) Identifying an appropriate method to attribute a particular patient's services to specific providers and suppliers.
(B) Ensuring the use of approaches to ensure statistical validity such as a minimum number of observations or minimum denominator for each measure.
(C) Using methods for risk-adjustment to account for variations in both case-mix and severity among providers and suppliers.
(D) Identifying methods for handling outliers.
(E) Correcting measurement errors and assessing measure reliability.
(F) Identifying appropriate peer groups of providers and suppliers for meaningful comparisons.
(ii) A plan for a business model that is projected to cover the costs of performing the required functions, including the fee for the data.
(iii) Successfully combining claims data from different payers to calculate performance reports.
(iv) Designing, and continuously improving the format of performance reports on providers and suppliers.
(v) Preparing an understandable description of the measures used to evaluate the performance of providers and suppliers so that consumers, providers and suppliers, health plans, researchers, and other stakeholders can assess performance reports.
(vi) Implementing and maintaining a process for providers and suppliers identified in a report to review the report prior to publication and providing a timely response to provider and supplier inquiries regarding requests for data, error correction, and appeals.
(vii) Establishing, maintaining, and monitoring a rigorous data privacy and security program, including disclosing to CMS any inappropriate disclosures of beneficiary identifiable information, violations of applicable federal and State privacy and security laws and regulations for the preceding 10-year period (or, if the applicant has not been in existence for 10 years, the length of time the applicant has been an organization), and any corrective actions taken to address the issues.
(viii) Accurately preparing performance reports on providers and suppliers and making performance report information available to the public in aggregate form, that is, at the provider or supplier level.
(2) Expertise in combining Medicare claims data with claims data from other sources, including demonstrating to the Secretary's satisfaction that the claims data from other sources that it intends to combine with the Medicare data received under this subpart address the methodological concerns regarding sample size and reliability that have been expressed by stakeholders regarding the calculation of performance measures from a single payer source.
(3) Expertise in establishing, documenting and implementing rigorous data privacy and security policies including enforcement mechanisms.
(b) Source of expertise and experience: An applicant may demonstrate expertise and experience in any or all of the areas described in paragraph (a) of this section through one of the following:
(1) Activities it has conducted directly through its own staff.
(2) Contracts with other entities if the applicant is the lead entity and includes documentation in its application of the contractual arrangements that exist between it and any other entity whose expertise and experience is relied upon in submitting the application.