42 U.S. Code § 1395kk–2. Expanding availability of Medicare data

(a) Expanding uses of Medicare data by qualified entities
(1) Additional analyses
(A) In general

Subject to subparagraph (B), to the extent consistent with applicable information, privacy, security, and disclosure laws (including paragraph (3)), notwithstanding paragraph (4)(B) of section 1874(e) of the Social Security Act (42 U.S.C. 1395kk(e)) and the second sentence of paragraph (4)(D) of such section, beginning July 1, 2016, a qualified entity may use the combined data described in paragraph (4)(B)(iii) of such section received by such entity under such section, and information derived from the evaluation described in such paragraph (4)(D), to conduct additional non-public analyses (as determined appropriate by the Secretary) and provide or sell such analyses to authorized users for non-public use (including for the purposes of assisting providers of services and suppliers to develop and participate in quality and patient care improvement activities, including developing new models of care).

(B) Limitations with respect to analyses
(i) Employers

Any analyses provided or sold under subparagraph (A) to an employer described in paragraph (9)(A)(iii) may only be used by such employer for purposes of providing health insurance to employees and retirees of the employer.

(ii) Health insurance issuers

A qualified entity may not provide or sell an analysis to a health insurance issuer described in paragraph (9)(A)(iv) unless the issuer is providing the qualified entity with data under section 1874(e)(4)(B)(iii) of the Social Security Act (42 U.S.C. 1395kk(e)(4)(B)(iii)).

(2) Access to certain data
(A) AccessTo the extent consistent with applicable information, privacy, security, and disclosure laws (including paragraph (3)), notwithstanding paragraph (4)(B) of section 1874(e) of the Social Security Act (42 U.S.C. 1395kk(e)) and the second sentence of paragraph (4)(D) of such section, beginning July 1, 2016, a qualified entity may—
(i)
provide or sell the combined data described in paragraph (4)(B)(iii) of such section to authorized users described in clauses (i), (ii), and (v) of paragraph (9)(A) for non-public use, including for the purposes described in subparagraph (B); or
(ii)
subject to subparagraph (C), provide Medicare claims data to authorized users described in clauses (i), (ii), and (v),[1] of paragraph (9)(A) for non-public use, including for the purposes described in subparagraph (B).
(B) Purposes described

The purposes described in this subparagraph are assisting providers of services and suppliers in developing and participating in quality and patient care improvement activities, including developing new models of care.

(C) Medicare claims data must be provided at no cost

A qualified entity may not charge a fee for providing the data under subparagraph (A)(ii).

(3) Protection of information
(A) In general

Except as provided in subparagraph (B), an analysis or data that is provided or sold under paragraph (1) or (2) shall not contain information that individually identifies a patient.

(B) Information on patients of the provider of services or supplier

To the extent consistent with applicable information, privacy, security, and disclosure laws, an analysis or data that is provided or sold to a provider of services or supplier under paragraph (1) or (2) may contain information that individually identifies a patient of such provider or supplier, including with respect to items and services furnished to the patient by other providers of services or suppliers.

(C) Prohibition on using analyses or data for marketing purposes

An authorized user shall not use an analysis or data provided or sold under paragraph (1) or (2) for marketing purposes.

(4) Data use agreement

A qualified entity and an authorized user described in clauses (i), (ii), and (v) of paragraph (9)(A) shall enter into an agreement regarding the use of any data that the qualified entity is providing or selling to the authorized user under paragraph (2). Such agreement shall describe the requirements for privacy and security of the data and, as determined appropriate by the Secretary, any prohibitions on using such data to link to other individually identifiable sources of information. If the authorized user is not a covered entity under the rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, the agreement shall identify the relevant regulations, as determined by the Secretary, that the user shall comply with as if it were acting in the capacity of such a covered entity.

(5) No redisclosure of analyses or data
(A) In general

Except as provided in subparagraph (B), an authorized user that is provided or sold an analysis or data under paragraph (1) or (2) shall not redisclose or make public such analysis or data or any analysis using such data.

(B) Permitted redisclosure

A provider of services or supplier that is provided or sold an analysis or data under paragraph (1) or (2) may, as determined by the Secretary, redisclose such analysis or data for the purposes of performance improvement and care coordination activities but shall not make public such analysis or data or any analysis using such data.

(6) Opportunity for providers of services and suppliers to review

Prior to a qualified entity providing or selling an analysis to an authorized user under paragraph (1), to the extent that such analysis would individually identify a provider of services or supplier who is not being provided or sold such analysis, such qualified entity shall provide such provider or supplier with the opportunity to appeal and correct errors in the manner described in section 1874(e)(4)(C)(ii) of the Social Security Act (42 U.S.C. 1395kk(e)(4)(C)(ii)).

(7) Assessment for a breach
(A) In generalIn the case of a breach of a data use agreement under this section or section 1874(e) of the Social Security Act (42 U.S.C. 1395kk(e)), the Secretary shall impose an assessment on the qualified entity both in the case of—
(i)
an agreement between the Secretary and a qualified entity; and
(B) AssessmentThe assessment under subparagraph (A) shall be an amount up to $100 for each individual entitled to, or enrolled for, benefits under part A of title XVIII of the Social Security Act [42 U.S.C. 1395c et seq.] or enrolled for benefits under part B of such title [42 U.S.C. 1395j et seq.]—
(i)
in the case of an agreement described in subparagraph (A)(i), for whom the Secretary provided data on to the qualified entity under paragraph (2); and
(ii)
in the case of an agreement described in subparagraph (A)(ii), for whom the qualified entity provided data on to the authorized user under paragraph (2).
(C) Deposit of amounts collected

Any amounts collected pursuant to this paragraph shall be deposited in Federal [2] Supplementary Medical Insurance Trust Fund under section 1841 of the Social Security Act (42 U.S.C. 1395t).

(8) Annual reportsAny qualified entity that provides or sells an analysis or data under paragraph (1) or (2) shall annually submit to the Secretary a report that includes—
(A)
a summary of the analyses provided or sold, including the number of such analyses, the number of purchasers of such analyses, and the total amount of fees received for such analyses;
(B)
a description of the topics and purposes of such analyses;
(C)
information on the entities who received the data under paragraph (2), the uses of the data, and the total amount of fees received for providing, selling, or sharing the data; and
(D)
other information determined appropriate by the Secretary.
(9) DefinitionsIn this subsection and subsection (b):
(A) Authorized userThe term “authorized user” means the following:
(ii)
(v)
A medical society or hospital association.
(vi)
Any entity not described in clauses (i) through (v) that is approved by the Secretary (other than an employer or health insurance issuer not described in clauses (iii) and (iv), respectively, as determined by the Secretary).
(B) Provider of services

The term “provider of services” has the meaning given such term in section 1861(u) of the Social Security Act (42 U.S.C. 1395x(u)).

(C) Qualified entity

The term “qualified entity” has the meaning given such term in section 1874(e)(2) of the Social Security Act (42 U.S.C. 1395kk(e)).[3]

(D) Secretary

The term “Secretary” means the Secretary of Health and Human Services.

(E) Supplier

The term “supplier” has the meaning given such term in section 1861(d) of the Social Security Act (42 U.S.C. 1395x(d)).

(b) Access to Medicare data by qualified clinical data registries to facilitate quality improvement
(1) Access
(A) In general

To the extent consistent with applicable information, privacy, security, and disclosure laws, beginning July 1, 2016, the Secretary shall, at the request of a qualified clinical data registry under section 1848(m)(3)(E) of the Social Security Act (42 U.S.C. 1395w–4(m)(3)(E)), provide the data described in subparagraph (B) (in a form and manner determined to be appropriate) to such qualified clinical data registry for purposes of linking such data with clinical outcomes data and performing risk-adjusted, scientifically valid analyses and research to support quality improvement or patient safety, provided that any public reporting of such analyses or research that identifies a provider of services or supplier shall only be conducted with the opportunity of such provider or supplier to appeal and correct errors in the manner described in subsection (a)(6).

(B) Data describedThe data described in this subparagraph is—
(i)
claims data under the Medicare program under title XVIII of the Social Security Act [42 U.S.C. 1395 et seq.]; and
(ii)
if the Secretary determines appropriate, claims data under the Medicaid program under title XIX of such Act [42 U.S.C. 1396 et seq.] and the State Children’s Health Insurance Program under title XXI of such Act [42 U.S.C. 1397aa et seq.].
(2) Fee

Data described in paragraph (1)(B) shall be provided to a qualified clinical data registry under paragraph (1) at a fee equal to the cost of providing such data. Any fee collected pursuant to the preceding sentence shall be deposited in the Centers for Medicare & Medicaid Services Program Management Account.

References in Text

The Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (a)(4), is Pub. L. 104–191, Aug. 21, 1996, 110 Stat. 1936. For complete classification of this Act to the Code, see Short Title of 1996 Amendments note set out under section 201 of this title and Tables.

The Social Security Act, referred to in subsecs. (a)(7)(B) and (b)(1)(B), is act Aug. 14, 1935, ch. 531, 49 Stat. 620. Titles XVIII, XIX, and XXI of the Act are classified generally to this subchapter and subchapters XIX (§ 1396 et seq.) and XXI (§ 1397aa et seq.) of this chapter, respectively. Parts A and B of title XVIII of the Act are classified generally to parts A (§ 1395c et seq.) and B (§ 1395j et seq.) of this subchapter, respectively. For complete classification of this Act to the Code, see section 1305 of this title and Tables.

Codification

Section is comprised of section 105 of Pub. L. 114–10. Subsecs. (c) and (d) of section 105 of Pub. L. 114–10 amended section 1395kk of this title.

Section was enacted as part of the Medicare Access and CHIP Reauthorization Act of 2015, and not as part of the Social Security Act which comprises this chapter.



[1]  So in original. The comma probably should not appear.

[2]  So in original. Probably should be preceded by “the”.

[3]  So in original. Probably should be “1395kk(e)(2)).”