The Centers for Medicare and Medicaid Services (CMS) just released a Notice of a New System of Records (SOR) to set forth details of the Open Payments system as required by the federal Privacy Act of 1974. An SOR is any record that is directly solicited, collected, and under control of a Federal agency from which there is a specific retrieval of information using a personal identifier. The Physician Payments Sunshine Act, as we know, requires CMS to publish a lot of personal information about physicians and pharmaceutical manufacturers, in a searchable list, starting September 30, 2014. The document includes language that CMS will be sharing information from the database with CMS and other government agencies for investigations and enforcement purposes.
The Privacy Act requires each agency to publish in the Federal Register a description of the type and character of each system of records that the agency maintains, and the routine uses that are contained in each system to make agency recordkeeping practices transparent, to notify individuals regarding the uses to which their records are put, and to assist individuals to more easily find such files within the agency. Before the Open Payments public system could lawfully operate, CMS was required to publish a SOR, which they did this past Friday.
Categories of Records in the System
Information collected about applicable manufacturers or applicable GPOs includes profile information for the company and users interacting with the Open Payments system on the applicable manufacturers or applicable GPOs’ behalf. Such information includes but may not be limited to user first name and last name, business contact information and job title.
Information collected about physicians in the Open Payments system includes but is not limited to physician’s name, specialty, business address, business phone number, National Provider Identifier (NPI) number, state license numbers, types and descriptions as to the nature and form of payments received from applicable manufacturers or applicable GPOs, amounts of payments, natures and context of payments and dates of payments.
With respect to payments that were made in relation to a particular covered drug, device, biological, or medical supply, the name of that covered drug, device, biological, or medical supply shall also be reported. With respect to physicians who hold certain ownership or investment interests in such manufacturers and/or GPOs, or who have immediate family members who hold such ownership or investment interests in such manufacturers and/or GPOs, collected information will include the dollar amount invested; the value and terms of such ownership or investment, and information pertaining to any payment or other transfer of value provided to a physician holding such an ownership interest.
Teaching hospital information also includes profile information for the users interacting with the Open Payments system on the hospital’s behalf. Such information includes but may not be limited to user’s first name and last name, business contact information, and job title.
According to the SOR, CMS may use the information from this system for a laundry list of things:
- Support regulatory, reimbursement, and policy functions performed by Agency contractors, consultants, or CMS grantees;
- Assist Federal agencies and their fiscal agents in performing the statutory functions of the Open Payments;
- Assist applicable manufacturers or applicable GPOs with the statutory reporting requirements;
- Comply with the requirements of 42 U.S.C. 1320a-7h, and publish the information submitted on a public website;
- Support research and program evaluation activities;
- Support litigation involving the agency;
- Assist with fraud, waste, and abuse detection and prevention activities;
- Assist agencies, entities, contractors, or persons tasked with the response and remedial efforts in the event of a breach of information, and
- Assist the U.S. Department of Homeland Security (DHS) cyber security personnel.
Retrieving Physician Information
Interested parties will be able to retrieve information about physicians and their authorized representatives through a variety of personal identifiers: physicians’ name, address, license number, or National Provider Identifier (NPI). Profile information about applicable manufacturer and GPO system users may be retrieved by these identifiers: applicable manufacturers or applicable GPOs’ DUNS, name and address. Information may be extracted through a backend database access or through a business intelligence reporting tool by authorized personnel.
CMS’ Security Safeguards
The SOR states: “Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.”
Furthermore: “Access to records in the Open Payments database system will be limited to CMS personnel and contractors through password security, encryption, firewalls, and secured operating system. Any electronic copies which contain information about an individual at CMS and contractor locations will be kept in secure electronic files.”
All records in the Open Payments database will be maintained for a period of up to 10 years from the end of the calendar year in which files were made publically available on CMS website.Any records that are needed longer, such as audit or other exceptions, will be retained until such matters are resolved.
Dispute Resolution Process
CMS notes that physicians, as well as members of their immediate families, will be notified by CMS via an online posting and notifications on CMS’s listservs. They may also register with CMS to receive notification about the review processes.
They remind physicians about the 45-day period to review data submitted about them and dispute its accuracy and completeness prior to the data becoming available to the public. According to CMS, once they receive notice of a resolved dispute, they will notify the physician that the additional information has been submitted and is available for review. CMS only updates the website “at least once annually with corrected information after the initial publication.”
Data Sharing
While this is not necessarily “new”–this is the first time that we are aware of in which CMS has explicitly said it will share Sunshine data with both DOJ and CMS (other divisions). CMS proposed to establish the following “routine use disclosures of information” maintained in the Open Payment system:
To provide information to the U.S. Department of Justice (DOJ), a court, or an adjudicatory body when (a) the Agency or any component thereof, or (b) any employee of the Agency in his or her official capacity, or (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee, or (d) the United State Government, is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court, or adjudicatory body is compatible with the purpose for which the agency collected the records.
To assist a CMS contractor (including, but not limited to Medicare Administrative Contractors fiscal intermediaries, and carriers) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such program.
Discussion
It is not clear how a “public database” could be considered private. There is concern amongst researchers in infectious disease that pharmaceutical and medical device companies hiring physicians and teaching hospitals to work on government funded programs such as an anthrax vaccine will be forced to disclose the names of those researchers to the public, potentially putting the program at risk. In the end we may all be asking what ever happened to “privacy.”