Hospital Quality Reporting
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 5/1/2024
OPDIV: | CMS |
PIA Unique Identifier: | P-4576917-436091 |
Name: | Hospital Quality Reporting |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 2/26/2025 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | The Hospital Quality Reporting (HQR) application is now responsible for the Health Care Quality Analytics and Reporting (HCQAR) work that was brought into the HQR II contract. This work requires evaluating claims data for the HQR program measures, as well as for the Veterans Health Administration (VA) facilities participating in the Inpatient Quality Reporting (IQR) program. These claims are calculated to return scores at the facility level, and the results are provided via the HQR platform to authorized users before becoming available on the hqr.cms.gov Public Reporting preview UI, thirty days before being published on the public-facing Centers for Medicare & Medicaid Services (CMS) Care Compare site. To evaluate measures for the VA facilities and map to submitted Medicare claims, the Veterans Health Administration (VA) team provides HQR with beneficiaries' Social Security numbers in their patient file. We are working with the Veterans Health Administration (VA) to help them identify another unique identifier to send into the system for this mapping. |
Describe the purpose of the system | The Hospital Quality Reporting (HQR) system supports the Centers for Medicare and Medicaid Services (CMS) by providing a suite of applications developed to gather medical encounter data in order to calculate the legislatively mandated measures, validate and report those results for quality improvement opportunities, and provide scoring to support annual payment update (APU) determination for participation of acute care hospitals (ACH), critical access hospitals (CAH), rural emergency hospitals (REH), inpatient psychiatric facilities (IPF), prospective payment system (PPS) exempt cancer hospitals (PCH), ambulatory surgical centers (ASC), Veterans Health Administration (VA) and Department of Defense (DoD) facilities. This ensures collection/calculation and reporting for the following CMS payment programs: Inpatient Quality Reporting (IQR), Outpatient Quality Reporting (OQR), PCH Quality Reporting (PCHQR), IPF Quality Reporting (IPFQR), Promoting Interoperability (PI), REH Quality Reporting (REHQR), Hospital-Acquired Condition Reduction Program (HACRP), Hospital Readmission Reduction Program (HRRP), Hospital Value-Based Purchasing (HVBP), IQR/OQR/electronic clinical quality measure (eCQM) validation, Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS), Hybrid measures, and Public Reporting (PR). |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The following information is collected, maintained, and shared by Hospital Quality Reporting (HQR): HQR patient personal information, patient treatment information, treatment facility aggregated measure data, treatment facility information, and treatment facility personnel information. HQR patient personal information includes: CMS and their direct federal contractors also have access to HQR and supported programs by their contractual roles as administrators and developers. All HQR users access hqr.cms.gov via Health Care Quality Information Systems (HCQIS) Access Roles and Profile (HARP) authenticated username, password, and multifactor identification that is managed by the QualityNet (formerly HCQIS) Enterprise line of business (LOB). QualityNet is a CMS FISMA system covered by a separate PIA. The HQR system records user credentials upon login (username, name, and email). |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Hospital Quality Reporting (HQR) system performs measure calculation for several measures from data received directly from hospital organizations. The data submitted to the HQR system is either patient level data or submitted in aggregate for the patient population of that organization based upon the measure specifications provided by the Centers for Medicare & Medicaid Services (CMS). The HQR system also receives aggregate organization data from external sources, such as the Centers for Disease Control and Prevention (CDC). Additionally, the HQR system pulls Medicare claims data from the Centralized Data Repository (CDR), a CMS managed database. This data is used to evaluate and score hospitals' performance for each measure that is applicable to their organization, as well as provide scoring against all participating hospitals in their state and nation. The aggregated scores are shared with individual hospitals prior to being shared with the Care Compare website at https://www.medicare.gov/care-compare/ where the public can view the scores of their local facilities to be able to choose the best facility for their needs. The data used for calculations by the HQR system is determined by the measure specifications, most of which can be found at https://qualitynet.cms.gov/ or https://ecqi.healthit.gov/. Measures calculated by the system, whether from patient level or facility level data, are submitted in the following measure types:
Chart Abstracted Measures. This data is received by the system in patient level data files and population data.
Claims-based Measures/eligible claims. Part A, Part B, and Part D claims data is retrieved from Centers for Medicare & Medicaid Services (CMS) claims databases, post facility submission and payment for covered services, to calculate the claims-based measures and provide facilities the counts of claims submitted for a given time. This data includes patient demographics (name, birthdate, date of death, sex), medical records information (procedure, medical treatment, encounter dates, diagnoses), Medicare Beneficiary Identification number (MBI), Health Insurance Claim Number (HICN), Social Security Number (SSN), and cost information per the measure specifications. Claims-based measures are calculated at the facility, state, and national levels for public reporting on the Care Compare site, and some measures are used for risk adjustment, which impacts Annual Payment Updates (APU). HICNs are being stored in the system for previous reporting periods for claims-based measures but are not currently being accepted. SSNs are only used to evaluate claims-based measures for VA hospitals to map to Medicare claims in the system. In the future, Part C data will also be used to calculate these measures.
eCQM Measures/Hybrid measures. eCQM measures are submitted in a format that is equal to an electronic version of a medical chart that contains data including patient demographic data (Name, Mailing Address, Date of Birth, Email, race/ethnicity, sex), Measure data, Provider/Vendor data (CMS Certification Number, National Provider Identifier), Encounter Data (Admission Date, Discharge Date, Procedure codes, International Classification of Diseases (ICD-10) diagnostic codes, lab results, medical record number), and Payer information (Medicare Beneficiary Identification number (MBI), private health insurance information). This data is evaluated against the measure specifications to calculate the quality of care provided to the patient, and then aggregated to provide the facility, state, and national rates. This data is stored for validation purposes and public reporting on the Care Compare site.
Survey data - Provider and Vendor demographics include Hospital name, CMS Certification Number (CCN), National Provider Identifier (NPI), Mailing Address, Email, and contact telephone. This data is collected to ensure active status of providers and vendors, as needed for access and permissions to the HQR system, and for program requirements of participation. In addition, the data collected also provides CMS the information needed to measure and improve the quality of care of CMS’s HQR programs for future measures.
PII - HQR uses PII to retrieve system records for the Claims product mentioned above. This includes using the first name, last name, MBI, SSN (VA only), and Date of Birth (DOB) to identify claims related to measure data submissions. The HQR system currently uses the CMS IDR Medicare database for payment cost measures, but most of the claims data is obtained through the Centralized Data Repository (CDR). All SORN notices have been included in question 22a for current and future claims data sources. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | PII is collected to accurately attribute a medical record to a specific individual for the purpose of tracking medical history electronically, evaluating the quality of care provided, scoring at the facility level, stratifying scores, and then issuing incentives to providers accordingly. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | PII that is collected in the HQR System is shared in the Centralized Data Repository (CDR), which provides controlled access to authorized users based on their CMS Data Use Agreement (DUA). This access is managed by a separate CMS-accredited system with its own PIA. |
Describe the function of the SSN. | The Social Security Number (SSN) is used to uniquely identify Veterans Health Administration (VA) patients in the Centralized Data Repository (CDR) and map them to Medicare claims in order to accurately calculate measures for the VA. |
Cite the legal authority to use the SSN. | Executive Order 9397 and Sections 226A, 1875 and 1881 of the Social Security Act; Title 42 U.S.C., sections 426-1, 1395ll and 1395rr |
Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for maintenance of the system is given under §§ 226, 226A, 1811, 1818, 1818A, 1831, 1833(a)(1)(A), 1836, 1837, 1838, 1843, 1866, 1876, 1881, and 1902(a)(6) of the Act and Title 42 United States Code (U.S.C.) 426, 426–1, 1395c, 1395cc, 1395i–2, 1395i–2a, 1395j, 1395l, 1395mm, 1395o, 1395p, 1395q, 1395rr, 1395v, 1396a, and Section 101 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L. 108–173) (Regulations at 42 CFR Parts 403, 411, 417 and 423) |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Medicare Integrated Data Repository (IDR): 09-70-0571 Centralized Data Repository (CDR): |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources |
|
Identify the OMB information collection approval number and expiration date | OMB 0938-1022 expires 01/31/2026 |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The PII collection is done at the facility level and not directly by the Hospital Quality Reporting (HQR) system. Users/Patients are given a consent form stating the uses of their PII. Notice is the responsibility of the facility. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The collection of PII is done at the physician and facility level and not directly by the HQR system. Facilities are responsible for providing methods for individuals to opt-out of collection or use of PII. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Facilities are responsible for providing notices and obtaining consent when major changes occur to their systems. System users' credential information is collected and managed by Health Care Quality Information Systems (HCQIS) Access Roles and Profile (HARP). HQR users consent to the usage of PII during the HARP registration process to obtain user credentials. Users are notified of any major changes by HARP. Any changes to permissions within the HQR system are completed by the Access Management process, which is approved by the organization's Security Administrator/Security Official. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals with concerns about their PII collection and disclosure would contact their local Quality Improvement Organization (QIO) and Security Point of Contact (SPOC) at the facility where they received care. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The PII within the HQR program is validated for integrity, availability, accuracy, and relevancy by input from hospitals for quality reporting. Any incorrect data is corrected, while using the system, by updating whichever elements are incorrect, such as a name change or a new telephone number or email address. HQR Administrators, who have access to PII, perform reconciliation of the eligibility information on an ongoing basis. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to PII is granted using the principles of least privilege and need to know; users are only granted access to PII based on the job responsibilities needed to perform their assigned duties. Role creation involves an analysis of the role definition and type of access. HQR users must register for a Health Care Quality Information Systems (HCQIS) Access Roles and Profile (HARP) ID, which requires a username, password, and multifactor authentication. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Access is defined in the specific HQR Program's participation prospective payment rules, which state that the Security Officials (SO) are responsible for maintaining secure access to their organization's data. A system user fills out the Production Request form, entering the specific database/environment they need access to and the access level that is necessary to perform their job. These requests are then approved or disapproved by CMS approvers. Security information and event management (SIEM) tools are used to monitor access and detect anomalies. Any anomalies are addressed and resolved by contacting the user, modifying their user access, or removing their access if no longer required. Activities of all users, including system administrators, are logged and reviewed to identify abnormal activities. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Security and privacy awareness training is provided to each user on an annual basis. All users are required to complete training to obtain a user account and annually thereafter. Required training includes annual Department of Health and Human Services (HHS) Information Systems Security Awareness Training, annual HHS Privacy Training, and reading and attesting to the Rules of Behavior for Use of HHS Information Resources (HHS RoB). |
Describe training system users receive (above and beyond general security and privacy awareness training) | Role-based training is required for those with significant information security and privacy responsibilities. HQR system administrators, developers and direct contractors are required to complete annual role-based training. A sample list of role-based training includes Incident Response exercises and Contingency Planning exercises. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | HQR follows the CMS Record Schedule, published April 2015, under the Health Care Quality Improvement Systems (HCQIS), more specifically the Center for Clinical Standards and Quality (CCSQ) File Plan. The disposal authority for HQR is National Archives and Records Administration (NARA) N1-440-09-003, which calls for destruction of data after 10 years, or when no longer needed for Agency business, whichever is later. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative controls include annual security and privacy training for the proper handling of information, configuration management, change management, periodic review of users and deletion or revoking of user accounts. Technical controls include multi-factor authentication, session locks, encryption, firewalls, vulnerability scans, penetration testing, and monitoring. Physical controls include a secure AWS data center, video surveillance, intrusion detection systems, uninterruptible power supply (UPS), back-up generators, environmental controls to maintain a constant operating temperature, smoke detection sensors, and sprinkler systems. |