Skip to main content

Hospital Quality Reporting

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 5/1/2024

View all CMS PIAs
OPDIV:CMS
PIA Unique Identifier:P-4576917-436091
Name:Hospital Quality Reporting
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?No
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization2/26/2025
Indicate the following reason(s) for updating this PIA. Choose from the following options.PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.The Hospital Quality Reporting (HQR) application is now responsible for the Health Care Quality Analytics and Reporting (HCQAR) work, that was brought into the HQR II contract. This work requires evaluating claims data for the HQR program measures, as well as the Veteran's Health Administration (VA) facilities participating in the Inpatient Quality Reporting (IQR) program. These claims are calculated to return scores at the facility level, and the results are provided via the HQR platform to authorized users, prior to being available on the hqr.cms.gov Public Reporting preview UI thirty days prior to being published on the public facing Centers for Medicaid and Medicare Services (CMS) Care Compare site. To evaluate measures for the VA facilities and map to submitted Medicare claims, the Veteran's Health Administration (VA) team provides HQR beneficiaries social security numbers in their patient file. We are working with the Veteran's Health Administration (VA) to help them identify another unique identifier to send into the system for this mapping.
Describe the purpose of the system

The Hospital Quality Reporting (HQR) system supports the Centers for Medicare and Medicaid Services (CMS) by providing a suite of applications that are developed to gather medical encounter data to calculate the legislatively mandated measures, validate, and report those results for quality improvement opportunities, scoring to support annual payment update (APU) determination for participation of acute care hospitals (ACH), critical access hospitals (CAH), rural emergency hospitals (REH), inpatient psychiatric facilities (IPF), prospective payment system (PPS) exempt cancer hospitals (PCH), ambulatory surgical centers (ASC), Veteran's Health Administration (VA) and Department of Defense (DoD) facilities to ensure collection/calculation and reporting  for  the following CMS payment programs: Inpatient quality Reporting (IQR), Outpatient quality reporting (OQR), PCH quality reporting (PCHQR), IPF quality reporting (IPFQR), promoting interoperability (PI), REH quality reporting (REHQR),Hospital- Acquired Condition reduction program (HACRP), Hospital readmission reduction program (HRRP), Hospital Value-Based Purchasing (HVBP), IQR/OQR/electronic clinical quality measure (eCQM) validation, Hospital Consumer Assessment of Healthcare providers and systems (HCAHPS), Hybrid measures, and Public Reporting (PR).


Currently the HQR system collects data for approximately one hundred and twenty (120) clinical measures and supports the preview and publicly reporting of approximately three hundred and thirty (330) measures in each quarterly release.

The clinical and publicly reported measures that the HQR system is responsible for is determined in annual legislatively mandated rules for each program. Each year, CMS programs can add, remove, or modify the measures required for APU and PR. Based upon finalization of these rules, the HQR system is responsible for developmental activities to gather, receive, calculate, validate, and report these changes. CMS PPS rules are published on federalregister.gov.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The following information is collected, maintained, and shared by Hospital Quality Reporting (HQR): HQR patient personal information, patient treatment information, treatment facility aggregated measure data, treatment facility information, and treatment facility personnel information. HQR patient personal information includes:
Medical records to also include patient demographic information, insurance/payer information including unique patient identifier account number, cost data, facility information including key personnel.

CMS and their direct federal contractors also have access to HQR and supported programs by their contractual roles as administrators and developers.

All HQR users’ access hqr.cms.gov via Health Care Quality Information Systems (HCQIS) Access Roles and Profile (HARP) authenticated username, password, and multifactor identification that is managed by the QualityNet (formerly HCQIS) Enterprise line of business (LOB). QualityNet is a CMS FISMA system covered by a separate PIA. The HQR system records user credentials upon login (username, name, and email).

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Hospital Quality Reporting (HQR) system performs measure calculation for several measures from data received directly from hospital organizations. The data submitted to the HQR system is either patient level data or submitted in aggregate for the patient population of that organization based upon the measure specifications provided by the Centers for Medicare & Medicaid Services (CMS). The HQR system also receives aggregate organization data from external sources, such as the Centers for Disease Control and Prevention (CDC).

Additionally, the HQR system pulls Medicare claims data from the Centralized Data Repository (CDR), a CMS managed data base. This data is used to evaluate and score hospitals performance for each measure that is applicable to their organization, as well as provide scoring against all participating hospitals in their state and nation. The aggregated scores are shared with individual hospitals prior to being shared with the Care Compare website at https://www.medicare.gov/care-compare/ where the public can view the scores of their local facilities to be able to choose the best facility for their needs. The data used for calculations by the HQR system is determined by the measure specifications, most can be found here https://qualitynet.cms.gov/ or here https://ecqi.healthit.gov/. 

Measures calculated by the system, whether it be from patient level or facility level data, are submitted in the following measure types:


Structural Measures/ Web-based Measures/ Attestation Measures/Center for Disease Control (CDC) Hospital Acquired Infection (HAI), CDC Flu Vaccination Immunization, CDC Covid Vaccination Immunization. This is aggregated data at the facility level and contains no Personal Identifiable Information (PII)/Protected Health Information (PHI) and comes in the form of a denominator (total population) and numerator (total affected population), yes/no responses, or pre-calculated facility rate information. The CCN and submission quarter is collected and stored with the aggregated data along with the submitter information.

Chart Abstracted Measures. This data is received by the system in patient level data files and population data.
The patient level data includes Name, Date of Birth, race/ethnicity, sex, Measure data (Measure Sets, Individual Measures), Provider/Vendor data (CMS Certification Number, National Provider Identifier), Encounter Data (Admission Date, Discharge Date, Diagnosis codes, Procedure codes). This data is used to calculate the quality of care provided to the patient, and then aggregated to provide the facility, state, and national rates. This data is stored for validation purposes and public reporting on the Care Compare site.
Population data is provided, but it does not include PII/PHI. It provides CMS an understanding of the total population that care was provided for a given measure population, and how many actual cases were reported to CMS per the measure requirements. This information is reported to the facilities and CMS but is not shared publicly.

Claims-based Measures/ eligible claims. Part A, Part B, and Part D claims data is retrieved from Center for Medicare and Medicaid (CMS) claims data bases, post facility submission and payment for covered services to calculate the claims-based measures and provide facilities the counts of claims submitted for a given time. This data includes patient demographics (name, birthdate, date of death, sex, medical records information (procedure, medical treatment, encounter dates, diagnoses), Medicare Beneficiary Identification number (MBI), Health Insurance Claim Number (HICN), Social Security Number (SSN), and cost information per the measure specifications. Claims-based measures are calculated at the facility, state, and nationally for public reporting on the Care Compare site, and some measures are used for risk adjustment which impact Annual Payment Updates (APU). HICN are being stored in the system for previous reporting periods for claims-based measures but are not currently being accepted. SSN are only used to evaluate claims-based measures for VA hospitals to map to Medicare claims in the system. In the future, Part C data will also be used to calculate these measures.

eCQM Measures/ Hybrid measures.  eCQM measures are submitted in a format that is equal to an electronic version of a medical chart that contains data including patient demographic data (Name, Mailing Address, Date of Birth, Email, race/ethnicity, sex), Measure data , Provider/Vendor data (CMS Certification Number, National Provider Identifier), Encounter Data (Admission Date, Discharge Date, Procedure codes, International Classification of Diseases (ICD-10) diagnostic codes, lab results, medical record number), Payer information (Medicare Beneficiary Identification number (MBI), private health insurance information). This data is used to evaluate against the measure specifications to calculate the quality of care provided to the patient, and then aggregated to provide the facility, state, and national rates. This data is stored for validation purposes and public reporting on the Care Compare site.
Hybrid measures are a combination of eCQM measures and claims-based measures. To calculate these measures, the data that is obtained from the eCQM file submission is mapped to Medicare claims in to achieve a risk adjusted outcome for the hospital based upon its patient population.

Survey data-
HCAHPS Survey data includes Patient satisfaction survey responses on aspects of the hospital experience such as communication with doctors, communication with nurses, responsiveness of hospital staff, cleanliness of the hospital environment, quietness of the hospital environment, pain management, communication about medicines, discharge information, overall rating of hospital, and recommendation of hospital. This information is aggregated and reported through to the Care Compare site.
Patient reported outcomes data includes patient demographics (height, weight, birth date) procedure type, procedure date, Medicare Beneficiary Identification number (MBI), patient evaluation of pain and activities of daily life (ADLs) for pre and post procedure. This data is used to map to claims to evaluate the patient reported experience of wellness prior to and after an elective surgical procedure to provide facility level outcomes. While this data is being collected and stored, it is not currently being shared as an overall score of the facility.

Provider and Vendor demographics include Hospital name, CMS Certification Number (CCN), National Provider Identifier (NPI), Mailing Address, Email, contact telephone. This data is collected to ensure active status of providers and vendors, as needed for access and permissions to the HQR system, and for program requirements of participation.

In addition, the data collected also provides CMS the information needed to measure and improve the quality care of CMS’s HQR programs for future measures. 

PII - HQR uses PII to retrieve system records for the Claims product mentioned above. This includes using the first name, last name, MBI, SSN (VA only), and Date of Birth (DOB) to identify claims related to measure data submissions. The HQR system currently uses the CMS IDR Medicare database for payment cost measures, but most of the claim's data is obtained through the Centralized Data Repository CDR. All SORN notices have been included in question 22a for current and future claims data sources.

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • E-Mail Address
  • Phone Numbers
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Employment Status
  • Date of Death
  • Other - Patient level data: Medicare Beneficiary Health Identification Number (MBI), CMS Certification Number (CCN), National Provider Identifier (NPI), Health Insurance Claim Number (HICN), Payer information HARP Account Credentials (User ID, name, email) and associated HQR permissions that are managed through the access management application. Medical records information: encounter dates, procedure date, procedure codes, diagnostic codes, lab results, Patient demographic data, claims data, claim payment cost information, claim number. It also collects facility information, including name, location type of facility, services provided and including name, location, type of facility, the services provided (number and type of treatment) and facility personnel information (name, facility email and phone number, position, and employee status)
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Patients
  • Other - User credentials that may contain PII are stored in the system for auditing purposes. This can include employees, public citizens working within an organization submitted patient data, or direct contractors accessing the system. Login information is shared in the Centralized Data Repository (CDR).
How many individuals' PII in the system?1,000,000 or more
For what primary purpose is the PII used?PII is collected to accurately attribute a medical record to a specific individual for the purpose of tracking medical history electronically, evaluating the quality of care provided, scoring at the facility level, stratifying scores, and then issuing incentives to providers accordingly. 
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)PII that is collected in the HQR System is shared in the Centralized Data Repository (CDR) which provides controlled access to authorized users based on their CMS Data Use Agreement (DUA). This access is managed by a separately CMS accredited system with its own PIA. 
Describe the function of the SSN.The Social Security Number (SSN) is used to uniquely identify Veteran's Health Administration (VA) patients in the Centralized Data Repository (CDR) to map to Medicare claims to accurately calculate measures for the VA.
Cite the legal authority to use the SSN.Executive order 9397 and Sections 226A, 1875 and 1881 of the Social Security Act; Title 42 U.S.C., section 426-1 1395II and 1395rr
Identify legal authorities​ governing information use and disclosure specific to the system and program.Authority for maintenance of the system is given under §§ 226, 226A, 1811, 1818, 1818A, 1831, 1833(a)(1)(A), 1836, 1837, 1838, 1843, 1866, 1876, 1881, and 1902(a)(6) of the Act and Title 42 United States Code (U.S.C.) 426, 426–1, 1395c, 1395cc, 1395i–2, 1395i– 2a, 1395j, 13951, 1395mm, 1395o, 1395p, 1395q, 1395rr, 1395v, 1396a, and Section 101 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L. 108– 173) (Regulations at 42 CFR Parts 403, 411, 417 and 423)
Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Medicare Integrated Data Repository (IDR): 09-70-0571

Centralized Data Repository (CDR):
SORN 09-70-0558
SORN 09-70-0553
SORN 09-70-0548
SORN 09-70-0548
SORN 09-70-0539
SORN 09-70-0528
SORN 09-70-0522
SORN 09-70-0502

Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • In-Person
  • Online
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • State/Local/Tribal
Identify the sources of PII in the system: Non-Government Sources
  • Private Sector
  • Other - Centralized Data Repository (CDR), Integrated Data Repository (IDR)
Identify the OMB information collection approval number and expiration dateOMB 0938-1022 expires 01/31/2026
Is the PII shared with other organizations?No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.The PII collection is done at the facility level and not directly by the Hospital Quality Reporting (HQR). Users/Patients are given a consent form stating the uses of their PII. Notice is the responsibility of the facility.
Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.The collection of PII is done at the physician and facility level and not directly by the HQR system. Facilities are responsible for providing methods for individuals to opt-out of collection or use of PII.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.Facilities are responsible to provide notices and obtain consent when major changes occur to their systems.

System user's credential information is collected and managed by Health Care Quality Information Systems (HARP). HQR users consent to the usage of PII during the HARP registration process to obtain user credentials. Users are notified of any major changes by HARP. Any changes to permissions within the HQR system are completed by the Access Management process, which is approved by the organizations Security Administrator/Security Official.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.Individuals with concerns about their PII collection and disclosure would contact their local Quality Improvement Organization (QIO) and Security Point of Contact (SPOC) at the facility where they received care. 
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.The PII with HQR program is validated for integrity, availability, accuracy, and relevancy by input from hospitals for quality reporting. Any incorrect data is corrected, while using the system, by updating whichever elements are incorrect, such as name change or new telephone number or email address. HQR Administrators, who have access to PII, perform reconciliation of the eligibility information on an ongoing basis.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Health Care providers will have access to PII pertaining to Health Service Encounters (HSE) they perform. HQR users have access to the PII in the system to register, handle patient billing, and maintain patient records in HQR programs. CMS users have access to data for all HQR programs.
  • Administrators: Database administrators and database personnel may have access to maintain the system and create the exports of the information from the system, as necessary. System administrators would not have access to PII, except on a limited, by exception basis.
  • Developers: Four developers have access to claims data for CMS program reporting services.
  • Contractors:  CMS direct contractors, in their roles as database and systems administrators, may have access to the PII for the purpose of troubleshooting and maintaining the system and creating export data.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to PII is granted using the principles of least privilege and need to know; users are only granted access to PII based on their job responsibilities needed to perform their assigned duties. Role creation involves an analysis for the role definition and type of access.

HQR users must register for a Health Care Quality Information Systems (HCQIS) Access Roles and Profile (HARP) ID, that requires user name, password, and multifactor authentication.
After the individual is approved for a user ID, to access hqr.cms.gov, the person must request access to an organization (or alternatively the organizations Security Official (SO) can add the user by HARP ID), and is assigned a role which determines the amount, and type, of information that is accessible and visible to the user.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Access is defined in the specific HQR Program's participation prospective payment rules and state that the Security officials (SO) are responsible for maintaining secure access to their organization's data.

A system user fills out the Production Request form, they enter the specific database/environment they need access to and the access level that is necessary to perform their job. These are then approved or disapproved by CMS approvers.

Security information and event management (SIEM) tools are used to monitor access and detect anomalies. Any anomalies are addressed and resolved by contacting the user, modifying their user access, or by removing their access if no longer required. Activities of all users including system administrators are logged and reviewed to identify abnormal activities.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Security and privacy awareness training is provided to each user on an annual basis. All users are required to complete training to obtain a user account and annually thereafter.

Required training includes annual Department of Health and Human Services (HHS) Information Systems Security Awareness Training, annual HHS Privacy Training, reading, and attesting to the Rules of Behavior for Use of HHS Information Resources (HHS RoB).

Describe training system users receive (above and beyond general security and privacy awareness training)

Role-based training is required for those with significant information security and privacy responsibilities.  HQR system administrators, developers and direct contractors are required to complete annual role-based training.

A sample list of role-based training includes Incident Response exercises, Contingency Planning exercises.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.HQR follows the CMS Record Schedule, published April 2015, under the Health Care Quality Improvement Systems (HCQIS) more specifically the Center for Clinical Standards and Quality (CCSQ) File Plan. The disposal authority for HQR is National Archives and Records Administration (NARA) N1-440-09-003 and calls for destruction of data after 10 years, or when no longer needed for Agency business, whichever is later.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative controls include annual security and privacy training for the proper handling of information, configuration management, change management, periodic review of users and deletion or revoking of user accounts.

Technical controls include multi-factor authentication, session locks, encryption, firewalls, vulnerability scans, penetration testing, and monitoring.

Physical controls include a secure AWS data center, video surveillance, intrusion detection systems, uninterruptible power supply (UPS), back-up generators, environmental controls to maintain a constant operating temperature, smoke detection sensors, and sprinkler systems.