Open Payments System 2.0

The Open Payments provisions were included in the Patient Protection and Affordable Care Act (ACA) of 2009 (H.R. 3590, Section 6002) which was signed into law on March 23, 2010. The regulation requires applicable manufacturers and applicable Group Purchasing Organizations (GPOs) to annually report payments and other transfers of value made to Physicians and Teaching Hospitals (THs), including certain information regarding the ownership or investment interests held by Physicians or their immediate family members. CMS is required to compile the submitted data and publish it on a public website.

Program Goal:

Greater visibility into the financial relationships between covered recipients      (Physicians and Teaching Hospitals) and applicable manufacturers and group purchasing organizations (AM/GPO).

 To achieve this goal, CMS envisions the following scope:

• Complete, accurate, and timely data submissions from applicable manufacturers and GPOs on behalf of covered recipients
• Data interoperability and ability to aggregate and report across submissions and other CMS and commercial data sources.
• Minimize the burden for program participants and promote transparency for the general public.
• Robust data management practices to support future audits and penalties

OPS 2.0 collects information about physicians such as their name, medical practice information, Job Title and Employee Identification Number (EIN), business address, email address, primary practice address (if outside the United States), business phone number, state medical license, National Provider Identifier (NPI) and nature of payments received.

The nature of payment categories are as follows: consulting fees; compensation for services other than consulting, including serving as faculty or as a speaker at an event other than a continuing education program; gifts or vacations; entertainment, like tickets to events; food and drinks; travel and lodging; educational expenses, including textbooks and continuing medical education courses; research activities; and ownership and investment interests in medical manufacturers or Group Purchasing Organization (GPO).

OPS 2.0 collects information about teaching hospitals that receive compensation from manufacturers and GPO such as hospital name, address, a designated contact person’s name, business email and telephone and types of payments. Types of payments are grants and space rental/facility rental fees.

OPS 2.0 has business information about the manufacturing companies and GPO that report into the system such as business name, address, and contact person(s) telephone and email.

In order to access OPS 2.0, a user must first register and log into the CMS Identity Management (IDM) web portal each time they wish to use OPS 2.0. IDM is the access control portal and is where user credentials are collected, stored and maintained. Then the user creates a user ID and password to access OPS while in the IDM portal.

The "users" include Physician, Physician's Authorized Representative, Teaching Hospital authorized officials, Teaching Hospital authorized representatives, Applicable Manufacturers and Applicable GPOs, Principal Investigators, and Contractors (Database Administrators (DBA), Developers, Help Desk, BA Team, and Testing Team).

The Open Payment System 2.0 (OPS 2.0) is a national disclosure program that promotes transparency on the financial relationships between the healthcare industry, Applicable Manufacturers (AM) and Group Purchasing Organizations (GPO), and healthcare providers, individual physicians and teaching hospitals. The OPS program information is publicly available on CMS' website, cms.gov/openpayments.

The information collected through OPS 2.0 from applicable manufacturers and GPOs is the company profile information to identify them as participants in the program. The information collected about physicians such as name, practice type, Job Title, EIN, business address, telephone and email, and the nature, context and number of payment. In addition, NPI and Medical License number is provided by the physicians. When registering in the Open Payments System 2.0  physicians must enter all of the state license numbers they hold, as well as their NPI number (if they have one). The Job Title is provided during entity user profile creation. The EIN is provided during entity profile creation. For teaching hospitals, the information is the name of the hospital, the physician involved and the address, telephone and contact for the hospital, along with the nature, context and amount of payments.

The nature of payments includes direct monetary payments and various non-monetary payments: compensation for services other than consulting, including serving as faculty or as a speaker at an event other than a continuing education program; gifts or vacations; entertainment, like tickets to events; food and drinks; travel and lodging; educational expenses, including textbooks and continuing medical education courses; research activities; and ownership and investment interests in medical manufacturers or GPO.

OPS 2.0 user credentials are collected and maintained by the Identity Management (IDM). IDM is external to OPS 2.0 and the Personally Identifiable Information (PII) within IDM is covered by a separate Privacy Impact Assessment (PIA). After initial log into the IDM system, a user inputs a user ID and password to gain access to OPS 2.0. Only the OPS 2.0 end users' IDM user ID is stored in Open Payments. The "users" include Physician, Physician's Authorized Representative, Teaching Hospital authorized officials, Teaching Hospital authorized representatives, Applicable Manufacturers and Applicable GPOs, Principal Investigators, and Contractors (DBA, Developers, Help Desk, BA Team, and Testing Team).

The Open Payments System 2.0 regularly uses PII to retrieve system records including using the first name, middle name, last name, IDM User ID, email address, phone number, physician NPI, and Physician License and License State about Physicians, Physician's Authorized Representative, Teaching Hospital authorized officials, Teaching Hospital authorized representatives, Applicable Manufacturers and Applicable GPOs, Principal Investigators, and Contractors (DBA, Developers, Help Desk, BA Team, and Testing Team).

• Name
• E-Mail Address
• Phone Numbers
• Mailing Address
• Other - Other: Job Title, Business Name, Business Address, Business Email, Business Phone Number, Physician License State and License Number(s), Primary practice address (if outside the United States), state medical license, National Provider Identifier (NPI), Employer Identification Number (EIN) and user credentials (user ID and password).

• Employees
• Public Citizens
• Vendors/Suppliers/Contractors
• Other - Teaching Hospitals

• In-Person
• Online

• Members of the Public
• Private Sector

When an individual creates a new user account in IDM, there is a "Consent to Monitoring & Collection of Personally Identifiable Information (PII)" introduction displayed on the Terms & Conditions page. The person can elect to "Decline" to accept the Terms and Conditions and then no account will be created. 

Then, each time a user accesses the login section of IDM, to access to OPS 2.0, there is a Terms and Conditions statement that the user must click the "I Agree" button to move forward. It states that their personal information is being collected.

The redress process in place to resolve a user's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate is for the user to contact the Help Desk via phone or email. Depending on the issue, the trouble ticket could be created by CMS IT Service Desk or the Open Payments Help Desk.

If it is a security incident, then the Help Desk, application team & infrastructure team work together to investigate further, identify a fix and ensure it is implemented/resolved.
If it is not a security incident, say, just the mailing address disclosed is incorrect, then the users can update the profile information themselves on the CMS Portal.

For the OPS 2.0 program participants such as applicable manufacturers, GPOs, teaching hospitals, the users update their own PII within the system. For example, if the physician's PII record within the OP application is inaccurate, the physician uses the Review and Dispute functionality of the OPS 2.0 application to get it corrected. The applicable manufacturer or GPO that created the record reviews the disputed information and works with physicians or teaching hospitals to review and correct or update any disputed information. The dispute resolution is captured within the OPS 2.0 and the information is updated.

Any incorrect data is corrected by the users themselves in the course of using the system, by updating whichever element is incorrect in their profile, like a name change or new telephone.

The integrity of PII is managed by firewalls and encryption layers. Full-device encryption is employed to protect the confidentiality and integrity of information on approved mobile devices.

Throughout the year, the OPS 2.0 allows the applicable manufacturers and GPOs to submit payment information via bulk file uploads. The physicians included in those reports have the ability to review and dispute any incorrect information about themselves.

The dispute and resolution functions of the OPS 2.0 system maintains the relevancy of PII in the system.

For the user credentials, the OPS 2.0 system administrators are responsible for maintaining the allowable/registered users by deleting, reactivating or confirming the user accounts. There are processes in place to review the current users between IDM and OPS 2.0 and eliminate any inactive accounts.

For the OPS 2.0 program participants such as applicable manufacturers, GPOs, teaching hospitals, the users update their own PII within the system. For example, if the physician's PII record within the OP application is inaccurate, the physician uses the Review and Dispute functionality of the OP application to get it corrected. The applicable manufacturer or GPO that created the record reviews the disputed information and works with physicians or teaching hospitals to review and correct or update any disputed information. The dispute resolution is captured within the OPS and the information is updated.

• Users: Users have access to their own PII in their accounts.
• Administrators: Administrators can view the PII during system administration function but don't change PII.
• Developers: Developers can view the PII during system administration function but don't change PII.
• Contractors: Contractors (Direct Contractors) can view the PII during system administration function but don't change PII.

OPS 2.0 contains both Financial and Provider/Health Plan records and is covered by the following records retention schedules:
Bucket 3, Financial Records, Financial Records (Programmatic) falls under DAA -0440-2015-004-001 and has a Temporary retention which is to Destroy no sooner than 7 years after cutoff but longer retention is authorized.
Bucket 6, Provider and Health Plan Records, falls under DAA-GRS-2013-005-003 which has a Temporary retention which is to Destroy no sooner than 7 years after cutoff but longer retention is authorized.

GRS 3.1, Item 51 General Technology Management Records. Data administration records. All documentation for temporary electronic records and documentation not necessary for preservation of permanent records, fall under DAA-GRS-2013-005-0003. These records have a Temporary retention of 5 years.

PII will be secured in the system using these administrative, technical, and physical controls. The administrative controls include inactivity timeout, more than one method of authentication required to verify user's identity, annual account reviews, and user trainings.

OPS 2.0 is part of a CMS Data Center and the access is controlled by cameras, biometrics readers and badge readers.  Also, personnel who no longer require authorization are promptly removed from all access lists.

The technical controls include firewalls to prevent unauthorized system access, encrypted access when users obtain the IDM authentication (approval) to log into the application and a tiered system architecture which means users can only log into the application but not into any test environment and the testing and active applications are not joined together.