508_CMS-10522_Supporting_Statement_Part_A

508_CMS-10522_Supporting_Statement_Part_A.docx

Executive Summary Form for Research Identifiable Data (CMS-10522)

OMB: 0938-1276

Document [docx]

Download: docx | pdf

_Supp_o_r_ting_S_ta_te_m_e_n_t_–_P_a_r_t
A

_S_uppo_rting_State_m_e_n_t_fo_r_Pa_p_erwork_Re_d_u_cti_o_n_Act_S_ub_m_is_s_i_on_s

_A._Ba_c_k_g_r_o_un_d

The Centers for Medicare & Medicaid Services (CMS) is responsible for administering the Medicare, Medicaid and State Children's Health Insurance Programs. CMS collects data to support the Agency’s mission and operations. These data include information about Medicare beneficiaries, Medicare claims, Medicare providers, and Medicaid eligibility and claims. CMS discloses these identifiable data consistent with the routine uses identified in the Privacy Act Systems of Records notices that are published in the Federal Register and the limitations on uses and disclosures that are set out in the HIPAA Privacy Rule. Routine use is defined as the use of a record for a purpose that is compatible with the purpose for which it was collected.

All requests for identifiable data are received and reviewed by the Division of Privacy Operations & Compliance (DPOC) in the Office of E-Health Standards and Services. DPOC staff and the CMS Privacy Officer review the requests to determine if there is legal authorization for disclosure of the data. If legal authorization exists, the request is reviewed to ensure that the minimal data necessary is requested and approved for the project. Requests for identifiable data for research purposes must be submitted to and approved by the CMS

Privacy Board.

The Office of Information Products & Data Analysis (OIPDA) is the lead for the CMS Privacy

Board. To assist the CMS Privacy Board with its review of research data requests, OIPDA has developed the Executive Summary (ES) forms. The ES collects all the information that the CMS Privacy Board needs to review and make a determination on whether the request meets the requirements for release of identifiable data for research purposes. We currently have three versions of the ES Form and an ES Supplement for Requestors of the National Death Index (NDI) Causes of Death Variables. Each meets the need for a different type of requestor.

Form	Type of Requestors
Executive Summary for Research Identifiable Data	Most Requestors will use this. HHS Agencies, Non HHS Agencies, Non-Profits, Research Institutes, Colleges and Universities
State Executive Summary for Research Identifiable Data	States doing research.
Executive Summary for Research Identifiable Data for CMS Virtual Research Data Center(VRDC) Request	Requestors that will be accessing data through the CMS VRDC.

Executive Summary for Requestors of the

_N_D_I_C_a_us_e_s
of_Dea_th
V_a_ri_a_b_le

Any of the above requestors that need the NDI

_v_a_ri_a_bles.

Shape2 _B_._J_u_sti_f_ica_t_ion

_1._N_ee_d_a_nd_L_e_g_a_l_Ba_sis

All requests for identifiable data for research purposes must be reviewed and approved by the CMS Privacy Board, as documented in the Privacy Act and HIPAA. The CMS Privacy Board receives over 325 requests a year. The ES allows for a uniform format for the collection and review of the material needed to determine if a request meets the requirements for research disclosure under the Privacy Act and HIPAA. Previously, requestors submitted the information in their own format and it made it difficult and time consuming to review each request and determine if it met all the requirements.

_2._I_nfo_r_mation
Us_e_rs

The CMS Privacy Board will use the information in the ES to determine if a request meets the requirements for research disclosure under the Privacy Act and HIPAA. The ES will be used to answer the following questions:

Who is requesting the data?

What identifiable data is being requested? Why are they requesting the data?

How is the data going to be used? Who is funding this project?

Is the minimum data necessary being requested?

Is it feasible to obtain individual level authorization from Medicare/Medicaid beneficiaries for this project?

Does the request require the NDI data? How will the research findings be shared? How will the data be managed and protected?

The ES NDI Supplement will be used to answer questions directly related to the use of the

NDI variables.

_3._Use_of_I_nfo_r_mation
T_ec_hnolo_g_y

The ES is a PDF form that is completed electronically by the requestor and is submitted to CMS electronically as part of the data request package. The ES only requires a signature, if the project is funded by a commercial entity.

_4._Duplic_a_t_i_on
of_E_f_fo_r_ts

This information collection does not duplicate any other effort and the information cannot be obtained from any other source.

_5._S_mall_B_usiness_e_s

Not Applicable

_6._L_e_ss_F_r_e_qu_e_nt_C_ol_l_ec_t_i_on

CMS must have an ES for each research request for identifiable data. Without the ES, the request cannot be reviewed by the CMS Privacy Board.

_7._S_p_ec_ial
Cir_c_ums_t_a_n_ce_s

Not Applicable

_8._Fe_d_e_r_a_l_R_e_g_is_t_e_r/_O_uts_i_de_Consultation

The 60-day Federal Register notice published on July 11, 2014.

OIPDA has worked with two contractors in developing this form. The first contractor is the Research Data Assistance Center (ResDAC). The ResDAC Assistance Desk is located at the University of Minnesota and staffed by master's-level trained Technical Advisors. They provide technical assistance to researchers interested in using Medicare and/or Medicaid data.

The second contractor is MBL Technologies. CMS established the Data Privacy Safeguard Program to ensure that organizations to which CMS discloses identifiable data provide reasonable assurances on how data are protected, in accordance with CMS responsibilities under the Privacy Act and HIPAA Privacy Rule. As part of a researcher’s request for identifiable data, the Data Management Plan (DMP) of the ES asks researchers to outline the data privacy and security practices in place at their organization. MBL advise researchers in completing DMPs such that reasonable assurances are in place to protect CMS identifiable data used by research organizations.

ResDAC understands researchers and their projects and MLB understands data security, together they were able to assist OIPDA in developing an ES that is useful and easy to complete.

_9._P_a_y_{ments/Gifts
to}_R_e_spond_e_nts

Not Applicable

_10._Confid_e_nt_i_a_l_i_ty

CMS only collects this information for use by the CMS Privacy Board. The ES is not shared with anyone other than DPOC and the CMS Privacy Board. We pledge confidentiality to the information collected.

_11._S_e_nsi_t_ive_Q_u_e_st_i_ons

Not Applicable

_12._B_urd_e_n
Est_i_mat_e_s
(_H_ours
&_W_a_g_e_s)

Number of Respondents Annually 325 Average Frequency of Response 1 ES per Data Request Annual Hour Burden Up to 2 Hours per Request Annual Cost to Requestor $78.00 per Request

Total annual burden would be 325 respondents x 1 response per respondent x 2 hours per response = (325x1x2) = 650 hours.

Total annual cost would be 325 respondents x $78 per respondent = $25,350.

ResDAC works closely with the requestor to complete their request package to CMS. We worked with ResDAC to determine the average burden for completing the ES. The burden on requestors should not vary greatly and this average should cover all complexity of research requests. The requestors should already have the information for the ES from the

development of their research project. There is no additional cost burden other than completing the ES.

The ES is usually completed by a research assistant. We used the information in the

following link to help determine an average cost burden. We took the average assistant salary and figured the hourly rate.

_ht_t_p:_/_/o_i_r_a_.un_c_._e_du/f_ac_ul_t_y_-_s_a_la_r_ies_-a_t_-_r_e_s_ea_r_c_h_-a_nd_-aa_u_-_unive_r_si_t_ies.html

We have prepared two Executive Summary Form 83 Part IIs to cover the different types of requestors that request CMS identifiable data.

_13._C_a_pi_t_a_l_C_osts

The requestors should already have the information for the ES as part of their research development. There is no additional cost burden other than completing the ES.

_14._Cost_t_o_Fe_d_e_r_a_l
Gov_e_rnm_e_nt

Without the ES, it may take a CMS Privacy Board member and DPOC analyst an hour or two to read through each requestor’s documentation to determine if the research requirements are being met. With the ES, a CMS Privacy Board member can review a research request in 15 minutes or less. We used the following link to determine the cost to CMS:

http://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/2013/general- schedule/dcb_h.pdf

	DPOC Analyst without ES (GS11)	2 Hours	$59.00
	CMS Privacy Board Review without ES (GS 13)	2 Hours	$85.00
	Total Annual Cost per request without ES		$144
	CMS Privacy Board Review with ES	¼ Hour	$11
	DPCO Analyst with ES	¼ Hour	$7
	Total Annual Cost per request with the ES		$18
15.	Changes to Burden
	This is a new information collection request.
16.	Publication/Tabulation Dates
	Not Applicable
17.	Expiration Date

CMS would like an exemption from displaying the expiration date as these forms are used on a continuing basis. To include an expiration date would result in having to discard a potentially large number of forms.

Shape1

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	CMS
File Modified	0000-00-00
File Created	2021-01-25