CMS-10501 - HFFP Supporting Statement - Final 2018

CMS-10501 - HFFP Supporting Statement - Final 2018.docx

Healthcare Fraud Prevention Partnership (HFPP): Data Sharing and Information Exchange (CMS-10501)

OMB: 0938-1251

Document [docx]
Download: docx | pdf

REVISED - SUPPORTING STATEMENT A

Supporting Statement for Healthcare Fraud Prevention Partnership

(HFPP) Data Sharing and Information Exchange CMS-10501

OMB Control Number: 0938-1251)


  1. BACKGROUND

The Healthcare Fraud Prevention Partnership (HFPP) is a voluntary, public-private partnership between the federal government, state and local Medicaid agencies, law enforcement, private health insurance plans, and healthcare anti-fraud associations to identify and reduce fraud, waste, and abuse across the healthcare sector. (The current list of 115 partners can be accessed at https://hfpp.cms.gov/about/current-partners.html.) Since inception of the HFPP in 2012, private and public payers have been combining claims data for the purpose of conducting cross-payer studies to detect potentially fraudulent providers and activities. In addition, the HFPP has provided a venue for the sharing of information and schemes across a variety of private and public entities.


B. JUSTIFICATION



  1. Need and Legal Basis



  1. Legal Authority


The statutory authority for the HFPP is section 1128C(a)(2) of the Social Security Act [42 U.S.C. § 1320a-7c(a)(2)], which provides that, as part of establishing a Fraud and Abuse Control Program, the Secretary of HHS and Attorney General shall consult with and arrange for the sharing of data with representatives of health plans. The HFPP was officially established by a Charter in the fall of 2012 and signed by the HHS Secretary and US Attorney General. A re-delegation of the authority vested in the Secretary under this section was made from the HHS Secretary to the Centers for Medicare & Medicaid Services (CMS) Administrator in 2013.



  1. Role of the Trusted Third Party



Federal, state and private partners undertake various activities related to the HFPP, including the performance of cross-payer studies using combined claim datasets, in-person and virtual information-sharing activities, and the development of informational papers on emerging areas of mutual concern. The undertaking of any of these activities requires the regular collection and commingling of private and public data and information from HFPP partners to a Trusted Third Party (TTP).

The TTP is a federal contractor that functions as a “common data aggregator” under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules. Partners execute Memorandums of Understanding and Data Sharing Agreements with the TTP signaling their intent to retain control over their claims data throughout their participation in the HFPP and to keep confidential information gathered through HFPP activities. Neither CMS nor any other federal agency have the right, under documents governing the HFPP, to access the claims data submitted by other partners, nor can the records collected by the TTP be used for any commercial purposes. 



  1. HFPP Cross-Payer Studies



For purposes of HFPP cross-payer studies, the TTP analyzes participating entities’ health insurance claims data, which is voluntarily sent in a generalized data call in a format of the participating entities choosing. The amount of and nature of information and data that Partners share with the TTP are voluntary and subject to Partner discretion. Partners that participate in HFPP studies are provided a list of data elements that may be submitted for purposes of cross-payer analyses, including personally identifiable information (PII) and protected health information (PHI). (To date, the TTP has collected claims data that is submitted on a CMS-1500 form. The type of claims information that will be collected in the future will include pharmacy and institutional data. Sample data elements are included in Appendix B.



The study process includes data acquisition, normalization, and merging; quality assurance; cross-payer analysis; documentation; and reporting. Depending on the type of question posed by a study, the activities undertaken may include quantitative data analyses, qualitative data analyses, outlier analyses, clustering/grouping, entity resolution, trend analyses, time series analyses, networking analyses, trending, statistical summarization, and more.

After conducting the analyses, the TTP produces several possible outputs, including a general summary and lessons learned, partner-specific summary reports for each partner that submits claims data, and partner-specific detailed reports for those participating in a study. These reports are de-identified so that participating entities are not able to ascertain the original source(s) of the data.



  1. Information-Sharing Activities



Through a variety of information-sharing activities, including in-person and virtual events, provider and fraud scheme alerts, and informational papers, the TTP collects and distributes information so that partners can leverage their collective experiences in combating healthcare fraud. These activities can be used to collaborate on best practices, identify and develop fraud leads, discuss study results, and develop relationships with peers and leading anti-fraud experts.



For example, over approximately the past year, the HFPP has generated over 60 Provider Alerts that include case summary descriptions and provider identifier information and over 10 Fraud Scheme notifications that include a general description of the identified scheme, including CPT and/or HCPCS codes. The HFPP also held four Regional Information Sharing Sessions, one General Assembly, and one Executive Board meeting.



  1. Outcomes Collections



The TTP also collects information from the partners regarding the outcomes achieved from their participation in the HFPP. This includes such metrics as the recoveries that have been collected, savings achieved, administrative actions taken, and law enforcement referrals made as a result of participation in the HFPP. Approximately $329 million in savings has been voluntarily reported by HFPP partners to the TTP.

2. Information Users

HFPP partners are responsible for data sharing and information exchange to address fraud, waste, and abuse issues of mutual concern. Current HFPP partners include private insurers; CMS and other federal agencies, such as the Department of Health and Human Services Office of Inspector General (HHS-OIG), Department of Justice (DOJ), and Federal Bureau of Investigation (FBI); state and local agencies; and antifraud associations. (The current list of 115 partners can be accessed at https://hfpp.cms.gov/about/current-partners.html.) As previously indicated, although the information is collected by the TTP, a federal contractor, neither CMS nor any other federal agency have the right, under documents governing the HFPP, to access such records, nor can the records collected by the TTP be used for any commercial purposes. 




3. Use of Information Technology



All claims data will be collected in electronic format.

4. Duplication of Efforts

This collection and sharing of data does not duplicate any other effort and the information cannot be obtained from any other source.

  1. Small Business

There is no burden on small businesses.

  1. Less Frequent Collection

There are no consequences to less frequent collection.

  1. Special Circumstances

There are no special Circumstances.

8. Federal Register Notice/Prior Consultation

The 60-day notice published in the Federal Register on January 19, 2017 (82 FR 6559).

A total of two (2) comments were received. Responses for those comments can be found in Appendix A of the ICR submission.

A 30-day Notice will publish in the Federal Register on April 6, 2017 (82 FR 16844).

No additional outside consultation was sought.

9. Payments/Gifts to Respondents

There are no payments or gifts to partners.

10. Confidentiality

We pledge privacy to the extent allowed by law. The CMS Privacy Officer reviewed this collection and concluded that a System of Record (SORN) for the data systems involved in the program was not required. Information will be safeguarded in accordance with Departmental standards and National Institute of Standards and Technology (NIST)

Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations which limits access to only authorized personnel. The safeguards shall provide a level of security as required by Office of Management and Budget (OMB) Circular No. A-130 (revised), Appendix III – Security of Federal Automated Information Systems.

In addition to the above, although the TTP system has passed the CMS Security Controls Assessment (SCA) and obtained its Authority to Operate (ATO), the TTP has implemented additional controls to enhance the security posture of its system adding additional layers of protection to the Government’s already robust security framework.

11. Sensitive Questions

This data collection does not contain information pertaining to sex, behavior, attitude, religious beliefs or any other matters that are considered private or sensitive in nature.

The HFPP TTP information technology (IT) system and infrastructure received its ATO in September 2016, allowing it to officially accept and store data that contains both PHI and PII data on behalf of the HFPP. The HFPP TTP infrastructure contains multiple zones segregated by layers of firewalls with intrusion detection and intrusion prevention capabilities to ensure the PHI and PII data is securely transferred, stored, and processed.

The HFPP TTP also received its Privacy Impact Assessment (PIA) that explicitly mentions and lists the exchange of PII and PHI.

In addition, the HFPP TTP IT infrastructure is housed within a Federal Risk

Authorization Management Program (FedRAMP) compliant cloud service provider

(CSP) that is wholly owned by the TTP. The CSP meets the Federal Information Security Management Act (FISMA) standard of “high”, the top level of FISMA classification and one that is used for the most mission critical government agency programs. The HFPP solution is currently rated at FISMA Moderate, the level required for systems that store PHI or PII data.

The TTP recognizes the challenges involved in obtaining approval to submit PHI and PII from its participating entities, but many studies and scenarios are impossible without this data. Examples of studies requiring the use of PHI and PII include, but are not limited to:

  • Billing for services for a diagnosis code outside of provider’s taxonomy

  • Beneficiary sharing across group practices for same services

  • False store front providers using stolen identities

  • Pharmacy prescriptions with no medical visit or no relevant diagnosis

  • Durable Medical Equipment claims with no relevant diagnosis

The TTP is prepared to collect a myriad of data points from the partners’ claims data including, but not limited to:

  • Member Social Security Number (SSN)

  • Member Sex

  • Member Data of Birth

  • Member State

  • Member Zip Code

  • Member Date of Death

Because the TTP will not have the member’s name or address anywhere in the data, the only option available to identify individuals across payers is to use the Social Security Number (SSN). Due to the sensitivity of SSNs, the TTP will use a one-way hashing technique that will generate a 32 character alphanumeric string to use as a unique HFPP Identification (ID) number. The hashing technique transforms the SSN in such a way that it is virtually impossible to reconstruct the original number from the HFPP ID. This approach eliminates the need to retain the SSN after initial processing yet allows the TTP to identify an individual, not a person, who is being billed under two or more payers. Combined with the other transformations of the input claims record, there will be no need for PII to be stored for processing.

12. Burden Estimates

The burden estimate for this PRA package is based on the amount of time it will take for Partners to submit data for and participate in HFPP cross-payer studies. CMS expects to implement various studies for the HFPP over the course of the 3-year approval. Each HFPP partner will voluntarily participate in the studies that are pertinent and effective in detecting fraud, waste, and abuse within its organization. It is noted that not all partners are data-sharing partners; only those who own their data and agree to share data are included in the studies. It is also estimated that approximately three (3) to five (5) new studies will be conducted per year.

Participating partners are requested to submit an original two-year data set using the data elements shown in Figure 1. After receipt of the two year data set, participating partners will then submit refreshed data in a periodic fashion (e.g., monthly, quarterly, bi-yearly) using the same data elements format they agreed upon with the TTP. (For purposes of this burden estimate, we have chosen to reflect the estimates of burden in a monthly format.) Participating entities will acquire an average annual burden of 160 hours of partner engagement and support based on an initial two year data pull followed by a monthly submission. The initial data pull will take 120 hours for year 1 with no burden hours associated with years 2 and 3 for an average of 40 hours annually. The burden hours for monthly submissions will be approximately 120 hours per year (Years 1, 2, and 3 or a total of 360 hours) per partner for an average annual burden of 120 hours. This includes burden hours necessary for data extract, quality assurance, definition resolution, and information/data transmission over the 3 year period. (Note that participating state partners are estimated to have an annual burden of 0 hours, as CMS has a contractual relationship with vendor(s) who are able to submit state Medicaid data on the behalf of most states.) The burden hour total is 7,200 hours or approximately 2,400 hours across three-years assuming 20 data-sharing Partners participating in each study.

Table 1 outlines the burden estimates0 that we foresee partners potentially experiencing:



Table 1: Estimate of Annual Burden Hours



Estimated

Average

Annual

Processing

Time for

Initial Data Pull (Per

Partner - in hours)

Estimated

Average Annual

Processing Time for Monthly

Submission –

Total Years 3 (Per

Partner - in hours)

Estimated

Partners per Study

Estimated Total Annual

Processing Time

All Partners (in hours)

Per Hour Rate of

Computer or

Information

Analyst (Code

15-1120)

Estimated Total

Processing Rate - Yearly

Data Extraction and

Submission – Year 1

Aggregate

120

120

20*

2,400

$87.12

$418,176

Data Extraction and Submission – Years 2 and 3

Aggregate

0

240

20*

4,800

$87.12

$418,176

Estimated Annual

Total Hours and Cost

Burden

120

360

20*

7,200

$87.12

$278,784

*Assumes 20 HFPP Partners participating in each study, excluding states.

13. Capital Costs

CMS is responsible for all costs to create a secure Partner Portal for HFPP and for creating a data repository for data collection and data analysis.

14. Costs to Federal Government

Costs to CMS to implement this program include administrative costs as well as costs of contractor support in various functional areas including technical and business services and products. The annual contractor support cost is $ 10,295,845.

15. Changes to Burden

The HFPP TTP is implementing a shift in the way studies are conducted for the purpose of detecting and deterring fraud, waste, and abuse among its partners. Moving to a framework with frequently updated data, including PHI and PII, the TTP will enable the HFPP to proactively identify vulnerabilities across participating entities in real time, significantly increasing the value of the HFPP to its partners. The TTP has developed a new process and expanded the set of data elements for submission by partners using a cloud environment and resources that allows it to analyze data that is stored in many formats in the same file. It also allows for the partners to choose how to provide the data taking advantage of files, formats, and processes that the partners’ IT departments are using, either with the Special Investigations Unit (SIU), other internal components, or with third parties.

As a result of this new streamlined process which incorporates procedures aimed at reducing the time and effort involved in retrieving claims data, the annual burden hours per partner has decreased from 1200 to 160 while allowing for the number of respondents to be increased from 15 to 20.



The centers anticipate this to be an ongoing collection and request OMB approval for an additional three years.

16. Publication and Tabulation Dates

Data will not be made available to the general public.

17. Expiration Date

The OMB control number and expiration date will be included on each data collection instrument (top of page 1).

0 Based on Bureau of Labor Statistics, Occupational Employment Statistics, Occupational Employment and Wages, May 2015. Includes fringe benefits calculated at 100% of base wage.

http://www.bls.gov/oes/current/oes_nat.htm

File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorCMS
File Modified0000-00-00
File Created2021-01-20

© 2024 OMB.report | Privacy Policy