REVISED - SUPPORTING STATEMENT A
Supporting Statement for Healthcare Fraud Prevention Partnership
(HFPP) Data Sharing and Information Exchange
(CMS-10501/OMB Control Number: 0938-1251)
The Healthcare Fraud Prevention Partnership (HFPP) is a voluntary, public-private partnership between the federal government, state and local Medicaid agencies, law enforcement, private health insurance plans, and healthcare anti-fraud associations to identify and reduce fraud, waste, and abuse across the healthcare sector. (The current list of 205
partners can be accessed at https://hfpp.cms.gov/about/current-partners.html.) Since inception of the HFPP in 2012, private and public payers have been combining claims data for the purpose of conducting cross-payer studies to detect potentially fraudulent providers and activities. In addition, the HFPP has provided a venue for the sharing of information and schemes across a variety of private and public entities.
Legal Authority
The statutory authority for the HFPP is section 1128C(a)(2) of the Social Security Act [42 U.S.C. § 1320a-7c(a)(2)], which provides that, as part of establishing a Fraud and Abuse Control Program, the Secretary of HHS and Attorney General shall consult with and arrange for the sharing of data with representatives of health plans. The HFPP was officially established by a Charter in the fall of 2012 and signed by the HHS Secretary and US Attorney General. A re-delegation of the authority vested in the Secretary under this section was made from the HHS Secretary to the Centers for Medicare & Medicaid Services (CMS) Administrator in 2013. In December 2020, President Trump signed into law H.R.133 - Consolidated Appropriations Act, 2021, which amended Section 1128C(a) of the Social Security Act (42 U.S.C. 1320a–7c(a)) providing explicit statutory authority for the Healthcare Fraud Prevention Partnership including the potential expansion of the public-private partnership analyses. The hyperlink to H.R.133 – Consolidated Appropriations Act, 2021 is https://www.congress.gov/bill/116th-congress/house-bill/133/text/eah.
Role of the Trusted Third Party
Federal, state, and private partners undertake various activities related to the HFPP, including the performance of cross-payer studies using combined claim datasets, in-person, and virtual information-sharing activities, and the development of informational papers on emerging areas of mutual concern. The undertaking of any of these activities requires the regular collection and commingling of private and public data and information from HFPP partners to a Trusted Third Party (TTP).
The TTP is a federal contractor that functions as a “common data aggregator” under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules. Partners execute Memorandums of Understanding and Data Sharing Agreements with the TTP signaling their intent to retain control over their claims data throughout their participation in the HFPP and to keep confidential information gathered through HFPP activities. Neither CMS nor any other federal agency have the right, under documents governing the HFPP, to access the claims data submitted by other partners, nor can the records collected by the TTP be used for any commercial purposes.
HFPP Cross-Payer Studies
For purposes of HFPP cross-payer studies, the TTP analyzes participating entities’ health insurance claims data, which is voluntarily sent.. The amount of and nature of information and data that Partners share with the TTP are voluntary and subject to Partner discretion. Partners that participate in HFPP studies are provided a list of data elements (currently both professional data and institutional data) that may be submitted for purposes of cross-payer analyses, including personally identifiable information (PII) and protected health information (PHI). To date, the TTP has collected claims data that is submitted on a CMS-1500 form. The type of claims information that will be collected in the future will include pharmacy data. Sample data elements are included in Appendix B (professional and institutional data).
The study process includes data acquisition, normalization, and merging; quality assurance; cross-payer analysis; documentation; and reporting. Depending on the type of question posed by a study, the activities undertaken may include quantitative data analyses, qualitative data analyses, outlier analyses, clustering/grouping, entity resolution, trend analyses, time series analyses, networking analyses, trending, statistical summarization, and more.
After conducting the analyses, the TTP produces several possible outputs, including a general summary and lessons learned, partner-specific summary reports for each partner that submits claims data, and partner-specific detailed reports for those participating in a study. These reports are de-identified so that participating entities are not able to ascertain the original source(s) of the data.
Information-Sharing Activities
Through a variety of information-sharing activities, including in-person and virtual events, provider and fraud scheme alerts, and informational papers, the TTP collects and distributes information so that partners can leverage their collective experiences in combating healthcare fraud. These activities can be used to collaborate on best practices, identify and develop fraud leads, discuss study results, and develop relationships with peers and leading anti-fraud experts.
For example, over approximately the past year, the HFPP has generated over 61 Provider Alerts that include case summary descriptions and provider identifier information and over 5Fraud Scheme notifications that include a general description of the identified scheme, including CPT and/or HCPCS codes. The HFPP also held five Information Sharing Sessions,, several webinars focusing on studies and COVID-19, and one Executive Board meeting.
Outcomes Collections
The TTP also collects information from the partners regarding the outcomes achieved from their participation in the HFPP. This includes such metrics as the recoveries that have been collected, savings achieved, administrative actions taken, and law enforcement referrals made as a result of participation in the HFPP. Approximately $402 million in savings has been voluntarily reported by HFPP partners to the TTP.
HFPP partners are responsible for data sharing and information exchange to address fraud, waste, and abuse issues of mutual concern. Current HFPP partners include private insurers; CMS and other federal agencies, such as the Department of Health and Human Services Office of Inspector General (HHS-OIG), Department of Justice (DOJ), and Federal Bureau of Investigation (FBI); state and local Medicaid agencies; and antifraud associations. (The current list of 205 partners can be accessed at https://hfpp.cms.gov/about/current-partners.html.) As previously indicated, although the information is collected by the TTP, a federal contractor, neither CMS nor any other federal agency have the right, under documents governing the HFPP, to access such records, nor can the records collected by the TTP be used for any commercial purposes.
3. Use of Information Technology
All claims data will be collected in electronic format.
This collection and sharing of data does not duplicate any other effort and the information cannot be obtained from any other source.
Small Business
There is no burden on small businesses.
Less Frequent Collection
There are no consequences to less frequent collection.
Special Circumstances
There are no special Circumstances.
The 60-day notice published in the Federal Register on June 2, 2021, (86 FR 29584). A total of zero (0) comments were received.
A 30-day notice will publish in the Federal Register on ____________________.
No additional outside consultation was sought.
9. Payments/Gifts to Respondents
There are no payments or gifts to partners.
We pledge privacy to the extent allowed by law. The CMS Privacy Officer reviewed this collection and concluded that a System of Record (SORN) for the data systems involved in the program was not required. Information will be safeguarded in accordance with Departmental standards and National Institute of Standards and Technology (NIST)
Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations which limits access to only authorized personnel. The safeguards shall provide a level of security as required by Office of Management and Budget (OMB) Circular No. A-130 (revised), Appendix III – Security of Federal Automated Information Systems.
In addition to the above, although the TTP system has passed the CMS Adaptive Controls Test (ACT) and obtained its Authority to Operate (ATO), the TTP has implemented additional controls to enhance the security posture of its system adding additional layers of protection to the Government’s already robust security framework.
This data collection does not contain information pertaining to sex, behavior, attitude, religious beliefs or any other matters that are considered private or sensitive in nature.
The HFPP TTP information technology (IT) system and infrastructure received its new ATO in May 2020, (the first ATO was given in September 2016), allowing it to officially accept and store data that contains both PHI and PII data on behalf of the HFPP. The HFPP TTP infrastructure contains multiple zones segregated by layers of firewalls with intrusion detection and intrusion prevention capabilities to ensure the PHI and PII data is securely transferred, stored, and processed.
The HFPP TTP also received its Privacy Impact Assessment (PIA) that explicitly mentions and lists the exchange of PII and PHI.
In addition, the HFPP TTP IT infrastructure is housed within a Federal Risk
Authorization Management Program (FedRAMP) compliant cloud service provider
(CSP). The CSP meets the Federal Information Security Management Act (FISMA) standard of “high”, the top level of FISMA classification and one that is used for the most mission critical government agency programs. The HFPP solution is currently rated at FISMA Moderate, the level required for systems that store PHI or PII data.
The TTP recognizes the challenges involved in obtaining approval to submit PHI and PII from its participating entities, but many studies and scenarios are impossible without this data. Examples of studies requiring the use of PHI and PII include, but are not limited to:
Billing for services for a diagnosis code outside of provider’s taxonomy
Beneficiary sharing across group practices for same services
False store front providers using stolen identities
Pharmacy prescriptions with no medical visit or no relevant diagnosis
Durable Medical Equipment claims with no relevant diagnosis
The TTP is prepared to collect a myriad of data points from the partners’ claims data including, but not limited to:
Member Social Security Number (SSN)
Member Data of Birth
Member State
Member Zip Code
Member Date of Death
Because the TTP will not have the member’s name or address anywhere in the data, the only option available to identify individuals across payers is to use the Social Security Number (SSN). Due to the sensitivity of SSNs, the TTP will use a one-way hashing technique that will generate a 32 character alphanumeric string to use as a unique HFPP Identification (ID) number. The hashing technique transforms the SSN in such a way that it is virtually impossible to reconstruct the original number from the HFPP ID. This approach eliminates the need to retain the SSN after initial processing yet allows the TTP to identify an individual, not a person, who is being billed under two or more payers. Combined with the other transformations of the input claims record, there will be no need for PII to be stored for processing.
The burden estimate for this PRA package is based on the amount of time it will take for Partners to submit data for and participate in HFPP cross-payer studies. CMS expects to implement various studies for the HFPP over the course of the 3-year approval. Each HFPP partner will voluntarily participate in the studies that are pertinent and effective in detecting fraud, waste, and abuse within its organization. It is noted that not all partners are data-sharing partners; only those who own their data and agree to share data are included in the studies. It is also estimated that approximately six (6) to twelve (12) new or reiteration of studies will be conducted per year.
Participating partners are requested to submit an original two-year data set using the data elements shown in Appendix B for professional data and institutional data, thru the Secure File Transfer Protocol (SFTP) server which ensures the data is securely transferred using a private and safe data stream. After receipt of the two year data set, participating partners will then submit refreshed data in a periodic fashion (e.g., monthly, quarterly, bi-yearly) using the same data elements format they agreed upon with the TTP. (For purposes of this burden estimate, we have chosen to reflect the estimates of burden in a monthly format.) Participating entities will acquire an average annual burden of 128 hours of partner engagement and support based on an initial two year data pull followed by a monthly submission. The initial data pull will take 96 hours for year 1 with no burden hours associated with years 2 and 3 for an average of 32 hours annually. The burden hours for monthly submissions will be approximately 96 hours per year (Years 1, 2, and 3 or a total of 288 hours) per partner for an average annual burden of 96 hours. This includes burden hours necessary for data extract, quality assurance, definition resolution, and information/data transmission over the 3 year period. (Note that participating state partners are estimated to have an annual burden of 0 hours, as the TTP has access to and pulls state data through the State Transformed Medicaid Statistical Information System (T-MSIS).0 The burden hour total is 8064 hours or approximately 2,688 hours across three-years assuming 28 data-sharing Partners participating in each study.
Table 1 outlines the burden estimates 0
that we foresee partners potentially experiencing:
|
|
Table 1: Estimate of Annual Burden Hours |
|
|
||
|
Estimated Average Annual Processing Time for Initial Data Pull (Per Partner - in hours) |
Estimated Average Annual Processing Time for Monthly Submission – Total Years 3 (Per Partner - in hours) |
Estimated Partners per Study |
Estimated Total Annual Processing Time All Partners (in hours) |
Per Hour Rate of Computer or Information Analyst (Code 15-1120) |
Estimated Total Processing Rate - Yearly |
Data Extraction and Submission – Year 1 Aggregate |
96 |
96 |
28* |
2,688 |
$93.82 |
$ 504,376 |
Data Extraction and Submission – Years 2 and 3 Aggregate |
0 |
192 |
28* |
5,376 |
$93.82 |
$ 504,376 |
Estimated Annual Total Hours and Cost Burden |
96 |
288 |
28* |
8,064 |
$93.82 |
$ 336,250 |
*Assumes 28 HFPP participating in each study, excluding states.
CMS is responsible for all costs to create a secure Partner Portal for HFPP and for creating a data repository for data collection and data analysis.
Costs to CMS to implement this program include administrative costs as well as costs of contractor support in various functional areas including technical and business services and products. The annual contractor support cost is $ 11,333,002.
The HFPP TTP has implementing a shift in the way studies are conducted for the purpose of detecting and deterring fraud, waste, and abuse among its partners. Moving to a framework with frequently updated data, including PHI and PII, the TTP enables the HFPP to proactively identify vulnerabilities across participating entities in real time, significantly increasing the value of the HFPP to its partners. The TTP developed a new process and expanded the set of data elements for submission by partners using a cloud environment and resources that allows it to analyze data that is stored in many formats in the same file. It also allows for the partners to choose how to provide the data taking advantage of files, formats, and processes that the partners’ IT departments are using (including SFTP server transfer), either with the Special Investigations Unit (SIU), other internal components, or with third parties.
As a result of this new streamlined process which incorporates procedures aimed at reducing the time and effort involved in retrieving claims data, and updated data sharing artifacts and documents, the annual burden hours per partner has decreased from 160 to 120 while allowing for the number of respondents to be increased from 20 to 28.
The centers anticipate this to be an ongoing collection and request OMB approval for an additional three years.
16. Publication and Tabulation Dates
Data will not be made available to the general public.
The OMB control number and expiration date will be included on each data collection instrument (top of page 1).
0 This system of records covers the national Medicaid dataset, consisting of standardized enrollment, eligibility, and paid claims data about Medicaid recipients which is used to administer Medicaid at the federal level, produce statistical reports, support Medicaid related research, and assist in the detection of fraud and abuse in the Medicare and Medicaid programs.
02Based on Bureau of Labor Statistics, Occupational Employment Statistics, Occupational Employment and Wages, May 2019. Includes fringe benefits calculated at 100% of base wage.
http://www.bls.gov/oes/current/oes_nat.htm
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | CMS |
| File Modified | 0000-00-00 |
| File Created | 2021-11-30 |