CMS-10394 Letter of Commitment Template

QECP Letter of Commitment
[MONTH DD, YYYY]
[CONTACT]
[ENTITY]
[ADDRESS]
[CITY, STATE] [ZIP]
VIA EMAIL: [E-MAIL ADDRESS]
Director
Offices of Enterprise Management
Centers for Medicare & Medicaid Services
200 Independence Ave., S.W.
Mail stop: 337D
Washington, DC 20001
Dear Director:
This letter outlines the understanding between the Centers for Medicaid & Medicare Services (CMS) and
[ENTITY] with regard to [ENTITY]’s intent to complete the remaining Qualified Entity Certification Program
(QECP) minimum requirements:
▪
Data Security Review (Element 2.1)
▪
Intentions Regarding Non-Public Analyses (Element 2.2)
▪
Provider Corrections and Appeals, if applicable (Element 2.3)
▪
Secure transmission of beneficiary data, if applicable (Element 2.4)
▪
Standard Measure Use, if applicable (Element 3.1)
▪
Alternative Measure Use, if applicable (Element 3.2)
▪
Provider and Public Report Design (Element 3.3)
Included as part of this letter are:
▪
Attachment A: Public Reporting Attestation;
▪
Attachment B: Contractual Relationship Attestation (if applicable);
▪
Attachment C: CSP Identification (if applicable);
▪
Attachment D: QIO Attestation (if applicable).
If CMS deems us to have sufficiently met the remaining minimum requirements listed above, [ENTITY]
will publicly release a QE provider performance report within 12 months of receipt of the QE Medicare
data (as proposed in Attachment A).
We acknowledge that, prior to our Phase 1 application submission, we will have sufficiently:
1. Completed and attached evidence in the QECP online application for Elements 1.1-1.4, including:
a. This Letter of Commitment, signed and uploaded to Element 1.1; and
1
QECP Letter of Commitment

Revised 6/24/2020

b. An attestation of the [Entity’s] ability to meet all applicable requirements for Phases 2
and 3, and the ability to provide evidence during the relevant phase of the application.
[ENTITY] understands that QE Medicare data will only be distributed to [ENTITY] upon successful
completion of Phase 2: Data Security & Corrections and Appeals, CMS approval of submitted QE DUA
materials, and payment of appropriate fees for the QE Medicare data. Further, [ENTITY] also understands
that a Compliant Phase 2 review outcome does not provide a CMS endorsement nor does it validate the
sufficiency of the QE’s data security and privacy program for purposes outside of the QECP. QECP Phase
2 review outcomes are based solely on the information QEs provide to CMS at the time of the Phase 2
review. There is no guarantee regarding the future performance of a QE, especially as new system,
personnel, and environmental vulnerabilities and threats are continually evolving.
[ENTITY] may not distribute provider or public reports containing QE Medicare claims data provided under
this program until the QECP team has reviewed [ENTITY]’s compliance with all of the program
requirements. Upon review, if [ENTITY] does not demonstrate compliance with QECP requirements, CMS
reserves the right to retract QE Certification and require [ENTITY] to destroy or return QE Medicare data.
The terms of this understanding are acceptable to [ENTITY], and [ENTITY] acknowledges our agreement
below.
SIGNED:
Name of Entity

Address of Entity

Telephone Number

Signature of Authorized Officer

Date

Name and Title of Authorized Officer

2
QECP Letter of Commitment

Revised 8/31/2020

Attachment A
[ENTITY]’s QECP Public Reporting Attestation
“[ENTITY] will publicly report within one year of receiving QE Medicare data.”

Signature of Authorized Officer

Date

Name and Title of Authorized Officer

A-1

Attachment B
CONTRACTUAL RELATIONSHIP ATTESTATION

Lead and Contractor or Member Organizations
Legal Name of Lead Entity
Trade Name/DBA
Name(s) of Contractor, Vendor,
Partner, Subsidiary or Member
Organizations
(if applicable)
Does any organization on your
team (Lead or Other) also hold a
QIO contract with CMS?
(If yes, complete Attachment D –
QIO Attestation)

 Yes
List Organization(s):
 No

Repeat the following two tables for each Contractor, Vendor, Partner, Subsidiary or Member Organization
relevant to the entity’s Qualified Entity application and program.
Attestation of Agreement with Contractor or Member Organization
Legal Name of Contractor, Vendor, Partner,
Subsidiary or Member Organization
Trade Name/DBA
Description of Contractual Relationship
General description of agreements in place
between the lead entity and other contractor
or member organizations (as applicable).

Effective dates on agreement
The partner noted above will be responsible
for or involved in meeting compliance for the
following QECP Elements:

B-1

Attachment B
Affirmation Statements
The lead entity must attest to the following statements with regard to each Contractor or Member
Organization (as applicable) by answering each statement.
STATEMENT

YES

NO

Contractor, Vendor, Partner, Subsidiary or Member Organization is
willing to sign a Qualified Entity Certification Program (QECP) Data Use
Agreement (DUA).
Contractor, Vendor, Partner, Subsidiary or Member Organization
understands that it will also be subject to CMS review as part of the
QECP and its actions may result in sanctions and/or termination of the
Qualified Entity.
Lead and Contractor, Vendor, Partner, Subsidiary or Member
Organization have a legally enforceable agreement in place that
includes breach-of-contract liability if one of the members of the group
fails to deliver and there would be the potential of collecting damages
for that failure to perform.
Signature
To the best of my knowledge and belief, all data in this attestation are true and correct, the document has
been authorized by the governing body of the lead entity, and the lead entity will comply with the terms
and conditions of the award and applicable Federal requirements.
Authorized Representative Name (printed) ___________________________________________
Authorized Representative Title (printed) ____________________________________________

Signature_____________________________________________ Date ____________________
Phone______________________________________

B-2

Attachment C
Cloud Service Provider (CSP) Identification
The lead entity must attest to the following statements with regard to the planned use of a CSP, within
the lead organization either directly or with a contractually identified data vendor.
Name of Intended CSP: _____________________________________________________________
STATEMENT

YES

NO

Lead entity is planning to use a CSP within their system or has a
contract with a data vendor that utilizes a CSP.
Lead Entity understands that any CSP that will be utilized for CMS Data
storage must have FedRAMP approval and an authority to operate
with CMS.
Signature
To the best of my knowledge and belief, all data in this attestation are true and correct, the document has
been authorized by the governing body of the lead entity, and the lead entity will comply with the terms
and conditions of the award and applicable Federal requirements.
Authorized Representative Name (printed) ___________________________________________
Authorized Representative Title (printed) ____________________________________________

Signature_____________________________________________ Date ____________________
Phone______________________________________

C-1

Attachment D
CMS QUALITY IMPROVEMENT ORGANIZATION ATTESTATION
An entity that holds a QIO contract with CMS is permitted to function as a QE, or as part of a QE team,
under the following conditions:
• The entity may not represent the fact that they are a QIO while conducting QE activities;
• Any resources, both financial and operational, funded by CMS as part of the QIO contract may
not be used to sustain the entity’s QE program in any way;
• The entity must continue to uphold all terms of their QIO contract, including their confidentiality
and conflict of interest contractual obligations. The entity may wish to request a conflict of
interest determination by the CMS Office of Acquisitions and Grants Management; and
• The entity must complete an attestation during Phase 1 of the QECP Minimum Requirements
Review attesting that they will adhere to the three conditions listed above.
The table and signature section below must be completed by an authorized representative for each
entity in your QE team that holds a QIO contract with CMS. If none, you are not required to submit
Attachment D.
QIO Demographics
Name of Entity Recognized as a QIO (lead entity
or partner/collaborator as part of the QE team)
State(s) for which Entity Functions as a QIO

QIO Contact within the Entity
(name, title, email address, phone number)
QIO Contact within CMS
(name, title, email address, phone number)

D-1

Attachment D
QIO Affirmation Statements
We agree to maintain distinct and separate representation between QE and
QIO activities. We will not represent QE work or resulting products to be a
function of our QIO contract with CMS.
We agree to maintain funding for QE activities separate from QIO funded CMS
sources. Funds or resources provided by CMS to support the QIO program will
not be used or spent for the QE program, including funds or resources for
operating the QIO Standard Data Processing Systems (SDPS). QE-obtained
Medicare data will not be stored on the SDPS.
If approved as a Certified QE (or a member of a Certified QE team), we agree to
uphold all terms of our QIO contract, including confidentiality and conflict of
interest contractual obligations. We understand that, per our request, a QE/QIO
conflict of interest analysis can be performed by CMS-OAGM.

 Yes
 No

 Yes
 No

 Yes
 No

Signature
To the best of my knowledge and belief, all information in this attestation is true and correct; the
document has been authorized by the governing body of the entity mentioned on page C-1; and the entity
will comply with all terms and conditions of the affirmation statements mentioned on pages C-1 through
C-2.
(Authorized Representative for QIO and QE Entity)
Name (printed) ___________________________________________
Title (printed) ____________________________________________
Email Address (printed) ___________________________________

Signature_____________________________________________ Date ____________________
Phone______________________________________

D-2