Application and Re-application processes

Application and Triennial Re-application to Be a Qualified Entity to Receive Medicare Data for Performance Measurement (ACA Section 10332) (CMS-10394)

QECPProgramGuide

Application and Re-application processes

OMB: 0938-1144

Document [pdf]
Download: pdf | pdf
2022

PROGRAM GUIDE

U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES
CENTERS FOR MEDICARE & MEDICAID SERVICES

January 24, 2022

Table of Contents

ii

Table of Contents
OVERVIEW AND BACKGROUND ............................................................................................................... 5
Implementing Regulations ................................................................................................................... 5
Program Eligibility and Participation Requirements.............................................................................. 5
Phased Minimum Requirements Review.............................................................................................. 6
Getting Started .............................................................................................................................. 10
Application Process........................................................................................................................ 10
Ongoing Program Administration and Monitoring ............................................................................. 10
Public Reporting ................................................................................................................................ 11
Reapplication..................................................................................................................................... 12
QE Medicare Data.............................................................................................................................. 12
Uses of QE Medicare Data ................................................................................................................. 12
SECTION 1. PHASE 1: ELIGIBILITY & EXPERIENCE .................................................................................... 13
1.1 Entity, Financial Resources, and Experience ................................................................................. 13
1.2 Claims Data .................................................................................................................................. 13
1.3 Phase 1 QE Program Requirements .............................................................................................. 13
1.4 Phase 1 Outcomes ....................................................................................................................... 19
1.4.1 Phase 1: Qualified ................................................................................................................. 19
1.4.2 Phase 1: Not Qualified........................................................................................................... 19
SECTION 2. PHASE 2: DATA SECURITY AND CORRECTIONS AND APPEALS ............................................... 19
2.1 Data Security and Privacy ............................................................................................................. 19
2.2 Intentions Regarding Non-Public Analyses ................................................................................... 20
2.3 Provider Corrections and Appeals, and Secure Transmission of Beneficiary Data.......................... 20
2.4 Phase 2 QE Program Requirements .............................................................................................. 21
2.5 Phase 2 Outcomes ....................................................................................................................... 26
2.5.1 Phase 2: Compliant ............................................................................................................... 26
2.5.2 Phase 2: Non-Compliant ........................................................................................................ 26
2.6 Medicare Data: Applying for Access and Data Delivery ................................................................. 26
2.6.1 Applying for Access to Medicare Data ................................................................................... 26
2.6.2 Making Changes to DUA ........................................................................................................ 27
2.6.3 Receiving the CMS Data ........................................................................................................ 27
SECTION 3. PHASE 3: DATA INTEGRATION & MEASURE CALCULATIONS ................................................. 27
3.1 Performance Measures Selection ................................................................................................. 29
QECP Program Guide

Table of Contents

iii

3.2 Methodology for Measurement and Attribution .......................................................................... 29
3.3 Report Prototypes........................................................................................................................ 29
3.4 Reporting Extension Policy ........................................................................................................... 30
3.5 Phase 3 QE Program Requirements .............................................................................................. 30
3.6 Phase 3 Outcomes ....................................................................................................................... 40
3.6.1 Phase 3: Compliant ............................................................................................................... 40
3.6.2 Phase 3: Non-Compliant ........................................................................................................ 40
SECTION 4. ONGOING PROGRAM ADMINISTRATION ............................................................................. 40
4.1 Reporting of Data Security Incidents ............................................................................................ 41
4.2 Reporting Changes after QE Certification ..................................................................................... 41
4.2.1 When to Report a Change ..................................................................................................... 42
4.2.2 Procedure for Reporting Changes .......................................................................................... 42
4.3 QE Annual Reports ....................................................................................................................... 50
4.3.1 Procedure for Submitting Annual Reports ............................................................................. 51
4.4 Monitoring Reviews ..................................................................................................................... 51
4.4.1 Warning ................................................................................................................................ 52
4.4.2 Technical Correction ............................................................................................................. 52
4.4.3 Corrective Action Plan ........................................................................................................... 52
4.5 OPA Outcomes............................................................................................................................. 52
4.5.1 OPA Compliant ...................................................................................................................... 52
4.5.2 In Danger of OPA Non-Compliance ........................................................................................ 52
4.5.3 OPA Non-Compliant .............................................................................................................. 53
SECTION 5. REAPPLICATION................................................................................................................... 53
5.1 QE Reapplication Policy................................................................................................................ 53
5.2 QE Reapplication Program Requirements..................................................................................... 53
5.3 Quasi QE Reapplication Program Requirements ........................................................................... 53
5.3 Reapplication Outcomes .............................................................................................................. 59
5.3.1 Reapplication: Qualified ........................................................................................................ 59
5.3.2 Reapplication: Not Qualified ................................................................................................. 59
5.4 Maintaining and Losing Certification Status.................................................................................. 59
5.4.1 Expiration and Renewal......................................................................................................... 59
5.4.2 Termination .......................................................................................................................... 59
5.4.3 Reconsideration .................................................................................................................... 59

QECP Program Guide

Table of Contents

iv

5.4.4 Voluntary Forfeiture.............................................................................................................. 59
SECTION 6. ADDITIONAL USES OF QE MEDICARE DATA .......................................................................... 60
6.1 Providing or Selling De-identified Non-Public Analyses ................................................................. 60
6.1.1 Authorized Users of De-identified Non-Public Analyses ......................................................... 60
6.1.2 Corrections and Appeals for Non-Public Analyses .................................................................. 61
6.2 Providing or Selling Patient De-Identified Data ............................................................................. 61
6.2.1 Authorized Users of Patient De-identified Data ..................................................................... 61
6.3 Providing or Selling Patient-Identifiable Data and Analyses .......................................................... 62
6.3.1 Authorized Users of Patient-Identifiable Data and Analyses .................................................. 62
6.3.2 Corrections and Appeals for Non-Public Analyses .................................................................. 62
6.4 Contractually Binding Agreements ............................................................................................... 62
6.4.1 The QE DUA .......................................................................................................................... 63
6.4.2 The Non-Public Analyses Agreement ..................................................................................... 64
6.5 QE Annual Reporting for Additional Uses of QE Medicare Data .................................................... 65
6.6 Violations of the CMS DUA or QE DUA ......................................................................................... 65
6.6.1 Assessments ......................................................................................................................... 65
6.6.2 Termination of CMS DUA ...................................................................................................... 65
Appendix A: Glossary............................................................................................................................. 66
Appendix B : QECP Resources ................................................................................................................ 77

QECP Program Guide

Overview and Background

5

OVERVIEW AND BACKGROUND
The Centers for Medicare & Medicaid Services (CMS) is providing this Program Guide to walk entities
through the requirements and application process of the Qualified Entity Certification Program (QECP).
The guide includes the CMS requirements that entities must meet to become certified as a qualified entity
(QE) or quasi QE, instructions for the application process, and an explanation of how to maintain
certification.
This section provides an overview and background of the QECP. Sections 1 through 3 present the
instructions for the program’s phased application process. Section 4 provides ongoing program
administration (OPA) requirements. Section 5 contains information about the reapplication process; and
finally, Section 6 provides information about additional uses of QE Medicare data.
Appendix A is a glossary of terms used throughout this Program Guide; terms included appear in bold
throughout the text. Appendix B lists resources including QECP team contact information, QE regulations,
relevant websites, and locations of QECP webinars and tip sheets.

Implementing Regulations
The qualified entity regulations at 42 CFR Part 401, Subpart G establish the criteria that entities must
satisfy to obtain QE and quasi QE certification, and set forth CMS’ expectations for maintaining
certification. In particular, the regulations provide requirements for entities in the following areas:
•
•
•

Organizational structure and governance criteria, including necessary experience and expertise in
the measures that entities intend to use for public reporting.
Expertise in combining Medicare claims data with claims data from other sources, or in the case
of quasi QEs, clinical data.
Expertise in establishing rigorous data security and privacy programs.

While the Program Guide primarily describes the requirements for QEs, qualified clinical data registries
(QCDRs), which may apply to become quasi QEs must meet the same requirements unless otherwise
stated in this guide. The exceptions to the QECP requirements are Element 1.3 (Experience) and part of
Element 1.4 (Claims Data) and, in certain cases, all elements associated with Phase 3. For more
information on the requirements for quasi QEs, please see the User Guide for QCDRs. For more
information on the difference between the certification processes for QEs and quasi-QEs, please see the
FAQs. Organizations recognized by CMS as qualified registries (QRs) are not eligible to apply for the quasi
QE program. However, QRs can apply to the QE program as long as they meet QECP program
requirements.

Program Eligibility and Participation Requirements
To be eligible to participate in the program as a QE, an applicant (itself or through contracts with other
entities) must:
1. Have access to sufficient claims data from other sources to combine with the QE Medicare
data;
2. Have strong systems to ensure that the data are secure and protected; and
3. Have experience in a variety of tasks related to the calculation and reporting of performance
measures, including:

QECP Program Guide

Overview and Background
a.
b.
c.
d.

6

combining claims data from different payers,
designing and sharing public reports,
working with providers and suppliers regarding requests for error correction, and
ensuring the privacy and security of data.

To participate in the QECP, entities must meet minimum requirements in each of these areas through a
phased application and review process, described in this guide (see Sections 1–4).
The QECP is an open application program, which means that there are no application submission
deadlines. There is also no charge to apply to become a QE or to maintain QE status. However, QEs are
required to pay a fee for obtaining QE Medicare data.
Within 1 year of receiving QE Medicare data, each QE is required to release its first QE public report, and
public reports are expected to be released annually thereafter.

Phased Minimum Requirements Review
To assess an organization’s compliance with the program requirements, the QECP implements a threephase process. Throughout the application process, each QE works closely with its QECP Program
Manager (PM).
A brief overview of the phases follows:
1. Phase 1: Eligibility & Experience: The QECP team examines an entity’s organizational structure,
its ability to successfully function as a QE, and its access to other-payer claims data (or clinical
data for QCDRs).
2. Phase 2: Data Security: The QECP team examines the QE’s compliance with the data security and
privacy requirements of the program, as well as the corrections and appeals processes.
3. Phase 3: Data Integration & Measure Calculations: The QECP team examines the QE’s compliance
with the requirements related to the QE’s measurement and reporting processes. Prior to
submitting evidence for the Phase 3 review, the QE must integrate the QE Medicare data with its
claims data from other sources and calculate provider performance measures.
Exhibits 1a and 1b show the phases of the application process for both QEs and quasi QEs. Exhibit 2
outlines the specific elements assessed during each phase. Detailed information on the evidence
requirements for each phase is presented in Sections 1–3 of this Program Guide.

QECP Program Guide

Overview and Background

7

Exhibit 1a: QECP Phased Application Process for QEs

QECP Program Guide

Overview and Background

8

Exhibit 1b: QECP Phased Application Process for Quasi QEs

QECP Program Guide

Overview and Background

9

Exhibit 2: QECP Minimum Requirements Review: QECP Elements by Phase

QECP Elements by Phase
Phase 1: Eligibility & Experience
1.1: Entity
1.2: Financial Resources
1.3: Experience
1.4: Claims Data
Phase 2: Data Security & Corrections and Appeals
2.1: Data Security Review (Administrative Security, Technical Security, Physical Security, and Privacy)
2.2: Intentions Regarding Non-Public Analyses
2.3: Provider Corrections and Appeals
2.4: Secure Transmission of Beneficiary Data
Phase 3: Data Integration & Measures Calculation
Performance Measures: Standard Measures
3.1: Standard Measure Use
3.1.a: Measure Specifications
3.1.b: Statistical Validity for Quality, Efficiency,
Resource Use, and Composite Measures
3.1.c: Attribution
3.1.d: Risk Adjustment and Outliers
3.1.e: Comparison Groups
3.1.f: Benchmarks
3.1.g: Rating Approaches
3.1.h: Prevalence Rates

Performance Measures: Alternative Measures
3.2: Alternative Measure Use
3.2.a: Measure Specifications
3.2.b: Statistical Validity for Quality Measures
3.2.c: Statistical Validity for Efficiency and Resource
Use Measures
3.2.d: Statistical Validity for Composite Measures
3.2.e: Attribution
3.2.f: Risk Adjustment
3.2.g: Outliers
3.2.h: Comparison Groups
3.2.i: Benchmarks
3.2.j: Rating Approaches
3.2.k: Prevalence Rates

3.3: Provider and Public Report Design

QECP Program Guide

Overview and Background

10

Getting Started
Prior to completing the application, an entity can indicate interest in the QECP by completing the publicly
available QECP inquiry form (https://www.qemedicaredata.org/apex/Registration_Form). A PM will
contact you within two business days of submitting your email inquiry or question. They will then schedule
an Introductory Call to answer any questions the entity has about the program and gauge whether it is a
good fit with its mission and objectives. If the entity intends to apply, the PM will schedule a Phase 1 KickOff Call and provide access to the QECP online application.

Application Process
The steps involved in the application review process are described below. These steps are repeated for
the evaluation of each phase.
Application Review Steps (Repeated for Phases 1–3 and Reapplication)
1.

The entity completes and submits its application, providing the evidence required. The application
is completed online in the QECP Salesforce Application. For more information about how to use
the web-based application, please review the QECP Application User`s guide.

2.

The PM validates the application for completeness. If considered complete, the review begins.
The entity is notified that the application has been accepted and that the validation is complete.
If an application is incomplete, the PM notifies the entity. Before the application is reviewed, the
entity revises and resubmits the application until the PM deems it complete. The application
processes are iterative in nature and the PM and QECP team will work with each entity to ensure
that all pieces of evidence are submitted.

3.

Once the application is complete, the review team assesses the entity’s submitted evidence and
self-assessments against the program’s requirements.

4.

After the application has been reviewed, if deficiencies are identified, the entity is notified and
permitted to resolve them.

5.

If no deficiencies are identified during the application review, a recommendation report is sent to
CMS, detailing the performance of the entity against the minimum requirements for each review
phase.

6.

Based on the recommendation report, CMS renders a final decision.

7.

The entity receives a CMS decision letter and, if applicable, a list of steps the entity must take to
proceed to the next phase of review.

Ongoing Program Administration and Monitoring
As part of Ongoing Program Administration (OPA), the QECP team ensures continued compliance with
all program elements and requirements and provides continuous support throughout the QE’s
certification period. Through OPA, the QECP team observes the QE’s compliance with all program
elements and provides continuous support throughout the QE’s certification period. The QECP monitors
and addresses any data security breaches, programmatic changes on the part of the QE, annual report
submissions, and progress toward the completion of any corrective action required. Once an organization
is approved as a QE, they are subject to OPA and monitoring. OPA monitoring consists of 1) QE selfreported changes, 2) QE Annual Report information and attestations, 3) triennial QECP Reapplication

QECP Program Guide

Overview and Background

11

information and attestations, 4) QECP Compliance Monitoring Gray Literature Scans, and 5.) QECP Data
Security Audit. These activities are designed to identify potential non-compliance.
When a potential non-compliance issue is identified it triggers a QECP monitoring review. A monitoring
review may be conducted for any QE that is found to be out of compliance or at risk of non-compliance
with program standards. During the monitoring review, the QECP team assesses a QE’s compliance with
selected elements related to data security and privacy, the provider corrections and appeals process,
and/or performance measures and public reporting. In addition, a QECP Data Security Audit may occur
within three years after the QE has received CMS data and every three years thereafter to ensure
compliance with the QE data security standards. Data security deficiencies and issues of program noncompliance discovered during audits are referred to the QECP Monitoring Team to review and
recommend either Technical Correction (TC) or Corrective Action Plan (CAP).
In addition, should a data security breach or other violation of the CMS DUA be discovered during an audit,
the audit team would immediately direct the QE to report the breach/violation to the CMS IT Service Desk.
During the monitoring review, the QECP contractor assesses whether to advance the matter further and
makes its recommendation to CMS. Once CMS approves a next step/plan of action, the QECP contractor
may request clarifying information from the QE. After this evidence has been received and reviewed, if a
program violation is determined, the contractor recommends one of three monitoring actions: (1)
Warning, (2) TC, or (3) request for CAP. A QE may receive any one of the violations as a starting point with
the potential to move to a more elevated status should they not meet the terms of the initial violation.
More information about OPA and Monitoring may be found in Section 4: Ongoing Program
Administration.

Public Reporting
Within one year of receiving the CMS QE Fee-For-Service (FFS) data, all QEs must release a public report.
CMS wants to promote innovation with the report design and dissemination plan with the QECP. The QE
is expected to propose a plan for how the measures and providers reported on will reach their target
audience. There is no established prototype for the report or the dissemination plan. QEs may not release
public reports to providers or to the public until QECP reviewers approve the dissemination approach and
the report design. QEs are required to report publicly on all years of data that they received from CMS.
QEs should report on all historical years of data requested from CMS in their first public report. Please
also note that QE public reporting refers to any public report generated by the QE using the QE Medicare
data and approved QECP measures. QEs that are unable to release public reports within one year of
receiving QE Medicare data may request a public reporting extension from CMS. However, QEs should
note that CMS generally approves only one 1-year extension request. CMS grants extensions on a caseby-case basis, with the expectation that the QE will release its public report by the extended deadline. If
a QE receives an extension that is less than one year, the QE will use that new public reporting date to
report their QE reporting efforts in the future.
Creating a New Public Report in the QE Application
Once a QE publishes a public report, they should go into their QECP Application to document it. The public
reporting tab is accessible through the QE user`s log in screen. The QE user should create a new public
report and fill out all the relevant information fields. Once all the information fields are filled out, the QE
user should upload a pdf version or screenshots of their published public report. The QE user can then
save and submit the report for review. All QEs should submit their public reports within one week of the
report being released. For more information about creating a new public report please refer to the public
reporting e-learning module on the QECP public website.

QECP Program Guide

Overview and Background

12

Reapplication
QE certification is valid for 3 years, and QEs must reapply at least 6 months prior to their 3-year
certification anniversary to continue receiving QE Medicare data under the program. During reapplication,
QEs must report changes to previously assessed QECP minimum requirements and submit supporting
documentation to confirm the changes. The QE reapplication process requires less time and effort than
the initial application process because the reapplication process leverages QE documentation already on
file with CMS and requires QEs to respond to a form that has been pre-populated with data from the QE’s
PM and consists of approximately 10 statements. See Section 5: Reapplication for more information about
the reapplication process.

QE Medicare Data
QEs and quasi QEs are eligible to request Medicare Parts A and B claims data and Part D prescription drug
event data. QE data extracts are based on the geographic region for which QEs have other sources of
claims data. Quasi QE data extracts are determined by the providers affiliated with the QCDR. 1 Data
dictionaries can be found here: https://www.ccwdata.org/web/guest/data-dictionaries.

Uses of QE Medicare Data
QEs are required to use QE Medicare data (standardized extracts of Medicare Parts A and B claims data
and Part D prescription drug event data) combined with other sources of claims data to generate public
reports for providers and suppliers on measures of quality, efficiency, effectiveness, and resource use.
QEs may also use the Medicare data to provide or sell non-public reports or combined data, or provide
Medicare data at no cost, to certain authorized users. For more information about the permissible uses
of data under the QE program, see Section 6: Additional Uses of Medicare Data.

Data extracts for quasi QEs are based on the providers affiliated with the QCDRs. All beneficiaries with at least one
claim submitted by a provider affiliated with the QCDR will be included in the data extract. Furthermore, the data
extract will contain all claims for those beneficiaries, including claims from other providers.

1

QECP Program Guide

Phase 1

13

SECTION 1. PHASE 1: ELIGIBILITY & EXPERIENCE
In Phase 1, the QECP 2 examines an entity’s organizational structure, its ability to successfully function as
a qualified entity (QE), and its access to additional claims data sources. Each phase of the QECP minimum
requirements review consists of elements, or key areas of review and consideration. Each element has an
assessment, a description of the program requirements and performance expectations with which an
entity must demonstrate compliance, as well as evidence requirements, or items that an entity must
provide in support of the assessment. Phase 1 includes the following elements, described in detail in
Exhibit 3:
•
•
•
•

Entity (Element 1.1)
Financial Resources (Element 1.2)
Experience (Element 1.3)
Claims Data (Element 1.4)

The Phase 1 application is expected to take up to 2 months for the applicant to complete and submit. The
Phase 1 review, including CMS’ final outcome decision, is estimated to take up to 20 business days from
the submission of a complete and validated Phase 1 application that meets all requirements. QCDRs
applying to become quasi QEs do not need to demonstrate experience requirements (Element 1.3) or
provide evidence that identifies their sources of clinical data (part of Element 1.4). Additional information
can also be found on the Phase 1 page of the QECP website. The following sections provide more
information about the elements in Phase 1.

1.1 Entity, Financial Resources, and Experience
For these elements, entities must present information about their organization, including whether they
are applying as a single entity, a subsidiary, or as an entity with partners, vendors, contractors (including
any intended Cloud Service Providers (CSPs)) under contract for the purposes of the QECP, and show a
commitment to using the QE Medicare data for public reporting. In terms of financial resources, entities
must show an ability to cover the costs of functioning as a QE by providing information about their
business model. Finally, entities must generally demonstrate 3 or more years of experience across areas
related to provider performance measurement and public reporting.

1.2 Claims Data
This requirement assesses the geographic area(s), level of analysis, data sources, and types of claims data
to which the entity has access for purposes of QECP performance measurement. Entities must have at
least one source of other-payer claims data from their relevant geographic areas at the time of
application; however, two or more sources of other-payer claims data are preferred. These data must be
provider- and supplier-identifiable, and entities must have full usage rights for the data. To note, both
pre-adjudicated and adjudicated claims data are an acceptable source of other-payer claims data. Entities
must demonstrate that their claims data, when combined with the requested QE Medicare data, meet
CMS sufficiency thresholds and the requirements for sample size and reliability to produce measures
based on combined data. Additionally, entities are asked to include a statement confirming their intention
to request the 5% national sample for benchmarking purposes, if applicable.

1.3 Phase 1 QE Program Requirements
The elements against which entities will be evaluated for Phase 1 are presented in full in Exhibit 3. The
explanation of each element describes the assessment(s) to be performed by reviewers in evaluating an
application, along with evidence requirements. To meet the minimum requirements, entities must pass
2

Selected terms in bold font are defined in the Appendix A: Glossary.

QECP Program Guide

Phase 1
all assessments. A failure on any assessment may prevent an entity from receiving QE Medicare data for
performance measurement and being certified as a QE by CMS.

14

In Phase 1, entities must complete the forms provided in the application and should also provide any
additional documents that demonstrate their ability to meet the requirements of each element. Exhibit 3
identifies examples of documentation for each element, but they are not comprehensive. Entities should
contact their QECP PM to discuss other forms of documentation that may be appropriate.
The evidence will be reviewed using the QE online submission process. Upon successful completion of the
Phase 1 review, the entity’s compliance status will be determined (see Section 1.4) and if qualified, the
entity may proceed to Phase 2.
Logo Usage by QEs and quasi-QEs
Only QEs and quasi QEs are permitted to use the “Certified QE” logo provided by the QECP team at the
point of Phase 1 certification. QEs are not permitted to modify or change the QE logos. Participants in the
QECP and quasi-QE programs are not permitted to display nor use either the U.S. Department of Health
and Human Services or Centers for Medicare and Medicaid Services logos due to their participation in the
QE program. Parent organizations, subsidiaries, partners, vendors, subcontractors, consultants, and
vendors are not permitted to use/display the “Certified QE” logo.

QECP Program Guide

Exhibit 3: QECP Minimum Requirements Review: Phase 1 QE Program Requirements

Phase 1

15

Phase 1: Eligibility & Experience
QE Program
Requirement

Element
1.1: Entity

Assessment

The entity is a legally recognized “lead entity” and accountable to CMS for the receipt of QE Medicare data, with clear contractual relationships
identified and documented between contractors or member organizations, if applicable, that make it possible to meet the QECP requirements.

Evidence
Requirement

1.

QECP Letter of Commitment Form, containing:
a.
b.
c.
d.
e.

Commitment to CMS signed by a member of the lead QE’s executive team
Attestation that QE or quasi QE is committed to releasing a public report within 12 months of receiving data
For applicants with contractors, vendors, partners, subsidiaries, or member organizations only: Completed contractual relationship
attestation, which includes attestation of breach of contract liability between parties with potential to collect damages for failure to
perform
For applicants planning to use a CSP: Completed Cloud Service Provider Identification, which includes the name of the proposed CSP
Completed CMS Quality Improvement Organization attestation, if applicable

2. Incorporation and, if applicable, licensure for Lead entity, contractors, vendors, partners, subsidiaries, or member organizations
Example
Documentation

•

Incorporation or licensure documentation
1.2: Financial Resources

Assessment

Evidence
Requirement

The entity’s business model is projected to cover the cost of public reporting, including costs of the data, and developing the reports. When planning
financial resources for the QECP, entities should also consider data infrastructure and maintenance fees and staffing resources to meet QECP application
and ongoing program administration requirements. Please note that, while important, it is not a requirement to reflect these items in the entity’s
business model.
1. Description of entity’s business model and resources to support the cost of the data and developing the reports. The business model should include
line items specifically for the cost of the CMS FFS data and the cost of producing and releasing a public report.
2.

An allocation of necessary resources to successfully participate in the program on an ongoing basis and evidence around the QE’s business model,
specifically, evidence of sources of sustainable income. This can be submitted as a narrative, supplemental budget, or business plan documentation.
Note: Evidence must come from the lead entity, not from a contractor or member organization.

QECP Program Guide

Phase 1

16

Phase 1: Eligibility & Experience
QE Program
Requirement

Element
1.1: Entity

Example
Documentation

•
•
•
•

Business plan
Project budget
Grant award
Letter from a signatory or the board of your organization

QECP Program Guide

Phase 1

17

1.3: Experience
Assessment

The entity generally demonstrates 3 or more years of experience in combining claims data, accurately calculating measures, verifying data, public
reporting, and using a corrections process.
Note: QCDRs applying to become quasi QEs are exempt from compliance with Element 1.3.

Evidence
Requirement

For each applicable area below, the entity: a) attests to meeting the requirement, and b) provides a description that generally demonstrates 3 or more
years of expertise and experience. Description may include methods used for previous reporting efforts.
1.

Combining claims data: Describe expertise and experience successfully combining claims data from different payers (at least two) to calculate
performance reports. If the entity has experience combining Medicare claims data with claims from other sources, please include in the description.

2.

Attribution of patient services and episodes: Describe experience and expertise with attribution of patient services or episodes to specific providers
or suppliers.

3.

Statistical validity – quality measures, applicable only if the entity selects quality measures to evaluate providers: Describe experience and expertise
establishing statistical validity requirements for quality measures, such as minimum number of observations or minimum denominator size.

4.

Statistical validity – efficiency or resource use measures, applicable only if the entity selects efficiency or resource use measures to evaluate
providers: Describe experience and expertise establishing statistical validity of efficiency and resource use measures, such as minimum number of
observations or minimum denominator size or a standard payment methodology where appropriate.

5.

Risk adjustment: For each type of measure (e.g., quality, efficiency, and resource use) the entity plans to use to evaluate providers, describe
experience and expertise using methods for risk adjustment to account for variations in both case mix and severity among providers and suppliers.
If the entity does not use or plan to use risk adjustment, provide a justification.

6.

Outliers: For each type of measure (e.g., quality, efficiency, and resource use) the entity plans to use to evaluate providers, describe experience and
expertise identifying methods for handling outliers. If the entity does not use or plan to use outlier methods, provide a justification.

7.

Defining comparison groups (e.g., individual clinicians, clinic, or group/practice), applicable only if the entity will use comparison groups to evaluate
providers: Describe expertise and experience developing appropriate peer groups of providers and suppliers for meaningful comparisons.

8.

Verification process: Describe expertise and experience in implementing a quality assurance process including assessing measure reliability and
correcting errors.

9.

Public reporting: Describe experience and expertise:
a.
b.
c.

Accurately preparing performance reports on providers and suppliers and making such performance reports available to the public
Designing and continuously improving the format of performance reports on providers and suppliers, such as testing with users and use of
evaluations to improve reporting
Developing an understandable description of the measures used to evaluate the performance of providers and suppliers so that consumers,
providers and suppliers, health plans, researchers, and other stakeholders can assess performance reports

10. Corrections process, applicable only if the entity will identify providers and suppliers in their QE reports. * Describe experience and expertise:
a.

Implementing and maintaining a process for providers and suppliers identified in a report to review measure results prior to publication

QECP Program Guide

b.

Providing a timely response to provider and supplier inquiries regarding requests for data, error corrections, and appeals

Phase 1

18

*Corrections and appeals experience is not required if the entity plans to report regionally (providers are de-identified) and seek a corrections and
appeals waiver. However, entities will not be permitted to conduct any corrections and appeals processes, for public or non-public analyses, without
meeting this requirement.
Note: Evidence of experience may include the demonstrated experience of the applicant, the applicant’s contractor(s), or, if the applicant is a
collaborative, any member of the collaborative. QEs may also use the experience of individuals within their organization or its contractors’ or members’
organizations to satisfy experience requirements.
1.4 Claims Data
Assessment

The entity defines the geographic area(s) and level of analysis for which public reporting will incorporate QE Medicare data and possesses claims data
from at least one other source; however, data from two or more sources is preferable.
Note: QCDRs applying to be quasi QEs are not required to provide evidence that identifies their sources of clinical data; however, they must provide
information about the total number of providers that are regularly providing data to their registry, the level of analysis for public reports, and whether
they intend to request a 5% national sample for benchmarking.

Evidence
Requirement

11. Completed QECP Data Source Attestation, containing:
a.
b.
c.
d.
e.

f.

Description of the geographic areas the entity’s report(s) will cover
Level of analysis for QE public reports (regional or provider-identified)
Data supplier profile, including data suppliers’ names and dates of agreement for the largest 5 suppliers and aggregate information on the
remaining (if applicable)
Data detail
i. Volume of data
ii. Geographic coverage of data
Data description
i. Claims data adjudication status
ii. Medicare Advantage covered lives
iii. Volume of pharmacy claims data received, if applicable
Covered lives calculator
i. Total number of covered lives included in all other-payer claims data sources (by state if reporting nationally or by county if reporting
for a region smaller than a state)

12. As applicable, an entity’s PM may ask for further clarification on how the applicant’s other-payer claims data will adequately address concerns of
small sample size and reliability.
13. Explicit statement for 5% national sample, if applicable.
Example
Documentation

Completed QECP Data Source Attestation, supported by documents such as:
• State or federal statutes
• Documents supporting the adequacy of the combined data set
• Spreadsheets, lists

QECP Program Guide

Phase 1

19

1.4 Phase 1 Outcomes
After Phase 1 of the minimum requirements review, a certification decision is rendered. There are two
possible outcomes: Qualified and Not Qualified.

1.4.1 Phase 1: Qualified
An entity receives the status Qualified if it demonstrates complete compliance with the requirements of
Phase 1 of the application and then is considered a certified QE. This status is valid for 3 years from the
date of notification of CMS approval unless a QE’s status is otherwise terminated (see Section 5.4). With
permission from the QE, CMS will announce the entity’s certification as a QE on the Qualified Entity
Program website (http://www.cms.gov/QEMedicareData) and will also add your organization to the
Certified QE Map on the QE Program website (http://www.qemedicaredata.org).
After certification, QEs must submit their evidence for Phases 2 and 3 of the minimum requirements
review. QEs must also work with ResDAC, the Chronic Conditions Data Warehouse (CCW), and CMS to
submit QE Medicare data requests and pay fees to receive annual and/or quarterly updates of QE
Medicare data. To maintain QE certification status, QEs must reapply every 3 years. QEs must submit their
reapplication six months prior to their 3-year certification anniversary.

1.4.2 Phase 1: Not Qualified
An entity receives the status Not Qualified if it has not demonstrated complete compliance with the
requirements of Phase 1 of the application. Failure on any single element will result in an outcome of Not
Qualified.
An entity that receives an outcome of Not Qualified may submit a second application within a 12-month
period from the date of the CMS decision letter, but no sooner than 90 business days after the date of the
letter. If the entity again receives the status of Not Qualified, it must wait 12 months from the date of the
second letter to reapply.

SECTION 2. PHASE 2: DATA SECURITY AND CORRECTIONS AND APPEALS
In Phase 2, the QECP evaluates the QE’s compliance with the data security, privacy and corrections and
appeals requirements of the program.
The Phase 2 application is expected to take up to 4 months for the QE to complete and submit. The Phase
2 review, including CMS’ final outcome decision, is estimated to take up to 20 business days from the
submission of a complete and valid Phase 2 application that meets all requirements. The time period is
highly dependent on the QE's access to, and submission of, the requested artifacts.
In Phase 2, QEs must provide evidence in the areas of data security, privacy and corrections and appeals
as described in Sections 2.1–2.4 below. Information on the CMS data use agreement (DUA) request
process can be found in Section 2.6.

2.1 Data Security and Privacy
QEs must demonstrate that they have rigorous security and privacy practices in place to protect Medicare
data. The CMS DUA specifies that QEs must establish appropriate administrative, technical, and physical
safeguards to protect the confidentiality of the QE Medicare data and to prevent unauthorized use or
access to it. Every contractor or organization within the QE that hosts beneficiary identifiable data must
adhere to the controls, policies, and procedures under the QECP Data Security Review.

QECP Program Guide

Phase 2

20

The QECP employs program appropriate controls from the CMS technical standard Acceptable Risk
Safeguards (ARS) as the standard to assess the QE's compliance with QECP Requirements. The CMS ARS
are included in the Phase 2 Toolkit.

2.2 Intentions Regarding Non-Public Analyses
During Phase 2, QEs must attest to their intentions to provide or sell provider-identifiable non-public
analyses to authorized users. Any reports that are provider-identifiable must go through the corrections
and appeals process described in Section 2.3 below.

2.3 Provider Corrections and Appeals, and Secure Transmission of Beneficiary Data
If QEs choose to report at a provider-identifiable level, they are required to share confidentially the
performance results with the providers that are being evaluated and to allow for corrections prior to
reporting. This applies for results contained in either public reports or non-public analyses to be provided
or sold to authorized users. For each measure used, QEs must provide the measure name and description,
methodology, and results to providers prior to public and non-public release. QEs must give providers
advance notice of the date the reports will be made public and must accept requests for corrections and
appeals from providers for the entire 60 or 65 calendar days. The table below delineates the various
timelines for a corrections and appeals process. QEs may release Medicare beneficiary names to providers
only when such information is relevant to the particular measure or measure results the provider is
appealing. QEs must release reports on the specified date regardless of the status of any requests for error
correction. If the QE chooses to report aggregated results in which providers are not identified, for both
its public reports and its non-public analyses, a corrections and appeals process is not required, and the
QE will be exempt from Elements 2.3 and 2.4. Should a QE determine at a later date once they have
already completed the Phase 2 application that they wish to report at a provider-identifiable level for
either public or non-public analysis, evidence for Element 2.3 will need to be resubmitted.
Requirements for Corrections and Appeals of Provider-Identifiable Analyses
Public Reports

Non-Public Reports

Shared with providers to accommodate
corrections and appeals at least 60 calendar days
prior to release.

Shared with providers to accommodate corrections
and appeals at least 65 calendar days prior to
delivery/finalization

Please note that the decisions a QE makes to comply with requests for corrections or appeals will have an
impact on compliance with its data security and privacy plan.
If a QE does not plan on identifying providers in their public report, they must submit masking
methodology under Element 2.3 to show QECP reviewers how their report will prevent reidentification of
providers. QEs are permitted to publicly report performance measures that are aggregate or otherwise
de-identified at the provider-level (e.g., individual physician, clinic, practice, medical system, etc.).
However, the QE must provide detailed evidence in Phase 2 explaining how measure results could not be
associated with a particular provider or provider group. This evidence must explain the QE’s providermasking methodology and specifically indicate how this methodology prevents provider-level
performance from being re-identified in QE reports. CMS will review the QE’s provider masking
methodology and determine whether the QE is eligible for a QE provider corrections and appeals waiver.

QECP Program Guide

Phase 2

21

QEs that are planning to report at the regional or provider deidentified level must submit masking
methodology to Element 2.3 but are exempt from Element 2.4.
Quasi QEs are exempt and are not required to submit evidence for requests for corrections or appeals if
they intend to publicly report measures through Care Compare that were included in the QCDR selfnomination process and the measures are calculated from a combined data set of CMS claims and clinical
data sources. If measures are ineligible for Care Compare public reporting, or if they are QECP standard
or approved alternative measures, quasi-QEs may have to perform corrections and appeals, depending
on the level of reporting. Quasi QEs intending to engage in non-public analyses at the provider level must
submit a corrections and appeals process.
During the 3-year QE certification period, if QEs alter their public reports and/or corrections and appeals
process, it may be necessary for QECP reviewers to assess and approve the QE’s updated dissemination
plan and public reports. QEs may not release public reports to providers for the corrections and appeals
process until their final dissemination approach and public report prototypes are approved.

2.4 Phase 2 QE Program Requirements
QEs that are planning to engage in a provider corrections and appeals process must demonstrate how
they will securely transmit beneficiary data if the provider requests a correction. This process should be
detailed in your data flow diagram and in your Data Security Review. Exhibit 4 further details how the QE
will be evaluated under element 2.4.

QECP Program Guide

Exhibit 4: QECP Minimum Requirements Review: Phase 2 QE Program Requirements

Phase 2

22

Phase 2: Data Security
QE Program
Requirement

Element
2.1: Data Security Review

Assessment

The QE demonstrates its ability to comply with federal data security and privacy requirements, and documents its processes to follow protocols for the
following CMS ARS controls (control family abbreviations in parentheses):
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

Access Control (AC)
Authority and Purpose (AP)
Awareness and Training (AT)
Audit and Accountability (AU)
Security Assessment and Authorization (CA)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical and Environmental Protection (PE)
Planning (PL)
Personnel Security (PS)
Risk Assessment (RA)
System and Services Acquisition (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Program Management (PM)
Accountability, Audit, and Risk Management (AR)
Data Quality and Integrity (DI)
Data Minimization and Retention (DM)
Individual Participation and Redress (IP)
Security (SE)
Transparency (TR)
Use Limitation (UL)

QECP Program Guide

Phase 2

23

Phase 2: Data Security
QE Program
Requirement

Element
2.1: Data Security Review
For detailed descriptions of the security controls listed above, please review the ARS Publication that is saved in the Phase 2 toolkit.

Evidence
Requirement

1.

Completed QECP Data Security Review supported by the following context documents:
a. Policy and procedure documents that have been reviewed and updated within the past 3 years for the following five families: AC, IA, MP,
SA, and SI.
b.

Data flow diagram with annotations that describe the flow and management of QE Medicare data through the system and the documents
and partner organizations involved. The data flow diagram must also describe the identified or deidentified state of the CMS data in each
stage of the data management process. See the example data flow diagram included in Phase 2 toolkit.

c.

List of past data security breaches over the past 10 years

d.

If the QE is going to utilize a CSP to store or manage the QE Medicare data, an executed Business Associate Agreement (BAA) between the
QE and the CSP that demonstrates an understanding of the nature of data being stored, processed, and transmitted to/from the CSP. The
CSP must be FedRamp certified as well as have an Authority to Operate (ATO) with CMS.

QECP Program Guide

Phase 2

24

2.2: Intentions Regarding Non-Public Analyses
Assessment
Evidence
Requirement

If an entity intends to provide or sell non-public analyses to an authorized user that individually identifies a provider or supplier, the entity will follow
program requirements and submit appropriate evidence for the corrections and appeals process.
1.

If your organization intends to provide or sell non-public analyses to an authorized user that contains information that individually identifies a
provider or supplier please refer to the reminders below for a yes or no response: If yes, please note the following reminders:
a.
b.
c.

2.

QEs must follow the requirements in 42 CFR § 401.716 and the corrections and appeals process as outlined in § 401.717(f).
QEs must describe their process for corrections and appeals in Element 2.3 and their methods for ensuring that only the minimum necessary
beneficiary identifiers and/or claims data are transmitted to providers in Element 2.4.
QEs must ensure that they have provided evidence of experience with the corrections and appeals process under Element 1.3. If this information
was not provided during Phase 1, it should be completed at this time.

If no, please note the following reminders:
a. QEs must describe their process for provider-masking methodology and specifically indicate how this methodology prevents provider-level
performance from being re-identified.
b. If a QE would like to engage in provider-level non-public analyses in the future, they will need to submit a full corrections and appeals process
to be reviewed by the QE team prior to releasing those reports to authorized users.
2.3: Provider Corrections and Appeals

Assessment

Evidence
Requirement

If providers or suppliers will be identified in QE reports (public and, if applicable, non-public analyses), the QE has an established process that allows
providers to view reports confidentially, request data, and ask for correction of errors. If providers will be de-identified in QE public reports, the QE has a
process for ensuring that any published measure results could not be associated with a particular provider.
1.

If providers or suppliers will be identified in QE reports (public and if applicable, non-public analyses): Describe the process the QE will use to allow
providers and suppliers to view reports confidentially, request data, and ask for the correction of errors before the reports are made public or
disclosed to the authorized user (for non-public analyses).
Note: For QE public reports, the data must be shared with the provider at least 60 calendar days prior to publicly reporting results. For non-public
analyses, QEs must allow providers and suppliers the opportunity to opt into the review and corrections process for 65 calendar days.

2.

If providers will be de-identified in QE public reports: Explain the QE’s provider-masking methodology and specifically indicate how this methodology
prevents provider-level performance from being re-identified in QE reports.
Note: The QECP team does not review provider masking methodologies for non-public analyses (only for public reports). It is the QE’s responsibility
to review the requirements at 42 CFR § 401.716 to determine whether a corrections and appeals process, as outlined in §401.717(f), is required.

Example
Documentation

•
•
•

Process documents
Standard operating procedures
Process/flow charts
Note: If a provider or supplier has a data or error correction request outstanding at the time the reports are released, the QE must, if feasible, post
publicly the name of the appealing provider or supplier and the category of the appeal request.

QECP Program Guide

Phase 2

25

2.4: Secure Transmission of Beneficiary Data
Assessment

The QE has established a process that applies privacy and security protections for the release of beneficiary identifiers, claims data, or both, to providers
for the purposes of the requests for corrections/appeals.

Evidence
Requirement

Provide artifacts that explain the processes and procedures associated with the secure transmission of beneficiary data, including a description of the
process ensuring that only the minimum necessary beneficiary identifiers, claims data, or both will be disclosed in the event of a request by a provider.
In addition, please provide the method for secure transmission and the entity responsible for secure transmission of data.
Include within the annotation states for the data flow diagram narratives that explain the following:
a.
b.
c.
d.
e.

Example
Documentation:

•

How the QE will verify that only the appropriate representatives within a provider group are permitted to access PII in the event of a request
for correction
How access credentials to PII are communicated to appropriate representatives within each provider group and how authorized
representatives may create additional access accounts for (and communicate credentials to) additional authorized individuals within their
provider group
How only the minimum necessary beneficiary identifiers and claims data will be disclosed to providers who request data
The mechanism used to transmit beneficiaries’ PII to providers in the event of a request for correction
The name of organization/contractor responsible for transmitting beneficiaries’ PII to providers in the event of a request for correction

Data Flow Diagram that incorporates the processes to engage providers (either through electronic or postal mail).

QECP Program Guide

Phase 2

26

2.5 Phase 2 Outcomes
There are two possible outcomes for Phase 2: Compliant and Non-Compliant. Compliant Phase 2 review
outcomes do not provide a CMS endorsement, nor do they validate the sufficiency of the QE’s data
security and privacy program for purposes outside of the QECP.

2.5.1 Phase 2: Compliant
If the QE is found to be compliant with the Phase 2 requirements, it may begin the process to request and
pay for Medicare data and enter into a DUA with CMS (described in Section 2.6).
QECP Phase 2 outcomes are based solely on the information QEs provide to CMS at the time of the Phase
2 review. There is no expressed guarantee regarding the future performance of a QE because new system,
personnel, and environmental vulnerabilities and threats are continually evolving. It is the responsibility
of the QE to continuously comply with the CMS DUA and maintain a data security and privacy program
that is compliant with the ARS version currently being utilized by the QECP.

2.5.2 Phase 2: Non-Compliant
If a QE is found to be non-compliant with the Phase 2 requirements, the review team will work with the
QE to determine an appropriate timeline for corrections and the resubmission of evidence to satisfy all
mandatory data security controls. If the QE is unable to meet all mandatory data security controls, its QE
certification status may be terminated.

2.6 Medicare Data: Applying for Access and Data Delivery
Once a QE successfully completes Phase 2, it can request QE Medicare data. Prior to reaching out to the
DUA Contractor (ResDAC) QEs can work with their PM to schedule a pre-DUA call to address any questions.
During this call, the team can address any questions about the DUA process and review the required
documents (listed below):
•
•

QE Data Use Agreement (DUA): https://resdac.org/request-materials/qe-data-use-agreementdua
QE Specifications Worksheet: https://www.resdac.org/request-materials/qe-specificationsworksheet

2.6.1 Applying for Access to Medicare Data
Upon notification of Phase 2 compliance, the QE can submit a data request package to ResDAC, for
approval. Prospective applicants may obtain a preliminary estimate of the cost of acquiring QE Medicare
data by visiting the Data Cost Estimates Page on the QECP public website. 3 The QE will receive a formal
cost invoice once the DUA is approved.
The ResDAC website (https://www.resdac.org) contains descriptions of available CMS data, data request
procedures, information on workshops on how to use Medicare data, and other helpful resources. Within
approximately 10 business days of submission of the data request packet to CMS, a CMS privacy analyst
will notify the QE by email of CMS’ approval of the data request.
Together with the notification that CMS has approved the DUA, the QE will receive instructions on how
to submit payment for the requested data files. Payment is due within 5 business days of receiving the

3

https://www.qemedicaredata.org/apex/Data_Availability_and_Cost

QECP Program Guide

Phase 2

27

final invoice. Data will be prepared and released to QEs only after payment has been successfully
processed.
QEs work directly with the DUA Contractor during the data request process. ResDAC provides resources
and technical support on its website and by email and phone. The website provides information on the
data available, how to request QE data, relevant data dictionaries, workshops, and webinars.
•
•
•
•

DUA Contractor’s QE website: https://www.resdac.org/requester/qualified-entity
DUA Contractor’s contact email: [email protected]
Toll-free Helpline: 1-888-9RESDAC (1-888-973-7322)
DUA Contractor workshops: https://www.resdac.org/learn

2.6.2 Making Changes to DUA
Making Changes to Individuals listed on your DUA
QEs should work directly with the QECP CMS Contacts, Kari Gaare ([email protected]) and Linh
Kennell ([email protected]) to make changes to individuals listed on a DUA. All requests sent to
CMS should include Kari Gaare, Linh Kennell and [email protected] for review and
approval. For more information about adding or removing an individual from a DUA, please see the CMS
website.
Adding Additional Years of Data to your DUA
QEs wanting to add additional years of data to their DUA should work directly with the staff at ResDAC to
submit updated documentation, receive their cost invoice, and have their request approved by CMS. QEs
must use all years of data requested in public reporting.

2.6.3 Receiving the CMS Data
While the DUA contractor serves as the primary point of contact for CMS data requestors and users,
specific questions about the data files received from the CCW contractor (HealthAPT) should be directed
to CCW staff, who provide technical assistance to QEs. The CCW website offers several resources for QEs,
including summary statistics for comparative analysis, data dictionaries for each file type, user guides,
technical papers on producing prevalence rates, and other analytical guidance documentation.
•
•
•
•

CCW website: http://www.ccwdata.org
CCW technical assistance email: [email protected]
Toll-free Helpline: 1-866-766-1915
Data dictionaries for CCW data sets: https://www.ccwdata.org/web/guest/data-dictionaries

SECTION 3. PHASE 3: DATA INTEGRATION & MEASURE CALCULATIONS
During Phase 3, the QECP team assesses the QE’s compliance with the remaining program requirements
related to the QE’s measurement and reporting activities. Prior to submitting evidence for the Phase 3
review, the QE must integrate the QE Medicare data with its claims data from other sources and calculate
provider measures. This section of the guide presents the evidence requirements against which entities
will be evaluated in Phase 3.
The Phase 3 application, including integration of the data, is expected to take up to 10 months for the QE
to complete and submit. The Phase 3 review, including CMS’ final outcome decision, is estimated to take
up to 25 business days from the submission of a complete and valid Phase 3 application that meets all

QECP Program Guide

Phase 3

28

requirements. After a QE is recognized by CMS as Phase 3 compliant, the QE begins the confidential 60day provider corrections and appeals process, if applicable.
There are different Phase 3 and public reporting requirements depending on the measures quasi QEs use.
Quasi QEs can use the measures publicly reported through Care Compare to satisfy the QE public reporting
requirements if the measures were included in the QCDR self-nomination process and they are calculated
from a combined data set of CMS claims and clinical data sources. If a quasi QE chooses to report only via
Care Compare, it will be exempt from Phase 3.
In order to receive a Phase 3 evidence exemption, quasi QEs must submit a list of measures that they
intend to publicly report. This list will be reviewed to verify that each measure was included in the quasi
QE’s QCDR self-nomination process and that the measure can be calculated using combined data. Once
Care Compare is updated, quasi QEs must submit evidence to the QE program of all the quasi QE’s selfnominated measures that were published by Care Compare. If Care Compare does not report any of the
quasi QE’s self-nominated measures, the quasi QE then has six months to choose another pathway, submit
any necessary evidence, and publicly report.
If a quasi QE’s self-nominated measures that are calculated from a combined data set of CMS claims and
clinical data sources do not meet Care Compare public reporting requirements, then the quasi QE will be
required to publicly report the measure(s) in order to satisfy the public reporting requirement. If a quasi
QE plans to only report standard or approved alternative measures through a public-facing reporting
mechanism (such as the quasi QE’s public website), a full Phase 3 review will be required.
Quasi QE Phase 3 Requirements and Options for Satisfying Public Reporting Options
Quasi QE reports only measures that were included in the QCDR
self-nomination process and are calculated from a combined
data set of CMS claims and clinical data sources via:
Care Compare 4

Other public reporting
mechanism (e.g., quasi QE’s
website)

Quasi QE is eligible for a Phase
3 exemption 5

Quasi QE must provide a public
report prototype (Element 3.3)
but is otherwise exempt from
Phase 3

Quasi QE reports only QECP
standard or approved
alternative measures via a
public-facing reporting
mechanism (e.g., quasi QE’s
website)

Quasi QE must complete all
elements in Phase 3

In Phase 3, QEs must provide evidence in the areas described below in Sections 3.1–3.3. More information
on this phase can be found on the Phase 3 page of the QECP website.

Note: If measure(s) do not meet Care Compare public reporting requirements (first year measures, etc.), the quasi
QE will be required to publicly report the measure(s) in order to satisfy the public reporting requirement.
5
In order to receive a Phase 3 evidence exemption, quasi QEs must submit a list of measures that they intend to
publicly report. This list will be reviewed to verify that each measure was included in the quasi QE’s QCDR selfnomination process and that the measure can be calculated using combined data.
4

QECP Program Guide

Phase 3

29

3.1 Performance Measures Selection
In Phase 3, the QE is required to identify the measures that will be calculated with QE Medicare data and
included in its QE public report. Please note that during Phase 3, evidence requirements for quasi QEs
may differ. 6 For the purposes of the program, standard measures are claims-based measures that are
calculated in full or in part from standardized extracts of Medicare Parts A and B claims data and Part D
prescription drug event data. They include all performance measure types, such as quality measures
(structure, process, and outcome measures), resource use measures, efficiency measures, and
composite measures. Generally, QEs use standard measures for evaluating the performance of providers
or the quality of care for a particular geographic region. QEs may also choose alternative measures;
however, if they do, they must provide additional evidence, including an explanation of why the
alternative measure is more valid, reliable, responsive to consumer preferences, cost-effective, or
relevant to dimensions of quality and resource use than the standard measure. More information about
standard 7 and alternative measures8 can be found on the QECP public website.

3.2 Methodology for Measurement and Attribution
During Phase 3, the QE must describe how it will ensure accuracy of the quality, efficiency, or resource
use measures it intends to calculate using QE Medicare and other claims data. This requirement includes,
for example, assessing the QE’s ability to follow measure specifications, use a defined and transparent
method for the attribution of patient services and episodes, and define and identify appropriate peer
groups and benchmarks. The element further assesses whether, as specified and based on the QE’s
available claims data (including the received QE Medicare data), the proposed measures meet required
scientific properties, for example, sufficient sample size, reliability, and validity. 9

3.3 Report Prototypes
During Phase 3, the QE is required to submit prototypes of the confidential provider performance report
(if applicable) and the public reports, including the narrative language the QE plans to use in the public
reports to describe the data and results. The QE must also provide a dissemination plan for its public
reports. QEs should attribute the use of the Medicare Data to their participation in the QE program and
should provide the full geographic region for which they are reporting on the Medicare data.
QEs may not release public reports to providers or to the public until QECP reviewers approve the
dissemination approach and the report design. If at any time after initial approval the QE wishes to change
its dissemination plan or public report design, CMS requires at least 30 days to review and approve the
updated plans and public report prototype prior to the QE’s next corrections and appeals cycle (see
Section 4.2).

Quasi QEs are exempt and not required to submit evidence for measure selection if they intend to publicly report
only those measures that were included in the QCDR self-nomination process, and the measures are calculated from
a combined data set of CMS claims and clinical data sources.
7
Standard Measures: https://www.qemedicaredata.org/apex/Standard_Alternative_Measures
8
Alternative Measures: https://www.qemedicaredata.org/apex/Standard_Alternative_Measures
9
Quasi QEs are exempt and not required to submit evidence for their methodology for measurement and attribution,
if they intend to publicly report only those measures that were included in the QCDR self-nomination process, and
the measures are calculated from a combined data set of CMS claims and clinical data sources.
6

QECP Program Guide

Phase 3

30

3.4 Reporting Extension Policy
QEs are required to release their first public report within 1 year of receipt of QE Medicare data. If a QE
cannot meet this deadline, it may request a public reporting extension from CMS. However, QEs should
note that CMS generally approves only one 1-year extension request. An approved public reporting
extension request will change the QE’s public reporting date for all future public reports. If a QE’s original
public reporting date is January 1st and they are granted a six-month extension; all future public reports
will be due on June 1st. CMS grants extensions on a case-by-case basis, with the expectation that the QE
will release its public report by the extended deadline.

3.5 Phase 3 QE Program Requirements
The requirements against which entities will be evaluated for Phase 3 are presented in full in Exhibit 5.
The explanation of each element describes the assessment(s) to be performed by reviewers in evaluating
an application, together with the evidence requirements. To meet the requirements, entities must pass
all assessments.
There is one set of evidence requirements for use with standard measures (Elements 3.1–3.1.g), and a
separate, longer set of evidence requirements for use with alternative measures (Elements 3.2–3.2.j).

QECP Program Guide

Phase 3

31

Exhibit 5: QECP Minimum Requirements Review: Phase 3 QE Program Requirements
Phase 3: Data Integration & Measure Calculations
QE Program
Requirement

Element
Performance Measures: Standard Measures ONLY
3.1: Standard Measure Use

Assessment

The QE selects standard measures for incorporating QE Medicare data.

Evidence
Requirement

1.

Completed items in the QECP Measure Information Workbook (for each standard measure to be included in QE reports), including:
a.
b.
c.
d.
e.
f.
g.

NQF-endorsed measure number or CMS measure name or number
Name of measure
Type of measure (individual, component of composite, or composite)
Name of measure steward/owner
Rationale for selecting measure
Relationship of the measure to existing measurement efforts
Relevance of the measure to the population in the covered geographic area defined under Element 1.4 in Phase 1
3.1.a: Measure Specifications

Assessment

The QE uses measure specifications accurately for selected standard measures, including numerator and denominator inclusions and exclusions,
measured time periods, and specified data sources.

Evidence
Requirement

1.

Completed attestation in the QECP Measure Information Workbook that standard measure specifications were followed when calculating each
measure.
Note: If a measure does not follow the exact standard measure specification, it will be considered an alternative measure.
3.1.b: Statistical Validity for Quality, Efficiency, Resource Use, and Composite Measures

Assessment

For reporting standard quality measures using QE Medicare data, the QE uses only measures with at least 30 observations, or for which the calculated
confidence interval is at least 90%, or the measure reliability is at least 0.70. For reporting standard efficiency, resource use, and composite measures
using QE Medicare data, the QE only uses measures with demonstrated reliability and validity, including a standardized payment or pricing approach, if
applicable.

QECP Program Guide

Phase 3
Evidence
Requirement

1.

32

Completed attestation in the QECP Measure Information Workbook indicating the QE followed the statistical validity requirements for selected
quality, efficiency, resource use, or composite measures.
3.1.c: Attribution

Assessment

The QE applies an appropriate method to attribute a particular patient’s services or episodes to specific providers or the relevant reporting group.
Note: If the selected measures will not be reported at the provider level, the QE must attest to using appropriate attribution levels for the reporting
level of choice (i.e., zip code of the episode of care)

Evidence
Requirement

1.

Completed items within the QECP Measure Information Workbook, including a description of the methodology used to assign patients, episodes, or
both to the provider included in the performance reports.
Note: If methods for attribution of patient services or episodes vary across the measures, this should be noted and described accordingly.
3.1.d: Risk Adjustment and Outliers

Assessment

The QE provides a rationale for using or not using: 1) a risk adjustment method and 2) an approach to outliers for standard measures.
Note: The QE is required to submit evidence only if it selects a measure that specifies a risk adjustment or outlier method.

Evidence
Requirement

1.

Completed items in the QECP Measure Information Workbook, including:
a. Indication (yes/no) of whether each standard measure employed a risk adjustment or outlier method
i. If no, provide rationale for not using a method.
b. Attestation that the requirements for risk adjustment and outliers were consistent with the calculation of standard quality, resource use,
and composite measure(s)
3.1.e: Comparison Groups

Assessment

The QE defines the comparison groups it uses to report results for each selected standard measure.
Note: The QE is required to submit evidence only if it plans to use comparison groups to evaluate providers.

Evidence
Requirement

1.

Completed items in the QECP Measure Information Workbook. For each measure to be included in QE reports, the QE must include:
a. A general description of the algorithm used to identify comparison groups (e.g., groups are compared by clinic for clinics with three or more
practicing physicians)
b. The geographic parameters that were used to compare providers to their peers. (e.g., North region includes counties A, B, and C)
3.1.f: Benchmarks

Assessment

The QE defines the benchmarks it uses to report results for each selected standard measure.
Note: The QE is required to submit evidence only if it plans to use benchmarks.

QECP Program Guide

Phase 3
Evidence
Requirement

1.

33

Completed items in the QECP Measure Information Workbook. For each measure to be included in QE reports, the QE must include:
a. A general description of the type of benchmark used (e.g., national or regional 90th percentile, national or regional average)
b. How the benchmark was identified or estimated (e.g., benchmark from federal, state, or community report, or calculated by averaging all
the physician rates included in the performance report)
3.1.g: Rating Approaches

Assessment

The QE uses valid methods for determining and calculating ratings (e.g., stars, or good/ better/best).
Note: The QE is required to submit evidence for this element only if measure calculations are aggregated or used to report provider ratings (e.g. stars, or
good/ better/ best).

Evidence
Requirement

1.

Completed items in the QECP Measure Information Workbook. A detailed description of the rating approach(es), including rating calculation and
statistical methods used.
Note: A screenshot from the public report that shows this information is not sufficient evidence for this item.
3.1.h: Prevalence Rates

Assessment

The QE uses prevalence rates to show proportion of persons in a population who have a particular disease or attribute at a specified point in time or
over a specified period. QEs can only use prevalence rates that include Medicare data if they are associated with an approved quality measure.
Note: The QE is required to submit evidence only if it plans to report prevalence rates.

Evidence
Requirement

1.

Completed items in the QECP Measure Information Workbook. For each measure to be included in QE reports, the QE must include justification for
how this prevalence rate is associated to the alternative measure.
Performance Measures – Alternative Measures ONLY
3.2 Alternative Measure Use

Assessment

Evidence
Requirement

The QE proposes alternative measures incorporating QE Medicare data. Composite measures are considered alternative measures even if they combine
standard measures, unless the standard measure itself is a composite. For alternative measures, the QE demonstrates that the measure is more valid,
reliable, responsive to consumer preferences, cost‐effective, or relevant to dimensions of quality and resource use not addressed by a standard measure,
through consultation and agreement with stakeholders in the QE’s community or through the notice and comment rulemaking process.

1.

Completed items in the QECP Measure Information Workbook (for each alternative measure to be included in QE reports), including:
a. Name of measure

QECP Program Guide

Phase 3
b.
c.
d.
e.
f.
g.

Example
Documentation

34

Type of measure (individual, component of composite, composite)
Name of measure steward/owner
Measure description and specifications, including numerator and denominator
Evidence that the measure is more valid, reliable, responsive to consumer preferences, cost effective, or relevant to dimensions of quality
and resource use not addressed by a standard measure
Relationship of the measure to existing measurement efforts
Relevance of the measure to the population in the covered geographic area defined in Element 1.4 in Phase 1

2.

Documentation of consultation and agreement with stakeholders in the QE’s community, with a description of the discussion about the proposed
alternative measure, including a summary of all pertinent arguments supporting and opposing the measure or documentation of the notice and
comment rulemaking process approval.

•

Documents supporting the rationale, relationship, and relevance of selected measures.

QECP Program Guide

Phase 3

35

3.2.a: Measure Specifications
Assessment

The QE uses measure specifications accurately for selected measures, including numerator and denominator inclusions and exclusions,
measured time periods, and specified data sources.

Evidence Requirement

1.

Completed items in the QECP Measure Information Workbook. For each alternative measure listed include:
a. Hyperlink, URL, or copy of the measure specification from the measure steward
b. Hyperlink, URL, or copy of the measure specification for implementation (if different from the measure steward’s specification)
c. Clinical logic (e.g., denominator eligibility, numerator eligibility, exclusion criteria)
d. Construction logic (e.g., trigger start dates, temporal parameters)
e. System input/output reports/logs for each measure displaying data sources, exclusion statements, denominator values, and
numerator values

Example
Documentation

•

Measure specifications
3.2.b: Statistical Validity for Quality Measures

Assessment:

For reporting quality measures using QE Medicare data, the QE uses only measures with at least 30 observations, or the calculated confidence
interval is at least 90%, or the measure reliability is at least 0.70.
Note: The QE is required to submit evidence only if it selects quality measures.

Evidence Requirement

1.

Completed items in the QECP Measure Information Workbook. For each measure listed in the workbook, the QE must include:
a. Description of the minimum requirements for reporting each quality measure that incorporates QE Medicare data, including one of
the following: minimum sample size (or denominator size) requirements, minimum calculated confidence interval, or minimum
reliability score requirements
b. Results of statistical validity testing for each quality measure to be included in QE performance reports, including the actual
sample/denominator size, confidence interval, or reliability score

Example
Documentation:

•

Methodology papers or documents demonstrating the requirements to establish statistical validity of measure results for quality measures
3.2.c: Statistical Validity for Efficiency and Resource Use Measures

Assessment

For selected efficiency and resource use measures using QE Medicare data, the QE only uses measures for which reliability and validity are
demonstrated.
For selected efficiency and resource use measures using QE Medicare data that use a standardized payment or pricing approach, the QE
provides the specified standardized payment methodology actually being used.
Note: The QE is required to submit evidence only if it selects efficiency or resource use measures.

QECP Program Guide

Phase 3
Evidence Requirement

1.

Completed items in the QECP Measure Information Workbook. For each measure listed, the QE must include:
a. Description of the minimum requirements for reporting each efficiency and resource use measure that incorporates QE Medicare
data, including the minimum calculated confidence interval or reliability score
b. Results of statistical validity testing for each efficiency and resource use measure to be included in QE performance reports,
including the actual sample/denominator size and reliability score, confidence interval, or both
c. Description of the standardized payment or pricing approach, if appropriate

Example
Documentation

•

Methodology papers or documents demonstrating requirements to establish statistical validity of measure results for efficiency and
resource use measures.

36

3.2.d: Statistical Validity for Composite Measures
Assessment

For reporting composite measures using QE Medicare data, the QE describes the measures that make up each composite.
Note: The QE is required to submit evidence only if it selects composite measures. Evidence must be provided for each component measure
included in composite measures.

Evidence
Requirement

1.

Completed items in the QECP Measure Information Workbook, including:
a. Construction of the composite
i. List of measures
ii. Weight of each measure
Note: If measures are weighted differently, provide rationale
iii. Calculation of composite (e.g., take average of all rates and divide by number of measures or all-or-none scoring)
b. Description of the minimum requirements for including or excluding a measure within the composite measure

Example
Documentation

•

Methodology papers or documents demonstrating requirements to establish statistical validity of measure results for composite measures.
3.2.e: Attribution

Assessment

The QE applies an appropriate method to attribute a particular patient's services or episodes to specific providers.
Note: The attribution methodology is still necessary for measures that will be calculated at a regional level.

Evidence Requirement

1.

Completed items within the QECP Measure Information Workbook, including a description of the methodology used to assign patients
and/or episodes to the provider included in the performance reports.

Note: If methods for attribution of patient services or episodes vary across the measures listed, this should be noted and described accordingly.
Example
Documentation

•

Methodology papers or documents demonstrating the method for attribution of patient services and/or episodes

QECP Program Guide

Phase 3

37

3.2.f: Risk Adjustment
Assessment

The QE provides a rationale for using or not using a risk adjustment method for each selected alternative measure. Furthermore, the QE
provides a description of the risk adjustment method for each applicable measure.
Note: The QE is required to submit evidence only if it selects a measure that specifies a risk adjustment method.

Evidence Requirement

1.

Completed items in the QECP Measure Information Workbook. For each measure listed, the QE must include:
a. The rationale for using or not using risk adjustment
Note: If risk adjustment was not used, the QE must include a detailed justification
b. The methodology used for risk adjustment (including case-mix or severity adjustment) wherever risk adjustment was applied

Example
Documentation

•

Methodology papers or documents demonstrating appropriate methods to employ risk adjustment
3.2.g: Outliers

Assessment

The QE describes its outlier method (i.e., how to identify and account for outliers) for each selected alternative measure as applicable.

Evidence Requirement

1.

Example
Documentation

•

Completed items in the QECP Measure Information Workbook. For each measure listed, the QE must include:
a. The rationale for using or not using an outlier method
Note: If an outlier method was not used, the QE must include a detailed justification.
b. Where an outlier method was used, a detailed description of the outlier method, specifically how outliers were identified (e.g., more
than three standard deviations from the mean) and how outliers were accounted for (e.g., truncation or removal of outlier)
Methodology papers or documents demonstrating the appropriate methods to handle outliers
3.2.h: Comparison Groups

Assessment

The QE defines the comparison groups it uses to report results for each selected measure.
Note: The QE is required to submit evidence only if it plans to use comparison groups.

Evidence Requirement

1.

Completed items in the QECP Measure Information Workbook. For each measure to be included in QE performance reports, the QE must
include:
a. A description of the algorithm used to identify comparison groups (e.g., groups are compared by clinic for clinics with three or more
practicing physicians)
b. The geographic parameters that were used to compare providers to their peers (e.g., North region includes counties A, B, and C)

Example
Documentation

•

Methodology papers or documents demonstrating the comparison group methodology

QECP Program Guide

Phase 3

38

3.2.i: Benchmarks
Assessment

The QE defines the benchmarks it uses to report results for each selected measure.
Note: The QE is required to submit evidence only if it plans to use benchmarks.

Evidence Requirement

1.

Completed items in the QECP Measure Information Workbook. For each measure to be included in QE performance reports, the QE must
include:
a. How the benchmark was identified or estimated (e.g., benchmark from federal, state, or community report, calculated by averaging
all the physician rates included in performance report)
b. Type of benchmark used (e.g., national or regional 90th percentile, national or regional average)

Example
Documentation

•

Methodology papers or documents demonstrating the benchmark process
3.2.j: Rating Approaches

Assessment

The QE uses valid methods for determining and calculating ratings if measure calculations are aggregated or used to calculate provider ratings
(e.g., stars, or good/ better/best).
Note: The QE is required to submit evidence only if it plans to report provider ratings.

Evidence Requirement

1.

Completed items in the QECP Measure Information Workbook. For each measure to be included in QE reports, the QE must include a
detailed description of the rating approach(es), including rating calculation and statistical methods used.

Note: A screenshot from the public report that shows this information is not sufficient evidence for this item.
Example
Documentation

•

Methodology papers or documents demonstrating the provider rating methodology
3.2.k: Prevalence Rates

Assessment

The QE uses prevalence rates to show proportion of persons in a population who have a particular disease or attribute at a specified point in
time or over a specified period. QEs can only use prevalence rates that include Medicare data if they are associated with an approved quality
measure.
Note: The QE is required to submit evidence only if it plans to report prevalence rates.

Evidence Requirement

1.

Completed items in the QECP Measure Information Workbook. For each measure to be included in QE reports, the QE must include
justification for how this prevalence rate is associated to the alternative measure.

QECP Program Guide

Phase 3
Example
Documentation

•

39

Methodology papers or documents demonstrating the association with the quality measure
3.3: Provider and Public Report Design

Assessment

The QE designs compliant provider and public reports using QE Medicare data and describes the plan for disseminating the reports to the public
at least annually.
Note: The QE must report measures uniformly across the provider and public reports, including identical level of analysis, rates, ratings, peer
group comparisons, and benchmarks. If a QE wishes to provide additional information to providers that it does not wish to provide to the public,
it must adhere to the requirements described in Section 6.

Evidence Requirement

Example
Documentation

1.

Submit the confidential provider performance report and public report prototypes. In these reports, the type of information that the QECP
team is looking for include:
a. An understandable description of the measures used to evaluate the performance of providers so that consumers, providers, health
plans, researchers, and other stakeholders can assess performance reports
b. An understandable description of any provider rating approaches (e.g., stars or good/better/best)
c. Attribution to the QE program for the source of the Medicare data.

2.
3.
4.

A description of the process that will be used for making QE reports available to the public.
FOR QUASI QEs ONLY: Which reporting pathway does the quasi QE intend to engage in for their next QE public report?
Note: QCDRs applying as quasi QEs that have not submitted measures to Care Compare are not eligible for Pathways 1 or 2.
FOR QUASI QEs ONLY: Have you submitted self-nominated measures or MIPS measures to Care Compare as a QCDR?

•
•
•
•

QE performance reports for providers
QE performance reports for the public
Screenshots
Document demonstrating dissemination of key methodology descriptions and results to providers and the public

QECP Program Guide

Phase 3

40

3.6 Phase 3 Outcomes
There are two possible outcomes for Phase 3: Compliant and Non-Compliant.

3.6.1 Phase 3: Compliant
If the QE is found to be compliant with the Phase 3 requirements, it may distribute confidential reports to
providers based on the approved provider performance report prototype. After allowing providers the
requisite 60 days to review their confidential reports, the QE must proceed to public reporting using the
approved public report prototype. If a QE is reporting at a regional level, and therefore not individually
identifying providers or suppliers, then once deemed compliant, it must move directly to public reporting
using the approved public report prototype.

3.6.2 Phase 3: Non-Compliant
If the QE is found to be non-compliant with the Phase 3 requirements, the QE will need to edit and
resubmit their Phase 3 application. The QE will not be permitted to distribute confidential provider reports
or release public reports until it is found to be fully compliant with the requirements. If the QE is unable
to satisfy the minimum requirements, its QE certification status may be terminated.

SECTION 4. ONGOING PROGRAM ADMINISTRATION
To monitor QEs for potential violations and non-compliance with requirements per CFR § 401.719
Monitoring and sanctioning of qualified entities, the QECP contractor employs a systematic approach
highlighted in Exhibit 6. Once an organization is approved as a QE, they are subject to OPA and monitoring.
OPA monitoring consists of 1) QE self-reported changes, 2) QE Annual Report information and
attestations, 3) QE application and public reporting submissions 4) triennial QECP Reapplication
information and attestations, 5) QECP Compliance Monitoring Gray Literature Scans, and 6) QECP Data
Security Audit. These activities are designed to ensure continued compliance with the QE program
requirements.

Exhibit 6: QECP Program Monitoring Framework

QECP Program Guide

OPA

41

If a potential non-compliance issue is identified, it triggers a QECP monitoring review. A monitoring review
may be conducted for any QE that is potentially out of compliance or at risk of non-compliance with
program standards. During any monitoring review, if a program violation is determined by CMS, one of
three monitoring actions: (1) Warning, (2) Technical Correction (TC), or (3) request for Corrective Action
Plan (CAP) may result. A QE may receive any one of the monitoring actions as a starting point with the
potential to move to a more elevated status should they not meet the terms of the initial action.
More information about OPA can be found on the Ongoing Program Administration page of the QECP
website.

4.1 Reporting of Data Security Incidents
A QE is required to report any unauthorized access or disclosure of CMS information, suspected, or
realized, to the QECP team and CMS immediately after the incident is discovered. According to the CMS
DUA, the QE must report all breaches of data security pertaining to personally identifiable information
(PII) to the CMS Action Desk within 1 hour, either by telephone at 410-786-2850 or by email at
[email protected]. Note that reporting to the QECP team only satisfies the reporting
requirement to CMS as it relates to the QECP. The QE is still obligated to report to other agencies,
beneficiaries, covered entities, or CMS as required by contract or other applicable regulations, such as the
Health Insurance Portability and Accountability Act of 1996 (HIPAA) or state data breach laws.
The QECP team will investigate each incident as it is reported. Depending on the nature and severity of
the incident, the QECP team may require a CAP to prevent further incidents and depending on the severity
of the incident, it may trigger a virtual data security audit.

4.2 Reporting Changes after QE Certification
A QE may wish to modify its program operations, which were approved based on its application. Because
changes to the QE’s processes or systems may impact its ability to meet the minimum requirements
established in the QECP, all such changes must be reported to the QECP team. This reporting procedure
helps ensure that QEs are compliant with all requirements of the QECP at all times.
All entities deemed qualified as a result of the QECP application process have provided evidence in each
of the following areas:
1. Entity (Element 1.1)
2. Financial Resources (Element 1.2)
3. Experience (Element 1.3)
4. Claims Data (Element 1.4)
5. Data Security (Element 2.1)
6. Provider Corrections and Appeals (Element 2.3)
7. Secure Transmission of Beneficiary Data (Element 2.4)
8. Measure Use & Methodology (Elements 3.1 and 3.2)
9. Provider and Public Report Design (Element 3.3)
The QE must notify the QECP team of all changes that relate to, or modify its compliance with, any of the
minimum requirements evaluated during the application process.

QECP Program Guide

OPA

42

4.2.1 When to Report a Change
Exhibit 6 provides guidance for the reporting procedures and relevant timeframes for all such changes but
may not be inclusive of all reported change scenarios.

4.2.2 Procedure for Reporting Changes
The QE must report to the QECP team all changes to the approved operations plan according to the
schedule described in Exhibit 6. The procedure to report such changes is based on updating the evidence
the QE previously submitted to meet the minimum requirements during the application process. The
procedure to report changes consists of the following steps:
1.

The QE notifies its assigned PM of the intended change.

2.

The QE works with the PM to identify which elements are modified by the change and the
applicable evidence that should be provided.

3.

In the QE online application, the QE provides a statement indicating the rationale for the proposed
change and uploads all necessary documentation to demonstrate that the proposed change
continues to meet the QECP minimum requirements.

4.

The QECP team reviews and notifies the QE of approval or denial of the change via a Reported
Change Decision Letter.

For data security reported changes, the process is slightly different. Before being able to determine what
evidence a QE needs to submit to meet the requirements based on the proposed change, our data security
review team will first need to review an updated data flow diagram with annotations. After the data
security reviewer has assessed the updated diagram, your PM will communicate any additional evidence
requirements to complete that change.

QECP Program Guide

OPA

Exhibit 7: Reference Guide for Reporting Program Changes

43

Reporting Changes
Reporting Change Requirement

When To Report Change

Required/Example Supporting Documentation
1.1: Entity

The QE must report any termination or change in
contractors, vendors, partners, subsidiaries
or member organizations.

Immediately

Required Documentation:
• An updated Letter of Commitment, including the Contractual Relationship
Attestation (Appendix B)
• Updated listing of contractors in General Information section of QECP online
application

The QE must report changes in governance due to
merger, acquisition, or consolidation (MAC).

Within 30 days following the
MAC

Required Documentation:
• Certificate of merger (if applicable)
• Amended articles of incorporation

The QE must report changes to the official name of
the organization(s).

Within 30 days following the
name change

Example Documentation:
• Amended articles of incorporation
• Letter from the executive certifying that the name change will not affect any
previously approved processes or explaining how the change will affect such
processes.

The QE must report any change in its main point of
contact for the QE program.

Immediately

Required Documentation:
• Written notification to the QE’s PM
• Updated listing of contacts in General Information section of QECP online
application
1.1: Entity (for quasi QEs only)

A quasi QE must report any change in status as a
CMS-approved QCDR.

Immediately

Example Documentation:
• Written communication from CMS confirming change in status
1.2: Financial Resources

The QE must report any changes to its business
model that would affect its ability to cover the cost
of the data and the cost of developing public
reports.

Immediately

Example Documentation:
• Written notification to the QE’s PM
Note: Guidance will depend on the QE’s current program phase.

QECP Program Guide

OPA
Reporting Change Requirement

When To Report Change

44

Required/Example Supporting Documentation

1.3: Experience
If the QE leveraged the specific experience of a staff
member, contractor, or collaborative to meet an
experience requirement(s), and the staff member,
contractor, or collaborative leaves, the entity must
report the change.

Example Documentation:
• Written notification to the QE’s PM
• Updated evidence to demonstrate the entity still meets the minimum
experience requirements

Immediately

1.4: Claims Data
The QE must report any decrease in the amount of
claims data from non-Medicare sources being used
to qualify for the QE program.

Immediately

Required Documentation:
• Updated QECP Data Source Attestation
• Evidence that remaining data are sufficient to address methodological concerns
regarding sample size and reliability

The QE must report any changes to the geographic
area (region, state, county) for which public
reporting will incorporate QE Medicare data.

Immediately if the change is
associated with a change in
other-payer claims data;
otherwise, within 30 days

Required Documentation:
• Updated QECP Data Source Attestation that reflects the new coverage area and
demonstrates that the QE has sufficient other-payer claims data for the new
region/state/county

1.1: Entity & 2.1: Data Security
The QE must report any changes to the data
analytics/warehousing vendors or contract changes
related to the organizations/vendors handling QE
Medicare data or QE Medicare data security.

Immediately

Example Documentation:
• Updated Phase 2 evidence, including a new QECP Data Security Review and
Data Flow Diagram
• New Letter of Commitment detailing role of new contractor or vendor, as
applicable

QECP Program Guide

OPA
Reporting Change Requirement

When To Report Change

45

Required/Example Supporting Documentation

2.1: Data Security
The QE must report any significant changes to the
data security and privacy policies or procedures that
it had in place during the application process. A
significant change in Data Security is defined as an
action that is likely to affect the security state of an
information system or its environment of operation.

Immediately

Example Documentation:
• Updated QECP Data Security Review, with revised supporting documentation
• Updated data flow diagram
Note: A QE may not, under any circumstances, use a measure, create a report, or
issue a report until the QECP team receives notification of the change, reviews it, and
informs the QE of the review outcome.

Examples of significant changes include, but are not
limited to, changes to:
Data hosting provider
Internet service providers used to transmit QE
Medicare data
Physical locations where QE Medicare data are
stored, processed, accessed, or transmitted (e.g.,
building moves)
Staff with primary responsibility for data security.
The QE must report any unauthorized access or
disclosure of CMS data, suspected, or realized, to
the QECP team and CMS.

Immediately after the incident is
discovered

Example Documentation:
• Breaches of data security that pertain to PII must be reported to the CMS
Action Desk within 1 hour via telephone at 410-786-2850 or email at
[email protected].
• QEs should work with their PM to identify appropriate documentation
depending on the nature of the breach. However, at a minimum, copies of
incident notifications and reports will generally be required.

The QE must report all violations of the CMS DUA by
the entity or its contractors. Examples include
unauthorized data reuse, physically moving the QE
Medicare data without CMS approval, and violating
cell size suppression policy.

Immediately

Example Documentation:
• QEs should work with their PM to identify appropriate documentation
depending on the nature of the violation. However, at a minimum, copies of
incident notifications and incident reports will generally be required.

QECP Program Guide

OPA
Reporting Change Requirement

When To Report Change

46

Required/Example Supporting Documentation

2.3: Provider Corrections and Appeals & 2.4: Secure Transmission of Beneficiary Data
The QE must report any changes to its confidential
provider corrections and appeals process related to
the privacy and security protections for the release
of beneficiary identifiers or claims data to providers

Immediately

Example Documentation:
• Updated process documents
• Updated data flow diagram with annotations

The QE must report any changes to the level of
analysis for QE public reports (regional or provideridentified).

Immediately

Required Documentation:
• If changing from regional to provider-identified level of analysis, the QE must
provide evidence of experience with Corrections and Appeals (Element 1.3) and
all required documentation for Elements 2.3 and 2.4
• If changing from provider-identified to regional level of analysis, the QE must
provide evidence under Element 2.3 explaining how providers cannot be reidentified in QE’s public reports

3.1: Standard Measure Use & 3.2: Alternative Measure Use
The QE must report if it begins using risk adjustment
methods or makes changes to risk adjustment
methods for each applicable performance measure.

At least 90 days before the
intended release of confidential
performance reports to
providers

Example Documentation:
• For standard measures, completed items for Element 3.1.d in the QECP
Measure Information Workbook
• For alternative measures, completed items for Element 3.2.f in the QECP
Measure Information Workbook, including methodology papers or documents
demonstrating that the proposed methods are appropriate.

The QE must report changes to approved standard
and alternative measure specifications. This includes
changes in the eligible population, denominator,
numerator, exclusions, measured time periods,
specified data sources, and risk adjustment method.

At least 60 days before the
intended release of confidential
performance reports to
providers

Example Documentation:
• For standard measures, completed items for Element 3.1.a in the QECP
Measure Information Workbook
• For alternative measures, completed items for element 3.2.a in the QECP
Measure Information Workbook, including updated measure specifications

The QE must report any new standard measure it
wishes to add to its approved list of measures.

At least 30 days (60 days is
encouraged) before the
intended release of confidential
performance reports to
providers

Example Documentation:
• An explanation of the standard measure that will be added in the next public
reporting cycle
• Revised QECP Measure Information Workbook that includes the added measure
• Applicable evidence for Elements 3.1.a-3.1.h

QECP Program Guide

OPA
The QE must report any new alternative measure it
wishes to add to its approved list of measures.

At least 90 days before the
intended release of confidential
performance reports to
providers or at least 30 days
before the intended release of
regional public reports.

47

Example Documentation:
• An explanation of the alternative measure that will be added in the next public
reporting cycle
• Revised QECP Measure Information Workbook that includes the added measure
• Applicable evidence for Elements 3.2.a–3.2.k (i.e., measure specification)

QECP Program Guide

OPA
Reporting Change Requirement

When To Report Change

Required/Example Supporting Documentation

The QE is required to monitor the release of
standard measures (e.g., measures newly endorsed
by NQF) and notify the QECP team of any newly
released standard measure that is similar to one of
its QECP-approved alternative measures. The QE
must inform the QECP team whether it intends to
switch to the standard measure or not.

The QE must switch to the
standard measure within 6
months of the date that the
standard measure becomes
available or provide a
justification for not switching.

Example Documentation:
• If the QE switches to the standard measure:
o An explanation of the standard measure that will be added in the next
public reporting cycle
o Revised QECP Measure Information Workbook that includes the added
measure
o Applicable evidence for Elements 3.1.a-3.1.h
•

The QE is required to monitor the endorsement
status of its QECP-approved standard measures and
notify the QECP team if any standard measure loses
endorsement status and therefore becomes an
alternative measure. If the QE wishes to continue to
publicly report the measure, but as a new
alternative measure, within 6 months of the date
that the measure loses endorsement status, the QE
must submit evidence for Element 3.2. The QECP
team will have 60 days to reach a decision on
approval or disapproval of the alternative measure.

Within 6 months following the
date that the measure loses
endorsement status

48

If the QE does not switch to the standard measure:
o Written justification for continuing to use the alternative measure

Example Documentation:
• If the QE wants to publicly report the measure as alternative:
o Revised QECP Measure Information Workbook that includes the added
alternative measure with all completed information and evidence for
Elements 3.2.a–3.2.h
•

If the QE no longer wishes to publicly report the measure:
o An explanation that the measure will not be included in the next public
reporting cycle

3.3: Provider and Public Report Design
The QE must report any significant changes to the
appearance or content of Phase 3-approved
confidential provider performance reports or public
reports.
Significant changes include changes to:
Provider ratings approach
Level of analysis for reported measures
Comparative reporting by product line
QE’s public report website address

For either a change in the
provider or public report, at
least 30 days (60 days
encouraged) before the
intended release of confidential
performance reports to
providers

Example Documentation:
• Explanation of the changes
• Revised provider and/or public report prototype or screenshots

QECP Program Guide

OPA
Reporting Change Requirement

When To Report Change

Required/Example Supporting Documentation

The QE must report any changes in the
dissemination plan for sharing reports with the
public, including the public report release timeline
and frequency.

At least 30 days (60 days is
encouraged) before the
intended release of confidential
performance reports to
providers

Example Documentation:
• Explanation of the changes
• New dissemination plan that includes the timeline and frequency of public
reports

49

3.1–3.3: Measure Use & Reporting (for quasi QEs only)
A quasi QE must notify the QECP team if it was
previously exempt from submitting evidence for
Phase 3 and wishes to add measures to its public
reports that were not included in the QCDR selfnomination process.

At least 120 days before its
intended confidential
performance report release to
providers

Required Documentation:
• All relevant documentation for these new measures for Elements 3.1–3.3

QECP Program Guide

OPA

50

4.3 QE Annual Reports
As defined in the QE regulations (42 CFR § 401.719), QEs are required to provide annual reports containing
information related to program adherence to allow the QECP team to continually monitor and assess their
performance in the program. QEs must submit an annual report for each calendar year, with the exception
of QEs certified after November 1 of that year. In other words, QEs certified on or after November 1 of a
given year will not be required to submit an annual report for that year. The QECP team will provide
instructions to QEs each year on the timeline for completing and submitting their annual report. As part
of OPA, the QECP team will review these reports and follow up with QEs, as necessary.
To make these reports as comprehensive as possible, QE regulations require the following elements in
each annual report: 10
•

The volume of Medicare and other-payer claims combined. QEs must report how much nonMedicare claims data they have available to combine with the QE Medicare data received from
CMS for use in their standard and alternative performance measures. Please note that QCDRs are
required to provide information about the changes in their total provider enrollment and whether
there was a net increase or decrease in total provider counts.

•

The percent of the overall market share the number of claims represent in the QE’s geographic
area. When QEs determine the number of non-Medicare and Medicare claims they were able to
combine, they must determine and report the percentage of the market share of their geographic
region these claims represent.

•

The number of measures calculated. QEs must report the number of standard and alternative
measures in which QE Medicare data were included and reported publicly in the past year, as well
as any measures that they may have added or deleted through the OPA process for reporting
changes. This includes any measures released through a supplemental report.

•

A measure of public use of the reports. QEs are expected to ensure that their public reports are
reaching the target audiences and that consumers are using the data contained in these reports.
QEs must collect and report some measure of public use of their reports (e.g., website hits,
examples of consumer use of measure results). This includes any activity from supplemental
public reports.

•

The number of providers and suppliers requesting claims data through the corrections and appeals
process. Accurate reporting on providers is a crucial element of the QECP. QEs must report the
number of providers requesting claims data through the corrections and appeals process as an
indication of how reports are being received by medical professionals.

•

The number of requests for claims data fulfilled. QEs must report the number of provider requests
fulfilled, including the number of claims sent to each provider.

•

The number of error corrections. Accurate reporting should be a key focus for QEs. QEs must
report the number of corrections made to the provider performance reports as a direct result of
the corrections and appeals process and of any other process in which errors were detected and
reported to the QE.

QE regulations, 42 CFR §401.719(b). Depending on a QE or quasi QE’s progress through the phased application
process, it may not be required to respond to all annual report elements. Annually, the QECP team will provide
specific annual report instructions to each QE and quasi QE.

10

QECP Program Guide

OPA

51

•

The types of problems leading to requests for error correction. QEs must also report what kinds of
errors were identified, both those that upon investigation did not require correction and those
that did require correction (e.g., system issues, missing data feeds, or misattribution of patient
services and episodes).

•

The amount of time to acknowledge requests for error correction. Once a request for error
correction is received from a provider, QEs must acknowledge receipt before processing the
request. QEs must report the time it took to acknowledge each provider request for correction or
appeal.

•

The amount of time to respond to requests for error correction. QEs should respond to provider
requests for error corrections in a timely manner. QEs must report the amount of time it took to
respond to each provider request for error correction.

•

The number of requests for error correction resolved. QEs must report how many errors were
corrected and how many identified errors were not corrected. This must be accompanied by a
description of how these errors were resolved or the reason for no resolution.

•

The security and privacy of QE Medicare data. Security and privacy are essential to the QECP, in
addition to the information required by QE regulations, all QEs are required to include in their
QECP annual report summary of incidents involving unauthorized access or disclosure of CMS
information, suspected or realized, over the past year. QEs must include the date(s), type(s), and
resolution of all incidents. This summary is in addition to the required immediate notification QEs
must provide to the QECP each time a data security incident occurs

•

Non-Public Analyses and Data. QEs that choose to engage in additional uses of QE Medicare data,
including providing QE Medicare data at no cost, or providing or selling non-public analyses, must
provide descriptive information related to each analysis bought or sold and each occurrence of
QE data provided or sold (e.g., authorized user, total fees received, topic or purposes of the
analysis).

•

QE feedback. This step is optional however, we encourage QEs to complete a survey for the annual
report to provide feedback related to the application process, technical assistance,
communication with the QECP team, or any other areas.

4.3.1 Procedure for Submitting Annual Reports
QEs have access to their Annual Report through the QECP online application. If a QE has not received QE
Medicare data or released a QE public report by the report deadline, it will submit several tables in the
workbook as “not applicable.” Once the annual report has been submitted, QEs should inform their PM.
The annual reports will then be reviewed and either assessed as “Compliant” or referred to the Monitoring
team for review.
More information on submitting Annual Reports can also be found in the Annual Report Webinar on the
QECP website under QE Program Information --> Ongoing Program Administration --> Webinars. This
webinar is offered to QEs each year to provide a demonstration of the annual report process. For more
information, please contact your PM.

4.4 Monitoring Reviews
A monitoring review may be conducted for any QE that is potentially out of compliance or at risk of noncompliance with program requirements. The review may occur at any time after the QE has obtained QE
Medicare data. An assessment of compliance may occur during phase application submission, periodic

QECP Program Guide

OPA

52

environmental scans of QE activities, in the course of a reported change or annual report submission, or
as part of the release of public or non-public reports.
During the monitoring review, the QECP team assesses a QE’s compliance with the requirements related
to data security and privacy, the provider corrections and appeals process, and performance measures
and public reporting. In certain cases, a monitoring review may consist of a virtual data security audit. As
referenced in the QE regulations (42 CFR § 401.719), a data security audit may result in a request to the
QE for updated documentation to resolve the issue of non-compliance.
Monitoring reviews may result in one of three outcomes: a Warning, a TC, or a CAP Request.

4.4.1 Warning
A warning is the lowest level of response by the QECP team to probable or potential violations. The QE
will receive a letter, signed by the QECP Project Director, outlining the concern, and explaining how to
avoid it in the future. No evidence submission will be required of the QE.

4.4.2 Technical Correction
A Technical Correction (TC) request is issued by CMS to correct a compliance issue with a QE’s
performance under the QECP. A CAP Request describes the compliance issue, outlines the steps the QE
needs to take to come back into compliance, and sets a timeline by which the QE must address the issue.
The QE will receive a letter from CMS that explicitly outlines the non-compliant behavior and the actions
required of the QE to return to compliance. Evidence submission will be required and will be reviewed by
the appropriate subject matter experts to assess compliance.

4.4.3 Corrective Action Plan
CAPs are imposed as a result of the highest level of violation and require a remediation plan. The QE will
receive a CAP Request from CMS explicitly outlining the QE’s program violations, and the requirement to
develop a 30-, 60-, or 90-day CAP. Both a remediation plan and evidence of remediation are required and
will be reviewed by the relevant SMEs. The QECP team will send a recommendation report and a CAP
decision letter to CMS for final approval.
Once CMS has approved the CAP, the QECP team will monitor the QE to ensure that it adheres to all
aspects of the CAP. This monitoring may include checking to ensure that the QE is adhering to the CAP
timeline and meeting deliverable schedules. If the QECP team finds that a QE is not following the CAP, the
team may step in and take more immediate action.

4.5 OPA Outcomes
The review and assessment of OPA activities, including reporting data security breaches, reporting
changes, submitting annual reports, and the monitoring reviews will result in one of three outcomes: OPA
Compliant, In Danger of OPA Non-Compliance, and OPA Non-Compliant.

4.5.1 OPA Compliant
If the QECP determines that the QE is in good standing, the QE will be deemed OPA compliant, and no
further action will be taken.

4.5.2 In Danger of OPA Non-Compliance
If the QE is found to be generally compliant but requires further review or modification of certain OPA
components to be in full compliance, it will receive notification that it is in danger of OPA non-compliance.

QECP Program Guide

OPA

53

Depending on the level of non-compliance, the QE may require a CAP or may be permitted to continue
working with QE Medicare data under observation by the QECP team.

4.5.3 OPA Non-Compliant
If the review of any of the OPA components uncovers a critical deficiency, the QE will receive notification
that it is OPA non-compliant. An outcome of OPA non-compliance means that the QE must immediately
stop calculating and reporting on performance measures that include QE Medicare data. Depending on
the degree of non-compliance, the QE may be able to undergo a CAP in order to resume reporting, or CMS
may terminate the QE’s certification status and require the QE to return or destroy all QE Medicare data,
as specified in the CMS DUA.

SECTION 5. REAPPLICATION
QE certification is valid for 3 years. QEs must reapply for certification 6 months prior to the end of their
certification period to remain in good standing. This 6-month anniversary is considered the reapplication
deadline by the QE program. QEs continue to be in good standing until their reapplication is either
approved or denied.
QEs will receive a reapplication notification from their PM 3 months prior to their reapplication deadline
and will be asked whether they intend to reapply. QEs may request data until their certification period
ends. If a QE reapplies and its geographic region changes during the reapplication process, the QE will be
required to return or destroy any data that it is ineligible to keep at the end of the 3-year certification
period. QEs that do not intend to reapply may request data until their QE certification expires, however,
they will be required to return or destroy any data at the end of the 3-year certification period. For more
information about reapplication, please see the Reapplication page of the QECP website.

5.1 QE Reapplication Policy
The reapplication process takes significantly less time and effort than the initial phased application
process. The reapplication process leverages QE documentation already on file with CMS and requires
QEs to respond to a form pre-populated with information by their PM and consists of no more than 10
statements based on where a QE is in the application process at the time of Reapplication. These
statements are summarized in Section 5.2. During reapplication, QEs must report changes to previously
assessed QECP elements and submit supporting documentation to confirm such changes.
Reapplication can take up to 3 months for the QE to complete and submit. The Reapplication review,
including CMS’ final outcome decision, is estimated to take up to 15 business days from the submission
of a complete and validated Reapplication that meets all requirements.

5.2 QE Reapplication Program Requirements
QEs are responsible for completing the reapplication form and submitting supporting documentation as
needed. QEs will work with their PM to determine which statements will be required of them based on
their status in the program. The QE will then upload all documentation to the online application. The
detailed evidence requirements for reapplication are shown in Exhibit 7.

5.3 Quasi QE Reapplication Program Requirements
Reapplication will be used to verify the selected QQE pathway for public reporting. As such, Statements
7, 8, and 9 will vary slightly in language for QQEs and will reference the most recently submitted evidence
on measure selection (e.g., self-nominated, standard, or alternative), reporting platform (e.g., Care
Compare) pathway. QQEs will be asked to describe any changes to the number of providers in their
QECP Program Guide

Reapplication

54

registry for Statement 2. Quasi QEs should reach out to their PMs for any quasi-QE specific Reapplication
questions.

QECP Program Guide

Exhibit 8: QECP Minimum Requirements Review: Reapplication QE Program Requirements

Reapplication

55

Reapplication
QE Program
Requirement

Element
1.1: Identify changes to the QE’s organization

Assessment

Statement 1: Your organization intends to continue to contract with the same organization(s) to fulfill the QECP requirements.
Note: Public and non-public reports that include QE Medicare data must not be disseminated using a new data analytics/warehousing vendor prior to
the new vendor (and lead QE) submitting updated QECP Phase 2 evidence and obtaining CMS approval (see Section 4.2).

Evidence
Requirement
(if applicable)

1. If your organization plans to work with new/additional contractors, vendors, partners, subsidiaries
or member organizations, complete the QECP Letter of Commitment, including Appendix B: Contractual Relationship Attestation, which includes an
attestation to breach of contract liability between parties, with potential to collect damages for failure to perform.

1.4: Identify changes to the QE’s ability to obtain claims data from at least one other source to combine with the QE Medicare data
Assessment

Statement 2: Your organization still receives the same sources and amounts of other-payer claims data for the approved geographic areas in the prefilled text box below
Note: A QE may not, under any circumstances, use a measure, create a report, or issue a report after the amount of claims data from other sources
available to the QE decreases until the QECP team determines either (1) that the remaining claims data are sufficient or (2) that the QE has collected
adequate additional data to address any identified deficiencies (see Section 4.2).

Evidence
Requirement
(if applicable)

1.

If the geographic area has changed, submit a new QECP Data Source Attestation.

2.

If the amount of other-payer claims data received by your organization has increased, submit a new QECP Data Source Attestation.

If the amount of other-payer claims data received by your organization has decreased, submit a new QECP Data Source Attestation. In addition, provide
an explanation, by data supplier name, of the reason why the data source is no longer available to your organization, or the reason why the amount of
data received by the supplier has decreased. Submit documentation that demonstrates that the remaining claims data from other sources are sufficient
to address methodological concerns regarding sample size and reliability.
2.1: Identify changes to the QE’s data security and privacy policies and procedures

QECP Program Guide

Reapplication
Assessment

56

Statement 3: The data flow diagram submitted by your organization still accurately demonstrates (1) how sites that access the QE Medicare data are
connected, and (2) how QE Medicare data flow through your organization from receipt to public reporting (including the confidential provider
corrections and appeals process)
Statement 4: Since Phase 2 approval, or submission of your organization’s most recent QECP annual report, your organization has made significant
changes to the data security environment and practices
A significant change is defined as an action that is likely to affect the security state of an information system or its environment of operation. Some
examples include, but are not limited to:
• Modifications to cryptographic modules or services;
• Modifications to security controls;
• Moving to a new facility;
• Change in vendors, business partners, or service providers;
• Changes in data hosting providers;
• Changes in staff with primary responsibility for data security;
• Data breaches and other violations of the CMS DUA;
• Acquiring specific and credible threat information that the organization is being targeted by a threat source; or
• Establishing new/modified laws, directives, policies, or regulations.
If there is any uncertainty about whether a change in a data security program is significant and should therefore be reported, please consult with the QECP
team ([email protected]) to determine the appropriate next steps.

Evidence
Requirement
(if applicable)

1.

If your organization has experienced a change to its security environment through which QE Medicare data flows, submit an updated, annotated
QE data flow diagram.

2.

If your organization has experienced a change to its data security environment or practices, provide an explanation of the changes, including the
date when each change occurred.

2.3 & 2.4: Identify changes to the corrections and appeals process; identify any changes related to the secure transmission of beneficiary data
Assessment

Statement 5: Your organization would like to change their level of reporting (provider-identified vs regional) prior to the next reporting cycle for either
public or non-public reports.
Statement 6: Your organization would like to make a change to their corrections and appeals process prior to the next reporting cycle. This includes any
changes to your organization’s privacy and security protections for the release of beneficiary identifiers and/or claims data to providers.

Evidence
Requirement
(if applicable)

1.

If your organization would like to report publicly or non-publicly at the provider level and had previously reported at a regional level, please
provide a corrections and appeals process including the process that would allow an entity to securely transmit beneficiary claims to providers.

QECP Program Guide

Reapplication
2.

If your organization would like to report publicly or non-publicly at the regional level and had previously reported at a provider level, please
provide an explanation of the masking methodology that would prevent providers from being re-identified.

3.

If your organization is planning to make changes to the confidential provider corrections and appeals process, provide an explanation describing
the changes. These changes must be reflected in the QE data flow diagram provided under Statement 3. Changes related to contractual
relationships with data analytics/warehousing vendors are subject to the requirements of Statements 1and 3.

57

3.1: Identify changes to the standard measures the QE intends to report in its next public reporting cycle
Assessment

Statement 7: Your organization intends to continue reporting the same standard measures in its next public reporting cycle.
Note: QEs are required to notify the QECP team of any new standard measures they wish to add to their approved list of measures at least 30 days
before the intended confidential performance release to providers for the corrections and appeal process (see Section 4.2).

Evidence
Requirement
(if applicable)

1.

If your organization would like to change the standard measures that have previously been publicly reported, provide an explanation of the
standard measures that will be added or removed in your organization’s next public reporting cycle. For measures that will be added, submit a
revised QECP Measure Information Workbook, accompanied by the required supporting documentation for Element 3.1.
3.2: Identify changes to alternative measures the QE intends to report in its next public reporting cycle

Assessment

Statement 8: Your organization intends to continue reporting the same alternative measures in its next public reporting cycle.
Note: QEs are required to notify the QECP team of any alternative measures they wish to add to their approved list of measures. QEs must notify the
QECP team of any new alternative measures at least 60 days before the intended confidential performance report release to providers (see Section 4.2)
and are strongly encouraged to notify the team up to 90 days beforehand.

Evidence
Requirement
(if applicable)

1.

If your organization would like to change the alternative measures that have previously been publicly reported, provide an explanation of the
alternative measures that will be added or removed in your organization’s next public reporting cycle. For measures that will be added, submit a
revised QECP Measure Information Workbook, accompanied by the required supporting documentation for Element 3.2.
3.3: Identify changes in the design of reports for providers and the public

Assessments

Statement 9: Your organization would like to change the content or appearance of its provider or public report during its next reporting cycle. A
“change” is defined as a significant modification in the provider ratings approach, level of analysis for reported measures, comparative reporting by
product line, or website address, for example, but excludes changes due to the addition or removal of performance measures.
Note: QEs must notify the QECP team of changes to the provider and/or public prototype report and submit to the QECP team the new prototype
report(s) at least 30 days before the intended confidential release to providers (see Section 4.2).
Statement 10: Your organization would like to change its dissemination plan for informing intended audiences of the issuance of its QE performance
reports. This includes anticipated changes to the public report release schedule and frequency.

QECP Program Guide

Reapplication

58

Note: QEs must notify the QECP team of changes in the dissemination plan for sharing reports with the public and submit the new plan at least 30 days
before the intended confidential performance report release to providers (see Section 4.2).
Evidence
Requirement
(if applicable)

1.

If your organization would like to make changes to the content or appearance of provider and/or public reports, provide an explanation of the
changes, and submit the revised provider and/or public report prototype.

2.

If your organization would like to make changes to the dissemination plan, provide an explanation of the changes.

QECP Program Guide

Reapplication

59

5.3 Reapplication Outcomes
After the reapplication review, a certification decision is rendered. CMS will assign the QE an outcome of
Qualified or Not Qualified.

5.3.1 Reapplication: Qualified
A QE that has reapplied to the QECP receives the status Qualified if it demonstrates complete compliance
with the reapplication requirements. This status is valid for 3 years from the date of notification of CMS
approval unless the QE’s status is otherwise terminated (see Section 5.4).
After recertification, QEs in Phase 2 or 3 must continue to work toward projected submission dates for
their Phase 2 or Phase 3 evidence. QEs must work with ResDAC and CMS to submit QE Medicare data
requests and pay associated fees to receive annual and quarterly updates of QE Medicare data.

5.3.2 Reapplication: Not Qualified
A QE that has reapplied to the QECP receives the status Not Qualified if it has not demonstrated complete
compliance with the reapplication requirements. A failure on any requirement will result in an outcome
of Not Qualified. A QE that receives a reapplication outcome of Not Qualified may not submit a second
reapplication, must cease public reporting initiatives using QE Medicare data, and must return or destroy
QE Medicare data.
QEs that receive the status Not Qualified may apply for Phase 1 QE certification no sooner than 90 business
days after the date of the reapplication decision letter from CMS.

5.4 Maintaining and Losing Certification Status
5.4.1 Expiration and Renewal
QE certification is valid for 3 years from the date of notification of CMS approval. The QE may submit data
requests and pay associated fees to receive updates of QE Medicare data until the end of its certification
period. At that time, the QE must have successfully reapplied to the QECP and have been approved to
continue receiving data. If a reapplication is not submitted or approved, the QE must destroy the data.

5.4.2 Termination
During any phase of the minimum requirements review or the monitoring review (if applicable), a QE may
have its certification terminated if it is no longer compliant with program requirements.

5.4.3 Reconsideration
As stated in the QE regulations (42 CFR § 401.711), QEs are required to notify CMS prior to updating plans
previously reviewed as part of the application process if these plans would change proposed measures,
prototype reports, public reports, data sources, or data volume. CMS may reconsider the previously issued
certification if the applicant is no longer compliant based on the updated plans.

5.4.4 Voluntary Forfeiture
The QE regulations (42 CFR § 401.721) note that QEs may voluntarily terminate their agreement with CMS
once they have entered the minimum requirements review, a monitoring review, or the OPA phase of the
program. If a QE determines that this is the most appropriate course, it must agree to immediately destroy
or return to CMS the QE Medicare data that it received under the program. Fees paid to CMS by the QE
will not be refunded.

QECP Program Guide

Additional Uses of QE Medicare Data

60

SECTION 6. ADDITIONAL USES OF QE MEDICARE DATA
Once a QE passes the Phase 2 Data Security review and obtains data, it may engage in additional nonpublic uses of QE Medicare data, beyond the public reporting requirement. Any QE that elects to engage
in additional uses of QE Medicare data under the QE program must comply with all QECP requirements
described in this Program Guide, including, but not limited to, the QECP phased minimum requirements
review and public reporting.
For more information, please see the Use of Medicare Data page of the QECP website.

6.1 Providing or Selling De-identified Non-Public Analyses
QEs may use combined data to create de-identified11 non-public analyses and provide or sell these deidentified analyses to authorized users. The requirement to use combined data does not prevent QEs
from providing or selling analyses that allow the authorized user to drill down by payer type to Medicare
only- results. For example, a QE may provide or sell a provider report that includes the provider’s overall
score on certain quality and resource use measures (using combined data) and then presents scores for
each of these measures by payer type (including a Medicare FFS category).
A QE must enter into a contractually binding non-public analyses agreement with the authorized user as
a precondition of providing or selling de-identified analyses. More on this topic is covered in Section 6.4.2:
The Non-Public Analyses Agreement, which also discusses permissible uses of de-identified non-public
analyses).

6.1.1 Authorized Users of De-identified Non-Public Analyses
A QE may provide or sell de-identified non-public analyses to the following authorized users (including
any contractors or business associates described in the definition of authorized user): (1) a provider; (2) a
supplier; (3) an employer; (4) a health insurance issuer; (5) a medical society; (6) a hospital association;
(7) a health care provider and/or supplier association; (8) a state entity; and (9) a federal agency.
A QE may only provide or sell a non-public analysis to a health insurance issuer after the health insurance
issuer or a business associate of that health insurance issuer has provided the QE with claims data that
represent a majority of the health insurance issuer’s covered lives, using one of the four methods of
calculating covered lives established at 26 CFR § 46.4375-1(c)(2), for the time period and geographic
region covered by the issuer requested- non-public analysis. A QE may not provide or sell a non-public
analysis to a health insurance issuer if the issuer does not have any covered lives in the geographic region
covered by the issuer-requested non-public analysis.
If the authorized user is an employer, the authorized user may only use the analysis or derivative data for
purposes of providing health insurance to employees, covered dependents of employees, or covered
retirees of that employer.

11 Regardless of the HIPAA covered entity or business associate status of the QE and/or the authorized user,

de-identification must be determined based on the standards for HIPAA covered entities found at 45 CFR §
164.514(b). More information on the HIPAA de-identification standards can be found on the Health and Human
Services (HHS) Office for Civil Rights website at http://www.hhs.gov/hipaa/for-professionals/privacy/specialtopics/de-identification/index.html

QECP Program Guide

Additional Uses of QE Medicare Data

61

6.1.2 Corrections and Appeals for Non-Public Analyses
Non-public analyses that contain information that individually identifies a provider or supplier (regardless
of the level of the provider or supplier, that is, an individual clinician, a group of clinicians, or an integrated
delivery system) may not be disclosed unless one of the following three conditions apply:
•

The analysis only individually identifies the provider or supplier receiving the analysis.

•

Every provider or supplier individually identified in the analysis has been afforded the opportunity
to appeal or correct errors using the process described below.

•

Every provider or supplier individually identified in the analysis has notified the QE, in writing, that
analyses may be disclosed to the authorized user without first going through the corrections and
appeals process.

A QE must comply with the following before disclosing non-public analyses which contain information
that individually identifies a provider or supplier:
•

At least 65 calendar days before disclosing the analyses, a QE must confidentially notify a provider
or supplier that non-public analyses that individually identify the provider or supplier will be
released to an authorized user. This confidential notification must include a short summary of the
analyses (including the measures calculated), the process for the provider or supplier to request
the analyses, the authorized user receiving the analyses, and the date on which the QE will release
the analyses to the authorized user.

•

A QE must allow providers and suppliers the opportunity to opt into the review and correction
process at any time during the 65-calendar-day period. If a provider or supplier chooses to opt-in
to the review and correction process more than 5 days into the notification period, the time for
the review and correction process is shortened from 60 days to the number of days between the
provider or supplier opt-in date and the release date specified in the confidential notification.

6.2 Providing or Selling Patient De-Identified Data
A QE may provide or sell de-identified12 combined data or provide QE Medicare-only data at no cost to
certain authorized users. For combined data, there is no specific minimum threshold for the amount of
other-payer claims data that must be combined with the QE Medicare data. QEs are permitted to
determine an appropriate fee to charge authorized users for access to the combined data.
A QE must enter into a contractually binding Qualified Entity Data Use Agreement (QE DUA) with an
authorized user prior to providing or selling any de-identified data. More information on this topic may
be found in Section 6.4.1: The QE DUA, which also discusses permissible uses of de-identified data.

6.2.1 Authorized Users of Patient De-identified Data
QEs are permitted to provide (or sell, where applicable) de-identified data only to the following authorized
users (including any contractors or business associates described in the definition of authorized user): (1)
providers of services, (2) suppliers, (3) medical societies, and (4) hospital associations.

12 Regardless of the HIPAA covered entity or business associate status of the QE and/or the authorized user,

de-identification must be determined based on the standards for HIPAA covered entities found at 45 CFR 164.514(b).
Additional information on the HIPAA de-identification standards can be found on the HHS Office for Civil Rights
website at: http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

QECP Program Guide

Additional Uses of QE Medicare Data

62

6.3 Providing or Selling Patient-Identifiable Data and Analyses
QEs may provide or sell patient-identifiable combined data, 13 or provide patient-identifiable Medicareonly data at no cost, to certain authorized users. QEs may also use combined data to create patientidentifiable non-public analyses and provide or sell these identifiable analyses to authorized users. The
requirement to use combined data to create the analyses does not prevent QEs from providing or selling
identifiable analyses that allow the authorized user to drill down by payer type to Medicare only- results.
For example, a QE may provide or sell a provider a report that includes the provider’s overall score on
certain quality and resource use measures (using combined data) and then present scores for each of
those measures by payer type (including a Medicare FFS category).
A QE is required to enter into a QE DUA with any authorized user as a precondition of providing or selling
non-public analyses that contain patient-identifiable information or data. More on this topic is covered in
Section 6.4.1: The QE DUA, which also discusses permissible uses of identifiable data and analyses.

6.3.1 Authorized Users of Patient-Identifiable Data and Analyses
If consistent with all applicable laws, data or analyses that individually identify a beneficiary may only be
disclosed to a provider or supplier with whom the identifiable individual in such data or analyses has a
patient relationship. “Patient” is defined as an individual who has visited a provider or supplier for a faceto-face or telehealth appointment at least once in the past 24 months.

6.3.2 Corrections and Appeals for Non-Public Analyses
Patient-identifiable non-public analyses also require a provider corrections and appeals process. For more
information on the corrections and appeals requirements for non-public analyses, see Section 6.1.2.

6.4 Contractually Binding Agreements
There are three different contractual agreements in the QE program. The first contractual agreement is
the CMS DUA between CMS and the QE. The CMS DUA must be in place prior to the QE receiving Medicare
data. It contains all of the data use requirements that the QE and any Phase 2-approved contractor must
comply with to participate in the QE program. For more information on the CMS DUA, see Section 2.6.
The second agreement is the QE DUA. The QE DUA is executed between a QE and an authorized user and
is a precondition of selling or disclosing any combined data or Medicare claims data or non-public analyses
that includes individually identifiable beneficiary data. The QE DUA contains all of the provisions that the
authorized user must comply with to receive and maintain the QE data or patient-identifiable analyses.
More information on the QE DUA is provided in Section 6.4.1.
The third agreement is the non-public analyses agreement between a QE and an authorized user and is a
precondition of providing or selling beneficiary de-identified analyses. The non-public analyses agreement
contains all of the provisions that the authorized user must comply with to receive and maintain the deidentified analyses (see Section 6.4.2).

13

Regardless of the HIPAA covered entity or business associate status of the QE and/or the authorized user,
de-identification must be determined based on the standards for HIPAA covered entities found at 45 CFR 164.514(b).
Additional information on the HIPAA de-identification standards can be found on the HHS Office for Civil Rights
website at http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.

QECP Program Guide

Additional Uses of QE Medicare Data

63

6.4.1 The QE DUA
As a precondition of providing or selling any QE data (including combined, Medicare-only, beneficiaryidentifiable, or de-identified data) or providing or selling non-public analyses containing protected health
information (PHI), the QE must enter into a QE DUA with the authorized user. 14 The QE DUA must
contractually bind the authorized user (including any contractors or business associates described in the
definition of authorized user) to the following:
•
•
•

Permissible uses;
Privacy and security requirements; and
The requirement to notify the QE of any violations of the QE DUA, to cooperate in the QE’s efforts
to mitigate any harm that may result from such violations, and to comply with the breach
provisions governing QEs.

Providing or selling beneficiary de-identified non-public analyses is governed not by the QE DUA, but
rather by the non-public analyses agreement.
Permissible Uses Under the QE DUA
The QE DUA must contractually bind the authorized user to the following permissible uses of data or
analyses that the authorized user receives under the QE DUA. Under a QE DUA, the authorized user may
use the QE data and the non-public analyses containing PHI only in a manner similar to that of a HIPAA
covered entity under the following provisions:
•

Activities falling under paragraph (1) of the definition of “health care operations” under 45 CFR §
164.501: Quality improvement activities, including care coordination activities and efforts to track
and manage medical costs; patient-safety activities; population-based activities such as those
aimed at improving patient safety, quality of care, or population health, including the
development of new models of care, the development of means to expand coverage and improve
access to healthcare, the development of means of reducing healthcare disparities, and the
development or improvement of methods of payment or coverage policies.

•

Activities falling under paragraph (2) of the definition of “health care operations” under 45 CFR §
164.501: “Reviewing the competence or qualifications of health care professionals; evaluating
practitioner and provider performance, and health plan performance; conducting training
programs in which students, trainees, or practitioners in areas of health care learn under
supervision to practice or improve their skills as health care providers; training of non-health care
professionals; accreditation, certification, licensing, or credentialing activities.”

•

Activities that qualify as “treatment” under 45 CFR § 164.501.

•

Activities that qualify as “fraud and abuse detection or compliance activities” under 45 CFR §
164.506(c)(4)(ii).

The authorized user is prohibited from using or disclosing the QE data or non-public analyses containing
PHI for marketing purposes. The authorized user is also prohibited from redisclosing or making public any
QE data or non-public analyses containing PHI.

In cases where all the terms of the QE DUA at 42 CFR § 401.713(d) are contained in a contractually binding
agreement between the qualified entity and the authorized user, the qualified entity is not required to re-paper that
agreement as a QE DUA.
14

QECP Program Guide

Additional Uses of QE Medicare Data

64

All other uses and disclosures of the QE data or non-public analyses containing PHI by authorized users
are forbidden, with two exceptions. First, at the QE’s discretion, the QE may permit an authorized user
that is a provider or a supplier to redisclose QE data or non-public analyses in the same way that a HIPAA
covered entity is permitted to disclose PHI under 45 CFR § 164.506(c)(4)(i), 45 CFR § 164.506(c)(2), or 45
CFR § 164.502(e)(1). Second, authorized users may be required to redisclose QE data or non-public
analyses containing PHI as required by law, as defined at 45 CFR § 164.103.
Authorized users that receive beneficiary de-identified data (combined data or Medicare-only data) are
prohibited from linking the beneficiary de-identified data to any other identifiable source of information
and are prohibited from attempting any other means of re-identifying any individual whose data are
included.
Privacy and Security Under the QE DUA
The QE DUA must contractually bind the authorized user to the following privacy and security protections
for any data or analyses the authorized user receives under the QE DUA. The authorized user is required
to ensure adequate privacy and security protection for the QE data and non-public analyses containing
PHI. At a minimum, regardless of whether the authorized user is a HIPAA covered entity, such protections
of beneficiary-identifiable data must be at least as protective as those required of covered entities and
their business associates regarding PHI under the HIPAA Privacy and Security rules. In all cases, these
requirements must be imposed for the life of such beneficiary-identifiable data or non-public analyses or
any derivative data until all copies of such data or non-public analyses are returned or destroyed. These
duties must be specified in such a manner as to survive termination of the QE DUA, whether for cause or
not.

6.4.2 The Non-Public Analyses Agreement
A QE must enter into a contractually binding non-public analyses agreement with the authorized user
(including any contractors or business associates described in the definition of authorized user) as a
precondition of providing or selling de-identified non-public analyses. The non-public analyses agreement
must contractually bind the authorized user (including any contractors or business associates described
in the definition of authorized user) to the permissible uses of the analyses and the requirement to notify
the QE of any violations of the non-public analyses agreement, and to cooperate in the QE’s efforts to
mitigate any harm that may result from such violations.
Permissible Uses Under the Non-Public Analyses Agreement
The non-public analyses agreement must prohibit the use of de-identified non-public analyses or
derivative data for the following purposes:
•
•
•
•

Marketing;
Harming or seeking to harm patients or other individuals both within and outside the health care
system regardless of whether their data are included in the analyses;
Effectuating or seeking opportunities to effectuate fraud and/or abuse in the health care system;
Publishing research reports.

If the authorized user is an employer, the authorized user may use the analyses or derivative data only for
the purposes of providing health insurance to employees, retirees, or dependents of employees or
retirees of that employer.
As part of the non-public analyses agreement, a QE may permit an authorized user that is a provider or a
supplier to redisclose the de-identified analyses or derivative data, in the same way a covered entity is
permitted to redisclose under 45 CFR § 164.506(c)(4)(i) or 45 CFR § 164.502(e)(1). If the authorized user

QECP Program Guide

Additional Uses of QE Medicare Data

65

is not a provider or supplier, the authorized user may not redisclose or make public any non-public
analyses or derivative data except as required by law.
The authorized user may not link the de-identified analyses to any other identifiable source of information
and may not in any other way attempt to identify any individual whose de-identified data are included in
the analyses.

6.5 QE Annual Reporting for Additional Uses of QE Medicare Data
QEs that choose to provide or sell QE data or non-public analyses must report additional information in
their required QE annual report.
For non-public analyses provided or sold to authorized users, the QE annual report must include the
following information:
•

•
•

A summary of the analyses provided or sold, including:
o
The number of analyses;
o
The number of purchasers of such analyses;
o
The types of authorized users that purchased analyses;
o
The total amount of fees received for such analyses; and
o
Violations of the QE DUA or the non-public analyses agreement.
A description of the topics and purposes of such analyses
The number of analyses disclosed with unresolved requests for error correction.

For QE data provided or sold to authorized users, the QE annual report must include the following
information:
•
•
•
•

The entities that received QE data
The basis on which each entity received such data
The total amount of fees received for providing, selling, or sharing the data
Violations of the QE DUA.

See Section 4.3 for additional information about the QE annual report requirements, including how to
submit annual reports, and annual report due dates.

6.6 Violations of the CMS DUA or QE DUA
6.6.1 Assessments
In the case of a violation of the CMS DUA or the QE DUA, CMS may impose an assessment on the QE. CMS
will calculate the amount of the assessment of up to $100 per Medicare Part A or B beneficiary whose
data were implicated in the violation. For detailed information about the assessment amount and process,
refer to 42 CFR § 401.719 (d)(5).

6.6.2 Termination of CMS DUA
CMS may terminate the QE’s CMS DUA if the QE fails to ensure that authorized users comply with their
QE DUAs or non-public analyses agreements.

QECP Program Guide

Appendix A: Glossary

66

Appendix A: Glossary
5% national sample files – The 5% random sample consists of Medicare beneficiaries who had a Medicare
Health Insurance Claim (HIC) number equal to the Claim Account Number (CAN) plus the Beneficiary
Identity Code (BIC) (HIC=CAN+BIC), where the last two digits of the CAN are in the set {05, 20, 45, 70, 95} at
any time, beginning January 1, 1999. The HIC number is assigned by the Social Security Administration (SSA)
when a person becomes eligible for benefits; however, the number may change over time if a person’s
reason for entitlement changes. The CAN number is the policy number of the wage earner who is eligible
for benefits, which means that the CANs for spouses are joined. A marriage may cause a change in the HIC
due to entitlement for benefits through the spouse. One variable is designed to make it easy to identify
the random 5% sample for a particular year (the 5% flag—FIVEPCT); a second variable makes it possible
to follow this sample longitudinally even when a HIC change causes the person to drop out of the 5%
sample at a later point in time (the enhanced 5% flag—EFIVEPCT).
A
Acceptable Risk Safeguards (ARS) – The Centers for Medicare & Medicaid Services' (CMS) implementation
for the selection and tailoring of the controls. The current version of the ARS is available in the CMS
Information
Security
Library
(http://www.cms.gov/Research-Statistics-Data-and-Systems/CMSInformation-Technology/InformationSecurity/Information-Security-Library.html).
Additional Uses of QE Medicare Data – Expanded uses of QE Medicare Data under the Medicare Access
and CHIP Reauthorization Act of 2015 (MACRA). The Rule, as required by MACRA, allows organizations
approved as qualified entities to confidentially share or sell analyses of Medicare and private sector claims
data to “authorized users:” providers, employers, and other groups that can use the data to support
improved care. In addition, qualified entities may provide or sell claims data to providers and suppliers,
such as doctors, nurses, and skilled nursing facilities among others. The Rule also includes strict privacy
and security requirements for all entities receiving patient identifiable and beneficiary de-identified
analyses or data, as well as expanded annual reporting requirements. 15
Alternative Measure – A non-standard measure, calculated in full or in part from claims data from other
sources and standardized extracts of Medicare Parts A and B claims data, and Part D prescription drug
event (PDE) data, that has been deemed to be more valid, reliable, responsive to consumer preferences,
cost-effective, or relevant to dimensions of quality and resource use than existing claims-based standard
measures.
Annual Report – An online module provided to QEs by the QECP team in order to collect the required
annual reporting information.
Applicant – An entity who is in the process of submitting their Phase 1 application for QE certification, or
has submitted their application and is awaiting a CMS certification decision.
Application – Comprised of all information submitted by entities during the application process, including
general information, contact information, mailing address, self-assessments, text submitted in comment
CMS Finalizes Rule Giving Providers and Employers Improved Access to Information for Better Patient Care.
07/01/2016. Available at: https://www.cms.gov/newsroom/press-releases/cms-finalizes-rule-giving-providers-andemployers-improved-access-information-better-patient-care
15

QECP Program Guide

Appendix A: Glossary

67

boxes, evidence/supporting documentation, data security plan of action and milestones (POAM) (if
required), and signature.
Assessment – A statement describing the program requirement and performance expectations. The entity
must demonstrate compliance with the assessment statement to meet the minimum requirements and
receive approval for the element.
Attribution of Patient Services and Episodes – The application of specific rules to assign a particular
patient's services or episodes to a specific provider.
Authorized User – A third party and its contractors (including, where applicable, business associates as
that term is defined at 45 CFR §160.103) to which a qualified entity may provide or sell data or non-public
analyses. Authorized users are limited to the following entities:
• A provider
• A supplier
• A medical society
• A hospital association
• An employer
• A health insurance issuer
• A health care provider and/or supplier association
• A state entity
• A federal agency
B
Beneficiary Identifiable – Any data or analyses that contain the beneficiary’s name, Medicare Health
Insurance Claim Number (HICN), or any other direct identifying factors including, but not limited to, postal
address or telephone number. See also Patient Identifiable.
C
Chronic Conditions Data Warehouse (CCW) – A research database designed to make Medicare, Medicaid,
and Part D prescription drug event (PDE) data more readily available to support research to improve the
quality of care and reduce costs and utilization.
Claim – An itemized billing statement from a provider or supplier that, except in the context of Part D
prescription drug event data, requests payment for services and supplies that were furnished to a
Medicare beneficiary in the Medicare fee-for-service context, or to a participant in other insurance or
entitlement program contexts. In the Medicare program, claims files are available for each institutional
(inpatient, outpatient, skilled nursing facility, hospice, or home health agency) and non-institutional
(physician, and durable medical equipment provider) claim type.
Clinical Data – Registry data, chart-abstracted data, laboratory results, electronic health record
information, or other information related to the care or services furnished to patients that is not included
in administrative claims data, but is available in electronic form.
CMS Data Use Agreement (DUA) – A contractual agreement between CMS and an external entity, which
must be established prior to disclosing data and which requires the entity to comply with the

QECP Program Guide

Appendix A: Glossary

68

requirements of the Federal Privacy Act, the HIPAA Privacy Rule, and CMS data release policies.
Combined Data – At a minimum, a set of CMS claims data provided under the QE regulations (42 CFR §
401.701–401.722) combined with claims data, or a subset of claims data, from at least one of the other
claims data sources described in 42 CFR § 401.707(d).
For the purposes of qualified clinical data registries acting as quasi qualified entities under the Qualified
Entity Program requirements, combined data is defined as, at a minimum, a set of CMS claims data
provided under 42 CFR Part 401, Subpart G, combined with clinical data or a subset of clinical data.
Composite Measure – A combination of two or more component measures, each of which individually
reflects quality of care, into a single performance measure with a single score 16.
Control Family – Used in NIST Special Publication (SP) 800-53 and the CMS Acceptable Risk Standards (ARS)
to organize and structure data security controls into logical families. Each family contains security controls
related to the general security topic of that family. The QECP Phase 2 minimum requirements review is
centered on these control families.
Corrective Action Plan (CAP) – Imposed as a result of the highest level of violation of QE program
requirements. The CAP, provided by the QE, consists of both a remediation plan and evidence of
remediation, which will be reviewed by relevant SMEs.
Corrective Action Plan (CAP) Request – A Corrective Action Plan (CAP) Request is issued by CMS to correct
a compliance issue with a QE’s performance under the QECP. A CAP Request describes the compliance
issue, outlines the steps required to address the issue, sets a timeline by which the QE must address the
issue, and specifies that QEs must track their progress toward CAP completion.
D
Data Breach – A data breach is a security incident in which sensitive, protected, or confidential data are
copied, transmitted, viewed, stolen, or used by an unauthorized third party. A data breach may be
intentional or unintentional.
Data Sources – The QE regulations (42 CFR § 401.703(h)) define claims data from other sources as
“provider- or supplier-identifiable claims data that an applicant or qualified entity has full data usage right
to due to its own operations or disclosures from providers, suppliers, private payers, multi-payer
databases, or other sources.” Qualified Clinical Data Registries (QCDRs) may use clinical data to meet the
need for other data sources.
DUA Custodian(s)- Individuals who will have actual possession of the CMS data files, and who will be
responsible for observance of all conditions of use, including the establishment and maintenance of
security arrangements to prevent unauthorized use. This is a required role on the DUA and in rare
instances may be the same individual as the Requester.

Definition from NQF’s Glossary of Terms:
https://www.qualityforum.org/Measuring_Performance/Submitting_Standards/NQF_Glossary.aspx
16

QECP Program Guide

Appendix A: Glossary

69

DUA Requestor- The person authorized to legally bind their organization to the terms specified in the
DUA. This is a required role on the DUA.
E
Efficiency Measure – The cost of care associated with a specified level of health outcomes. 17
Element – In order to determine an entity’s compliance with the program requirements, the program
requirements have been organized into a series of elements. Each element includes an assessment and
evidence requirements.
Employer – Any person acting directly as an employer, or indirectly in the interest of an employer, in relation
to an employee benefit plan; includes a group or association of employers acting for an employer in such
capacity, as defined in section 3(5) of the Employee Retirement Insurance Security Act of 1974.
Entity – Any legally recognized organization (public or private) interested in applying for certification to
become a qualified entity (QE).
Evidence – An item that is submitted to demonstrate compliance with an element and allows reviewers
to evaluate whether the entity meets the requirement.
F
Full Data Usage Rights – Sufficient usage rights, due to the qualified entity’s own operations or disclosures
from providers, suppliers, private payers, multi-payer databases, or other sources, to the other sources of
claims data to allow the qualified entity to use that data for the purposes required and permitted under
the QE program (including, but not limited to public reporting and calculating provider performance
measures and combining other-payer data with Medicare FFS data).
G
H
Health Care Provider and/or Supplier Association – A nonprofit organization or association that provides
unified representation and advocacy for providers and suppliers at the national or state level and whose
membership is comprised of a majority of suppliers or providers.
Health Insurance Issuer – An insurance company, insurance service, or insurance organization (including
a health maintenance organization) which is licensed to engage in the business of insurance in a State and
which is subject to State law that regulates insurance, as defined in section 2791 of the Public Health
Service Act.
Health Plan – An organization that acts as an insurer for an enrolled population. 18
Health Insurance Portability and Accountability Act of 1996 (HIPAA) – The HIPAA Privacy Rule establishes
Definition from NQF’s Glossary of Terms:
https://www.qualityforum.org/Measuring_Performance/Submitting_Standards/NQF_Glossary.aspx
18
Definition from NQF’s Glossary of Terms:
https://www.qualityforum.org/Measuring_Performance/Submitting_Standards/NQF_Glossary.aspx
17

QECP Program Guide

Appendix A: Glossary

70

national standards to protect individuals’ medical records and other personal health information and
applies to health plans, health care clearinghouses, and those health care providers that conduct certain
health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of
personal health information, and sets limits and conditions on the uses and disclosures that may be made
of such information without patient authorization. The Rule also gives patients’ rights over their health
information, including rights to examine and obtain a copy of their health records, and to request
corrections.
For more information, visit https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
Hospital Association – A nonprofit organization or association that provides unified representation and
advocacy for hospitals or health systems at a national, state, or local level and whose membership is
comprised of a majority of hospitals and health systems.
I
J
K
L
Lead Entity – An entity that chooses to contract with one or more outside entities to meet the minimum
requirements of the QECP and function as a QE. The lead entity is responsible for completing the
application, including the submission of contractual agreements with all outside entities. In addition, the
lead entity is responsible for ensuring that outside entities comply with all program requirements related
to the CMS Data Use Agreement (DUA), minimum requirements, monitoring, and ongoing program
administration.
M
Marketing – A communication about a product or service that encourages recipients of the
communication to purchase or use the product or service, as defined by 45 CFR § 164.501. Marketing is
also defined as an arrangement between a covered entity and any other entity whereby the covered entity
discloses protected health information to the other entity in exchange for direct or indirect remuneration,
for the other entity or its affiliate to make a communication about its own product or service that
encourages recipients of the communication to purchase or use that product or service.
Measure (see Alternative Measure, Composite Measure, Efficiency Measure, Quality Measure,
Resource Use Measure, Standard Measure)
Medical Society – A nonprofit organization or association that provides unified representation and
advocacy for physicians at the national or state level and whose membership is comprised of a majority
of physicians.
Medicare Part A Claims Data – Fee-for-service claims from institutional health care providers that include
the following claim types:
•

Inpatient – From inpatient hospital providers for reimbursement of facility costs (includes
variables such as diagnosis and procedure codes, diagnosis related groups (DRG), dates of
service, reimbursement amount, and provider number)
QECP Program Guide

Appendix A: Glossary

71

•

Skilled Nursing Facility – From skilled nursing facilities (includes variables such as diagnosis and
procedure codes, dates of service, reimbursement amount, and provider number)

•

Outpatient – From outpatient providers, such as hospital outpatient departments, rural health
clinics, renal dialysis facilities, outpatient rehabilitation facilities, and community mental health
centers (includes variables such as diagnosis and procedure codes, CMS Common Procedure
Coding System codes, dates of service, reimbursement amount, provider number, and revenue
center codes)

•

Hospice – From hospice providers (includes variables such as level of hospice care received [e.g.,
routine home care, inpatient respite care], terminal diagnosis code, dates of service,
reimbursement amount, and provider number)

•

Home Health – From home health care providers (includes variables such as number of visits,
types of visit, diagnosis codes, dates of visits, reimbursement amount, and provider number).

Medicare Part B Claims Data – Fee-for-service claims from non-institutional health care providers that
include the following claim types:
•

Carrier – From non-institutional providers such as physicians, physician assistants, clinical social
workers, nurse practitioners, independent clinical laboratories, ambulance providers, and freestanding ambulatory surgical centers (includes variables such as diagnosis and procedure codes,
CMS Common Procedure Coding System codes, dates of service, reimbursement amount, and
provider number)

•

Durable Medical Equipment Regional Carrier – From durable medical equipment suppliers
(includes variables such as diagnosis codes, CMS Common Procedure Coding System codes,
dates of service, reimbursement amount, and provider number).

Medicare Part D Prescription Drug Event (PDE) Data – Summary extracts of CMS-defined standard
prescription fills (not individual drug claim transactions) submitted by Medicare prescription drug plan
sponsors to CMS. The PDE data include such variables as prescriber identifier, quantity dispensed, days
supply, fill number, gross drug cost below/above out-of-pocket threshold, patient pay amount, and other
transactional information.
Minimum Requirements – The collection of elements that an entity must meet to become certified as a
qualified entity. These requirements are derived directly from the QE regulations (42 CFR § 401.705–
401.717).
Monitoring Review – A review that may occur at any time after a QE has obtained QE Medicare data. The
purpose of this review is to ensure QE compliance with selected elements related to data security,
measurement, reporting, and the corrections and appeals process as described and approved in the QECP
application. As referenced in the QE regulations (42 CFR § 401.719), monitoring may include an onsite visit
to review the documented and physical evidence submitted for the selected standards.
N
O

QECP Program Guide

Appendix A: Glossary

72

Ongoing Program Administration (OPA) – A mechanism by which the QECP team observes QEs’
compliance with all QECP elements throughout their 3-year QE certification period. During OPA, the QECP
team will interact with all certified QEs to provide ongoing program support; communicate with QEs about
any deficiencies that were identified and resolved during the minimum requirements review, any
monitoring reviews, and any CAPs that were required; and interact with QEs that report changes in key
aspects of their program, such as adding measures. As part of OPA, the QECP team also will review QEs’
annual reports.
Other-Payer Claims Data – Provider- or supplier-identifiable claims data to which an applicant or qualified
entity has full data usage rights due to its own operations or disclosures from providers, suppliers, private
payers, multi-payer databases, or other sources.
P
Patient-Identifiable - Any data or analyses that contain the patient’s name, Medicare Health Insurance
Claim Number (HICN), or any other direct identifying factors including, but not limited to, postal address
or telephone number. See also Beneficiary Identifiable.
Personally Identifiable Information (PII) – Information that can be used to distinguish or trace an
individual’s identity, either alone or when combined with other personal or identifying information that
is linked or linkable to a specific individual.
Program Guide – A comprehensive document that describes QECP operations and policies, including all
CMS requirements that entities and certified QEs must meet, as well as an overview of the application
process. The Program Guide is revised and released annually in its entirety.
Program Manager (PM) – The QECP staff member who is the entity’s primary point of contact throughout
the QECP process and who is responsible for validating the completeness of all materials submitted for
QECP review, assigning the entity to a review team, assisting the entity throughout its QECP participation,
and facilitating contact between the entity and the QECP team.
Protected Health Information (PHI) - Individually identifiable health information. For more information
see HIPAA regulations at 45 CFR 160.103.
Providers – The term used to collectively refer to providers of services and suppliers. Providers’
performance will be calculated and publicly reported by QEs.
Providers of Services – A provider is defined in 42 CFR § 400.202 as “a hospital, a CAH [critical area
hospital], a skilled nursing facility, a comprehensive outpatient rehabilitation facility, a home health
agency, or a hospice that has in effect an agreement to participate in Medicare, or a clinic, a rehabilitation
agency, or a public health agency that has in effect a similar agreement but only to furnish outpatient
physical therapy or speech pathology services, or a community mental health center that has in effect a
similar agreement but only to furnish partial hospitalization services.”
Public Reporting – Primary purpose of the QE program, wherein QEs must release public provider
performance analyses annually based on combined other-payer and QE Medicare data, using standard or
approved alternative measures. The reports must include a description of the measures used that can be

QECP Program Guide

Appendix A: Glossary

73

easily understood by consumers.
Q
Qualified Clinical Data Registry (QCDR) – An entity meeting the requirements promulgated under the
Social Security Act §1848 (m)(3)(E). A Centers for Medicare & Medicaid Services (CMS)-approved QCDR is
an entity that collects clinical data from MIPS clinicians (both individual and groups) and submits it to
CMS on their behalf for purposes of MIPS. The QCDR reporting option is different from a qualified
registry because it is not limited to measures within the Quality Payment Program. The QCDR can
develop and submit for CMS approval, QCDR measures (formally referred to as non-MIPS measures
within the CY 2017 Quality Payment Program final rule).
Qualified Entity (QE) – A single public or private entity, or a lead entity and its contractors, or, if the entity
is a collaborative, any member organization of the collaborative, that (1) is qualified, as determined by
the Secretary, to use claims data to evaluate the performance of providers on measures of quality,
efficiency, effectiveness, and resource use, and (2) agrees to meet the regulatory requirements in 42 CFR
§ 401.701–401.722.
Qualified Entity Certification Program (QECP) – The product of the QE regulations (42 CFR § 401.701–
401.722), which was developed so that interested entities that successfully meet the criteria outlined in
the QE regulations may become certified as qualified entities and maintain their QE status.
Qualified Entity Data Use Agreement (QE DUA) – A data use agreement between a QE and an authorized
user that contains specific provisions as required in the QE regulations (42 CFR § 401.713(d)) and is
required as a precondition of a QE providing or selling combined data or non-public analyses, or providing
Medicare data at no cost, to an authorized user.
Quality Measure – Numeric quantification of health care quality for a designated health care provider,
such as a hospital, health plan, nursing home, clinician, etc. 19
Quasi QE – A qualified clinical data registry that agrees to meet all the requirements in 42 CFR Part 401,
Subpart G, with the exception of § 401.707(d), may request access to Medicare data as a quasi qualified
entity in accordance with such qualified entity program requirements.
QE Medicare Data – The standardized extracts of Medicare Parts A and B claims data and Part D
prescription drug event (PDE) data that a QE is eligible to receive under the CMS DUA.
QE Regulations – 42 CFR Part 401, Subpart G, § 401.701–401.722, Availability of Medicare Data for
Performance Measurement, implements Section 10332 of the Affordable Care Act regarding the release
and use of standardized extracts of Medicare claims data for qualified entities to measure the
performance of providers of services (referred to as providers) and suppliers. The regulation explains how
entities can become qualified by CMS to receive standardized extracts of claims data under Medicare
Parts A, B, and D for the purpose of evaluating the performance of providers and suppliers. This rule also
lays out the criteria qualified entities must follow to protect the privacy of Medicare beneficiaries.

Definition from NQF’s Glossary of Terms:
https://www.qualityforum.org/Measuring_Performance/Submitting_Standards/NQF_Glossary.aspx
19

QECP Program Guide

Appendix A: Glossary

74

For more information visit http://www.gpo.gov/fdsys/pkg/FR-2011-12-07/pdf/2011-31232.pdf; amends
made July 1, 2016, are available at http://federalregister.gov/a/2016-15708.
QECP Data Security Workbook – A Microsoft Excel workbook that must be submitted by QEs in order to
pass Phase 2 of the QECP minimum requirements review.
QECP Online Application – An online tool that supports the submission, review, and approval of
applications from entities. It also facilitates ongoing technical support throughout the application process.
R

Reapplication – Process undergone by a QE in good standing 6 months before the end of its 3-year
certification approval period in order to continue receiving QE Medicare data. As part of reapplication,
QEs must submit documentation of any changes to their previously approved application.

Reliability – The repeatability or precision of measurement. Reliability of data elements refers to
repeatability and reproducibility of the data elements for the same population in the same time period.
Reliability of the measure score refers to the proportion of variation in the performance scores due to
systematic differences across the measured entities (signal) in relation to random variation or noise. 20
Required by Law – A mandate contained in law that compels an entity to make a use or disclosure of
protected health information and that is enforceable in a court of law, as defined by 45 CFR 164.103.
Required by law includes, but is not limited to:
• Court orders and court-ordered warrants
• Subpoenas or summons issued by a court
• Grand jury
• Governmental or tribal inspector general
• Administrative body authorized to require the production of information
• Civil or authorized investigative demand
• Medicare conditions of participation with respect to health care providers participating in the
program.
• Statutes or regulations that require the production of information, including statutes or
regulations that require such information if payment is sought under a government program
providing public benefits.
Resource Use Measure – Comparable measures of actual dollars or standardized units of resources
applied to the care given to a specific population or event—such as a specific diagnosis, procedure, or type
of medical encounter. 21
Review – Activity performed by the QECP team to evaluate whether an entity meets the program
requirements, either for the initial application for certification, monitoring after certification, or
reapplication for recertification.

Definition from NQF’s Glossary of Terms:
https://www.qualityforum.org/Measuring_Performance/Submitting_Standards/NQF_Glossary.aspx
21
Definition from NQF’s Glossary of Terms:
https://www.qualityforum.org/Measuring_Performance/Submitting_Standards/NQF_Glossary.aspx
20

QECP Program Guide

Appendix A: Glossary

75

Review Team – Inclusive of the QECP Program Manager, administrative reviewer, and executive reviewer.
All members of the review team must have specific educational and experience qualifications.
S
Self-assessment – The independent decision of entities regarding whether or not they meet the
requirements described in the QE application. While submitting supporting documentation for each
element during the application process, entities must answer “yes,” “no,” or “not applicable” in the selfassessment field to indicate whether they meet the requirements for the element and must provide an
explanation in the comment box.
Standard Measure – A measure that is calculated in full or in part from claims data from other sources
and the standardized extracts of Medicare Parts A and B claims data and Part D prescription drug event
(PDE) data. The measure must fall into one of the following categories: the measure is endorsed (or timelimited endorsed) by the entity with a contract under Section 1890(a) of the Social Security Act (currently
the National Quality Forum [NQF]); the measure is currently being used in a CMS program that includes
quality measurement; or the measure is endorsed by a CMS QE Consensus Based Entity (CBE).
Standardized Extracts – Medicare Parts A and B claims data and Part D prescription drug event (PDE) data
representing 100 percent of the claims in the Chronic Conditions Data Warehouse (CCW) for Medicare
beneficiaries in a specific geographic area (nation, state, county, MSA, etc.) during a specific time period.
These data will be provided to qualified entities after approval of the CMS DUA and receipt of payment
for fees.
State Entity - Any office, department, division, bureau, board, commission, agency, institution, or
committee within the executive branch of a state government.
Suppliers – As defined in 42 CFR § 400.202, “suppliers” are physicians or other practitioners, or entities
other than providers, that furnish health care services under Medicare and whose performance will be
calculated and publicly reported by QEs.
T
Technical Correction - A Technical Correction request is issued by CMS to correct a compliance issue with
a QE’s performance under the QECP. A Technical Correction describes the compliance issue, outlines the
steps the QE needs to take to come back into compliance, and sets a timeline by which the QE must
address the issue.
U
V
Validation – The first step taken by the QECP team in reviewing an application for QE certification, which
ensures that all self-assessments are complete, evidence has been provided for all applicable elements,
and contact information is complete as submitted. If the application is “valid” and therefore deemed to
be complete, the administrative and executive reviews commence. If an application does not pass
validation, the entity’s Program Manager will contact the entity for additional information or evidence.
Validity – Refers to the correctness of measurement. Validity of data elements refers to the correctness
of the data elements as compared to an authoritative source. Validity of the measure score refers to the
correctness of conclusions about quality that can be made based on the measure scores (i.e., a higher
QECP Program Guide

Appendix A: Glossary

76

score on a quality measure reflects higher quality). 22
Violation – A failure to comply with a requirement of a DUA. A QE may not, under any circumstances, use
a measure, create a report, or issue a report after a violation of the DUA until the QECP team receives and
reviews the notification of the violation and informs the QE of any changes to its relationship with CMS,
including whether the QE’s DUA has been terminated.
W
X
Y
Z

Definition from NQF’s Glossary of Terms:
https://www.qualityforum.org/Measuring_Performance/Submitting_Standards/NQF_Glossary.aspx
22

QECP Program Guide

Appendix B: QECP Resources

77

Appendix B : QECP Resources
Resource

Description and Purpose

Location

QECP Helpdesk
email

Contact a Program Manager

[email protected]

QECP Webpage

Provides general information about the Medicare
Data Sharing Program, the QE application,
frequently asked questions (FAQs), and educational
QECP webinar recordings

http://www.QEMedicareData.org

QECP Password
Resets and
Changing User
Access to the
Online Portal

To grant or change your organization`s user access
to the QECP online portal or to reset your
password; please contact your program manager

[email protected]

QECP Portal
Users Guide

A guide to the QECP Application

https://www.qemedicaredata.org/reso
urce/1570803370000/QECPPortalUser
Guide

The Affordable Care Act of 2010 includes a
provision for the Secretary to make available to
qualified entities standardized extracts of Medicare
claims data under Parts A, B, and D for the purpose
of measuring health care provider and supplier
performance.

http://www.gpo.gov/fdsys/pkg/BILLS111hr3590pp/html/BILLS111hr3590pp.htm

QE regulations
(42 CFR
§401.701401.722)

The QE regulations establish the requirements of
the QECP and the QE CBEC Program.

https://www.gpo.gov/fdsys/pkg/FR2011-12-07/pdf/2011-31232.pdf

Medicare
Access and
CHIP
Reauthorization
Act (MACRA) of
2015 (see
Section 105)

The final rule expands how QEs may use and
disclose data under the program. This rule explains
how QEs may create non-public analyses and
provide or sell such analyses to authorized users, as
well as how qualified entities may provide or sell
combined data, or provide Medicare claims data
alone at no cost, to certain authorized users.

https://www.federalregister.gov/docu
ments/2016/07/07/201615708/medicare-program-expandinguses-of-medicare-data-by-qualifiedentities

ResDAC
webpage on
the Qualified
Entity Program

General information about the Medicare Data
Sharing Program, CMS Data Use Agreement
instructions, payment processing, Medicare data
training opportunities, and data corrections
procedures

https://www.resdac.org/requester/qu
alified-entity

Patient
Protection and
Affordable Care
Act (see Section
10332)

QECP Program Guide

Appendix B: QECP Resources

CMS webpage
on the
Qualified Entity
Program

CMS general information page for the Medicare
Data Sharing Program, which also directs
individuals to the appropriate resources for
applying to become a QE and requesting QE
Medicare data

78

http://www.cms.gov/QEMedicareData

QECP Webinars

Webinar

Description and Purpose

Location

QE 101

Provides an overview of
the QECP

QE 101 Webinar (QECP website  Application tab  Webinars
 QE 101 Webinar)

Salesforce
Webinar

Provides an overview of
the
QECP
Salesforce
application

Salesforce Webinar (QECP website  Application tab 
Webinars  QECP Salesforce Webinar)

Phase 1

Provides an overview of
Phase 1 of the QECP
application

Phase 1 Webinar (QECP website  Application tab  Phase 1
Header Webinars Phase 1 Webinar)

Provides an overview of
Phase 2 of the QECP
application

Phase 2 Webinar (QECP website  Application tab  Phase 2
Header Webinars Phase 2 Webinar)

Phase 2
Provides an overview of
the new ARS 3.1 data
Security requirements

Phase 2 Webinar (QECP website  Application tab  Phase 2
Header Webinars ARS 3.1 Webinar)

Phase 3

Provides an overview of
Phase 3 of the QECP
application

Phase 3 Webinar (QECP website  Application tab  Phase 3
Header Webinars Phase 3 Webinar)

Annual Report

Provides a guide to the
Annual Report instructions

Annual Report Webinar (QECP website  QE Program
Information tab  Ongoing Program Administration Header
Webinars  QE Annual Report Webinar)

Permissible
Uses of Data

Provides an overview of
Section 105 of MACRA and
its implications for QEs,
including permissible uses
of QE Medicare data

Permissible Uses of Data Webinar (QECP website  QE Program
Information tab  Uses of Medicare Data Header Webinars
Permissible Uses of Data Under the QE Program Webinar)

Data
Dissemination

Provides an understanding
about the QE data
dissemination process and
additional information on

Data Dissemination Webinar (QECP website  QE Program
Information tab  Data Availability and Cost Header Webinars
Data Dissemination and Integration)

QECP Program Guide

Appendix B: QECP Resources

79

processing
Medicare
claims and prescription
drug event data sets
Provides an overview of
the
CMS
data
use
agreement specific to the
QECP

DUA

DUA Webinar (QECP website  Application tab  Phase 2
Header Webinars DUA Webinar)

QECP Tip Sheets

Tip Sheet

Description and Purpose

Location

Uses
of
Medicare
Data

Provides information on data
use, applicable users, and
required
contractual
agreements for use of the QE
Medicare data as part of the
QECP

Uses of QE Medicare Data Tip Sheet Permissible Uses of Data
Webinar (QECP website  QE Program Information tab  Uses
of Medicare Data Header Toolkits Uses of QE Medicare Data
Tip sheet)

QE Public
Reporting

Provides
information
on
ensuring
QE
program
compliance when producing
and publishing public reports

QE Public Reporting Tip Sheet (QECP website  Application tab
 Phase 3 Header Toolkits QE Public Reporting Tip Sheet)

QECP Program Guide


File Typeapplication/pdf
AuthorAnna [email protected];Lauren Weinmann;David Schneider
File Modified2022-01-24
File Created2022-01-24

© 2024 OMB.report | Privacy Policy