The Centers for Medicare and Medicaid Services released a final rule permitting “qualified entities” to sell Medicare claims data to providers and others for use in improving quality of care. The rule expands on CMS’ Qualified Entity Program, which permits organizations to apply to become qualified to receive Medicare Parts A, B, and D claims data to evaluate provider and supplier performance and produce public reports regarding such performance.  Qualified entities are subject to a number of requirements to participate in the current program, must enter into a data use agreement with CMS, pay a fee for the data, combine the data with non-Medicare claims data, and restrict use to evaluating the performance of providers and suppliers. Under the final rule, qualified entities are permitted to use combined data to perform non-public analyses for care delivery and quality improvement functions and to sell or otherwise provide these analyses to “authorized users” such as providers and employers.

The final rule imposes several privacy and security requirements on qualified entities that sell or provide analyses and data to authorized users. For example, qualified entities that are covered entities or business associates under HIPAA will be required to comply with applicable requirements of HIPAA. In addition, qualified entities will be subject to an assessment if patient-identifiable data is improperly disclosed by the entity or an authorized user.  According to the CMS press release, the expanded information sharing permitted under the final rule “is part of a broader effort by the Obama Administration to use data to help create a health care system that delivers better care for patients, spends dollars more wisely, and results in healthier people.”

The final rule becomes effective on September 6, 2016.