CMS-10501 - HFPP_PRA Supporting Statement 2017-2

CMS-10501 - HFPP_PRA Supporting Statement 2017-2.docx

Healthcare Fraud Prevention Partnership (HFPP): Data Sharing and Information Exchange (CMS-10501)

OMB: 0938-1251

Document [docx]
Download: docx | pdf

REVISED - SUPPORTING STATEMENT

Healthcare Fraud Prevention Partnership

(HFPP) Data Sharing and Information Exchange

(CMS-10501/OMB Control Number: 0938-1251)

BACKGROUND

The Healthcare Fraud Prevention Partnership (HFPP) is a joint initiative, established by the Department of Health and Human Services (HHS) and the Department of Justice (DOJ), to detect and prevent healthcare fraud, waste, and abuse. A central goal of the HFPP is to identify optimal ways to coordinate nationwide sharing of healthcare claims information, including the aggregation of claims and payment information from large public healthcare programs and private insurers. Through data and information-sharing and the application of analytic capabilities by the public and private sectors, the HFPP supports a data-driven model for the prediction, identification, and prevention of aberrant activity.

Current HFPP partners include private insurers; the Centers for Medicare & Medicaid

Services (CMS) and other federal agencies, such as the HHS Office of Inspector General

(OIG), the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI); state Medicaid agencies; and antifraud associations.

The HFPP’s organizational structure is made up of an Executive Board (EB), a Data Analysis and Review Committee (DARC), an Information Sharing Committee (ISC), and a Trusted Third Party (TTP) that provides the technical and operational platform to support the partnerships’ data sharing, collaboration, and study outreach activities. Through its enablement of data sharing and analytical computing capabilities, the TTP is central to the success of the HFPP.

A. JUSTIFICATION 1. Need and Legal Basis

Section 1128C(a)(2) of the Social Security Act (42 U.S.C. § 1320a-7c(a)(2)) authorizes the Secretary and the Attorney General to consult, and arrange for the sharing of data with, representatives of health plans for purposes of establishing a Fraud and Abuse Control Program as specified in Section 1128(C)(a)(1) of the Social Security Act. The result of this authority has been the establishment of the HFPP. The HFPP was officially established by a Charter in the fall of 2012 and signed by HHS Secretary Sibelius and US Attorney General Holder.

Data sharing within the HFPP primarily focuses on conducting studies for the purpose of combatting fraud, waste, and abuse. These studies are intended to target specific vulnerabilities within the payment systems in both the public and private healthcare sectors. The HFPP and its committees design and develop studies in coordination with the TTP. The core function of the TTP is to manage and execute the HFPP studies within the HFPP. Specifically, the TTP collects and consolidates partner (both public and private) study-related data in order to share information among the HFPP pertaining to analytical tools and techniques; study analysis; successful anti-fraud practices, trends and vulnerabilities; and reports that maintain the confidentiality of its source data. The data and information collected by the TTP can be categorized as follows:

  • Process and Procedure Data and Information

The TTP is responsible for the lifecycle of HFPP activities, including initial partner engagement/on-boarding, the completion of HFPP studies and information sharing activities, and the close-out of relationships with organizations that are no longer involved with the HFPP. The TTP collects all pertinent HFPP partner-specific documentation necessary for successful interaction with the HFPP, which includes information associated with the breadth of healthcare payer services provided by the partners, the number of lives covered, etc. Additionally, the TTP collects information describing potential studies that the HFPP may undertake, including definitions and descriptions of potential vulnerabilities, timelines for data exchange, levels of monetary exposure to potential fraud schemes, and other pertinent material.

  • Study Data and Information

The TTP creates a plan that outlines the goal of the study, the method for achieving that goal, the data required to execute that method, and the analytic tools envisioned to analyze the data. Each study requires different types of data, participation from various HFPP partners (known as participating entities), and different models of execution. Studies are designed to have clear and measurable performance metrics and goals.

The TTP analyzes the data using the HFPP participating entities’ health insurance claims data, which is voluntarily sent in a generalized data call in a format of the participating entities choosing. The analysis phase of the study process includes: data acquisition, harmonization and merging, analysis, quality assurance, documentation, and reporting. Depending on the type of question answered by a study, this analysis phase might contain quantitative data analysis, qualitative data analysis, outlier analysis, clustering/grouping, entity resolution, trend analyses, time series analyses, networking analyses, trending, statistical summarization, and more. Examples of study data may include specific health insurance claim codes, geographic regions, specific timeframes, or healthcare provider types. Personally Identifiable Information (PII) and Protected Health Information (PHI) may be provided, as it enables the HFPP to proactively identify vulnerabilities in real time across participating entities, significantly increasing the value of the HFPP to its partners. It is not a requirement that a participating entity submits PII and PHI in its data set; however they will not have their payer matched outside their set of claims. Additionally, signing a Data Sharing Agreement with the TTP does not obligate a participating entity to share PII and PHI.

Finally, after conducting the analyses, the TTP generates de-identified and anonymized reports, and communicates study results to study participating entities. For this phase, the TTP collects and synthesizes outcomes and performance metrics, including data and information to document processes, best practices, and results. Reports summarize TTP performance, key accomplishments, planned activities, lessons learned, and any other relevant information.

  • Results, Outcomes, and Performance Data and Information

The TTP produces several possible outputs: a general summary and lessons learned of the analysis meant for the HFPP as a whole; a partner-specific summary report for those participating in a study; and a partner-specific detailed report for those participating in a study. While some of the data and information that are used to produce the reports is generated from the specific data provided, the TTP also collects information from the participating entities regarding the outcomes achieved from their participation in the HFPP studies (e.g., savings achieved, provider billing privilege revocations issued). For example, in some cases, the TTP reaches out to understand the steps taken by each partner as a result of the information/data exchange. The TTP may also collect information regarding the number of referrals made to law enforcement agencies, as well as the number of other administrative actions taken by the participating entities as a result of the information gained through the study.

2. Information Users

HFPP partners are responsible for data sharing and information exchange to address fraud, waste, and abuse issues of mutual concern. Current HFPP partners include private insurers; the Centers for Medicare & Medicaid Services (CMS) and other federal agencies, such as the

HHS Office of Inspector General (OIG), the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI); state Medicaid agencies; and antifraud associations. The

HFPP partners are also able to share results pertaining to their internal anti-fraud initiatives. See https://hfpp.cms.gov/about/current-partners.html

3. Improved Information Technology

All data will be collected in electronic format.

4. Duplication

This collection and sharing of data does not duplicate any other effort and the information cannot be obtained from any other source.

  1. Small Business

There is no burden on small businesses.

  1. Less Frequent Collection

There are no consequences to less frequent collection.

  1. Special Circumstances

There are no special Circumstances.

8. Federal Register Notice/Prior Consultation

The 60-day notice published in the Federal Register on January 19, 2017 (82 FR 6559).

A total of two (2) comments were received. Responses for those comments can be found in Appendix A of the ICR submission.

A 30-day Notice will publish in the Federal Register on April 6, 2017 (82 FR 16844).

No additional outside consultation was sought.

9. Payment/Gift to Respondents

There are no payments or gifts to partners.

10. Confidentiality

We pledge privacy to the extent allowed by law. The CMS Privacy Officer reviewed this collection and concluded that a System of Record (SORN) for the data systems involved in the program was not required. Information will be safeguarded in accordance with Departmental standards and National Institute of Standards and Technology (NIST)

Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations which limits access to only authorized personnel. The safeguards shall provide a level of security as required by Office of Management and Budget (OMB) Circular No. A-130 (revised), Appendix III – Security of Federal Automated Information Systems.

In addition to the above, although the TTP system has passed the CMS Security Controls Assessment (SCA) and obtained its Authority to Operate (ATO), the TTP has implemented additional controls to enhance the security posture of its system adding additional layers of protection to the Government’s already robust security framework.

11. Sensitive Questions

This data collection does not contain information pertaining to sex, behavior, attitude, religious beliefs or any other matters that are considered private or sensitive in nature.

The HFPP TTP information technology (IT) system and infrastructure received its ATO in September 2016, allowing it to officially accept and store data that contains both PHI and PII data on behalf of the HFPP. The HFPP TTP infrastructure contains multiple zones segregated by layers of firewalls with intrusion detection and intrusion prevention capabilities to ensure the PHI and PII data is securely transferred, stored, and processed.

The HFPP TTP also received its Privacy Impact Assessment (PIA) that explicitly mentions and lists the exchange of PII and PHI.

In addition, the HFPP TTP IT infrastructure is housed within a Federal Risk

Authorization Management Program (FedRAMP) compliant cloud service provider

(CSP) that is wholly owned by the TTP. The CSP meets the Federal Information Security Management Act (FISMA) standard of “high”, the top level of FISMA classification and one that is used for the most mission critical government agency programs. The HFPP solution is currently rated at FISMA Moderate, the level required for systems that store PHI or PII data.

The TTP recognizes the challenges involved in obtaining approval to submit PHI and PII from its participating entities, but many studies and scenarios are impossible without this data. Examples of studies requiring the use of PHI and PII include, but are not limited to:

  • Billing for services for a diagnosis code outside of provider’s taxonomy

  • Beneficiary sharing across group practices for same services

  • False store front providers using stolen identities

  • Pharmacy prescriptions with no medical visit or no relevant diagnosis

  • Durable Medical Equipment claims with no relevant diagnosis

The TTP is prepared to collect a myriad of data points from the partners’ claims data including, but not limited to:

  • Member Social Security Number (SSN)

  • Member Sex

  • Member Data of Birth

  • Member State

  • Member Zip Code

  • Member Date of Death

Because the TTP will not have the member’s name or address anywhere in the data, the only option available to identify individuals across payers is to use the Social Security Number (SSN). Due to the sensitivity of SSNs, the TTP will use a one-way hashing technique that will generate a 32 character alphanumeric string to use as a unique HFPP Identification (ID) number. The hashing technique transforms the SSN in such a way that it is virtually impossible to reconstruct the original number from the HFPP ID. This approach eliminates the need to retain the SSN after initial processing yet allows the TTP to identify an individual, not a person, who is being billed under two or more payers. Combined with the other transformations of the input claims record, there will be no need for PII to be stored for processing.

12. Burden Estimate

CMS expects to implement various studies for the HFPP over the course of the 3-year approval. Each HFPP partner will voluntarily participate in the studies that are pertinent and effective in detecting fraud, waste, and abuse within its organization. It is also estimated that approximately three (3) studies will be conducted per year.

CMS estimates the burden on its new monthly format. Participating entities will acquire an average annual burden of 160 hours of partner engagement and support based on an initial two year data pull followed by a monthly submission. The initial data pull will take

120 hours for year 1 with no burden hours associated with years 2 and 3 for an average of

40 hours annually. The burden hours for monthly submissions which will be approximately 120 hours per year (Years 1, 2, and 3 or a total of 360 hours) per partner for an average annual burden of 120 hours. This includes burden hours necessary for data extract, quality assurance, definition resolution, and information/data transmission over the 3 year period. Participating state partners will have an annual burden of 0 hours since the data will be submitted using one agent and are not included in our estimated annual average. The burden hour total is 7,200 hours or approximately 2400 hours across three-years.

Table 1 outlines the burden estimates0 that we foresee partners potentially experiencing:



Table 1: Annual Burden Estimate



Estimated

Average

Annual

Processing

Time for

Initial Data Pull (Per

Partner - in hours)

Estimated

Average Annual

Processing Time for Monthly

Submission –

Total Years 3 (Per

Partner - in hours)

Estimated

Partners per Study

Estimated Total Annual

Processing Time

All Partners (in hours)

Per Hour Rate of

Computer or

Information

Analyst (Code

15-1120)

Estimated Total

Processing Rate - Yearly

Data Extraction and

Submission – Year 1

Aggregate

120

120

20*

2,400

$87.12

$418,176

Data Extraction and Submission – Years 2 and 3

Aggregate

0

240

20*

4,800

$87.12

$418,176

Estimated Annual

Total Hours and Cost

Burden

120

360

20*

7,200

$87.12

$278,784

*Assumes 20 HFPP Partners participating in each study, excluding states.

13. Capital Costs

CMS is responsible for all costs to create a secure Partner Portal for HFPP and for creating a data repository for data collection and data analysis.

14. Costs to Federal Government

Costs to CMS to implement this program include administrative costs as well as costs of contractor support in various functional areas including technical and business services and products. The annual contractor support cost is $6,614,695.

15. Program/Burden Changes

The HFPP TTP is implementing a shift in the way studies are conducted for the purpose of detecting and deterring fraud, waste, and abuse among its partners. Moving to a framework with frequently updated data, including PHI and PII, the TTP will enable the HFPP to proactively identify vulnerabilities across participating entities in real time, significantly increasing the value of the HFPP to its partners. The TTP has developed a new process and expanded the set of data elements for submission by partners using a

Cloud environment and resources that allows it to analyze data that is stored in many formats in the same file. It also allows for the partners to choose how to provide the data taking advantage of files, formats, and processes that the partners’ IT departments are using, either with the Special Investigations Unit (SIU), other internal components, or with third parties.

As a result of this new streamlined process which incorporates procedures aimed at reducing the time and effort involved in retrieving claims data, the annual burden hours per partner has decreased from 1200 to 160 while allowing for the number of respondents to be increased from 15 to 20.



The centers anticipate this to be an ongoing collection and request OMB approval for an additional three years.

16. Publication and Tabulation Dates

Data will not be made available to the general public.

17. Expiration Date

The OMB control number and expiration date will be included on each data collection instrument (top of page 1).

0 Based on Bureau of Labor Statistics, Occupational Employment Statistics, Occupational Employment and Wages, May 2015. Includes fringe benefits calculated at 100% of base wage.

http://www.bls.gov/oes/current/oes_nat.htm

File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorCMS
File Modified0000-00-00
File Created2021-01-22

© 2024 OMB.report | Privacy Policy