|To download a PDF of all FAQS, click here
QE Program Information
The Qualified Entity Certification Program (QECP), launched in January 2012, is the certification arm of the Qualified Entity Medicare Data Sharing Program. The purpose of the QECP is to evaluate and certify an entity’s ability to serve as a qualified entity (QE). Once certified, QEs are eligible to receive standardized extracts of Medicare Parts A and B claims data and Part D prescription drug event data for the purpose of evaluating the performance of providers.
The primary benefit of participating in the QE program is that qualified entities are able to obtain Medicare FFS data, enabling them to create a more complete picture of the quality and cost of care. Historically, collaborative measurement organizations focused on combining claims data from private payers within the community and sometimes from Medicaid programs. However, these organizations had no access to Medicare FFS data, which limited conclusions on the quality and cost of health care within communities.
Integrating Medicare FFS data into publicly available reports provides QEs with the ability to generate more robust and accurate performance measures. In addition, QEs may use the data received under the QE program to provide or sell non-public reports or combined data, or provide Medicare data at no cost, to certain authorized users. (Please see FAQ 51 for more information on the permissible uses of date under the QE program.)
Participation in the QE program thus advances the unique, innovative, organizational missions of QEs.
The QECP aims to improve the quality of provider performance, increase transparency in health care performance, provide information for employers and consumer groups to assist them in making more informed health care decisions, and spur innovation in the area of performance measurement.
Qualified entities (QEs) are permitted to use QE Medicare data (standardized extracts of Medicare Parts A and B claims data and Part D prescription drug event data) to generate performance reports for providers and suppliers on measures of quality, efficiency, effectiveness, and resource use. QEs are required to make these reports available to the public after providers and suppliers have been given an opportunity to review, appeal, and, when appropriate, correct performance results.
In addition, QEs may also use the Medicare data to provide or sell non-public reports or combined data, or provide Medicare data at no cost, to certain authorized users. For more information about the permissible uses of data under the QE program, please refer to FAQ 51.
General Application Requirements
To be eligible to participate in the program as a QE, an applicant (either itself or through contracts with other entities) must:
- Have access to claims data from other sources to combine with the Medicare data;*
- Have strong systems to ensure that the data are secure and protected; and
- Have experience in a variety of tasks related to the calculation and reporting of performance measures, including:
- combining claims data from different payers,
- designing performance reports,
- sharing performance reports with the public,
- working with providers and suppliers regarding requests for error correction, and
- ensuring the privacy and security of data.
*Qualified Clinical Data Registries (QCDR) wishing to become quasi qualified entities must fulfill all QE program requirements, with the exception of Elements 1E and 2A and, in certain cases, all standards and elements associated with Phase 3 (Element 2B and Standards 4-8). Refer to FAQs 8 and 9 for more information about QCDRs and quasi QEs.
Applicants may self-assess their readiness to apply for QECP certification by reviewing the phased QECP application requirements outlined in the QECP Application Readiness Checklist.
Since August 2012, CMS has implemented a four-phase minimum requirements review process:
- Phase 1 (Application for Certification)
- Phase 2 (Data Security)
- Phase 3 (Data Integration and Measures Reporting)
- Phase 4 (Public Reporting)
Detailed information about this review process is available in the QECP Operations Manual and Appendices. Additionally, interested applicants may wish to view the recorded QE 101 webinar.
There is no deadline for submitting applications for Phase 1 and Phase 2 certification; applications are accepted by CMS on a rolling basis. However, CMS requires that QEs obtain Phase 3 certification and release their first public performance report within one year of receiving the QE Medicare data.
More information is available at:
No, any entity that satisfactorily meets the eligibility requirements defined in 42 CFR 401.703(a) (either itself or through contracts with other entities) can participate in the QE program. CMS has not limited the types of organizations that may serve as qualified entities. All organizations that meet the application requirements will be considered without regard to organization type.
A quasi qualified entity (QE) is a Qualified Clinical Data Registry (QCDR) that meets all of the QECP program requirements, with the exception of the requirement to have other sources of claims data (Element 2A). Additionally, quasi QEs are exempt from meeting the requirements for Element 1E and, in certain cases, all standards and elements associated with Phase 3 (Element 2B and Standards 4-8).
Any QCDRs that meet these requirements may request access to QE Medicare data as a quasi QE. To apply to become a quasi QE, QCDRs should register on the QECP public website, www.qemedicaredata.org and complete a registration form. For more information on QCDRs, see the QCDR Toolkit.
To become a quasi QE and receive QE Medicare data, QCDRs will need to follow the same phased minimum requirements review process as other organizations seeking QE certification, with a few exceptions. Quasi QEs are exempt from meeting the requirements for Elements 1E and 2A and, in certain cases, all standards and elements associated with Phase 3 (Element 2B and Standards 4-8). Additionally, for QCDRs acting as quasi QEs, combined data refers to CMS claims data provided through the QE Program, combined with clinical data or a subset of clinical data.
QCDRs that apply for and meet the set of minimum requirements, obtain and execute a CMS Data Use Agreement (DUA), pay the associated fee for data extraction and delivery, and comply with the annual public reporting and ongoing program administration activities are deemed quasi qualified entities (quasi QEs) and are certified for 3 years.
Yes, multiple entities from the same region can apply to become a QE. If there are multiple organizations in an area that could serve as individual QEs, these organizations could decide to form contractual arrangements with each other and apply for the program under a lead applicant.
No, a vendor or contractual partner of a QE cannot be referred to as a QE unless the vendor submits an application as a lead QE. There is not a separate QE certification process for QE partners. All entities, regardless of current QE affiliation, must provide all application evidence as outlined in the QECP Operations Manual and Appendices.
An entity applying to be a QE must demonstrate 3 or more years of experience combining claims data, accurately calculating measures, verifying data, using a corrections process, and public reporting. QEs may choose to partner with other organizations or contractors to comply with this standard. Evidence of experience may include the demonstrated experience of the applicant, the applicant’s contractor(s), or, if the applicant is a collaborative, any member of the collaborative.
QEs may also use the experience of individuals within their organization or its contractors’ or members’ organizations to satisfy experience requirements.
Requirements for QIOs Serving as QEs
Yes, CMS has determined that an organization that has a QIO contract may also become a QE. However, the entity may not perform any QE-related work under the QIO contract or use QIO-allocated resources. Therefore, QIOs may not use their existing Standard Data Processing System (SDPS) to house QE data. In addition, QIOs must pay particular attention to the confidentiality and conflict of interest clauses in their QIO contract to ensure that their work as a QE will not conflict with their work as a QIO.
Yes, QIOs are permitted to re-use Medicare FFS claims data for the QE program; however, not all of the file types that are part of the QE data sets are provided to QIOs. A QIO must verify that the data it is currently receiving under the QIO program is comprehensive enough to re-use for the QE program and also must purchase any missing file types needed to conduct QE-related work. For more information on the process and cost associated with using already obtained Medicare FFS claims data under an existing DUA, please refer to FAQ 62.
Data Security and Privacy Requirements
Yes, the lead QE must assume responsibility for data integrity and security for themselves and their contracting partners. While a QE’s contractual partners may process the QE Medicare data, engage with providers in the corrections and appeals process, and produce public reports, under the CMS Data Use Agreement (CMS DUA), the lead QE is ultimately responsible to CMS for the integrity and security of the QE Medicare data.
To demonstrate compliance with the Data Security standard (Standard 3), every contractor or organization within the QE that has access to beneficiary identifiable data must complete the QECP Data Security Workbook. The workbook is used to assess the QE’s responses to 213 moderate-level data security controls, which are organized across 26 logical control families (e.g., risk assessment, access control, media protection, program management). The controls consist of 50 primary data security controls and 163 secondary data security controls.
QEs must demonstrate full compliance with and implementation of the 50 primary controls; 18 of these controls require, with no exceptions, the submission of supporting documentation.
(For more information on documentation, please review the QECP Example Data Security Artifacts). It is strongly recommended (but not required) that supporting documentation also be uploaded for the remaining 32 primary controls. If QEs are not submitting documentation as evidence for the remaining 32 primary controls, they should submit strong narrative evidence in the QECP Data Security Workbook, in the compliance description fields. For the remaining 163 secondary controls, QEs must self-attest that they meet the control and must provide a brief rationale for the self-attestation.
The QECP is currently using ARS Version 2.0 for its data security and privacy assessments, which is based on Revision 4 of NIST SP 800-53. The QECP will phase in the use of future ARS versions as they become publicly available.
If the lead QE plans to only receive de-identified claim-line information from its data vendor, the lead QE has the option of submitting a letter from its CEO that details how the data received from its vendor will be de-identified according to the HIPAA de-identification standards. These standards can be found here:
If the lead QE submits this documentation to the QECP team and it is approved by CMS, then only the lead QE’s data vendor will be required to complete a QECP data security workbook. However, the lead QE will still need to be involved in the Phase 2 review process with respect to the PM control family responses and providing other context documentation.
Yes, the QECP allows QEs to submit recent data security assessments or audits as evidence for Standard 3. Such audits may be accepted as evidence of compliance with ARS if they meet the following criteria:
- The scope of the audit clearly shows coverage of relevant controls;
- The assessment was conducted by an independent third party; and
- The assessment or audit was conducted within the last 365 days.
Examples of assessments include:
- Certification audit against ISO 27001
- Assessment and audit against HIPAA standards
- SSAE 16 Overview
- Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
- FedRAMP Certification: FedRAMP Certification must be accompanied by documentation for the services contracted (e.g., Infrastructure as a Service [IAAS], Platform as a Service [PAAS], or Software as a Service [SAAS])
For QEs with a private FedRAMP-certified data center, many of the Standard 3 data security controls should be covered by the data center’s FedRAMP certification. For QEs contracting with a FedRAMP-approved cloud service provider, rather than operating a FedRAMP-certified data center, only a limited number of administrative, technical, and physical controls will be considered to be covered by the CSP’s FedRAMP certification. QEs are responsible for submitting policies and protocols for controls not covered under this FedRAMP certification.
For further details and questions, please contact the QECP staff by email.
Not necessarily. The QECP cannot recommend one approach for meeting the requirements for Standard 3 (Data Security). The best approach will depend on an organization’s infrastructure and resources.
For those applicants who have already undergone a NIST Certification and Accreditation process for compliance with Federal Information Processing Standards (FIPS) 200 and SP 800-53 at the moderate impact level, submission of the Certification and Accreditation document is sufficient evidence to demonstrate compliance with all elements of Standard 3.
Alternatively, for any applicants not currently possessing a NIST certification, the applicant must produce documentation of the systems and protocols that meet the same threshold as the security factors listed in FIPS 200 and SP 800-53 at the moderate impact level. For example, applicants must produce documentation describing the systems and protocols in place that show compliance with CMS’ Acceptable Risk Safeguards (ARS) 2.0 requirements. See FAQ 16 for additional information.
Reporting Changes Post Certification
Yes, after an organization is certified as a Qualified Entity, it may wish to modify its program operations that were approved based on its application. Because changes to the QE’s processes or systems may impact the QE’s ability to meet the minimum requirements established in the QECP, all such changes must be reported to the QECP team.
All changes that must be reported to the QECP team are detailed in Section 2.13.3 of the QECP Operations Manual. Additionally, a schedule for reporting changes in program operations has been established to ensure that QEs meet certification standards at all times. The reporting schedule provides timeframes for QEs to notify the QECP team of any proposed changes or updates to the plans submitted as part of their QE application. QEs can also refer to the QECP Reporting Changes Quick Reference Guide, which lists all QECP reporting changes requirements, the timeframe in which each change must be reported, and supporting documentation that QEs may be required to submit to support the reported change.
A significant change is defined in NIST Special Publication 800-37 as a change that is likely to affect the security state of an information system or its environment of operation. The examples listed below are significant only when they meet the threshold established in the NIST definition above.
Significant changes to an information system include:
- Installation of a new or upgraded operating system, middleware component, or application;
- Modifications to system ports, protocols, or services;
- Installation of a new or upgraded hardware platform;
- Modifications to cryptographic modules or services; or
- Modifications to security controls.
Examples of significant changes to the environment of operation may include, but are not limited to:
- Moving to a new facility;
- Change in vendors, business partners, or service providers;*
- Changes in data hosting providers;
- Changes in internet service providers used to transmit QE Medicare data;
- Changes in staff with primary responsibility for data security;
- Adding new core missions or business functions;
- Data breaches and other violations of the CMS DUA;
- Adding or removing individuals from the CMS DUA;
- Acquiring specific and credible threat information that the organization is being targeted by a threat source; or
- Establishing new/modified laws, directives, policies, or regulations.
If there is any uncertainty about whether a change in a data security program is significant and should therefore be reported, please consult with the QECP team (support@QEMedicaredata.org) to determine the appropriate next steps.
*Note: Additional detail about changes in vendors, business partners, and service providers can be found in FAQ 23.
In the event of a significant change in the QE’s data security program, examples of documentation that a QE may be required to submit to the QECP team include:
- Risk assessments
- Security impact assessments
- Pre/post production system functionality testing/data validation
- Information system design documentation
- Configuration management records
- Change request form(s)
- Attestation/confirmation that QE Medicare data backups are available if data reset is required when reverting a system to a previous version as a result of a failed upgrade or data transfer
- Updated QECP Data Security workbook with revised supporting evidence
- Updated data flow and/or physical network diagram.
A change in vendor, business partner, or service provider is considered a significant data security change (i.e., QECP Standard 3 reported change) if the change is experienced by a lead QE or QE contractor that has access to the identifiable QE Medicare claims data, has submitted a QECP Phase 2 Data Security Workbook, and was deemed Phase 2 compliant by CMS. This type of change would require the QE to submit the documentation described in FAQ 20.
Changes to a lead QE’s contractors must be reported to the QECP team as an Element 1A reported change. If a QE’s Element 1A contractor change involves organizations with access to identifiable QE Medicare claims data, the lead QE’s Phase 2 certification status will be revoked (if previously achieved) and the new contractor will be required to submit a QECP Data Security Workbook and related Standard 3 supporting documentation.
QE Medicare Data Contents
Depending on QEs other sources of claims data and reporting regions, QEs are eligible to receive regional, state, and national (all 50 states and the District of Columbia) data files.
Certified QEs may request data for one or more of the following data sets for the years from 2009 to the present if the QE has other payer data for the geographic area:
- Inpatient Claims
- Outpatient Claims
- SNF Claims
- Hospice Claims
- Home Health Claims
- Carrier Claims
- DMERC Claims
- Part D Events
- Plan Characteristics (included with Part D Event)
- Pharmacy Characteristics (included with Part D Event)
- Prescriber Characteristics (included with Part D Event)
- Beneficiary Summary File (Medicare beneficiary demographics and enrollment data)
In order to estimate benchmarks, certified QEs may also, upon approval, obtain a 5% national sample of any of the above claims files.
Data dictionaries for these CCW data sets in the QE Specifications Worksheet may be found at:
Yes, beginning in June 2017, QEs receive SAMHSA claims in their QE data sets. However, QEs must redact all SAMHSA claims from beneficiary-identifiable data or beneficiary-identifiable non-public analyses prior to sending to an authorized user. It is the responsibility of the QE to redact SAMHSA claims when necessary. QEs will receive a crosswalk file that identifies SAMHSA claims to assist with redaction.
QEs that previously received redacted CMS claims files will be able to purchase the missing SAMHSA claims and crosswalk file, in the form of “gap” files. If your organization is interested in requesting “gap” files, please contact ResDAC directly at 1-888-9RESDAC, or firstname.lastname@example.org.
QEs are permitted to use SAMHSA claims when:
- Publishing public reports on the performance of providers and suppliers;
- Providing or selling beneficiary de-identified non-public analyses to authorized users; and
- Providing or selling beneficiary de-identified combined data or providing beneficiary de-identified Medicare data at no cost to authorized users.
However, QEs must redact all SAMHSA claims from beneficiary-identifiable data or beneficiary-identifiable non-public analyses prior to sending to an authorized user.
Please contact your PM with any questions about permissible uses and disclosures of SAMHSA claims.
No, the Claim Medical Record Number is not found in the non-institutional claims (Carrier and DME) files. The institutional files (Inpatient, Outpatient, HHA, Hospice, SNF) contain the variable called the Claim Medical Record Number; however, this variable is always missing.
Beginning in June 2017, QEs can select the PDE variables that best suits their needs or continue to receive the standard set of PDE variables that were included in previous data requests. QEs must complete the PDE variable justification tab of the QE Specifications Worksheet in order to select the PDE variables, even if they wish to receive the same set of variables. Importantly, QEs that select the Service Provider ID must forgo the pharmacy characteristics file and CCW Pharmacy ID.
QEs can contact ResDAC directly at 1-888-9RESDAC, or email@example.com with questions about PDE variables or to obtain a list of the variables the QE has received in the past.
Yes, however QEs are only allowed to switch once. QEs that previously received the Pharmacy Characteristics file and CCW Pharmacy ID, and would like to switch to the Service Provider ID, must complete an attestation form indicating that they have destroyed those files/columns in their QE Medicare data. QEs may also request a PDE bridge file that includes the Service Provider ID for previous years of data. The cost of the bridge file is $2,000 per year of data requested.
If your organization is interested in switching PDE variables or requesting the PDE bridge file, please contact ResDAC directly at 1-888-9RESDAC, or firstname.lastname@example.org.
Yes, the QE Medicare data files contain denied claims. Within the Carrier and Durable Medical Equipment (DME) files, QEs can identify denied claims by looking at the “Carrier Claim Payment Denial Code” (PMTDNLCD) variable, equal to zero (“0”) Denied or “D” Denied due to demonstration involvement.
To exclude denied line items in the Carrier and DME files, include only those line items with “Line Processing Indicator Code” (PRCNGIND) equal to “A” Allowed, or “R” Reprocessed, or “S” Secondary payer and the “Line Allowed Charge Amount” (LALOWCHG) greater than $0.
To identify a fully denied institutional claim, use the variable “Claim Medicare Non-Payment Reason Code” (NOPAY_CD) equal to anything other than “blank.” The NOPAY_CD variable identifies only a small fraction of denied services. For another strategy, look at claims with zero payment amounts and then check the revenue center information.
To identify the denied revenue center lines, use the “Revenue Center Non-Covered Charge Amount” (REV_NCVR) variable equal to “Revenue Center Total Charge Amount” (REV_CHRG). Revenue center payment or line item payments equal to $0.00 could indicate a non-covered service, a covered service in which Medicare's responsibility is $0.00 due to deductibles or another primary payer, or it could indicate a code required on the claim that has no payment attached to it (e.g., location of care Healthcare Common Procedure Coding System (HCPCS) codes for hospice claims).
Finally, the following scenarios can also indicate that a claim was not covered or denied:
- Condition code of 20 or 21
- Non-covered charges > $0.00
- HCPCS modifiers GA, GX, GY, and GZ PLUS a $0.00 line item or revenue center payment
Yes, the claims data will include Medicare as both the primary payer and the secondary payer. If a Medicare beneficiary has another primary payer, such as an employer-sponsored health plan, the claims will include variables to show both the amount paid by the primary payer and the Medicare payment amount.
In the case of a dual eligible beneficiary, the claims will primarily be found in the Medicare files, except for those services that are not covered under the Medicare program, for example, nursing home coverage. In that case the claims for nursing home coverage would appear in the Medicaid claims.
In addition to the information in the Master Beneficiary Summary File for Parts A/B/C/D, QEs can request the following crosswalks to link the QE Medicare data to other data sources:
- BENE ID to HIC
- BENE ID to SSN
- BENE ID to Name
- BENE ID to MBI
Passing the Phase 2 data security requirements of the QECP program and completing a CMS DUA enable QEs to receive and incorporate QE Medicare data at the beneficiary level. For more information about crosswalks and linking the QE Medicare data, please view the Data Dissemination and Integration webinar.
Obtaining QE Medicare Data Files
Yes. Cost information on the Medicare data files available under the QE program can be found here. QEs will receive a final cost estimate after they receive their Phase 2 (Data Security) certification and DUA approval.
Payment is due within 5 business days of receiving the final Medicare data cost invoice. Data will be prepared and released to QEs only after payment has been successfully processed.
Specific information about initiating the QE data request process may be found at https://www.resdac.org/requester/qualified-entity. ResDAC will assist certified QEs with the data request process. In addition, ResDAC can provide technical assistance to:
- Determine which CMS data files are appropriate for the requestor's needs
- Clearly define the data request
- Provide general information about services available at ResDAC regarding the use of CMS data
- Assist with technical questions related to use of the QE data sets.
The 2009–2016 Medicare FFS annual files are currently available at 100% claims maturity. The 2017 annual Medicare FFS files will be available at 96% claims maturity as of July 2018 (6-month lag); they will reach 100% claims maturity by February 2019 (13-month lag).
Annual Part D prescription drug event (PDE) data are currently available for 2009–2016. The 2017 PDE data will be available in approximately September 2018 (9-month lag at 100% maturity), with several file limitations (pharmacy, formulary, prescriber, and plan characteristics files) and variable limitations (benefit phase, NCPDP ID, formulary drug ID variables). The 100% mature 2017 PDE file (without file and variable limitations) will be available in December 2018.
Quarterly FFS files (with 93% claims maturity) are available on an approximate 4.5-month lag. For example, Q3 2018 Medicare FFS files will be available in mid-February 2019 at approximately 93% claims maturity. The quarterly QE Medicare data release schedule may be found here.
How to Initiate the Data Request Process
In order to pay for and receive data by the release date, QEs must submit a CMS DUA or CMS DUA update form to ResDAC (email@example.com) at least six weeks prior to the scheduled data release dates.
State-level QE Medicare Data
The QE Medicare data can either be shipped on an external hard drive or transmitted through a Secure File Transfer System (SFTS). Data delivery options for national QE Medicare data files are discussed in FAQ 44.
The size of the state-level data files varies from approximately 3GB to 270GB. The size of the regional-level data file varies depending on the county cohorts. (For information on national data, please see FAQs 44 - 49).
RIF data files will be delivered in a fixed-column format with SAS programs (for SAS users) and FTS files (for non-SAS users). For more information on the size and structure of an example state QE Medicare data extract, refer to the State Metadata table.
See also FAQ 25. Data dictionaries for QE Medicare data sets may be found as embedded hyperlinks in the QE Medicare Data Specifications Worksheet.
No, sample files are not available for the QE program, only record layouts and data dictionaries for the files. However, for more information on the size and structure of an example state QE Medicare data file, refer to the State Metadata Table.
See also FAQ 25. Data dictionaries for QE Medicare data sets may be found as embedded hyperlinks in the QE Medicare Data Specifications Worksheet.
However, an organization interested in becoming a QE may find it beneficial to review the CMS Medicare FFS/Part D Public Use Files (http://www.cms.gov/Research-Statistics-Data-and-Systems/Downloadable-Public-Use-Files/SynPUFs/index.html).
The intent of the Data Entrepreneurs’ Synthetic Public Use Files (De-Syn PUFs) is to give users a sense of the way in which certain variables behave; however, they represent a very small subset of the files. ResDAC and the QECP team do not recommend use of the De-Syn PUFs to develop code to import the full files. The De-Syn PUFs should be used only to simulate what the user is likely to find in the full files.
For a comparison of the different types of data files (RIF, LDS, and PUF), please refer to this ResDAC knowledgebase article: https://www.resdac.org/articles/differences-between-rif-lds-and-puf-data-files
National-level QE Medicare Data
National QE Medicare data files (Parts A, B, and D) will be 3–4 TB in size per year and may be transmitted by external hard drive or SFTS. Quarterly national data files will be approximately 80 GB in size, and may also be transmitted via external hard drive or SFTS. SFTS performance will depend on the size of the files and the organization’s bandwidth connections. The minimum SFTS operating requirements are:
- Supported browsers: Current version and two previous versions of Microsoft Internet Explorer (e.g., 9.x, 8.x, and 7.x) or Mozilla Firefox (e.g., 9.x, 8.x, 7.x)
- Java 7+
- Broadband Internet connection
Due to the large file size and complex file structure, the estimated timeframe for extracting and shipping each year of national QE Medicare data (excluding Part D data) will be 30 days. The estimated timeframe for extracting and shipping each year of national QE Medicare data that includes Part D will be 8 weeks.
Yes, the national QE Medicare data can be extracted and shipped in 1-year segments.
It depends on how the QE chooses to receive the data. If the QE wishes to receive the data in 1-year segments, it will receive multiple hard drives (one every 30 days if the extract excludes Part D data or, one every 8 weeks if the extract includes Part D data), each containing one year of national data. If the QE chooses to receive several years of data at once, it will receive a single hard drive containing multiple years of national data. The QE will receive this single data delivery within a period of either 30 days (for extracts excluding Part D data) times the number of years requested or, 8 weeks (for extracts including Part D data) times the number of years requested.
Yes, the data are compressed, and the compression ratio is approximately 80-90%.
Permissible Uses and Re-Uses of QE Medicare Data
Qualified entities are required to use the QE Medicare data, combined with other sources of claims data, to create public provider performance reports at least once annually. In addition, qualified entities may use the Medicare data, combined with other sources of claims data* to conduct non-public analyses and to provide or sell those analyses to authorized users. Qualified entities may also provide or sell the combined data or provide Medicare-only claims data at no cost to certain authorized users (providers, suppliers, hospital associations, and medical societies) for non-public use.
For more information on public reporting requirements, please see FAQs 80 – 85 and the QE Public Reporting Tip Sheet. For more information on permissible uses of QE Medicare data under the QE program, refer to FAQs 50 – 64 and the Uses of QE Medicare Data Tip Sheet.
*For Qualified Clinical Data Registries acting as quasi qualified entities, combined data refers to CMS claims data provided through the QE Program, combined with clinical data or a subset of clinical data. FAQ 8 contains additional information on quasi QEs.
QEs that are interested in using the Medicare claims data for research purposes must go through the research request process and obtain a new data use agreement with CMS. However, QEs may request to re-use the Medicare claims data they received under the QE program for research purposes. Additional information on the research request process can be found at https://www.resdac.org/research-identifiable-files-rif-requests.
No, all qualified entities must comply with all QECP program requirements, including the requirement to release at least one public report annually on the performance of providers. Refer to the QECP Operations Manual for complete information on QE program requirements.
An authorized user is a third party (and/or its contractors or business associates) to which a QE provides or sells data or analyses. Authorized users are limited to the following types of entities:
- A provider – 42 CFR §401.703(b)
- A supplier – 42 CFR §401.703(c)
- A medical society – 42 CFR §401.703(m)
- A hospital association – 42 CFR §401.703(n)
- An employer – 42 CFR §401.703(k)
- A health issuance insurer – 42 CFR §401.703(l)
- A healthcare provider and/or supplier association – 42 CFR §401.703(o)
- A state entity - 42 CFR §401.703(p)
- A federal agency
Yes, the table below summarizes the types of analyses/data that a qualified entity may provide or sell to an authorized user.
Additional Uses of the QE Medicare Data: Summary of Authorized Users
Data and/or Non-Public
*De identification must be determined based on the standards for HIPAA covered entities found at 45 CFR 164.514(b). Additional information on the HIPAA de-identification standards can be found on the HHS Office for Civil Rights website at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.
^Authorized users of identifiable data and analyses include only providers and suppliers with a patient relationship. A patient means an individual who has visited the provider or supplier for a face-to-face or telehealth appointment at least once in the past 24 months.
No. The Medicare Access and CHIP Reauthorization Act (MACRA) only permits QEs to provide or sell combined data or provide Medicare data at no cost to providers, suppliers, medical societies, and hospital associations. Therefore, QEs are not permitted to provide or sell combined data or provide Medicare data at no cost to researchers.
While the QE regulations at 42 CFR Part 401, Subpart G, govern the release of Medicare data and combined data, these regulations do not impact the release of commercial-only data.
Yes, a QE must enter into a QE DUA or a non-public analyses agreement with an authorized user prior to providing or selling data or analyses to that authorized user.
A QE DUA must be in place as a pre-condition of providing or selling any QE data (including combined or Medicare-only data, whether beneficiary-identifiable or de-identified) or non-public analyses containing protected health information (PHI). The required provisions for a QE DUA can be found at 42 CFR §401.713(d).
A non-public analyses agreement must be in place before a QE may provide or sell beneficiary de-identified non-public analyses to an authorized user. The required provisions for a non-public analyses agreement can be found at 42 CFR §401.716(C).
It is the QE’s responsibility to develop and execute the legally binding agreement with the authorized user prior to providing or selling data or analyses. The QE must ensure that the required provisions are included in the QE DUA or non-public analyses agreement.
No, QEs can work directly with the authorized users that are receiving or purchasing the non-public analyses to determine the measures that will be included. QEs are not restricted to using only standard and approved alternative measures for non-public analyses.
No. The QE regulations do not impose restrictions on the uses of the publicly reported results (the numerical values of the measures published). Publicly reported results can be used by any party, including the qualified entity, for activities such as internal analyses, pay-for-performance initiatives, or provider tiering. After the QE has transformed the data into publicly reported information, other than the statutory requirement that the reports be shared with providers and the public, CMS does not assert ownership or control over additional uses that the QE may make of the publicly reported information.
Provider tiering is interpreted as a method for aggregating providers according to some predetermined criteria, for example, Tier A: Primary Care Physicians (PCPs) Scoring Above Average on Quality; Tier B: PCPs Scoring Average on Quality; Tier C: PCPs Scoring Below Average on Quality.
A QE that has obtained Medicare FFS claims data under an existing DUA and intends to use only those data for its work as a QE will be required to comply with the four phases of the QE program, including submitting a DUA for the QE program. However, the QE will not be required to pay for the data or to pay the $2,000 administrative fee for DUA processing.
A QE that already has Medicare FFS claims data under an existing DUA and intends to use the data for the QE program and that requests additional Medicare FFS claims data for its work as a QE will also need to comply with all four phases of the QE program, including submitting a DUA for the QE program. The QE will not be required to pay for existing data or to pay the $2,000 administrative fee for processing the DUA; however, the QE will be required to pay for any new data requested.
This policy is consistent with existing CMS data re-use and QE policies. According to the CMS data re-use policy for research and state agencies, an entity that has Medicare FFS claims data and wants to re-use those data must submit a new DUA, but is not required to pay for the data again. Although researchers and state agencies are required to pay a $2,000 administrative fee for DUA processing, QEs will not be required to pay this fee, because CMS DUAs are not reviewed and approved by the CMS Privacy Board. Instead, QEs participate in a comprehensive review in order to participate in the QE program.
A QE that wants to re-use data it received under the QE program for another purpose must submit a new DUA that will go through the existing process for research and state agencies, including CMS Privacy Board review and approval. The QE will not be required to pay for the data again, but it will be required to pay the $2,000 administrative fee. More information on permissible uses of QE program data can be found in the QE Public Reporting Tip Sheet and Uses of QE Data Tip Sheet.
Yes, the QE Medicare data may be used to validate standard measures that the QE intends to publically report under the QECP. However, every attempt must be made by QEs to use the QE Medicare data only to calculate measures that have previously demonstrated statistical validity. For measures considered standard under the QE program, if a QE is unsure whether a measure will be statistically valid when applied to the combined data, the QE is permitted to combine the Medicare data with the other payer claims data and run the measure on these combined data to determine validity.
If the measure passes the validity checks, the QE must include it in its public performance report(s); thus, the measure must be added to the QE’s Phase 3 Measure Information Workbook and submitted to the QECP team for review at the time of the Phase 3 minimum requirements review, or at least 30 or 60 days (depending on the measure type) before its intended confidential release to providers for the corrections and appeal process. If the measure does not pass the validity checks, it should not be added to the Measure Information Workbook;
however, the QE must internally document that the Medicare data were accessed (and for which measure), but were not used, and must have this documentation available if the QECP team conducts a review as part of Ongoing Program Administration (OPA). The QE must report the list of measures that did not pass validity, together with a brief rationale, as part of its required QE Annual Report Workbook submission.
Measure testing is defined as using QE Medicare data to calculate standard or alternative measures without reasonable confidence that the measure will pass statistical validity testing. Measure testing is not permitted under the QE program for public performance reports.
Provider Performance Measures
Pre-adjudicated claims data are an acceptable source of other-payer claims data, for combining with Medicare QE data and calculating measures for public reporting. However, pre-adjudicated claims data do not have final payment data; therefore, they are not sufficient for producing measures related to cost.
For public reports, QEs are required to use standard measures or approved alternative measures for evaluating the performance of providers and suppliers. Standardized and well-specified measures that follow tested methodologies allow results to be compared credibly across providers and organizations. All measures must include claims data from other payer sources; measures using only the Medicare data are strictly prohibited.
Standard measures are claims-based measures that can be calculated in full or in part from claims data from other sources and the standardized extracts of Medicare Parts A and B claims data and Part D prescription drug event (PDE) data. They include all performance measure types, such as quality measures (structure, process, and outcomes measures), resource use measures, efficiency measures, and composite measures. A standard measure must fall into one of the following categories: the measure is endorsed (or time-limited endorsed) by the entity with a contract under Section 1890(a) of the Social Security Act (currently the National Quality Forum);
the measure is currently being used in a CMS program that includes quality measurement; or the measure is endorsed by a CMS-approved QE Consensus-Based Entity (CBE). See FAQ 66 for additional information.
Alternative measures are non-standard claims-based measures, calculated in full or in part from claims data from other sources and standardized extracts of Medicare Parts A and B claims data and Part D PDE data, that have been deemed to be more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use than existing claims-based standard measures.
Alternative measures will be accepted either through the notice-and-comment rulemaking process or through a stakeholder consultation approval process in which entities demonstrate consultation and agreement with appropriate stakeholders in the community. See FAQ 67 for additional information.
A list of current standard measures can be found here. Please keep in mind that this list is dynamic because measures continually undergo review for endorsement. The QECP team will update this list twice a year, in January and July, but it is ultimately the applicant's responsibility to obtain the most recent information. Please refer to Section 2.4 of the 2016 Operations Manual for more information.
A list of current alternative measures that have been publicly reported by QEs can be found here. Please keep in mind that this list is dynamic because measures continually undergo QECP review. The QECP team will update the list of alternative measures in January and July of each year. There are two types of QECP alternative measures: measures approved using the stakeholder consultation approval process, and measures approved through the notice-and-comment rulemaking process.
QECP alternative measures approved under the stakeholder consultation approval process may only be used by the QE that submitted the measure to CMS for consideration.
QECP alternative measures submitted through the notice-and-comment rulemaking process may be used by any QE. Currently, no measures have been submitted through the notice-and-comment rulemaking process. For more information, please refer to Section 2.4 of the 2016 Operations Manual.
If a measure does not follow the exact specification as the NQF-endorsed measure, it will be considered an alternative measure. Entities may submit alternative measures for approval if the entity is able to demonstrate stakeholder consultation and approval of the deviation from the standard measure specification.
Yes, composite measures may be used as part of a QE’s public performance reporting. However, every composite measure is considered an alternative measure unless the composite measure itself is NQF-endorsed, used by a CMS program, or endorsed by a QE CBE. Composite measures are considered alternative measures even if they composite, or combine, individual NQF-endorsed standard measures.
To obtain approval of an alternative measure by demonstrating stakeholder consultation approval, the following information must be provided for each alternative measure:
- A description of the process by which the entity notified stakeholders in the geographic region it serves of its intent to seek approval of an alternative measure;
- A list of stakeholders from whom feedback was solicited, including the stakeholders’ names and roles in the community;
- A description of the discussion about the proposed alternative measure, including a summary of all pertinent arguments supporting and opposing the measure; and
- An explanation backed by scientific evidence that demonstrates that the measure is more valid, reliable, responsive to consumer preferences, cost-effective, or relevant to dimensions of quality and resource use than the standard measure.
Stakeholders must include a valid cross-representation of providers, payers, employers, and consumers within the QE’s community and public reporting area.
Once an entity is certified as a QE, the QECP team is available to assess or discuss proposed evidence for a QE’s stakeholder consultation process well in advance of its Phase 3 submission. QEs interested in requesting this assistance should contact their QECP Program Manager through the Helpdesk (support@QEMedicaredata.org).
No, measures from retired CMS quality programs that are not NQF-endorsed are not considered standard measures and must be submitted as alternative measures.
Provider Corrections and Appeals for Public Reports
During the corrections and appeals process, QEs must provide the measure name and description, methodology, and measure results to providers. Additionally, at the request of an appealing provider, QEs must also release the Medicare claims and/or beneficiary names to the provider with appropriate privacy and security protections.
QEs may only provide the Medicare claims and/or beneficiary names relevant to the particular measure or measure results the provider is appealing.
The claims information provided by the QE to the appealing provider does not have to be fully identifiable. QEs must transmit claims information with the minimally necessary beneficiary identifiers to providers. De-identified information (date of service, gender, age, service, etc.) meets the requirement of providing minimally necessary information to providers upon request.
During the corrections and appeals process, if the provider believes there is an error with the Medicare FFS claims, the provider should follow-up with their Medicare Administrative Contractor (MAC) as necessary to reconcile/adjust the claim. The QE should move forward with their public reporting according to the program requirements. If the provider or supplier has a data or error correction request outstanding at the time the reports become public, the QE must denote the performance measure as “in dispute.”
No, CMS does not provide guidance on how or if QEs should provide beneficiary information on their non-Medicare claims data to providers during the corrections and appeals process. However, CMS does encourage QEs to release their non-Medicare data during the corrections and appeals process whenever it is legally permitted by the terms of the agreement between the QE and the entity from which they received the data.
No, when transmitting requested claims data to an appealing provider, the QE must undertake the appropriate privacy and security protections (e.g., secure data transfer), but a legal agreement between the provider and QE is not required.
This process does not have a set timeframe. However, QEs are expected to deliver the data to appealing providers in a reasonable amount of time. Each year, as part of the QE Annual Report, QEs must report to CMS the amount of time to acknowledge and respond to provider requests for error correction.
Additionally, after the corrections and appeals period, if a provider has a data or error correction request outstanding at the time the QE’s performance reports become public, the QE must, if feasible, post publicly the name of the appealing provider and the category of the appeal request.
No. A QE must have a provider corrections and appeals process in place except if it does not plan to report any measures at the provider or provider group level. If a QE believes that a provider corrections and appeals process is not required for its reporting, it must submit, during Phase 3 of the QECP application process, in Element 8A, evidence that it has a process for ensuring that any published measure results could not be associated with a particular provider or provider group.
Information on the National Plan and Provider Enumeration System (sometimes referred to as the NPI downloadable file) may be found here. This CMS web page identifies the location of the NPI downloadable file, which includes provider name, mailing address, physical location, etc.
No, there are no restrictions on the geographic areas for which an entity can be certified to publish reports provided that the entity has access to a sufficient volume of claims data from other payer sources for the geographic area. However, note the following:
- Entities reporting on regions smaller than a state will need to purchase regional-level data for county cohorts, show they possess other payer sources of claims data, and meet the sample size requirements.
- Sample size requirements may be difficult to meet if the geographic area is too narrowly specified.
- If an entity intends to report on a geographic area that consists of several states, the entity must purchase data for each state separately, show they possess other payer sources of claims data, and meet sample size requirements.
- The applicant must show that they have enough claims data information for the level of analysis. The level of analysis can be regional or provider level (e.g., individual physician, clinic, practice, or medical system).
This excerpt of the QE regulations means that all results calculated for providers and suppliers must be aggregated and reported at a level higher than the patient level. Information on individual beneficiaries may NOT be disclosed. No individual patient should ever be placed at risk for identification based on results presented in a public report.
Example: When a provider's influenza immunization rate for CY 2010 is reported to the public, the result should be expressed following the specifications of the standard measure (which includes a minimum sample size). For example, 80 percent of Dr. Smith's patients received an influenza immunization during CY 2010. Releasing a list of patients (for example, those patients with or without an influenza immunization) in a public report, or in any form in which someone could identify a patient, is strictly prohibited.
A QE may display a result for an aggregate measure only if there are at least 11 individuals in the denominator. In addition, no percentages or other mathematical formulas may be used if they result in the display of a cell size of 11 or less. For example, a QE is permitted to display an aggregate measure for a given provider that has:
- 35 Medicare beneficiaries and 3 commercial members in the denominator, or
- 6 Medicare beneficiaries and 10 commercial members in the denominator.
QEs may not calculate and report measure results based only on Medicare data (this also applies to cases where the Medicare FFS data obtained from CMS is combined with Medicare Advantage data). However, a QE may drill down into a calculated measure and report results based only on Medicare data.
The QE must comply with all cell suppression guidelines in reporting Medicare-specific measure results (i.e., there must be at least 11 Medicare beneficiaries in the measure denominator).
- It would be acceptable for a QE to report Provider A’s result on a measure that contained 15 Medicare beneficiaries, 10 commercial members, and 12 Medicaid beneficiaries and then to drill down and report product-specific results for commercial products, Medicaid, and Medicare. This is permissible because there are at least 11 Medicare beneficiaries.
- It would be acceptable for a QE to report Provider A’s results on a measure that contained 8 Medicare beneficiaries, 10 commercial members, and 12 Medicaid beneficiaries and then to drill down and report a product-specific result ONLY for commercial products. This is permissible because the Medicare data are still combined with the Medicaid data, so the user cannot work back to the Medicare figure.
- It would be unacceptable for a QE to drill down and report Provider A's results for a measure for commercial products, Medicaid, and Medicare if there were 8 Medicare beneficiaries, 10 commercial members, and 12 Medicaid beneficiaries in the measure. This is not permissible, because there must be at least 11 Medicare beneficiaries in the aggregate measure if a QE wants to report by product line.
QEs may not calculate and report measure results based only on Medicare data (this also applies to cases where the Medicare FFS data obtained from CMS is combined with Medicare Advantage data). However, a QE may drill down into a calculated measure and report results based only on Medicare data. The QE must comply with all cell suppression guidelines in reporting Medicare-specific measure results (i.e., there must be at least 11 Medicare beneficiaries in the measure denominator). For instance, it would not be permissible for a QE to calculate a hip-replacement measure using only commercial data and then compare it to the hip-replacement measure calculated using only Medicare data.
QEs are expected to release their first QE public performance report within one year of receiving QE Medicare data. QEs are expected to release public performance reports annually thereafter.
QEs that are unable to release public reports within one year of receiving QE Medicare data must submit a formal letter to CMS requesting an extension. The extension request letter must include:
- the QE’s original timeline,
- the new estimated target date for the release of the QE’s first QE public performance report,
- a rationale for why an extension request letter is needed, and
- an explanation of how the QE Medicare data have been used by the QE and its contractor (if applicable) since that data were received.
QEs required to submit a formal extension request letter should contact the QECP team (support@QEMedicaredata.org) to obtain the letter template.
Yes. Described below are some additional approaches to public reporting that comply with QECP requirements. As a reminder, CMS has not (and does not plan to) prescribe a uniform QECP corrections and appeals model that all QEs must implement. As part of Element 8A, QEs must explain the corrections and appeals process that will work best for their community/geographic reporting area while still adhering to QECP requirements.
Example 1 (Longer than 60-day C&A Period): While the Final Rule requires at least 60 calendar days for provider corrections and appeals prior to publicly reporting measure results, a QE can designate a period longer than 60 calendar days for the provider corrections and appeals process. QEs may choose this approach to allow additional time for providers to request corrections for inclusion in the QE’s public report.
Example 2 (More than one C&A Period): A QE may conduct more than one 60-day provider corrections and appeals period prior to public reporting as long as:
- The measures calculated with QE Medicare data are included in all corrections and appeals periods, and these measures are ultimately publicly reported;
- The QE Medicare data used to calculate measures included in the first round of reports distributed to providers are also used to calculate measures in the next report distributed to providers, which is subsequently publicly reported; and
- The QE is compliant with the Final Rule, which requires QEs to release public reports at least annually.
QE may release a report to providers that uses claims data service dates of January–June 2014, followed by a subsequent report to providers that uses service dates of January–December 2014. After both rounds of confidential provider corrections and appeals, the QE must publicly report the January–December 2014 measure results.
Please note that if a QE chooses to pursue this option, it is the QE’s responsibility to ensure that measure specifications are followed appropriately. If this approach changes the definition of a measure from standard to alternative, the QE must submit documentation to the QECP team that demonstrates the stakeholder consultation approval process has been conducted and that justifies the use of the alternative measure.
Example 3 (Simultaneous Public Release of Two Cycles of Results): A QE may choose to delay publication of a cycle of provider performance results and publish two cycles of results simultaneously. While results from both cycles must ultimately be released publicly, a QE may choose to display the results of a particular cycle more prominently. For example, on the same day, Cycle 2 results (using 2014 claims data service dates) might be published prominently on the QE’s web page, while Cycle 1 results (using 2013 claims data service dates) might be published on a “historical performance information” web page. Since QEs are expected to release their first QE public performance report within one year of receiving QE Medicare data, this approach may require that the QE submit a letter to the QECP team requesting an extension of the public reporting requirement.