(a) General. CMS shares certain beneficiary-identifiable data as described in paragraphs (b), (c), and (e) of this section and certain aggregate data as described in paragraph (d) of this section with ASM participants regarding ASM beneficiaries and performance under the model.

(b) Beneficiary-identifiable data. CMS shares beneficiary-identifiable data with ASM participants as follows:

(1) CMS makes available certain beneficiary-identifiable data described in paragraph (b)(5) of this section for ASM participants to request for purposes of conducting health care operations work that falls within the first or second paragraph of the definition of health care operations at 45 CFR 164.501 on behalf of their patients who are ASM beneficiaries.

(2) An ASM participant that wishes to receive beneficiary-identifiable data for its ASM beneficiaries must do all of the following:

(i) Submit a formal request for the data, on at least an annual basis in a manner and form and by a date specified by CMS, which identifies the data being requested and attests that—

(A) The ASM participant is requesting this beneficiary-identifiable data as part of a covered entity, as defined at 45 CFR 160.103;

(B) The ASM participant's request reflects the minimum data necessary, as set forth in paragraph (c) of this section, for the ASM participant to conduct activities described in the first or second paragraph of the definition of health care operations at 45 CFR 164.501; and

(C) The ASM participant's use of beneficiary-identifiable data is limited to developing processes and engaging in appropriate activities related to coordinating care, improving the quality and efficiency of care, and conducting population-based activities relating to improving health or reducing health care costs that are applied uniformly to all ASM beneficiaries under the care of the ASM participant, and that these data are not to be used to reduce, limit or restrict care for specific Medicare beneficiaries.

(ii) To the extent practicable, limit the request to ASM beneficiaries whose claims were used to determine the requesting ASM participant's eligibility for ASM participation or to whom the requesting ASM participant provided care during an applicable ASM performance year.

(iii) Sign and submit a data sharing agreement with CMS as set forth in paragraph (e)(1) of this section.

(3) CMS shares beneficiary-identifiable data with an ASM participant on the condition that the ASM participant and other individuals or entities performing functions or services related to the ASM participant's activities, including but not limited to non-ASM participant parties in collaborative care arrangements with ASM participants, comply with all appliable laws addressing the appropriate use of data and the confidentiality and privacy of individually identifiable health information and the terms of the data sharing agreement described in paragraph (e)(1) of this section.

(4) CMS omits from the beneficiary-identifiable data any information that is subject to the regulations in 42 CFR part 2 governing the confidentiality of substance use disorder patient records.

(5) The beneficiary-identifiable data includes, when available, the following information:

(i) Unrefined (raw) Medicare Parts A, B, and D beneficiary-identifiable claims data used to determine ASM participant eligibility for an applicable ASM performance year; and

(ii) Unrefined (raw) Medicare Parts A, B, and D beneficiary-identifiable claims data for ASM beneficiaries who trigger an applicable EBCM episode with the ASM participant during the applicable ASM performance year.

(c) Minimum necessary data. The ASM participant must limit its request for beneficiary-identifiable data under paragraph (b) of this section to the minimum necessary to accomplish the permitted use of the data. The minimum necessary Medicare Parts A, B, and D data elements may include, but are not limited to the following:

(1) Medicare beneficiary identifier (ID).

(2) Procedure code.

(3) Sex.

(4) Diagnosis code.

(5) Claim ID.

(6) The from and through dates of service.

(7) The provider or supplier ID.

(8) The claim payment type.

(9) Date of birth and death, if applicable.

(10) Tax identification number.

(11) National provider identifier.

(d) Aggregated data feedback. CMS shares aggregated data on one or more select indicators of the ASM participant's performance, de-identified in accordance with 45 CFR 164.514(b), in a form and manner to be specified by CMS, when available, with ASM participants.

(e) ASM data sharing agreement. (1) To retrieve the beneficiary-identifiable data specified in paragraphs (b) and (c) of this section, the ASM participant must complete and submit, on at least an annual basis, a signed ASM data sharing agreement, to be provided in a form and manner and by a date specified by CMS, under which the ASM participant agrees, at a minimum to do all of the following:

(i) Comply with the requirements for use and disclosure of this beneficiary identifiable data that are imposed on covered entities by the HIPAA regulations, including but not limited to 45 CFR part 164, subparts A and E, and the requirements of ASM set forth in this part.

(ii) Comply with additional privacy, security, breach notification, and data retention requirements specified by CMS in the ASM data sharing agreement.

(iii) Contractually bind any and all downstream recipients of this beneficiary identifiable data, such as other individuals or entities performing functions or services related to the ASM participant's data sharing activities, including those that meet the definition of a business associate as defined at 45 CFR 160.103 and non-ASM participant parties to collaborative care arrangements described at § 512.771, to the same terms and conditions to which the ASM participant is itself bound in its data sharing agreement with CMS as a condition of the business associate's or non-ASM participant parties' receipt of the beneficiary-identifiable data obtained by the ASM participant.

(iv) That if the ASM participant or any downstream recipient misuses or discloses the beneficiary-identifiable data in a manner that violates any applicable statutory or regulatory requirements or that is otherwise non-compliant with the provisions of the data sharing agreement, CMS may do any or all of the following:

(A) Deem the ASM participant ineligible to obtain the beneficiary-identifiable data under paragraph (b) of this section for any amount of time.

(B) Subject the ASM participant to additional sanctions and penalties available under applicable law.

(v) An ASM participant must comply with all applicable laws and the terms of the data sharing agreement to obtain beneficiary-identifiable data.

(2) CMS shares beneficiary-identifiable data with an ASM participant on the condition that the ASM participant and other individuals or entities performing functions or services related to the ASM participant's data sharing activities, including business associates as defined at 45 CFR 160.103 of the ASM participant and non-ASM participant parties to collaborative care arrangements described at § 512.771, comply with all relevant laws governing the use of data and the privacy and security of individually identifiable health information and the terms of the data sharing agreement described in paragraph (e)(1) of this section.

(f) Data custodian. An ASM participant must designate and provide the contact information for, in a form and manner identified by CMS, a data custodian who is responsible for ensuring compliance with privacy and security requirements, including all applicable laws and terms of the ASM data sharing agreement, and for notifying CMS of any incidents relating to unauthorized disclosures of beneficiary-identifiable data.