42 C.F.R. § 512.440
(b) Beneficiary-identifiable data. CMS shares beneficiary-identifiable data with IOTA participants as follows:
(2) An IOTA participant that wishes to receive beneficiary-identifiable data for its attributed patients who are Medicare beneficiaries must do all of the following:
(i) Submit a formal request for the data, on an annual basis in a manner and form and by a date specified by CMS, which identifies the data being requested and attests that—
(5) The beneficiary-identifiable data will include, when available, the following information:
(i) Quarterly attribution lists. For the relevant PY, CMS shares with the IOTA participant the quarterly attribution lists, which will include but may not be limited to the following information for each attributed patient:
(ii) Beneficiary-identifiable claims data. CMS makes available certain beneficiary-identifiable claims data for retrieval by IOTA participants no later than 1 month after the start of each PY, in a form and manner specified by CMS. IOTA participants may retrieve the following data at any point during the relevant PY. This claims data includes all of the following:
(6) The IOTA participant must limit its attributed Medicare beneficiary identifiable data requests to the minimum necessary to accomplish a permitted use of the data.
(i) The minimum necessary Parts A and B data elements may include but are not limited to the following data elements:
(ii) The minimum necessary Part D data elements may include but are not limited to the following data elements:
(7)
(i)
(B) Such notifications must do both of the following:
(1) State that the IOTA participant may have requested beneficiary-identifiable claims data about the Medicare beneficiary for purposes of its care coordination, quality improvement work, and population-based activities relating to improving health or reducing health care costs.
(2) Inform the Medicare beneficiary how to decline having his or her claims information shared with the IOTA participant in the form and manner specified by CMS.
(iii) The opportunity to decline having claims data shared with an IOTA participant under paragraph (b)(7)(i) of this section does not apply to any of the following:
(8)
(i) If an IOTA participant wishes to retrieve any beneficiary-identifiable data specified in paragraph (b) of this section, the IOTA participant must complete and submit, on an annual basis, a signed data sharing agreement, to be provided in a form and manner specified by CMS, under which the IOTA participant agrees to all of the following:
(D) That if the IOTA participant misuses or discloses the beneficiary-identifiable data in a manner that violates any applicable statutory or regulatory requirements or that is otherwise non-compliant with the provisions of the data sharing agreement, CMS may do all of the following:
(1) Deem the IOTA participant ineligible to retrieve the beneficiary-identifiable data under paragraph (b) of this section for any amount of time.
(2) Terminate the IOTA participant's participation in the IOTA Model under § 512.466.
(3) Subject the IOTA participant to additional sanctions and penalties available under the law.
(c) Aggregate data.