[Federal Register Volume 59, Number 78 (Friday, April 22, 1994)]
[Unknown Section]
[Page 0]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-9804]
[[Page Unknown]]
[Federal Register: April 22, 1994]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Health Care Financing Administration
Privacy Act of 1974; System of Records
agency: Department of Health and Human Services (HHS), Health Care
Financing Administration (HCFA).
action: Notice of proposed expansion of system purpose and new routine
uses for existing system of records.
-----------------------------------------------------------------------
summary: HCFA proposes revising the system notice for the ``National
Claims History (NCH),'' System No. 09-70-0005, by expanding the purpose
of the system to enable HCFA to assist in a variety of health care
initiatives with other entities, in addition to studying the Medicare
program, and by adding three new routine uses (numbers 13, 14, and 15)
for the release of data without the individuals' consent.
The first new routine use would permit release of data to other
Federal agencies. This routine use has two purposes. First, disclosure
would be permitted to another Federal agency to enhance the accuracy of
Medicare's payment of health benefits.
Second, disclosure would be permitted when necessary to enable
another Federal agency to fulfill a statute or regulation. HCFA has
recently received several requests from other Federal agencies (e.g.,
the Department of Veterans Affairs and the Department of Defense)
asking for help in coordinating benefits or fulfilling of statutes or
regulations that involve Medicare enrollees. To fulfill these requests
would require release of data from the NCH system. A primary purpose of
the Medicare program, for which this system of records was established,
is to assure high quality and effective health care to Medicare
beneficiaries. We believe that this purpose can be better accomplished
through coordination of beneficiary data between and among Federal
agencies. This routine use allows release of data from the NCH system
to other Federal agencies for two purposes; (1) to contribute to the
accuracy of HCFA's proper payment of Medicare health benefits, and/or
(2) to enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation.
The second new routine use permits release of paid Medicare claims
data from the NCH system to States to support administration of health
care programs when disclosure is necessary to enable a State to fulfill
a mandated statute or regulatory requirement. An example of this type
of release is the current release of data from HCFA's Common Working
File (CWF) system (source of the NCH system), No. 09-70-0526, for the
administration of State Medicaid programs. Logistically, however, it
would often be preferable to obtain these claims data from the NCH.
The third new routine use would permit release of NCH records to
Peer Review Organizations (PROs) in order to allow a PRO to perform
Title XI functions relating to improving beneficiary quality of care.
effective dates: HCFA filed an altered system report with the Chairman
of the Committee on Government Operations of the House of
Representatives, the Chairman of the Committee on Governmental Affairs
of the Senate, and the Administrator, Office of Information and
Regulatory Affairs, Office of Management and Budget (OMB), on April 22,
1994. To ensure all parties have adequate time in which to comment, the
revised system of records, including routine uses, will become
effective 40 days from the publication of this notice or from the date
submitted to OMB and the Congress, whichever is later, unless HCFA
receives comments which require alterations to this notice.
addresses: The public should address comments to Mr. Richard A. DeMeo,
HCFA Privacy Act Officer, Office of Beneficiary Services, Office of
Customer Relations and Communications, HCFA, room 2-H-4, East Low Rise
Building, 6325 Security Boulevard, Baltimore, Maryland 21207-5187.
Comments received will be available at this location.
FOR FURTHER INFORMATION CONTACT:
Mr Frank Kirby, Director, Data Release Policy Staff, Office of
Statistics and Data Management, Bureau of Data Management and Strategy,
HCFA, room 3-A-12, Security Office Park Building, 6325 Security
Boulevard, Baltimore, Maryland 21207-5187, Telephone (410) 597-5400.
SUPPLEMENTARY INFORMATION: We are publishing this notice to inform the
public of our intent to expand the purpose to include the
administration of health care programs as well as the study of the
Medicare program, and add three new routine uses for release of data
from the NCH. The first routine use will permit coordination of
benefits and/or accomplishment of Federal statutory or regulatory
requirements by Federal agencies. The first routine use will be
numbered (13) and will read as follows:
(13) To another Federal agency; (1) To contribute to the accuracy
of HCFA's proper payment of Medicare health benefits, and/or (2) to
enable such agency to administer a Federal health benefits program, or
as necessary to enable such agency to fulfill a requirement of a
Federal statute or regulation, if HCFA:
(a) Determines that the use or disclosure does not violate legal
limitations under which the data were provided, collected, or obtained;
(b) Determines that the purpose for which the disclosure is to be
made cannot reasonably be accomplished unless the data are provided in
individually identifiable form;
(c) Requires the recipient to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record:
(2) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use on another project under the same conditions, and with
written authorization from HCFA; and
(c) When required by law;
(3) Secure a written statement attesting to the recipient's
understanding of, and willingness to abide by the following provisions:
(a) Not to use the data for purposes that are not related to the
subject project;
(b) Not to publish or otherwise disclose the data in a form raising
unacceptable possibilities that beneficiaries could be identified
(i.e., the data must not be beneficiary-specific and must be aggregated
to a level where no data cells have 10 or fewer beneficiaries); and
(c) Not to publish any aggregation of the data without HCFA's
approval.
The second new routine use allows for release of paid Medicare
claims data from the NCH system to States to support administration of
health care programs when disclosure is necessary to enable a State to
fulfill a mandated statute or regulatory requirement. It will be
numbered (14) and will read as follows:
(14) To States for the purposes of administration of health care
programs when disclosure is necessary to enable the State to fulfill a
mandated statute or regulatory requirement. These data may be released
for this purpose, if HCFA:
(a) Determines that the use or disclosure does not violate legal
limitations under which the data were provided, collected, or obtained;
(b) Establishes that the data are exempt from disclosure under the
State and/or local Freedom of Information Act;
(c) Determines that the purposes for which the disclosure is to be
made:
(1) Cannot reasonably be accomplished unless the data are provided
in individually identifiable form;
(2) Is of sufficient importance to warrant the effect and/or risk
on the privacy of the individuals that additional exposure of the
record might bring; and
(3) There is a reasonable probability that the objective for the
use would be accomplished; and
(d) Requires the recipient to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record;
(2) Remove or destroy the information that allows the individual to
be identified at the earliest time at which removal or destruction can
be accomplished consistent with the purpose of the request, unless the
recipient presents an adequate justification for retaining such
information;
(3) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use on another project under the same conditions, and with
written authorization of HCFA;
(c) For disclosure to a properly identified person for the purpose
of an audit related to the project, if information that would enable
project subjects to be identified is removed or destroyed at the
earliest opportunity consistent with the purpose of the audit; or
(d) When required by law; and
(4) Secure a written statement attesting to the recipient's
understanding of and willingness to abide by these provisions. The
recipient must agree to the following:
(a) Not to use the data for purposes that are not related to the
subject project;
(b) Not to publish or otherwise disclose the data in a form raising
unacceptable possibilities that beneficiaries could be identified
(i.e., the data must not be beneficiary-specific and must be aggregated
to a level where no data cells have 10 or fewer beneficiaries); and
(c) Not to publish any aggregation of the data without HCFA's
approval.
The third new routine use would permit release of NCH records to
Peer Review Organizations (PROs) in order to allow a PRO to perform
Title XI functions relating to improving beneficiary quality of care.
It will be numbered (15) and will read as follows:
(15) To a Peer Review Organization (PRO) in order to assist the PRO
to perform Title XI functions relating to improving beneficiary quality
of care. Data may be released for this purpose if HCFA:
(a) Determines that the use or disclosure does not violate legal
limitations under which the data were provided, collected, or obtained;
(b) Requires the PRO to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record;
(2) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use on another project under the same conditions, and with
written authorization from HCFA; and
(c) When required by law; or when otherwise permitted by Federal
law.
(3) Complete and sign a written statement attesting to the PRO's
understanding of and willingness to abide by the provisions therein.
This written statement must:
(a) Specify the conditions for maintenance and redisclosure of such
information;
(1) To the extent that may be necessary to conduct a PRO function,
e.g., a case quality review project or study;
(2) In accordance with a project-specific data release agreement;
and
(b) Not to use the data for purposes that are not related to the
subject project.
These proposed new routine uses for the ``National Claims History
(NCH)'' are consistent with the relevant provisions of the Privacy Act,
namely, 5 U.S.C. 552a(a)(7), 552a(b)(3), and 552a(e)(4)(D). Legal
authority to release these data under these routine uses and other
previously published is the Privacy Act (5 U.S.C. section 552a),
section 1106(a) of the Social Security Act (42 U.S.C. 1306(a)), and 42
CFR part 401, subpart B. Because these proposed changes will change the
purpose for which the information is collected or otherwise
significantly alter the system, we are preparing a report of altered
system of records under 5 U.S.C. 552a(r). We are publishing the notice
in its entirety below for the convenience of the reader.
Dated: April 15, 1994.
Bruce C. Vladeck,
Administrator, Health Care Financing Administration.
09-70-0005
National Claims History (NCH), HHS/HCFA/BDMS.
None.
HCFA Data Center, Lyon Building, 7131 Rutherford Road, Baltimore,
Maryland 21207-5187.
Persons enrolled in hospital insurance or supplementary medical
benefits parts of the Medicare program and their referring and
servicing physicians.
Bill data, demographic and identifying data on the beneficiary;
diagnosis and procedural codes; provider characteristics and
identifying number (including physicians).
Section 1874(a) and section 1875 of the Social Security Act (42
U.S.C. 139511).
To assist in a variety of health care initiatives with other
entities, and to study the operation and effectiveness of the Medicare
program.
Disclosure may be made:
(1) To a congressional office from the record of an individual in
response to an inquiry from the congressional office made at the
request of that individual.
(2) To the Bureau of Census for use in processing research and
statistical data directly related to the administration of Agency
programs.
(3) To the Department of Justice, to a court or other tribunal, or
to another party before such tribunal, when:
(a) HHS, or any component thereof; or
(b) Any HHS employee in his or her official capacity; or
(c) Any HHS employee in his or her individual capacity where the
Department of Justice (or HHS, where it is authorized to do so) has
agreed to represent the employee; or
(d) The United States or any agency thereof where HHS determines
that the litigation is likely to affect HHS or any of its components;
is party to litigation or has an interest to such litigation, and HHS
determines that the use of such records by the Department of Justice,
the tribunal, or the other party is relevant and necessary to the
litigation and would help in the effective representation of the
governmental party, provided, however, that in each case HHS determines
that such disclosure is compatible with the purpose for which the
records were collected.
(4) To an individual or organization for a research, evaluation, or
epidemiological project related to the prevention of disease or
disability, or the restoration or maintenance of health if HCFA:
(a) Determines that the use or disclosure does not violate legal
limitation under which the record was provided, collected, or obtained;
(b) Determines that the purpose for which the disclosure is to be
made:
(1) Cannot be reasonably accomplished unless the record is provided
in individually identifiable form;
(2) Is of sufficient importance to warrant the effect and/or risk
on the privacy of the individual that additional exposure of the record
might bring; and
(3) There is reasonable probability that the objective for the use
would be accomplished;
(c) Requires the information recipient to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record;
(2) Remove or destroy the inforamiton that allows the individual to
be identified at the earliest time at which removal or destruction can
be accomplished consistent with the purpose of the project unless the
recipient presents an adequate justification of a research or health
nature for retaining such information; and
(3) Make no further use or disclosure of the record except;
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use in another research project, under these same
conditions, and with written authorization of HCFA;
(c) For disclosure to a properly identified person for the purpose
of an audit related to the research project, if information that would
enable research subjects to be identified is removed or destroyed at
the earliest opportunity consistent with the purpose of the audit; or
(d) When required by law.
(d) Secures a written statement attesting to the recipient's
understanding and willingness to abide by the provisions.
(5) To entities with a legitimate need for data for statistical
analyses bearing on Medicare payment policies for inpatient hospital
services. Information disclosed for this purpose will not include a
beneficiary's health insurance claim number, race, or Medicare status
code; the beneficiary's age will be identified only to the extent of
stating whether he or she resides in the same State as the provider;
the admission and discharge dates will be identified only by calendar
quarter; and the date of surgery will be identified only as the number
of days after admission. Each of the Medicare Provider Analysis and
Review (MEDPAR) files--short-stay hospital services file, long-term
hospital services, skilled nursing facility services file, and other
provider services files--will be modified in accordance with the
foregoing provision for release. The entity must agree:
(a) Not to try to identify individual beneficiaries;
(b) Not to disclose raw data to any persons except contractors for
data processing and storage (and it must agree to require any such
contractor not to release any data and not to retain any data after
performing the contract);
(c) Not to link this information to other beneficiary-specific
records;
(d) Not to publish or otherwise disclose data in a form raising
unacceptable possibilities that beneficiaries could be identified; and
(e) To safeguard the confidentiality of the data and to try to
prevent unauthorized access to it.
(6) To a contractor for the purpose of collating, analyzing,
aggregating, or otherwise refining or processing records in this system
or for developing, modifying, and/or manipulating automated data
processing (ADP) software. Data would also be disclosed to contractors
incidental to consultation, programming, operation, user assistance, or
maintenance for ADP or telecommunications systems containing or
supporting records in the system.
(7) With respect to the quality of care (QC) MEDPAR file, to
entities with a legitimate need for data for the purpose of conducting
research or evaluation on the quality and effectiveness of care
provided in hospitals. Research or evaluation under this routine use
must focus on the improvement of health care or measures for
determining, validating, and monitoring the quality and effectiveness
of hospital care in such areas as access to care, outcomes of care, and
effectiveness of care in improving, restoring, or maintaining the
independence and functioning of Medicare beneficiaries. Information
disclosed under this routine use will be limited to the data elements
described in appendix A.
The QC MEDPAR file may be released to an entity if HCFA determines:
a. That the use or disclosure does not violate legal limitations
under which the data were provided, collected, or obtained.
b. That the purpose for which the disclosure is to be made:
(1) Cannot reasonably be accomplished unless the data are provided
in the detailed form described in appendix A;
(2) Is reasonably likely to be accomplished in view of the
capabilities of the requesting entity and other factors; and
(3) Is of sufficient importance to warrant the possible effect on
the privacy of the individual that the disclosure of the data might
bring.
c. In order for HCFA to determine that the requirements in section
7.b. are met, the entity must submit and HCFA must approve:
(1) A research or evaluation plan specifying the objectives of the
research or evaluation, the manner in which the data will be used, the
financial support for the plan, and the date the research or evaluation
will be completed. Evaluation plans designed to assist specific
providers must be supported by letters of commitment to the evaluation
by the providers. Values or differences in values that would trigger
provider action must be addressed in the evaluation plan as well as the
action the provider intends to take; and
(2) A copy of any report by a panel of recognized experts reviewing
the research or evaluation plan (when such review has been performed).
d. The entity and its contractors, if any, must sign a statement
acknowledging that section 1106(a) of the Social Security Act, which
prohibits the disclosure of confidential information and imposes
criminal penalties, may apply. They must also agree to the following:
(1) Not to link the data to other beneficiary-specific records nor
to use the data to identify individual beneficiaries;
(2) Not to use the data for purposes that are not related to HCFA-
approved research or evaluation of the quality and effectiveness of
hospital inpatient care. Prohibited uses include but are not limited
to: Marketing, (for example, identification and targeting of under- or
over-served health service markets primarily for the purposes of
commercial benefit), insurance (for example, redlining areas deemed to
offer bad health insurance or underwriting risks), and adverse
selection (for example, identifying patients with high risk diagnoses).
The data must not be made available by the entity or its contractor for
an activity not approved by HCFA, even if carried on within the entity
or its contractor;
(3) Not to disclose the data to any persons or organizations unless
the data are in aggregated form as described in paragraph 5. The data
may be disclosed to a contractor for data processing if:
(a) The entity has specified in the research plan submitted to HCFA
that the contractor would receive the data for that purpose, or the
entity has obtained written authorization from HCFA to make the
disclosure to the contractor, and
(b) The contractor has signed a confidentiality statement with
HCFA.
(4) Not to publish or otherwise disclose the data in a form raising
unacceptable possibilities that beneficiaries could be identified
(i.e., the data must not be beneficiary-specific and must be aggregated
to a level where no data cells have 10 or fewer beneficiaries);
(5) To submit a copy of its plans for any aggregation of the data
intended for publication to HCFA for approval prior to publication;
(6) To establish appropriate administrative, technical, procedural,
and physical safeguards to protect the confidentiality of the data and
to prevent unauthorized access to it;
(7) To return all files to HCFA, and destroy any copies that may
have been made, at the completion of the research or evaluation plan.
(8) To an agency of a State government, or established by State
law, for purposes of determining, evaluating, and/or assessing cost,
effectiveness, and/or the quality of health care services provided in
the State, if HCFA:
(a) Determines that the use or disclosure does not violate legal
limitations under which the data were provided, collected, or obtained;
(b) Establishes that the data are exempt from disclosure under the
State and/or local Freedom of Information Act;
(c) Determines that the purpose for which the disclosure is to be
made:
(1) Cannot reasonably be accomplished unless the data are provided
in individually identifiable form;
(2) Is of sufficient importance to warrant the effect and/or risk
on the privacy of the individuals that additional exposure of the
record might bring; and
(3) There is a reasonable probability that the objective for the
use would be accomplished; and
(d) Requires the recipient to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record;
(2) Remove or destroy the information that allows the individual to
be identified at the earliest time at which removal or destruction can
be accomplished consistent with the purpose of the request, unless the
recipient presents an adequate justification for retaining such
information;
(3) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use on another project under the same conditions, and with
written authorization of HCFA;
(c) For disclosure to a properly identified person for the purpose
of an audit related to the project, if information that would enable
project subjects to be identified is removed or destroyed at the
earliest opportunity consistent with the purpose of the audit; or
(d) When required by law; and
(4) Secure a written statement attesting to the recipient's
understanding of and willingness to abide by these provisions. The
recipient must agree to the following:
(a) Not to use the data for purposes that are not related to the
evaluation of cost, quality, and effectiveness of care;
(b) Not to publish or otherwise disclose the data in a form raising
unacceptable possibilities that beneficiaries could be identified
(i.e., the data must not be beneficiary-specific and must be aggregated
to a level where no data cells have 10 or fewer beneficiaries); and
(c) To submit a copy of any aggregation of the data intended for
publication to HCFA for approval prior to publication.
(9) With respect to the Medicare mortality information file derived
from the MEDPAR file and other files available to HCFA, to individual
hospitals that have previously supplied to HCFA the patient-
identifiable data included on the file. Release of these data to the
hospital would include mortality predictors which have been
statistically derived by HCFA from data provided by the hospital,
national data, and the number of previous hospitalizations in all
hospitals. Certain conditions must be met before the data are released:
(a) The data may include information only on patients that the
requesting hospital has previously supplied plus the mortality
predictors;
(b) The hospital administrator must make a specific request for
these data in writing. This request must be on hospital letterhead,
must associate the need for these data with the hospital's quality of
care activities, and must indicate that the hospital will continue to
maintain the confidentiality of the data;
(c) A standard fee must be paid, as determined by HCFA, for these
data prior to their release to the hospital.
(10) To the Railroad Retirement Board for administering provisions
of both the Railroad Retirement and Social Security Acts relating to
railroad employment and/or to the administration of the Medicare
program.
(11) To insurance companies, self-insurers, Health Maintenance
Organizations (HMOs), multiple employer trusts, and other groups
providing protection against medical expenses of their enrollees
without the beneficiary's authorization.
Information to be disclosed shall be limited to Medicare
entitlement, utilization, and payment data. In order to receive this
information the entity must agree to the following conditions:
a. To certify that the individual about whom the information is
being provided is one of its insureds;
b. To utilize the information solely for the purpose of processing
the identified individual's insurance claims; and
c. To safeguard the confidentiality of the data and to prevent
unauthorized access to it.
(12) To insurers, underwriters, third party administrators (TPAs),
self-insurers, group health plans, employers, HMOs, health and welfare
benefit funds, Federal agencies, a State or local government or
political subdivision of either (when the organization has assumed the
role of an insurer, underwriter, or TPA, or in the case of a State that
assumes the liabilities of an insolvent insurer, through a State
created insolvent insurer pool or fund), multiple employer trusts, no-
fault, medical, automobile insurers, workers' compensation carriers or
plans, liability insurers, and other groups providing protection
against medical expenses who are primary payers to Medicare in
accordance with 42 U.S.C. 1395y(b), or any entity having knowledge of
the occurrence of any event affecting (A) an individual's right to any
such benefit or payment, or (B) the initial or continued right to any
such benefit or payment (for example, a State Medicaid agency, State
Workers' Compensation Board, or Department of Motor Vehicles) for the
purpose of coordination of benefits with the Medicare program and
implementation of the Medicare Secondary Payer (MSP) provision at 42
U.S.C. 1395y(b). The information HCFA may disclose will be:
Beneficiary Name
Beneficiary Address
Beneficiary Health Insurance Claim Number
Beneficiary Social Security Number
Beneficiary Sex
Beneficiary Date of Birth
Amount of Medicare Conditional Payment
Provider Name and Number
Physician Name and Number
Supplier Name and Number
Dates of Service
Nature of Service
Diagnosis
To administer the MSP provision at 42 U.S.C. 1395y(b)(1) more
effectively, HCFA would receive from and may disclose to insurers,
underwriters, TPAs, self-insureds, etc., the following types of
information (to the extent that it is available):
Subscriber Name and Address
Subscriber Date of Birth
Subscriber Social Security Number
Dependent Name
Dependent Date of Birth
Dependent Social Security Number
Dependent Relationship to Subscriber
Insurer/Underwriter/TPA Name and Address
Insurer/Underwriter/TPA Group Number
Insurer/Underwriter/TPA Group Name
Policy Number
Effective Date of Coverage
Employer Name, Employer Identification Number (EIN) and
Address
Employment Status
Amounts of Payment
To administer the MSP provision at 42 U.S.C. 1395y(b)(2) more
effectively for entities such as workers' compensation carriers or
boards, liability insurers, no-fault and automobile medical policies or
plans, HCFA would receive (to the extent that it is available) and may
disclose the following information:
Beneficiary's Name and Address
Beneficiary's Date of Birth
Beneficiary's Social Security Number
Name of Insured*
Insurer Name and Address
Type of Coverage; automobile, medical, no-fault, or
liability payment, or workers' compensation settlement
Insured's Policy Number
Effective Date of Coverage
Amount of payment under liability, no-fault, or automobile
medical policies, plans, and workers' compensation settlements
Employer Name and Address (workers' compensation only)
Name of insured could be the driver of the car, a
business, the beneficiary (i.e., the name of the individual or entity
which carries the insurance policy or plan).
In order to receive this information the entity must agree to the
following conditions:
a. To utilize the information solely for the purpose of
coordination of benefits with the Medicare program in accordance with
42 U.S.C. 1395y(b);
b. To safeguard the confidentiality of the data and to prevent
unauthorized access to it;
c. To prohibit the use of beneficiary-specific data for purposes
other than for the coordination of benefits between the recipient
organization and the Medicare program. This agreement would allow the
entities to use the information to determine cases where they have
primary responsibility for payment or cases where Medicare has primary
responsibility for payment. Examples of prohibited uses would include
but are not limited to: Creation of a mailing list, sale or transfer of
data.
To administer the MSP provision more effectively, HCFA may receive
or disclose the following types of information from or to entities
including insurers, underwriters, TPSs, and self-insured plans,
concerning potentially affected individuals:
Subscriber Health Insurance Claim Number
Dependent Name
Funding arrangements of employer group health plans, for
example, contributory or noncontributory plan, self-insured, re-
insured, HMO, TPA insurance
Claims payment information, for example, the amount paid,
the date of payment, the name of the insurer or payer
Dates of employment including termination date, if
appropriate
Number of full- and/or part-time employees in current and
preceding calendar years
Employment status of subscriber; for example, full- or
part-time, self-employed
(13) To another Federal agency; (1) to contribute to the accuracy
of HCFA's proper payment of Medicare health benefits, and/or (2) to
enable such agency to administer a Federal health benefits program, or
as necessary to enable such agency to fulfill a requirement of a
Federal statute or regulation, if HCFA:
(a) Determines that the use or disclosure does not violate legal
limitations under which the data were provided, collected, or obtained;
(b) Determines that the purpose for which the disclosure is to be
made cannot reasonably be accomplished unless the data are provided in
individually identifiable form;
(c) Requires the recipient to:
(1) Establish reasonable administrative, technical, physical
safeguards to prevent unauthorized use or disclosure of the record;
(2) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use on another project under the same conditions, and with
written authorization from HCFA; and
(c) When required by law;
(3) Secure a written statement attesting to the recipient's
understanding of and willingness to abide by the following provisions.
(a) Not to use the data for purposes that are not related to the
subject project;
(b) Not to publish or otherwise disclose the data in a form raising
unacceptable possibilities that beneficiaries could be identified
(i.e., the data must not be beneficiary-specific and must be aggregated
to a level where no data cells have 10 or fewer beneficiaries); and
(c) Not to publish any aggregation of the data without HCFA's
approval.
(14) To States for the purpose of administration of health care
programs when disclosure is necessary to enable the State to fulfill a
mandated statute or regulatory requirement. These data may be released
for these purposes, if HCFA:
(a) Determines that the use or disclosure does not violate legal
limitations under which the data were provided, collected, or obtained;
(b) Establishes that the data are exempt from disclosure under the
State and/or local Freedom of Information Act;
(c) Determines that the purpose for which the disclosure is to be
made:
(1) Cannot reasonably be accomplished unless the data are provided
in individually identifiable form;
(2) Is of sufficient importance to warrant the effect and/or risk
on the privacy of the individuals that additional exposure of the
record might bring; and
(3) There is a reasonable probability that the objective for the
use would be accomplished; and
(d) Requires the recipient to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record;
(2) Remove or destroy the information that allows the individual to
be identified at the earliest time at which removal or destruction can
be accomplished consistent with the purpose of the request, unless the
recipient presents an adequate justification for retaining such
information;
(3) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use on another project under the same conditions, and with
written authorization of HCFA;
(c) For disclosure to a properly identified person for the purpose
of an audit related to the project, if information that would enable
project subjects to be identified is removed or destroyed at the
earliest opportunity consistent with the purpose of the audit; or
(d) When required by law; and
(4) Secure a written statement attesting to the recipient's
understanding of and willingness to abide by these provisions. The
recipient must agree to the following:
(a) Not to use the data for purposes that are not related to the
subject project;
(b) Not to publish or otherwise disclose the data in a form raising
unacceptable possibilities that beneficiaries could be identified
(i.e., the data must not be beneficiary-specific and must be aggregated
to a level where no data cells have 10 or fewer beneficiaries); and
(c) Not to publish any aggregation of the data without HCFA's
approval.
(15) To a Peer Review Organization (PRO) in order to assist the PRO
to perform Title XI functions relating to improving quality of care.
Data may be released for this purpose if HCFA:
(a) Determines that the use or disclosure does not violate legal
limitations under which the data were provided, collected, or obtained;
(b) Requires the PRO to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record;
(2) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use on another project under the same conditions, and with
written authorization from HCFA; and
(c) When required by law; or when otherwise permitted by Federal
law.
(3) Complete and sign a written statement attesting to the PRO's
understanding of and willingness to abide by the provisions therein.
This written statement must:
(a) Specify the conditions for maintenance and redisclosure of such
information;
(1) To the extent that may be necessary to conduct a PRO function;
e.g., a case quality review project or study;
(2) In accordance with a project-specific data release agreement;
and
(b) Not to use the data for purposes that are not related to the
subject project.
All records are stored on magnetic media.
All records are indexed by health insurance claim number and by
provider number.
For computerized records, safeguards established in accordance with
Department standards and National Institute of Standards and Technology
guidelines (e.g., security codes) will be used, limiting access to
authorized personnel. System securities are established in accordance
with HHS, Information Resource Management (IRM) Circular #10, Automated
Information Systems Security Program; and HCFA Automated Information
Systems (AIS) Guide, Systems Security Policies.
Records are maintained with identifiers as long as needed for
program research.
Director, Bureau of Data Management and Strategy, 1-A-11, Security
Office Park, Baltimore, Maryland 21207-5187.
For purpose of access, the subject individual should write to the
system manager and furnish the following information: Name of system;
health insurance claim number; and for verification purposes, the
subject individual's name (women's maiden name, if applicable), social
security number, address, date of birth, and sex; and to ascertain
whether the individual's record is in the system, the date(s) of
utilization and they type of utilization under Part A or Part B of
Medicare services (e.g., home health services, hospital inpatient
services, hospital outpatient services, or skilled nursing facility
services.
Same as notification procedures. Individuals in the system should
also reasonably specify the record contents being sought. (These access
procedures are in accordance with the Department regulations (45 CFR
5b.5.)
The subject individual should contact the system manager named
above, and reasonably identify the record and specify the information
to be contested. State the corrective action sought and the reasons for
the correction with supporting justification. (These procedures are in
accordance with Department regulations (45 CFR 5b.7).)
Medicare enrollment records; Medicare bill records; Medicare
provider records for a sample of person treated as hospital patients
(inpatient and outpatient) and skilled nursing facility patients.
None.
[FR Doc. 94-9804 Filed 4-21-94; 8:45 am]
BILLING CODE 4120-03-M
