[Federal Register Volume 59, Number 139 (Thursday, July 21, 1994)]
[Unknown Section]
[Page 0]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-17621]
[[Page Unknown]]
[Federal Register: July 21, 1994]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Health Care Financing Administration
Privacy Act of 1974; Systems of Records
AGENCY: Department of Health and Human Services (HHS), Health Care
Financing Administration (HCFA).
ACTION: Notice of proposed new routine use for existing systems of
records.
-----------------------------------------------------------------------
SUMMARY: HCFA is proposing to revise the system notices for the
``Carrier Medicare Claims Records'' (CMCR), System No. 09-70-0501, and
the ``Intermediary Medicare Claims Records'' (IMCR), System No. 09-70-
0503. The Privacy Act permits disclosure of information without the
prior written consent of an individual for ``routine use'' that is;
disclosure for purposes compatible with the purpose for which the data
is collected. HCFA is proposing to revise the CMCR and IMCR by adding a
new routine use for release of intermediary and carrier maintained
beneficiary data to servicing Medicare banks and/or provider banks.
The purpose of this new routine use is to allow fiscal
intermediaries (FIs) and carriers to send claims payment and
beneficiary information to providers or their banks either directly, or
through a Value Added Network (VAN) telecommunications service and for
provider banks to use this information to perform account management
activities on behalf of providers. Under this scenario, the electronic
funds transfer (EFT) and the electronic remittance advice (ERA) flow
together through the banking system. The consolidation of Medicare
beneficiary and payment information will reduce paperwork and
administrative costs.
EFFECTIVE DATES: HCFA filed an altered system report with the Chairman
of the Committee on Government Operations of the House of
Representatives, the Chairman of the Committee on Governmental Affairs
of the Senate, and the Administrator, Office of Information and
Regulatory Affairs, Office of Management and Budget (OMB), on July 18,
1994. To ensure all parties have adequate time in which to comment, the
altered systems of records, including routine uses, will become
effective 40 days from the publication of this notice or from the date
submitted to OMB and the Congress, whichever is later, unless HCFA
receives comments which require alterations to this notice. The
proposed new routine use shall take effect without further notice 40
days from the date of publication unless comments received on or before
that date would warrant changes.
ADDRESSES: Please address comments to Mr. Richard A. DeMeo, HCFA
Privacy Act Officer, Office of Budgetary Services, Office of Customer
Relations and Communications, HCFA, Room 2-H-4 East High Rise Building,
6325 Security Boulevard, Baltimore, Maryland 21207-5187. Comments
received will be available for inspection at this location.
FOR FURTHER INFORMATION CONTACT:
Joseph Morical, Division of Financial Management, Office of Contracting
and Financial Management, Bureau of Program Operations, Health Care
Financing Administration, Room 1-B-4, Meadows East Building, 6325
Security Boulevard, Baltimore, Maryland 21207-5187. His telephone
number is (410) 966-7477.
SUPPLEMENTARY INFORMATION: The IMCR and the CMCR exist to assure proper
health insurance benefit payments to or on behalf of entitled Medicare
Part A and Part B beneficiaries. The Privacy Act permits disclosure of
information without the prior written consent of an individual for
``routine use'' that is; disclosure for purposes compatible with the
purpose for which the data is collected.
The IMCR and CMCR systems of records were last published in the
Federal Register at 55 FR 37549; September 12, 1990. Currently, there
are 23 routine uses in the IMCR system and 25 in the CMCR system that
permit disclosure of information to individuals and/or organizations
for a variety of reasons, the majority of which relate to the timely
and accurate processing of Medicare claims, payment safeguards
activities, and research. There are safeguards in place, as described
in the safeguard section of both systems, to protect the data which
have been developed in accordance with part 6 of the HHS Information
Resource Management Manual and the National Institute of Standards and
Technology Information Process Standards.
We are proposing to add a new routine use (number (24)/(26)) to the
Carrier and Intermediary systems of records, for the release of data
without an individuals' prior written consent. The new routine use
would permit the release of beneficiary data via ERA to servicing
Medicare banks and to provider banks. Servicing Medicare banks enter
into agreements with the Health Care Financing Administration and with
contracted Medicare claims processors to provide check clearing,
account maintenance and electronic payment origination services for the
Medicare program. The proposed routine use allows release of data from
the IMCR and the CMCR to servicing Medicare banks and/or Medicare
provider banks for one or more of the following purposes: (1) For
servicing Medicare banks to transmit ERAs on behalf of Medicare
contractors to Medicare providers directly or through the banking
system to either the provider's bank or a VAN; (2) For provider banks
to receive ERAs from the servicing Medicare banks and to transmit the
remittance information directly to Medicare providers via mail,
telefax, or electronic transmission; (3) For provider banks to receive
ERAs from the originating Medicare banks in order to perform account
maintenance activities at the request of Medicare providers.
Transmitting remittance data electronically to providers or their
banks directly from the servicing Medicare bank, and/or electronically
transmitting beneficiary and provider data along with payment
information from the servicing Medicare bank to providers, their banks
or a VAN service, allows for more efficient payment and reconciliation
processes for both HCFA and providers. The new routine use number (24),
for the IMCR, and (26), for the CMCR, will read as follows:
(24)/(26) Servicing Fiscal Intermediary/Carrier banks, Automated
Clearing Houses, VANs and provider banks to the extent necessary to
transfer to providers electronic remittance advices of Medicare
payments, and with respect to provider banks, to the extent necessary
to provide account management services to providers using this
information.
Technical amendments have been made to routine use number (24)/(26)
for consistency with the current notices. The IMCR and CMCR systems
maintain information for the purpose of processing and paying Medicare
benefits to or on behalf of eligible individuals. The proposed new
routine use is consistent with the Privacy Act, 5 U.S.C. 552a(a)(7),
since it is compatible with this purpose. In accordance with OMB
Guidelines (Circular A-130, 58 FR 36068, 36077 July 2, 1993), this
addition of a routine use constitutes a significant change in the
system of records. Accordingly, we have prepared a report of an altered
system of records under 5 U.S.C. 552a(r). In addition, for the
convenience of the reader, we are publishing the notice for both
systems in their entirety below.
Dated: July 12, 1994.
Bruce C. Vladeck,
Administrator, Health Care Financing Administration.
09-70-0501
Carrier Medicare Claim Records, HHS/HCFA/BPO.
None.
Carriers under contract to the Health Care Financing Administration
(HCFA) and the Social Security Administration. Direct any inquiries
regarding carrier locations to HCFA, Bureau of Program Operations,
Office of Contracting and Financial Management, Division of Acquisition
and Contracts, Contractor Operations Branch, Meadows East Building,
Room 332, 6325 Security Boulevard, Baltimore, Maryland 21207-5187.
Beneficiaries who have submitted claims for Supplementary Medical
Insurance (Medicare Part B), or individuals whose enrollment in an
employer group health benefits plan covers the beneficiary.
Request for Payment: Provider Billing for Patient services by
Physician; Prepayment Plan for Group Medicare Practice dealing through
a Carrier, Health Insurance Claim Form, Request for Medical Payment,
Patient's Request for Medicare Payment, Request for Medicare Payment-
Ambulance, Explanation of Benefits, Summary Payment Voucher, Request
for Claim Number Verification; Payment Record Transmittal; Statement of
Person Regarding Medicare Payment for Medical Services Furnished
Deceased Patient; Report of Prior Period of Entitlement; itemized bills
and other similar documents from beneficiaries required to support
payments to beneficiaries and to physicians and other suppliers of Part
B Medicare services; Medicare secondary payer records containing other
party liability insurance information necessary for appropriate
Medicare claim payment.
Sections 1842, 1862(b) and 1874 of title XVIII of the Social
Security Act (42 U.S.C. 1395u, 1395y(b) and 1395kk).
To properly pay medical insurance benefits to or on behalf of
entitled beneficiaries.
Disclosure may be made to:
(1) Claimants, their authorized representative or representative's
payees to the extent necessary to pursue claims made under Title XVIII
of the Social Security Act (Medicare).
(2) Third-party contacts (without the consent of the individuals to
whom the information pertains) in situations where the party to be
contacted has, or is expected to have information relating to the
individual's capability to manage his or her affairs or to his or her
eligibility for or entitlement to benefits under the Medicare program
when:
(a) The individual is unable to provide the information being
sought (an individual is considered to be unable to provide certain
types of information when any of the following conditions exist:
Individual is incapable or of questionable mental capability, cannot
read or write, cannot afford the cost of obtaining the information, a
language barrier exists, or the custodian of the information will not,
as a matter of policy, provide it to the individual), or
(b) The data are needed to establish the validity of evidence or to
verify the accuracy of information presented by the individual, and it
concerns one or more of the following; the individual's eligibility to
benefits under the Medicare program;: The amount of reimbursement;: Any
case in which the evidence is being reviewed as a result of suspected
abuse or fraud, concern for program integrity, or for quality
appraisal, or evaluation and measurement of system activities.
(3) Third-party contacts where necessary to establish or verify
information provided by representative payees or payee applicants.
(4) The Treasury Department for investigating alleged theft,
forgery, or unlawful negotiation of Medicare reimbursement checks.
(5) The U.S. Postal Service for investigating alleged forgery or
theft of Medicare checks.
(6) The Department of Justice for investigating and prosecuting
violations of the Social Security Act to which criminal penalties
attach, or other criminal statutes as they pertain to the Social
Security Act programs, for representing the Secretary, and for
investigating issues of fraud by agency officers or employees, or
violation of civil rights.
(7) The Railroad Retirement Board for administering provisions of
the Railroad Retirement and Social Security Acts relating to railroad
employment.
(8) Peer Review Organizations and Quality Review Organizations in
connection with their review of claims, or in connection with studies
or other review activities, conducted pursuant to Part B of Title XI of
the Social Security Act.
(9) State Licensing Boards for review of unethical practices of
nonprofessional conduct.
(10) Providers and suppliers of services (and their authorized
billing agents) directly or dealing through fiscal intermediaries or
carriers, for administration of provisions of title XVIII.
(11) An individual or organization for a research, evaluation or
epidemiological project related to the prevention of disease or
disability, or the restoration or maintenance of health if HCFA:
a. Determines that the use of disclosure does not violate legal
limitations under which the record was provided, collected, or
obtained.
b. Determines that the purpose for which this disclosure is to be
made:
(1) Cannot be reasonably accomplished unless the record is provided
in individually identifiable form.
(2) Is of sufficient importance to warrant the effect and/or risk
on the privacy of the individual that additional exposure of the record
might bring, and
(3) There is reasonable probability that the objective for the use
would be accomplished:
(c) Requires the information recipient to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record, and
(2) Remove or destroy the information that allows the individual to
be identified at the earliest time at which removal or destruction can
be accomplished consistent with the purpose of the project, unless the
recipient presents an adequate justification of a research or health
nature for retaining such information and
(3) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety or
any individual.
(b) For use in another research project, under these same
conditions, and with written authorization of HCFA.
(c) For disclosure to a properly identified person for the purpose
of audit related to the research project, if information that would
enable research subjects to be identified is removed or destroyed at
the earliest opportunity consistent with the purpose of the audit, or
(d) When required by law;
d. Secures a written statement attesting to the information
recipient's understanding of and willingness to abide by these
provisions.
(12) State welfare departments pursuant to agreements with the
Department of Health and Human Services for administration of State
supplementation payments for determinations of eligibility for
Medicaid, for enrollment of welfare recipients for medical insurance
under section 1843 of the Social Security Act, for quality control
studies, for determining eligibility of recipients of assistance under
titles IV and XIX of the Social Security Act, and for the complete
administration of the Medicaid program.
(13) A congressional office from the record of an individual in
response to an inquiry from the congressional office at the request of
that individual.
(14) State audit agencies in connection with the audit of Medicare
eligibility considerations. Disclosures of physicians' customary charge
data are made to State audit agencies in order to ascertain the
corrections of Title XIX charges and payments.
(15) The Department of Justice to a court or other tribunal, or to
another party before such tribunal, when:
(a) HHS, or any component therein; or
(b) Any HHS employee in his or her official capacity; or
(c) Any HHS employee in his or her individual capacity where the
Department of Justice or HHS, (where it is authorized to do so) has
agreed to represent the employee; or
(d) The United States or any agency thereof where HHS determines
that the litigation is likely to affect HHS or any of its components,
is a party to litigation or has an interest in such litigation, and HHS
determines that the use of such records by the Department of Justice,
the tribunal, or the other party is relevant and necessary to the
litigation and would help in the effective representation of the
governmental party, provided, however, that in each case, HHS
determines that such disclosure is compatible with the purpose for
which the records were collected.
(16) Peer review groups, consisting of members of State, County, or
local medical societies or medical care foundations (physicians),
appointed by the medical societies or foundation at the request of the
carrier to assist in the resolution of questions of medical necessity,
utilization of particular procedures or practices, or other utilization
of services with respect to Medicare claims submitted to the carrier.
(17) Physicians and other suppliers of services who are attempting
to validate individual items on which the amounts included in the
annual Physician-Supplier Payment List or similar publications are
based.
(18) Senior citizen volunteers working in intermediaries' and
carriers' offices to assist Medicare beneficiaries in response to
beneficiaries' requests for assistance.
(19) A contractor working with Medicare carriers/intermediaries to
identify and recover erroneous Medicare payments for which workers'
compensation programs are liable.
(20) State and other governmental Workers' Compensation Agencies
working with the Health Care Financing Administration to assure that
workers' compensation payments are made where Medicare has erroneously
paid and workers' compensation programs are liable.
(21) Insurance companies, self-insurers, Health Maintenance
Organizations, multiple employer trusts and other groups providing
protection against medical expenses of their enrollees. Information to
be disclosed shall be limited to Medicare entitlement data. In order to
receive the information the entity must agree to the following
conditions:
a. To certify that the individual on whom the information is being
provided is one of its insured;
b. To utilize the information solely for the purpose of processing
the identified individual's insurance claims; and
c. To safeguard the confidentiality of the data and to prevent
unauthorized access to it.
(22) To a contractor for the purpose of collating, analyzing,
aggregating or other wise refining or processing records in this system
or for developing, modifying and/or manipulating ADP software. Data
would also be disclosed to contractors incidental to consultation,
programming, operation, user assistance, or maintenance for ADP or
telecommunications systems containing or supporting records in the
system.
(23) To an agency of a State Government, or established by State
law, for purposes of determining, evaluating and/or assessing cost,
effectiveness, and/or the quality of health care services provided in
the State, if HCFA:
a. Determines that the use of disclosure does not violate legal
limitations under which the data were provided, collected or obtained:
b. Establishes that the data are exempt from disclosure under the
State and/or local Freedom of Information Act;
c. Determines that the purpose for which the disclosure is to be
made:
(1) Cannot reasonably be accomplished unless the data are provided
in individually identifiable form;
(2) Is of sufficient importance to warrant the effect and/or risk
on the privacy of the individuals that additional exposure of the
record might bring, and;
(3) There is reasonable probability that the objectives for the use
would be accomplished; and
d. Requires the recipient to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record;
(2) Remove or destroy the information that allows the individual to
be identified at the earliest time at which removal or destruction can
be accomplished consistent with the purpose of the request, unless the
recipient presents an adequate justification for retaining such
information;
(3) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use in another project under the same conditions, and with
written authorization in HCFA;
(c) For disclosure to a properly identified person for the purpose
of an audit related to the project, if information that would enable
project subjects to be identified is removed or destroyed at the
earliest opportunity consistent with the purpose of the audit, or
(d) When required by law; and
(4) Secure a written statement attesting to the recipient's
understanding of and willingness to abide by these provisions. The
recipient must agree to the following:
(a) Not to use the data for purposes that are not related to the
evaluation of cost, quality and effectiveness of care;
(b) Not to publish or otherwise disclose the data in a form raising
unacceptable possibilities that beneficiaries could be identified
(i.e., the data must not be beneficiary-specific and must be aggregated
to a level when no data cells have ten or fewer beneficiaries); and
(c) To submit a copy of any aggregation of the data intended for
publication to HCFA for approval prior to publication.
(24) to insurers, underwriters, third party administrators, self-
insurers, groups health plans, employers, health maintenance
organizations, health and welfare benefit funds, Federal agencies, a
State or local government or political subdivision of either (when the
organization has assumed the role of an insurer, underwriter, or third
party administrator, or in the case of a State that assumes the
liabilities of an insolvent insurer, through a State created insolvent
insurer pool or fund), multiple-employer trusts, no-fault, medical,
automobile insurers, workers' compensation carriers or plans, liability
insurers, and other groups providing protection against medical
expenses who are primary payers to Medicare in accordance with 42
U.S.C. 1395y(b), or any entity having knowledge of the occurrence of
any event affecting (A) an individual's right to any such benefit or
payment, or (B) the initial or continued right to any such benefit or
payment (for example, a State Medicaid Agency, State Workers'
Compensation Board, or the Department of Motor Vehicles), for the
purpose of coordination of benefits with the Medicare program and
implementation of the Medicare Secondary Payer provisions at 42 U.S.C.
1395y(b). The information HCFA may disclose will be:
Beneficiary Name.
Beneficiary Address.
Beneficiary Health Insurance Claim Number.
Beneficiary Social Security Number.
Beneficiary Sex.
Beneficiary Date of Birth
Amount of Medicare Conditional Payment
Provider name and number
Physician name and number
Supplier name and number
Dates of service
Nature of Service
Diagnosis.
To administer the Medicare Secondary Payer provisions at 42 U.S.C.
1395y(b)(2), (3), and (4) more effectively, HCFA would receive (to the
extent that it is available) and may disclose the following types of
information from insurers, underwriters, third party administrators
(TPAs), self-insured, etc.:
Subscriber Name and Address.
Subscriber Date of Birth.
Subscriber Social Security Number.
Dependent Name.
Dependent Date of Birth.
Dependent Social Security Number.
Dependent Relationship to Subscriber.
Insurer/Underwriter/TPA Name and Address.
Insurer/Underwriter/TPA Group Number.
Insurer/Underwriter/TPA Group Name.
Prescription Drug Coverage.
Policy Number.
Effective Date of Coverage.
Employer Name, Employer Identification Number (EIN) and
Address.
Employment Status.
Amounts of Payment.
To Administer the Medicare Secondary Payer provision at 42 U.S.C.
1395y(b)(1) more effectively for entities such as Workers Compensation
carriers or boards, liability insurers, no-fault and automobile medical
policies or plans, HCFA would receive (to the extent that it is
available) and may disclose the following information:
Beneficiary's Name and Address.
Beneficiary's Date of Birth.
Beneficiary's Social Security Number.
Name of Insured.
Insurer Name and Address.
Type of coverage; automobile medical, no-fault, liability
payment, or workers' compensation settlement.
Insured's Policy Number.
Effective Date of Coverage.
Date of accident, injury or illness.
Amount of payment under liability, no-fault, or automobile
medical policies, plans, and workers' compensation settlement.
Employer Name and Address (Workers' Compensation only).
Name of insured could be the driver of the car, a
business, the beneficiary (i.e., the name of the individual or entity
which carries the insurance policy or plan).
In order to receive this information the entity must agree to the
following conditions:
a. To utilize the information solely for the purpose of
coordination of benefits with the Medicare program and other third
party payers in accordance with 42 U.S.C. 1395y(b);
b. To safeguard the confidentiality of the data and to prevent
unauthorized access to it;
c. To prohibit the use of beneficiary-specific data for purposes
other than for the coordination of benefits among third party payers
and the Medicare program. This agreement would allow the entities to
use the information to determine cases where they or other third party
payers have primary responsibility for payment. Examples of prohibited
uses would include but are not limited to: Creation of a mailing list,
sale or transfer of data.
--To administer the MSP provisions more effectively, HCFA may receive
or disclose the following types of information from or to entities
including insurers, underwriters, third party administrators (TPAs),
and self-insured plans, concerning potentially affected individuals:
Subscriber Health Insurance Claim Number.
Dependent Name.
Funding arrangements of employer group health plans, for
example, contributory or non-contributory plan, self-insured, re-
insured, HMO, TPA insurance.
Claims payment information, for example, the amount paid,
the date of payment, the name of the insurer or payer.
Dates of employment including termination date, if
appropriate.
Number of full and/or part-time employees in the current
and preceding calendar years.
Employment status of subscriber, for example full or part
time, self employed.
(25) To the Internal Revenue Service for the application of tax
penalties against employers and employee organizations that contribute
to Employer Group Health Plans or Large Group Health Plans that are not
in compliance with 42 U.S.C. 1395y(b).
(26) To servicing Fiscal Intermediary/Carrier banks, Automated
Clearing Houses, VANs and provider banks to the extent necessary to
transfer to providers electronic remittance advice of Medicare
payments, and with respect to provider banks, to the extent necessary
to provide account management services to providers using this
information. See ``Supplementary Information.''
Records maintained on paper and electronic media.
System is indexed by health insurance claim number. The record is
prepared by the physician, supplier or other provider with identifying
information received from the beneficiary to establish eligibility for
Medicare and document and support payments to physicians, suppliers or
other providers by the carrier. The claim data are forwarded to the
Health Care Financing Administration, Bureau of Data Management and
Strategy, Baltimore, MD, where they are used to update the Central
Office Records.
Unauthorized personnel are denied access to the records area.
Disclosure is limited. Physical safeguards related to the transmission
and reception of data between Rockville and Baltimore are those
requirements established in accordance with HHS standards and National
Institute of Standards and Technology guidelines (e.g., security codes
will be used, limiting access to authorized personnel). System
securities are established in accordance with HHS Information Resource
Management (IRM) Circular #10, Automated Information Systems Security
Program, and HCFA's Automated Information Systems (AIS) Guide, Systems
Security Policies.
Records are closed at the end of the calendar year in which paid,
held 2 additional years, transferred to Federal Records Center and
destroyed after another 2 years.
Health Care Financing Administration, Director, Bureau of Program
Operations, 6325 Security Boulevard, Baltimore, MD 21207.
Inquiries and requests for system records should be addressed to
the most convenient social security office, the appropriate carrier,
the HCFA Regional Office, or to the system manager named above. The
individual should furnish his or her health insurance claim number and
the name as shown on social security records. An individual who
requests notification of or access to a medical record shall, at the
time the request is made, designate in writing a responsible
representative who will be willing to review the record and inform the
subject individual of its contents at the representative's discretion.
Same as notification procedures. Requesters should also reasonably
specify the records contents being sought. These procedures are in
accordance with Department Regulations, 45 CFR 5b.5(a)(2).
Contact the official at the address specified under notification
procedures above, and reasonably identify the record and specify the
information to be contested. State the corrective action sought and the
reasons for the correction with supporting justification. These
procedures are in accordance with Department regulations, 45 CFR 5b.7.
The data contained in these records is either furnished by the
individual or, in the case of some Medicare secondary payer situations,
through third party contacts. In most cases, the identifying
information is provided to the physician by the individual. The
physician then adds the medical information and submits the bill to the
carrier for payment.
None.
09-70-0503
Intermediary Medicare Claims Records, HHS/HCFA/BPO
None.
Intermediaries under contract to the Health Care Financing
Administration and the Social Security Administration. Direct inquiries
for intermediary locations to: HCFA, Bureau of Program Operations,
Office of Contracting and Financial Management, Division of Acquisition
and Contracts, Contractor Operations Branch, Meadows East Building,
Room 332, 6325 Security Boulevard, Baltimore, Maryland 21207-5187.
Beneficiaries on whose behalf providers have submitted claims for
reimbursement on a reasonable cost basis under Medicare parts A and B,
or are eligible for Medicare, or individuals whose enrollment in an
employer group health benefits plan covers the beneficiary under
Medicare.
Billing for Medical and Other Health Services: Uniform bill for
provider services or equivalent data in electronic format, and Medicare
Secondary Payer records containing other third party liability
insurance information necessary for appropriate Medicare claims payment
and other documents used to support payments to beneficiaries and
providers of services. These forms contain the beneficiary's name, sex,
health insurance claim number, address, date of birth, medical record
number, prior stay information, provider name and address, physician's
name and/or identification number, warranty information when pacemakers
are implanted or explanted, date of admission and discharge, other
health insurance, diagnosis, surgical procedures, a statement of
services rendered for related charges and other data needed to
substantiate claims.
The following elements are outpatient data provided to Medicare
intermediaries by rehabilitation agencies, skilled nursing facilities,
hospital outpatient departments, home intravenous drug providers and
home health agencies that provide physical therapy in addition to home
health services:
Outpatient's name.
HI number.
Admission data to provider.
Place treatment rendered.
Number of visits since start of care.
Diagnosis.
Diagnosis requiring treatment.
Onset of condition for which treatment is being sought.
Dates of previous therapy for same diagnosis.
Other therapy outpatient is currently receiving.
Observations.
Precautions and medical equipment.
Functional status immediately prior to this therapy.
Types of treatment--modalities.
Frequency of treatment.
Expected duration of treatment.
Rehabilitation potential.
Level of communication potential.
Average time per visits.
Goals.
Statement of problem at beginning of billing period.
Changes in problem at end of billing period.
Signature of therapist.
Certification and recertification by physician that
services are to be provided from an established plan of care.
Tests results.
Biopsy reports.
Methods of administration, e.g., pill vs. injection.
Physician orders.
Procedure codes.
Changes.
Weekly progress notes.
National Drug Code (NDC).
Sections 1816, 1862(b) and 1874 of Title XVIII of the Social
Security Act (42 U.S.C. 1395h, 1395y(b) and 1395kk).
To process and pay Medicare benefits to or on behalf of eligible
individuals.
Disclosure may be made to:
(1) Claimants, their authorized representatives or representative
payees to the extent necessary to pursue claims made under title XVIII
of the Social Security Act (Medicare).
(2) Third-party contacts, without the consent of the individual to
whom the information pertains, in situations where the party to be
contacted has, or is expected to have information relating to the
individual's capability to manage his or her affairs or to his or her
eligibility for or entitlement to benefits under the Medicare program
when:
(a) The individual is unable to provide the information being
sought (an individual is considered to be unable to provide certain
types of information when any of the following conditions exist:
Individual is incapable or of questionable mental capability, cannot
read or write, cannot afford the cost of obtaining the information, a
language barrier exists, or the custodian of the information will not,
as a matter of policy provide to the individual), or
(b) The data are needed to establish to validity of evidence or to
verify the accuracy of information presented by the individual, and it
concerns one or more of the following: The individual's eligibility to
benefits under the Medicare program; the amount of reimbursement of any
case in which the evidence is being reviewed as a result of suspected
abuse or fraud, concern for program integrity, or for quality
appraisal, or evaluation and measurement of systems activities.
(3) Third-party contacts where necessary to establish or verify
information provided by representative payees or payee applicants.
(4) The Treasury Department for investigating alleged theft,
forgery, or unlawful negotiations of Medicare reimbursement checks.
(5) The U.S. Postal Service for investigating alleged forgery or
theft of Medicare checks.
(6) The Department of Justice for investigating and prosecution
violations of the Social Security Act to which criminal penalties
attach, or other criminal statutes as they pertain to Social Security
Act programs, for representing the Secretary, and for investigating
issues of fraud by agency officers or employees, or violation of civil
rights.
(7) The Railroad Retirement Board for administering provisions of
the Railroad Retirement and Social Security Acts relating to railroad
employment.
(8) Peer Review Organizations and Quality Review Organizations in
connection with their review of claims, or in connection with studies
or other review activities, conducted pursuant to Part B of Title XI of
the Social Security Act.
(9) State Licensing Boards for review of unethical practices or
nonprofessional conduct.
(10) Providers and suppliers of services (and their authorized
billing agents) directly or dealing through fiscal intermediaries or
carriers, for administration of provisions of title XVIII.
(11) An individual or organization for a research, evaluation, or
epidemiological project related to the prevention of disease or
disability, or maintenance of health if HCFA:
a. Determines that the use or disclosure does not violate legal
limitations under which the record was provided, collected, or
obtained:
b. Determines that the purpose for which the disclosure is to be
made:
(1) Cannot be reasonably accomplished unless the record is provided
in individually identifiable form.
(2) Is of sufficient importance to warrant the effect and/or risk
on the privacy of the individual that additional exposure of the record
might bring, and
(3) There is reasonable probability that the objective for the use
would be accomplished:
c. Requires the information recipient to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record, and
(2) Remove or destroy the information that allows the individual to
be identified at the earliest time at which removal or destruction can
be accomplished consistent with the purpose of the project, unless the
recipient presents an adequate justification of a research or health
nature for retaining such information, and
(3) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use in another research project, under these same
conditions, and with written authorization of HCFA;
(c) For disclosure to a properly identified person for the purpose
of an audit related to the research project, if information that would
enable research subjects to be identified is removed or destroyed at
the earliest opportunity consistent with the purpose of the audit;
(d) When required by law.
d. Secures a written statement attesting to the information
recipient's understanding of and willingness to abide by the
provisions.
(12) State welfare departments pursuant to agreements with the
Department of Health and Human Services for administration of State
supplementation payments for determination of eligibility for Medicaid,
for enrollment of welfare recipients for medical insurance under
section 1843 of the Social Security Act for quality control studies,
for determining eligibility of recipients of assistance under titles IV
and XIX of the Social Security Act, and for the complete administration
of the Medicaid program.
(13) A congressional office from the record of an individual in
response to an inquiry from the congressional office at the request of
that individual.
(14) State audit agencies in connection with the audit of Medicaid
eligibility considerations.
(15) The Department of Justice, to a court or other tribunal, or to
another party before such tribunal, when:
(a) HHS, or any component thereof; or
(b) Any HHS employee in his or her official capacity; or
(c) Any HHS employee in his or her individual capacity where the
Department of Justice (or HHS, where it is authorized to do so) has
agreed to represent the employee, or
(d) The United States or any agency thereof where HHS determines
that the litigation is likely to affect HHS or any of its components,
is a party to litigation or has an interest in such litigation, and HHS
determines that the use of such records by the Department of Justice,
the tribunal, or the other party is relevant and necessary to the
litigation and would help in the effective representation of the
government party, provided, however, that in such case, HHS determines
that such disclosure is compatible with the purpose for which the
records were collected.
(16) Senior citizen volunteers working in the intermediaries' and
carriers' offices to assist Medicare beneficiaries in response to
beneficiaries requests for assistance.
(17) A contractor working with Medicare carriers/intermediaries to
identify and recover erroneous Medicare payments for which workers'
compensation programs are liable.
(18) State and other governmental Workers' Compensation Agencies
working with the Health Care Financing Administration to assure that
workers' compensation payments are made where Medicare has erroneously
paid and workers' compensation programs are liable.
(19) Insurance companies, self-insurers, Health Maintenance
Organizations, multiple employer trusts and other groups providing
protection against medical expenses of their enrollees. Information to
be disclosed shall be limited to Medicare entitlement data. In order to
receive this information the entity must agree to the following
conditions:
a. To certify that the individual about whom the information is
being provided is one of its insured:
b. To utilize the information solely for the purpose of processing
the identified individual's insurance claims; and
c. To safeguard the confidentiality of the data and to prevent
unauthorized access to it.
(20) To a contractor for the purpose of collating, analyzing,
aggregating or otherwise refining or processing records in this system
or for developing, modifying and/or manipulating ADP software. Data
would also be disclosed to contractors incidental to consultation,
programming, operation, user assistance, or maintenance for ADP or
telecommunications systems containing or supporting records in the
system.
(21) To any agency of a State Government, or established by State
law, for purposes of determining, evaluating and/or assessing cost,
effectiveness, and/or the quality of health care services provided in
the State, if HCFA:
a. Determines that the use or disclosure does not violate legal
limitations under which the data were provided, collected, or obtained;
b. Establishes that the data are exempt from disclosure under the
State and/or local Freedom of Information Act;
c. Determines that the purpose for which the disclosure is to be
made:
(1) Cannot reasonably be accomplished unless the data are provided
in individually identifiable form;
(2) Is of sufficient importance to warrant the effect and/or risk
on the privacy of the individuals that additional exposure of the
record might bring; and
(3) There is reasonable probability that the objective for the use
would be accomplished; and
d. Requires the recipient to:
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized use or disclosure of the record;
(2) Removed or destroy the information that allows the individual
to be identified at the earliest time at which removal or destruction
can be accomplished consistent with the purpose of the request, unless
the recipient presents an adequate justification for retaining such
information;
(3) Make no further use or disclosure of the record except;
(a) In emergency circumstances affecting the health or safety of
any individual;
(b) For use in another project under the same conditions, and with
written authorization of HCFA;
(c) For disclosure to a properly identified person for the purpose
of an audit related to the project, if information that would enable
project subjects to be identified is removed or destroyed at the
earliest opportunity consistent with the purpose of the audits; or
(d) When required by law; and
(4) Secure a written statement attesting to the recipient's
understanding of and willingness to abide by these provisions. The
recipient must agree to the following:
(1) Not to use the data for purposes that are not related to the
evaluation of cost, quality, and effectiveness of care;
(2) Not to publish or otherwise disclose the data in a form raising
unacceptable possibilities that beneficiaries could be identified
(i.e., the data must not be beneficiary-specific and must be aggregated
to level when no data cells have ten or fewer beneficiaries); and
(3) To submit a copy of any aggregation of the data intended for
publication to HCFA for approval prior to publication.
(22) To insurers, underwriters, third party administrators (TPAs),
self-insurers, group health plans, employers, health maintenance
organizations, health and welfare benefit funds. Federal agencies, a
State or local government or political subdivision of either (when the
organization has assumed the role of an insurer, underwriter, or third
party administrator, or in the case of a State that assumes the
liabilities of an insolvent insurer, through a State created insolvent
insurers pool or fund), multiple-employer trusts, no-fault, medical,
automobile insurers, workers' compensation carriers or plans, liability
insurers, and other groups providing protection against medical
expenses who are primary payers to Medicare in accordance with 42
U.S.C. 1395y(b), or any entity having knowledge of the occurrence of
any event affecting (A) an individual's right to any such benefit or
payment, Or (B) the initial or continued right to any such benefit or
payment (for example, a State Medicaid Agency, State Workers'
Compensation Board, or Department of Motor Vehicles) for the purpose of
coordination of benefits with the Medicare program and implementation
of the Medicare Secondary Payer provisions at 42 U.S.C. implementation
of the Medicare Secondary Payer provisions at 42 U.S.C. 1395y(b). The
information HCFA may disclose will be:
Beneficiary Name.
Beneficiary Address.
Beneficiary Health Insurance Claim Number.
Beneficiary Social Security Number.
Beneficiary Sex.
Beneficiary Date of Birth.
Amount of Medicare Conditional Payment.
Provider Name and Number.
Physician Name and Number.
Supplier Name and Number.
Dates of Service.
Nature of Service.
Diagnosis.
The administer the Medicare Secondary Payer provision at 42 USC
1395y(b) (2), (3), and (4) more effectively, HCFA would receive (to the
extent that it is available) and may disclose the following types of
information from insurers, underwriters, third party administrator,
self-insurers, etc.:
Subscriber Name and Address.
Subscriber Date of Birth.
Subscriber Social Security Number.
Dependent Name.
Dependent Date of Birth.
Dependent Social Security Number.
Dependent Relationship to Subscriber.
Insurer/Underwriter/TPA Name and Address.
Insurer/Underwriter/TPA Group Number.
Insurer/Underwriter/Group Name.
Prescription Drug Coverage.
Policy Number.
Effective Date of Coverage.
Employer Name, Employer Identification Number (EIN) and
Address.
Employment Status.
Amounts of Payment.
To administer the Medicare Secondary Payer provision at 42 USC
12395(b)(1) more effectively for entities such as Workers Compensation
carriers or boards, liability insurers, no-fault and automobile medical
policies or plans, HCFA would receive (to the extent that it is
available) and may disclose the following information:
Beneficiary's Name and Address.
Beneficiary's Date of Birth.
Beneficiary's Social Security Number.
Name of Insured.
Insurer Name and Address.
Type of coverage; automobile medical, no-fault, liability
payment, or workers' compensation settlement.
Insured's Policy Number.
Effective Date of Coverage.
Date of accident, injury or illness.
Amount of payment under liability, no-fault, or automobile
medical policies, plans, and workers compensation settlements.
Employer Name and Address (Workers' Compensation only).
Name of insured could be the driver of the car, a
business, the beneficiary (i.e., the name of the individual or entity
which carries the insurance policy or plan).
In order to receive this information the entity must agree to the
following conditions:
a. To utilize the information solely for the purpose of
coordination of benefits with the Medicare program and other third
party payer in accordance with 42 U.S.C. 1395y(b);
b. To safeguard the confidentiality of the data and to prevent
unauthorized access to it;
c. To prohibit the use of beneficiary-specific data for purposes
other than for the coordination of benefits among third party payers
and the Medicare program. This agreement would allow the entities to
use the information to determine cases where they or other third party
payers have primary responsibility for payment. Examples of prohibited
uses would include but are not limited to; creation of a mailing list,
sale or transfer of data.
--To administer the MSP provisions more effectively, HCFA may receive
or disclose the following types of information from or to entities
including insurers, underwriters, TPAs, and self-insured plans,
concerning potentially affected individuals:
Subscriber Health Insurance Claim Number.
Dependent Name.
Funding arrangements of employer group health plans, for
example, contributory or non-contributory plan, self-insured, re-
insured, HMO, TPA insurance.
Claims payment information, for example, the amount paid,
the date of payment, the name of the insurer or payer.
Dates of employment including termination date, if
appropriate.
Number of full and/or part-time employees in the current
and preceding calendar years.
Employment status of subscriber, for example full or part
time, self employed.
(23) To the Internal Revenue Service for the application of tax
penalties against employers and employee organizations that contribute
to Employer Group Health Plans or Large Group Health Plans that are not
in compliance with 42 U.S.C. 1395y(b).
(24) To servicing Fiscal Intermediary/Carrier banks, Automated
Clearing Houses, VANs and provider banks to the extent necessary to
transfer to providers electronic remittance advice of Medicare
payments, and with respect to provider banks, to the extent necessary
to provide account management services to providers using this
information. See SUPPLEMENTARY INFORMATION.
Records maintained on paper forms and/or electronic media.
The system is indexed by health insurance claim number. The record
is prepared by the hospital or other provider with identifying
information received from the beneficiary to establish eligibility for
Medicare and document and support payments to providers by the
intermediaries. The bill data are forwarded to the Health Care
Financing Administration, Bureau of Data Management and Strategy,
Baltimore, MD, where they are used to update the central office
records.
Disclosure of records is limited. Physical safeguards are
established in accordance with Department standards and National
Institute of Standards and Technology guidelines (e.g., security codes)
will be used, limiting access to authorized personnel. System
securities are established in accordance with HHS Information Resource
Management (IRM) Circular #10, Automated information Systems Security
Program, and HCFA Automated Information Systems (AIS) Guide, System
Security Policies.
Records are closed out at the end of the calendar year in which
paid, held 2 more years, transferred to the Federal Records Center and
destroyed after another 6 years.
Health Care Financing Administration, Director, Bureau of Program
Operations, 6325 Security Boulevard, Baltimore, MD 21207.
Inquiries and requests for system records should be addressed to
the social security office nearest the requester's residence, the
appropriate intermediary, the HCFA Regional Office, or to the system
manager named above. The individual should furnish his or her health
insurance number and name as shown on social security records. An
individual who requests notification of or access to a medical record
shall, at the time the request is made, designate in writing a
responsible representative who will be willing to review the record and
inform the subject individual of its contents at the representative's
discretion.
Same as notification procedures. Requesters should also reasonably
specify the records contents being sought. These procedures are in
accordance with Department Regulations, 45 CFR 5b.5(a)(2).
Contact the official at the address specified under notification
procedure above, and reasonably identify the record and specify the
information to be contested. State the corrective action sought and the
reasons for the correction with supporting justification. These
procedures are in accordance with Department Regulations, 45 CFR 5b.7.
The identifying information contained in these records is obtained
by the provider from the individual or, in the case of some Medicare
secondary payer situations, through third party contacts. The medical
information is entered by the provider of medical services.
None.
[FR Doc. 94-17621 Filed 7-20-94; 8:45 am]
BILLING CODE 4120-03-M
