CMS Pub. 100-01, ch. 6
(Rev. 123, 05-10-19)
(Rev. 124, 05-17-19)
100.2 - Procedures for Supplying Title XVIII Information to State Agencies
100.3 - Disclosure to Title V and Title XIX Agencies of Information Indicating Unprofessional or Unethical Practices by Physicians and Other Practitioners
170.4 - Disclosure to Third Parties for Other Than program Purposes
170.5 - Disclosure of Claims Payment Information in Alcohol and Drug Abuse Cases
170.6 - Disclosure of Itemized Statement to an Individual for Any Item or Service Provided
180 - Cost to a Provider That Requests Information Available to the Public
190 - The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
200 - Removal of Medicare Number from Reimbursement Checks
Exhibit A - Freedom of Information Act Request
Exhibit B - Summary Sheet for the CMS Monthly FOIA Report
Exhibit C - Invoice of Fees for FOIA Services
Exhibit E - Medicare Authorization to Disclose Personal Health Information Form and Information to Help You Fill Out the Medicare Authorization to Disclose Personal Health Information Form
(Rev. 1, 09-11-02)
The purpose of the Privacy Act of 1974 is to provide safeguards for individuals against an invasion of privacy by Federal agencies. Among other things, Federal agencies are required to permit an individual to:
Contractors considered to be Federal agencies for purposes of administering the Privacy Act must comply with its provisions. Contractors must:
Additional information concerning Medicare privacy policies can be accessed on the CMS Web site under the Privacy Policy link at the bottom of the web page.
"Individual" means a living person on whom CMS has any personal (as opposed to business) information. "Individual" does not include so-called persons such as sole proprietorships, partnerships, or corporations. Except for disclosure of and access to medical information about minors, a parent or legal guardian of a minor, or a legal guardian of someone the court has declared incompetent, has the same rights as the individual to the individual's records. No one may act on behalf of an individual who has not been declared incompetent by a court or gain access to his/her records under the Privacy Act without the individual's written consent.
Providers, physicians, and suppliers as business entities do not have access to business information about themselves under the Privacy Act, since the Privacy Act concerns individuals only. However, a physician or other supplier who is also an individual has the same access rights as any other individual to personal information maintained about themselves. Purely business information which is retrievable by the physician's unique identifier is not subject to the Privacy Act, but it may be disclosed to the physician to the extent that we would not deny the physician the information under the Freedom of Information Act (FOIA).
The contractor must inform the individual of his/her rights under the Privacy Act when it solicits any information directly from the beneficiary in connection with a Medicare claim. This would usually be a result of the failure of the individual or provider to furnish all the information required on a claims form. When information is collected by telephone, the contractor will give the individual a brief oral explanation. When information is requested by mail a written notice is used.
The law requires that an agency must inform an individual, upon request, whether a system of records contains a record pertaining to the individual, permit the individual to review such record and to be accompanied for the purpose of reviewing the record by a person of his or her choice. Further, the individual is permitted to obtain a copy of such record in a comprehensible form at a reasonable cost. There is a charge of 10 cents per page with all fees under $25 waived. There is no charge for searching; nor is there a charge for a copy furnished as a means of permitting an individual access to their records.
Each requester shall be asked for proof of identity as well as such general information as is necessary to determine where and how to look for records about the data subject. Within 10 working days of receiving a request, the contractor must decide whether to release the records. The requested information must be furnished within 30 working days unless good cause exists. An example of 'good cause' would be an inactive record filed in a records center that cannot be obtained within 30 days. The requester should be told of the delay and given an approximate date to expect the information.
If an individual's request for information concerning themselves is not in the contractor's files, the contractor should advise the individual that it does not have the information and, if available elsewhere, that it is forwarding the request to the office which has it. The contractor should furnish any requested information available if the request cannot be satisfied in full. The contractor should identify requests under the Privacy Act that require referral to CMS for data in central office systems. As required by the Privacy Act, the contractor should send the request for processing, along with a copy of the
interim response, to the systems manager listed in the Annual Publication: Systems of Records.
The official responsible for the records, or their designated medical officer, may disclose medical information directly to the individual if the official determines, based on review of the medical evidence, that such disclosure is not likely to have an adverse effect. In such cases the responsible official will give the requested information to the individual and annotate the record to show that the disclosure was made.
If the responsible official determines that direct disclosure of the medical record would be likely to have an adverse effect on the individual or does not consider themselves qualified to make such a determination, the official will disclose the medical information to the representative designated in writing by the individual. The representative must be a medical professional (licensed medical practitioner or nurse) who would be willing to review the record and discuss it with the individual. The contractor will retain a record showing the reason for its determination and a copy of the correspondence transmitting the information to the individual or to his/her medical representative.
If there is sensitive medical information in the records and the individual refuses to name a medical professional or cannot afford the fee for the service, or if the designated medical professional refuses to serve, the contractor will refer the file to the CMS regional office.
In order to protect the privacy of a minor, a parent or authorized guardian who requests access to the minor's medical record may not be given direct access to the record. Contractors shall ask a parent or guardian who requests access to such a record to designate a physician or other professional (other than a family member) to whom the record may be sent. The physician or health professional to whom the record is sent will be asked by the contractor to consider the effect that the disclosure of the record to the parent or guardian would have on the minor in determining whether the record should be made available to the parent or guardian.
The contractor will prepare a response to the parent or guardian in substantially the following form:
We have completed processing your request for access to the medical records of (name)________, a minor
The medical records have been sent to (name and address of designated health professional) in accordance with your instructions
In each case where a minor's medical records are sent to a physician or health professional, reasonable efforts will be made by the contractor to so inform the minor. In the event the parent or guardian refuses to name a medical professional or cannot afford the fee for the service or the designated medical professional refuses to serve, the contractor will refer the file to the CMS regional office for appropriate action.
The Privacy Act permits disclosure to any third party with the written consent of the individual to whom the record pertains. It also permits disclosure in certain instances without the individual's consent. However, the contractor must not disclose information unless the disclosure is specifically authorized in this chapter, or the individual has consented to the disclosure in writing, or the CMS regional office authorizes the disclosure.
Except for those disclosures discussed below in §10L of this chapter, Disclosure Without Consent, information may not be disclosed without the written consent of the subject individual, or their legal guardian, or, in the case of a minor, their parent (a parent or legal guardian of a minor may not consent to the disclosure of medical information about the minor). Other persons, regardless of relationship (except members of Congress and representative payees), may not receive information about the individual without their consent. In addition, a person who receives information about an individual with the individual's consent may not authorize disclosure of that information to someone else. Awkward situations may develop from a refusal, in compliance with the Privacy Act, to divulge information to the child or spouse of an aged or infirm individual. In order to avoid lengthy and unproductive correspondence, the requester should be advised that the Privacy Act precludes our disclosing any information to anyone other than the individual to whom the information pertains without the specific written consent of that individual, but that the requested information will be sent directly to the individual concerned with an explanation of the inquiry received on their behalf.
Information requested by members of Congress and their staffs may be disclosed as follows:
information about themselves to the MC (if we respond directly to the individual or with their consent, no accounting record is required). Where the inquirer is the legal guardian, or the parent of a minor, the contractor may disclose the information to the MC, but must make a record of the disclosure.
A copy of the reply (or a report of telephone call if the response is by telephone) will provide an adequate accounting record. The record should show the date of disclosure, the information disclosed, and to whom the disclosure was made. The contractor should file this record by name or social security claim number so that retrieval may be made expeditiously.
An SSA-appointed representative payee is entitled to receive information on, or act on, behalf of a beneficiary to the extent necessary to protect the beneficiary's rights under title II or XVIII.
Below are listed the situations in which data on identifiable individuals may be released without the individual's consent. The disclosure is permitted if the disclosure would be:
compatible with the purpose for which the information was collected in the first place. An explanation of the purposes and uses of each "routine use" disclosure must be published in the Federal Register at least 30 days prior to the disclosure and at least annually thereafter. Current routine uses are:
The Privacy Act requires that agencies account for disclosures of personal data to organizations outside DHHS or made in response to requests under the FOIA. The purposes of the accounting are:
The accounting must enable the contractor to tell the individual when and what information about the individual was released and to whom. It is not necessary to maintain a separate record of disclosures if such information can be retrieved from the contractor's operating records.
An individual has the same access rights to an accounting of disclosures as to other information, with no exception. It is not mandatory to tell an individual about disclosures made to an agency for law enforcement purposes. (Refer requests for accountings that include disclosures to law enforcement agencies to the CMS regional office.)
The contractor must maintain accounting records for 5 years, or the life of the basic record, whichever is longer. The lives of various basic records are furnished in Chapter 1 of the Claims Processing Manual.
Individuals are permitted by the Privacy Act to request correction of any record pertaining to themselves. The contractor should have a method of reviewing records at the request of the individual and making corrections where appropriate. In reviewing an
individual's request to amend a record, the contractor should, whenever practicable, complete the review and advise the individual of the results within 10 days of the receipt of the request. Prompt action should be taken wherever possible to reduce the administrative costs involved in issuing both a separate acknowledgment of the receipt of the request and a subsequent notice informing the individual of the action taken. If a contractor denies a request for correction, the individual can appeal to the system manager for the contractor's system of records.
All employees must be aware of their responsibilities under the Privacy Act and guard against improper disclosure of personal information. Any officer or employee who willfully discloses individually identifiable information, the disclosure of which is prohibited by the Act, shall be guilty of a misdemeanor and fined not more than $5,000.
Medicare information may not be accepted from providers, physicians, and other suppliers of services on a confidential basis, expressed or implied, since any medical information obtained by a contractor is subject to disclosure to the individual to whom it pertains. Contractors are to make sure their providers and other suppliers of services are aware that no medical information marked 'confidential' will be accepted on that basis and that any medical information received by the contractor may be disclosed to the patient or his/her representative upon request, either directly or through designated professional medical personnel. If a provider, physician, or other supplier of services documents medical findings on medical forms preprinted 'confidential' or the provider or other supplier of services routinely stamps all records 'confidential,' such records, when transmitted to the contractor are to be accompanied by a signed statement to the effect that the provider, physician or supplier understands that the information is subject to disclosure at the request of the patient or his/her representative under the Privacy Act.
In situations such as the admission to a hospital of an unconscious person, where the individual has not signed a statement authorizing the provider to pursue a Medicare claim, the disclosure of Medicare information to the provider should be treated as a routine use disclosure. If the individual has authorized the provider or supplier to pursue a Medicare claim, the release of information may be treated as a disclosure made with the beneficiary's consent.
The following sections contain instructions concerning the confidentiality and disclosure of information acquired and maintained by CMS, contractors (i.e., Medicare Administrative Contractors), providers, and State agencies in the administration of the health insurance program. These instructions comply with the statutes and regulations governing disclosure of information, specifically section 1106 of the Social Security Act, the Freedom of Information Act (5 USC §552) and implementing HHS FOIA regulations at 45 CFR Part 5, and CMS Confidentiality and Disclosure regulations at 42 CFR 401.101, et seq.
The Freedom of Information Act (FOIA) requires that within 20 working days of the receipt of a written request for records (or information known to be contained within an agency record), Federal agencies must decide whether the records/information will or will not be disclosed. By HHS regulation, only the CMS Freedom of Information Officer can make this decision. However, the CMS Freedom of Information Officer with the concurrence of the Office of the Assistant Secretary for Public Affairs, HHS, has delegated authority to Medicare contractors to directly release certain categories of frequently requested documents that the CMS Freedom of Information Officer has previously reviewed and decided to always release. These records are called 'direct release' records. Some are identified within this manual; others are established by the CMS Freedom of Information Officer in administrative issuances.
Accordingly, within 20 working days of receipt of an FOI request, if the contractor is authorized to release all or at least some of the requested records, it will advise the requester in writing whether the request will be wholly or partially fulfilled.
The CMS does not permit the contractor to issue a written denial of any request for information, except in response to the contractor's direct receipt of a state or local court subpoena duces tecum that seeks records on a beneficiary or individual practitioner that are contained in a Privacy Act System of Records, when such subpoena is not accompanied by a valid authorization to release the records signed by the subject of records. (See §40.1B.) CMS requires the contractor to refer to the RO all requests for which the contractor does not have clear authority to release the records/information.
Therefore, if the contractor receives a written request for records, the contractor must determine within 2 days of the receipt of the request whether it is clearly authorized to disclose the information. When able to furnish the requested materials, the contractor will furnish it whenever possible, within 20 working days. If it is not possible to furnish the materials within 20 working days, the contractor will immediately send the requester a substantive response that states that the records will be released, and explains the reason for the delay.
If the contractor is not clearly authorized to release the information, it notifies the RO immediately and refers the request to the RO for handling. It sends the request, along
with one set of the requested records, immediately to the RO by first class mail, and clearly identifies the request as a Freedom of Information Act request.
The contractor acknowledges to the requester any request referred to the RO, using the following language:
Dear:
We have referred your (date) Freedom of Information Act request for (specify type of information requested) to: (name of the CMS Regional Office FOIA Coordinator, address of CMS RO, and telephone number of the CMS RO Coordinator).
Any questions you may have relative to your request should be directed to that office.
Sincerely yours,
The contractor sends a copy of the acknowledgment letter with the request to the RO. The contractor is not required to create records to comply with requests for information. Contractors may answer requests that require creation of records by stating that the requested records do not exist and that the FOIA does not require agencies to recreate records in order to respond to a request. Include the appeal rights statement set forth below in the response. (Note that deletion of non-releasable information from an existing record is not considered creation of a records, no matter how extensive or time consuming the deletion process might be. Respond to requests that require creation of records using the following language:
Dear:
This is in response to your request dated ____, seeking access to (specify the subject(s) of requested record). Because you seek access to one or more agency records, or information contained in such records, we have considered your request under the Freedom of Information Act (FOIA) (5USC §552).
We are unable to comply with your request because the agency does not maintain a records that is responsive to your request and because, under FOIA, we are not required to create records or to furnish information in a particular form or format is not readily reproducible employing reasonable efforts.
If you have reason to disagree with this decision, you may appeal. Your appeal should be mailed, within 30 days of the date of this letter, to the
Centers for Medicare & Medicaid Services, Room C5-16-03,
7500 Security Boulevard, Baltimore, Maryland 21244-1850.
Please mark your envelope "Freedom of Information Act Appeal," and enclose a copy of this letter.
(Rev. 1, 09-11-02)
Form CMS-632-FOI (Exhibit A) serves as a cover sheet for FOI requests. The form is designed to expedite the handling of requests and to provide the information necessary for reporting purposes. For each FOI request, the contractor will complete a Form CMS-632-FOI. Completion instructions for the form are included on the reverse side. The contractor may furnish estimated costs if actual postage costs are not readily available.
Order Form CMS-632-FOI routinely on an annual basis using the CMS 1961 Forms Order. Direct any interim requests for Form CMS-632-FOI to CMS Forms Distribution Officer, Forms Management and Distribution, Office of Internal Customer Support. Interim requests must be submitted in writing.
(Rev. 1, 09-11-02)
The contractor's authority to directly release certain kinds of records includes the responsibility for complete and accurate reporting on the use of this authority. The following are reporting requirements for Medicare contractors:
Since many requesters make multiple FOIA requests, name identification is not adequate to assure proper tracking, or fiscal accounting. Therefore, CMS employs a Case Numbering System which includes unique identifiers for each releasing activity.
1. All case numbers in this system consist of ten characters. These characters maybe numeric or alphabetical and are determined as follows:
a. Case numbers for requests responded to directly by contractors begin with an Arabic number for the Region.
| Region | Case Number | Region | Case Number |
|---|---|---|---|
| Boston | 1 | Dallas | 6 |
| New York | 2 | Kansas City | 7 |
| Philadelphia | 3 | Denver | 8 |
| Atlanta | 4 | San Francisco | 9 |
| Chicago | 5 | Seattle | 0 |
NOTE: Only one space is designated to indicate the responding regional office or contractor within the region. Therefore, Seattle is represented by "0" rather than by "10".
b. For example, a request responded to directly by any A/B MAC (B) within Region 1 would begin with the digit "1":
1---
c. In all case numbers, the second character is the last digit of the calendar year in which the request is received by the responding activity. , continuing the example above, for a 2001 request in Region 1:
11---
d. Characters three through six indicate the contractor within the region. A request answered by a contractor would use the last four digits of the contractor number in positions three through six. Thus, a request responded to
directly by Blue Cross and Blue Shield of Rhode Island (A/B MAC (B) number 00870) would be:
110870---
e. The last four characters indicate the consecutively assigned case number, beginning with "0001". Thus, the first request responded to by that A/B MAC (B) in calendar year 2002 would be:
1108700002
(Rev. 1, 09-11-02)
Under the provisions of the Freedom of Information Act, certain fees and charges have been established to recover some of the cost of disclosing information to the public. Providers, contractors, and State agencies are required to pay appropriate fees for copies of reports they request pertaining to other providers, contractors, or State agencies. Such fees are not reimbursable administrative costs under the Medicare program for contractors or State agencies. A provider may claim such fees as allowable costs only if it demonstrates that the information is necessary in developing and maintaining the operation of patient care facilities and activities. Members of Congress, when clearly requesting information on behalf of a constituent or other third party, are subject to the same fees and charges that would apply to the person represented. The contractor will not charge the public for inspection of disclosable documents, or for requests which result in charges under the minimum described in §21.3, below.
(Rev. 1, 09-11-02)
1. Fees are to be charged differentially, depending on the category of requester/use of the requested material, as follows:
charge the requester if the charge to be billed is less than the established billing threshold.
NOTE: The CMS Freedom of Information Officer can rule on requests for waiver or reduction of fees, other than those listed above.
2. Regardless of the actual cost of responding to the requester, the law only permits charges to be levied for certain services and only in accord with a published FOIA fee schedule. The DHHS schedule at 45 CFR Part 5 is binding on CMS, and results in the following charges:
a. Photocopying - Charge 10 cents per page for copying records. The contractor may charge lower fees for particular documents where:
b. Search and Review - For manual searching and for review (when used, as applicable, in connection with processing records for a commercial use or other request), base the cost on the hourly rate of employees involved. Equate employee hourly wage scales to these three categories:
| Level | Hourly Wage Range | GS Grade Range | CMS Bills |
|---|---|---|---|
| Level 1 | Up to $20.74 | Federal Grades 1 through 8 | $16.00 |
| Level 2 | $20.75 - $46.69 | Federal Grades 9 through 14 | $33.00 |
| Level 3 | $46.70 or more/hr | Federal Grades 15 and up | $59.00 |
NOTE: The CMS Freedom of Information Officer updates the above scale based upon changes to the HHS fee schedule, and provides such updates to all CMS/contractor FOIA Coordinators.
The contractor will not charge the requester any fee at all if the costs of routine collection and processing of the fee are likely to equal or exceed the amount of the fee. As of November 2001, CMS's charge threshold is $15.00.
If the contractor determines that the requester is breaking down a single request into a series of requests in order to avoid (or reduce) the fees charged, it may aggregate all these requests for purposes of calculating the fees charged.
Certifying that records are true copies - Charge $10 per certification.
Performing any other special service requested, that the contractor agrees to provide - actual costs of operating any machinery, plus actual cost of any materials used, plus charges for the time of its employees, at the rates given in paragraph 2b of this section.
Special Forwarding Arrangements - Actual cost. This includes special delivery, airmail, registered mail, etc.
(Rev. 1, 09-11-02)
The contractor is responsible for the billing of costs resulting from providing disclosable information. To invoice, use Form CMS-633 - Invoice of Fees for FOIA Services (Exhibit C). The requester sends payment derived from the release of information to the CMS Division of Accounting.
(Rev. 1, 09-11-02)
Where estimated costs exceed $250.00, or if the requester has failed to pay previous bills in a timely fashion, collect fees and charges before the requested material is copied and furnished. Use the Division of Accounting, CMS's FOIA Bad Debtor Listing to determine delinquency. Notify the requester of the total estimated charges, using language similar to the following:
The HHS regulations require that a charge be made to recover some of the costs incurred in the disclosure of information. The total (estimated) billable cost for the material you requested is $ ______. The cost consists of the following charges: (list here breakdown of charges; e.g., 'Photocopying: $10; Searching: $450). Please send a check or money order for the total amount made out to CMS and mail it to (contractor address).
The material will be mailed to you upon receipt of payment (subject to any adjustment to the estimate). If we do not hear from you within 30 days, we will assume your request has been withdrawn and no further action will be taken.
Be sure to point out to the requester that even though the invoice says to mail the check to the CMS Division of Accounting in Baltimore, in this case the check must be mailed to the contractor so that payment can be verified before the material is mailed. Subsequent to the contractor's receipt of the advance payment, send both the check and the finance copy of the invoice to the Division of Accounting in Baltimore. Because some requesters will neither provide advance payment nor notify the contractor that they no longer desire the requested material, do not send the 'Finance' copy of the invoice to Accounting until after the advance payment check is received. For the same reason, do not begin
searching for and photocopying the requested material until the advance payment is received. If you do not hear from the requester in 30 days, close the request.
(Rev. 1, 09-11-02)
The Freedom of Information Act deals with the right of the public to information about Government rules and methods of operating. It requires that every Federal agency make available for inspection and copying:
"522(a)(2) (B) those statements of policy and interpretations which have been adopted by the agency and are not published in the Federal Register; and (C) administrative staff manual and instructions to staff that affect any member of the public, unless such materials are promptly published and copies offered for sale."
Information contained in Medicare program manuals and Program Memoranda can be obtained via the Internet. Where requests are made to contractors, contractors will photocopy Program Memoranda and individual pages from CMS manuals to respond to minor requests. When inquirers ask to see Social Security Manuals and letters that are not maintained, the contractor will refer them to the SSO. If the request is for Medicare related information, the contractor may disclose the following:
The contractor will not engage in interpretive analysis or discussion of the material when responding to requests.
The contractor will not release information on the parameters and computer edits used to identify claims for medical review. These are tools for selection of claims for MR and are not determinants of whether a service is payable.
EXAMPLE: The contractor has a screen which identifies for review all claims for CAT Scans of the head in excess of 3 in 30 days. Written MR policy contains diagnoses and other descriptions of medical conditions that would justify CAT Scans in excess of that amount. The contractor is required to release the policy guidelines but must withhold the '3 in 30 days' parameter used to identify claims for MR.
The contractor must refer requests for information for which denial is recommended, including parameters and computer edits to the RO.
The contractor should provide a facility for the public to view the program manuals and other information available to the public on the Internet.
It will fulfill requests for printouts resulting in 50, or fewer, pages.
Requests to examine manuals or letters usually arise where a beneficiary calls at an office to discuss his/her claim. In such situations, the contractor will abstain from engaging in interpretative analysis or discussion of the material.
All interpretive materials, guidelines, and clarification of policies that relate to payment of Medicare benefits must be released.
Upon request, the contractor will release written guidelines used to evaluate and make payment decisions on claims subject to MR. Precise information on the screens, parameters and computer edits used to identify claims for MR may be withheld.
EXAMPLE: A screen identifies for review any SNF claim with more than 30 covered days. Written MR policy contains the documentation standards and guidelines which assist the reviewer in the decision to pay or deny the claim. Release of the policy guidelines is required, but the review screen can be withheld.
Guidelines may be withheld that use specific criteria and tolerances intended to identify claims that raise a strong possibility of fraud or abuse because of a pattern of payment requests for excessive or duplicate services, or services not rendered. If disclosure of such guidelines could be judged to adversely affect the program by allowing violators to go undetected, the contractor should refer the request to the RO with its recommendations. The contractor will acknowledge any requests that should have gone to another contractor and refer them to the appropriate contractor.
(Rev. 1, 09-11-02)
Sections 3764 - 3769 set the guidelines for disclosure of information about a named beneficiary, to whom it may be disclosed, and the purposes for which it may be disclosed. In general, no information may be released except to the beneficiary (or the beneficiary's legal guardian) without the beneficiary's (or legal guardian's) explicit written authorization.
In cases requiring the beneficiary's consent, the authorization may be in any form, but it must:
A contractor will not honor a blanket consent to disclose all beneficiary records to unspecified individuals or organizational units.
The disclosure of information about beneficiaries is governed by the provisions of § 1106 if the Social Security Act as implemented by Regulation No. 1, the Privacy Act, the FOI Act, and the DHHS Public Information Regulation.
(Rev. 1, 09-11-02)
Section 1106 of the Social Security Act prohibits disclosure of any file, record, report, or other paper, or any information obtained at any time by the Secretary or an officer or employee of DHHS in the course of discharging their duties under the Act, except as prescribed by regulations. Where manual instructions permit disclosure, assume that related regulations have been published. The same prohibition applies to information received by any person outside DHHS, from the Secretary, or an officer or employee of DHHS.
The prohibition applies to any agency, organization (e.g., contractors), or institution, or any of its officers or employees, in the fulfillment of a contract or agreement with the Secretary.
The prohibition also relates to any information received from DHHS, a contractor, or any person or entity that furnishes services under arrangements with a provider or accepts an assignment under the program. However, patient records in the possession of a provider
or physician are not subject to the prohibition against disclosure or to the Departmental rules and regulations concerning confidentiality merely because the patient is entitled to Medicare benefits. Disclosure of provider or physician records not in the possession of CMS or a contractor may, however, be subject to applicable State or local laws, or to hospital rules governing disclosure.
Denial of all or portions of requested records can only be made by the CMS Freedom of Information Officer. Therefore, when a request for information is received, disclosure of which is prohibited under these guidelines, the contractor will follow §10.2 above.
The CMS FOIA Officer has authorized Medicare contractors to issue a denial on his/her behalf in the following situation: If any officer, employee, agent or subcontractor is served a subpoena or other compulsory process requiring the production of records or information on a beneficiary or individual practitioner that are contained in a Privacy Act System of records and such a request is not accompanied by a valid authorization to release the records signed by the subject of the records, he/she will decline to produce the records or information. He/she will base the refusal on §1106 of the Social Security Act and on 5 USC §552a, 5 USC §552, 45 CFR Part 2 and 45 CFR Part 5. The contractor will notify the RO immediately.
If the contractor directly receives such a subpoena, it uses the following language to respond:
Dear Sir or Madam:
This is in response to the subpoena duces tecum, dated ______, initiated by your firm, for certain Medicare records in our possession.
The Department of Health and Human Services regulation at 45 CFR Part 2 states, among other things, that the Department will treat subpoenas duces tecum for records in its possession as requests under the Freedom of Information Act (5 U.S.C. §552).
Because the records the subpoena seeks are in a Privacy Act system of records, the Privacy Act (5 U.S.C. §552a) precludes release of those records except pursuant to a written authorization to release signed by the subject(s) of the records or unless the Freedom of Information Act requires release of the records or a court of competent jurisdiction orders release. Regarding the latter condition of disclosure, for purposes of the Privacy Act, a court of competent jurisdiction is a Federal court only.
Review of this matter indicates that your firm has not presented a written authorization to release records signed by the subject(s) of the records. Moreover, your firm's subpoena is not an order of a court of competent jurisdiction, and 45
CFR Part 2 requires us to treat the subpoena duces tecum as a Freedom of Information Act request. Further the Freedom of Information Officer for the Centers for Medicare & Medicaid Services has determined that the requested records are exempt from mandatory disclosure under the Freedom of Information Act by exemption (b)(6) of that Act. Exemption (b)(6) permits the withholding of information about individuals in personnel and medical files and similar files, when the disclosure of such information would constitute a clearly unwarranted invasion of personal privacy.
Based upon the foregoing, we respectfully decline to produce the Medicare records requested by your firm's subpoena duces tecum.
If you have reason to disagree with this decision, you may appeal. Your appeal should be mailed, within 30 days of the date of this letter, to the Deputy Administrator, Centers for Medicare & Medicaid Services, Room C5-16-03, 7500 Security Boulevard, Baltimore, MD 21244-1850. Please mark your envelope 'Freedom of Information Act Appeal,' and enclose a copy of this letter.
Sincerely yours,
Signature of Authorized Official
cc: FOI Officer, CMS
Process the State or local court subpoena duces tecum that seeks other kinds of CMS records in accord with §10.2 above.
Section 1106(a) of the Act provides that any person who violates the disclosure provisions shall be deemed guilty of a misdemeanor and, upon conviction thereof, shall be punished by a fine not exceeding $1,000, by imprisonment not exceeding 1 year, or both.
Regulation No. 1 of the Act defines the basic authorization for disclosure of information obtained in the administration of the program. The general rule is that information about an individual obtained in the administration of the program may not be disclosed without the authorization of that individual. Medical information relating to an individual will generally be disclosed under more restrictive conditions than other information and, where permitted, usually may be furnished only upon the written authorization of the individual. Specific exceptions to this rule are detailed in the following sections. As far as program operations are concerned, information about an individual may be disclosed
without the individual's authorization when the disclosure is necessary in connection with any claim, or other proceeding, under the Social Security Act.
Information will be disclosed for other than program purposes only if the disclosure is authorized by Regulation No. 1 and is consistent with the proper and efficient administration of the program.
(Rev. 1, 09-11-02)
Disclosure of any record, report, or information about an individual may be made without the individual's authorization if it is in connection with any claim, or other proceeding, under the Act when it is necessary for the proper performance of duties of:
The SSOs have a responsibility for public information activities. In its development of a human interest story concerning health insurance, an SSO may, on occasion, request the contractor to provide claims reimbursement information about a specific beneficiary. The contractor will honor such a request when it comes from an SSO employee having authority for liaison with the contractor.
Depending upon the agreements made with the parallel SSO, the employee authorized may be the manager, assistant manager, staff assistant, and/or HI coordinator. The contractor will not honor requests by other employees for beneficiary claims information.
In the administration of the program, the contractor may want to avail itself of the services of third parties such as auditors, court reporters, public stenographers, microfilm processors, or companies developing equipment for use in the program.
The arrangement between the contractor and such third parties, even where it is of short duration, is in the nature of an agreement supplementing its contract with the Secretary. Under such an arrangement, disclosure to these parties of necessary information that relates to, and is used in, the administration of title XVIII of the Social Security Act is permitted as provided by §1106 of the Social Security Act and Regulation No. 1.
However, when the contractor enters into an agreement with these parties, it will inform them that §401.1 of Regulation No. 1 precludes the disclosure of any information on identifiable individuals. It will call their attention to the penalty clause of §1106(a). It will call attention to these provisions by letter (see below), and obtain a written agreement to comply with the disclosure provisions before releasing any information.
Dear
We are prepared to make available to your organization certain social security records so that (state reason).
However, before making these records available, we must point out that by law, all information derived on identifiable individuals in the administration of the Social Security Act is confidential and may be disclosed to others only under very restrictive circumstances. Regulation No. 1 of the Social Security Administration which governs disclosure of official records and information precludes you from disclosing any information on identifiable individuals.
You should also note that §1106(a) of the Social Security Act imposes criminal penalties for unauthorized disclosure.
Any social security records which do not identify or make identifiable any individuals are not subject to these restrictions, but may be restricted under the provisions of the Freedom of Information Act.
In order to comply with the requirements of the Social Security Act and Freedom of Information Act you must agree to the following conditions before we can make any social security records available to you:
Any information which is turned over to you will be used only for the specific purpose intended.
All employees having access to this material will be instructed as to its confidential nature.
An official of your company will assume the responsibility for ensuring that the information is not revealed to another.
The material must be returned to us as soon as you have finished the job.
We must have a letter from a responsible official in your office agreeing to these conditions and assuming responsibility for carrying them out.
Upon receipt of such letter, the social security records will be made available to you.
Sincerely yours,
(Rev. 123, Issued: 05-10-19, Effective: 06-11-19, Implementation: 06-11-19)
For more information related to disclosure of PII and PHI, please refer to Pub. 100-9, Medicare Contractor Beneficiary and Provider Communications Manual, Chapter 6, section 80.
(Rev. 1, 09-11-02)
The contractor may disclose information concerning the fact, date, or circumstances of death when efficient administration permits. The request must be in writing and must state why the information is sought. Additional information may be disclosed to a surviving relative or an authorized representative of that relative, the legal representative of the estate, or to a probate court for the purpose of appointing a legal representative of the decedent's estate. The contractor must exercise care, however, to see that it discloses no information which would appear to be detrimental to the individual or the individual's estate, i.e., unusual place or manner of death or information which could create a liability to the individual's estate.
The contractor may disclose medical information, in form and detail consistent with proper and efficient administration of the program, when such disclosure is reasonably necessary for a title XVIII purpose. (See §50 of this chapter for further information concerning the disclosure of non-medical and medical information when necessary for a program purpose.)
The contractor may disclose medical information obtained in the administration of title XVIII to a surviving relative or legal representative of the estate of the individual or to others for other than a title XVIII purpose, when such information is necessary for a determination as to what supplementary benefits or services such deceased individual was eligible to receive under a private or public hospital or medical insurance program which is consistent with the purposes and objectives of title XVIII. The contractor may disclose such information only if the individual has consented to such disclosure or a surviving relative or the legal representative of the estate consents. (See §80.1 'Release of Title XVIII Claims Information for Complementary Insurance Purposes' in this chapter.)
(Rev. 1, 09-11-02)
Non-medical information about an individual may be disclosed for other than a program purpose, to persons or organizations designated by the individual, if the individual authorizes disclosure, and if disclosure is consistent with the proper and efficient administration of the Act.
The contractor may disclose medical information to a supplier of medical services solely for the purpose of the beneficiary's care or treatment. Such supplier will be informed that the information is being furnished in connection with the treatment of the beneficiary and that its use should be restricted to that purpose.
Occasionally in the course of reviewing medical evidence submitted to substantiate a claim, contractor medical personnel may discover a medical condition of which the source of the information is unaware. (For purposes of this section, the 'source' of the information is the part submitting the evidence.) In cases where a serious or potentially serious condition is found, the contractor may wish to inform the source of the information. If the source of the information indicates that the beneficiary is not institutionalized and the identity of the beneficiary's current physician is not known, the source should recommend that the beneficiary consult a physician or institution of the beneficiary's choice for further treatment.
Medical information may also be disclosed, upon request, to the beneficiary's physician or to a medical institution at which the beneficiary is or was a patient when such physician or institution is not the source of the information. However, consent for the release must be obtained from the beneficiary.
The contractor may not release or use information obtained in the administration of the Medicare program for non-program activities. However, when the beneficiary has given written authorization the contractor is permitted to release certain information to its complementary insurance program under specific conditions in its capacity as insurance writer or administrator, or to other insurers for complementary health benefits purposes. Under no circumstances may the contractor use the knowledge of an individual's
entitlement or benefit utilization information for purposes of dropping an individual from a group health insurance plan.
A. Information That May be Released
Subject to necessary authorizations, copies, extracts, or summaries of only the following records may be released:
Requests for other information desired for complementary insurance purposes should be referred to the RO.
B. Form of Authorization
The contractor must make certain that information is not released without the required authorization. This authorization may be either indicated on the billing and admission form or on a dated statement from the beneficiary. Where the authorization is on a dated statement it must:
Where the bill contains a beneficiary signature or indicates that the beneficiary's signature authorizing release of information is contained in the provider's records, the bill must contain the name of the complementary insurer unless a dated statement as outlined above is already on file.
Where the contractor has a dated statement on file, information may not be released for individual claims when the beneficiary indicated that they do not want disclosure on that claim. This may be indicated on certain claims forms by the beneficiary checking an appropriate block, or by attaching a separate statement.
If someone other than the beneficiary, legal guardian, or authorized representative has authorized disclosure to a third party by filling out the appropriate item on the billing form, the contractor may not release the information unless an authorization from the beneficiary is on file. Instead, where feasible, the contractor will inform the beneficiary (or legal guardian or authorized representative) that the signature on the claims form does not constitute a proper authorization for disclosure and that, if the beneficiary desires information to be disclosed to a third party, the beneficiary should send to either the contractor or the third party, a statement authorizing release. (The contractor will indicate the necessary contents of a proper authorization or enclose an appropriate form or statement for use by the proper party in authorizing release.)
If invalid authorizations are a frequent problem, the contractor advises third party payers to obtain appropriate ongoing consent statements from enrollees.
Where the complementary insurers desire title XVIII information for certain claims only, either the complementary insurer or the beneficiary may request its release.
The complementary insurer must furnish the required authorization(s) for release and must pay any charges. (The Medicare program will absorb charges for supplying duplicate MSN's or billing forms to beneficiaries, their authorized representatives, and to social security offices.) In the absence of a standing arrangement, the mere presence of an 'authorization' to release and the identification of a complementary insurer on a title XVIII billing form does not constitute a request for the 'release' of information. There must be a specific request for the information.
The contractor may enter into a standing arrangement with a complementary insurer to provide and charge for title XVIII information, such as MSNs or deductible non-met letters, in every case in which the contractor receives a title XVIII claim which contains the necessary authorizations and identifies the complementary insurer.
Contractors should be aware that, subject to specific written beneficiary authorization, providers are permitted to furnish certain limited information about Medicare eligibility status and related claims information to third party payers for complementary insurance purposes. (See §170.)
In using an integrated claims processing system, it is permissible to match a currently updated subscriber file against a run of currently processed Medicare claims to extract information required to pay the complementary claim provided:
Contractors must update the subscriber file to incorporate all terminations before each match with the Medicare claims file so that information will not be passed to the private business sector for beneficiaries who are not entitled to the complementary insurance plan.
The contractor may not permit the private business sector to have access to the Medicare claims history file. The private business sector may use only information concerning the current claim from the current run of processed claims.
(Rev. 1, 09-11-02)
(Rev. 1, 09-11-02)
The contractor may disclose information on such matters as entitlement, benefit payment, or benefit utilization relating to an individual who has applied for benefits administered by the State welfare departments. It may make such disclosure without the authorization of the individual or the individual's legal representative (i.e., legal guardian appointed by a court or a parent or a minor) to any duly authorized officer or employee of a State agency administration of grants-in-aid programs under titles IV, V, or XIX or in the case of Puerto Rico, Guam, or the Virgin Islands, titles I, X, or XVI of the Social Security Act with the authorization of the individual or their authorized representative. Medical information beyond that shown on billing forms relating to an individual (and obtained in the administration of the Medicare program) may be disclosed to a State agency administering the grants-in-aid program if the State agency shows a special need for the information, and the file contains a written authorization by the beneficiary specifically consenting to disclosure of medical information.
Title XVIII, billing forms and completion instructions, provide for authorization by the beneficiary for the release of information to State agencies or their agents. Where the contractor, or a third party organization, is administering the medical payment program under a contract or underwriting arrangement with the State, it may release information to itself or to the third party organization on the same basis as it may release information to a State agency.
(Rev. 1, 09-11-02)
Contractors may provide State Medicaid agencies with Medicare claims information. See Pub 100-04, Chapter 28 for more information.
(Rev. 1, 09-11-02)
The release of information obtained in the administration of title XVIII indicating a course of unprofessional conduct or unethical practices by a physician or other practitioner will assist in the investigation of such conduct under titles V and XIX. The information to be released must have previously been released by a contractor in the administration of title XVIII to an official of a State licensing board (see §100.4 of this chapter), or to any officer, agency, establishment, or department of the Federal Government charged with the duty of conducting an investigation to determine whether there has been a violation of any provision of a Federal tax law (see §120 of this chapter).
(Rev. 1, 09-11-02)
The CMS, which administers title XIX, requires a correlation between payments under that title and the fee schedule or the 75th percentile of the range of customary charges, if applicable, as determined for treatment rendered under Part B of title XVIII. This requirement assumes that title XVIII fee schedule and medical charge experience, where applicable, will be available to title XIX agencies.
Therefore, it is necessary that agencies administering title XIX be furnished with physician, other practitioner, and supplier identification numbers; and fee schedules and/or charges of physicians or other practitioners, or suppliers for services furnished to beneficiaries, to enable them to determine the amount of benefits payable for medical services furnished under Title XVIII and XIX.
As the individual title XIX programs of the several States may differ, some variation in the type of information required can be expected. Therefore, in order to obtain the information it needs, each State agency should consult with the title XVIII contractor(s) serving the various areas in each State concerning the availability and format of the necessary information. (CMS advises the appropriate State agencies of this arrangement.)
Contractor Involvement -
(Rev. 1, 09-11-02)
Contractors may provide State Medicaid agencies with Medicare claims information. See Pub 100-04, Chapter 28 for more information.
(Rev. 1, 09-11-02)
The CMS and/or A/B MACs (A) may furnish PROs information on claims specified by CMS for PRO review.
(Rev. 1, 09-11-02)
The contractor may disclose information to the Internal Revenue Service when requested for investigation of a possible violation of the F.I.C.A., S.E.C.A., F.U.T.A., or any Federal income tax law. The contractor will bring to the attention of the RO any problem in complying with the IRS request (e.g., machine capability, cost, etc.).
(Rev. 1, 09-11-02)
(Rev. 1, 09-11-02)
The CMS may disclose certain information to TriCare for use in administering the TriCare program. The type of information to be made available parallels that made available to non-complementary title V and XIX State agencies and contractors. (See §100 of this chapter.)
(Rev. 1, 09-11-02)
We expect that most requests from TriCare for information will involve primarily Part B Medicare operations in such areas as identification of physicians and other medical practitioners who may be engaging in providing excess services or fraud. Before we release this information to a requesting TriCare contractor that is not also a Medicare contractor, a Medicare contractor must have previously released the information in the administration of Title XVIII to:
We may also disclose to TriCare the types of data covered in §100.2 of this chapter, upon request when authorized by the beneficiary or the beneficiary's legal representative. In addition, we will, upon request, make available to TriCare Economic Index Data (as prescribed by §§405.502(a) and 405.504(a) of Regulations No. 5) that might affect the limits on prevailing charge levels.
(Rev. 1, 09-11-02)
TriCare fiscal agents desiring Medicare information will usually request it either through the TriCare headquarters in Denver or through the parallel RO. The TriCare headquarters will refer the request to the parallel RO. Should a Medicare contractor receive a request directly from TriCare, it will refer the request to the RO. The RO will meet with the TriCare fiscal agent and the Medicare contractor to determine exactly what is needed, impress upon the TriCare contractor that TriCare may not further disclose the information, and indicate the cost involved, if any. (Also note that payment may be estimated or waived if collection would interfere with efficient administration.) At the RO's discretion, the Medicare contractor and the TriCare fiscal agent may meet to discuss
data and cost requirements without regional involvement. Upon agreement about data and cost requirements, the RO will authorize release of the information from the Medicare contractor to the TriCare fiscal agent.
In keeping with the spirit of the Freedom of Information Act and growing consumer interest in health care facilities and suppliers, CMS has made available to the public various final reports and other information regarding providers and suppliers. Disclosure to the public by a contractor is limited, but the following guidelines indicate what information is available, to whom it may be released, and the source to which a requestor should be directed for information that the contractor is not authorized to release.
A. Disclosure of Survey Information of the Joint Commission on Accreditation for Hospitals (JCAH), American Osteopathic Association (AOA), or any other National Accreditation Organization
The CMS may not disclose any accreditation survey made and released by the JCAH, AOA or other national accreditation organization except as prescribed by regulations. Accreditation letters and accompanying Recommendations and Comments prepared by the JCAH, AOA or other national accreditation organization for the provider's accreditation survey are confidential and exempted from public disclosure.
A copy of the provider's most recent accreditation survey may be disclosed with the provider's authorization to any authorized representative, employee or agent of CMS for official use only in connection with the Medicare sample validation or substantial allegation survey program.
B. Disclosure of Information About Hospitals, Skilled Nursing Facilities, Home Health Agencies, and Independent Laboratories
Information about a hospital, skilled nursing facility, or home health agency, as well as information about independent laboratories, providers of outpatient physical therapy (rehabilitation and public health agencies and clinics) and portable X-ray suppliers, may be disclosed without the authorization of the institution or organization when such disclosure is required for the proper performance of the duties of:
An officer or employee of a contractor; or
An officer or employee of a State agency when necessary to carry out their duties under State law in the licensing or approving of hospitals, skilled nursing facilities, home health agencies, or independent laboratories, etc.
Information obtained in the provider certification process is not to be disclosed to those not included in the above three categories, except as indicated in §140.3 below.
However, information that a particular institution is participating in the program may be released; and information indicating the specialties for which title XVIII payment may be made for services of a particular independent laboratory may be released. This information is usually available from the Directory of Medical Providers and Suppliers of Services published by the Government Printing Office.
Disclosure to third parties for program purposes of information about identifiable physicians and other suppliers who are natural persons is governed by the same restrictions and procedures as disclosure about named beneficiaries to third parties for program purposes. (See §50 of this chapter.)
Information about unidentifiable individuals or about providers or corporate entities (e.g., clinics or independent laboratories), is not exempt from disclosure by section 1106 and regulations at 42 CFR, Part 401. However, it is not to be disclosed by third parties to which information is disclosed for program purposes.
If the information the contractor discloses to third parties for program purposes is solely information that does not identify, or make identifiable, individuals (e.g., aggregate statistics or records on providers and other corporate entities) the following sample letter is to be used instead of the letter in §50B of this chapter.
Dear
We are prepared to make available to your organization certain CMS records so that (state reason).
However, before making these records available to you, we must point out that by law all information derived in the administration of the Social Security Act is subject to the provisions of the Freedom of Information Act, which exempts from disclosure certain categories of records. In order to assure that no records held confidential under the Freedom of Information Act are disclosed, you must agree to meet the following conditions before we make any social security records available to you:
Upon receipt of this letter from your organization, we will make available to you the CMS records you requested.
Sincerely yours,
(Rev. 1, 09-11-02)
A. Provider Survey Report and Related Information
Information concerning survey reports of providers or facilities, as well as statements of deficiencies based on survey reports are available at the local social security office or the public health assistance office in the area where the facility is located. The following data may be released under this provision.
B. Program Validation Review Reports and Other Formal Evaluation (CMS)
Upon written request, CMS makes available to the public official reports and other formal evaluations of the performance of providers. After CMS prepares the survey reports and other formal evaluations, it must provide the evaluated provider an opportunity (not to exceed 30 days) to review the report and submit comments on the accuracy of the findings and conclusions. CMS must incorporate the provider's pertinent comments in the report.
Generally, the RO serving the area in which the provider is located releases Program validation review reports. It will provide a copy of the report and the provider's comments to the contractors servicing the provider.
CMS may also make available to the public, subject to certain possible exemptions, informal reports and other evaluations of the performance of providers prepared by the contractor. The contractor refers requests for these reports to the Medicare regional office with a copy of the information requested.
Requests by the public either to inspect or to obtain a copy of a provider cost report must be in writing and must identify the provider or class of providers and specific cost reports requested.
NOTE: Personal salary information cannot be disclosed.
A/B MACs (A) or (HHH) must respond in writing within 10 working days after receipt of the written request, advising the requestor of the date the reports will be available. This date should be no earlier than 10 working days from the date of the contractor's response. (For exceptions, see Exceptions To 10-Day Notice Requirement immediately below.) A copy of this response must be sent simultaneously to the provider, thus putting it on notice that its report has been requested and by whom. (For exception, see §140.3 below.) If the request is for a report submitted by a former owner of a participating facility, copies of the contractor's response should go to both the present and former owners. If the request is for a report submitted by a provider no longer participating in the program, a copy of the contractor's response should be sent to the former provider. (For both former owners and former providers the copy of the response should be sent to the last known address of the party.)
If we cannot make the information available within a reasonable period of time, our response will include a brief explanation for the delay (e.g., because of the extent of searching, photocopying, or delay in securing reports from records retention centers). In addition to the provider's copy, the contractor sends a copy to the CMS regional office servicing the provider.
If a contractor receives a request for information concerning providers that it does not service, it will immediately forward such request to the CMS regional office servicing the provider and will inform the requester of its action. The regional office forwards the request to the servicing contractor.
No 10-day delay in furnishing cost reports is necessary in the case of requests from:
The Congress - Requests from Congress are limited to those from the Congress as an official body (e.g., the Speaker of the House or the President of the Senate, or from the chairman of a committee or subcommittee of the House or Senate with jurisdiction related to the information requested). Requests from individual members of the House or Senate are considered requests from the public.
CMS's rules limit disclosure to cost report documents that providers are required by regulations and instructions to submit. In the case of a settled cost report, this includes the contractor's notice of program reimbursement. Cost report documents include the statistical page, the settlement pages, trial balance of expenses, cost finding schedules, balance sheet, statement of income and expenses, and other schedules or documents required as part of the regular cost report process. (Where a provider, after first obtaining program approval, submits equivalent documents in lieu of official program documents, such documents are subject to the same disclosure rules as apply to official forms.)
If a provider chooses to submit with its cost report additional information not specifically required by regulations or instructions, the contractor should not disclose such information unless it is contained within an official document or the equivalent thereof. For example, some providers may submit supplementary analyses of certain expenses, details of the professional component adjustment, financial statements (other than the statement of income and expenses and the balance sheet as required in accordance with cost reporting instructions), or income tax returns that are not required by the program. These would not be disclosable by the contractor.
Except where a provider has not submitted an acceptable cost report and supplements are required to complete the report, any additional documents or schedules that the contractor requires the provider to submit in support of its cost representations are also not to be disclosed. In addition, do not disclose audits, schedules, letters, notes, and comments; comments on results of desk reviews (including copies of the actual desk review documents); contractor notes and comments (including transmittal letters); audit adjustment summaries that contractors and auditors are required to prepare; and information pertaining to an individual patient. Contractors acknowledge such requests and refer them to the regional office.
NOTE: Cost report information that the contractor may not disclose may, nevertheless, be disclosed under the Freedom of Information Act by the CMS regional office, central office or, upon appeal of a denial, by the Administrator, CMS. Upon judicial review, a U. S. District Court may order Disclosure.
When an A/B MAC (A) or (HHH) discloses a settled report, it may disclose schedules applicable to the settlement that have been reworked. The general rule is that if the contractor has reworked any of the schedules that the provider is required to submit with its original submission, these schedules become an integral part of the report for disclosure purposes. However, the A/B MAC (A) or (HHH) may not disclose any details containing contractor or auditor comments concerning the settlement, details of specific adjustments, or supporting schedules applicable to the settlement of the provider's operation.
Prior to the release of cost report information to the requestor, the A/B MAC (A) or (HHH) servicing the provider must screen each cost report and remove non-disclosable documents and information. If the A/B MAC (A) or (HHH) is uncertain whether a particular document must be disclosed it should consult the regional office in the region in which the provider is located. Further, if the A/B MAC (A) or (HHH) discovers as a result of review that the cost report reflects information that might result in adverse program publicity, it alerts the RO immediately. However, it does not delay disclosure.
The above instructions do not negate in any manner the requirement that the A/B MAC (A) or (HHH) submit cost reports to CMS that contain full and complete information, including the details of all contractor and auditor adjustments, comments, and any supporting schedules that may be needed to verify the settlement.
The A/B MAC (A) or (HHH) will make cost reports available for inspection by the requestor at the A/B MAC (A) or (HHH)'s office during regular business hours. In addition, arrangements will be made to make copies available upon specific request at any RO, or at central office. The A/B MAC (A) or (HHH) must provide appropriate space for such inspections. It must establish procedures to ensure that all reports inspected are properly accounted for. Under no circumstances should it permit any requester to remove cost reports from the place of inspection.
If the requester has questions with respect to the interpretation or analysis of cost report information, the A/B MAC (A) or (HHH) will advise the requester to submit such requests for more than routine explanations in writing to the regional office.
If a request is received to inspect or to obtain a copy of a report that has not been settled; i.e., the final settlement notice of program reimbursement has not been sent, the A/B MAC (A) or (HHH) will disclose a copy of the report as submitted by the provider. If settlement has been made, it will disclose the settled report. If a requester specifically asks for both the settled and unsettled cost reports of a provider, the A/B MAC (A) or (HHH) will comply. When a report is made available for inspection or copying, it should be clearly marked with one of the following captions, as applicable.
Cost report as submitted:
Requests for reproduction of all or part of a provider's cost report may be subject to photocopy fees. If it is determined that a fee must be charged, the A/B MAC (A) or (HHH) prepares the written response to the requester in accordance with §20 and §20.4 of this chapter.
A requester may desire only selected cost report information of a provider or several providers. However, the DHHS Freedom of Information Regulation specifies that agencies are not required to create a record by compiling selected items from the files; such requests will be met by furnishing copies of specific documents which contain the information requested. In addition, when the contractor receives a request that requires selecting documents from various cost reports, the request should be honored. It will follow the written response procedure above even though the entire report is not being disclosed. It will advise the requester that a searching fee will be charged and give an approximate date when the documents will be ready.
The A/B MAC (A) or (HHH) may release Medicare payment or Medicare cost data concerning a named provider without giving the provider the ten-day notice required in §10.2 or 30 above. However, it does not give the requester enough information to calculate provider non-Medicare data as well. For example, A/B MACs (A) or (HHH) do not tell a requester that Medicare payments to the provider represent 30 percent of its total revenues.
The Medicare payment or Medicare cost data may be extracted from such documents as cost reports or Form CMS-3286, Monthly Actuarial Sample of Hospital Reimbursement. Any extraction of data is subject to the instructions above concerning creation of records.
The waiver of liability status of a particular provider and the statistics used to determine that status may be disclosed.
Generally, the contractor will not honor requests for information about a specific physician or other supplier of services, or for information which would identify such a physician or other supplier of services, except in situations described in §140.1 above. Disclosure to third parties for program purposes of information about individual physicians and other suppliers who are natural persons is governed by the same restrictions and procedures as disclosure about named beneficiaries to third parties for program purposes. (See §50B of this chapter.) The contractor acknowledges such requests and refers them to the RO for response.
If the information the contractor discloses is solely information that does not identify or make identifiable individuals (e.g., aggregate statistics or records on providers and other corporate entities), it uses the following language:
Dear:
We are prepared to make available to your organization certain social security records so that (state reason).
However, before making these records available to you, we must point out that by law all information derived in the administration of the Social Security Act is subject to the provisions of the Freedom of Information Act, which exempts from disclosure certain categories of records. In order to assure that no records held confidential under the Freedom of Information Act are disclosed, you must agree to meet the following conditions before we make any social security records available to you:
1. Any information which is turned over to you will be used only for the specific purpose intended and for no other purpose.
2. All employees having access to this material will be instructed as to its confidential nature.
3. An official of your company will assume responsibility for ensuring that the information is not revealed to any other party.
4. The material must be returned to us as soon as you have finished the job.
5. We must have a letter from a responsible official in your office agreeing to these conditions and assuming responsibility for carrying them out.
Upon receipt of this letter from your organization, the social security records will be made available to you.
Sincerely yours,
If the contractor receives a written request for a physician's or supplier's customary charges or for amounts of program payments made to physicians outside of its jurisdiction, it acknowledges the request and sends it to the appropriate contractor, when known. If not known, it sends the request to the RO.
Disclosure of information about unidentifiable individuals, or about provider or corporate entities (e.g., clinics or independent laboratories) is not to be disclosed by third parties to which information is disclosed for program purposes.
Customary charges may be disclosed to the public. However, requests from anyone (including a physician or supplier) for actual data used to determine the customary charge(s) should be referred to the RO.
A/B MACs (B) or DME MACs may voluntarily specify a physician's or supplier's customary charges when explaining reimbursement or when furnishing denial or review notices.
The A/B MAC (B) or DME MAC may furnish a physician or supplier with a copy of their own customary charges free of charge; requests for customary charges from other sources will be subject to FOIA fees. However, anyone may inspect the customary charges free at the office of the A/B MAC (B) or DME MAC serving the locality for which the screens are used. A/B MACs (B) or DME MACs produce a printout to be made available for inspection and/or photocopying in their office. If past experience with requests for customary charge screens from the public does not warrant the expense of producing a printout of all screens for inspection (i.e., there have been few request and no one has requested to inspect all the screens), printout copies of single screens or small numbers of screens may be furnished instead of photocopies; however, there will be no charge for the computer time for the printout nor shall the requesters be asked to pay more than they would if they were to request a photocopy of the screens. Requests specifically for printouts or tapes shall be furnished at cost to related Federal programs (for example, to TRICARE or Medicaid).
A/B MACs (B) or DME MACs may release information to the public regarding the method used to determine Medicare allowances, e.g., that the median of the charges made by physician for a service is used as the customary charge, and that the 75th percentile of such customary charges in an area (weighted by frequency of service) is used to establish the prevailing charge.
Written requests for lists A/B MACs (B) or DME MACs do not have should be referred to the RO immediately by telephone so that RO can indicate whether the A/B MAC (B) or DME MAC should create a list. Such request might be for all the customary charge screens of internists in a given county or for a list of all physicians who charge a given amount or less for a certain procedure. If requesters orally ask to see a list, which does
not exist, the A/B MAC (B) or DME MAC will offer them the opportunity to inspect the screens and create their own list.
Information such as the specialty and business address of a physician or supplier may be disclosed to the public. The A/B MAC (B) or DME MAC will refer to the RO written requests for special lists, such as a list of five orthopedists in a given city. However, if the A/B MAC (B) has processed a list of all orthopedists in that city, it may, upon request, disclose the entire list. It may fulfill oral requests by offering the requester the opportunity to look at whatever disclosable records (e.g., customary charge screens) there are that contain the data (or to purchase photocopies of the data) or by referring the requester to the medical society or licensing board in the requester's area, if appropriate.
(Rev. 1, 09-11-02)
(Rev. 1, 09-11-02)
Upon request, an A/B MAC (B) or DME MAC may disclose to the public the fact that a provider no longer participates in the program. It will refer to the RO inquiries as to why a provider no longer participates in the program.
(Rev. 1, 09-11-02)
CMS publishes the names of providers, physicians, other suppliers of services, or any other persons who have been found guilty by a Federal court of submitting false claims in connection with title XVIII. A/B MACs (B) or DME MACs will refer requests for such names to the RO for response.
The DHHS Second Opinion Campaign has led to requests under the Freedom of Information Act for the list of physicians who have volunteered to accept referrals for second opinions. If a contractor has a list, it should disclose it upon request.
(Rev. 1, 09-11-02)
A. Referral of Suspended Practitioners
Section 1862(e)(2)(B) of the Social Security Act requires the Secretary to notify the appropriate State or local licensing authority (e.g., State licensing board or medical review board) whenever a physician or other practitioner has been suspended from participation in the Medicare program. Thus, whenever CMS suspends a practitioner from participation in the Medicare program because the practitioner has been convicted of a criminal offense related to participation in the title XVIII or XIX program, CMS will promptly notify the appropriate State or local licensing authority(ies) to (1) make appropriate investigations, (2) invoke any sanctions available under State law which the authority(ies) deems appropriate, and (3) keep CMS and the Inspector General fully and currently informed of any action it takes.
B. Referral by Medicare A/B MACs (B) or DME MACs
In addition to the referrals made by CMS under section 1862, Medicare A/B MACs (B) or DME MACs are authorized to refer title XVIII-related cases of apparent unethical practices or unprofessional conduct to medical or other professional societies, and State or local licensing authorities (licensing boards or medical review boards). (See the routine uses for the Medicare Carrier Claims Records system as described in the system notice published in the Federal Register. The web address for this information is: http://www.cms.gov/Research-Statistics-Data-and-Systems/Computer-Data-and-Systems/Privacy/PrivacyActof1974.html
When considering a case for referral, the A/B MAC (B) or DME MAC should assure itself that substantial basis for referral exists; that more than mere suspicion is involved. It need not compile evidence sufficient to prove misconduct before referral; it should ascertain the probability and severity of misconduct and leave further investigation, review, and disciplinary action to the appropriate society or board. Isolated instances of questionable practices or conduct should not normally be referred.
Further, referral of apparent unethical practices or a course of unprofessional conduct by a practitioner should be made only after proper professional advice has been obtained from the A/B MAC (B)'s physician staff members, medical consultants, or other professional advisors.
Since State licensing boards and medical review boards are responsible for the licensing and sanctioning of practitioners, cases should be referred to those boards only where the apparent unethical practices or unprofessional conduct is of a severity to possibly warrant such sanctions; cases involving less severe improprieties should typically be referred only to professional or medical societies for action.
The following are examples of cases that should be referred:
1. Over-utilization - This refers to a pattern of medical care which consists of providing more services than are medically necessary or which is not in accordance with acceptable medical practice (e.g., an inordinate number of office visits over an extended period of time for a chronic illness, a conspicuously high number of injections, excessive hospitalizations). Cases involving suspected over utilization should be reviewed by the A/B MAC (B) or DME MAC's physician staff. In cases where additional peer review is necessary, A/B MACs (B) or DME MACs may refer the case to a PRO. If the PRO servicing the area in question is not available to perform this type of review, the case should be reviewed by the medical society, medical consultants, or other professional advisors.
2. Mis-utilization - This involves the rendering of services that are not medically acceptable according to the standards of the community concerned.
3. Overcharging - This refers to the charging of fees by a physician, or other practitioner, that are not commensurate with the services rendered. Billing for amounts in addition to the deductible and coinsurance when assignment has been accepted also falls into this category.
4. Harmful Services or Pattern of Treatment - This involves the furnishing of services or a pattern of treatment that is harmful to the patient, or of a quality which does not meet professionally-recognized standards of care.
5. Violation of Ethics - These violations involve conduct of a physician or other practitioner that is contrary to the principles of ethics of the professional society to which the physician or other practitioner may belong, or which would make their practice a danger to the health and welfare of their patients or to the public.
6. Violation of the State's Professional Practice Statutes - This involves the committing of acts that, under the applicable State law, would be grounds for suspension or revocation of the physician's or practitioner's license to practice.
These guidelines are not all inclusive; any activities by a physician, or other practitioner, in their treatment of program beneficiaries, which would warrant concern by professional societies or State or local licensing boards or medical review boards may be brought to their attention.
When a A/B MAC (B) or DME MAC refers a case to a professional society or State or local licensing board or medical review board because of apparent unethical practices or unprofessional conduct by practitioners furnishing services to beneficiaries, the PI staff in the regional office should be concurrently notified of the referral. Notification should include copies of all materials referred to the professional society or State or local board, and should be followed by reports of significant case developments. Since such cases may involve program abuse by the practitioner, the RO should be notified as quickly as possible to permit remedial or sanction action if deemed appropriate.
When a case is pending prosecution, or when a decision is pending on whether to proceed with prosecution, the contractor will delay referral to the professional society until: (1) the prosecution action is completed, (2) the decision is made not to prosecute, or (3) CMS authorizes the referral.
C. Requests for Assistance by State or Local Licensing Boards, or State or Local Medical Review Boards
While cooperation on the part of CMS ROs and A/B MACs (B) or DME MACs with State or local licensing/medical review boards is generally encouraged, there seems to be three distinct situations in which these boards might request assistance:
1. When a case has been referred to a State or local licensing/medical review board for investigation and possible sanctions (either by CMS as a result of the conviction and suspension of the subject practitioner, or by an A/B MAC (B) or DME MAC), it would seem appropriate for CMS and A/B MACs (B) or DME MACs to provide assistance to the board in its investigative activity, provided the demands on staff time and resources do not become burdensome or unreasonable. All requests for A/B MAC (B) or DME MAC assistance should, however be channeled through the servicing CMS RO for a determination regarding the reasonableness of the request. Appearance by CMS personnel before board meetings involving a case which has been previously referred would also be permitted.
2. When a State or local licensing board or medical review board requests information or assistance on a case which was self-initiated (i.e., not previously referred to the board by CMS or a Medicare A/B MAC (B) or DME MAC) as a result of a complaint, allegation, inquiry, etc., relative to a specific physician or practitioner's practices, this request should be treated as a Freedom of Information Act request. Therefore, any requested material should be screened for sensitive information, with the decision to release or withhold such information made on a case-by-case basis. Further, the board would be responsible for the costs involved in providing such information (searching costs, duplicating costs, etc.). In such instances, the appearance of CMS personnel at a board hearing would be discouraged.
3. When the State or local licensing board or medical review board's request is for general information pursuant to a study or investigation of physician or practitioner impropriety or abuse, and is not related to a complaint, allegation, etc., against a specific physician or practitioner; or when the request would represent a clearly unwarranted invasion of personal privacy, cooperation by CMS or contractor personnel would be discouraged. In such instances it would be appropriate to release general or statistical information that did not identify specific individuals; however, the request for identifying information would constitute an improper search for information.
140.4.5 - Disclosure of Medicare Statistics
Numerous statistics on individual providers are available to the public. They include, but are not limited to, the following:
1. Waiver of liability statistics;
2. Interim rate payment data;
3. Amount of Medicare reimbursement;
4. Overpayment data;
5. Data from the Provider Monitor Listing;
6. Information from the Directory of Medical Facilities and the Directory of Medicare Providers and Suppliers of Services;
7. Medicare statistics (e.g., total visits, number of starts of care,)
8. Presumptive waiver of liability status;
9. Information as to whether a provider participates in the Medicare program; and
10. Medicare inpatient statistics for inpatient facilities (e.g., total inpatient days, number of admissions, average length of stay).
(Rev. 1, 09-11-02)
(Rev. 1, 09-11-02)
RCPs are available to the public at the RO servicing the contractor. The contractor will refer requests for RCPs to the RO for response. It will refer requests for an RCP of a multi-State contractor to the RO servicing the home office of the contractor.
The contractor will refer requests for supporting documentation for the RCP contained in Contractor Performance Evaluation (CPE) reports to the RO.
(Rev. 1, 09-11-02)
DHHS Audit Agency reports issued to Medicare contractors are available if requested, to members of the press and the public. The contractor will refer requests for DHHS Audit Agency reports directly to the Audit Agency, which is responsible for decisions regarding the release of these reports.
CMS and its agents may disclose statistical data and similar information that does not relate to any identifiable person or persons. However, they are not required to create records for requestors by compiling selected items from the files, nor are they required to
create records to provide such data as ratios, proportions, percentages, per capita, frequency distributions, trends, correlations or comparisons.
They may, however, create such records when efficient administration permits. Final authority to determine when 'efficient administration permits' rests with CMS. The contractor will refer requests for information, which can be created by hand, to the RO unless the requestor is willing to accept copies of the pages containing the data needed to compile the requested information (i.e., the requester is willing to do the necessary compilation). The contractor will refer requests for information, which must be created by machine (e.g., computer programs to manipulate data and print results), to the RO.
CMS and the contractors have a joint obligation to ensure that the program is clearly and accurately represented and that the public is given a complete picture of program performance.
There are certain problems in accurately representing program performance by means of statistical data alone, since some groupings of statistics are subject to inadvertent inaccuracies or are susceptible to misinterpretation. Careful judgment is, therefore, essential in presenting information on operating and payment activities.
When considered appropriate, the contractor may release operating, payment, and cost data listed below without prior approval of the RO. The contractor will promptly forward to the RO a copy of information provided under this guideline.
In releasing any data under this guideline, the contractor must insure that the data are related specifically to the geographical area for which the contractor is responsible. For example, if a press inquiry is clearly for the purpose of presenting program operating data for a geographical area beyond the jurisdiction of the contractor, and CMS has not made such data available for public release, the contractor will tell the requestor that it does not have the authority to release information beyond its operational jurisdiction. It will refer the request to the RO. (See §160ff of this chapter.)
In releasing payment data, the contractor must indicate that the information refers only to the area it services and does not include payments to direct dealing providers, group practice prepayment plans, or railroad beneficiaries.
If it is not clear whether information can be released under this guide, the contractor will resolve doubt in favor of obtaining prior clearance from the RO.
The data released under this guideline should be based on the figures furnished to CMS in the monthly financial report and the monthly workload report. The administrative cost information should be the same as in the quarterly Operations Schedule-Cumulative Interim Expenditure Report.
The following data, relating only to the contractor's title XVIII workload, may be released:
Form SSA-1523 (Estimate of Administrative Costs and Credits)
○ Form SSA-1566 (Intermediary Workload Report)
Release of the last form should be accompanied by a qualifying statement such as the following:
'This report is based on preliminary data and is subject to adjustment by subsequent cumulative reports and a final cost proposal.'
Absent prior RO clearance, the contractor may release only the data listed above. A request for data not included in the above list may, in the contractor's judgment, require an immediate response. If so, the contractor may furnish general comments but cannot provide statistics. No further action need be taken on these requests unless the requestor asks for additional information. When additional information is requested, the contractor refers the request to the RO.
The CMS regional office may authorize contractors to release the following information:
Total man-years (or man-quarters, etc.) employed per report period.
Man-hours per claim or bill processed.
Data which contrast one contractor's performance with the performance of any other contractor, or which compare a contractor's performance with any set of national, regional, or other combined contractor performance data, may not be released by the contractor without prior RO approval. The contractor refers requests for such information to the RO. Generally, data of this type will be made available in periodic CMS releases when sufficient to permit valid statistical inferences. When the release of this kind of information is considered valuable for contractor or program public relation, telephone request and approval for contractor release may be appropriate.
This section applies only to data compiled in the administration of the health insurance program. The contractor does not need prior RO approval to release, for example, compilations created by the Blue Cross Administration (BCA) or The National Association of Blue Shield Plans (NABSP).
Data pertaining to more than one contractor or which compare contractor performance may be released only in proper perspective. Essentially, cost information alone is not an accurate indication of a contractor's performance and, therefore, is not to be publicized without other relevant data accompanying it; e.g., information pertaining to workload volume and processing time. Moreover, release should always be accompanied by an interpretive statement indicating the limitations of the data and the known variables; e.g., wage differentials.
Requests which include a provider population beyond the jurisdiction of the contractor may involve data which have not been made available by CMS for public release. Requests for such combined data will be handled by the RO, which, if it approves the release, will furnish the requestor with the appropriate combined data and alert the contractors involved regarding the release.
(Rev. 124, Issued: 05-17-19, Effective: 06-18-19, Implementation: 06-18-19)
The term Medicare beneficiary identifier (Mbi) is a general term describing a beneficiary's Medicare identification number. For purposes of this manual, Medicare beneficiary identifier references both the Health Insurance Claim Number (HICN) and the Medicare Beneficiary Identifier (MBI) during the new Medicare card transition period and after for certain business areas that will continue to use the HICN as part of their processes.
Records and information, acquired in the administration of the Medicare program, may be disclosed only under prescribed rules and regulations or under the authority of the
Administrator of CMS. Information furnished specifically for purposes of a claim under the health insurance program is subject to these rules and regulations. These regulations apply to Governmental or private agencies that participate in program administration. These entities include the following:
The type of information includes, but is not limited to, the following:
Information not subject to these rules and regulations includes information in the provider's own records, such as the following:
A provider's own records are, however, subject to requirements listed in the "Conditions of Participation", that "Patient's records be kept confidential (20 CFR Part 405.126). These records may also be subject to State or local laws governing disclosure.
Providers are also responsible for following conditions for coverage. A provider or supplier that receives a request for disclosure of information about a Medicare beneficiary, Medicare claim, or related information that it may not disclose, should refer the requestor to the appropriate contractor for further consideration of the request.
(Rev. 1, 09-11-02)
Information such as Medicare entitlement or eligibility data may be disclosed to a beneficiary or their authorized representative (this includes the beneficiary's representative payee).
(Rev. 1, 09-11-02)
Providers and suppliers may not forward medical information to contractors on a confidential basis, expressed, or implied, since, under the Privacy Act, any medical information obtained by a contractor is subject to disclosure to the individual to whom the information pertains or to another person authorized by the individual to have access to it.
Some providers and suppliers document findings on medical forms pre-printed "confidential" or routinely stamp all records "confidential" whether or not such records are ever intended for disclosure to a contractor. The contractor will accept such records only if the provider or supplier accompanies them with a signed statement indicating the following:
(Rev. 1, 09-11-02)
Disclosure by the provider or supplier to persons other than the individual or the individual's authorized representative of any records, reports, or other information about the individual is authorized without the individual's or their representative's consent under the following circumstances:
The disclosure is required in connection with any claim or other proceeding under the Social Security Act for the proper performance of the duties of:
These limitations apply whether or not the individual to whom the information pertains authorizes further disclosure to third parties (e.g., to a private medical plan).
(Rev. 124, Issued: 05-17-19, Effective: 06-18-19, Implementation: 06-18-19)
The term Medicare beneficiary identifier (Mbi) is a general term describing a beneficiary's Medicare identification number. For purposes of this manual, Medicare beneficiary identifier references both the Health Insurance Claim Number (HICN) and the Medicare Beneficiary Identifier (MBI) during the new Medicare card transition period and after for certain business areas that will continue to use the HICN as part of their processes.
Information obtained from CMS or its contractor is confidential and may be disclosed only under conditions prescribed in rules and regulations or on the express authorization of the Administrator of CMS. However, certain limited information about a beneficiary's Medicare eligibility status and related claims information may be released to third party payers with the beneficiary's express authorization.
The following information may be released subject to necessary authorization:
Providers should refer requests for other information to the contractor. Contractors refer requests to the CMS regional office.
The provider or supplier will adhere to the following authorization guidelines to ensure that information is not released without the required authorization. Authorization must:
Specify the purpose for which the information is being released;
Specify an expiration date for the authorization that should not exceed 2 years from the date it was signed; and
(Rev. 1, 09-11-02)
The law requires providers to observe more stringent rules when disclosing medical information for claims processing purposes from the records of alcohol and drug abuse patients. Since the standard consent statement on the provider billing form is not sufficient authority, under the law, to permit the provider to release information from the records of alcohol or drug abuse patients, more explicit consent statements are required.
Providers that participate in Medicare and alcohol and drug abuse prevention and treatment programs must obtain written consent in each alcohol or drug abuse case from beneficiaries to release medical information. This written consent, which allows the provider to disclose the records of the patient, must include all of the following:
If the beneficiary wishes, the consent statement may be expanded to permit disclosure by the provider to any other person, organization, or program (e.g., PRO), as appropriate. Providers may also give authorization to CMS and its contractors to re-disclose specific information to third party payers for complementary insurance purposes.
The provider keeps the consent statement with the patient's medical and other records.
The duration of the consent statement is not to exceed 2 years after which it must be renewed by the beneficiary if further disclosures are necessary.
(Rev. 124, Issued: 05-17-19, Effective: 06-18-19, Implementation: 06-18-19)
The term Medicare beneficiary identifier (Mbi) is a general term describing a beneficiary's Medicare identification number. For purposes of this manual, Medicare beneficiary identifier references both the Health Insurance Claim Number (HICN) and the Medicare Beneficiary Identifier (MBI) during the new Medicare card transition period and after for certain business areas that will continue to use the HICN as part of their processes.
Section 4311 of the Balanced Budget Act of 1997 requires that if a Medicare beneficiary submits a written request to a health services provider for an itemized statement for any Medicare item or service provided to that beneficiary, the provider must furnish this statement within 30 days of the request. The law also states that a health services provider not furnishing this itemized statement may be subject to a civil monetary penalty of up to $100 for each unfulfilled request. Since most institutional health practices have established an itemized billing system for internal accounting procedures as well as for billing other payers, the furnishing of an itemized statement should not pose any significant additional burden.
The provider will furnish to the individual described above, or duly authorized representative, no later than 30 days after receipt of the request, an itemized statement describing each item or service provided to the individual requesting the itemized statement.
Although §4311 of the Balanced Budget Act of 1997 does not specify the contents of an itemized statement, suggestions for the types of information that might be helpful for a beneficiary to receive on any statement include: beneficiary name, date(s) of service, description of item or service furnished, number of units furnished, provider charges, and an internal reference or tracking number. If Medicare has adjudicated the claim, additional information the provider can include are: amounts paid by Medicare, beneficiary responsibility for co-insurance, and Medicare beneficiary identifier. The
statement should also include a name and telephone number for the beneficiary to call if there are further questions.
A knowing failure to furnish the itemized statement shall be subject to a civil monetary penalty of up to $100 for each such failure.
(Rev. 1, 09-11-02)
Providers are required to pay appropriate fees for information they request pertaining to other providers, Medicare contractors, or State agencies. A provider may claim such fees as allowable costs only if it demonstrates to the contractor the information is necessary in developing and maintaining the operations of patient care facilities and activities.
(Rev. 7, 06-25-04)
To improve the efficiency and effectiveness of the health care system, HIPAA included provisions that required national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
The Department of Health and Human Services issued the regulation 'Standards for Privacy of Individually Identifiable Health Information', 45 CFR Parts 160 and 164, (the HIPAA Privacy Rule) to implement section 264 of HIPAA. The HIPAA Privacy Rule establishes a set of basic national privacy standards and fair information practices. It sets a floor of ground rules for health care providers, health plans, and health care clearinghouses to follow to protect the privacy of an individual's personal health information.
The HIPAA Privacy Rule is based on the same fair information principles that are found in the Privacy Act of 1974 and are now generally extended to the public and private sectors of the health care delivery system. The HIPAA Privacy Rule applies to protected health information (PHI) held by covered entities, as defined by the Rule, while the Privacy Act protects records with individually identifiable information held by Federal agencies. The Privacy Act continues to apply to Medicare and Medicare fee-for-service (FFS) contractors in their day-to-day operations.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for providing outreach and technical assistance to covered entities (health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically) and for enforcing the HIPAA Privacy Rule. OCR maintains information on the HIPAA Privacy Rule at
Since Medicare operates under both the Privacy Act and the HIPAA Privacy Rule, CMS has determined how the provisions interact with each other as it uses personally identifiable information in its day-to-day operations. For example, a use or disclosure that is permitted under the HIPAA Privacy Rule (e.g., to facilitate cadaveric organ donation and transplants), but not published in a Federal Register notice as a routine use in a CMS system of records would not be permitted for Medicare. Similarly, if the disclosure is a “routine use” under the Privacy Act, but the HIPAA Privacy Rule prohibits the disclosure, CMS will not make the disclosure.
Exemption 6 of the Freedom of Information Act (FOIA) permits Federal agencies to withhold personnel and medical files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy. When a FOIA request asks for documents that include personal information, CMS must apply Exemption 6 to preclude the release of, or must otherwise redact, identifying details before disclosing the remaining information.
The application of Exemption 6 of the FOIA to information about deceased individuals requires a different analysis than that applicable to living individuals because under the Privacy Act of 1974, privacy rights are extinguished at death. However, under FOIA, it is entirely appropriate to consider the privacy interest of a decedent’s survivors under Exemption 6. Under the HIPAA Privacy Rule, the personal health information of deceased as well as living persons is protected.
The FOIA and Privacy Act requests will continue to be handled according to current procedures and timeliness standards. A FOIA request for access to public records requires CMS, as a Federal agency, to provide the fullest possible disclosure of its records to the public, subject to certain exceptions (e.g., proprietary information, national defense risks). The Privacy Act requires CMS to provide individuals access to their personal information maintained in a System of Records. Note that an individual’s request under the Privacy Act to access his or her records must specify a
Privacy Act System of Records and must be addressed to the system manager identified in the Federal Register notice.
A HIPAA Privacy Rule request for access is separate from both FOIA and the Privacy Act and has its own timeliness standards associated with it. Requests for access under the HIPAA Privacy Rule will be handled by CMS' Central Office (see section G below).
Medicare is a national program that is administered under Federal statute and regulation. CMS administers Medicare through Medicare FFS contractors that are required to operate in accordance with statutory and regulatory requirements and CMS administrative direction.
When considering the provisions of HIPAA, Congress expressly intended to defer to more stringent state laws if those laws conflict with provisions in the HIPAA Privacy Rule. The HIPAA Privacy Rule therefore explicitly preempts conflicting state law provisions, unless they are more stringent or more protective of the individual's rights. Since the Federal law expressly preserves more stringent state laws, and because of the complexity of this issue, contractors should ask CMS for guidance as issues arise.
The Federal health programs that CMS administers are health plans as defined in HIPAA and are covered entities subject to the HIPAA Privacy Rule. These health plans are:
The CMS is directly responsible for ensuring that the Medicare Fee-For-Service (FFS) program, also known as the Original Medicare Plan, complies with the HIPAA Privacy Rule. For the Medicaid and SCHIP programs, the appropriate State Agency is responsible for ensuring compliance with privacy requirements. Medicare Advantage (formerly M+C) plans are covered entities subject to the HIPAA Privacy Rule in their own right and responsible for their own compliance.
Most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. By definition, a business associate is a person or entity that performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information on behalf of a covered entity.
Medicare FFS contractors that perform health care activities involving the use of PHI on behalf of the Medicare FFS health plan (i.e., claims processing functions) are business associates of the Medicare FFS health plan (the covered entity). The HIPAA Privacy Rule allows providers and plans to give PHI to their business associates as long as they have satisfactory assurances and document those assurances, typically by contract, that business associates will safeguard the information.
Medicare contracts have been modified to include the business associate provisions. These provisions also address the contractor’s responsibility to ensure that subcontractors or agents to whom they disclose Medicare data agree, by contract, to safeguard any PHI as well. Contracts continue to include language that applies to contractors who maintain or operate a Privacy Act protected systems of records on Medicare’s behalf.
Medicare contractors that perform health care activities involving the use of PHI on behalf of the Medicare FFS health plan are not business associates of providers, physicians, suppliers, clearinghouses, or other health plans. Likewise, providers, physicians, suppliers, clearinghouses, or other health plans are not business associates of the Medicare contractor unless the provider, physician, supplier, clearinghouse, or other health plan is doing work on behalf of the Medicare contractor. For these reasons, Medicare FFS contractors should not sign business associate agreements with any provider, physician, supplier, clearinghouse, or other plan unless the provider, physician, supplier, clearinghouse, or other health plan is doing work on the contractor’s behalf.
Currently, Medicare contractors execute trading partner agreements (TPAs) with a number of payers, including Medigap insurers, Medicare supplemental/employee retiree health plans, multiple employer welfare trusts, TRICARE for Life, as well as State Medicaid Agencies, for the purpose of exchanging adjudicated Medicare claims for secondary liability determination by those partners. This exchange of data is commonly referred to as the “claims crossover process.” For coordination of benefits (COB) purposes, Medicare contractors and trading partners are not business associates of each other since neither entity is doing work on the other’s behalf; therefore, MACs should not sign business associate agreements with COB trading partners that receive claims crossover data from them.
The HIPAA Privacy Rule requires each covered entity to develop and provide a plain language notice that describes its legal duties, the uses and disclosures of protected health
information that it may make, and individual privacy rights and how to exercise them. The individual rights include the right to inspect and copy protected health information, to amend protected health information, to request restrictions, confidential communications, an accounting of disclosures, a paper copy of the privacy notice, and how to file complaints.
Medicare’s privacy notice was provided to beneficiaries for the first time in the 2003 Medicare & You handbook and is provided in the handbook every year. New enrollees receive the privacy notice in the handbook that is mailed to them within 30 days of Medicare entitlement. Medicare’s privacy notice is also posted on Medicare’s Web site at www.medicare.gov.
Medicare’s Notice of Privacy Practices informs beneficiaries who are interested in exercising individual rights to go to www.medicare.gov or call 1-800-MEDICARE. Customer Service Representatives (CSR) at 1-800-MEDICARE use scripts to answer questions regarding exercising individual rights and filing complaints.
Since Medicare’s privacy notice describes the uses and disclosures of PHI in the day-to-day operations of Medicare (including Medicare FFS contractors), FFS contractors are not required to develop a separate privacy notice for Medicare beneficiaries.
NOTE: For Individual Rights Under the Privacy Act of 1974, see §10 above.
The HIPAA Privacy Rule gives individuals rights with respect to their PHI. These rights are listed in covered entities’ privacy notices. The Notice of Privacy Practices for the Original Medicare Plan includes the right to:
1. See and get a copy of personal health information held by Medicare.
CMS Central Office is responsible for responding to beneficiary requests for access to records under the HIPAA Privacy Rule. Medicare FFS contractors should only respond to those requests for information related to payment of a claim, for which they are already responsible under the contract under existing customer service procedures. Simple telephone inquiries, such as asking about the status of a claim or requesting a duplicate Medicare Summary Notice, are not considered a HIPAA request for access and should be handled under existing customer service procedures.
2. Have personal health information amended if it is wrong or missing, and Medicare agrees. If Medicare disagrees, a statement of disagreement may be added to the personal health information.
Central office is responsible for handling beneficiary requests to amend the record under the HIPAA Privacy Rule. Contractors will not be responding to requests to amend records.
Requests for changes to claims or payment records, such as an appeal or change of address request, are not considered HIPAA Privacy Rule requests for amendments, and should be handled according to current procedures.
Note, however, that if the request for amendment involves medical records, contractors should explain that, except in rare circumstances, only the source of the medical record (i.e., the provider) may make changes to the record.
3. Get a listing of those receiving personal medical information from Medicare.
CMS Central Office is responsible for responding to beneficiary requests for an accounting of disclosures under the HIPAA Privacy Rule. Contractors will not be responding to requests for an accounting of disclosures.
The listing does not cover personal health information that was given to the individual or his or her personal representative, that was given out to pay for health care or Medicare operations, or that was given out for law enforcement purposes.
4. Ask Medicare to communicate in a different manner or at a different place, for example, by sending materials to a P.O. box instead of the address on file.
Current regulations and existing agreements with the Social Security Administration are extremely prescriptive, often governing precisely how CMS can respond to requests for confidential communications.
Operationally, CMS can only maintain one address at a time. Because of this, routine change of address requests should be handled according to current change of address procedures.
5. Ask Medicare to limit how personal health information is used and given out to pay claims and run the Medicare program.
CMS Central Office is responsible for responding to beneficiary requests to restrict disclosure of PHI. Contractors will not be responding to requests to restrict disclosure of PHI.
6. Get a separate paper copy of the privacy notice.
Contractors who receive requests for a paper copy of the Notice of Privacy Practices for the Original Medicare Plan should refer requestors to their Medicare & You handbook.
Medicare’s Notice of Privacy Practices informs individuals of the right to file complaints about Medicare’s privacy practices with either Medicare or the Secretary of Health and Human Services. The privacy notice refers individuals to www.medicare.gov or 1-800-MEDICARE for further information on filing a complaint.
CMS is required to document in written or electronic form the complaints received and their disposition. There is no requirement to respond in a particular manner or time frame.
For the privacy rights listed above where CMS Central Office is responsible for responding to the request, contractors should advise beneficiaries to address their requests to:
HIPAA Privacy P.O. Box 8050 U.S. Department of Health and Human Services Centers for Medicare & Medicaid Services 7500 Security Boulevard Baltimore, MD 21244-1850
An authorization is a document that an individual uses to give a covered entity permission to disclose his or her PHI for a particular purpose (e.g., for marketing) or to a third party specified by the individual. A covered entity is generally not required to obtain an authorization for the use or disclosure of PHI for treatment, payment, or health care operations, as well as for certain public priority activities under specified conditions (e.g., health care oversight, law enforcement). Contractors should inform providers that contractors are unable to make payment for Medicare claims if the provider fails to provide the information needed to process them.
The HIPAA Privacy Rule specifies certain core elements and required statements for a valid authorization. Contractors may add more elements to their authorizations as long as the core elements and required statements remain and no provisions are added that conflict with these core elements and statements.
Contractors must also accept an authorization from another entity, provided it includes all of the core elements and required statements, and no provisions are added that conflict with these core elements and statements.
The core elements of a valid authorization are:
1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
3. The name or other specific identification of the person(s) or class of persons, to whom the covered entity may make the requested use or disclosure;
4. A description of each purpose of the requested use or disclosure. The statement, “at the request of the individual” is a sufficient description of the purpose when the beneficiary initiates the authorization and does not, or elects not to, provide a statement of the purpose;
5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; and
6. The signature of the individual and date. If a personal representative of the individual signs the authorization, a description of such representative’s authority to act for the individual must also be provided. Although the HIPAA Privacy Rule requires only a description of the representative’s authority to act for the individual, CMS is requiring that documentation showing the representative’s authority be attached to the authorization (e.g., a Power of Attorney).
In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
1. The individual’s right to revoke the authorization in writing, how the individual may revoke the authorization, and the exceptions to the right to revoke, e.g., “You have the right to take back (“revoke”) your authorization at any time in writing, except to the extent that Medicare has already acted based on your permission. To revoke your authorization, send a written request to: [Each Medicare contractor or CMS: Please insert Name, Address, and Telephone number of your organization here]”;
2. The inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, e.g., “I understand refusal to authorize disclosure of my personal medical information will have no effect on my enrollment, eligibility for benefits, or the amount Medicare pays for the health services I receive”;
3. The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer protected, e.g.: “Your personal medical information that you authorize Medicare to disclose may be subject to redisclosure and no longer protected by law.”
In addition, the authorization must be written in plain language and a signed copy must be provided to the individual (or the individual should be advised to retain a copy).
The CMS is developing a standard authorization for beneficiaries or their personal representatives to request disclosure of PHI to third parties. The standard will contain the elements for compliance with both the HIPAA Privacy Rule and Privacy Act requirements. Contractors will be notified when the standard authorization is available.
The HIPAA Privacy Rule requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s PHI, as well as exercising the individual’s privacy rights listed in the covered entity’s Notice of Privacy Practices. A personal representative may also authorize disclosures of an individual’s PHI (see §190H above).
In addition to these formal designations of a personal representative, the HIPAA Privacy Rule permits a covered entity to disclose to any person identified by the individual the protected health information directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s care. Therefore, a verbal authorization is allowed under the HIPAA Privacy Rule for those individuals involved in the care of an individual.
Contractors should continue to handle routine inquiries, such as telephone requests for the status of claims, under existing customer service procedures that include verification of the individual’s identity. Therefore, with the beneficiary’s verbal or written permission, contractors may continue to speak to third parties on behalf of the individual. See Exhibit D - Disclosure Desk Reference Guide for Call Centers for detailed instructions on disclosing PHI over the telephone.
Contractors may also continue to handle Congressional inquiries under existing customer service procedures (see §10J above).
As Medicare’s business associate, contractors are not subject to the administrative requirements of the HIPAA Privacy Rule. However, under the Privacy Act, contractors must comply with the privacy provisions specified in their contracts. Contractors are not required to designate a privacy official. However, contractors are required to have in place a senior official or other responsible party to address the privacy concerns of the organization and to establish an internal control system to monitor compliance with privacy requirements.
Similarly, as Medicare’s business associate, contractors are not subject to the HIPAA Privacy Rule’s requirement to train staff specifically on the HIPAA Privacy Rule.
However, under the Privacy Act, contractors are required to ensure that employees understand their responsibility to protect the privacy and confidentiality of CMS's records.
It is CMS policy that any data collected on behalf of CMS in the administration of a Medicare contract belongs to CMS. Any disclosure of individually identifiable information without prior consent from the individual to whom the information pertains, or without statutory or contract authorization, requires prior approval by CMS.
Contractors (A/B MACS (A and B), A/B MACs (HHH) and DME MACs) shall stop printing the Medicare Number on reimbursement checks to Medicare beneficiaries.
Reimbursement checks going to Medicare beneficiaries are subject to others (e.g. banks) seeing the Medicare Number. CMS has determined that there is no business reason for the Medicare Number to be printed on the reimbursement check to the beneficiary. Therefore, CMS is directing Medicare contractors to stop printing the Medicare Number on reimbursement checks to Medicare beneficiaries.
This change in policy does not affect the use of the Medicare Number by Medicare contractors. The Medicare program uses the Medicare Number to meet administrative responsibilities to pay for health care and to operate the Medicare program. In performance of these duties, Medicare is required to protect individual privacy and confidentiality in accordance with applicable laws, including the Privacy Act of 1974 and the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Data on this Summary Sheet is a summation of the data from all Forms CMS-632-FOI completed during the month.
1. Enter the month and year that this summary sheet covers.
2. Enter, in the applicable space, appropriate identifying information concerning your unit.
3. Enter the total number of 632s completed during the identified month.
4. Enter the number of times the 632s showed a request was closed by the cited action.
5. Enter the total of all staff hours used during the identified month. Use only whole numbers and fractions or decimals, e.g., 102 1/2 or 102.25, not 102 hours and fifteen minutes.
6. Enter the total of actual cost figures, based on the salaries of the staff involved.
7. Enter the total of copying charges.
8. Enter the mailing/postage costs.
9. Enter the total dollar amount of fees charged. This figure is not the same as actual costs.
10. Enter the total of all fees waived. (Unless the FOI Office, CMS has granted a waiver, this figure is a compilation of all fees which were waived because they were lower than CMS' $15.00 threshold).
11. Enter the name, office and address of the person who completed this summary sheet.
12. Enter the date the summary sheet was completed.
PLEASE FILL OUT COMPLETELY
1. Month: __ Year: __
MAC: ________
CENTRAL OFFICE COMPONENT:
Total 632s: ______
Actions:
| ___ Direct Reply (Records Sent) | ___ No Records Found |
|---|---|
| ___ Request Withdrawn | ___ Not FOIA |
| ___ Records Not Reasonably Described | ___ Subpoena Denial |
| ___ Fee Related Closure | ___ Other |
Staff Hours: ___
Staff Charges: ___
Copy Charges: ___
Postage: ___
Fees Charged: ___
Fees Waived: ___
Name/Phone: _________
Office: _____________
Address: _____________
Date: ___
| Rev # | Issue date | Subject | Impl date | CR# |
|---|---|---|---|---|
| R124GI | 05/17/2019 | Update to Publication (Pub.) 100-01 to Provide Language-Only Changes for the New Medicare Card Project | 06/18/2019 | 11240 |
| R123GI | 05/10/2019 | Updates to Publication (Pub.) 100-01, Medicare General Information, Eligibility, and Entitlement, Chapter 6, Disclosure of Information | 06/11/2019 | 11218 |
| R21GI | 04/29/2005 | Removal of Medicare Number from Reimbursement Checks | 10/03/2005 | 3760 |
| R07GI | 06/25/2004 | HIPAA Privacy Rules | N/A | 2484 |
| R01MGI | 09/11/2002 | Initial Publication of Manual | NA | NA |
Back to top of Chapter