[Federal Register Volume 59, Number 20 (Monday, January 31, 1994)]
[Unknown Section]
[Page 0]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-1979]


[[Page Unknown]]

[Federal Register: January 31, 1994]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Care Financing Administration

42 CFR Part 435

[MB-57-F]
RIN 0938-AF91

 

Medicaid Program: Computer Matching and Privacy Protection for 
Medicaid Eligibility

AGENCY: Health Care Financing Administration (HCFA), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule revises regulations concerning the income and 
eligibility verification system (IEVS) under the Medicaid program. It 
implements provisions of the Computer Matching and Privacy Protection 
Act of 1988 and the Computer Matching and Privacy Protection Amendments 
of 1990. These laws improve the oversight and procedures governing the 
disclosure of personal information used in computer matching programs 
and protect the privacy and due process rights of individuals whose 
records are exchanged by these programs.

EFFECTIVE DATE: This final rule is effective on April 1, 1994.

FOR FURTHER INFORMATION CONTACT: Helaine Jeffers, (410) 966-5920.

SUPPLEMENTARY INFORMATION:

I. Background

a. General

    Under section 1137 of the Social Security Act (the Act), State 
Medicaid agencies are required to have a computerized income and 
eligibility verification system (IEVS) that matches Medicaid 
eligibility information with data from Federal and State benefit 
agencies and the Internal Revenue Service (IRS) to prevent or reduce 
erroneous expenditures. Our regulations at 42 CFR 435.945 through 
435.965 specify the sources from which States must access data through 
computer matches, mandate the frequency of such matches, set time 
limits in which States must act on the output of the matches, and 
establish due process protection for Medicaid applicants and 
recipients.

b. The Computer Matching and Privacy Protection Act of 1988

    The Computer Matching and Privacy Protection Act of 1988 (CMPPA) 
(Pub. L. 100-503) amended 5 U.S.C. 552a (the Privacy Act of 1974) by 
adding a new subsection (o). The CMPPA improves the oversight and 
procedures governing the disclosure of personal information used in 
computer matching programs and protects the privacy and due process 
rights of individuals whose records are exchanged by such programs.
    Computer matching, as described by the CMPPA, is the computerized 
comparison of two or more automated systems of records (one of which 
must be a Federal system of records) to establish or verify eligibility 
or continuing compliance with laws and regulations. The matching 
operation can apply to either recipients of cash or in-kind assistance 
or to providers of services who receive payments under Federal benefit 
programs. The CMPPA provides that any reduction, suspension, 
termination, or denial of benefits for assistance that is based on 
information received through a computer match involving a Federal 
government system of records cannot take effect until the information 
is independently verified and the affected individual has received 30-
days notice of the proposed action.
    The CMPPA requires that Federal agencies involved in matches 
covered under the law enter into a written agreement with any State 
agency with which a match is to occur. The agreement must be reviewed 
and approved by each Federal agency's Data Integrity Board (DIB), as 
established under CMPPA. The agreement review requirements were 
included in a revision to the Office of Management and Budget's (OMB) 
Circular No. A-130 and published as a final notice in the Federal 
Register (58 FR 36068) on July 2, 1993. Under these requirements, 
covered agreements become effective the later of either 40 days after 
copies of the agreement are transmitted to the Congress and OMB, or 30 
days after publication of notification in the Federal Register that the 
match is being conducted.
    Current Federal-State computer matching activities, as well as any 
proposed Federal matches to be performed by State agencies to establish 
or verify the Medicaid eligibility of applicants and recipients, are 
matching programs as described by the CMPPA. Other State-developed 
matching activities not involving a comparison with Federal agency 
records are exempt from the CMPPA requirements.

c. The Computer Matching and Privacy Protection Amendments of 1990

    Section 7201 of the Computer Matching and Privacy Protection 
Amendments of 1990 (Pub. L. 101-508) amended the due process protection 
provisions of the CMPPA, effective October 26, 1990. The CMPPA 
provisions require an agency to verify independently any and all 
information developed through a matching program before an individual's 
benefits are denied, reduced, or terminated. The CMPPA also requires 
State agencies to notify the individual of a proposed adverse action 30 
days before the effective date of the action.
    The 1990 amendments retained the independent verification provision 
as a general requirement but established a new procedure for certain 
classes of matches, which permits an agency's DIB to waive the 
independent verification requirement. The exception is narrowly drawn 
and requires the Office of Management and Budget (OMB) to issue 
specific guidance on its implementation.
    The CMPPA and the 1990 amendments require that States independently 
verify all data covered by the CMPPA regardless of the source, unless 
the Federal agency's DIB waives this requirement. The waiver is 
applicable only to information identifying the amount of benefits paid 
by the source agency under a Federal benefit program and only if there 
is a high degree of confidence that the information provided is 
accurate. The amendments also retain the 30-day advance notice of 
adverse action protection as a general notice period but allow agencies 
to substitute other statutory or regulatory notice periods if they 
already exist. Medicaid regulations at Secs. 431.210, 431.211, 431.213 
and 431.214, which provide that notice is to be mailed at least 10 days 
before the effective date of the adverse action, except in certain 
specified cases, satisfy this requirement.

II. Issuance of Proposed Rule

    On December 4, 1992, we published in the Federal Register (57 FR 
57403) a proposed rule to incorporate the provisions of the CMPPA and 
the 1990 amendments in the Medicaid regulations.

a. Independent Verification

    We proposed to amend the IEVS regulations at Secs. 435.952(a) and 
435.955(a) to clarify that States must independently verify all 
information received if required by the CMPPA as implemented in 
Sec. 435.955 (as amended) or if the State determines it appropriate 
because of agency experience.
    We proposed to revise Sec. 435.955, which applied only to data from 
the Department of the Treasury, so that it applies to all data on 
individuals received as a result of a computerized data match with a 
Federal agency that would adversely affect the individual's 
eligibility. We proposed to require the agency to verify the 
information by either requesting the original source of the information 
to verify the fact and amount of income or resource, or by informing 
the applicant of receipt of the information and asking him or her to 
respond within a specified time period.
    We proposed to make conforming changes to the provisions relating 
to the action the agency must take if the information is verified, if 
the applicant or recipient fails to respond to reasonable attempts to 
contact him or her, and if the applicant or recipient disputes the 
information (Sec. 435.955(c)). We also proposed to correct a cross-
reference to the hearings and appeals regulations.

b. Waiver of Independent Verification Requirement

    We proposed to add a new Sec. 435.955(d), which outlines the 
general waiver provision under which the independent verification 
requirement may be waived with respect to a category of data if the 
Federal agency's DIB waives the requirement. We proposed to require the 
State to furnish the Federal agency with any information it needs to 
seek a waiver from the DIB.

c. Advance Notice of Adverse Action

    We found it unnecessary to propose any changes or additions to the 
Medicaid regulations to implement the advance notice of adverse action 
provisions of the CMPPA because current regulations meet the 
requirements of the CMPPA as amended by the Computer Matching and 
Privacy Protection Amendments of 1990. Medicaid regulations at 
Secs. 431.210, 431.211, 431.213 and 431.214, which provide that notice 
is to be mailed at least 10 days before the effective date of an 
adverse action, except in certain specified cases, satisfy the 
requirements of the amendments.

d. Negotiating Interagency Agreements

    We proposed to amend Sec. 435.945, to add a new paragraph (f)(7) to 
require that State agencies conform to the CMPPA requirements when 
negotiating matching agreements with Federal agencies supplying IEVS 
information when the match is covered by the CMPPA. We proposed that 
all agreements between Medicaid and a Federal benefit agency for IEVS 
data, in addition to containing the elements required by 
Sec. 435.945(f)(1)-(5), contain the following elements, which are found 
in the existing OMB guidelines that were published in the Federal 
Register (54 FR 25818) on June 19, 1989--
     The purpose of the exchange and legal authority. The 
agreement must cite a specific Federal or State statutory or regulatory 
basis for undertaking the exchange (that is, section 1137 of the Social 
Security Act).
     Justification and expected results. The agreement must 
explain why computer matching--as opposed to some other administrative 
activity--is being proposed and estimate the expected results.
     Notice procedures. The agreement must describe the 
individual and general periodic notice procedures.
     Verification procedures. The agreement must describe the 
methods the Medicaid agency will use to verify independently the 
information obtained through the matching program.
     Disposition of matched items. The agreement must state 
that information generated through the match will be destroyed as soon 
as it has served the matching program's purpose. It must also include 
any legal retention requirements the agency establishes in conjunction 
with the National Archives and Records Administration or other 
cognizant authority.
     Security procedures. The agreement must describe the 
administrative and technical safeguards to be used in protecting the 
information. These safeguards must be consistent with the requirements 
prescribed by the Federal agency furnishing the data.
     Records accuracy assessments. The agreement must include 
any information relating to the quality of the records to be used in 
the matching program.
     Comptroller General access. The agreement must state that 
the Comptroller General may have access to all records of the State 
agency necessary to monitor or verify compliance with the agreement. 
This requirement permits the Comptroller General to inspect State and 
local records used on matching programs covered by these agreements.
     We believe that the other elements OMB requires in its 
guidelines--records description and records usage, duplication and 
redisclosure restrictions--are already covered in existing IEVS 
agreement requirements (see Sec. 435.945 (f)(1) and (f)(4)) but we 
repeated them in proposed Sec. 435.945(f)(7). We note that, for CMPPA 
purposes, the records description must include: (1) Specific 
identification of the system of records; (2) the number of records; (3) 
data elements to be included in the match; (4) and projected starting 
and completion dates.

e. Other Requirements

    In addition to the requirements for the elements of Federal-State 
matching agreement, we proposed to--
     Require that States furnish the Federal agency with 
whatever information it needs to do a cost/benefit analysis 
(Sec. 435.955(e)).
     Require States to follow procedures set by the Federal 
agency concerning waiting before an adverse case action is taken and in 
following the terms of the agreement (Sec. 435.955(f) and (g)).

III. Summary of Public Comments and Departmental Responses

    We received three responses to the December 1992 proposed rule.
    Comment: One Federal Government agency commented that the required 
certification or analysis regarding the effects of the rule on small 
entities such as small businesses had not been included in the 
Regulatory Flexibility Act Statement.
    Response: We are including the required statements as part of the 
regulatory impact statement.
    Comment: Two State agencies questioned the need to verify data, or 
to submit waiver requests to be relieved of the requirement of 
independently verifying data, furnished by the Social Security 
Administration (SSA). They indicated that the SSA data are accepted by 
many States without verification because they are received from the 
primary source agency and are highly accurate.
    Response: States are not required to independently verify SDX and 
BENDEX data from SSA because these files meet the requirements for 
waiver of independent verification. State and Federal concerns about 
the independent verification requirements were addressed when the 
Computer Matching and Privacy Protection Amendments of 1990 amended the 
due process protection provisions of the CMPPA. The 1990 amendments 
retained the independent verification provisions as a general 
requirement but established a new procedure for certain categories of 
matches, which permit an agency's Data Integrity Board (DIB) to waive 
the independent verification requirement.
    The waiver is applicable only to information identifying the amount 
of benefits paid by the source agency under a Federal benefit program 
and only if there is a high degree of confidence that the information 
provided is accurate. The exception is narrowly drawn and is 
interpreted through specific Office of Management and Budget (OMB) 
guidelines. OMB's proposed OMB April 23, 1991, guidelines state:

     * * * The Computer Matching and Privacy Protection Act of 1988 
(Matching Act), as amended, permits a recipient agency to determine 
that the information it has received to carry out a match covered by 
the Matching Act is accurate enough to be relied on without making 
an independent verification. The Data Integrity Board of the source 
agency undertakes this finding for non-Federal recipient agencies. 
In the case of matches conducted under the Beneficiary and Earnings 
Data Exchange (BENDEX) or State Data Exchange (SDX) programs between 
State agencies and SSA, the Data Integrity Board of the Department 
of Health and Human Services is responsible for making this 
determination.
    Once the HHS Data Integrity Board has established that there is 
a high degree of confidence in the accuracy of the data, it should 
issue an opinion to that effect and instruct the SSA to provide a 
copy of the opinion to each State agency to whom it discloses its 
data tapes. The opinion should inform the State recipient agencies 
that they may consider the BENDEX and SDX data verified and use it 
immediately to make appropriate adjustments.  * * *


    On January 28, 1991, OMB advised HHS that SDX and BENDEX files met 
the requirements for waiver of independent verification. HHS's DIB then 
made a formal determination that it has a high degree of confidence in 
the accuracy of the data. HHS notified SSA of its findings on March 18, 
1991. Shortly thereafter, SSA, through its regional staffs, advised the 
States of this determination.
    We are clarifying the final regulation by specifying in 
Sec. 435.955(d) that ``The Federal benefit agency involved in the data 
exchange will develop the request petitioning its DIB for a waiver of 
independent verification by Medicaid State agencies.''
    Comment: One State agency expressed the need for the computer 
matching and privacy regulations to be consistent among Medicaid, Food 
Stamp, and the Aid to Families with Dependent Children programs.
    Response: We have developed these final regulations on computer 
matching and privacy in consultation with the Food Stamp and AFDC 
programs to ensure that our procedure or information is not in conflict 
with any procedure or information under those programs.

IV. Provisions of Final Regulation

    We are adopting the December 1992 proposed rule as final with the 
one modification to Sec. 435.955(d) as indicated in the response to 
public comment section of this preamble.

V. Regulatory Impact Analysis

    We generally prepare a regulatory flexibility analysis that is 
consistent with the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 
through 612), unless the Secretary certifies that a final rule will not 
have a significant economic impact on a substantial number of small 
entities. In determining what is a ``significant economic impact'' on 
small entities, we considered the following factors:
     Direct and indirect costs of compliance with the rule, 
calculated both as absolute costs and as a percentage of revenue of the 
regulated small entity (including, for example, interest rates to small 
borrowers and the ability of small borrowers to borrow at all);
     Direct and indirect costs of completing paperwork or 
recordkeeping requirements--again, both as absolute costs and as a 
percentage of revenue;
     Effect of the final rule on the competitive position of 
small entities in relation to larger entities;
     Effect of the final rule on the small entity's cash flow 
and liquidity; (For example: Does the rule indirectly require the small 
business to tie up funds?)
     Effect of the final rule on the ability of a small entity 
to remain in the market at all; and
     Availability and costs of any professional assistance 
needed by the small entity to meet regulatory requirements.
    We have concluded, based on the above-mentioned criteria and past 
legislative experience, that these rules would not have a significant 
effect. For purposes of the RFA, States and individuals are not 
considered small entities. Therefore, we believe these final rules 
would not pose a major burden on other entities.
    In addition, section 1102(b) of the Act requires the Secretary to 
prepare a regulatory impact analysis if this rule has a significant 
impact on the operations of a substantial number of small rural 
hospitals. That analysis must conform to the provisions of section 603 
of the RFA. For purposes of section 1102(b) of the Act, we consider a 
small rural hospital as a hospital is located outside of a Metropolitan 
Statistical Area and has fewer than 50 beds.
    The provisions of this rule conform the regulations to the 
legislative provisions of the Computer Matching and Privacy Protection 
Act of 1988 as amended by the Computer Matching and Privacy Protection 
Amendments of 1990.
    We have determined, and the Secretary certifies, that these final 
regulations will not have a significant economic impact on a 
substantial number of small entities and will not have a significant 
impact on the operations of a substantial number of small rural 
hospitals. Therefore, we have not prepared a regulatory flexibility 
analysis or an analysis of effects on small rural hospitals.

VI. Paperwork Reduction Act

    Sections 435.945(f)(7), 435.952, and 435.955 of this final rule 
contain information collection requirements that are subject to the 
Office of Management and Budget (OMB) approval under the Paperwork 
Reduction Act of 1980 (44 U.S.C. 3504, et seq.). Section 435.945(f) 
requires an agency to execute an agreement with other agencies before 
releasing data to or requesting data from other agencies. Reporting 
burden for Sec. 435.945(f) is estimated to be 4\1/2\ hours per 
agreement. The information collection requirements contained in 
Secs. 435.952 and 435.955 are currently approved under OMB approval 
number 0938-0467.

List of Subjects in 2 CFR Part 435

    Aid to Families with Dependent Children, Grant programs-health, 
Medicaid, Reporting and recordkeeping requirements, Supplemental 
Security Income (SSI), Wages.

    42 CFR Part 435 is amended as follows:

PART 435--ELIGIBILITY IN THE STATES, DISTRICT OF COLUMBIA, THE 
NORTHERN MARIANA ISLANDS, AND AMERICAN SAMOA

    1. The authority citation for part 435 continues to read as 
follows:

    Authority: Sec. 1102 of the Social Security Act (42 U.S.C. 
1302).

    2. In Sec. 435.945, the introductory text of paragraph (f) is 
republished, paragraph (f)(6) is revised, and a new paragraph (f)(7) is 
added to read as follows:


Sec. 435.945  General requirements.

 * * * * *
    (f) The agency must execute written agreements with other agencies 
before releasing data to or requesting data from those agencies. The 
agreements, at a minimum, must specify:
 * * * * *
    (6) In the case of an agreement between a SWICA or a UC agency and 
the Medicaid agency, that the Medicaid agency will obtain information 
on applicants at least twice monthly; and
    (7) In the case of an agreement between any Federal agency and the 
Medicaid agency for data on individuals, provisions relating to--
    (i) Purpose and legal authority;
    (ii) Justification and expected results;
    (iii) Records description (including specific identification of the 
system of records, the number of records, what data elements will be 
included in the match, and projected starting and completion dates);
    (iv) Notice procedures;
    (v) Verification procedures;
    (vi) Disposition of matched items;
    (vii) Security procedures;
    (viii) Records usage, duplication and redisclosure restrictions;
    (ix) Records accuracy assessments; and
    (x) Access by the Comptroller General.
 * * * * *
    3. Section 435.952 is amended by revising paragraph (a) to read as 
follows:


Sec. 435.952  Use of information.

    (a) Except as provided under Sec. 435.953, the agency must review 
and compare against the case file all information received under 
Secs. 435.940 through 435.960 to determine whether it affects the 
applicant's or recipient's eligibility or amount of medical assistance 
payment. The agency also must independently verify the information if 
required by Sec. 435.955 or if determined appropriate by agency 
experience.
 * * * * *
    4. Section 435.955 is revised to read as follows:


Sec. 435.955  Additional requirements regarding information released by 
a Federal agency.

    (a) Unless waived under paragraph (d) of this section, based on 
information received from a computerized data match in which 
information on an individual is provided to the agency by a Federal 
agency, the agency may not terminate, deny, suspend, or reduce medical 
assistance to that individual until it has taken appropriate steps to 
verify the information independently. The agency must independently 
verify information relating to--
    (1) The amount of the income and resource that generated the income 
involved;
    (2) Whether the applicant or recipient actually has (or had) access 
to the resource or income (or both) for his or her own use;
    (3) The period or periods when the individual actually has (or had) 
access to the resource or income or both.
    (b) The agency must verify the information by either
    (1) Requesting the entity from which the information originally 
came to verify the fact and amount of income or resource; or
    (2) Sending the applicant or recipient a letter informing that 
individual of the information received and asking him or her to respond 
within a specified period. The letter must clearly explain the 
information the agency has and its possible relevance to the 
individual's past or future eligibility, and be as neutral in tone as 
possible.
    (c) (1) If the original source of the income or resource or the 
applicant or recipient verifies the information, and the agency intends 
to reduce, suspend, terminate or deny medical assistance based on the 
information, the agency must send the applicant or recipient a notice 
of the action to be taken and include information on the right to 
appeal and opportunity for a hearing under Secs. 431.200 through 
431.246 of this chapter (see also Sec. 435.912 and Sec. 435.919).
    (2) If the applicant or recipient fails to respond after reasonable 
attempts to contact him or her, the agency must proceed to deny, 
terminate, reduce or suspend medical assistance based on the 
applicant's or recipient's failure to cooperate.
    (3) If the applicant or recipient disputes the information, the 
agency must obtain evidence (from the source of the data, applicant, 
recipient, or otherwise) to substantiate any negative case action it 
may take.
    (d) The independent verification requirement concerning a category 
of data received from a Federal benefit agency may be waived if the 
Federal agency's Data Integrity Board approves the waiver. The Federal 
benefit agency involved in the data exchange will develop the request 
by petitioning its Data Integrity Board for a waiver of independent 
verification by a Medicaid State agency. The State agency must furnish 
the Federal agency with any information it needs to seek the Data 
Integrity Board's approval of the waiver.
    (e) In accordance with the Federal agency's procedures, the agency 
must provide data on the costs and benefits of the matching program to 
the Federal agency from which it receives information on individuals.
    (f) In accordance with the Federal agency's procedures, the agency 
must certify to the Federal agency that it will not take adverse action 
against an individual until the information has been independently 
verified and until 10 days (or sooner if permitted by Sec. 431.213 or 
Sec. 431.214) after the individual has been notified of the findings 
and given an opportunity to contest.
    (g) In accordance with the Federal agency's procedures for renewals 
of matching programs, the agency must certify to the Federal agency 
that the terms of the agreement have been followed.


(Catalog of Federal Domestic Assistance Program No. 93.778, Medical 
Assistance Program)

    Dated: September 24, 1993.
Bruce C. Vladeck,
Administrator, Health Care Financing Administration.
    Dated: December 10, 1993.
Donna E. Shalala,
Secretary.
[FR Doc. 94-1979 Filed 1-28-94; 8:45 am]
BILLING CODE 4120-01-P