[Federal Register Volume 59, Number 78 (Friday, April 22, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-9804]




-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Health Care Financing Administration

 

Privacy Act of 1974; System of Records

AGENCY: Department of Health and Human Services (HHS), Health Care 
Financing Administration (HCFA).

ACTION: Notice of proposed expansion of system purpose and new routine 
uses for existing system of records.

-----------------------------------------------------------------------

SUMMARY: HCFA proposes revising the system notice for the "National 
Claims History (NCH)," System No. 09-70-0005, by expanding the purpose 
of the system to enable HCFA to assist in a variety of health care 
initiatives with other entities, in addition to studying the Medicare 
program, and by adding three new routine uses (numbers 13, 14, and 15) 
for the release of data without the individuals' consent.
    The first new routine use would permit release of data to other 
Federal agencies. This routine use has two purposes. First, disclosure 
would be permitted to another Federal agency to enhance the accuracy of 
Medicare's payment of health benefits.
    Second, disclosure would be permitted when necessary to enable 
another Federal agency to fulfill a statute or regulation. HCFA has 
recently received several requests from other Federal agencies (e.g., 
the Department of Veterans Affairs and the Department of Defense) 
asking for help in coordinating benefits or fulfilling statutes or 
regulations that involve Medicare enrollees. To fulfill these requests 
would require release of data from the NCH system. A primary purpose of 
the Medicare program, for which this system of records was established, 
is to assure high quality and effective health care to Medicare 
beneficiaries. We believe that this purpose can be better accomplished 
through coordination of beneficiary data between and among Federal 
agencies. This routine use allows release of data from the NCH system 
to other Federal agencies for two purposes: (1) to contribute to the 
accuracy of HCFA's proper payment of Medicare health benefits, and/or 
(2) to enable such agency to administer a Federal health benefits 
program, or as necessary to enable such agency to fulfill a requirement 
of a Federal statute or regulation.
    The second new routine use permits release of paid Medicare claims 
data from the NCH system to States to support administration of health 
care programs when disclosure is necessary to enable a State to fulfill 
a mandated statute or regulatory requirement. An example of this type 
of release is the current release of data from HCFA's Common Working 
File (CWF) system (source of the NCH system), No. 09-70-0526, for the 
administration of State Medicaid programs. Logistically, however, it 
would often be preferable to obtain these claims data from the NCH.
    The third new routine use would permit release of NCH records to 
Peer Review Organizations (PROs) in order to allow a PRO to perform 
Title XI functions relating to improving beneficiary quality of care.

EFFECTIVE DATES: HCFA filed an altered system report with the Chairman 
of the Committee on Government Operations of the House of 
Representatives, the Chairman of the Committee on Governmental Affairs 
of the Senate, and the Administrator, Office of Information and 
Regulatory Affairs, Office of Management and Budget (OMB), on April 22, 
1994. To ensure all parties have adequate time in which to comment, the 
revised system of records, including routine uses, will become 
effective 40 days from the publication of this notice or from the date 
submitted to OMB and the Congress, whichever is later, unless HCFA 
receives comments which require alterations to this notice.

ADDRESSES: The public should address comments to Mr. Richard A. DeMeo, 
HCFA Privacy Act Officer, Office of Beneficiary Services, Office of 
Customer Relations and Communications, HCFA, room 2-H-4, East Low Rise 
Building, 6325 Security Boulevard, Baltimore, Maryland 21207-5187. 
Comments received will be available at this location.

FOR FURTHER INFORMATION CONTACT:
Mr. Frank Kirby, Director, Data Release Policy Staff, Office of 
Statistics and Data Management, Bureau of Data Management and Strategy, 
HCFA, room 3-A-12, Security Office Park Building, 6325 Security 
Boulevard, Baltimore, Maryland 21207-5187, Telephone (410) 597-5400.

SUPPLEMENTARY INFORMATION: We are publishing this notice to inform the 
public of our intent to expand the purpose to include the 
administration of health care programs as well as the study of the 
Medicare program, and add three new routine uses for release of data 
from the NCH. The first routine use will permit coordination of 
benefits and/or accomplishment of Federal statutory or regulatory 
requirements by Federal agencies. The first routine use will be 
numbered (13) and will read as follows:

    (13) To another Federal agency; (1) To contribute to the accuracy 
of HCFA's proper payment of Medicare health benefits, and/or (2) to 
enable such agency to administer a Federal health benefits program, or 
as necessary to enable such agency to fulfill a requirement of a 
Federal statute or regulation, if HCFA:
    (a) Determines that the use or disclosure does not violate legal 
limitations under which the data were provided, collected, or obtained;
    (b) Determines that the purpose for which the disclosure is to be 
made cannot reasonably be accomplished unless the data are provided in 
individually identifiable form;
    (c) Requires the recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use on another project under the same conditions, and with 
written authorization from HCFA; and
    (c) When required by law;
    (3) Secure a written statement attesting to the recipient's 
understanding of, and willingness to abide by the following provisions:
    (a) Not to use the data for purposes that are not related to the 
subject project;
    (b) Not to publish or otherwise disclose the data in a form raising 
unacceptable possibilities that beneficiaries could be identified 
(i.e., the data must not be beneficiary-specific and must be aggregated 
to a level where no data cells have 10 or fewer beneficiaries); and
    (c) Not to publish any aggregation of the data without HCFA's 
approval.
    The second new routine use allows for release of paid Medicare 
claims data from the NCH system to States to support administration of 
health care programs when disclosure is necessary to enable a State to 
fulfill a mandated statute or regulatory requirement. It will be 
numbered (14) and will read as follows:
    (14) To States for the purposes of administration of health care 
programs when disclosure is necessary to enable the State to fulfill a 
mandated statute or regulatory requirement. These data may be released 
for this purpose, if HCFA:
    (a) Determines that the use or disclosure does not violate legal 
limitations under which the data were provided, collected, or obtained;
    (b) Establishes that the data are exempt from disclosure under the 
State and/or local Freedom of Information Act;
    (c) Determines that the purposes for which the disclosure is to be 
made:
    (1) Cannot reasonably be accomplished unless the data are provided 
in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individuals that additional exposure of the 
record might bring; and
    (3) There is a reasonable probability that the objective for the 
use would be accomplished; and
    (d) Requires the recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the request, unless the 
recipient presents an adequate justification for retaining such 
information;
    (3) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use on another project under the same conditions, and with 
written authorization of HCFA;
    (c) For disclosure to a properly identified person for the purpose 
of an audit related to the project, if information that would enable 
project subjects to be identified is removed or destroyed at the 
earliest opportunity consistent with the purpose of the audit; or
    (d) When required by law; and
    (4) Secure a written statement attesting to the recipient's 
understanding of and willingness to abide by these provisions. The 
recipient must agree to the following:
    (a) Not to use the data for purposes that are not related to the 
subject project;
    (b) Not to publish or otherwise disclose the data in a form raising 
unacceptable possibilities that beneficiaries could be identified 
(i.e., the data must not be beneficiary-specific and must be aggregated 
to a level where no data cells have 10 or fewer beneficiaries); and
    (c) Not to publish any aggregation of the data without HCFA's 
approval.
    The third new routine use would permit release of NCH records to 
Peer Review Organizations (PROs) in order to allow a PRO to perform 
Title XI functions relating to improving beneficiary quality of care. 
It will be numbered (15) and will read as follows:
    (15) To a Peer Review Organization (PRO) in order to assist the PRO 
to perform Title XI functions relating to improving beneficiary quality 
of care. Data may be released for this purpose if HCFA:
    (a) Determines that the use or disclosure does not violate legal 
limitations under which the data were provided, collected, or obtained;
    (b) Requires the PRO to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use on another project under the same conditions, and with 
written authorization from HCFA; and
    (c) When required by law; or when otherwise permitted by Federal 
law.
    (3) Complete and sign a written statement attesting to the PRO's 
understanding of and willingness to abide by the provisions therein. 
This written statement must:
    (a) Specify the conditions for maintenance and redisclosure of such 
information;
    (1) To the extent that may be necessary to conduct a PRO function, 
e.g., a case quality review project or study;
    (2) In accordance with a project-specific data release agreement; 
and
    (b) Not to use the data for purposes that are not related to the 
subject project.
    These proposed new routine uses for the "National Claims History 
(NCH)" are consistent with the relevant provisions of the Privacy Act, 
namely, 5 U.S.C. 552a(a)(7), 552a(b)(3), and 552a(e)(4)(D). Legal 
authority to release these data under these routine uses and other 
previously published is the Privacy Act (5 U.S.C. section 552a), 
section 1106(a) of the Social Security Act (42 U.S.C. 1306(a)), and 42 
CFR part 401, subpart B. Because these proposed changes will change the 
purpose for which the information is collected or otherwise 
significantly alter the system, we are preparing a report of altered 
system of records under 5 U.S.C. 552a(r). We are publishing the notice 
in its entirety below for the convenience of the reader.

    Dated: April 15, 1994.
Bruce C. Vladeck,
Administrator, Health Care Financing Administration.
09-70-0005
    National Claims History (NCH), HHS/HCFA/BDMS.
    None.
    HCFA Data Center, Lyon Building, 7131 Rutherford Road, Baltimore, 
Maryland 21207-5187.
    Persons enrolled in hospital insurance or supplementary medical 
benefits parts of the Medicare program and their referring and 
servicing physicians.
    Bill data, demographic and identifying data on the beneficiary; 
diagnosis and procedural codes; provider characteristics and 
identifying number (including physicians).
    Section 1874(a) and section 1875 of the Social Security Act (42 
U.S.C. 1395ll).
    To assist in a variety of health care initiatives with other 
entities, and to study the operation and effectiveness of the Medicare 
program.
    Disclosure may be made:
    (1) To a congressional office from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of that individual.
    (2) To the Bureau of Census for use in processing research and 
statistical data directly related to the administration of Agency 
programs.
    (3) To the Department of Justice, to a court or other tribunal, or 
to another party before such tribunal, when:
    (a) HHS, or any component thereof; or
    (b) Any HHS employee in his or her official capacity; or
    (c) Any HHS employee in his or her individual capacity where the 
Department of Justice (or HHS, where it is authorized to do so) has 
agreed to represent the employee; or
    (d) The United States or any agency thereof where HHS determines 
that the litigation is likely to affect HHS or any of its components;

is party to litigation or has an interest to such litigation, and HHS 
determines that the use of such records by the Department of Justice, 
the tribunal, or the other party is relevant and necessary to the 
litigation and would help in the effective representation of the 
governmental party, provided, however, that in each case HHS determines 
that such disclosure is compatible with the purpose for which the 
records were collected.
    (4) To an individual or organization for a research, evaluation, or 
epidemiological project related to the prevention of disease or 
disability, or the restoration or maintenance of health if HCFA:
    (a) Determines that the use or disclosure does not violate legal 
limitation under which the record was provided, collected, or obtained;
    (b) Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individual that additional exposure of the record 
might bring; and
    (3) There is reasonable probability that the objective for the use 
would be accomplished;
    (c) Requires the information recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project unless the 
recipient presents an adequate justification of a research or health 
nature for retaining such information; and
    (3) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use in another research project, under these same 
conditions, and with written authorization of HCFA;
    (c) For disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit; or
    (d) When required by law.
    (d) Secures a written statement attesting to the recipient's 
understanding and willingness to abide by the provisions.
    (5) To entities with a legitimate need for data for statistical 
analyses bearing on Medicare payment policies for inpatient hospital 
services. Information disclosed for this purpose will not include a 
beneficiary's health insurance claim number, race, or Medicare status 
code; the beneficiary's age will be identified only to the extent of 
stating whether he or she resides in the same State as the provider; 
the admission and discharge dates will be identified only by calendar 
quarter; and the date of surgery will be identified only as the number 
of days after admission. Each of the Medicare Provider Analysis and 
Review (MEDPAR) files--short-stay hospital services file, long-term 
hospital services, skilled nursing facility services file, and other 
provider services files--will be modified in accordance with the 
foregoing provision for release. The entity must agree:
    (a) Not to try to identify individual beneficiaries;
    (b) Not to disclose raw data to any persons except contractors for 
data processing and storage (and it must agree to require any such 
contractor not to release any data and not to retain any data after 
performing the contract);
    (c) Not to link this information to other beneficiary-specific 
records;
    (d) Not to publish or otherwise disclose data in a form raising 
unacceptable possibilities that beneficiaries could be identified; and
    (e) To safeguard the confidentiality of the data and to try to 
prevent unauthorized access to it.
    (6) To a contractor for the purpose of collating, analyzing, 
aggregating, or otherwise refining or processing records in this system 
or for developing, modifying, and/or manipulating automated data 
processing (ADP) software. Data would also be disclosed to contractors 
incidental to consultation, programming, operation, user assistance, or 
maintenance for ADP or telecommunications systems containing or 
supporting records in the system.
    (7) With respect to the quality of care (QC) MEDPAR file, to 
entities with a legitimate need for data for the purpose of conducting 
research or evaluation on the quality and effectiveness of care 
provided in hospitals. Research or evaluation under this routine use 
must focus on the improvement of health care or measures for 
determining, validating, and monitoring the quality and effectiveness 
of hospital care in such areas as access to care, outcomes of care, and 
effectiveness of care in improving, restoring, or maintaining the 
independence and functioning of Medicare beneficiaries. Information 
disclosed under this routine use will be limited to the data elements 
described in appendix A.
    The QC MEDPAR file may be released to an entity if HCFA determines:
    a. That the use or disclosure does not violate legal limitations 
under which the data were provided, collected, or obtained.
    b. That the purpose for which the disclosure is to be made:
    (1) Cannot reasonably be accomplished unless the data are provided 
in the detailed form described in appendix A;
    (2) Is reasonably likely to be accomplished in view of the 
capabilities of the requesting entity and other factors; and
    (3) Is of sufficient importance to warrant the possible effect on 
the privacy of the individual that the disclosure of the data might 
bring.
    c. In order for HCFA to determine that the requirements in section 
7.b. are met, the entity must submit and HCFA must approve:
    (1) A research or evaluation plan specifying the objectives of the 
research or evaluation, the manner in which the data will be used, the 
financial support for the plan, and the date the research or evaluation 
will be completed. Evaluation plans designed to assist specific 
providers must be supported by letters of commitment to the evaluation 
by the providers. Values or differences in values that would trigger 
provider action must be addressed in the evaluation plan as well as the 
action the provider intends to take; and
    (2) A copy of any report by a panel of recognized experts reviewing 
the research or evaluation plan (when such review has been performed).
    d. The entity and its contractors, if any, must sign a statement 
acknowledging that section 1106(a) of the Social Security Act, which 
prohibits the disclosure of confidential information and imposes 
criminal penalties, may apply. They must also agree to the following:
    (1) Not to link the data to other beneficiary-specific records nor 
to use the data to identify individual beneficiaries;
    (2) Not to use the data for purposes that are not related to HCFA-
approved research or evaluation of the quality and effectiveness of 
hospital inpatient care. Prohibited uses include but are not limited 
to: Marketing, (for example, identification and targeting of under- or 
over-served health service markets primarily for the purposes of 
commercial benefit), insurance (for example, redlining areas deemed to 
offer bad health insurance or underwriting risks), and adverse 
selection (for example, identifying patients with high risk diagnoses). 
The data must not be made available by the entity or its contractor for 
an activity not approved by HCFA, even if carried on within the entity 
or its contractor;
    (3) Not to disclose the data to any persons or organizations unless 
the data are in aggregated form as described in paragraph 5. The data 
may be disclosed to a contractor for data processing if:
    (a) The entity has specified in the research plan submitted to HCFA 
that the contractor would receive the data for that purpose, or the 
entity has obtained written authorization from HCFA to make the 
disclosure to the contractor, and
    (b) The contractor has signed a confidentiality statement with 
HCFA.
    (4) Not to publish or otherwise disclose the data in a form raising 
unacceptable possibilities that beneficiaries could be identified 
(i.e., the data must not be beneficiary-specific and must be aggregated 
to a level where no data cells have 10 or fewer beneficiaries);
    (5) To submit a copy of its plans for any aggregation of the data 
intended for publication to HCFA for approval prior to publication;
    (6) To establish appropriate administrative, technical, procedural, 
and physical safeguards to protect the confidentiality of the data and 
to prevent unauthorized access to it;
    (7) To return all files to HCFA, and destroy any copies that may 
have been made, at the completion of the research or evaluation plan.
    (8) To an agency of a State government, or established by State 
law, for purposes of determining, evaluating, and/or assessing cost, 
effectiveness, and/or the quality of health care services provided in 
the State, if HCFA:
    (a) Determines that the use or disclosure does not violate legal 
limitations under which the data were provided, collected, or obtained;
    (b) Establishes that the data are exempt from disclosure under the 
State and/or local Freedom of Information Act;
    (c) Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot reasonably be accomplished unless the data are provided 
in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individuals that additional exposure of the 
record might bring; and
    (3) There is a reasonable probability that the objective for the 
use would be accomplished; and
    (d) Requires the recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the request, unless the 
recipient presents an adequate justification for retaining such 
information;
    (3) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use on another project under the same conditions, and with 
written authorization of HCFA;
    (c) For disclosure to a properly identified person for the purpose 
of an audit related to the project, if information that would enable 
project subjects to be identified is removed or destroyed at the 
earliest opportunity consistent with the purpose of the audit; or
    (d) When required by law; and
    (4) Secure a written statement attesting to the recipient's 
understanding of and willingness to abide by these provisions. The 
recipient must agree to the following:
    (a) Not to use the data for purposes that are not related to the 
evaluation of cost, quality, and effectiveness of care;
    (b) Not to publish or otherwise disclose the data in a form raising 
unacceptable possibilities that beneficiaries could be identified 
(i.e., the data must not be beneficiary-specific and must be aggregated 
to a level where no data cells have 10 or fewer beneficiaries); and
    (c) To submit a copy of any aggregation of the data intended for 
publication to HCFA for approval prior to publication.
    (9) With respect to the Medicare mortality information file derived 
from the MEDPAR file and other files available to HCFA, to individual 
hospitals that have previously supplied to HCFA the patient-
identifiable data included on the file. Release of these data to the 
hospital would include mortality predictors which have been 
statistically derived by HCFA from data provided by the hospital, 
national data, and the number of previous hospitalizations in all 
hospitals. Certain conditions must be met before the data are released:
    (a) The data may include information only on patients that the 
requesting hospital has previously supplied plus the mortality 
predictors;
    (b) The hospital administrator must make a specific request for 
these data in writing. This request must be on hospital letterhead, 
must associate the need for these data with the hospital's quality of 
care activities, and must indicate that the hospital will continue to 
maintain the confidentiality of the data;
    (c) A standard fee must be paid, as determined by HCFA, for these 
data prior to their release to the hospital.
    (10) To the Railroad Retirement Board for administering provisions 
of both the Railroad Retirement and Social Security Acts relating to 
railroad employment and/or to the administration of the Medicare 
program.
    (11) To insurance companies, self-insurers, Health Maintenance 
Organizations (HMOs), multiple employer trusts, and other groups 
providing protection against medical expenses of their enrollees 
without the beneficiary's authorization.
    Information to be disclosed shall be limited to Medicare 
entitlement, utilization, and payment data. In order to receive this 
information the entity must agree to the following conditions:
    a. To certify that the individual about whom the information is 
being provided is one of its insureds;
    b. To utilize the information solely for the purpose of processing 
the identified individual's insurance claims; and
    c. To safeguard the confidentiality of the data and to prevent 
unauthorized access to it.
    (12) To insurers, underwriters, third party administrators (TPAs), 
self-insurers, group health plans, employers, HMOs, health and welfare 
benefit funds, Federal agencies, a State or local government or 
political subdivision of either (when the organization has assumed the 
role of an insurer, underwriter, or TPA, or in the case of a State that 
assumes the liabilities of an insolvent insurer, through a State 
created insolvent insurer pool or fund), multiple employer trusts, no-
fault, medical, automobile insurers, workers' compensation carriers or 
plans, liability insurers, and other groups providing protection 
against medical expenses who are primary payers to Medicare in 
accordance with 42 U.S.C. 1395y(b), or any entity having knowledge of 
the occurrence of any event affecting (A) an individual's right to any 
such benefit or payment, or (B) the initial or continued right to any 
such benefit or payment (for example, a State Medicaid agency, State 
Workers' Compensation Board, or Department of Motor Vehicles) for the 
purpose of coordination of benefits with the Medicare program and 
implementation of the Medicare Secondary Payer (MSP) provision at 42 
U.S.C. 1395y(b). The information HCFA may disclose will be:

     Beneficiary Name
     Beneficiary Address
     Beneficiary Health Insurance Claim Number
     Beneficiary Social Security Number
     Beneficiary Sex
     Beneficiary Date of Birth
     Amount of Medicare Conditional Payment
     Provider Name and Number
     Physician Name and Number
     Supplier Name and Number
     Dates of Service
     Nature of Service
     Diagnosis

    To administer the MSP provision at 42 U.S.C. 1395y(b)(1) more 
effectively, HCFA would receive from and may disclose to insurers, 
underwriters, TPAs, self-insureds, etc., the following types of 
information (to the extent that it is available):

     Subscriber Name and Address
     Subscriber Date of Birth
     Subscriber Social Security Number
     Dependent Name
     Dependent Date of Birth
     Dependent Social Security Number
     Dependent Relationship to Subscriber
     Insurer/Underwriter/TPA Name and Address
     Insurer/Underwriter/TPA Group Number
     Insurer/Underwriter/TPA Group Name
     Policy Number
     Effective Date of Coverage
     Employer Name, Employer Identification Number (EIN) and 
Address
     Employment Status
     Amounts of Payment

    To administer the MSP provision at 42 U.S.C. 1395y(b)(2) more 
effectively for entities such as workers' compensation carriers or 
boards, liability insurers, no-fault and automobile medical policies or 
plans, HCFA would receive (to the extent that it is available) and may 
disclose the following information:

     Beneficiary's Name and Address
     Beneficiary's Date of Birth
     Beneficiary's Social Security Number
     Name of Insured*
     Insurer Name and Address
     Type of Coverage; automobile, medical, no-fault, or 
liability payment, or workers' compensation settlement
     Insured's Policy Number
     Effective Date of Coverage
     Amount of payment under liability, no-fault, or automobile 
medical policies, plans, and workers' compensation settlements
     Employer Name and Address (workers' compensation only)
     *Name of insured could be the driver of the car, a 
business, the beneficiary (i.e., the name of the individual or entity 
which carries the insurance policy or plan).
    In order to receive this information the entity must agree to the 
following conditions:
    a. To utilize the information solely for the purpose of 
coordination of benefits with the Medicare program in accordance with 
42 U.S.C. 1395y(b);
    b. To safeguard the confidentiality of the data and to prevent 
unauthorized access to it;
    c. To prohibit the use of beneficiary-specific data for purposes 
other than for the coordination of benefits between the recipient 
organization and the Medicare program. This agreement would allow the 
entities to use the information to determine cases where they have 
primary responsibility for payment or cases where Medicare has primary 
responsibility for payment. Examples of prohibited uses would include 
but are not limited to: Creation of a mailing list, sale or transfer of 
data.
    To administer the MSP provision more effectively, HCFA may receive 
or disclose the following types of information from or to entities 
including insurers, underwriters, TPAs, and self-insured plans, 
concerning potentially affected individuals:

     Subscriber Health Insurance Claim Number
     Dependent Name
     Funding arrangements of employer group health plans, for 
example, contributory or noncontributory plan, self-insured, re-
insured, HMO, TPA insurance
     Claims payment information, for example, the amount paid, 
the date of payment, the name of the insurer or payer
     Dates of employment including termination date, if 
appropriate
     Number of full- and/or part-time employees in current and 
preceding calendar years
     Employment status of subscriber; for example, full- or 
part-time, self-employed

    (13) To another Federal agency: (1) to contribute to the accuracy 
of HCFA's proper payment of Medicare health benefits, and/or (2) to 
enable such agency to administer a Federal health benefits program, or 
as necessary to enable such agency to fulfill a requirement of a 
Federal statute or regulation, if HCFA:
    (a) Determines that the use or disclosure does not violate legal 
limitations under which the data were provided, collected, or obtained;
    (b) Determines that the purpose for which the disclosure is to be 
made cannot reasonably be accomplished unless the data are provided in 
individually identifiable form;
    (c) Requires the recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use on another project under the same conditions, and with 
written authorization from HCFA; and
    (c) When required by law;
    (3) Secure a written statement attesting to the recipient's 
understanding of and willingness to abide by the following provisions:
    (a) Not to use the data for purposes that are not related to the 
subject project;
    (b) Not to publish or otherwise disclose the data in a form raising 
unacceptable possibilities that beneficiaries could be identified 
(i.e., the data must not be beneficiary-specific and must be aggregated 
to a level where no data cells have 10 or fewer beneficiaries); and
    (c) Not to publish any aggregation of the data without HCFA's 
approval.
    (14) To States for the purpose of administration of health care 
programs when disclosure is necessary to enable the State to fulfill a 
mandated statute or regulatory requirement. These data may be released 
for these purposes, if HCFA:
    (a) Determines that the use or disclosure does not violate legal 
limitations under which the data were provided, collected, or obtained;
    (b) Establishes that the data are exempt from disclosure under the 
State and/or local Freedom of Information Act;
    (c) Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot reasonably be accomplished unless the data are provided 
in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individuals that additional exposure of the 
record might bring; and
    (3) There is a reasonable probability that the objective for the 
use would be accomplished; and
    (d) Requires the recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the request, unless the 
recipient presents an adequate justification for retaining such 
information;
    (3) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use on another project under the same conditions, and with 
written authorization of HCFA;
    (c) For disclosure to a properly identified person for the purpose 
of an audit related to the project, if information that would enable 
project subjects to be identified is removed or destroyed at the 
earliest opportunity consistent with the purpose of the audit; or
    (d) When required by law; and
    (4) Secure a written statement attesting to the recipient's 
understanding of and willingness to abide by these provisions. The 
recipient must agree to the following:
    (a) Not to use the data for purposes that are not related to the 
subject project;
    (b) Not to publish or otherwise disclose the data in a form raising 
unacceptable possibilities that beneficiaries could be identified 
(i.e., the data must not be beneficiary-specific and must be aggregated 
to a level where no data cells have 10 or fewer beneficiaries); and
    (c) Not to publish any aggregation of the data without HCFA's 
approval.
    (15) To a Peer Review Organization (PRO) in order to assist the PRO 
to perform Title XI functions relating to improving quality of care. 
Data may be released for this purpose if HCFA:
    (a) Determines that the use or disclosure does not violate legal 
limitations under which the data were provided, collected, or obtained;
    (b) Requires the PRO to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use on another project under the same conditions, and with 
written authorization from HCFA; and
    (c) When required by law; or when otherwise permitted by Federal 
law.
    (3) Complete and sign a written statement attesting to the PRO's 
understanding of and willingness to abide by the provisions therein. 
This written statement must:
    (a) Specify the conditions for maintenance and redisclosure of such 
information;
    (1) To the extent that may be necessary to conduct a PRO function; 
e.g., a case quality review project or study;
    (2) In accordance with a project-specific data release agreement; 
and
    (b) Not to use the data for purposes that are not related to the 
subject project.
    All records are stored on magnetic media.
    All records are indexed by health insurance claim number and by 
provider number.
    For computerized records, safeguards established in accordance with 
Department standards and National Institute of Standards and Technology 
guidelines (e.g., security codes) will be used, limiting access to 
authorized personnel. System securities are established in accordance 
with HHS, Information Resource Management (IRM) Circular #10, Automated 
Information Systems Security Program; and HCFA Automated Information 
Systems (AIS) Guide, Systems Security Policies.
    Records are maintained with identifiers as long as needed for 
program research.
    Director, Bureau of Data Management and Strategy, 1-A-11, Security 
Office Park, Baltimore, Maryland 21207-5187.
    For purpose of access, the subject individual should write to the 
system manager and furnish the following information: Name of system; 
health insurance claim number; and for verification purposes, the 
subject individual's name (women's maiden name, if applicable), social 
security number, address, date of birth, and sex; and to ascertain 
whether the individual's record is in the system, the date(s) of 
utilization and the type of utilization under Part A or Part B of 
Medicare services (e.g., home health services, hospital inpatient 
services, hospital outpatient services, or skilled nursing facility 
services).
    Same as notification procedures. Individuals in the system should 
also reasonably specify the record contents being sought. (These access 
procedures are in accordance with the Department regulations (45 CFR 
5b.5).)
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulations (45 CFR 5b.7).)
    Medicare enrollment records; Medicare bill records; Medicare 
provider records for a sample of persons treated as hospital patients 
(inpatient and outpatient) and skilled nursing facility patients.
    None.

[FR Doc. 94-9804 Filed 4-21-94; 8:45 am]
BILLING CODE 4120-03-M