[Federal Register Volume 59, Number 139 (Thursday, July 21, 1994)]
[Unknown Section]
[Page 0]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-17621]


[[Page Unknown]]

[Federal Register: July 21, 1994]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Health Care Financing Administration

 

Privacy Act of 1974; Systems of Records

AGENCY: Department of Health and Human Services (HHS), Health Care 
Financing Administration (HCFA).

ACTION: Notice of proposed new routine use for existing systems of 
records.

-----------------------------------------------------------------------

SUMMARY: HCFA is proposing to revise the system notices for the 
``Carrier Medicare Claims Records'' (CMCR), System No. 09-70-0501, and 
the ``Intermediary Medicare Claims Records'' (IMCR), System No. 09-70-
0503. The Privacy Act permits disclosure of information without the 
prior written consent of an individual for ``routine use'' that is; 
disclosure for purposes compatible with the purpose for which the data 
is collected. HCFA is proposing to revise the CMCR and IMCR by adding a 
new routine use for release of intermediary and carrier maintained 
beneficiary data to servicing Medicare banks and/or provider banks.
    The purpose of this new routine use is to allow fiscal 
intermediaries (FIs) and carriers to send claims payment and 
beneficiary information to providers or their banks either directly, or 
through a Value Added Network (VAN) telecommunications service and for 
provider banks to use this information to perform account management 
activities on behalf of providers. Under this scenario, the electronic 
funds transfer (EFT) and the electronic remittance advice (ERA) flow 
together through the banking system. The consolidation of Medicare 
beneficiary and payment information will reduce paperwork and 
administrative costs.

EFFECTIVE DATES: HCFA filed an altered system report with the Chairman 
of the Committee on Government Operations of the House of 
Representatives, the Chairman of the Committee on Governmental Affairs 
of the Senate, and the Administrator, Office of Information and 
Regulatory Affairs, Office of Management and Budget (OMB), on July 18, 
1994. To ensure all parties have adequate time in which to comment, the 
altered systems of records, including routine uses, will become 
effective 40 days from the publication of this notice or from the date 
submitted to OMB and the Congress, whichever is later, unless HCFA 
receives comments which require alterations to this notice. The 
proposed new routine use shall take effect without further notice 40 
days from the date of publication unless comments received on or before 
that date would warrant changes.

ADDRESSES: Please address comments to Mr. Richard A. DeMeo, HCFA 
Privacy Act Officer, Office of Budgetary Services, Office of Customer 
Relations and Communications, HCFA, Room 2-H-4 East High Rise Building, 
6325 Security Boulevard, Baltimore, Maryland 21207-5187. Comments 
received will be available for inspection at this location.

FOR FURTHER INFORMATION CONTACT:
Joseph Morical, Division of Financial Management, Office of Contracting 
and Financial Management, Bureau of Program Operations, Health Care 
Financing Administration, Room 1-B-4, Meadows East Building, 6325 
Security Boulevard, Baltimore, Maryland 21207-5187. His telephone 
number is (410) 966-7477.

SUPPLEMENTARY INFORMATION: The IMCR and the CMCR exist to assure proper 
health insurance benefit payments to or on behalf of entitled Medicare 
Part A and Part B beneficiaries. The Privacy Act permits disclosure of 
information without the prior written consent of an individual for 
``routine use'' that is; disclosure for purposes compatible with the 
purpose for which the data is collected.
    The IMCR and CMCR systems of records were last published in the 
Federal Register at 55 FR 37549; September 12, 1990. Currently, there 
are 23 routine uses in the IMCR system and 25 in the CMCR system that 
permit disclosure of information to individuals and/or organizations 
for a variety of reasons, the majority of which relate to the timely 
and accurate processing of Medicare claims, payment safeguards 
activities, and research. There are safeguards in place, as described 
in the safeguard section of both systems, to protect the data which 
have been developed in accordance with part 6 of the HHS Information 
Resource Management Manual and the National Institute of Standards and 
Technology Information Process Standards.
    We are proposing to add a new routine use (number (24)/(26)) to the 
Carrier and Intermediary systems of records, for the release of data 
without an individuals' prior written consent. The new routine use 
would permit the release of beneficiary data via ERA to servicing 
Medicare banks and to provider banks. Servicing Medicare banks enter 
into agreements with the Health Care Financing Administration and with 
contracted Medicare claims processors to provide check clearing, 
account maintenance and electronic payment origination services for the 
Medicare program. The proposed routine use allows release of data from 
the IMCR and the CMCR to servicing Medicare banks and/or Medicare 
provider banks for one or more of the following purposes: (1) For 
servicing Medicare banks to transmit ERAs on behalf of Medicare 
contractors to Medicare providers directly or through the banking 
system to either the provider's bank or a VAN; (2) For provider banks 
to receive ERAs from the servicing Medicare banks and to transmit the 
remittance information directly to Medicare providers via mail, 
telefax, or electronic transmission; (3) For provider banks to receive 
ERAs from the originating Medicare banks in order to perform account 
maintenance activities at the request of Medicare providers.
    Transmitting remittance data electronically to providers or their 
banks directly from the servicing Medicare bank, and/or electronically 
transmitting beneficiary and provider data along with payment 
information from the servicing Medicare bank to providers, their banks 
or a VAN service, allows for more efficient payment and reconciliation 
processes for both HCFA and providers. The new routine use number (24), 
for the IMCR, and (26), for the CMCR, will read as follows:
    (24)/(26) Servicing Fiscal Intermediary/Carrier banks, Automated 
Clearing Houses, VANs and provider banks to the extent necessary to 
transfer to providers electronic remittance advices of Medicare 
payments, and with respect to provider banks, to the extent necessary 
to provide account management services to providers using this 
information.
    Technical amendments have been made to routine use number (24)/(26) 
for consistency with the current notices. The IMCR and CMCR systems 
maintain information for the purpose of processing and paying Medicare 
benefits to or on behalf of eligible individuals. The proposed new 
routine use is consistent with the Privacy Act, 5 U.S.C. 552a(a)(7), 
since it is compatible with this purpose. In accordance with OMB 
Guidelines (Circular A-130, 58 FR 36068, 36077 July 2, 1993), this 
addition of a routine use constitutes a significant change in the 
system of records. Accordingly, we have prepared a report of an altered 
system of records under 5 U.S.C. 552a(r). In addition, for the 
convenience of the reader, we are publishing the notice for both 
systems in their entirety below.

    Dated: July 12, 1994.
Bruce C. Vladeck,
Administrator, Health Care Financing Administration.
09-70-0501
    Carrier Medicare Claim Records, HHS/HCFA/BPO.
    None.
    Carriers under contract to the Health Care Financing Administration 
(HCFA) and the Social Security Administration. Direct any inquiries 
regarding carrier locations to HCFA, Bureau of Program Operations, 
Office of Contracting and Financial Management, Division of Acquisition 
and Contracts, Contractor Operations Branch, Meadows East Building, 
Room 332, 6325 Security Boulevard, Baltimore, Maryland 21207-5187.
    Beneficiaries who have submitted claims for Supplementary Medical 
Insurance (Medicare Part B), or individuals whose enrollment in an 
employer group health benefits plan covers the beneficiary.
    Request for Payment: Provider Billing for Patient services by 
Physician; Prepayment Plan for Group Medicare Practice dealing through 
a Carrier, Health Insurance Claim Form, Request for Medical Payment, 
Patient's Request for Medicare Payment, Request for Medicare Payment-
Ambulance, Explanation of Benefits, Summary Payment Voucher, Request 
for Claim Number Verification; Payment Record Transmittal; Statement of 
Person Regarding Medicare Payment for Medical Services Furnished 
Deceased Patient; Report of Prior Period of Entitlement; itemized bills 
and other similar documents from beneficiaries required to support 
payments to beneficiaries and to physicians and other suppliers of Part 
B Medicare services; Medicare secondary payer records containing other 
party liability insurance information necessary for appropriate 
Medicare claim payment.
    Sections 1842, 1862(b) and 1874 of title XVIII of the Social 
Security Act (42 U.S.C. 1395u, 1395y(b) and 1395kk).
    To properly pay medical insurance benefits to or on behalf of 
entitled beneficiaries.
    Disclosure may be made to:
    (1) Claimants, their authorized representative or representative's 
payees to the extent necessary to pursue claims made under Title XVIII 
of the Social Security Act (Medicare).
    (2) Third-party contacts (without the consent of the individuals to 
whom the information pertains) in situations where the party to be 
contacted has, or is expected to have information relating to the 
individual's capability to manage his or her affairs or to his or her 
eligibility for or entitlement to benefits under the Medicare program 
when:
    (a) The individual is unable to provide the information being 
sought (an individual is considered to be unable to provide certain 
types of information when any of the following conditions exist: 
Individual is incapable or of questionable mental capability, cannot 
read or write, cannot afford the cost of obtaining the information, a 
language barrier exists, or the custodian of the information will not, 
as a matter of policy, provide it to the individual), or
    (b) The data are needed to establish the validity of evidence or to 
verify the accuracy of information presented by the individual, and it 
concerns one or more of the following; the individual's eligibility to 
benefits under the Medicare program;: The amount of reimbursement;: Any 
case in which the evidence is being reviewed as a result of suspected 
abuse or fraud, concern for program integrity, or for quality 
appraisal, or evaluation and measurement of system activities.
    (3) Third-party contacts where necessary to establish or verify 
information provided by representative payees or payee applicants.
    (4) The Treasury Department for investigating alleged theft, 
forgery, or unlawful negotiation of Medicare reimbursement checks.
    (5) The U.S. Postal Service for investigating alleged forgery or 
theft of Medicare checks.
    (6) The Department of Justice for investigating and prosecuting 
violations of the Social Security Act to which criminal penalties 
attach, or other criminal statutes as they pertain to the Social 
Security Act programs, for representing the Secretary, and for 
investigating issues of fraud by agency officers or employees, or 
violation of civil rights.
    (7) The Railroad Retirement Board for administering provisions of 
the Railroad Retirement and Social Security Acts relating to railroad 
employment.
    (8) Peer Review Organizations and Quality Review Organizations in 
connection with their review of claims, or in connection with studies 
or other review activities, conducted pursuant to Part B of Title XI of 
the Social Security Act.
    (9) State Licensing Boards for review of unethical practices of 
nonprofessional conduct.
    (10) Providers and suppliers of services (and their authorized 
billing agents) directly or dealing through fiscal intermediaries or 
carriers, for administration of provisions of title XVIII.
    (11) An individual or organization for a research, evaluation or 
epidemiological project related to the prevention of disease or 
disability, or the restoration or maintenance of health if HCFA:
    a. Determines that the use of disclosure does not violate legal 
limitations under which the record was provided, collected, or 
obtained.
    b. Determines that the purpose for which this disclosure is to be 
made:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form.
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individual that additional exposure of the record 
might bring, and
    (3) There is reasonable probability that the objective for the use 
would be accomplished:
    (c) Requires the information recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record, and
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project, unless the 
recipient presents an adequate justification of a research or health 
nature for retaining such information and
    (3) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety or 
any individual.
    (b) For use in another research project, under these same 
conditions, and with written authorization of HCFA.
    (c) For disclosure to a properly identified person for the purpose 
of audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit, or
    (d) When required by law;
    d. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by these 
provisions.
    (12) State welfare departments pursuant to agreements with the 
Department of Health and Human Services for administration of State 
supplementation payments for determinations of eligibility for 
Medicaid, for enrollment of welfare recipients for medical insurance 
under section 1843 of the Social Security Act, for quality control 
studies, for determining eligibility of recipients of assistance under 
titles IV and XIX of the Social Security Act, and for the complete 
administration of the Medicaid program.
    (13) A congressional office from the record of an individual in 
response to an inquiry from the congressional office at the request of 
that individual.
    (14) State audit agencies in connection with the audit of Medicare 
eligibility considerations. Disclosures of physicians' customary charge 
data are made to State audit agencies in order to ascertain the 
corrections of Title XIX charges and payments.
    (15) The Department of Justice to a court or other tribunal, or to 
another party before such tribunal, when:
    (a) HHS, or any component therein; or
    (b) Any HHS employee in his or her official capacity; or
    (c) Any HHS employee in his or her individual capacity where the 
Department of Justice or HHS, (where it is authorized to do so) has 
agreed to represent the employee; or
    (d) The United States or any agency thereof where HHS determines 
that the litigation is likely to affect HHS or any of its components, 
is a party to litigation or has an interest in such litigation, and HHS 
determines that the use of such records by the Department of Justice, 
the tribunal, or the other party is relevant and necessary to the 
litigation and would help in the effective representation of the 
governmental party, provided, however, that in each case, HHS 
determines that such disclosure is compatible with the purpose for 
which the records were collected.
    (16) Peer review groups, consisting of members of State, County, or 
local medical societies or medical care foundations (physicians), 
appointed by the medical societies or foundation at the request of the 
carrier to assist in the resolution of questions of medical necessity, 
utilization of particular procedures or practices, or other utilization 
of services with respect to Medicare claims submitted to the carrier.
    (17) Physicians and other suppliers of services who are attempting 
to validate individual items on which the amounts included in the 
annual Physician-Supplier Payment List or similar publications are 
based.
    (18) Senior citizen volunteers working in intermediaries' and 
carriers' offices to assist Medicare beneficiaries in response to 
beneficiaries' requests for assistance.
    (19) A contractor working with Medicare carriers/intermediaries to 
identify and recover erroneous Medicare payments for which workers' 
compensation programs are liable.
    (20) State and other governmental Workers' Compensation Agencies 
working with the Health Care Financing Administration to assure that 
workers' compensation payments are made where Medicare has erroneously 
paid and workers' compensation programs are liable.
    (21) Insurance companies, self-insurers, Health Maintenance 
Organizations, multiple employer trusts and other groups providing 
protection against medical expenses of their enrollees. Information to 
be disclosed shall be limited to Medicare entitlement data. In order to 
receive the information the entity must agree to the following 
conditions:
    a. To certify that the individual on whom the information is being 
provided is one of its insured;
    b. To utilize the information solely for the purpose of processing 
the identified individual's insurance claims; and
    c. To safeguard the confidentiality of the data and to prevent 
unauthorized access to it.
    (22) To a contractor for the purpose of collating, analyzing, 
aggregating or other wise refining or processing records in this system 
or for developing, modifying and/or manipulating ADP software. Data 
would also be disclosed to contractors incidental to consultation, 
programming, operation, user assistance, or maintenance for ADP or 
telecommunications systems containing or supporting records in the 
system.
    (23) To an agency of a State Government, or established by State 
law, for purposes of determining, evaluating and/or assessing cost, 
effectiveness, and/or the quality of health care services provided in 
the State, if HCFA:
    a. Determines that the use of disclosure does not violate legal 
limitations under which the data were provided, collected or obtained:
    b. Establishes that the data are exempt from disclosure under the 
State and/or local Freedom of Information Act;
    c. Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot reasonably be accomplished unless the data are provided 
in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individuals that additional exposure of the 
record might bring, and;
    (3) There is reasonable probability that the objectives for the use 
would be accomplished; and
    d. Requires the recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the request, unless the 
recipient presents an adequate justification for retaining such 
information;
    (3) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use in another project under the same conditions, and with 
written authorization in HCFA;
    (c) For disclosure to a properly identified person for the purpose 
of an audit related to the project, if information that would enable 
project subjects to be identified is removed or destroyed at the 
earliest opportunity consistent with the purpose of the audit, or
    (d) When required by law; and
    (4) Secure a written statement attesting to the recipient's 
understanding of and willingness to abide by these provisions. The 
recipient must agree to the following:
    (a) Not to use the data for purposes that are not related to the 
evaluation of cost, quality and effectiveness of care;
    (b) Not to publish or otherwise disclose the data in a form raising 
unacceptable possibilities that beneficiaries could be identified 
(i.e., the data must not be beneficiary-specific and must be aggregated 
to a level when no data cells have ten or fewer beneficiaries); and
    (c) To submit a copy of any aggregation of the data intended for 
publication to HCFA for approval prior to publication.
    (24) to insurers, underwriters, third party administrators, self-
insurers, groups health plans, employers, health maintenance 
organizations, health and welfare benefit funds, Federal agencies, a 
State or local government or political subdivision of either (when the 
organization has assumed the role of an insurer, underwriter, or third 
party administrator, or in the case of a State that assumes the 
liabilities of an insolvent insurer, through a State created insolvent 
insurer pool or fund), multiple-employer trusts, no-fault, medical, 
automobile insurers, workers' compensation carriers or plans, liability 
insurers, and other groups providing protection against medical 
expenses who are primary payers to Medicare in accordance with 42 
U.S.C. 1395y(b), or any entity having knowledge of the occurrence of 
any event affecting (A) an individual's right to any such benefit or 
payment, or (B) the initial or continued right to any such benefit or 
payment (for example, a State Medicaid Agency, State Workers' 
Compensation Board, or the Department of Motor Vehicles), for the 
purpose of coordination of benefits with the Medicare program and 
implementation of the Medicare Secondary Payer provisions at 42 U.S.C. 
1395y(b). The information HCFA may disclose will be:
     Beneficiary Name.
     Beneficiary Address.
     Beneficiary Health Insurance Claim Number.
     Beneficiary Social Security Number.
     Beneficiary Sex.
     Beneficiary Date of Birth
     Amount of Medicare Conditional Payment
     Provider name and number
     Physician name and number
     Supplier name and number
     Dates of service
     Nature of Service
     Diagnosis.
    To administer the Medicare Secondary Payer provisions at 42 U.S.C. 
1395y(b)(2), (3), and (4) more effectively, HCFA would receive (to the 
extent that it is available) and may disclose the following types of 
information from insurers, underwriters, third party administrators 
(TPAs), self-insured, etc.:
     Subscriber Name and Address.
     Subscriber Date of Birth.
     Subscriber Social Security Number.
     Dependent Name.
     Dependent Date of Birth.
     Dependent Social Security Number.
     Dependent Relationship to Subscriber.
     Insurer/Underwriter/TPA Name and Address.
     Insurer/Underwriter/TPA Group Number.
     Insurer/Underwriter/TPA Group Name.
     Prescription Drug Coverage.
     Policy Number.
     Effective Date of Coverage.
     Employer Name, Employer Identification Number (EIN) and 
Address.
     Employment Status.
     Amounts of Payment.
    To Administer the Medicare Secondary Payer provision at 42 U.S.C. 
1395y(b)(1) more effectively for entities such as Workers Compensation 
carriers or boards, liability insurers, no-fault and automobile medical 
policies or plans, HCFA would receive (to the extent that it is 
available) and may disclose the following information:
     Beneficiary's Name and Address.
     Beneficiary's Date of Birth.
     Beneficiary's Social Security Number.
     Name of Insured.
     Insurer Name and Address.
     Type of coverage; automobile medical, no-fault, liability 
payment, or workers' compensation settlement.
     Insured's Policy Number.
     Effective Date of Coverage.
     Date of accident, injury or illness.
     Amount of payment under liability, no-fault, or automobile 
medical policies, plans, and workers' compensation settlement.
     Employer Name and Address (Workers' Compensation only).
     Name of insured could be the driver of the car, a 
business, the beneficiary (i.e., the name of the individual or entity 
which carries the insurance policy or plan).
    In order to receive this information the entity must agree to the 
following conditions:
    a. To utilize the information solely for the purpose of 
coordination of benefits with the Medicare program and other third 
party payers in accordance with 42 U.S.C. 1395y(b);
    b. To safeguard the confidentiality of the data and to prevent 
unauthorized access to it;
    c. To prohibit the use of beneficiary-specific data for purposes 
other than for the coordination of benefits among third party payers 
and the Medicare program. This agreement would allow the entities to 
use the information to determine cases where they or other third party 
payers have primary responsibility for payment. Examples of prohibited 
uses would include but are not limited to: Creation of a mailing list, 
sale or transfer of data.

--To administer the MSP provisions more effectively, HCFA may receive 
or disclose the following types of information from or to entities 
including insurers, underwriters, third party administrators (TPAs), 
and self-insured plans, concerning potentially affected individuals:

     Subscriber Health Insurance Claim Number.
     Dependent Name.
     Funding arrangements of employer group health plans, for 
example, contributory or non-contributory plan, self-insured, re-
insured, HMO, TPA insurance.
     Claims payment information, for example, the amount paid, 
the date of payment, the name of the insurer or payer.
     Dates of employment including termination date, if 
appropriate.
     Number of full and/or part-time employees in the current 
and preceding calendar years.
     Employment status of subscriber, for example full or part 
time, self employed.
    (25) To the Internal Revenue Service for the application of tax 
penalties against employers and employee organizations that contribute 
to Employer Group Health Plans or Large Group Health Plans that are not 
in compliance with 42 U.S.C. 1395y(b).
    (26) To servicing Fiscal Intermediary/Carrier banks, Automated 
Clearing Houses, VANs and provider banks to the extent necessary to 
transfer to providers electronic remittance advice of Medicare 
payments, and with respect to provider banks, to the extent necessary 
to provide account management services to providers using this 
information. See ``Supplementary Information.''
    Records maintained on paper and electronic media.
    System is indexed by health insurance claim number. The record is 
prepared by the physician, supplier or other provider with identifying 
information received from the beneficiary to establish eligibility for 
Medicare and document and support payments to physicians, suppliers or 
other providers by the carrier. The claim data are forwarded to the 
Health Care Financing Administration, Bureau of Data Management and 
Strategy, Baltimore, MD, where they are used to update the Central 
Office Records.
    Unauthorized personnel are denied access to the records area. 
Disclosure is limited. Physical safeguards related to the transmission 
and reception of data between Rockville and Baltimore are those 
requirements established in accordance with HHS standards and National 
Institute of Standards and Technology guidelines (e.g., security codes 
will be used, limiting access to authorized personnel). System 
securities are established in accordance with HHS Information Resource 
Management (IRM) Circular #10, Automated Information Systems Security 
Program, and HCFA's Automated Information Systems (AIS) Guide, Systems 
Security Policies.
    Records are closed at the end of the calendar year in which paid, 
held 2 additional years, transferred to Federal Records Center and 
destroyed after another 2 years.
    Health Care Financing Administration, Director, Bureau of Program 
Operations, 6325 Security Boulevard, Baltimore, MD 21207.
    Inquiries and requests for system records should be addressed to 
the most convenient social security office, the appropriate carrier, 
the HCFA Regional Office, or to the system manager named above. The 
individual should furnish his or her health insurance claim number and 
the name as shown on social security records. An individual who 
requests notification of or access to a medical record shall, at the 
time the request is made, designate in writing a responsible 
representative who will be willing to review the record and inform the 
subject individual of its contents at the representative's discretion.
    Same as notification procedures. Requesters should also reasonably 
specify the records contents being sought. These procedures are in 
accordance with Department Regulations, 45 CFR 5b.5(a)(2).
    Contact the official at the address specified under notification 
procedures above, and reasonably identify the record and specify the 
information to be contested. State the corrective action sought and the 
reasons for the correction with supporting justification. These 
procedures are in accordance with Department regulations, 45 CFR 5b.7.
    The data contained in these records is either furnished by the 
individual or, in the case of some Medicare secondary payer situations, 
through third party contacts. In most cases, the identifying 
information is provided to the physician by the individual. The 
physician then adds the medical information and submits the bill to the 
carrier for payment.
    None.
09-70-0503
    Intermediary Medicare Claims Records, HHS/HCFA/BPO
    None.
    Intermediaries under contract to the Health Care Financing 
Administration and the Social Security Administration. Direct inquiries 
for intermediary locations to: HCFA, Bureau of Program Operations, 
Office of Contracting and Financial Management, Division of Acquisition 
and Contracts, Contractor Operations Branch, Meadows East Building, 
Room 332, 6325 Security Boulevard, Baltimore, Maryland 21207-5187.
    Beneficiaries on whose behalf providers have submitted claims for 
reimbursement on a reasonable cost basis under Medicare parts A and B, 
or are eligible for Medicare, or individuals whose enrollment in an 
employer group health benefits plan covers the beneficiary under 
Medicare.
    Billing for Medical and Other Health Services: Uniform bill for 
provider services or equivalent data in electronic format, and Medicare 
Secondary Payer records containing other third party liability 
insurance information necessary for appropriate Medicare claims payment 
and other documents used to support payments to beneficiaries and 
providers of services. These forms contain the beneficiary's name, sex, 
health insurance claim number, address, date of birth, medical record 
number, prior stay information, provider name and address, physician's 
name and/or identification number, warranty information when pacemakers 
are implanted or explanted, date of admission and discharge, other 
health insurance, diagnosis, surgical procedures, a statement of 
services rendered for related charges and other data needed to 
substantiate claims.
    The following elements are outpatient data provided to Medicare 
intermediaries by rehabilitation agencies, skilled nursing facilities, 
hospital outpatient departments, home intravenous drug providers and 
home health agencies that provide physical therapy in addition to home 
health services:
     Outpatient's name.
     HI number.
     Admission data to provider.
     Place treatment rendered.
     Number of visits since start of care.
     Diagnosis.
     Diagnosis requiring treatment.
     Onset of condition for which treatment is being sought.
     Dates of previous therapy for same diagnosis.
     Other therapy outpatient is currently receiving.
     Observations.
     Precautions and medical equipment.
     Functional status immediately prior to this therapy.
     Types of treatment--modalities.
     Frequency of treatment.
     Expected duration of treatment.
     Rehabilitation potential.
     Level of communication potential.
     Average time per visits.
     Goals.
     Statement of problem at beginning of billing period.
     Changes in problem at end of billing period.
     Signature of therapist.
     Certification and recertification by physician that 
services are to be provided from an established plan of care.
     Tests results.
     Biopsy reports.
     Methods of administration, e.g., pill vs. injection.
     Physician orders.
     Procedure codes.
     Changes.
     Weekly progress notes.
     National Drug Code (NDC).
    Sections 1816, 1862(b) and 1874 of Title XVIII of the Social 
Security Act (42 U.S.C. 1395h, 1395y(b) and 1395kk).
    To process and pay Medicare benefits to or on behalf of eligible 
individuals.
    Disclosure may be made to:
    (1) Claimants, their authorized representatives or representative 
payees to the extent necessary to pursue claims made under title XVIII 
of the Social Security Act (Medicare).
    (2) Third-party contacts, without the consent of the individual to 
whom the information pertains, in situations where the party to be 
contacted has, or is expected to have information relating to the 
individual's capability to manage his or her affairs or to his or her 
eligibility for or entitlement to benefits under the Medicare program 
when:
    (a) The individual is unable to provide the information being 
sought (an individual is considered to be unable to provide certain 
types of information when any of the following conditions exist: 
Individual is incapable or of questionable mental capability, cannot 
read or write, cannot afford the cost of obtaining the information, a 
language barrier exists, or the custodian of the information will not, 
as a matter of policy provide to the individual), or
    (b) The data are needed to establish to validity of evidence or to 
verify the accuracy of information presented by the individual, and it 
concerns one or more of the following: The individual's eligibility to 
benefits under the Medicare program; the amount of reimbursement of any 
case in which the evidence is being reviewed as a result of suspected 
abuse or fraud, concern for program integrity, or for quality 
appraisal, or evaluation and measurement of systems activities.
    (3) Third-party contacts where necessary to establish or verify 
information provided by representative payees or payee applicants.
    (4) The Treasury Department for investigating alleged theft, 
forgery, or unlawful negotiations of Medicare reimbursement checks.
    (5) The U.S. Postal Service for investigating alleged forgery or 
theft of Medicare checks.
    (6) The Department of Justice for investigating and prosecution 
violations of the Social Security Act to which criminal penalties 
attach, or other criminal statutes as they pertain to Social Security 
Act programs, for representing the Secretary, and for investigating 
issues of fraud by agency officers or employees, or violation of civil 
rights.
    (7) The Railroad Retirement Board for administering provisions of 
the Railroad Retirement and Social Security Acts relating to railroad 
employment.
    (8) Peer Review Organizations and Quality Review Organizations in 
connection with their review of claims, or in connection with studies 
or other review activities, conducted pursuant to Part B of Title XI of 
the Social Security Act.
    (9) State Licensing Boards for review of unethical practices or 
nonprofessional conduct.
    (10) Providers and suppliers of services (and their authorized 
billing agents) directly or dealing through fiscal intermediaries or 
carriers, for administration of provisions of title XVIII.
    (11) An individual or organization for a research, evaluation, or 
epidemiological project related to the prevention of disease or 
disability, or maintenance of health if HCFA:
    a. Determines that the use or disclosure does not violate legal 
limitations under which the record was provided, collected, or 
obtained:
    b. Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form.
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individual that additional exposure of the record 
might bring, and
    (3) There is reasonable probability that the objective for the use 
would be accomplished:
    c. Requires the information recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record, and
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project, unless the 
recipient presents an adequate justification of a research or health 
nature for retaining such information, and
    (3) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use in another research project, under these same 
conditions, and with written authorization of HCFA;
    (c) For disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit;
    (d) When required by law.
    d. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by the 
provisions.
    (12) State welfare departments pursuant to agreements with the 
Department of Health and Human Services for administration of State 
supplementation payments for determination of eligibility for Medicaid, 
for enrollment of welfare recipients for medical insurance under 
section 1843 of the Social Security Act for quality control studies, 
for determining eligibility of recipients of assistance under titles IV 
and XIX of the Social Security Act, and for the complete administration 
of the Medicaid program.
    (13) A congressional office from the record of an individual in 
response to an inquiry from the congressional office at the request of 
that individual.
    (14) State audit agencies in connection with the audit of Medicaid 
eligibility considerations.
    (15) The Department of Justice, to a court or other tribunal, or to 
another party before such tribunal, when:
    (a) HHS, or any component thereof; or
    (b) Any HHS employee in his or her official capacity; or
    (c) Any HHS employee in his or her individual capacity where the 
Department of Justice (or HHS, where it is authorized to do so) has 
agreed to represent the employee, or
    (d) The United States or any agency thereof where HHS determines 
that the litigation is likely to affect HHS or any of its components, 
is a party to litigation or has an interest in such litigation, and HHS 
determines that the use of such records by the Department of Justice, 
the tribunal, or the other party is relevant and necessary to the 
litigation and would help in the effective representation of the 
government party, provided, however, that in such case, HHS determines 
that such disclosure is compatible with the purpose for which the 
records were collected.
    (16) Senior citizen volunteers working in the intermediaries' and 
carriers' offices to assist Medicare beneficiaries in response to 
beneficiaries requests for assistance.
    (17) A contractor working with Medicare carriers/intermediaries to 
identify and recover erroneous Medicare payments for which workers' 
compensation programs are liable.
    (18) State and other governmental Workers' Compensation Agencies 
working with the Health Care Financing Administration to assure that 
workers' compensation payments are made where Medicare has erroneously 
paid and workers' compensation programs are liable.
    (19) Insurance companies, self-insurers, Health Maintenance 
Organizations, multiple employer trusts and other groups providing 
protection against medical expenses of their enrollees. Information to 
be disclosed shall be limited to Medicare entitlement data. In order to 
receive this information the entity must agree to the following 
conditions:
    a. To certify that the individual about whom the information is 
being provided is one of its insured:
    b. To utilize the information solely for the purpose of processing 
the identified individual's insurance claims; and
    c. To safeguard the confidentiality of the data and to prevent 
unauthorized access to it.
    (20) To a contractor for the purpose of collating, analyzing, 
aggregating or otherwise refining or processing records in this system 
or for developing, modifying and/or manipulating ADP software. Data 
would also be disclosed to contractors incidental to consultation, 
programming, operation, user assistance, or maintenance for ADP or 
telecommunications systems containing or supporting records in the 
system.
    (21) To any agency of a State Government, or established by State 
law, for purposes of determining, evaluating and/or assessing cost, 
effectiveness, and/or the quality of health care services provided in 
the State, if HCFA:
    a. Determines that the use or disclosure does not violate legal 
limitations under which the data were provided, collected, or obtained;
    b. Establishes that the data are exempt from disclosure under the 
State and/or local Freedom of Information Act;
    c. Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot reasonably be accomplished unless the data are provided 
in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individuals that additional exposure of the 
record might bring; and
    (3) There is reasonable probability that the objective for the use 
would be accomplished; and
    d. Requires the recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record;
    (2) Removed or destroy the information that allows the individual 
to be identified at the earliest time at which removal or destruction 
can be accomplished consistent with the purpose of the request, unless 
the recipient presents an adequate justification for retaining such 
information;
    (3) Make no further use or disclosure of the record except;
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use in another project under the same conditions, and with 
written authorization of HCFA;
    (c) For disclosure to a properly identified person for the purpose 
of an audit related to the project, if information that would enable 
project subjects to be identified is removed or destroyed at the 
earliest opportunity consistent with the purpose of the audits; or
    (d) When required by law; and
    (4) Secure a written statement attesting to the recipient's 
understanding of and willingness to abide by these provisions. The 
recipient must agree to the following:
    (1) Not to use the data for purposes that are not related to the 
evaluation of cost, quality, and effectiveness of care;
    (2) Not to publish or otherwise disclose the data in a form raising 
unacceptable possibilities that beneficiaries could be identified 
(i.e., the data must not be beneficiary-specific and must be aggregated 
to level when no data cells have ten or fewer beneficiaries); and
    (3) To submit a copy of any aggregation of the data intended for 
publication to HCFA for approval prior to publication.
    (22) To insurers, underwriters, third party administrators (TPAs), 
self-insurers, group health plans, employers, health maintenance 
organizations, health and welfare benefit funds. Federal agencies, a 
State or local government or political subdivision of either (when the 
organization has assumed the role of an insurer, underwriter, or third 
party administrator, or in the case of a State that assumes the 
liabilities of an insolvent insurer, through a State created insolvent 
insurers pool or fund), multiple-employer trusts, no-fault, medical, 
automobile insurers, workers' compensation carriers or plans, liability 
insurers, and other groups providing protection against medical 
expenses who are primary payers to Medicare in accordance with 42 
U.S.C. 1395y(b), or any entity having knowledge of the occurrence of 
any event affecting (A) an individual's right to any such benefit or 
payment, Or (B) the initial or continued right to any such benefit or 
payment (for example, a State Medicaid Agency, State Workers' 
Compensation Board, or Department of Motor Vehicles) for the purpose of 
coordination of benefits with the Medicare program and implementation 
of the Medicare Secondary Payer provisions at 42 U.S.C. implementation 
of the Medicare Secondary Payer provisions at 42 U.S.C. 1395y(b). The 
information HCFA may disclose will be:
     Beneficiary Name.
     Beneficiary Address.
     Beneficiary Health Insurance Claim Number.
     Beneficiary Social Security Number.
     Beneficiary Sex.
     Beneficiary Date of Birth.
     Amount of Medicare Conditional Payment.
     Provider Name and Number.
     Physician Name and Number.
     Supplier Name and Number.
     Dates of Service.
     Nature of Service.
     Diagnosis.
    The administer the Medicare Secondary Payer provision at 42 USC 
1395y(b) (2), (3), and (4) more effectively, HCFA would receive (to the 
extent that it is available) and may disclose the following types of 
information from insurers, underwriters, third party administrator, 
self-insurers, etc.:
     Subscriber Name and Address.
     Subscriber Date of Birth.
     Subscriber Social Security Number.
     Dependent Name.
     Dependent Date of Birth.
     Dependent Social Security Number.
     Dependent Relationship to Subscriber.
     Insurer/Underwriter/TPA Name and Address.
     Insurer/Underwriter/TPA Group Number.
     Insurer/Underwriter/Group Name.
     Prescription Drug Coverage.
     Policy Number.
     Effective Date of Coverage.
     Employer Name, Employer Identification Number (EIN) and 
Address.
     Employment Status.
     Amounts of Payment.
    To administer the Medicare Secondary Payer provision at 42 USC 
12395(b)(1) more effectively for entities such as Workers Compensation 
carriers or boards, liability insurers, no-fault and automobile medical 
policies or plans, HCFA would receive (to the extent that it is 
available) and may disclose the following information:
     Beneficiary's Name and Address.
     Beneficiary's Date of Birth.
     Beneficiary's Social Security Number.
     Name of Insured.
     Insurer Name and Address.
     Type of coverage; automobile medical, no-fault, liability 
payment, or workers' compensation settlement.
     Insured's Policy Number.
     Effective Date of Coverage.
     Date of accident, injury or illness.
     Amount of payment under liability, no-fault, or automobile 
medical policies, plans, and workers compensation settlements.
     Employer Name and Address (Workers' Compensation only).
     Name of insured could be the driver of the car, a 
business, the beneficiary (i.e., the name of the individual or entity 
which carries the insurance policy or plan).
    In order to receive this information the entity must agree to the 
following conditions:
    a. To utilize the information solely for the purpose of 
coordination of benefits with the Medicare program and other third 
party payer in accordance with 42 U.S.C. 1395y(b);
    b. To safeguard the confidentiality of the data and to prevent 
unauthorized access to it;
    c. To prohibit the use of beneficiary-specific data for purposes 
other than for the coordination of benefits among third party payers 
and the Medicare program. This agreement would allow the entities to 
use the information to determine cases where they or other third party 
payers have primary responsibility for payment. Examples of prohibited 
uses would include but are not limited to; creation of a mailing list, 
sale or transfer of data.

--To administer the MSP provisions more effectively, HCFA may receive 
or disclose the following types of information from or to entities 
including insurers, underwriters, TPAs, and self-insured plans, 
concerning potentially affected individuals:

     Subscriber Health Insurance Claim Number.
     Dependent Name.
     Funding arrangements of employer group health plans, for 
example, contributory or non-contributory plan, self-insured, re-
insured, HMO, TPA insurance.
     Claims payment information, for example, the amount paid, 
the date of payment, the name of the insurer or payer.
     Dates of employment including termination date, if 
appropriate.
     Number of full and/or part-time employees in the current 
and preceding calendar years.
     Employment status of subscriber, for example full or part 
time, self employed.
    (23) To the Internal Revenue Service for the application of tax 
penalties against employers and employee organizations that contribute 
to Employer Group Health Plans or Large Group Health Plans that are not 
in compliance with 42 U.S.C. 1395y(b).
    (24) To servicing Fiscal Intermediary/Carrier banks, Automated 
Clearing Houses, VANs and provider banks to the extent necessary to 
transfer to providers electronic remittance advice of Medicare 
payments, and with respect to provider banks, to the extent necessary 
to provide account management services to providers using this 
information. See SUPPLEMENTARY INFORMATION.
    Records maintained on paper forms and/or electronic media.
    The system is indexed by health insurance claim number. The record 
is prepared by the hospital or other provider with identifying 
information received from the beneficiary to establish eligibility for 
Medicare and document and support payments to providers by the 
intermediaries. The bill data are forwarded to the Health Care 
Financing Administration, Bureau of Data Management and Strategy, 
Baltimore, MD, where they are used to update the central office 
records.
    Disclosure of records is limited. Physical safeguards are 
established in accordance with Department standards and National 
Institute of Standards and Technology guidelines (e.g., security codes) 
will be used, limiting access to authorized personnel. System 
securities are established in accordance with HHS Information Resource 
Management (IRM) Circular #10, Automated information Systems Security 
Program, and HCFA Automated Information Systems (AIS) Guide, System 
Security Policies.
    Records are closed out at the end of the calendar year in which 
paid, held 2 more years, transferred to the Federal Records Center and 
destroyed after another 6 years.
    Health Care Financing Administration, Director, Bureau of Program 
Operations, 6325 Security Boulevard, Baltimore, MD 21207.
    Inquiries and requests for system records should be addressed to 
the social security office nearest the requester's residence, the 
appropriate intermediary, the HCFA Regional Office, or to the system 
manager named above. The individual should furnish his or her health 
insurance number and name as shown on social security records. An 
individual who requests notification of or access to a medical record 
shall, at the time the request is made, designate in writing a 
responsible representative who will be willing to review the record and 
inform the subject individual of its contents at the representative's 
discretion.
    Same as notification procedures. Requesters should also reasonably 
specify the records contents being sought. These procedures are in 
accordance with Department Regulations, 45 CFR 5b.5(a)(2).
    Contact the official at the address specified under notification 
procedure above, and reasonably identify the record and specify the 
information to be contested. State the corrective action sought and the 
reasons for the correction with supporting justification. These 
procedures are in accordance with Department Regulations, 45 CFR 5b.7.
    The identifying information contained in these records is obtained 
by the provider from the individual or, in the case of some Medicare 
secondary payer situations, through third party contacts. The medical 
information is entered by the provider of medical services.
    None.

[FR Doc. 94-17621 Filed 7-20-94; 8:45 am]
BILLING CODE 4120-03-M