[Federal Register Volume 59, Number 139 (Thursday, July 21, 1994)] [Unknown Section] [Page 0] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 94-17621] [[Page Unknown]] [Federal Register: July 21, 1994] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Health Care Financing Administration Privacy Act of 1974; Systems of Records AGENCY: Department of Health and Human Services (HHS), Health Care Financing Administration (HCFA). ACTION: Notice of proposed new routine use for existing systems of records. ----------------------------------------------------------------------- SUMMARY: HCFA is proposing to revise the system notices for the ``Carrier Medicare Claims Records'' (CMCR), System No. 09-70-0501, and the ``Intermediary Medicare Claims Records'' (IMCR), System No. 09-70- 0503. The Privacy Act permits disclosure of information without the prior written consent of an individual for ``routine use'' that is; disclosure for purposes compatible with the purpose for which the data is collected. HCFA is proposing to revise the CMCR and IMCR by adding a new routine use for release of intermediary and carrier maintained beneficiary data to servicing Medicare banks and/or provider banks. The purpose of this new routine use is to allow fiscal intermediaries (FIs) and carriers to send claims payment and beneficiary information to providers or their banks either directly, or through a Value Added Network (VAN) telecommunications service and for provider banks to use this information to perform account management activities on behalf of providers. Under this scenario, the electronic funds transfer (EFT) and the electronic remittance advice (ERA) flow together through the banking system. The consolidation of Medicare beneficiary and payment information will reduce paperwork and administrative costs. EFFECTIVE DATES: HCFA filed an altered system report with the Chairman of the Committee on Government Operations of the House of Representatives, the Chairman of the Committee on Governmental Affairs of the Senate, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB), on July 18, 1994. To ensure all parties have adequate time in which to comment, the altered systems of records, including routine uses, will become effective 40 days from the publication of this notice or from the date submitted to OMB and the Congress, whichever is later, unless HCFA receives comments which require alterations to this notice. The proposed new routine use shall take effect without further notice 40 days from the date of publication unless comments received on or before that date would warrant changes. ADDRESSES: Please address comments to Mr. Richard A. DeMeo, HCFA Privacy Act Officer, Office of Budgetary Services, Office of Customer Relations and Communications, HCFA, Room 2-H-4 East High Rise Building, 6325 Security Boulevard, Baltimore, Maryland 21207-5187. Comments received will be available for inspection at this location. FOR FURTHER INFORMATION CONTACT: Joseph Morical, Division of Financial Management, Office of Contracting and Financial Management, Bureau of Program Operations, Health Care Financing Administration, Room 1-B-4, Meadows East Building, 6325 Security Boulevard, Baltimore, Maryland 21207-5187. His telephone number is (410) 966-7477. SUPPLEMENTARY INFORMATION: The IMCR and the CMCR exist to assure proper health insurance benefit payments to or on behalf of entitled Medicare Part A and Part B beneficiaries. The Privacy Act permits disclosure of information without the prior written consent of an individual for ``routine use'' that is; disclosure for purposes compatible with the purpose for which the data is collected. The IMCR and CMCR systems of records were last published in the Federal Register at 55 FR 37549; September 12, 1990. Currently, there are 23 routine uses in the IMCR system and 25 in the CMCR system that permit disclosure of information to individuals and/or organizations for a variety of reasons, the majority of which relate to the timely and accurate processing of Medicare claims, payment safeguards activities, and research. There are safeguards in place, as described in the safeguard section of both systems, to protect the data which have been developed in accordance with part 6 of the HHS Information Resource Management Manual and the National Institute of Standards and Technology Information Process Standards. We are proposing to add a new routine use (number (24)/(26)) to the Carrier and Intermediary systems of records, for the release of data without an individuals' prior written consent. The new routine use would permit the release of beneficiary data via ERA to servicing Medicare banks and to provider banks. Servicing Medicare banks enter into agreements with the Health Care Financing Administration and with contracted Medicare claims processors to provide check clearing, account maintenance and electronic payment origination services for the Medicare program. The proposed routine use allows release of data from the IMCR and the CMCR to servicing Medicare banks and/or Medicare provider banks for one or more of the following purposes: (1) For servicing Medicare banks to transmit ERAs on behalf of Medicare contractors to Medicare providers directly or through the banking system to either the provider's bank or a VAN; (2) For provider banks to receive ERAs from the servicing Medicare banks and to transmit the remittance information directly to Medicare providers via mail, telefax, or electronic transmission; (3) For provider banks to receive ERAs from the originating Medicare banks in order to perform account maintenance activities at the request of Medicare providers. Transmitting remittance data electronically to providers or their banks directly from the servicing Medicare bank, and/or electronically transmitting beneficiary and provider data along with payment information from the servicing Medicare bank to providers, their banks or a VAN service, allows for more efficient payment and reconciliation processes for both HCFA and providers. The new routine use number (24), for the IMCR, and (26), for the CMCR, will read as follows: (24)/(26) Servicing Fiscal Intermediary/Carrier banks, Automated Clearing Houses, VANs and provider banks to the extent necessary to transfer to providers electronic remittance advices of Medicare payments, and with respect to provider banks, to the extent necessary to provide account management services to providers using this information. Technical amendments have been made to routine use number (24)/(26) for consistency with the current notices. The IMCR and CMCR systems maintain information for the purpose of processing and paying Medicare benefits to or on behalf of eligible individuals. The proposed new routine use is consistent with the Privacy Act, 5 U.S.C. 552a(a)(7), since it is compatible with this purpose. In accordance with OMB Guidelines (Circular A-130, 58 FR 36068, 36077 July 2, 1993), this addition of a routine use constitutes a significant change in the system of records. Accordingly, we have prepared a report of an altered system of records under 5 U.S.C. 552a(r). In addition, for the convenience of the reader, we are publishing the notice for both systems in their entirety below. Dated: July 12, 1994. Bruce C. Vladeck, Administrator, Health Care Financing Administration. 09-70-0501 Carrier Medicare Claim Records, HHS/HCFA/BPO. None. Carriers under contract to the Health Care Financing Administration (HCFA) and the Social Security Administration. Direct any inquiries regarding carrier locations to HCFA, Bureau of Program Operations, Office of Contracting and Financial Management, Division of Acquisition and Contracts, Contractor Operations Branch, Meadows East Building, Room 332, 6325 Security Boulevard, Baltimore, Maryland 21207-5187. Beneficiaries who have submitted claims for Supplementary Medical Insurance (Medicare Part B), or individuals whose enrollment in an employer group health benefits plan covers the beneficiary. Request for Payment: Provider Billing for Patient services by Physician; Prepayment Plan for Group Medicare Practice dealing through a Carrier, Health Insurance Claim Form, Request for Medical Payment, Patient's Request for Medicare Payment, Request for Medicare Payment- Ambulance, Explanation of Benefits, Summary Payment Voucher, Request for Claim Number Verification; Payment Record Transmittal; Statement of Person Regarding Medicare Payment for Medical Services Furnished Deceased Patient; Report of Prior Period of Entitlement; itemized bills and other similar documents from beneficiaries required to support payments to beneficiaries and to physicians and other suppliers of Part B Medicare services; Medicare secondary payer records containing other party liability insurance information necessary for appropriate Medicare claim payment. Sections 1842, 1862(b) and 1874 of title XVIII of the Social Security Act (42 U.S.C. 1395u, 1395y(b) and 1395kk). To properly pay medical insurance benefits to or on behalf of entitled beneficiaries. Disclosure may be made to: (1) Claimants, their authorized representative or representative's payees to the extent necessary to pursue claims made under Title XVIII of the Social Security Act (Medicare). (2) Third-party contacts (without the consent of the individuals to whom the information pertains) in situations where the party to be contacted has, or is expected to have information relating to the individual's capability to manage his or her affairs or to his or her eligibility for or entitlement to benefits under the Medicare program when: (a) The individual is unable to provide the information being sought (an individual is considered to be unable to provide certain types of information when any of the following conditions exist: Individual is incapable or of questionable mental capability, cannot read or write, cannot afford the cost of obtaining the information, a language barrier exists, or the custodian of the information will not, as a matter of policy, provide it to the individual), or (b) The data are needed to establish the validity of evidence or to verify the accuracy of information presented by the individual, and it concerns one or more of the following; the individual's eligibility to benefits under the Medicare program;: The amount of reimbursement;: Any case in which the evidence is being reviewed as a result of suspected abuse or fraud, concern for program integrity, or for quality appraisal, or evaluation and measurement of system activities. (3) Third-party contacts where necessary to establish or verify information provided by representative payees or payee applicants. (4) The Treasury Department for investigating alleged theft, forgery, or unlawful negotiation of Medicare reimbursement checks. (5) The U.S. Postal Service for investigating alleged forgery or theft of Medicare checks. (6) The Department of Justice for investigating and prosecuting violations of the Social Security Act to which criminal penalties attach, or other criminal statutes as they pertain to the Social Security Act programs, for representing the Secretary, and for investigating issues of fraud by agency officers or employees, or violation of civil rights. (7) The Railroad Retirement Board for administering provisions of the Railroad Retirement and Social Security Acts relating to railroad employment. (8) Peer Review Organizations and Quality Review Organizations in connection with their review of claims, or in connection with studies or other review activities, conducted pursuant to Part B of Title XI of the Social Security Act. (9) State Licensing Boards for review of unethical practices of nonprofessional conduct. (10) Providers and suppliers of services (and their authorized billing agents) directly or dealing through fiscal intermediaries or carriers, for administration of provisions of title XVIII. (11) An individual or organization for a research, evaluation or epidemiological project related to the prevention of disease or disability, or the restoration or maintenance of health if HCFA: a. Determines that the use of disclosure does not violate legal limitations under which the record was provided, collected, or obtained. b. Determines that the purpose for which this disclosure is to be made: (1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form. (2) Is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring, and (3) There is reasonable probability that the objective for the use would be accomplished: (c) Requires the information recipient to: (1) Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, and (2) Remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the project, unless the recipient presents an adequate justification of a research or health nature for retaining such information and (3) Make no further use or disclosure of the record except: (a) In emergency circumstances affecting the health or safety or any individual. (b) For use in another research project, under these same conditions, and with written authorization of HCFA. (c) For disclosure to a properly identified person for the purpose of audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) When required by law; d. Secures a written statement attesting to the information recipient's understanding of and willingness to abide by these provisions. (12) State welfare departments pursuant to agreements with the Department of Health and Human Services for administration of State supplementation payments for determinations of eligibility for Medicaid, for enrollment of welfare recipients for medical insurance under section 1843 of the Social Security Act, for quality control studies, for determining eligibility of recipients of assistance under titles IV and XIX of the Social Security Act, and for the complete administration of the Medicaid program. (13) A congressional office from the record of an individual in response to an inquiry from the congressional office at the request of that individual. (14) State audit agencies in connection with the audit of Medicare eligibility considerations. Disclosures of physicians' customary charge data are made to State audit agencies in order to ascertain the corrections of Title XIX charges and payments. (15) The Department of Justice to a court or other tribunal, or to another party before such tribunal, when: (a) HHS, or any component therein; or (b) Any HHS employee in his or her official capacity; or (c) Any HHS employee in his or her individual capacity where the Department of Justice or HHS, (where it is authorized to do so) has agreed to represent the employee; or (d) The United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, the tribunal, or the other party is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected. (16) Peer review groups, consisting of members of State, County, or local medical societies or medical care foundations (physicians), appointed by the medical societies or foundation at the request of the carrier to assist in the resolution of questions of medical necessity, utilization of particular procedures or practices, or other utilization of services with respect to Medicare claims submitted to the carrier. (17) Physicians and other suppliers of services who are attempting to validate individual items on which the amounts included in the annual Physician-Supplier Payment List or similar publications are based. (18) Senior citizen volunteers working in intermediaries' and carriers' offices to assist Medicare beneficiaries in response to beneficiaries' requests for assistance. (19) A contractor working with Medicare carriers/intermediaries to identify and recover erroneous Medicare payments for which workers' compensation programs are liable. (20) State and other governmental Workers' Compensation Agencies working with the Health Care Financing Administration to assure that workers' compensation payments are made where Medicare has erroneously paid and workers' compensation programs are liable. (21) Insurance companies, self-insurers, Health Maintenance Organizations, multiple employer trusts and other groups providing protection against medical expenses of their enrollees. Information to be disclosed shall be limited to Medicare entitlement data. In order to receive the information the entity must agree to the following conditions: a. To certify that the individual on whom the information is being provided is one of its insured; b. To utilize the information solely for the purpose of processing the identified individual's insurance claims; and c. To safeguard the confidentiality of the data and to prevent unauthorized access to it. (22) To a contractor for the purpose of collating, analyzing, aggregating or other wise refining or processing records in this system or for developing, modifying and/or manipulating ADP software. Data would also be disclosed to contractors incidental to consultation, programming, operation, user assistance, or maintenance for ADP or telecommunications systems containing or supporting records in the system. (23) To an agency of a State Government, or established by State law, for purposes of determining, evaluating and/or assessing cost, effectiveness, and/or the quality of health care services provided in the State, if HCFA: a. Determines that the use of disclosure does not violate legal limitations under which the data were provided, collected or obtained: b. Establishes that the data are exempt from disclosure under the State and/or local Freedom of Information Act; c. Determines that the purpose for which the disclosure is to be made: (1) Cannot reasonably be accomplished unless the data are provided in individually identifiable form; (2) Is of sufficient importance to warrant the effect and/or risk on the privacy of the individuals that additional exposure of the record might bring, and; (3) There is reasonable probability that the objectives for the use would be accomplished; and d. Requires the recipient to: (1) Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record; (2) Remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the request, unless the recipient presents an adequate justification for retaining such information; (3) Make no further use or disclosure of the record except: (a) In emergency circumstances affecting the health or safety of any individual; (b) For use in another project under the same conditions, and with written authorization in HCFA; (c) For disclosure to a properly identified person for the purpose of an audit related to the project, if information that would enable project subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) When required by law; and (4) Secure a written statement attesting to the recipient's understanding of and willingness to abide by these provisions. The recipient must agree to the following: (a) Not to use the data for purposes that are not related to the evaluation of cost, quality and effectiveness of care; (b) Not to publish or otherwise disclose the data in a form raising unacceptable possibilities that beneficiaries could be identified (i.e., the data must not be beneficiary-specific and must be aggregated to a level when no data cells have ten or fewer beneficiaries); and (c) To submit a copy of any aggregation of the data intended for publication to HCFA for approval prior to publication. (24) to insurers, underwriters, third party administrators, self- insurers, groups health plans, employers, health maintenance organizations, health and welfare benefit funds, Federal agencies, a State or local government or political subdivision of either (when the organization has assumed the role of an insurer, underwriter, or third party administrator, or in the case of a State that assumes the liabilities of an insolvent insurer, through a State created insolvent insurer pool or fund), multiple-employer trusts, no-fault, medical, automobile insurers, workers' compensation carriers or plans, liability insurers, and other groups providing protection against medical expenses who are primary payers to Medicare in accordance with 42 U.S.C. 1395y(b), or any entity having knowledge of the occurrence of any event affecting (A) an individual's right to any such benefit or payment, or (B) the initial or continued right to any such benefit or payment (for example, a State Medicaid Agency, State Workers' Compensation Board, or the Department of Motor Vehicles), for the purpose of coordination of benefits with the Medicare program and implementation of the Medicare Secondary Payer provisions at 42 U.S.C. 1395y(b). The information HCFA may disclose will be:Beneficiary Name. Beneficiary Address. Beneficiary Health Insurance Claim Number. Beneficiary Social Security Number. Beneficiary Sex. Beneficiary Date of Birth Amount of Medicare Conditional Payment Provider name and number Physician name and number Supplier name and number Dates of service Nature of Service Diagnosis. To administer the Medicare Secondary Payer provisions at 42 U.S.C. 1395y(b)(2), (3), and (4) more effectively, HCFA would receive (to the extent that it is available) and may disclose the following types of information from insurers, underwriters, third party administrators (TPAs), self-insured, etc.: Subscriber Name and Address. Subscriber Date of Birth. Subscriber Social Security Number. Dependent Name. Dependent Date of Birth. Dependent Social Security Number. Dependent Relationship to Subscriber. Insurer/Underwriter/TPA Name and Address. Insurer/Underwriter/TPA Group Number. Insurer/Underwriter/TPA Group Name. Prescription Drug Coverage. Policy Number. Effective Date of Coverage. Employer Name, Employer Identification Number (EIN) and Address. Employment Status. Amounts of Payment. To Administer the Medicare Secondary Payer provision at 42 U.S.C. 1395y(b)(1) more effectively for entities such as Workers Compensation carriers or boards, liability insurers, no-fault and automobile medical policies or plans, HCFA would receive (to the extent that it is available) and may disclose the following information: Beneficiary's Name and Address. Beneficiary's Date of Birth. Beneficiary's Social Security Number. Name of Insured. Insurer Name and Address. Type of coverage; automobile medical, no-fault, liability payment, or workers' compensation settlement. Insured's Policy Number. Effective Date of Coverage. Date of accident, injury or illness. Amount of payment under liability, no-fault, or automobile medical policies, plans, and workers' compensation settlement. Employer Name and Address (Workers' Compensation only). Name of insured could be the driver of the car, a business, the beneficiary (i.e., the name of the individual or entity which carries the insurance policy or plan). In order to receive this information the entity must agree to the following conditions: a. To utilize the information solely for the purpose of coordination of benefits with the Medicare program and other third party payers in accordance with 42 U.S.C. 1395y(b); b. To safeguard the confidentiality of the data and to prevent unauthorized access to it; c. To prohibit the use of beneficiary-specific data for purposes other than for the coordination of benefits among third party payers and the Medicare program. This agreement would allow the entities to use the information to determine cases where they or other third party payers have primary responsibility for payment. Examples of prohibited uses would include but are not limited to: Creation of a mailing list, sale or transfer of data. --To administer the MSP provisions more effectively, HCFA may receive or disclose the following types of information from or to entities including insurers, underwriters, third party administrators (TPAs), and self-insured plans, concerning potentially affected individuals: Subscriber Health Insurance Claim Number. Dependent Name. Funding arrangements of employer group health plans, for example, contributory or non-contributory plan, self-insured, re- insured, HMO, TPA insurance. Claims payment information, for example, the amount paid, the date of payment, the name of the insurer or payer. Dates of employment including termination date, if appropriate. Number of full and/or part-time employees in the current and preceding calendar years. Employment status of subscriber, for example full or part time, self employed. (25) To the Internal Revenue Service for the application of tax penalties against employers and employee organizations that contribute to Employer Group Health Plans or Large Group Health Plans that are not in compliance with 42 U.S.C. 1395y(b). (26) To servicing Fiscal Intermediary/Carrier banks, Automated Clearing Houses, VANs and provider banks to the extent necessary to transfer to providers electronic remittance advice of Medicare payments, and with respect to provider banks, to the extent necessary to provide account management services to providers using this information. See ``Supplementary Information.'' Records maintained on paper and electronic media. System is indexed by health insurance claim number. The record is prepared by the physician, supplier or other provider with identifying information received from the beneficiary to establish eligibility for Medicare and document and support payments to physicians, suppliers or other providers by the carrier. The claim data are forwarded to the Health Care Financing Administration, Bureau of Data Management and Strategy, Baltimore, MD, where they are used to update the Central Office Records. Unauthorized personnel are denied access to the records area. Disclosure is limited. Physical safeguards related to the transmission and reception of data between Rockville and Baltimore are those requirements established in accordance with HHS standards and National Institute of Standards and Technology guidelines (e.g., security codes will be used, limiting access to authorized personnel). System securities are established in accordance with HHS Information Resource Management (IRM) Circular #10, Automated Information Systems Security Program, and HCFA's Automated Information Systems (AIS) Guide, Systems Security Policies. Records are closed at the end of the calendar year in which paid, held 2 additional years, transferred to Federal Records Center and destroyed after another 2 years. Health Care Financing Administration, Director, Bureau of Program Operations, 6325 Security Boulevard, Baltimore, MD 21207. Inquiries and requests for system records should be addressed to the most convenient social security office, the appropriate carrier, the HCFA Regional Office, or to the system manager named above. The individual should furnish his or her health insurance claim number and the name as shown on social security records. An individual who requests notification of or access to a medical record shall, at the time the request is made, designate in writing a responsible representative who will be willing to review the record and inform the subject individual of its contents at the representative's discretion. Same as notification procedures. Requesters should also reasonably specify the records contents being sought. These procedures are in accordance with Department Regulations, 45 CFR 5b.5(a)(2). Contact the official at the address specified under notification procedures above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. These procedures are in accordance with Department regulations, 45 CFR 5b.7. The data contained in these records is either furnished by the individual or, in the case of some Medicare secondary payer situations, through third party contacts. In most cases, the identifying information is provided to the physician by the individual. The physician then adds the medical information and submits the bill to the carrier for payment. None. 09-70-0503 Intermediary Medicare Claims Records, HHS/HCFA/BPO None. Intermediaries under contract to the Health Care Financing Administration and the Social Security Administration. Direct inquiries for intermediary locations to: HCFA, Bureau of Program Operations, Office of Contracting and Financial Management, Division of Acquisition and Contracts, Contractor Operations Branch, Meadows East Building, Room 332, 6325 Security Boulevard, Baltimore, Maryland 21207-5187. Beneficiaries on whose behalf providers have submitted claims for reimbursement on a reasonable cost basis under Medicare parts A and B, or are eligible for Medicare, or individuals whose enrollment in an employer group health benefits plan covers the beneficiary under Medicare. Billing for Medical and Other Health Services: Uniform bill for provider services or equivalent data in electronic format, and Medicare Secondary Payer records containing other third party liability insurance information necessary for appropriate Medicare claims payment and other documents used to support payments to beneficiaries and providers of services. These forms contain the beneficiary's name, sex, health insurance claim number, address, date of birth, medical record number, prior stay information, provider name and address, physician's name and/or identification number, warranty information when pacemakers are implanted or explanted, date of admission and discharge, other health insurance, diagnosis, surgical procedures, a statement of services rendered for related charges and other data needed to substantiate claims. The following elements are outpatient data provided to Medicare intermediaries by rehabilitation agencies, skilled nursing facilities, hospital outpatient departments, home intravenous drug providers and home health agencies that provide physical therapy in addition to home health services: Outpatient's name. HI number. Admission data to provider. Place treatment rendered. Number of visits since start of care. Diagnosis. Diagnosis requiring treatment. Onset of condition for which treatment is being sought. Dates of previous therapy for same diagnosis. Other therapy outpatient is currently receiving. Observations. Precautions and medical equipment. Functional status immediately prior to this therapy. Types of treatment--modalities. Frequency of treatment. Expected duration of treatment. Rehabilitation potential. Level of communication potential. Average time per visits. Goals. Statement of problem at beginning of billing period. Changes in problem at end of billing period. Signature of therapist. Certification and recertification by physician that services are to be provided from an established plan of care. Tests results. Biopsy reports. Methods of administration, e.g., pill vs. injection. Physician orders. Procedure codes. Changes. Weekly progress notes. National Drug Code (NDC). Sections 1816, 1862(b) and 1874 of Title XVIII of the Social Security Act (42 U.S.C. 1395h, 1395y(b) and 1395kk). To process and pay Medicare benefits to or on behalf of eligible individuals. Disclosure may be made to: (1) Claimants, their authorized representatives or representative payees to the extent necessary to pursue claims made under title XVIII of the Social Security Act (Medicare). (2) Third-party contacts, without the consent of the individual to whom the information pertains, in situations where the party to be contacted has, or is expected to have information relating to the individual's capability to manage his or her affairs or to his or her eligibility for or entitlement to benefits under the Medicare program when: (a) The individual is unable to provide the information being sought (an individual is considered to be unable to provide certain types of information when any of the following conditions exist: Individual is incapable or of questionable mental capability, cannot read or write, cannot afford the cost of obtaining the information, a language barrier exists, or the custodian of the information will not, as a matter of policy provide to the individual), or (b) The data are needed to establish to validity of evidence or to verify the accuracy of information presented by the individual, and it concerns one or more of the following: The individual's eligibility to benefits under the Medicare program; the amount of reimbursement of any case in which the evidence is being reviewed as a result of suspected abuse or fraud, concern for program integrity, or for quality appraisal, or evaluation and measurement of systems activities. (3) Third-party contacts where necessary to establish or verify information provided by representative payees or payee applicants. (4) The Treasury Department for investigating alleged theft, forgery, or unlawful negotiations of Medicare reimbursement checks. (5) The U.S. Postal Service for investigating alleged forgery or theft of Medicare checks. (6) The Department of Justice for investigating and prosecution violations of the Social Security Act to which criminal penalties attach, or other criminal statutes as they pertain to Social Security Act programs, for representing the Secretary, and for investigating issues of fraud by agency officers or employees, or violation of civil rights. (7) The Railroad Retirement Board for administering provisions of the Railroad Retirement and Social Security Acts relating to railroad employment. (8) Peer Review Organizations and Quality Review Organizations in connection with their review of claims, or in connection with studies or other review activities, conducted pursuant to Part B of Title XI of the Social Security Act. (9) State Licensing Boards for review of unethical practices or nonprofessional conduct. (10) Providers and suppliers of services (and their authorized billing agents) directly or dealing through fiscal intermediaries or carriers, for administration of provisions of title XVIII. (11) An individual or organization for a research, evaluation, or epidemiological project related to the prevention of disease or disability, or maintenance of health if HCFA: a. Determines that the use or disclosure does not violate legal limitations under which the record was provided, collected, or obtained: b. Determines that the purpose for which the disclosure is to be made: (1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form. (2) Is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring, and (3) There is reasonable probability that the objective for the use would be accomplished: c. Requires the information recipient to: (1) Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, and (2) Remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the project, unless the recipient presents an adequate justification of a research or health nature for retaining such information, and (3) Make no further use or disclosure of the record except: (a) In emergency circumstances affecting the health or safety of any individual; (b) For use in another research project, under these same conditions, and with written authorization of HCFA; (c) For disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit; (d) When required by law. d. Secures a written statement attesting to the information recipient's understanding of and willingness to abide by the provisions. (12) State welfare departments pursuant to agreements with the Department of Health and Human Services for administration of State supplementation payments for determination of eligibility for Medicaid, for enrollment of welfare recipients for medical insurance under section 1843 of the Social Security Act for quality control studies, for determining eligibility of recipients of assistance under titles IV and XIX of the Social Security Act, and for the complete administration of the Medicaid program. (13) A congressional office from the record of an individual in response to an inquiry from the congressional office at the request of that individual. (14) State audit agencies in connection with the audit of Medicaid eligibility considerations. (15) The Department of Justice, to a court or other tribunal, or to another party before such tribunal, when: (a) HHS, or any component thereof; or (b) Any HHS employee in his or her official capacity; or (c) Any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee, or (d) The United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, the tribunal, or the other party is relevant and necessary to the litigation and would help in the effective representation of the government party, provided, however, that in such case, HHS determines that such disclosure is compatible with the purpose for which the records were collected. (16) Senior citizen volunteers working in the intermediaries' and carriers' offices to assist Medicare beneficiaries in response to beneficiaries requests for assistance. (17) A contractor working with Medicare carriers/intermediaries to identify and recover erroneous Medicare payments for which workers' compensation programs are liable. (18) State and other governmental Workers' Compensation Agencies working with the Health Care Financing Administration to assure that workers' compensation payments are made where Medicare has erroneously paid and workers' compensation programs are liable. (19) Insurance companies, self-insurers, Health Maintenance Organizations, multiple employer trusts and other groups providing protection against medical expenses of their enrollees. Information to be disclosed shall be limited to Medicare entitlement data. In order to receive this information the entity must agree to the following conditions: a. To certify that the individual about whom the information is being provided is one of its insured: b. To utilize the information solely for the purpose of processing the identified individual's insurance claims; and c. To safeguard the confidentiality of the data and to prevent unauthorized access to it. (20) To a contractor for the purpose of collating, analyzing, aggregating or otherwise refining or processing records in this system or for developing, modifying and/or manipulating ADP software. Data would also be disclosed to contractors incidental to consultation, programming, operation, user assistance, or maintenance for ADP or telecommunications systems containing or supporting records in the system. (21) To any agency of a State Government, or established by State law, for purposes of determining, evaluating and/or assessing cost, effectiveness, and/or the quality of health care services provided in the State, if HCFA: a. Determines that the use or disclosure does not violate legal limitations under which the data were provided, collected, or obtained; b. Establishes that the data are exempt from disclosure under the State and/or local Freedom of Information Act; c. Determines that the purpose for which the disclosure is to be made: (1) Cannot reasonably be accomplished unless the data are provided in individually identifiable form; (2) Is of sufficient importance to warrant the effect and/or risk on the privacy of the individuals that additional exposure of the record might bring; and (3) There is reasonable probability that the objective for the use would be accomplished; and d. Requires the recipient to: (1) Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record; (2) Removed or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the request, unless the recipient presents an adequate justification for retaining such information; (3) Make no further use or disclosure of the record except; (a) In emergency circumstances affecting the health or safety of any individual; (b) For use in another project under the same conditions, and with written authorization of HCFA; (c) For disclosure to a properly identified person for the purpose of an audit related to the project, if information that would enable project subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audits; or (d) When required by law; and (4) Secure a written statement attesting to the recipient's understanding of and willingness to abide by these provisions. The recipient must agree to the following: (1) Not to use the data for purposes that are not related to the evaluation of cost, quality, and effectiveness of care; (2) Not to publish or otherwise disclose the data in a form raising unacceptable possibilities that beneficiaries could be identified (i.e., the data must not be beneficiary-specific and must be aggregated to level when no data cells have ten or fewer beneficiaries); and (3) To submit a copy of any aggregation of the data intended for publication to HCFA for approval prior to publication. (22) To insurers, underwriters, third party administrators (TPAs), self-insurers, group health plans, employers, health maintenance organizations, health and welfare benefit funds. Federal agencies, a State or local government or political subdivision of either (when the organization has assumed the role of an insurer, underwriter, or third party administrator, or in the case of a State that assumes the liabilities of an insolvent insurer, through a State created insolvent insurers pool or fund), multiple-employer trusts, no-fault, medical, automobile insurers, workers' compensation carriers or plans, liability insurers, and other groups providing protection against medical expenses who are primary payers to Medicare in accordance with 42 U.S.C. 1395y(b), or any entity having knowledge of the occurrence of any event affecting (A) an individual's right to any such benefit or payment, Or (B) the initial or continued right to any such benefit or payment (for example, a State Medicaid Agency, State Workers' Compensation Board, or Department of Motor Vehicles) for the purpose of coordination of benefits with the Medicare program and implementation of the Medicare Secondary Payer provisions at 42 U.S.C. implementation of the Medicare Secondary Payer provisions at 42 U.S.C. 1395y(b). The information HCFA may disclose will be: Beneficiary Name. Beneficiary Address. Beneficiary Health Insurance Claim Number. Beneficiary Social Security Number. Beneficiary Sex. Beneficiary Date of Birth. Amount of Medicare Conditional Payment. Provider Name and Number. Physician Name and Number. Supplier Name and Number. Dates of Service. Nature of Service. Diagnosis. The administer the Medicare Secondary Payer provision at 42 USC 1395y(b) (2), (3), and (4) more effectively, HCFA would receive (to the extent that it is available) and may disclose the following types of information from insurers, underwriters, third party administrator, self-insurers, etc.: Subscriber Name and Address. Subscriber Date of Birth. Subscriber Social Security Number. Dependent Name. Dependent Date of Birth. Dependent Social Security Number. Dependent Relationship to Subscriber. Insurer/Underwriter/TPA Name and Address. Insurer/Underwriter/TPA Group Number. Insurer/Underwriter/Group Name. Prescription Drug Coverage. Policy Number. Effective Date of Coverage. Employer Name, Employer Identification Number (EIN) and Address. Employment Status. Amounts of Payment. To administer the Medicare Secondary Payer provision at 42 USC 12395(b)(1) more effectively for entities such as Workers Compensation carriers or boards, liability insurers, no-fault and automobile medical policies or plans, HCFA would receive (to the extent that it is available) and may disclose the following information: Beneficiary's Name and Address. Beneficiary's Date of Birth. Beneficiary's Social Security Number. Name of Insured. Insurer Name and Address. Type of coverage; automobile medical, no-fault, liability payment, or workers' compensation settlement. Insured's Policy Number. Effective Date of Coverage. Date of accident, injury or illness. Amount of payment under liability, no-fault, or automobile medical policies, plans, and workers compensation settlements. Employer Name and Address (Workers' Compensation only). Name of insured could be the driver of the car, a business, the beneficiary (i.e., the name of the individual or entity which carries the insurance policy or plan). In order to receive this information the entity must agree to the following conditions: a. To utilize the information solely for the purpose of coordination of benefits with the Medicare program and other third party payer in accordance with 42 U.S.C. 1395y(b); b. To safeguard the confidentiality of the data and to prevent unauthorized access to it; c. To prohibit the use of beneficiary-specific data for purposes other than for the coordination of benefits among third party payers and the Medicare program. This agreement would allow the entities to use the information to determine cases where they or other third party payers have primary responsibility for payment. Examples of prohibited uses would include but are not limited to; creation of a mailing list, sale or transfer of data. --To administer the MSP provisions more effectively, HCFA may receive or disclose the following types of information from or to entities including insurers, underwriters, TPAs, and self-insured plans, concerning potentially affected individuals: Subscriber Health Insurance Claim Number. Dependent Name. Funding arrangements of employer group health plans, for example, contributory or non-contributory plan, self-insured, re- insured, HMO, TPA insurance. Claims payment information, for example, the amount paid, the date of payment, the name of the insurer or payer. Dates of employment including termination date, if appropriate. Number of full and/or part-time employees in the current and preceding calendar years. Employment status of subscriber, for example full or part time, self employed. (23) To the Internal Revenue Service for the application of tax penalties against employers and employee organizations that contribute to Employer Group Health Plans or Large Group Health Plans that are not in compliance with 42 U.S.C. 1395y(b). (24) To servicing Fiscal Intermediary/Carrier banks, Automated Clearing Houses, VANs and provider banks to the extent necessary to transfer to providers electronic remittance advice of Medicare payments, and with respect to provider banks, to the extent necessary to provide account management services to providers using this information. See SUPPLEMENTARY INFORMATION. Records maintained on paper forms and/or electronic media. The system is indexed by health insurance claim number. The record is prepared by the hospital or other provider with identifying information received from the beneficiary to establish eligibility for Medicare and document and support payments to providers by the intermediaries. The bill data are forwarded to the Health Care Financing Administration, Bureau of Data Management and Strategy, Baltimore, MD, where they are used to update the central office records. Disclosure of records is limited. Physical safeguards are established in accordance with Department standards and National Institute of Standards and Technology guidelines (e.g., security codes) will be used, limiting access to authorized personnel. System securities are established in accordance with HHS Information Resource Management (IRM) Circular #10, Automated information Systems Security Program, and HCFA Automated Information Systems (AIS) Guide, System Security Policies. Records are closed out at the end of the calendar year in which paid, held 2 more years, transferred to the Federal Records Center and destroyed after another 6 years. Health Care Financing Administration, Director, Bureau of Program Operations, 6325 Security Boulevard, Baltimore, MD 21207. Inquiries and requests for system records should be addressed to the social security office nearest the requester's residence, the appropriate intermediary, the HCFA Regional Office, or to the system manager named above. The individual should furnish his or her health insurance number and name as shown on social security records. An individual who requests notification of or access to a medical record shall, at the time the request is made, designate in writing a responsible representative who will be willing to review the record and inform the subject individual of its contents at the representative's discretion. Same as notification procedures. Requesters should also reasonably specify the records contents being sought. These procedures are in accordance with Department Regulations, 45 CFR 5b.5(a)(2). Contact the official at the address specified under notification procedure above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. These procedures are in accordance with Department Regulations, 45 CFR 5b.7. The identifying information contained in these records is obtained by the provider from the individual or, in the case of some Medicare secondary payer situations, through third party contacts. The medical information is entered by the provider of medical services. None. [FR Doc. 94-17621 Filed 7-20-94; 8:45 am] BILLING CODE 4120-03-M