March 31, 2000

Medi-777-00

TO: ALL MEDICARE PROVIDERS

SUBJECT: ACCESS TO ELIGIBILITY DATA VIA VENDORS

PRIMARY INTEREST: ADMINISTRATORS, BUSINESS OFFICE MANAGERS

The Health Care Financing Administration has instructed all Medicare contractors to notify all Medicare eligibility verification vendors and providers of the following information.

Contractors are not allowed to establish any partnership connections with new vendors and should not expand connections with established vendors to accommodate additional providers until July 1, 2000. The current vendors we have contracts with are MediFax, Healthcare Data Exchange (HDX), and Passport. No new connections can be made via these vendors until July 1, 2000 or HCFA advises otherwise.

Vendors with existing access must sign a Network Service Agreement (attached) by May 31, 2000. This agreement sets out clear responsibilities for protecting eligibility data. If a vendor has not signed the agreement by May 31, contractors are instructed to terminate their access immediately and notify the HCFA Central Office.

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER STAFF. NO COST COPIES ARE ALSO AVAILABLE FROM OUR WEB SITE AT riverbendgba.com

Please refer any questions to our office at (423) 755-5950.

The network service agrees that:

1. All beneficiary-specific information is confidential and subject to the provisions of the Privacy Act of 1974 which requires federal information systems to establish appropriate safeguards to ensure the security and confidentiality of individually identifiable records. This includes eligibility information, claims, remittance advice, online claims correction and any other transaction where any individually identifiable information applicable to a Medicare beneficiary is processed or submitted electronically.

2. It has no ownership rights and is not a user of the data, but merely a means of transmitting data between users that have a need for the data and are already identified as legitimate users under a "routine use" of the system; that is, disclosure for purposes that are compatible with the purpose for which Medicare collects the information.

3. The data submitted to the network service by the contractor are owned by Medicare.

4. It will not disclose any information concerning a Medicare beneficiary to any person or organization other than: a) an authorized Medicare provider making an inquiry concerning a Medicare beneficiary who is the provider’s patient; b) HCFA; or c) HCFA’s contractors.

5. It will promptly notify the contractor of any unauthorized disclosure of information about a Medicare beneficiary and will cooperate to prevent further unauthorized disclosure.

6. The data will not be stored for any duration longer than that required to assure that they have reached their destination, and no more than 30 days for any purpose.

7. It has identified to the contractor in writing any instances where it would need to view Medicare data in order to perform its intended tasks under the agreement. It will not view the data unless it is absolutely necessary to perform its intended tasks.

8. It will not prepare any reports, summary or otherwise, based on any individual aspect of the data content. Reports may be written, however, on data externals or summaries such as the number of records transmitted to a given receiver on a given date.

9. It will guarantee that an authorized user may be deleted within 24 hours. Other standards of performance, including, but not limited to, how quickly a user may be added to the network, must be specified in writing.

10. No incoming or outgoing electronic data interchange (EDI) will be conducted unless authorization for access is in writing and signed by the provider, and each provider has a valid EDI enrollment form on file.

11. It has the ability to associate each inquiry with the provider making the inquiry.

12. It will furnish, upon request, documentation that assures the above privacy concerns are being met.

13. It understands that final regulations on security and privacy standards for health information under the Health Insurance Portability and Accountability Act of 1996 will be forthcoming. It will adhere to those regulations when they become effective.

2

NOTICE:

Federal law shall govern both the interpretation of this document and the appropriate jurisdiction and venue for appealing any final decision made by HCFA under this document.

This document shall become effective when signed by the network service. The responsibilities and obligations contained in this document will remain in effect as long as electronic data interchange is being conducted with HCFA or the contractor. Either party may terminate this arrangement by giving the other party (30) days notice of its intent to terminate.

SIGNATURE:

I am authorized to sign this document on behalf of the indicated party and I have read and agree to the forgoing provisions and acknowledge same by signing below.

Network Service Company Name

______________________________________________________________________________

Address

______________________________________________________________________________

City/State/Zip

______________________________________________________________________________

Signed By

______________________________________________________________________________

Title

______________________________________________________________________________

Date

_____________________________________________________________________________