May ,2000

November 22, 2000

Medi-867-00

TO: ALL MEDICARE PROVIDERS

SUBJECT: COMMON WORKING FILE ACCESS REQUIREMENTS

PRIMARY INTERESTS: BUSINESS OFFICE MANAGERS

The Health Care Financing Administration is requiring all Medicare contractors to enter into new agreements with Medicare Eligibility Network Service Vendors. These vendors provide access to the Common Working File. The following is informational only.

Each Medicare Eligibility Network Service Vendor must agree to the following stipulations:

1. All beneficiary-specific information is confidential and subject to the provisions of the Privacy Act of 1974 which requires Federal information systems to establish appropriate safeguards to ensure the security and confidentiality of individually identifiable records. This includes eligibility information, claims, remittance advice, online claims correction, and any other transaction where any individually identifiable information applicable to a Medicare beneficiary is processed or submitted electronically.

2. It is has no ownership rights and is not a user of the data, but merely a means of transmitting data between users that have a need for the data and are already identified as legitimate users under a "routine use" of the system; that is, disclosure for purposes that are compatible with the purpose for which Medicare collects the information.

3. The data submitted to the network service by the contractor are owned by Medicare.

4. It will not disclose any information concerning a Medicare beneficiary to any person or organization other than a.) an authorized Medicare provider making an inquiry concerning a Medicare beneficiary who is the provider’s patient, b.) HCFA or c.)HCFA’s contractors.

5. It will promptly notify the contractor of any unauthorized disclosure of information about a Medicare beneficiary and will cooperate to prevent further unauthorized disclosure.

6. The data will not be stored for any duration longer than that required to assure that they have reached their destination, and no more than 30 days for any purpose.

7. It has identified to the contractor in writing any instances where it would need to view Medicare data in order to perform its intended tasks under the agreement. It will not view the data unless it is absolutely necessary to perform its intended tasks.

8. It will not prepare any reports, summary or otherwise, based on any individual aspect of the data content. Reports may be written, however, on data externals or summaries such as the number of records transmitted to a given receiver on a given date.

9. It will guarantee that an authorized user may be deleted within 24 hours. Other standards of performance, including, but not limited to, how quickly a user may be added to the network, must be specified in writing.

10. No incoming or outgoing electronic data interchange (EDI) will be conducted unless authorization for access is in writing and signed by the provider, and each provider has a valid EDI enrollment form on file.

11. It has the ability to associate each inquiry with the provider making the inquiry.

12. It will furnish, upon request, documentation that assures the above privacy concerns are being met.

13. It understands that final regulations on security and privacy standards for health information under the Health Insurance Portability and Accountability Act of 1996 will be forthcoming. It will adhere to those regulations when they become effective.

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER STAFF. NO COST COPIES ARE ALSO AVAILABLE FROM OUR WEB SITE AT riverbendgba.com

Please refer any questions to our office toll-free at 877- 296- 6189.