Supporting Statement – Part A
Supporting Statement For Paperwork Reduction Act Submissions
A. Background
The Centers for Medicare and Medicaid Services (CMS) is requesting the Office of Management and Budget (OMB) approval of the Real-Time Eligibility Attestation Form (Attestation Form) and MDCN Access Request Form. CMS created a national database and infrastructure to provide Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliant 270/271 health care eligibility inquires (270) and responses (271) on a real-time basis. In creating this database, federal law requires that CMS take precautions to minimize the security risk to federal information systems. Accordingly, CMS is requiring that trading partners who wish to connect to the Medicare Data Center Network (MDCN) to access Medicare beneficiary information provide certain assurances as a condition of receiving access to the Medicare database. This will be accomplished by the Trading Partner Agreement Form. Also CMS is requiring that trading partners use the MDCN Access Request Form to establish connectivity to the data center. In combination, these forms will be used to establish connectivity to the service and assure that those entities that access the Medicare database are aware of applicable provisions and penalties for the misuse of information.
B. Justification
In its administration of the Medicare FFS program, CMS is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules. As a covered entity, CMS is required to verify the identity of the person requesting the Protected Health Information (PHI) and the person’s authority to have access to that information. In addition, in contrast to the other standard transactions which Medicare conducts, provision of information in the 271 response transaction, on a real-time basis, will involve direct access by outside entities to a national Medicare datafile.
MDCN provides networking services in support of the Medicare for the Common Working File (CWF) network and other Medicare/Medicaid-related traffic. The MDCN contract, which uses Value Added Network (VAN) services from AT&T Global Networking Services (AGNS), replaces a contract originally let by the National Library of Medicine, which used the services of Advantis. AGNS provides CMS with a private frame-relay-based network WAN (Wide Area Network). As part of the User ID setup process, a user can be granted access to specific IP (Internet Protocol) addresses. All addresses not specifically allowed are automatically denied
1 . Need and Legal Basis
HIPAA regulations require covered entities to verify the identity of the person requesting PHI and the person’s authority to have access to that information Under the HIPAA Security Rule, covered entities, regardless of their size, are required under 164.312(a)(2)(i) to “{a}sign a unique name and/or number for identifying and tracking user identity.” A ‘user’ is defined in 164.304 as a “person or entity with authorized access” Accordingly, the Security Rule requires covered entities to assign a unique name and/or number to each employee or workforce member who uses a system that receives, maintains or transmits electronic PHI, so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large provider offices, health plans, group health plans, and clearinghouses.
Federal law requires that CMS take precautions to minimize the security risk to the federal information system. FIPS PUB 161-2 Para 11.7: “Security and Authentication. Agencies shall employ risk management techniques to determine the appropriate mix of security controls needed to protect specific data and systems. The selection of controls shall take into account procedures required under applicable laws and regulations.” Accordingly, CMS is requiring that entities who wish to connect to the Medicare Data Center Network are uniquely identified. CMS is required to verify the identity of the person requesting the Protected Health Information (PHI) and the person’s authority to have access to MDCN. Furthermore, CMS is requiring that trading partners who wish to conduct eligibility transactions on a real-time basis with CMS provide certain assurances as a condition of receiving access to the Medicare database for the purpose of conducting real-time 270/271 inquiry/response transactions.
2. Information Users
The Access Request form is used by CMS to capture certain information whereby a person identifies the particular application, Server, IP (Internet Protocol) address, information as well as specific organization information which is reviewed and authorized prior to the access being granted.
The Trading Partner Agreement Form is used by CMS to capture certain information whereby a person certifies that they are fully aware of any and all penalties related to the use of PHI and their access to this data from the CMS database. The information is an attestation by the authorized representative of an entity that wishes to access the CMS database to conduct real-time eligibility transactions. The data captured includes the authorized representative’s name, title contact number and the name of the submitting entity. Other data captured is the submitters’ National Provider Identifier (NPI), business name, billing address, physical address, and telephone number.
3. Use of Information Technology
CMS is allowing public access to the MDCN network in order to offer real-time Eligibility Inquiries (270) and Responses (271) in an electronic format as a method for healthcare providers to ascertain the eligibility beneficiaries using a secure network connection. The Access Request form is available on the CMS website. The electronic form requires users to complete the Access Request form by keying specific information and by clicking on the appropriate boxes and entering general contact information about themselves
CMS is offering real-time 270/271’s as a method for healthcare providers to ascertain the eligibility of beneficiaries using a secure network connection. The Trading Partner Agreement Form is available on the CMS website. The electronic form requires users to complete the Trading Partner Agreement Form attesting to certain conditions, by clicking on the appropriate boxes and entering general contact information about themselves.
These are modified versions of existing forms that do not duplicate other collection efforts and do not require a signature.
4. Duplication of Efforts
This data has not been captured previously as this Access Request is the first application where public users will connect directly to a Medicare Data Center Network for the purpose of conducting HIPAA transactions.
This data has not been captured previously as this real-time eligibility process is the first application where users will connect directly to a national CMS database to conduct HIPAA transactions.
5. Small Businesses
There will be minimal impact on small businesses as the length of time to read, complete, and submit is typically less than fifteen minutes.
6. Less Frequent Collection
This information will be collected one time for entities wishing to connect to MDCN and to conduct real-time eligibility transactions with the CMS database.
7. Special Circumstances
Responders must complete the Access Request form and obtain authorization prior to gaining access to the MDCN
Responders must complete the Trading Partner Agreement Form prior to gaining access to the CMS real-time eligibility transaction system.
8. Federal Register/Outside Consultation
The 60-day Federal Register notice for this information collection published on March 20, 2009.
9. Payments/Gifts to Respondents
There are no payments or gifts to respondents.
10. Confidentiality
The information collected will be gathered and used solely by CMS. The data will not be shared with any outside organizations.
11. Sensitive Questions
There are no sensitive questions on the Attestation form.
12. Burden Estimates (Hours & Wages)
The provider community that is expected to request access to the CMS database is estimated to be at a maximum of 2000 annually with 90% of the respondents to reply electronically (the remainder by fax). The estimated time to read, execute, and submit these forms is less than fifteen minutes and the total burden is estimated to be 500 hours.
13. Capital Costs
There are no capital costs to the respondents.
14. Cost to Federal Government
The cost to the Federal Government is estimated at $100,000. This is to publish the Trading Partner Agreement Form and Access Request Form on the CMS website, receive, review, and store the completed forms that are submitted by the respondents. The receipt of the Trading Partner Agreement form from 2,000 respondents at a cost of $25 to receive, review, and store the complete forms was the basis for cost determination. The receipt of the Access Request form from 2,000 respondents at a cost of $25 to receive, review, and store the complete forms was the basis for cost determination
15. Changes to Burden
The original information collection request and the subsequent extension request in 2006, we listed a burden estimate of maximum 122,000 respondents replying electronically. At 15 minutes per form, the total burden was estimated at 45,000 hours. At the time, it appears that CMS was underestimating the percentage of transaction volume that would be submitted via clearinghouses or third party vendor type aggregators. Nearly 92% of HETS 270/271 volume today is submitted by clearinghouses or Medicare FFS contractors. Provider’s choice to rely on aggregators for HETS connectivity has minimized the number of submitter applications (and HETS direct submitters). When preparing the version of the ICR that OMB is currently reviewing, we amended the burden estimate to 2,000 respondents annually with 90% electronic reply. Still assuming 15 minutes per form, the total burden is estimated at 500 hours. We based our estimate of 2,000 applications on the average number of new HETS 270/271 submitter requests that were being received each month in Q4 2008.
Additionally, the burden estimate is being reduced in numbers and cost because the application has been in use for three users and a significant number of providers have already enrolled for the system. Additional applications will be expected but volume will be substantially lowered. The forms have been revised to improve clarity and to remove unnecessary questions.
16. Publication/Tabulation Dates
N/A
17. Expiration Date
CMS would like an exemption from displaying the expiration date as these forms are used on a continuing basis. To include an expiration date would result in having to discard a potentially large number of forms.
18. Certification Statement
There are no exceptions to the certification statement.
| File Type | application/msword |
| File Title | Supporting Statement – Part A |
| Author | CMS |
| Last Modified By | CMS |
| File Modified | 2009-08-18 |
| File Created | 2009-08-18 |