CMS-10157 CMS-10157.Revised Trading Partner Agreement

Medicare HIPAA Eligibility Transaction System

Trading Partner Agreement Submission

PRA Disclosure Statement

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-0960. The time required to complete this information collection is estimated to average 15 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05, Baltimore, Maryland 21244-1850.

I. Background

A. Purpose of the Agreement

The Centers for Medicare & Medicaid Services (CMS) is committed to maintaining the integrity and security of health care data in accordance with applicable laws and regulations. Disclosure of Medicare beneficiary eligibility data is restricted under the provisions of the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Medicare beneficiary eligibility transaction is to be used for conducting Medicare business only.

In its administration of the Medicare FFS program, The Centers for Medicare & Medicaid Services (CMS) is a covered entity under the HIPAA rules. This Trading Partner Agreement serves to identify entities external to CMS that will exchange HIPAA compliant electronic transactions with CMS applications. The information collected will enable CMS and the Trading Partner to establish connectivity, define the data exchange requirements, and stipulate the responsibilities of the entities receiving CMS-supplied beneficiary eligibility information.

Connectivity to CMS eligibility systems is supported by use of the Extranet and/or the Internet. Eligibility information currently available on the Extranet is through the HIPAA Eligibility Transaction System (HETS). HETS supports the exchange of the HIPAA compliant 270 Eligibility Inquiry and 271 Eligibility Response. The eligibility application currently available on the Internet is the data equivalent of the 270/271 exchange.

Entities that wish to submit 270 inquiries to Medicare via HETS on a real-time basis (hereinafter, "Submitter" or "Submitters") will use the AT&T communication Extranet (the Medicare Data Communication Network, or MDCN). This Extranet is a secure closed private network currently used to transmit data between Medicare FFS contractors and CMS, as well as for transmission of electronic transactions between CMS and providers or clearinghouses. In order to access the MDCN, Submitters must obtain the necessary AGNS connectivity from an AT&T reseller.

As a covered entity in making the disclosures of information in the 271 response transaction, CMS is required to verify the identity of the individual requesting the Protected Health Information and the individual’s authority to have access to that information. Federal law requires that CMS take precautions to minimize security risks to the federal information systems. Accordingly, CMS is requiring that trading partners who wish to conduct the 270/271 transaction on a real-time basis provide certain assurances as a condition of receiving access to the Medicare data.

B. Authorized Uses

Medicare eligibility data are only to be used for Medicare business done on behalf of Medicare providers, including preparing accurate Medicare claims or determining eligibility for specific services. Authorized requests for Medicare beneficiary eligibility information are listed below:

• After screening the patient to determine Medicare eligibility, verify eligibility for Part A or Part B of Medicare

• Determine beneficiary payment responsibility with regard to deductible/co-insurance

• Determine eligibility for services such as preventive services

• Determine if Medicare is the primary or secondary payer

• Determine if the beneficiary is in the original Medicare plan, Part C plan (Medicare Advantage), or Part D plan.

• Determine proper billing

• Checking eligibility for a Medicare beneficiary currently being treated or serviced or who has contacted a Medicare provider about treatment or service, or for whom a Medicare provider has received a referral from a health care provider that has treated or served that patient.

C. Criminal Penalties

CMS monitors beneficiary eligibility inquiries. Submitters demonstrating behavior that suggests improper use of the data (e.g., high inquiry error rate or, for provider submitters, high ratio of eligibility inquiries to claims submitted) may be suspended, put on a corrective action plan (CAP) or, when appropriate, be referred for investigation. Criminal penalties could be imposed for continued aberrant behavior.

PENALTIES FOR FALSIFYING INFORMATION ON, WRONGFUL OBTAINING OF INFORMATION THROUGH, AND WRONGFUL DISCLOSURE OF INFORMATION OBTAINED PURSUANT TO, THE TRADING PARTNER AGREEMENT FOR SUBMISSION OF 270s TO MEDICARE ON A REAL-TIME BASIS.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.

Trading Partner Agreement Violation

42 U.S.C. 1320d-6 authorizes criminal penalties against a person who, "knowingly and in violation of this part ... (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person." Offenders shall "(1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both."

False Claim Act

Under the False Claims Act, 31 U.S.C. §§ 3729-3733, those who knowingly submit, or cause another person or entity to submit, false claims for payment of government funds are liable for three times the government’s damages plus civil penalties of $5,500 to $11,000 per false claim.

18 U.S.C. 1001 authorizes criminal penalties against an individual who in any matter within the jurisdiction of any department or agency of the United States knowingly and willfully falsifies, conceals, or covers up by any trick, scheme, or device, a material fact, or makes any false, fictitious or fraudulent statements or representations, or makes any false writing or document knowing the same to contain any false, fictitious or fraudulent statement or entry. Individual offenders are subject to fines of up to $250,000 and imprisonment for up to 5 years. Offenders that are organizations are subject to fines of up to $500,000. 18 U.S.C. 3571(d) also authorizes fines of up to twice the gross gain derived by the offender if it is greater than the amount specifically authorized by the sentencing statute.

II. Assurances

Provision by CMS of access to the HETS Extranet is subject to Submitter's agreement and assurances as set forth below. Access to HETS may be terminated by CMS, without prior notice to the Submitter, in the event that CMS determines based on information from the Submitter or otherwise, that Submitter has not complied with one or more of the assurances hereafter provided by Submitter.

In consideration of the foregoing, and in order to obtain access to HETS on a real-time basis, the Submitter hereby agrees and assures, by checking the left-hand boxes, as appropriate, as follows:

All Submitters:

All Clearinghouse Submitters:

Along with the previous provisions for all submitters, all clearinghouse submitters must attest to:

All Provider Submitters:

Along with the previous provisions for all submitters, all provider submitters must attest to:

Attestation:

The Authorized Representative whose name is supplied below is authorized to bind Submitter to the undertakings in this agreement. By completing the section below you are agreeing that your organization will be in compliance with the provisions listed above.

(* indicates required field)