Download: docx | pdf

Form Approved - OMB No. 0938-1035 / Expires: XX/XX/XXXX

DEPARTMENT OF HEALTH AND HUMAN SERVICES CENTERS FOR MEDICARE & MEDICAID SERVICES

SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM

INSTRUCTIONS FOR COMPLETING THE SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM

**Indicates a Required Field

SECTION 1: Security Consent and Surrogate Authorization Form’s Purpose and Definitions

SECTION 2: Confirmation of Understanding and Penalties for Falsifying Information

SECTION 3A: Individual Provider

Complete this section if you are an Individual Provider that submits claims to Medicare or an organization you may be employed by submits claims to Medicare on your behalf for the Medicare-covered medical items and services provided to Medicare beneficiaries.

• The full name, Social Security Number (SSN), National Provider Identifier, phone number and email address provided should be of the Individual Provider.

• The Individual Provider shall sign and date the form.

SECTION 3B: Organizational Provider

Complete this section if you are an Organizational Provider (including a group practice) that submits claims to the

Medicare Part A and/or Part B program and provide Medicare-covered medical items and services to Medicare beneficiaries.

• The Legal Business Name (LBN), Employer Identification Number (EIN) and the National Provider Identifier (NPI) should be of the Organizational Provider. The LBN and EIN must match your IRS CP-575.

• An Authorized Official (AO) of the Organizational Provider must provider their full name and Social Security Number (SSN).

• The phone number and email address should be of the AO.

• The AO shall sign and date the form.

If the AO would like to delegate the authority to access the CMS computer system on the Individual or Organizational Provider’s behalf to another individual within their organization, the “Delegated Official of the Organizational Provider” section within 3B should be completed.

• The Delegated Official (DO) of the Organizational Provider must provide their full name and Social Security Number (SSN).

• The phone number and email address should be of the DO.

• The DO should sign and date the form.

SECTION 4: CMS Computer Systems

Complete this section by identifying the CMS computer system for which you will be providing surrogate services. If the CMS system is not listed please select “Other” and specify in the field provided. At least one system must be selected.

• PECOS: Provider Enrollment Chain and Ownership System

• NPPES: National Provider Plan and Enumeration System

• EHR Incentive Program: Electronic Health Records Incentive Program

SECTION 5A: Surrogate Organization

Complete this section if you are an Organization (i.e., a third party billing company, billing agency, staffing company or credentialing department) that will be accessing CMS computer systems on behalf of the Individual Provider listed in Section 3A or the Organizational Provider listed in Section 3B.

• The Legal Business Name (LBN) and Employer Identification Number (EIN) should be of the Surrogate Organization. The LBN and EIN must match your IRS CP-575.

• The Authorized Official (AO) of the Surrogate Organization must provide their full name and Social Security Number (SSN).

• The phone number and email address should be of the AO.

• The AO should sign and date the form.

If the AO would like to delegate the authority to access the CMS computer system on the Individual or Organizational Provider’s behalf to another individual within their organization, the “Surrogate Organization Delegated Official” section within 3B should be completed.

• The Delegated Official (DO) of the Surrogate Organization must provide their full name and Social Security Number (SSN).

• The phone number and email address should be of the DO.

• The DO should sign and date the form.

SECTION 5B: Surrogate Individual

Complete this section if you are an Individual (i.e., office assistant) that will be accessing CMS computer systems on behalf of the Individual Provider listed in Section 3A or the Organizational Provider listed in Section 3B:

Example #1: If Individual Provider named John Smith is part of an Organizational Provider group practice name Health Group Inc., and he has made business arrangements with them to manage his enrollment information with PECOS and update information in HITECH, then John Smith would complete Section 3A and Section 4. Health Group Inc. would complete 3B.

Example #2: If Organizational Provider named United Health Group has made business arrangements with a 3rd party consulting company, Billing Medical to manage their enrollment information in PECOS, then United Health Group would complete Section 3B and Section 4. Billing Medical would complete 5A.

When you have completed and confirmed all information below you must submit all pages, and the copies of the following documentation to CMS via CMS External User Services:

• A Government Issued identification for all individuals listed.

• An IRS CP-575 or equivalent for each organization listed.

Please note: Due to the increased time associated with the manual processing of the security consent and surrogate authorization form, some delays may be experienced before this request is approved. For more rapid approval, please ask the Provider to log in to CMS’ Identity and Access Management System and approve this request online. If approved online by the Provider this confirmation form does not need to be submitted, and access will be granted immediately.

Please contact the CMS External User Services (EUS) Help Desk should you have any questions regarding this conformation. Please return all pages, completed and signed to: CMS External User Services (EUS) Help Desk, PO Box 792750, San Antonio TX 78279, Phone Number: (866) 484-8049.

SECTION 6: Required Documentation and Submission Instructions

Review this section to identify the documents required to be sent to the CMS EUS Help Desk to complete the security consent and Surrogate authorization process. Contact information for the help desk is also identified.

NOTE: LACK OF PROPER DOCUMENTATION (e.g., Government Issued identification for individuals and Internal Revenue Service (IRS) CP-575 (or equivalent) WILL RESULT IN A REJECTION OF THIS REQUEST.

CMS-10220 (Rev. xx/xx) 2

EXAMPLES

Example #1: Individual Provider and Group Practice

John Smith (Individual Provider) is part of a group practice Health Group Inc. (Organizational Provider). Brian Johnson is the Authorized Official (AO) for Health Group Inc. John has made business arrangements with Health Group Inc. to manage his enrollment information within PECOS and update information in EHR.

1. Brian Johnson registers for an account in the I&A system and identifies Health Group Inc. as his Employer and himself as the AO.

2. Brian Johnson submits a request in I&A to become a Surrogate for Individual Provider John Smith.

3. John Smith can either approve the request electronically in I&A (approval received immediately), or approve via paper by completing this Security Consent and Surrogate Authorization Form.

4. John Smith would complete Section 3A of this form, and Section 4 indicating PECOS and EHR Incentive Program.

5. Brian Johnson as the AO for Health Group Inc. would complete 3B. Brian Johnson supplies his government Id and a copy of the IRS CP-575 for Health Group Inc. verifying the LBN and TIN.

6. John Smith supplies his government Ids.

7. This form and the above documentation are submitted to EUS for processing.

These steps establish the connection between John Smith and Health Group Inc. Health Group Inc. can now act as a Surrogate for John Smith.

Example #2: Group Practice and 3rd party Organization as Surrogate

United Health Group (Organizational Provider) has made business arrangements with a 3rd party consulting company, Billing Medical (3rd Party Organization) to manage their enrollment information in PECOS. Jane Foster is the Authorized Official (AO) of United Health Group and Jack Lee is the AO of Billing Medical.

1. Jane Foster registers for an account in the I&A system and identifies United Health Group as her Employer and herself as the AO.

2. Jack Lee registers for an account in the I&A system and identifies Billing Medical as his Employer and himself as the AO.

3. Jack Lee submits a request in I&A to become a Surrogate for Organizational Provider United Health Group.

4. Jane Foster can either approve the request electronically in I&A (approval received immediately), or approve via paper by completing this Security Consent and Surrogate Authorization Form

5. Jane Foster, as the AO for United Health Group, would complete Section 3B and Section 4.

6. Billing Medical would complete 5A.

7. Jane Foster supplies her government Id and a copy of the IRS CP-575 for United Health Group verifying the LBN and TIN.

8. Jack Lee supplies his government Ids and a copy of the IRS CP-575 for Billing Medical verifying the LBN and TIN.

9. This form and the above documentation are submitted to EUS for processing.

These steps establish the connection between United Health Group and Billing Medical. Billing Medical can now act as a

Surrogate for United Health Group and modify their organization information in PECOS. However, this does not grant Billing Medical the authority to access PECOS on behalf of the Individual Providers who may be linked to United Health Group as indicated in example 1.

Example #3: Individual Provider and Group Practice with Delegated Officials

Jane Doe (Individual Provider) is one of many physicians that work at United Health Group (Organizational Provider). Mark Williams is the Authorized Official (AO) for United Health Group. Jane Doe has approved United Health Group as a Surrogate to manage her enrollment information within PECOS and update information in HITECH using the steps in Example #1. David Jones and Michael Brown are employees of United Health Group and are delegated as their credentialing specialist and meaningful use point person. In order for David and Michael to be Surrogate users for Jane Doe:

1. David Jones and Michael Brown each register for an account in the I&A system and identifies United Health Group as their Employer and themselves as the DO.

2. Mark Williams can either approve the request electronically in I&A (approval received immediately), or approve via paper by completing this Security Consent and Surrogate Authorization Form twice, once approving David Jones as the DO and the other approving Michael Brown as the DO.

3. Mark Williams would complete Section 3B (Organizational Provider and Authorized Official of the Organizational Provider)

4. David Jones/Mark Williams would complete Section 3B (Delegated Official of the Organizational Provider).

5. David Jones and Mark Williams supply their government Ids and a copy of the IRS CP-575 for United Health Group verifying the LBN and TIN.

6. This form and the above documentation are submitted to EUS for processing.

These steps establish David Jones and Mark Williams as delegated officials for United Health Group, and gives then authority to access systems on behalf of any Individual Provider who has authorized United Health Group as a Surrogate.

Example #4: Individual Provider and 3rd party Individual as Surrogate

Joe Brown (Individual Provider) has a private practice JB Medical Clinic. Sarah Douglas is Joe Brown’s office manager and will be managing his enrollment information within PECOS and update information in EHR.

1. Joe Brown registers for an account in the I&A system as the Individual Provider.

2. Sarah Douglas registers for an account in the I&A system and identifies Joe Brown as her Employer and herself as the Delegated Official (DO).

   

3. Sarah Douglas submits a request in I&A to become a Surrogate for Individual Provider Joe Brown. Joe Brown can either approve the request electronically in I&A (approval received immediately), or approve via paper by completing this Security Consent and Surrogate Authorization Form.

4. Joe Brown would complete Section 3A and Section 4 indicating PECOS and EHR Incentive Program.

5. Sarah Douglas would complete Section 5B.

6. Sarah Douglas supplies her government Id.

7. This form and the above documentation are submitted to EUS for processing.

These steps establish the connection between Joe Brown and Sarah Douglas. Sarah Douglas can now act as a Surrogate for Joe Brown.

Example #5: Registering as an Authorized Official for a new Organizational Provider

Brian Johnson is the Authorized Official (AO) for Health Group Inc. (Organizational Provider), which has a Type 2 NPI, and is now interested in enrolling in Medicare.

1. Brian Johnson registers for an account in the I&A system and identifies Health Group Inc. as his Employer and himself as the AO.

2. Brian Johnson as the AO for Health Group Inc. would complete 3B.

3. Brian Johnson submits a copy of his government ID, the IRS CP-575 or equivalent IRS document for Health Group Inc. verifying the Legal Business Name and EIN match the EIN used to register in I&A.

4. Brian Johnson submits this form and the above documentation to EUS for processing.

These steps establish Brian Johnson as the Authorized Official for Health Group Inc., and allows him to act on behalf of Health Group Inc.in the CMS systems that use I&A.

For more information or examples please visit the Identify and Access Management System (I&A) at https://nppes.cms.hhs. gov/NPPES/IASecurityCheck.do.

CMS-10220 (Rev. xx/xx)

Form Approved

DEPARTMENT OF HEALTH AND HUMAN SERVICES OMB No. 0938-1035, CENTERS FOR MEDICARE & MEDICAID SERVICES Expires: XX/XX

SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM

SECTION 1: SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM PURPOSE AND DEFINITIONS

The purpose of this Security Consent and Surrogate Authorization Form is for the Individual or Organizational Provider listed below to confirm that they are aware that the individual or organization identified as the Surrogate below has requested access to act on their behalf. The Individual or Organizational Provider will approve the Surrogate to act on their behalf when accessing CMS computer systems including but not limited to Provider Enrollment, Chain and Ownership System (PECOS), National Provider Plan and Enumeration System (NPPES) and the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program Registration and Attestation System (HITECH).

• Authorized Official: An appointed official of an organization with the legal authority to conduct various actions related to business for the organization and ensure organization compliance with Medicare statutes, regulations and instructions.

• Delegated Official: An individual delegated by the Authorized Official of an organization to ensure organization compliance Medicare statutes, regulations and instructions.

• Individual Provider/Supplier: An individual that submits claims to Medicare or an individual who is employed by an organization that submits claims to Medicare on their behalf for the Medicare-covered medical items and services provided to Medicare beneficiaries. Hereinafter referred to as “Individual Provider”.

• Organizational Provider/Supplier: An organizational provider (including a group practice) that submits claims to the Medicare Part A and/or Part B programs and provides Medicare-covered medical items and services to Medicare beneficiaries. Hereinafter referred to as “Organizational Provider”.

• Surrogate: An Individual or Organization identified by an Individual or Organizational Provider as someone authorized to access CMS computer systems on their behalf and to modify or view any information contained therein that the Individual or Organizational Provider may have permission or right to access in accordance with Medicare statutes, regulations, policies, and usage guidelines for any CMS system.

SECTION 2: CONFIRMATION OF UNDERSTANDING AND PENALTIES FOR FALSIFYING INFORMATION FOR INDIVIDUAL OR ORGANIZATIONAL PROVIDER

By signing below and submitting or authorizing the submission of this information to CMS all signers of this form confirm and agree to the following:

• The individual identified in Section 3A (“Individual Provider”) or the organization identified in Section 3B

(“Organizational Provider”) has: i) a pre-existing and current business relationship with the Surrogate Organization or Surrogate Individual listed in Section 5A and Section 5B respectively below (collectively “Surrogate”); ii) has authorized the Surrogate to access CMS computer systems on their behalf for the sole purpose of modifying or viewing any information contained therein that the Individual or Organizational Provider may have permission or right to access in accordance with Medicare statutes, regulations, policies, and usage guidelines for that system; iii) has not shared their CMS issued username and password with any 3rd party including the Surrogate.

• The individual identified in Section 5A confirms that they are an Authorized or Delegated Official as defined above for the Organization identified in Section 5A (“Surrogate Organization”), and that this Organization has a preexisting and current business relationship with Individual Provider that grants this Organization the authority to act as a Surrogate, as defined above.

• The individual identified in Section 5B (“Surrogate Individual”) confirms that they are an Individual not acting on behalf of any Organization as defined above, and that they have a pre-existing and current business relationship with the Individual Provider that grants this individual the authority to act as a Surrogate, as defined above.

• Surrogates shall only access CMS systems with the username and password issued to them personally as part of the Identity and Access Management Registration process, and not the username and password issued to the Individual Provider identified in Section 3A.

The signatures below further confirm that all signers: have read, understand, and agree to all statements herein, including the following:

• PENALTIES FOR FALSIFYING INFORMATION ON THE SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM FOR MEDICARE INDIVIDUAL OR ORGANIZATIONAL PROVIDER

The signatures below authorize the Medicare program to grant the Surrogate identified in Section 5A or 5B access to Medicare information for the Individual or Organizational Provider identified in Section 3A or 3B of this form. The Individual Provider/Authorized Official of the Organization, agree to the following statements:

• 18 U.S.C. § 1001 authorizes criminal penalties against an individual who, in any matter within the jurisdiction of any department or agency of the United States, knowingly and willfully falsifies, conceals or covers up by any trick, scheme or device a material fact, or makes any false, fictitious or fraudulent statements or representations, or makes any false writing or document knowing the same to contain any false, fictitious or fraudulent statement or entry. Individual offenders are subject to fines of up to $250,000 and imprisonment for up to five years. Offenders that are organizations are subject to fines of up to $500,000(18 U.S.C. § 3571). Section 3571(d) also authorizes fines of up to twice the gross gain derived by the offender if it is greater than the amount specifically authorized by the sentencing statute.

Any deliberate omission, misrepresentation, or falsification of any information contained in this application or contained in any communication supplied to Medicare or its contractors, or any deliberate alteration of any text on this conformation, may be punishable by criminal, civil, or administrative penalties including, but not limited to, the denial or revocation of Medicare billing privileges and/or imposition of fines, civil damages, and/or imprisonment.

NOTE: LACK OF PROPER DOCUMENTATION (e.g., Government Issued identification for individuals and Internal Revenue Service (IRS) CP-575 (or equivalent) WILL RESULT IN A REJECTION OF THIS REQUEST.

SECTION 3A: INDIVIDUAL PROVIDER

**Indicate Required Fields

I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately.

**Individual Provider (First, Middle, Last, Jr., Sr., M.D., D.O., etc)

**SSN	**Individual NPI
Phone Number	Email Address
**Signature		**Date Signed (mm/dd/yyyy)

SECTION 3B: ORGANIZATIONAL PROVIDER

**Indicate Required Fields

I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately.

**Organizational Provider (Legal Business Name) Note: LBN and EIN must match the IRS CP-575

**EIN	**Organization NPI
**Authorized Official of the Organizational Provider (First, Middle, Last, Jr., Sr., etc)		**SSN
Phone Number	Email Address
**Signature		**Date Signed (mm/dd/yyyy)
** Delegated Official of the Organizational Provider (First, Middle, Last, Jr., Sr., etc)		**SSN
Phone Number	Email Address
**Signature		**Date Signed (mm/dd/yyyy)

SECTION 4: CMS COMPUTER SYSTEMS

**Select the system(s) for which you will be providing surrogate services:

Note: At least one must be selected.

SECTION 6: REQUIRED DOCUMENTATION AND SUBMISSION INSTRUCTIONS

When you have completed and confirmed all information on this form you must submit all pages, excluding the instructions, and the copies of the following documentation to CMS via CMS External User Services (EUS). Please identify the items and number of documents being submitted using the checklist provided:

Please return all pages, completed and signed to:

CMS External User Services (EUS) Help Desk

PO Box 792750

San Antonio TX 78279

Phone Number: (866) 484-8049

Paperwork Reduction Act Disclosure Statement: According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-1035. The time required to complete this information collection is estimated to be one hour per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have any comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Baltimore, Maryland 21244-1850. DO NOT MAIL APPLICATIONS TO THIS ADDRESS. Mailing your application to this address will significantly delay application processing.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	JAMAA HILL
File Modified	0000-00-00
File Created	2021-01-22