SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM
SECTION 1 – SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM PURPOSE AND DEFINITIONS: |
The purpose of this form is to:
Prior to use of this form:
This form should not be submitted unless these steps have been completed. This form is not required to authorize a surrogate if the Individual Provider or Organizational Provider and the Surrogate both confirm the connection online via the CMS Identity and Access Management (I&A) system.
Due to the increased time associated with the manual processing of the Security Consent and Surrogate Authorization Form, some delays may be experienced before a surrogacy confirmation is approved. To complete the surrogacy authorization electronically and receive approval immediately, please use the CMS' I&A system at https://nppes.cms.hhs.gov/NPPES/IASecurityCheck.do.
For purposes of this form, the following definitions apply:
Authorized Official: An appointed official of an Organizational Provider or 3rd Party Organization with the authority to legally bind that organization and conduct business on behalf of the organization. If an Organizational Provider, also ensures the organization’s compliance with Medicare statutes, regulations and instructions
Delegated Official: An individual, delegated by the Authorized Official of an Organizational Provider or 3rd Party Organization, with the authority to legally bind the organization and conduct business on behalf of the organization. If an Organizational Provider, also ensures the organization’s compliance with Medicare statutes, regulations and instructions.
Individual Provider/Supplier: An individual that provides services to Medicare beneficiaries and submits claims to Medicare and/or reassigns benefits to an organization that submits claims to Medicare on their behalf. Must have or be eligible for a Type 1 NPI in NPPES. Hereinafter referred to as “Individual Provider”.
Organizational Provider/Supplier: An organization that provides medical items and services to Medicare beneficiaries (including a group practice) that submits claims to the Medicare Part A and/or Part B programs. Must have or be eligible for a Type 2 NPI in NPPES. Hereinafter referred to as “Organizational Provider”.
Third-Party Organization: A third-party organization (e.g. billing agency, credentialing consultant, or other staffing company) that has business relationships with Individual Providers or Organizational Providers to work on their behalf.
Surrogate:
Approving a Surrogate to work on behalf of an Individual Provider or Organizational Provider does not give the Surrogate the authority to sign Medicare enrollment applications. All enrollment applications are still required to be signed by the Individual Provider or appropriate Official of the Organizational Provider. |
SECTION 2 - CONFIRMATION OF UNDERSTANDING AND PENALTIES FOR FALSIFYING INFORMATION FOR INDIVIDUAL OR ORGANIZATIONAL PROVIDER: |
By signing below and submitting or authorizing the submission of this information to CMS all signers of this form confirm and agree to the following, as applicable to their situation:
The individual(s) identified in Section 3A confirms that they are an Authorized or Delegated Official as defined above for the Organization identified in Section 3A ("Organizational Provider").
The individual identified in Section 3A ("Individual Provider") has: i) a pre-existing and current business relationship with the organization identified in Section 3B (“Organizational Provider”); ii) has authorized this organization to be a Surrogate and access CMS computer systems on their behalf for the sole purpose of modifying or viewing any information contained therein that the Individual or Organizational Provider may have permission or right to access in accordance with Medicare statutes, regulations, policies, and usage guidelines for that system; iii) has not shared their CMS issued username and password with any 3rd party including the Surrogate.
The individual identified in Section 3A ("Individual Provider") or the organization identified in Section 3B (“Organizational Provider”) has: i) a pre-existing and current business relationship with the 3rd Party Organization or 3rd Party Individual listed in Section 5A and Section 5B respectively below; ii) has authorized has authorized this organization to be a Surrogate and access CMS computer systems on their behalf for the sole purpose of modifying or viewing any information contained therein that the Individual or Organizational Provider may have permission or right to access in accordance with Medicare statutes, regulations, policies, and usage guidelines for that system; iii) has not shared their CMS issued username and password with any 3rd party including the Surrogate.
The individual identified in Section 5A confirms that they are an Authorized or Delegated Official as defined above for the Organization identified in Section 5A ("3rd party Organization"), and that this Organization has a pre-existing and current business relationship with the Individual Provider that grants this Organization the authority to act as a Surrogate, as defined above.
The individual identified in Section 5B ("3rd party Individual") confirms that they are an Individual not acting on behalf of any Organization as defined above, and that they have a pre-existing and current business relationship with the Individual Provider that grants this individual the authority to act as a Surrogate, as defined above.
Surrogates shall only access CMS systems with the username and password issued to them personally as part of the Identity and Access Management Registration process, and not the username and password issued to the Individual Provider identified in Section 3A.
The signatures below further confirm that all signers: have read, understand, and agree to all statements herein, including the following:
PENALTIES FOR FALSIFYING INFORMATION ON THE SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM FOR MEDICARE INDIVIDUAL OR ORGANIZATIONAL PROVIDER
The signatures below authorize the Medicare program to grant the Surrogate identified in Section 5A or 5B access to Medicare information for the Individual or Organizational Provider identified in Section 3A or 3B of this form. The Individual Provider/Authorized Official of the Organization, agree to the following statements:
18 U.S.C. § 1001 authorizes criminal penalties against an individual who, in any matter within the jurisdiction of any department or agency of the United States, knowingly and willfully falsifies, conceals or covers up by any trick, scheme or device a material fact, or makes any false, fictitious or fraudulent statements or representations, or makes any false writing or document knowing the same to contain any false, fictitious or fraudulent statement or entry. Individual offenders are subject to fines of up to $250,000 and imprisonment for up to five years. Offenders that are organizations are subject to fines of up to $500,000(18 U.S.C. § 3571). Section 3571(d) also authorizes fines of up to twice the gross gain derived by the offender if it is greater than the amount specifically authorized by the sentencing statute.
Any deliberate omission, misrepresentation, or falsification of any information contained in this application or contained in any communication supplied to Medicare or its contractors, or any deliberate alteration of any text on this conformation, may be punishable by criminal, civil, or administrative penalties including, but not limited to, the denial or revocation of Medicare billing privileges and/or imposition of fines, civil damages, and/or imprisonment. |
SECTION 3A- INDIVIDUAL PROVIDER |
** Indicate Required Fields
|
|
I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately. |
||
**Individual Provider (First, Middle, Last, Jr., Sr., M.D., D.O., etc): |
**SSN: |
**Individual NPI: |
|
|
|
Phone Number: |
E-mail Address: |
|
|
|
|
**Signature: |
**Date Signed (MM/DD/YYYY): |
|
|
|
|
SECTION 3B – ORGANIZATIONAL PROVIDER |
** Indicate Required Fields
|
|
I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately. |
||
**Organizational Provider (Legal Business Name): Note: LBN and EIN must match the IRS CP-575 |
**EIN: |
**Organization NPI: |
|
|
|
**Authorized Official of the Organizational Provider (First, Middle, Last, Jr., Sr., etc): |
**SSN: |
|
|
|
|
Phone Number: |
E-mail Address: |
|
|
|
|
**Signature: |
**Date Signed (MM/DD/YYYY): |
|
|
|
|
** Delegated Official of the Organizational Provider (First, Middle, Last, Jr., Sr., etc): |
**SSN: |
|
|
|
|
Phone Number: |
E-mail Address: |
|
|
|
|
**Signature: |
**Date Signed (MM/DD/YYYY): |
|
|
|
|
SECTION 4 – CMS COMPUTER SYSTEMS |
**Select the system(s) for which you will be providing Surrogate services: Note: At least one must be selected. |
PECOS ☐ Tracking ID: [Internal Use Only] EHR Incentive Program ☐ Tracking ID: [Internal Use Only] NPPES ☐ Tracking ID: [Internal Use Only] Other ☐ (specify): _____________________ Tracking ID: [Internal Use Only] |
SECTION 5A- 3RD PARTY ORGANIZATION (if applicable): |
** Indicate Required Fields |
I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately. |
|
3rd Party Organization (Legal Business Name): Note: LBN and EIN must match the IRS CP-575 |
** EIN: |
|
|
3rd Party Organization Authorized Official (First, Middle, Last, Jr., Sr., etc): |
** SSN: |
|
|
Phone Number: |
E-mail Address: |
|
|
**Signature: |
**Date Signed (MM/DD/YYYY): |
|
|
3rd Party Organization Delegated Official (First, Middle, Last, Jr., Sr., etc): |
** SSN: |
|
|
Phone Number: |
E-mail Address: |
|
|
**Signature: |
**Date Signed (MM/DD/YYYY): |
|
|
SECTION 5B- 3RD PARTY INDIVIDUAL (if applicable): |
** Indicate Required Fields |
I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately. |
|
3rd Party Individual (First, Middle, Last, Jr., Sr., etc):
|
** SSN: |
|
|
Phone Number: |
E-mail Address: |
|
|
**Signature: |
**Date Signed (MM/DD/YYYY): |
|
|
SECTION 6- REQUIRED DOCUMENTATION AND SUBMISSION INSTRUCTIONS |
When you have completed and confirmed all information on this form you must submit all pages, excluding the instructions, and the copies of the following documentation to CMS via CMS External User Services (EUS). Please identify the items and number of documents being submitted using the checklist provided:
☐ Copy(ies) of Government Issued identification for all individuals listed _____________ (# of documents) (i.e., Driver’s License or Passport).
☐ Copy(ies) of Internal Revenue Service (IRS) CP-575 (letter generated _____________ (# of documents) by the IRS confirming your Employer Identification Number (EIN) and Legal Business Name (LBN) or equivalent for each organization listed). Note: The LBN should match what you have registered in I&A and NPPES.
Please return all pages, completed and signed to: CMS External User Services (EUS) Help Desk, PO Box 792750, San Antonio TX 78279, Phone Number: (866) 484-8049. |
SECTION 7A – INSTRUCTIONS FOR COMPLETING THE SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM
**Indicates a Required Field |
|
SECTION 1 – SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM’S PURPOSE AND DEFINITIONS
SECTION 2 – CONFIRMATION OF UNDERSTANDING AND PENALTIES FOR FALSIFYING INFORMATON
SECTION 3A – INIDIVIDUAL PROVIDER
This section should be completed by the Individual Provider, as defined above, if they are authorizing a Surrogate to work on their behalf.
SECTION 3B – ORGANIZATIONAL PROVIDER
This section should be completed by the Authorized Official of an Organizational Provider, as defined above.
If the Authorized Official would like to delegate their authority to another individual within their organization, the “Delegated Official of the Organizational Provider” section within 3B should be completed.
SECTION 4 – CMS COMPUTER SYSTEMS
Complete this section by identifying the CMS computer system for which the Individual Provider or Organizational Provider has granted the Surrogate authority to access. If the CMS system is not listed please select “Other” and specify in the field provided. At least one system must be selected.
PECOS - Provider Enrollment Chain and Ownership System
EHR Incentive Program – Electronic Health Records Incentive Program
NPPES – National Provider Plan and Enumeration System
SECTION 5A – 3RD PARTY ORGANIZATION (SURROGATE)
This section should be completed by the Authorized Official of a Surrogate Organization, as defined above.
If the Authorized Official of the Surrogate Organization would like to delegate their authority to another individual within their organization, the “Surrogate Organization Delegated Official” section within 3B should be completed.
SECTION 5B – 3RD PARTY INDIVIDUAL (SURROGATE)
Complete this section if you are an Individual Surrogate, as defined above.
Note: If an Organizational Provider Authorizes a Surrogate for their Organization, that does not grant the Surrogate authority to access any systems on behalf of Individual Providers who may be linked to that Organizational Provider (i.e. previously authorized them as a Surrogate, or has reassigned benefits).
SECTION 6 – REQUIRED DOCUMENATION AND SUBMISSION INSTRUCTIONS
Review this section to identify the documents required to be sent to the CMS EUS Help Desk to complete the security consent and Surrogate authorization process. Contact information for the help desk is also identified. |
|
SECTION 7B - EXAMPLES |
|
Example #1: Individual Provider and Group Practice John Smith (Individual Provider) is part of a group practice Health Group Inc. (Organizational Provider). Brian Johnson is the Authorized Official (AO) for Health Group Inc. John has made business arrangements with Health Group Inc. to manage his enrollment information within PECOS and update information in EHR.
These steps establish the connection between John Smith and Health Group Inc. Health Group Inc. can now act as a Surrogate for John Smith.
Example #2: Group Practice and 3rd party Organization United Health Group (Organizational Provider) has made business arrangements with a 3rd party consulting company, Billing Medical (3rd Party Organization) to manage their enrollment information in PECOS. Jane Foster is the Authorized Official (AO) of United Health Group and Jack Lee is the AO of Billing Medical.
These steps establish the connection between United Health Group and Billing Medical. Billing Medical can now act as a Surrogate for United Health Group and modify their organization information in PECOS. However, this does not grant Billing Medical the authority to access PECOS on behalf of the Individual Providers who may be linked to United Health Group as indicated in example 1.
Example #3: Individual Provider and Group Practice with Delegated Officials Jane Doe (Individual Provider) is one of many physicians that work at United Health Group (Organizational Provider). Mark Williams is the Authorized Official (AO) for United Health Group. Jane Doe has approved United Health Group as a Surrogate to manage her enrollment information within PECOS and update information in HITECH using the steps in Example #1. David Jones and Michael Brown are employees of United Health Group and are delegated as their credentialing specialist and meaningful use point person. In order for David and Michael to be Surrogate users for Jane Doe:
These steps establish David Jones and Mark Williams as delegated officials for United Health Group, and gives then authority to access systems on behalf of any Individual Provider who has authorized United Health Group as a Surrogate.
Example #4: Individual Provider and 3rd party Individual Joe Brown (Individual Provider) has a private practice JB Medical Clinic. Sarah Douglas is Joe Brown’s office manager and will be managing his enrollment information within PECOS and update information in EHR.
These steps establish the connection between Joe Brown and Sarah Douglas. Sarah Douglas can now act as a Surrogate for Joe Brown.
Example #5: Registering as an Authorized Official for a new Organizational Provider Brian Johnson is the Authorized Official (AO) for Health Group Inc. (Organizational Provider), which has a Type 2 NPI, and is now interested in enrolling in Medicare.
These steps establish Brian Johnson as the Authorized Official for Health Group Inc., and allows him to act on behalf of Health Group Inc.in the CMS systems that use I&A.
For more information or examples please visit the Identify and Access Management System (I&A) at https://nppes.cms.hhs.gov/NPPES/IASecurityCheck.do |
|
CMS XXXX (XX/XX)
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | Alisha Banks |
| File Modified | 0000-00-00 |
| File Created | 2021-01-22 |