Form CMS-10220 Security Consent and Surrogate Authorization Form

Provider Enrollment Chain and Ownership System (PECOS) Web Security Consent Form (CMS-10220)

Security Consent and Surrogate Authorization Form100113

PECOS Web Security Consent Form - Individuals

OMB: 0938-1035

Document [docx]
Download: docx | pdf


SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM


SECTION 1 – SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM PURPOSE AND DEFINITIONS:

The purpose of this form is to:

  1. Register and certify that the person(s) listed as Authorized or Delegated Official for an Organizational Provider or Third-Party Organization has the authority to act on behalf of that Organization in that capacity, as defined below; and/or

  2. Confirm the Individual or Organizational Provider listed below authorizes the individual or organization identified as a Surrogate below to act on their behalf. Also to confirm, they agree that the Surrogate may access CMS computer systems on their behalf, including but not limited to: Provider Enrollment, Chain and Ownership System (PECOS), the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program Registration and Attestation System (HITECH), and the National Provider Plan and Enumeration System (NPPES).


Prior to use of this form:

  1. A person(s) seeking to act on behalf of their organization must first have established an account in the Identify and Access Management System (I&A) at https://nppes.cms.hhs.gov/NPPES/IASecurityCheck.do and identify their organization as an employer.

  2. A Surrogate seeking to act on behalf of an Individual or Organizational provider must first have established an account in the Identify and Access Management System (I&A) at https://nppes.cms.hhs.gov/NPPES/IASecurityCheck.do; the Individual or Organizational Provider must have an NPI; and a connection must have been initiated between the Surrogate and the Individual Provider or Organizational Provider.


This form should not be submitted unless these steps have been completed. This form is not required to authorize a surrogate if the Individual Provider or Organizational Provider and the Surrogate both confirm the connection online via the CMS Identity and Access Management (I&A) system.


Due to the increased time associated with the manual processing of the Security Consent and Surrogate Authorization Form, some delays may be experienced before a surrogacy confirmation is approved. To complete the surrogacy authorization electronically and receive approval immediately, please use the CMS' I&A system at https://nppes.cms.hhs.gov/NPPES/IASecurityCheck.do.


For purposes of this form, the following definitions apply:


Authorized Official: An appointed official of an Organizational Provider or 3rd Party Organization with the authority to legally bind that organization and conduct business on behalf of the organization. If an Organizational Provider, also ensures the organization’s compliance with Medicare statutes, regulations and instructions


Delegated Official: An individual, delegated by the Authorized Official of an Organizational Provider or 3rd Party Organization, with the authority to legally bind the organization and conduct business on behalf of the organization. If an Organizational Provider, also ensures the organization’s compliance with Medicare statutes, regulations and instructions.


Individual Provider/Supplier: An individual that provides services to Medicare beneficiaries and submits claims to Medicare and/or reassigns benefits to an organization that submits claims to Medicare on their behalf. Must have or be eligible for a Type 1 NPI in NPPES. Hereinafter referred to as “Individual Provider”.


Organizational Provider/Supplier: An organization that provides medical items and services to Medicare beneficiaries (including a group practice) that submits claims to the Medicare Part A and/or Part B programs. Must have or be eligible for a Type 2 NPI in NPPES. Hereinafter referred to as “Organizational Provider”.


Third-Party Organization: A third-party organization (e.g. billing agency, credentialing consultant, or other staffing company) that has business relationships with Individual Providers or Organizational Providers to work on their behalf.


Surrogate:


  • An Organizational Provider identified by an Individual Provider as someone authorized to access, view, and modify information within a CMS computer systems on their behalf; OR.

  • A Third-Party Organization (e.g. billing agency, credentialing consultant, or other staffing company) that has a business relationship with an Individual Provider or Organizational Provider and will be acting on their behalf; OR


  • A Third-Party Individual (e.g., office manager) who has a business relationship with an Individual Provider or Organizational Provider, however, may not be directly employed by that Individual Provider or Organizational Provider but will be acting on their behalf.


Approving a Surrogate to work on behalf of an Individual Provider or Organizational Provider does not give the Surrogate the authority to sign Medicare enrollment applications. All enrollment applications are still required to be signed by the Individual Provider or appropriate Official of the Organizational Provider.




SECTION 2 - CONFIRMATION OF UNDERSTANDING AND PENALTIES FOR FALSIFYING INFORMATION FOR INDIVIDUAL OR ORGANIZATIONAL PROVIDER:

By signing below and submitting or authorizing the submission of this information to CMS all signers of this form confirm and agree to the following, as applicable to their situation:


The individual(s) identified in Section 3A confirms that they are an Authorized or Delegated Official as defined above for the Organization identified in Section 3A ("Organizational Provider").


The individual identified in Section 3A ("Individual Provider") has: i) a pre-existing and current business relationship with the organization identified in Section 3B (“Organizational Provider”); ii) has authorized this organization to be a Surrogate and access CMS computer systems on their behalf for the sole purpose of modifying or viewing any information contained therein that the Individual or Organizational Provider may have permission or right to access in accordance with Medicare statutes, regulations, policies, and usage guidelines for that system; iii) has not shared their CMS issued username and password with any 3rd party including the Surrogate.


The individual identified in Section 3A ("Individual Provider") or the organization identified in Section 3B (“Organizational Provider”) has: i) a pre-existing and current business relationship with the 3rd Party Organization or 3rd Party Individual listed in Section 5A and Section 5B respectively below; ii) has authorized has authorized this organization to be a Surrogate and access CMS computer systems on their behalf for the sole purpose of modifying or viewing any information contained therein that the Individual or Organizational Provider may have permission or right to access in accordance with Medicare statutes, regulations, policies, and usage guidelines for that system; iii) has not shared their CMS issued username and password with any 3rd party including the Surrogate.


The individual identified in Section 5A confirms that they are an Authorized or Delegated Official as defined above for the Organization identified in Section 5A ("3rd party Organization"), and that this Organization has a pre-existing and current business relationship with the Individual Provider that grants this Organization the authority to act as a Surrogate, as defined above.


The individual identified in Section 5B ("3rd party Individual") confirms that they are an Individual not acting on behalf of any Organization as defined above, and that they have a pre-existing and current business relationship with the Individual Provider that grants this individual the authority to act as a Surrogate, as defined above.


Surrogates shall only access CMS systems with the username and password issued to them personally as part of the Identity and Access Management Registration process, and not the username and password issued to the Individual Provider identified in Section 3A.


The signatures below further confirm that all signers: have read, understand, and agree to all statements herein, including the following:


PENALTIES FOR FALSIFYING INFORMATION ON THE SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM FOR MEDICARE INDIVIDUAL OR ORGANIZATIONAL PROVIDER


The signatures below authorize the Medicare program to grant the Surrogate identified in Section 5A or 5B access to Medicare information for the Individual or Organizational Provider identified in Section 3A or 3B of this form. The Individual Provider/Authorized Official of the Organization, agree to the following statements:


18 U.S.C. § 1001 authorizes criminal penalties against an individual who, in any matter within the jurisdiction of any department or agency of the United States, knowingly and willfully falsifies, conceals or covers up by any trick, scheme or device a material fact, or makes any false, fictitious or fraudulent statements or representations, or makes any false writing or document knowing the same to contain any false, fictitious or fraudulent statement or entry. Individual offenders are subject to fines of up to $250,000 and imprisonment for up to five years. Offenders that are organizations are subject to fines of up to $500,000(18 U.S.C. § 3571). Section 3571(d) also authorizes fines of up to twice the gross gain derived by the offender if it is greater than the amount specifically authorized by the sentencing statute.


Any deliberate omission, misrepresentation, or falsification of any information contained in this application or contained in any communication supplied to Medicare or its contractors, or any deliberate alteration of any text on this conformation, may be punishable by criminal, civil, or administrative penalties including, but not limited to, the denial or revocation of Medicare billing privileges and/or imposition of fines, civil damages, and/or imprisonment.




SECTION 3A- INDIVIDUAL PROVIDER

** Indicate Required Fields


I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately.

**Individual Provider (First, Middle, Last, Jr., Sr., M.D., D.O., etc):

**SSN:

**Individual NPI:




Phone Number:

E-mail Address:



**Signature:

**Date Signed (MM/DD/YYYY):





SECTION 3B – ORGANIZATIONAL PROVIDER

** Indicate Required Fields


I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately.

**Organizational Provider (Legal Business Name):

Note: LBN and EIN must match the IRS CP-575

**EIN:

**Organization NPI:




**Authorized Official of the Organizational Provider (First, Middle, Last, Jr., Sr., etc):

**SSN:



Phone Number:

E-mail Address:



**Signature:

**Date Signed (MM/DD/YYYY):



** Delegated Official of the Organizational Provider (First, Middle, Last, Jr., Sr., etc):

**SSN:



Phone Number:

E-mail Address:



**Signature:

**Date Signed (MM/DD/YYYY):




SECTION 4 – CMS COMPUTER SYSTEMS

**Select the system(s) for which you will be providing Surrogate services:

Note: At least one must be selected.

PECOS Tracking ID: [Internal Use Only]

EHR Incentive Program Tracking ID: [Internal Use Only]

NPPES Tracking ID: [Internal Use Only]

Other (specify): _____________________ Tracking ID: [Internal Use Only]




SECTION 5A- 3RD PARTY ORGANIZATION (if applicable):

** Indicate Required Fields

I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately.

3rd Party Organization (Legal Business Name):

Note: LBN and EIN must match the IRS CP-575

** EIN:



3rd Party Organization Authorized Official (First, Middle, Last, Jr., Sr., etc):

** SSN:



Phone Number:

E-mail Address:



**Signature:

**Date Signed (MM/DD/YYYY):





3rd Party Organization Delegated Official (First, Middle, Last, Jr., Sr., etc):

** SSN:



Phone Number:

E-mail Address:



**Signature:

**Date Signed (MM/DD/YYYY):





SECTION 5B- 3RD PARTY INDIVIDUAL (if applicable):

** Indicate Required Fields

I, the undersigned, certify that I have read and agree to all statements within this conformation, and that all information contained herein is true, correct, and complete. I agree that if I become aware that any information contained herein is not true, correct, or complete, I shall notify the CMS EUS Help Desk of this fact immediately.

3rd Party Individual (First, Middle, Last, Jr., Sr., etc):


** SSN:



Phone Number:

E-mail Address:



**Signature:

**Date Signed (MM/DD/YYYY):




SECTION 6- REQUIRED DOCUMENTATION AND SUBMISSION INSTRUCTIONS

When you have completed and confirmed all information on this form you must submit all pages, excluding the instructions, and the copies of the following documentation to CMS via CMS External User Services (EUS). Please identify the items and number of documents being submitted using the checklist provided:



Copy(ies) of Government Issued identification for all individuals listed _____________ (# of documents)

(i.e., Driver’s License or Passport).


Copy(ies) of Internal Revenue Service (IRS) CP-575 (letter generated _____________ (# of documents)

by the IRS confirming your Employer Identification Number (EIN)

and Legal Business Name (LBN) or equivalent for each

organization listed). Note: The LBN should match what you have

registered in I&A and NPPES.


Please return all pages, completed and signed to: CMS External User Services (EUS) Help Desk, PO Box 792750, San Antonio TX 78279, Phone Number: (866) 484-8049.


SECTION 7A – INSTRUCTIONS FOR COMPLETING THE SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM


**Indicates a Required Field


SECTION 1SECURITY CONSENT AND SURROGATE AUTHORIZATION FORM’S PURPOSE AND DEFINITIONS


SECTION 2CONFIRMATION OF UNDERSTANDING AND PENALTIES FOR FALSIFYING INFORMATON


SECTION 3AINIDIVIDUAL PROVIDER


This section should be completed by the Individual Provider, as defined above, if they are authorizing a Surrogate to work on their behalf.


  • The full name, Social Security Number (SSN), National Provider Identifier, phone number and email address provided should be of the Individual Provider.

  • The Individual Provider shall sign and date the form.


SECTION 3BORGANIZATIONAL PROVIDER


This section should be completed by the Authorized Official of an Organizational Provider, as defined above.


  • The Legal Business Name (LBN), Employer Identification Number (EIN) and the National Provider Identifier (NPI) should be of the Organizational Provider. The LBN and EIN must match your IRS CP-575, or equivalent.

  • An Authorized Official of the Organizational Provider must provider their full name and Social Security Number (SSN).

  • The phone number and email address should be of the AO.

  • The Authorized Official shall sign and date the form.


If the Authorized Official would like to delegate their authority to another individual within their organization, the “Delegated Official of the Organizational Provider” section within 3B should be completed.


  • The Delegated Official of the Organizational Provider must provide their full name and Social Security Number (SSN).

  • The phone number and email address should be of the DO.

  • The Delegated Official should sign and date the form.


SECTION 4 – CMS COMPUTER SYSTEMS


Complete this section by identifying the CMS computer system for which the Individual Provider or Organizational Provider has granted the Surrogate authority to access. If the CMS system is not listed please select “Other” and specify in the field provided. At least one system must be selected.


PECOS - Provider Enrollment Chain and Ownership System


EHR Incentive Program – Electronic Health Records Incentive Program


NPPES – National Provider Plan and Enumeration System



SECTION 5A – 3RD PARTY ORGANIZATION (SURROGATE)


This section should be completed by the Authorized Official of a Surrogate Organization, as defined above.


  • The Legal Business Name (LBN) and Employer Identification Number (EIN) should be of the Surrogate Organization. The LBN and EIN must match your IRS CP-575 or equivalent.

  • The Authorized Official of the Surrogate Organization must provide their full name and Social Security Number (SSN).

  • The phone number and email address should be of the AO.

  • The AO should sign and date the form.


If the Authorized Official of the Surrogate Organization would like to delegate their authority to another individual within their organization, the “Surrogate Organization Delegated Official” section within 3B should be completed.


  • The Delegated Official of the Surrogate Organization must provide their full name and Social Security Number (SSN).

  • The phone number and email address should be of the DO.

  • The DO should sign and date the form.



SECTION 5B – 3RD PARTY INDIVIDUAL (SURROGATE)


Complete this section if you are an Individual Surrogate, as defined above.


  • The individual Surrogate must supply their full name and Social Security Number (SSN).

  • The phone number and email address should be of the individual.

  • The individual should sign and date the form.


Note: If an Organizational Provider Authorizes a Surrogate for their Organization, that does not grant the Surrogate authority to access any systems on behalf of Individual Providers who may be linked to that Organizational Provider (i.e. previously authorized them as a Surrogate, or has reassigned benefits).


SECTION 6 – REQUIRED DOCUMENATION AND SUBMISSION INSTRUCTIONS


Review this section to identify the documents required to be sent to the CMS EUS Help Desk to complete the security consent and Surrogate authorization process. Contact information for the help desk is also identified.


SECTION 7B - EXAMPLES

Example #1: Individual Provider and Group Practice

John Smith (Individual Provider) is part of a group practice Health Group Inc. (Organizational Provider). Brian Johnson is the Authorized Official (AO) for Health Group Inc. John has made business arrangements with Health Group Inc. to manage his enrollment information within PECOS and update information in EHR.


  1. Brian Johnson registers for an account in the I&A system and identifies Health Group Inc. as his Employer and himself as the AO.

  2. Brian Johnson submits a request in I&A to become a Surrogate for Individual Provider John Smith.

  3. John Smith can either approve the request electronically in I&A (approval received immediately), or approve via paper by completing this Security Consent and Surrogate Authorization Form.

  4. John Smith would complete Section 3A of this form, and Section 4 indicating PECOS and EHR Incentive Program.

  5. Brian Johnson as the AO for Health Group Inc. would complete 3B. Brian Johnson supplies his government Id and a copy of the IRS CP-575 for Health Group Inc. verifying the LBN and TIN.

  6. John Smith supplies his government Ids.

  7. This form and the above documentation are submitted to EUS for processing.


These steps establish the connection between John Smith and Health Group Inc. Health Group Inc. can now act as a Surrogate for John Smith.


Example #2: Group Practice and 3rd party Organization

United Health Group (Organizational Provider) has made business arrangements with a 3rd party consulting company, Billing Medical (3rd Party Organization) to manage their enrollment information in PECOS. Jane Foster is the Authorized Official (AO) of United Health Group and Jack Lee is the AO of Billing Medical.


  1. Jane Foster registers for an account in the I&A system and identifies United Health Group as her Employer and herself as the AO.

  2. Jack Lee registers for an account in the I&A system and identifies Billing Medical as his Employer and himself as the AO.

  3. Jack Lee submits a request in I&A to become a Surrogate for Organizational Provider United Health Group.

  4. Jane Foster can either approve the request electronically in I&A (approval received immediately), or approve via paper by completing this Security Consent and Surrogate Authorization Form

  5. Jane Foster, as the AO for United Health Group, would complete Section 3B and Section 4.

  6. Billing Medical would complete 5A.

  7. Jane Foster supplies her government Id and a copy of the IRS CP-575 for United Health Group verifying the LBN and TIN.

  8. Jack Lee supplies his government Ids and a copy of the IRS CP-575 for Billing Medical verifying the LBN and TIN.

  9. This form and the above documentation are submitted to EUS for processing.


These steps establish the connection between United Health Group and Billing Medical. Billing Medical can now act as a Surrogate for United Health Group and modify their organization information in PECOS. However, this does not grant Billing Medical the authority to access PECOS on behalf of the Individual Providers who may be linked to United Health Group as indicated in example 1.


Example #3: Individual Provider and Group Practice with Delegated Officials

Jane Doe (Individual Provider) is one of many physicians that work at United Health Group (Organizational Provider). Mark Williams is the Authorized Official (AO) for United Health Group. Jane Doe has approved United Health Group as a Surrogate to manage her enrollment information within PECOS and update information in HITECH using the steps in Example #1. David Jones and Michael Brown are employees of United Health Group and are delegated as their credentialing specialist and meaningful use point person. In order for David and Michael to be Surrogate users for Jane Doe:



  1. David Jones and Michael Brown each register for an account in the I&A system and identifies United Health Group as their Employer and themselves as the DO.

  2. Mark Williams can either approve the request electronically in I&A (approval received immediately), or approve via paper by completing this Security Consent and Surrogate Authorization Form twice, once approving David Jones as the DO and the other approving Michael Brown as the DO.

  3. Mark Williams would complete Section 3B (Organizational Provider and Authorized Official of the Organizational Provider)

  4. David Jones/Mark Williams would complete Section 3B (Delegated Official of the Organizational Provider).

  1. David Jones and Mark Williams supply their government Ids and a copy of the IRS CP-575 for United Health Group verifying the LBN and TIN.

  2. This form and the above documentation are submitted to EUS for processing.


These steps establish David Jones and Mark Williams as delegated officials for United Health Group, and gives then authority to access systems on behalf of any Individual Provider who has authorized United Health Group as a Surrogate.


Example #4: Individual Provider and 3rd party Individual

Joe Brown (Individual Provider) has a private practice JB Medical Clinic. Sarah Douglas is Joe Brown’s office manager and will be managing his enrollment information within PECOS and update information in EHR.


  1. Joe Brown registers for an account in the I&A system as the Individual Provider.

  2. Sarah Douglas registers for an account in the I&A system and identifies Joe Brown as her Employer and herself as the Delegated Official (DO).

  3. Sarah Douglas submits a request in I&A to become a Surrogate for Individual Provider Joe Brown. Joe Brown can either approve the request electronically in I&A (approval received immediately), or approve via paper by completing this Security Consent and Surrogate Authorization Form.

  4. Joe Brown would complete Section 3A and Section 4 indicating PECOS and EHR Incentive Program.

  5. Sarah Douglas would complete Section 5B.

  6. Sarah Douglas supplies her government Id.

  7. This form and the above documentation are submitted to EUS for processing.


These steps establish the connection between Joe Brown and Sarah Douglas. Sarah Douglas can now act as a Surrogate for Joe Brown.




Example #5: Registering as an Authorized Official for a new Organizational Provider

Brian Johnson is the Authorized Official (AO) for Health Group Inc. (Organizational Provider), which has a Type 2 NPI, and is now interested in enrolling in Medicare.


  1. Brian Johnson registers for an account in the I&A system and identifies Health Group Inc. as his Employer and himself as the AO.

  2. Brian Johnson as the AO for Health Group Inc. would complete 3B.

  3. Brian Johnson submits a copy of his government ID, the IRS CP-575 or equivalent IRS document for Health Group Inc. verifying the Legal Business Name and EIN match the EIN used to register in I&A.

  4. Brian Johnson submits this form and the above documentation to EUS for processing.


These steps establish Brian Johnson as the Authorized Official for Health Group Inc., and allows him to act on behalf of Health Group Inc.in the CMS systems that use I&A.


For more information or examples please visit the Identify and Access Management System (I&A) at https://nppes.cms.hhs.gov/NPPES/IASecurityCheck.do


CMS XXXX (XX/XX)

File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorAlisha Banks
File Modified0000-00-00
File Created2021-01-22

© 2024 OMB.report | Privacy Policy