Supporting Statement A
For New Collection: FOIA/Privacy Act Requests for Medicare Claims Data via CMS FOIA Public Portal
Contact Information:
Hugh Gilmore
FOIA Officer
Office of Strategic Affairs (OSORA)/CMS
7500 Security Boulevard, Baltimore, MD 21244
(410) 786-5352
July 23, 2021
Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of the nine exemptions, which protect interests such as personal privacy, national security, and law enforcement.
On average CMS receives approximately 26,000 FOIA requests annually and the majority of those requests (19,000) pertain to Medicare beneficiary records which are considered “FOIA/Privacy Act” requests. Only one percent of those requests are from the actual beneficiary and the other ninety-nine percent are from third party requestors.
An individual may submit a request to CMS for his/her own Medicare records by submitting a signed, written request containing the required information: name, address, Medicare Card number, and the time frame of the records being requested.
An attorney or other representative (Third Party Requester) with proper authorization may also make a FOIA/Privacy Act request on behalf of another person. The request must be in writing and accompanied by a valid authorization signed by the Medicare beneficiary. The authorization must include all the core elements identified on the “Medicare Authorization to Disclose Personal Health Information” form. If the third party is acting in a representative capacity such as a Power of Attorney, a copy of the Power of Attorney documents must also be included with the request for records.
If someone requests information that does not pertain to a beneficiary, those requests will be processed through the CMS internal tracking system, which will eventually be integrated with the National FOIA portal1. This portal allows a member of the public to submit a request for records to any agency from a single website. NOTE: Privacy Act (PA) or requests that contain PHI or PII are excluded from the National FOIA portal.
The CMS FOIA Public Portal Project aims to only collect this subset of beneficiary claims data requests through a centralized, secure electronic online portal.
This collection of information is dedicated to Medicare beneficiaries and third party requesters (law firms or others) acting on behalf of beneficiaries that are making requests for CMS to produce Medicare beneficiary records through 5 U.S.C. § 552(b) (See also 42 C.F.R. § 401.136). Currently the requests are mailed / faxed / emailed to CMS. The new online portal will allow for ease and efficiency to upload the request and required authorization, which will be quickly and securely sent directly to CMS. Additionally, with the new online portal, requesters will be able to securely submit requests electronically that contain PHI or PII; they will be advised that MyMedicare.gov / Blue Button2 is an online service available for beneficiaries to set up an account to access their own records and give authorization to share with third parties. This secure public online portal will be integrated with the agency’s current FOIA/Privacy Act case management system to ensure a centralized location for housing, securing, tracking and processing the incoming requests (See 45 C.F.R. § 5.22 and 5.24).
Unless permitted or required by law, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 C.F.R. § 164.508) prohibits Medicare (a HIPAA covered entity) from disclosing an individual’s protected health information without a valid authorization.
The information collected in the portal will contain details of the names and addresses of FOIA and Privacy Act requesters and the description of the information which they seek in federal records. The agency searches and responds to the requesters by replying with documents to the addresses provided by the requesters.
The FOIA allows the public to request in writing access to government records held by federal agencies. Congress further requires all requests are assigned a case number and an acknowledgement letter with the case number being sent to the requester within 10 working days of receipt (45 C.F.R. § 5.24). The data collected must contain the requester name, address, request, and identifier, e.g. a CMS control number assigned to each request. For beneficiary related information, further information as required by HIPAA may be required.
The primary goal for phase one of the new public online portal is to efficiently respond to requests for Medicare claims records from first party requesters or third party entities. CMS only maintains Medicare claims data for individuals enrolled in traditional Medicare. Therefore, the input form on the new public portal asks a series of questions to ensure that entities requesting Medicaid data, claims data from those enrolled in a Medicare Advantage or Prescription Drug Plan, or enrolled in an Exchange plan, are redirected to the appropriate location or source to obtain that information. If determined the requesting entity/individual only wants Medicare fee-for-service claims data for a person with Medicare, CMS will need to collect the following information:
Name, address, date of birth, and current Medicare number to match the correct person in our system,
Date range of Medicare records needed,
Name, address, and contact information about the third party requesting the data and,
Authorization from the person with Medicare to release records to this entity (HIPAA requirement).
As prescribed by HIPAA, CMS/Medicare will not share protected health information without a valid authorization that contains the core elements such as name of the beneficiary, signature of the beneficiary, date, expiration date of the authorization, purpose, information to be disclosed, and name of the person to whom CMS/Medicare may make the requested disclosure. In accordance with HIPAA, the completed authorization will enable CMS/Medicare to share an individual’s personal health information with a third party at the individual’s request (usually a spouse, relative, law firm, record retrieval company, or agency personnel or representative).
Once the authorization is received and all required documents are accounted for, the FOIA analysts will process the requests and disclose the beneficiary’s personal health information to the authorized individual.
Currently CMS receives all of the requests manually (via paper mail delivery, fax, or email), including requests that do not have the proper authorization that must be returned to the requester. The public portal will ensure confidentiality, integrity, availability, and reliability of the request and will comply with applicable security regulations, policies, standards and controls. By establishing a secure public facing portal to intake the requests, CMS is able to accomplish the following:
Avoid entities requesting data that CMS is unable to fulfill.
Ensure that all authorizations and approvals under FOIA, Privacy, and HIPAA laws are met prior to the submission of the request.
Minimize the need to manually enter these requests into the CMS centralized FOIA management system, which is required in order to meet reporting requirements under FOIA law.
Route the perfected and authorized FOIA/Privacy Act requests to the appropriate Regional Office/Medicare Administrative Contractor where the records are located.
Similar information is collected via PRA package currently approved under OMB control number 0938-09303; however, the information is used for a different purpose and stored in separate system of record (the Medicare Beneficiary Database (MBD) CMS SORN 09-70-0536). This collection is currently used by Medicare beneficiaries to authorize Medicare to disclose their protected health information to a third party by submitting the Medicare Authorization to Disclose Personal Health Information form electronically at MyMedicare.gov, by mail to the Medicare Call Center Operations, or verbally over the phone by calling 1-800-Medicare. Whereas, the FOIA/Privacy Act collection is a different and separate process.
The new information collection for FOIA/Privacy Act Requests for Medicare Claims Data requested will be submitted via the CMS FOIA Public Portal, which applies to the HIPAA, PAand FOIA laws and regulations and does not duplicate any other effort. The nature of these types of requests are unique to CMS as we are the system of record for a huge number of claims paid under Medicare Part A (inpatient services) and Medicare Part B (outpatient services). The system of record related to the CMS FOIA Public Portal is discussed in greater detail in Section 10 of this document.
Automating this process would improve customer service, reduce errors and denials for requested information, account for duplicate requests and ensure requests are routed to the appropriate locations. This will have a significant benefit to the small business community because it will increase efficiency and timeliness of the requests being processed. CMS continues to work with the small entities to provide them guidance to ensure they submit the correct information and documents required to obtain sensitive beneficiary records that are protected by the Privacy, HIPAA and FOIA laws. Establishing a public online portal with the capability to route the requesters through a series of questions designed to re-direct “non-CMS” requests to the correct entity or resource will improve the accuracy and timeliness of the request being submitted. This will enhance customer service, eliminate the recirculating of misdirected requests between federal and state agencies, improve the timeliness of responses, and reduce unperfected requests (those that are missing authorized documents).
CMS would continue to obtain FOIA/Privacy Act requests via postal system, e-mail, and fax and continue to use government resources to manually enter these requests into the CMS case management system. The FOIA Improvement Act of 2016 directed the Office of Management and Budget (OMB) and the Department of Justice (DOJ) to build a “government-wide National online FOIA request portal to” allow members of the public to submit a request for federal agency records. This project will afford CMS requesters a secure opportunity to submit requests for sensitive, PII and PHI records through a secure online portal, which will eliminate burden and establish an online presence for all types of requests.
Explain any special circumstances that would cause an information collection to be conducted in a manner.
- requiring respondents to report information to the agency more often than quarterly;
- requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it;
- requiring respondents to submit more than an original and two copies of any document;
- requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;
- in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study,
- requiring the use of a statistical data classification that has not been reviewed and approved by OMB;
- that includes a pledge of confidentiality that is not supported by authority established in statute or regulation that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or
- requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect die information's confidentiality to the extent permitted by law.
None of the aforementioned special circumstances are applicable to this information collection request.
Federal Register Notices
The 60-day Federal Register notice published on July 23, 2021 (86 FR 39024). No comments were received. The 30-day Federal Register notice published on October 15, 2021 (86 FR 57431).
Outside Consultation
CMS conducted a process improvement project (Kaizen event) with the New York Regional Office and invited several stakeholders from industry to participate in discussions during the event, similar to an Open Door Forum. Based on the findings and recommendations of the project team, the capability to submit requests online proved to be a step in the right direction to gain some efficiency in the process. To share information, provide guidance and gain the perspective of industry, the FOIA team established a process to consult with those law firms and record retrieval companies that request records on a frequent basis. This has proven to be beneficial towards improving the process and relationship with industry; therefore, the FOIA team will continue to reach out to industry representatives on an ongoing basis.
There are no payments or gifts associated with these requests. Respondents will receive the information that they are requesting, which includes Medicare beneficiary claims data for themselves or their authorized representative.
Records would be electronically maintained in an existing Privacy Act System of Records which provides Privacy Act protections pursuant to 5 U.S.C. §552a (See HHS SORN 09-90-0058 Tracking Records and Case Files for FOIA and Privacy Act Requests and Appeals).
Note that our collection specifically excludes the Social Security Number (SSN)-based Health Insurance Claim Number (HICN) and will only accept the current Medicare number, commonly referred to as the Medicare Beneficiary Identifier (MBI). Requests for deceased person records in which the requesting party is not in possession of the MBI will not be processed through the online portal. These requests will be conducted through the old manual process (email / fax / mail).
The online portal will require that first party and third party requestors provide the following information for the Medicare beneficiary they are requesting Medicare claims information on: First Name, Last Name, date of birth (DOB), and MBI, as well a mailing address and/or email address for delivery of responsive records once the request is fulfilled by CMS. Unless permitted or required by law, the HIPAA Privacy Rule (45 C.F.R. § 164.508) prohibits Medicare (a HIPAA covered entity) from disclosing an individual’s protected health information to a third party without a valid authorization. Medicare assures beneficiaries of the confidentiality of their information by requiring the authorization include the core elements and statements required by HIPAA.
Besides the HIPAA Authorization Form, it may be necessary to include for a third party request, additional records showing the representative has authority according to supporting legal documents. Documents that may be included along with the HIPAA Authorization Form could include an Authorized representative confirmation, a Power of Attorney, and/or Letters testamentary or letters of administration or a court order. These records are probate court or legal records and do not contain confidential personal health information.
In general, the request for Medicare claims records does not ask for sensitive information. However, for requests for information for beneficiaries or on behalf of beneficiaries living in the state of New York, per New York state statute (New York State Public Health Law Article 27-F), the requestor must indicate whether the CMS FOIA/Privacy Act response should include or exclude all information “about alcohol and drug abuse, mental health treatment, and HIV”.
The public reporting burden for this information collection is estimated to be 20 minutes. This burden estimate includes time for reading each screen, gathering required information, and completing and submitting the information.
Requesters in the commercial category under the FOIA/Privacy Act are typically law firms and document retrieval companies searching for government records on behalf of Medicare beneficiary clients. The convenience of submitting requests through the online portal will result in faster customer service and better satisfaction. The new portal will provide guidance and direction for what the requester is seeking that enhances the accuracy and completeness of requests and provides the information instantly to CMS. This avoids multiple iterations through mail / fax / email when the submitted information is incomplete or inaccurate.
Number of respondents and frequency of response: CMS receives approximately 19,000 of these FOIA/Privacy Act requests per year.
Burden hour and cost to respondents for the collection of information: There will be no cost to requestors other than the time required to request, complete, and submit the online form; however, we have provided a dollar cost equivalent of this hour burden. It should take approximately 20 minutes for a requestor to complete the required information. Twenty minutes multiplied by 19,000 requests equals 6,333 hours annually.
Additionally it should be noted that respondents currently spend the same amount of time to submit their requests via the current mail / fax / email submission options. Therefore, the burden cost estimate below via the new online portal is NOT to be considered an additional or new cost burden; we anticipate the new online submission portal will save requesters time in the long run.
Respondent Type |
Number of Respondents |
Unit Cost ($/hr) |
Unit Cost + Fringe and Overhead† ($/hr) |
Units (20 mins) |
Total cost per 1 request |
Total cost for requests annually |
Medicare beneficiary4 |
190 |
$19.14 |
$19.14** |
.33 |
$6.38 |
$1,212 |
Document5 retriever |
12,540 |
$19.89 |
$39.78 |
.33 |
$13.13 |
$164,650 |
Paralegal6 |
6,270 |
$24.87 |
$49.74 |
.33 |
$16.58 |
$103,957 |
TOTAL BURDEN: |
|
|
|
|
|
$269,819 |
**We have not accounted for fringe and overhead in our wage estimates for Medicare beneficiaries.
† To account for fringe and overhead benefits we increased the hourly labor wage by a factor of 100%.
The vast majority of these requests (99%) originate from document retrieval companies and paralegal staff at law firms. Out of the total requests received 33% are from law firms and 66% are from records retrieval companies. While we have included cost estimates for Medicare beneficiaries requesting their own records, these respondents are rare (1%). Therefore, we expect the annual respondent burden to total $269,819.
There are no capital costs associated with this information collection request.
Cost: The estimated cost to the government for collecting these data includes the one time investment for building the tool ($350,000) and first year hosting/operations and maintenance costs ($104,000). Therefore, the first year’s cost to CMS equals $454,000. Subsequent year hosting/operations and maintenance costs to CMS equals $102,000. The annualized average cost to the government is $219,334.
Savings: The main source of cost savings will come in the amount of staff time that is saved as a result of the efficiencies achieved through receiving the FOIA requests online vs staff retyping the 100+ FOIAs submitted daily. Note that a transition from manual to automation period would be needed before staff could be fully re-allocated to work other than data entry. Approximately 6 FTEs required to manually enter FOIA data:
Daily average grade 13 step 1 salary of $47.52/hr x 8 hrs = $380.16 for 1 FTE to enter FOIAs into SWIFT
240 work days a year * $380.16 = $91,238.40 annual cost for 1 FTE to manually enter FOIA data into SWIFT
6 FTEs * 91,238.40 = $547,430.4 annual cost to manually enter FOIAs into SWIFT today.
Once automated, FTEs could focus on analyzing and working FOIA cases more efficiently, more likely to meet required 20-day fulfillment, less likely to undergo litigation. Anticipate that approximately 3 FTEs are still required for review and assessments of each automated request.
Total savings to CMS per year equals $273,715.20.
Overall Costs:
Therefore, in the first year the overall cost to the government equals $180,284.80 ($454,000 Cost - $273,715.20 Savings).
In subsequent years, we estimate an annual savings to the government of $171,715.20 ($102,000 Cost - $273,715.20 Savings).
This is a new information collection request.
Individual responses are not published. Aggregate number of requests and average time to fulfill requests are published in the agency’s FOIA Annual Report, as per DOJ requirements.
The online portal will have a splash page that will list both the PRA Disclosure Statement which will include the OMB control as well as the expiration date.
3 CMS-10106: Medicare Authorization to Disclose Personal Health Information (expires June 30, 2021, and is currently seeking reapproval)
4 We used the median hourly wage for all occupations, $19.14, https://www.bls.gov/oes/current/oes_nat.htm.
5 We used the median hourly wage for Information and Record Clerks, $19.89, https://www.bls.gov/oes/current/oes434199.htm.
6 We used the median hourly wage for Paralegals and Legal Assistants, $24.87, https://www.bls.gov/oes/current/oes232011.htm.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | 0938-0568 Supporting Statement A |
| Subject | OMB documentation |
| Author | NORC |
| File Modified | 0000-00-00 |
| File Created | 2021-10-21 |