Medicare Authorization to Disclose Personal Health Information Supporting Statement Part A
Background
This “Medicare Authorization to Disclose Personal Health Information” will be used by Medicare beneficiaries to authorize Medicare to disclose their protected health information to a third party. Medicare beneficiaries can submit the Medicare Authorization to Disclose Personal Health Information electronically at Medicare.gov. Beneficiaries may also submit the Medicare Authorization to Disclose Personal Health Information by mailing a complete and valid authorization form to Medicare. Beneficiaries can submit the Medicare Authorization to Disclose Personal Health Information verbally over the phone by calling Medicare.
This is a request for reinstatement of the approval for the CMS-10106, the Medicare Authorization to Disclose Personal Health Information, which was previously approved under OMB control number 0938-0930. The approval for OMB control number 0938-0930 lapsed due to administrative issues.
Justification
Unless permitted or required by law, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (§ 164.508) prohibits Medicare (a HIPAA covered entity) from disclosing an individual’s protected health information without a valid authorization. In order to be valid, an authorization must include specified core elements and statements. Medicare will make available to Medicare beneficiaries a standard, valid authorization to enable beneficiaries to request the disclosure of their protected health information. This standard authorization will simplify the process of requesting information disclosure for beneficiaries and minimize the response time for Medicare.
As prescribed by HIPAA, Medicare will not share protected health information without a valid authorization that contains the core elements such as name of the beneficiary, signature of the beneficiary, date, expiration date of the authorization, description of purpose, description of the information to be disclosed, and name of the person to whom Medicare may make the requested disclosure. In accordance with HIPAA, the completed authorization will enable Medicare to share an individual’s personal health information with a third party at the individual’s request (usually a spouse, relative, or agency personnel or representative). The disclosure of an individual’s personal health information occurs over the telephone. For example, a daughter may need to contact Medicare on behalf of her incapacitated elderly mother to inquire about her mother’s denied Medicare claim.
Once the authorization is processed, a notation is placed on the beneficiary’s account that will allow Medicare to disclose the beneficiary’s personal health information to the authorized individual.
Beneficiaries will submit the “Medicare Authorization to Disclose Personal Health Information” electronically, verbally, or via written format. Individuals may request an electronic authorization via the internet. An individual may request a verbal authorization over the phone with Medicare. An individual may also submit a written Medicare authorization form to Medicare.
There are no duplications as this is the only source for the information in question.
Small businesses are not affected by this collection.
Submission of the Medicare Authorization to Disclose Personal Health Information is voluntary. Medicare will process the authorization as necessary to gain the beneficiary’s consent to disclosure when requested. Medicare is not allowed to offer the authorization less frequently than currently offered nor is CMS allowed to stop offering the authorization upon request. Medicare will be out of compliance with both the HIPAA Privacy Rule and Privacy Act if it does either of the above.
Not applicable.
The 60-day notice was published in the Federal Register on March 15, 2022 (87 FR 14536). The 30-day notice was published in the Federal Register on June 9, 2022 (87 FR 35216).
Not applicable.
As required by HIPAA, Medicare sends all Medicare beneficiaries a Notice of Privacy Practices (included in the Medicare & You Handbook and on the Medicare.gov Web site, https://www.medicare.gov/pubs/pdf/10050-Medicare-and-You.pdf). The Notice of Privacy Practices assures Medicare beneficiaries that their personal health information is protected and informs beneficiaries of their privacy rights. Medicare has added HIPAA-required privacy protection language to all contracts with business associates. As required by the Privacy Act, Medicare publishes systems of records notices in the Federal Register that describe the data in each system and to whom Medicare may disclose the information. The information collected is part of a Privacy Act System of Records Notice (SORN):
Medicare Beneficiary Database (MBD) SORN#:09-70-0536
SORN history: 71 FR 70396 (12/4/06); updated 78 FR 23938 (4/23/13), 78 FR 32257 (5/29/13), *83 FR 6591 (2/14/18)
Common Working File (CWF) SORN#:09-70-0526
SORN history: 71 FR 64955 (11/6/06); updated 78 FR 23938 (4/23/13), 78 FR 32257 (5/29/13), *83 FR 6591 (2/14/18)
Enrollment Database (EDB) SORN#:09-70-0502
SORN history: 73 FR 10249 (2/26/08); updated 78 FR 23938 (4/23/13), 81 FR 8204 (2/18/16), *83 FR 6591 (2/14/18).
A Privacy Act Statement assuring confidentiality is given to individuals when their information is collected.
Unless permitted or required by law, Medicare only discloses an individual’s protected information with a valid authorization. Medicare assures beneficiaries of the confidentiality of their information by requiring the authorization include the core elements and statements required by HIPAA. The core elements specify what information is to be disclosed and to whom.
The core elements of a valid authorization required by HIPAA include:
A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
The name or other specific identification of the person(s) or class of persons, to whom the covered entity may make the requested use or disclosure;
A description of each purpose of the requested use or disclosure. The statement, “at the request of the individual” is a sufficient description of the purpose when the beneficiary initiates the authorization and does not, or elects not to, provide a statement of the purpose;
An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; and
The signature of the individual and date. If a personal representative of the individual signs the authorization, a description of such representative’s authority to act for the individual must also be provided. Although the HIPAA Privacy Rule requires only a description of the representative’s authority to act for the individual, CMS is requiring that documentation showing the representative’s authority be attached to the authorization (e.g., a Power of Attorney).
In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
The individual’s right to revoke the authorization in writing, how the individual may revoke the authorization, and the exceptions to the right to revoke, e.g., “You have the right to take back (“revoke”) your authorization at any time in writing, except to the extent that Medicare has already acted based on your permission. To revoke your authorization, send a written request to: [Each Medicare contractor or CMS: Please insert Name, Address, and Telephone number of your organization here]”;
The inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, e.g., “I understand refusal to authorize disclosure of my personal medical information will have no effect on my enrollment, eligibility for benefits, or the amount Medicare pays for the health services I receive”;
The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer protected, e.g.: “Your personal medical information that you authorize Medicare to disclose may be subject to redisclosure and no longer protected by law.”
Not applicable.
Number of respondents and frequency of response: There are approximately 63 million Medicare beneficiaries. Beneficiaries contact Medicare contractors to request the disclosure of their Medicare protected health information. To estimate the number of Medicare beneficiaries who may submit authorizations on an annual basis, Medicare asked the Medicare contractors to provide an estimate of the number of authorizations the contractor receives annually. The Medicare contractors provided the total number of authorizations received by month for calendar year 2020. The monthly figures were summed to arrive at the number of authorizations received annually. Medicare estimates 1 million authorizations will be submitted per year.
Burden hour and cost to respondents for the collection of information: There will be no cost to Medicare beneficiaries other than the time required to request, complete, submit, or have processed the Medicare authorization form; however, we have provided a dollar cost equivalent of this hour burden. It should take approximately 15 minutes for a beneficiary to complete the Medicare authorization form. Fifteen minutes multiplied by 1 million beneficiaries equals 250,000 hours. The total estimated cost is $1,812,500. We used the U.S. minimum wage[1] value of $7.25 per hour.
(15 minutes/response) x (1 hour/60 minutes) x (1 million responses) = 250,000 hours
(250,000 hours) x ($7.25/hour) = $1,812,500
There are no capital costs associated with this information collection request.
The Medicare Authorization to Disclose Personal Health Information is processed by Medicare contractors. The annual cost to the federal government is $5,750,000.
There are no program changes associated with this reinstatement of the previously approved collection.
Not applicable.
Medicare will display the expiration date on the authorization form. The expiration date will be listed in the upper right-hand corner of the form.
There are no exceptions to the certification statement.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Title | Medicaer Authorization to Disclose Personal Health Information Supporting Statement Part A |
Author | WILLIAM PARHAM |
File Modified | 0000-00-00 |
File Created | 2022-06-13 |