CMS-10781_Supporting_Statement_Part_A (30-day)


FOIA/Privacy Act Requests for Medicare Claims Data via CMS FOIA Public Portal (CMS-10781)

OMB: 0938-1419


Filing Litigation Timeline Supporting Statement A


FOIA/Privacy Act Requests for Medicare Claims Data via CMS FOIA Public Portal



Contact Information:


Joseph Tripline, FOIA Officer

Office of Strategic Affairs (OSORA)/CMS, 7500 Security Boulevard, Baltimore, MD 21244

(410) 786-5362

[email protected]

Background


Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of the nine exemptions, which protect interests such as personal privacy, national security, and law enforcement.


In FY2024, CMS received approximately 30,800 FOIA requests annually and most of those requests (approximately 75%) pertain to Medicare beneficiary records, which are considered “FOIA/Privacy Act” requests. Approximately 4% of those requests (i.e., annual total requests) are from actual beneficiaries, 84% from third party requesters, 10% related to subpoenas, and the remaining approximately 2% are from other entities (i.e., news media, non-profits, state agencies, educational organizations and Congress).

An individual may submit a request to CMS for his/her own Medicare records by submitting a signed, written request containing the required information: name, address, Medicare Card number, and the time frame of the records being requested.


An attorney or other representative (Third Party Requester) with proper authorization may also make a FOIA/Privacy Act request on behalf of another person. The request must be in writing and accompanied by a valid authorization signed by the Medicare beneficiary. The authorization must include all the core elements identified on the “Medicare Authorization to Disclose Personal Health Information” form¹. If the third party is acting in a representative capacity such as a Power of Attorney, a copy of the Power of Attorney documents must also be included with the request for records.


If someone requests information that does not pertain to a beneficiary, the request will be processed through the CMS internal tracking system, which is integrated with the National FOIA portal². This portal allows a member of the public to submit a request for records to any agency from a single website. NOTE: Privacy Act (PA) requests or requests that contain PHI or PII are excluded from the National FOIA portal.


The CMS FOIA Public Portal only collects beneficiary claims data requests through a centralized secure electronic online portal.

This is a reinstatement without change of the previously approved information collection. The approval lapsed due to administrative oversight.


Justification


  1. Need and Legal Basis

This collection of information is dedicated to Medicare beneficiaries and third-party requesters (law firms or others) acting on behalf of beneficiaries that are making requests for CMS to produce Medicare beneficiary records through 5 U.S.C. § 552(b) (See also 42 C.F.R. § 401.136). The online portal allows for ease and efficiency in uploading requests and required authorizations. Additionally, with the portal, requesters can securely submit requests electronically that contain PHI or PII. They are advised that MyMedicare.gov / Blue Button³ is an online service available for beneficiaries to set up an account to access their own records and give authorization to share with third parties. This secure public online portal is integrated with CMS’s current FOIA/Privacy Act case management system to enter, track, and process incoming FOIA requests (See 45 C.F.R. §§ 5.22 and 5.24).

¹ This information collection request (ICR) is currently approved under OMB control number 0938-0930 and has an expiration date of November 30, 2025. The ICR is currently seeking reapproval.

² Website to the National Freedom of Information Act Portal

Unless permitted or required by law, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 C.F.R. § 164.508) prohibits Medicare (a HIPAA-covered entity) from disclosing an individual’s protected health information without valid authorization.


  2. Information Users

The information collected in the portal contains details of the names and addresses of FOIA and Privacy Act requesters and the description of the information they seek in federal records. The agency searches and responds to the requesters by replying with records to the addresses provided by the requesters.

The FOIA allows the public to request in writing access to government records held by federal agencies. Congress further requires agencies to assign all requests a case number and send an acknowledgement letter with the case number to the requester within 10 working days of receipt (45 C.F.R. § 5.24). The data collected must contain the requester’s name, address, request, and unique identifier (i.e., CMS control number assigned to each request). For beneficiary-related information, HIPAA may require additional information.


The goal of the public online portal is to efficiently respond to requests for Medicare claims records from first-party requesters or third-party entities. CMS only maintains Medicare claims data for individuals enrolled in traditional Medicare. Therefore, the input form on the public portal asks a series of questions to ensure that entities requesting Medicaid data, claims data from those enrolled in a Medicare Advantage or Prescription Drug Plan, or enrolled in an Exchange plan, are redirected to the appropriate location or source to obtain that information. If the requester only wants Medicare fee-for-service claims data for a person with Medicare, CMS will need to collect the following information:

    1. Name, address, date of birth, and current Medicare number to match the correct person in our system;

    2. Date range of Medicare records needed;

    3. Name, address, and contact information about the third party requesting the data; and

    4. Authorization from the person with Medicare to release records to this entity (HIPAA requirement).

As required by HIPAA, CMS/Medicare will not share protected health information without a valid authorization that contains the core elements such as name of the beneficiary, signature of the beneficiary, date, expiration date of the authorization, purpose, information to be disclosed, and name of the person to whom CMS/Medicare may make the requested disclosure. In accordance with HIPAA, the completed authorization will enable CMS/Medicare to share an individual’s personal health information with a third party at the individual’s request (usually a spouse, relative, law firm, record retrieval company, or agency personnel or representative).

³ Medicare Website on Blue Button Service

Once the authorization is received and all required documents are accounted for, the FOIA analyst will process the request and disclose the beneficiary’s personal health information to the authorized individual.


  3. Use of Information Technology


Currently, CMS receives requests manually (via paper mail delivery, fax, or email) and through the CMS FOIA Public Portal. With the manual process, requests often lack proper authorization documentation and as a result are returned to the requester, which causes delays. The launch of the public portal in 2022 allowed for a more efficient and secure way to submit FOIA requests. It ensured confidentiality, integrity, availability, and reliability of requests while complying with applicable security regulations, policies, standards and controls. By establishing a secure public-facing portal to receive FOIA requests, CMS is able to accomplish the following:

    1. Avoid entities requesting data that CMS is unable to fulfill.

    2. Ensure that all authorizations and approvals under FOIA, Privacy, and HIPAA laws are met prior to the submission of the request.

    3. Minimize the need to manually enter these requests into the CMS centralized FOIA management system, which is required to meet reporting requirements under FOIA.

    4. Route the perfected and authorized FOIA/Privacy Act requests to the appropriate Regional Office/Medicare Administrative Contractor where the records are located.


  4. Duplication of Efforts

Similar information is collected via PRA package currently approved under OMB control number 0938-0930; however, the information is used for a different purpose and stored in a separate system of record (the Medicare Beneficiary Database (MBD) CMS SORN 09-70-0536).

Information in the MBD is used by Medicare beneficiaries to authorize Medicare to disclose their protected health information to a third party by submitting the “Medicare Authorization to Disclose Personal Health Information” form electronically at MyMedicare.gov, by mail to the Medicare Call Center Operations, or verbally by calling 1-800-Medicare. The FOIA/Privacy Act collection is a different and separate process but uses similar beneficiary information.


The information on Medicare Claims Data collected for FOIA/Privacy Act requests through the CMS FOIA Public Portal adheres to HIPAA, PA, and FOIA laws and regulations without duplicating other efforts. These requests are unique to CMS as we manage a vast number of claims under Medicare Part A (inpatient services) and Medicare Part B (outpatient services). Details about the CMS FOIA Public Portal system of record can be found in Section 10 of this document.


  5. Impact on Small Businesses and Other Small Entities


Automating the FOIA request process has improved customer service, reduced errors and denials, accounted for duplicate requests, and ensured proper routing of requests. This has significantly benefited the small business community through increased efficiency and timeliness of processing requests. CMS has actively collaborated with small entities to provide guidance on submitting the appropriate information and documents needed to access sensitive beneficiary records protected by Privacy, HIPAA, and FOIA laws. The FOIA Public Portal prompts the requester through a series of questions designed to redirect "non-CMS" requests to the proper entity or resource and has thus far enhanced the accuracy and timeliness of submissions. This initiative has improved customer service, eliminated the re-circulation of misdirected requests between federal and state agencies, increased the timeliness of responses, and reduced the number of unperfected requests (those lacking authorized documents).


  6. Less Frequent Collection

CMS continues to receive FOIA/Privacy Act requests via mail, email, and fax, utilizing government resources to manually enter these requests into the CMS case management system. The FOIA Improvement Act of 2016 instructed the Office of Management and Budget (OMB) and the Department of Justice (DOJ) to develop a government-wide National online FOIA request portal, enabling the public to submit requests for federal agency records. CMS's FOIA Public Portal allows requesters to securely submit FOIA requests for sensitive information, including Personally Identifiable Information (PII) and Protected Health Information (PHI) records, online.


  7. Special Circumstances

Explain any special circumstances that would cause information collection to be conducted in a manner:

  • requiring respondents to report information to the agency more often than quarterly;


  • requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it;


  • requiring respondents to submit more than an original and two copies of any document;

  • requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;


  • in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study;


  • requiring the use of a statistical data classification that has not been reviewed and approved by OMB;


  • that includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or


  • requiring respondents to submit proprietary trade secrets, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.



None of the aforementioned special circumstances are applicable to this information collection request.

  8. Federal Register Notice/Outside Consultation

Federal Register Notices

The 60-day Federal Register notice was published on August 29, 2025 (90 FR 42246). No comments were received.


The 30-day Federal Register notice was published on November 24, 2025 (90 FR 52954).

Outside Consultation

Prior to the initial inception of the FOIA Public Portal, CMS conducted a process improvement project that included several engagements where FOIA staff, CMS’s New York Regional Office and several stakeholders from industry were invited to participate in discussions on ways to improve CMS’s FOIA process. These Open-Door Forums took place in February, April and August of 2018.

Based on the findings and recommendations of the project team, the ability to submit requests online proved to be a step in the right direction to gain some efficiency in the process. To share information, provide guidance, and gain the perspective of industry, the FOIA team established a process to consult with those law firms and record retrieval companies that request records on a frequent basis. This proved to be beneficial towards improving the process and relationship with industry.


  9. Payments/Gifts to Respondents


There are no payments or gifts associated with these requests. Respondents receive information they have requested, including Medicare beneficiary claims data for themselves or their authorized representatives.


  10. Confidentiality

Records are electronically maintained in an existing Privacy Act System of Records, which provides Privacy Act protections pursuant to 5 U.S.C. §552a (See HHS SORN 09-90-0058 Tracking Records and Case Files for FOIA and Privacy Act Requests and Appeals).


Note that our data collection specifically excludes the Social Security Number (SSN)-based Health Insurance Claim Number (HICN) and only accepts the current Medicare number, commonly referred to as the Medicare Beneficiary Identifier (MBI). Requests for deceased person records in which the requesting party is not in possession of the MBI will not be processed through the online portal. These requests will be accepted and processed through mail, email, or by fax.


This online portal requires first- and third-party requesters to provide the Medicare beneficiary's first name, last name, date of birth (DOB), MBI, and a mailing address or email for record delivery once CMS fulfills the request. Unless permitted or required by law, the HIPAA Privacy Rule (45 C.F.R. § 164.508) prohibits Medicare (a HIPAA-covered entity) from disclosing an individual’s protected health information to a third party without a valid authorization. Medicare assures beneficiaries of the confidentiality of their information by requiring the authorization include the core elements and statements required by HIPAA.


In addition to the HIPAA Authorization Form, it may be necessary to provide supplementary documentation for a third-party request. These documents should demonstrate the representative's authority as per supporting legal records. Examples of such supporting documents include Authorized Representative Confirmation, a Power of Attorney, Letters Testamentary or Letters of Administration, or a court order. These are probate court or legal documents and do not contain confidential personal health information.


  11. Sensitive Questions

In general, the request for Medicare claims records does not ask for sensitive information. However, for requests for information for beneficiaries or on behalf of beneficiaries living in the State of New York, per New York state statute (New York State Public Health Law Article 27-F), the requester must indicate whether the CMS FOIA/Privacy Act response should include or exclude all information “about alcohol and drug abuse, mental health treatment, and HIV.”


  12. Burden Estimate (Total Hours & Wages)

The public reporting burden for this information collection is estimated to be 20 minutes. This burden estimate includes time for reading each screen, gathering required information, and completing and submitting the information.

Requesters in the commercial category under the FOIA/Privacy Act are typically law firms and document retrieval companies searching for government records on behalf of Medicare beneficiary clients. The convenience of submitting requests through the online portal results in faster customer service and better satisfaction. The portal offers guidance and direction for requesters, enhancing the accuracy and completeness of their submissions. It provides information instantly to CMS, preventing multiple iterations through mail, fax, or email when the submitted information is incomplete or inaccurate.


Number of respondents and frequency of response: CMS receives approximately 30,800 FOIA/Privacy Act requests per year. Of these, approximately 22,600 are beneficiary-related requests for records.


Burden hour and cost to respondents for the collection of information: There will be no cost to requesters other than the time required to request, complete, and submit the online form; however, we have provided a dollar cost equivalent of this hour burden. It should take approximately 20 minutes for a requester to complete the required information. Twenty minutes multiplied by 22,600 requests equals 7,533 hours annually.


Additionally, it should be noted that respondents currently spend the same amount of time to submit their requests via the current mail / fax / email submission options. Therefore, the burden cost estimate below for the online portal is NOT to be considered an additional or new cost burden. We believe the online portal minimizes errors and creates efficiencies that lower the burden in comparison to a manual request process (i.e., mail, fax, or email submission).

Table 1: Estimation of the Annual Respondent Burden for Beneficiary Related FOIA Requests

| Respondent Type | Number of Respondents | Unit Cost ($/hr) | Unit Cost + Fringe and Overhead† ($/hr) | Units (20 mins) | Total cost per 1 request | Total cost for requests annually |
| --- | --- | --- | --- | --- | --- | --- |
| Medicare beneficiary⁴ | 306 | $23.11 | $23.11** | .33 | $7.703 | $2,357.22 |
| Document retriever⁵ | 12736 | $22.22 | $44.44 | .33 | $14.813 | $188,662.61 |
| Paralegal⁶ | 9467 | $29.31 | $58.62 | .33 | $19.540 | $184,985.18 |
| TOTAL BURDEN: | NA | NA | NA | NA | NA | $376,005.01 |

**We have not accounted for fringe and overhead in our wage estimates for Medicare beneficiaries.

†To account for fringe and overhead benefits, we increased the hourly labor wage by a factor of 100%.




The vast majority of beneficiary-related FOIA requests CMS receives, approximately 98%, originate from document retrieval companies and law firms (~56% and ~42%, respectively). While we have included cost estimates for Medicare beneficiaries requesting their own records, these respondents are rare. Therefore, we expect the annual respondent burden to total $376,005.


  13. Capital Costs


There are no capital costs associated with this information collection request.


  14. Cost to the Federal Government

Cost: Since the launch of the portal, the operations and maintenance cost for the portal has been approximately $45.5K yearly.


⁴ Median hourly wage of all occupations is $23.11; US Bureau of Labor Statistics Website for Median Hourly Wage for All Occupations

⁵ Median hourly wage for information and records clerk, $22.22; US Bureau of Labor Statistics Website for Median Hourly Wage for Information and Records Clerk

⁶ Median hourly wage for paralegals and legal assistants is $29.31; US Bureau of Labor Statistics Website for Median Hourly Wage for Paralegal and Legal Assistants


Savings: Since the inception of the FOIA Public Portal, the main source of cost savings derives from the amount of staff time that is saved because of the efficiencies achieved through receiving the FOIA requests online rather than staff retyping the 120+ FOIAs submitted daily. Prior to the portal, it took approximately 6 FTEs to manually enter FOIA data:

  • Average yearly salary cost of 6 government staff FTEs (without benefits) to enter FOIA requests into CMS’s FOIA tracking system (i.e., SWIFT):

    • Daily salary of GS-12 step 1 in Baltimore, Maryland (headquarters of CMS) in 2025 is $48.59

    • $48.59 X 8 hours X 240 work-days X 6 FTEs = $559,756.80

Since the portal’s inception, CMS was able to reduce the number of FTEs entering FOIA requests (for those still submitting via mail, fax and email) from 6 to 3. The other 3 FTEs have been able to focus on the analysis and processing of the requests to better meet the statutory requirements and mitigate risks for potential litigation. The cost savings from the 3 fewer FTEs is approximately $279.9K. Even with the operating and maintenance cost of the portal, we can approximate the savings to the government as $234,357 (i.e., $279,878 – $45,521).



  15. Program Changes


This is an information collection renewal request. There are no program changes to the FOIA Public Portal since its inception three years ago. The online portal provides an efficient mechanism for the public to request, and the federal government to process, beneficiary records.


  16. Publication and Tabulation Dates


Individual responses are not published. Aggregate number of requests and the average time to fulfill requests are published in the agency’s FOIA Annual Report, as per DOJ requirements.


  17. Expiration Date


The online portal has a splash page that lists the PRA Disclosure Statement, including the OMB control number and an expiration date.


  18. Certification Statement

There are no exceptions to the certification statement.

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: 0938-0568 Supporting Statement A
Subject: OMB documentation
Author: NORC
File Modified: 0000-00-00
File Created: 2025-11-26
