Highmark Medicare Services was selected as the Medicare Part A intermediary for Maryland and Washington, DC as the result of a competitive procurement conducted to replace CareFirst of Maryland, Inc., who has decided to discontinue its role as the fiscal intermediary effective September 30, 2005. Highmark Medicare Services will assume this new role as fiscal intermediary for Maryland and Washington, DC on October 1, 2005.

**All contact information contained within these documents should be considered outdated.  **

TABLE OF CONTENTS

• Replacement of Transmission Methods Memo - June 14, 2005
• List of Providers who have Successfully Completed Testing to Submit HIPAA Claims - April 2, 2004
• HIPAA Requirement for Discharge Hour on Inpatient Claims - March 29, 2004
• HIPAA Guidance - December 17, 2003
• CMS Companion Document for the Accredited Standards Committee (ASC) X12N 276/277 Health Care Claim Status Request & Response - October 21, 2003
• HIPAA Provider Outreach Activities - May 2, 2003
• Free Health Insurance Portability and Accountability Act Billing Software - April 1, 2003
• Medicare Fee for Service Contractor Guidance on the HIPAA Privacy Rule - March 20, 20030001 Revenue Line Direction for the Health Insurance Portability and Accountability Act (HIPAA) Institutional 837 Health Care Claim - November 21, 2002
• HIPAA Institutional 837 Health Care Claims -DDE Updates - August 20, 2002
• HIPAA Institutional 837 Health Care Claim Additional Implementation Direction - August 16, 2002
• HIPAA Institutional 837 Health Care Claim-Hospice Direction
• HIPAA Institutional 837 Health Care Claim-Home health Direction - May 16, 2002
• HIPAA Health Care Eligibility Benefit Inquiry/Response Transaction Standard - April 25, 2002
• HIPAA Institutional 837 Health Care Claim Implementation Updates - March 7, 2002
• HIPAA 837 Health Care Claim implementation - February 28, 2002
• Electronic Remittance Advice Changes for HIPAA - September 6, 2001
• Notification to Providers and Suppliers of Transaction and Code Set Rule Promulgated In Accordance With the Health Insurance Portability and Accountability Act (HIPAA) - October 26, 2000

---

Replacement of Transmission Methods Memo - June 14, 2005

To: Electronic Claims/Electronic Remittance Advice (ERA) Transmission Users

From: Maryland Medicare Part A EDI Department

Re: Replacement of Transmission Methods

*****IMPORTANT NOTIFICATION*****

Maryland Medicare Part A is changing the methods it uses to receive and distribute electronic batch data. The Health Insurance Portability and Accountability Act (HIPAA), Centers for Medicare and Medicaid Services (CMS) System Security Requirements and outdated CareFirst Software, require the introduction of new methods for communicating Electronic Data Interchange (EDI). As of October 3, 2005 Providers/Clearing Houses will no longer be able use the current connectivity methods for submitting ANSI 837 Claims and receiving Electronic Remittance Advice (ERA) and ANSI 837 Translator Acceptance Reports.

In order to facilitate compliance with the new requirements, Maryland Medicare Part A is notifying you about two vendors that can provide alternative network service connectivity for our Electronic Trading Partners. The Vendors below offer many types of services and many benefits. We have included information about both companies as well as their contact information. In addition, we have provided links to each company’s Web Site so you can review information for each company.

There are costs associated with both options, so we strongly encourage that you contact these vendors in the near future to determine which one best meet the needs of your business environment. You may have two different departments involved with this endeavor, one for claims and another for ERA. Please make sure all impacted departments are notified.

For questions regarding the described changes, please contact Joe Yurfest at 410-561-4003.

NOTE – The proposed changes do NOT impact your current method for accessing any FISS applications, including Eligibility Inquiry (HIQA, ELGA), Claims Entry and Return To Provider (RTP) Resolution.

VENDOR CONTACT INFORMATION

IVANS

Many submitters are already using IVANS services for accessing Medicare Direct Data Entry (DDE) applications such as eligibility and claim status and resolution. IVANS is extending its services to include its Electronic Commerce Server (ECS) to transmit claims and receive ERA and Claim Translator Reports. IVANS offers several connectivity options including dial, leased lines and Internet. For pricing and specific questions about IVANS, contact their support group at 800-548-2675. If you would like to learn more about the IVANS solution, visit IVANS on the web at, www.ivans.com/marylandmedicare.

VisionShare

The VisionShare Secure Exchange Software™ allows providers or clearing houses the ability to use their high-speed internet connection for file transfer and real-time Part A, DDE applications. The file transfer feature allows providers the ability to transmit claims, receive ERAs and Claim Translator Reports. In addition to file transfer, VisionShare also provides access to the FISS for Maryland Part A DDE. If you would like to learn more about VisionShare, call their sales hotline at 651-305-2727 or go to their web site at, www.visionshareinc.com and select Maryland.

---

List of Providers who have Successfully Completed Testing to Submit HIPAA Claims - April 2, 2004

To: All Providers
From: CareFirst of Maryland Inc.
Subject: HIPAA Testing
Date: April 2, 2004

Organizations Successfully Tested with CareFirst of Maryland – Medicare Part A For Submitting HIPAA Compliant Claims (updated 4/1/2004)

Name	Web Address	Tel#	Address
NDC Health	www.ndchealth.com	800-852-0707	6100 South Yale Ave, Suite 1900, Tulsa, OK, 74136
Per-se Technologies	www.per-se.com	440-461-4200	675G Alpha Dr. Highland Hts, OH 44143
CPSI	www.cpsinet.com	251-639-8100	6600 Wall Street. Mobile, AL. 36695
Quadax Incorporated	www.quadax.com	800-929-3775	21755 Brookpark Road Cleveland, Ohio 44126
Achieve Healthcare Technologies		800-869-1322	7690 Golden Triangle Drive, Eden Prairie, MN 55344
WebMD		615-885-3700	One Century Place 26 Century Blvd., Suite 601 Nashville, Tennessee 37214
McKesson-HBOC		563-557-3401	700 Locust Street, Suite 500 Dubuque, IA 52001
MDI Technologies		800-552-9846	940 West Port Plaza Drive, Suite 100 St. Louis, MO 63146
The SSI Group	www.thessigroup.com	800-880-3032	4721 Morrison Dr. Suite 100 Mobile, AL 36691

Software Product	Version X12N 837
Premis 2.62 ePremis1.2	4010A1
CLAIMTRACK	4010A1
CPSI Hipaa Format	4010A1
Xpeditor	4010A1
DataCare	4010A1
AccuClaim Plus	4010A1
	4010A1
On-Line Advantage	4010A1
Direct	4010A1

 

ACS Service Bureau (ASB)		226 Lowell St. Wilmington, MA 01887			4010A1
Xactimed, Inc.	www.xactimed.com		9400 NCX, Suite 700 Dallas, TX 75231	XCLAIM		4010A1

 

THIS BULLETIN SHOULD BE SHARED WITH ALL HEATLH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER/SUPPLIER STAFF. BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE ON OUR WEBSITE AT WWW.MARYLANDMEDICARE.COM

---

HIPAA Requirement for Discharge Hour on Inpatient Claims - March 29, 2004

TO: All Providers
FROM: CareFirst of Maryland Inc.
Date: March 29, 2004
SUBJECT: HIPAA Requirement for Discharge Hour on Inpatient Claims

We have been notified in the next few weeks that the HIPAA translator will begin editing claims for discharge hour on final inpatient claims. If a claim was submitted without the discharge hour the claim will be dropped from the submission (IG edit). At this time, Direct Data Entry (DDE) has not been updated to accept discharge hour. It is important to bill the appropriate value in the discharge hour field. Listed below are the correct values for discharge hour.

Code Time- a.m. Code Time- p.m.

00 12:00-12:59 Midnight 12 12:00-12:59-Noon

01 01:00-01:59 13 01:00-01:59

02 02:00-02:59 14 02:00-02:59

03 03:00-03:59 15 03:00-03:59

04 04:00-04:59 16 04:00-04:59

05 05:00-05:59 17 05:00-05:59

06 06:00-06:59 18 06:00-06:59

07 07:00-07:59 19 07:00-07:59

08 08:00-08:59 20 08:00-08:59

09 09:00-09:59 21 09:00-09:59

10 10:00-10:59 22 10:00-10:59

11 11:00-11:59 23 11:00-11:59

99 Hour Unknown

This information was previously communicated in a provider bulletin dated March 7, 2004 (Change Request 2028, A-02-014). http://www.marylandmedicare.com/pages/mdmedicare/provider_relations/pdf/CR2028_A-02-014.pdf

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANGERIAL MEMBERS OF THE PROVIDER/SUPPLIER STAFF. BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE FROM OUR WEB SITE AT www.marylandmedicare.com

---

HIPAA Guidance December 17, 2003

TO:                  All Providers
FROM:            CareFirst of Maryland, Inc.
DATE:             December 17, 2003

SUBJECT:       Additional Guidance Relating to Health Insurance Portability and Accountability Act (HIPAA) Contingency Plan Implementation

This bulletin provides further guidance for operating under Medicare’s contingency plan for HIPAA. You may not add new users of legacy inbound formats. The contingency plan for the claim applies to submitters sending claims to Medicare prior to October 16, 2003, and it applies to receivers who were receiving electronic remittance advice prior to October 16, 2003.

Effective immediately:

• New electronic submitters may only test on the HIPAA format for inbound claims;

 

• New electronic submitters may only go into production on the HIPAA format for inbound claims;

 

• New electronic remittance receivers may only test and go into production on the HIPAA format; and

 

• Any entity (e.g., clearinghouse) currently receiving electronic remittance advice may not add a new provider receiving electronic remittance advice in a pre-HIPAA format.

 

Submitters must move their entire workload into production within 30 days after they have successfully completed testing of the HIPAA claim format.

If you have any questions on HIPAA claims submission or HIPAA remittance advice, please contact:

Kenya McEachern-Todd 410-561-4299
Debbie Leary 410-561-4122
Wayne Piotrowski 410-561-4145
Joe Yurfest 410-561-4003

(Source: Joint Signature Memorandum- November 25, 2003)

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER/SUPPLIER STAFF. BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE FROM OUR WEBSITE AT www.marylandmedicare.com

---

CMS Companion Document for the Accredited Standards Committee (ASC) X12N 276/277 Health Care Claim Status Request & Response - October 21, 2003

TO:                  All Providers
FROM:            CareFirst of Maryland Inc.
DATE:             October 21, 2003

RE:                   CMS Companion Document for the Accredited Standards Committee (ASC) X12N 276/277 Health Care Claim Status Request & Response

X12N 276/277 Companion Document

The table provided below indicates those segments or data elements in the X12N 276/277

Implementation Guide version 4010A1 that allow for Medicare to specify its business requirements. The information describes specific requirements used by CareFirst Medicare A 00190. The information in this document is subject to change. Changes will be communicated in the Intermediary News, periodic news bulletin and/or on CareFirst Medicare A Web site:  www.marylandmedicare.com.

General Requirements:

Data elements that are defined by a previous qualifier will contain valid and appropriate information for the noted qualifier.

Examples:

o          If ISA07 has a value of “28” indicating a fiscal intermediary ID Number, then ISA08 will contain a valid Fiscal Intermediary ID Number.

o          If NM108 has a value of “24” indicating an EIN, then NM109 will contain a valid EIN for the identified provider.

CareFirst Medicare A will process your request for claim status information in batch form.

Upon receipt of your 276, we will generate the following:

Local reject report for interchange control errors within 24 hours.  277 within 24 hours.

CareFirst Medicare A will process your 276 as identified in the implementation guide and create a 277 as identified in the implementation guide. At least the minimum response data will be sent.

CareFirst Medicare A keeps it's online paid claims file for 27 months. After that time, paid claims are stored in an off-line paid claims history file. A 276 inquiry for a claim that has reached history, will result in a 277 response with a health care claim status code “35” (claim not found).

The 276 transaction must utilize delimiters as defined in the standard. The delimiters selected must not occur in the transmitted data elements. The delimiters used in a 277 response or in an acknowledgment may not necessarily be the same as the delimiters submitted in the original 276 request transaction.

All alphabetic characters in the 277 transaction will be upper case. If lower case characters are included in the 276 request, they will be converted to upper case for data storage and return processing purposes.

Multiple functional groups (GS to GE segments) can be sent in one interchange (ISA to IEA segments). Multiple 276s or 277s (ST through SE) can be included in a single functional group.

For Medicare the subscriber and patient are the same person. The Dependent Level hierarchical level is never used.

(Source CR-2742, AB-03-141)

Page	Data Segment Name	Segment or Data Element	Supported Value (s)	Requirement
276 Request Transaction
B.4	Interchange Control Header	ISA05	ZZ	Interchange Identity Qualifier for ISA06Submitter uses the “ZZ” value
B.4	Interchange Control Header	ISA06		Interchange Sender ID.   Submitter chooses and enters a value later used by the contractor for sending back the 277.
B.4	Interchange Control Header	ISA07	27, 28	Carrier submitter uses a “27”; intermediary submitter uses a “28” as the Interchange ID Qualifier for ISA08.
B.5	Interchange Control Header	ISA08		Interchange Receiver ID.   Submitter uses the CMS assisted Medicare carrier or intermediary number.
28 addenda	Functional Group Header	GS01		Submitter uses code “HR” to designate the 276.
28 addenda	Functional Group Header	GS02		Submitter uses codes agreed to by trading partners.
28 addenda	Functional Group Header	GS03		Submitter uses codes agreed to by trading partners.
29 addenda	Functional Group Header	GS05		Submitter uses the recommended HHMM format.
55	Payer Name	NM108	PI	Submitter uses the code “PI” to identify that the carrier or intermediary identifier will follow.
56	Payer Name	NM109		Submitter uses the identifier provided by the carrier or intermediary.
57	Payer Contact Information			This segment is not needed for Medicare.
63	Information Receiver Name	NM108	46	This is the individual or organization requesting to receive the status information.
68	Provider Name	NM108	SV	Submitter uses the “SV” qualifier for the Medicare provider number in NM109.
69	Provider name	NM109		Submitter enters the Medicare provider number.
75	Subscriber name	NM108	MI	Submitter uses the “MI” qualifier for the patient’s Medicare health insurance claim (HIC) number entered in NM109.
76	Subscriber Name	NM109		Submitter enters the patient’s Medicare health insurance claim (HIC) number.
14 addenda	Group Number	REF		This segment is not used for inquiries to Medicare.
277 Response Transaction
B.4	Interchange Control Header	ISA05	27, 28	Contractor enters the valid code as a qualifier for ISA06 for Carrier or Intermediary Identification Number as assigned by CMS.   Carriers enter “27” and intermediaries enter “28”.
B.4	Interchange Control Header	ISA06		Contractor enters the Carrier or Intermediary Identification Number as assigned by CMS.
B.4	Interchange Control Header	ISA07	ZZ	Contractor enters the “ZZ” Qualifier for ISA08.
B.5	Interchange Control Header	ISA08		Contractor enters the ID number assigned by the 276 submitter in the 276, ISA06.
28 addenda	Functional Group Header	GS01	HN	Contractor uses code “HN” to designate the 277
28 addenda	Functional Group Header	GS02		Contractor uses the code agreed to by trading partners.
28 addenda	Functional Group Header	GS03		Contractor uses the code agreed to by trading partners.
29 addenda	Functional Group Header	GS05		Contractor enters the recommended HHMM format.
131	Payer Name	NM108	PI	Contractor enters the “PI” qualifier for NM109.
132	Payer Name	NM109		Contractor enters identification code.

 

(Source CR-2742, AB-03-141)

The effective date for this bulletin is October 27, 2003

The implementation date for this bulletin is October 27, 2003.

---

HIPAA Provider Outreach Activities May 2, 2003

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: May 2, 2003
SUBJECT: HIPAA Provider Outreach Activities

The April 14, 2003 HIPAA privacy deadline and the April 16, 2003 testing deadline, have passed, and the October 16, 2003 deadline for compliance with the HIPAA electronic transactions and code set standards is approaching quickly. Many providers are only now starting to think about what they need to do to become HIPAA compliant. To avoid being a HIPAA covered entity, some consultants are suggesting that providers consider switching from electronic transmission to paper claims. Their advice is extremely shortsighted and certainly not a panacea, especially for Medicare providers. Consider the following:

Requirement to go to electronic claims

Medicare will not accept paper claims, effective October 16, 2003. There will be exceptions for small providers and under other limited situations. Regulations are expected soon.

Negative fiscal impact of paper claims

Processing paper claims takes longer than electronic claims and has an increased rate of error.  Faster payment can be made for electronic claims submitted to Medicare. Electronic Medicare claims can be paid 14 days after they are received while paper claims cannot be paid before 28 days after receipt. In addition, processing paper claims has increased administrative, postage and handling costs.

Changes to business processes

Switching from electronic transmission to paper claims would have numerous repercussions on the business processes of your office. Remember that HIPAA transactions include more than just claims submission. Providers often conduct eligibility queries, claim status queries, and referral transmission electronically. All of these would have to be done on paper to avoid being a HIPAA covered entity, ultimately leaving less time for patient care and more time devoted to administration. However, you could decide to do some paper transactions and some electronic transactions, but remember that the electronic transactions must be HIPAA compliant.

General HIPAA Information

What is HIPAA?

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. There are four main areas that comprise administrative simplification:

1. Electronic Transactions and code sets
2. Unique Identifiers
3. Privacy
4. Security

What are the HIPAA transactions?

Electronic Transaction Standards have been developed for the following exchanges of information that providers conduct:

1. Health care claims or equivalent encounter information;
2. Health care payment and remittance advice;
3. Health care claims status
4. Eligibility inquiry
5. Referral certification and authorization
6. Claims attachment (standards forthcoming)
7. First report of injury (standards forthcoming)

What is a HIPAA covered entity?

Under HIPAA, all health care clearinghouses, all health plans, and those health care providers that conduct certain transactions in electronic form or who use a billing service to conduct transactions on their behalf are considered covered entities.

What is “electronic’?

The term “electronic” is used to describe moving health care data via the Internet, an extranet, leased lines, dial-up lines such as for “direct data entry”, or DDE, private networks, point of service, and health data that is physically moved from one location to another using magnetic tape, disk or CD media. For example, if a provider transmits information electronically by transmitting claims, conducting eligibility queries, conducting claim status queries or referrals, they would be considered a covered entity under HIPAA.

A benefit to consider

HIPAA efficiencies include using the same format for all payers rather than separate formats for each payer, as is often done today.

HIPAA Deadlines:

April 14, 2003 Privacy - all covered entities except small health plans.

April 16, 2003 Electronic Health Care Transactions and Code Sets - all covered entities must have started internal software and systems testing.

October 16, 2003 Electronic Health Care Transactions and Code Sets - all covered entities that filed for an extension and small health plans.

April 14, 2004 Privacy - small health plans.

April 21, 2005 Security - all covered entities except small health plans.

April 21, 2006 Security - small health plans.

Where to go for help:

CMS website: http://www.cms.hhs.gov/hipaa/hipaa2

HIPAA hotline: 1-866-282-0659

AskHIPAA mailbox, send an email to askhipaa@cms.hhs.gov

For more information on privacy, visit http://www.hhs.gov/ocr/hipaa.

For privacy questions, call 1-866-627-7748

(Source: CMS Joint Signature Memorandum dated April 25, 2003)

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE  PROVIDER/SUPPLIER STAFF. ALL BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE AT NO COST FROM OUR WEB SITE AT www.marylandmedicare.com.

Questions regarding this bulletin should be directed to the provider relations department at (866) 488-0545.

---

Free Health Insurance Portability and Accountability Act Billing Software April 1, 2003

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: April 1, 2003

SUBJECT: Free Health Insurance Portability and Accountability Act (HIPAA)

Billing Software

This is to inform you that the Centers for Medicare & Medicaid Services (CMS) will continue support of the free Health Insurance Portability and Accountability Act billing software through FY 2004 and beyond. CMS initially intended to phase out the free billing software during FY 2004 since we expected that providers would experience the benefits of electronic billing by using our basic free billing software and would procure or develop more sophisticated practice management or billing software that performed additional functions. However, due to the continued provider requests and use of the free billing software, and recognizing that most providers will be mandated to send claims electronically to Medicare, CMS has decided to continue support of the free billing software.

Questions regarding this bulletin should be directed to the provider relations department at (866) 488-0545.

THIS BULELTIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER/SUPPLIER STAFF. ALL BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE AT NO COST FROM OUR WEB SITE AT www.marylandmedicare.com.

---

Medicare Fee for Service Contractor Guidance on the HIPAA Privacy Rule - March 20, 2003

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: March 20, 2003

SUBJECT: Medicare Fee for Service Contractor Guidance on the HIPAA Privacy Rule

Medicare Fee for Service Contractor Guidance on the HIPAA Privacy Rule

The purpose of this bulletin is to provide guidance in describing the roles of Medicare FFS contractors (i.e., fiscal intermediaries, carriers, DMERC and Program Safeguard Contractors) and the Centers for Medicare & Medicaid Services (CMS) in implementing the “Standards for Privacy of Individually Identifiable Health Information” (“Privacy Rule”) for the Original Medicare (“Original Medicare”) Fee-For-Service (FFS) Health Plan. This guidance summarizes the operational activities that are being developed to ensure Original Medicare’s compliance with the Privacy Rule by the April 14, 2003 compliance date required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Privacy Rule applies to three types of entities, which collectively are termed “covered entities” and are subject to the requirements of HIPAA. The covered entities are health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically.

The Privacy Rule applies to Original Medicare, which under the Rule is a health plan and therefore a “covered entity.” CMS is responsible for ensuring that Medicare complies with the privacy standards.

The Privacy Rule is based on the same fair information principles that are found in the Privacy Act of 1974, and are now generally extended to the public and private sectors of the health care delivery system. The Privacy Rule applies to protected health information as defined by the Rule while the Privacy Act protects records with individually identifiable information held by Federal agencies.  The Privacy Act continues to apply to Medicare and Medicare FFS contractors in their day-to-day operations.

In addition to the summary, CMS has developed a list of questions and answers that follow. They are available from the CMS Web site at http://cms.hhs.gov/contractors/.

Privacy Rule Requirements

The Department of Health and Human Services (HHS) issued the Privacy Rule (45 CFR Parts 160 and 164, 65 Federal Register 82462 as amended by 66 FR 12434). The HHS Office for Civil Rights (OCR) is responsible for providing outreach and technical assistance to covered entities and for enforcement. The OCR maintains information on the Privacy Rule at http://www.hhs.gov/ocr/hipaa/, including Frequently Asked Questions. Listed below is a brief description of the Privacy Rule requirements, how the requirements apply to Medicare, and how CMS central office is operationalizing them.

Business Associates

Most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses.  The Privacy Rule allows providers and plans to give protected health information (PHI) to their “business associates” as long as they have satisfactory assurances and document those assurances, typically by contract, that business associates will safeguard the information.

The privacy modifications issued by HHS on August 14, 2002, (67 Federal Register 53182) contain Sample Business Associate Contract Provisions that covered entities may use. Covered entities may have up to an additional year to change existing written contracts to come into compliance with business associate requirements, that is, by April 14, 2004.

As a Medicare contractor that participates in FFS claims processing, you are a business associate of the Original Medicare plan. When your Medicare contract is modified, the business associate provisions will be added. These provisions will also address your responsibility to ensure that your subcontractors or agents to whom you disclose Medicare data agree, by contract, to safeguard any PHI as well. Your contract will continue to include language that applies to contractors who maintain or operate a Privacy Act protected systems of records on Medicare’s behalf.

Notice of Privacy Practices

The Privacy Rule requires each covered entity to develop and provide a plain language notice that describes its legal duties, the uses and disclosures of protected health information that it may make, and individual rights and how to exercise them.

Since CMS is responsible for Original Medicare, CMS developed a Notice of Privacy Practices, effective on April 14, 2003, for Medicare beneficiaries. Medicare’s privacy notice was provided to beneficiaries for the first time in the 2003 Medicare & You handbook that was mailed beginning in October 2002. New enrollees will receive the privacy notice when the handbook is mailed (within 30 days of Medicare entitlement).

Since Medicare’s privacy notice describes the uses and disclosures of PHI in the day-to-day operations of Medicare (including Medicare FFS contractors), you are not to develop a separate privacy notice for Medicare beneficiaries.

Authorization

The Privacy Rule requires an individual’s written authorization in order for a covered entity to use or disclose PHI for purposes other than treatment, payment, or health care operations.

CMS is developing a model authorization for beneficiaries or their personal representatives to request disclosure of PHI to third parties. The model will contain the elements for compliance with both the Privacy Rule and Privacy Act requirements. As soon as the model authorization form is available, it will be shared with our contractors. Until then, continue to use authorizations under existing customer service procedures.

Opportunity to Agree/Object

The Privacy Rule permits covered entities to disclose PHI to persons who are family members or relatives of, or other persons identified by, the individual, and are currently involved in the individual’s health care or payment for health care. Covered entities may disclose PHI when the individual is present and agrees to the disclosure being made to the person involved in his or her health care.

You may continue to handle routine inquiries, such as telephone requests for the status of claims, under existing customer service procedures that include verification of the individual’s identity.  Therefore, with the beneficiary’s verbal or written permission, you may continue to speak with third parties on behalf of the individual. Refer to Change Request 2237, Transmittal AB-02-094, dated July 3, 2002, for instructions on disclosing individually identifiable information over the phone.

You may also continue to handle Congressional inquiries under existing customer service procedures that include verification of the individual’s identity and authority.

Individual Rights and Complaints

The Privacy Rule gives individuals rights with respect to their PHI. These rights are listed in the covered entities’ privacy notices, and include the right to inspect, copy, and amend the individual’s PHI, the right to request restrictions, confidential communications, accounting of disclosures, paper copy of privacy notice, and filing complaints.

Medicare’s Notice of Privacy Practices informs beneficiaries who are interested in exercising individual rights and filing complaints to go to www.medicare.gov or call 1-800-MEDICARE (1- 800-633-4227). The Web site and Customer Service Representatives at 1-800 MEDICARE will provide information on how to exercise individual rights and file complaints.

Medicare is establishing a centralized process by April 14, 2003, to respond to beneficiary requests to exercise individual rights and to complain. If procedures are in place prior to the effective date, central office will respond to written requests and complaints. Central office is establishing a process to be able to respond to requests specific to the Privacy Rule by April 14, 2003. Requests that fall under the Privacy Act or other existing information authority will continue to be processed according to existing procedures. 

We do not anticipate that our Medicare FFS contractors will be responding to beneficiary requests to exercise individual rights and filing complaints. Your role is limited to referring beneficiary inquiries and complaints to central office.

Administrative Requirements

As Medicare’s business associate, you are not subject to the administrative requirements of the Privacy Rule (but business associates may also be covered entities in their own right and therefore subject to the Rule’s requirements). However, under the Privacy Act, you are Medicare’s agent and therefore must comply with the privacy provisions specified in your contract.

Compliance Date

Covered entities, including the original Medicare plan, are required to be in compliance with the provisions of the Privacy Rule by April 14, 2003 (April 14, 2004, for small health plans). The Administrative Simplification Compliance Act (ASCA) does not affect the Privacy Rule’s compliance. The ASCA instead enabled covered entities other than small health plans, (which already had the later compliance date), to obtain a one-year delay in the date on which they must comply with the requirements of the Transactions Rule, or the “Standards for Electronic Transactions” (published on August 17, 2000). For those entities that obtained an extension under ASCA, their new compliance date is October 16, 2003.

ATTACHMENT

COVERED ENTITY

Question: Is CMS a “covered entity” under HIPAA?

Answer: The Federal health programs that CMS administers are health plans, as defined in HIPAA, and therefore covered entities subject to the Privacy Rule. The health plans are:

• Part A or Part B of the Medicare program under Title XVIII;
• Medicaid program under Title XIX;
• State Children’s Health Insurance Program (SCHIP); and
• Medicare+Choice (M+C) program and other Medicare health plans.

CMS is directly responsible for ensuring that the Medicare Fee-For-Service (FFS) program, also known as the Original Medicare Plan, complies with the Privacy Rule by the April 14, 2003 compliance date. For the Medicaid and SCHIP programs, the appropriate State Agency is responsible for ensuring compliance with privacy requirements. M+C plans are covered entities subject to the Privacy Rule in their own right and responsible for their own compliance.

BUSINESS ASSOCIATES

Question: Are Medicare Fee-For-Service contractors (i.e., intermediaries, carriers, DMERC and program safeguard contractors) considered business associates of Medicare (the covered entity)?

Answer: Medicare FFS contractors are business associates of Medicare under the Privacy Rule.

Question: As business associates of Medicare, will Medicare FFS contractors be required to execute a HIPAA business associate contract with CMS? If so, will the business associate contract require that Medicare FFS contractors sign HIPAA-compliant “business associate” agreements with all subcontractors of Medicare FFS contractors? Will CMS provide a “model” contract for this purpose or can Medicare FFS contractors use their own corporate business associate agreements for subcontracts?

Answer: Your contract with CMS will be modified the earlier of the date the contract is up for renewal or April 14, 2004. The contract and any subcontracts that you have must include specific subsections in the Appendix to the Preamble - Sample Business Associate Contract published in the modifications to the HIPAA Privacy Final Rule (FR Vol. 67, No. 157, p. 53264, dated 8/14/02).  These provisions address your responsibility to ensure that your subcontractors or agents to whom you disclose Medicare data agree, by contract, to safeguard all protected health information.

Your contract will continue to include language that applies to contractors who maintain or operate a Privacy Act protected Systems of Records on CMS behalf.

Question: Does the 1-year extension for existing contracts provide an additional 1-year (i.e., April 2004) for Medicare FFS contractors to update the contract with CMS and all subcontracts?

Answer: Not exactly. The Final Privacy Rule, as amended, provides that prior contracts and subcontracts shall be “deemed” compliant until the earlier of April 14, 2004 or the date such contract is renewed or modified after the compliance date of April 14, 2003.

Question: If Medicare is doing a common audit for a State Medicaid Agency, will the Program Safeguard Contractor (PSC) need a business associate contract with the State Agency?

Answer: Yes. The PSC will need a business associate contract with that state agency whenever there is the likelihood that the PSC would be handling protected health information during the course of the audit.

Question: Are physicians or other providers considered business associates of a health plan or other payer?

Answer: This question is answered in the Frequently Asked Questions (FAQ), published by OCR on October 2, 2002. It states, "Generally, providers are not business associates of payers. For example, if a provider is a member of a health plan network and the only relationship between the health plan (payer) and the provider is one where the provider submits claims for payment to the plan, then the provider is not a business associate of the health plan. A business associate relationship could arise if the provider is performing a function on behalf of, or providing services to, the health plan (e.g. case management services). See the discussion at 67 Fed. Reg. 14776, 14788 (March 27, 2002) concerning this issue."

CMS PRIVACY RULE IMPLEMENTATION

Question: What has CMS done to implement the Privacy Rule?

Answer: To ensure Medicare’s compliance by April 14, 2003, CMS developed and implemented a 3-phased plan that was approved by the Agency’s Beneficiary Confidentiality Board (BCB). The BCB has executive oversight of CMS’s privacy implementation plan as well as for the ongoing compliance program to ensure continued adherence to privacy requirements.

The Agency-wide plan was implemented in June 2001 and includes the following phases:

• Identifying agency activities subject to privacy requirements;

• Baseline assessment and gap analysis; and

• Workplan, implementation, and verification.

CMS’s identification of its business functions subject to privacy requirements and assessment of gaps were very useful in planning for agency-wide compliance with new privacy standards (e.g., Notice of Privacy Practices, authorizations).

Question: As business associates of Medicare, can you clarify what the expectations of Medicare FFS contractors are going to be with respect to conducting a privacy assessment?

Answer: Currently, under the Privacy Act, you only use that information which is necessary to carry out the work of the Medicare program. There is no new requirement to perform assessments of uses, disclosures or minimum necessary requirements under the Privacy Rule.

BUDGET

Question: Will HIPAA privacy activities of Medicare FFS contractors be funded?

Answer: No additional funding will be provided by CMS; contractor activities are to be carried out within the FY03 operating budget.

Question: Will the HIPAA privacy regulations necessitate system changes?

Answer: No new systems changes are required by these instructions.

NOTICE OF PRIVACY PRACTICES

Question: As “individuals”, Medicare beneficiaries are entitled to receive a Notice of Privacy Practices. Who will issue the notice and when will it be distributed?

Answer: CMS developed a Notice of Privacy Practices, effective on April 14, 2003, for Medicare beneficiaries. Since Medicare’s privacy notice describes the uses and disclosures of individually identifiable information in the day-to-day operations of Medicare and its contractors, you are not to develop a separate privacy notice for Medicare beneficiaries.

Medicare’s Notice of Privacy Practices was provided to beneficiaries for the first time in the 2003 Medicare & You handbook that was mailed to beneficiaries beginning in October 2002. New enrollees will receive the privacy notice when the handbook is mailed (within 30 days of Medicare entitlement).

Question: When a beneficiary calls a contractor and wants a copy of the Notice of Privacy Practices, what action should the contractor take?

Answer: You can tell beneficiaries that their copy of Medicare’s privacy notice is in their 2003 Medicare & You handbook on pages 50-53, and is also posted on Medicare’s Web site at www.medicare.gov.

Question: How will a Medicare beneficiary know how to exercise his/her individual rights identified in the Notice of Privacy Practices?

Answer: Medicare’s Notice of Privacy Practices informs beneficiaries who are interested in exercising individual rights to go to www.medicare.gov or call 1-800-MEDICARE. Customer Service Representatives (CSR) at 1-800-MEDICARE will have scripts to answer questions regarding exercising individual rights and filing complaints.

Question: How will Medicare handle a beneficiary’s request to exercise his/her individual rights under the Privacy Rule?

Answer: The individual rights include the right to inspect and copy protected health information, amend protected health information, the right to request restrictions, confidential communications, accounting of disclosures, a paper copy of the privacy notice, and how to file complaints.

CMS is responsible for responding to beneficiary inquiries about individual rights. CMS is establishing a centralized process using existing customer service resources. This integrated operation will enable Medicare to respond to written beneficiary inquiries on individual rights (and also handle complaints) by April 14, 2003. If procedures are in place prior to the compliance date, central office will respond to written inquiries and complaints. Where procedures are still being developed, central office will send a written acknowledgement that the inquiry/complaint cannot be processed at the present time and that a response will be sent on or shortly after April 14, 2003.

We do not anticipate that our Medicare FFS contractors will be responding to beneficiary inquiries on individual rights and complaints. Your role is limited to referring beneficiary inquiries and complaints to central office.

If you receive a request from a beneficiary explicitly wishing to exercise his/her individual rights under the Privacy Rule, advise him or her to send a written request to (or forward it if you receive a written request):

HIPAA Privacy
P.O. Box 8050
U. S. Department of Health and Human Services
Centers for Medicare and Medicaid Services
7500 Security Boulevard
Baltimore, MD 21244-1850

Process requests that are not explicitly Privacy Rule requests according to the current procedures outlined below.

ACCESS & AMENDMENT

Question: Will CMS or the contractors provide beneficiary access under the Privacy Rule?

Answer: CMS is responsible for responding to beneficiary requests for access to records under the Privacy Rule. Medicare FFS contractors should only respond to those requests for information related to payment of a claim, for which you are already responsible under the contract under existing customer service procedures.

Question: Please explain the relationship between requests for access under the Freedom of Information Act (FOIA), the Privacy Act of 1974, and the Privacy Rule, including the timeliness standards.

Answer: CMS provides numerous individuals and organizations access to a broad array of information under many statutes, including FOIA and the Privacy Act. FOIA and Privacy Act requests will continue to be handled according to current procedures and timeliness standards. A FOIA request for access to public records requires CMS, as a Federal Agency, to provide the fullest possible disclosure of its records to the public, subject to certain exceptions (e.g., proprietary information, national defense risks). The Privacy Act requires CMS to provide access for individuals to their personal information maintained in a System of Records. Note that an individual’s request under the Privacy Act to access his or her records must specify a Privacy Act System of Records and must be addressed to the system manager identified in the Federal Register notice.

A Privacy Rule request for access is separate from both FOIA and the Privacy Act and has it own timeliness standards associated with it. Requests for access under the Privacy Rule will be handled through CMS’ centralized process.

Question: Are simple telephone inquiries, such as asking about the status of a claim or requesting a duplicate Medicare Summary Notice, considered a HIPAA request for access?

Answer: No. You should continue to handle routine inquiries under existing customer service procedures.

Question: Will contractors be responsible for amendments to beneficiary records?

Answer: No. CMS is responsible for handling beneficiary requests to amend the record under the Privacy Rule. This is part of the centralized process being developed and implemented to respond to beneficiaries’ requests regarding individual rights. Therefore, you will not be responding to requests to amend records.

Only a request from a beneficiary that explicitly states that he/she wishes to exercise his/her individual rights under the Privacy Rule will be handled through the centralized process. Other requests for changes to claims or payment records, such as an appeal or change of address request, are not considered Privacy Rule requests for amendments, and should be handled according to current procedures.

Please note, however, that if the request for amendment involves medical records, you should explain that, except in rare circumstances, only the source of the medical record (i.e., the provider) may make changes to the record.

ACCOUNTING FOR DISCLOSURES

Question: Do Medicare FFS contractors have to account for disclosures under the Privacy Rule?

Answer: No. Under the Privacy Act, you are only allowed to use individually identifiable information in the course of your Medicare business. In June 2000, CMS issued CR 1156, Transmittal AB-00-46 entitled, HCFA Policy for Disclosure of Individually Identifiable Information. Those instructions state that any disclosure of individually identifiable information without prior consent from the individual to whom the information pertains, or without statutory or contract authorization, requires CMS’ prior approval. CMS uses Data Use Agreements to track all disclosures that are authorized by CMS (e.g., General Accounting Office, OIG [Office of Inspector General]).

CMS is responsible for responding to beneficiary requests on accounting of disclosures under the Privacy Rule. This is part of the centralized process being developed and implemented to respond to beneficiaries on individual rights. Therefore, you will not be responding to requests for an accounting of disclosures.

Question: Is it a disclosure when a Medicare FFS contractor provides claims files to the Office of the Inspector General (OIG) for audit sampling purposes?

Answer: Yes. The Privacy Rule would consider these to be disclosures by a business associate of the covered entity. The disclosures though are permissible under several avenues: as health care operations, as required by law, or as required for the investigation and prevention of fraud and abuse. Note that disclosures for health care operations are not required to be included in any accounting of disclosures.

RIGHT TO RESTRICT/CONFIDENTIAL COMMUNICATIONS

Question: Will Medicare FFS contractors be responsible for responding to requests to restrict the use of an individual’s protected health information?

Answer: CMS is responsible for responding to beneficiary requests to restrict. This is part of the centralized process being developed and implemented to respond to beneficiaries on individual rights. Therefore, you will not be responding to requests to restrict.

Question: Will Medicare FFS contractors be responsible for responding to requests for confidential communications?

Answer: Current regulations and existing agreements with the Social Security Administration are extremely prescriptive, often governing precisely how CMS can respond to requests for confidential communications.

Operationally, we can only maintain one address at a time. Because of this, routine change of address requests should be handled according to current change of address procedures. Follow instructions found at Part 3, §7009 of the Medicare Carrier Manual or Part 3, §3717.1 of the Medicare Intermediary Manual entitled Beneficiary Address Change to carry out routine requests for change of address.

COMPLAINTS

Question: Will contractors handle complaints about privacy violations at the contractor level or will they be handled by CMS?

Answer: Medicare’s Notice of Privacy Practices informs individuals of the right to file complaints about Medicare’s privacy practices with either Medicare or the Secretary of Health and Human Services. The privacy notice refers individuals to www.medicare.gov or 1-800-MEDICARE for further information on filing a complaint.

If you receive a complaint from an individual concerning Medicare’s privacy practices, advise him or her to send a written complaint to (or forward it if you receive a written request):

Privacy Complaints
P.O. Box 8050
U. S. Department of Health and Human Services
Centers for Medicare and Medicaid Services
7500 Security Boulevard
Baltimore, MD 21244-1850

Central office is responsible for maintaining a record of complaints and their resolutions, if any.  This is part of the centralized process being developed and implemented for individual rights.

An individual also has the right to complain to the Secretary of HHS. OCR is expected to issue guidance on how an individual may submit his/her complaints to the Secretary.

AUTHORIZATIONS

Question: Under the Privacy Act of 1974, Medicare currently requires authorizations for disclosures of individually identifiable information to third parties, however, the level of detail required in the authorization under the Privacy Rule is greater. Will CMS create a blanket authorization form containing the core elements outlined in the Privacy Rule?

Answer: CMS is developing a model authorization for a beneficiary or their personal representative to use to request disclosure of their protected health information to a third party. The model will contain the elements for compliance with both the Privacy Rule and Privacy Act requirements. As soon as the model authorization form is available, it will be shared with our contractors. Until then, continue to use authorizations under existing customer service procedures.

Continue to handle routine inquiries, such as telephone requests for the status of claims, under existing customer service procedures that include verification of the individual’s identity. You may continue to speak with third parties on behalf of the individual after you obtain the beneficiary’s verbal or written permission. Refer to CR 2237, Transmittal AB-02-094, dated July 3, 2002, entitled

Disclosure Desk Reference for Call Centers for instructions on disclosing individually identifiable information over the phone.

Question: Does the HIPAA Privacy Rule allow for verbal authorizations?

Answer: The Privacy Rule permits a covered entity to disclose to any person identified by the individual the protected health information directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s care. Therefore, a verbal authorization is allowed under the Privacy Rule for those individuals involved in the care of an individual.

ADMINISTRATIVE REQUIREMENTS

Question: Will CMS hold contractors accountable for adhering to HIPAA privacy requirements for covered entities or for business associates?

Answer: As Medicare’s business associate, you are not subject to the administrative requirements of the Privacy Rule. However, under the Privacy Act, you must comply with the privacy provisions specified in your contract.

Question: Will CMS designate a Medicare-wide privacy officer to handle privacy complaints or will each Medicare contractor need to appoint a privacy officer?

Answer: CMS has a Privacy Officer. As our business associates under the Privacy Rule, you are not required to designate a privacy official. However, your contract with CMS requires compliance with the Privacy Act and related regulations and manual instructions concerning disclosures. In June 2000, CMS issued CR 1156, Transmittal AB-00-46, entitled HCFA Policy for Disclosure of Individually Identifiable Information. Those instructions require you to have in place a senior official or other responsible party to address the privacy concerns of your organization and to establish an internal control system to monitor compliance with privacy requirements.

Question: Will Medicare FFS contractors be expected to do any privacy training?

Answer: The Privacy Rule requires that a covered entity train employees on its privacy policies and procedures with respect to protected health information by April 14, 2003. To comply with the training requirement, CMS employees are required to complete computer-based training on protecting the privacy and security of CMS’ data.

As Medicare’s business associate, you are not subject to the Privacy Rule’s requirement to train your staff specifically on the Privacy Rule. However, under the Privacy Act, you are required to ensure that your employees understand their responsibility to protect the privacy and confidentiality of the Agency’s records.

MISCELLANEOUS

Question: What is the relationship between the Privacy Act and the Privacy Rule?

Answer: Medicare is subject to the Privacy Act of 1974 as well as other applicable Federal statutes, regulations, instructions, and memoranda that relate to protecting individually identifiable information. Your Medicare contract requires compliance with these privacy requirements to protect the individually identifiable information that is needed to perform business functions for program administration, such as claims processing and program integrity.

In June 2000, CMS issued CR 1156, Transmittal AB-00-46, entitled HCFA Policy for Disclosure of Individually Identifiable Information. Those instructions enunciated the policy of CMS regarding the disclosure of individually identifiable information that is acquired and maintained under authority of Title XVIII of the Social Security Act, by Medicare fiscal intermediaries and carriers.  It is CMS' policy that any data collected on behalf of CMS in the administration of your Medicare contract belongs to CMS. Any disclosure of individually identifiable information without prior consent from the individual to whom the information pertains, or without statutory or contract authorization, requires CMS’ prior approval. The PM did not communicate a change, but rather a reminder of the existing policy.

Privacy provisions that currently apply to Federal Agencies under the Privacy Act are now extended through the Privacy Rule to covered entities in both the public and private sectors of the health care delivery system. The Privacy Act continues to apply to Medicare and Medicare FFS contractors.  Additionally, Medicare is subject to the Privacy Rule as a health plan. As Medicare operates under both the Privacy Act and the Privacy Rule, CMS has determined how the provisions interact with each other as it uses personally identifiable information in its day-to-day operations. For example, a use or disclosure that is permitted under the Privacy Rule (e.g., to facilitate cadaveric organ donation and transplants), but not published in a Federal Register notice as a routine use in a CMS system of records would not be permitted for Medicare. We do not currently see any significant changes in the way the Medicare FFS contractors conduct Medicare business. If in the future we determine that the Privacy Rule necessitates changes in the way you do the work of the Medicare program, you will be notified.

Question: Is there any operational difference between what is protected under the Privacy Act and the Privacy Rule?

Answer: In the operation of the Medicare program, the difference between the Privacy Act and the Privacy Rule is the applicability to deceased individuals. The Privacy Act protects the identifiable information about living individuals only. Once an individual dies, his/her information is no longer protected under the Privacy Act. The Privacy Rule, however, protects protected health information (PHI) held by a covered entity regardless of whether the individual is living or deceased.

Question: The HIPAA Privacy Rule does not preempt more stringent state laws. Will contractors in such states be subject to additional privacy requirements? If so, how will those requirements be communicated, made part of contractors’ work expectations, and funded? If not, what is the CMS rationale for denying additional state requirements on Medicare FFS contractors?

Answer: Medicare is a national program that is administered under Federal statute and regulation.  CMS administers Medicare through our Medicare FFS contractors and you are required to operate in accordance with statutory and regulatory requirements and CMS administrative direction.

When considering the provisions of HIPAA, Congress expressly intended to defer to more stringent state laws that conflict with provisions in the Privacy Rule. The Privacy Rule therefore explicitly preempts conflicting state law provisions, unless they are more stringent or more protective of the individual’s rights. Since the federal law expressly preserves more stringent state laws, and because of the complexity of this issue, you should anticipate further guidance on this from CMS as related issues arise.

Question: Do providers need to get an authorization from the beneficiary before they can share information that is needed to process the claim with the Medicare contractor?

Answer: There is no requirement to obtain an authorization from the beneficiary for treatment, payment, and health care operations. The provider should be informed that you will be unable to make payment for the claim if he/she fails to provide you the information you need to process his/her Medicare claim.

Question: Will CMS be changing any of the requirements recently issued via CR 2237 – Disclosure Desk Reference for Call Centers, as a result of the more stringent guidelines of HIPAA? For example, callers other than the individual that have a copy of the Explanation of Benefits (EOB) or Medicare Summary Notice (MSN) are allowed to discuss information relative to services appearing on that EOB/MSN even when an authorization has not been provided. Under HIPAA, an authorization is required when releasing PHI to other than the individual.

Answer: CMS will update CR 2237, TN AB-02-94 dated July 3, 2002, entitled Disclosure Desk Reference for Call Centers based on the Privacy Rule in the near future, however, we have determined that the current procedures meet the requirements of the Privacy Rule. In addition, CMS will continue to post clarifications to the call center website (http://cms.hhs.gov/callcenters/QandA.asp).

When an individual has a copy of the EOB/MSN, the Customer Service Representative (CSR) may discuss only what is on the EOB/MSN. It is not considered a disclosure if the individual already has the information. However, no additional information should be released without obtaining an authorization.

Question: The FY 2003 Budget Performance Requests (BPR) require contractors to provide CMS remote access to allow CMS personnel to hear live calls from beneficiaries to CSRs. Since beneficiaries will be discussing PHI, is this a violation of privacy regulations?

Answer: Remote access by CMS personnel is part of CMS’ health care operations and therefore is not a disclosure of information and is not in violation of the privacy regulation.

Question: Must we inform the beneficiary that the contractor and CMS staff may listen to live phone calls? Please confirm if the contractors need to expand their telephone message to include that CMS may listen.

Answer: CMS is the covered entity. Contractors are business associates of CMS. Therefore remote monitoring of calls is part of CMS’s healthcare operations. We believe a phrase such as, “This call may be monitored to ensure outstanding quality,” will cover both the contractor and CMS staff monitoring calls.

Only CMS staff whose job description permits them to perform remote monitoring will be given access.  Staff are trained to keep this information safe and secure in the same manner that confidential beneficiary information is currently safeguarded.

Question: Current instructions permit a carrier to respond to and disclose PHI to a member of Congress who is representing a beneficiary even though the carrier has no evidence from the beneficiary that the member of Congress has been appointed as his/her Personal Representative. Will this practice be changed?

Answer: You may continue to handle Congressional inquiries under existing customer service procedures that include verification of the individual’s identity.

Question: What is the status of the trading partner agreement between Medicare FFS contractors and COB insurers? When can we look to receive the language and the instructions?

Answer: Currently, we are seeking Office of General Counsel’s (OGC) opinion on a few issues that will influence our ability to issue the standard trading partner agreement, but we remain confident that these will be addressed before the end of the calendar year (CY) 2002. In the interim, our Medicare FFS contractors have been instructed in CR 2216, Transmittal AB-02-095, dated 7/5/02, entitled Prohibition on New Trading Partner Agreements (TPAs) with Certain Entities for the Purpose of Coordination of Benefits (COB) regarding what steps they may take regarding their existing agreements with non-insurers, e.g., healthcare clearinghouses, or third party administrators.  The standard trading partner agreement for the purpose of COB is not designed to be a business associate agreement nor is it to be regarded as a document that will subsume all previously developed EDI agreements (also generically termed “ trading partner agreements).

Question: Will the trading partner agreement be finalized by April 2003?

Answer: The Division of Benefits has every intention of issuing its standard trading partner agreement for the purpose of Coordination of Benefits before the April 14, 2003 compliance date for the Privacy Rule. Once issued, Medicare FFS contractors may begin to use this document for the purpose of entering into agreements for COB purposes with Medigap insurers, other supplemental insurers/employers retiree health plans, multiple welfare trusts, self-insured plans, State Medicaid Agencies, other Federal payers, and related entities.

Question: Currently, contractors are required to send EDI billers an EDI enrollment form for Medicare Electronic Medical Claims (EMC) submissions. Would the EMC submission process require a business associate contract between the contractor and the provider? If a business associate contract is not appropriate, will contractors be required to update the EDI enrollment form as a result of HIPAA Privacy?

Answer: HIPAA’s Administrative Simplification provisions require the Secretary to adopt standards for electronic health care transactions.

The CMS Standard EDI Enrollment Form must be completed prior to submitting electronic media claims to Medicare. Completing the form constitutes an agreement between the provider and Medicare. The purpose of the agreement is to ensure that the provider understands the appropriate uses and disclosures of Medicare beneficiaries’ individually identifiable information.

The relationship between a provider and Medicare is that of two covered entities sharing information for the purposes of treatment, payment, and health care operations. It is not a business associate relationship since neither entity is doing work on behalf of the other. The privacy modifications specifically allow for the sharing of information between two covered entities provided that both entities have or have had a relationship with the individual.

The Privacy Rule does not require the EDI form to be updated.

(Source: Program Memorandum AB-03-034; Change Request 2484)

The effective and implementation date for this instruction is January 1, 2002.

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER/SUPPLIER STAFF. ALL BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE AT NO COST FROM OUR WEB SITE AT www.marylandmedicare.com.

Questions regarding this bulletin should be directed to the provider relations department at (866) 488-0545.

---

0001 Revenue Line Direction for the Health Insurance Portability and Accountability Act (HIPAA) Institutional 837 Health Care Claim - November 21, 2002

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: November 21, 2002

SUBJECT: 0001 Revenue Line Direction for the Health Insurance Portability and

Accountability Act (HIPAA) Institutional 837 Health Care Claim

The HIPAA (version 4010) Institutional 837 references the National Uniform Billing Committee (NUBC) as the maintainer of revenue codes used by the 837. Effective May 9, 2002, the NUBC has limited the use of the 0001 revenue code to non-electronic claims (paper or paper facsimile).

After April 1, 2003, CMS will use the amount in the 2300 loop CLM02 (total claim charge amount) as the total in lieu of the 0001 revenue line amount. Between now and April 1, 2003, CMS will be in a ‘transition’ phase. The 0001 revenue line submitted on test and production claims after April 1, 2003, will be ignored by your shared system (whether you map the 0001 line or not). Your shared system will use CLM02 data, as well as other line item claim data, to create a 0001 line for use in internal processing. For the purposes of generating an 837 COB, your shared system will not enter the 0001 revenue line on the Medicare Part A/coordination of benefits (COB) flat file (flat file) after April 1, 2003, (moving the 0001 line American National Standards Institute (ANSI) codes to a Claim Level Adjustment fields on the flat file). For the purposes of generating an 837 COB, your shared system will generate the flat file total claim charge amount. The 0001 revenue line will not be sent on the outbound 837 COB transaction after April 1, 2003.

For purposes of direct data entry (DDE) processing, there are no changes at this time.

The 450 service lines direction given in Transmittal A-01-20 (CR1533) dated February 5, 2001, is being changed. After April 1, 2003, (and until further notice), intermediaries will map only the first 449 lines of claims exceeding 449 service lines to the flat file. 449 service lines is the threshold so that your shared system can use CLM02 data, as well as other line item claim data, to create a 0001 line for use in internal processing (totaling 450 lines). Your shared system will continue to return to provider (RTP) claims containing 449 lines where the CLM02 amount does not equal the total amount calculated by your shared system.

Until further notice, continue to use the 0001 revenue line for the Medicare 837 version 3051 as CMS maintains the codes used for 3051. Until further notice, continue to use the 0001 revenue line for the Uniform Billing (UB)-92 version 6.0 as this format will no longer be used after the 837 version 4010 is implemented.

(Source: Program Memorandum A-02-119; Change Request 2387)

The effective date for this instruction is November 8, 2002.

The implementation date for this instruction is April 1, 2003.

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER/SUPPLIER STAFF. ALL BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE AT NO COST FROM OUR WEB SITE AT www.marylandmedicare.com.

Questions regarding this bulletin should be directed to the provider relations department at (866) 488-0545.

---

HIPAA Institutional 837 Health Care Claims -DDE Updates - August 20, 2002

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: August 20, 2002

SUBJECT: Health Insurance Portability and Accountability Act (HIPAA) Institutional 837 Health Care Claim - Direct Data Entry (DDE) Updates

Change Request 2028 noted that an instruction would be forthcoming instructing your intermediary to update their DDE systems. This bulletin provides you with information about the standard systems upgrades to DDE systems:

• Allow for only one investigational device exemption number (IDE) per claim (at the claim level);

• Remove employment status code, employer name, and employer address information;

• Allow Other Subscriber Demographic Information (date of birth and gender) if the other subscriber is a person;

• Allow for discharge hour and minute information in the numeric form of HHMM; and

• Allow for correct processing of the unique physicians identifier number in the 2310A

(Attending Physician) loop.

(Source: Program Memorandum A-02-078; Change Request 2211)

The effective date for this instruction is January 6, 2003.

The implementation date for this instruction is January 6, 2003.

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBRS OF THE PROVIDER/SUPPLIER STAFF. ALL BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE AT NO COST FROM OUR WEB SITE AT www.marylandmedicare.com.

Questions regarding this bulletin should be directed to the provider relations department at (866) 488-0545.

CMS-Pub. 60A

---

HIPAA Institutional 837 Health Care Claim Additional Implementation Direction - August 16, 2002

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: August 16, 2002

SUBJECT: Health Insurance Portability and Accountability Act (HIPAA) Institutional 837 Health Care Claim Additional Implementation Direction

This Program Memorandum (PM) provides additional information for intermediaries and their standard systems and is a follow-up to Transmittal A-02-014, dated February 12, 2002. The following information is being provided to you to ensure an accurate HIPAA implementation.

Date of Receipt

Transmittal A-02-014 stated that the date of receipt will be translator generated. This requirement is being modified. The date of receipt is to be generated upon receipt of a claim, prior to transmission of the data to the data center. The intermediary has the responsibility to ensure the correct date of receipt is populated onto the Medicare Part A Claim/Coordination of Benefit (COB) flat file (flat file) before the file gets to the standard system. Section 3600.1 of the Medicare Intermediary Manual, Part 3 further clarifies the reason the intermediaries, rather than the standard system, need to assign the date of receipt. The standard system will process the date of receipt reported in the flat file. If the flat file contains an incorrect date of receipt (e.g., all zeros), the flat file will be rejected back to the flat file’s submitter (intermediary or data center) by the standard system with an appropriate error message.

Improper Flat File Format/Size

If the standard system detects an improper flat file format/size (incorrect record length, record length exceeding 32,700 bytes, etc.), the flat file will be rejected back to the file’s submitter (intermediary or data center) by the standard system with an appropriate error message.

Decimal Edits to be Performed by the Intermediary

The IG allows for the units of service segment to contain a decimal. However, Medicare does not process units of service that contain any decimals. Notify your providers/submitters via your next scheduled bulletin that incoming claims where a unit of service contains any decimals will be rounded by Medicare so the standard system can process the resulting numeric unit of service (i.e., if the number to the right of the decimal is 4 or less, round down. If the number to the right of the decimal is 5 or greater, round up).

The IG allows for diagnosis codes to contain a decimal. However, CMS does not process diagnosis codes containing decimals. If an incoming claim contains a diagnosis code with a decimal in the correct position based on the external code source, the intermediary must reformat the diagnosis code into a 6-position alphanumeric field as defined in the Medicare Part A/COB flat file (flat file) where the digits are left justified and space filled when translating the data into the flat file format. The decimal will be assumed between the third and fourth digit (i.e., 999V9bb – “V” represents the assumed decimal and “b” represents a space). If an incoming claim contains a diagnosis code with a decimal in an incorrect position based on the external code source populate (flag) the field with ampersands.

Edits to be Performed by the Standard Systems

Claims containing a diagnosis code flagged with ampersands will be returned to the provider/submitter, via the intermediary, with an appropriate error message.

Medicare Edits Document Updates

The following are Medicare Edits Document (available by August 2, 2002 at www.hcfa.gov/medicare/edi/hipaadoc.htm) changes:

• REF01 (2310A Loop) Medicare Values is changed to ‘1C or 1G’.

• REF01 (2310A Loop) Edit Logic is changed to ‘REF01 must contain the Medicare Provider Number code 1C or the Provider UPIN number code 1G’.

• REF01 (2310B Loop) Medicare Values is changed to ‘1C or 1G’.

• REF01 (2310B Loop) Edit Logic is changed to ‘REF01 must contain the Medicare Provider Number code 1C or the Provider UPIN number code 1G’.

• REF01 (2310D Loop) Medicare Values is changed to ‘1C or 1G’.

• REF01 (2310D Loop) Edit Logic is changed to ‘REF01 must contain the Medicare Provider

Number code 1C or the Provider UPIN number code 1G’.

• REF01 (2420A Loop) Medicare Values is changed from ‘1C’ to ‘1G’.

• REF01 (2420A Loop) Edit Logic is changed to ‘REF01 must contain the Provider UPIN number code 1G’.

• REF01 (2420B Loop) Medicare Values is changed from ‘1C’ to ‘1G’.

• REF01 (2420B Loop) Edit Logic is changed to ‘REF01 must the Provider UPIN number code 1G’.

• REF01 (2420C Loop) Medicare Values is changed from ‘1C’ to ‘1G’.

• REF01 (2420C Loop) Edit Logic is changed to ‘REF01 must the Provider UPIN number code 1G’.

• REF01 (2420D Loop) Medicare Values is changed from ‘1C’ to ‘1G’.

• REF01 (2420D Loop) Edit Logic is changed to ‘REF01 must contain the Provider UPIN number code 1G’.

These changes will be included as a ‘Summary of Changes’ sheet in the document.

(Source: Program Memorandum A-02-069; Change Request 2134)

The effective date for this instruction is July 31, 2002.

The implementation date for this instruction is January 1, 2003.

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBRES OF THE PROVIDER/SUPPLIER STAFF. ALL BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE AT NO COST FROM OUR WEB SITE AT www.marylandmedicare.com.

Questions regarding this bulletin should be directed to the provider relations department at (866) 488-0545.

---

HIPAA Institutional 837 Health Care Claim-Hospice Direction

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: May 16,2002

SUBJECT(S): Health Insurance Portability and Accountability Act (HIPAA) Institutional 837 Health Care Claim - Outpatient Hospice Implementation Direction

Health Insurance Portability and Accountability Act (HIPAA) Institutional 37Health Care Claim - Home Health Implementation Direction

Updates to Common Working File (CWF) Editing of Intermediary Claims for Durable Medical Equipment (DME) and Prosthetic/Orthotic Devices

Health Insurance Portability and Accountability Act (HIPAA) Institutional 837 Health Care Claim - Outpatient Hospice Implementation Direction

This instruction provides additional information for intermediaries and their standard systems and is a follow-up to Transmittal A-02-014, Change Request 2028, dated February 12, 2002.

Outpatient Hospice Claims via the 837

The 837 2300 loop Admission Date segment must be used to report the start of care date for outpatient hospice claims.

Intermediaries should advise their submitters/providers via their next scheduled bulletin (or Web site) to use the 2300 loop Admission Date segment to submit the start of care date for outpatient hospice claims for test (and later, for production) version 4010 claims and to submit “0001” as a default value for the hour and minute (HHMM) part of the admission date data element if the information is not available.

Outpatient Hospice claims via Direct Data Entry (DDE)

The admission hour (HH) is available via DDE whereas the minutes (MM) are not. Notify your submitters/providers via your next scheduled bulletin (or Web site) to submit a compliant numeric hour (“00” is acceptable if unknown) for outpatient hospice claims submitted via DDE. For purposes of coordination of benefits (COB) processing, the HH and MM must be submitted by your standard system. Your standard system will create a default value of “01” for the MM and submit this value for COB.

(Source: Program Memorandum A-02-036; Change Request 2135)

The effective date for this PM is May 1, 2002.

The implementation date for this PM is October 1, 2002.

Health Insurance Portability and Accountability Act (HIPAA) Institutional 837Health Care Claim - Home Health Implementation Direction

Home Health Claims via the 837

In Program Memorandum (PM) A-02-014, Change Request 2028, dated February 12, 2002, we advised intermediaries and their standard systems to await further instructions regarding how to process home health claims using the 4010 format. Intermediaries must advise their home health submitters/providers via their next scheduled bulletin (or Web site) to use the 2300 loop Admission Date segment to submit the admission date/start of care date for home health claims for test (and later, for production) version 4010 claims and to submit “0001” as a default value for the hour and minute (HHMM) part of the admission date data element if the information is not available.

The home health care information (CR6) segment could contain the start of care date. Forward any data received in CR6 to the repository to be sent for coordination of benefits (COB). However, this data should not be used to process the claim.

Home Health Claims via Direct Data Entry (DDE)

The admission hour (HH) is available via DDE whereas the minutes (MM) are not.   Notify your submitters/providers via your next scheduled bulletin (or Web site) to submit a compliant numeric hour (“00” is acceptable if unknown) for home health claims submitted via DDE. For purposes of COB processing, the HH and MM must be submitted by your standard system. Your standard system will create a default value of “01” for the MM and submit this value for COB.

(Source Program Memorandum A-02-037; Change Request 2137)

The effective date for this PM is May 1, 2002.

The implementation date for this PM is October 1, 2002.

Updates to Common Working File (CWF) Editing of Intermediary Claims for Durable Medical Equipment (DME) and Prosthetic/Orthotic Devices

I - GENERAL INFORMATION

A - Background:

The purpose of this Program Memorandum (PM) is to provide updated instructions regarding the CWF processing of intermediary claims for DME and prosthetic/orthotic devices. Provider billing instructions for these services are not changed by this PM.

The lists of HCPCS codes defined as DME or as prosthetics/orthotics are updated annually. In CWF processing of carrier claims, the updating of tables of codes for these service categories results in the automatic updating of edits. However, in CWF processing of fiscal intermediary claims, the category tables cannot be accessed and therefore individual edit lists must be updated. In recent years, the conforming updates to fiscal intermediary edit lists have been overlooked and variations between these lists and the category tables must now be corrected.

B - Policy:

The most recent annual update to the fee schedules for DME and prosthetics and orthotics is published in PM AB-01-126. Billing instructions for these services are found in §3629 of the Medicare Intermediary Manual, §463 of the Home Health Agency Manual, §441 of the Hospital Manual, §534 of the Skilled Nursing Facility Manual and §412 of the Outpatient Physical Therapy/Comprehensive Outpatient Rehabilitation Facility/Community Mental Health Center Manual.

II - BUSINESS REQUIREMENTS

Claims Processing Requirements:

Req. #

2092.1

2092.2

2092.3

2092.4

2092.5

2092.6

2092.7

2092.8

III - Possible Design Considerations and Supporting Information

A - Inputs:

X-Ref Req.

#

N/A

B - Outputs:

X-Ref Req.

#

N/A

C - Interfaces:

X-Ref Req.

#

N/A

D - Provider Impact:

X-Ref Req.

#

N/A

E - Contractor Financial Reporting /Workload Impact: This instruction corrects edits for which intermediaries currently have claims suspended which they are unable to process. It will not be possible to process such claims systematically until this instruction is implemented.

F - Dependencies: This Change Request is not dependent on any other current Change Request or on any pending regulation/instruction.

G - Testing Considerations: N/A

IV - Attachment(s) N/A

(Source: Program Memorandum A-02-031; Change Request 2092)

The effective date for this instruction is October 1, 2002.

The implementation date for this PM is October 1, 2002.

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER/SUPPLIER STAFF. ALL BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE AT NO COST FROM OUR WEB SITE AT www.marylandmedicare.com.

Questions regarding this bulletin should be directed to the provider relations department at (866) 488-0545.

---

HIPAA Institutional 837 Health Care Claim-Home health Direction – May 16, 2002

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: May 16,2002

SUBJECT(S): Health Insurance Portability and Accountability Act (HIPAA)

Institutional 837 Health Care Claim - Outpatient Hospice

Implementation Direction

Health Insurance Portability and Accountability Act (HIPAA)

Institutional 37Health Care Claim - Home Health Implementation

Direction

Updates to Common Working File (CWF) Editing of Intermediary

Claims for Durable Medical Equipment (DME) and Prosthetic/Orthotic Devices

Health Insurance Portability and Accountability Act (HIPAA) Institutional 837 Health Care Claim - Outpatient Hospice Implementation Direction

This instruction provides additional information for intermediaries and their standard systems and is a follow-up to Transmittal A-02-014, Change Request 2028, dated February 12, 2002.

Outpatient Hospice Claims via the 837

The 837 2300 loop Admission Date segment must be used to report the start of care date for outpatient hospice claims.

Intermediaries should advise their submitters/providers via their next scheduled bulletin (or Web site) to use the 2300 loop Admission Date segment to submit the start of care date for outpatient hospice claims for test (and later, for production) version 4010 claims and to submit “0001” as a default value for the hour and minute (HHMM) part of the admission date data element if the information is not available.

Outpatient Hospice claims via Direct Data Entry (DDE)

The admission hour (HH) is available via DDE whereas the minutes (MM) are not. Notify your submitters/providers via your next scheduled bulletin (or Web site) to submit a compliant numeric hour (“00” is acceptable if unknown) for outpatient hospice claims submitted via DDE. For purposes of coordination of benefits (COB) processing, the HH and MM must be submitted by your standard system. Your standard system will create a default value of “01” for the MM and submit this value for COB.

(Source: Program Memorandum A-02-036; Change Request 2135)

The effective date for this PM is May 1, 2002.

The implementation date for this PM is October 1, 2002.

Health Insurance Portability and Accountability Act (HIPAA) Institutional 837Health Care Claim - Home Health Implementation Direction

Home Health Claims via the 837 In Program Memorandum (PM) A-02-014, Change

Request 2028, dated February 12, 2002, we advised intermediaries and their standard systems to await further instructions regarding how to process home health claims using the 4010 format. Intermediaries must advise their home health submitters/providers via their next scheduled bulletin (or Web site) to use the 2300 loop Admission Date segment to submit the admission date/start of care date for home health claims for test (and later, for production) version 4010 claims and to submit “0001” as a default value for the hour and minute (HHMM) part of the admission date data element if the information is not available.

The home health care information (CR6) segment could contain the start of care date. Forward any data received in CR6 to the repository to be sent for coordination of benefits (COB). However, this data should not be used to process the claim.

Home Health Claims via Direct Data Entry (DDE)

The admission hour (HH) is available via DDE whereas the minutes (MM) are not. Notify your submitters/providers via your next scheduled bulletin (or Web site) to submit a compliant numeric hour (“00” is acceptable if unknown) for home health claims submitted via DDE. For purposes of COB processing, the HH and MM must be submitted by your standard system. Your standard system will create a default value of “01” for the MM and submit this value for COB.

(Source Program Memorandum A-02-037; Change Request 2137)

The effective date for this PM is May 1, 2002.

The implementation date for this PM is October 1, 2002.

Updates to Common Working File (CWF) Editing of Intermediary Claims for Durable Medical Equipment (DME) and Prosthetic/Orthotic Devices

I - GENERAL INFORMATION

A - Background:

The purpose of this Program Memorandum (PM) is to provide updated instructions regarding the CWF processing of intermediary claims for DME and prosthetic/orthotic devices. Provider billing instructions for these services are not changed by this PM.

The lists of HCPCS codes defined as DME or as prosthetics/orthotics are updated annually. In CWF processing of carrier claims, the updating of tables of codes for these service categories results in the automatic updating of edits. However, in CWF processing of fiscal intermediary claims, the category tables cannot be accessed and therefore individual edit lists must be updated.  In recent years, the conforming updates to fiscal intermediary edit lists have been overlooked and variations between these lists and the category tables must now be corrected.

B - Policy:

The most recent annual update to the fee schedules for DME and prosthetics and orthotics is published in PM AB-01-126. Billing instructions for these services are found in §3629 of the Medicare Intermediary Manual, §463 of the Home Health Agency Manual, §441 of the Hospital Manual, §534 of the Skilled Nursing Facility Manual and §412 of the Outpatient Physical Therapy/Comprehensive Outpatient Rehabilitation Facility/Community Mental Health Center Manual.

II - BUSINESS REQUIREMENTS

Claims Processing Requirements:

Req. #

2092.1

2092.2

2092.3

2092.4

2092.5

2092.6

2092.7

2092.8

III - Possible Design Considerations and Supporting Information

A - Inputs:

X-Ref Req.

#

N/A

B - Outputs:

X-Ref Req.

#

N/A

C - Interfaces:

X-Ref Req.

#

N/A

D - Provider Impact:

X-Ref Req.

#

N/A

E - Contractor Financial Reporting /Workload Impact: This instruction corrects edits for which intermediaries currently have claims suspended which they are unable to process.  It will not be possible to process such claims systematically until this instruction is implemented.

F - Dependencies: This Change Request is not dependent on any other current Change Request or on any pending regulation/instruction.

G - Testing Considerations: N/A

IV - Attachment(s) N/A

(Source: Program Memorandum A-02-031; Change Request 2092)

The effective date for this instruction is October 1, 2002.

The implementation date for this PM is October 1, 2002.

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER/SUPPLIER STAFF. ALL BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE AT NO COST FROM OUR WEB SITE AT www.marylandmedicare.com.

Questions regarding this bulletin should be directed to the provider relations department at (866) 488-0545.

---

HIPAA Health Care Eligibility Benefit Inquiry/Response Transaction Standard – April 25, 2002

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: April 25, 2002

SUBJECT: Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Health Care Eligibility Benefit Inquiry/Response Transaction (270/271) Standard

CareFirst of Maryland, Medicare Part A Intermediary will continue to provide the Direct

Data Entry (DDE) functionality for eligibility benefit inquiry/response (as is being used currently). CareFirst of Maryland, Medicare Part A, will not implement the EDI transaction 270/271 for eligibility benefit inquiry/response.

Excerpts from CMS Program Memorandum A-02-013 (CR2009):

B. CWF HIQA and Standard Systems Direct Data Entry (DDE) Eligibility Inquiry--

HIPAA uses the term “direct data entry” generically to refer to a type of functionality operated by many different payers under a variety of titles. Within this instruction, the acronym DDE is being used to refer to any type of direct data entry system maintained by

Medicare intermediaries, or standard system maintainers. DDE was specifically permitted to continue in the Transactions Final Rule (45 CFR162.923), with the stipulation that direct data entry is subject to “...the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not required to use the format requirements of the standard.”

Data content conformity means that the same information permitted or required by the 271-version 4010 implementation guide must be reported in the eligibility screens (DDE outbound). The DDE outbound may not report a data element for eligibility purposes that is not included in the 271, exceeds the maximum length of the data element in the 271, does not meet the minimum length for the data element in the 271, or that does not meet the 271 requirement that the data element be numeric, alpha-numeric, or meet another characteristic as specified in the 271. The standard system cannot issue a response with information above and beyond the information in the 271. X12 standard implementation guides include data element length and characteristics in their definition of data attributes.

Conformity does not mean that a DDE screen that includes eligibility information must display each of the data qualifiers or other means of data identification contained in the 271 version 4010 implementation guide. DDE screens typically identify, explicitly or by context, the type of information being reported in a field, e.g., would identify if a number represents a health insurance claim number, date of birth, or etc. DDE screens would not be expected to use a qualifier contained in the 271 to identify data type if otherwise evident in the design or content of the DDE screen.

The standard system maintainers must map the DDE eligibility data elements to the 270/271 version 4010 implementation guide to determine if the DDE eligibility data elements meet the data content and conformity requirements above. If the standard system maintainer determines that DDE screen changes are required for data content and conformity requirements, the maintainer must modify the DDE screens to conform to the 271 version 4010 implementation guide.

If an FI currently supports the DDE functionality, then the FI must continue to do so.

CWF will be responsible for the data content and conformity requirements of HIHO, the HMO DDE eligibility process.

IV. Restricting and Controlling Access to Eligibility Information

FIs will allow Medicare certified providers, and their agents access to beneficiary eligibility data as long as an EDI Enrollment Form is on file (see MIM Part 3 section

3601.4) for that entity, and to network service vendors if there is an EDI Enrollment

Form and EDI Network Service Agreement on file (see MIM Part 3 section 3601.8).

CWF will determine the appropriate information the provider is qualified to receive by the provider type; e.g., psych, HMO, home health, or other provider. The appropriate information will be displayed in a subsequent PM no later than March 31.

V. Audit Trail Requirements

The CWF module will capture the audit trail data (control information, sender/receiver information, etc.) for real time and DDE eligibility transactions. The standard systems will develop a program that will allow FIs to use the audit trail data to compare inquiry volume to paid claim volume. The FIs will generate a quarterly report using the standard systems software that will detect unusual volumes of eligibility submissions by providers.

The audit trail file will contain such elements as the date/time, the HICN, the provider number, the vendor ID, etc. The appropriate information will be displayed in a subsequent PM no later than March 31.

Each quarter, the FIs will run the program developed by the standard system that compares inquiry volume to paid claim volume for use by the FIs. The standard system software will use the audit file created by CWF to tally the inquiries by provider, and then compare that total to the number of claims paid for that provider during the same quarter. Neither the standard systems nor the FIs are responsible for matching a particular inquiry with a particular claim. The sole purpose of the standard system software is to create counts and a ratio.

The claims to inquiry ratio should be at least 80 percent. This means that for every 100 inquiries submitted, we expect there to be 80 claims submitted for each provider. If the claim to inquiry ratio does not exceed 80 percent from a given provider, the FI must contact the provider to clarify inquiry volume expectations and restrictions. If there is a problem or the behavior continues, the FI must remove the provider from the FIs eligibility access system.

(Source: A-02-013; Change Request 2009)

THIS BULLETIN SHOULD BE SHARED WITH ALL HEALTH CARE PRACTITIONERS AND MANAGERIAL MEMBERS OF THE PROVIDER/SUPPLIER STAFF. ALL BULLETINS ISSUED AFTER OCTOBER 1, 1999 ARE AVAILABLE AT NO COST FROM OUR WEB SITE AT www.marylandmedicare.com.

Questions regarding this bulletin should be directed to the provider relations department at (866) 488-0545.

---

HIPAA Institutional 837 Health Care Claim Implementation Updates – March 7, 2002

TO: All Providers
FROM: CareFirst of Maryland, Inc.
DATE: March 7, 2002

SUBJECT: Health Insurance Portability and Accountability Act (HIPAA) Institutional 837 Health Care Claim Implementation Updates

This bulletin provides additional information for intermediaries and their standard systems. CMS has been receiving HIPAA 837 claim implementation questions and requests for clarification on an ongoing basis. The following information is being provided to you to ensure an accurate HIPAA implementation.

1. Q: Since the HIPAA 837 institutional implementation guide (IG) allows for only 1Investigational Device Exemptions (IDEs) per claim, how should HIPAA test claims containing multiple IDEs received via direct data entry (DDE) be tested since DDE currently allows for multiple IDEs?

A The HIPAA 837 transaction allows for only 1 IDE per claim (your HIPAA free billing software should already only accept 1 IDE per claim) and providers should NOT submit HIPAA test claims containing multiple IDEs via DDE.

2. Q: Since the HIPAA 837 Institutional IG allows for only 1 IDE per claim, how should HIPAA production claims containing multiple IDEs received via DDE be processed since DDE currently allows for multiple IDEs?

A: Any production claim containing multiple IDEs must NOT be submitted via DDE. This should not be a hardship since we determined that from January 2001 through June 2001 less than 5 claims with multiple IDEs were processed by Medicare.

3. Q: How should the standard system maintainers process HIPAA test claims containing a nonnumeric revenue code?

A: Any HIPAA test claim containing a non-numeric revenue code will be returned to the provider (RTPd) with an appropriate error message.

4. Q: How should the standard system maintainers process HIPAA production claims containing a non-numeric revenue code?

A: Any HIPAA production claim containing a non-numeric revenue code will be RTPd with an appropriate error message.

5. Q: Can providers/submitters use HCPCS codes to bill for drugs on HIPAA test inpatient claims?

A: Yes. Your FI will continue to test these claims using HCPCS. CMS will determine at a later time when to accept National Drug Codes (NDCs).

6. Q: Can providers/submitters use HCPCS to bill for drugs on HIPAA production inpatient claims?

A: Yes. CMS will determine at a later time when to accept NDCs.

7. Q: Realizing there is no employment status code, employer name, or employer address in the HIPAA 837 Institutional IG, how should the standard system maintainers process HIPAA test claims when currently the standard system maintainers’ internal software requires this information for certain claims?

A: CMS has determined that this information is no longer needed. Do not RTP HIPAA test claims that do not carry this information. Process the test claim. Test claims containing this information are NOT to be submitted via DDE.

8. Q: Realizing there is no employment status code, employer name, or employer address in the HIPAA Institutional 837 IG, how should the standard system maintainers process HIPAA production claims when currently the standard system maintainers’ internal software requires this information status code for certain claims?

A: CMS has determined that this information is no longer needed. Do not RTP HIPAA production claims that do not carry this information. Process the production claim. Production claims containing this information are NOT to be submitted via DDE

9. Q: How should Notices of Election (NOEs) be tested and processed under HIPAA?

A: NOEs are not established under HIPAA. Providers should not use the 837 for NOEs.

10. Q: How should HIPAA test claims that require Subscriber Demographic Information (DMG) be processed since Medicare has never required this information?

A: The DMG segment is for other insured. This is information on the gender and date of birth for the holder of a supplementary insurance policy, if not the beneficiary. These pieces of information have been mapped to the flat file and since they are not required for Medicare they should go to your repository file. For your free billing software, we have already approved the use of dummy (any data that meets the IG requirements) test data for testing purposes. Notify your providers/submitters via your next scheduled bulletin under which conditions this information is required for HIPAA test claims and to not submit claims requiring this segment via DDE.

11. Q: How should HIPAA production claims that require DMG be processed since Medicare has never required this information?