CMS Privacy and Disclosure of Beneficiary Information Toolkit


What is the Privacy Act?

The Privacy Act of 1974, the basis for CMS's Privacy Policy, is a law designed to ensure confidentiality and protect a beneficiary's rights and information. The Privacy Act applies only to Federal agencies and their agents.

The purpose of the Privacy Act is to balance the Government's need to maintain information about individuals with the rights of individuals to be protected from unwarranted invasions of their privacy stemming from Federal agencies' collection, maintenance, use, and disclosure of personal information about them.

Why is adherence to the Privacy Act important?

Beneficiaries entrust their personal information to Medicare and trust that Medicare will not give out their information to anyone except those individuals whom the beneficiary has approved (this does not include routine use disclosures). To give this information to anyone not authorized by the beneficiary would violate that trust.

Furthermore, as a representative of the United States Government, you are required to follow the guidelines set forth in the Privacy Act of 1974.

Beneficiary Rights and Privileges

Beneficiary-specific information is confidential, or private and personal. Under the Privacy Act of 1974, beneficiaries have a number of rights and privileges regarding the information they submit to a federal agency, such as CMS.

Federal agencies, including CMS, must inform beneficiaries:

  • Why they are collecting the information
  • To whom they plan to give it
  • Whether the beneficiary must, by law, give agencies that information

The Privacy Act of 1974 allows beneficiaries to:

  • Review their records for accuracy
  • Make corrections if they believe there are errors
  • Know exactly what the agencies will do with their records
  • Understand the effects on the beneficiary, if any, of not providing all or part of the requested information

Medicare CSRs must follow Privacy Act rules. The primary rule that must be followed is that you cannot release beneficiary-specific information to anyone unless the beneficiary authorizes that person to receive his or her information.

Obtaining Verification

Before you release any beneficiary-specific information, you need to determine that the caller is indeed the beneficiary or a representative designated by him or her.

Obtaining this identifying data is one of the first steps that you must perform every time that you answer an incoming call requesting beneficiary-specific information.

A caller must verify his or her identity by providing supporting particulars, which parallel the record to which disclosure or access is being sought. If the CSR determines that the particulars provided by telephone are insufficient, the requestor will be required to submit the request in writing or in person. (To see examples of written authorization, go to the Toolkit and select the Written Authorization Sample Forms tool.) Telephone requests will not be accepted where an individual is requesting disclosure of, or access to, sensitive records such as medical records.

Access and disclosure involve looking at a Medicare record and giving out information. If you do not have to look at a record (for example, in explaining a letter), access and disclosure rules are not involved. General (that is, non-beneficiary-specific) information may be discussed at any time with any caller.

Call Center CSRs must obtain four items of verification from the caller to answer questions concerning beneficiary-specific information. These verification items must include the beneficiary's:

  • Full name
  • Date of birth
  • Health Insurance Claim (HIC) Number (also referred to as Medicare number)

One additional piece of information is also required, such as the beneficiary's:

  • Social Security Number
  • Address
  • Phone number
  • Effective date(s)
  • Coverage (whether the beneficiary has Part A and/or Part B)

Call Centers that have access to portions of the Master Beneficiary Record (MBR) and the Enrollment Database (EDB) must obtain six items of information when accessing the MBR or EDB.

It is recommended that three of those items be the beneficiary's:

  • Full name
  • Date of birth
  • Health Insurance Claim (HIC) Number (also referred to as Medicare number)

On all calls dealing with Managed Care issues other than enrollment and disenrollment issues and dates, CSRs must refer the contact to the Managed Care organization. CSRs may not release any Managed Care claims information.

If a caller uses IVR technology (Whisper Technology or any similar system) to secure claim information, enters his or her HIC number, but ultimately decides to request to speak with a CSR, the caller is then routed to the CSR along with the HIC number. The CSR can now see the HIC number. In order to comply with the Privacy Act:

  • If the caller is the beneficiary, it is not necessary for the CSR to reconfirm the HIC, unless the name, DOB, or other information does not match the HIC.
  • If the caller is someone other than the beneficiary, the CSR should ask for all of the identifying information from the beneficiary.

For example: The CSR receives a call transferred from the IVR and can see the HIC that was entered in the IVR, but the caller is the wife of the beneficiary. The CSR should (1) obtain the beneficiary's verbal permission to speak with his wife on his behalf and (2) obtain all four pieces of identifying information from the beneficiary himself. The CSR should not obtain the beneficiary's identifying information from the wife, regardless of whether the beneficiary gave permission to speak with her.

Note: In rare instances, the CSR may be told that the beneficiary is too sick or too weak to answer all the questions. In such circumstances, the supervisor may allow the CSR to ask for the identifying information from the caller and only seek permission from the beneficiary. This is a judgment call by the supervisor.
