Fundamentals of Medicare

Section 1: Introduction


Privacy Act

The purpose of the Privacy Act of 1974 (Act), Title 5, United States Code, Section 552a, is to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies’ collection, maintenance, use, and disclosure of personal information about them.

The Act applies to federal agencies in the executive branch of the federal government (including the Executive Office of the President) and private companies that are under contract with the federal government. National Government Services has a contract with the federal government to process Medicare claims, therefore National Government Services as a company and employees of National Government Services are bound by the rules and regulations of the Privacy Act.

The Act requires each agency or contracted company to maintain only the information about an individual that is relevant and necessary to accomplish the purpose of that agency’s existence or the contractual obligation.

There are ten exemptions to the Privacy Act. Exemptions include records that are maintained by the Central Intelligence Agency (CIA), related to law enforcement activities, classified in the interest of national security, regarding protective services to the President of the United States, and regarding specific circumstances of federal civilian employment, military service and access to classified material.

Unlawful disclosure of information can lead to civil and criminal penalties for the agency and the individual(s) involved. Penalties can be up to $5,000 for each violation.

More information regarding the Privacy Act can be found in the CMS IOM, Publication 100-01, Medicare Financial Management Manual, Chapter 6, Section 10.

How Does the Privacy Act Impact Medicare?

Since all MACs are under contract with the federal government, the Privacy Act’s rules and restrictions bind all employees and systems of Medicare contractors.

The Privacy Act is why providers need to have individual passwords to obtain access into the Medicare claims systems, and why providers can only see the claims that they submitted.

In addition, the Privacy Act restricts the information that the Provider Contact Center, customer care representatives (CCRs) can disclose to providers and outside individuals. It is due to these restrictions that people calling on behalf of a provider, including the billing office or the billing service, will always need to identify themselves and inform the CCR of their provider number and additional information as requested by the CCR. Note: CCRs cannot disclose claim information to collection agencies.

CCRs cannot disclose information regarding claims that were not submitted by the calling provider. The only exception to this is where a provider’s claim has been rejected due to an overlap with a claim submitted by another provider. In this situation, the CCR is allowed to inform the calling provider of the dates of service on the overlapping claim only.

Reviewed 6/4/2024