Privacy and Disclosure of Beneficiary

Information Course

BasicsTable of Contents

PRIVACY AND DISCLOSURE OF BENEFICIARY INFORMATION COURSE

TABLE OF CONTENTS
Page

HOW TO USE THIS WORKBOOK...... 1

PRIVACY AND DISCLOSURE OF BENEFICIARY INFORMATION

Lesson A: Introduction to the Privacy Act of 1974...... A-1
Lesson B: Releasing Any Beneficiary-Specific Information...... B-1
Lesson C: Releasing Some Beneficiary-Specific Information...... C-1
Lesson D: Refusing To Release Beneficiary-Specific Information...... D-1
Knowledge Check...... KC-1

APPENDICES

Appendix A: Training Guides and CMS Disclosure Desk Reference for
Call Centers: Beneficiary Information...... AppA-1
Appendix B: Who’s Calling...... AppB-1
Appendix C: Written Authorization Sample Forms...... AppC-1
Appendix D: Glossary of Acronyms...... AppD-1
Appendix E: Glossary of Terms...... AppE-1
Appendix F: Index...... AppF-1
Privacy and Disclosure of Beneficiary Information Course / Page 1
How To Use This Workbook
HOW TO USE THIS WORKBOOK
OVERVIEW / The Privacy and Disclosure of Beneficiary Information Course applies the techniques of self-paced print instruction to the concepts and methods used by the Center for Medicare and Medicaid Services (CMS) Customer Service Representatives (CSRs) to effectively comply with the Privacy Act of 1974.
It is designed to complement and augment policy information released by CMS regarding the Privacy Act of 1974.

Purpose of theCourse

/ This course is designed to enable you to:
  • Explain the importance of adherence to the Privacy Act of 1974 and identify the consequences of non-compliance
  • Disclose beneficiary-specific information consistent with CMS policies and guidance.

Self-Paced Instruction

/ Because this course is self-directed, it has been designed to allow you to work at your own pace; no time limits have been set. The estimated time to complete the course is approximately 4 hours.

Target Audience

/ This course is designed for existing and newly hired beneficiary CSRs at each of CMS’s contractor call centers responsible for Part A, Part B, and DMERC.
Additional users include central and regional office CMS personnel and call center personnel such as managers, supervisors, and quality assurance staff.

COURSE

CONTENT

/ The course consists of four lessons. These lessons are organized as described in the following sections.

Introduction to the Privacy Act of 1974

/ Lesson A: Introduction to the Privacy Act of 1974 gives you an understanding of CMS’s basic Privacy Policy and why it is important to CMS, Medicare beneficiaries, and you.

Releasing Any Beneficiary-Specific Information

/ Lesson B: Releasing Any Beneficiary-Specific Information provides additional detail on CMS’s Privacy Policy and focuses on when a CSR can release any beneficiary information to a caller. Three sample calls and exercises are included in this lesson.

Releasing Some Beneficiary-Specific Information

/ Lesson C: Releasing Some Beneficiary-Specific Information provides additional detail on CMS’s Privacy Policy and focuses on when a CSR can release some beneficiary information to a caller. Three sample calls and exercises are included in this lesson.

Refusing To Release Beneficiary-Specific Information

/ Lesson D: Refusing To Release Beneficiary-Specific Information provides additional detail on CMS's Privacy Policy and focuses on when a CSR should refuse to release beneficiary information to a caller. Three sample calls and exercises are included in this lesson.

WORKBOOK OVERVIEW

/ Lessons are sequential. Therefore, to be most effective, lessons should be followed in order. Exercises are included to help you apply the skills learned in each lesson.

Exercises

/ Interactive exercises are included at the end of each lesson. These activities are intended to enable you to apply facts and concepts covered in the lesson to your own on-the-job needs. Training Guides, in Appendix A, are available to assist you during the exercises.

Knowledge Check

/ At the end of this course, you will be asked to complete an open book Knowledge Check. This Knowledge Check will test your understanding of the material covered in the course and reinforce your learning.

Icons

/ In each section, certain icons are included in the left column to signal specific points in the lesson. The standard icons used in the lessons are listed in the table on the next page.
ICON /

MEANING

/

Overview

The guidepost icon indicates the overview of each lesson, which describes the topic(s) covered in the lesson.
/

Objectives

The bull’s-eye icon accompanies the lesson’s objectives, the “target” of your learning.
/

Resources

The appendices, included at the end of the workbook, will serve as useful references during and after completion of the course.
/

Exercise

Exercises are signaled by the pad and pencil icon.
/

Knowledge Check

Finally, the question icon accompanies the Knowledge Check at the end of this course.
Exercises / You will need a pen or pencil to complete the exercises and the Knowledge Check. Many users find that a highlighter pen or marker is also useful.

Resources

/ The following appendices, included at the end of the workbook, will serve as useful references during and after completion of the course:
  • Appendix A—Training Guides and CMS Disclosure Desk Reference
  • Appendix B—Who’s Calling?
  • Appendix C—Written Authorization Sample Forms
  • Appendix D—Glossary of Acronyms
  • Appendix E—Glossary of Terms
  • Appendix F—Index.

Key Point
/ The course materials are yours to keep and use later as a resource. Feel free to highlight important passages, take notes, or make queries as you work.

course evaluation

/ When you have completed the Privacy and Disclosure of Information Course, fill out the evaluation form on the following pages and forward it to your Privacy Course Administrator.
Privacy and Disclosure of Beneficiary Information Course / Page 1
How To Use This Workbook
Name______
/ Date______ /
Name of WBT:______
WEB-BASED TRAINING COURSE EVALUATION
Circle the number that best describes your opinion of each item.
Strongly Agree / Strongly
Disagree
Content (Including scenarios and exercises)
The content was interesting, easy to understand, and easy to learn. / 5 / 4 / 3 / 2 / 1
The information will help me perform my job. / 5 / 4 / 3 / 2 / 1
The scenarios helped me translate the content into my own work situation. / 5 / 4 / 3 / 2 / 1
The exercises reinforced the important points. / 5 / 4 / 3 / 2 / 1
Format
The format was clear and easy to follow. / 5 / 4 / 3 / 2 / 1
The navigation was clear and easy to follow throughout the course. / 5 / 4 / 3 / 2 / 1
Course Resources
The CSR Toolkit will be useful on the job. / 5 / 4 / 3 / 2 / 1
The Glossary will be useful on the job. / 5 / 4 / 3 / 2 / 1
Selecting the Help function provided the answers I needed. / 5 / 4 / 3 / 2 / 1
Overall
The course was appropriate to my needs. / 5 / 4 / 3 / 2 / 1
I will recommend this training to other CSRs. / 5 / 4 / 3 / 2 / 1
WEB-BASED TRAINING COURSE EVALUATION (continued)
Comments:
What aspect of the course do you think will be most useful to you in your job?
What suggestions do you have for improving the course?
Privacy and Disclosure of Beneficiary Information Course / Page 1
Lesson A / Introduction to The Privacy Act of 1974
LESSON A: Introduction To The Privacy Act of 1974
OVERVIEW / The Privacy Act of 1974 governs the requirements on how, when, and to whom Centers for Medicare and Medicaid Services (CMS) staff can release beneficiary-specific information. As a CMS Customer Service Representative (CSR), supervisor, or manager, you ensure strict adherence to the Privacy Act for all calls.
Objectives / At the end of this lesson, you will be able to:
  • Define the Privacy Act of 1974
  • Explain why adherence to the Privacy Act is important
  • List beneficiary rights and privileges
  • Request the appropriate verification information from a caller.

Your Peer Coaching Task / During this training course, you will assume the role of a CSR at Capital Insurance, one of CMS’s call centers. CMS has recently revised and refined its policy related to the Privacy Act in order to ensure the highest level of protection for Medicare beneficiary-specific information.
Your supervisor has designated you as a Peer Coach. She has assigned you the task of briefing other CSRs on Privacy Policy, reviewing their transcribed calls to ensure adherence to the revised policy, and holding a feedback meeting for the CSRs and your supervisor.
Your successful completion of this task will contribute to the overall goal shared by CMS, Capital Insurance, and every CSR at your call center - striving to provide the best customer service possible to Medicare beneficiaries.
Task Description / Before you begin your task, let’s review the task description:
  • Prepare for and hold a meeting with CSRs to review Privacy Policy
  • Review a series of transcribed calls for Privacy Policy adherence
  • Hold a feedback meeting for the CSRs and your supervisor.

Privacy Policy Meeting Preparation / The first step in your Peer Coaching task is to prepare for a meeting with CSRs to review Privacy Policy.
In order to complete this step, you decide to research the Privacy Policy to prepare for the meeting.
To assist with your research, your supervisor gives you a Privacy Policy Summary document to review. The Summary document addresses the following topics:
  • What is the Privacy Act of 1974?
  • Why is adherence to the Privacy Act important?
  • Beneficiary rights and privileges
  • Obtaining verification information.
Topic details are presented below and on the following pages.
Summary Document Topic: What Is the Privacy Act of 1974? / The Privacy Act of 1974, the basis for CMS’s Privacy Policy, is a law designed to ensure confidentiality and protect a beneficiary’s rights and information. The Privacy Act applies only to Federal agencies and their agents.
The purpose of the Privacy Act is to balance the government’s need to maintain information about individuals with the rights of individuals to be protected from unwarranted invasions of their privacy stemming from Federal agencies’ collection, maintenance, use, and disclosure of personal information about them.
Summary Document Topic: Why Is Adherence to the Privacy Act Important? / The beneficiaries entrust their personal information to Medicare and trust that Medicare will not give out their information to anyone except those individuals whom the beneficiary has approved. This does not include routine use disclosures. To give this information to anyone not authorized by the beneficiary would violate that trust.
Furthermore, as a representative of the United States Government, you are required to follow the guidelines set forth in the Privacy Act of 1974.
Summary Document Topic: Beneficiary Rights and Privileges / Beneficiary-specific information is confidential, or private and personal. Under the Privacy Act of 1974 beneficiaries have a number of rights and privileges regarding the information they submit to a Federal agency, such as CMS.
Federal agencies, including CMS, must inform beneficiaries:
  • Why they are collecting the information
  • To whom they plan to give it
  • Whether the beneficiary must, by law, give agencies that information.
The Privacy Act of 1974 allows beneficiaries to:
  • Review their records for accuracy
  • Make corrections if they believe there are errors
  • Know exactly what the agencies will do with their records
  • Understand the effects on the beneficiary, if any, of not providing all or part of the requested information.
Medicare CSRs must follow Privacy Act rules. The primary rule that must be followed is that you cannot release beneficiary-specific information to anyone unless the beneficiary authorizes that person to receive his or her information.
Summary Document Topic: Obtaining Verification Information / Before you release any beneficiary-specific information, you need to determine that the caller is indeed the beneficiary or a representative designated by him or her.
Obtaining this identifying data is one of the first steps that you must perform every time that you answer an incoming call requesting beneficiary-specific information.
A caller must verify his or her identity by providing supporting particulars, which parallel the record to which disclosure or access is being sought. If the CSR determines that the particulars provided by telephone are insufficient, the requestor will be required to submit the request in writing or in person. (To see examples of written authorization, go to Appendix C: Written Authorization Sample Forms.) Telephone requests will not be accepted where an individual is requesting disclosure of, or access to, sensitive records such as medical records.
Access and disclosure involve looking at a Medicare record and giving out information. If you do not have to look at a record (for example, in explaining a letter), access and disclosure rules are not involved. General (that is, non-beneficiary-specific) information may be discussed at any time with any caller.
Call Center CSRs must obtain four items of verification from the caller to answer questions concerning beneficiary-specific information. These verification items must include the beneficiary’s:
  • Full name
  • Date of birth
  • Health Insurance Claim (HIC) Number (also referred to as Medicare number).
One additional piece of information is also required, such as the beneficiary’s:
  • Social Security Number
  • Address
  • Phone number
  • Effective date(s)
  • Coverage - whether the beneficiary has Part A and/or Part B.
Call Centers that have access to portions of the Master Beneficiary Record (MBR) and the Enrollment Database (EDB) must obtain six items of information when accessing the MBR or EDB.
Summary Document Topic: Obtaining Verification Information (continued) / It is recommended that three of those items be the beneficiary’s:
  • Full name
  • Date of birth
  • Health Insurance Claim (HIC) Number (also referred to as Medicare number).
On all calls dealing with Managed Care issues other than enrollment and disenrollment issues and dates, CSRs must refer the contact to the Managed Care organization. CSRs may not release any Managed Care claims information.
If a caller uses IVR technology (Whisper Technology or any similar system) to secure claim information, enters his or her HIC number, but ultimately decides to request to speak with a CSR, the caller is then routed to the CSR along with the HIC number. The CSR can now see the HIC number. In order to comply with the Privacy Act:
  • If the caller is the beneficiary it is not necessary for the CSR to reconfirm the HIC, unless the name, DOB, or other information does not match the HIC.
  • If the caller is someone other than the beneficiary, the CSR should ask for all of the information from the
    beneficiary.
For Example: The CSR receives a call transferred from the IVR, and can see the HIC that was entered in the IVR, but the caller is the wife of the beneficiary. The CSR should (1) get verbal permission to speak with the wife on his behalf and should (2) obtain all four pieces of information from the beneficiary himself. The CSR should not obtain the beneficiary's identifying information from the wife, regardless if the beneficiary gave permission to speak to his wife.
Note: In rare instances, the CSR may be told that the beneficiary is too sick or too weak to answer all the questions. The supervisor may allow the CSR in such circumstances, to ask for the identifying information from the caller and only seek permission from the beneficiary. This is a judgment call by the supervisor.
The Next Step / The next step in your Peer Coaching task is to hold your Privacy Policy meeting with the CSRs. You will do this by completing the exercise on the following page.
Summary Exercise:
Privacy Policy Meeting With CSRs / Now that you have reviewed the Privacy Policy Summary document, it is time to hold your meeting with the CSRs.
During this meeting, you present the information detailed in the Privacy Policy Summary document to the CSRs. After your presentation, each CSR makes a specific statement about Privacy Policy. These CSR statements are listed below.
In this exercise, you will need to let the CSRs know if their statements are true or false. Read each CSR statement below and write either TRUEor FALSEin the blank at the end of each statement.
The CSRs in the meeting make the following statements:
  1. The Privacy Act of 1974 was created to protect a beneficiary’s confidential information. ______
  1. Obtaining the caller’s verification information is one of the last things that you should do during a call. ______
  1. If the beneficiary asks, you must tell him or her why CMS is collecting the information. ______
  1. You may not give the beneficiary’s claim information out to people whom the beneficiary has not authorized. ______
  1. There are three standard pieces and one additional piece of verifying data that you can use to check the caller’s identity. ______
  1. If the caller is not the beneficiary, or authorized to receive the beneficiary’s information, then you may not give out that information. ______
  1. Beneficiaries entrust you to keep their information private. ______
  1. You can release a beneficiary’s claim information to anyone calling on his or her behalf. ______
Check your answers on the next page.
Answers /
  1. The Privacy Act of 1974 was created to protect a beneficiary’s confidential information. TRUE
  2. Obtaining the caller’s verification information is one of the last things that you should do during a call. FALSE
  3. If the beneficiary asks, you must tell him or her why CMS is collecting the information. TRUE
  4. You may not give the beneficiary’s claim information out to people whom the beneficiary has not authorized. TRUE
  5. There are three standard pieces and one additional piece of verifying data that you can use to check the caller’s identity. TRUE
  6. If the caller is not the beneficiary, or authorized to receive the beneficiary’s information, then you may not give out that information. TRUE
  7. Beneficiaries entrust you to keep their information private. TRUE
  8. You can release a beneficiary’s claim information to anyone calling on his or her behalf. FALSE