MEDICAID CONFIDENTIALITY REGULATIONS AND STANDARDS
Confidential Data Requirements are explained through the answers provided for
the following questions and summary of procedures and regulations:
II MCDRC OVERVIEW
III PRIMARY RESPONSIBILITIES
Confidential Data Review Committee Creation
Confidential Data Review Committee Procedures
Directly Related To State Plan Administration
Authority For Safeguarding Information
of Information To Be Safeguarded
of Information Materials
10. Maintenance of
11. ePACES Access Control
Question 1: What are Medicaid’s
confidentiality standards and who defines them?
The federal Medicaid
confidential data standard is established by §1902(a)(7) of the Social Security
Act (42 USC §1396a(a)(7)). The law requires that a “State plan for medical
assistance must: (7) provide safeguards which restrict the use or disclosure of
information concerning applicants and recipients to purposes directly connected
with the administration of the plan.” This statutory
requirement is implemented in regulations at 42 CFR §431.300 et seq. 42 CFR
§431.302 defines Medicaid program administration to include:
(B) Determining the amount of Medical
(C) Providing services for recipients;
assisting an investigation, prosecution, or civil or criminal proceeding
related to the administration of the plan.
42 C.F.R. §431.306
requires the single state agency to have criteria specifying the conditions for
release and use of information about applicants and recipients. The information
for which the agency must have criteria to safeguard must include: (1) names
and addresses; (2) medical services provided; (3) social and economic
conditions; (4) agency evaluation of personal information; (5) medical data,
including diagnosis and past history of disease or disability; and (6) any
information received for verifying income eligibility and amount of medical
assistance payments, of which information received from the Internal Revenue
Service (IRS) or Social Security Administration (SSA) must be safeguarded
pursuant to the requirements of those agencies.
These criteria apply to
all requests for information from outside sources, including governmental
bodies, the courts, or law enforcement officials. Access to information
concerning applicants or recipients must be restricted to persons or agency
representatives who are subject to standards of confidentiality that are
comparable to those of the agency. The agency is prohibited from publishing
names of applicants or recipients. Furthermore, whenever possible, the agency
must obtain permission from the individual or his family before responding to a
request for information from an outside source, unless the information is to be
used to verify income, eligibility and the amount of medical assistance
payments. Before information is requested from or released to another bureau or
agency (not part of Medicaid program administration) to verify income,
eligibility, and the amount of assistance, the Department must execute data
exchange agreements with those agencies. Data exchange
agreements are also required before the department may request information from
or release information to other agencies to identify third party resources. If
an emergency situation prevents the department from obtaining recipient consent
prior to release, the department must notify the family or individual
immediately after supplying the information. Where a court issues a subpoena
for a case record or for any agency representative to testify concerning an
applicant or recipient, the department must inform the court of the applicable
statutory provisions, policies, and regulations restricting disclosure of
MEDICAID ALCOHOL AND SUBSTANCE CONFIDENTIALITY
Federal law also requires that certain confidential drug and
alcohol abuse treatment records must be accorded enhanced protection.
Requirements pertaining to drug and alcohol treatment records are codified at
42 U.S.C. §290dd-3, which is implemented in regulations at 42 C.F.R. §2.1 et
seq. Records concerning the identity, diagnosis, prognosis, or treatment of
any patient which are connected with drug abuse prevention, or alcoholism
education, training, treatment, rehabilitation or research, which are
conducted, regulated, or directly or indirectly assisted by any department or
agency of the United States, may only be disclosed as expressly authorized in
§2.1 et seq. Such records may be disclosed in accordance with the patient’s
prior written consent. Whether or not the patient provides written consent, his
or her records may be disclosed:
(A) to medical personnel to the extent
necessary to meet a bona fide medical emergency;
qualified personnel for the purpose of conducting scientific research,
management audits, financial audits, or program evaluation, but such personnel
may not identify, directly or indirectly, any individual patient in any report
of such research, audit, or evaluation, or otherwise disclose patient
identities in any manner; and
(C) if authorized by an appropriate
order of a court of competent jurisdiction granted after application showing
good cause therefor.
MEDICAID HIV CONFIDENTIALITY RESTRICTIONS:
The Health Care Financing
Administration (HCFA) also has issued a State Operations Letter #91-32,
regarding the confidentiality and release of Medicaid data concerning persons
with AIDS. The letter establishes that sharing of claims data regarding AIDS
patients with other state agencies is a violation of federal privacy
safeguards. The operations letter notes that while it is a legitimate
public health concern to engage in disease prevalence surveillance, federal law
and regulations permit disclosure of information concerning Medicaid applicants
or recipients, including AIDS data, only for purposes directly related to State
Medicaid plan administration. Accordingly, state health departments seeking
recipient information for reasons unrelated to administration of the Medicaid
program must rely on provider compliance with State reporting requirements.
Medicaid data cannot be released for such purposes, including accurate counting
of AIDS cases. The HCFA suggests that as an alternative to the release
of patient identifying information, Medicaid agencies may provide summary data,
including recipient counts and expenditures.
Also note that Medicaid Confidential Data (MCD) may contain HIV related
confidential information, as defined in Section 2780(7) of the N.Y. Pub. Health
Law. As required by N.Y. Pub. Health Law Section 2782(5), the New York
Department of Health hereby provides the following notice:
This information has been disclosed to you from
confidential records which are protected by state law. State law prohibits you
from making any further disclosure of this information without the specific
written consent of the person to whom it pertains, or as otherwise permitted by
law. Any unauthorized further disclosure in violation of state law may result
in a fine or jail sentence or both. A general authorization for the release of
medical or other information is NOT sufficient authorization for further
STATE MEDICAID CONFIDENTIALITY
confidentiality standards have been implemented in State law in various
provisions of the Social Services Law (SSL), and the Social Services
regulations at Title 18 NYCRR. §369 of the SSL provides that all information
received by social services and public health officials and service officers
concerning Medicaid applicants and recipients may be disclosed or used only for
purposes directly connected with the administration of the Medicaid program.
Also, pursuant to Section 367b(4) of the NY Social Services Law, information
relating to persons APPLYING FOR medical assistance shall also be considered
confidential and shall not be disclosed to persons or agencies without the
prior written approval of the New York State Department of Health.
18 NYCRR §357.5 sets
forth specific procedures for storing and using individually identifiable
information. These procedures apply to all recipient identifying information,
including Medicaid data, maintained by the Department of Health, local social
services districts, and other authorized agencies. Records containing
individually identifiable information must be marked “confidential” and kept
in locked files or in rooms that are locked when the records are not in use.
When in use, records must be maintained in such a manner as to prevent exposure
of individual identifiable information to anyone other than the authorized
party directly utilizing the case record. No records can be taken from the
place of business without prior authorization by supervisory staff of the
Department of Health, the local social services district, or other authorized
agency, nor can records be taken home by agency staff except upon prior
supervisory authorization. Records must be transmitted from one location to
another in sealed envelopes stamped “confidential”, and a receipt must be
obtained documenting delivery of the records. Interviews with clients must be
conducted at a location and in a manner which maximizes privacy. Medicaid program
administration employees of the Department, Social Services, local social
services districts, and other authorized (via M.O.U.) agencies are permitted
access to individual identifying information only where their specific job
responsibilities cannot be accomplished without access to individual
State law and regulations
further limit the general handling of HIV and AIDS data. Because this data may
be contained in Medicaid records, these requirements are applicable to the
Medicaid program. See Article 27-F of the Public Health Law. 18 NYCRR Subpart
360-8 prohibits access, use, disclosure, or redisclosure of confidential HIV
related information except for a purpose directly connected with the
administration of the MA program, and consistent with the limitations of §2782
of the Public Health Law relating to persons to whom or entities to which
confidential HIV related information may be disclosed. Disclosure of such
information to a court may be made only pursuant to a court order authorized by
§2785 of the PHL.
It is important to note
that where the disclosure of confidential HIV related information is made
pursuant to a release from the subject of the information, the release must
specify that it authorizes the disclosure of HIV related information, contain
the date and time period during which the release is to be effective, specify
to whom disclosure is authorized, and the purposes for disclosure. Therefore, a
general release from the recipient is not sufficient to authorize disclosure of
confidential HIV related information. The regulation further requires that any
written disclosure of confidential HIV related information must be accompanied
by a written statement which contains the following notification:
This information has been
disclosed to you from confidential records which are protected by State law.
State law prohibits you from making any further disclosure of this information
without the specific written consent of the person to whom it pertains, or as
otherwise permitted by law. Any unauthorized further disclosure in violation of
State law may result in a fine or jail sentence or both. A general
authorization for the release of medical or other information is not sufficient
authorization for further disclosure.
An oral disclosure of
confidential HIV related information must be accompanied, or followed as soon
as possible within 10 days, by the written notification.
Question 2: Who is responsible
for upholding Medicaid’s confidentiality standards?
The Office of Legal
Affairs has primary responsibility (within the Department) over the
interpretation and enforcement of all laws and regulations pertaining to
Medicaid data confidentiality. Rulings, opinions, appeals, and clarification on
matters of Medicaid recipient confidentiality are also rendered by the
Health Care Financing Administration (HCFA) Region II Administrator. The
Commissioner of Health, with the advice of counsel, has the final authority to
determine if a particular use meets the applicable standards of Medicaid
Office of Medicaid
Management’s, data security is maintained by the Data Security Coordinator; and
access to confidential recipient data is coordinated by the Medicaid
Confidential Data Security Committee (MCDRC). This committee is chaired by the
Director of Medicaid Management or her designee. The Data Security Coordinator
reports to the chair of the MCDRC. The MCDRC meets periodically to review and
make recommendations on requests for confidential Medicaid information. The
MCDRC is an advisory committee on Medicaid data confidentiality. All MCDRC
decisions can be appealed to the Medicaid program Director and or the
II MCDRC OVERVIEW
Question 3: What is the Medicaid
Confidential Data Review Committee; and where did it get its charge?
The Medicaid Confidential
Data Review Committee (MCDRC) is established by the Department of Health
pursuant to 42CFR 431. This regulation requires the Single State
agency to develop “criteria specifying the conditions for release and use of
information about applicants and recipients.” In compliance with this
federal requirement, the MCDRC serves to assure Department compliance with
confidentiality policy and procedures as to requests for Medicaid data.
The Medicaid Confidential
Data Review Committee (MCDRC) is an advisory committee within the Office of
Medicaid Management, under the direction of the Director of Medicaid
Management. The MCDRC is charged with implementing the Department’s policy on
recipient data confidentiality and security. Any issues concerning the
evaluation of Medicaid Data Exchange Applications are referred to the MCDRC.
Question 4: Who is responsible
for upholding Medicaid’s confidentiality standards under Managed Care?
The Department of Health
is the State agency responsible for developing disclosure standards and
protocols consistent with the laws and regulations under Title XIX of the
Social Security Act. The Medicaid Confidential Data Review Committee (MCDRC) is
an intra-Medicaid program review group (representing expertise in each Medicaid
program area) charged with reviewing applications for access to confidential
Medicaid recipient information.
III PRIMARY RESPONSIBILITIES
responsibilities of the MCDRC are to review and evaluate all requests for
Medicaid recipient-identifiable information. All requests are evaluated against
the standard whether the purpose of the request for release is directly related
to the administration of the Medicaid program (pursuant to 42CFR
41 et seq.).
42CFR 430.10 The State Plan.
- The State Plan is a comprehensive written statement submitted by the agency
describing the nature and scope of its Medicaid program. The State Plan also
provides assurance that the Medicaid program will be administered in conformity
with the specific requirements of title XIX, and other applicable official
issuances of the Department.
The State Plan contains
all information necessary for HCFA to determine whether the plan can be
approved to serve as a basis for Federal financial participation (FFP) in the
State program. Moreover, the State Plan requirements mandate protection of
recipient confidentiality for purposes connected with the administration of the
Data Exchange Procedures
Data Security and Confidentiality
February 25, 2003
New York State Department of Health
Office of Medicaid Management
42CFR 430.306 et. seq.
require that the Department enter into a “data exchange agreement” before any
data is released. Additionally, on December 18, 1990 the Medicaid Data Security
Committee issued a document on Data Exchange Guidelines and Issue Analysis. The
purpose of this document was twofold: first, to reinforce the Department’s Data
Security Policy, and second, to provide guidelines for creation of data security
processes for each Division. The purpose of this section is to outline the
specific role, procedures, and processes through which the Office of Medicaid
Management’s data security policy will be implemented.
New changes in office
automation and data processing have increased the ability of researchers, data
warehouse companies, and organizations, outside the Medicaid program, to create
large recipient specific databases. With these new
technological changes, the Office of Medicaid Management has witnessed an
increase in the demand for recipient specific or identifiable data. The role of
the New York State Department of Health Office of Medicaid Management’s
confidential data review policy is to assess the appropriateness of exchanging
and handling these requests for recipient identifiable data. Recipient
identifiable data is defined as any individual or summary level Medicaid data
that can lead to the identification or re-identification of a Medicaid
recipient. New York State Department of Health’s Office of Medicaid Management
is required by law, regulation, and policy to safeguard and take specific steps
to ensure the confidentiality of recipient-identifiable data. Therefore,
Medicaid recipient records can be released only for purposes directly related
to the NEW YORK STATE Medicaid program. Medicaid’s data protection
policy is set forth in the following cited laws and regulations.
Pursuant to Social
Services Law Section 369 (4) which states:
provision of this chapter or other law notwithstanding, all information
received by public welfare officers concerning applicants for and recipients of
medical assistance may be disclosed or used only for purposes directly
connected with the administration of medical assistance for needy persons.
Also following New York
State Department of Health Medicaid State Plan requirements, Social Security
Act, Section 1902(a)(7), 42 USC 1396a(a)(7) a.d., and federal regulations 42
CFR 431.300 which provide for the protection of recipient specific information.
(A) All inquiries and
requests for access to individual recipient level data to be used outside of
the Office of Medicaid Management be referred to the Medicaid Data Security
Coordinator (DSC). The Medicaid data security policy staff act as primary
contact for all confidential data requests.
(B) Medicaid research
(e.g. professional, medical, academic, grants or foundation research) be
evaluated according to the guidelines set forth in 42 CFR 431.300 et seq.
Initial decisions on all applications will be made by the Medicaid Confidential
Data Review Committee (MCDRC) and referred to Legal for clearance.
recipient data will be made accessible to the Local Social Services Districts
(LSSDs) for authorized Medicaid program-related purposes.
To facilitate the
processing of confidential data requests, the Office of Medicaid Management
(formerly the Social Services’, Division of Health & Long Term Care)
established the Medicaid Confidential Data Review Committee (MCDRC). This
committee consists of representatives from the Bureaus of Eligibility, Medicaid
Management Information Systems, Primary Care and Ambulatory Utilization Review,
Long Term Care, Managed Care, Legal Affairs and will include the Data Security
Coordinator. This committee reports to and is chaired by the Director’s
appointed representative. In the absence of the Director’s appointed
representative, the MCDRC is chaired by Medicaid’s Data Security Coordinator.
The Medicaid Confidential Data Review Committee meets, as needed, to review all
requests for confidential data.
(A) The Medicaid
Confidential Data Review Committee (MCDRC) has the preliminary authority,
subject to Director approval, to determine the appropriateness and merits of
all confidential data requests. The MCDRC is responsible for the evaluation of
each request. Determinations on each request will at a minimum consider the
1. How does the
applicant’s request directly relate to the direct administration
of the Medicaid program?
2. What specific
Medicaid program, policy, rule or law will be affected or changed?
3. What will be the
status of internal program priorities relative to the approved confidential
4. How will the Office of
Medicaid Management’s objectives be helped or impaired by answering a request?
5. What impact or cost
(staff and systems resources) is incurred by Medicaid producing the data?
6. Will the confidential
data requests have the potential for:
a. Reducing cost of the
b. Improving access for
c. Increasing quality of
care to recipients?
(B) The MCDRC recommends
approval or denial of a request for confidential recipient data subject to
ratification by Counsel and the Director of Medicaid.
(C) The MCDRC may not
approve any request for recipient confidential data unless it clearly meets the
cited legal conditions in Section I of the “MEDICAID CONFIDENTIAL DATA
REQUIREMENTS” of this document.
(D) Once an application is
approved by the MCDRC and Legal, it is forwarded to the Data Security
Coordinator for action.
(A) The MCDRC meets as
needed. Prior to each meeting, MCDRC members receive copies of each application
for evaluation along with all previous reviews and recommendations pertaining
to that request. Members are responsible for reviewing all applications prior
to each meeting.
(B) The Data Security
Coordinator in consultation with the Director’s Representative, sets the agenda
of applications to be reviewed for each MCDRC meeting.
(C) The MCDRC approves,
denies, refers, or pends all requests on the periodic meeting agenda.
(D) Each application
approved by the MCDRC is evaluated by the Division of Legal Affairs
representative. After counsel renders an opinion on a confidential data
request, the application is sent back to Medicaid’s Data Security Coordinator
(E) Approved applications
are forwarded to a data source bureau that will respond to the request.
(F) The data source
bureau must always attempt to satisfy requests for confidential recipient data
with summary or aggregate data. If summary or aggregate data cannot be used
then only the specific or minimal amount of recipient identifiable information
necessary to answer the request can be disseminated.
(G) All adjudicated
applications are forwarded to the Office of Medicaid Management’s Data Security
Coordinator. The Data Security Coordinator maintains a central database log and
is the central contact between the Department and all applicants (while the
request is under review). The Data Security Coordinator is responsible for
notifying all applicants on the status of their request.
(H) The Data
Security Coordinator will be the Medicaid Bureau’s representative to the
Department’s Data Security Committee and will be responsible for informing the MCDRC
of relevant Departmental data security policies and guidelines.
Data Exchange Regulations
Information on Applicants and Recipients
Source: 44 FR 17934, Mar. 29, 1979, unless otherwise noted.
42CFR 431.300 Basis
(a) Section 1902(a)(7) of the Act requires that a State plan
must provide safeguards that restrict the use or disclosure of information
concerning applicants and recipients to purposes directly connected with the
administration of the plan. This subpart specifies State plan requirements, the
types of information to be safeguarded, the conditions for release of
safeguarded information, and restrictions on the distribution of other
(b) Section 1137 of the Act, which requires agencies to
exchange information in order to verify the income and eligibility of
applicants and recipients (see §435.940ff), requires State agencies to have
adequate safeguards to assure that—
(1) Information exchanged by the State agencies is made
available only to the extent necessary to assist in the valid administrative
needs of the program receiving the information, and information received under
section 6103(l) of the Internal Revenue Code of 1954 is exchanged only with
agencies authorized to receive that information under that section of the Code;
and
(2) The information is adequately stored and processed so that it is
protected against unauthorized disclosure for other purposes.
[51 FR 7210, Feb. 28, 1986]
42CFR 431.301 State
A State plan must provide, under a State statute that imposes
legal sanctions, safeguards meeting the requirements of this subpart that
restrict the use or disclosure of information concerning applicants and
recipients to purposes directly connected with the administration of the plan.
42CFR 431.302 Purposes
directly related to State plan administration.
Purposes directly related to plan administration include—
(b) Determining the amount of medical assistance;
(c) Providing services for recipients; and
(d) Conducting or assisting an investigation, prosecution, or
civil or criminal proceeding related to the administration of the plan.
42CFR 431.303 State
authority for safeguarding information.
The Medicaid agency must have authority to implement and
enforce the provisions specified in this subpart for safeguarding information
about applicants and recipients.
42CFR 431.304 Publicizing
(a) The agency must publicize provisions governing the
confidential nature of information about applicants and recipients, including
the legal sanctions imposed for improper disclosure and use.
(b) The agency must provide copies of these provisions to
applicants and recipients and to other persons and agencies to whom information
42CFR 431.305 Types
of information to be safeguarded.
(a) The agency must have criteria that govern the types of
information about applicants and recipients that are safeguarded.
(b) This information must include at least—
(1) Names and addresses;
(2) Medical services provided;
(3) Social and economic conditions or circumstances;
(4) Agency evaluation of personal information;
(5) Medical data, including diagnosis and past history of
disease or disability; and
(6) Any information received for verifying income eligibility
and amount of medical assistance payments (see §435.940ff). Income information
received from SSA or the Internal Revenue Service must be safeguarded according
to the requirements of the agency that furnished the data.
(7) Any information received in connection with the
identification of legally liable third party resources under §433.138 of this
[44 FR 17934, Mar. 29, 1979, as amended at 51 FR 7210, Feb.
28, 1986; 52 FR 5975, Feb. 27, 1987]
42CFR 431.306 Release
(a) The agency must have criteria specifying the conditions for
release and use of information about applicants and recipients.
(b) Access to information concerning applicants or recipients
must be restricted to persons or agency representatives who are subject to
standards of confidentiality that are comparable to those of the agency.
(c) The agency must not publish names of applicants or
(d) The agency must obtain permission from a family or
individual, whenever possible, before responding to a request for information
from an outside source, unless the information is to be used to verify income,
eligibility and the amount of medical assistance payment under section 1137 of
this Act and §435.940 through §435.965 of this chapter. If, because of an
emergency situation, time does not permit obtaining consent before release, the
agency must notify the family or individual immediately after supplying the
(e) The agency’s policies must apply to all requests for
information from outside sources, including governmental bodies, the courts, or
law enforcement officials.
(f) If a court issues a subpoena for a case record or for any
agency representative to testify concerning an applicant or recipient, the
agency must inform the court of the applicable statutory provisions, policies,
and regulations restricting disclosure of information.
(g) Before requesting information from, or releasing
information to, other agencies to verify income, eligibility and the amount of
assistance under §435.940 through §435.965 of this chapter, the agency must
execute data exchange agreements with those agencies, as specified in
(h) Before requesting information from, or releasing
information to, other agencies to identify legally liable third party resources
under §433.138(d) of this chapter, the agency must execute data exchange
agreements, as specified in §433.138(h)(2) of this chapter.
[44 FR 17934, Mar. 29, 1979, as amended at 51 FR 7210, Feb.
28, 1986; 52 FR 5975, Feb. 27, 1987]
42CFR 431.307 Distribution
of information materials.
(a) All materials distributed to applicants, recipients, or
medical providers must—
(1) Directly relate to the administration of the Medicaid
(2) Have no political implications;
(3) Contain the names only of individuals directly connected
with the administration of the plan; and
(4) Identify those individuals only in their official capacity
with the State or local agency.
(b) The agency must not distribute materials such as
“holiday” greetings, general public announcements, voting information, and
alien registration notices.
(c) The agency may distribute materials directly related to the
health and welfare of applicants and recipients, such as announcements of free
medical examinations, availability of surplus food, and consumer protection
42CFR 431.10 Single
(a) Basis and purpose. This section implements section
1902(a)(5) of the Act, which provides for designation of a single State agency
for the Medicaid program.
(b) Designation and certification. A State plan must—
(1) Specify a single State agency established or designated to
administer or supervise the administration of the plan; and
(2) Include a certification by the State Attorney General,
citing the legal authority for the single State agency to—
(i) Administer or supervise the administration of the plan; and
(ii) Make rules and regulations that it follows in
administering the plan or that are binding upon local agencies that administer
(c) Determination of eligibility.
(1) The plan must specify
whether the agency that determines eligibility for families and for individuals
under 21 is—
(i) The Medicaid agency; or
(ii) The single State agency for the financial assistance
program under title IV-A (in the 50 States or the District of Columbia), or
under title I or XVI (AABD), in Guam, Puerto Rico, or the Virgin Islands.
(2) The plan must specify whether the agency that determines
eligibility for the aged, blind, or disabled is—
(i) The Medicaid agency;
(ii) The single State agency for the financial assistance
program under title IV-A (in the 50 States or the District of Columbia) or
under title I or XVI (AABD), in Guam, Puerto Rico, or the Virgin Islands; or
(iii) The Federal agency administering the supplemental
security income program under title XVI (SSI). In this case, the plan must also
specify whether the Medicaid agency or the title IV-A agency determines
eligibility for any groups whose eligibility is not determined by the Federal
(d) Agreement with Federal or State agencies. The plan must
provide for written agreements between the Medicaid agency and the Federal or
other State agencies that determine eligibility for Medicaid, stating the
relationships and respective responsibilities of the agencies.
(e) Authority of the single State agency. In order for an
agency to qualify as the Medicaid agency—
(1) The agency must not delegate, to other than its own
officials, authority to—
(i) Exercise administrative discretion in the administration or
supervision of the plan, or
(ii) Issue policies, rules, and regulations on program matters.
(2) The authority of the agency must not be impaired if any of
its rules, regulations, or decisions are subject to review, clearance, or
similar action by other offices or agencies of the State.
(3) If other State or local agencies or offices perform
services for the Medicaid agency, they must not have the authority to change or
disapprove any administrative decision of that agency, or otherwise substitute
their judgment for that of the Medicaid agency with respect to the application
of policies, rules, and regulations issued by the Medicaid agency.
[44 FR 17930, Mar. 23, 1979]
42CFR 431.17 Maintenance
(a) Basis and purpose. This section, based on section
1902(a)(4) of the Act, prescribes the kinds of records a Medicaid agency must
maintain, the retention period, and the conditions under which microfilm copies
may be substituted for original records.
(b) Content of records. A State plan must provide that the
Medicaid agency will maintain or supervise the maintenance of the records
necessary for the proper and efficient operation of the plan. The records must
(1) Individual records on each applicant and recipient that
contain information on—
(i) Date of application;
(ii) Date of and basis for disposition;
(iii) Facts essential to determination of initial and
(iv) Provision of medical assistance;
(v) Basis for discontinuing assistance;
(vi) The disposition of income and eligibility verification
information received under §435.940 through §435.960 of this subchapter; and
(2) Statistical, fiscal, and other records necessary for
reporting and accountability as required by the Secretary.
(c) Retention of records. The plan must provide that the
records required under paragraph (b) of this section will be retained for the
periods required by the Secretary.
(d) Conditions for optional use of microfilm copies. The agency
may substitute certified microfilm copies for the originals of substantiating
documents required for Federal audit and review, if the conditions in
paragraphs (d)(1) through (4) of this section are met.
(1) The agency must make a study of its record storage and must
show that the use of microfilm is efficient and economical.
(2) The microfilm system must not hinder the agency’s
supervision and control of the Medicaid program.
(3) The microfilm system must—
(i) Enable the State to audit the propriety of expenditures for
which FFP is claimed; and
(ii) Enable the HHS Audit Agency and HCFA to properly discharge
their respective responsibilities for reviewing the manner in which the
Medicaid program is being administered.
(4) The agency must obtain approval from the HCFA regional
(i) The system meets the conditions of paragraphs (d)(2) and
(3) of this section; and
(ii) The microfilming procedures are reliable and are supported
by an adequate retrieval system.
[44 FR 17931, Mar. 23, 1979, as amended at 51 FR 7210, Feb.
ePACES Access Control
Warning: As per the Health Insurance Portability and Accountability Act
(HIPAA), CSC or the on-site ePACES Administrator is required to assign unique
user IDs and passwords for identifying and tracking user identity [Ref: §
164.312(a)(2)(i)]. Users that share their ePACES user ID and password are in
violation of the HIPAA Security Regulation. If this practice is detected, the
user’s access will be revoked and other sanctions may apply.