Frequently Asked Questions

State Medicaid agencies and their business associates can use the data obtained pursuant to the process established under section 1902(a)(25)(I) of the Social Security Act and applicable state laws, as permitted or required by law. This should include the coordination of payments for services covered under the Medicaid state plan and actions to ensure that correct payment amounts are made under the Medicaid program and that mistaken payments are recovered. If the appropriate legal relationships are established (e.g., business associate agreements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)), we expect that the data could be released to entities working under contract with a state agency for use in activities such as claims adjudication activities, or for the purpose of recovering improper Medicaid payments. State Medicaid agencies must have procedures in place to ensure that the privacy of individuals is appropriately protected, and that information concerning applicants and beneficiaries is protected in accordance with the requirements of 42 CFR Part 431 Subpart F and the regulations at 45 CFR Parts 160 and 164, which were promulgated under HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) Act.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94186

State laws determine what information is required of the health plans. A health plan's disclosure and use of information that is required to be submitted under state law - such as, information from insurer eligibility files sufficient to determine during what period any individual may be, or have been, covered by a health insurer and the nature of the coverage that is or was provided by the health insurer — is consistent with the HIPAA privacy provisions.

Under HIPAA, both the state Medicaid agency and most health insurers are covered entities and must comply with the HIPAA Privacy Rule in 45 CFR Part 160 and Part 164, Subparts A and E. In their capacities as covered entities under HIPAA, the state Medicaid agency and health insurers are restricted from using and disclosing protected health information (PHI), as that term is defined in 45 CFR section 160.103, other than as permitted or required by the HIPAA Privacy Rule. However, as relevant here:

1. A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of the law. (45 CFR 164.512(a)(1)) Under this provision, each covered entity must be limited to disclosing or using only the PHI necessary to meet the requirements of the law that compels the use or disclosure. Anything required to be disclosed by a law can be disclosed without violating HIPAA under the ""required by law"" provisions. Therefore, health insurers may disclose data elements in addition to the four minimum data elements, up to and including submission of an entire insurer eligibility file, to the extent such information is required to be submitted by state law. (45 CFR 164.512(a))
2. Separately, a covered entity may use or disclose PHI, without the consent of an individual, for payment activities, including to facilitate payment. (45 CFR 164.502(a)(1) and 164.506) Under HIPAA, the term payment includes activities undertaken by a health plan to determine or fulfill its responsibility for coverage and provision of benefits under the health plan. These activities include determinations of eligibility or coverage, adjudication or subrogation of health benefits claims, and collection activities. (45 CFR 164.501) To the extent plans are releasing this information to the Medicaid program for payment purposes; this is a separate basis for disclosure under HIPAA.
3. The HIPAA Privacy Rule generally requires covered entities to take reasonable steps to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. (45 CFR 164.502(b)(1)) However, among other limited exceptions, the minimum necessary requirements do not apply to uses or disclosures that are required by law under 45 CFR 164.512(a).

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94191

Yes. There is a significant amount of third party coverage derived from health plans licensed in a different state than where the Medicaid beneficiary resides. This can commonly happen when the policyholder works in one state and lives in another state. For example, there may be policyholders who are enrolled in Medicaid coverage in Maryland, or have dependents that are enrolled, who work in Delaware, the District of Columbia, Pennsylvania, Virginia, or West Virginia and also have coverage through their employer in that state. This highlights the need for Medicaid agencies to obtain plan eligibility information from contiguous states in addition to collecting information in their respective state.

Another example is when Medicaid-eligible children are covered by the insurance plan of non-custodial parents who live in a different state than their child(ren). This example is not limited to contiguous states because non-custodial parents could reside in any state in the country. Depending on the size, it may be beneficial for the state to obtain the plan's entire eligibility file. The specific geographical areas to be included in the data exchange should be negotiated with the plans. We recommend use of a Trading Partner Agreement in the exchange of electronic data.

Finally, section 1902(a)(25)(I)(i) of the Social Security Act directs states, as a condition of receiving federal financial participation (FFP) for Medicaid, to have laws in effect that require health insurers doing business in their state to provide the state with the requisite information with respect to individuals who are eligible for, or are provided medical assistance, i.e., Medicaid beneficiaries. State law cannot reach beyond the entities that are "doing business"in their states.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94231

Yes. State Medicaid programs may enter into data matching agreements directly with third parties or may obtain the services of a contractor to complete the required matches. Such arrangements should comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA)'s ""Business Associate"" requirements, where applicable. When the state Medicaid program chooses to use a contractor to complete data matches, including matches as required by the Deficit Reduction Act of 2005 (DRA), the program delegates its authority to obtain the desired information from third parties to the contractor.

Third parties should generally treat a request from the contractor as a request from the state Medicaid agency. Third parties may request verification from the state Medicaid agency that the contractor is working on behalf of the agency and the scope of the delegated work.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94241

Yes. State Medicaid programs may contract with MCOs to provide health care to Medicaid beneficiaries, and may delegate responsibility and authority to the MCOs to perform third party liability TPL discovery and recovery activities, including data matches as required by the Deficit Reduction Act of 2005 (DRA). The Medicaid program may authorize the MCO to use a contractor to complete these activities. The contract language between the state Medicaid agency and the MCO dictates the terms and conditions under which the MCO assumes TPL responsibility. Generally, any TPL administration and performance standards for the MCO will be set by the state and should be accompanied by state oversight.

When TPL responsibilities are delegated to an MCO, third parties are required to treat the MCO as if it were the state Medicaid agency, including:

1. Providing access to third party eligibility and claims data to identify individuals with third party coverage;
2. Adhering to the assignment of rights from the state to the MCO of a Medicaid beneficiary's right to payment by such insurers for health care items or services; and,
3. Refraining from denying payment of claims submitted by the MCO for procedural reasons.

Third parties may request verification from the state Medicaid agency that the MCO or its contractor is working on behalf of the agency and the scope of the delegated work.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94256

Under section 1902(a)(25)(H) of the Social Security Act (the Act) before passage of the Deficit Reduction Act of 2005 (DRA), states were required to have laws in effect that to the extent Medicaid payment was made, the state was considered to have acquired the rights of the Medicaid beneficiary to reimbursement by any other party that was liable for payment. However, payers sometimes deny Medicaid claims based on procedural requirements. Section 1902(a)(25)(I) of the Act, added by the DRA, strengthens the statute by requiring states to enact laws that require health insurers:

1. To accept the state's right of recovery and the assignment to the state of the right of a Medicaid beneficiary or other entity to payment from such party for an item or service for which Medicaid has made payment; and,
2. To process and, if appropriate, pay the claim for reimbursement from Medicaid to the same extent that the plan would have been liable had the plan's card been used for billing at the ""point of sale"" (POS).

Specifically, the state should pass laws which require an insurer to agree not to deny claims submitted by the state on the basis of the date of submission of the claim, the type or format of the claim form, or a failure to present proper documentation of coverage at the POS that is the basis of the claim.

Whether a plan provision affecting payment for an item or service is solely procedural in nature or whether it defines or limits the covered benefits must be determined on a case-by-case basis.

Note that nothing in the DRA negates the state's responsibility to provide proper documentation when submitting claims to the health insurer so that the insurer can determine that a covered service for which the insurer is liable was provided.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94261

No. States typically do not meet the definition of a covered health care provider under 45 CFR 160.103, and therefore, are not eligible to receive an NPI. If states encounter situations where plans are requiring them to submit an NPI, they can submit a formal complaint to the Office of E-Health Standards and Services (OESS) in CMS by using the online Administrative Simplification Enforcement Tool (ASET). ASET allows individuals or organizations to electronically file a complaint against an entity whose actions they believe violate an Administrative Simplification provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

States may submit a formal complaint electronically at: https://asett.cms.gov/ASETT_HomePage. ASET users are required to register with OESS and create a user identification name and password. States also may submit a paper complaint. The form is available at: www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/Enforcements/Downloads/HIPAANon-PrivacyComplaintForm.pdf.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94266

Section 1902(a)(25)(I) of the Social Security Act requires states to have laws in effect that require health insurers to make payment as long as the claim is submitted by the state within three years from the date on which the item or service was furnished.

Some health insurers currently deny claims submitted by Medicaid if they are not filed within a prescribed time limit, which is applied to plan beneficiaries and providers (e.g., a plan might require beneficiaries and providers to submit claims within 30 days from date of service). If the state Medicaid agency is unable to ascertain the existence of the third party coverage and submit a claim within the time limit, the insurer may attempt to avoid liability.

Any action by the state to enforce its rights with respect to such claim must be commenced within six years of the state's submission of such claim. Health insurers also must respond to any inquiry by a state regarding claims submitted within three years from the date on which the item or service was furnished.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94286

No. Section 1902(a)(25)(I)(iv) of the Social Security Act requires states to pass laws that would require health insurers to accept claims submitted by the state within the 3-year period beginning with the date on which the item or service was furnished. States are not precluded from having laws or regulations that would require insurers to accept claims for a period of time longer than three years.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94291

No. States typically do not meet the definition of a covered health care provider, and therefore, are not eligible to receive a National Provider Identifier (NPI) number to enable them to bill Medicare. The NPI is the standard unique identifier for health care providers that CMS adopted in 2007. At that time, Medicare revoked existing billing numbers previously issued to Medicaid agencies and notified Medicare carriers to stop enrolling Medicaid programs as Medicare providers. Only recognized providers and suppliers of services that have an NPI can enroll in Medicare. Medicare will not enroll state Medicaid programs, as they are not direct providers or suppliers of services.

Medicaid may submit claims to health plans on behalf of Medicaid beneficiaries who have assigned their rights to payment from third parties (other than Medicare) to the Medicaid program, under the authority of sections 1912, 1902(a)(25)(H), and 1992(a)(25)(I)(ii) of the Social Security Act. However, Medicaid doesn't have the same authority to submit claims to Medicare on behalf of a "dually" eligible beneficiary. The rights to Medicare benefits are not assignable; only the Medicare provider and the beneficiary may submit claims to Medicare.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94301