Skip to Content


Privacy Act of 1974

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).


Notice of Computer Matching Program (CMP).


In accordance with the requirements of the Privacy Act of 1974, as amended, this notice announces the establishment of a CMP that CMS plans to conduct with various Participating States. We have provided information about the matching program in the “Supplementary Information” section below. The Privacy Act provides an opportunity for interested persons to comment on the matching program. We may defer implementation of this matching program if we receive comments that persuade us to defer implementation. See “Effective Dates” section below for comment period.


Effective Dates: CMS filed a report of the CMP with the Chair of the House Committee on Oversight and Government Reform, the Chair of the Senate Committee on Homeland Security and Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on < DATE >. We will not disclose any information under a matching agreement until 40 days after filing a report to OMB and Congress or 30 days after publication in the Federal Register, whichever is later. We may defer implementation of this matching program if we receive comments that persuade us to defer implementation.


The public should address comments to: CMS Privacy Officer, Division of Privacy Compliance, Enterprise Architecture and Strategy Group, Office of Information Services, CMS, Mail-stop N2-04-27, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.-3 p.m., eastern daylight time.

Start Further Info


Lourdes Grindal Miller, Health Insurance Specialist, Program Integrity Group, Office of Financial Management, CMS, Mail-stop C3-02-16, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. The telephone number is 410-786-1022 and e-mail is

End Further Info End Preamble Start Supplemental Information


Description of the Matching Program

A. General

The Computer Matching and Privacy Protection Act of 1988 (Public Law (Pub. L.) 100-503), amended the Privacy Act (5 U.S.C. 552a) by describing the manner in which computer matching involving Federal agencies could be performed and adding certain protections for individuals applying for and receiving Federal benefits.

Section 7201 of the Omnibus Budget Reconciliation Act of 1990 (Pub. L. 101-508) further amended the Privacy Act regarding protections for such individuals. The Privacy Act, as amended, regulates the use of computer matching by Federal agencies when records in a system of records are matched with other Federal, state, or local government records. It requires Federal agencies involved in computer matching programs to: Negotiate written agreements with the other agencies participating in the matching programs;

Obtain the Data Integrity Board approval of the match agreements; Furnish detailed reports about matching programs to Congress and OMB; Notify applicants and beneficiaries that the records are subject to matching; and, Verify match findings before reducing, suspending, terminating, or denying an individual's benefits or payments.

B. CMS Computer Matches Subject to the Privacy Act

CMS has taken action to ensure that all CMPs that this Agency participates in comply with the requirements of the Privacy Act of 1974, as amended.

Start Signature

Dated: June 22, 2009.

Michelle Snyder,

Deputy Chief Operating Officer, Centers for Medicare & Medicaid Services.

End Signature

CMS Computer Match No. 2009-05; HHS Computer Match No. 0603


“Computer Matching Agreement (CMA) Between the Centers for Medicare & Medicaid Services (CMS) and Participating States for the Disclosure of Medicare and Medicaid Information.”


Level Three Privacy Act Sensitive


The Centers for Medicare & Medicaid Services (CMS) All Participating States, Start Printed Page 31968the District of Columbia, and the territories of Guam, Puerto Rico, American Samoa, and the Virgin Islands.


This CMA is executed to comply with the Privacy Act of 1974 (Title 5 United States Code (U.S.C.) § 552a), as amended, (as amended by Pub. L. 100-503, the Computer Matching and Privacy Protection Act (CMPPA) of 1988), the Office of Management and Budget (OMB) Circular A-130, titled “Management of Federal Information Resources” at 65 Federal Register (FR) 77677 (December 12, 2000), 61 FR 6435 (February 20, 1996), and OMB guidelines pertaining to computer matching at 54 FR 25818 (June 19, 1989).

This Agreement provides for information matching fully consistent with the authority of the Secretary of the Department of Health and Human Services (HHS) (the Secretary). Sections 1816 and 1842 of the Social Security Act (the Act) permits the Secretary to make audits of the records of providers as necessary to insure that proper payments are made, to assist in the application of safeguards against unnecessary utilization of services furnished by providers of services and other persons to individuals entitled to benefits, and to perform other functions as are necessary (Pub. L. 108-173 § 911, amending Title XVIII, § 1874A (42 U.S.C. 1395kk-1).

Section 1857 of the Act provides that the Secretary, or any person or organization designated by the Secretary shall have the right to “inspect or otherwise evaluate (i) the quality, appropriateness, and timeliness of services performed under the contract” (42 U.S.C. 1395w-27(d) (2) (A)); and “audit and inspect any books and records of [a Medicare Advantage] organization that pertain to services performed or determinations of amounts payable under the contract.” (42 U.S.C. 1395w-27(d) (2) (B)).

Furthermore, § 1874(b) of the Act authorizes the Secretary to “contract with any person, agency, or institution to secure on a reimbursable basis such special data, actuarial information, and other information as may be necessary in the carrying out of his functions under Subchapter XVIII.” (42 U.S.C. 1395kk (b).)

Section 1893 of the Act establishes the Medicare Integrity Program, under which the Secretary may contract with eligible entities to conduct a variety of program safeguard activities, including fraud review employing equipment and software technologies that surpass existing capabilities (42 U.S.C. 1395ddd)). These entities are called Program Safeguards Contractors (PSC) and Medicare Drug Integrity Contractors (MEDIC).

Pursuant to the applicable state statutes and guidelines for the Participating State charged with the administration of the Medicaid program, disclosure of the Medicaid data pursuant to this Agreement is for purposes directly connected with the administration of the Medicaid program, in compliance with 42 CFR 431.300 through 431.307. Those purposes include the detection, prosecution, and deterrence of FW&A in the Medicaid program. (See state signature page for the legal authority for each specific state.)

CMS would cite to 45 CFR 164.501 (definition of “Health Oversight Agency”) and 45 CFR 164.512(d) as bases under which it believes Participating States may make the contemplated disclosures of Medicaid data to CMS' contractor. It would also note that under sec. 6034(g)(1)(B) of the Deficit Reduction Act (Pub. L. 109-171; 42 U.S.C. 1395ddd(g)(1)(B)), CMS is required to disclose certain data and statistical information collected by the Medi-Medi program to States and other named parties. This data can then be used by each receiving state's own FW&A programs.


The purpose of this Agreement is to establish the conditions, safeguards, and procedures under which the Centers for Medicare & Medicaid Services (CMS) will conduct a computer matching program with Participating States to study claims, billing, and eligibility information to detect suspected instances of fraud, waste and abuse (FW&A). To support the health oversight activities of CMS, CMS and the Participating State will provide a CMS contractor (hereinafter referred to as the “Custodian”) with Medicare and Medicaid records pertaining to eligibility, claims, and billing information, which the Custodian will match. Utilizing fraud detection software, the information will then be used to identify patterns of aberrant practices and abnormal patterns requiring further investigation. Aberrant practices and abnormal patterns identified in this matching program that constitute FW&A will involve individuals who are practitioners, providers and suppliers of services, Medicare beneficiaries, Medicaid recipients, and other individuals whose information may be maintained in the records. Furthermore, § 6034(g)(1)(B) of the Deficit Reduction Act (DRA), Public Law 109-171; 42 U.S.C. 1395ddd(g)(1)(B) provides for the disclosure of certain information that will be derived from these CMS health oversight activities to “States (including a Medicaid fraud and abuse control unit described in § 1903(q)” of the Social Security Act (SSA). Participating states will therefore receive information from CMS for use in their own FW&A programs.


This computer matching program (CMP) will enhance the ability of CMS and Participating States to detect FW&A by matching claims data, eligibility, and practitioner, provider, and supplier enrollment records of Medicare beneficiaries, practitioners, providers, and suppliers in the Participating State against records of Medicaid recipients, practitioners, providers, and suppliers in the Participating State.


One Program Integrity Data Repository (ODR), System No. 09-70-0568 was published at 71 FR 64530 (November 2, 2006).

Medicare Integrated Data Repository (IDR), System No. 09-70-0571 was published at 71 FR 74915 (December 13, 2006).

The records files that will be made available for this matching program by the Participating State include utilization, entitlement, and provider records.


The CMP shall become effective 40 days after the report of the matching program is sent to OMB and Congress, or 30 days after publication in the Federal Register, whichever is later. The matching program will continue for 18 months from the effective date and may be extended for an additional 12 months thereafter, if certain conditions are met.

End Supplemental Information

[FR Doc. E9-15803 Filed 7-2-09; 8:45 am]