Skip to main content
U.S. flag

An official website of the United States government

Return to Search

Electronic Data Interchange System Access and Privacy - updated 2016

Guidance for Medicare beneficiaries on EDI system access and privacy requirements

Issued by: Centers for Medicare & Medicaid Services (CMS)

Issue Date: June 10, 2019

Medicare systems contain extensive Personally Identifiable Information (PHI) (PII) on beneficiaries. As established by the Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA), beneficiaries have a right to expect that their data will not be seen by individuals or entities that do not have a need to know that information for billing or payment purposes. Acceptable uses of beneficiary data, such as for claims processing, are periodically published in the Federal Register.

Electronic Data Interchange (EDI) cannot occur unless providers and their agents such as billing services and clearinghouses are given some level of access to Medicare Systems, but the information which they submit to or obtain from Medicare systems, and the purposes for which they may use that data are limited to protect beneficiaries. Each provider must complete an EDI Enrollment form prior to starting to exchange any EDI transactions either directly with Medicare or through a billing service or clearinghouse. In that agreement, the provider agrees to accept responsibility for safeguarding of beneficiary data and to assure that billing services or clearinghouses whom they may engage to assist with transmission of beneficiary data in turn sign an agreement to also meet the same security and privacy requirements that are binding on the provider as required by CMS and HIPAA.

As part of their EDI Enrollment, each provider must also submit a written notice to their Medicare Administrative Contractor (MAC) for Part A and Part B claims or Common Electronic Data Interchange (CEDI) for durable medical equipment claims specifying which transactions a billing service or clearinghouse is authorized to submit or receive on behalf of the provider, and must notify that same Medicare contractor whenever there is a change in that authorization or representation.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.