. ,f""'4~Vl�( ?
'+,~l'''''".a
DEPARTMENT OF HEALTH & HUMAN SERVICES Office of Inspector General
Washington, D.C. 20201
DEC 22 1999
TO All Medicaid Fraud Control Units
SUBJECT: State Fraud Policy Transmittal No. 99-02
Public Disclosure Requests and Safeguarding of Privacy Rights
This transmittal is to clarify the Office of Inspector General (O.lG) policy with respect to
the safeguarding of privacy rights by State Medicaid Fraud Control Units (MFCU's)
when MFCU's receive requests from the public for investigative records..
Federal regulations provide, as one "duty and responsibility," that a MFCU "will
safeguard the privacy rights of all individuals and will provide safeguards to prevent the
misuse of information under the unit's control,"( 42 CFR, section 1007.11 (f)). One
situation in which a MFCU must safeguard pnvacy rights is when a Unit receives a
request for investigative records under a State public disclosure law. Such requests
may be for investigative files in either fraud or patient abuse or neglect cases.
In determining what information to disclose in response.to a request from the public, a
MFCU is subject to its State's public disclosure law. In order to meet the Federal
confidentiality requirement, a MFCU must protect, to the fullest extent authorized by
such laws, the identities of witnesses, victims, and informants, as well as the identities
of suspects when the allegations are unsubstantiated, unless such identities are
already in the public domain or the individuals dearly consented to the release of their
identities. Such identities are typically protected by redacting identifying information, or
information that could lead to those identities, from files being released.
A MFCU should immediately contact the Director �:f the OIG State Medicaid Oversight
and Policy Staff in the following situations:
If a MFCU interprets its Stat� 'public disclosure law in such a manner that it
cannot protect from release the identities of witnesses, victims, and informants,
as well as the identities of suspects when the allegations are unsubstantiated,
uniess such identities are already in. the public domain or the individuals clearly
consented to the release of their id�ntities. We may discuss with the Unit
appropriate legislative remedies to bring the MFCU into compliance with the
Federal regulation.
Page 2 - Public Disclosure Requests and Privacy Rights
. If a MFCU receives a public disclosure request and intends to release the
identities of witnesses, victims, and informants, as well as the identities of
suspects when the allegations are unsubstantiated, in the situations described
above. The MFCU must provide GIG adequate time prior to the anticipated
release for OIG to provide its analysis of the situation or other appropriate
assistance. The Medicaid Fraud Control Units should not inform OIG about
routine requests for investigative information that do not involve the identities of
individuals or other sensitive situations. .
Providing OIG adequate and timely notice in these situations wilt help ensure that Units
are complying with, and OIG is adequately enforcing, the Federal requirement
regarding individual privacy rights.
If you have any questions regarding this transmittal, please contact Joseph Prekker,
Director, State Medicaid Oversight and Policy Staff at (202) 619-3557.
----_::)..--../'
Frank ,N Iik
Assista nspector General for
Investigative Oversight and Support
v.L