Security - HETS UI

The Center for Medicare & Medicaid Services (CMS) is committed to maintaining the integrity and security of health care data in accordance with applicable laws and regulations. Disclosure of Medicare Beneficiary eligibility data is restricted under the provisions of the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA.) The Provider Medicare Beneficiary eligibility transaction is to be used for conducting Medicare business only. Providers interested in utilizing the HETS UI Internet application are advised to become familiar with the security related documents on this page and understand that CMS monitors the transaction for aberrant behavior.  Refer to Section 10.3 of the Medicare Claims Processing Manual in the Downloads section below.

Cautions & Warnings

The HETS UI Internet application will suspend a User's account access when the number of User errors exceeds the CMS parameterized values for either consecutive errors, or the number of total errors in a single web session. This provides greater system security against End-User fraud and abuse. To protect the privacy of Beneficiary data, the subscriber last name, subscriber first name, subscriber primary ID (HICN), and subscriber birth date must match the Beneficiary's data maintained by Medicare. Providers/Suppliers must use caution to ensure that accurate information is entered into the HETS UI Internet application in order to prevent User lockout.

Authorized Users of the HETS UI Internet application agree to use appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted or as required by the HIPAA. Unauthorized disclosure may result in prosecution to the fullest extent of the law.

The following identifies incident severity levels and describes the required action:

Incident Severity Levels and Required Action

LOW SEVERITY (User is very infrequently locked out):

The External Point of Contacts (EPOC currently referred to as User Group Administrators – UGA) (if applicable) or Security Official contacts the Medicare Customer Assistance Regarding Eligibility (MCARE) Help Desk to request reinstatement. MCARE notifies the Security Official (and UGA, if applicable) of reinstatement via email.

HIGH SEVERITY (User is frequently locked out):

The Security Official contacts the MCARE Help Desk to request reinstatement. MCARE notifies the Security Official (and UGA, if applicable) that the User will remain suspended for at least one week. The Security Official will also be required to complete a Corrective Action Plan (CAP) using a CMS provided form. CMS must receive and approve the CAP before the User will be reinstated (User suspension will last at least one week).

SECURITY INCIDENT EMERGENCY SEVERITY (User continues to be locked out frequently after a CAP has been submitted OR the Organization's Users demonstrate systematic failure to enter valid data):

The Security Official contacts the MCARE Help Desk to request reinstatement. MCARE notifies the Security Official (and UGA, if applicable) that due to repeated suspensions, the User and all other Users in the Organization will be suspended for at least one week. The Security Official will also be required to complete an updated CAP using a CMS provided form. CMS must receive and approve the revised CAP before all of the Organization's Users will be reinstated (suspension will last at least one week).

The HETS UI Internet application will display the following alert message within the application's browser window when a User has been locked out:

Access Denied

Your session has been terminated because you have exceeded the error limit.  Please contact the MCARE Help Desk at 1-866-440-3805 to restore your access to the system.  The MCARE Help Desk is available Monday – Friday from 7AM – 9PM Eastern Time.

ID's and Password Policy

User IDs and Passwords are assigned to individuals. Individuals are strictly forbidden from sharing or "handing off" their User IDs and Passwords with others. The unauthorized use of an individual's User ID and Password will result in the termination of that User's ID and Password.

If you have any questions or concerns, please feel free to contact the MCARE Help Desk listed on the Contact Us page by email or phone.

Medicare Customer Assistance Regarding Eligibility (MCARE) Help Desk 1-866-440-3805