The Centers for Medicare & Medicaid Services (CMS) is warning of a phishing scam in which providers are being sent faxes requesting all Medicare patient information and records. The faxes generally demand this information in 72 hours.
Many of these faxes are using CMS headers for authenticity, or headers of other organizations, such as the National Archives and Records Administration (NARA).
Be aware of this ongoing scam and do not respond or share your patients’ information.
Will CMS ever request patient information or records?
Yes, but CMS (or its contractors) will identify specific Medicare beneficiaries, time periods, encounters or prescription drug event records involved. These requests will also provide ample time to respond, typically 30-45 days.
CMS also generally doesn’t initiate audits via fax or email, unless a provider requests it, and Medicare overpayment collections are handled through an established process through the Medicare Administrative Contractors (MACs). Medicare medical reviews are requested through an Additional Documentation Request (ADR) and are outlined in Title 42 of the Code of Federal Regulations (CFR), Part 405, Subpart I.
What are some other organizations that will ask for patient information and records?
Datavant, DataLink, Veradigm and ConventBridge (UPIC) are legitimate data contractors working with Priority Health and CMS that will request patient data. Again, these requests will identify specific patients, over specific time periods, with specific kinds of information requested.
If you get a request for patient information from Priority Health or one of our vendor partners, you can always call us to verify the authenticity of the request at 800.942.4765.