Medicare systems contain extensive personally identifiable information on beneficiaries. As established by the Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA), beneficiaries have a right to expect that their data will not be seen by individuals or entities that do not have a need to know that information for billing or payment purposes. Acceptable uses of beneficiary data, such as for claims processing, are periodically published in the Federal Register.

Electronic Data Interchange (EDI) cannot occur unless providers and their agents such as billing services and clearinghouses are given some level of access to Medicare Systems, but the information which they submit to or obtain from Medicare systems, and the purposes for which they may use that data are limited to protect beneficiaries. Each provider must complete an EDI Enrollment form prior to starting to exchange any EDI transactions either directly with Medicare or through a billing service or clearinghouse. In that agreement, the provider agrees to accept responsibility for safeguarding of beneficiary data and to assure that billing services or clearinghouses whom they may engage to assist with transmission of beneficiary data in turn sign an agreement to also meet the same security and privacy requirements that are binding on the provider as required by CMS and HIPAA.

As part of their EDI Enrollment, each provider must also submit a written notice to their carrier, durable medical equipment regional carrier (DMERC) or fiscal intermediary (FI) specifying which transactions a billing service or clearinghouse is authorized to submit or receive on behalf of the provider, and must notify that same Medicare contractor whenever there is a change in that authorization or representation.