2020 (CWF)
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 7/18/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-6319522-407826 |
Name: | 2020 (CWF) |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Agency |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 8/29/2022 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | Other - The PIA has been updated to reflect data center operations migration from Tulsa, OK to CMS Disaster Recovery as a Service Continuously Available CMS Hosting Environment (DRaaS-CACHE) data centers located in Kent, Washington and Ashburn, Virginia). All operations and processes remain the same. |
Describe in further detail any changes to the system that have occurred since the last PIA. | The Common Working File (CWF) authorized application change requests implemented in Quarterly and Off-Quarter releases. Change requests are used to implement new validation checks to be used in validating claims that are submitted by Medicare Administrative Contractors to CWF Hosts. Personally identifiable information (PII) is collected prior to CWF and PII is not edited but may be used as part of the validation process. Changes undergo a security impact analysis. |
Describe the purpose of the system | The Common Working File (CWF) is a tool used by the Centers for Medicare & Medicaid Services (CMS) to maintain records about beneficiaries enrolled in the Medicare fee for service health plan. The system is used to determine the Medicare beneficiaries' eligibility for Medicare services and to monitor and inform other CMS payment systems on the appropriate usage of Medicare benefits and to ensure payments for services received are appropriately determined and applied to payments based on Medicare payment and coverage rules. Also, the repository for Medicare beneficiary eligibility information that is received nightly from the Social Security Administration (SSA). The eligibility information consists of newly enrolled beneficiaries into Medicare. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | CWF maintains beneficiary eligibility information that comes from Social Security Administration (SSA). The information maintained is Social Security Number, Email Address, Medical Notes, Mailing address, Name, Phone number, Certificates, Military Status, Taxpayer ID, Medical Record Number, Date of Birth, Date of Death, Health Insurance Claim Number, and user authentication data. It also maintains claims information. Claims include information about the services provided to a Medicare beneficiary, along with information about the provider that provided the services. When a claim with a new beneficiary is received, CWF will go to the beneficiary eligibility database to validate eligibility and create a file with the beneficiary's eligibility and claims history. CWF also maintains claims and eligibility information for those who are Medicare eligible and receiving Workman's Compensation. Since CWF is a batch processing application, there are no user accounts for the system. The CWF host facility in Kent, Washington maintains administrative accounts for users maintaining the host site infrastructure, but they do not access the CWF system. Administrative accounts are validated via EUA. EUA is covered by a PIA managed by the Infrastructure and User Services Group (IUSG). User authentication data collected is user name and user password. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | CWF is a batch processing application that compares submitted claims information with eligibility information provided to CWF from SSA. Claims are reviewed and processed within CWF. CWF processed claims determinations are then sent to other CMS systems so that claims payments can be made. All exchanges of information are done machine-to-machine, and no users log into CWF. The CWF is a Medicare Part A and Part B benefit coordination and pre-payment claims validation system. Claims are processed to the point of reimbursement computation. CWF software currently performs data collection and validation, on-line inquiry, file maintenance, reports, and archival/retrieval. The claims received are processed through various software modules and sub-routines, databases, files, and records. The Medicare Administrative Contractor (MAC) submits the claims to the CWF site to verify entitlement and utilization on the claim. Under the CWF, Part A and Part B data for each Beneficiary is combined into a single, 'common' working file. The CWF software also performs limited Part A/B crossover editing to confirm that the services are not paid twice on different types of claims. The CWF provides the MAC with responses to those claims. MACs also submit special transactions such as Medicare Secondary Payment (MSP) data (primary insurer data when Medicare is secondary), ESRD (End Stage Renal Disease) Method of Reimbursement Computation data (only Part A MACs submit these transactions) and Certificate of Medical Necessity ((CMS) only DME MACs submit these transactions). These transactions are submitted to the CWF along with the claims and are identified by transaction type. MACs receive responses to these transactions along with the responses to the claims. Once the claim passes all the edits, the CWF beneficiary master file is updated to reflect the benefits now available, as well as any changes to the deductible status. The claim is added to the CWF full claim history file. CWF regularly retrieves information by the beneficiary's name, HICN, and assigned unique physician identification number. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | Information is shared to verify patient data between Medicare Insurers, if necessary, as well as beneficiary entitlement and accuracy of payment. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | PII from CWF is used to populate other CMS accredited systems that use information from the CWF. |
Describe the function of the SSN. | The SSN is used to verify beneficiary identity and eligibility. |
Cite the legal authority to use the SSN. | Authority for the maintenance of this system of records is given under the authority of sections 1816, and 1874 of Title XVIII of the Social Security Act (42 U.S.C.1395h, and 1395kk) and E.O. 9397.
|
Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for the maintenance of this system of records is given under the authority of sections 1816, and 1874 of Title XVIII of the Social Security Act (421395h, and 1395kk) and E.O. 9397. 5 USC 301.
|
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | System of Records Notice #09-70-0526, Common Working File |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - MAC sites collect claim information (pre-CWF) which is then submitted to CWF Hosts for batch processing in an automated, machine-to-machine process. CWF validates the claims and returns the results to the MAC submitting the claims. |
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | N/A |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. |
|
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | The CWF system does not share information outside of CMS. CWF shares/collects information from other CMS systems only within the CMS datacenter. MOUs are not required for CMS systems authorized under the same authorizing official. The Computer Matching and Privacy Protection Act (CMPPA) Agreement (Agreement) establishes the terms, conditions, safeguards, and procedures under which the Social Security Administration (SSA) will disclose information to the Centers for Medicare & Medicaid Services (CMS) under the Patient Protection and Affordable Care Act (Public Law (Pub. L.) No. 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. No. 111-152) Computer matching agreements (CMA) establish the conditions for data sharing between CMS and the Railroad Retirement Board, Treasury department and others. A CMA is a written agreement between the source agency and the recipient agency (or non-federal agency) specifying the terms of the matching program. The computer matching provisions of the Privacy Act apply to a broad range of federal agency computer matching activities for the purpose of establishing or verifying eligibility or compliance as it relates to cash or in-kind assistance or payments under federal benefit programs. These agreements are executed in compliance with the Privacy Act of 1974 (5 U.S.C. § 552a), as amended by the Computer Matching and Privacy Protection Act of 1988, and the regulations and guidance promulgated thereunder. The legal authority for the disclosures under this agreement is the Privacy Act of 1974, as amended (5 U.S.C. § 552a(b)(3)), which authorizes a Federal agency to disclose information from its system of records, without prior written consent, when such disclosure is pursuant to a routine use.
|
Describe the procedures for accounting for disclosures | The CWF system does not directly share information with entities outside of CMS. CWF data feeds other CMS systems that make disclosures. Information sharing from CWF with other CMS systems are maintained in a systems log. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | CWF does not collect personally identifiable information (PII) directly from individual. The information in CWF is supplied by the Social Security Administration (SSA) and from Medicare Administrative contractors. Therefore, there is no way for CWF to notify individuals. Notices for the information that is maintained in CWF are provided by the systems that are the source for the information in CWF. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | CWF does not collect information directly from individuals. The systems that collect information directly from individuals that are then provided to CWF provide notice, including how to opt out or not participate in the collection of their information. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | CWF does not collect information directly from Medicare beneficiaries and therefore does not have a process to notify or obtain their consent. The systems that collect information from beneficiaries provide notice and consent. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | CWF does not collect information directly from individuals. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | CWF compares PII data it receives in a claim against a CMS hosted database for accuracy and relevancy. However, CWF is not the source of the information in the system. The data maintained by CMS is a copy of SSA records and claims records maintained at the MAC. SSA and the MACs have processes in place to ensure data integrity of the source information. Data received is considered accurate; however, inconsistencies will cause a claim to be rejected and to be reworked by Host. CWF only has PII data as required to run edit checks required by CMS. Claims with inaccurate PII would be rejected as part of validation checks. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | CWF data repositories uses role-based access limitations and least privilege controls to restrict PII availability in the production environment. CWF is a batch processing system, which does not have users. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | CWF uses role-based access limitations and least privilege controls to restrict PII availability. Users must have a CWF job code in their Enterprise User Administration (EUA) user profile before they are granted access to CWF. CWF employs the CMS Enterprise User Administration and Resource Access Control Facility (RACF) to issue user IDs and grant permissions. Data center administrators have role-based access, which limits their access to PII data. EUA is covered by a PIA managed by the Infrastructure and User Services Group (IUSG). |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | CWF staff receive annual security awareness and privacy awareness training, security incident response training and acknowledge security rules of behavior. |
Describe training system users receive (above and beyond general security and privacy awareness training) | CWF staff receive annual incident response training and acknowledge security rules of behavior. Security staff may receive additional training throughout the year from CMS and outside providers; as training is scheduled/becomes available. CWF production staff maintain their own training programs and training records of their personnel. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Business Owners must contact the CMS Office of Strategic Operations and Regulatory Affairs (OSORA) to initiate the records management process. All data in system will be disposed of in accordance with the National Archives and Records Administration (NARA) Disposition Authority DAA-0440-2015-0006, which has 7-year minimum retention. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Security for PII, collected/maintained by the application, is a function of the production DRaaS-CACHE Kent Data Center (KDC), as CWF is resident on the CMS sponsored mainframe. CWF data is maintained and secured by the database administrator hosting facility. Physical controls, such as security guards and Personally Identity Verification are used to access government facilities. Technical and administrative controls, in accordance with CMS Acceptable Risk Standards are in place to ensure the protection of the application and ensure access to the system is managed on a need-to-know basis. |