Skip to main content

2020 (CWF)

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 7/18/2024

PIA Information for the 2020 (CWF)
PIA QuestionsPIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-6319522-407826

Name:

2020 (CWF)

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Agency

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

8/29/2022

Indicate the following reason(s) for updating this PIA. Choose from the following options.

Other - The PIA has been updated to reflect data center operations migration from Tulsa, OK to CMS Disaster Recovery as a Service Continuously Available CMS Hosting Environment (DRaaS-CACHE) data centers located in Kent, Washington and Ashburn, Virginia). All operations and processes remain the same.

Describe in further detail any changes to the system that have occurred since the last PIA.

The Common Working File (CWF) authorized application change requests implemented in Quarterly and Off-Quarter releases. Change requests are used to implement new validation checks to be used in validating claims that are submitted by Medicare Administrative Contractors to CWF Hosts. Personally identifiable information (PII) is collected prior to CWF and PII is not edited but may be used as part of the validation process. Changes undergo a security impact analysis.

Describe the purpose of the system

The Common Working File (CWF) is a tool used by the Centers for Medicare & Medicaid Services (CMS) to maintain records about beneficiaries enrolled in the Medicare fee for service health plan. The system is used to determine the Medicare beneficiaries' eligibility for Medicare services and to monitor and inform other CMS payment systems on the appropriate usage of Medicare benefits and to ensure payments for services received are appropriately determined and applied to payments based on Medicare payment and coverage rules. Also, the repository for Medicare beneficiary eligibility information that is received nightly from the Social Security Administration (SSA).  The eligibility information consists of newly enrolled beneficiaries into Medicare.  

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

CWF maintains beneficiary eligibility information that comes from Social Security Administration (SSA).  The information maintained is Social Security Number, Email Address, Medical Notes, Mailing address, Name, Phone number, Certificates, Military Status, Taxpayer ID, Medical Record Number, Date of Birth, Date of Death, Health Insurance Claim Number, and user authentication data.   It also maintains claims information.  Claims include information about the services provided to a Medicare beneficiary, along with information about the provider that provided the services.  When a claim with a new beneficiary is received, CWF will go to the beneficiary eligibility database to validate eligibility and create a file with the beneficiary's eligibility and claims history. CWF also maintains claims and eligibility information for those who are Medicare eligible and receiving Workman's Compensation. 

Since CWF is a batch processing application, there are no user accounts for the system. The CWF host facility in Kent, Washington maintains administrative accounts for users maintaining the host site infrastructure, but they do not access the CWF system. 

Administrative accounts are validated  via EUA. EUA is covered by a PIA managed by the Infrastructure and User Services Group (IUSG). User authentication data collected is user name and user password. 

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

CWF is a batch processing application that compares submitted claims information with eligibility information provided to CWF from SSA.  Claims are reviewed and processed within CWF.  CWF processed claims determinations are then sent to other CMS systems so that claims payments can be made.  All exchanges of information are done machine-to-machine, and no users log into CWF.

The CWF is a Medicare Part A and Part B benefit coordination and pre-payment claims validation system. Claims are processed to the point of reimbursement computation. CWF software currently performs data collection and validation, on-line inquiry, file maintenance, reports, and archival/retrieval. The claims received are processed through various software modules and sub-routines, databases, files, and records.

The Medicare Administrative Contractor (MAC) submits the claims to the CWF site to verify entitlement and utilization on the claim. Under the CWF, Part A and Part B data for each Beneficiary is combined into a single, 'common' working file.

The CWF software also performs limited Part A/B crossover editing to confirm that the services are not paid twice on different types of claims. The CWF provides the MAC with responses to those claims.   MACs also submit special transactions such as Medicare Secondary Payment (MSP) data (primary insurer data when Medicare is secondary), ESRD (End Stage Renal Disease) Method of Reimbursement Computation data (only Part A MACs submit these transactions) and Certificate of Medical Necessity ((CMS) only DME MACs submit these transactions). These transactions are submitted to the CWF along with the claims and are identified by transaction type.   MACs receive responses to these transactions along with the responses to the claims.

Once the claim passes all the edits, the CWF beneficiary master file is updated to reflect the benefits now available, as well as any changes to the deductible status. The claim is added to the CWF full claim history file.

CWF regularly retrieves information by the beneficiary's name, HICN, and assigned unique physician identification number.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Certificates
  • Military Status
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Date of Death
  • Other - Health Insurance Claim Number, user authentication data. Administrative accounts are validated  via EUA. EUA is covered by a PIA managed by the Infrastructure and User Services Group (IUSG). 

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Public Citizens

  • Business Partners/Contacts (Federal, state, local agencies)

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

Information is shared to verify patient data between Medicare Insurers, if necessary, as well as beneficiary entitlement and accuracy of payment.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

PII from CWF is used to populate other CMS accredited systems that use information from the CWF. 

Describe the function of the SSN.

The SSN is used to verify beneficiary identity and eligibility.

Cite the legal authority to use the SSN.

Authority for the maintenance of this system of records is given under the authority of sections 1816, and 1874 of Title XVIII of the Social Security Act (42 U.S.C.1395h, and 1395kk) and E.O. 9397.

 

Identify legal authorities​ governing information use and disclosure specific to the system and program.

Authority for the maintenance of this system of records is given under the authority of sections 1816, and 1874 of Title XVIII of the Social Security Act (421395h, and 1395kk) and E.O. 9397.

5 USC 301.

 

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

System of Records Notice #09-70-0526, Common Working File

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Other - MAC sites collect claim information (pre-CWF) which is then submitted to CWF Hosts for batch processing in an automated, machine-to-machine process. CWF validates the claims and returns the results to the MAC submitting the claims.

Identify the sources of PII in the system: Government Sources

  • Within the OPDIV

  • Other Federal Entities

Identify the sources of PII in the system: Non-Government Sources

 

Identify the OMB information collection approval number and expiration date

N/A

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Within HHS: Centers for Medicare & Medicaid Services (CMS), Enrollment Data Base (EDB), Next Generation Desktop (NGD), National Claims History (NCH) - claims data analysis agency contractors, consultants, or grantees, who have been engaged by the agency to assist in the performance of a service related to this collection and who need to have access to the records to perform the activity. No authentication is exchanged.

  • Other Federal Agency/Agencies: Treasury Department may require CWF data for investigating alleged theft, forgery, or unlawful negotiation of Medicare reimbursement checks. United States Postal Service may require CWF data for investigating alleged forgery or theft of reimbursement checks. Railroad Retirement Board requires CWF information to enable them to assist in the implementation and maintenance of the Medicare program. Social Security Administration (SSA) requires CWF data to enable them to assist in the implementation and maintenance of the Medicare program. Internal Revenue Service may require CWF data for the application of tax penalties against employers and employee organizations that contribute to Employer Group Health Plan or Large Group Health Plans that are not in compliance with 42 U.S.C. 1395y(b). No authentication is exchanged.
  • Private Sector: Medicare Secondary Payer (MSP) information is shared with employer health plans that insure and provide health care benefits to Medicare beneficiaries.   

    To third party contacts (without the consent of the individuals to whom the information pertains) in situations where the party to be contacted has or is expected to have information relating to the individual’s capacity to manage his or her affairs or to his or her eligibility for, or an entitlement to, benefits under the Medicare program.

    Senior citizen volunteers working in the carriers and intermediaries’ offices to assist Medicare beneficiaries’ request for assistance may require access to CWF information.

    Fiscal intermediary/ carrier banks, automated clearinghouses, VANS, and provider banks, to the extent necessary to transfer to providers electronic remittance advice of Medicare payments, and with respect to provider banks, to the extent necessary to provide account management services to providers using this information. 

    Quality Improvement Organizations (QIO) in connection with review of claims, or in connection with studies or other review activities.

    Insurance companies, underwriters, third party administrators (TPA), employers, self-insurers, group health plans, health maintenance organizations (HMO), health and welfare benefit funds, managed care organizations, other supplemental insurers, non-coordinating insurers, multiple employer trusts, liability insurers, no-fault medical automobile insurers, workers’ compensation carriers or plans, other groups providing protection against medical expenses without the beneficiary’s authorization, and any entity having knowledge of the occurrence of any event affecting (a) An individual’s right to any such benefit or payment, or (b) the initial right to any such benefit or payment, for the purpose of coordination of benefits with the Medicare program and implementation of the Medicare Secondary Payment provision at 42 U.S.C. 1395y(b).

    Third parties contacts require CWF information to provide support for the individual’s entitlement to benefits under the Medicare program; to establish the validity of evidence or to verify the accuracy of information presented by the individual or the representative of the applicant and assist in the monitoring of Medicare claims information of beneficiaries, including proper reimbursement of services provided.

    An individual or organization for research, evaluation, or epidemiological projects related to the prevention of disease or disability, the restoration or maintenance of health, or payment related projects.

    No authentication is exchanged.

  • State or Local Agency/Agencies: State Medicaid agencies pursuant to agreements with Health and Human Services (HHS) for administration of State supplementation payments for determinations of eligibility for Medicaid, for enrollment of welfare recipients for medical insurance under section 1843 of the Act, for quality control studies, for determining eligibility of recipients of assistance under Titles IV, and XIX of the Act, and for the complete administration of the Medicaid program. State licensing boards require access to the CWF data for review of unethical practices or nonprofessional conduct. State auditing agencies require CWF information for auditing of Medicare eligibility considerations. Disclosure of physicians’ customary charge data are made to State audit agencies to ascertain the corrections of Title XIX charges and payments.

    State and other governmental workers’ compensation agencies working with CMS to assure that workers’ compensation payments are made where Medicare has erroneously paid, and workers’ compensation programs are liable.

    No authentication is exchanged.

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

The CWF system does not share information outside of CMS. CWF shares/collects information from other CMS systems only within the CMS datacenter. MOUs are not required for CMS systems authorized under the same authorizing official. 

The Computer Matching and Privacy Protection Act (CMPPA) Agreement (Agreement) establishes the terms, conditions, safeguards, and procedures under which the Social Security Administration (SSA) will disclose information to the Centers for Medicare & Medicaid Services (CMS) under the Patient Protection and Affordable Care Act (Public Law (Pub. L.) No. 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. No. 111-152) 

Computer matching agreements (CMA) establish the conditions for data sharing between CMS and the Railroad Retirement Board, Treasury department and others. A CMA is a written agreement between the source agency and the recipient agency (or non-federal agency) specifying the terms of the matching program. The computer matching provisions of the Privacy Act apply to a broad range of federal agency computer matching activities for the purpose of establishing or verifying eligibility or compliance as it relates to cash or in-kind assistance or payments under federal benefit programs.  

These agreements are executed in compliance with the Privacy Act of 1974 (5 U.S.C. § 552a), as amended by the Computer Matching and Privacy Protection Act of 1988, and the regulations and guidance promulgated thereunder. The legal authority for the disclosures under this agreement is the Privacy Act of 1974, as amended (5 U.S.C. § 552a(b)(3)), which authorizes a Federal agency to disclose information from its system of records, without prior written consent, when such disclosure is pursuant to a routine use. 

 

 

Describe the procedures for accounting for disclosures

The CWF system does not directly share information with entities outside of CMS. CWF data feeds other CMS systems that make disclosures.  Information sharing from CWF with other CMS systems are maintained in a systems log.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

CWF does not collect personally identifiable information (PII) directly from individual.  The information in CWF is supplied by the Social Security Administration (SSA) and from Medicare Administrative contractors.  Therefore, there is no way for CWF to notify individuals.  Notices for the information that is maintained in CWF are provided by the systems that are the source for the information in CWF. 

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

CWF does not collect information directly from individuals. The systems that collect information directly from individuals that are then provided to CWF provide notice, including how to opt out or not participate in the collection of their information. 

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

CWF does not collect information directly from Medicare beneficiaries and therefore does not have a process to notify or obtain their consent.  The systems that collect information from beneficiaries provide notice and consent. 

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

CWF does not collect information directly from individuals. 

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

CWF compares PII data it receives in a claim against a CMS hosted database for accuracy and relevancy.  However, CWF is not the source of the information in the system.  The data maintained by CMS is a copy of SSA records and claims records maintained at the MAC.  SSA and the MACs have processes in place to ensure data integrity of the source information.   Data received is considered accurate; however, inconsistencies will cause a claim to be rejected and to be reworked by Host.

CWF only has PII data as required to run edit checks required by CMS. Claims with inaccurate PII would be rejected as part of validation checks.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Medicare Administrative Contractors (MACs), which are direct CMS contractors using CMS issued IDs and passwords, submit claim data batches to the CWF system for inquiry purposes and collect/format claim data that is submitted daily as sequential claim data files. These files are processed by the production CMS Disaster Recovery as a Service Continuously Available CMS Hosting Environment (DRaaS-CACHE) data centers located in Kent, Washington and Ashburn, Virginia) to determine benefits eligibility and response data is sent back to the originating MAC.  There are no user accounts in the CWF application.  Direct CMS contractors operate and maintain the production data center that hosts CWF on behalf of the agency.

  • Administrators: Production site administrators supporting CWF do not have access to the CWF application but can administer the content of disk storage devices containing processed claim and beneficiary data in accordance with their role.
  • Developers: CWF developers and development system do not have access to the production system or PII data.  Test data is created by the developer and is used for testing in the development environment.  Development and production operational systems are physically and logically separated by Mainframe LPARS. (Production and Dev/Test processing activities are hosted at the CMS DRaaS-CACHE datacenters located in Kent, Washington with DRaaS recovery site at Ashburn, Virginia).
  • Contractors: Direct Contractors support CWF in one of the previously mentioned roles: User, Administrator and Developer.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

CWF data repositories uses role-based access limitations and least privilege controls to restrict PII availability in the production environment.  CWF is a batch processing system, which does not have users. 

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

CWF uses role-based access limitations and least privilege controls to restrict PII availability.  Users must have a CWF job code in their Enterprise User Administration (EUA) user profile before they are granted access to CWF.

CWF employs the CMS Enterprise User Administration and Resource Access Control Facility (RACF) to issue user IDs and grant permissions.  Data center administrators have role-based access, which limits their access to PII data. EUA is covered by a PIA managed by the Infrastructure and User Services Group (IUSG). 

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

CWF staff receive annual security awareness and privacy awareness training, security incident response training and acknowledge security rules of behavior. 

Describe training system users receive (above and beyond general security and privacy awareness training)

CWF staff receive annual incident response training and acknowledge security rules of behavior.  Security staff may receive additional training throughout the year from CMS and outside providers; as training is scheduled/becomes available.  CWF production staff maintain their own training programs and training records of their personnel.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Business Owners must contact the CMS Office of Strategic Operations and Regulatory Affairs (OSORA) to initiate the records management process.

All data in system will be disposed of in accordance with the National Archives and Records Administration (NARA) Disposition Authority DAA-0440-2015-0006, which has 7-year minimum retention.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Security for PII, collected/maintained by the application, is a function of the production DRaaS-CACHE Kent Data Center (KDC), as CWF is resident on the CMS sponsored mainframe.  CWF data is maintained and secured by the database administrator hosting facility.  Physical controls, such as security guards and Personally Identity Verification are used to access government facilities.  Technical and administrative controls, in accordance with CMS Acceptable Risk Standards are in place to ensure the protection of the application and ensure access to the system is managed on a need-to-know basis.