Advanced Provider Screening

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 10/3/2024

PIA information for the Advanced Provider Screening system
PIA Questions | PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-6696917-214123

Name:

Advanced Provider Screening

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

4/2/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Other - Addition of Asurint as a Private Sector screening vendor with whom Personally Identifiable Information (PII) is shared.

Describe in further detail any changes to the system that have occurred since the last PIA.

The system originally collected aggregated data from one other Centers for Medicare & Medicaid Services (CMS) information system. It now collects data from multiple sources.

Describe the purpose of the system

The CMS Advanced Provider Screening (APS) application screens potential Medicare providers and suppliers seeking to enroll into the Medicare program. The application screens new and existing provider enrollments, obtains third-party commercial data, and creates an "Entity Profile" for individual and organizational providers.

The underlying purpose is to perform automated screening on new and existing enrollments of providers/suppliers, and to conduct automated risk assessments for potential fraud, waste, and abuse on a pre- and post-enrollment basis, resulting in alerts and reporting to designated CMS business partners.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The APS system does not collect any information directly. The application receives data in real time from the Provider Enrollment Chain and Ownership System (PECOS). The information that APS receives is about suppliers and providers and includes: medical credentials (providers only), name, date of birth, medical license number (if applicable), Social Security Number (SSN), provider type, medical school information (school and graduation year), felony records, email address, phone number, professional certificates, mailing address, National Provider Identifier (NPI), mother's maiden name, PI, medical license number, user IDs, passwords, first name, last name, middle name, date of death, and taxpayer ID (if applicable).

System Administrator user IDs and passwords are transmitted and processed by this application for application access. However, the storage and management of these credentials is a function of the General Support System (GSS) which hosts this application and has a separate PIA. Additionally, end-user user IDs and passwords are transmitted and processed by this application for application access. Those credentials are stored and managed by the CMS Enterprise password management tool, which also has a separate approved and published PIA.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The APS system is designed to automate the provider screening process. The APS application will screen providers and suppliers by automating data checks as well as developing and maintaining risk-assessment methods to proactively identify potential fraud, waste, and abuse. The solution will also provide information back to the CMS systems responsible for CMS provider/supplier enrollments and re-verification processes and pass risk-based alerts on to CMS and its partner contractors responsible for investigating potential fraud.

The APS system regularly uses PII to retrieve system records, including the last name, employee ID number, and/or work phone number of CMS employees, contractors, and members of the public authorized to access the main campus and satellite offices.

APS uses some of the identifying information, such as name, NPI, and SSN, to locate the entity profile in the database. Information is stored permanently.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name

  • Mother's Maiden Name

  • E-Mail Address

  • Phone Numbers

  • Certificates

  • Education Records

  • Taxpayer ID

  • Date of Birth

  • Mailing Address

  • Legal Documents

  • Other - NPI, medical license number, User IDs, passwords, First Name, Last Name, Middle Name, and Date of Death, Felony Records

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Public Citizens

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

The primary purpose of PII is to identify the providers and suppliers and determine if a provider should be allowed to participate in Medicare. The primary purpose of the user ID and password is for system access. 

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

None

Describe the function of the SSN.

The SSN is used as a confirmation to correctly identify a specific provider or supplier.

Cite the legal authority to use the SSN.

Executive Order (E.O.) 9397, Numbering System for Federal Accounts Relating to Individual Persons

E.O. 13478, Amendments to Executive Order 9397 Relating To Federal Agency Use of Social Security Numbers

Identify legal authorities governing information use and disclosure specific to the system and program.

5 U.S. Code (USC) Section 301, Departmental regulations

Sections 1102(a) (Title 42 U.S.C. 1302(a)), 1128 (42 U.S.C. 1320a-7), 1814(a) (42 U.S.C. 1395f(a)(1)), 1815(a) (42 U.S.C. 1395g(a)), 1833(e) (42 U.S.C. 1395I(3)), 1871 (42 U.S.C. 1395hh), and 1886(d)(5)(F) (42 U.S.C. 1395ww(d)(5)(F)) of the Social Security Act.

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

09-70-0532 - Provider Enrollment, Chain, and Ownership System (PECOS), first published 10/13/06; updated 5/29/13, and included in the CMS-wide update 2/14/18.

09-70-0555 National Plan and Provider Enumeration System (NPPES)
SORN history: 75 FR 30411 (6/1/10); updated 78 FR 32257 (5/29/13), *83 FR 6591 (2/14/18)

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

In-Person

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Other - Asurint, Lexis Nexis, Thomson-Reuters, Federation of State Medical Boards

Identify the OMB information collection approval number and expiration date

Not applicable

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Other Federal Agency/Agencies: A minimum amount of PII is shared with the Department of Treasury for the purpose of identifying providers and suppliers.

  • Private Sector: A minimum amount of PII is shared with Asurint, Lexis Nexis, and Thomson-Reuters for the purpose of identifying providers and suppliers. 

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

APS has a signed Memorandum of Understanding (MOU) with both NPPES and PECOS for the transmission of information between the two systems. Both systems are CMS information systems.

Describe the procedures for accounting for disclosures

The APS system does not collect provider and supplier PII directly. The application receives data in real time from the PECOS/NPPES systems. The PECOS/NPPES systems are responsible for notification on disclosures as noted in the system SORN.

APS system user PII is handled by the hosting data center, the CMS AWS Cloud hosting provider, and Enterprise User Administration (EUA). Those systems are responsible for notifying individuals that their PII is being collected. Both systems have approved and published CMS PIAs.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The APS system does not collect provider and supplier PII directly. The application receives data in real time from the PECOS/NPPES systems. The PECOS/NPPES systems are responsible for notification to any individuals whose PII is collected by those systems.

APS system user PII is handled by the hosting data center, the CMS AWS Cloud hosting provider, and EUA. Those systems are responsible for notifying individuals that their PII is being collected. Both systems have approved and published CMS PIAs.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

APS does not provide a method to opt-out of the collection of PII for providers and suppliers because APS does not collect PII directly from the providers and suppliers.

The collection, storage, and management of system user and system administrator user IDs and passwords are handled by the hosting data center, CMS AWS Cloud and EUA, which both have approved and published PIAs.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

The APS system does not collect provider and supplier PII directly; APS receives data in real time from PECOS, which has its own PIA. Therefore, there is no process to notify and obtain consent if there are system changes. For the system users/administrators, any changes to the system would not impact how they access the system; notice would be provided by the CMS EUA system or the CMS AWS Cloud provider.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

If a system user believes their PII has been inappropriately obtained, used, or disclosed, the user can contact either the CMS Cloud Help Desk or the APS Service Desk. The service desks will assign an incident ticket to the respective Incident Teams to investigate and resolve.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

APS implements a monthly data quality process conducted by the APS data analytics team. APS's primary purpose is to ensure the accuracy and relevancy of provider and supplier PII for eligibility, and it performs a cross-walk of the PII with various sources to ensure integrity and accuracy. The results of the process are reported to CMS each month. The results are also reviewed with each of the data vendors as part of an overall quality improvement process. System user PII (user ID/password) is verified and monitored by the CMS Cloud Navigator and EUA systems to ensure that the PII is valid.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: End Users of APS will have access to PII via granted application access and utilization of the system.

  • Administrators: To allow access to the system and to manage and deliver functionality to the APS user community.

  • Contractors: Direct contractors' access to APS depends on their role. Some contractors access the system as part of a development, testing, and validation role, and others are users of the APS system.

  • Others - Production Support: To allow access to the system and to develop new functionality to support CMS initiatives.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

APS system user access to PII is based on the principle of least privilege and minimum necessity.  System users have access to PII as necessary to perform job functions. System access is periodically reviewed and amended as needed. System administrators' access is inherited from the CMS AWS Cloud Provider and limited to system support functions. 

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

APS utilizes logical access controls based on job requirements to restrict access to application functions. Roles have assigned levels of access. Only system administrators access mainframe and network applications.  Access is granted based on individual job responsibilities and subject to management review and approval.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All APS staff are required to take security and privacy training at initial employment and then annually thereafter. This includes both the CMS Computer-based Training (CBT) Information Systems Security and Privacy Training (ISSPT) and annual refresher security awareness training for current workforce members.  The security awareness program for the APS direct contractor (TISTA) includes Pre-System Access Training for new workforce members, and annual refresher security awareness training.

Describe training system users receive (above and beyond general security and privacy awareness training)

Privileged users are required to complete additional security training and role-based training is required. There are also other activities that promote security awareness throughout the organization.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

APS follows the CMS Records Control Schedules (RCS) filed with the National Archives and Records Administration (NARA). Specifically, APS falls under "Bucket 6 - Provider and Health Plan Records," DAA-0440-2015-0008. Under this RCS, there are various retention and destruction guidelines.

The primary guideline is to delete or destroy after seven (7) years, or when no longer needed for Agency business, whichever is later.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The APS system secures PII by implementing a range of controls. Administrative controls include strict role-based access to the application; personnel receive regular training, and accounts are reviewed and monitored for normal and anomalous activity.

The technical controls in place include a multi-tiered architecture and the use of multiple types and layers of firewall and intrusion detection technology.

In terms of Physical and Environmental Protection (PE) controls, since the GSS does not have a physical environment at the CMS AWS level, these are inherited from the parent cloud provider (AWS) and are validated by the Federal Risk and Authorization Management Program (FedRAMP) certification. Additionally, all personnel are required to sign Rules of Behavior (ROB) regarding their responsibilities in protecting CMS data.