
Central Data Abstraction Tool-Modernized

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 6/21/2022

PIA Information for the Central Data Abstraction Tool-Modernized
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-6684419-797506

Name:

Central Data Abstraction Tool-Modernized

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

Yes

Identify the operator:

Agency

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

5/9/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

Other - After the PIA was reviewed by the CRA Team Lead, instructions were given to the CDAT-M team to modify their response to question 4. The guidance provided was to change the answer regarding whether the system includes a website or online application available to the general public to "Yes." This directive stemmed from the understanding that the response to this question is "Yes" unless all websites are exclusively used for internal agency activities, such as on intranets, internal applications, or interactions involving only HHS employees and/or contractors directly supporting HHS. In this context, the MAO users are considered members of the general public.

Describe in further detail any changes to the system that have occurred since the last PIA.

There have been no changes since the last PIA.

Describe the purpose of the system

The purpose of the Centralized Data Abstraction Tool - Modernized (CDAT-M) system is to assist the Centers for Medicare and Medicaid Services (CMS) in conducting Risk Adjustment Data Validation (RADV) audits. The CDAT-M system is a secured online tool used by Medicare Advantage Organizations (MAO) to upload Enrollee data, complete a Medical Record Coversheet and attach a corresponding medical record file. MAOs are referred to as Plan Users on the CDAT-M system.

All submitted Medical Records are coded in the system for purposes of calculating a payment error rate.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

CDAT-M collects and stores the following information:

  • Enrollee Health Insurance Claim Number (HICN)
  • Enrollee Date of Birth (DOB)
  • Enrollee Medical Record – PDF copy
  • CDAT Users ID
  • CDAT Users Phone Number

The Enrollee Medical Record could contain additional information such as: driver license number, mailing address, mother’s maiden name, medical notes, certificate, military status, email address, financial, employment status, and Passport number.

The entities involved in using CDAT-M to facilitate the flow of information will include CMS, Risk Adjustment Data Validation (RADV) contractors, Appeals entities, and Medical Advantage Organizations (MAOs). CDAT-M does not share this information. CDAT-M also maintains CMS employee and direct contractor user IDs, passwords, and phone numbers.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

CMS conducts Risk Adjustment Data Validation (RADV) audits to validate the accuracy of risk adjustment data submitted to CMS by Medicare Advantage Organizations (MAOs) for Part C payments. The purpose of RADV audit is to measure the extent to which inaccurate diagnosis codes impact Hierarchical Condition Categories (HCC) assignments and the associated payment for Medicare Advantage (MA) beneficiaries. The CMS primary RADV audit objectives are to:

1) Estimate national payment error; and

2) Estimate contract-level risk adjustment payment error for payment adjustment and payment recovery efforts.

To facilitate the contract-level RADV audit process, CMS has developed the Centralized Data Abstraction Tool-Modernized (CDAT-M). CDAT-M is used to manage the collection and distribution of medical records, medical record abstraction, medical record dispute, management of RADV audit data, and other project information including some activities related to payment error calculation. The entities involved in using CDAT-M to facilitate the flow of information include: CMS, RADV contractors, Appeals entities, and MAOs. CDAT-M maintains CMS employee and direct contractor user ID, password, and phone numbers. This information is not shared with other organizations. This information is needed for normal operation of the system. The CDAT-M system regularly uses PII to retrieve records including using: Enrollee ID; Name, DOB and Medicare ID.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name

  • Phone Numbers
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Other - HICN, user ID, password. The possibility exists that the following information could be listed on the medical records: Email Address, driver license number, medical notes, certificate, military status, mother's maiden name, financial, employment status, and passport number.

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Public Citizens
  • Vendors/Suppliers/Contractors
  • Patients

How many individuals' PII in the system?

10,000-49,999

For what primary purpose is the PII used?

The Enrollee Data (Name, Telephone number, Date of Birth and Medical Records Numbers) are used to identify and validate each enrollee's medical records, which are collected and used for RADV auditing purposes. CDAT-M Users’ IDs and passwords are used to grant users access to the CDAT-M system and to determine their user roles and access levels, which determine what data each user can access.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

None

Describe the function of the SSN.

The CDAT system does not use the SSN as an identifier. The SSN information is embedded within the medical records that are uploaded to the CDAT-M system. CDAT-M does not share the information with other systems and does not interconnect with other systems.

Cite the legal authority to use the SSN.

N/A. CDAT-M does not use, collect or share the SSN.

Identify legal authorities governing information use and disclosure specific to the system and program.

The Improper Payments Elimination and Recovery Act of 2012; Public Law 112-248 and 42 CFR § 422.310 

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Published: SORN “CMS Risk Adjustment Suite of Systems (RASS),” System No. 09-70-0508
https://www.federalregister.gov/articles/2015/08/17/2015-20224/privacy-act-of-1974-report-ofnew-system-of-records

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

  • In-Person

  • Online

Identify the sources of PII in the system: Government Sources

  • Within the OPDIV

  • Other - Medical advantage plans

Identify the sources of PII in the system: Non-Government Sources

  • Private Sector

  • Other - CMS CDAT contractor and Plan users

Identify the OMB information collection approval number and expiration date

N/A - only user IDs and passwords are collected directly from the individual

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

No prior notice is given to individuals whose medical records are submitted to CDAT-M by MAO's for RADV audits since the information is not being collected directly from the individual about whom it pertains. CMS employee and direct contractor system users are provided unique user IDs and passwords. The PII (name, email address, phone number) is needed for normal operation of the system.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

For RADV audits, all enrollee/beneficiary data is collected directly from the Managed Care Organization (MAO) and not the individual beneficiary.  Hence, no option to object is provided/given to individuals. For CMS employee and RADV contractors, system users are provided unique user IDs and passwords. The PII (name, email address, phone number) is required for normal operations of the system.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

CMS Employees and RADV contractors will be notified via emails and phone calls if a major change occurs to the system that changes the reason for data collection or to whom the data is disclosed, or in the event of a data breach. CDAT-M does not directly collect information from enrollees/beneficiaries. At a minimum, for enrollee/beneficiary data, any significant data use changes would result in publishing a notice to the MAO from which the data was obtained.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

CDAT-M does not directly collect information from patient enrollees. CDAT-M does not have interconnections with other systems. As for CMS Employee and direct contractor system user credentials/information, the responsibility falls under the CMS agency/Division of Medicare Advantage and Audits (DMAA) which conducts investigations for all data breach incidents. DMAA follows the CMS data breach policy for conducting investigations. Users are notified via emails and phone calls. Concerns are addressed by the CMS team.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

There are no periodic reviews of PII information contained in medical records. The goal of the system is to collect and store medical records uploaded into the system by the MAOs. PII data elements are embedded within the medical records collected. CDAT-M tracks the reception and encoding of the medical records throughout the submission process. The system has technical checks and balances for tracking the submission process. Only a few designated personnel have access to the database. Privileged user actions and other system-related activities are monitored via Security Information Event Manager, Firewalls, Audit Management Tools, Intrusion Detection Systems and Intrusion Prevention Systems. As for CMS Employees and direct contractors, CDAT-M maintains user IDs and Passwords for CMS employees and direct contractors. Modification of this information is monitored through the use of Security Information Event Management tools. Only a few designated users have access to the back end of the system where this information resides. User IDs are changed on a periodic basis and old accounts are disabled. User IDs and passwords are backed up for redundancy and copies are stored on backup tapes to ensure availability. User ID and password parameters are reinforced via policies.

Identify who will have access to the PII in the system and the reason why they require access.

  • Administrators: Limited access for system maintenance tasks.

  • Contractors: To execute the RADV audit tasks. Contractors do not have an HHS email address. Therefore, they are indirect contractors.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

The CDAT-M Business Owner, in conjunction with the CDAT-M team, determines the user roles.

The CDAT-M system has implemented segregation of roles at the Application and Operating system level. There is a formal account provisioning process for assigning appropriate permissions for each individual. Individual account types are used to identify and authenticate all users. Each unique person is assigned a unique account.  While system developers and administrators do not have access to any PHI/PII data, several RADV contractors require access to Medical Records (which include PHI/PII data) for Coding purposes.  Medical Coding by Certified Coders is a critical component of our RADV audits.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Individual account types are used to identify and authenticate all system accounts, privileged administrators, and contractors supporting the RADV process. Each unique person is assigned a unique account. CDAT-M utilizes 2-factor authentication for granting access to the system. Examples of Individual accounts are Plan Users, Encoders, and Administrator accounts. Plan users ONLY have access to the CDAT application via the web portal, and do not have access to the CDAT infrastructure servers and devices.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

CMS Security Awareness and Privacy training is provided annually to all CMS system users and contractors. The agenda for the training includes an overview of the Federal Information Security Modernization Act (FISMA), Privacy awareness highlights, protection of Protected Health Information (PHI)/Personally Identifiable Information (PII) and the data breach process. All new members, both internal and external users, are required to sign the Rules of Behavior prior to gaining access to the system. CDAT-M users who have CMS user IDs are also required to take annual security training that is provided by CMS. Every year, CDAT-M employees go through a refresher training module in security and privacy.

Describe training system users receive (above and beyond general security and privacy awareness training)

In addition to CMS Security awareness training and Privacy training, the CDAT-M personnel receive role-based training for specific job functions. System Administrators receive Contingency Planning, Incident Response, and System Administration training. Developers are provided with secure coding training modules and IT managers are trained on Security Program Management. The role-based training modules cover security safeguards for securing data during the system development lifecycle. Employees have to undergo refresher training courses every year.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

CDAT records will be held for a period of 7 years after cutoff, or when no longer needed for Agency business, whichever is later per Disposition Authority: N1-440-09-6, Item 1a.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

A variety of controls are in place to ensure valid access to sensitive data. Technical safeguards include but are not limited to transmission and database field encryption, storage encryption, two-factor authentication, operating system level and database controls. The system is browser-based, limiting a user’s ability to retrieve data to individual desktops. Administrative controls include signing of Rules of Behavior and mandatory training prior to being granted access to the CDAT system. Physical security controls are provided by Microsoft Azure Government (MAG) Infrastructure as a Service. MAG is accredited by the Federal Risk and Authorization Management Program (FedRAMP) and CMS.

Identify the publicly-available URL:

  • PRODUCTION – https://radvcdat.cms.gov
  • R&D PRODUCTION (RD-PROD) – https://rdradvcdat.cms.gov
  • QA – https://qa.cms.radvcdat.com
  • QA-HOTFIX – https://qahotfix.cms.radvcdat.com
  • TRAINING – https://qatrng.cms.radvcdat.com
  • DEVELOPMENT – https://dev.cms.radvcdat.com
  • DEVELOPMENT-HOTFIX – https://devhotfix.cms.radvcdat.com
  • DEVELOPMENT2 – https://dev2.cms.radvcdat.com
  • SAS PRODUCTION – https://sasreports.radvcdat.cms.gov
  • SAS RD-PROD – https://sasreports.rdradvcdat.cms.gov
  • SAS DEV – https://devsas.cms.radvcdat.com

Does the website have a posted privacy notice?

Yes

Is the privacy policy available in a machine-readable format?

Yes

Does the website use web measurement and customization technology?

No

Does the website have any information or pages directed at children under the age of thirteen?

No

Does the website contain links to non-federal government website external to HHS?

No