CM - Maximus
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 5/1/2024
| PIA Questions | PIA Answers | |
|---|---|---|
| OPDIV: | CMS | |
| PIA Unique Identifier: | P-8810813-553003 | |
| Name: | CM - Maximus | |
| The subject of this PIA is which of the following? | Major Application | |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate | |
| Is this a FISMA-Reportable system? | Yes | |
| Does the system include a Website or online application available to and for the use of the general public? | Yes | |
| Identify the operator: | Contractor | |
| Is this a new or existing system? | Existing | |
| Does the system have Security Authorization (SA)? | Yes | |
| Date of Security Authorization | 12/11/2024 | |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) | |
| Describe in further detail any changes to the system that have occurred since the last PIA. | Medicare Part D (Prescription Drugs) component has been removed. Durable Medical Equipment (DME) has component been added. | |
| Describe the purpose of the system | The CM-Maximus information system is used by Maximus Federal Services (Maximus), a CMS direct contractor, in the performance of Medicare appeal services as a CMS Qualified Independent Contractor (QIC). QICs are responsible for conducting second level Medicare appeals of coverage determinations and payment disputes related to Medicare Hospital Insurance (Part A), Medicare Advantage Plans (Part C), and durable medical equipment (DME). The adjudication services include processing appeal requests, tracking appeal data, and responding to correspondence related to the appeal. The CM-Maximus environment also supports the Federal External Review Process (FERP) Portal which allows for patients/appellants to submit a request a review of their health plan's adverse benefit determination. | |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The CM-Maximus system contains beneficiary and provider information and system user information. The information on beneficiaries consists of name, address, telephone number, email address, Medicare Beneficiary Identifier (MBI), Health Insurance Claim Number (HICN), optional legal documents, medical records, and medical notes. Provider's information consists of name, address, phone number, and National Provider Identifier (NPI). Correspondence with appellants is also contained within the system. Information on system users consists of names, usernames, and passwords. | |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CM-Maximus system is used by Maximus Federal Services in their performance as a Qualified Independent Contract (QIC) conducting appeal services. The CM-Maximus system contains contact information and medical information about Medicare beneficiaries and contact information about Medicare providers. The information on Medicare beneficiaries and providers is obtained from the Medicare Appeals System (MAS), which is another CMS information system. MAS maintains its own PIA for the information collected, stored, and shared within it. It also contains correspondence with beneficiaries and providers about the status of the Medicare appeal. Maximus is a CMS direct contractor and only Maximus employees are system users. To access the CM-Maximus system, users provide their user ID and password to obtain access to the system. User credentials are maintained for as long as necessary | |
| Does the system collect, maintain, use or share PII? | Yes | |
| Indicate the type of PII that the system will collect or maintain. |
| |
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
| |
| How many individuals' PII in the system? | 1,000,000 or more | |
| For what primary purpose is the PII used? | Beneficiary and provider PII are used for the processing of second level Medicare appeals for Medicare Part A, Part C, and DME. System user PII is used to allow access to the CM- Maximus system. | |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable. | |
| Describe the function of the SSN. | SSNS are not used as an identifier but is collected as part of the individual's medical record for the medical provider or health plan carrier. | |
| Cite the legal authority to use the SSN. | SSNs are not collected as an identifier within the system. An individual’s SSN may incidentally be collected as part of the medical provider’s or health plan carrier’s medical record. CMS must collect medical record information to process external reviews as required under Section 205 of Title II, Sections 1155 and 1156 of Title XI, Sections1812, 1814, 1816, 1842, 1869, and 1872 of Title XVIII of the Social Security Act as amended (42 United States Code Sections 405, 1320c-4, 1320c-5, 1395d, 1395f, 1395h, 1395u, 1395ff, and 1395ii) and the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Public Law 108-173). | |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for information use and disclosure is given under Section 205 of Title II, Sections 1155 and 1156 of Title XI, Sections1812, 1814, 1816, 1842, 1869, and 1872 of Title XVIII of the Social Security Act as amended (42 United States Code Sections 405, 1320c-4, 1320c-5, 1395d, 1395f, 1395h, 1395u, 1395ff, and 1395ii). Additional authority is given under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Public Law 108-173). | |
| Are records on the system retrieved by one or more PII data elements? | Yes | |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0566 Medicare Appeals System, published 12/16/2004 (last full publication 9/15/06) and updated 02/14/2018 | |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
| |
| Identify the sources of PII in the system: Government Sources | Within the OPDIV | |
| Identify the sources of PII in the system: Non-Government Sources | Members of the Public | |
| Identify the OMB information collection approval number and expiration date | Not applicable. | |
| Is the PII shared with other organizations? | No | |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The CM-Maximus system does not directly notify individuals that their personal information is being collected because the system uses personal information from the MAS system. However, providers and beneficiaries are informed on the appeal request form that providing their information is voluntary but failure to provide all or part of the requested information may affect the determination of their appeal. System users are notified as part of the employment process and to obtain access to the CM-Maximus system that their personal information is required.
| |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary | |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The beneficiary and provider PII are required for appeal processing and is received from the MAS system. If the appeals process requires individuals to verify the information in the MAS system, they are notified on the standardized processing letters that the information provided will be used to further document their appeal and that submission of the information requested is voluntary, but failure to provide all or any part of the requested information may affect the determination of the appeal. System user credentials, PII, are mandatory for system access, so there is no option to opt-out.
| |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | System users would be notified of major system changes through internal corporate email and training, Medicare beneficiaries and providers would find notification of any major changes to the MAS system, and affecting PII, through the updating or revision to the System of Record Notice (SORN) in the Federal Register. | |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If system users have concerns about their PII, they would contact the Maximus IT help desk. The help desk would investigate the incident and provide direction to the user on if further action is necessary. Beneficiary and provider PII are obtained from MAS. That CMS system is responsible for resolving any concerns about the PII within it. | |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The system uses data directly from the Medicare Appeals System (MAS) which is the appeals system of record. The PII contained in the CM-Maximus system is routinely backed up to ensure availability. User PII is protected and can only be modified by system administrators and is regularly reviewed for relevancy and accuracy. The PII of beneficiaries is verified with the MAS for accuracy and relevancy at the time of appeal case creation and reviewed throughout the appeal process, maintaining the integrity of the PII.
| |
| Identify who will have access to the PII in the system and the reason why they require access. |
| |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The system has both discretionary access control (DAC) and role- based access control (RBAC) within our system. System users are granted the most minimal access level to complete their job duties. System administrators review accounts at least semi-annually. All user activities are logged and reviewed. | |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The system restricts access to information based on each end user's role within the system. Employees are granted the most minimal access level to complete their job duties, by System Administrators, thus limiting their access to minimal amounts of PII. | |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | System users are required to complete the CMS Security and Privacy Awareness training provided annually as a Computer Based Training (CBT) course. All system users complete annual corporate security training. Individuals with privileged access must also complete role-based security training based on their job function. | |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Not applicable. | |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes | |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The CM-Maximus system follows the CMS Records Schedule published July 17, 2017, that details the records retention policy for the MAS system in Bucket 3 – Financial Records. Data retention complies with the National Archives and Records Administration (NARA) Disposition Authority: DAA-0440-2015-0004-0001, which states that records will be destroyed no sooner than 7 years after cut-off, but longer retention is authorized. | |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The system’s administrative security controls consist of policies and procedures including security training, role-based access permissions and regular review of access logs and activities. The system’s technical security controls consist of restricting access using user ids and passwords, and firewalls and intrusion prevention. Technical protection is also achieved through continuous monitoring for system usage and unexpected or malicious activity; the configuration of specialty hardware and the use of encryption, including full disk encryption of laptops and workstations.
The system’s physical security controls consist of restricted access and environmental protections. Which consist of protected cooling and power sources. Access to this area is recorded and restricted only to authorized personnel with appropriate security clearance. Facility access is controlled using badge access card readers. Designated high security areas are only accessible to approved personnel. Physical equipment and media are subject to documented handling procedures, including proper disposal and destruction as necessary. | |
| Identify the publicly-available URL: | https://externalappeal.cms.gov/ferpportal/ | |
| Does the website have a posted privacy notice? | Yes | |
| Is the privacy policy available in a machine-readable format? | Yes | |
| Does the website use web measurement and customization technology? | Yes | |
| Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) |
| |
| Web Beacons - Collects PII?: | No | |
| Session Cookies - Collects PII?: | No | |
| Does the website have any information or pages directed at children under the age of thirteen? | No | |
| Does the website contain links to non-federal government website external to HHS? | No | |