Commercial Repayment Center (CRC) Intake

Within this system, the Medicare Secondary Player (MSP) Commercial Repayment Center (CRC) Intake contractor will utilize internal and CMS systems to review MSP leads for Group Health Plan (GHP) and Non-Group Health Plan (NGHP) cases. The Commercial Repayment Center (CRC) will identify claims and/or services potentially appropriate to the MSP recovery case, issue correspondence regarding the MSP case and validate MSP responsibility from Group Health Plans (GHPs) and Non-Group Health Plans (NGHPs). To develop these cases, the CRC organization consists of staff who support the following processes and functions: correspondence intake and processing, correspondence review and adjudication, financial management, payment receipt and processing, quality assurance, internal audit and incoming telephone call receipt and response.  

The CRC operates a mail intake service that provides lockbox and incoming media processing. The lockbox function conducts compliant trust accounting services, involving processing of deposits, mapping of payments into the CMS Healthcare Integrated General Ledger Accounting System (HIGLAS) financial management system and issuance of refunds. The incoming media process matches and maps images of communications received for upload into the FILENET system and documentation on the proper account record located in the CMS owned correspondence system known as MSPSC-MA system.

CRC system maintains patient, provider and Insurer applicable information in relation to Medicare paid claims. This information is NOT collected by the CRC. All claims information contained in CMS’ MSPSC-MA, maintained by systems maintainer General Dynamic Information Technology Services (GDIT) is collected and stored in the CMS' National Claims History (NCH) system which has its own PIA.

The CMS MSPSC-MA, which the CRC is a user,  contains the following Personally Identifiable Information (PII) about patients: social security number (SSN), taxpayer ID, date of death, therapy records,  beneficiary identifier, name, date of birth, mailing address, telephone number, health insurance claim number (HICN), sex, ethnicity, medical notes, medical record information (procedure codes, diagnosis codes, dates of service, total charges, Medicare payment amount) and provider credentials to access the Claims Status website are also stored in the CRC system.

The system also contains information about providers, such as: National Provider Identifier (NPI), facility name and address, and provider name and telephone number.

PII records are maintained and stored for 7 years unless requested to be deleted.

The purpose of this contract is for the Centers for Medicare & Medicaid Services (CMS) to exercise its authority under §1893 of the Social Security Act (also 42 U.S.C. 1395ddd), to utilize a Contractor (Performant Recovery, Inc.,) compensated on a contingency fee basis to identify and recover certain payments made under the Medicare program. These payments are for services for which the Medicare program made payment under Part A or B of title XVIII of the Social Security Act, but another party ultimately had primary payment responsibility. Specifically, Performant Recovery, Inc. (“MSP CRC contractor”) shall identify and recover Medicare Secondary Payer (MSP) Group Health Plan (GHP) mistaken payments and certain Non-Group Health Plan (NGHP) conditional payments, based on data collected by the CMS MSPSC-MA. The Contractor shall only pursue those debts where the debtor is not a beneficiary. 

Under the program, the MSP CRC contractor will utilize CMS systems to review MSP leads for Group Health Plan (GHP) and Non-Group Health Plan (NGHP) cases. The CRC will identify claims and/or services potentially appropriate to the MSP case, issue correspondence regarding the MSP case and timelines and validate MSP responsibility from GHP and certain other NGHP parties. To develop these cases, the CRC operates a call center to handle all incoming calls, receives and images case documentation, conducts dispute and redetermination reviews and updates CMS systems to document all case development activity. The CRC will operate a lockbox and conducts compliant trust accounting services, involving processing of deposits, mapping of payments into the CMS Healthcare Integrated General Ledger Accounting System (HIGLAS) system and issuance of refunds. 
To issue correspondence regarding the MSP case, MSP CRC contractor will use SSN, HICN, name, case ID and other information on individuals (as identified in the bullets below) to whom claims were paid by Medicare to collect claim information from healthcare providers.  

Data is received from the National Claims History (NCH) database managed by CMS and accessed via a Secure File Transfer Protocol (SFTP) connection over a dedicated network link between CMS and CMS CRC Contractor.  

Data collected and processed by the CMS CRC Contractor includes the following:

- Social Security Number
- Email Address
- Medical Notes
- Data of Birth of Patient
- Mailing Address
- Name
- Phone Numbers
- Taxpayer ID
- Medical Records Number
- Therapy Records
- Financial Account Information
- User Credentials
- Health Insurance Claim Number (HICN)
- Medicare Beneficiary Identifier
- Date of Death
- Medical record information (date of service, diagnosis code, procedure code, charge for procedure)
- Sex
- Ethnicity
- and National Provider Identifier (NPI)

• Social Security Number
• Name
• E-Mail Address
• Phone Numbers
• Medical Notes
• Taxpayer ID
• Date of Birth
• Mailing Address
• Medical Records Number
• Financial Account Info
• Therapy records
• Other - User Credentials, Health Insurance Claim number (HICN), Medicare Beneficiary Identifier, Date of Death, medical record information (date of service, diagnosis code, procedure code, charge for procedure), sex, ethnicity, and National Provider Identifier (NPI)

• Online
• Hard Copy
• Mail/Fax

• Within the OPDIV
• Other HHS OPDIV

CRC does not interact with Medicare Beneficiary (patient) directly as part of the MSP CRC contract. Medicare Beneficiary (patient) has no option for opt-out of the collection or use of their PII with MSP CRC.  MSP CRC system is not the authoritative source of PII obtained from National Claims History.  CRC contractor only receives and does not modify any of the PII from National Claims History.  Any such requests for modification of PII will be redirected to CMS MSP COR.

In case the beneficiary does contact MSP CRC contractor, the beneficiary is redirected to contact the provider if they believe their PII is inaccurate.

Should the Medicare Beneficiary believe their PII has been inappropriately obtained, used, or disclosed by MSP CRC contractor, the MSP CRC compliance department will perform an investigation to include information security on the concern.  Should the investigation determine data is inappropriately obtained, used, or disclosed, MSP CRC contractor will submit a security incident ticket with the CMS helpdesk along with any corrective actions required.

CRC does not interact with Medicare Beneficiary (patient) directly as part of the MSP CRC contract. Medicare Beneficiary (patient) has no option for opt-out of the collection or use of their PII with MSP CRC.  MSP CRC system is not the authoritative source of PII obtained from National Claims History.  CRC contractor only receives and does not modify any of the PII from National Claims History.  Any such requests for modification of PII will be redirected to CMS MSP COR.

In case the beneficiary does contact MSP CRC contractor, the beneficiary is redirected to contact the provider if they believe their PII is inaccurate.

Should the Medicare Beneficiary believe their PII has been inappropriately obtained, used, or disclosed by MSP CRC contractor, the MSP CRC compliance department will perform an investigation to include information security on the concern.  Should the investigation determine data is inappropriately obtained, used, or disclosed, MSP CRC contractor will submit a security incident ticket with the CMS helpdesk along with any corrective actions required.

• Users: MSP CRC users have access to PII (to include name, medical notes, phone numbers, date of birth, mailing address, medical records number, health insurance claim number (HICN), medical record information (date of service, diagnosis code, procedure code, charge for procedure), sex, ethnicity, and National Provider Identifier (NPI)) to access medical records, scan in documents and medical records, conduct audits, respond to inquiries, respond to appeals, and gather required documents for GHP and NGHP debts associated with Medicare Beneficiary
• Administrators: Administrators have access to PII (to include name, medical notes, phone numbers, date of birth, mailing address, medical records number, health insurance claim number (HICN), medical record information (date of service, diagnosis code, procedure code, charge for procedure), sex, ethnicity, and National Provider Identifier (NPI)) to support the system production environment as part of their roles and responsibilities.
• Developers: MSP CRC Developers have periodic access to PII (to include name, medical notes, phone numbers, date of birth, mailing address, medical records number, health insurance claim number (HICN), medical record information (date of service, diagnosis code, procedure code, charge for procedure), sex, ethnicity, and National Provider Identifier (NPI)) in support of the information systems that hold and process PII as part of their job roles and responsibilities. These activities may include post go-live support, bug fixes, or troubleshooting activities.
• Contractors: MSP CRC Call Center Contractor Users have access to PII (to include name, medical notes, phone numbers, date of birth, mailing address, medical records number, health insurance claim number (HICN), medical record information (date of service, diagnosis code, procedure code, charge for procedure), sex, ethnicity, and National Provider Identifier (NPI)) to access medical records, scan in documents and medical records, conduct audits, respond to inquiries, respond to appeals, and gather required documents for GHP and NGHP debts associated with Medicare Beneficiary.  MSP CRC Call Center Contractor is an indirect contractor for MSP but is a direct contractor with the MSP CRC contractor.  

CRC uses role-based access controls to ensure that users, administrators, and developers are granted access on a "need-to-know" and "need-to-access" for their assigned job duties.

CRC individuals requesting access must complete an Account Request form prior to account creation and indicates the person's name, email, phone number and access level needed. This form is reviewed and approved by the Recovery Audit Contractor Regions 1 and 5 system manager prior to account creation.

CRC staff who access or operate CRC systems are required to complete the annual CMS Security Awareness training provided annually as a Computer Based Training (CBT) course. Contractor also completes annual corporate security awareness training and complete annual Health Insurance Portability and Accountability Act (HIPAA) of 1996 training.

CRC administrators with privileged access must also complete role-based security training commensurate with the position they are working in on an annual basis.

The CRC system is in data center within a surrounding secure area. The security measures in place are the use of dual factor authentication with card key access system and biometrics; an active intrusion alarm system, and video surveillance to monitor and record physical access.

Administrative controls such as written policy, procedures and guidelines have been established for system access. Access to the system is limited to authorized users. Each user is granted access based on the principle of least privilege.

From a technical perspective, PII is secured via firewalls, encrypted transmissions and connections, intrusion detection systems, anti-virus, and email content filtering software. Additionally, the use of portable storage devices is blocked.