Common Electronic Data Interchange
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 12/27/2024
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-6516963-096312 |
| Name: | Common Electronic Data Interchange |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 4/2/2024 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | There have not been any changes to the system that have occurred since the last PIA. |
| Describe the purpose of the system | CEDI exchanges Durable Medical Equipment (DME) Medicare Administrative Contractors (MAC) Fee for Service (FFS) and Veteran’s Administration (VA) electronic Medicare Remittance Advice (eMRA) HIPAA electronic transactions to assist with the payment of Medicare claims. CEDI does not directly collect any data directly from providers or beneficiaries. It is an electronic exchange of information. The Common Electronic Data Interchange (CEDI) Gateway and Translator is a transactional information system. It supports the Medicare program by processing the Durable Medical Equipment (DME) Medicare Administrative Contractor (MAC) Fee for Service (FFS) and Veteran’s Administration (VA) electronic Medicare Remittance Advice (eMRA) HIPAA electronic transactions. An electronic data interchange is the structured electronic process that is used to transfer information electronically instead of using paper. There is no direct collection of information from beneficiaries or medical providers. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | CEDI does not collect information directly from people. There is an electronic interchange of data between CEDI and another CMS data center, the Perspecta Virtual Data Center (VDC). Perspecta VDC creates and maintains a Privacy Impact Assessment (PIA) to describe the security and privacy controls. All files are transferred to and from the Perspecta VDC using Network Data Mover (NDM) Connect: Direct over CMSNet from the CEDI environment to the Perspecta VDC and from the Perspecta VDC into the CEDI environment. Data files contain name, mailing address, phone numbers, medical records numbers, Social Security number, date of birth, financial account information and medical provider taxpayer ID. For CEDI system users the data is userID, password, email and phone number. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | CEDI exchanges files between Durable Medical Equipment (DME) Medicare Administrative Contractors (MAC) Fee for Service (FFS) and Veteran’s Administration (VA) electronic Medicare Remittance Advice (eMRA) HIPAA electronic transactions to assist with the payment of Medicare claims. CEDI does not directly collect any data directly from providers or beneficiaries. It is an electronic exchange of information. Data files contain name, mailing address, phone number, medical records numbers, Social Security number, date of birth, financial account information and medical provider taxpayer ID. For CEDI system users the data is userID, password, email and phone number. To access the system and perform functions and retrieve data in CEDI, the userID and password are used. A warning banner alerts the users that they are accessing a US Government website. CEDI regularly uses PII of CMS employees and direct contractors, userID, password, to retrieve system records and perform the functions of CEDI. To retrieve some CEDI claims records, medical provider National Provider Identifier (NPI) can be used. For claims records, a beneficiary's last name can be used. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 1,000,000 or more |
| For what primary purpose is the PII used? | CEDI user PII is collected to verify the system user's identity and allow access. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There is no secondary use of PII. |
| Describe the function of the SSN. | A provider's EIN or Taxpayer ID may be their SSN. It would be used to facilitate claims payments. |
| Cite the legal authority to use the SSN. | Sections 1842, 1862 (b) and 1874 of Title XVIII of the Social Security Act (The Act), (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk) |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Sections 1842, 1862 (b) and 1874 of Title XVIII of the Social Security Act (The Act), (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk) 5 U.S.C. 301, Departmental Regulations |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0501 Medicare Multi-Carrier Claims System: 55 FR 37549 (9/12/90); updated 55 FR 47394 (11/13/90), 59 FR 37243 (7/21/94), 62 FR 6648 (2/21/96), 63 FR 38414 (7/16/98), 65 FR 50552 (8/18/00), 67 FR 54428 (8/22/02), 71 FR 64968 (11/6/06), 78 FR 32257 (5/29/13), *83 FR 6591 (2/14/18) 09-70-0503 Fiscal Intermediary Shared System: 71 FR 64961 (11/6/06); updated 78 FR 32257 (5/29/13), *83 FR 6591 (2/14/18) |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | In-Person |
| Identify the sources of PII in the system: Government Sources | Within the OPDIV |
| Identify the sources of PII in the system: Non-Government Sources | Members of the Public |
| Identify the OMB information collection approval number and expiration date | OMB # 0938-0983, (CMS Number CMS-10164 A/B) expiration date of 08/31/2027. |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The CEDI system notifies system users that their PII is being collected in the warning banner that they are accessing a government system. There is no process to notify beneficiaries because CEDI does not directly collect PII from beneficiaries. Beneficiaries would be notified by their medical providers. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | For CEDI system users there is no method to opt-out of the collection of PII because it required to access the system by using the userID and password. There is not an opt-out option for beneficiaries because CEDI does not directly collect PII from beneficiaries. Beneficiaries would be advised by their medical providers about options to opt-out of providing PII. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | There is no process in place to directly notify the beneficiaries should major changes occur to the system because CEDI does not directly collect PII from beneficiaries. If there was a major change affecting the PII in the system, then the SORNs that apply to CEDI would be updated and are available for the general public’s access. Staff that support the CEDI application are notified of any major changes that happen in the system that requires additional PII through CEDI program meetings and communications. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | A CEDI system user would contact the CEDI help desk or administrators to resolve a concern about their PII. For a beneficiary, there is not direct process because their PII is not actively collected by CEDI. Beneficiary information is collected at medical providers' offices and input into systems outside the scope of CEDI. That information is transmitted to CEDI. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The data transacted through CEDI is in a flat file that cannot be modified or physically reviewed in CEDI. The external sources, claim file information would be verified by Medicare providers, outside the scope of CEDI. The PII data of CEDI system users are verified for accuracy and relevancy by access management monitoring (logon activity, password expiration and account latency rules). Integrity is maintained through system security and control processes that are reviewed by external auditors. Availability is maintained through system redundancies. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Role-based access is applied to enforce least privilege rights to system users. User accounts are reviewed periodically to ensure the appropriate access is being enforced. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Roles are applied to user accounts to ensure the minimum amount of data exposure necessary that still allows for the successful execution of job functions. Roles strictly limit the functions and information accessible and available to the users of the system. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | CEDI system users are required to take the CMS annual Security and Privacy Awareness training, the contractor organization's annual information security and privacy awareness training and acknowledge and agree to comply with system Rules of Behavior annually. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | System users with 'significant security responsibilities" participate in Role-based training annually. Role-based training topics include System Administrator responsibilities, contingency planning, incident response and training related to the CEDI user role access. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | CEDI follows the CMS Records Control Buckets that are outlined in the National Archive and Records Administration (NARA) Records Control Schedules (RCS). Specifically, RCS DAA-0440-2015-0007 Bucket 5 Beneficiary Records. DAA-0440-2015-0007 notes that records are retained for various timeframes, from temporarily to up to 30 years, or whenever no longer needed by the agency, whichever is later. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The CEDI system(s) follow the Centers for Medicare and Medicaid Services' (CMS) Acceptable Risk Safeguards (ARS) 5.1 for specific security controls guidance. The CEDI system and supporting infrastructure is housed in a CMS FISMA ATO-ed datacenter. Entry is controlled by Physical Access Cards and facility personnel who limit access to individuals who have a legitimate business or technical need to enter the facility. The facility has fire suppression and alarms and constantly monitored HVAC systems to ensure environmental controls. Administrative controls implemented for the CEDI system include role-based access, training of personnel and regular account review, which includes disabling accounts. The technical controls in place include network firewalls, two-factor authentication, anti-virus protection and encryption of information. |