Skip to main content

Comprehensive Error Rate Testing - RC

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 1/2/2025

View all CMS PIAs
PIA Information for Comprehensive Error Rate Testing - RC
PIA QuestionsPIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-4112945-051406

Name:

Comprehensive Error Rate Testing - RC

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Agency

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

12/6/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

None

Describe the purpose of the system

The Comprehensive Error Rate Testing Review Contractor (CERT RC) system is a strategic Centers for Medicare & Medicaid Services (CMS) program that calculates the Medicare Fee-for-Service (FFS) improper payment rates paid to healthcare providers. Each year, CERT RC claim review contractors made up of nurses, medical doctors, and certified coders evaluate random samples of claims from providers to determine if they were paid properly under Medicare coverage, coding, and billing rules.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The CERT RC system reviews Medicare medical records and FFS claims provided by CMS claims processing systems, Medicare Multi-Carrier Claims System (MCS) and Fiscal Intermediary Standard System (FISS). Medical records and claims reviewed by the CERT RC system contain a combination of Protected Health Information (PHI) and Personally Identifiable Information (PII) data elements to identify a specific beneficiary.

PHI and PII information contained in the medical records and FFS claims include beneficiary name, age, date of birth, mailing address, Health Insurance Claim Number (HICN), medical records number, patient International Classification of Diseases (ICD) diagnosis description and notes from the provider about the patient.

The medical records and medical claims also contain the name of providers and CERT RC system claims review contractors (nurses, medical doctors, and certified coders), their phone number and business mailing address and email address. The combination of this information is used to validate the medical claim records submitted for review belongs to the correct beneficiary.

CERT RC system users (CERT claims review contractors, administrators, developers) access the system through an Intranet-only application and are prompted to enter in their designated username and password each time when accessing the CERT system. 

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The goal of the CERT RC system is to review CMS provided Medicare medical records and claims that have been paid to medical providers and claims that are denied ensuring that the decision was appropriate. This process is performed through independent reviews of random samples of Medicare medical records and FFS claims.

Medicare medical records and FFS claims are collected by a CMS claims processing system prior to being sent to the CERT RC system from the CMS. Medicare medical records and FFS claims that include PHI and PII information, such as patient’s Health Insurance Claim Number (HICN), beneficiary name, age, date of birth, mailing address, medical records number, patient ICD diagnosis description and notes from the provider about the patient. This combination of data is used to validate the medical claim records submitted for review belong to the correct beneficiary.

The CERT RC system also provides electronic error rate reports (through a secure file transfer) to the Payment error rare measurement (PERM) contractor for CMS. The error rate calculations (non-PII) of CERT RC and PERM achieve high visibility across the executive branch and Congress, and they are used to help guide CMS, Medicare Authorized Contractors and the states’ error rate reduction efforts.

CERT RC system external users (CERT claims review contractors) and internal users (CMS employee and direct contractor system administrators and developers) access the system through an Intranet-only application and are prompted to enter in their designated username and password each time when accessing the CERT RC system.

An interconnection exists between the CERT RC and AdMed-GSS systems. The AdMed-GSS system has a valid PIA.  

 

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Other - The system will also collect patient's age, Health Insurance Claim Number (HICN), patient ICD diagnosis description and notes from the provider about the patient. Usernames and passwords are also stored in the system.

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees
  • Public Citizens
  • Business Partners/Contacts (Federal, state, local agencies)
  • Patients
  • Other - Beneficiaries

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

The PII data used by the CERT RC system is used to perform medical record and Medicare FFS claim reviews to determine the national payment error rate for Medicare claims.  The analysis performed includes validating correct Medicare Administrative Contractor (MAC) claim processing, correct provider billing, and that coding requirements are being met.

User credential information is used in order to gain access into the system in order to perform job duties as CERT contractors and for maintenance of the system for developers and administrators.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

There is no secondary use for the PII in the system.

Describe the function of the SSN.

Not Applicable 

Cite the legal authority to use the SSN.

Not applicable

Identify legal authorities​ governing information use and disclosure specific to the system and program.

The authority for the collection and maintenance of this system is given under the provisions of sections 1842,1862(b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y(b), 1395kk), 5 USC 301 and departmental regulations.

 

 

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

09-70-0501 Medicare Multi-Carrier Claims System (MCS)

09-70-0503, Fiscal Intermediary Standard System (FISS)

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

 

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Members of the Public

Identify the OMB information collection approval number and expiration date

Not Applicable.  System does not collect PII directly from individuals.

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

There is no process in place for the CERT RC system to notify individuals that their personal information within Medicare medical records and claims will be collected to determine improper payment rates because the CERT RC system retrieves Medicare records and claims directly from CMS systems, FISS and MCS, which is responsible for such notices. FISS and MCS each have their own PIA.

Therefore, providing prior notice to individuals regarding collection of patients PII and PHI related information is a function of the other CMS systems. However, Medicare beneficiaries sign a Privacy Act notice when they become eligible for Medicare that informs them that information, they provide will be used to determine the appropriateness of Medicare payments.

Prior to logging into the CERT RC system, a warning banner is displayed notifying users that their personal information will be recorded and monitored. Consent to the warning banner is required by all users prior to accessing the CERT RC system.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

There is no method in place for Medicare patients to opt-out of the collection or use of their PII and PHI within the CERT RC system. The PII and PHI is collected from individuals that receive Medicare benefits and is stored within a CMS claims processing system prior to being sent to the CERT RC system from that system.

CERT RC system users, developers and administrators cannot opt-out of PII (username and password) because it is required for system access.

There is no process in place for the CERT RC system to notify individuals that their personal information within Medicare medical records and claims will be collected to determine improper payment rates because the CERT RC system retrieves Medicare records and claims directly from CMS systems, FISS and MCS, which is responsible for such notices. FISS and MCS each have their own PIA.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

There is no process to notify and obtain consent from the individuals whose PII and PHI is stored by the CERT RC system if a major change to the system occurs because the PII is collected by a CMS claims processing system prior to being sent to the CERT RC system.

CERT RC system users, developers and administrators are notified by email if there are any changes to the uses of their account usernames.

There is no process in place for the CERT RC system to notify individuals that their personal information within Medicare medical records and claims will be collected to determine improper payment rates because the CERT RC system retrieves Medicare records and claims directly from CMS systems, FISS and MCS, which is responsible for such notices. FISS and MCS each have their own PIA.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

If an individual has a concern about their PII, the process to report a PII related issue is to contact a CMS Medicare Administrative Contractor (MAC) that manages the claims processing system and describe the concern. The MAC will investigate and work with the individual to resolve their concern.

CERT RC system users would contact the MACs IT help desk to investigate the issue and determine if further action is needed.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The CERT RC system confirms the integrity of the data received from CMS by checking it against the CMS data integrity system during the course of a medical review. This review ensures medical review claim records that contain PII are accurate when compared to the source data provided from CMS and relevant when determining the proper error rates.

 

The CERT system infrastructure provides consistent availability through secured and encrypted communications between all offices, as well as firewall protection against unauthorized intrusions. In addition, backups are performed daily to ensure critical data can always be recovered.

 

 

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: CERT RC system users' access PII on the system to perform the following job functions:

    • Conduct procurement, pre-review processing, and end storage of the Medicare beneficiary medical records.

    • Perform initial screening of records received from providers and MAC’s and forward all screened rejects to the Customer Service Representative.

    • Analyze sampled Medicare claims using medical records that are used to make payment determinations based on coverage, coding, utilization of services and practice guidelines.

    • Review medical records to identify and obtain missing/incomplete medical record documentation.

    • Monitor quality control and implement necessary corrective actions.

    • Respond to MAC questions, concerns or issues related to or associated with CERT RC claims reviews with error findings.

  • Administrators: Administrator(s) provide data analysis for the Error Report, developing new or enhanced programs
  • Developers: Developers are responsible for developing and testing of the Review Module components or new programs, setting up/ maintaining all e-pathway connections, infrastructure and network issues, etc.
  • Contractors: The contractor (both direct and non-direct/independent) performs user, administrative and developer functions when reviewing medical records and Medicare Claims information. 

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to the CERT RC system PII is based on pre-defined user roles which are approved by the CERT-RC CMS Access Administrator (CAA). Therefore, pre-defined user roles govern which permissions system users receive. CERT RC system users only have access to PII that corresponds with their job function. 

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

CERT RC enforces the concept of least privilege to access PII data so that users can access only the minimum amount of PII needed to perform their job function. This is done through first determining the user’s role prior to account creation and then placing users in the appropriate organizational unit that has the predefined least privileges, such as access denied, read-only or edit. 

 

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Prior to accessing the CERT RC system, all personnel are required to complete CMS Security Awareness and Privacy training, as well as sign a Security Policy Acknowledgement form to certify they understand their responsibility in protecting PII on the system. Users are also required to repeat this training on an annual basis. 

Describe training system users receive (above and beyond general security and privacy awareness training)

CERT RC system users and administrators are also trained on the appropriate incident reporting and handling process and procedures in the event of an incident pertaining to PII and PHI.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The CERT RC system Information is retained off site at a secure storage facility for a period of 10 years, in accordance with the National Archives and Records Administration (NARA) guideline DAA-GRS-2013-0008-0001. 

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The CERT RC system follows a number of administrative policies and procedures to protect CERT RC PII.  A detailed personnel screening process is performed prior to requesting or approving access to the CERT RC system. All CERT RC system personnel must then complete mandatory CMS Security Awareness and Privacy training, as well as sign a Security Policy Acknowledgement form to certify they understand their responsibility in protecting PII on the system. Follow-on training is required annually, or sooner in the event of a breach or security violation pertaining to PII. The CERT RC system training covers a number of security related topics, which include ways to protect and store CERT RC PII, different types of insider threats, and detailed incident response handling procedures. Lastly, all CERT RC personnel must also sign a Rules of Behavior at the completion of their security training.

The CERT RC system is monitored using a number of automated security tools to detect any unauthorized user activity and to ensure user compliance. Personnel that fail to meet the CERT RC security requirements, or those that violate the terms outlined in the Rules of Behavior will have their user account and system privileges revoked.

Federal Information Processing Standards (FIPS) 140-2 compliant encryption is used to protect CERT RC PII. Perimeter firewalls are configured to encrypt data in transit and full-disk encryption is enabled to protect CERT RC devices for data at rest. All CERT RC users are uniquely identified and authenticated using CMS approved multifactor authentication tokens before accessing the CERT RC system. In additional all CERT RC application sessions are configured to automatically logoff after a specified time (CMS defined) of inactivity.

CERT RC facilities protect PII and sensitive data using a number of physical security controls. Only authorized personnel are allowed entry into CERT RC facilities and must also badge in prior to gaining access. Audit logs are built into the access control system to monitor daily access at ingress and egress points. There are security alarms installed at CERT RC facilities to detect unauthorized physical access.

Server room access is further restricted to authorize CERT RC administrators with the appropriate badge access. All facilities are equipped with sensors to detect fire and electrical issues as a result of environmental hazards and natural disasters, in which case the assigned Security Site Administrators (SSAs) is then notified.