Conversion Medicare
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 8/28/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-4374235-649985 |
Name: | Conversion Medicare |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Agency |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 8/28/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | The system has not been modified since the last PIA submission. |
Describe the purpose of the system | Conversion Medicare (CVM) is the modernized cloud version of Medicare Quality Release/Medicare Quality Assurance (MQR/MQA); it will provide the same business functions as the legacy MQR/MQA. The fundamental purpose of the CVM is to accept all Adjudicated Medicare Claims from the Common Working File (CWF) and perform receipt and control, data cleansing, quality assurance and validation of those Claims per IEEE-12207 prior to consumer use. A secondary function of the CVM is to receive and distribute files containing Entitlement Database Eligibility Maintenance data and Training Hospital Abbreviated Inpatient Claims (also referred to as the ‘Extract’ file in various CMS documents). |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | CVM receives data from the Common Working File (CWF). The data includes Medicare Part A and B claims data, Entitlement Database Eligibility Maintenance data and Training Hospital abbreviated Inpatient claims. The data elements stored may include Social Security Number (SSN), name, phone numbers, date of birth, mailing address, medical record number, Health Insurance Claim Number (HICN), Unique Physician Identification Number (UPIN), Medicare Beneficiary Identifier (MBI), race, sex, diagnosis codes and procedure codes. This information is not collected directly by CVM; CWF maintains its own PIA. The SSN is a part of HICN, but this is no longer a required field. This information will be stored temporarily to follow the current schedule of retention. System support personnel also provide their User ID and Password to access CVM systems for support purposes. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The System performs these functions: The output files of the CVM are ingested by downstream systems such as Integrated Data Repository (IDR), Chronic Conditions Warehouse (CCW), and National Claims History (NCH). End users have no direct access to CVM. The PII records can only be retrieved through the downstream systems. Each downstream system has its own PIA as well. This information will be stored temporarily to follow the current schedule of retention. Conversion Medicare (CVM) personnel who access or use the system do not use any personal identifiers to retrieve records held in the system. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The enrollment data collected from CWF is sent to the Enrollment database. The Part A and Part B claims data collected is sent to the downstream systems: National Claims History (NCH), Integrated Data Repository (IDR) and Chronic Conditions Warehouse (CCW). The data would be consumed by end users from these downstream systems after the file is ingested and incorporated into these databases/systems. The primary purpose of the PII is as part of the whole Part A and Part B claims data. The downstream systems would use these claims to link data from other data sources and perform analysis. The only user credentials collected by CVM are from the Application Development Organization as the system developer and maintainer. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
Describe the function of the SSN. | The SSN is part of the Health Insurance Claim Number (HICN). HICN is used in conjunction with Medicare Beneficiary Identifier (MBI) to identify the beneficiary. |
Cite the legal authority to use the SSN. | Sec. 205 [42 U.S.C. 405] of the Social Security Act provides authority to use the SSN. |
Identify legal authorities governing information use and disclosure specific to the system and program. | The legal authority to use the SSN is: Sec. 205 [42 U.S.C. 405] of the Social Security Act provides authority to use the SSN. |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | Not applicable |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Not applicable. Notice is the responsibility of the Common Working File (CWF), which collects information directly from an individual and is covered by its own PIA. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | CVM processes data from CWF and does not have an option to exclude the data sent from CWF. The appropriate procedures to allow individuals to opt out of the collection or use of their PII are performed by CWF, which is responsible for the collection of information. However, system users, developers and administrators cannot 'opt-out' of providing their user ID and password, as it is required to log onto the system to perform their job duties. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Major changes to the application do not affect the system in a manner that an individual would need to be notified to have their consent obtained. The appropriate procedures to allow individuals to opt out of the collection or use of their PII are performed by CWF, which is responsible for the collection of information. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | CVM processes data received from CWF to provide data to downstream systems. Individual PII concerns can be addressed with CWF and the respective downstream systems' business owners by contacting the CMS Privacy Office. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | This is not applicable. However, annual independent operational audits are performed that test the security of the system, to ensure data integrity, accuracy and relevancy, and testing of contingency planning to ensure the availability of the system. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Procedures are in place to determine which system users may access PII, including account management mechanisms for the CVM which are used to identify account types (i.e., administrators, developers, contractors); establish conditions for group membership; and assign associated authorizations. Individuals with access to PII are granted access based on the assigned duty and intended use of the CVM. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Under the principle of least privilege, users of the system are provided access, via role-based access control, to the minimum amount of information necessary to perform their job. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All personnel (CMS employees and contractors) are required to complete annual CMS Security and Privacy Awareness Training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | In addition to the Security Awareness training, all CVM contractors are required to complete annual Security & Privacy Training which is above and beyond general security training. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | CVM will follow the guidance in maintaining the input (CWF) and output files (daily and weekly files for IDR and CCW). CVM will follow the National Archives and Records Administration (NARA) General Record Schedule (GRS) found in Subchapter B of 36 Code of Federal Regulations Chapter XII. CMS retains records until it is determined that they are no longer needed for administrative, legal, audit or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. CVM will follow the NARA records disposition schedule for Bucket 3 - Beneficiary Record with a NARA Disposition Authority Number - DAA-0440-2015-0004-0001. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | PII is secured by administrative controls, which include assigning only necessary privileges to user accounts (developer / administrator / contractor) that access the CVM environment, performing annual account reviews to ensure that those user accounts have the needed access, and implementing a process to disable inactive user accounts. Technical controls to secure PII include firewalls that protect and control network traffic that goes in and out of the CVM system. Vulnerabilities and exploits are scanned for within the CVM system by leveraging vulnerability scanning and monitoring. Access to the CVM environment is only allowed through multi-factor authentication through HHS-issued Personal Identity Verification (PIV) cards or Secure ID Token. Physical controls to secure PII include the physical controls from the AWS center hosting the CVM environment. Encryption has been implemented to protect PII data at rest and in transit. |