Customer Support Front End System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 12/5/2023

PIA Information for the Customer Support Front End System
PIA Questions | PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-9158844-632691

Name:

Customer Support Front End System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

Yes

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

8/14/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Enhanced security protocols to use Secure File Transfer Protocol (SFTP) and regular password changes for credentialing with the Medicare Advantage Organizations (MAOs). Enhanced the overall look and feel of our external web site, csscoperations.com. Created various tools, available via the website, to aid customers with things such as edit lookups, report restores, and password resets.

Describe the purpose of the system

The Customer Service Front-End System (CSFES) or Front-End System (FES) is a collection of systems that process, edit, and transfer accepted files to CMS and CMS back-end processing systems. The FES receives Accredited Standards Committee (ASC) X12 encounters, prescription drug event (PDE), risk adjustment (RA), Medicaid, and National Council for Prescription Drug Program (NCPDP) from Medicare Advantage Organizations, Prescription Drug Plans (PDPs) and Medicare Medicaid Plans (MMPs). The ASC X12 encounters, PDE, and RA data are validated for accuracy by the FES and then sent to one of the back-end systems; the Risk Adjustment Processing System (RAPS) for RA data, the Drug Data Processing System (DDPS) for PDE data, and the Encounter Data Processing Systems (EDPS) for Encounter data for additional editing and storage. These systems each have a Privacy Impact Assessment. This processing occurs at the CMS Virtual Data Centers. Customer support functions inherent to these operations are also provided. Customer service representatives access the RAPS, DDPS and EDPS systems to research data in accordance with CMS policies and standards. The Customer Support Front End Systems (CSFES) manages the Customer Services and Support Center (CSSC) website on behalf of CMS, with a link to the Palmetto GBA (Government Benefit Administrator), LLC Privacy Policy.

 

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The information is collected, maintained or disseminated for

Beneficiaries - This information includes name, date of birth, health insurance claim number (HICN), Beneficiary Identification Code (BIC), Medicare Beneficiary Identifier (MBI), mailing address, phone numbers, education records, medical record numbers, employment status and/or records, health insurer name/plan, health insurer group number, and patient marital status for the purpose of processing and editing data.

Providers - This information includes name, tax ID number which is sometimes the Social Security Number (SSN), mailing address, phone numbers, email address, and education records, for the purpose of processing and editing data for Medicare Advantage Organizations (MAOs), PDPs, and MMPs.

CMS direct contractors and CMS employees - This information includes username, password, email address and name.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The FES collects and stores the names of individuals, Medicare Beneficiary Identifiers (MBI), Health Insurance Claim Numbers (HICN), date of birth, mailing addresses and medical record numbers. To assist with error resolution, any of these PII identifiers may be used to retrieve specific records requiring analysis by those authorized to do so.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number
  • Name
  • E-Mail Address
  • Phone Numbers
  • Education Records
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Employment Status
  • Other - Medicare Beneficiary Identifier (MBI); Health Insurance Claim Number (HICN); BIC; Username and Password; Employment Records

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
  • Patients

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

Beneficiary PII is collected from MAOs, PDPs, and MMPs to edit and transfer submissions to back-end processing systems and CMS. Provider PII is collected to edit and verify the identity of the provider prior to storage on the EDPS. Also, CMS direct contractors and CMS employee PII is collected to verify the system user's identity and credentials.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

Secondary uses of the PII are limited to research only.

Describe the function of the SSN.

The SSN is the tax ID for some providers. For beneficiaries, the SSN is combined with a two-digit BIC to form the Medicare Health Insurance Claim Number (HICN), which is used to determine the beneficiary’s eligibility and to process and edit data. The HICN is used by numerous CMS back-end systems, and CMS requires that the CSFES use the HICN to process claims. The HICN has been replaced by the Medicare Beneficiary Identifier (MBI); however, HICNs are still stored in our backups and/or data warehouse.

Cite the legal authority to use the SSN.

Risk Adjustment – The Balanced Budget Act of 1997. Sections 1853(a), 1860D-15(c), and 1894(d)(2) of the Social Security Act (42 U.S.C. 1395w-23, 1395w-115, 1395eee).

Prescription Drug Data – The Medicare Prescription Drug, Improvement and Modernization Act of 2003. Sections 1860D-15 and 1106 of the Social Security Act.

Encounter - The final 2009 Inpatient Prospective Payment System rule. Section 1853(a)(3)(B) of the Act,

Medicare Medicaid Dual Program – Financial Alignment Initiative 2011. Section 1115 of the Social Security Act.

Identify legal authorities governing information use and disclosure specific to the system and program.

Risk Adjustment - This system was established pursuant to sections 1853(a), 1860D-15(c), and 1894(d)(2) of the Social Security Act (42 U.S.C. 1395w-23, 1395w-115, 1395eee).

Prescription Drug Data - is mandated under provisions of the Medicare Prescription Drug, Improvement, and Modernization Act, amending the Social Security Act by adding Part D under Title XVIII (§§ 1860D–15(c)(1)(C) and (d)(2)), as described in Title 42, Code of Federal Regulations (CFR) 423.301 et seq. as well as 1860D–12(b)(3)(D) and 1106 of the Act, as described in 42 CFR 423.505(b)(8), (f), (l), and (m).

Encounter Data - Section 1853(a)(3)(B) of the Act requires that MA organizations and certain other private Medicare plans submit data regarding inpatient hospital and other services that CMS deems necessary to risk adjust these payments. The final 2009 Inpatient Prospective Payment System rule (73 FR 48757, August 19, 2008) modified 42 CFR 422.310 to clarify that the Secretary has the authority to require MA organizations and other private plans to submit encounter data for each item and service provided to an MA plan enrollee.

Medicare Medicaid Dual Eligible - Under the authority granted in Section 1115 of the Social Security Act (the Act), CMS is authorized to conduct experimental, pilot or demonstration projects. CMS is conducting a demonstration project under the Financial Alignment Initiative to test a new capitated payment system and item/service delivery model designed to lower costs and improve the quality of care for individuals eligible for both Medicare and Medicaid (dual eligible).

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Encounter Data SORN - 09–70–0506; 

Risk Adjustment System SORN - 09–70–0508;

Medicare Drug Data Processing System (DDPS) SORN - 09–70–0553.

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Online

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

0938-1152; Expires 03/31/2025

0938-0878; Expires 03/31/2020 (Please note, this package is currently going through the renewal process with OSORA/OMB. Although the expiration date has passed, the package is still valid since it is being renewed. Once a new expiration date is obtained, it will be updated)

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Other Federal Agency/Agencies: The information is shared with other federal agencies such as Department of Justice (DOJ), General Accounting Office (GAO), and the Office of the Inspector General (OIG). This sharing is for data analytics, research and periodic and annual audits performed by such agencies.
  • Private Sector: CMS direct contractors for back-end processing and reporting results.
  • State or Local Agency/Agencies: Data is shared with Medicaid State Agencies for the purposes of fighting fraud, waste, and abuse.

Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

CMS determines how and with whom MAO, PDP, and MMP data is disclosed. As directed by CMS via contractual arrangements, the CSFES shares data with other CMS direct contractors for the purposes of fighting fraud, waste, and abuse. The CSFES contract requires a Joint Operating Agreement to document the data that will be exchanged. These other CMS direct contractors include, but are not limited to, Project Management Direct Contractors, Training Direct Contractors, Medicaid State Agencies, and back-end system direct contractors.

Describe the procedures for accounting for disclosures

Data that is shared with the CMS Virtual Data Centers to process RA, ASC X12 encounter data, PDE, Medicaid and NCPDP data is tracked and accounted for through daily reporting and balancing routines. Data that is shared with other direct contractors designated by CMS is tracked and accounted for through case management software tools that are part of the collection of systems processed as part of the CSFES contract. These other CMS direct contractors include, but are not limited to, Project Management Direct Contractors, Training Direct Contractors, Medicaid State Agencies, and back-end system direct contractors.

 

 

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

For the beneficiary, written notice is given when the beneficiary initially enrolls in a Medicare Advantage (MA) Part C, Part D or Medicare Medicaid Plan Demonstration program, and notice is given in writing or orally each time the beneficiary applies for service at a provider. For the provider, written notice is provided during enrollment. For the CSFES employees and CMS employees, written notice is provided when they apply for a job.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

When a beneficiary's data is collected and sent to the FES the beneficiary has already agreed to share their information, so their ability to opt-out of PII data collection is not an option. The CSFES employees and CMS employees cannot opt out of providing PII because the collection of the data is necessary for employment.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

A System of Records Notice (SORN) was filed for the systems used to process Risk Adjustment data, titled “CMS Risk Adjustment Suite of Systems (RASS),” System No. 09-70-0508. A System of Records Notice (SORN) was filed for the systems used to process Prescription Drug Data, titled “Medicare Drug Data Processing System (DDPS),” System No. 09–70–0553. A System of Records Notice (SORN) was filed for the systems used to process Encounter and Medicare Medicaid Dual eligible data, titled “CMS Encounter Data System (EDS),” System No. 09–70–0506. Due to the large number of beneficiaries and providers that would be impacted by a change, obtaining individual consent is not feasible. Therefore, in accordance with the Privacy Act, a new SORN would be published with a 60-day comment period to notify individuals of a change in use and/or disclosure of data by CMS.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The CSFES is not the primary source of obtaining consent from individuals whose PII is in the system. As a result, MAOs, PDPs, and MMPs, are responsible for notifying individuals of their right to file a complaint if they believe their privacy rights have been violated.

As described in the SORN - Individuals (i.e., the beneficiary or provider) wishing to know if these systems contain records about them should write to the system manager and include pertinent personally identifiable information (encrypted and properly transmitted) to be used for retrieval of their records (i.e., NPI or Health Insurance Claim Number).

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The FES is not the primary source in the collection of PII. The FES receives PII data from MAOs, PDPs, and MMPs that have enrolled the beneficiary in their plan. The CMS back-end systems use the Medicare Beneficiary Database (MBD) and the Medicare Advantage Prescription Drug System (MARx) eligibility file and verification processes to ensure PII is timely, accurate and relevant.

Integrity is maintained through system security and control processes that are reviewed by external auditors. Availability is maintained through system redundancies and the CSFES is required to annually test disaster recovery capabilities. Relevancy and accuracy are maintained by the interactions with the back-end systems MBD and MARx. These sources of the data have their own processes to ensure the PII's accuracy and relevancy.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: CMS internal staff use the CSFES beneficiary data in developing the health risk factors to be used for payment, to analyze the performance of plans and to address the concerns of MAOs. The data is also used for research on system edits and errors.
  • Administrators: Required to support administration activities, interactions of internal users and external interfacing activities and to perform tasks to maintain the system.
  • Developers: Required to maintain, test, validate and support health risk factor development and MAOs. Access is also required to review system controls to test new code and correct programming errors encountered in the production environment.
  • Contractors: Required to maintain, test, validate and support health risk factor development and MAOs. These contractors are direct contractors. Direct contractors are contractors that operate on behalf of the agency and use the agency's credentials when doing so. Access is required to process and review risk adjustment data, encounter data and PDE data, to test controls and new programming code, and to correct programming errors encountered in production.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to the systems is given based on need to know and job responsibilities to process data using a user ID and role-based access. Access is obtained using a CSFES form and an Application for Access to CMS Computer Systems request form which must be approved by the designated approvers prior to access being granted.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Access to the systems is controlled using security software. The user is given the least amount of access required to perform their job duties and is explicitly denied access by the security software unless otherwise granted.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All Palmetto GBA direct contractors and employees are required to take annual training regarding the security and privacy requirements for protecting PII. In addition, role-based training is provided to individuals with significant access or security responsibilities. This annual role-based training is required by the CMS Chief Information Officer Directive 12-03. All training is modeled on and is consistent with training offered by the Department of Health and Human Services and CMS.

In addition, general security and privacy awareness training is taken annually; users must sign rules of behavior.

Describe training system users receive (above and beyond general security and privacy awareness training)

Also, throughout the year, CSFES users are provided with newsletters, list serve messages and security bulletins to provide ongoing awareness of their security and privacy responsibilities while using the system and its data.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

In accordance with the NARA RCS Job Number N1-440-04-003, records are maintained in a secure storage area with identifiers. Records are closed at the end of the fiscal year, in which paid, and destroyed after 10 or as required for legal matters. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from Department of Justice.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Access to the systems is given based on need to know and job responsibilities to process data. Palmetto GBA uses security software and procedural methods to provide “least privilege access” to grant or deny access to data based upon need to know. External audits also verify these controls are in place and functioning. Technical controls used include user identification, passwords, firewalls, virtual private networks, multifactor authentication (MFA) using a hard token, and intrusion detection systems. Physical controls used include guards, identification badges, key cards, cipher locks and closed-circuit televisions.

Identify the publicly-available URL:

www.csscoperations.com

Does the website have a posted privacy notice?

Yes

Is the privacy policy available in a machine-readable format?

Yes

Does the website use web measurement and customization technology?

Yes

Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply)

  • Session Cookies
  • Persistent Cookies

Web Beacons - Collects PII?:

No

Web Bugs - Collects PII?:

No

Session Cookies - Collects PII?:

No

Persistent Cookies - Collects PII?:

No

Other - Collects PII?:

No

Does the website have any information or pages directed at children under the age of thirteen?

No

Does the website contain links to non-federal government websites external to HHS?

Yes

Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?

No