Customer Support Front End System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 12/5/2023
| PIA Questions | PIA Answers |
|---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-9158844-632691 |
Name: | Customer Support Front End System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 8/14/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Enhanced security protocols to use Secure File Transfer Protocol (FTP) and use regular password changes for credentialing with the Medicare Advantage Organizations (MAOs). Enhanced the overall look and feel of our external web site, csscoperations.com. Created various tools, available via the website to aid customers with things such as, edit lookups, report restores, and password resets. |
Describe the purpose of the system | The Customer Service Front-End System (CSFES) or Front-End System (FES) is a collection of systems that process, edit, and transfer accepted files to CMS and CMS back-end processing systems. The FES receives Accredited Standards Committee (ASC) X12 encounters, prescription drug event (PDE), risk adjustment (RA), Medicaid, and National Council for Prescription Drug Program (NCPDP) from Medicare Advantage Organizations, Prescription Drug Plans (PDPs) and Medicare Medicaid Plans (MMPs). The ASC X12 encounters, PDE, and RA data are validated for accuracy by the FES and then sent to one of the back-end systems; the Risk Adjustment Processing System (RAPS) for RA data, the Drug Data Processing System (DDPS) for PDE data, and the Encounter Data Processing Systems (EDPS) for Encounter data for additional editing and storage. These systems each have a Privacy Impact Assessment. This processing occurs at the CMS Virtual Data Centers. Customer support functions inherent to these operations are also provided. Customer service representatives access the RAPS, DDPS and EDPS systems to research data in accordance with CMS policies and standards. The Customer Support Front End Systems (CSFES) manages the Customer Services and Support Center (CSSC) website on behalf of CMS, with a link to the Palmetto GBA (Government Benefit Administrator), LLC Privacy Policy.
|
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The information is collected, maintained or disseminated for Beneficiaries - This information includes name, date of birth, health insurance claim number (HICN), Beneficiary Identification Code (BIC), Medicare Beneficiary Identifier (MBI), mailing address, phone numbers, education records, medical record numbers, employment status and or records, health insurer name/plan, health insurer group number, and patient marital status for the purpose of processing and editing data. Providers - This information includes name, tax ID number which is sometimes the Social Security Number (SSN), mailing address, phone numbers, email address, and educations records, for the purpose of processing and editing data for Medicare Advantage Organizations (MAOs), PDPs, and MMPs. CMS direct contractors and CMS employees- This information includes username, password, email address and name. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The FES collects and stores the names of individuals, Medicare Beneficiary Identifiers (MBI), Health Insurance Claim Numbers (HICN), Medicare Beneficiary Identifier (MBI), date of birth, mailing addresses and medical record numbers. To assist with error resolution any of these PII identifiers may be used to retrieve specific records requiring analysis by those authorized to do so. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | Beneficiary PII is collected from MAOs, PDPs, and MMPs to edit and transfer submissions to back-end processing systems and CMS. Provider PII is collected to edit and verify the identity of the provider prior to storage on the EDPS. Also, CMS direct contractors and CMS employee PII is collected to verify the system user's identity and credentials. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Secondary uses for which the PII will be used are limited research uses only. |
Describe the function of the SSN. | The SSN is the tax ID for some providers. For beneficiaries, the SSN is combined with a two-digit BIC to form the Medicare Health Insurance Claim Number (HICN), which is used to determine the beneficiary’s eligibility and to process and edit data. The HICN is used by numerous CMS back-end systems and CMS requires that the CSFES use the HICN to process claims. The HICN has been replaced by the Medicare Beneficiary Identifier (MBI) however HICNs are still stored in our backups and/or data warehouse. |
Cite the legal authority to use the SSN. | Risk Adjustment – The Balanced Budget Act of 1997. Sections 1853(a), 1860D-15(c), and 1894(d)(2) of the Social Security Act (42 U.S.C. 1395w-23, 1395w-115, 1395eee). Prescription Drug Data – The Medicare Prescription Drug, Improvement and Modernization Act of 2003. Sections 1860D-15 and 1106 of the Social Security Act. Encounter - The final 2009 Inpatient Prospective Payment System rule. Section 1853(a)(3)(B) of the Act, Medicare Medicaid Dual Program – Financial Alignment Initiative 2011. Section 1115 of the Social Security Act. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Risk Adjustment - This system was established pursuant to sections 1853(a), 1860D-15(c), and 1894(d)(2) of the Social Security Act (42 U.S.C. 1395w-23, 1395w-115, 1395eee). Prescription Drug Data - is mandated under provisions of the Medicare Prescription Drug, Improvement, and Modernization Act, amending the Social Security Act by adding Part D under Title XVIII (§§ 1860D–15(c)(1)(C) and (d)(2)), as described in Title 42, Code of Federal Regulations (CFR) 423.301 et seq. as well as1860D–12(b)(3)(D) and 1106 of the Act, as described in 42 CFR 423.505(b)(8), (f), (l), and (m). Encounter Data - Section 1853(a)(3)(B) of the Act requires that MA organizations and certain other private Medicare plans submit data regarding inpatient hospital and other services that CMS deems necessary to risk adjust these payments. The final 2009 Inpatient Prospective Payment System rule (73 FR 48757, August 19, 2008) modified 42 CFR 422.310 to clarify that the Secretary has the authority to require MA organizations and other private plans to submit encounter data for each item and service provided to a MA plan enrollee. Medicare Medicaid Dual Eligible - Under the authority granted in Section 1115 of the Social Security Act (the Act), CMS is authorized to conduct experimental, pilot or demonstration projects. CMS is conducting a demonstration project under the Financial Alignment Initiative to test a new capitated payment system and item/service delivery model designed to lower costs and improve the quality of care for individuals eligible for both Medicare and Medicaid (dual eligible). |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Encounter Data SORN - 09–70–0506; Risk Adjustment System SORN - 09–70–0508; Medicare Drug Data Processing System (DDPS) SORN- 09–70–0553. |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | 0938-1152; Expires 03/31/2025 0938-0878; Expires 03/31/2020 (Please note, this package is currently going through the renewal process with OSORA/OMB. Although the expiration date has passed, the package is still valid since it is being renewed. Once a new expiration date is obtained, it will be updated) |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. |
|
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | CMS determines how and with whom MAO, PDP, and MMP data is disclosed. As directed by CMS via contractual arrangements, the CSFES shares data with other CMS direct contractors for the purposes of fighting fraud waste and abuse. The CSFES contract requires a Joint Operating Agreement to document the data that will be exchanged. These other CMS direct contractors include, but are not limited to, Project Management Direct Contractors, Training Direct Contractors, Medicaid State Agencies, and back-end system direct contractors.
|
Describe the procedures for accounting for disclosures | Data that is shared with the CMS Virtual Data Centers to process RA, ASC X12 encounter data, PDE, Medicaid and NCPDP data is tracked and accounted for through daily reporting and balancing routines. Data that is shared with other direct contractors designated by CMS is tracked and accounted for through case management software tools that are part of the collection of systems processed as part of the CSFES contract. These other CMS direct contractors include, but are not limited to, Project Management Direct Contractors, Training Direct Contractors, Medicaid State Agencies, and back-end system direct contractors.
|
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | For the beneficiary, written notice is given when the beneficiary initially enrolls in a Medicare Advantage (MA) Part C, Part D or Medicare Medicaid Plan Demonstration program, and written or orally each time the beneficiary applies for service at a provider. For the provider, written notice is provided during enrollment. For the CSFES employees and CMS employees, written notice is provided when they apply for a job.
|
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | When a beneficiary's data is collected and sent to the FES the beneficiary has already agreed to share their information, so their ability to opt-out of PII data collection is not an option. The CSFES employees and CMS employees cannot opt out of providing PII because the collection of the data is necessary for employment. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | A System of Records Notice (SORN) was filed for the systems used to process Risk Adjustment data, titled “CMS Risk Adjustment Suite of Systems (RASS),” System No. 09-70-0508. A System of Records Notice (SORN) was filed for the systems used to process Prescription Drug Data, titled ‘‘Medicare Drug Data Processing System (DDPS),’’ System No. 09–70–0553. A System of Records Notice (SORN) was filed for the systems used to process Encounter and Medicare Medicaid Dual eligible data, titled “CMS Encounter Data System (EDS)’’, System No. 09–70–0506. Due to the large number of beneficiaries and providers that would be impacted by a change, obtaining individual consent is not feasible. Therefore, in accordance with the Privacy Act, a new SORN would be published with a 60-day comment period to notify individuals of a change in use and/or disclosure of data by CMS.
|
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The CSFES is not the primary source of obtaining consent from individuals whose PII is in the system. As a result, MAOs, PDPs, and MMPs, are responsible for notifying individuals of their right to file a complaint if they believe their privacy rights have been violated. As described in the SORN - Individuals (i.e., the beneficiary or provider) wishing to know if these systems contain records about them should write to the system manager and include pertinent personally identifiable information (encrypted and properly transmitted) to be used for retrieval of their records (i.e., NPI or Health Insurance Claim Number). |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The FES is not the primary source in the collection of PII. The FES receives PII data from MAOs, PDPs, and MMPs that have enrolled the beneficiary in their plan. The CMS back-end systems use the Medicare Beneficiary Database (MBD) and the Medicare Advantage Prescription Drug System (MARx) eligibility file and verification processes to ensure PII is timely, accurate and relevant. Integrity is maintained through system security and control processes that are reviewed by external auditors. Availability is maintained through system redundancies and the CSFES is required to annually test disaster recovery capabilities. Relevancy and accuracy are maintained by the interactions with the back- end systems MBD and MARx. These sources of the data have their own processes to ensure the PII's accuracy and relevancy. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to the systems is given based on need to know and job responsibilities to process data using a user ID and role-based access. Access is obtained using a CSFES form and an Application for Access to CMS Computer Systems request form which must be approved by the designated approvers prior to access being granted. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Access to the systems is controlled using security software. The user is given the least amount of access required to perform their job duties and is explicitly denied access by the security software unless otherwise granted. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All Palmetto GBA direct contractors and employees are required to take annual training regarding the security and privacy requirements for protecting PII. In addition, role-based training is provided to individuals with significant access or security responsibilities. This annual role-based training is required by the CMS Chief Information Officer Directive 12-03. All training is modeled on and is consistent with training offered by the Department of Health and Human Services and CMS. In addition, general security and privacy awareness training is taken annually; users must sign rules of behavior. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Also, throughout the year, CSFES users are provided with newsletters, list serve messages and security bulletins to provide ongoing awareness of their security and privacy responsibilities while using the system and its data. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | In accordance with the NARA RCS Job Number N1-440-04-003, records are maintained in a secure storage area with identifiers. Records are closed at the end of the fiscal year, in which paid, and destroyed after 10 or as required for legal matters. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from Department of Justice. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Access to the systems is given based on need to know and job responsibilities to process data. Palmetto GBA use security software and procedural methods to provide “least privilege access” to grant or deny access to data based upon need to know. External audits also verify these controls are in place and functioning. Technical controls used include user identification, passwords, firewalls, virtual private networks, multifactor authentication (MFA) using a hard token, and intrusion detection systems. Physical controls used include guards, identification badges, key cards, cipher locks and closed-circuit televisions. |
Identify the publicly-available URL: | |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) |
|
Web Beacons - Collects PII?: | No |
Web Bugs - Collects PII?: | No |
Session Cookies - Collects PII?: | No |
Persistent Cookies - Collects PII?: | No |
Other - Collects PII?: | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government website external to HHS? | Yes |
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | No |