Encounter Data Processing System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 9/26/2022
| PIA Questions | PIA Answers |
|---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-5612528-097888 |
Name: | Encounter Data Processing System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Agency |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 1/10/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. |
|
Describe in further detail any changes to the system that have occurred since the last PIA. | We have decommissioned the HealthBeat application and renamed the application from EDPS NextGen to EDPS. The change did not impact Personally Identifiable Information (PII) storage, processing, access and/or transmission. |
Describe the purpose of the system | The primary purpose of the Encounter Data Processing System (EDPS) is to collect and maintain encounter data for each item and service provided to Medicare Advantage (MA) plan enrollees reported by a Medicare provider, supplier, physician, or other practitioner. The Centers for Medicare and Medicaid Services (CMS) will collect information necessary to determine the risk adjustment factors used to adjust payments, calculate Medicare Disproportionate Share Hospital (DSH) percentages, conduct quality review and improvement activities, and for other Medicare coverage purposes. Currently Medicare Advantage Organizations (MAOs) submit data in an abbreviated claims format to CMS to provide the diagnostic information used in calculating the health status component of the beneficiary risk scores, which is used as the basis for the MA plan payment. MA plans do not currently submit information on each encounter and do not submit most elements included, such as Current Procedural Terminology (CPT) codes that might be used to calculate a Fee-For-Service (FFS) payment. Therefore, CMS uses FFS data to determine beneficiary utilization patterns to predict costs in the MA program. CMS has shown that patterns in FFS and MA diagnostic data differ in important ways and lead to overpayments to MA plans. Adding a beneficiary's entire health care encounter data to the existing risk adjustment system will improve the accuracy of the risk adjustment model used to pay MA plans by reflecting the appropriate patterns of utilization and costs within the MA program. While establishing a risk adjustment model appropriate for MA plans is the paramount reason for collecting encounter data, there are other important uses of the data that will improve other key functions undertaken by CMS, including the calculation of Medicare DSH payments, conducting quality review and improvement activities, and for Medicare coverage purposes. Just as diagnosis data is currently collected, edited and stored, the new system will collect, edit, and store MA health care data necessary to describe and price a health care encounter and more accurately estimate the cost of a Medicare beneficiary enrolled in an MA plan. The EDPS is hosted to operate and process encounter data at Amazon Web Services (AWS) cloud environment located in AWS East Region in Norther Virginia, United State (U.S.). |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | EDPS will retrieve Personally Identifiable Information (PII) and Protected Health Information (PHI) for routine use of encounters processing, data elements include: Health Insurance Claim Number (HICN), Social Security Number (SSN), Medicare Beneficiary Identifier (MBI), Beneficiary Name, Date of Birth (DOB), Date of Death (DOD), addresses, sex, medical notes, medical records number, diagnosis codes. Other non-PHI program used include National Health Provider Identifier (NPI), CMS Certification Number (CCN), Medicare Hospital Number, county, billing provider name and address, and other information received on 837 P/I ((837P – Electronic version of the CMS-1500 form, used to transmit professional claims / 837I- Electronic version of UB-04, used to transmit Institutional claims) files. EDPS will collect member information from Medicare Beneficiary Database (MBD), Provider information from Provider Enrollment, Chain, and Ownership System (PECOS) and National Plan and Provider Enumeration System (NPPES), which are covered by their own PIAs. Reference data like diagnosis codes, procedure codes, fee schedule information, etc., are received from CMS systems. All the processed encounters will be transferred to Integrated Data Repository (IDR) and the MAOs will be notified about processed encounters. PECOS and NPPES are interconnecting systems from which EDPS receives information related to the provider (for example NPI, CCN, Taxpayer Identification Number (TIN), enrollment etc.,). The extracted or shared data will be for routine use and is necessary to comply with the Medicare Modernization Act (MMA) payment provisions. EDPS stages the data. The processed encounters shared with the IDR are transferred to Risk Adjustment Suite of Systems (RASS) to calculate Risk Adjustment Factors (RAFs), feeds the risk adjustment factors to other systems within the Medicare Modernization Act (MMA), and provide reports on the resulting factors and other data outcomes. EDPS is hosted on AWS cloud and any Employees or contractor has to use EUA login credentials to login to the system. These credentials are validated by CMS Lightweight Directory Access Protocol (LDAP) and are not stored directly by the application. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CMS Encounter Data System (EDS) consists of two applications: The EDPS System and EDFES (Encounter Data Front End System). The EDFES applications will utilize the Encounter Data Suite of software to receive full claims data. EDPS then collects, edits, adjudicates and stores MA health care data necessary to describe and price a health care encounter and more accurately estimate the cost of a Medicare beneficiary enrolled in an MA plan. EDPS receives the encounter data from EDFES and Master data, reference data and fee schedule from other systems such as Medicare Beneficiary Database, PECOS and NPPES, Common Medicare Environment (CME), and Health Plan Management System (HPMS), CMS websites which all are covered by their separate PIAs. The data received from these systems includes HICN, SSN, MBI, beneficiary Name, DOB, DOD, addresses, sex, medical notes, medical records number, diagnosis codes. Other non-PHI program used include NPI, CCN, Medicare Hospital Number, county, billing provider name and address, and other encounter information received on 837 P/I file. EDPS uses the information it received to process, edit and price the encounters and this processed information is transferred to IDR. The processed encounters shared with IDR are transferred to RASS to calculate the Risk Adjustment Factors (RAFs), feed the RAF to other systems within the Medicare Modernization Act (MMA), and provide reports on the resulting factors and other data outcomes. The vendor, suppliers, and contractor names, and address data is also used in calculation of Medicare DSH payments, conducting quality review and improvement activities, and for Medicare coverage purposes. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The Encounter Data Processing System (EDPS) receives PII, health and other claims data (via the Encounter Data Front End System (EDFES), which formats the initial data) from Medicare Advantage (MA) and Medicare Advantage Prescription Drug (MAPD) organizations. EDFES then submits the formatted data to EDPS, and returns submission reports to the submitters. The collection is required to generate health risk scores for MA and MAPD enrolled Medicare beneficiaries. Integrated Data Repository (IDR): provides FFS PII, health and other claims data. This collection is required to generate health risk scores for all Medicare beneficiaries. Medicare Beneficiary Database (MBD)/Common Medicare Environment (CME): provides PII and beneficiaries demographic data. This collection is required to generate health risk scores for Medicare beneficiaries. Health Plan Management System (HPMS): provides the most current and accurate Contract and Plan level data. This collection is required to generate reports, which are used to track and monitor the performance of Medicare Advantage Organizations (MAOs). |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | EDPS will perform tests in its Validation environment. EDPS is in progress of researching mitigations and compensating controls to perform tests. No other testing of PII is utilized in the lower environments. |
Describe the function of the SSN. | EDPS stores Health Insurance Claim Number (HICN) and SSN to validate if the beneficiary is a valid Medicare beneficiary. When we receive the HICN on the 837-I and 837-P files, we validate the HICN against beneficiary data stored in EDPS via various member edits such as HICN on file, DOB/Last Name/Sex match, and their MAO enrollments. These edits are crucial to ensure the Providers are submitting valid Medicare claims. |
Cite the legal authority to use the SSN. | The CMS Medicare Advantage Program uses SSN collected as part of the encounter data received for processing to fulfill its statutory mandate under the Electronic Code of Federal Regulations (e-CFR) Title 42. PUBLIC HEALTH- SUBCHAPTER B - MEDICARE PROGRAM with references to C.F.R. §§ 422.304, 422.308, 422.310, 422.312, 423.329 and the Medicare Prescription Drug Benefit (Part D) program in accordance with Social Security Act (42 U.S.C. §§ 1395w-23, 1395w-115), E.O. 9397. |
Identify legal authorities governing information use and disclosure specific to the system and program. | The EDPS system collects Part C utilization and cost data from MA plans to provide the means for CMS to meet the statutory requirements in the final rule of 73 FR 48757 revised 422.310(d) to collect encounter data records from Medicare Advantage Organizations consistent with Title 42 C.F.R. §§ 422 - MEDICARE ADVANTAGE PROGRAM, and E.O. 9397. |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Other - PII data is transmitted to EDPS by CMS front end interconnecting systems (EDFES) with EDPS. EDPS does not collect information directly from a patient. Other - Employees and contractors do not use personally identifiable information to gain entry to the EDPS. Each contractor maintaining the system has a specific login credential which is utilized to gain entry to the system. Employees and contractors use EUA login credentials to login to the system. These credentials are validated by CMS LDAP. To access the servers Employees and contractors use Key based authentication where the public key will be stored in the server and the private key is stored in your local system. HHS user PII are not stored in the application. | |
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources |
|
Identify the OMB information collection approval number and expiration date | The current OMB information collect approval number for EDPS is 0938-1152 and expires on 03/31/2025. EDPS does not collect information from a patient, nor does it collect information directly from Admins and CMS staff. |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. | Within HHS: EDPS processed encounters are transferred and stored into the CMS Integrated Data Repository (IDR). |
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | EDPS currently does not have any MOUs/MOAs/agreements. EDPS does have a DUA in place. The DUA number is CONT-2018-51677. |
Describe the procedures for accounting for disclosures | A copy of every IDR extract file transferred to the IDR system is stored in EDPS. All the IDR file level information and its status are stored in audit history tables. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | CMS EDFES is the source system for encounters that contain PII/PHI for EDPS for processing. The process to notify individuals that their personal information will be collected is performed at the provider level prior to sending encounters to EDS. CMS and Contractor staff do not directly enter individual PII/PHI data into system. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Participation in MA and MAPD plans is voluntary and requires an affirmative election to join. When an individual enrolls in a plan, as part of the application package, the beneficiary is required to sign the Agreement Page. Thus, MMA enrollment equates to beneficiary consent. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | EDPS does not directly notify individuals whose PII is in the system when major changes occur to the system. EDPS receive encounters from a source system which is the CMS EDFES that is covered by a separate PIA. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | EDPS doesn’t obtain any PHI/PII information directly from individuals, system only processes the encounters received from EDFES provided by the Submitters. Patient will directly address all concerns through the Submitters. However, in the event of a PII/PHI breach, EDPS Business Owner will coordinate with the CMS Senior Official for Privacy and HHS Privacy Incident Response Team (PIRT) to handle and notifying affected individuals. These procedures are in accordance with HHS department regulation 45 CFR 5b.7. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Yes. Periodic review of PHI/PII data is performed during the EDPS Change Control Board (CCB) process when change requests are reviewed. The PHI and PII are reviewed for the following: PHI/PII is improperly or inadvertently destroyed; individuals who provide or modify PHI/PII cannot repudiate that action; PHI/PII is available when needed; PHI/PII is sufficiently accurate for the purposes needed; outdated and unnecessary, irrelevant, incoherent and inaccurate PHI/PII is removed from the system. The PHI/PII in the system are also reviewed on an annual basis with during the Privacy Impact Assessment (PIA) and in a manner consistent with CMS retention policy. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The procedures in place to determine which system users (administrators, developers, contractors, etc.,) may access PII are as follows: when a staff person needs access to EDPS and to the PHI/PII data, will follow CMS Enterprise User Administration (EUA) in place for CMS management review and approval process in place where user will be assigned the required job code for authentication and access authorizations base on their role. The necessary form is filled out, along with the manager's approval. The next step is the approval from security for account creation on the EDPS system. An account is created for the end user and specific roles and access criteria are applied. All administrators, developers, contractors, etc. have to take mandatory CMS Information System Security and Privacy Awareness, and HIPAA trainings, and a sign the Rules of Behavior document prior to gaining access to the EDPS. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | In the EDPS, role-based access control provides the necessary profile settings to allow users to access EDPS PII/PHI data. For example, a developer will not have access to the Oracle database, where as a tester will have access. Only individuals who need access to EDPS PII/PHI are permitted access. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All EDPS users are required to take the CMS Information Security and Privacy training with 10 days on hire and on an annual basis, or whenever changes to the training module have been made. This training includes details on the handling of PII. The contractors also take mandatory HIPAA training on hire and on an annual basis. |
Describe training system users receive (above and beyond general security and privacy awareness training) | System users are required to complete role-based training and meet continuing education requirements commensurate with their role. Occasional trainings are also provided through conferences, seminars, and in- class in addition to the annual trainings. Personnel are mandated to successfully complete trainings on HIPAA within 30 days of hire and on an annual basis thereafter. Personnel who access PHI as part of their job duties also receive more in-depth training and must complete any project specific HIPAA training prior to working with PHI. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | EDPS adheres to the National Archives & Records Administration (NARA) retention schedule for storing PHI/PII data as indefinite. The associated and required NARA citation number is Disposition Authority: N1-440-09-04, Item 1 a, per page 114 of the attached schedule: https://www.cms.gov/Regulations-and-Guidance/Guidance/CMSRecordsSchedule/Downloads/Bucket-7-Research-and-Program-Analysis.pdf |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The PHI/PII in the EDPS system is protected through various administrative, technical and physical controls. Administrative - only staff and CMS users who need to see the data are provided access and the access is approved only by management. EPDS adheres to Federal Information System Modernization Act (FISMA) of 2014, regulations and applies National Institute of Standards and Technology (NIST) Risk Management Framework to implement NIST 800-53 security controls consistent with Federal Risk and Authorization Management Program (FedRAMP) and CMS Acceptable Risk Safeguards (3.1) Moderate requirements. The controls implemented encompasses technical, management and operational controls required to ensure PII/PHI protection and ongoing periodic assessment. EDPS is hosted on the CMS AWS Cloud. The EDPS team does not have physical access to the EDPS servers. Reference to the previous PIA included information from the Legacy EDPS system which is hosted in physical Data Center so we have reviewed and updated the PIA to reflect the current status of the system. |