Fiscal Intermediary Shared System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 1/25/2023
| PIA Questions | PIA Answers |
|---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-6651713-848618 |
Name: | Fiscal Intermediary Shared System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 2/19/2025 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | None |
Describe the purpose of the system | The Fiscal Intermediary Shared System (FISS) application is the shared system used to process Medicare Part A claims for physician care, durable medical equipment, and other outpatient services nationwide. It processes Medicare Part A claims, to include: data collection and validation, claims control, pricing, adjudication, correspondence, on-line inquiry, file maintenance, reimbursement, and financial processing. It interfaces directly with the Common Working File (CWF). The Common Working File (CWF) is a tool used by the Centers for Medicare & Medicaid Services (CMS) to maintain national Medicare records for individual beneficiaries enrolled in the program. The system is used to determine the eligibility of patients and to monitor the appropriate usage of Medicare benefits. This is also the repository for the beneficiary data received nightly from the Social Security Administration. CWF is covered by a separate Privacy Impact Assessment (PIA). |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The information collected, maintained or disseminated includes name, date of birth, health insurance claim number, mailing address, phone numbers, medical record numbers medical notes, financial account information and/or numbers, certificates, device identifiers, email address, military status and/or records, employment status and/or records, employer or school name, health insurer name/plan, health insurer group number, patient marriage and employment status; claims forms for the purpose of processing and paying claims. User ID and Password for system users (CMS employees and direct contracting support) are managed by FISS. The FISS Users IDs and Passwords are synchronized by the CMS Enterprise User Administrator system (EUA) to CMS IDs. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The FISS subsystem, Medicare Part A Shared System Maintainer (SSM), manages the Claims Processing application system (known as FISS) to provide ongoing claim support and system maintenance. The information collected, maintained or disseminated includes test data, change requests to the application code or system and patient claims processing. Test data is composed of collected data items to make test records that can simulate actual claims records. The test data used accurately reflects all possible claims conditions to ensure that changes to the application does not disrupt claims processing. The real data is supplied by the Social Security Administration (SSA) and satellite batch processing sites. The system stores information about its system users for authentication, access control, auditing and reporting purposes. The FISS Test and Development System requires User system login credentials for identifications and authentication to retrieve system records. FISS regularly retrieves information by the beneficiary's name, Health Insurance Claims Number (HICN), and assigned unique physician identification number. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 100,000-999,999 |
For what primary purpose is the PII used? | Information is shared to verify patient data between Medicare Insurers, if necessary, as well as beneficiary entitlement and accuracy of payment. System user credentials are used for authentication, access control, auditing and reporting purposes. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | The information is used in the Development and Testing of the claims processing application in order to use test data to make test records that can simulate actual claims records. This is done to ensure that changes to the application does not disrupt claims processing as it resides at the contractor data center. |
Describe the function of the SSN. | Not applicable |
Cite the legal authority to use the SSN. | Not applicable |
Identify legal authorities governing information use and disclosure specific to the system and program. | Sections 1816, 1862 (b) and 1874 of Title XVIII of the Social Security Act (the Act) (42 U.S.C. 1395(h), 1395y (b), and 1395kk).
|
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | The FISS System of Records Notice (SORN) is 09-70-0503; Common Working File SORN is 09-70-0526 |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | OMB approval is not applicable to direct collection of system user credentials. |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. |
|
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | There are Computer Matching Agreements (CMAs) in place between CMS and SSA, IRS, RRB and participating States. |
Describe the procedures for accounting for disclosures | CMS has safeguards in place for authorized users and monitors such users to ensure against unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | For the beneficiary, written notice is given when the beneficiary initially enrolls in the Medicare program, and written or orally each time the beneficiary applies for service at a provider. For the CMS contractors and CMS employees, written notice is provided when they apply for a job. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | When a beneficiary’s data is collected and sent to the FISS system, the beneficiary has already agreed to share their information, so there is not an ability for them to opt out of PII data collection. The CMS contractors and CMS employees cannot opt out of providing PII because the collection of the data is necessary for employment. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Due to the large number of beneficiaries and providers that would be impacted by a change, obtaining individual consent is not feasible. Therefore, in accordance with the Privacy Act, a new System of Record Notice (SORN) would be published with a 60-day comment period to notify individuals of a change in use and/or disclosure of data by the FISS system. The term “system of records” (SORN) means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals are notified annually in the Medicare & You handbook of their right to file a complaint if they believe their privacy rights have been violated. A phone number is included in the handbook and there is more information on www.medicare.gov. The phone number is 1-800-Medicare. When a beneficiary calls this number, they are contacting a CMS system known as the Next Generation Desktop (NGD), which is a system that is separate from the FISS. To resolve complaints, CMS Contractors log onto the NGD system to retrieve and respond accordingly to complaints. The final resolution is managed and recorded in the NGD system. NGD is covered by a separate privacy impact assessment (PIA) |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | FISS does not collect personally identifiable information (PII) from individuals; the data is supplied by the Social Security Administration (SSA) and satellite batch processing sites. Relevancy and accuracy are maintained by the interactions with the other claim data systems. Integrity is maintained through system security and control processes that are reviewed by external auditors. Availability is maintained through system redundancies and FISS is required to annually test disaster recovery capabilities. Only Systems Administrators have access to make authorized changes and system security audit logs capture all changes made by privileged users. Logs are reviewed to ensure all security changes have been approved as part of the formal change management process. System Administrators maintain/manage user system account information by periodic reviews, accounts are disabled and then removed during the termination process or when no longer needed. User accounts are maintained by the Operating system and only system administrators can access the information. System security audit logs capture the user IDs of the systems administrator who make changes to user accounts. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | FISS uses role-based access limitations and least privilege controls to restrict PII availability. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Administrators and Direct Contractors have role-based access which limits their access to PII data. Users must have a FISS job code in their EUA user profile before they are granted access to FISS. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Security Awareness and Privacy training is provided to each user on an annual basis. Users acknowledge successful training after passing a test at the end of training and the system verifies completion. Included in the training is education about how to properly handle sensitive data. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Security personnel receive job related training by attending conferences, forums, and other specific training on an annual basis. Security based role training is recorded within the security department. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Data within FISS is temporarily retained per National Archive Records Administration (NARA) Disposition Authority: N1-440-09-16, Item 2: Cutoff at the end of the fiscal year in which cost reports are produced. Delete/destroy 8 years after cutoff, or when no longer needed for Agency business, whichever is later and per NARA Disposition Authority: N1-440-09-8: Cutoff at time of annual update. Delete/destroy each annual data file 10 years after cutoff or when no longer needed for Agency business, whichever is later. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Access to the systems is given based on need to know and job responsibilities to process Medicare claims. Medicare Claims Processing Standard Systems maintainers use security software and methods to provide “least privilege access.” They will utilize software which is part of the security systems that provides access control and auditing functionality, the ability to grant or deny access to data based upon need to know. Sometimes, in order to fix programmatic problems, programmers are granted temporary access in order to fix and ensure that errors are fixed. The temporary access may be granted for a day or other short periods of time that can be controlled through security software. External audits also verify these controls. Technical controls used include user identification, passwords, firewalls, virtual private networks and intrusion detection systems. Physical controls used include guards, identification badges, key cards, cipher locks and closed-circuit televisions. |