Health Care Cost Report Information System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 9/18/2023
| PIA Questions | PIA Answers | |
|---|---|---|
| OPDIV: | CMS | |
| PIA Unique Identifier: | P-2752686-222043 | |
| Name: | Health Care Cost Report Information System | |
| The subject of this PIA is which of the following? | Major Application | |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate | |
| Is this a FISMA-Reportable system? | Yes | |
| Does the system include a Website or online application available to and for the use of the general public? | No | |
| Is this a new or existing system? | Existing | |
| Does the system have Security Authorization (SA)? | Yes | |
| Date of Security Authorization | 2/1/2024 | |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. |
| |
| Describe in further detail any changes to the system that have occurred since the last PIA. | Direct access to the system by individuals is no longer allowed. Access to the system's data by non-administrative users is accomplished by the Statistical Analysis System Enterprise Business Intelligence (SAS EBI) system. This has removed the dependency of the system on the Enterprise User Administration System and eliminated the use of User Ids for non-administrative user access control and auditing. The system's use of the HHS email system for data file submissions has been removed. Data updates are provided using an Informatica server which authenticates as a system account. The email addresses of file submitters are no longer collected. As a result, HCRIS does not maintain or use any user information for data acquisition, system access or auditing.
| |
| Describe the purpose of the system | The Healthcare Cost Report Information System (HCRIS) is the CMS system for aggregating cost report information generated by Medicare providers. This data is received from the Provider and Statistical Reimbursement (PS&R)/System for Tracking Audit and Reimbursement (STAR) system. The cost report information includes annual statistics, demographics, and financial information about each provider. This information is used by researchers, actuaries, and policy analysts in understanding the costs associated with providing healthcare to Medicare beneficiaries. HCRIS provides this data to other systems: SAS EBI and the CMS internet services system for distribution to users. | |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | HCRIS collects and stores cost report data which is shared with CMS employees and the public. The cost report data originates at health care providers who seek reimbursement from CMS for expenses incurred in providing services to Medicare clients. The healthcare provider types include hospitals, skilled nursing facilities, home health agencies, hospices, community health centers, rural health clinics, organ procurement organizations and renal care providers. The data elements include geographic information such as street, city, county, state, and zip code; statistics such as the number of beds at a facility, the square footage of space used in providing particular services such as operating room or neonatal care; and financial costs related to operations, training, facility acquisition and management, and management overhead. Other statistics list the number of staff and contractors at a facility, the number of procedures performed categorized by type of procedure, the number of beds maintained for different types of care, and the number of residents or nurses in training in a hospital setting.
| |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | HCRIS receives and stores cost report data from the PS&R/STAR system and provides it to other systems and users at CMS in its databases and in files. Analysis of the cost report data by these groups is used to gain insight into trends in the provision of healthcare to Medicare beneficiaries. The HCRIS data is used to inform policy makers about the costs of providing healthcare on a national basis and allows researchers to compare different provider's costs and other metrics to identify areas where improvements can be made. The HCRIS is data is historical in nature and includes cost report data from the 1990s. All data is retained indefinitely.
| |
| Does the system collect, maintain, use or share PII? | No | |
| Administrators Explanation: | Database administrators require access to auditing records to comply with security controls. Any PII found would be an instance of unauthorized access to the system. | |
| Contractors Explanation: | Direct contractors in their role as administrators would have access to audit records to support the system objectives. | |