
Healthcare Fraud Prevention Partnership Trusted Third Party 2.0

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 1/26/2024

PIA Information for Healthcare Fraud Prevention Partnership Trusted Third Party 2.0
PIA Questions / PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-5181656-319270
Name: Healthcare Fraud Prevention Partnership Trusted Third Party 2.0
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? No
Identify the operator: Contractor
Point of Contact (POC) Title: Contract Officer Representative (COR)
Point of Contact (POC) Name: Felicia Lane
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 5/5/2023
Indicate the following reason(s) for updating this PIA. Choose from the following options. PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA. There are no significant changes to the HFPP portal or any new data fields being ingested.
Describe the purpose of the system

The Healthcare Fraud Prevention Partnership Trusted Third Party 2.0 (HFPP TTP 2.0) is a voluntary public-private partnership between the federal government, state agencies, law enforcement, private health insurance plans, and healthcare anti-fraud associations. The HFPP TTP 2.0 aims to foster a proactive approach to detect and prevent healthcare fraud through data and information sharing.

The HFPP TTP 2.0 information system provides analytic and management support for the data aggregation and analysis functions of the HFPP TTP 2.0. It gives the partnership the analytic and management ability to exchange health care information and to identify innovative measures to detect and prevent health care fraud, waste, and abuse.

Specifically, the HFPP TTP 2.0 information system allows the HFPP TTP 2.0 partners to design and execute studies in collaboration, using cross-payer claims and other payment data, and provides facilities to safeguard sensitive health care data, including protected health information (PHI) and personally identifiable information (PII). As an organization, the HFPP TTP 2.0 facilitates collaboration and builds trust among HFPP partners by barring disclosure of this data to other partners, including CMS, which gives partners the independent and impartial judgment necessary to perform analysis of partner data.

The HFPP TTP 2.0 follows the "common data aggregator" model under HIPAA Privacy Rule. Under this model, each covered entity enters into a HIPAA Business Associate Agreement with the Common Data Aggregator (the HFPP TTP 2.0) to conduct data aggregation and analysis services on that entity's behalf. The aggregator is barred from disclosing PHI to any entity other than the data source entity. Partners who do not qualify as HIPAA covered entities must provide a congruent Business Associate Agreement to conduct data aggregation and analysis services on that entity's behalf.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The HFPP TTP system can receive and maintain the following types of information:
  • Name of Business entity providing data to HFPP
  • Unique number for healthcare claim
  • Unique identification number assigned to each person by the business entity
  • Social Security Number (SSN)
  • Sex
  • Date of Birth
  • State of Residence
  • Zip Code
  • Date of Death
  • Healthcare Provider Legal Business Name
  • Healthcare Provider Doing Business as Name
  • Healthcare Provider National Provider Identifier (NPI)
  • Healthcare Provider Tax Identification Number (TIN)
  • Healthcare Provider Employer Identification Number (EIN)
  • Healthcare Provider Taxonomy (specialization) Code
  • Healthcare Provider Specialty Code
  • Healthcare Provider Specialty Description
  • Healthcare Provider Address
  • Healthcare Provider City
  • Healthcare Provider State
  • Healthcare Provider Zip
  • Service/Procedure Code(s)
  • International Classification of Diseases (ICD) 9 and/or 10 Diagnosis Codes
  • Place of Healthcare Service Provided Code
  • Beginning Date of Healthcare Service
  • Ending Date of Healthcare Service
  • Type of Service Received Code
  • Total Charge (dollars) submitted by the Healthcare Provider
  • Amount Paid to the Healthcare Provider
  • Coordination of Benefits Amount Paid
  • Date on which the claim was submitted for payment
  • Date on which the payment status of the claim was paid
  • Date of admission to hospital
  • Date of discharge from hospital
  • Number of administrative necessary days (when patients remain in the hospital because no room can be found for them in a nursing home)
  • Number of inpatient days covered by healthcare claim payer
  • Number of days not covered by healthcare claim payer
  • Code indicating the patient status as of the ending date of service
  • National Drug Code
  • Area of Oral Cavity
  • Type of tooth system used by healthcare provider
  • Appropriate tooth number or letter when the procedure directly involves a tooth or range of teeth
  • Code that indicates when the procedure performed by tooth involves one or more tooth surfaces
  • Prescription Number
  • Prescription Origin Code (Written, Telephone, Electronic, Facsimile, Pharmacy)
  • Pharmacy Identification Number
  • Pharmacy Service Type Code
  • Drug Brand Name
  • Generic Drug Indicator
  • Drug Controlled Substance Level (1-5)
  • Billing code that reports the unit of measure for the pharmaceutical delivered
  • Number of units in the pharmaceutical package
  • Number of days' supply of the pharmaceutical
  • Date the pharmaceutical was first filled
  • Date of the pharmaceutical refill
  • Drug Coverage Status Code
  • Average price at which drugs are purchased at the wholesale level

HFPP member user data is also collected and maintained and includes the user’s name, user account name, email address, and Internet Protocol (IP) address. 

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

Members of the HFPP TTP 2.0 provide healthcare claims and other pertinent data as needed by the HFPP TTP 2.0 to perform analyses that detect and deter fraudulent behaviors within the health care system. Members provide health care claim information data files through the HFPP Portal information system's secure file upload feature, or through a Secure File Transfer Protocol (SFTP) service. Both methods use government-approved data encryption technology, making the data readable only by the HFPP TTP 2.0.

The HFPP TTP 2.0 follows the "common data aggregator" model under HIPAA Privacy Rule. Under this model, the HFPP is barred from disclosing PHI to any entity other than the data source entity, including CMS. Only patient de-identified data/findings may flow to all covered entity participants.

This information is stored until such time as its destruction is called for within the Data Sharing Agreements (DSAs) HFPP TTP 2.0 has acknowledged and signed with the HFPP partners.

No PII or PHI collected will be retrieved by a unique identifier.

Describe why the information listed in question PIA-012 is collected. The response to this question should consider all information, whether or not it is PII. The response to this question should also specify what information is collected about each category of individual and should document and discuss if records are retrieved by PII elements.
Reminder: If you answer Yes to question PIA-022 regarding the method of record retrieval, include in the response to question PIA-013 a brief description of the retrieval practice. Note the PII used and categories of individuals to whom the PII relates.
An example is: The Physical Security System (PSS) regularly uses PII to retrieve system records, including using the last name, employee ID number, and/or work phone number of CMS employees, contractors, and members of the public authorized to access the main campus and satellite offices.
Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • E-Mail Address
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Financial Account Info
  • Other - National Provider Identifier (NPI), Employer Identification Number (EIN), Unique identification number assigned to each person by the business entity, Sex, System user account name and email address, Name of Business entity, Unique healthcare claim number, State of Residence, Zip Code, Date of Death, Healthcare Provider Legal Business Name, Healthcare Provider Doing Business as Name, Healthcare Provider Tax Identification Number (TIN), Healthcare Provider Employer Identification Number (EIN), Healthcare Provider Taxonomy (specialization) Code, Healthcare Provider Specialty Code, Healthcare Provider Specialty Description, Service/Procedure Code(s), International Classification of Diseases (ICD) 9 and/or 10 Diagnosis Codes, Place of Healthcare Service Provided Code, Area of Oral Cavity, Prescription Number.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
How many individuals' PII is in the system? 1,000,000 or more
For what primary purpose is the PII used?

PII, in the form of healthcare claims information, is used as identifying elements in performing analytical studies on potential healthcare fraud, waste, and abuse.

Examples of studies include misused medical codes and fraud schemes; non-operational providers of services, also known as "false storefronts"; pharmacies that dispense improper and dangerous amounts of controlled drugs; and identifying providers who may be inappropriately billing quantitative and qualitative urine drug screens.

PII of information system users and system administrator/engineer users is collected and used for system authentication and verification.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research). There is no secondary use for the PII.
Describe the function of the SSN.

This question should describe all the ways SSN, if collected, is used in the system; when, where, and why SSN is disclosed or shared; and why the SSN is used rather than another identifier.

NOTE: Employer Identification Number (EIN) is also known as Federal Employer Identification Number (FEIN), Tax Identification Number (TIN) or Federal Tax Identification Number (FTIN). Individuals may choose to use their SSN as their EIN or FTIN. Typically, this would be sole proprietors or other small business owners who use the SSN as an EIN for tax purposes. EIN often appears in the format XX-XXXXXXX and may not stand out as an SSN.

Any time SSN is involved, examine whether collection/use of the SSN can be eliminated.

The HFPP TTP 2.0 will not have the member's name or address anywhere in the data, so the only option available to identify individuals across payers is to use the SSN. Due to the sensitivity of SSNs, the HFPP TTP 2.0 will use a one-way hashing technique that generates a 32-character alphanumeric string to serve as a unique HFPP identification (ID) number. The hashing technique transforms the SSN in such a way that it is virtually impossible to reconstruct the original number from the result. This approach eliminates the need to retain the SSN after initial processing, yet allows the HFPP TTP 2.0 to use an individual-level identifier (surrogate key), rather than an identified person, to recognize when the same individual is being billed under two or more payers. Since the HFPP ID replaces the member SSN in the input record, the SSN will not be stored or retained by the HFPP TTP 2.0 in the fraud study data after initial processing is complete.
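An added illustration of the surrogate-key step described in the answer above, not code from the HFPP TTP 2.0 system: the PIA does not name the hash algorithm or how its key is handled, so HMAC-SHA-256 under a secret key held only by the trusted third party, truncated to 32 hex characters, is assumed here, and every SSN, payer name and NPI below is a constructed sample value.

```python
"""Derive a one-way HFPP-style surrogate ID from an SSN and drop the SSN
from the input record before it enters fraud study data.

Assumptions (not stated in the PIA): HMAC-SHA-256 truncated to 32 hex
characters, keyed with a secret known only to the trusted third party.
"""
import hashlib
import hmac
import re

# Assumed: a secret kept by the TTP (loaded from a secrets store in practice).
# Keying the hash means the SSN -> ID mapping cannot be recomputed by anyone
# who lacks the key, which matters because SSNs come from a small value space.
HFPP_ID_KEY = b"constructed-example-key-not-for-production"

_SSN_DIGITS = re.compile(r"^\d{9}$")


def normalize_ssn(ssn: str) -> str:
    """Return the 9 digits of an SSN, accepting '123-45-6789' or '123456789'.

    Normalization is what lets the same person's records match across payers
    that format the field differently; anything else is rejected.
    """
    digits = ssn.replace("-", "").replace(" ", "")
    if not _SSN_DIGITS.match(digits):
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def hfpp_id(ssn: str, key: bytes = HFPP_ID_KEY) -> str:
    """One-way, keyed derivation of a 32-character alphanumeric HFPP ID."""
    mac = hmac.new(key, normalize_ssn(ssn).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:32]


def tokenize_claim(record: dict, key: bytes = HFPP_ID_KEY) -> dict:
    """Replace the 'ssn' field with 'hfpp_id'; the SSN is not carried forward."""
    out = {k: v for k, v in record.items() if k != "ssn"}
    out["hfpp_id"] = hfpp_id(record["ssn"], key)
    return out


def link_across_payers(records: list, key: bytes = HFPP_ID_KEY) -> dict:
    """Group tokenized claims by HFPP ID and return only IDs billed under
    two or more payers, so cross-payer activity is visible without the SSN."""
    groups: dict = {}
    for rec in records:
        tok = tokenize_claim(rec, key)
        groups.setdefault(tok["hfpp_id"], []).append(tok["payer"])
    return {hid: payers for hid, payers in groups.items() if len(payers) > 1}


# Constructed sample input: two payers submit claims for the same person,
# one with dashes in the SSN field and one without.
SAMPLE_CLAIMS = [
    {"payer": "Payer A", "claim_no": "A-1001", "ssn": "123-45-6789", "npi": "1234567890"},
    {"payer": "Payer B", "claim_no": "B-2002", "ssn": "123456789", "npi": "1234567890"},
    {"payer": "Payer B", "claim_no": "B-2003", "ssn": "987-65-4321", "npi": "1234567890"},
]

if __name__ == "__main__":
    for hid, payers in link_across_payers(SAMPLE_CLAIMS).items():
        print(hid, "billed under", payers)
```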

Cite the legal authority to use the SSN.

Section 1128C(a)(2) of the Social Security Act (42 U.S.C. § 1320a-7c(a)(2))

Section 6034(g)(1)(a) of the Deficit Reduction Act of 2005 (DRA), which established the Medicaid Integrity Program in section 1936 of the Social Security Act (Public Law 109-171)

Health Care Fraud and Abuse Control Program (Section 1128C(a)(2) of the Social Security Act), codified in Section 201(a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996

Identify legal authorities​ governing information use and disclosure specific to the system and program.

5 U.S.C. Section 301, Departmental Regulations

Section 1128C(a)(2) of the Social Security Act (42 U.S.C. § 1320a-7c(a)(2))

Section 6034(g)(1)(a) of the Deficit Reduction Act of 2005 (DRA), which established the Medicaid Integrity Program in section 1936 of the Social Security Act (Public Law 109-171)

Health Care Fraud and Abuse Control Program (Section 1128C(a)(2) of the Social Security Act), codified in Section 201(a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996

45 C.F.R. secs. 164.501 (definition of "data aggregation") and 164.504(e)(2)(i)(B) (providing that business associate agreements may provide for data aggregation services)

Are records on the system retrieved by one or more PII data elements? No
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
  • Other - System user and administrator credentials are collected. Individuals provide their information manually to TTP staff, who then enter it into the TTP information system and Portal.
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • Other - Federal Entities, HFPP partners via electronic claims data submissions
Identify the sources of PII in the system: Non-Government Sources
  • Private Sector
  • Other - Private health insurance companies, health care and anti-fraud associations. HFPP partners via electronic claims data submissions. Each partner organization submits health care claims data through the HFPP portal, in a generalized data format, that includes PII / PHI.
Identify the OMB information collection approval number and expiration date

OMB information collection approval number - 0938-1251

Expiration date - 09/30/2025

Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. Participating partners who are considered HIPAA covered entities are required to adhere to HIPAA privacy rules, which require notification to individuals that their personal information will be collected.
Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

PII is not submitted directly from individuals to the HFPP TTP 2.0. Disclosure of PII to the HFPP partner is dictated by the individual partners’ requirements under HIPAA or respective Business Associate Agreement.

System user and system administrator/engineers' credentials are considered PII. There is no option for the user to object to the collection of their PII, as it is required for accessing the HFPP TTP 2.0 information system and HFPP Portal.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

PII is not submitted directly from individuals to the HFPP TTP 2.0. Disclosure of PII to the HFPP partner is dictated by the individual partners’ requirements under HIPAA or respective Business Associate Agreement.

System user and system administrator/engineers' credentials are considered PII. There is no option for the user to object to the collection of their PII, as it is required for accessing the HFPP TTP 2.0 information system and HFPP Portal.

Any changes to the HFPP TTP 2.0 information system or HFPP Portal are communicated to support personnel and HFPP organization members through e-mail correspondence and notices.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

PII is not submitted directly from individuals to the HFPP TTP 2.0. Disclosure of PII to the HFPP partner is dictated by the individual partners’ requirements under HIPAA or respective Business Associate Agreement.

System user and system administrator/engineers' credentials are considered PII. There is no option for the user to object to the collection of their PII, as it is required for accessing the HFPP TTP 2.0 information system and HFPP Portal.

An HFPP TTP 2.0 information system user or HFPP organization member who believes their PII may have been compromised would contact the HFPP TTP 2.0 Service Desk, which would investigate and potentially re-issue passwords or take other steps to address the individual's concerns.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

HFPP TTP 2.0 data sets containing PII are maintained within an access-controlled, limited-access environment. Data sets are inventoried to ensure the integrity, availability, and accuracy. Actions taken upon the data sets are logged to a secure file for review as needed. The PII is as accurate as provided by the partners.

System user and system administrator/engineers’ credentials are considered PII.

The methods for ensuring the integrity, availability, accuracy, and relevancy of HFPP TTP 2.0 information system users and HFPP organization members PII are as follows: the designated administrators review all user accounts twice a year to determine the access permissions, whether the user is still valid and the role-based permissions. Users that are no longer valid are deactivated and any new permissions and roles are updated. Additionally, firewalls and encryption ensure the integrity of the system information.


Identify who will have access to the PII in the system and the reason why they require access.
  • Users: HFPP TTP 2.0 data sets containing PII are maintained within an access-controlled, limited-access environment. Data sets are inventoried to ensure the integrity, availability, and accuracy. Actions taken upon the data sets are logged to a secure file for review as needed. The PII is as accurate as provided by the partners.
    System user and system administrator/engineers’ credentials are considered PII.
    The methods for ensuring the integrity, availability, accuracy, and relevancy of HFPP TTP 2.0 information system users and HFPP organization members PII are as follows: the designated administrators review all user accounts twice a year to determine the access permissions, whether the user is still valid and the role-based permissions. Users that are no longer valid are deactivated and any new permissions and roles are updated. Additionally, firewalls and encryption ensure the integrity of the system information.
  • Administrators: HFPP TTP 2.0 administrators/engineers may require intermittent access to PII to perform necessary IT support functions.
  • Developers: On a routine basis as needed. Developers do not typically have access to PII but on an ad hoc or exception basis, may be granted permission to perform a necessary function.
  • Contractors: HFPP TTP 2.0 contractors (not direct contractors of CMS), in their roles of supporting HFPP TTP 2.0 functions (performing studies, developing study reports, and supporting/managing the system and information contained within the system) may have access to PII. GDIT, as a CMS direct contractor, will have access to the data. CMS will not have access to the data in its role as an HFPP partner. The contract does not allow CMS to have direct access to the data. Only GDIT in its role as the trusted third party will have access, and only those users with the need to know (in an analytic or study data management role).
  • Others: HFPP partner study participants, listed as users above.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

HFPP TTP 2.0 contractors (not direct contractors of CMS), in their roles of supporting HFPP TTP 2.0 functions (performing studies, developing study reports, and supporting/managing the system and information contained within the system) may have access to PII.

GDIT, as a CMS direct contractor, will have access to the data. CMS will not have access to the data in its role as an HFPP partner. The contract does not allow CMS to have direct access to the data. Only GDIT in its role as the trusted third party will have access, and only those users with the need to know (in an analytic or study data management role).

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. The system implements the principle of role-based access control, which provides access only to those individuals who need to utilize the PII to fulfill their job responsibilities.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. All users of the system are required to take security and privacy training annually, which includes specific information on handling, managing, and protecting PII maintained in the HFPP TTP 2.0 information system.
Describe training system users receive (above and beyond general security and privacy awareness training). Personnel with security responsibilities receive specific training on implementing security practices to protect the confidentiality, integrity, and availability of the HFPP TTP 2.0 information system and its data.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? No
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The National Archives and Records Administration (NARA) General Records Schedule (GRS) citation for PII storage and destruction for user account access information is DAA-GRS-2013-0006-0003 which states to destroy 1 year(s) after user account is terminated or password is altered or when no longer needed for investigative or security purposes, whichever is appropriate.

No other PII of the HFPP Partners is ever stored outside of the HFPP TTP 2.0 FISMA authorization boundary. This information is stored until such time as its destruction is called for within the Data Sharing Agreements (DSAs) it has signed with the HFPP partners. In addition, if a participating entity terminates its DSA and relationship with the HFPP TTP 2.0, the data provided will be destroyed.

Either Party may terminate the Data Sharing Agreement at any time upon advance written notice to the other Party. If the Data Providing Entity terminates this Agreement, any data already contributed by the Data Providing Entity to the HFPP TTP 2.0 will be destroyed in accordance with Section V.B. of the Data Sharing Agreement. If a new entity is designated by CMS and agreed to by the HFPP to perform the functions performed by the TTP, the TTP will engage in commercially reasonable efforts to assist the Data Providing Entity with the transfer of data to the new TTP.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The HFPP TTP 2.0 information system uses administrative and technical controls to secure PII, and the cloud service provider's data center supplies the physical controls.

Administrative controls include security and network policies and procedures, and user access procedures.

Technical security controls include the encryption of data in transmission; use of firewalls, anti-virus, and intrusion detection/prevention technologies.

Physical controls include housing the server and data storage environment within a secure, access-controlled data center that has 24-hour security and video monitoring.