
HIPAA Eligibility Transaction System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 3/15/2024

PIA Information for the HIPAA Eligibility Transaction System
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-1895367-241429

Name:

HIPAA Eligibility Transaction System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

11/27/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

The Health Insurance Portability and Accountability Act (HIPAA) Eligibility Transaction System (HETS) infrastructure is at the Amazon Web Services (AWS) US East Region + West Region.

Describe the purpose of the system

The Health Insurance Portability and Accountability Act (HIPAA) Eligibility Transaction System (HETS) gives Medicare beneficiary eligibility data to Medicare providers, suppliers, or their authorized billing agents so they can accurately make Medicare claims and determine beneficiary liability or eligibility for specific services.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The information collected in the HETS Desktop (HDT) includes the submitters’ IDs and their relationships with Medicare Providers to manage access to the HETS 270/271 system.

HETS collects Personally Identifiable Information (PII):
Submitter ID and provider relationship with the submitters, Name(s), phone number, email address, legal business name, Medicare provider’s name, billing address, physical address, technical representative name, Provider National Provider Identifier (NPI) ID.

HETS HDT users are CMS employees, contractors and submitters who manage provider/submitter relationships. CMS Enterprise Identity Management Solution gives a HETS HDT user ID and password to enter the system. CMS Enterprise Identity Management Solution is covered by its own Privacy Impact Assessment. HETS HDT collects user IDs and passwords.
The HETS 270/271 system returns this beneficiary information: beneficiary entitlement, first, middle and last name, suffix, date of birth, address, sex, Medicare Beneficiary Identifier (MBI), address, city, state, zip, applicable date, Medicare entitlement effective date(s) for Part A and Part B, inactive Part A/B period dates for unlawful circumstances (incarceration, deportation, or alien status), beneficiary date of death, coverage status of services, non-covered services type codes, base deductible, remaining deductible, beneficiary Medicare Advantage enrollment, Medicare Advantage enrollment date(s), Medicare Advantage contract and plan ID, prior managed care organization ID – managed care, organization contract ID + plan benefit.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Health Insurance Portability and Accountability Act (HIPAA) Eligibility Transaction System (HETS) receives beneficiary information from Medicare providers, suppliers, or their authorized billing agents so it can determine beneficiaries’ deductibles and co-insurance for the services requested. The HETS 270 request carries PII, and HETS processes the beneficiary data it receives to retrieve records for each individual transaction. The HETS 271 response then returns the financial responsibility information and the Medicare entitlement so that Medicare claims can be made accurately and beneficiary liability or eligibility for specific services can be determined.

The information collected in the HETS Desktop (HDT) includes the submitters’ IDs and their relationships with Medicare Providers to manage access to the HETS 270/271 system.

HETS collects Personally Identifiable Information (PII):
Submitter ID and provider relationship with the submitters, Name(s), phone number, email address, legal business name, Medicare provider’s name, billing address, physical address, technical representative name, Provider National Provider Identifier (NPI) ID.

HETS HDT users are CMS employees, contractors and submitters who manage provider/submitter relationships. CMS Enterprise Identity Management Solution gives a HETS HDT user ID and password to enter the system. CMS Enterprise Identity Management Solution is covered by its own Privacy Impact Assessment. HETS HDT collects user IDs and passwords.
The HETS 270/271 system returns this beneficiary information: beneficiary entitlement, first, middle and last name, suffix, date of birth, address, sex, Medicare Beneficiary Identifier (MBI), address, city, state, zip, applicable date, Medicare entitlement effective date(s) for Part A and Part B, inactive Part A/B period dates for unlawful circumstances (incarceration, deportation, or alien status), beneficiary date of death, coverage status of services, non-covered services type codes, base deductible, remaining deductible, beneficiary Medicare Advantage enrollment, Medicare Advantage enrollment date(s), Medicare Advantage contract and plan ID, prior managed care organization ID – managed care, organization contract ID + plan benefit.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name
  • E-Mail Address
  • Phone Numbers
  • Date of Birth
  • Mailing Address
  • Other - Medicare Beneficiary Identifier (MBI), Submitter ID, User Credentials, legal business name, Medicare provider’s name, technical representative name, applicable date, Medicare entitlement effective date(s) for Part A and Part B, inactive Part A/B period dates for unlawful circumstances (Incarceration, Deportation, or Alien Status), NPI, Date of Death, Sex, Provider Relationship, coverage status of services, non-covered services type codes, base deductible, remaining deductible, beneficiary Medicare Advantage enrollment, Medicare Advantage enrollment date(s), Medicare Advantage contract and plan ID, prior managed care organization ID – managed care, organization contract ID + plan benefit.

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees
  • Public Citizens
  • Business Partners/Contacts (Federal, state, local agencies)

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

The primary reason the PII is used is for providers to confirm that Medicare beneficiaries are entitled to be in the Medicare program and to get information about Medicare benefits in order to correctly submit claims. The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities, including Medicare, to share this information, and the PII is required to support these inquiry/response transactions.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

None

Describe the function of the SSN.

N/A. The SSN is not collected by the HIPAA Eligibility Transaction System (HETS).

Cite the legal authority to use the SSN.

N/A. The SSN is not collected by the HIPAA Eligibility Transaction System (HETS).

Identify legal authorities governing information use and disclosure specific to the system and program.

Section 101 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003; 5 U.S.C. 301, Departmental Regulations

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Health Plan Management System (HPMS), 09-70-0500

Enrollment Data Base (EDB), 09-70-0502

Medicare Advantage Prescription Drug System (MARx), 09-70-0588

Common Working File (CWF), 09-70-0526

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

  • In-Person
  • Online

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

OMB approval number:

OMB-0938-0960 - Expiration 04/30/2025

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Other Federal Agency/Agencies: Department of Veterans Affairs (VA)

  • Private Sector: PII may be shared with Medicare active providers who are currently enrolled within Medicare programs in order to provide services to Medicare Beneficiaries.

Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

Trading Partner Agreements (TPAs) must be in place between the third-party vendors, clearinghouses, and CMS.


Describe the procedures for accounting for disclosures

The HETS Desktop (HDT) monitors all transactions submitted to HETS 270/271.

The HDT tracking functionality captures the submitter ID that identifies who submitted the transaction and the NPI that identifies the Medicare provider requesting eligibility information.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Online and paper forms have Instructions that tell you how to complete each field and the reasons we collect information.

Submitters, third-party vendors and clearinghouses learn of the collection of their personal information when they complete the Trading Partner Agreement form. CMS program officials verbally inform third parties that personal information is needed to participate in the program.

The EDB and MARx systems, which directly collect PII, are responsible for letting beneficiaries and providers know. Each of these systems is covered by its own PIA.

CMS Enterprise Identity Management Solution, the source collector, has the process in place to notify internal users of the HETS HDT system that their PII is being collected. Requesting access to any CMS system, including HETS HDT, through the Enterprise Identity Management Solution makes sure that users are given privacy statements explaining why and how information will be used.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Submitters have the option to not submit their PII; however, they will not have access to HETS.

Other CMS systems, the Enrollment Data Base (EDB), the Medicare Advantage and Prescription Drug System (MARx), and the Common Working File (CWF), each of which has its own Privacy Impact Assessment (PIA), collect beneficiary and provider PII. The opt-out process lies with those systems.

The PII collected from internal system users is needed for them to perform their job duties; therefore there is no opt-out process in place.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

The CMS helpdesk will let infrastructure system users know if their user credential data will be collected or used differently.

The Medicare Customer Assistance Regarding Eligibility (MCARE) helpdesk will notify third party vendors and clearinghouses.

The EDB and MARx System of Records Notices (SORNs) will notify beneficiaries. If there are changes to how PII is collected, used and/or disclosed, the SORNs will be revised and published for a 30-day comment period before they’re finalized.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The Medicare Customer Assistance Regarding Eligibility (MCARE) helpdesk follows a documented CMS incident handling process, which includes reporting any mishandling of system users’ PII; a confirmed report is investigated and resolved by a highly trained team of CMS Incident Response Professionals.

Concerned individuals should contact the system manager named below, reasonably identify the records, and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These Procedures are in accordance with Department regulation 45 CFR 5b.7.) The system manager would then consider, investigate, and resolve the individual concern.

Individuals whose information has been obtained by the System of Record (SOR) can contact the system Director, Division of Enrollment and Eligibility Policy, Medicare Enrollment and Appeals Group, Center for Beneficiary Choices, CMS, Mail Stop S1–05–06, 7500 Security Boulevard, Baltimore, Maryland 21244–1850.

Individuals whose information has been obtained by the System of Record (SOR) EDB can contact the system Director, Division of Enrollment & Eligibility Policy, Medicare Enrollment and Appeals Group, Centers for Beneficiary Choices, Mail Stop C2–09–17, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, MD 21244–1849. The director will then assess the issue and respond within the defined processes of EDB.

Individuals whose information has been obtained by the System of Record (SOR) MARx can contact the system Director, Division of Medicare Advantage Appeals and Payment Systems, Information Services Modernization Group, Office of Information Services, CMS, Room N3–16–24, 7500 Security Boulevard, Baltimore, Maryland 21244–1850. The director will then assess the issue and respond within the defined processes of MARx.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

PII and Personal Health Information (PHI) data submitted daily is updated in real time: the HETS 270/271 source database for Medicare beneficiaries’ eligibility data is updated via the Q-Replication (QRPP) database service, an International Business Machines Corporation (IBM) product that replicates data from the System of Records (SOR). There are also data backups to make sure the data is available.

The HETS Trading Partner Agreement (TPA) is recertified annually; if it needs to be updated during the year, a full TPA must be resubmitted to make sure the data is relevant and accurate. The TPA is collected and maintained in the entry tracking contractor tool.

Data integrity is protected by system user roles that only let specific users access the PII that they need to do their jobs.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: To determine if the beneficiary has Medicare Eligibility benefits to render services to the patient.
  • Administrators: Application Support Activities including managing system users, auditing user access, and providing support to users.
  • Developers: Application Support Activities including developing code, maintaining code, and testing the functionality of the system prior to promoting code to production.
  • Contractors: Direct Contractors are developers and independent code testers who maintain code and test the functionality of the system.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

We limit access to a need-to-know basis and certify yearly in line with CMS Security Requirements.

HETS authorized officials at CMS review requests for access to ensure only approved individuals maintain access consistent with their job responsibilities.

If an employee is terminated, the Government Task Leader (GTL) will remove access immediately.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

All access to HETS is controlled by the CMS Identity Solution user ID and the job codes associated with HIPAA Eligibility Transaction System (HETS) HDT system access. To support a least privilege methodology and keep duties segregated, multi-factor authentication is also required for the limited set of CMS and contractor users who have approved infrastructure access.

We monitor the access of the system on a real time, continuous basis with notifications from the Security Operations Center. HETS HDT only approves access following the least privilege methodology to make sure users have the minimal access/data necessary to do their jobs.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All system owners, managers, operators, and contractors of the HIPAA Eligibility Transaction System (HETS) must have a CMS Enterprise User ID. They also must complete annual CMS Information Security and Awareness training (Computer Based Training). This training covers privacy and security controls to access any CMS system and, if not taken, a user's ID will be revoked until the training is completed.


Describe training system users receive (above and beyond general security and privacy awareness training)

N/A

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Personally Identifiable Information (PII) for system access information meets the National Archives and Records Administration (NARA) disposition: Cut off at the close of the calendar year. Destroy/delete 6 years and 3 months after cutoff. (NARA Disposition Authority: N1-440-04-3, Item 1a).

PII is kept in system logs that are archived for up to 6 years, 3 months in a secure database. We’re working up to the full NARA retention requirement with the HIPAA Eligibility Transaction System (HETS), so we won’t destroy PII because there are no tapes to degauss. The controls are regularly reviewed as required by CMS security requirements in the Federal Information Security Management Act (FISMA) Adaptive Capabilities Test (ACT) process.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The HIPAA Eligibility Transaction System (HETS) lives in an Amazon Web Services (AWS) data center across multiple facilities in the US East Region; each is protected by security guards and is only accessible to registered personnel after undergoing extensive, vetted and approved background checks. Technical controls include access controls designed to limit system access to only approved end users and operations/maintenance staff with a valid need to know based on their roles. All information security policies are in the CMS organizational security and privacy policy and procedures. All staff acknowledge CMS security and privacy policies when they’re hired and then every year after. CMS’ policies and procedures include training on how to properly handle sensitive data and the minimum technical controls needed for all federal systems to protect the confidentiality and integrity of the data CMS is trusted with. HETS monitors system activity with help from CMS and the Cloud Computing Services (CCS) contractor to make sure PII is only used as intended for approved business requirements. Records are encrypted and kept in both active and archival files to protect data confidentiality and integrity.

The Health Insurance Portability and Accountability Act (HIPAA) Eligibility Transaction System (HETS) infrastructure is at the Amazon Web Services (AWS) US East Region + West Region.

Session Cookies - Collects PII?:

No