Master Data Management System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 10/31/2023

PIA Information for Master Data Management System
PIA Questions: PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-7933946-777535
Name: Master Data Management System
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? No
Identify the operator: Contractor
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 9/28/2023
Indicate the following reason(s) for updating this PIA. Choose from the following options. PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA. Modernization efforts have introduced platform changes and improvements to data ingestion and identity resolution.
Describe the purpose of the system

The Master Data Management system is an enterprise-wide service, located in the Centers for Medicare and Medicaid Services Amazon Web Services enclave, comprised of coordinated processes for collecting, aggregating, matching, consolidating, quality-assuring, persisting, and distributing data about providers, Medicare beneficiary identifiers, medical notes, organizations and programs, to ensure consistency and control in the ongoing maintenance and use of this information.

This system currently supports requirements to provide identity resolution, relationship management, and eligibility tracking using data from the following Centers for Medicare and Medicaid Services systems: Eligibility and Enrollment Medicare Online; Provider Enrollment Chain and Ownership System; Quality Improvement and Evaluation System; Transformed Medicaid Statistical Information System; and National Provider Identifier Crosswalk System.

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Similar programmatic data from other sources may be integrated with this existing data as the Master Data Management system matures.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The Master Data Management system receives information from the following Centers for Medicare and Medicaid Services data sources: Eligibility and Enrollment Medicare Online; Provider Enrollment Chain and Ownership System; Quality Improvement and Evaluation System; Transformed Medicaid Statistical Information System; and National Provider Identifier Crosswalk System.

The type of information received and maintained from the Provider Enrollment Chain and Ownership System is provider/supplier information. Basic information: Medicare Administrative Contractor, Provider Transaction Access Number, and National Provider Identifier. Identifying information: name, date of birth, Tax Identification Number, specialty, state licenses, Drug Enforcement Administration number, and certifications. It also includes final adverse legal actions and medical sanctions information, as well as practice location information, including the National Provider Identifier-Provider Transaction Access Number used at each address, hours of operation, pay-to location, medical records storage location, and billing agency information.

The type of information received and maintained from the National Provider Identifier Crosswalk System is provider/supplier information. Basic information: Medicare Administrative Contractor, National Provider Identifier, and National Provider Identifier-Provider Transaction Access Number. Identifying information: name, date of birth, Transaction Identification Number, specialty, state licenses, and Drug Enforcement Administration number. Practice location information: the National Provider Identifier-Provider Transaction Access Number used at each address, and the crosswalk between National Provider Identifiers and National Provider Identifier-Provider Transaction Access Numbers.

The type of information received and maintained from the Quality Improvement and Evaluation System is quality data for Inpatient Rehabilitation Facilities, Long-Term Care Hospitals (including the Long-Term Care Hospitals CARE Data Set), and Skilled Nursing Facilities. It also includes identifying information: name, Centers for Medicare and Medicaid Services Certification Number, certification date, specialty, practice location information, and mailing address information.

The type of information received and maintained from the Transformed Medicaid Statistical Information System is the data defined by that system's data schema. The Transformed Medicaid Statistical Information System data includes information about beneficiary eligibility, beneficiary enrollment, claims, and managed care. Data points conveying this information include beneficiary demographics, diagnosis codes, procedure codes, and claims and eligibility factors.

The type of information received and maintained from the Common Medicare Environment is Medicare beneficiary demographic data used to support managed care enrollments and payments to Medicare Advantage plans. Identifying information includes name, date of birth, Social Security Number, Beneficiary Link Key, Health Insurance Claim Number, Medicare Beneficiary Identifier, Transaction Identification Number, mailing address information, Medicare Advantage Prescription Drug enrollment information, Medicare Part A, B, C, and D enrollment information, and dual Medicare eligibility information.

For each data source, records are held indefinitely until no longer needed for agency use and are refreshed on a monthly cadence.

Lastly, the system collects usernames and passwords for administrators of the system. 

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Master Data Management system focuses on eliminating redundancy, inconsistency, and fragmentation by having a single, synchronized, comprehensive source of authoritative data in the Medicare Beneficiary Identifier, Medical Notes, Provider, Organization, and Program domains.  For the initial release, the Master Data Management system used various existing data sources and a modern software platform to build and maintain master indexes, profiles, and relationships between the domains.

The Master Data Management system receives information from the Centers for Medicare and Medicaid Services data sources of Eligibility and Enrollment Medicare Online; Provider Enrollment Chain and Ownership System; Quality Improvement and Evaluation System; Transformed Medicaid Statistical Information System; and National Provider Identifier Crosswalk System. The type of information received and maintained includes: provider/supplier information from the Provider Enrollment Chain and Ownership System; provider/supplier information from the National Provider Identifier Crosswalk System; Medicare beneficiary demographic data used to support managed care enrollments and payments to Medicare Advantage plans from the Common Medicare Environment; and quality information covering Inpatient Rehabilitation Facilities, Long-Term Care Hospitals, the Long-Term Care Hospitals CARE Data Set, and Skilled Nursing Facilities.

Lastly, the system collects usernames and passwords for administrators and users of the system. System users regularly use Personally Identifiable Information to retrieve system records, including the last name, Health Insurance Claim Number, and/or Transaction Identification Number.

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • Medical Notes
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Other - Health Insurance Claim Number, Medicare Beneficiary Identifier, Transaction Identification Number; National Provider Identifier; usernames and passwords for administrators and users.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Vendors/Suppliers/Contractors
  • Patients
How many individuals' PII in the system? 1,000,000 or more
For what primary purpose is the PII used? The Master Data Management system uses Personally Identifiable Information for aggregating, matching, and consolidating data to ensure consistency and control in the use of the information, and to provide a single source for Centers for Medicare and Medicaid Services programs to leverage the aggregated data.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research). The Master Data Management system follows the Target Life Cycle as part of its change management process for enhancements and changes. These enhancements and changes are tested in the validation environment, which is hardened to the same level as production, using Personally Identifiable Information to ensure that they function as intended prior to moving changes into the production environment.
Describe the function of the SSN. The Social Security Number is used as a unique identifier to identify an individual and to assist with record matching.
Cite the legal authority to use the SSN. 5 United States Code Section 301 (Departmental Regulations); Section 3004 of the Patient Protection and Affordable Care Act of 2010 [Public Law 111-148, amending the Social Security Act, 42 United States Code 1886(m)]
Identify legal authorities governing information use and disclosure specific to the system and program. 5 United States Code Section 301 (Departmental Regulations); Section 3004 of the Patient Protection and Affordable Care Act of 2010 [Public Law 111-148, amending the Social Security Act, 42 United States Code 1886(m)]
Are records on the system retrieved by one or more PII data elements? Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. System of Records Number 09-70-0598, Accountable Care Organizations Database System, Health and Human Services/Centers for Medicare and Medicaid Services/Center for Medicare and Centers for Medicare and Medicaid Innovation
Identify the sources of PII in the system: Directly from an individual about whom the information pertains: Online
Identify the sources of PII in the system: Government Sources: Within the OPDIV
Identify the OMB information collection approval number and expiration date: Not applicable
Is the PII shared with other organizations? Yes
Identify with whom the PII is shared or disclosed and for what purpose. Within HHS: The Health and Human Services Office of Inspector General utilizes data products for the purpose of detecting fraud and abuse.
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). An Information Sharing Agreement has been executed between the Centers for Medicare and Medicaid Services and the Office of Inspector General for the purpose of sharing information.
Describe the procedures for accounting for disclosures. The executed Information Sharing Agreement with the Office of Inspector General documents how information may be shared, what information may be shared, and with whom that information may be shared. It further documents the responsibilities of each party to protect the confidentiality, integrity, and availability of data.
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The Master Data Management system receives beneficiary and provider data from other Centers for Medicare and Medicaid Services applications (Eligibility and Enrollment Medicare Online; Provider Enrollment Chain and Ownership System; Quality Improvement and Evaluation System; Transformed Medicaid Statistical Information System; and National Provider Identifier Crosswalk System), not directly from the individual parties. As such, the programs referenced must provide the necessary notifications to individuals.

Administrator data is collected during the account request and provisioning process.

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The Master Data Management system receives beneficiary and provider data from other Centers for Medicare and Medicaid Services applications (Eligibility and Enrollment Medicare Online; Provider Enrollment Chain and Ownership System; Quality Improvement and Evaluation System; Transformed Medicaid Statistical Information System; and National Provider Identifier Crosswalk System), not directly from the individual parties. As such, the programs referenced must provide the necessary means for individuals to opt out of such collection and use.

Administrator data is collected during the account request and provisioning process. There is no opt-out process for this level of user. If the information is not provided, then accounts will not be provisioned, nor access granted. 

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

The Master Data Management system receives beneficiary and provider data from other Centers for Medicare and Medicaid Services applications (Eligibility and Enrollment Medicare Online; Provider Enrollment Chain and Ownership System; Quality Improvement and Evaluation System; Transformed Medicaid Statistical Information System; and National Provider Identifier Crosswalk System), not directly from the individual parties. As such, the programs referenced must provide the necessary notifications to individuals.

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The Master Data Management system receives beneficiary and provider data from other Centers for Medicare and Medicaid Services applications (Eligibility and Enrollment Medicare Online; Provider Enrollment Chain and Ownership System; Quality Improvement and Evaluation System; Transformed Medicaid Statistical Information System; and National Provider Identifier Crosswalk System), not directly from the individual parties. As such, the programs referenced must provide the necessary notifications to individuals.

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The Master Data Management system receives beneficiary and provider data from other Centers for Medicare and Medicaid Services applications (Eligibility and Enrollment Medicare Online; Provider Enrollment Chain and Ownership System; Quality Improvement and Evaluation System; Transformed Medicaid Statistical Information System; and National Provider Identifier Crosswalk System), not directly from the individual parties. As such, the programs referenced must perform the required steps to validate data integrity, availability, accuracy and relevancy. To ensure the aggregated information in the Master Data Management system is accurate and relevant, daily jobs update provider information from the source systems and monthly jobs update beneficiary information from the source systems.

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Identify who will have access to the PII in the system and the reason why they require access.
  • Administrators: Master Data Management system administrators require access to provide Operations and Maintenance support, which exposes them to Personally Identifiable Information. The exposure may extend to the data elements stored for beneficiary and provider entries in each respective data set.
  • Developers: Developers access Personally Identifiable Information for testing and to assist in troubleshooting issues that may occur with the application and/or data. The exposure may extend to the data elements stored for beneficiary and provider entries in each respective data set.
  • Contractors: Direct contractors holding Centers for Medicare and Medicaid Services provisioned credentials (e.g., a Centers for Medicare and Medicaid Services Identification and Centers for Medicare and Medicaid Services electronic mail) fill the Administrator and Developer roles.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to the Master Data Management system's sources, including any and all sensitive information, is governed by the Enterprise User Administration access control process. Potential users are required to apply for Enterprise User Administration access first. Once unique identifiers are issued, roles for users requiring access to Master Data Management system resources, including sensitive information, are established via Enterprise User Administration job codes. Once job codes are approved through the existing Centers for Medicare and Medicaid Services Enterprise User Administration process, users receive access to the system's sources, including Personally Identifiable Information where appropriate. Developers and system administrators must use the same process to receive their Centers for Medicare and Medicaid Services Identifications and access. Any and all requests for administrative access are submitted to and approved by the Master Data Management system Business Owner before access is given. Privileged user reviews are conducted by the Business Owner to ensure that only authorized users have privileged access to the system, which may contain Personally Identifiable Information.

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The Master Data Management system utilizes role-based access to ensure that users have only the access necessary for them to perform their job functions. The information that may be accessed is defined by the users’ role. 

The process for provisioning access to a given user, via Enterprise User Administration and its associated roles, requires a determination through review and approval by the system owner, while implementation is performed by the system administrator during account provisioning.

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.

Identify the training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All users who wish to access Master Data Management system resources are required to complete the Centers for Medicare and Medicaid Services security awareness training, which includes information related to their responsibilities for protecting sensitive Centers for Medicare and Medicaid Services information. This training is required before initial access. All users must be recertified annually and must complete this training again at that time.

Describe training system users receive (above and beyond general security and privacy awareness training)

The Centers for Medicare and Medicaid Services security awareness training covers special handling of Personally Identifiable Information and Protected Health Information, as well as best-practice security techniques for day-to-day handling of information and access to Centers for Medicare and Medicaid Services systems. Master Data Management system direct contractors receive role-based training in addition to the Centers for Medicare and Medicaid Services security awareness training. This training is more locally specialized and emphasizes protection of sensitive information and incident response techniques and responsibilities. Each of these trainings is completed initially when access is requested, and again annually thereafter.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Records will be held indefinitely until no longer needed for agency use.

Personally Identifiable Information is retained and destroyed in accordance with National Archives and Records Administration Records Schedule Numbers DAA-0440-2015-0007 and DAA-0440-2015-0008 for beneficiary and provider information, respectively. Accordingly, data will be destroyed in accordance with these requirements, no sooner than 10 years after cutoff for beneficiary information and no sooner than 7 years after cutoff for provider data, unless longer retention is authorized.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative controls include access approval by management, and review of accounts.

Technical controls include event logging, roles-based access, and networking security controls.

Physical controls in place at the Amazon Web Services data center include monitoring of physical access, visitor logging, and environmental controls.

The referenced systems above are covered in separate Privacy Impact Assessments, as stakeholders for each of the referenced systems are required to complete and publish a Privacy Impact Assessment covering their respective systems.