Medicaid-CHIP Payment Error Rate Measurement – NCI RC
Date signed: 4/24/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-7607006-852427 |
| Name: | Medicaid-CHIP Payment Error Rate Measurement – NCI RC |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 1/11/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | No major changes occurred. |
| Describe the purpose of the system | The purpose of this system is to review random samples of medical claims and medical records to measure payment error rates for state Medicaid and Children's Health Insurance Program (CHIP) programs. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The Medicaid-CHIP Payment Error Rate Measurement - Navigate Collaborate Innovate Review Contractor system (PERM NCIRC) does not collect Personally Identifiable Information (PII) or Protected Health Information (PHI) directly from individuals who receive Medicaid and CHIP benefits. The system conducts reviews of medical claims and medical records that originate from a CMS processing system and that include phone numbers, medical notes, date of birth, mailing address, medical record ID, Health Insurance Claim Number (HICN), patient International Classification of Diseases (ICD) diagnosis description, and notes from the provider about the patient. The system will collect and maintain user credentials (i.e., name, usernames and passwords) for PERM NCIRC system users, developers and administrators to control system access. Information collected, maintained and shared from the CMS processing system will be used by the PERM NCIRC system to: (1) support regulatory and policy functions performed within the Agency or by a contractor, consultant or grantee; (2) assist another Federal or state agency in the proper administration of the Medicare program, enable such agency to administer a Federal health benefits program, and/or assist Federal/state Medicaid programs within the state; (3) support constituent requests made to a Congressional representative; (4) support litigation involving the Agency related to this system; and (5) combat fraud and abuse in certain health benefits programs. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Payment Error Rate Measurement (PERM) system performs the following functions: Medical Reviews - Includes sampled Fee-for-Service (FFS) claims information, as part of the review of the provider’s medical record supporting the service(s) claimed, Code of Federal Regulations that are applicable to conditions of payment, and the State’s written policies to determine whether the service was medically necessary, reasonable, provided in the appropriate setting, billed correctly, and coded accurately. Information stored in the system required to perform payment error reviews include the following: name, phone number, mailing address, date of birth, patient's Health Insurance Claim Number (HICN), PERM NCIRC usernames and passwords, Medicaid and CHIP identification number, Medicaid and CHIP claims data, provider's medical records, claim numbers, managed care capitation payment data, and eligibility-related information on the Medicaid and CHIP beneficiaries included in the eligibility sample. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. | |
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
| How many individuals' PII in the system? | 10,000-49,999 |
| For what primary purpose is the PII used? | The system will only review the minimum personal data necessary to achieve the purpose of PERM program. The Personally Identifiable Information (PII) data is used for verifying individually identifiable claims information to calculate payment error rates for Medicaid and CHIP programs. User credential information is also used to gain access into the system to perform medical record reviews and for maintenance of the system by developers and administrators. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There is no secondary use for the PII in the system. |
| Describe the function of the SSN. | Not Applicable |
| Cite the legal authority to use the SSN. | Not Applicable |
| Identify legal authorities governing information use and disclosure specific to the system and program. | The authority for information use and disclosure within the system is given under the provisions of sections 1842, 1862(b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y(b), 1395kk), 5 U.S.C. 301 and departmental regulations. |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Medicaid Program and State Children’s Health Insurance Program Payment Error Rate Measurement (PERM), 09-70-0578 |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - The PERM NCIRC system does not collect PII or PHI directly from individuals receiving Medicaid and CHIP benefits. |
| Identify the sources of PII in the system: Government Sources | |
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | Not Applicable. The system does not collect PII directly from the public or individuals receiving Medicaid or CHIP benefits. The system only collects PII from non-government sources, such as system users, developers and system administrators (i.e., usernames and passwords). |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The PERM NCIRC system does not collect PII or PHI directly from individuals receiving Medicaid and CHIP benefits. The PERM NCIRC system retrieves Medicare records and claims directly from CMS systems, MMIS (Medicaid Management Information System) and TMIS (Transformed Medicaid Statistical Information System). Medicaid Management Information System (MMIS) and Transformed Medicaid Statistical Information System (TMIS) are covered by separate PIAs. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | PERM NCIRC conducts reviews of medical claims and medical records that originate from CMS processing systems, MMIS (Medicaid Management Information System) and TMIS (Transformed Medicaid Statistical Information System). Therefore, individuals who receive Medicaid and CHIP benefits and who want to opt out must contact the CMS processing systems in which the data originates. PERM NCIRC does collect PII from system users, developers and administrators. System users, developers and administrators cannot opt out of providing PII (username and password) because this information is required for system access. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | PERM NCIRC conducts reviews of medical claims and medical records that originate from CMS processing systems, MMIS (Medicaid Management Information System) and TMIS (Transformed Medicaid Statistical Information System). Therefore, the process to notify and obtain consent of individuals receiving Medicaid and CHIP benefits is a function of the originating CMS processing system. However, PERM NCIRC system users, developers and administrators are notified by email if there are any changes to the use of their PII. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | PERM NCIRC conducts reviews of medical claims and medical records that originate from separate CMS processing systems, MMIS (Medicaid Management Information System) and TMIS (Transformed Medicaid Statistical Information System). Therefore, individuals who receive Medicaid and CHIP benefits and who want to resolve concerns about how their PII and PHI are obtained, used, or disclosed must contact the CMS processing systems in which the data originates. However, PERM NCIRC system users, developers and administrators can contact the PERM NCIRC help desk for any issues related to their PII being inappropriately obtained, used, or disclosed, or to the PII being inaccurate. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | PII is collected by the CMS claims processing system prior to being sent to the PERM NCIRC system. Therefore, the accuracy and relevancy of the PII is a function of the CMS processing system. However, the PERM NCIRC system infrastructure provides secured and encrypted communications between all offices, as well as firewall protection against unauthorized intrusions. In addition, backups are performed daily so that critical data can always be recovered, ensuring data integrity, availability, accuracy and relevancy. |
| Identify who will have access to the PII in the system and the reason why they require access. | |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to PII in the PERM NCIRC system is based on pre-defined user roles that determine which permissions system users receive. The pre-defined user roles are approved by the CMS Access Administrator (CAA) to ensure that PERM NCIRC system users only have access to PII that corresponds with their job function. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | PERM NCIRC enforces the concept of least privilege to access PII data so that users can access only the minimum amount of PII needed to perform their job function. This is done through first determining the user’s role prior to account creation and then placing users in the appropriate organizational unit that has the predefined least privileges, such as access denied, read-only or edit. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Prior to accessing the PERM NCIRC system, all personnel are required to complete CMS Security Awareness and Privacy training, as well as sign a Security Policy Acknowledgement form to certify they understand their responsibility in protecting PII on the system. Users are also required to repeat this training on an annual basis. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | PERM NCIRC system users, developers and administrators are trained, at a minimum annually, on the appropriate incident handling and reporting procedures pertaining to the potential unauthorized disclosure of PII and PHI. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The PERM NCIRC system Information is retained off site at a secure storage facility for a period of 10 years, in accordance with the National Archives and Records Administration (NARA) guideline DAA-GRS-2013-0008-0001. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The PERM NCIRC system follows a number of administrative policies and procedures to protect PERM NCIRC PII. A detailed personnel screening process is performed prior to requesting or approving access to the PERM NCIRC system. All PERM NCIRC system personnel must then complete mandatory CMS Security Awareness and Privacy training, as well as sign a Security Policy Acknowledgement form to certify they understand their responsibility in protecting PII on the system. Follow-on training is required annually, or sooner in the event of a breach or security violation pertaining to PII. The PERM NCIRC system training covers a number of security related topics, which include ways to protect and store PERM NCIRC PII, different types of insider threats, and detailed incident response handling procedures. Lastly, all PERM NCIRC personnel must also sign a Rules of Behavior at the completion of their security training. The PERM NCIRC system is monitored using a number of automated security tools to detect any unauthorized user activity and to ensure user compliance. Personnel that fail to meet the PERM NCIRC security requirements, or those that violate the terms outlined in the Rules of Behavior, will have their user account and system privileges revoked. Federal Information Processing Standards (FIPS) 140-2/140-3 compliant encryption is used to protect PERM NCIRC PII. Perimeter firewalls are configured to encrypt data in transit and full-disk encryption is enabled to protect PERM NCIRC devices for data at rest. All PERM NCIRC users are uniquely identified and authenticated using CMS approved multifactor authentication tokens before accessing the PERM NCIRC system. In addition, all PERM NCIRC application sessions are configured to automatically log off after a specified (CMS defined) period of inactivity. PERM NCIRC facilities protect PII and sensitive data using a number of physical security controls. Only authorized personnel are allowed entry into PERM NCIRC facilities and must also badge in prior to gaining access. Audit logs are built into the access control system to monitor daily access at ingress and egress points. Security alarms installed at PERM NCIRC facilities detect unauthorized physical access. Server room access is further restricted to authorized PERM NCIRC administrators with the appropriate badge access. All facilities are equipped with sensors to detect fire and electrical issues resulting from environmental hazards and natural disasters, in which case the assigned Security Site Administrators (SSAs) are then notified. |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services