Medicare Appeals System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 5/23/2022
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-6757126-364033 |
Name: | Medicare Appeals System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Agency |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 1/17/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. |
|
Describe in further detail any changes to the system that have occurred since the last PIA. | None. |
Describe the purpose of the system | The purpose of the Medicare Appeals System (MAS) is to process and adjudicate Medicare appeals. MAS is the central system repository for Medicare Appeals and their related data. Currently, Level 1 Part A Medicare Administrative Contractors (MACs), Level 2 Qualified Independent Contractors (QICs), and Level 3 the Office of Medicare Hearings and Appeals (OMHA) use MAS to process and adjudicate Medicare Appeals. All relative appeals data, records, and supporting information is stored in MAS for these respective users. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | MAS collects and maintains beneficiary enrollment data, claim information, medical records, and contact information. Other CMS systems, covered by separate PIAs, provide beneficiary enrollment, claims and provider information to MAS. This information is used to record and adjudicate appeals of Medicare claims and services in dispute. These systems include the Medicare Beneficiary Database (MBD), Health Plan Management System (HPMS), Next Generation Desktop (NGD), and National Plan and Provider Enumeration System (NPPES). This information consists of: Name, Health Insurance Claim Number (HICN), Social Security Number (SSN), Address, Telephone Number, Date of Birth (DOB), Device Identifiers, X-ray results, Legal Documents, and Medical History documentation necessary to conduct a review of the appeal. MAS also collects and maintains provider data which consists of name, address, email address, and phone number. Information on system users includes user credentials, including username and password, for direct contractors to gain access to the system. These contractors include CMS Operations contractors and CMS system development and maintenance contractors. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | MAS is used as the system of record for the processing of Medicare Appeals. MAS stores beneficiary PII needed for the appeal adjudication process. The information needed for the adjudication process includes Name, Social Security Number (SSN), Health Insurance Claim Number (HICN), assigned provider number, Address, Telephone Number, Date of Birth (DOB), Device Identifiers, X-ray results, Legal Documents, Case Appeal Number, and Medical History documentation about beneficiaries/patients, and providers. MAS uses the HICN or MBI number to retrieve records from BIC. The information is used during the review process by Medicare Administrative Contractors (MACs), Qualified Independent Contractors (QICs), and Office of Medicare Hearings, and Appeals (OMHA). MAS also stores user credentials. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The primary purpose of the MAS is to collect and maintain information necessary to: (1) process level one, two and three appeal requests made by an appellant or appealing party; (2) track appeal data, including: status, type, history, timeliness, electronic case file, and decisions; and (3) respond to future correspondence related to the case. The primary purpose PII is used is by the Office of Medicare Hearings and Appeals (OMHA), CMS, and the CMS contractors (MACs and QICs) who review and adjudicate Medicare appeals. The PII is necessary to record and adjudicate the Medicare appeals. PII is collected and maintained within the MAS and not disclosed to external entities other than HHS, CMS, and respective contractors with the exception of decision notices which are provided to beneficiaries, providers, and suppliers. User's IDs are used to identify the user within the system and is stored along with password. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There are no secondary uses for which PII will be used, only use is for appeals processing. |
Describe the function of the SSN. | The SSN is not used by the system.
|
Cite the legal authority to use the SSN. | N/A |
Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for maintenance of the system is given under § 205 of Title II, §§ 1155 and 1156 of Title XI, §§ 1812, 1814, 1816, 1842, 1869, and 1872 of Title XVIII of the Social Security Act (the Act), as amended (42 United States Code (U.S.C.) sections 405, 1320c-4, 1320c-5, 1395d, 1395f, 1395h, 1395u, 1395ff, and 1395ii). Additional authority for this system is given under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Public Law (Pub. L.) 108-173). |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0566, Medicare Appeals System |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | N/A Exempt from OMB collection approval under statutory exemptions 32;3244U.S.C.§3518(c).335.C.F.R.1320.3(h) |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. | Within HHS: The PII is shared with the Office of Medicare Hearings and Appeals (OMHA) who are the Level 3 adjudicators of appeals. |
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | There are Memorandum(s) of Understanding (MOU), Interconnection Security Agreement(s) (ISA), and Joint Operating Agreement(s) (JOA) in place. MOU: Purpose is to establish an agreement between the QICs and OMHA. An MOU describes a bilateral or multilateral agreement between two (2) or more parties. It expresses a convergence of will between the parties, indicating an intended common line of action. It is often used in cases where parties either do not imply a legal commitment or in situations where the parties cannot create a legally enforceable agreement. It is a more formal alternative to a gentlemen's agreement and consists primarily of a Statement(s) of Work and an understanding between the parties that will be performing or receiving the work. An MOU is in place between OMHA and CMS to establish a formal governance, management, funding and provision of IT services in support of Medicare Appeals Activities. ISA: Purpose is to establish procedures for mutual cooperation and coordination between CMS and contractors regarding the development, management, operation, and security of a connection between CMS and the contractors. An ISA is intended to minimize security risk and ensure the confidentiality, integrity, and availability of CMS’s information to the contractor for the processing of appeals. An ISA is in place between OMHA and CMS pertaining to the specified technical and security requirements regarding the interconnection between OMHA's Electronic Case Adjudication and Processing Environment (ECAPE) and MAS. JOA: Reflects the joint responsibilities of the MACs and QICs to provide timely and accurate disposition of appeals and to set forth duties for coordination and communication with appellants and other parties. Including but not limited to secure communication of appeals information and when applicable PII. |
Describe the procedures for accounting for disclosures | Any access to MAS has to be requested and goes through a review process by CMS employees. Data within the system can only be accessed by approved users. Users access of the system is tracked. There are two levels we use to determine who has access to data within MAS: Role Based Access: Access to MAS is controlled through roles (managed by EUA). These roles map to a position and a responsibility. Responsibility provides restrictions on functionality available to a user. Position restricts data access for a user. So, this role will provide information on who has access to what data within MAS. User Auditing: Siebel (the underlying MAS tool) audits changes/edits to data within MAS and provides an ‘audit trail’ to see who has made changes. This is in addition to application and database logs which also provide insight into user activities. This Siebel audit trail provides additional data on who had updated any data within MAS. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Beneficiary, Provider, and Claim information is provided from MBD, NPPES, and NGD to MAS. Users are notified in the Enterprise User Administration (EUA) Application for Access to CMS Computer Systems request form that their information is being collected. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Beneficiaries and providers that want to appeal a payment decision opt in to providing their information by filing an appeal. The beneficiary's and provider's PII are required for appeal processing. Individuals are notified on the standard processing letters that the information provided will be used to further document their appeal and that submission of the information requested is voluntary, but failure to provide all or any part of the requested information may affect the determination of the appeal. System user credentials are mandatory for system access, so there is no option to opt-out. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | A beneficiary or provider consents to their PII being in the system when they appeal. Any changes to the rights of the individuals or how the system uses the information provided is presented to the individual at the time they submit their appeal. User Access information is collected and stored via Enterprise User Administration. Users are notified via email when a major system change occurs. The MAS System of Record Notice (SORN) will be modified and published for public comment and notification if any changes in the disclosure or use of PII occurs. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | MAS PII is obtained from other systems which verify appellant PII. These systems include the Medicare Beneficiary Database (MBD), Health Plan Management System (HPMS), Next Generation Desktop (NGD), and National Plan and Provider Enumeration System (NPPES). User PII is obtained contingent with employment with their respective companies. If there are concerns about user PII users can contact the MAS Help Desk. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Personally Identifiable Information with respect to beneficiaries is matched against the Medicare Beneficiary Database (MBD) for verification of integrity. MBD is the system of record and MAS users have the ability to pull data at any time to make sure what is attached to an appeal is the most current, up to date data CMS has for verification of accuracy. This data is accurate and relevant as long as the PII is updated in MBD. The data’s availability is supported through the system availability requirements. In the case of a disaster, this data can be restored from nightly backups within the target business restoration times. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The MAS has user based roles which are built with access requirements for job performance. Additionally, those user based roles are specific to regional access and dependent on geographical location. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The MAS uses role based access to limit information given to each user. The MAS created user based roles which are built with access requirements for specific job performance. Each user is granted the minimum level of access to complete their specific job within their specific jurisdiction. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Users are required to take all mandatory CMS Information Technology Security and Privacy Awareness Computer Based Training annually. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Personnel having access to the system have been trained in the Privacy Act and information security requirements. MAS role based security training is also available to all CMS support contractors using MAS. Direct contractors have additional internal security and privacy training in addition to CMS required trainings. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Records are maintained in a secure storage area with identifiers. Disposal occurs ten years after the final determination of the case is completed based on Disposition Authority N1-440-09-5, item 1B. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from Department of Justice DOJ. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Physical: Users are required to wear Identification Badges / Key Cards in order to gain access to the facilities. The user must then access the system through a Tier 1 line that is dedicated to CMS. Technical: Firewalls are in place to block unauthorized access. Role based access is also applied to the system giving users the least access necessary to complete their duties. Administrative: The user can only access the system with their CMS user ID and password. Users are only allowed to access their specified jurisdiction. User accounts are also role based to protect unnecessary access to PII. |