Medicare Authenticated Experience

The last PIA described the retrieval of data from BEDAP for presentation to the consumer and stated the data was not kept over 24 hours. That has changed, and Medicare Authenticated Experience (MAX) will now be retrieving the same data elements from BEDAP as before, in addition to storing it within MAX for use in predictive modeling to identify people who can benefit from Medicare benefits, including subsidy programs.
Additionally, name and address will be used to mail eligibility letters. Race, ethnicity, Medicare Beneficiary Identification (MBI) (ID) and Health Insurance Claim Number (HICN) will be used to categorize the individuals for outreach purposes. Geographic aggregate data from the Census will be used in predictive modeling and ingested into MAX for targeted outreach. A new data element, Medicare Beneficiary Outreach Indicator (MBOI) will identify beneficiaries with combined high-level geographic data from the Census and Beneficiary Experience Data Analytics Platform (BEDAP).

MAX does not collect Protected Health Information (PHI)/Personally Identifiable information (PII), it receives PHI/PII from the BEDAP system which is subsystem under Medicare Online Support System (MOSS) and returns this data to the consumer.

The following PII elements will be retrieved from MAX:
Unique alphanumeric identifier.

The following PII elements will be retrieved and stored from (BEDAP) system which is subsystem under Medicare Online Support System (MOSS):

Medicare Beneficiary Identification (MBI) or Health Insurance Claim Number (HICN), along with email address will be collected also with:
Name
Date of birth
Address
Zip code or city
Part A effective date

Part B effective date.
Medicare Online Support system (MOSS) does have its own PIA. Medicare Coverage Tools (MCT), BEDAP and Care Choice Experience (CCXP) are subsystem under MOSS.
MAX will retrieve the following PII from MOSS;
 MCT - application will interface with the CMS Health Plan Management System (HPMS) to obtain plan, drug and pharmacy data. MCT will store this data permanently in a database.

User zip code and county data logged in Splunk is archived and stored for 1 year should any audit of the system need to take place. Splunk is the enterprise SIEM (Security information and event management) tool used by CMS to collect and store security audit events. MCT will store/transmit the following PII/PHI: Beneficiary Name, Health Insurance Claim Number (HICN)/Medicare Beneficiary Identifier (MBI), and Drug Plan to/from external CMS system integrations. This data will be stored in a separate database from the HPMS collected data.

BEDAP: BEDAP stores PII/PHI about Medicare beneficiaries, including eligibility & enrollment, Medicare claims (including prescription drug events), digital services utilization, email interactions (subscribes/unsubscribes/clicks/opens), Short Message Service (SMS) interactions (subscribes/unsubscribes/replies), and call center contact history. In the future, BEDAP will also store data from the Federal Trade Commission (FTC) related to do-not-call list membership.

CCXP: The information being collected from data.medicare.gov is all facility information (address, phone, etc.) and some demographic information, all of which is public information.
 System administrators log on with a user ID and password. System administrators are CMS employees and direct contractors. Login credentials are maintained for as long as the system user requires access.)
Chronic Condition Data Warehouse (CCW) has its own PIA. The following elements will be retrieved from CCW: race, ethnicity, MBI and HICN. The data will be used to categorize the individuals for outreach messaging.

MAX will ingest Census variables listed in Appendix B which are following :
Feature
Median Household Income
Percent of Population below Poverty Level
Percent of Population under 18 below Poverty Level
Percent of Population 18-64 below Poverty Level
Percent of Population 65 and Older below Poverty Level
Median Mortgage Value
Percent of Mortgages Valued <$50K
Percent of Mortgages Valued $50-99K
Percent of Mortgages Valued $100-299K
Percent of Mortgages Valued $300-499K
Percent of Mortgages Valued $500-749K
Percent of Mortgages Valued $750-999K
Percent of Mortgages Valued >$1M
Percent of Population with <9th Grade Education
Percent of Population with Some High School Education
Percent of Population with High School Diploma
Percent of Population with Some College Education
Percent of Population with Associate Degree
Percent of Population with Bachelor's Degree
Percent of Population with Postgraduate Degree
Area Deprivation Index
Rural-Urban Continuum Code
Total Population for whom Poverty Is Determined
Total Population below Poverty Level
Total Population below 125% Poverty Level
Total Population below 150% Poverty Level
Total Population below 185% Poverty Level
Total Population below 200% Poverty Level
Percent of Population Receiving SNAP
Percent of Population with an Internet Subscription
Percent of Population Insured
Percent of Population with SSI
Percent of Population with Annual Income <$10K
Percent of Population with a Computing Device
Percent of Noninstitutionalized Population with a Disability
Percent of Population Receiving Cash Public Assistance
That are geographic high-level data to create statistical reporting about populations. The data does not identify individuals and contain no PII.

The products delivered under the MAX task order will provide a personalized Medicare experience, focusing on individual Medicare beneficiaries, and be part of a broader integrated website that offers digital products across multiple channels and enables beneficiaries to explore their care choices, explore and enroll in health plans, participate in outreach and read and print important Medicare information.

Sharing Medicare Online Support System (MOSS)/ Subsystems under MOSS (BEDAP, Medicare Coverage Tools (MCT), Care Choice Experience (CCPX)), Internet Service (ISERV) and Medicare Beneficiary Portal (MBP), and sharing the data with only the customer (Beneficiary).

BEDAP: BEDAP stores PII/PHI about Medicare beneficiaries, including eligibility & enrollment, Medicare claims (including prescription drug events), digital services utilization, email interactions (subscribes/unsubscribes/clicks/opens), Short Message Service (SMS) interactions (subscribes/unsubscribes/replies), and call center contact history. In the future, BEDAP will also store data from the Federal Trade Commission (FTC) related to do-not-call list membership.
MCT - application will interface with the CMS Health Plan Management System (HPMS) to obtain plan, drug and pharmacy data. MCT will store this data permanently in a database.
User zip code and county data logged in Splunk is archived and stored for 1 year should any audit of the system need to take place. Splunk is the enterprise SIEM (Security information and event management) tool used by CMS to collect and store security audit events.

MCT - will store/transmit the following PII/PHI: Beneficiary Name, HICN/MBI, and Drug Plan to/from external CMS system integrations. This data will be stored in a separate database from the HPMS collected data.

CCXP - The information being collected from data.medicare.gov is all facility information (address, phone, etc.) and some demographic information, all of which is public information.
 

System administrators log on with a user ID and password. System administrators are CMS employees and direct contractors. Login credentials are maintained for as long as the system user requires access.)

The following PII elements will be retrieved and stored from BEDAP and MOSS systems (listed above):
name
date of birth
address
zip code or city
Part A effective date
Part B effective date.

During normal operations MAX authorized personnel does not access/use data or any personal identifiers to retrieve records held in the system except for a security/incident research and/or mitigation in the event of an incident.
MAX will retrieve records using a unique alphanumeric identifier. MAX does use MBI to access personal records PII, originally from BEDAP, but only data in the system on behalf of the authenticated beneficiary/user.
MAX personnel are not using data other than when providing maintenance or data validation i.e, checking on a cache record or manually testing a BEDAP exchange. The data/cache is stored during the life of the user's session/activity.
Race, ethnicity, Medicare Beneficiary Identification (MBI) (ID) and Health Insurance Claim Number (HICN) will be used to categorize the individuals for outreach purposes.

Geographic high-level data from Census, listed in Appendix B, will be used in predictive modeling and combined with existing PII in Appendix A to create a new data element Medicare Beneficiary Outreach Indicator (MBOI) designed to identify target audiences to improve outreach on available Medicare benefits. MBOI will be displayed as a score.

• Name
• E-Mail Address
• Date of Birth
• Mailing Address
• Other - Master Beneficiary Identifier (MBI) and/or Health Insurance Claim Number (HICN). Unique alphanumeric identifier. These elements will be retrieved from the MOSS-BEDAP System: Address, Zip code or City, Part A Effective date, Part B Effective date, date of birth, MBOI and email. Reference data elements listed in Appendix A. Race and Ethnicity.

• Employees
• Public Citizens
• Vendors/Suppliers/Contractors
• Other - Member of the public/ Medicare Beneficiaries.

MAX utilizes the following elements to retrieve beneficiary information to provide personalized beneficiary experience when viewing Medicare information on the website.    

Medicare Beneficiary Identification (ID) (MBI) or Health Insurance Claim Number (HICN), along with email address will be collected also with:

last name
date of birth

Address

zip code or city
 Part A effective date 
 Part B effective date.

Race

Unique alphanumeric identifier

MBOI

MAX uses PII elements in predictive modeling to identify people who can benefit from Medicare benefits, including subsidy programs. Reference data elements listed in Appendix A.
MAX utilizes name and address to mail eligibility letters.

• Online

• Within the OPDIV

• Members of the Public
• Other - Medicare Beneficiaries.

Title: Medicare Authorization to Disclose Personal Health Information (CMS-10106)

OMB#: 0938-0930

Expires: November 30, 2025

A Privacy Act Statement is made available to individuals during the account creation process and within the Privacy Policy of the website. In addition, the following language is listed in the Privacy Policy for each website:
Privacy Policy -This link opens a new window or tab. that takes the user here - https://www.medicare.gov/privacy-policy.

 CMS websites do not collect any Personally Identifiable Information (PII) about individuals during their visit unless they choose to provide it to us.

CMS has a National Institute of Standards and Technology (NIST) compliant continuous monitoring program to ensure system integrity, availability, accuracy, and relevancy.

The source data for MAX is contained within BEDAP sub-system of MOSS. MOSS has its own PIA.  

All web transactions and software functions are logged, and logs are aggregated into Splunk and stored for 1 year should any audit of the system need to take place.

All logs in Splunk are reviewed for anomalies by the MAX team.

• Administrators: The CMS employee and direct contractors have access to PII to generate a list of system users and manage and assign access to MAX system.
• Contractors: Only to ensure data Confidentiality, Integrity and Availability and only if they have approved/authorized access, Direct contractors have administrative rights in order access PII to complete their system development and operation tasks.
• Others Explanation: Individuals authorized to act on the behalf of the Beneficiary - to use the system as intended

CMS uses role-based access controls to ensure administrators and contractors are granted access on a "need-to-know" and "need-to-access" commensurate with their assigned duties. CMS grants access to those the accounts.

This is a shared responsibility between CMS and contractors, Oddball, Blast Analytics and (Amazon Web Services) AWS - 
Oddball and Blast Analytics requests access through CMS for an account, once the account is received, 
Oddball and Blast Analytics authorized users only System Administrators, developers, direct contractors, etc. for the MAX system then requests access to AWS to use AWS resources needed to maintain the system. 

There are three methods for restricting access.

First, is to program user interfaces to limit the display of PII to only those elements needed to perform specific tasks. Second, is to limit the transmission of Personally Identifiable Information (PII) to validate information rather than copy or pull information from another authoritative source. Third, is to implement role-based access controls and auditing to ensure those with access have a "need-to-know" and "need to access".

MAX follows the CMS Records Schedule, which is aligned with the National Archives Records Administration (NARA) Records Control Schedule 

Systems and Data Security Records
 DAA-GRS-2013-0006-0001- Destroy 1 year(s) after system is superseded by a new iteration or when no longer needed for agency/
IT administrative purposes to ensure a continuity of security controls throughout the life of the system.

Systems Not Requiring Special Accountability for Access 
DAA-GRS-2013-0006-0003 - Destroy 1 year(s) after user account is terminated or password is altered or when no longer needed for investigative or security purposes, whichever is appropriate; and 

Beneficiary Records
DAA-0440-2015-0007-001 - Bucket 5 Beneficiary Records - Beneficiary Records - Disposition Authority Number: DAA-0440-2015-0007-0001 - Retention - Destroy no sooner than 10 years after cutoff but longer retention is authorized. 

MAX follows the Data Destruction Standards prescribed in NIST Special Publication (SP) 800-88.

Persistent Cookies

Other - Google Analytics and Tealium. Tealium may collect PII if a user has explicitly opted in. Web Usage stats via New Relic which is used as an application monitoring tools - No PII is collected.