
Medicare Enrollment and Premium Billing System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 5/22/2023

PIA Information for the Medicare Enrollment and Premium Billing System
PIA Questions | PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-6780845-366760

Name:

Medicare Enrollment and Premium Billing System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

1/17/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

  • PIA Validation (PIA Refresh/Annual Review)

  • Other - Transition of Medicare Administrative Issue Tracker and Reporting of Operations (MAISTRO) to ELMO.

Describe in further detail any changes to the system that have occurred since the last PIA.

As part of the CMS Modernization Project the Medicare Enrollment and Premium Billing Systems (MEPBS) Eligibility and Enrollment Online (ELMO) has migrated most of its legacy applications including the Medicare Beneficiary Database Suite of Systems (MBDSS) and Enrollment Database Suite of Systems (EDBSS) from the Mainframe in the Baltimore Data Center (BDC) to the CMS Amazon Web Services Cloud Enclave.  The goal of the modernization project is to utilize a highly available and scalable Amazon Web Services (AWS) cloud-based platform to make Medicare Beneficiary Information available in real time to various Medicare systems and business partners. The Modernization Project started in 2019 and was completed in July 2023.  

The first phase towards modernization was to eliminate redundant user interfaces for EDBSS and MBDSS and combine them into a single Eligibility and Enrollment Medicare Online User Interface (ELMO UI). The next phase consisted of establishing the ELMO Beneficiary Information on the Cloud (BIC) in AWS. BIC is a strategic CMS initiative to minimize and eventually eliminate redundancy, latency and inconsistency in beneficiary information used by systems and business partners supporting the Medicare Program. The last phase fully migrated the BDC's Common Medicare Environment (CME) DB2 database to PostgreSQL hosted in the AWS US-East-1 cloud environment. This cloud-based source of beneficiary information provides real time access to current beneficiary information. Legacy batch data feeds and redundant copies of beneficiary information across the Medicare Program are being progressively eliminated. The scope of the data transformations for this project includes CME, MBDSS, and EDBSS data structures. All beneficiary claims and data processing now occur in the AWS cloud environment.

The BIC-based repository will be accessible to authorized partners via an Application Programming Interface (API). API keys are assigned to each partner connection and source IP addresses are restricted using security groups.  A Trusted Partner model for partner end user-level access control is utilized, which is administered by the partner. 

The Medicare Administrative Issue Tracker and Reporting of Operations (MAISTRO) transitioned to ELMO in Q3 2023. The MAISTRO system provides a cloud-based mechanism for CMS’ central and regional offices to capture, track, manage, report and trend inquiries, complaints and issues related to Fee-for-Service. 

Peraton Corporation is the Application Development Organization (ADO) for ELMO.  ADO contractors are granted limited access to PII that is collected, maintained and shared in the system by the ELMO Contracting Officer’s Representative  (COR). This access is granted on a “need-to-know” basis and only for performance of contractual work responsibilities.  

Describe the purpose of the system

The Eligibility and Enrollment Medicare Online (ELMO) application provides access to the authoritative sources of beneficiary information and services provided by the ELMO subsystems Enrollment Database (EDB) and the Medicare Beneficiary Database Suite of Systems (MBDSS). These systems are the source of information for individuals who have been determined eligible to receive Medicare and includes data on plan enrollments, beneficiary population, and changes to beneficiary demographics, and is the single resource for managing Medicare entitlements, billing and management of Medicare Secondary Payer payments.

MAISTRO provides a mechanism for CMS’ central and regional offices to capture, track, manage, report and trend inquiries, complaints and issues related to Fee-for-Service. MAISTRO provides consistency when tracking, resolving, and reporting FFS inquiries, complaints and issues on a national level such that trends, workloads and systemic issues can be identified and managed appropriately across the organization.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

Information is collected on individuals age 65 or over who have been, or currently are entitled to health insurance (Medicare) benefits under Title XVIII of the Act or under provisions of the Railroad Retirement Act; individuals under 65 who have been, or currently are entitled to such benefits on the basis of having been entitled for not less than 24 months to disability benefits under Title II of the Act or under the Railroad Retirement Act; individuals who have been, or currently are entitled to such benefits because they have End Stage Renal Disease; individuals age 64 and 8 months or over who are likely to become entitled to health insurance (Medicare) benefits upon attaining age 65; and individuals under age 65 who have at least 21 months of disability benefits who are likely to become entitled to Medicare upon the 25th month of their being disabled. It also collects and maintains information on a Medicare beneficiary's enrollment in a Medicare Advantage Plan. The system contains information on Medicare enrollment and entitlement and Medicare Secondary Payer data. The Medicare Secondary Payer data contains other third-party liability insurance information necessary to ensure appropriate Medicare claim payment. It contains hospice election, Direct Billing and Third-Party Premium collection information; group health plan enrollment data; an individual's health insurance number and beneficiary identifier; name, geographic location, race/ethnicity, sex and date of birth.

It also contains the Social Security Number (SSN) and Medicare Beneficiary Identifier (MBI) as part of the Medicare beneficiary's claim number that uniquely identifies the beneficiary's relationship to the primary Social Security Administration or Railroad Retirement Board wage earner to justify the entitlement to Medicare benefits. Additionally, other types of Personal Identifiable Information (PII) are collected that identify a beneficiary, such as Social Security Number, Medicare Beneficiary Claim Number, Medicare Beneficiary Identifier, First and Last Name, State, County, Bank Account, Email, Military Status, Mailing Address, Railroad Retirement Board number, Medicare Contractor Information, and Date of Birth to determine Medicare eligibility and enrollment status. This identifying information is collected and shared with other agencies, including the Social Security Administration (SSA),  Internal Revenue Service (IRS), Railroad Retirement Board (RRB) and State Agencies.

MAISTRO collects and contains information such as a beneficiary’s name, address data, health insurance claim number (HICN), Medicare Beneficiary Identifier (MBI), demographic information (sex, date of birth), provider name, address data and provider identification number (NPI), provider organization information, contact person information, employer identification numbers, and certain optional data such as Social Security Numbers and other provider identifiers used by these health care providers. 

Peraton is the Application Development Organization (ADO) and System Maintainer for ELMO.  Peraton Direct Contractors are granted limited access to PII that is collected, maintained and shared in the system by the Eligibility and Enrollment Medicare Online Contracting Officer Representative. This access is granted on a “need-to-know” basis and only for performance of contractual work responsibilities. Direct Contractors access the system using multi-factor authentication credentials consisting of a User Identification, password and one-time password or soft-token.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The following information is used to determine an individual's entitlement and eligibility for Medicare: information collected on individuals age 65 or over who have been, or currently are entitled to health insurance (Medicare) benefits under Title XVIII of the Act or under provisions of the Railroad Retirement Act; individuals under age 65 who have been, or currently are entitled to such benefits on the basis of having been entitled for not less than 24 months to disability benefits under Title II of the Act or under the Railroad Retirement Act; individuals who have been, or currently are entitled to such benefits because they have End Stage Renal Disease; individuals 64 and 8 months or over who are likely to become entitled to health insurance (Medicare) benefits upon attaining age 65; and individuals under age 65 who have at least 21 months of disability benefits who are likely to become entitled to Medicare upon the 25th month of their being disabled.

Authorized ELMO users retrieve beneficiary records using PII which includes Social Security Number, Medicare Beneficiary Claim Number, Medicare Beneficiary Identifier, First and Last Name, State, County, Bank Account, and Date of Birth to determine Medicare eligibility and enrollment status.

The Eligibility and Enrollment Medicare Online uses Personal Identifiable Information (PII) to retrieve system records including using Social Security Numbers, Medicare Beneficiary Claim Number, Medicare Beneficiary Identifier, First and Last Name, State, County, Bank Account, and Date of Birth.

The information on those entitled and enrolled in Medicare is used to administer and pay for benefits provided to a Medicare beneficiary. The Medicare Secondary Payer data that contains other third-party liability insurance information is used to ensure appropriate Medicare claim payment, and that Medicare does not pay for service for which another health plan is responsible. The hospice election is used to annotate a beneficiary's election for hospice services. Direct Billing and Third-Party Premium collection information is used by the program to know which beneficiaries need to be billed for billing premium payments. The group health plan enrollment data is used to manage a beneficiary's enrollment in a Medicare Part C and Part D health plan. The individual's health insurance number and beneficiary identifier are used to identify and track the individual by a unique identifier assigned to the beneficiary. Name, geographic location, race/ethnicity, sex and date of birth are personal identifiers of beneficiaries used by the program to ensure benefits are being administered for the appropriate individual.

The Medicare beneficiary enrollment and entitlement information is used to know who is enrolled in Medicare so that payments to health care providers can be made. User identification and passwords on internal and external business partners that interact with the Centers for Medicare and Medicaid Services to conduct payment and health care operational activities are maintained in order to ensure those that need to interact with the enrollment system to conduct work are appropriately authorized. For the Eligibility and Enrollment Medicare Online User Interface, the Centers for Medicare and Medicaid Services Identity Management handles provisioning and authentication of users accessing the Eligibility and Enrollment Medicare Online subsystems through the Centers for Medicare and Medicaid portal. This involves identity proofing and use of multi-factor authentication in order to be granted access to the Eligibility and Enrollment Medicare Online application. User identification and passwords are the initial credentials required for the authorization process. The Portal team further authenticates users by providing a code or one-time password using one of several methods:
(1) A recognized device (computer, phone, tablet)
(2) SMS Text Message
(3) Interactive Voice Response
(4) Email
(5) Soft Token
The Social Security Number is part of the Medicare beneficiary's claim number that uniquely identifies the beneficiary's relationship to the primary Social Security Administration or Railroad Retirement Board wage earner to justify the entitlement to Medicare benefits.
Authorized CMS employees, external partners and direct contractors use multi-factor authentication credentials consisting of a User ID, password and one-time password (OTP) or token to access the ELMO system.

The ELMO Beneficiary Information on the Cloud (BIC) is a strategic CMS initiative to minimize and eliminate redundancy, latency and inconsistency in beneficiary information used by systems and business partners supporting the Medicare Program. Migration to the AWS cloud was completed in July 2023 when the Common Medicare Environment (CME) DB2 database fully transitioned to the AWS PostgreSQL database. The goal of the modernization project is to utilize a highly available and scalable Amazon Web Services (AWS) cloud-based platform to make Medicare Beneficiary Information available in real time to various Medicare systems and business partners. This cloud-based source of beneficiary information provides real time access to current beneficiary information and progressively eliminates legacy batch data feeds and redundant copies of beneficiary information across the Medicare Program. The scope of the data transformations for this project includes CME, Medicare Beneficiary Database (MBD), and EDB data structures. The MAISTRO system transitioned to the ELMO AWS environment in Q3 2023.

MAISTRO collects and maintains information needed to provide a mechanism for CMS’ central and regional offices to capture, track, manage, report and trend inquiries, complaints and issues related to Fee-for-Service (FFS) programs. The system collects and contains information such as a beneficiary’s name, address data, health insurance claim number (HICN), Medicare Beneficiary Identifier (MBI), demographic information (sex, date of birth), provider name, address data and provider identification number (NPI), provider organization information, contact person information, employer identification numbers, and certain optional data such as Social Security Numbers and other provider identifiers used by these health care providers. Beneficiary information will be stored and retained in accordance with the appropriate NARA retention schedule.

The BIC-based repository will be accessible to authorized partners via an Application Programming Interface (API). API keys are assigned to each partner connection and source IP addresses are restricted using security groups.  A Trusted Partner model for partner end user-level access control is utilized, which is administered by the partner.

Peraton direct contractors are granted limited access to PII that is collected, maintained and shared in the system by the ELMO COR. This access is granted on a “need-to-know” basis and only for performance of contractual work responsibilities. Administrative users authenticate to the BIC environment using an Information Technology Operations (ITOPS)-issued user ID that matches the CMS Enterprise User Administration (EUA) ID; and Multi-factor Authentication.  ITOPS is an AWS contractor that will manage the provisioning of the AWS infrastructure and instances up to the operating system level. Access to BIC is granted to Direct Contractor developers and testers using Multi-Factor Authentication on the CMS Cloud virtual private network (VPN).

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Military Status
  • Date of Birth
  • Mailing Address
  • Financial Account Info
  • Other - Medicare Beneficiary Identifier, Sex, Railroad Retirement Board Number, Medicare Contractor Information, Medicare Entitlement Information, Medicare Eligibility Information, Race, Prescription Drug Coverage Information, Incarceration Status, Medical Diagnosis Information, Financial Institution Information, User Name, Password, Cell Phone Number, Email Addresses

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Public Citizens

  • Vendors/Suppliers/Contractors
  • Other - Medicare beneficiary's Representative Payee

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

The primary purpose of the Personal Identifiable Information in the system is to maintain information on Medicare enrollment for the administration of the Medicare program, including the following functions: ensuring proper Medicare enrollment, claims payment, Direct Billing and Third-Party premium collection, coordination of benefits by validating and verifying the enrollment status of beneficiaries and validating and studying the characteristics of persons enrolled in the Medicare program in order to improve the program.

MAISTRO collects and maintains information needed to provide a mechanism for CMS’ central and regional offices to capture, track, manage, report and trend inquiries, complaints and issues related to Fee-for-Service (FFS) programs. MAISTRO enables consistent tracking, resolving, and reporting of FFS inquiries, complaints and issues on a national level such that trends, workloads and systemic issues can be identified and managed appropriately across the organization.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

Secondary uses include work done by developers, system administrators and contractors working on behalf of the agency to conduct analysis to improve system operations and system development tasks. Additionally, external researchers may be authorized by the Centers for Medicare and Medicaid Services Privacy Board to analyze enrollment personal identifiable information to develop improvements to the Medicare program of its beneficiaries.

Describe the function of the SSN.

The Social Security Number was used as part of the beneficiary's claim number that uniquely identifies the beneficiary's relationship to the primary Social Security Administration or Railroad Retirement Board wage earner to justify the entitlement to Medicare benefits. The Medicare Beneficiary Identifier (MBI) is now used as part of the claim number, and has replaced the SSN on beneficiaries' Medicare cards.

Cite the legal authority to use the SSN.

Section 1811. [42 U.S.C. 1395c] of the Social Security Act created the legal authority for use of the social security number. The Medicare insurance program for which entitlement is established by sections 226 and 226A provides basic protection against the costs of hospital, related post-hospital, home health services, and hospice care in accordance with this part for (1) individuals who are age 65 or over and are eligible for retirement benefits under title II of this Act (or would be eligible for such benefits if certain government employment were covered employment under such title) or under the railroad retirement system, (2) individuals under age 65 who have been entitled for not less than 24 months to benefits under title II of this Act (or would have been so entitled to such benefits if certain government employment were covered employment under such title) or under the railroad retirement system on the basis of a disability, and (3) certain individuals who do not meet the conditions specified in either clause (1) or (2) but who are medically determined to have end stage renal disease.

Identify legal authorities governing information use and disclosure specific to the system and program.

Legal Authorities for information use and disclosure of information in the system are governed by 45 CFR 164.502, The E-Government Act (Public Law 107-347, §208), Office of Management and Budget Circular A-130/ FR Document 2016-17872, Privacy Office of Management and Budget Act: §552a(b)(1). 
Section 1862 of the Social Security Act was an authority in the published System of Record. We included section 1862 in the modified System of Record since we do maintain a limited number of data elements in the Enrollment Database pertaining to Medicare Secondary Payer. Authority for maintenance of the system section 1870 of the Act was included in the modified system since the Enrollment Database maintains data regarding direct billing for Medicare premiums.
Internal Revenue Service: Section 6055 of the Affordable Care Act is the legal authority that permits the reporting of Minimum Essential Coverage information of all Part A eligible beneficiaries as of March 2016.

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Enrollment Data Base: System of Record# 09-70-0502              

Medicare Beneficiary Database Suite of Systems: System of Record# 09–70–0536

Medicare Administrative Issue Tracker and Reporting of Operations (MAISTRO) System of Record No. 09–70–0598 

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Other - No Personal Identifiable Information comes directly from an individual

Identify the sources of PII in the system: Government Sources

  • Other HHS OPDIV

  • State/Local/Tribal
  • Other Federal Entities
  • Other - BUSINESS PARTNERS/CONTACTS (FEDERAL, STATE, LOCAL AGENCIES): Social Security Administration, Office of Personnel Management, Pay.Gov, IRS.Gov, Healthcare.gov, Federal Marketplaces

Identify the sources of PII in the system: Non-Government Sources

  • Private Sector

  • Public Media/Internet
  • Other - Non-Government State Medicaid Agencies, Private Third-Party Groups, Prisoner Update Processing System, 1-800-Medicare (Next Generation Desktop); VENDORS/SUPPLIERS/CONTRACTORS: Medicare Easy Pay System/LockBox Bank Remittance System; Other Federal Agency/Agencies; State or Local Agency/Agencies; Private Sector Insurance Plans

Identify the OMB information collection approval number and expiration date

N/A

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Within HHS: Beneficiary identifying information and health information is shared with Common Working Files, Healthcare Integrated General Ledger Accounting System, Renal Management Information System and other Centers for Medicare and Medicaid Service data partners to carry out the required functions of administering the Medicare program.

    MAISTRO collects and maintains information needed to provide a mechanism for CMS’ central and regional offices to capture, track, manage, report and trend inquiries, complaints and issues related to Fee-for-Service (FFS) programs. Information maintained in MAISTRO is disclosed to support regulatory, reimbursement, and policy functions performed within the Agency or by a contractor, consultant or CMS grantee.

  • Other Federal Agency/Agencies: Beneficiary identification information is received from Social Security Administration and Railroad Retirement Board. Beneficiary information is shared with the Office of Personnel Management and with Department of Treasury for the purpose of making and verifying Medicare premium payments.  Beneficiary Identification Information is shared with the Internal Revenue Service for the reporting of health insurance coverage under the Affordable Care Act, as well as the Healthcare.gov Health Insurance Marketplace.

    Information maintained in MAISTRO is disclosed to other Federal agencies to facilitate research on the quality and effectiveness of care provided, as well as epidemiological projects;  support litigation involving the Agency; and combat fraud, waste, and abuse in certain health benefits programs.

  • Private Sector: External Partners
  • State or Local Agency/Agencies: Third-party and State Phasedown information is shared with state Medicaid agencies for the purpose of determining federal and state responsibility for Medicaid health insurance premiums.

    MAISTRO discloses information to state agencies, agencies of a state government, an agency established by state law, or its fiscal agent to facilitate research on the quality and effectiveness of care provided, as well as epidemiological projects; support litigation involving the agency; and combat fraud, waste, and abuse in certain health benefits programs.

  • Within HHS Private Sector

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

Computer Matching Agreement and Exchange Agreement.
Internal Revenue Service: Section 6055 of the Affordable Care Act is the legal authority that permits the reporting of Minimum Essential Coverage information of all Part A eligible beneficiaries as of March 2016.

Interconnection Security Agreements:

  • CMS AND PERATON CORP. (CONTRACTING ORGANIZATION / ADO)
  • CMS Identity Management (IDM) MOU and ELMO
  • CMS and Office of Personnel Management (OPM)
  • CMS ELMO and Social Security Administration (SSA)
  • CMS EDB and Center for Program Integrity (CPI)/Thomson Reuters
  • CMS and Dept. of Treasury (DOT)

CMS Memorandum of Understanding:

  • CMS ELMO Beneficiary in the Cloud (BIC) Interface to Marketplace

Data Use Agreement (DUA) 27773:

  • CMS AND PERATON CORP. (CONTRACTING ORGANIZATION)
  • HIGLAS - HIGLAS-PAYMENT DATA
  • AMBFLE - AMBULANCE FILE (BENE LEVEL)
  • ESRD - END STAGE RENAL DISEASE DATA
  • TPBD - THIRD-PARTY BILLING DATA
  • CWF - COMMON WORKING FILE
  • DDPS - DRUG DATA PROCESSING SYSTEM
  • EDB - ENROLLMENT DATABASE
  • HPMS - HEALTH PLAN MGMT SYS
  • MARX - MEDICARE ADVANTAGE AND PRESCRIPTION DRUG PLAN SYSTEM
  • MAS - MEDICARE APPEALS SYSTEM
  • MEDHTL - 1 800 MEDICARE HELPLINE
  • NGD - NEXT GENERATION DESKTOP
  • RDS - RETIREE DRUG SYSTEMS
  • SSA - SOCIAL SECURITY ADMINISTRATION
  • RRB (Railroad Retirement Board)
  • DOT (US Department of Treasury)
  • MPCC (Medicare Premium Collection Center)
  • OPM (Office of Personnel Management)
  • MCSC (Medicare Customer Service Center)

Describe the procedures for accounting for disclosures

The disclosure and use of Personally Identifiable Information is tracked through the Data Use Agreement process. All Data Use Agreements have an initial expiration date of no more than 365 days from the creation date. All Data Use Agreements must be re-validated annually by the Data Use Agreement Requestor stating that the data continues to be needed for their Project/Study as originally requested. All Data Use Agreement extensions will be granted for no more than 365 days from the date approved by the Data Use Agreement office. The Enrollment Database keeps track of the Data Use Agreements by ensuring that only authorized users (recipients) are granted access to the data by adding these individuals via the Data Use Agreement addendum process; and terminated users are removed via the Data Use Agreement removal request process. The Enrollment Database Data Use Agreement recipients and data files are reviewed and re-validated at least annually. All Data Use Agreement requests and extensions are submitted by the requestor/custodian listed on the Data Use Agreement and must be approved by the Centers for Medicare and Medicaid Service Enrollment Database Government Task Lead/Contracting Officer Representatives.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The Centers for Medicare and Medicaid Services is required to give individuals notice telling them how the Centers for Medicare and Medicaid Services may use and disclose their personal medical information. Individuals are made aware in the "Medicare and You Handbook" published yearly and sent out to each Medicare beneficiary.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

An individual that enrolls into Medicare is provided notice. They can "opt out" of Medicare Part B by choosing not to participate and having premiums collected.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

For purposes of access, the subject individual should write to the system manager who will require the system name, address, date of birth, and sex, and for verification purposes, the subject individual’s name and the Medicare Beneficiary Identifier. Individuals are notified when the purpose for collecting the information has changed from what was originally authorized. This is described in the Medicare and You Handbook. Additionally, individuals can access the http://www.mymedicare.com/privacy-policy/ website for more current information on privacy practices.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Individuals can write to the following address:

Privacy Complaints
Post Office Box 8050
United States Department of Health and Human Services
Centers for Medicare & Medicaid Services
7500 Security Boulevard
Baltimore, Maryland 21244-1850

Also, individuals can call 1-800-Medicare with all inquiries.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

A significant source of data in the Eligibility and Enrollment Medicare Online is provided by the Social Security Administration. Other data sources include State Medicare agencies, Part B penalty only groups, Office of Personnel Management, Railroad Retirement Board, and the Department of Treasury. The Eligibility and Enrollment Medicare Online adheres to the Centers for Medicare and Medicaid Services Risk Management Handbook for Privacy, Privacy-Enhanced System Design and Development, which requires the following actions at least every 365 days: re-validating, to the greatest extent practicable, that the personally identifiable information collected is accurate, relevant, timely, and complete via the Privacy Impact Assessment process; re-validating Personally Identifiable Information directly from the individual to the greatest extent practicable (for the Eligibility and Enrollment Medicare Online this is not applicable); checking for and correcting as necessary any inaccurate or outdated Personally Identifiable Information used by its programs or systems, as directed by the Department of Health and Human Services Data Integrity Board; and issuing guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Read, modify Medicare entitlement/enrollment and billing data. Validation & quality assurance of information on the Medicare Beneficiary Database Suite of Systems.
  • Administrators: Managing data. Monitoring and controlling access. Provide support for program development, maintenance, and operational support.
  • Developers: Read, modify and develop processes. Test, validate and maintain programs.
  • Contractors: Direct contractors can read, modify and develop processes. They also perform testing, validation, quality assurance, documentation of programs; provide support for systems development and system operations.
  • Others - State: As stated in the System of Records for each application.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

For new contract staff, onboarding is handled through the Centers for Medicare and Medicaid Services Enterprise User Administration Front End Interface. Requests must be approved by the Request for Access to the Centers of Medicare and Medicaid Applications approver for further processing. That request must be approved by the Government Task Lead for that contract before the request is sent to the Project Officer for approval. The Centers for Medicare and Medicaid Services user identification does not, on its own, provide any access; however, role-based Resource Access Control Facility rules are applied to the Centers for Medicare and Medicaid Services user identification, as approved by the Government Task Lead, and according to the role this employee is assigned and the data elements they will need to access in order to fulfill their job duties.

For Beneficiary in the Cloud (BIC), which is hosted on the CMS Amazon Web Services Cloud Enclave, External Partners are granted access from the Internet via the BIC API. The BIC API external endpoint (bic.cms.gov) is set up on Amazon API Gateway. External access is restricted by whitelisting IP addresses of authorized partners using resource policies. The API Gateway endpoint connects to a secure endpoint within the BIC Web zone using Amazon VPC Private Link. An API Key issued by BIC is required for access and authorization to specific services at the API Gateway level as well as the BIC API Server level. In addition, the BIC API Server uses the API Key to restrict access to specific types of beneficiary data based on the partner’s authorization profile.


For BIC API Consumers or Internal Partners (via CMSNet): Access to the BIC API for CMS internal systems is permitted via an endpoint in the BIC Application zone. Virtual Routing and Forwarding (VRF) from a CMSNet IP address is required to the appropriate security groups attached to the endpoint. An API Key issued by BIC is required for access and authorization to specific BIC API services and types of beneficiary data requested. Access is granted to developers and testers using Multi-Factor Authentication on the CMS Cloud VPN. Access to EC2 instances is only permitted using AWS Security Token Service and Secure Shell (SSH) keys. These tokens expire every 12 hours.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Staff that work on the Eligibility and Enrollment Medicare Online only have access to data elements that are maintained by the system and those data elements which are included in the Centers for Medicare and Medicaid Services Common Medicare Environment. Once a Centers for Medicare and Medicaid Services user identification is issued, Request for Access Form rules are applied, scrutinized and approved by the contract Government Task Lead before they are processed. Staff are not authorized to view data maintained by other areas unless valid justification is provided and a request is approved by the proper Centers for Medicare and Medicaid Services component contract officer. Once contract staff gain access to Personally Identifiable Information data, the viewing and handling of that data is subject to the Rules of Behavior that must be signed by all contract staff and their management. The Enrollment Database uses existing standard Centers for Medicare and Medicaid Services access controls to limit access to Personally Identifiable Information to only individuals and organizations authorized to do so. Access is provisioned via the Request for Access Form, Enterprise User Administration and Enterprise Identity Management facilities at the Centers for Medicare and Medicaid Services. Access is requested and approved by the Centers for Medicare and Medicaid Services as needed for specific roles belonging to the individual. The Centers for Medicare and Medicaid Services standard protections are in place to prevent unauthorized individuals and organizations from accessing the data, including physical protections as well as technical, administrative and management controls.

For BIC partners, the BIC API Server uses an API Key to restrict access to specific types of beneficiary data based on a partner’s authorization profile. There is no end user access to BIC. Administrative users authenticate to the environment using an ITOPS-issued user ID that matches the CMS EUA ID, and Multi-Factor Authentication. Access to instances is restricted through the cloud.cms.gov VPN and AWS Security Token Service (STS).

For partner authentication to the BIC environment, API keys are assigned to each partner connection and source IP addresses are restricted using security groups. A Trusted Partner model for end user-level access control is utilized, which is administered by the partner.

Authorization is achieved by using Access Roles based on the specific business process.  This allows controlled access to one or more beneficiary profile elements.  Partner connections will be assigned one or more access roles based on business need and their approved Data Use Agreement (DUA).
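The layered partner access check described above (source IP allow-listing, a per-partner API key, and access roles that map to beneficiary profile elements), modelled as an added example that is not CMS or BIC code. The networks, keys, partner names, role names and element names are constructed, and binding each key to its own partner's network is an assumption that goes beyond what the page states.

```python
import hmac
import ipaddress

# Constructed sample data: RFC 5737 documentation networks; the keys, partner
# names, access roles and profile elements are hypothetical.
PARTNER_NETWORKS = {
    "partner-a": [ipaddress.ip_network("192.0.2.0/28")],
    "partner-b": [ipaddress.ip_network("198.51.100.16/30")],
}
API_KEYS = {"key-aaaa-constructed": "partner-a", "key-bbbb-constructed": "partner-b"}
PARTNER_ROLES = {"partner-a": {"eligibility"}, "partner-b": {"eligibility", "billing"}}
ROLE_ELEMENTS = {
    "eligibility": {"part_a_entitlement", "part_b_entitlement"},
    "billing": {"premium_amount", "billing_status"},
}

def partner_for_key(api_key):
    """Map an API key to its partner, comparing in constant time."""
    for known, partner in API_KEYS.items():
        if hmac.compare_digest(known.encode(), api_key.encode()):
            return partner
    return None

def authorize(source_ip, api_key, requested):
    """Return (decision, permitted elements) for one request; fails closed."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "deny:bad-source-ip", set()
    # Gateway layer: the source must be inside some partner's allow-listed range.
    if not any(addr in n for nets in PARTNER_NETWORKS.values() for n in nets):
        return "deny:source-ip", set()
    partner = partner_for_key(api_key)
    if partner is None:
        return "deny:unknown-key", set()
    # Assumption beyond the page: a key is honoured only from its own partner's range.
    if not any(addr in n for n in PARTNER_NETWORKS[partner]):
        return "deny:key-ip-mismatch", set()
    # Server layer: union of the elements granted by the partner's access roles.
    granted = set().union(*(ROLE_ELEMENTS[r] for r in PARTNER_ROLES[partner]))
    if not set(requested) <= granted:
        return "deny:element-not-authorized", set()
    return "allow", set(requested)

def filter_record(record, permitted):
    """Reduce a beneficiary record to the permitted profile elements."""
    return {k: v for k, v in record.items() if k in permitted}
```

The distinct deny reasons are what a reviewer would want in the access log: a key presented from another partner's range is a different event from a partner asking for an element outside its Data Use Agreement.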

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

The Centers for Medicare and Medicaid Services provides role-based system security awareness training at least annually. The Business Owner is responsible for ensuring that their users receive the required Centers for Medicare and Medicaid Services training, and for maintaining training records. Training is conducted onsite or via online courses and user guides. ADO contractor support staff are direct Centers for Medicare and Medicaid contractors, Business Associates and System Maintainers that also provide security and privacy support for CMS’ systems and staff. The ADO ensures that all ELMO, Enrollment Database and Medicare Beneficiary Database. The ADO ensures that all Enrollment Database staff with security responsibilities receive security role-based training at least annually, and that training is delivered and tracked via Peraton's Learning Exchange online Computer Based Training system. The ADO Security Team conducts Privacy Training for all ADO staff at least annually, and for new hires before they access the Eligibility and Enrollment Medicare Online. The ADO Security Staff conducts Health Insurance Portability and Accountability Act (HIPAA) Training sessions weekly to ensure new personnel are trained in their privacy and security responsibilities as soon as possible after hire.

Describe training system users receive (above and beyond general security and privacy awareness training)

The Office of the Chief Information Security Officer provides quarterly security awareness training for the Centers for Medicare and Medicaid Services and provides meetings throughout the year to keep users abreast of relevant and timely security issues. The Centers for Medicare and Medicaid Services conducts phishing exercises to ensure employees and contractors can recognize, avoid and report phishing emails. All Eligibility and Enrollment Medicare Online users on the ADO staff receive annual security awareness, privacy, incident response and social engineering training.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Per guidance and in compliance with the Federal Records Management Acts, Public Laws 81-754 (1950) and 94-575 (1976), and provisions of the Privacy Act: these laws require the establishment of standards and procedures to ensure the effective creation, use, maintenance, and disposal of records that contain personally identifiable information. The Enrollment Database records are retained in accordance with the National Archives and Records Administration record retention schedule dated Sept 2014, Section II. MEDICARE RECORDS--GENERAL. The Enrollment Database system policy is to maintain information for at least 7 years. The Enrollment Database integration layer limits displayed claims data to the past 36 months. Information older than 36 months is archived to an external archive database. Backup tapes containing personally identifiable information are logged in and recorded in accordance with Acceptable Risk Safeguards 3.0 MP-6 - Media Sanitization. The media destruction process ensures personally identifiable information remains secure through the employment of degaussing and shredding techniques. The Enrollment Database will follow the Centers for Medicare and Medicaid Services Records Retention Schedules and Disposition Authorities:

DAA-0440-2015-0006-001 for Enrollment Records Disposition: Temporary, Instruction: Destroy no sooner than 7 years after cutoff* but no longer retention is authorized.

DAA-0440-2015-0007 for Beneficiary Records Disposition: Temporary, Instructions: Destroy no sooner than 10 years after cutoff* but no longer retention is authorized.

*Cutoff at the end of the calendar year.

Records Control Schedule (RCS) RG-0440

  • Records Schedule Number DAA-0440-2015-0006. Enrollment Records for all CMS Programs. Includes Medicare Part A, Part B, Part C, and Part D; Medicaid; CHIP; Affordable Health Care Act. Cutoff Instruction - Cutoff at the end of the calendar year.
  • Retention Period - Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized
  • Disposition Instruction
  • Records Schedule Number DAA-0440-2015-0007. Beneficiary Records Disposition: Records that facilitate the management of beneficiaries (those eligible for all CMS programs). Cutoff Instruction - Cutoff at the end of the calendar year.
  • Retention Period - Destroy no sooner than 10 year(s) after cutoff but longer retention is authorized
  • Disposition Instruction

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

System Security Plan security controls are routinely reviewed; a contingency plan is in place, and files are backed up and stored off-site regularly. All personnel (users, administrators, developers, contractors) using the system have been trained and made aware of their responsibility to protect the data collected and maintained. Technical controls (user ids, passwords, firewalls, intrusion detection/prevention, and data loss prevention systems) are in place to minimize the possibility of unauthorized access, use or dissemination of the data. Unauthorized access messages are generated by the system and forwarded to the appropriate Centers for Medicare and Medicaid Services personnel for investigation. Physical access controls (guards, identification badges, key cards, closed-circuit TV) are also in place.