Medicare Exclusion Database
Date signed: 10/10/2023
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-9842164-216790 |
| Name: | Medicare Exclusion Database |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 8/8/2024 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | System has been refactored and migrated to CMS AWS Cloud |
| Describe the purpose of the system | The purpose of Medicare Exclusion Database (MED) application is to maintain the list of individuals and businesses that have been excluded from participating in the Medicare Program during the period of exclusion. The application shares the excluded provider data with Medicare Contractors, Law Enforcement agencies and other CMS applications to prevent fraud, waste, and abuse. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The system collects the Excluded Provider information such as Name, Date of Birth, Social Security Number (SSN), Employer Identification Number (EIN) and Exclusion related data provided by the CMS Office of Inspector General (OIG). Access control information is maintained and controlled within the CMS Enterprise User Administration (EUA) and Enterprise Identity Management (EIDM) systems. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CMS Office of Inspector General (OIG) generates the List of Excluded Individuals and Entities who are excluded from participating in the Medicare Program. The Medicare Exclusion Database (MED) application receives the excluded provider information from OIG monthly basis and MED is responsible for adding new sanctions and updating the existing data. The data is shared with approved users using an online web application available at MED CMS Homepage and as downloadable files through the CMS Managed File Transfer (MFT) application with various user communities such as Medicare Contractors, Law Enforcement Agencies, State Medicaid Agencies, and other CMS applications etc. The access to the MED and MFT site is managed through CMS Enterprise Identity Management (EIDM) and access can be requested through the CMS Portal website EIDM Login Portal. The System collects information such as Name, Date of Birth, Social Security Number (SSN), Employer Identification Number (EIN) and Exclusion related data, provider sanctions, reinstatements, a list of MED users from EIDM, and the provider information from National Plan and Provider Enumeration System (NPPES). The excluded provider information from OIG is compared with the provider information from NPPES to ensure data quality and consistency. At the end of monthly processing of sanctions and reinstatements data, the database is updated to provide the latest information about the excluded providers and the downloadable files are made available that includes current month's sanctions, reinstatements, cumulative sanctions, cumulative reinstatements, and any waiver data. As a part of monthly data maintenance and in response to data questions, the staff retrieves the PII data from the MED system using various search criteria such as SSN, Last Name, Date of Birth, and NPI ID. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | Vendors/Suppliers/Contractors |
| How many individuals' PII in the system? | 50,000-99,999 |
| For what primary purpose is the PII used? | The Personally Identifiable Information (PII) is used in the system to provide information to the Carriers, Fiscal Intermediaries, States, Payment Safeguard Contractors, Zone Program Integrity Contractor, and Medicare Advantage Payers – to identify and refuse payment to the excluded providers. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | The secondary purposes could include data for research purposes and statistical analysis. |
| Describe the function of the SSN. | To assist in uniquely identifying sanctioned or reinstated providers. Additionally, the SSN is used for comparing the National Provider Identifier (NPI) number received from OIG with the NPI number listed in the National Plan and Provider Enumeration System (NPPES). |
| Cite the legal authority to use the SSN. | Sections 1128 A and B and 1156 of the Social Security Act give the Department of Health and Human Services (HHS) through the Office of the Inspector General (OIG) the authority to exclude certain individuals and entities from participation in the Medicare and state healthcare programs. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for maintenance of this system is given under §§ 1128 A and B, and 1156 of the Social Security Act. |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0534 - Medicare Exclusion Database (MED) |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | Not applicable. |
| Is the PII shared with other organizations? | Yes |
| Identify with whom the PII is shared or disclosed and for what purpose. |
|
| Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | All MED users are required to have their name present in the Data User Agreement (DUA) before the access is approved. A Memorandum of Understanding (MOU) is executed for any System-to-System transfer of data. |
| Describe the procedures for accounting for disclosures | Any disclosure is filed and stored in the DUA Office within Office of Enterprise Data and Analytics (OEDA). This CMS office keeps track of all DUAs and are assigned a DUA number for easier tracking which allows the DUA to indicate when a disclosure was provided, who it was provided to, for what purpose, and when the disclosure needs to be re- reviewed. |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | No notice is given - the PII is initially obtained / disseminated to MED via OIG. Individuals do not provide MED with their PII. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There is no method to opt-out. All the sanctioned provider data and information comes from OIG. They provide MED with a Sanctions and Reinstatement files, and Team MED pulls off the data that is required to identify an excluded provider. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | There is no notification or consent process. The MED application does not interact with or contact the individual whose PII is in the system when a major change occurs to the system because the source of data is from the CMS Office of Inspector General’s List of Excluded Individuals and Entities (LEIE) application. This application is responsible for notifying and obtaining consent. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The Individual or entity whose information is incorrect would have to work with the OIG to resolve any data issues. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | MED files are run against the NPPES database monthly, during which PII is validated against the National Plan and Provider Enumeration System (NPPES) database (which has been verified with SSA). |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | MED application implements role-based security wherein the access roles are defined and approved based on the assigned duty and intended system use. The system users must complete the necessary forms to initiate the request for access. The request must be approved by the Security Point Contact (SPC) and the CMS Government Task Lead. Once the request for access is approved, a ticket is opened with the system administration group to provision the access for the approved role. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | MED application implements logical access controls and procedures are established to ensure that only designated individuals can access the system. MED application uses specific roles for access based on the job duty and separate roles have been defined for Development, Validation and Production environments. Additionally, the security is implemented using CMS Enterprise User Administration (EUA), Enterprise Identity Management System (EIDM). |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All users of the MED system are required to take annual Information Security and Privacy Awareness training to ensure the protection of and secure handling of the information being collected and maintained. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | None. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The excluded provider PII information in MED is saved permanently because MED system serves both current operational needs as well as long-term knowledge management requirements for preserving institutional history and facilitating research on historical data that related to current matters. However, the PII information obtained from National Plan and Provider Enumeration System (NPPES) is kept temporarily and deleted each month. National Archives and Records Administration (NARA) record schedule is N1-440-09-18, items 1a,1b, and1c. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative Controls: The MED application implements all applicable CMS security controls to protect the PII. The implementation of controls is documented under System Security Plan (SSP), Contingency Plan (CP) and Risk Assessment (ISRA) plan. Various reviews are performed periodically, such as accounts review, application access log review, audit log review etc. to ensure data protection and compliance. Additionally, all employees and contractors who have access to PII data are required to take annual Security & Privacy Awareness Training. Technical Controls: MED application uses CMS Enterprise Identity Management (EIDM) system for access management. The application uses Multifactor authentication for access, implements role-based security and functionality, inactivity session time-out and maintains audit trial history. Physical Controls: The MED application is housed in a secured CMS AWS data center and uses physical controls such as Armed security guards, Identification Badges, Key Cards, periodic access review and Closed-Circuit TVs. |
| Identify the publicly-available URL: | MED CMS Homepage |
| Does the website have a posted privacy notice? | Yes |
| Is the privacy policy available in a machine-readable format? | Yes |
| Does the website use web measurement and customization technology? | Yes |
| Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) | Session Cookies |
| Session Cookies - Collects PII?: No | |
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | No |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services