Medicare Payment System Environment
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/22/2024
| PIA Questions | PIA Answers |
|---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-2893462-868644 |
Name: | Medicare Payment System Environment |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Agency |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 11/28/2022 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Medicare Adjudication Portal (MAP) (for dental claims processing) uses Medicare Beneficiary Identifiers (MBIs). Even though this identifier does not include a social security number, it is still sensitive information and can be used for fraud and abuse if not properly protected. |
Describe the purpose of the system | The Medicare Payment Systems Environment (MPSE) is part of the Medicare Payment Systems Modernization initiative, an effort to modernize the Centers for Medicare & Medicaid Services (CMS) Medicare Fee for Service (FFS) Shared Systems. MPSE hosts cloud-based tools, web services, and applications with various system-to-system interconnections including, but not limited to, the shared systems on CMS Virtual Data Centers (VDCs) and external CMS partners. Other modernization objectives will be implemented in MPSE over time. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The information collected, maintained or disseminated may include name, date of birth, health insurance claim number, Social Security Number (SSN), mailing address, phone numbers, medical record numbers medical notes, financial account information and/or numbers, certificates, device identifiers, email address, military status and/or records, employment status and/or records, employer or school name, health insurer name/plan, health insurer group number, patient marriage and employment status; claims forms for the purpose of processing and paying claims. User ID and Password for system users (CMS employees and direct contracting support) are managed by CMS EUA. The MPSE Users IDs and Passwords are synchronized by the CMS Enterprise User Administrator system (EUA) to CMS IDs. MSPE communicates with legacy systems that use the HICN, or Health Insurance Claim Number. HICN includes the beneficiary’s SSN. MPSE will use SSN, as part of HICN, when necessary, to integrate with these systems. Medicare Adjudication Portal (MAP) (for dental claims processing) uses Medicare Beneficiary Identifiers (MBIs). Even though this identifier does not include a social security number, it is still sensitive information and can be used for fraud and abuse if not properly protected. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Medicare Payment Systems Environment (MPSE) application is a cloud-based system providing modernization services and processing to CMS Shared System applications. It will assist in processing Medicare Part A, Part B, dental claims under Medicare fee for service (FFS), and Medical Equipment claims, to include data collection and validation, claims control, pricing, adjudication, correspondence, on-line inquiry, file maintenance, and communication of pricing with reimbursement systems. MPSE interfaces directly with the Fiscal Intermediary Shared System (FISS), Medicare Part B Shared System Claims Processing System (MCS), ViPS Medicare Shared System (VMS), the Provider Enrollment, Chain, and Ownership System (PECOS) which is used to verify provider status, Medicare Adjudication Portal (MAP) used by MACs and clearing houses to adjudicate 837D electronic claims, and the Common Working File (CWF). The FISS is the shared system used to process Medicare Part A claims, including outpatient claims submitted under Part B. It interfaces directly with the Common Working File (CWF) system for verification, validation, and payment authorization. Claims are entered, corrected, adjusted, or canceled. Inquiries for status of claims, for additional development requests, or for eligibility and various codes are processed. FISS is covered by separate Privacy Impact Assessment (PIA) Multi Carrier System (MCS) is the shared system used to process Medicare Part B claims for physician care, durable medical equipment, and other outpatient services nationwide. Claims are entered, corrected, adjusted, or cancelled. Inquiries for status of claims, for additional development requests, or for eligibility and various codes are processed. MCS interfaces directly with the Common Working File (CWF) for the purpose of providing a single data source where the contractors can verify beneficiary eligibility to receive prepayment review and approval of claims. MCS interfaces directly with the Healthcare Integrated General Ledger Accounting System (HIGLAS) to perform daily functions of payment calculation (following pre-payment validation), formatting, and accounting, thereby ensuring timely and accurate delivery of Medicare benefit payments. MCS is covered by separate Privacy Impact Assessment (PIA) The VMS (ViPS Medicare Systems) supports the business function of Benefits Calculation and Claims Management. The VMS claims processing system is one of the shared systems used to process claims for Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) typically provided by a supplier and that are not covered by Part A. It interfaces directly with the Common Working File (CWF) for verification, validation, and payment authorization. VMS includes much of the Part B functionality for claims collection, editing, pricing, adjudication, correspondence, on-line inquiry, file maintenance, financial processing and reporting. VMS also includes Certificate of Medical Necessity requirements and supplier interfaces. VMS has its covered by its own separate Privacy Impact Assessment (PIA). MPSE and MAP interface directly with the Provider Enrollment, Chain, and Ownership System (PECOS) to verify provider status. PECOS is covered by a separate PIA. The Common Working File (CWF) is a system used by CMS to maintain national Medicare records for individual beneficiaries enrolled in the program. The system is used to determine the eligibility of patients and to monitor the appropriate usage of Medicare benefits. This is also the repository for the beneficiary data received nightly from the Social Security Administration. CWF is covered by a separate Privacy Impact Assessment (PIA). |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | Information is shared to verify patient data between Medicare Insurers, if necessary, as well as beneficiary entitlement and accuracy of payment. System user credentials are used for authentication, access control, auditing and reporting purposes. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | The information is used in the Development and Testing of the modernization application(s) in order to use relevant data to make test records that can simulate actual claims records. This is done to ensure that changes to the application do not disrupt claims processing. |
Describe the function of the SSN. | MSPE communicates with legacy systems that use the HICN, or Health Insurance Claim Number. HICN includes the beneficiary’s SSN. MPSE will use SSN, as part of HICN, when necessary, to integrate with these systems. |
Cite the legal authority to use the SSN. | E.O. 9397. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Sections 1816, 1862 (b) and 1874 of Title XVIII of the Social Security Act (the Act) (42 U.S.C. 1395(h), 1395y (b), and 1395kk). E.O. 9397. |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: The FISS System of Records Notice (SORN) is 09-70-0503. The MCS System of Record Notice (SORN) is 09-70-0501. VMS N/A for Development VMS at GDIT. Common Working File SORN is 09-70-0526. |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Other - Medical Providers |
Identify the OMB information collection approval number and expiration date | OMB approval is not applicable to direct collection of system user credentials. |
Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | For the beneficiary, written notice is given when the beneficiary initially enrolls in the Medicare program and written or orally each time the beneficiary applies for service at a provider. For the CMS Direct contractors and CMS employees, written notice is provided when they apply for a job. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | When a beneficiary’s data is collected and sent to the MPSE system, the beneficiary has already agreed to share their information, so there is not an ability for them to opt out of PII data collection. The CMS direct contractors and CMS employees cannot opt out of providing PII because the collection of the data is necessary for employment. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | MPSE receives all PII from four source systems covered by other PIAs, which are responsible for any notification and consent: FISS MCS VMS CWF PECOS |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals are notified annually in the 'Medicare & You' handbook of their right to file a complaint if they believe their privacy rights have been violated. A phone number is included in the handbook and there is more information on www.medicare.gov. The phone number is 1-800-Medicare. When a beneficiary calls this number, they are contacting a CMS system known as the Next Generation Desktop (NGD), which is a system that is separate from MPSE. To resolve complaints, CMS Contractors log onto the NGD system to retrieve and respond accordingly to complaints. The final resolution is managed and recorded in the NGD system. NGD is covered by a separate privacy impact assessment (PIA). |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Consent and data are collected in the form of personally identifiable Information (PII) from individuals; the data is supplied by the Social Security Administration (SSA) and Medicare Administrative Contractors (MACs). Relevancy and accuracy are maintained by the interactions with the other claim data systems. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | MPSE uses role-based access limitations and least privilege controls to restrict PII availability. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Administrators and Direct Contractors have role-based access which limits their access to PII data. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Security Awareness and Privacy training is provided to each user on an annual basis. Users acknowledge successful training after passing a test at the end of training and the system verifies completion. Included in the training is education about how to properly handle sensitive data. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Security personnel receive job related training by attending conferences, forums, and other specific training on an annual basis. Security based role training is recorded within the security department. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Data within MPSE is temporarily retained per National Archive Records Administration (NARA) Disposition Authority: N1-440-09-16, Item 2: Cutoff at the end of the fiscal year in which cost reports are produced. Delete/destroy 8 years after cutoff, or when no longer needed for Agency business, whichever is later and per NARA Disposition Authority: N1-440-09-8: Cutoff at time of annual update. Delete/destroy each annual data file 10 years after cutoff or when no longer needed for Agency business, whichever is later. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Access to the system is given based on need to know and job responsibilities to process Medicare claims. Medicare Claims Processing Environment maintainers use security software and methods to provide “least privilege access.” They will utilize software which is part of the security systems that provides access control and auditing functionality, the ability to grant or deny access to data based upon need to know. Sometimes, to fix programmatic problems, programmers are granted temporary access to fix and ensure that errors are fixed. The temporary access may be granted for a day or other short periods of time that can be controlled through security software. External audits also verify these controls. Technical controls used include user identification, passwords, firewalls, virtual private networks and intrusion detection systems. Physical controls used include guards, identification badges, key cards, cipher locks and closed-circuit televisions. |
Identify the publicly-available URL: | https://webpricer.mps.cms.gov/#/ https://pds.mps.cms.gov/#/ |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) |
|
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government website external to HHS? | No |