Medicare Provider Analysis and Review System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 8/23/2022
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-7339406-260410 |
Name: | Medicare Provider Analysis and Review System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 6/15/2022 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | No changes |
Describe the purpose of the system | This system makes it possible for providers and researchers to analyze stay records for a beneficiary's utilization in a particular inpatient facility or Skilled Nursing Facility (SNF). The Medicare Provider Analysis and Review System (MEDPAR) is used to calculate the disproportionate share (DSH) fraction. MEDPAR is also used for rate setting and other research initiatives. MEDPAR is also used for litigation. Core Functions: This system makes it possible for CMS staff, providers and researchers to analyze stay records of a beneficiary's utilization in a particular inpatient facility or SNF. The MEDPAR file enables CMS and its contractors to facilitate research on the quality and effectiveness of care provided, update annual hospital Prospective Payment System (PPS) rates, and to recalculate Supplemental Security Income (SSI) ratios for hospitals that are paid under the PPS and serve a disproportionate share of low-income patients and that might be entitled to increased reimbursement. Information retrieved from the MEDPAR file will also be disclosed to support regulatory, reimbursement, and policy functions performed. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | MEDPAR is a legacy tape database of sequential flat files that function as CMS’s repository of beneficiary stay data in an Inpatient Hospital or in a Skilled Nursing Facility (SNF). MEDPAR receives and maintains Medicare beneficiary information such as: name, date of birth (DOB), social security number (SSN), payment information, provider information, diagnosis and procedure code details, medical record number, NCH (Health Insurance Claim Number (HICN) and Unique Position Identification Number (UPIN)/National Provider Identifier (NPI)), Race, and Sex. The information is not collected from CMS employees and/or CMS direct contractors. The information is provided by the Medicare Quality Analysis (MQA) application, which is a component of the National Claims History (NCH). NCH is a FISMA authorized system and maintains a separate PIA. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | MEDPAR is a legacy tape database of sequential flat files that function as CMS’ repository of beneficiary data beginning with service year 1992. MEDPAR maintains information on inpatient hospital and Skilled Nursing Facility (SNF) stays of Medicare beneficiaries. All MEDPAR update processes use batch processing on the Mainframe at the CMS Data Center. The input data for the MEDPAR file is the National Claims History (NCH) Inpatient/SNF "tap" file and Supplemental Security Income (SSI) data from the Social Security Administration (SSA). When NCH creates the Inpatient File that is used by MEDPAR processing to create the Beneficiary stay, the HICN, Admission date and Provider Number are retrieved. Each quarter the MEDPAR system receives an Inpatient and SNF "tap" file. The files are "taps"/"pulls" against the NCH based on specific criteria. These pulls were created because the usual retrieval methods (i.e. DESY) would not suffice. These custom configured extracts are used for certain agency business functions two segments for each year. The remaining claims, from the Financial Analysis (FA) processing, are collapsed by claim number, admission date and provider number to create a stay record. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Patients |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The primary purpose for which PII is used is to study the operation and effectiveness of the Medicare program. The MEDPAR file contains Inpatient/SNF final-action claims data for individual Medicare beneficiary and provider SSI data. The MEDPAR system is the repository of beneficiary stay data in Inpatient Hospital or Skilled Nursing Facility in a mainframe environment. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | The data from the MEDPAR is used for statistical and research purposes related to evaluating/studying the operation and effectiveness of the Medicare program. |
Describe the function of the SSN. | The SSN is a part of the HICN. The function of the SSN in the HICN is to identify the Beneficiary stay. |
Cite the legal authority to use the SSN. | The legal authority to use the SSN is Sec. 205 [42 U.S.C. 405] of the Social Security Act. |
Identify legal authorities governing information use and disclosure specific to the system and program. | The legal authority to use the SSN is Sec. 205 [42 U.S.C. 405] of the Social Security Act. Also, the Privacy Act of 1974 (Public Law No. 99-579) and the Health Insurance Portability and Accountability Act (HIPAA) (Public Law No. 104-191). |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: 09-70-0514 Medicare Provider Analysis and Review (MEDPAR) |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | In-Person |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Members of the Public |
Identify the OMB information collection approval number and expiration date | Not applicable |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | CMS System of Records Notification Process. The information is aggregated to support statistical analysis and investigation. Information about an individual is processed in support of investigations. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | MEDPAR is based on Medicare claims. Beneficiaries cannot opt-out of CMS collecting claim level information because that information is needed to provide benefits. The method for beneficiaries to opt-out of claim level data collection is to opt out of receiving Medicare benefits. The Privacy Act and Health Insurance Portability and Accountability Act (HIPAA) regulate how the data must be protected and used after the point of collection. The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a "routine use." The proposed routine uses in this system meet the compatibility requirement of the Privacy Act. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Not Applicable to the MEDPAR application. Major changes to the application do not affect the system in a manner that an individual would need to be notified to have their consent obtained. Data elements that are added to the application during specific system updates do not obtain PII. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals may raise concerns by contacting the CMS Privacy Office for issues regarding inaccurate or inappropriately obtained uses of their information. Once the incident is reported, it is forwarded to the Computer Security Incident Response Team (CSIRT). Upon notification of a potential concern, the incident is forwarded to the CMS Breach Analysis Team (BAT) for assessment. CSIRT and BAT coordinate with the NCH Business Owner, the Information Systems Security Officer (ISSO), and the Systems Security Officer (SSO) to determine if the reported issue is an actual incident. If the issue is deemed an incident, it will be categorized to determine priority and actions that must be taken to resolve. The incident is then triaged for handling by the appropriate team. The CSIRT follows CMS policies and procedures to contain and resolve the incident. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Not Applicable. However, annual independent operational audits are performed that test the security of the system, which affects data integrity, and testing of contingency planning, which affects the availability of the system. MEDPAR does not manipulate data that comes into the system to ensure accuracy. For relevancy of MEDPAR PII data, the HICN must always be present to identify a beneficiary. The Centers for Medicare make a determination of any additional data elements that need to be used for research purposes. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Account management mechanisms are established for MEDPAR to identify account types (i.e., individual, group, and system); establish conditions for group membership; and assign associated authorizations. MEDPAR team members are granted access based on the assigned duty and intended system use, and this determination is made by the System Owner. Downstream users of MEDPAR submit a request through the GTL/COR for access, which includes a justification for access of data. Once submitted, the MEDPAR System Owner approves the initial request. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Logical access controls and procedures are established for MEDPAR to ensure that only designated individuals can access the CMS information system. MEDPAR team members with CMS Time Sharing Option (TSO) User IDs re-take the CMS online Information Security and Privacy Training course and re-certify the “System Access” annually via CMS Extended User Authorization (EUA) Passport to continue accessing the approved CMS system(s). When user access is no longer required, due to a change in role on the project or departure from the MEDPAR project team, the MEDPAR Project Manager notifies the CMS MEDPAR Government Task Leader (GTL) to remove the CMS TSO User ID or revoke the specific access privileges that are no longer required. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All personnel (CMS employees and contractors) are required to complete annual CMS Security Awareness Training and Privacy Act Training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | In addition to the Security Awareness training, all MEDPAR contractors are required to complete annual Data Security & Privacy Training and HIPAA Requirements training. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | CMS Baltimore Data Center Storage Management Guidelines are employed, which are consistent with the National Archives and Records Administration (NARA) General Records Schedules (GRS) found in Subchapter B of 36 Code of Federal Regulations Chapter XII. CMS retains records until it is determined that they are no longer needed for administrative, legal, audit or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena and law enforcement actions. MEDPAR follows the NARA records disposition schedule for Bucket 5 – Beneficiary Record with a NARA Disposition Authority Number: DAA-0440-2015-0007-0001. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Data is secured according to CMS Baltimore Data Center Security Standards. Administrative controls include documented MEDPAR System Security Plan, Contingency Plan, and Risk Assessment. Technical Controls include: Resource Access Control Facility (RACF), in concert with Database 2 (DB2) security controls, limits access to MEDPAR to authorized users. UserIDs and Passwords, RSA Token, Firewall, and Virtual Private Network (VPN). Physical Controls Include: Guards, Identification Badges, Key Cards and Closed Circuit TVs. |