Medicare Secondary Payer Systems Contractor - Major Application
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 9/21/2023
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-7899387-006720 |
| Name: | Medicare Secondary Payer Systems Contractor - Major Application |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Identify the operator: | Contractor |
| Is this a new or existing system? | New |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 5/25/2023 |
| Describe the purpose of the system | To gather information in an effort to identify the health benefits available to Medicare beneficiaries, which involves the collection, management, and reporting of other insurance coverage. This ensure the accuracy and timeliness of updates to Medicare’s eligibility and entitlement databases housed in other Centers for Medicare and Medicaid Services (CMS) systems. To consolidate the activities of Coordination of Benefits and Recovery (COB-R) and Medicare Secondary Payer (MSP), and to manage the performance of all activities that support the collection, management, and reporting of other insurance coverage of Medicare beneficiaries and the collection of conditional payments or mistaken primary payments. It supports internal and external Medicare Secondary Payer (MSP) customers. To identify and track cases of mistaken and conditional payments that are to be recovered by the Centers for Medicare and Medicaid Services (CMS). Medicare Secondary Payer Systems Contractor - Major Application (MSPSC MA) provides case creation and tracking, letter generation, and a standard reporting capability Core functions: 1) to identify Medicare Secondary Payer (MSP) debt in a more timely manner, 2) to manage and control Medicare Secondary Payer (MSP) recovery cases in a centralized database, and 3) to be the system of record relative to the status of recovery of Medicare Secondary Payer (MSP) claims by Medicare. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The Medicare Secondary Payer Systems Contractor - Major Application (MSPSC MA) collects and maintains the following information types:
All public facing websites which fall under the purview of the MSPSC MA are Secure Websites. These websites require credentials to access. Said websites employ the use of Multi-Factor Authentication (MFA). |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Coordination of Benefits and Recovery (COB-R) program is the result of the Centers for Medicare and Medicaid Services (CMS) efforts to consolidate the Coordination of Benefits (COB) and Medicare Secondary Payer Recovery (MSPR) activities into a centralized operation, providing quality customer service and a streamlined process to all stakeholders. To make this effort a success, CMS has partnered with General Dynamics Information Technology (GDIT). GDIT is the original developer and current maintainer of the internal applications that make up the Medicare Secondary Payer Systems Contractor (MSPSC) program which is comprised of the Medicare Secondary Payer Systems Contractor (MSPSC) Major Application (MA).
The goal of combining the COB and MSPR into the COB-R program is to consolidate these activities, the performance of all activities that support the collection, management, and reporting of other insurance coverage of Medicare beneficiaries and the collection of conditional payments or mistaken primary payments.
CMS has established a centralized COB and Medicare Secondary Payer (MSP) operation by consolidating these activities, the performance of all activities that support the collection, maintenance, and reporting of other insurance coverage of Medicare beneficiaries, and the collection of conditional payments or mistaken primary payments. These activities have been performed under two separate contracts in the past. CMS has established a centralized COB and Medicare Secondary Payer Recovery Contractor (MSPRC) operation in order to provide quality customer service and a single source to Medicare providers, suppliers, beneficiaries, insurers, and other stakeholders by streamlining the Medicare Secondary Payer data and debt collection processes while ensuring the integrity of the Medicare Trust Funds. As with any consolidation of efforts for similar functions, savings of time and costs can be realized.
The Medicare Secondary Payer Systems Contractor - Major Application (MSPSC MA) collects and maintains information about persons: Social Security Number Email Address Education Records Date of Birth Mailing Address Financial Account Information Name Phone Numbers Taxpayer ID Medical Records Number Employment Status User Credentials - (user ID and password) Medicare Health Insurance Claim Numbers Federal Employer Identification Number (EIN) Federal Tax Identification Number (TIN) Medicare Beneficiary Identifiers (MBIs) Medical Record Data (Provider Data, Diagnosis Codes, Dates of Insurance Coverage, Claim Dates) |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 1,000,000 or more |
| For what primary purpose is the PII used? | The primary purpose of the Personally Identifiable Information (PII) used is to identify and track cases of mistaken and conditional payments that are to be recovered by CMS. For user credentials, the primary purpose is to log into the system for system support and operations. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | The PII is used for testing the applications in the Implementation (IMPL) environment prior to changes being placed into Production. Access to this environment is restricted to authorized personnel only. |
| Describe the function of the SSN. | The Social Security Number (SSN) is only used to search for a beneficiary’s case if the Federal Employer Identification Number (EIN) or Federal Tax Identification Number (TIN) is unknown for the purposes of gathering claim information and to recover mistaken primary payments when another entity is responsible for primary payment. The SSN is not disclosed or shared. |
| Cite the legal authority to use the SSN. | The collection of this information is authorized by 42 U.S.C. 1395y (b) (7) & (8). The information collected will be used to identify and recover past mistaken Medicare primary payments and to prevent Medicare from making mistakes in the future for those Medicare Secondary Payer situations that continue to exist. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395(h), 1395u, 1395y(b), and 1395kk) sections 226, 226A, 1811, 1816, 1818, 1818A, 1831, 1833(a)(1)(A), 1836, 1837, 1838, 1842, 1843, 1862(b), 1866, 1874, 1876, 1881, and 1902(a)(6) Title 42 United States Code (U.S.C.) 426, 426–1, 1395c, 1395cc, 1395i–2, 1395i– 2a, 1395j, 13951, 1395mm, 1395o, 1395p, 1395q, 1395rr, 1395v, 1396a Section 101 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L. 108– 173) (Regulations at 42 CFR Parts 403, 411, 417 and 423). |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: 09-70-0501 Medicare Multi-Carrier Claims System Published: 09-70-0503 Fiscal Intermediary Shared System Published: 09-70-0526 Common Working File Published: 09-70-0536 Medicare Beneficiary Database |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | Not applicable |
| Is the PII shared with other organizations? | Yes |
| Identify with whom the PII is shared or disclosed and for what purpose. |
|
| Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | MSPSC MA has several electronic interfaces with other systems. Beneficiary data will be obtained from the Medicare Beneficiary Database (MBD). Claims data are obtained from National Claims History (NCH) and National Medicare Utilization Database (NMUD) via the Data Extract System (DESY). Provider data will be obtained from the Online Survey, Certification, and Reporting (OSCAR), National Provider Identifier (NPI) and Streamlined Technology Acquisition Resources for Services (STARS) systems. Memorandums of Understanding (MOU)/Data Use Agreements (DUA) between the Recovery Management and Accounting System (ReMAS) and all other interfacing systems have been established. This includes the Medicare Secondary Payer Systems Contract and the MOU between Office of Financial Management/Financial Services Group/Coordination of Benefits & Recovery (COB & R) and Office of Financial Management/Financial Services Group/Healthcare Integrated General Ledger Accounting System (HIGLAS). |
| Describe the procedures for accounting for disclosures | Review of the Interconnection Security Agreement (ISA) between business partners are reviewed and tested annually. The CMS Privacy Office keeps an accurate account of disclosures though the use of the Data Use Agreement (DUA). The DUA captures Date, Nature, and purpose of the disclosure as well as the Name and address of the requesting person/agency. CMS currently retains the DUA over the life of the record. Providers can request disclosures of PII information from CMS. Per language in the Interconnection Security Agreements (ISAs), parties are required to report privacy breaches or suspected breaches to CMS within one (1) hour of detection. Disclosure of privacy information between systems is managed under routine use notices. In addition, system logs maintain transaction information only (not the PII/PHI itself) as a record or accounting of each time it discloses information as part of routine use. |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | For users of Internet Facing Secure Website Applications: About three months before a beneficiary’s entitlement to Medicare, Initial Enrollment Questionnaire is mailed to the beneficiary. The Initial Enrollment Questionnaire asks whether the beneficiary has other insurance that pays before Medicare. To ensure correct payment of Medicare claims, it is important that Medicare enrollees complete and return the Initial Enrollment Questionnaire timely. Additionally, the following Privacy Act Statement is presented when first navigating to the Individual Application:
The collection of this information is authorized by 42 U.S.C. 1395y(b)(5). The information collected will be used to identify and recover past mistaken Medicare primary payments and to prevent Medicare from making mistakes in the future for those Medicare Secondary Payer situations that continue to exist. In addition, Section 42 U.S.C. 1395y(b)(5)(C)(ii) provides for a civil monetary penalty of up to $1,000.00 per individual for whom an inquiry concerning health coverage was made, to be assessed to any employer (other than a governmental entity) who willfully or repeatedly fails to respond timely, accurately, and completely to this request.
This statement contains information about the privacy and use of information and must be accepted before accessing the application.
Additionally, the following SORNs have been posted on the HHS website to inform the public:
Published: 09-70-501 Medicare Multi-Carrier Claims System
Published: 09-70-0503 Fiscal Intermediary Shared System
Published: 09-70-0526 Common Working File
Published: 09-70-0536 Medicare Beneficiary Database
For Administrators of Internet Facing Applications: Login Banner Statements are displayed and must be agreed upon prior to access to the Application. The login banner states that employees' actions are monitored while accessing the system and that there is no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system.
CMSNet Facing applications do not collect PII directly from the individual about whom it pertains. The information is supplied by other CMS systems of record. Those systems, Medicare Multi-Carrier Claims System, Fiscal Intermediary Shared System, Common Working File, Medicare Beneficiary Database, National Claims History, and National Provider System, have processes in place to notify individuals that their PII will be collected. They have their own PIAs. These applications also collect user ID and password from internal users in order to log into the system. The only user accounts are those used by the agency or the direct contractor. These accounts are created by request of the individual's employer to perform a job function. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There is no option to opt-out of the collection or use of their Personally Identifiable Information (PII) because this information is needed to collect money owed to CMS. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | For Users of Internet Facing MSPSC MA Applications: Users are required to review and agree to the Coordination of Benefits - Secure Website (COB-SW) User Agreement, Privacy Policy and Login Warning. In the event of a major change, the System of Record Notice (SORN) will be updated and posted on the HHS website to inform the public. The revised SORN is published in the Federal Register for a 60 day comment period by the public. This system contains Protected Health Information as defined by Health and Human Services (HHS) regulation "Standards for Privacy of Individually Identifiable Health Information" (45 CFR Parts 160 and 164, 65 FR 82462 (Dec. 28, 00), as amended by 66 FR12434 (Feb. 26, 01)). Disclosures of Protected Health Information authorized by these routine uses may only be made if, and as, permitted or required by the "Standards for Privacy of Individually Identifiable Health Information."
For CMSNet Facing MSPSC MA Applications: The PII within this system is provided through interconnections with other CMS systems which are documented within the Data Use Agreement (DUA) and is not collected directly from the individuals. In the event of a major change, the System of Record Notice (SORN) will be updated and posted on the HHS website to inform the public. This system contains Protected Health Information as defined by Health and Human Services (HHS) regulation "Standards for Privacy of Individually Identifiable Health Information" (45 CFR Parts 160 and 164, 65 FR 82462 (Dec. 28, 00), as amended by 66 FR12434 (Feb. 26, 01)). Disclosures of Protected Health Information authorized by these routine uses may only be made if, and as, permitted or required by the "Standards for Privacy of Individually Identifiable Health Information." Benefits Coordination Recovery System (BCRS) Application Specifically: The login credentials within this system are provided to users by another CMS system which is Enterprise User Administration (EUA) which has a PIA addresses the process to notify and obtain consent from the individuals. For the Administrators of CMSNet Facing MA Applications: The only user accounts are those used by the agency or the direct contractor. These accounts are created by request of the individual's employer to perform a job function. The direct contractor is responsible for notifying administrators of major changes to the system that may impact PII. Additionally, the login banner states that employees' actions are monitored while accessing the system and that there is no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | For Users: The beneficiary would contact CMS, who would in turn follow their Standard Operating Procedure (SOP) for processing beneficiary concerns / complaints. In accordance with the Medicare Beneficiary Handbook, individuals can use the following resources to resolve any concerns as they pertain to PII: Visit Medicare.gov Call 1-800-MEDICARE (1-800-633-4227) and ask to speak to a customer service representative about Medicare’s privacy notice. Teletypewriter (TTY) users should call 1-877-486-2048 or File a complaint with the Secretary of the Department of Health and Human Services. Call the Office for Civil Rights at 1-800-368-1019. TTY users should call 1 800 537 7697. For Administrators: All system administrators are employees to the direct contractor. The direct contractor is responsible for notifying administrators of major changes to the system that may impact PII and will handle any concerns from the system administrator. Additionally, the login banner states that employees' actions are monitored while accessing the system and that there is no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The Centers for Medicare and Medicaid Services (CMS) has a National Institute of Science and Technology (NIST) compliant continuous monitoring program to ensure system integrity, availability. The COB-SW system is designed with logic checks to ensure data accuracy and integrity. Yearly testing of the system is required to review and update data collection process to ensure data collected is relevant and accurate. Back-up servers are in place to ensure information is readily available, even if a main server fails. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Users, Administrators, Developers, and Contractors (direct) having system access are screened by their respective Human Resources (HR) departments. Roles are assigned based upon "need-to-know" or "need-to-access" requirements to perform their assigned duties. Technical security requirements include but are not limited to: user accounts, passwords, access limitation, reset procedures, suspension requirements, auditing procedures, and authenticator requirements. System Administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user, and modifying their user data, or by removing their access if no longer required. Activities of all users including system administrators are logged and reviewed by the MSPSC MA ISSO to identify abnormal activities if any. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Access to PII is provided on a need to know basis based upon the principle of least privilege. This involves a separation of duties based upon each individual's role. Users: Different roles are defined at the user level based on a need to know. Differences in these roles include team/staff membership, access to the notices of settlements, access to checks/refunds, access to conditional payment letters, exhaust letters. The function that the user provides must be justified and go through an approval process before access is granted. Developers: Developers are only given access based upon project and function (i.e. the ability to approve changes versus move changes). The function that the developer provides must be justified and go through an approval process before access is granted. Administrators: Administrators are given access based upon project and function. Administrator roles are defined based upon the type of device/technology administered (i.e. windows admin, network admin, database admin, etc.) and are given access on an as needed basis. The function that the contracted individual provides must be justified and go through an approval process before access is granted. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All employees who support the information system are required to complete privacy and security-based training prior to gaining initial access to the system and on a yearly basis thereafter. The following topics are the following: Information Security Awareness CMS/HHS Rules of Behavior Culture of Responsibility (Securing of all sensitive information within an employee's possession while completing system related tasks) HIPAA Privacy Training: the direct contractor shall ensure that “all” active credentialed Users, which includes contractor employees, and all third party vendors, are provided and take the Information Security Awareness (ISA) training; (i) before authorizing access to the system or performing assigned duties; (ii) when required by changes; and (iii) annually thereafter. In addition, non-employee sponsors are responsible for ensuring compliance with this policy by the non-employee they are sponsoring. The contractor Information Systems Security Officer (ISSO) may accept certification of training from other contractor Business Units. If approved, the contractor ISSO provides the training completion date in order to update the user’s records. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | In addition to the Information Security Awareness training that all employees are required to complete, users, administrators, developers and contractors of the system are also required to complete the following courses as part of their training prior to receiving System access; HHS Rules of Behavior The HHS Rules of Behavior (HHS Rules) provides common rules on the appropriate use of all HHS technology resources and information for Department users, including federal employees, interns and contractors. Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Training The purpose of this Privacy Training course is to 1) increase HIPAA awareness, 2) define requirements of the Privacy Rule, 3) communicate Privacy policies, 4) provide examples of how Privacy requirements impact operations, 5) identify organizational support contacts, and 6) foster and maintain a culture of integrity Culture of Responsibility This training course is designed to make sure employees are aware of their responsibilities in assuring the protection of customer data that has been entrusted to them.
Users, administrators, developers and contractors CMS employees and contractors with privileged access are also required to complete role-based training at hire and annually thereafter, and meet continuing education requirements commensurate with their role. Other training avenues such as conferences, seminars and classroom training provided by CMS are available apart from the regular annual training. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | CMS adheres to data retention and destruction policies/procedures that closely follow National Archives and Record Administration (NARA) guidelines related to data retention. Specifically, the Medicare Secondary Payer Systems Contractor - Major Application (MSPSC MA) adheres to NARA General Records Schedule (GRS) 3.2 Item 31 - System Access Records and NIST guidelines related to data destruction. PII is stored for 7 years per NARA GRS 3.2 standards. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | MSPSC MA is regularly assessed using the CMS Security Policies and Controls that includes administrative and technical controls. Physical controls are out of scope for this FISMA system as it is hosted within the CMS Amazon Web Services (AWS) Enclave. The CMS AWS Enclave (separate FISMA System) is responsible for adhering to physical controls. All controls are tested within a 3 year period as part of annual FISMA evaluations. |
| Identify the publicly-available URL: |
Please note all public facing websites which fall under the purview of the MSPSC MA are Secure Websites. These websites require credentials to access. |
| Does the website have a posted privacy notice? | Yes |
| Is the privacy policy available in a machine-readable format? | Yes |
| Does the website use web measurement and customization technology? | No |
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | No |