Medicare Transaction Facilitator: Payment Module

Date signed: 6/30/2025

PIA for Medicare Transaction Facilitator: Payment Module
PIA Questions and Answers

OPDIV: CMS

PIA Unique Identifier: P-6097636-274469

Name: Medicare Transaction Facilitator: Payment Module

The subject of this PIA is which of the following? Major Application

Identify the Enterprise Performance Lifecycle Phase of the system. Operate

Is this a FISMA-Reportable system? Yes

Does the system include a Website or online application available to and for the use of the general public? No

Identify the operator: Agency

Is this a new or existing system? New

Does the system have Security Authorization (SA)? No

Planned Date of Authorization: 9/12/2025

Describe the purpose of the system. The Medicare Transaction Facilitator Payment Module (MTF-PM) processes payments for the Medicare Transaction Facilitator: Data Module (MTF-DM).

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.) The system contains internal user identifications and credentials, network information for interconnected systems, payment status information, and payment information. The MTF-PM system receives banking information including bank account numbers and routing numbers, Organization name, and/or First Name, Last Name, Address, Email, Social Security Number (SSN), and Tax ID Numbers (Employer Identification Number (EIN), Federal Employer Identification Number (FEIN), Federal Tax Identification Number (FTIN)) for manufacturers and dispensers, and Drug Information such as drug name, quantity, and drug code, from the MTF-Data Exchange Module (MTF-DM) system. The MTF-DM system is responsible for validation of all PII prior to its being transmitted to MTF-PM. This information is processed to make payments from manufacturers to dispensing entities. The information loaded into the MTF-PM system is refreshed with daily incremental changes and a weekly bulk-load operation to reconcile any potential incremental failures. The system stores payment-related data for up to 7 years. Audit logs of the application and related network connections are stored for 90 days online and 365 days offline. User management and authentication are handled by the CMS Enterprise User Administration system. User identifications are stored within MTF-PM to associate users logged into the MTF-PM application with the actions they perform.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. The system facilitates the payment of the Maximum Fair Price determined by the manufacturer to the dispensing entity and reports payment details to the Medicare Transaction Facilitator: Data Exchange Module. The MTF-PM stores only the information necessary to complete payments.

Does the system collect, maintain, use or share PII? Yes

Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • E-Mail Address
  • Phone Numbers
  • Taxpayer ID
  • Mailing Address
  • Financial Account Info
  • Other: EIN, FEIN, FTIN, Manufacturer Information, Dispenser Information, and Drug Information. MTF-PM does not collect PII data; the data is transferred to MTF-PM by the Transaction Facilitator: Data Exchange Module.

Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
  • Other: Manufacturers, Dispensers

How many individuals' PII in the system? 50,000-99,999

For what primary purpose is the PII used? PII is used to authenticate internal users to the MTF-PM system. Without the username and password combination, a user cannot access the MTF-PM system. PII is also used to facilitate manufacturer payments to dispensers. Bank account and routing information, First Name, Last Name, Address, Tax ID Numbers, Manufacturer Name, Dispenser Name, Drug Name, Drug Code, and Drug Quantity are required to facilitate a payment. Without this required information, a payment cannot be successfully processed by the MTF-PM.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research). PII will be present in the implementation (IMPL) environment to ensure the application functions correctly in the production environment.

Describe the function of the SSN. The SSN / Employer Identification Number (EIN) / Federal Employer Identification Number (FEIN) / Tax Identification Number (TIN) / Federal Tax Identification Number (FTIN) is used for tax purposes if required by the program.

Cite the legal authority to use the SSN. Section 1851(d) of the Social Security Act and OMB Circular A-123.

Identify legal authorities governing information use and disclosure specific to the system and program. 42 CFR Parts 417, 422, 423, and 460; the Inflation Reduction Act of 2022; and Sections 1191 through 1198 of the Social Security Act.

Are records on the system retrieved by one or more PII data elements? No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online

Identify the sources of PII in the system: Government Sources
  • Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources
  • Private Sector

Identify the OMB information collection approval number and expiration date. Not Applicable

Is the PII shared with other organizations? Yes

Identify with whom the PII is shared or disclosed and for what purpose.
  • Within HHS: Information is shared with MTF-DM for payment purposes.
  • Private Sector: Payment information is shared to deliver electronic and check payments to the appropriate individuals.

Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). The MTF-PM will have a Joint Operating Agreement (JOA) with the MTF-DM system, and multifactor authentication (MFA) with each drug manufacturer.

Describe the procedures for accounting for disclosures. Each disclosure will be made for the purpose of facilitating payments to individuals. The program will not disclose PII for any reason other than those stated within the PIA.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. PII is not collected directly from the individuals. The system does not maintain PII. The system receives PII from the MTF-DM.

Is the submission of the PII by individuals voluntary or mandatory? Voluntary

Describe the method for individuals to opt out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. PII is not collected directly from the individuals, so there is no opt-out method in place.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. PII is not collected directly from the individuals.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. Users can contact the CMS MTF-DM help desk.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. The system does not maintain PII. The system receives PII from the MTF-DM. The files from the Transaction Facilitator: Data Exchange Module are formatted specifically to transmit only the information necessary for a payment to be processed. Any inaccurate information may lead to delay or cancellation of the payment.

Identify who will have access to the PII in the system and the reason why they require access.
  • Administrators: Administrators require access to payment files to troubleshoot and/or update the payment file data element formats.
  • Developers: Administrators require access to payment files to troubleshoot and/or update the payment file data element formats.
  • Contractors: Direct contractors maintain the application and perform administration and development work.
  • Others: National Government Services (NGS) contractors are direct CMS contractors using CMS Personal Identity Verification (PIV) cards to access the CMS network. NGS contractors are responsible for fulfilling certain roles and tasks for the development of the system.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. The MTF-PM program requires that only the least privileges and access needed are granted to individuals in any role. Access is granted based on the actual work being performed by the individual, and any unnecessary access is revoked.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. Access to the system must be approved by the user's manager and CMS before it is granted.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. All users are required to complete Privacy and Security Awareness training from National Government Services (NGS) and CMS.

Describe training system users receive (above and beyond general security and privacy awareness training). HHS Records Management training, and Enterprise User Administration (EUA) Computer-Based Training (CBT)/Role-Based Training (RBT).

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. MTF-PM follows the CMS Records Schedule and the National Archives and Records Administration (NARA) guidelines. The timeline for destruction of records for this program is 7 years unless the records are required for other business, legal or investigative use, in accordance with the CMS Records Schedule / Records and Information Management Policy (2022) as outlined in Bucket 3 - Financial Records (2017).

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.
  • Physical Controls: The CMS AWS East region hosts the MTF-PM application. This hosting environment has many physical controls in place to protect PII, including 24/7 surveillance of data center facilities; perimeter security including fences, access control points, gate guards, and mantraps; environmental control systems to protect against the loss of data; and a geographically dispersed regional footprint to protect against natural disasters.
  • Technical Controls: Encryption at rest and in transit. Access controls are applied at the infrastructure and application levels. The application contractor will not have physical access to the systems.
  • Administrative Controls: Policies and procedures are in place that expressly prohibit the use of PII for any reason not covered by the PIA.

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services