National Claims History
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 8/25/2022
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-9021234-882399 |
| Name: | National Claims History |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Agency |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 6/15/2022 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | No changes |
| Describe the purpose of the system | National Claims History (NCH) system is a data repository of Medicare Part A and Part B claims beginning with service year 1991. The core function of NCH is to be a repository of Medicare Part A and Part B claims data that produces Standard Analytical Files, which are "tapped" or "pulled", from NCH, referred to as TAP files for many users. NCH also feeds information to the National Medicare Utilization Database (NMUD) and is the main source for the Medicare Provider Analysis and Review (MEDPAR) file. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | NCH will collect and maintain Medicare Part A and Part B claims data, which includes but is not limited to Medicare billing and utilization data, name, health insurance claim number/Medicare Beneficiary Identifier (HICN/MBI), ethnicity, sex, date of birth, state and county code, zip code, as well as the basis for the beneficiary’s Medicare entitlement. NCH also contains Provider characteristics, assigned Provider numbers (facility, referring/servicing physician), admission date, service dates, diagnosis and procedural codes, total charges, Medicare payment amount, and beneficiary’s liability. The primary purpose of NCH is to collect and maintain billing and utilization data on Medicare beneficiaries enrolled in hospital insurance (Part A) or medical insurance (Part B) of the Medicare program for statistical and research purposes related to evaluating and studying the operation and effectiveness of the Medicare program. The collection of this data is mandatory and is Personally Identifiable Information (PII). |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | NCH is the current System of Record for Medicare Utilization Data. It is a legacy tape database of sequential flat files that function as CMS’ repository of paid Medicare claims data beginning with service year 1991. The data from the NCH is used for statistical and research purposes related to evaluating/studying the operation and effectiveness of the Medicare program. Information from this system is also used to support regulatory, reimbursement, and policy functions performed within the Agency, or by authorized contractors or consultants, other Federal agencies, and Quality Improvement Organizations (QIOs). The information is vital to research the quality and effectiveness of care provided, it also supports litigation involving the Medicare program, and to combat fraud and abuse. All NCH update processes use batch processing on the mainframe at the CMS Data Center, and the output from the Common Working File Medicare Quality Assurance (CWFMQA) weekly process is the required system input. The NCH weekly, monthly, and quarterly update processes continue to add data for up to 4 years. The data in the NCH repository is not deleted; all service years (1991 – present) are permanently maintained. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 1,000,000 or more |
| For what primary purpose is the PII used? | NCH information containing PII is disclosed to: (1) support regulatory reimbursement and policy functions performed within the agency or by a contractor, consultant, or grantee; (2) assist another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent; (3) support providers and suppliers of services for administration of Title XVIII; (4) assist third parties where the contact is expected to have information relating to the individual’s capacity to manage his or her own affairs; (5) assist QIOs; (6) process individual insurance claims by other insurers; (7) facilitate research on the quality and effectiveness of care provided, as well as payment-related projects; (8) support litigation involving the agency; and (9) combat fraud, waste and abuse in Federally-funded health benefits programs. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | The data from the NCH is used for statistical and research purposes related to evaluating / studying the operation and effectiveness of the Medicare program. |
| Describe the function of the SSN. | The SSN is part of the Health insurance claim number (HICN) and it is used in the NCH system to identify the beneficiary. |
| Cite the legal authority to use the SSN. | Sec. 205 [42 U.S.C. 405] of the Social Security Act provides authority to use the SSN. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | The cite for the legal authority to use the SSN is: Sec.205 [42 U.S.C. 405] of the Social Security Act provides authority to use the SSN. Also, the Privacy Act of 1974 (Public Law No. 99-579) and the Health Insurance Portability and Accountability Act (HIPAA) (Public Law No. 104-191). |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: 09-70-0558 National Claims History (NCH) |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | Not applicable |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Records come from other systems that have already provided the appropriate beneficiary notifications. There is no direct collection from an individual of privacy records.
|
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | NCH is based on Medicare claims. Beneficiaries cannot opt-out of CMS collecting claim level information because that information is needed to provide benefits. The method for beneficiaries to opt-out of claim level data collection is to opt out of receiving Medicare benefits. The Privacy Act and HIPAA regulate how the data must be protected and used after the point of collection. The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a "routine use." The proposed routine uses in this system meets the compatibility requirement of the Privacy Act. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Any material changes to the purpose and use of the privacy information in the NCH is published in the Federal Register since this system is a System of Record for Medicare claims. Major changes to the application do not affect the system in a manner that an individual would need to be notified to have their consent obtained. Data elements that are added to the application during specific system updates do not obtain PII.
|
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals may raise concerns by contacting the CMS Privacy Office. Once the incident is reported, they are forwarded to the Computer Security Incident Response Team (CSIRT). Upon notification of a potential concern, the incident is forwarded to the CMS Breach Analysis Team (BAT) for assessment. CSIRT and BAT coordinates with the NCH Business Owner, the Information Systems Security Officer (ISSO), and the Systems Security Officer (SSO) to determine if the reported issue is an actual incident. If the issue is deemed an incident, it will be categorized to determine priority and actions that must be taken to resolve. The incident is then triaged for handling by the appropriate team. The CSIRT follow CMS policies and procedures to contain and resolve the incident. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Not Applicable. However, annual independent operational audits are performed that test the security of the system, which affects data integrity, and testing of contingency planning, which affects the availability of the system. NCH does not manipulate data that comes into the system to ensure accuracy. For relevancy of NCH PII data, the HCIN must always be present to identify a beneficiary. The Centers for Medicare make a determination of any additional data elements that need to be used for research purposes |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Account management mechanisms are established for NCH to identify account types (i.e., individual, group, and system); establish conditions for group membership; and assign associated authorizations. NCH team members are granted access based on the assigned duty and intended system use. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Logical access controls and procedures are established for NCH to ensure that only designated individuals can access the CMS information system. NCH team members with CMS Time Sharing Option (TSO) User IDs re-take the CMS online Information Security and Privacy Training course and re-certify the “System Access” annually via CMS Extended User Authorization (EUA) Passport to continue accessing the approved CMS system(s). When user access is no longer required, due to a change in role on the project or departure from the NCH project team, the NCH Project Manager notifies the CMS NCH Government Task Leader (GTL) to remove the CMS TSO User ID or revoke the specific access privileges that are no longer required. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All personnel (CMS employees and contractors) are required to complete annual CMS Security and Privacy Awareness Training. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | In addition to the Security Awareness training, all NCH contractors are required to complete annual Security & Privacy Training and HIPAA requirements training which is above and beyond general security training. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The CMS Baltimore Data Center Storage Management Guidelines are employed in regards to the retention and destruction of PII. These processes are consistent with the National Archives and Records Administration (NARA) General Records Schedules (GRS) found in Subchapter B of 36 Code of Federal Regulations Chapter XII. CMS retains records until it is determined that they are no longer needed for administrative, legal, audit or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena and law enforcement actions. NCH follows the NARA records disposition schedule for Bucket 3 –Beneficiary Record with a NARA Disposition Authority Number: DAA-0440-2015-0004-0001.
|
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Data is secured in NCH in accordance to CMS Baltimore Data Center Security Standards. From an Administrative controls perspective, NCH documents and updates on a regular basis a System Security Plan, Contingency Plan, and Risk Assessment. Technical controls for NCH consist of RACF, in concert with DB2 security controls and PIV cards, limits access to NCH to authorized users; User IDs and Passwords, RSA Token, Firewall and VPN. Lastly, NCH employs Physical controls such as Guards, Identification Badges, Key Cards and Closed Circuit TVs. |