
One Program Integrity

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 10/3/2024

PIA information for One Program Integrity

OPDIV:

CMS

PIA Unique Identifier:

P-8285825-413150

Name:

One Program Integrity

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

6/27/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

N/A

Describe the purpose of the system

One Program Integrity (One PI) provides program integrity contractors, law enforcement personnel, Department of Health and Human Services (HHS) Office of the Inspector General (OIG) investigators, and people from many other organizations "one stop shop" access through a secure portal to analytical tools and data needed to detect and deter Medicare and Medicaid fraud, waste and abuse (FWA). By accessing current and historical Medicare and Medicaid data from the Integrated Data Repository (IDR), users can investigate improper payments, establish payment eligibility, understand the accuracy of claims, perform medical reviews, establish payment error rates, identify fraud schemes, create and enhance fraud prevention models, take administrative actions, respond to law enforcement requests, pursue civil and criminal penalties, and more to protect Medicare and Medicaid trust funds. The One PI system also supports audit functions such as regional Medicare Drug Integrity Contractor (MEDIC) plan audits and Hospital Cost Report audits as additional techniques to identify FWA.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The data that can be obtained through this system of record are extracted from the Centers for Medicare & Medicaid Services (CMS) Integrated Data Repository (IDR). The IDR data that One PI queries are related to the following CMS systems: Medicare Drug Data Processing System; Medicare Beneficiary Database; Medicare Advantage Prescription Drug System; State Medicaid Records; Medicaid Statistical Information System; Retiree Drug Subsidy Program; Common Working File; National Claims History; Enrollment Database; Carrier Medicare Claims Record; Intermediary Medicare Claims Record; Unique Physician/Provider Identification Number; Provider Enrollment Chain & Ownership System (PECOS); and Medicare Supplier Identification File. 

The types of Personally Identifiable Information (PII) data that the One PI system can retrieve from a query include: Social Security Number, Name, Phone Numbers, Medical Notes, Date of Birth, Mailing Address, Medical Records Number, Financial Account Information, Employment Status, Health Insurance Claim Number (HICN), Provider Identification Number, and Provider Tax Identification. The One PI system can also query and display medical claim transactions. Records are only used during the course of active legal investigations and analysis, but are not inherently collected or maintained.

The system does not collect and maintain information on individuals or collect email addresses about system users (such as employees or contractors) in order to control system access. The CMS Enterprise User Administration (EUA) system is used to control access to the system.

For context, the One PI system is used to access and analyze Medicare and Medicaid data. Most importantly, none of the business intelligence (BI) tools used to analyze data are considered a "system of record" for purposes of this analysis. If users want to retain the results of their analysis (for example, to support legitimate law enforcement efforts to prosecute a court case), they must archive the results to a different CMS system, such as the Unified Case Management (UCM) system, which is under a separate privacy impact assessment, and System of Records Notices (SORNs).

Specific data elements used are:

  • Social Security Number

  • Name

  • Phone Numbers

  • Medical Notes

  • Date of Birth

  • Mailing Address

  • Medical Records Number

  • Financial Account Info

  • Employment Status

  • Other: Health Insurance Claim Number (HICN), Provider Identification Number, and Provider Tax Identification, Medical Records Number, Financial Account Information, Employment Status.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

One PI is a data analysis and reporting platform supporting program integrity functions. It helps protect healthcare expenditures by combating fraud, waste and abuse in Medicare and Medicaid. One PI does not inherently collect and maintain this PII, but the systems that do collect and maintain this information are responsible for the security safeguards and have their own PIAs to address the privacy and security controls in place.

The information that the system utilizes for these efforts includes claims data, provider enrollment data, medical review data, financial data and investigative data. Nearly all PII stored in the Integrated Data Repository can be queried and analyzed by One PI. The One PI system can temporarily save queried results provided by the IDR during active investigations and analysis. Specific data elements that are frequently used to access PII records include, but are not limited to:

  • Name

  • Date of Birth

  • Social Security Number

  • Phone Numbers

  • Medical Notes

  • Mailing Address

  • Medical Records Number

  • Financial Account Info

  • Employment Status

  • Health Insurance Claim Number (HICN)

  • Provider Identification Number

  • Provider Tax Identification

  • Medical Records Number

  • Financial Account Information

  • Employment Status

One PI users access PII records based upon investigative requirements. These requirements are usually not driven by a calendar schedule, and are likely to be prompted by events or situations such as fraud alerts, provider or beneficiary activities of interest, audit requirements and other research topics. Some requests are completed within minutes and immediately satisfy their objectives, while other analyses may take many months to build a complete understanding of a complex situation or fraud scheme.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name

  • Phone Numbers

  • Medical Notes

  • Date of Birth

  • Mailing Address

  • Medical Records Number

  • Financial Account Info

  • Employment Status

  • Other - Both MBI and HICN numbers are required for use as data elements.

  • Health Insurance Claim Number (HICN), Provider Identification Number, and Provider Tax Identification, Medical Records Number, Financial Account Information, Employment Status

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Public Citizens

  • Vendors/Suppliers/Contractors

  • Patients

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

Users of One PI are responsible for supporting efforts to protect healthcare expenditures by supporting program integrity functions and combating fraud, waste and abuse in Medicare and Medicaid.

The PII/Protected Health Information (PHI) from the IDR that can be displayed and saved through the One PI system relates to patients' and healthcare providers' Medicare and Medicaid payment transactions. One PI users review the query results for these transactions to help identify cases of fraud, waste and abuse.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

One PI uses PII data from the IDR when performing testing, when training new or existing One PI users (such as investigators and law enforcement), and for researching user activities to improve services and support identification and deterrence of fraud, waste and abuse schemes.

Describe the function of the SSN.

The Social Security Number (SSN) is intended to identify individuals within the database. The SSN is required for analysts to identify individuals. When analyzing claims and provider information, the Medicare Beneficiary Identification (MBI) number (only if present) can optionally be used to perform lawful analysis of the data.

Cite the legal authority to use the SSN.

Section 1893 of the Social Security Act (the Act)

Identify legal authorities governing information use and disclosure specific to the system and program.

Authority for the collection of data maintained in this system is given under §§ 226, 226A, 1811, 1818, 1818A, 1831, 1833(a)(1)(A), 1836, 1837, 1838, 1843, 1866, 1874a, 1875, 1876, 1881, and 1902(a)(6) of the Social Security Act (the Act). The following are the corresponding sections from Title 42 of the United States Code (U.S.C.): 426, 426-1, 1395c, 1395i-2, 1395i-2a, 1395j, 1395l(a)(1)(A), 1395o, 1395p, 1395q, 1395v, 1395cc, 1395kk-1, 1395ll, 1395mm, 1395rr, 1396a(a)(6), and § 101 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-173), which established the Medicare Part D program.

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

09-70-0571, Medicare Integrated Data Repository
09-70-0568, One Program Integrity Data Repository

Identify the sources of PII in the system: Government Sources

  • Within the OPDIV

  • Other HHS OPDIV

  • State/Local/Tribal

  • Other Federal Entities

Identify the OMB information collection approval number and expiration date

Not applicable

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Within HHS: PII is used to conduct fraud, waste and abuse investigation activities, and is shared with the Unified Program Integrity Contractors (UPIC) and One PI system maintainer contractors, all of whom are vetted by CMS.

  • Other Federal Agency/Agencies: Department of Justice. PII is used to conduct fraud, waste and abuse investigation activities.

  • State or Local Agency/Agencies: PII is used to conduct fraud, waste and abuse investigation activities.

Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

The Data Use Agreement (DUA), custodian form CMS-R-0235, must be executed prior to the disclosure of data from the CMS Systems of Records to ensure that the disclosure will comply with the requirements of the Privacy Act, Privacy Rule, and CMS data release policies. It must be completed prior to the release of, or access to, specified data files containing protected health information (PHI) and individual identifiers.

Describe the procedures for accounting for disclosures

To the extent that this system contains Protected Health Information (PHI) as defined by HHS regulation "Standards for Privacy of Individually Identifiable Health Information" (45 CFR parts 160 and 164, subparts A and E) 65 FR 82462 (12–28–00), disclosures of such PHI that are otherwise authorized by the routine uses may only be made if, and as, permitted or required by the "Standards for Privacy of Individually Identifiable Health Information." (See 45 CFR 164–512(a)(1)).

The Center for Program Integrity requires that all One PI users sign data use agreements (DUA) custodian forms. All access to sensitive information by One PI users is tracked by the data source within the CMS IDR.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Individual notification is not required; the information in One PI is collected from other CMS systems, which are responsible for notification to individuals. For example, the Integrated Data Repository (IDR) has its own PIA and details these notification requirements.

The system does not collect any information (like email addresses) about system users (such as employees or contractors).

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

One PI does not directly interact with individuals to collect personal information. The information in One PI is obtained for investigation analysis and used for investigative purposes; there is no option given to individuals to object to the information collection or to opt out.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

One PI is not required to notify or obtain consent since the information in One PI is collected from other CMS systems, which are responsible for notification to individuals. For example, the IDR has its own PIA and details these notification requirements.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The integrity of PII in One PI is managed by the original data sources. To correct an individual's PII in the system, or to inquire into concerns that an individual's PII has been compromised, that individual should place an inquiry with the CMS system that collects the data. Beneficiaries and providers can contact CMS at 1-800-MEDICARE if they suspect that their information has been compromised.

If the CMS direct contractor believes that a PII breach has occurred, then the CMS incident handling procedures would be followed.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The CMS Information Security Levels are reviewed periodically to determine the appropriate level of system security based on the confidentiality, integrity, and availability of the information as well as its criticality to the agency's business mission. These reviews are conducted at least annually or when major system capabilities are changed. As the One PI system is not the original system that collects PII, it does not periodically review its PII. The original sources (systems) of the PII do review PII. One PI users do not have the ability to modify or destroy any PII data.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: One PI users use PII to detect and prevent Medicare/Medicaid fraud, waste, and abuse.

  • Administrators: System administrators handle changes/upgrades to the system and the receipt, processing and loading of data into the system.

  • Developers: Select developers, such as data coaches, have access to PII in the performance of their duties.

  • Contractors: Program Integrity direct contractors use the system to detect and prevent Medicare/Medicaid fraud, waste, and abuse.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to PII is controlled by the End User Administration (EUA) job code assigned to each user. Requested job codes must be approved by the system owner and the user manager. The job codes grant or restrict permissions to access PII based on the principle of 'least privilege.'

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Based on the authorized job codes assigned to each individual, the relational database warehouse uses database views to restrict PII access to the minimum number of rows and columns required by a particular role.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All system users having access to One PI are held to the same standard of data protection. CMS makes users aware of their data protection obligations through the CMS annual Security and Privacy Awareness Training, and annual Records Management Training.

Describe training system users receive (above and beyond general security and privacy awareness training)

In addition to CMS Security and Privacy Awareness Training and standard records retention training, any user accessing data supplied through the One PI system receives technical training on how to properly operate the relevant tools.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Records will be retained until an approved disposition authority is obtained from the National Archives and Records Administration (NARA). All claims-related records are encompassed by the document preservation order and will be retained until notification is received from the Department of Justice (DOJ). The NARA record retention schedule citation is Disposition Authority: N1-440-04-3, Item 1a.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Access to the systems is given based on 'need to know' and job responsibilities. Systems grant or deny access to data based upon 'need to know' roles. External audits also verify these controls. Technical controls used include user identification, passwords, security session tokens, firewalls, virtual private networks and intrusion detection systems. Physical controls used include guards, identification badges, key cards, cipher locks and closed-circuit televisions.