
Payment Error Rate Measurement-Eligibility Review Data Collection Tool

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 11/5/2024

PIA Information for the Payment Error Rate Measurement-Eligibility Review Data Collection Tool
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-6815186-516565

Name:

Payment Error Rate Measurement-Eligibility Review Data Collection Tool

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

7/13/2022

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

The Case History Database (CHD) and Dashboard application modules were added to the system. New servers have been provisioned to host these applications.

- The Case History Database (CHD) is a web-based internal application. It is used by Business Analysts to reconcile changes between the Error Rate Data Collection Tool (ERDCT) and State Medicaid Error Rate Finding (SMERF) applications at the case level.

- Dashboard is a web-based application that aggregates eligibility review status, error rates, qualifiers, and other metrics and provides visualizations to CMS users for real-time updates.

These changes do not result in any new PII elements. 

Describe the purpose of the system

The purpose of the Payment Error Rate Measurement-Eligibility Review Data Collection Tool (ERDCT) system is to perform eligibility review functions in support of the Medicaid and Children’s Health Insurance Program (CHIP) Payment Error Rate Measurement program (PERM). The PERM program produces national-level payment error rates for Medicaid and CHIP as required by the Improper Payments Information Act of 2002 (IPIA), as amended by the Improper Payments Elimination and Recovery Act of 2010 (IPERA) and the Improper Payments Elimination and Recovery Information Act of 2012 (IPERIA). Medicaid and CHIP are administered by state agencies according to each state’s unique program characteristics, and the system facilitates the secure collection, storage, analysis, and reporting of state-specific eligibility data in order to calculate a comprehensive, state-by-state error rate for both the Medicaid and CHIP programs and to meet program requirements.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

Social Security Number
Name
Driver's License Number
Mother's Maiden Name
E-Mail Address
Phone Numbers
Certificates
Taxpayer ID
Date of Birth
Vehicle Identifiers
Mailing Address
Medical Records Number
Financial Account Info
Legal Documents
Employment Status
Other - Wage stubs
Username
Password

The information is retained in the CMS AWS for a period of 7 years (or when no longer needed for agency business, whichever is later), in accordance with the National Archives and Records Administration (NARA) guidelines. PERM follows the DAA-0440-2015-0012 - Compliance and Integrity; records that support compliance and integrity activities and functions, regardless of CMS programs, including plans, agreements; administrative records, records related to surveys, reviews, and audits; reports; and legal records related to compliance and integrity operations.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The ERDCT system is composed of four main components.

The first component is a secure file transfer protocol (SFTP) service, the second is the Eligibility Review and Data Collection Tool (ERDCT), the third is the Case History Database (CHD), and the fourth is the Dashboard application.

The SFTP component is used to transfer medical claims information and eligibility verification information into the system.

In the ERDCT component, the reviewers (about 80 users) log into the system and use it to view the eligibility records collected and stored in the file systems of the ERDCT server. The reviewers then enter their eligibility determinations and notes into the ERDCT system. The output of the system is an XML file (which does not contain PII or PHI) that is manually uploaded each workday to the State Medicaid Error Rate Findings (SMERF) system via an encrypted HTTPS interface. The SMERF system is a CMS-owned system operated by the PERM Eligibility Review Contractor (RC). The SMERF system is covered under the Medicaid-CHIP Payment Error Rate Measurement – Empower AI (formerly known as NCI) Review Contractor (RC) PIA.

The Case History Database (CHD) component is used by data analysts and reviewers to reconcile the information; additionally, the CHD is used to track documentation received from the states.

The Dashboard component displays review status information in an interactive manner and allows CMS to view aggregated data on an on-demand basis.

CMS Enterprise User Administration (EUA) provides access to the system for System Administrators and Reviewers who use the non-public-facing component of the system (ERDCT). EUA is covered by the EUA PIA. The SFTP component of the system leverages EUA for users with CMS EUA IDs and collects usernames and passwords for the other users. The Dashboard component leverages CMS IDM (Okta) and CMS EUA IDs for access.

ERDCT users who access or use the system do not use personal identifiers to retrieve records held in the system. 

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name
  • Driver's License Number
  • Mother's Maiden Name
  • E-Mail Address
  • Phone Numbers
  • Certificates
  • Taxpayer ID
  • Date of Birth
  • Vehicle Identifiers
  • Mailing Address
  • Medical Records Number
  • Financial Account Info
  • Legal Documents
  • Employment Status
  • Other - Username, password, wage stubs

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Public Citizens

  • Patients

  • Other - Public citizens, patients, business partners/contacts (federal, state, and local agencies), vendors/suppliers/contractors. Ad-hoc SFTP users (Lewin, the Statistical Contractor (SC); Empower AI (formerly known as NCI), the Review Contractor (RC); and state information providers) access the SFTP system, and their access is maintained in the database.

How many individuals' PII in the system?

100,000-999,999

For what primary purpose is the PII used?

The primary purpose of the PII within the system is to calculate payment error rates for the Medicaid and CHIP programs. This PII is not used to retrieve or match data/claims, and PERM users who access or use the system do not use any personal identifiers to retrieve records held in the system. The system organizes data by claim files that are represented by a PERM ID. The PERM ID is used for matching/retrieval of data in the system. The PERM ID is comprised of non-identifying data elements that include the state, the type of claim (Medicaid (m) or CHIP (c)), the year, the quarter number, the payment method (fee for service (f); managed care (m)), and a 3-digit sequential number. For example, the 51st fee-for-service payment sampling unit from the Alabama 2020 Q1 CHIP universe will have the following PERM ID: ALC2001F051.
The PII in the system also includes usernames and passwords. The only usernames and passwords in the system are for those individuals who use the SFTP. This includes state points of contact and the CMS PERM Statistical Contractor (SC), who upload their own data and have access only to their own uploaded data within the SFTP until it is moved into the ERDCT database and purged from the SFTP.
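As an added illustration (not part of the PIA and not the ERDCT system's own code), the following Python parses and validates the PERM ID layout described above and screens a list of candidate retrieval keys so that anything not shaped like a PERM ID (an SSN-like string, for instance) is flagged. The field widths and the 20yy century rule are inferred from the single example ALC2001F051, since the PIA does not state them; the function names and the sample keys are constructed for this example.

```python
"""Parse and validate PERM IDs, the non-identifying retrieval key described in the PIA."""
import re
from dataclasses import dataclass

# Layout inferred from the PIA's worked example ALC2001F051 (Alabama, CHIP,
# 2020, Q1, fee for service, unit 51). The PIA does not state field widths
# or a century rule, so both are assumptions in this example.
PERM_ID_RE = re.compile(
    r"(?P<state>[A-Z]{2})"      # two-letter state code
    r"(?P<program>[MC])"        # M = Medicaid, C = CHIP
    r"(?P<year>\d{2})"          # two-digit year (assumed to mean 20yy)
    r"(?P<quarter>0[1-4])"      # quarter, zero-padded to two digits
    r"(?P<method>[FM])"         # F = fee for service, M = managed care
    r"(?P<sequence>\d{3})"      # three-digit sequential unit number
)

PROGRAMS = {"M": "Medicaid", "C": "CHIP"}
METHODS = {"F": "fee for service", "M": "managed care"}


@dataclass(frozen=True)
class PermId:
    state: str
    program: str      # "Medicaid" or "CHIP"
    year: int
    quarter: int
    method: str       # "fee for service" or "managed care"
    sequence: int


def parse_perm_id(value: str) -> PermId:
    """Return the decoded fields of a PERM ID, or raise ValueError."""
    match = PERM_ID_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"not a well-formed PERM ID: {value!r}")
    return PermId(
        state=match["state"],
        program=PROGRAMS[match["program"]],
        year=2000 + int(match["year"]),
        quarter=int(match["quarter"]),
        method=METHODS[match["method"]],
        sequence=int(match["sequence"]),
    )


def format_perm_id(pid: PermId) -> str:
    """Inverse of parse_perm_id: rebuild the 11-character key."""
    program = {v: k for k, v in PROGRAMS.items()}[pid.program]
    method = {v: k for k, v in METHODS.items()}[pid.method]
    if not 1 <= pid.quarter <= 4 or not 0 <= pid.sequence <= 999:
        raise ValueError("quarter or sequence out of range")
    return (f"{pid.state}{program}{pid.year % 100:02d}"
            f"{pid.quarter:02d}{method}{pid.sequence:03d}")


def screen_retrieval_keys(keys):
    """Split candidate retrieval keys into well-formed PERM IDs and rejects.

    Anything that is not a PERM ID (for example an SSN-shaped string) is
    rejected. This is the kind of check a defender would run over an export
    or a lookup log to confirm that records are retrieved only by the
    non-identifying key, as the PIA states.
    """
    accepted, rejected = [], []
    for key in keys:
        try:
            parse_perm_id(key)
        except ValueError:
            rejected.append(key)
        else:
            accepted.append(key)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: two well-formed keys, one SSN-shaped string,
    # and one key with an impossible quarter number.
    sample = ["ALC2001F051", "NYM2104M007", "123-45-6789", "ALC2005F051"]
    ok, bad = screen_retrieval_keys(sample)
    print("accepted:", ok)
    print("rejected:", bad)
    print(parse_perm_id("ALC2001F051"))
```

The regex is deliberately strict (uppercase only, exact widths, quarter 01 to 04) so that a malformed or PII-bearing value can never be mistaken for a PERM ID; `format_perm_id` round-trips a parsed value so the two functions can be checked against each other.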

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

There is no secondary use of PII.

Describe the function of the SSN.

The SSN is used to confirm that the SSN was verified as part of the eligibility determination. Only the last 4 digits of the SSN are stored in ERDCT; the full SSN can only be found in screen prints (from the state systems) that are housed within the AWS environment as evidence that the full SSN is present in the state system. The SSN is not used to retrieve or match data/claims in ERDCT.

Cite the legal authority to use the SSN.

Authority for the use of the SSN is provided by Section 1137 of the Social Security Act (42 U.S.C. § 1320b-7) and E.O. 9397.

Identify legal authorities governing information use and disclosure specific to the system and program.

42 CFR § 431.950. This subpart requires States and providers to submit information and provide support to Federal contractors as necessary to enable the Secretary to produce national improper payment estimates for Medicaid and the Children's Health Insurance Program (CHIP). In addition, authority for this system is given under provisions of the Improper Payments Information Act of 2002 (Pub. L. 107–300) and sections 1102, 1902(a)(6), 1902(a)(27), and 2107(b)(1) of the Social Security Act.

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Other - Data is provided from state eligibility systems and from state Medicaid samples

Identify the sources of PII in the system: Government Sources

  • Within the OPDIV

  • State/Local/Tribal

Identify the sources of PII in the system: Non-Government Sources

 

Identify the OMB information collection approval number and expiration date

The system does not use electronic or paper forms from the public.

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Within HHS: Information may be shared within CMS to determine the proper administration of the PERM program.

  • Private Sector: Information may be shared with private sector to determine the proper administration of the PERM program.

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

The Payment Error Rate Eligibility Review Contractor (PERM ERC) maintains separate data use agreements with all states that are under review. Presently 51 Data Use Agreements (DUAs) have been authored and approved by both state and Booz Allen Hamilton authorized signers. 

Describe the procedures for accounting for disclosures

If PII must be disclosed, an accounting of disclosures can be created by tracing back the individual request to the data in the system through system logs and data export information.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Not applicable. Notice is the responsibility of the states, which administer Medicaid and the Children’s Health Insurance Program and collect the information directly from the individual.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The system does not collect data directly from individuals and therefore there is no option to object or opt out of the collection of PII. The data is collected from the various state Medicaid and Children’s Health Insurance Program offices that administer the programs. The ERDCT system does not ingest data from other federal agency systems that may be subject to PIA requirements. 

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Notice is provided by the various state Medicaid and Children’s Health Insurance Program offices who administer their programs. The states use their own state systems and process to collect information to administer their programs. Since the states collect the information from the individuals, the states provide notice and consent. Individuals seeking to understand what data the state health department collects, uses, and maintains on them, including notice of collection or opportunities to consent should contact their individual state health department and consult the state health department privacy policies for more information. If CMS changes its practices with regard to the collection or handling of PII related to the system, CMS will adopt measures to provide any required notice and obtain consent from individuals regarding the collection and/or use of PII. Individuals that use the SFTP are provided notice via the SFTP instructions that their username and password are only being used and stored to access the SFTP system.  

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The data is collected from the states, which maintain their own systems. There are at least 51 such systems, since each state has at least one system. The state systems do not have Federal-agency-mandated PIAs, as they are not governed by the E-Government Act of 2002.

If an individual has concerns about the data in the ERDCT, they would need to follow the CMS standard process. For purposes of access, and in accordance with 45 CFR § 5b.5, the subject individual should write to the system manager, who will require the system name and the retrieval selection criteria. Individuals can also consult the Medicaid Program and State Children’s Health Insurance Program Payment Error Rate Measurement (PERM) SORN published at 83 FR 6591 for more information on the process. Individuals who suspect their PII has been inappropriately obtained, used, or disclosed in any CMS system have several avenues available to address their concerns. Often, these individuals contact the office or center where they have determined that their information is held. Individuals may then make further requests for their information to be corrected or amended as needed. Users or direct contractors with such concerns can additionally work with their supervisors, the CMS 24-hour technical assistance line, and other channels. External users can contact the PERM ERC System Administrator or Help Desk for assistance. A list of contacts for various applications is publicly available from CMS.gov as well.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

PII is provided by individuals to the states. The individual is responsible for providing accurate information to the states. One of the main functions of the PERM program is to validate the eligibility determinations made by the states. This requires continuous evaluation of the accuracy and integrity of the data. The minimum amount of data is collected to perform the review process, ensuring that only relevant data is collected and maintained. In addition, prior to use of the data, the system runs an automated validation process that performs a series of checks against the data to ensure its accuracy and integrity. Access is granted and restricted at the individual level as appropriate to the individual's duties (role-based access). Integrity and availability are protected by security controls selected and implemented in the course of providing the system with an authority to operate (ATO). CMS performs annual reviews to evaluate user access. One of the controls includes information system backups reflecting the requirements in contingency plans as well as other agency requirements for backing up information.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Users require access to review eligibility determinations. Users who are reviewers will have access to all the PII in the system to perform the eligibility reviews.

  • Administrators: Administrators require access to troubleshoot problems with the system. Administrators and developers have access to all the PII but do not use it as part of their role; access is incidental to their technical roles in administering and troubleshooting the system.
  • Developers: Developers require access to develop and test functionality of the system. To test certain functionality related to specific data elements, developers need access to redacted information.
  • Contractors: Direct Contractors (who are the Reviewers/users) need access to make decisions regarding the appropriateness of the Medicaid and CHIP eligibility decisions made by state Medicaid and CHIP eligibility workers.
  • Others - State users: State users only have access to the information they upload to the SFTP (which is information that comes from their own state systems). States that upload their data have access only to the data they upload to the SFTP; they do not have access to any other component of the system or any other data.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Users are evaluated when they apply for credentials to the system and are assigned appropriate roles based upon least privilege. The system includes role-based access controls that allow fine-grained access to data according to the need for reviewers to see certain information. ERDCT Administrators do not have access to the login credentials, which are controlled by CMS Enterprise User Administration (EUA). This is an inherited control, and CMS EUA has its own PIA. ERDCT Administrators have access to usernames for the SFTP service to maintain accounts, but they do not have access to passwords.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The system includes role-based access controls to provide access to data according to the need for reviewers to see certain information. The system limits access based on Active Directory roles. Additionally, two-factor authentication and encryption provide technical controls, and account access is monitored and logged.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All staff with access to the system are required to take the CMS Information Systems Security Awareness Training. This training is administered annually, is confirmed by a test at the end, and the system verifies completion of the course.
This training is mandatory and is required for continued access to CMS systems. Additionally, rules of behavior for privileged users and acceptable use policies are acknowledged by privileged users.

Describe training system users receive (above and beyond general security and privacy awareness training)

Users receive specific PERM Security and Privacy training, as well as specific process training that is geared toward careful handling of sensitive information. This training is conducted once before being granted access to the system and annually thereafter.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

No

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The information is retained in the CMS AWS for a period of 7 years (or when no longer needed for agency business, whichever is later), in accordance with the National Archives and Records Administration (NARA) guidelines. PERM follows the DAA-0440-2015-0012 - Compliance and Integrity; records that support compliance and integrity activities and functions, regardless of CMS programs, including plans, agreements; administrative records, records related to surveys, reviews, and audits; reports; and legal records related to compliance and integrity operations.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative safeguards: include policies and procedures around access and use of PII, change management, incident response, awareness and training, and system logging and review.

Technical safeguards: include encryption, role-based access, automatic logoff/timeout, and two-factor authentication.

Physical safeguards: This is a CMS AWS cloud-based system. No data is stored outside of the AWS environment. Physical access to AWS data center is controlled by Amazon and includes security guards, surveillance cameras, multifactor authentication for entry and exit.