Skip to main content

Payment Record Processing

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 6/21/2022

PIA Information for Payment Record Processing
PIA QuestionsPIA Answers
OPDIV:CMS
PIA Unique Identifier:P-1089752-368680
Name:Payment Record Processing
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?No
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization6/16/2022
Indicate the following reason(s) for updating this PIA. Choose from the following options.PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.The changes to the Medicare Beneficiary Payment Record Processing (MBPRP) also known as Payment Record Processing (PRP) since the last PIA were the: (1) modification of PRP to accommodate new data elements being received from the Medicare Quality Assurance (MQA) application; (2) deletion of PRP files created during an accidental execution of the PRP#MON schedule; (3) modification of PRP to accommodate new data elements being received from the MQA application; (4) correction of a problem with the PRP monthly file; (5) modification of the PRP application to replace the Automated Production Control and Scheduling System (APCSS) manual control processes with automated controls for managing the monthly and quarterly execution schedules; (6) correction of Job Scheduling and Restart Information in the APCDOCS system for the PRP application; (7) removal of PRP datasets that were created when PRP#MON JOB was executed outside the normal schedule; (8) correction of the PRP Monthly files for October 2016; and (9) modification of PRP to accommodate new data elements being received from the MQA application.  
Describe the purpose of the system

The purpose of the PRP is to assist with the creation of statistics from Medicare Part A claims. These statistics are used by the Centers for Medicare and Medicaid Services (CMS) actuaries to compile various Medicare financial reports and recommendations to CMS management. Medicare Part A claims files are passed to PRP by the Medical Quality Assurance (MQA) application operated by CMS. 

 

PRP processes the Part A claim files and creates skeleton records which only contains claim codes and statistics. No information about Medicare beneficiaries is moved to this copy. The Part A claim skeleton records created by PRP are passed to the Statistical Tabulation System (STS). 

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The PRP contains Medicare beneficiary information such as: name, mailing address, date of birth (DOB), social security number, medical records (healthcare facility type, treatment descriptors, treatment costs/charges and medical codes), medical notes, and claim account numbers.

The information is not collected from CMS employees and/or CMS direct contractors. The information is provided by the MQA application, which is a component of the National Claims History (NCH).  NCH is a FISMA authorized system and maintains a separate PIA.

Please note that all processing performed by PRP is accomplished by PRP batch application programs. In simple terms, these application programs process Part A Medicare claims history to create the skeleton record output files without human intervention. No user interface or access to PRP programs is provided by this application. Because of this constraint, manual changes cannot be performed to programs and data within the PRP application. This also means that there are no user credentials to be captured by PRP processes.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The PRP is a relatively small application internal to CMS that supports the compilation of statistics from Medicare Part A claims history. Part A claims are classified as institutional and include the inpatient/skilled nursing facility, hospice, certain outpatient and home health type claims. 

Beneficiary information is not directly collected by the PRP.  The input data provided to PRP comes from the MQA application, a component of the NCH, which is a FISMA authorized application that maintains its own PIA.  

The PRP processes the Part A input from MQA to create a ‘skeleton’ record, a discreet subset of each Part A claim. Skeleton records created by PRP are accumulated into output files on a monthly and quarterly basis according to a defined schedule. 

Skeleton files created by PRP are a main input to the STS, which is a CMS- internal application that supports statistical report generation and contains no PII. The PRP provides no user interface and supports no user-staff. STS is the only user of files created by the PRP. 

All interfaces between PRP and STS are flat-file based.

Please note that all processing performed by PRP is accomplished by PRP batch application programs. In simple terms, these application programs process Part A Medicare claims history to create the skeleton record output files without human intervention. No user interface or access to PRP programs is provided by this application. Because of this constraint, manual changes cannot be performed to programs and data within the PRP application. This also means that there are no user credentials to be captured by PRP processes.

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • Medical Notes
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Other - Race and Sex
Indicate the categories of individuals about whom PII is collected, maintained or shared.Patients
How many individuals' PII in the system?1,000,000 or more
For what primary purpose is the PII used?The primary purpose of the Personally Identifiable Information (PII) is to create data extracts of Medicare beneficiary Part A claims for statistical reasons.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)There are no secondary uses for which the PII is used.  
Describe the function of the SSN.

The PRP creates skeleton records from Part A Medicare claims history. The purpose of PRP skeleton records is to store data concerned about the Medicare business/process and not to store data concerned about the beneficiary/patient. However, the single exception is the Medicare Claim Numbers, which contain the SSNs of the beneficiaries/patients. The Medicare Claim number is placed in the skeleton records to support identification of the specific provider claim if it becomes necessary to validate the data in the skeleton record; in other words to authenticate the statistics being collected.  The SSN is not used to identify the beneficiary.    

The STS application is the only other CMS application that has access to the skeleton files created by PRP. PRP and STS are CMS-internal applications. Neither application supports an interactive user interface. Both applications are batch data processes. Based on the rules defined for the SSN Reduction Initiative (SSNRI), PRP and STS are not required to support SSN to MBI translation.

Cite the legal authority to use the SSN.The cite for the legal authority to use the SSN is:  Sec. 205 [42 U.S.C. 405] of the Social Security Act provides authority to use the SSN. 
Identify legal authorities​ governing information use and disclosure specific to the system and program.The cite for the legal authority to use the SSN is:  Sec. 205 [42 U.S.C. 405] of the Social Security Act provides authority to use the SSNAlso, the Privacy Act of 1974 (Public Law No. 99-579) and the Health Insurance Portability and Accountability Act (HIPAA) (Public Law No. 104-191) govern the information use and disclosure specific to PRP.  
Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.In accordance with the Privacy Act of 1974, CMS is planning on modifying or altering the existing SOR, ‘‘Payment Record Processing (PRP),’’ System No. 09–70–0005, last published at 67 FR 57015 (September 6, 2002). CMS is proposing to assign a new CMS identification number to this system to simplify the obsolete and confusing numbering system originally designed to identify the Bureau, Office, or Center that maintained information in the Health Care Financing Administration systems of records.
Identify the sources of PII in the system: Directly from an individual about whom the information pertainsOther - NCH
Identify the sources of PII in the system: Government SourcesWithin the OPDIV
Identify the sources of PII in the system: Non-Government SourcesOther - Not applicable.   The PRP does not receive PII from non-government sources.
Identify the OMB information collection approval number and expiration dateThis is not applicable to PRP.
Is the PII shared with other organizations?No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.PRP does not collect personal information from any individuals, so there is no notification process.
Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Beneficiary information is not collected from the beneficiaries by the PRP application. The PRP processes Medicare Part A claims history files received from the MQA component of the NCH.  

 

As explained, MQA is a component of NCH. NCH is a FISMA authorized application and is covered by a separate PIA. NCH is therefore responsible for the providing methods for individuals to opt-out of the collection or use of their PII.

 

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Beneficiary information is not directly collected from the beneficiary by the PRP application. 

The PRP receives and processes MQA Medicare Part A claims history files created for the NCH. As mentioned above, MQA is a component of NCH.  When major changes occur, NCH is, therefore, responsible for notifying and obtaining consent from individuals, whose PII is in NCH. 

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.If CMS employees or direct contractors have concerns about their PII, they would contact the CMS Information Technology (IT) Help Desk by telephone or email and describe the concerns. The IT Help Desk would investigate, determine if further action is needed, and identify corrections, if needed. 
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.Beneficiary information is not directly collected from the beneficiary by the PRP application.  The PRP is provided its information by the MQA application, which is a component of the NCH. The NCH is responsible for conducting periodic reviews of PII and the processes to ensure that the integrity, availability, accuracy, and relevancy of the data is maintained.  This scope of these reviews is discussed in more detail in the NCH PIA. 
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: CMS mission requirements requires access to the PII.
  • Administrators: Administrators would have access to PII for the management of system user access.
  • Developers: Developers may have limited access, if any, to PII to provide PRP application enhancements and testing of enhancements.
  • Contractors: CMS direct contractors may have the role of administrator or developer. If so, then the access to PII would be in line with the explanations for administrators and developers.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

The least privilege standard is utilized for all access to the PRP.  Access Control Lists are used to filter access and control access based on an individual's assigned duties.

Account management mechanisms are established for PRP to identify account types (i.e., individual, group, and system); conditions for group membership are established; and associated authorizations are assigned.

PRP administrators, developers, and contractors are granted access based on the assigned duty and intended system use.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The least privilege standard is utilized for all access to the PRP.  Access Control Lists are used to filter access and control access based on an individual's assigned duties.

Logical access controls (e.g., user name and security token, and security software controls) and role-based access are established for PRP to ensure that only authorized individuals can access PRP.

The PRP project manager notifies the CMS PRP Government Task Leader (GTL) to remove or revoke user access privileges that are no longer required.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All CMS employees and direct contractors are required to complete annual CMS Information System Security and Privacy Awareness Training. 

 

Describe training system users receive (above and beyond general security and privacy awareness training)For system users with specific role-based responsibilities, additional role-based training is required. Depending on the significance of the roles and responsibilities, the users are required to take an additional one (1) to eight (8) training hours per year.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

PRP follows the HHS Record Management and CMS Baltimore Data Center Storage Management Guidelines, which are consistent with the HIPAA record retention requirements and the National Archives and Records Administration (NARA) General Records Schedules (GRS) that provide federal retention requirements. 

PRP records may be retained longer, if they are needed for administrative, legal, audit, or other operational purposes.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative controls secure PII in PRP by limiting access to PII to a small number of authorized users by using role-based access permissions and providing annual security awareness and privacy training PRP application users. 

Technical Controls secure PII in PRP by limiting access to CMS authorized users by requiring a user name combined with a numeric security token for system access; maintaining firewalls; encrypting transmission of information; and implementing intrusion detection and prevention software. 

Physical Controls secures PII in PRP by preventing physical access to CMS IT resources through maintaining a building security guard force; requiring identification badges for building access; and implementing video monitoring of CMS facilities.