Skip to main content

PRI Review System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 11/6/2024

PIA information for PRI Review System
PIA QuestionsPIA Answers
OPDIV:CMS
PIA Unique Identifier:P-7289605-847397
Name:PRI Review System
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?No
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization12/11/2024
Indicate the following reason(s) for updating this PIA. Choose from the following options.
  • PIA Validation (PIA Refresh/Annual Review)
  • Other - Changes in active contracts
Describe in further detail any changes to the system that have occurred since the last PIA.

Since the last Privacy Impact Assessment (PIA), the PRI Review System (the System) has dropped support for one contract: Beneficiary Care Management Program (BCMP) under the Beneficiary and Family Centered Care Quality Improvement Organization (BFCC-QIO) Indefinite Delivery Indefinite Quality (IDIQ) contracts. However, the QIO remains active and new work can come via the IDIQ vehicle.

The System has added support for Independent Dispute Resolution Entity (IDRE). The Department of Health and Human Services (HHS), the Department of Labor (DOL), and the Department of the Treasury (USDT) have certified Provider Resources, Inc. (PRI) to serve as an independent dispute resolution entity in the federal independent dispute resolution process between providers, facilities or providers of air ambulance services and group health plans, health insurance issuers and Federal Employees Health Benefits (FEHB) Program carriers. The “No Surprises” rules create new protections against out-of-network balance billing and establish a new process, called independent dispute resolution, which providers (including air ambulance providers), facilities, and health plans can use to resolve payment disputes for certain out-of-network charges.  As of January 2022, providers, facilities, and health plans can use this process to determine the payment rates for those services.

The System was migrated to the Continuously Available CMS Hosting Environment (DRaaS-CACHE) GSS. Due to resource constraints, the file server component of the System was implemented within the FEDRAMP-compliant instance of Box. A Business Associate Agreement has been executed between the parties.

The net result of these changes is not expected to yield an increase in privacy risk.

The System collects information from individuals for credentialing for some web applications.

Describe the purpose of the systemThe System supports Centers for Medicare and Medicaid Services (CMS) activities where medical records, claims data, or a subset of claims must be analyzed or evaluated to identify specific outcomes.  Information is securely imported into the System from other CMS systems where the Personally Identifiable Information (PII) are first collected.  Reviewers and analysts use secure connections to access the information, where they evaluate it based on specified criteria. Reports or responses are generated to provide the outcomes of the analysis.  This information is then made available to CMS in an appropriate, secure manner. 
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The System maintains some or all of the following information as needed for a review or study:  Medicare claims information, medical records associated with claims under review or study, Beneficiary information, Provider information, and Device identifiers associated with Durable Medical Equipment (DME).   In addition, the following information are maintained in the system:  Coverage Gap Discount Reconciliation (CGDP):  Name, Email, Telephone, Appeal Date, Drug Reaction Network (DRN) Drug Number, Invoice Identifier (ID), Manufacturer Name, Location 

Other - National Provider Identifier (NPI), Computer Numerical Control (CNC), Physician Group Practice, Practice Address, Admission Date, Discharge Date, Discharge Status, Prescription (RX) Amount Paid, group practice name, International Classification of Diseases Tenth Edition (ICD-10) codes, Detailed Reference Number (DRN), Health Insurance Claim Number (HICN), Provider Identification Numbers, Employment Information, sex, Date of Death 

Credentials:  Information collected consists of First and Last name, email address and username/User ID and password.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The System uses the data obtained from other CMS systems to analyze and report on the Medical Care program.  For each facet of the System, this review is specifically focused on mandated facets of Medicare and Medicaid services.  CGDP: The System assists CMS in analyzing Prescription Drug Event (PDE) data to understand how many discounts have been provided in the coverage gap and for which classes of prescription drugs. CMS provides the PII Data utilized which includes Names, Date Elements, Electronic Mail Addresses, Medical Record Numbers and Other Unique Identifier Numbers, Characteristics or codes private individuals.  BFCC QIO: The BFCC-QIO work is an effort to measurably improve the quality of health care for Medicare beneficiaries as well as all individuals protected under Emergency Medical Treatment and Active Labor Act (EMTALA) and to provide peer review for purposes of determining the appropriateness of payment under Medicare.

 The results of all case review activities shall also be used to identify and recommend quality improvement efforts and make recommendations to CMS for approval of focused reviews to be conducted by the BFCC-QIO.

  CMS provides the PII/PHI Data utilized which includes Geographical subdivisions smaller than a State, Date Elements, Phone Numbers, Electronic Mail Addresses, Fax Numbers, Web Universal Resource Locators (URLs) and Other Unique Identifying Numbers, Characteristics or Codes of private individuals.  Overall Summary: The System contains the information needed to perform the appropriate analyses of provided and projected medical treatment. This information varies from project to project, and contains claims information, associated medical record information, associated beneficiary information, provider information, reviewer notes, review and appeals findings, and review and appeals reports. Review and appeals findings reports are shared with CMS. Information is maintained within the system as required by the particular review or study.   CMS employees and Provider Resources, Inc direct contractors are users of the System. Note: Users of the System retrieve cases by case number only and never utilizing PII/PHI.

 

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Device Identifiers
  • Employment Status
  • Date of Death
  • Other - National Provider Identifier (NPI), Computer Numerical Control (CNC), Physician Group Practice, Practice Address, Admission Date, Discharge Date, Discharge Status, Prescription (RX) Amount Paid, group practice name, International Classification of Diseases Tenth Edition (ICD-10) codes, Detailed Reference Number (DRN), Health Insurance Claim Number (HICN), Provider Identification Numbers, Employment Information, Sex, 
    User credentials: User ID and password
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
  • Patients
  • Other - Providers
How many individuals' PII in the system?50,000-99,999
For what primary purpose is the PII used?

Personally Identifiable Information (PII) is used exclusively to perform the review or analysis of claims and credentials are collected to control System access.

 

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)Not applicable.
Describe the function of the SSN.The Social Security Number is used to identify the beneficiary.
Cite the legal authority to use the SSN.The Medicare Secondary Payer Mandatory Reporting Provisions in Section 111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007 (See 42 U.S.C. 1395y(b)(7) &(b)(8))
Identify legal authorities​ governing information use and disclosure specific to the system and program.Section 1893(h) of the Social Security Act 
Section 302 of the Tax Relief and Health Care Act of 2006
Sec. 1862. [42 U.S.C. 1395y] (b)(8)(G)
42 CFR 495.102.a(3)
Section 402(a)(1)(J) of the Social Security Amendments of 1967 (42 U.S.C. 1395b-1(a)(1)(J)).
Are records on the system retrieved by one or more PII data elements?No
Identify the sources of PII in the system: Directly from an individual about whom the information pertainsOther - User IDs are obtained for authorized users
Identify the sources of PII in the system: Government SourcesWithin the OPDIV
Identify the sources of PII in the system: Non-Government SourcesOther - No personally identifiable information (PII) is collected from non-government sources.
Identify the OMB information collection approval number and expiration dateNot applicable.
Is the PII shared with other organizations?No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

For credentialing, notice is provided within the Privacy Notice as well as the Terms and Conditions of Use as to how the System may collect information. By proceeding to access the System, the individual acknowledges the notices.

Other PII held within the System is obtained from the Center for Clinical Standards and Quality (CCSQ) Centralized Data Repository (CDR). Notification is the responsibility of the CCSQ CDR and should be addressed within the systems PIA.

Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Information is collected from individuals only for credentialing. The individual opted to provide said information, so no opt out is necessary.

Other PII within the System is obtained from the Center for Clinical Standards and Quality (CCSQ) Centralized Data Repository (CDR). Methods for opting out would be the responsibility of the CCSQ CDR and should be addressed within the systems PIA.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

There is no scenario where individuals provided information for credentialing would be used for a purpose materially different from that given at the time of collection.

Other PII within the System is obtained from the Center for Clinical Standards and Quality (CCSQ) Centralized Data Repository (CDR). Notification and request for consent would be the responsibility of the CCSQ CDR and should be addressed within the systems PIA.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Individuals request access to the System, providing the necessary information for credentialing. If there is any concern or inaccuracy, the individual may contact the appropriate support via directions provided upon credentialing.

Other PII held within the System is obtained from the Center for Clinical Standards and Quality (CCSQ) Centralized Data Repository (CDR). The process to resolve an individual's concerns in relation to any inappropriately obtained, used or disclosed data or inaccuracies within same is the responsibility of the CMS source system.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.Information is received from other CMS systems for use in this System on a periodic basis.   All data is checked upon import to ensure that the received information is syntactically complete and semantically relevant.  Once the data is in the environment, information stores are backed up in accordance with CMS requirements, and backup tapes checked for integrity and proper operation. Database integrity checks are conducted on a scheduled basis to ensure that information has not been changed.  Functionally, reviewers assess the completeness, relevancy, and accuracy of claims and associated documentation as part of the review process integral to the work process. User access is reviewed on a periodic basis to ensure that only authorized personnel continue to have access to the system.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users - Users require access to review claims which is integral to the work to be performed.  These users are vetted, trained and authorized employees of the organization.
  • Administrators - System administrators do not always have access to PII.  They only have access to PII when they are working within the production system for operational maintenance or for troubleshooting.  This is performed as part of their production support functions.
  • Developers - Developers are occasionally required to provide production support for break fix or defects in production.  PII is never transferred to a nonproduction environment for development purposes.
  • Contractors - The PRI Review System is a direct contractor-managed system. Direct contractors need access to the personally identifiable information (PII) to support system operations and maintenance. 
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.Access to information is based on a user’s specific job function, or role.  Each role is evaluated for the minimum necessary access levels needed for the role to perform the task(s) associated with the job.   These roles are formally validated and serve as the basis for all access to PII.  When an individual is hired, they are assigned the role required to perform their duties.  Access request must be approved by the individual's manager before they can be assigned to that role.   
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.There are two elements to ensure that employees only have the minimum access to PII within the system.  First, job functions or roles within the system are evaluated to determine the permission level required for both the job function and the information needed to perform that function. These permissions are carefully assessed to ensure that the permission allows only the minimum access required to perform the job, and nothing more.   This evaluation is a formal process and is presented to senior leadership for acceptance prior to moving forward.  Second, the permissions are implemented in the system.  This is done by assigning the permissions to a system group, or role.  For example, permissions needed to perform maintenance on the system are assigned to an Administrator group.  Once these groups are constructed, individuals who are qualified, have been pre-screened, and understand their jobs are assigned to a group within the system.  Once within the group the individual can only perform the functions for which they have been cleared.
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.All those associated with system functions are required to gain a thorough understanding of their security and privacy responsibilities prior to accessing the system.  This understanding is accomplished through a battery of training events, including Information Technology (IT) Security and Awareness Training, Rules of Behavior Training, Conflict of Interest Training and Disclosure, Portable Device and Removable Storage Training, Social Networking Training, Phishing Awareness Training, and Health Information Portability and Accessibility Act (HIPAA) Privacy Training.  Users are required to attest to the completion of this training prior to accessing the system.  Refresher training is provided within 365 days every year thereafter.
Describe training system users receive (above and beyond general security and privacy awareness training)Prior to gaining access, all system users receive in depth orientation and training by managers to ensure that they understand the proper operation of the piece of the system which is relevant to them.  This training includes not only proper function, but proper care for CMS Sensitive and Corporate sensitive information.  They receive and are required to annotate understanding of training spelled out in the organization employee manual. Training is an integral component includes periodic refreshers where needed as well as timely tips and reminders within company communications. Additional training is also provided if there are changes in functionality, for example.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Each time a project is undertaken within the System, specific timelines and guidance is provided for the duration of retention of PII.  While being retained, PII is held in a pre-designated, authorized environment.  All PII is encrypted, and access only authorized to those who specifically need it for their job function.   When it is time to be destroyed, PII is destroyed based on the media on which it is stored.  If stored on system storage, it is carefully inventoried prior to destruction.  Once the inventoried PII is validated as the correct information, it is deleted using federally approved data deletion methods so that it cannot be restored.  Once this destruction is complete the information is checked to ensure that it is no longer available for use, and this fact is kept on file.  If information is on physical media such as compact disk (CD) or Digital Video Disk (DVD), the same pre-destruction procedures are followed.  Actual destruction is performed by physical destruction of the media with media pieces shredded afterward.  

As the PRI Review System is not a designated Office of Management and Budget (OMB) System of Record, there is no retention of PII beyond the end of the contract and the date of termination for the CMS Data Use Agreement.

Records will be retained and destroyed in accordance with the General Records Schedule (GRS) 4.2; Item 160, Disposition Authority DAA-GRS-2016-0003-0003. Temporary. Destroy 3 years after associated PIA is published or determination that PIA is unnecessary, but longer retention is authorized if required for business use; and 
Item 161, Disposition Authority DAA-GRS-2016-0003-0004. Temporary. Destroy 3 years after a superseding PIA is published, after system ceases operation, or (if PIA concerns a website) after website is no longer available to the public, as appropriate. Longer retention is authorized if required for business use.4).

 

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.PII is secured using administrative, technical, and physical controls. Administrative controls include extensive screening and background checks for all employees, security and operational training prior to system access and annually thereafter, policies and procedures to provide guidance and articulate expectations, assurance of minimum necessary access to information based on role, and comprehensive management oversight. Technical controls include encryption of all PII while it is being stored and while it is being transmitted both internally within the System and to external entities when appropriate. All equipment associated with the System is configured to federal configuration standards. Networks are configured to detect and prevent unauthorized access from outside the System environment as well as from within. Antivirus software ensures that no corrupted or virus-infected files are allowed to be within the system. Physical controls include controlled access to the System data center. The facility and data center are badge access controlled and monitored through a surveillance camera system. Environmental controls, fire suppression, and backup power are available to help maintain a proper operating environment. Contingency plans are in place to minimize the impact should a disaster occur.