Program Integrity Contractor CoventBridge
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 9/21/2023
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-2340102-053752 |
| Name: | Program Integrity Contractor CoventBridge |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 8/1/2022 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | Significant System Management Change |
| Describe in further detail any changes to the system that have occurred since the last PIA. | PI-Advance Med major application migrated from on-premises data center to CMS Cloud. |
| Describe the purpose of the system | The Unified Program Integrity Contract Mid-West (UPIC-MW) is used to perform fraud and abuse investigations, support benefit integrity efforts, provide medical review support, national and regional data analysis, and law enforcement support. UPIC-MW uses a variety of methods to perform its fraud and abuse investigation functions; including reviewing received claims, as well as validating beneficiary, and provider data for Medicare and Medicaid. The overall goal is to reduce improper payments by identifying and addressing coverage and coding billing errors for all provider types.
|
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The UPIC-MW collects, maintains and shares claims, beneficiary and provider data with the Medicare Fee For Service (FFS) and State Medicaid programs for the purpose of detecting and preventing fraud, waste, and abuse.
The UPIC-MW process is performed through independent reviews of multiple Medicare and Medicaid Claims and medical records that include PHI and PII information, such as patient’s Health Insurance Claim Number (HICN), beneficiary name, age, date of birth, social security number, mailing address, medical records number, patient International Classification of Diseases (ICD) diagnosis description and notes from the provider about the patient and secondary insurer identification information (if applicable).
The medical claim records also contain public provider information, such as the name of providers and contractors (not direct contractors), their phone number and address.
As part of the claim's reviews, investigators also review PII information about the provider that is relevant to the ongoing investigation, such as licensures, certifications, attachments of financial information (bank account numbers, property ownership), and relationships with other entities within their group. The combination of this information is used by investigators to make proper Medicare and Medicaid claim payment determinations.
Information is retained for a period of 10 years, in accordance with the National Archives and Records Administration (NARA) guideline DAA-GRS-2013-0008-0001.
Approved UPIC-MW users access the system through an Intranet-only application and are prompted to enter in their designated username and password when accessing the system.
Data elements collected, maintained (stored), or shared include: HICN, beneficiary name, age, date of birth, social security number, mailing address, medical records, medical records number, patient ICD diagnosis description, notes from the provider about the patient, secondary insurer information, certificates, taxpayer ID, and Financial Account information, Medicaid, and Medicare claim information. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The purpose of the UPIC-MW program is to assist CMS with its program integrity responsibilities regarding fraud, waste, and abuse prevention and detection. The contractors who perform this work for CMS are not direct contractors of CMS and shall be referred to as "contractors" throughout the document.
Data captured includes Claims Histories, Provider Profiles, Peer Comparisons, Average Billing Reports and statistically valid random samples that contain beneficiary PII, PHI and claims data.
The UPIC-MW collects, maintains and shares claims, beneficiary and provider data with the Medicare Fee For Service (FFS) program and State Medicaid programs.
The UPIC-MW uses the AdvanceTrack application to track the entire Medicare and Medicaid fraud audit process by recording findings and generating timely and accurate reports based on the claims data that is reviewed.
The UPIC-MW can retrieve records by any element contained in the Medicare or Medicaid claims data, including PII. This data will relate to providers and beneficiaries in both the Medicare and Medicaid programs. Pre-investigation, data is run on procedure codes, provider specialties, and geographic areas to identify potential outliers. Once an investigation is opened, records are retrieved through Provider ID (either National Provider Identifier (NPI) or Medicare/Medicaid ID) and Employer Identification Number (EIN). Similarly, beneficiary PII is used for identification and to search for claims or other investigation information pertinent to analyzing data to detect fraud, waste, and abuse in the Medicare and Medicaid systems. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 100,000-999,999 |
| For what primary purpose is the PII used? | The primary purpose of Personally Identifiable Information (PII) and Protected Health Information (PHI) for use in UPIC-MW is to ensure correct Medicare and Medicaid claim payment determinations.
User credential information is used for authentication to the system in order to access the system as well as for maintenance and operations of the system. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There is no secondary use for the PII in the system. |
| Describe the function of the SSN. | Social Security Numbers are used to verify the identity of providers and beneficiaries in an effort to combat fraud, waste and abuse within the Medicare and Medicaid programs. |
| Cite the legal authority to use the SSN. | Sections 1816, 1842, 1862(b) and 1874 of Title XVIII of the Social Security Act (42 United States Code (U.S.C.) 1395u, 1395y(b), and 1395kk). |
| Identify legal authorities governing information use and disclosure specific to the system and program. | The UPIC-MW system adheres to the Improper Payments Elimination and Recovery Improvement Act (IPERIA, January 2013) as the legal authority governing information use and disclosure.
Sections 205, 1106, 1107, 1815, 1816, 1833, 1842, 1872, 1874, 1876, 1877, and 1902 of the Act (Title 42 United States Code (U.S.C.) sections 405, 1306, 1307, 1395g, 1395h, 1395l, 1395u, 1395ii, 1395kk, 1395mm, 1395nn, and 1396a) |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0527 The Fraud Investigation Database 09-70-0568 One Program Integrity Data |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | Not Applicable. The only direct collection is for user credential information collected by the system for user access logon. |
| Is the PII shared with other organizations? | Yes |
| Identify with whom the PII is shared or disclosed and for what purpose. |
|
| Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | The Memorandum of Understanding (MOU) is between Centers for Medicare and Medicaid Services (CMS) & Health and Human Services Office of Inspector General (HHS OIG) & U.S. Department of Justice Federal Bureau of Investigation (DOJ FBI). Joint Operating Agreements exist between the UPIC-MW and all State Medicaid agencies. |
| Describe the procedures for accounting for disclosures | CoventBridge tracks all request for information through its proprietary application AdvanceTrack, which keeps a record of the date of the request, what information was released and when and to whom. All AdvanceTrack records are kept within CMS Cloud environment at a secure backup facility indefinitely. |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | CMS and Medicare Administrative Contractors (MACs) collect PHI and PII directly from individuals. The role of the UPIC-MW is to conduct audits that identify potential fraud, waste and abuse based on medical records and claim data provided to the UPIC-MW from CMS and MACs. Therefore, providing prior notice to individuals regarding collection of patients PII and PHI related information is not a function of the UPIC-MW.
However, Medicare beneficiaries sign a privacy act notice when they become eligible for Medicare that informs them that information, they provide to justify payments will be used to determine the appropriateness of the payment.
Similarly, State Medicaid Agencies collect PHI and PII directly from individuals. The role of the UPIC-MW is to conduct audits that identify potential fraud, waste and abuse based on medical records and claim data provided to the UPIC-MW from CMS and the State Medicaid Agencies. Therefore, providing prior notice to individuals regarding collection of patients PII and PHI related information is not a function of the UPIC-MW.
The PII that is collected for the users, developers and administrators of the system is assigned to a unique username and password to log in to the system. This is required to perform their job functions. No prior notice is provided by UPIC-MW. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Another CMS system collects PHI and PII directly from individuals, which is then provided to UPIC-MW system. Therefore, allowing individuals to opt-out is not a function of UPIC-MW system.
The PII that is collected for the users, developers and administrators of the system is assigned to a unique username and password to log in to the system. This is required to perform their job functions. Therefore, there is no option to opt-out provided by UPIC-MW. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Another CMS system collects PHI and PII directly from individuals, which is then provided to UPIC-MW system. Therefore, the responsibility of notifying individuals of major changes to the system is not a function of the system.
There is no process to notify users that their PII will change from the original collection. Those that access the system are assigned a unique username and password to log in to the system which do not contain any PII. Therefore, there is no reason for the use or disclosure to ever change. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Another CMS system collects PHI and PII directly from individuals, which is then provided to UPIC-MW systems. Therefore, the responsibility of notifying individuals of major changes to the system is not a function of the UPIC-MW system. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The UPIC-MW IT Team are responsible for conducting quality checks to ensure the availability and integrity of the data.
The UPIC MW system inherits the CMS Cloud infrastructure to provide a consistent high-availability environment. Specifically, data is stored using Amazon Relational Database Service (RDS) and FSx Windows File Server with multiple availability zones (Amazon Web Service data centers) to ensure the data is highly available.
To ensure integrity, data is stored using Amazon FSx Windows File Server which utilizes shadow copies to allow prior version restores of files. In addition to daily backups, Amazon RDS conducts incremental backups of any data changes. All communication and data in transit is encrypted to provide protection against unauthorized intrusions.
CMS is responsible for ensuring the accuracy and relevancy of the PII data. If a data analyst identifies a discrepancy in the PII data, then UPIC MW will notify CMS. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to the UPIC-MW system is based on pre-defined user roles. Therefore, pre-defined user roles govern which permissions system users receive. UPIC-MW users only have access to PII that corresponds with their job function which is approved by a CMS Access Administrator (CAA). |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | UPIC-MW enforces the concept of least privilege when accessing PII data so that users can access only the minimum amount of PII needed to perform their job function. This is done through first determining the user’s role prior to account creation and then placing users in the appropriate organizational unit that has the predefined least privileges, such as access denied, read-only or edit. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | CoventBridge provides mandatory CMS Security Awareness and Privacy training to all users on an annual basis which describes the security responsibilities of the users and administrators to protect the confidentiality, integrity and availability of PII and PHI data. Training topics also include the required security mechanisms for storing PII and PHI when not in use, printed on media or sent offsite for archiving purposes. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | UPIC-MW users and administrators are also trained on the appropriate incident reporting and handling process and procedures in the event of an incident pertaining to PII and PHI. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The UPIC-MW program information is retained off site at a CMS Cloud redundant availability zone secure storage facility for a period of 10 years, in accordance with the National Archives and Records Administration (NARA) guideline DAA-GRS-2013-0008-0001. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | All PII and PHI is processed and maintained within a secured environment that complies with all CMS security policies and security requirements. Facilities are secured where PII is stored. This includes physical security components (e.g., hardware, walls, doors and locks).
System security controls also includes those components not directly associated with information processing and /or data/information retention such as scanners, copiers, and printers. PII is protected at rest using an approved method of cryptography consistent with Federal Information Processing Standards (FIPS) 140-2 and National Institute of Standards and Technology (NIST), Special Publication (SP) 800-66 guidance.
Physical media containing PII in transit is controlled using locked cabinets or sealed packing cartons. Privacy controls are built into system design and development processes to mitigate privacy risks associated with PII and PHI.
The overall security program provides a comprehensive set of security services to include privacy and security awareness training, corrective action plans, continuity planning, independent external tests of security controls, risk assessments, system security plans, and incident response planning. |