Skip to main content

Program Integrity Contractor CoventBridge

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 9/21/2023

PIA Information for Program Integrity Contractor CoventBridge
PIA QuestionsPIA Answers
OPDIV:CMS
PIA Unique Identifier:P-2340102-053752
Name:Program Integrity Contractor CoventBridge
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?No
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization8/1/2022
Indicate the following reason(s) for updating this PIA. Choose from the following options.Significant System Management Change
Describe in further detail any changes to the system that have occurred since the last PIA.PI-Advance Med major application migrated from on-premises data center to CMS Cloud.
Describe the purpose of the system

The Unified Program Integrity Contract Mid-West (UPIC-MW) is used to perform fraud and abuse investigations, support benefit integrity efforts, provide medical review support, national and regional data analysis, and law enforcement support. UPIC-MW uses a variety of methods to perform its fraud and abuse investigation functions; including reviewing received claims, as well as validating beneficiary, and provider data for Medicare and Medicaid. The overall goal is to reduce improper payments by identifying and addressing coverage and coding billing errors for all provider types.

 

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The UPIC-MW collects, maintains and shares claims, beneficiary and provider data with the Medicare Fee For Service (FFS) and State Medicaid programs for the purpose of detecting and preventing fraud, waste, and abuse.

 

The UPIC-MW process is performed through independent reviews of multiple Medicare and Medicaid Claims and medical records that include PHI and PII information, such as patient’s Health Insurance Claim Number (HICN), beneficiary name, age, date of birth, social security number, mailing address, medical records number, patient International Classification of Diseases (ICD) diagnosis description and notes from the provider about the patient and secondary insurer identification information (if applicable).

 

The medical claim records also contain public provider information, such as the name of providers and contractors (not direct contractors), their phone number and address.

 

As part of the claim's reviews, investigators also review PII information about the provider that is relevant to the ongoing investigation, such as licensures, certifications, attachments of financial information (bank account numbers, property ownership), and relationships with other entities within their group. The combination of this information is used by investigators to make proper Medicare and Medicaid claim payment determinations.

 

Information is retained for a period of 10 years, in accordance with the National Archives and Records Administration (NARA) guideline DAA-GRS-2013-0008-0001.

 

Approved UPIC-MW users access the system through an Intranet-only application and are prompted to enter in their designated username and password when accessing the system.

 

Data elements collected, maintained (stored), or shared include: HICN, beneficiary name, age, date of birth, social security number, mailing address, medical records, medical records number, patient ICD diagnosis description, notes from the provider about the patient, secondary insurer information, certificates, taxpayer ID, and Financial Account information, Medicaid, and Medicare claim information.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The purpose of the UPIC-MW program is to assist CMS with its program integrity responsibilities regarding fraud, waste, and abuse prevention and detection. The contractors who perform this work for CMS are not direct contractors of CMS and shall be referred to as "contractors" throughout the document.

 

Data captured includes Claims Histories, Provider Profiles, Peer Comparisons, Average Billing Reports and statistically valid random samples that contain beneficiary PII, PHI and claims data.

 

The UPIC-MW collects, maintains and shares claims, beneficiary and provider data with the Medicare Fee For Service (FFS) program and State Medicaid programs.

 

The UPIC-MW uses the AdvanceTrack application to track the entire Medicare and Medicaid fraud audit process by recording findings and generating timely and accurate reports based on the claims data that is reviewed.

 

The UPIC-MW can retrieve records by any element contained in the Medicare or Medicaid claims data, including PII. This data will relate to providers and beneficiaries in both the Medicare and Medicaid programs. Pre-investigation, data is run on procedure codes, provider specialties, and geographic areas to identify potential outliers. Once an investigation is opened, records are retrieved through Provider ID (either National Provider Identifier (NPI) or Medicare/Medicaid ID) and Employer Identification Number (EIN). Similarly, beneficiary PII is used for identification and to search for claims or other investigation information pertinent to analyzing data to detect fraud, waste, and abuse in the Medicare and Medicaid systems.

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • Phone Numbers
  • Medical Notes
  • Certificates
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Financial Account Info
  • Other - The system will also collect patient's Health Insurance Claim Number (HICN), age, patient ICD diagnosis description and notes from the provider about the patient. Provider ID (either National Provider Identifier (NPI) or Medicare/Medicaid ID) and Employer Identification Number (EIN), provider licensures, attachments of provider financial information (e.g., bank account numbers and property ownership) and relationships with other entities within their group. Data captured includes Claims Histories, and statistically valid random samples that contain beneficiary PII, PHI and claims data.  Usernames and passwords are also stored in the system.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
  • Patients
  • Other - Beneficiaries
How many individuals' PII in the system?100,000-999,999
For what primary purpose is the PII used?

The primary purpose of Personally Identifiable Information (PII) and Protected Health Information (PHI) for use in UPIC-MW is to ensure correct Medicare and Medicaid claim payment determinations.

 

User credential information is used for authentication to the system in order to access the system as well as for maintenance and operations of the system.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)There is no secondary use for the PII in the system.
Describe the function of the SSN.Social Security Numbers are used to verify the identity of providers and beneficiaries in an effort to combat fraud, waste and abuse within the Medicare and Medicaid programs.
Cite the legal authority to use the SSN.Sections 1816, 1842, 1862(b) and 1874 of Title XVIII of the Social Security Act (42 United States Code (U.S.C.) 1395u, 1395y(b), and 1395kk).
Identify legal authorities​ governing information use and disclosure specific to the system and program.

The UPIC-MW system adheres to the Improper Payments Elimination and Recovery Improvement Act (IPERIA, January 2013) as the legal authority governing information use and disclosure.

 

Sections 205, 1106, 1107, 1815, 1816, 1833, 1842, 1872, 1874, 1876, 1877, and 1902 of the Act (Title 42 United States Code (U.S.C.) sections 405, 1306, 1307, 1395g, 1395h, 1395l, 1395u, 1395ii, 1395kk, 1395mm, 1395nn, and 1396a)

Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

09-70-0527 The Fraud Investigation Database
(FID)

09-70-0568 One Program Integrity Data
Repository (ODR)

Identify the sources of PII in the system: Directly from an individual about whom the information pertainsOnline
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • State/Local/Tribal
  • Other Federal Entities
Identify the sources of PII in the system: Non-Government Sources
  • Members of the Public
  • Private Sector
  • Other - CMS approved Medicare providers
Identify the OMB information collection approval number and expiration dateNot Applicable. The only direct collection is for user credential information collected by the system for user access logon.
Is the PII shared with other organizations?Yes
Identify with whom the PII is shared or disclosed and for what purpose.
  • Within HHS:  PII and PHI is shared with Centers for Medicare and Medicaid Services (CMS), Office of Inspector General (OIG) for Medicare program payment safeguards oversight and ensuring correct Medicare claim payment determinations. Incorrect payments may result in Administrative Actions to include overpayment identification and collection, law enforcement fraud referral, civil and/or criminal monetary penalties.
  • Other Federal Agency/Agencies:  PII and PHI may be shared with Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) for law enforcement fraud referral, criminal prosecution, civil and/or criminal monetary penalties.
  • Private Sector: The UPIC-MW supports contractor (not direct contractors) user accounts that are required to perform medical record reviews, assist in investigations and data analysis. Contractor administrators are responsible for ensuring the system is operating according to contractual requirements, which includes accessing potential PHI or PII data only on an as-needed basis, such as assisting in investigations. Contract developers are responsible for managing and maintaining the system applications that are used to perform medical record reviews.
  • State or Local Agency/Agencies: PII and PHI may be shared with Medicaid Fraud Control Units, Medicaid Program Integrity for program payment safeguards oversight and ensuring correct claim payment determinations. Incorrect payments may result in Administrative Actions to include overpayment identification and collection, law enforcement fraud referral, civil and/or criminal monetary penalties.
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).The Memorandum of Understanding (MOU) is between Centers for Medicare and Medicaid Services (CMS) & Health and Human Services Office of Inspector General (HHS OIG) & U.S. Department of Justice Federal Bureau of Investigation (DOJ FBI). Joint Operating Agreements exist between the UPIC-MW and all State Medicaid agencies.
Describe the procedures for accounting for disclosuresCoventBridge tracks all request for information through its proprietary application AdvanceTrack, which keeps a record of the date of the request, what information was released and when and to whom. All AdvanceTrack records are kept within CMS Cloud environment at a secure backup facility indefinitely.
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

CMS and Medicare Administrative Contractors (MACs) collect PHI and PII directly from individuals. The role of the UPIC-MW is to conduct audits that identify potential fraud, waste and abuse based on medical records and claim data provided to the UPIC-MW from CMS and MACs. Therefore, providing prior notice to individuals regarding collection of patients PII and PHI related information is not a function of the UPIC-MW.

 

However, Medicare beneficiaries sign a privacy act notice when they become eligible for Medicare that informs them that information, they provide to justify payments will be used to determine the appropriateness of the payment.

 

Similarly, State Medicaid Agencies collect PHI and PII directly from individuals. The role of the UPIC-MW is to conduct audits that identify potential fraud, waste and abuse based on medical records and claim data provided to the UPIC-MW from CMS and the State Medicaid Agencies. Therefore, providing prior notice to individuals regarding collection of patients PII and PHI related information is not a function of the UPIC-MW.

 

The PII that is collected for the users, developers and administrators of the system is assigned to a unique username and password to log in to the system. This is required to perform their job functions. No prior notice is provided by UPIC-MW.

Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Another CMS system collects PHI and PII directly from individuals, which is then provided to UPIC-MW system. Therefore, allowing individuals to opt-out is not a function of UPIC-MW system.

 

The PII that is collected for the users, developers and administrators of the system is assigned to a unique username and password to log in to the system. This is required to perform their job functions. Therefore, there is no option to opt-out provided by UPIC-MW.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Another CMS system collects PHI and PII directly from individuals, which is then provided to UPIC-MW system. Therefore, the responsibility of notifying individuals of major changes to the system is not a function of the system.

 

There is no process to notify users that their PII will change from the original collection. Those that access the system are assigned a unique username and password to log in to the system which do not contain any PII. Therefore, there is no reason for the use or disclosure to ever change.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.Another CMS system collects PHI and PII directly from individuals, which is then provided to UPIC-MW systems. Therefore, the responsibility of notifying individuals of major changes to the system is not a function of the UPIC-MW system.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The UPIC-MW IT Team are responsible for conducting quality checks to ensure the availability and integrity of the data.

 

The UPIC MW system inherits the CMS Cloud infrastructure to provide a consistent high-availability environment. Specifically, data is stored using Amazon Relational Database Service (RDS) and FSx Windows File Server with multiple availability zones (Amazon Web Service data centers) to ensure the data is highly available.

 

To ensure integrity, data is stored using Amazon FSx Windows File Server which utilizes shadow copies to allow prior version restores of files. In addition to daily backups, Amazon RDS conducts incremental backups of any data changes. All communication and data in transit is encrypted to provide protection against unauthorized intrusions.

 

CMS is responsible for ensuring the accuracy and relevancy of the PII data. If a data analyst identifies a discrepancy in the PII data, then UPIC MW will notify CMS.

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: The UPIC-MW supports user accounts that are required to perform medical record reviews, assist in investigations and data analysis.
  • Administrators :Administrators are responsible for ensuring the system is operating according to contractual requirements, which includes access potential PHI or PII data only on an as-needed basis, such as assisting in investigations.
  • Developers: Developers are responsible for managing and maintaining the system applications that are used to perform medical record reviews.
  • Contractors: CoventBridge is a direct contractor and is contracted by CMS for the purpose of performing user, administrative and developer functions when reviewing medical records and Medicare Claims information. Only direct contractors will have access to PII in the system.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.Access to the UPIC-MW system is based on pre-defined user roles. Therefore, pre-defined user roles govern which permissions system users receive. UPIC-MW users only have access to PII that corresponds with their job function which is approved by a CMS Access Administrator (CAA).
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.UPIC-MW enforces the concept of least privilege when accessing PII data so that users can access only the minimum amount of PII needed to perform their job function. This is done through first determining the user’s role prior to account creation and then placing users in the appropriate organizational unit that has the predefined least privileges, such as access denied, read-only or edit.
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.CoventBridge provides mandatory CMS Security Awareness and Privacy training to all users on an annual basis which describes the security responsibilities of the users and administrators to protect the confidentiality, integrity and availability of PII and PHI data. Training topics also include the required security mechanisms for storing PII and PHI when not in use, printed on media or sent offsite for archiving purposes.
Describe training system users receive (above and beyond general security and privacy awareness training)UPIC-MW users and administrators are also trained on the appropriate incident reporting and handling process and procedures in the event of an incident pertaining to PII and PHI.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.The UPIC-MW program information is retained off site at a CMS Cloud redundant availability zone secure storage facility for a period of 10 years, in accordance with the National Archives and Records Administration (NARA) guideline DAA-GRS-2013-0008-0001.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

All PII and PHI is processed and maintained within a secured environment that complies with all CMS security policies and security requirements. Facilities are secured where PII is stored. This includes physical security components (e.g., hardware, walls, doors and locks).

 

System security controls also includes those components not directly associated with information processing and /or data/information retention such as scanners, copiers, and printers. PII is protected at rest using an approved method of cryptography consistent with Federal Information Processing Standards (FIPS) 140-2 and National Institute of Standards and Technology (NIST), Special Publication (SP) 800-66 guidance.

 

Physical media containing PII in transit is controlled using locked cabinets or sealed packing cartons. Privacy controls are built into system design and development processes to mitigate privacy risks associated with PII and PHI.

 

The overall security program provides a comprehensive set of security services to include privacy and security awareness training, corrective action plans, continuity planning, independent external tests of security controls, risk assessments, system security plans, and incident response planning.