Program Integrity Contractor Qlarant
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 5/19/2022
PIA Question | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-6258296-214190 |
Name: | Program Integrity Contractor Qlarant |
The subject of this PIA is which of the following? | General Support System |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 6/28/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | NA |
Describe the purpose of the system | The Program Integrity Contractor Qlarant General Support System (GSS) and applications provide the information technology functions for the Unified Program Integrity Contract (UPIC) West and Southwest contracts. For the UPIC West Contract Qlarant performs fraud, waste and abuse detection, deterrence and prevention activities for Medicare and Medicaid claims within the Western jurisdiction for the states of Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, North Dakota, Oregon, South Dakota, Utah, Washington and Wyoming (other territories of the Western jurisdiction include American Samoa, Northern Marianas Islands and Guam). For the UPIC Southwest contract Qlarant performs fraud, waste and abuse detection, deterrence and prevention activities for the Medicare and Medicaid claims for CMS within the Southwestern jurisdiction for the states of Colorado, New Mexico, Oklahoma, Texas, Arkansas, Louisiana and Mississippi. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | Program Integrity Contractor Qlarant receives claims, beneficiary, and provider data for Medicare. The information is used to detect and prevent fraud, waste, and abuse in the Medicare Fee For Service (FFS) program. Claims and Beneficiary data may include name, social security numbers, address, telephone number(s), Date of Birth (DoB), Date of Death, Medicare Number, Medicare Beneficiary Identifier (MBI), Medicare and Secondary Insurer identification, Email Addresses, Medical Records Numbers, Legal Documents, Employment Status, User ID, passwords, claim numbers, and taxpayer IDs, Driver's License or State Identification numbers. Provider data may contain Owner/Employee names, addresses, Health Insurance Claim Numbers (HICNs), licensures, certifications, financial account information (bank account numbers, property ownership), and relationships with other entities within their group. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | Program Integrity Contractor Qlarant uses a variety of CMS source systems for Medicare and Medicaid claims, beneficiary, and provider data in support of benefit integrity efforts. Qlarant conducts national and regional data analysis, conducts investigations and audits, and provides medical review and law enforcement support. Data is sourced from CMS Data Centers and State Medicaid Agencies. Qlarant uses Suite of Analytics Software (SAS) to perform analysis and its internally developed case management system, ZEUS, to perform case management. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | Personally Identifiable Information (PII) is used to search for information on beneficiaries, claims and investigation information pertinent to analyzing data for detection of fraud, waste and abuse. User PII is used for authentication to the system in order to support the system functions. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | NA |
Describe the function of the SSN. | Social Security Numbers are used to verify the identity of providers and beneficiaries, in an effort to combat fraud, waste and abuse of federally funded healthcare benefits and programs. |
Cite the legal authority to use the SSN. | Legal authority is given under the provisions of sections 1816, 1842, 1862(b) and 1874 of Title XVIII of the Social Security Act (42 United States Code (U.S.C.) 1395u, 1395y(b), and 1395kk). |
Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for the collection and maintenance of this system is given under the provisions of sections 1816, 1842, 1862(b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y(b), and 1395kk). |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Medicare Integrated Data Repository (IDR) 09-70-0571 One Program Integrity Data Repository (OnePI) 09-70-0568 |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources |
|
Identify the OMB information collection approval number and expiration date | Not Applicable. |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. |
|
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | Data Use Agreement #CONT-2018-51954 and ISA agreements with Office of the Inspector General (OIG), the Department of Justice (DOJ), and State Agencies are in place that authorize information sharing or The Data Use Agreement (DUA) authorizes information sharing for the purposes that support the case study, research and investigations. The Information Sharing Agreements state the responsibilities and requirements to which the third party must adhere for the collection and use of the information which is being shared. |
Describe the procedures for accounting for disclosures | A Data Use Agreement is required from Law Enforcement for any requests for disclosure of Personally Identifiable Information (PII). These are maintained in the ZEUS Case Tracking System, an internal case tracking system database maintained by Program Integrity Contractor Qlarant and in hard copy files. ZEUS keeps records of the law enforcement information requests, the requesters and their agencies alongside the specifics of their information request. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Notice is given to individuals whose data is in the Medicare system that feeds Program Integrity Contractor Qlarant through Federal Register System of Record (SORN) Notices: 09-70-0568 One Program Data Integrity Repository (ODR). This system is covered by another PIA. Notice is the responsibility of the source system. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | This system does not collect PII directly from individuals. That data collection is done prior to the data reaching this system. Centers for Medicare and Medicaid Services (CMS) employees cannot opt out because their info is necessary as part of their employment. If they choose not to provide their PII then they do not participate in the Medicare program. Users of the system must also provide their personally identifiable information should they require access to the system. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Program Integrity Contractor Qlarant does not have a process in place because it does not collect Personally Identifiable Information (PII) from individuals. However, Centers for Medicare and Medicaid Services (CMS), through their Medicare Administrative Contractors, notifies individuals if there are Medicare program system changes. Notice occurs in Explanation of Benefit notices, Remittance Advices and through the Medicare Learning Network. Notice is given to individuals whose data is in the Medicare system that feeds Program Integrity Contractor Qlarant through Federal Register System of Record (SORN) Notices: 09-70-0568 One Program Data Integrity Repository (ODR). This system is covered by another PIA. Notice is the responsibility of the source system. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | No process is in place to notify and obtain consent from the individuals, whose PII is in the system, when major changes occur to the system because the system does not collect PII directly from individuals. The system collects PII from other systems. System administrators can report any issues to the CMS Information Technology (IT) Service Desk and they will be resolved accordingly. Notice is given to individuals whose data is in the Medicare system that feeds This system is covered by another PIA. Notice is the responsibility of the source system. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Records are reviewed and analyzed individually by trained case workers as part of the data analysis process. Validation edits are performed by the system to ensure data integrity. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | System and data access is determined by job function. Access is role-based and controlled by administrative and technical controls. A formal process is defined for account creation that includes limiting account categories to only appropriate resources. Account creation and modification permissions must be requested by functional leadership or Business Owners. Reviews are conducted monthly to ensure account reconciliation is being performed. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Access is role-based with least privilege, based on job functions. User profiles dictate the level of access granted (user profiles define the access level and security groups that the individuals are a member of). |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Users are required to complete CMS Security and Privacy Awareness training prior to accessing the system. This training is mandatory and completed annually. Attestations to the policies, procedures, directives and Rules of Behavior are required and signed. All users are required to complete Ethics Training, Insider Threat training, and Health Insurance Portability and Accountability Act (HIPAA) training upon hire and annually thereafter. |
Describe training system users receive (above and beyond general security and privacy awareness training) | None. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | No information is destroyed; all information is retained off-site indefinitely at a secure storage facility that conforms to the National Archives and Records Administration (NARA) guidelines per N1-440-09-4, Item 1a (Cutoff annually. Delete/destroy 10 years after cutoff), and all information and media are transported in accordance with the requirements for media protection as outlined in the CMS Business Partners System Security Manual and Acceptable Risk Safeguards. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Physical access controls include: a visitor access policy - visitors must be signed in and escorted, employees must wear ID badges; access to secure areas is controlled by proximity card; areas storing PII are limited to necessary staff; physical intrusion detection is in place (alarm system); cameras are in place within the primary location that hosts the data center; the data center is equipped with redundant air conditioning, redundant power, a gas-based fire suppression system, and environmental monitoring (temp, water, power loss). Technical controls include: a firewalled enclaved network specific to the contract, encrypted connectivity into and out of the encrypted enclave, network access control, host based intrusion detection, network based intrusion detection, system event monitoring, centralized security patch management, access control policy and procedures (account management - access limited by user profile, all access is monitored), Active Directory (to facilitate access control), file level permissions based on required access, routine system vulnerability scanning, centralized anti-virus and malware management, whole disk encryption (for laptops used off site), dual factor authentication (for users working off site). Administrative controls include: User security awareness and Rules of Behavior training (required prior to granting access), a change advisory board (CAB) (to facilitate system changes), a fully maintained System Security Plan, a yearly Federal Information System Management Act (FISMA) assessment (for the required 1/3 controls), Security Control Assessments are performed (initially and every 3 years thereafter), Risk is assessed and documented and reviewed annually. |