Program Integrity Contractor Qlarant

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 5/19/2022

PIA Information for Program Integrity Contractor Qlarant

OPDIV
CMS

PIA Unique Identifier
P-6258296-214190

Name
Program Integrity Contractor Qlarant

The subject of this PIA is which of the following?
General Support System

Identify the Enterprise Performance Lifecycle Phase of the system.
Operate

Is this a FISMA-Reportable system?
Yes

Does the system include a Website or online application available to and for the use of the general public?
No

Identify the operator
Contractor

Is this a new or existing system?
Existing

Does the system have Security Authorization (SA)?
Yes

Date of Security Authorization
6/28/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.
PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.
NA

Describe the purpose of the system
The Program Integrity Contractor Qlarant General Support System (GSS) and applications provide the information technology functions for the Unified Program Integrity Contract (UPIC) West and Southwest contracts. For the UPIC West contract, Qlarant performs fraud, waste and abuse detection, deterrence and prevention activities for Medicare and Medicaid claims within the Western jurisdiction for the states of Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, North Dakota, Oregon, South Dakota, Utah, Washington and Wyoming (other territories of the Western jurisdiction include American Samoa, Northern Marianas Islands and Guam). For the UPIC Southwest contract, Qlarant performs fraud, waste and abuse detection, deterrence and prevention activities for the Medicare and Medicaid claims for CMS within the Southwestern jurisdiction for the states of Colorado, New Mexico, Oklahoma, Texas, Arkansas, Louisiana and Mississippi.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)
Program Integrity Contractor Qlarant receives claims, beneficiary, and provider data for Medicare. The information is used to detect and prevent fraud, waste, and abuse in the Medicare Fee For Service (FFS) program. Claims and beneficiary data may include name, Social Security Numbers, address, telephone number(s), Date of Birth (DoB), Date of Death, Medicare Number, Medicare Beneficiary Identifier (MBI), Medicare and secondary insurer identification, email addresses, Medical Records Numbers, legal documents, employment status, User ID, passwords, claim numbers, taxpayer IDs, and Driver's License or State Identification numbers. Provider data may contain owner/employee names, addresses, Health Insurance Claim Numbers (HICNs), licensures, certifications, financial account information (bank account numbers, property ownership), and relationships with other entities within their group.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.
Program Integrity Contractor Qlarant uses a variety of CMS source systems for Medicare and Medicaid claims, beneficiary, and provider data in support of benefit integrity efforts. Program Integrity Contractor Qlarant conducts national and regional data analysis, conducts investigations and audits, and provides medical review and law enforcement support. Data is sourced from CMS Data Centers and State Medicaid Agencies. Qlarant uses Suite of Analytics Software (SAS) software to perform analysis and its internally developed case management system, ZEUS, to perform case management.

Does the system collect, maintain, use or share PII?
Yes

Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • Driver's License Number
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Certificates
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Financial Account Info
  • Legal Documents
  • Employment Status
  • Date of Death
  • Other - MBI (Medicare Beneficiary Identifier), Claim Number, User Credentials (User ID, password), State ID Number
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Vendors/Suppliers/Contractors
  • Patients
  • Other - Beneficiaries and physicians
How many individuals' PII in the system?
1,000,000 or more

For what primary purpose is the PII used?
Personally Identifiable Information (PII) is used to search for information on beneficiaries, claims and investigation information pertinent to analyzing data for detection of fraud, waste and abuse. User PII is used for authentication to the system in order to support the system functions.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)
NA

Describe the function of the SSN.
Social Security Numbers are used to verify the identity of providers and beneficiaries, in an effort to combat fraud, waste and abuse of federally funded healthcare benefits and programs.

Cite the legal authority to use the SSN.
Legal authority is given under the provisions of sections 1816, 1842, 1862(b) and 1874 of Title XVIII of the Social Security Act (42 United States Code (U.S.C.) 1395u, 1395y(b), and 1395kk).

Identify legal authorities governing information use and disclosure specific to the system and program.
Authority for the collection and maintenance of this system is given under the provisions of sections 1816, 1842, 1862(b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y(b), and 1395kk).

Are records on the system retrieved by one or more PII data elements?
Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Medicare Integrated Data Repository (IDR) 09-70-0571 

One Program Integrity Data Repository (OnePI) 09-70-0568

Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
  • Other - The beneficiary or provider is the collection point for all PII/Protected Health Information (PHI). This information is maintained in the CMS SOR as the authoritative source.
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • Other HHS OPDIV
  • State/Local/Tribal
  • Other Federal Entities
Identify the sources of PII in the system: Non-Government Sources
  • Private Sector
Identify the OMB information collection approval number and expiration date
Not Applicable.

Is the PII shared with other organizations?
Yes

Identify with whom the PII is shared or disclosed and for what purpose.
  • Within HHS: For use within fraud, waste and abuse investigations.
  • Other Federal Agency/Agencies: Department of Justice (DOJ) and Office of Inspector General (OIG) for use within fraud, waste and abuse investigations.
  • Private Sector: Private sector contractors to provide assistance in medical reviews on behalf of Health Integrity.
  • State or Local Agency/Agencies: State and Local Law enforcement for use within fraud, waste and abuse investigations.
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

Data Use Agreement #CONT-2018-51954 and ISA agreements with Office of the Inspector General (OIG), the Department of Justice (DOJ), and State Agencies are in place that authorize information sharing or disclosure.

The Data Use Agreement (DUA) authorizes information sharing for the purposes that support the case study, research and investigations.

The Information Sharing Agreements state the responsibility and requirements to which the third party must adhere for the collection and use of the information which is being shared.

Describe the procedures for accounting for disclosures
A Data Use Agreement is required from Law Enforcement for any requests for disclosure of Personally Identifiable Information (PII). These are maintained in the ZEUS Case Tracking System, an internal case tracking system database maintained by Program Integrity Contractor Qlarant, and in hard copy files. ZEUS keeps records of the law enforcement information requests, the requesters and their agencies, alongside the specifics of their information request.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Notice is given to individuals whose data is in the Medicare system that feeds Program Integrity Contractor Qlarant through Federal Register System of Record (SORN) Notices: 09-70-0568 One Program Data Integrity Repository (ODR).

This system is covered by another PIA. Notice is the responsibility of the source system.

Is the submission of the PII by individuals voluntary or mandatory?
Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
This system does not collect PII directly from individuals. That data collection is done prior to the data reaching this system. Centers for Medicare and Medicaid Services (CMS) employees cannot opt out because their information is necessary as part of their employment. If they choose not to provide their PII, then they do not participate in the Medicare program. Users of the system must also provide their personally identifiable information if they require access to the system.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Program Integrity Contractor Qlarant does not have a process in place because it does not collect Personally Identifiable Information (PII) from individuals. However, Centers for Medicare and Medicaid Services (CMS), through their Medicare Administrative Contractors, notifies individuals if there are Medicare program system changes. Notice occurs in Explanation of Benefit notices, Remittance Advices and through the Medicare Learning Network.

Notice is given to individuals whose data is in the Medicare system that feeds Program Integrity Contractor Qlarant through Federal Register System of Record (SORN) Notices: 09-70-0568 One Program Data Integrity Repository (ODR). This system is covered by another PIA. Notice is the responsibility of the source system.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

No process is in place to notify and obtain consent from the individuals, whose PII is in the system, when major changes occur to the system because the system does not collect PII directly from individuals. The system collects PII from other systems.

System administrators can report any issues to the CMS Information Technology (IT) Service Desk and they will be resolved accordingly.

Notice is given to individuals whose data is in the Medicare system that feeds Program Integrity Contractor Qlarant through Federal Register System of Record (SORN) Notices: 09-70-0568 One Program Data Integrity Repository (ODR).

This system is covered by another PIA. Notice is the responsibility of the source system.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
Records are reviewed and analyzed individually by trained case workers as part of the data analysis process. Validation edits are performed by the system to ensure data integrity.

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: To detect and investigate fraud, waste and abuse in the Medicare Parts C and D program, Hospice, and Durable Medical Equipment
  • Administrators: Administration of the General Support System and IT environment
  • Developers: Development and Maintenance of the major application used for case management (ZEUS)
  • Contractors: Direct Contractors - To detect and investigate fraud, waste and abuse in the Medicare Parts C and D program. Contractors are used to assist in medical reviews. Some are HHS contractors and others are private sector. Those that are private sector are used to provide assistance in medical reviews on behalf of Qlarant.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
System and data access is determined by job function. Access is role-based and controlled by administrative and technical controls. A formal process is defined for account creation that includes limiting account categories to only appropriate resources. Account creation and modification permissions must be requested by functional leadership or Business Owners. Reviews are conducted monthly to ensure account reconciliation is being performed.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
Access is role-based with least privilege, based on job functions. User profiles dictate the level of access granted (user profiles define the access level and the security groups of which the individuals are a member).

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Users are required to complete CMS Security and Privacy Awareness training prior to accessing the system. This training is mandatory and completed annually. Attestations to the policies, procedures, directives and Rules of Behavior are required and signed.

All users are required to complete Ethics Training, Insider Threat training, and Health Insurance Portability and Accountability Act (HIPAA) training upon hire and annually thereafter.

Describe training system users receive (above and beyond general security and privacy awareness training)
None.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?
Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.
No information is destroyed; all information is retained off-site indefinitely at a secure storage facility that conforms to the National Archives and Records Administration (NARA) guidelines per N1-440-09-4, Item 1a (Cutoff annually. Delete/destroy 10 years after cutoff), and all information and media is transported in accordance with the requirements for media protection as outlined in the CMS Business Partners System Security Manual and Acceptable Risk Safeguards.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Physical access controls include: a visitor access policy (visitors must be signed in and escorted, and employees must wear ID badges); access to secure areas controlled by proximity card; areas storing PII limited to necessary staff; physical intrusion detection (alarm system); cameras within the primary location that hosts the data center; and a data center equipped with redundant air conditioning, redundant power, a gas-based fire suppression system, and environmental monitoring (temperature, water, power loss).

Technical controls include: a firewalled, enclaved network specific to the contract; encrypted connectivity into and out of the encrypted enclave; network access control; host-based intrusion detection; network-based intrusion detection; system event monitoring; centralized security patch management; access control policy and procedures (account management: access limited by user profile, and all access is monitored); Active Directory (to facilitate access control); file-level permissions based on required access; routine system vulnerability scanning; centralized anti-virus and malware management; whole disk encryption (for laptops used off site); and dual-factor authentication (for users working off site).

Administrative controls include: user security awareness and Rules of Behavior training (required prior to granting access); a change advisory board (CAB) to facilitate system changes; a fully maintained System Security Plan; a yearly Federal Information Security Management Act (FISMA) assessment (for the required 1/3 of controls); Security Control Assessments performed initially and every 3 years thereafter; and risk that is assessed, documented and reviewed annually.