Program Integrity Contractor SGS
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/6/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-3535148-999646 |
Name: | Program Integrity Contractor SGS |
The subject of this PIA is which of the following? | General Support System |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 3/15/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | NONE |
Describe the purpose of the system | Program Integrity Contractor System Safeguard Services (SGS) is used to perform fraud (overbilling, inappropriate services, excessive services, etc.) and abuse investigation, support benefit integrity efforts, provide medical review support, perform national and regional data analysis, and provide law enforcement support. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | Program Integrity Contractor SGS receives claims, beneficiary, and provider data for Medicare. The information is used to detect and prevent fraud, waste, and abuse in the Medicare Fee For Service (FFS) program. Claims and Beneficiary data may include name, address, telephone number(s), Date of Birth (DoB), Medicare Number, Health Insurance Claim Number (HICN), Medicare and Secondary insurer identification information, Driver's License or State Identification numbers. Provider data may contain Owner/Employee names, addresses, HICNs, licensures, certifications, financial account information (bank account numbers, property ownership), and relationships with other entities within their group. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | Program Integrity Contractor SGS uses a variety of CMS source systems for Medicare and Medicaid claims, beneficiary, and provider data in support of benefit integrity efforts. Program Integrity Contractor SGS conducts national and regional data analysis, investigations, and audits, and provides medical review and law enforcement support. Data is sourced from CMS Data Centers and State Medicaid Agencies. The SGS case management systems that comprise the GSS and are used on a day-to-day basis are the Workload Management Module (WMM) and Medical Review Case Tracking (MRCT). Program Integrity Contractor SGS uses Suite of Analytics Software (SAS) software to run the Automated Risk and Integrated Assessment Logic (ARIAL) and Integrated Fraud & Abuse Detection System (IFADS) SAS programs to profile and score providers and prioritize WMM workload. Queries are run by SGS analysts and investigators using Business Objects software or SAS to automate reporting on WMM and MRCT workload and to support administrative action referrals. Data captured includes Claims Histories, Provider Profiles, Peer Comparisons, Average Billing Reports, and statistically valid random samples that contain beneficiary Personally Identifiable Information (PII), Protected Health Information (PHI) and claims data. The MRCT application is a case management system for clinician medical review. Maintaining case tracking systems is an optional requirement of the Centers for Medicare and Medicaid Services (CMS) contract, as CMS works toward completing the Unified Case Management Module (UCM) and the related CMS UCM reporting system. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The primary purpose of Personally Identifiable Information (PII) use is for ensuring correct Medicare claim payment determinations. PII is also used to create user credentials for identifying users and providing them their proper user role access into the system. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
Describe the function of the SSN. | N/A |
Cite the legal authority to use the SSN. | N/A |
Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for the collection and maintenance of this system is given under the provisions of sections 1816, 1842, 1862(b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y(b), and 1395kk). |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0568 One Program Integrity Data Repository (ODR) |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | N/A for user credential information |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. | |
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | Program Integrity Contractor SGS has Information Exchange Agreements in place with State Medicaid Agencies and CMS for its Medi-Medi work, and Data Use Agreements in place with CMS for each contract. |
Describe the procedures for accounting for disclosures | A Data Use Agreement is required from Law Enforcement for any requests for disclosure of Personally Identifiable Information (PII). These are maintained in the Medical Review Case Tracker, an internal case tracking system database maintained by Program Integrity Contractor SGS and in hard copy files. Medical Review Case Tracker keeps records of the law enforcement information requests, the requesters, and their agencies alongside the specifics of their information request. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Notice is given to individuals whose data is in the Medicare system that feeds Program Integrity Contractor SGS through Federal Register System of Record (SOR) Notices: 09-70-0568 One Program Integrity Data Repository (ODR). |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | This system does not collect PII directly from individuals; that data collection is done before the data reaches this system. Centers for Medicare and Medicaid Services (CMS) employees cannot opt out because their information is necessary as part of their employment. If they choose not to provide their PII, then they do not participate in the Medicare program. Users of the system must also provide their personally identifiable information if they require access to the system. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Program Integrity Contractor SGS does not have a process in place because it does not collect Personally Identifiable Information (PII) from individuals. However, Centers for Medicare and Medicaid Services (CMS), through its Medicare Administrative Contractors, notifies individuals if there are Medicare program system changes. Notice occurs in Explanation of Benefit notices, Remittance Advices, and through the Medicare Learning Network. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Program Integrity Contractor SGS does not have a process in place because it does not collect Personally Identifiable Information (PII) from individuals directly. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The personally identifiable information (PII) contained in this system, which is NOT a SOR, is collected by CMS SOR systems. The information is provided by other CMS systems for the purpose of analyzing the data to identify potential waste, fraud and abuse activities. The Program Integrity Contractor SGS system itself is a read-only instance of the information and is not an authoritative source for any purpose but analysis. Updates to the system are done by following the CMS Technical Reference Architecture (TRA) process as well as the CMS Acceptable Risk Safeguards (ARS) requirements. The system maintainers test the integrity, availability, accuracy, and relevancy of the data by placing data in testing tables and then performing automated and manual data quality checks. The system also uses Role-Based Access Control (RBAC), assigning each user the proper user role for the activities they are to perform in the system. The Program Integrity Contractor SGS internal systems are read only, as they do not have the ability to impact or alter the authoritative data housed and maintained in the CMS systems. Because the systems documented here use replicated data from the Systems of Record rather than the authoritative data, issues of confidentiality, availability, integrity, and non-repudiation are mitigated. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Program Integrity Contractor SGS has implemented a Segregation of Duties Policy. The Program Integrity Contractor SGS Internal Audit Department reviews the sufficiency of segregation of duties procedures through periodic audits. The first area of concern is the protection of sensitive information. Job assignments are analyzed by preparing a matrix of all positions. Physical and logical access controls help restrict employees to authorized actions, based upon organizational and individual job responsibilities. At least annually, or whenever major changes are made to the Program Integrity Contractor SGS organization structure, management performs a high-level review of segregation of duties to ensure that new risks have not been created due to organizational changes or changes in assignment of duties within Medicare operations. Resources are classified based on risk assessments. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Every user of the system has a user account comprised of a unique identifier (username or identification) and an account authenticator (password) that provides access to the system. Once the user has been authenticated (approved for access based on username and password) and starts to perform analysis, the user selects a record, and the system compares the record requested with the user's authorization to determine whether the user is allowed to access that record. This series of requirements is called role-based access and is defined for each type of user to ensure that users have only approved and appropriate privileges to the information they must access, and no other information. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All personnel (system owners, managers, operators, contractors and/or program managers) using the system are provided annual training to make them aware of their responsibilities for protecting the information being collected and maintained. This annual training is monitored and tracked at the account level and includes internal application training, security and awareness training, and developed desk-level procedures. |
Describe training system users receive (above and beyond general security and privacy awareness training) | All personnel (system owners, managers, operators, contractors and/or program managers) using the system are provided additional training, above the general security and privacy awareness training, on an annual basis. This Health Insurance Portability and Accountability Act training ensures that all participants are aware of their responsibilities for protecting the information being collected and maintained. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | No information is destroyed; all information is retained off-site indefinitely at a secure storage facility that conforms to the National Archives and Records Administration (NARA) guidelines per N1-440-09-4, Item 1a (cutoff annually; delete/destroy 10 years after cutoff), and all information and media are transported in accordance with the requirements for media protection as outlined in the CMS Business Partners System Security Manual and Acceptable Risk Safeguards. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The Program Integrity Contractor SGS system operates behind secure firewalls on the CMS wide-area network (WAN) and is housed at physically secure sites. Business Partners Systems Security Manual (BPSSM) and Federal Information Security Modernization Act (FISMA) requirements are followed. A systems security plan details the controls for the 28 FISMA families of controls. Controls include firewalls, Intrusion Detection System (IDS), network authentication, file-based permissions, application-level permissions; event monitoring, change control procedures, minimum system security standards (baselines/hardening); anti-virus, encryption, patch management; and network-level hardening (Active Directory (AD) group policy). Physical security controls include a visitor sign-in requirement, keycard requirement, physical intrusion detection, video cameras, and a requirement that employees wear badges; perimeter doors are locked after hours; containers and rooms containing PII are protected by dual barriers (perimeter walls, interior walls, or locked metal containers); and any data leaving the data center must be encrypted. |