Skip to main content

Provider Compliance Group-Fast Healthcare Interoperability Resources

View all CMS PIAs

Date signed: 6/8/2022

PIA Information for Provider Compliance Group-Fast Healthcare Interoperability Resources
PIA QuestionsPIA Answers  
OPDIV:CMS  
   
PIA Unique Identifier:P-8270913-449431 
   
    
Name:Provider Compliance Group-Fast Healthcare Interoperability Resources  
   
The subject of this PIA is which of the following?Major Application  
   
    
Identify the Enterprise Performance Lifecycle Phase of the system.Operate  
   
    
Is this a FISMA-Reportable system?Yes  
    
Does the system include a Website or online application available to and for the use of the general public?Yes  
   
Identify the operator:Agency  
   
    
Point of Contact (POC) Title:ISSO (Information System Security Officer)  
   
    
Point of Contact (POC) Name:Shannon Gillis  
   
    
Point of Contact (POC) Organization:DHHS/CMS/CPI (Center for Program Integrity)  
   
    
Point of Contact (POC) Email:Shannon.Gillis@cms.hhs.gov  
   
    
Point of Contact (POC) Phone:(410) 929-2632  
   
    
Is this a new or existing system?Existing  
    
Does the system have Security Authorization (SA)?Yes  
    
  
Date of Security Authorization12/14/2023  
    
Indicate the following reason(s) for updating this PIA. Choose from the following options.PIA Validation (PIA Refresh/Annual Review)  
   
Describe in further detail any changes to the system that have occurred since the last PIA.

Addition of the ECTA module.

The ECTA module expands on the capabilities built in the PCG-FHIR module. This module provides APIs, in conformance with the Da Vinci CRD and DTR standards, that provide PA requirements and Coverage requirements for a specific service or item. Provider systems use their Client ID/secret to authenticate to the system and use the APIs provided to determine if a PA is required and if additional coverage requirements exist. Additionally, the provider system can also get the logic to extract this data from EHR systems. 

ECTA and PCG-FHIR modules employ shared components. 

There are no additional risks with the introduction of this change.

  
   
When answering question PIA-010, consider all changes that have occurred since the PIA was last finalized and will occur when the PIA is finalized. All changes, whether or not they pose a new privacy risk, should be documented. Examples of changes include changing the physical location of a server or adding additional collection of new PII elements.   
Describe the purpose of the system

The PCG-FHIR system establishes a FHIR (Fast Healthcare Interoperability Resources) based communication channel between Providers and CMS.  PCG-FHIR provides a FHIR end-point capable of receiving and processing;

1) FHIR-based Unstructured Documentation submissions in the form of PDF attachments both solicited and unsolicited; 

2) FHIR-based Structured Documentation submissions both solicited and unsolicited; and

3) FHIR-based Prior Authorization Requests and Response. The PCG-FHIR system allows Providers to submit medical information in FHIR-based format and converts that information to data acceptable for Electronic Submission of Medical Documentation (esMD).

- RCs will now be able to send documentation requests to Providers in FHIR format using the PCG-FHIR server (formerly known as DRFP).

- The SHMS module will give providers the ability to exchange documents with CMS in traditional XDR and X12 formats. This module will act as a HIH on behalf of CMS.

  
   
Question PIA-011 should include what HHS functions are supported by the system and what the system does for each of those functions. Your response should be concise and specific, and should not contain jargon or overly technical terms so that a reader with no prior knowledge of the system will understand the response. Don’t forget to spell out all acronyms on first usage.   
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The PCG-FHIR system does not collect, share or access information directly from individuals. The PCG-FHIR system accepts information in FHIR format and converts that information to data acceptable for esMD. PCG-FHIR could receive all or a subset of the following information in the FHIR bundle, parses it and puts it in the X12 file for esMD, but PCG-FHIR does not store any of this information. The information that is transported through the DRFP system may contain the following elements: Subscriber/Member Number or Unique Patient Identifier (UPI) (this is referring to Beneficiary MBI – Medicare Beneficiary Identifier from a CMS standpoint), Subscriber Full Name, Subscriber Address, Subscriber City, State, and Zip code; Subscriber Birth Date, Driver's License, E-mail Address, Practitioner National Provider Identifier (NPI), Practitioner Name, Practitioner Address, Practitioner City, State, and Zip code; Organization Contact Name, Organization Contact Email Address, Organization Contact Telephone and Organization Contact Fax. Medical Documents in the form of attachments, such as: Care Plan, Consultation Note, Continuity of Care Document (CCD), Diagnostic Imaging Report (DIR), Discharge Summary, History and Physical, Operative Note, Procedure Note, Progress Note, Referral Note, and Transfer Summary. Personally Identifiable Information (PII) information on the medical documents relate to the subscriber/beneficiary and include: Member Number, Full Name, Mailing Address, City, State, and Zip code, and Birth Date. 

- The introduction of the ability to send documentation requests to Providers will mean that the solution will now start storing beneficiary information related to claims submitted, procedures performed, etc.

- The same applies to the addition of the SHMS module.

  
   
For question PIA-012, list and describe all types of information collected by the system regardless of whether that information is considered PII and regardless of how long information is stored. However, make sure to include how long information is stored in the system. And, if the system holds system-specific access credentials, e.g., username, password, please describe that in the response to this question and specify whether the username and/or password are created by the individual, generated by the system, provided by a system administrator, or established through some other process.  Reminder: Any types of PII listed in this response also need to be listed in Q15.   
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The PCG-FHIR system does not collect, share or access information directly from individuals. It acts as a conduit system and establishes a FHIR based communication channel between Providers systems and CMS systems. It receives specific information from Subscribers (Patients/Beneficiaries) and Providers, in the form of a FHIR bundle, analyzes this information, and puts it in the X12 file for the esMD system, but it does not store any of this information. 

PCG-FHIR provides a FHIR end-point capable of receiving and processing the following: 1) FHIR-based Unstructured Documentation submissions in the form of PDF attachments both solicited and unsolicited; 2) FHIR-based Structured Documentation submissions both solicited and unsolicited; and 3) FHIR-based Prior Authorization Requests and Response. 

For Patients (Subscribers/Beneficiaries) PCG-FHIR parses the following information from the FHIR Bundle and transmits to esMD in an X12 format but does not store this information: Subscriber/Member Number or Unique Patient Identifier (UPI)/MBI, Subscriber Full Name, Subscriber Address, Subscriber City, State, and Zip code; and Subscriber Birth Date.

For Providers, PCG-FHIR parses the following information from the FHIR Bundle and transmits to esMD in an X12 format, but does not store this information: Practitioner National Provider Identifier (NPI), Practitioner Name, Practitioner Address, Practitioner City, State, and Zip code; Organization Contact Name, Organization Contact Email Address, Organization Contact Telephone and Organization Contact Fax. 

The DRFP system is not a system of record. Information is not collected, shared or accessed by the PCG-FHIR system. System Administrators and Developers of the PCG-FHIR system are direct Contractors with CMS. The PCG-FHIR system does not collect or maintain end-user identification or password information.   

- When RCs send documentation requests to the Providers, the RC requests for additional documents pertaining to a particular claim. These documentation requests will need to be stored in the PCG-FHIR solution until the Provider retrieves the request. Such requests would include Beneficiary information such as last name, first name, beneficiary ID, details about procedures performed, etc. The requests may also include Provider related information such as name, address, NPI, etc.

- The SHMS module will basically enable the Provider to perform similar tasks as PCG-FHIR but in traditional XDR and X12 formats. Therefore, the information collected and stored will be the same as the PCG-FHIR solution.

  
   
Describe why the information listed in question PIA-012 is collected. The response to this question should consider all information, whether or not it is PII. The response to this question should also specify what information is collected about each category of individual and should document and discuss if records are retrieved by PII elements.
Reminder: If you answer Yes to question PIA-022 regarding the method of record retrieval, include in the response to question PIA-013 a brief description of the retrieval practice. Note the PII used and categories of individuals to whom the PII relates.
An example is: The Physical Security System (PSS) regularly use PII to retrieve system records including using the last name, employee ID number, and/or work phone number of CMS employees, contractors, and members of the public authorized to access the main campus and satellite offices.
  
Does the system collect, maintain, use or share PII?Yes  
   
Question PIA-014 is calculated from the system. Reminder: If the response to this question is No, questions 15-38 should no longer appear on the form.   
Indicate the type of PII that the system will collect or maintain.Name  
   
Driver's License Number  
E-Mail Address  
Phone Numbers  
Medical Notes  
Date of Birth  
Mailing Address  
Medical Records Number  
Other - Unique Patient Identifier (UPI)/MBI. National Provider Identifier (NPI). Fax number.  
Therapy records  
For question PIA-015, check all the boxes that apply. If the information collected not described by any of the items in the list, there is a text field under ‘Other’ where you can list additional information. Your response should include all types of PII regardless of type sensitivity, or whether it is from employees or the public. Reminder: Any types of PII listed in this response need to be listed in Q12.   
Indicate the categories of individuals about whom PII is collected, maintained or shared.Patients  
Other - Providers  
   
How many individuals' PII in the system?50,000-99,999  
    
For what primary purpose is the PII used?

Each year, the Centers for Medicare & Medicaid Services' (CMS) Medicare Fee-For-Service (FFS) program makes billions of dollars in estimated improper payments. CMS employs several types of Review Contractors (RC) to measure, prevent, identify, and correct these improper payments. The RCs identify improper payments by requesting medical documentation for a small sample of claims. Also, CMS runs several Prior Authorization programs to safeguard beneficiaries’ access to medically necessary items and services while reducing improper Medicare billing and payments. The DRFP project is creating a CMS end point where Providers can submit medical documentation and Prior Authorization requests in a FHIR format. These FHIR requests may contain PII or Protected Health Information (PHI). To simplify the solution implementation, the FHIR request is converted to an X12 or XDR format and sent to RCs through the existing esMD system. Given this, the PCG-FHIR system is ONLY processing the FHIR request to pass it on to the RC. The DRFP system does not collect, share or access information directly from individuals. It acts as a conduit system and establishes a FHIR based communication channel between Providers systems and CMS systems. It receives specific information from Subscribers (Patients/Beneficiaries) and Providers, but it does not store any of this information. PII received by DRFP is not functionally processed but transferred to esMD. PCG-FHIR only parses the PII from the FHIR Bundle, formats into an X12 format and sends it to esMD. PCG-FHIR does not disclose or share the PII with any other application or entity.

PCG-FHIR will now start storing the above mentioned information. The primary usage of the information from Providers to RCs does not change. The purpose of the documentation requests is to notify providers of what information/documentation needs to be sent back to the RCs to complete processing of a given claim.

The same applies to the SHMS module.

  
   
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)Not Applicable. There are no secondary uses of the PII.  
   
Describe the function of the SSN.Not Applicable. SSN is not used by system.  
   

This question should describe all the ways SSN, if collected, is used in the system; when, where, and why SSN is disclosed or shared; and why the SSN is used rather than another identifier. 


NOTE: Employer Identification Number (EIN) also known as Federal Employer Identification Number (FEIN) or Tax Identification Number (TIN) or Federal Tax Identification Number (FTIN).  Individuals may choose to use their SSN as their EIN or FTIN. Typically, this would be sole proprietors or other small business owners who use SSN as EIN for tax purposes. EIN often appears in the format XX-XXXXXXX and may not stand out as SSN.


Any time SSN is entailed, examine whether collection/use of the SSN can be eliminated.


Reminder: If the response to this question states that SSN is collected, SSN should also be listed in the response to Q15. 

  
Cite the legal authority to use the SSN.Not Applicable.  
   
Identify legal authorities​ governing information use and disclosure specific to the system and program.5 U.S.C. Section 301, Departmental Regulations, the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015.  
   
Are records on the system retrieved by one or more PII data elements?No  
    
Identify the sources of PII in the system: Directly from an individual about whom the information pertainsOther - Not Applicable.  
   
Identify the sources of PII in the system: Government SourcesOther - Not Applicable.  
   
Identify the sources of PII in the system: Non-Government SourcesOther - The PCG-FHIR system does not collect, share or access information directly from individuals. Providers collect information directly from individuals and send the information to the PCG-FHIR system in FHIR structure to be transferred in a compatible form to esMD.  This information includes PII.  
   
Identify the OMB information collection approval number and expiration dateNot Applicable  
Is the PII shared with other organizations?No  
    
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.PCG-FHIR and SHMS module store PII, but this information is not collected directly from individuals. Providers are responsible to notify individuals that they are collecting the individual’s personal information.  
   
Is the submission of the PII by individuals voluntary or mandatory?Voluntary  
    
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.PCG-FHIR and SHMS module store PII, but this information is not collected directly from individuals. Providers are responsible for notifying individuals from whom they are collecting personal information and how they can opt-out.  
   
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.PCG-FHIR and SHMS module store PII, but this information is not collected directly from individuals. Providers are responsible for notifying individuals and obtaining consent from whom they are collecting personal information.   
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.Not Applicable. PCG-FHIR and SHMS module store PII, but this information is not collected directly from individuals. Providers collect information directly from individuals and send the information to PCG-FHIR. Providers are responsible to have processes in place to resolve an individual’s concerns if they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate.  
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

PCG-FHIR and SHMS module store PII, but this information is not collected directly from individuals. The process for periodic reviews is carried out by CMS though a Security Control Assessment. PCG-FHIR goes through a mandatory Security Assessment at least annually. This assessment includes an annual review and evaluation of system security controls, the system security plan and other required system security documentation by an independent third-party assessor. 

 

  
Identify who will have access to the PII in the system and the reason why they require access.
  • Users Explanation: System Administrators are only accessing the system for management and maintenance of the PCG-FHIR platform. Administrators cannot access the PII that is electronically transported through the PCG-FHIR system. Documentation requests being sent from RCs to Providers will contain PII/PHI. Users (Providers or their authorized representatives) will be able to access requests that pertain only to their NPIs. They will need this information to understand the documents being requested by the RCs.
  • Administrators Explanation: System Administrators are only accessing the system for management and maintenance of the PCG-FHIR platform. Administrators cannot access the PII that is electronically transported through the PCG-FHIR system. Administrators will not have access to any PII.
  • Developers Explanation: System Developers are only accessing the system for management and maintenance of the PCG-FHIR platform. Developers cannot access the PII that is electronically transported through the PCG-FHIR system. Developers will not be able to access any PII.
  • Contractors Explanation: System Administrators and Developers are CMS direct contractors that only access the system for management and maintenance of the PCG-FHIR platform. System Administrators and Developers do not access the electronically transported medical records sent through the PCG-FHIR system. Contractors will not be able to access any PII.
  • Others Explanation: PCG-FHIR parses the PII data from the FHIR bundle input file, converts it into an X12 278 transaction format, and transmits the transaction in an encrypted format to esMD. (Individuals within the PCG-FHIR boundary will not have access to PII that is transferred through the system.)
  
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

The principle of least privilege is utilized for all accesses to the PCG-FHIR system. Access control lists are used to silo access and control access based on an individual’s privileges.

System Administrators and Developers cannot access the PII that is electronically transported through the PCG-FHIR system. System Administrators and Developers are CMS direct contractors that only access the system for management and maintenance of the PCG-FHIR platform.

  
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.The principle of least privilege is utilized for all accesses to the PCG-FHIR system. Access control lists are used to silo access and control access based on an individual’s privileges.  
   
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.CMS employees and direct contractors with access to CMS systems are required to complete the mandatory annual Information Systems Security and Privacy Awareness Training.  
   
Describe training system users receive (above and beyond general security and privacy awareness training)Not Applicable.  
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes  
   
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.PCG-FHIR and SHMS follow the CMS records schedule for claims and provider records, https://www.cms.gov/Regulations-and-Guidance/Guidance/CMSRecordsSchedule. The data falls into the Bucket 5 category, DAA-0440-2015-0007, which requires a 10 year retention. In accordance with these guidelines all transaction related data is stored online as yearly partitions for a period of 10 years. On a yearly basis, a batch job will be run that creates the partition for the latest (nth) year and deletes the partition for the oldest (n-10th) year.  
   
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The PCG-FHIR system does not collect, share or access information directly from individuals. Administrative controls that are in place to secure PII include only assigning needed privileges to user accounts that access the PCG-FHIR environment. Annual account reviews are performed to ensure that those user accounts have the needed access and automated actions to disable inactive user accounts. Technical controls that are in place to secure PII include Web Application Firewalls that protect and control network traffic that goes in and out of the DRFP system. Vulnerabilities and exploits are scanned for within the PCG-FHIR system by a Continuous Monitoring program.

PCG-FHIR and the SHMS modules will now store PII and PHI. However, the response to the question remains the same.

From a physical controls standpoint, PCG-FHIR resides in the CMS Amazon Web Services (AWS) environment. Physical controls are inherited from a central level from the Cloud Support team.