
Provider Customer Service Program System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 11/5/2024

PIA Information for the Provider Customer Service Program System
PIA Questions | PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-1102469-465855

Name:

Provider Customer Service Program System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

Yes

Identify the operator:

Agency

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

8/7/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

The Communications Relational Assurance Database (CRAD) was retired in June 2023 since we ended the contract with the third party to complete Quality Assurance Monitoring. This does not create any additional privacy risks.  No other changes were made since the last iteration of the PIA. 

Describe the purpose of the system

The Provider Customer Service Program (PCSP) system collects contractor and organization information such as contract, operations, and workload information from the Medicare Administrative Contractors (MACs). Information is collected to report on the workload and performance of MACs and to ensure payments are processed for claims.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The PCSP system receives information about the MACs, including contact and workload information.  For example, it contains the MACs' website address, the number of Medicare health care providers served in the jurisdiction, phone numbers, quality assessment scores for Customer Service Representatives (CSR) and correspondent responses to provider telephone and written inquiries, and monthly telephone, written, and Internet portal statistics related to the PCSP.

The system also collects usernames and credentials (Password and Business E-mail Address) of those individuals accessing the PCSP.  CMS employees and Medicare Administrative Contractor (MAC) staff use the system.  Names are collected to identify system users.  Business e-mail addresses are collected and used as the user's account login.  Phone numbers are collected to contact users if there is an issue with their system access.  Passwords are collected to maintain the security of a user's account.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The PCSP System consists of four databases that support Medicare Administrative Contractors' (MACs) reporting and evaluation. They include the Provider Contact Center (PCC), Provider Self Service (PSS), and Provider Outreach and Education (POE) databases. The component databases and their purposes are: (1) Quality Written Correspondence Monitoring (QWCM), to assess and report the quality of written interactions with the provider community; (2) Quality Call Monitoring (QCM), to assess and report the quality of telephone interactions with the provider community; (3) Provider Customer Service Program Contractor Information Database (PCID), which stores general contract information and reports monthly inquiries, education and training statistics on the PCSP; and (4) Provider Inquiries Evaluation System (PIES), which reports monthly calls, written, and Internet portal statistics on the PCSP.

The system collects user credential information, which includes name, business e-mail address, phone number and password.  Names are collected to identify system users.  Business e-mail addresses are collected and used as the user's account login.  Phone numbers are collected in order to contact users if there is an issue with their system access.  Passwords are collected to maintain the security of a user's account.

 

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name
  • E-Mail Address
  • Phone Numbers
  • Other - passwords, user credentials

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Vendors/Suppliers/Contractors

How many individuals' PII in the system?

500-4,999

For what primary purpose is the PII used?

The PII in the system is used to create reports about the performance of individuals working at the MAC and to create and maintain user accounts.  

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

There is no secondary use of PII.   

Describe the function of the SSN.

SSNs are not collected.

Cite the legal authority to use the SSN.

SSNs are not collected.

Identify legal authorities governing information use and disclosure specific to the system and program.

5 USC 301, Departmental Regulations

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

  • In-Person

  • Email

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

Not applicable

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Users must complete an access request form that requires their name and business e-mail address to gain access to the system. The form used to request access to the databases explains that names and e-mail addresses are used to create an account.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Individuals cannot opt out of providing PII if they require access to the system.  The only information required to access the system is a person's CMS name and business e-mail address.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

If disclosure and/or data uses change, a Technical Direction Letter (TDL) is issued to the MACs to make them aware of the change. The databases will never be used to collect, store or transmit PII other than the user's name and business e-mail address.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

If individuals believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate, they can contact CMS via their CMS Contracting Officer Representative (COR). Staff from CMS/Provider Communications Group/Division of Contractor Provider Communications (CMS/PCG/DCPC) will investigate the claim. Any inappropriate use or disclosure will be reported per CMS policy and the individual's information will be removed from the system. If the PII is inaccurate, CMS/PCG/DCPC will correct any inaccuracies.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

CMS ensures PII is not improperly or inadvertently modified or destroyed by only allowing a small number of users the ability to add or change PII. Individuals who provide or modify PII cannot repudiate that action because the PII provided must be used to sign into the system. CMS ensures that PII is available when needed because PII is used as a user's login credentials and the system has 99.9% availability. The PII is sufficiently accurate for the purposes needed because it is only collected and used for login credentials. Outdated, unnecessary, irrelevant, incoherent, and inaccurate PII is removed from the system as soon as it is identified. Contractor users review the data continuously. At least twice a year, CMS requires all MAC users to review user accounts and update/archive users as appropriate. CMS deactivates accounts after 60 days of inactivity.

 

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Users have access to their account information so they can see the name and e-mail address associated with their account.
  • Administrators: Administrators have access to PII because they perform account maintenance and can assist users with resetting their passwords.
  • Developers: Developers have access to PII because they perform account maintenance and can assist users with resetting their passwords.
  • Contractors: A subset of Medicare Administrative Contractor (MAC) users require access to PII to perform account maintenance and can assist users with resetting their passwords. The MACs are direct contractors of CMS.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

System users are assigned roles when their accounts are created. These roles dictate what PII a user can view. Users are given the lowest level role possible that allows them to perform their job.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The system has predetermined roles that limit the information each role can view based on the employee's responsibilities.   

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All contractors and CMS employees are required to complete the annual CMS Security and Privacy Awareness Training. Users also receive a user guide relative to each database that, in addition to guidance on how to use the system, describes the appropriate uses of the information in the database(s).

Describe training system users receive (above and beyond general security and privacy awareness training)

Not applicable

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Accounts are checked weekly for activity. Accounts are deactivated after 60 days of inactivity. Deactivation requires the new account request process to be followed for reactivation. Account records are maintained indefinitely for historical audit capabilities. PII is retained and destroyed in accordance with National Archives and Records Administration (NARA) General Records Schedule (GRS) 3.2, items 030: Temporary. Destroy when business use ceases; and 031: Temporary. Destroy 6 years after password is altered or user account is terminated, but longer retention is authorized if required for business use.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The PCSP System is protected by multiple physical security measures, including guards, limited access based on role, key cards, locks, and Closed-Circuit TV (CCTV). The PCSP System uses technical controls including user accounts and passwords (passwords must be “strong” passwords and changed regularly, according to CMS security policy), and HTTPS via Public Key Infrastructure (PKI). The systems are monitored with an Intrusion Detection System, and intrusion prevention is also implemented. Audit logs are available to server administrators. The PCSP System is protected by administrative controls: a security review was completed under CMS direction by Emagine IT; there are complete, approved System Security and Contingency Plans; and files (application and database) are backed up regularly and stored offsite. CMS assigns users “least privilege” and they can only review or share what has been assigned.

Identify the publicly-available URL:

PCID - https://www.p-cid.com/

PIES - https://www.pie-system.com/

QCM - https://www.qcmscores.com/

QWCM - https://www.qwcmscores.com/

Does the website have a posted privacy notice?

Yes

Is the privacy policy available in a machine-readable format?

No

Does the website use web measurement and customization technology?

No

Session Cookies - Collects PII?:

No

Does the website have any information or pages directed at children under the age of thirteen?

No

Does the website contain links to non-federal government websites external to HHS?

No