Provider Statistical and Reimbursement System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 2/28/2025
PIA Questions | PIA Answers | |
---|---|---|
OPDIV: | CMS | |
PIA Unique Identifier: | P-3760448-661046 | |
Name: | Provider Statistical and Reimbursement System | |
The subject of this PIA is which of the following? | Major Application | |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate | |
Is this a FISMA-Reportable system? | Yes | |
Does the system include a Website or online application available to and for the use of the general public? | Yes | |
Identify the operator: | Agency | |
Is this a new or existing system? | Existing | |
Does the system have Security Authorization (SA)? | Yes | |
Date of Security Authorization | 7/11/2024 | |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) | |
Describe in further detail any changes to the system that have occurred since the last PIA. | The Provider Statistical and Reimbursement (PS&R) System produces a variety of reports for Medicare Administrative Contractors (MACs), the Centers for Medicare & Medicaid Services (CMS), providers, and Program Safeguard Contractors (PSCs). These reports accumulate statistical and payment data for hospitals, hospital complexes, skilled nursing facilities (SNFs), hospices, end stage renal disease facilities, comprehensive outpatient rehabilitation facilities, home health agencies, rural health clinics (RHCs), and Community Mental Health Centers (CMHCs). There have been no major changes to the PS&R system since the last revision of the PIA. | |
Describe the purpose of the system | The PS&R system consists of four applications: PS&R, the System for Tracking Audit and Reimbursement (STAR), the Medicare Cost Report E-Filing system (MCREF), and Visor. STAR, MCREF, and Visor are PS&R subsystems, and for the purposes of this document "PS&R" refers to the entire system (including STAR, MCREF, and Visor), except where explicitly stated. The PS&R System is used by Part A/B Medicare Administrative Contractors (A/B MACs) to accumulate the statistical and reimbursement data applicable to the Medicare claims processed. It summarizes these data on reports that are used by medical providers and A/B MACs to complete key elements of the Medicare Cost Report (MCR). PS&R data are subsequently used by the A/B MACs to reconcile MCRs. PS&R permits the A/B MACs and providers to use the system-produced reports to accumulate statistical and payment data for hospitals, hospital complexes, skilled nursing facilities, and home health agencies. PS&R also provides functionality that allows providers to submit MCRs and supporting documentation to CMS electronically through the MCREF subsystem. Providers submit their MCR and all supporting documentation through the MCREF webpage; the MCR is parsed for relevant data, which is stored in the STAR database. The MCR itself is also stored in a file repository within MCREF for long-term storage. The CMS Visor subsystem allows authorized users to view dashboards, visualizations, and reports related to PS&R/STAR data. Visor consists of a web-based Java front end and Tableau data visualizations. | |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The PS&R System receives all Medicare Part A claims after they are finalized and paid by the CMS Part A claims processing system, the Fiscal Intermediary Shared System (FISS). FISS sends PS&R the paid claims; PS&R loads the claims into its system, performs additional payment calculations, and assigns the claims and their line items to the appropriate PS&R report types. PS&R receives and tracks all user report request parameters. PS&R also tracks Part A provider information entered by MAC users (e.g., provider number, address, facility names, Periodic Interim Payment (PIP) status, bankruptcy status, servicing MACs, relationships with home offices, relationships with other providers, certification dates, decertification dates, change of ownership dates, change of MAC dates, etc.), Part A provider annual cost report information (e.g., cost report reminder letters, cost report past due letters, cost report acceptance dates, tentative settlement dates, desk review/audit dates, cost report data, appeals data, reopening data, wage index dates, Tax Equity and Fiscal Responsibility Act (TEFRA) dates, provider-based determination dates, interim rate review dates and types, etc.), change log information (i.e., the before/after data for changes made by users, together with which user made the change and when), and report requests. The two categories of PS&R users are general users and web service users. PS&R system users consist of CMS users, MAC users, and providers, who are authenticated by the Identity Management (IDM) authentication server. PS&R web service users are authenticated by the Extensible Markup Language (XML) Gateway. User identifiers are assigned by IDM. PS&R regularly retrieves system records by PII. The PII elements held include Medicare Health Insurance Claim Numbers (HICNs), user IDs, Medicare Beneficiary Identifiers (MBIs), Social Security Numbers (SSNs), names, dates of birth, email addresses, phone numbers, mailing addresses, medical record numbers, and financial information, about patients, providers, medical interns/residents, and Medicare Administrative Contractor (MAC) personnel. PS&R retains records in compliance with Bucket 3 of the CMS Records Schedule. The disposition for these records is a minimum of 7 years, and the Bucket allows for longer retention based on Agency business needs. | |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | PS&R is a Medicare Part A claims reporting system and a system for tracking Part A provider annual cost report reimbursement, review, and audit. The system contains Medicare Part A claims, which are sent to PS&R from FISS, as well as Medicare Cost Report (MCR) data submitted by MACs into STAR and MCR data submitted by providers via MCREF. Providers use claim reports from PS&R to create their Medicare Part A cost report each year, and CMS and MACs track these cost reports through the audit and reimbursement process. PS&R regularly retrieves system records by PII. The PII elements held include Medicare Health Insurance Claim Numbers (HICNs), user IDs, Medicare Beneficiary Identifiers (MBIs), Social Security Numbers (SSNs), names, dates of birth, email addresses, phone numbers, mailing addresses, medical record numbers, and financial information, about patients, providers, medical interns/residents, and Medicare Administrative Contractor (MAC) personnel. | |
Does the system collect, maintain, use or share PII? | Yes | |
Indicate the type of PII that the system will collect or maintain. | | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | | |
How many individuals' PII in the system? | 1,000,000 or more | |
For what primary purpose is the PII used? | Personally Identifiable Information (PII) is used for claim payment research and validation by CMS, MAC, and provider users. | |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | PII may be used to assist in system release user testing - verifying that PS&R implements changes correctly for specific claims. | |
Describe the function of the SSN. | SSN is used to track interns and residents doing rotations at Medicare Part A providers; tracking of interns and residents is needed to finalize Medicare reimbursement to teaching hospitals. | |
Cite the legal authority to use the SSN. | Authority for maintenance is given under provisions of sections 1816, 1862(b), and 1874 of Title XVIII of the Social Security Act (the Act) (42 United States Code (USC) sections 1395h, 1395y(b), and 1395kk). | |
Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for maintenance is given under provisions of sections 1816, 1862(b), and 1874 of Title XVIII of the Social Security Act (the Act) (42 United States Code (USC) sections 1395h, 1395y(b), and 1395kk). | |
Are records on the system retrieved by one or more PII data elements? | Yes | |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | FISS SORN - 09-70-0503 | |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | | |
Identify the sources of PII in the system: Government Sources | | |
Identify the sources of PII in the system: Non-Government Sources | | |
Identify the OMB information collection approval number and expiration date | Not Applicable | |
Is the PII shared with other organizations? | Yes | |
Identify with whom the PII is shared or disclosed and for what purpose. | | |
Within HHS Explanation: CMS and MACs require information including SSN to audit Medicare reimbursement. | | |
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | CMS is responsible for ensuring that MAC organizations have the proper authorization to access PII data in the PS&R system. | |
Describe the procedures for accounting for disclosures | PS&R follows all CMS guidelines for disclosure of information. Access to PS&R is controlled through role-based access control managed by the Identity Management (IDM) system. IDM assigns roles to users and audits account activity including the data that users can access. | |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Users accept the terms and conditions specified in the System Use Notification before they are authenticated in CMS IDM. The user accepted these terms and conditions when they registered their user ID in the CMS authentication system. These users voluntarily provided their personal information to receive user IDs and access to CMS applications. The PS&R system does not collect PII directly from individuals. The information is present on the paid claims record, the format of which is specified by another CMS system. PII is collected by these other systems, which are responsible for notifying the individuals whose information is being collected. | |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary | |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Users cannot opt-out because they must be authenticated before they are granted access to PS&R system. | |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Users logging into the PS&R system are notified of any unsuccessful login attempts through authentication functions within the CMS Identity Management system. Under certain conditions, CMS will disclose PII with the consent of the subject individual or his/her legal representative, or in accordance with a fiscal agent agreement. These conditions are listed in the current FISS system of records (SOR), Section V: "Effects of the Modified System of Records on Individual Rights". PS&R does not directly notify individuals of expected changes in the use or disclosure of their PII. If major system changes occur that affect the use and/or disclosure of the PII, CMS would publish a new SOR notice and invite feedback during the established comment period. | |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Published instructions in the FISS SORN under 'Notification Procedures' state how subject individuals may contact the CMS Privacy Office system manager. CMS and MAC PS&R users are trained to contact the CMS IT Service Desk if they believe their user credentials have been compromised or a breach has occurred. The IT Service Desk opens a service request (SR) ticket and notifies the PS&R business owner and project officer. | |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | PS&R receives PII from a CMS claims processing system and is not responsible for verifying its accuracy, only for reporting what the claims system provided. No modifications to the PII are possible within PS&R; the data is used for reporting only and is not editable. PS&R's reporting availability is verified daily to make sure the appropriate users can access the PII. Only CMS and MAC users can access PS&R PII (this access is controlled through the CMS authentication system); provider users are not able to access PII. | |
Identify who will have access to the PII in the system and the reason why they require access. | | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | PS&R is built to allow direct access to PII only to CMS, MAC, and system maintainer users. These users must have a CMS user ID and must have requested approval through the CMS access provisioning system. A user's role within PS&R is governed by the CMS authentication system and is outside the scope of PS&R. Provider users are unable to directly view PII through the system. If a provider needs to view a PS&R report containing PII, the provider must request the report from its MAC, and the MAC may provide the report to the provider outside the PS&R system proper. Any such release of PII is governed by the MAC's own PII procedures. | |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | PS&R reports display to users only a subset of the PII available from claims. This subset was identified by CMS as the minimum amount of data needed for Part A claim payment reconciliation. Access is role-based and follows the least-privilege principle; users are granted access on a need-to-know basis. | |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Each user of the PS&R system is trained on how to use the system and is briefed on their responsibilities to the system. Employees are also provided with yearly security training. CMS is required to provide role-based Information Security (IS) training to employees and contractors who have specialized roles within the CMS IS program. CMS users are required to complete computer-based training (CBT) courses on information security and privacy awareness before receiving access to the CMS network and as part of the annual recertification process. PS&R System Maintainer team members are required to complete corporate information security training when hired and annually thereafter. CGI's CMS account training coordinator tracks training activities and attendance. | |
Describe training system users receive (above and beyond general security and privacy awareness training) | System users are CMS, MAC, and provider employees who are bound by their normal PII security policies and training requirements which require CMS users to take Computer-Based Training (CBT) courses regarding information system security awareness. Users must complete these courses prior to accessing the CMS network. | |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes | |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | PII within PS&R is housed in the production environment and governed by its record retention policy. Data in PS&R is managed using Bucket 3 of the CMS Records Schedule. The disposition for these records is a minimum of 7 years and the Bucket allows for longer retention based on Agency business needs. Records Schedule Number: DAA-0440-2015-0004 | |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | PS&R data is securely stored in a data center. All PS&R data is stored in buildings secured by electronic entry devices and physical security controls. Users are required to sign on to the PS&R system with an approved user ID and password to request this information. Information is secured at each MAC data center. Once in the PS&R system, access is restricted to the applicable MAC, which has the responsibility for forwarding the detail and summary reports to its providers. | |
Identify the publicly-available URL: | https://mcref.cms.gov | |
Does the website have a posted privacy notice? | Yes | |
Is the privacy policy available in a machine-readable format? | No | |
Does the website use web measurement and customization technology? | Yes | |
Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) | Session Cookies | |
Session Cookies - Collects PII?: No | | |
Does the website have any information or pages directed at children under the age of thirteen? | No | |
Does the website contain links to non-federal government website external to HHS? | Yes | |
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | No |