
Recovery Audit Contractor Region 3

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 9/6/2022

PIA Information for Recovery Audit Contractor Region 3
PIA Questions and PIA Answers
OPDIV:CMS
PIA Unique Identifier:P-7672600-877018
Name:Recovery Audit Contractor Region 3
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?No
Identify the operator:Contractor
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization4/5/2023
Indicate the following reason(s) for updating this PIA. Choose from the following options.PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.Not applicable, no changes have occurred since the Privacy Impact Assessment (PIA) was last finalized.
Describe the purpose of the systemThe purpose of the Recovery Audit Contractor Regions 2 and 3 (RACs- 2 and 3) system is to identify and document overpayments and underpayments made by the Centers for Medicare & Medicaid Services (CMS) to medical service providers. The function of this system is to perform recovery auditing services as authorized by CMS. RACs- 2 and 3 cover the following geographical areas: Alabama, Arkansas, Colorado, Florida, Georgia, Louisiana, Mississippi, New Mexico, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia, and West Virginia.
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The RACs- 2 and 3 system maintains patient and provider information in relation to Medicare payment claims. This information is not collected directly by the RACs- 2 and 3 system. It is collected by the CMS National Claims History (NCH) system, which has its own PIA, and is transferred once a month to RACs- 2 and 3 through a secured data file transfer directly from NCH.

The RACs- 2 and 3 system contains the following information about patients: name, date of birth, mailing address, telephone number, health insurance claim number (HICN), sex, ethnicity, medical notes, medical record information (procedure codes, diagnosis codes, dates of service, total charges, Medicare payment amount), and Medicare Beneficiary Identifier. The system also contains information about providers, such as: National Provider Identifier (NPI), facility name and address, and provider name and telephone number.

The RACs- 2 and 3 system users are internal and enter a username and password to access the information in the system. The following user information is stored in the system: First Name, Last Name, Display Name, Office Location, Telephone Number, E-mail Address, Job Title, Department, and Manager Name.

RACs- 2 and 3 keeps records containing PHI that HIPAA requires to be retained for at least six (6) years from the date of creation or the date when the record was last in effect, whichever is later, to fulfill the purpose(s) identified in the Notice of Privacy Practices or as required by law.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The RACs- 2 and 3 system shares data with other CMS systems, including the Fiscal Intermediary Shared System (FISS), the Multi-Carrier System (MCS), and the Recovery Audit Contractor Data Warehouse (RACDW). It does not collect PII from Medicare beneficiaries. Data is sent to the Virtual Data Center (VDC).

For Medicare beneficiaries, the system is used to predict, identify, manage and analyze medical claims; receive data; execute queries; audit results; create and submit adjustments; and generate letters and reports.

The following data elements are maintained in support of claims management, auditing, and letter generation: name, date of birth, mailing address, telephone number, health insurance claim number (HICN), sex, ethnicity, medical notes, medical record information (procedure codes, diagnosis codes, dates of service, total charges, Medicare payment amount), and Medicare Beneficiary Identifier. This data is used to evaluate Medicare claims and to identify improper payments made on claims of health care services provided to Medicare beneficiaries. If an overpayment is identified, the system performs the business functions necessary to recover Medicare’s funds.  If an underpayment is identified, the system performs the business functions necessary to reimburse the additional funds.

Medicare claims needing to be reprocessed are submitted to organizations that handle Medicare claims.

The RACs- 2 and 3 system regularly uses PII to retrieve medical records directly from providers and a healthcare information management company. The PII used for this includes last name, first initial, date of birth, claim number, medical record number, and date of service.

The user information maintained by the RACs- 2 and 3 system is used for system authentication, security, and integrity.

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • Date of Birth
  • Other - Health Insurance Claim Number/Medicare Beneficiary Identifier, sex, race, written medical records, procedure codes, diagnosis codes, dates of service, office location, telephone number, email address, job title, department, manager name, mailing address, medical notes, medical record information (procedure codes, diagnosis codes, dates of service, total charges, Medicare payment amount), National Provider Identifier (NPI), facility name, provider name and telephone number, username and password.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Patients
How many individuals' PII in the system?1,000,000 or more
For what primary purpose is the PII used?The primary purpose for Personally Identifiable Information (PII) is to identify claims that were improperly paid by CMS. Any PII element contained in a claim could be used to identify an improper payment.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)Previously reviewed claims that contain PII are used to train and re-train auditors for the purpose of identifying improper payments.
Describe the function of the SSN.A redacted form of the Social Security Number (SSN) is provided on an Additional Documentation Request (ADR) letter so a provider can identify the claims being audited and provide the correct medical records for those claims.
Cite the legal authority to use the SSN.Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (created the RAC demonstration project); Section 1893(h) of the Social Security Act (creation of the national RAC program)
Identify legal authorities​ governing information use and disclosure specific to the system and program.Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (created the RAC demonstration project); Section 1893(h) of the Social Security Act (creation of the national RAC program)
Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.RACs- 2 and 3 does not develop a SORN. However, claims information is received from CMS through the National Claims History (NCH) file, SORN #09-70-0558.
Identify the sources of PII in the system: Directly from an individual about whom the information pertainsOther - RACs- 2 and 3 does not collect Personally Identifiable Information from individuals.
Identify the sources of PII in the system: Government SourcesOther - National Claims History (NCH), SORN #09-70-0558. This is the monthly claims file received from CMS on processed Medicare claims, and it is used to identify improper payments. Additional research may be conducted in other systems or sources: Fiscal Intermediary Shared System (FISS), SORN #09-70-0503; Medicare Multi-Carrier Claims System (MCS), SORN #09-70-0501; Common Working File (CWF), SORN #09-70-0526; Medicare Appeals System (MAS), SORN #09-70-0566; Healthcare Integrated General Ledger (HIGLAS); and RAC Data Warehouse Quality Improvement System.
Identify the sources of PII in the system: Non-Government Sources 
Identify the OMB information collection approval number and expiration dateNot applicable. The application does not collect PII directly from individuals; the PII is obtained from another CMS system.
Is the PII shared with other organizations?Yes
Identify with whom the PII is shared or disclosed and for what purpose.Within HHS; Private Sector

Private Sector Explanation: Once an improper payment has been identified, the claim information (containing Personally Identifiable Information (PII)) is sent to the Medicare Administrative Contractors (MACs) so they can adjust the claim. This allows CMS to collect overpayments or return underpayments.

Additionally, in connection with performance of the services under RACs- 2 and 3 contracts #HHSM-500-2016-00081C and #HHSM-500-2016-00082C, and their respective Statements of Work, RACs- 2 and 3 may share or disclose information containing PII with applicable MACs, Zone Program Integrity Contractors (ZPICs), Qualified Independent Contractors (QICs) and/or Administrative QICs (AdQICs), including by sending information to the Fiscal Intermediary Shared System (FISS), SORN #09-70-0503; Medicare Multi-Carrier Claims System (MCS), SORN #09-70-0501; and RAC Data Warehouse Quality Improvement System.

Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

RACs- 2 and 3 Contracts #HHSM-500-2016-00081C and #HHSM-500-2016-00082C, the recovery audit contracts for Regions 2 and 3, and their respective Statements of Work, contemplate information sharing and disclosure with Medicare providers, as well as MACs, Zone Program Integrity Contractors (ZPICs), Qualified Independent Contractors (QICs) and Administrative Qualified Independent Contractors (AdQICs) and others as indicated by the CMS Contracting Officer’s Representative (COR), in connection with our performance of services. Pursuant to the Statements of Work, we are party to Joint Operating Agreements with each applicable MAC, ZPIC, QIC and AdQIC to encompass all communication between ourselves and them.

Describe the procedures for accounting for disclosuresNot applicable. The Personally Identifiable Information (PII) used in this system is obtained from other CMS systems and is not collected from individuals. If an accounting of disclosures is required, the systems from which the PII is obtained would be responsible for providing the individual with the date, nature, and purpose of each disclosure and the name and address of each recipient.
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.Not applicable. RACs- 2 and 3 does not collect Personally Identifiable Information (PII) from individuals and therefore does not provide prior notice to individuals. The information in the system is received from CMS and CMS Medicare providers in connection with the RACs- 2 and 3 performance of the services under contracts #HHSM-500-2016-00081C and #HHSM-500-2016-00082C, and their respective Statements of Work (SOWs).
Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.RACs- 2 and 3 does not collect information from individuals; any option to opt-out would be handled by CMS.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.The option to opt-out of the collection of PII is the responsibility of the CMS system that originally collects the PII from individuals. 
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.The process to address an individual’s concern that their PII has been used or disclosed inappropriately, or that the information is inaccurate, is governed by the CMS Policy, which describes an individual’s right to request access to, or obtain a copy of, PII maintained by the RACs- 2 and 3, to request an amendment to PII and to request a restriction of PII disclosures. Direct requests from patients to the CMS are addressed by the Compliance and Privacy Officer.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.Data integrity checks are performed on an ongoing basis on all source data to ensure that the ingested information matches the source. These checks include statistical analysis at the data field level, aggregate-level stratifications, and source-to-destination record count validations. Backup copies of the databases are maintained both in the information system's online storage and on backup media. Incremental data backups are taken throughout the day to provide recovery points that minimize loss of availability in the event of an outage.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Auditors have access to the data for the purpose of identifying improper payments.
  • Administrators: Information Technology System Administrators have access to the system that contains the PII data for the purpose of maintaining the system and its components.
  • Developers: Information Technology Application Developers have access to the system that contains the PII data for the purpose of maintaining the Applications used by the Auditors. 
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.Access to PII is controlled through account access according to a user's job duties as decided by their supervisor.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.Access to PII is provided through secured channels, and users are placed in groups according to their need to access PII. Within the application, further access permissions are granted and removed by the supervisor.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.All RACs- 2 and 3 personnel working on the CMS audit receive Information Security and HIPAA training that is retaken annually.
Describe training system users receive (above and beyond general security and privacy awareness training)All RACs- 2 and 3 personnel working on the CMS audit receive HIPAA, Fraud Waste and Abuse, and Conflict of Interest training that is retaken annually.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.RACs- 2 and 3 maintains two types of data containing PII/PHI: work product and claims data received from CMS for its contract work. RACs- 2 and 3 retains its work product (PII/PHI) according to NARA GRS No. N1-440-04-3 (Bucket 3 - Financial Records); Records will be destroyed no sooner than 7 years after cutoff or until the records are no longer needed, whichever comes first. RACs- 2 and 3 retains claims data received from CMS (PHI/PII) for 30 days after expiration of the contract as specified in our SOWs with CMS (Upon request of the Contracting Officer, or the expiration of this contract, whichever shall come first, the contractor shall return or destroy all data given to the contractor by the government). According to the section on Records Retention Storage in Medicare Integrity Program Manual, Ch. 3 § 3.2.3.10, “Recovery Auditors shall comply with the record retention requirements in its SOWs.” There is no applicable NARA GRS number for the claims data received from CMS.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.The PII used by the system is secured using administrative, technical, and physical controls in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. These controls include:
  • Administrative: policies and procedures that govern (1) the selection, development, implementation, and maintenance of the security measures that protect the PII and (2) the conduct of those with access to the PII.
  • Technical: encryption, automatic logoff, and two-factor authentication.
  • Physical: facility access controls and disposal controls.