Recovery Audit Contractor Region 4

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 11/5/2024

PIA Information for Recovery Audit Contractor Region 4

PIA Questions and PIA Answers

OPDIV: CMS

PIA Unique Identifier: P-4495157-599825

Name: Recovery Audit Contractor Region 4

The subject of this PIA is which of the following? Major Application

Identify the Enterprise Performance Lifecycle Phase of the system: Operate

Is this a FISMA-Reportable system? Yes

Does the system include a Website or online application available to and for the use of the general public? Yes

Identify the operator: Contractor

Is this a new or existing system? Existing

Does the system have Security Authorization (SA)? Yes

Date of Security Authorization: 1/25/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Since the previously signed PIA (2020), there was an ownership change and a subsequent system name change from Health Management Systems (HMS) to Cotiviti GOV Services (Cotiviti).

Describe the purpose of the system.

The Recovery Audit Program's mission is to identify and correct Medicare improper payments through the efficient detection and collection of overpayments made on claims for health care services provided to Medicare beneficiaries, and the identification of underpayments to providers, so that CMS can implement actions that will prevent future improper payments in all 50 states. The Region 4 Recovery Audit Contractor is assigned this responsibility in the states that make up Region 4 (AK, AZ, CA, HI, ID, MT, ND, NV, OR, SD, UT, WA, WY, PA, DE, NJ, MD and Washington DC).

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)

The system stores National Claims History data and skilled nursing facility Minimum Data Set (SNF MDS) data, which is Region 4 Medicare beneficiary post-payment claim data received from CMS and used to identify improper Medicare payments, together with medical records and the Region 4 claim determinations of findings or no findings. Information containing PII includes Medicare Health Insurance Claim (HIC) Number, Name, Medical Records Number, Medical Records, Medical Notes, Employee/Business Partner names, User ID, phone numbers, emails, Unique Patient Identifier (UPI), Medicare Beneficiary Identifier (MBI), Date of Birth (DOB), Date of Death, Taxpayer IDs, Mailing Address, and Therapy Records. This information is maintained by Recovery Audit Contractor (RAC) Region 4 until contract end. The system does not hold system-specific access credentials such as usernames and passwords.
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

Cotiviti GOV Services (Cotiviti) is the Recovery Audit Contractor (RAC) for Region 4 and is charged with identifying and correcting overpayments and underpayments made under the Fee for Service (FFS) Medicare systems. Cotiviti does not collect PII from beneficiaries directly; however, our system electronically receives, stores and, when required, shares national claims history data received from CMS, along with information and documentation received from providers and reviewed by Region 4 for Medicare overpayments and underpayments. When required, claims data is shared with the Medicare Administrative Contractors (MAC) through the CMS secure Network Data Mover (NDM) line.

Information containing PII for Patients includes Name, Medical Records Number, Medical Records, Medical Notes, User ID, Therapy Records, Medicare HIC Number, UPI, MBI, Date of Birth, and Date of Death.

Information containing PII for Beneficiaries includes Name, Medical Records Number, Medical Records, Medical Notes, User ID, Therapy Records, Medicare HIC Number, UPI, MBI, Date of Birth, and Date of Death.

Information containing PII for Business Partners/Contacts includes Employee/Business Partner names, phone numbers, addresses, and email addresses.

PII data elements are used as part of the retrieval process when querying records for audit purposes.

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Date of Death
  • Other - Medicare HIC Number, Medical Notes, MBI, User ID, Medical Records, and Unique Patient Identifier (UPI)
  • Therapy records
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Business Partners/Contacts (Federal, state, local agencies)
  • Patients
  • Other - Beneficiaries
How many individuals' PII are in the system? 1,000,000 or more

For what primary purpose is the PII used? PII data is used for post-claim processing to identify over- and underpayments.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research): N/A

Describe the function of the SSN: N/A, SSN not received

Cite the legal authority to use the SSN: N/A, SSN not received

Identify legal authorities governing information use and disclosure specific to the system and program.
  • Medicare Prescription Drug, Improvement, and Modernization Act of 2003: created the RAC demonstration project
  • Section 1893(h) of the above Act: creation of the national RAC program

Are records on the system retrieved by one or more PII data elements? Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Under the Recovery Audit Contracts (RAC) with CMS, RAC-4 does not design, develop, operate, or maintain a system of records as defined in the Privacy Act. CMS has not assigned a System of Record Notice number to RAC-4. The SORN that applies to the systems from which RAC-4 retrieves records by one or more PII data elements is National Claims History, SORN# 09-70-0558. RAC-4 uses PII collected in connection with its CMS agreement only for purposes of providing services relating to CMS payment or healthcare operations. Information is exchanged only with other CMS contractors authorized to receive such information.
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Other - Within the CMS OPDIV through the CMS Network Data Mover (NDM) connection.
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • Other - Through the CMS Network Data Mover (NDM) connection.
Identify the sources of PII in the system: Non-Government Sources
  • Other - N/A
Identify the OMB information collection approval number and expiration date: N/A - Cotiviti does not collect data; it is received from CMS directly through Network Data Mover (NDM).

Is the PII shared with other organizations? Yes
Identify with whom the PII is shared or disclosed and for what purpose.
  • Within HHS: PII, when required, is shared with the Medicare Administrative Contractors (MAC), to the extent of the terms of the Joint Operating Agreement (JOA) established between contractors. This PII includes Medicare HIC Number, Date of Birth, Therapy Records, Taxpayer ID, Date of Death, Name, Medical Records Number, Medical Records, Employee/Business Partner names, User ID, phone numbers, and emails. The MACs receive PII to support the appeal process and to allow for adjustment of the claim for the improper payment findings.
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)): N/A - Cotiviti does not use a CMA or an ISA.

Describe the procedures for accounting for disclosures: N/A

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

N/A - Cotiviti does not collect personal information directly from the individual.

Is the submission of the PII by individuals voluntary or mandatory? Voluntary

Describe the method for individuals to opt out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Cotiviti does not collect personal information directly from the individual.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Cotiviti does not collect personal information directly from the individual.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Cotiviti does not collect personal information directly from the individual.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The PII within the system is verified for accuracy and integrity against historical national claims history data using RAC Region 4 databases and CMS legacy system queries; the results must match, otherwise discrepancies are revealed. The system's hardware, applications, and storage are monitored 24/7 for availability. Logs and system notifications are reviewed regularly.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Review staff, Customer Service and Management require access to the national claims history data, which includes Medicare HIC Number, Date of Birth, Date of Death, Taxpayer ID, Therapy Records, Employees/Business Partners, Name, Medical Records Number, and Medical Records, in order to perform claim review to identify overpaid and underpaid Medicare claims.
  • Administrators: Administrators require access to PII in the national claims history data, which includes Medicare HIC Number, Date of Birth, Date of Death, Taxpayer ID, Therapy Records, Employees/Business Partners, Name, Medical Records Number, and Medical Records, to provide oversight and quality assurance to ensure appeals information is accurate.
  • Developers: Perform application operations support.
  • Contractors: Non-Direct Contractors: Security auditors ensure all CMS and Federal Information Security Management Act (FISMA) security standards, procedures and guidelines are met. The security auditors also validate that proper security controls are in place to protect PII.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to PII by system users is determined using role-based access built on the principle of least privilege. RAC Region 4 has created the following roles: System Administrators have full access to the systems to which they are assigned for system maintenance and support. Application Administrators have limited access to operating system functions but full access to assigned application components for application maintenance, enhancement and future releases. Security auditors and analysts have access to auditing and security monitoring for security control audits and reporting, in addition to monitoring environmental activity. Medical Record Reviewers and Provider Services are given access to PII as needed to correctly identify the beneficiary for the claim they are reviewing or assisting providers with. These roles are granted the least privileges needed to perform their duties and must request approval before being granted escalated privileges.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The system is maintained using the security concept of least privilege. Only employees with a need to work with PII are provided access to PII. Application and database developers have full access to data. End users such as medical reviewers and provider service representatives are provided access through applications that restrict them to just the PII within the scope of their review and their job requirements. Software is used to track and log events.

Users are granted a specific level of access to the operating system on which they are working. This access is only granted after an approval process is completed via the ticket management system. After approval, access is granted to a specific named role on a system. Users with a given level of access can only perform specific actions on that system; for example, Windows server administrators cannot perform administrator functions on a Linux system. Each role has the minimum privileges needed to accomplish the assigned work, and users are assigned to roles based on the concept of least privilege. Administrator roles are granted so that administrators can perform only the tasks they need to, while being blocked from all other tasks. Employees must be authorized by their manager as well as the Information System Security Officer (ISSO) to perform privileged functions. Active Directory is used to enforce least privilege in conjunction with our ticketing system and audit log reviews for escalated privileges.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

RAC Region 4 institutes a security awareness and training program providing all government programs personnel with general security awareness training upon hire (before accessing RAC Region 4 systems) and annual refresher training thereafter.

All employees undergo annual Compliance, Code of Conduct and Health Insurance Portability and Accountability Act (HIPAA) training as well as Mandatory annual Security & Privacy Awareness Computer Based Training (CBT), Annual Social Networking Training, Annual Phishing Awareness Training, Annual IT Security and Awareness Training. In addition, there is a notification posted prior to accessing CMS data stating responsibilities for protecting the information collected.

Describe training system users receive (above and beyond general security and privacy awareness training)

All users including medical reviewers are provided specialized training utilizing in-house applications to enable them to perform their job duties. The training covers how to work with PII, how to use the applications, and security measures in place, and IT end user best practices. Specific training includes Annual Rules of Behavior Training, Annual Conflict of Interest Training and Disclosure, Annual Portable Device and Removable Storage Training, Annual Incident Response Management training (InfoSec personnel), Annual Contingency Planning training (InfoSec personnel), Additional Operational and Technical training (System Admin), Additional InfoSec training (InfoSec personnel).

The Information System Security Officer (ISSO) is responsible for ensuring that all personnel are appropriately trained and have completed annual security awareness and training. User training consists of a one-hour course emphasizing security awareness and policies. The curriculum includes the purpose of security, security contacts, the Health Insurance Portability and Accountability Act (HIPAA), privacy awareness, types of malicious activities, and recognition of security incidents and the requirement to report them. Security Awareness Training also covers the Rules of Behavior, such as securing sensitive information, securing workstations, using licensed software, prohibitions against network or workstation modification, incident reporting and password management. In addition, building and physical security guidelines are stressed to staff. Corporate Code of Conduct training is given annually via web training in the Learning Management System (LMS).

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

RAC-4 maintains two types of data containing PII/PHI: work product and claims data received from CMS for its contract work. RAC-4 retains its work product (PII/PHI) according to National Archives and Records Administration (NARA) GRS No. N1-440-04-3 (Bucket 3 - Financial Records); records will be destroyed no sooner than 7 years after cutoff or until the records are no longer needed, whichever comes first. RAC-4 retains claims data received from CMS (PHI/PII) for 30 days after expiration of the contract as specified in our statements of work (SOWs) with CMS (upon request of the Contracting Officer, or the expiration of this contract, whichever shall come first, the contractor shall return or destroy all data given to the contractor by the government). According to the section on Records Retention Storage in the Medicare Integrity Program Manual, Ch. 3 § 3.2.3.10, "Recovery Auditors shall comply with the record retention requirements in its SOWs." There is no applicable NARA GRS number for the claims data received from CMS.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Physical: This includes multiple physical security measures within data centers which maintain 24/7 Security Staff and Physical Access Control System (PACS) using Secure-Card Key Access, Biometric Scanners, and Alarms. Physical destruction of PII is handled utilizing shred bins, locked in secure areas that only the company can access. Shredding is done onsite.

Technical: Encryption is implemented for all backup storage, data connections, and databases. Intrusion detection and prevention solutions are employed, and the system is scanned daily for application and system vulnerabilities.

Administrative: Policies and Procedures have been created for securing PII in the RAC Region 4 system. Examples include the security awareness and training policy, access control policies, record retention policy, and audit monitoring and logging policies and controls.

Identify the publicly-available URL: https://rac4info.cotiviti.com

Does the website have a posted privacy notice? Yes

Is the privacy policy available in a machine-readable format? Yes

Does the website use web measurement and customization technology? No

Does the website have any information or pages directed at children under the age of thirteen? No

Does the website contain links to non-federal government websites external to HHS? Yes

Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? No