Recovery Audit Contractor Region 4
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/5/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-4495157-599825 |
Name: | Recovery Audit Contractor Region 4 |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 1/25/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Since the previously signed PIA (2020), there was an ownership and subsequent system name change from Health Management Systems (HMS) to Cotiviti GOV Services (Cotiviti). |
Describe the purpose of the system | The Recovery Audit Program’s mission is to identify and correct Medicare improper payments through the efficient detection and collection of overpayments made on claims for health care services provided to Medicare beneficiaries, and the identification of underpayments to providers, so that CMS can implement actions that will prevent future improper payments in all 50 states. The Region 4 Recovery Audit Contractor is assigned this responsibility in the states that make up Region 4 (AK, AZ, CA, HI, ID, MT, ND, NV, OR, SD, UT, WA, WY, PA, DE, NJ, MD and Washington DC). |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The system stores National Claims History data and skilled nursing facility Minimum Data Set (SNF MDS) data, that is, Region 4 post-payment Medicare beneficiary claim data received from CMS and used to identify improper Medicare payments, together with medical records and our claim determinations (findings or no findings). Information containing PII includes Medicare Health Insurance Claim (HIC) Number, Name, Medical Records Number, Medical Records, Medical Notes, Employee/Business Partner names, User ID, phone numbers, emails, Unique Patient Identifier (UPI), Medicare Beneficiary Identifier (MBI), Date of Birth (DOB), Date of Death, Taxpayer IDs, Mailing Address, and Therapy Records. This information is maintained by Recovery Audit Contractor (RAC) Region 4 until contract end. The system does not hold system-specific access credentials such as usernames and passwords. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | Cotiviti GOV Services (Cotiviti) is the Recovery Audit Contractor (RAC) for Region 4 and is charged with identifying and correcting overpayments and underpayments made under the Fee for Service (FFS) Medicare systems. Cotiviti does not collect PII from beneficiaries directly; however, our system electronically receives, stores and, when required, shares national claims history data received from CMS, together with information and documentation received from providers and reviewed by Region 4 for Medicare overpayments and underpayments. When required, claims data is shared with the Medicare Administrative Contractors (MACs) through the CMS secure Network Data Mover line. Information containing PII for Patients includes Name, Medical Records Number, Medical Records, Medical Notes, User ID, Therapy Records, Medicare HIC Number, UPI, MBI, Date of Birth, and Date of Death. Information containing PII for Beneficiaries includes Name, Medical Records Number, Medical Records, Medical Notes, User ID, Therapy Records, Medicare HIC Number, UPI, MBI, Date of Birth, and Date of Death. Information containing PII for Business Partners/Contacts includes Employee/Business Partner names, phone numbers, addresses, and email addresses. PII data elements are used as part of the retrieval process when querying records for audit purposes. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | PII data is used for post-claim processing to identify over and under payments. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
Describe the function of the SSN. | N/A, SSN not received |
Cite the legal authority to use the SSN. | N/A, SSN not received |
Identify legal authorities governing information use and disclosure specific to the system and program. | Medicare Prescription Drug, Improvement, and Modernization Act of 2003 – created the RAC demonstration project; Section 1893(h) of the above Act – creation of the national RAC program |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Under the Recovery Audit Contracts (RAC) with CMS, RAC-4 does not design, develop, operate, or maintain a system of records as defined in the Privacy Act. CMS has not assigned a System of Record Notice number to RAC-4. The SORN that applies to the systems from which RAC-4 retrieves records by one or more PII data elements is National Claims History, SORN# 09-70-0558. RAC-4 uses PII collected in connection with its CMS agreement only for purposes of providing services relating to CMS payment or healthcare operations. Information is exchanged only with other CMS contractors authorized to receive such information. |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | N/A - Cotiviti does not collect data; it is received directly from CMS through Network Data Mover (NDM). |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. | |
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | N/A - Cotiviti does not use a CMA or an ISA |
Describe the procedures for accounting for disclosures | N/A |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | N/A - Cotiviti does not collect personal information directly from the individual. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Cotiviti does not collect personal information directly from the individual. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Cotiviti does not collect personal information directly from the individual. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Cotiviti does not collect personal information directly from the individual. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The PII within the system is verified for accuracy and integrity against historical national claims history data by querying RAC Region 4 databases and CMS legacy systems; the results must match, otherwise discrepancies are revealed. The system's hardware, applications, and storage are monitored 24/7 for availability. Logs and system notifications are reviewed regularly. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to PII by system users is determined using role-based access in accordance with least privilege. RAC Region 4 has created the following roles: System Administrators have full access to the systems to which they are assigned, for system maintenance and support. Application Administrators have limited access to operating system functions but full access to their assigned application components, for application maintenance, enhancement and future releases. Security auditors and analysts have access to auditing and security monitoring for security control audits and reporting, in addition to monitoring environmental activity. Medical Record Reviewers and Provider Services are given access to PII as needed to correctly identify the beneficiary for the claim they are reviewing or assisting providers with. These roles are given the least privileges needed to perform their duties and must request approval before being granted escalated privileges. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The system is maintained using the security concept of least privilege. Only employees with a need to work with PII are provided access to PII. Application and database developers have full access to data. End users such as medical reviewers and provider service representatives are provided access through applications that restrict them to just the PII within the scope of their review and their job requirements. Software is used to track and log events. Users are granted a specific level of access to the operating system on which they are working. This access is granted only after an approval process is completed via the ticket management system. After approval, access is granted for a specific named role on a system. Users with a given level of access can only perform specific actions on that system; for example, Windows server administrators cannot perform administrator functions on a Linux system. Each role has the minimum privileges needed to accomplish the assigned work. Users are assigned to roles based on the concept of least privilege. Administrator roles are granted so that administrators can perform only the tasks they need to, while being blocked from all other tasks. Employees must be authorized by their manager as well as the Information System Security Officer (ISSO) to perform privileged functions. Active Directory is used to enforce least privilege in conjunction with our ticketing system and audit log reviews for escalated privileges. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | RAC Region 4 maintains a security awareness and training program that provides all government programs personnel with general security awareness training upon hire (before accessing RAC Region 4 systems) and annual refresher training thereafter. All employees undergo annual Compliance, Code of Conduct and Health Insurance Portability and Accountability Act (HIPAA) training, as well as mandatory annual Security & Privacy Awareness Computer Based Training (CBT), Annual Social Networking Training, Annual Phishing Awareness Training, and Annual IT Security and Awareness Training. In addition, a notification is posted prior to accessing CMS data stating responsibilities for protecting the information collected. |
Describe training system users receive (above and beyond general security and privacy awareness training) | All users, including medical reviewers, are provided specialized training on in-house applications to enable them to perform their job duties. The training covers how to work with PII, how to use the applications, the security measures in place, and IT end user best practices. Specific training includes Annual Rules of Behavior Training, Annual Conflict of Interest Training and Disclosure, Annual Portable Device and Removable Storage Training, Annual Incident Response Management training (InfoSec personnel), Annual Contingency Planning training (InfoSec personnel), Additional Operational and Technical training (System Admin), and Additional InfoSec training (InfoSec personnel). The Information System Security Officer (ISSO) is responsible for ensuring that all personnel are appropriately trained and have completed annual security awareness and training. User training consists of a one-hour course emphasizing security awareness and policies. The curriculum includes the purpose of security, security contacts, the Health Insurance Portability and Accountability Act (HIPAA), privacy awareness, types of malicious activities, recognition of security incidents and the requirement to report them. Training includes Rules of Behavior, such as securing sensitive information, securing workstations, and using licensed software; prohibitions against network or workstation modification, incident reporting and password management are also covered in Security Awareness Training. In addition, building and physical security guidelines are stressed to staff. Corporate Code of Conduct training is given annually via web training in the Learning Management System (LMS). |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | RAC-4 maintains two types of data containing PII/PHI: work product and claims data received from CMS for its contract work. RAC-4 retains its work product (PII/PHI) according to National Archives and Records Administration (NARA) GRS No. N1-440-04-3 (Bucket 3 - Financial Records); Records will be destroyed no sooner than 7 years after cutoff or until the records are no longer needed, whichever comes first. RAC-4 retains claims data received from CMS (PHI/PII) for 30 days after expiration of the contract as specified in our statements of work (SOWs) with CMS (Upon request of the Contracting Officer, or the expiration of this contract, whichever shall come first, the contractor shall return or destroy all data given to the contractor by the government). According to the section on Records Retention Storage in Medicare Integrity Program Manual, Ch. 3 § 3.2.3.10, “Recovery Auditors shall comply with the record retention requirements in its SOWs.” There is no applicable NARA GRS number for the claims data received from CMS. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Physical: Multiple physical security measures are in place within the data centers, which maintain 24/7 security staff and a Physical Access Control System (PACS) using secure card key access, biometric scanners, and alarms. Physical destruction of PII is handled using shred bins, locked in secure areas that only the company can access. Shredding is done onsite. Technical: Encryption is implemented for all backup storage, data connections, and databases. Intrusion detection and prevention solutions are employed, and the system is scanned daily for application and system vulnerabilities. Administrative: Policies and procedures have been created for securing PII in the RAC Region 4 system. Examples include the security awareness and training policy, access control policies, record retention policy, and audit monitoring and logging policies and controls. |
Identify the publicly-available URL: | https://rac4info.cotiviti.com |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government website external to HHS? | Yes |
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | No |