Recovery Audit Contractor Regions 1, 2 and 5
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/21/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-4602902-085545 |
Name: | Recovery Audit Contractor Regions 1, 2 and 5 |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 5/5/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | |
Describe in further detail any changes to the system that have occurred since the last PIA. | No equipment or environmental changes have been made since the last PIA. The only change is the addition of CMS RAC Region 2, which is implemented on the same equipment and in the same environment as CMS RAC Regions 1 and 5. Slight corrections were made in PIA-011 to remove some acronyms. |
Describe the purpose of the system | This information system is used by the CMS Recovery Audit Contractor (RAC) for Regions 1, 2 and 5 and is referred to as RAC 1, 2 and 5. Region 1 encompasses Medicare Parts A&B claim reviews for the Northeastern part of the United States: Connecticut, Delaware, District of Columbia, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island, and Vermont. Region 2 encompasses Medicare Parts A&B claim reviews for the Central part of the United States: Arkansas, Colorado, Iowa, Illinois, Kansas, Louisiana, Missouri, Minnesota, Mississippi, Nevada, New Mexico, Oklahoma, Texas, and Wisconsin. Region 5 encompasses Durable Medical Equipment (DME), Home Health, and Hospice claim reviews for the entire United States of America. The purpose of the RAC 1, 2 and 5 system is to audit Medicare claims to ensure providers/hospitals are following proper billing guidelines and to determine whether any incorrect payments were made. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | Recovery Audit Contractor Regions 1, 2 and 5 system maintains patient and provider information in relation to Medicare payment claims. This information is not collected directly by the Recovery Audit Contractor Regions 1, 2 and 5 system. The information is collected by CMS' National Claims History (NCH) system, which has its own PIA. The information is transferred once a month to Recovery Audit Contractor Regions 1, 2 and 5 via a secured data file transfer directly from NCH. Recovery Audit Contractor Regions 1, 2 and 5 system contains the following personally identifiable information (PII) about patients: social security number (SSN), taxpayer ID, date of death, therapy records, Medicare beneficiary identifier, name, date of birth, mailing address, telephone number, health insurance claim number (HICN), sex, ethnicity, medical notes, and medical record information (procedure codes, diagnosis codes, dates of service, total charges, Medicare payment amount). Provider credentials used to access the Claims Status website are also stored in the Recovery Audit Contractor Regions 1, 2 and 5 system. The system also contains information about providers, such as: National Provider Identifier (NPI), facility name and address, and provider name and telephone number. PII records are maintained and stored for 7 years unless requested to be deleted. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | Recovery Audit Contractor Regions 1, 2 and 5 system supports the auditing of paid Medicare claims to determine if the claim was billed accurately and has followed standard medical guidelines. Recovery Audit Contractor Regions 1, 2 and 5 system maintains patient and provider information in relation to Medicare payment claims, which is used for verification purposes to ensure the correct records are being reviewed for the audit. The information collected from CMS NCH may contain the following PII about patients: name, date of birth, mailing address, telephone number, health insurance claim number (HICN), sex, ethnicity, medical notes, and medical record information (procedure codes, diagnosis codes, dates of service, total charges, Medicare payment amount). The system also contains information about providers, such as: National Provider Identifier (NPI), facility name and address, and provider name and telephone number. Copies of correspondence with the providers regarding the accuracy or inaccuracy of a paid claim(s) are also stored in the system for record retrieval purposes. The information is transferred to the system by a secure network connection to CMS. Recovery Audit Contractor Regions 1, 2 and 5 system does not directly connect to any other CMS information system or directly collect this information. The information is collected by CMS' NCH system, which has its own PIA. The information is transferred once a month to Recovery Audit Contractor Regions 1, 2 and 5 via a secured data file transfer directly from NCH. At the front end of the connection is the CMS National Claims History system. At the back end of the connection is the Recovery Auditor's claims auditing system. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Patients |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | Recovery Audit Contractor Regions 1, 2 and 5 system accurately tracks Medicare claims being audited by the Contractor and provides transparency to medical service providers via the Recovery Audit Contractor Regions 1, 2 and 5 provider portal. Qualified customer service staff members assist providers when they have questions or need information regarding the audit review process. Role-based user credentials are used to access Recovery Audit Contractor Regions 1, 2 and 5 data to perform the various functions of the system. The Recovery Audit Contractor Regions 1, 2 and 5 audit team reviews claims that CMS paid to medical providers through either a complex review, which includes a professional review of medical records, or an automated data analysis, which does not require review of medical records. As part of the audit process for review of Medicare claims, the Recovery Audit Contractor Regions 1, 2 and 5 system receives Medicare claims that include the following beneficiary information: beneficiary name, beneficiary identifier (MBI or HICN), date of birth, and date of death if deceased. The complex reviews are conducted by appropriately qualified auditors such as nurses and certified coders. These individuals are required to follow Medicare policy and guidelines when reviewing provider claims and the related medical records requested and scanned into the Recovery Audit Contractor Regions 1, 2 and 5 system. Claims auditors can access claim information, provider information, and medical records associated with the claim, and can enter notes and associated result findings (if any) during the review. The data and the results of their reviews are securely stored in the Recovery Audit Contractor Regions 1, 2 and 5 system. Auditors and customer service representatives can access all information associated with the overpayment/underpayment such as the claims, records, letters, and auditors' notes. After review results letters have been sent to providers, the providers can call the Performant customer service center for the "discussion period" or they may send discussion requests through mail, fax, or the esMD (Electronic Submission of Medical Documentation) system. The discussion reviewers can access all information associated with the overpayment or underpayment such as the claims, records, letters, and auditors' notes, and can answer the provider's questions. All call notes are documented in the Recovery Audit Contractor Regions 1, 2 and 5 system. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | None |
Describe the function of the SSN. | By default, the SSN is not leveraged as part of the contract. The SSN is at times embedded in the HICN, but HICNs have been transitioned to the Medicare Beneficiary Identifier (MBI); only historical HICNs may contain an SSN. The HICN is used in correspondence with providers to identify the Medicare claim. |
Cite the legal authority to use the SSN. | EXECUTIVE ORDER 9397 NUMBERING SYSTEM FOR FEDERAL ACCOUNTS RELATING TO INDIVIDUAL PERSONS |
Identify legal authorities governing information use and disclosure specific to the system and program. | Sections 1816, 1874, 1874(a) and 1875 of Title XVIII of the Social Security Act; 42 United States Code (U.S.C.) 1395h, 1395kk, and 1395ll |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0558 National Claims History (NCH) SORN history: 71 FR 67137 (11/20/06); updated 76 FR 65196 (10/20/11), 78 FR 23938 (4/23/13), 78 FR 32257 (5/29/13), *83 FR 6591 (2/14/18) |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | Not applicable. There is no OMB approval number because the system does not collect information from 10 or more members of the public, per the Paperwork Reduction Act. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Not applicable. Notice is the responsibility of CMS and not Recovery Audit Contractor Regions 1, 2 and 5. Recovery Audit Contractor Regions 1, 2 and 5 does not collect information directly from an individual. CMS is covered by its own PIA. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Recovery Audit Contractor Regions 1, 2 and 5 does not interact with the Medicare Beneficiary (patient) directly as part of the Recovery Audit Contractor Regions 1, 2 and 5 contract. The Medicare Beneficiary (patient) has no option to opt out of the collection or use of their PII with the Recovery Audit Contractor Regions 1, 2 and 5 system. Recovery Audit Contractor Regions 1, 2 and 5 system is not the authoritative source of PII obtained from National Claims History for RAC 1, 2 & 5. The Recovery Audit Contractor Regions 1, 2 and 5 contractor only receives and does not modify any of the PII from National Claims History for RAC 1, 2 & 5. Any requests for modification of PII will be redirected to the CMS RAC 1, 2 and 5 COR. In case the beneficiary does contact the Recovery Audit Contractor Regions 1, 2 and 5 contractor, the beneficiary is redirected to contact the provider if they believe their PII is inaccurate. Should the Medicare Beneficiary believe their PII has been inappropriately obtained, used, or disclosed by the Recovery Audit Contractor Regions 1, 2 and 5 contractor, the Recovery Audit Contractor Regions 1, 2 and 5 compliance department will perform an investigation of the concern, including information security. Should the investigation determine data was inappropriately obtained, used or disclosed, the Recovery Audit Contractor Regions 1, 2 and 5 contractor will submit a security incident ticket with the CMS helpdesk along with any corrective actions required. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Recovery Audit Contractor Regions 1, 2 and 5 does not interact with Medicare Beneficiary (patient) directly as part of the Recovery Audit Contractor Regions 1, 2 and 5 contract and Recovery Audit Contractor Regions 1, 2 and 5 system is not the authoritative source of PII obtained from CMS RAC 1, 2 and 5. As such, CMS RAC 1, 2 and 5 is responsible for the notification and obtaining of consent of individual's PII when major changes occur and is covered by CMS RAC 1, 2 and 5 PIA. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Recovery Audit Contractor Regions 1, 2 and 5 does not interact with the Medicare Beneficiary (patient) directly as part of the Recovery Audit Contractor Regions 1, 2 and 5 contract. The Medicare Beneficiary (patient) has no option to opt out of the collection or use of their PII with the Recovery Audit Contractor Regions 1, 2 and 5 system. Recovery Audit Contractor Regions 1, 2 and 5 system is not the authoritative source of PII obtained from National Claims History for RAC 1, 2 & 5. The Recovery Audit Contractor Regions 1, 2 and 5 contractor only receives and does not modify any of the PII from National Claims History for RAC 1, 2 & 5. Any requests for modification of PII will be redirected to the CMS RAC 1, 2 and 5 COR. In case the beneficiary does contact the Recovery Audit Contractor Regions 1, 2 and 5 contractor, the beneficiary is redirected to contact the provider if they believe their PII is inaccurate. Should the Medicare Beneficiary believe their PII has been inappropriately obtained, used, or disclosed by the Recovery Audit Contractor Regions 1, 2 and 5 contractor, the Recovery Audit Contractor Regions 1, 2 and 5 compliance department will perform an investigation of the concern, including information security. Should the investigation determine data was inappropriately obtained, used or disclosed, the Recovery Audit Contractor Regions 1, 2 and 5 contractor will submit a security incident ticket with the CMS helpdesk along with any corrective actions required. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The Recovery Audit Contractor Regions 1, 2 and 5 system is designed with logic checks to ensure data accuracy and integrity. Yearly, the CMS Office of Financial Management (OFM) is required to review and update data collection processes to ensure the data collected is relevant and accurate. In addition, protection of the integrity and availability of PII is reviewed at least every quarter by a series of automated and manual review processes. Databases are updated, validated, and kept redundant to ensure the availability of the information. The security controls for the database are continually reviewed to ensure safeguards are in place to protect the data. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Recovery Audit Contractor Regions 1, 2 and 5 uses role-based access controls to ensure that users, administrators, and developers are granted access on a "need-to-know" and "need-to-access" basis for their assigned job duties. Recovery Audit Contractor Regions 1, 2 and 5 individuals requesting access must complete an Account Request form prior to account creation; the form records the person's name, email, phone number and the access level needed. This form is reviewed and approved by the Recovery Audit Contractor Regions 1, 2 and 5 system manager prior to account creation. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | There are several methods for restricting access. First, user interfaces are programmed to limit the display of PII to only those elements needed to perform specific tasks. Second, the transmission of PII is limited to what is needed to validate information, rather than copying or pulling information from another authoritative source. Third, system administrators review user accounts at least semi-annually; any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if it is no longer required. Activities of all Recovery Audit Contractor Regions 1, 2 and 5 users, including system and database administrators, are logged and reviewed by a designated individual to identify any unusual activity. |
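The row above describes three controls in general terms: role-specific display of PII, masking of identifiers that embed an SSN (the historical HICN noted under "Describe the function of the SSN"), and logging of every access for review. The following is an added illustration, not code from the PIA or from the contractor's system, of how those controls fit together for a single claim record. The role names, the field sets per role, the legacy-HICN pattern (9-digit SSN plus a short suffix) and the sample claim are all assumptions chosen to match the PII elements the PIA lists.

```python
import re
from datetime import datetime, timezone

# Assumed role policy (not from the PIA): fields each role may see, and whether
# SSN-bearing legacy HICNs are masked for that role. The auditor role keeps the
# full identifier because the PIA says the HICN is used in provider correspondence.
ROLE_POLICY = {
    "customer_service": (frozenset({"claim_id", "beneficiary_name", "beneficiary_id",
                                    "dates_of_service", "provider_npi",
                                    "review_status"}), True),
    "claims_auditor": (frozenset({"claim_id", "beneficiary_name", "beneficiary_id",
                                  "date_of_birth", "dates_of_service",
                                  "procedure_codes", "diagnosis_codes",
                                  "medical_notes", "medicare_payment_amount",
                                  "provider_npi", "review_status"}), False),
}

# Assumed shape of a legacy HICN: a 9-digit SSN followed by a 1-2 character
# suffix. An 11-character MBI does not match this pattern and passes through.
LEGACY_HICN = re.compile(r"^\d{9}[A-Z][A-Z0-9]?$")


def mask_legacy_hicn(identifier: str) -> str:
    """Hide the first five SSN digits of a legacy HICN; leave an MBI unchanged."""
    if LEGACY_HICN.fullmatch(identifier):
        return "*" * 5 + identifier[5:]
    return identifier


def view_claim(record: dict, user: str, role: str, log: list) -> dict:
    """Return only the fields the role needs and append an access-log entry.

    Unknown roles are denied and the denial is logged, so the reviewer sees
    both successful views and attempts that the policy rejected.
    """
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
             "role": role, "claim_id": record["claim_id"]}
    policy = ROLE_POLICY.get(role)
    if policy is None:
        log.append({**entry, "outcome": "denied", "fields": []})
        raise PermissionError(f"role {role!r} is not authorised to view claims")
    allowed, mask_ids = policy
    view = {k: v for k, v in record.items() if k in allowed}
    if mask_ids and "beneficiary_id" in view:
        view["beneficiary_id"] = mask_legacy_hicn(view["beneficiary_id"])
    log.append({**entry, "outcome": "allowed", "fields": sorted(view)})
    return view


def flag_bulk_access(log: list, max_claims: int) -> dict:
    """Users who viewed more distinct claims than max_claims; input for the
    manual log review the PIA describes. Returns {user: distinct_claim_count}."""
    seen = {}
    for e in log:
        if e["outcome"] == "allowed":
            seen.setdefault(e["user"], set()).add(e["claim_id"])
    return {u: len(c) for u, c in seen.items() if len(c) > max_claims}


# Constructed sample claim (not real data); the identifier has the legacy HICN shape.
SAMPLE_CLAIM = {
    "claim_id": "CLM-0001",
    "beneficiary_name": "Jane Q. Sample",
    "beneficiary_id": "123456789A",
    "date_of_birth": "1940-01-02",
    "dates_of_service": "2023-03-01..2023-03-04",
    "procedure_codes": ["99223"],
    "diagnosis_codes": ["I50.9"],
    "medical_notes": "Admitted with acute exacerbation; see attached record.",
    "medicare_payment_amount": 1234.56,
    "provider_npi": "1234567890",
    "review_status": "complex review in progress",
}

if __name__ == "__main__":
    access_log = []
    print(view_claim(SAMPLE_CLAIM, "csr01", "customer_service", access_log))
    print(view_claim(SAMPLE_CLAIM, "rn02", "claims_auditor", access_log)["beneficiary_id"])
    print(flag_bulk_access(access_log, max_claims=1))
```

The projection happens on the server side before the record reaches any user interface, so a customer service representative never receives the clinical fields at all rather than merely having them hidden in a screen. The bulk-access check is deliberately simple; in practice the threshold would be tuned per role and compared against the user's normal volume.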
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Recovery Audit Contractor Regions 1, 2 and 5 staff who access or operate the Recovery Audit Contractor Regions 1, 2 and 5 system are required to complete the annual CMS Security Awareness training, provided as a Computer Based Training (CBT) course. Contractor staff also complete annual corporate security awareness training and annual HIPAA training. Recovery Audit Contractor Regions 1, 2 and 5 administrators with privileged access must also complete annual role-based security training commensurate with the position they hold. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Recovery Audit Contractor Regions 1, 2 and 5 Administrators with privileged access must complete role-based security training commensurate with the position they are working in on an annual basis. Recovery Audit Contractor Regions 1, 2 and 5 users and administrators must also take annual HIPAA training along with Security Awareness Training. Additionally, Recovery Audit Contractor Regions 1, 2 and 5 developers are required to take training on secure coding best practices. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Recovery Audit Contractor Regions 1, 2 and 5 follows the CMS Records Schedule, Section III. Medicare - Program Related which cites the National Archives and Records Administration (NARA) Disposition Authority: N1-440-04-3, which states that records will be destroyed after a total retention of six (6) years and three (3) months. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Recovery Audit Contractor Regions 1, 2 and 5 system is housed in a data center within a surrounding secure area. The physical security measures in place are dual-factor authentication for entry (card key access system plus biometrics), an active intrusion alarm system, and video surveillance to monitor and record physical access. Administrative controls such as written policy, procedures and guidelines have been established for system access. Access to the system is limited to authorized users, and each user is granted access based on the principle of least privilege. From a technical perspective, PII is secured via firewalls, encrypted transmissions and connections, intrusion detection systems, anti-virus and email content filtering software. Additionally, the use of portable storage devices is blocked. |