
Recovery Audit Contractor Regions 3, 4, and 5

Date signed: 3/16/2026

PIA information for the Recovery Audit Contractor Regions 3, 4, and 5 system
PIA Questions / PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-7672600-877018
Name: Recovery Audit Contractor Regions 3, 4, and 5
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? Yes
Identify the operator: Contractor
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 4/3/2026
Indicate the following reason(s) for updating this PIA. Choose from the following options.
  • PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA. No system changes have occurred since the Privacy Impact Assessment (PIA) was last finalized; however, the Recovery Audit Contractor Region 3 (RAC-3) system is no longer processing RAC-2 data and was awarded the 2025 RAC contracts for regions 3, 4, and 5. The RAC-3 system is currently processing data for regions 3, 4, and 5.
Describe the purpose of the system: The purpose of the Recovery Audit Contractor Region 3 (RAC-3) system, which contains data for 2025 RAC contract regions 3, 4, and 5 (referred to below as the RAC-3 System), is to identify and document overpayments and underpayments made by the Centers for Medicare & Medicaid Services (CMS) to healthcare providers. The function of this system is to perform recovery auditing services as authorized by CMS. The RAC-3 System covers all states and territories in the United States.
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The RAC-3 System maintains patient and provider information in relation to Medicare payment claims. This information is not collected directly by the RAC-3 System. The information is collected by the CMS National Claims History (NCH) system which has its own PIA. The information is transferred once a month to the RAC-3 System through a secure data file transfer directly from NCH. 

The RAC-3 System contains the following information about patients: name, date of birth, mailing address, telephone number, health insurance claim number (HICN), sex, ethnicity, medical notes, medical record information (procedure codes, diagnosis codes, dates of service, total charges, Medicare payment amount), and Medicare Beneficiary Identifier. The system also contains information about providers, such as: National Provider Identifier (NPI), facility name and address, and provider name and telephone number.

The RAC-3 System users are internal and enter a username and password to access the information in the system. The following user information is stored in the system: First Name, Last Name, Display Name, Office Location, Telephone Number, E-mail Address, Job Title, Department, and Manager Name.

The RAC-3 System keeps records that the Health Insurance Portability and Accountability Act (HIPAA) requires to be retained for Protected Health Information (PHI) at least six (6) years from the date of creation or the date when the record was last in effect, whichever is later, to fulfill the purpose(s) identified in the Notice of Privacy Practices or as required by law.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The RAC-3 System shares data with other CMS systems to include, Fiscal Intermediary Standard System (FISS), Multi-Carrier System (MCS), ViPS Medicare System (VMS), and the Recovery Audit Contractor Data Warehouse (RACDW). It does not collect PII from Medicare beneficiaries. Data is sent to the Virtual Data Center (VDC).

For Medicare beneficiaries, the system is used to predict, identify, manage and analyze medical claims; receive data; execute queries; audit results; create and submit adjustments; and generate letters and reports.

The following data elements are maintained in support of claims management, auditing, and letter generation: name, date of birth, mailing address, telephone number, health insurance claim number (HICN), sex, ethnicity, medical notes, medical records number, medical record information (procedure codes, diagnosis codes, dates of service, total charges, Medicare payment amount), and Medicare Beneficiary Identifier. This data is used to evaluate Medicare claims and to identify improper payments made on claims of health care services provided to Medicare beneficiaries. If an overpayment is identified, the system performs the business functions necessary to recover Medicare’s funds. If an underpayment is identified, the system performs the business functions necessary to reimburse the additional funds.

Medicare claims needing to be reprocessed are submitted to organizations that handle Medicare claims.

The RAC-3 System regularly uses PII to retrieve medical records directly from Providers and a healthcare information management company. The PII includes using the last name, first initial, date of birth, claim number, medical record number, and date of service.

The RAC-3 System user information maintained is used for system authentication, security and integrity.

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Medical Notes
  • Other - Health Insurance Claim Number/Medicare Beneficiary Identifier, sex, race, written medical records, procedure codes, diagnosis codes, dates of service, office location, telephone number, email address, job title, department, manager name, Medicare Beneficiary Identifier, medical record information (procedure codes, diagnosis codes, dates of service, total charges, Medicare payment amount), National Provider Identifier (NPI), facility name, provider name and telephone number, username and password.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Patients
How many individuals' PII in the system? 1,000,000 or more
For what primary purpose is the PII used? The primary purpose for Personally Identifiable Information (PII) is to identify claims that were improperly paid by CMS. Any PII element contained in a claim could be used to identify an improper payment.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research): Previously reviewed claims that contain PII are used to train and re-train auditors for the purpose of identifying improper payments.
Describe the function of the SSN. A Health Insurance Claim (HIC) number, when used in place of a Medicare Beneficiary Identifier (MBI), may be provided on an Additional Documentation Request (ADR) letter so a provider can identify the claims being audited and provide the correct medical records for those claims. A HIC number could contain an SSN.
Cite the legal authority to use the SSN. Medicare Prescription Drug, Improvement, and Modernization Act of 2003 – Created RAC demonstration project; Section 1893(h) of the above Act – Creation of national RAC program.
Identify legal authorities governing information use and disclosure specific to the system and program. Medicare Prescription Drug, Improvement, and Modernization Act of 2003 – Created RAC demonstration project; Section 1893(h) of the above Act – Creation of national RAC program.
Are records on the system retrieved by one or more PII data elements? Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. The RAC-3 System does not develop a SORN. However, claims information is received from CMS through the National Claims History file, SORN # 09-70-0558.
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Other - The RAC-3 System does not collect Personally Identifiable Information from Individuals.
Identify the sources of PII in the system: Government Sources
  • Other - National Claims History (NCH), SORN# 09-70-0558 – This is the monthly claims file received from CMS on processed Medicare claims, and it is used to identify improper payments. Additional research may be conducted in other systems or sources: Fiscal Intermediary Shared System (FISS), SORN #09-70-0503; Medicare Multi-Carrier Claims System (MCS), SORN #09-70-0501; Common Working File (CWF), SORN# 09-70-0526; Medicare Appeals System (MAS), SORN# 09-70-0566; Healthcare Integrated General Ledger Accounting System (HIGLAS); and RAC Data Warehouse Quality Improvement System.
Identify the sources of PII in the system: Non-Government Sources
Identify the OMB information collection approval number and expiration date: The RAC-3 System does not collect PII directly from individuals. Data is received from CMS directly through Network Data Mover (NDM).
Is the PII shared with other organizations? Yes
Identify with whom the PII is shared or disclosed and for what purpose.
  • Within HHS Private Sector: 
    • Once an improper payment has been identified, the claim information containing Personally Identifiable Information (PII) is sent to the Medicare Administrative Contractors (MAC) so they can adjust the claim. This allows CMS to collect overpayments or return underpayments.
    • Additionally, in connection with performance of the services under the RAC-3, 4, and 5 contracts #HHSM-500-2016-00081C and #HHSM-500-2016-00082C, and their respective Statements of Work, the RAC-3 System may share or disclose information containing PII with applicable MACs, Zone Program Integrity Contractors (ZPICs), Qualified Independent Contractors (QICs) and/or Administrative QICs (AdQICs); including by sending information to the Fiscal Intermediary Shared System (FISS), SORN #09-70-0503; Medicare Multi-Carrier Claims System (MCS), SORN #09-70-0501; and RAC Data Warehouse Quality Improvement System.
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). RAC-3 Contract #75FCMC25CJ006, the recovery audit contract for Region 3; RAC-4 Contract #75FCMC25CJ007, the recovery audit contract for Region 4; RAC-5 Contract #75FCMC25CJ008, the recovery audit contract for Region 5; and their respective Statements of Work contemplate information sharing and disclosure with Medicare providers, as well as MACs, Unified Program Integrity Contractors (UPICs), Qualified Independent Contractors (QICs) and Administrative Qualified Independent Contractors (AdQICs) and others as indicated by the CMS Contracting Officer’s Representative (COR), in connection with our performance of services. Pursuant to the Statements of Work, we are party to Joint Operating Agreements with each applicable MAC, UPIC, QIC and AdQIC to encompass all communication between ourselves and them.
Describe the procedures for accounting for disclosures: Not applicable. The Personally Identifiable Information (PII) used in this system is obtained from other CMS systems and is not collected from individuals. If there is a need for accounting for disclosure, the systems from which the PII is obtained would be responsible for notifying the individuals of the date, nature, and purpose of each disclosure and the name and address of each recipient.
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. Not Applicable. The RAC-3 System does not collect Personally Identifiable Information (PII) from individuals and therefore does not provide prior notice to individuals. The information in the system is received from CMS and CMS Medicare providers in connection with the RAC-3, 4, and 5 performance of the services under contracts #75FCMC25CJ006, #75FCMC25CJ007, and #75FCMC25CJ008, and their respective Statements of Work (SOWs).
Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. The RAC-3 System does not collect information from individuals; any option to opt out would be handled by CMS.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. The option to opt out of the collection of PII is the responsibility of the CMS system that originally collects the PII from individuals.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. The process to address an individual’s concern that their PII has been used or disclosed inappropriately, or that the information is inaccurate, is governed by CMS policy, which describes an individual’s right to request access to, or obtain a copy of, PII maintained by the RAC-3 System, to request an amendment to PII, and to request a restriction of PII disclosures. Direct requests from patients to CMS are addressed by the Compliance and Privacy Officer.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. Data integrity checks are conducted on an ongoing basis on all source data to ensure the ingested information matches the source. These checks include statistical analysis at the data field level, aggregate-level stratifications, and source-to-destination record count validations. Back-up copies of the databases are maintained both in the information system's online storage and on backup media. Incremental data backups are conducted throughout the day to provide recovery points that minimize loss of availability in the event of an outage.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Auditors have access to the data for the purpose of identifying improper payments. 
  • Administrators: Information Technology System Administrators have access to the system that contains the PII data for the purpose of maintaining the system and its components. 
  • Developers: Information Technology Application Developers have access to the system that contains the PII data for the purpose of maintaining the Applications used by the Auditors. 
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. Access to PII is controlled through account access according to a user's job duties as decided by their supervisor. All users are granted access on a least-privilege basis through role-based groups.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. Access to PII is implemented through secured channels where users are placed in groups according to their need to access PII. Within the application, further access permissions are granted and removed by the supervisor.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. All RAC-3 System personnel working on the CMS audit receive Information Security and HIPAA training that is retaken annually.
Describe training system users receive (above and beyond general security and privacy awareness training): All RAC-3 System personnel working on the CMS audit receive HIPAA, Fraud Waste and Abuse, and Conflict of Interest training that is retaken annually.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. The RAC-3 System maintains two types of data containing PII/PHI: work product and claims data received from CMS for its contract work. The RAC-3 System retains its work product (PII/PHI) according to NARA GRS No. N1-440-04-3 (Bucket 3 - Financial Records); records will be destroyed no sooner than 7 years after cutoff or when the records are no longer needed, whichever comes first. The RAC-3 System retains claims data received from CMS (PHI/PII) as specified in our SOWs with CMS (upon request of the Contracting Officer, or the expiration of this contract, whichever shall come first, the contractor shall return or destroy all data given to the contractor by the government). According to the section on Records Retention Storage in the Medicare Integrity Program Manual, Ch. 3 § 3.2.3.10, “Recovery Auditors shall comply with the record retention requirements in its SOWs.” There is no applicable NARA GRS number for the claims data received from CMS.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The PII used by the system is secured using administrative, technical, and physical controls in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. These controls include:

Administrative: policies and procedures designed to manage (1) the selection, development, implementation, and maintenance of the security measures that protect the PII and (2) the conduct of those with access to the PII;

Technical: encryption, automatic logoff, and two-factor authentication; and

Physical: facility access controls and disposal controls.

Identify the publicly-available URL: Cotiviti Provider Portal
Does the website have a posted privacy notice? Yes
Is the privacy policy available in a machine-readable format? Yes
Does the website use web measurement and customization technology? No
Does the website have any information or pages directed at children under the age of thirteen? No
Does the website contain links to non-federal government websites external to HHS? Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? No

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services