Risk Adjustment Suite of Systems

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 6/17/2024

PIA information for Risk Adjustment Suite of Systems

OPDIV:

CMS

PIA Unique Identifier:

P-2454792-079917

Name:

Risk Adjustment Suite of Systems

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Agency

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

3/1/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

  • Significant System Management Change

  • PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Risk Adjustment Suite of Systems (RASS) applications have migrated from the Centers for Medicare & Medicaid Services (CMS) Mainframe in the Baltimore Data Center (BDC) to the Amazon Web Services (AWS) Cloud environment. RASS also uses the CMS Ashburn (ADC) environment to share files via Electronic File Transfer (EFT) with partners who are not yet ready to send/receive files in AWS Cloud. The business has conducted Adaptive Capabilities Tests (ACT) and performed Security Impact Assessments for renewal of third year annual authorization to operate (ATO).

Describe the purpose of the system

The Risk Adjustment Suite of Systems (RASS) consists of the following three systems:

  • Risk Adjustment System (RAS)

  • Risk Adjustment Processing System (RAPS)

  • Encounter Database for Risk Adjustment (EDRA)

The RASS serves four major business functions. The RAS performs the primary function to compute Risk Adjustment Factors (RAF) or RAF scores for each Medicare beneficiary using the regression models that were developed using Statistical Analysis Software (SAS). These scores are a relative weight of predicted health risks for each beneficiary based on their past medical history data. RAS receives the most current data for each beneficiary from three sources: RAPS, Common Medicare Environment (CME), and Integrated Data Repository Cloud (IDRC) system. It processes data extracted from these three systems to compute the RAF scores. These scores are sent to the Medicare Advantage Rx (MARx) payment system, which determines the beneficiary level payments for the Medicare Advantage (MA) and Prescription Drug Plans (PDPs).

RAPS supports the RAS primary business function by receiving, processing, and storing Medicare Advantage Organization (MAO) risk adjustment claims data. MAOs submit beneficiary data through the Front-End System (FES) at the Palmetto GBA Data Center. FES receives, stores, and transmits correctly formatted beneficiary data to RAS via RAPS.

The EDRA system extracts encounter data from IDRC monthly and transforms the data with the addition of necessary indicators to identify diagnosis data that is allowable or not allowable for risk adjustment. During the monthly EDRA cycle, a single extract from IDRC occurs for the prior month’s encounter data submissions. These diagnoses are stored in the database for use in model runs and monthly reporting to MA plans.

RAS, RAPS, and EDRA are covered under this Privacy Impact Assessment. 

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

RASS requires Medicare Advantage and Medicare Advantage Prescription Drug submitters to provide the Medicare Beneficiary Identifier (MBI), ICD-10-CM Diagnosis Code, Service from date, Service through date, Provider Type (Hospital Inpatient, Hospital Outpatient and Physician), Patient Control Number (optional) and Date of Birth (optional) for routine use. Submission of PII data is mandatory as a condition of payment. The submitted data is necessary to comply with the Medicare Modernization Act payment provisions listed in 422.310(b) of the Federal Register.

As routine, the RASS downloads Personally Identifiable Information (PII) including MBI, Beneficiary Identification Code (BIC) and Beneficiary Name, as well as non-PII program and system data from IDRC and BIC. The extracted or shared data is for routine use and is necessary to comply with the Medicare Modernization Act payment provisions.

RASS uploads PII including the Medicare Beneficiary Identifier (MBI), Beneficiary Identification Code (BIC) and Beneficiary Name, and non-PII program and system data to the Medicare Advantage Prescription Drug System. The shared data is for routine use and is necessary to comply with the Medicare Modernization Act reporting and payment provisions.

Non-PII and system data refers to data that is pulled from the BIC, IDRC, and RAPS that involves any of the following:

  • Beneficiary Low Income Territory - Captures the Low-Income Part D Enrollees who reside in the US Territories. Also captures the risk adjustment dates so that MARx can properly risk adjust the Part D payment to the plans in which the beneficiary is enrolled.

  • Beneficiary Medicare Advantage Prescription Drug (MAPD) Enrollment - Contains the Medicare Beneficiary's delivery selections (MA, MA PDP or PDP) and coverage periods for the selection. Additionally, other characteristics relevant to the selection are captured. Both current and historical data are retained by RASS.

  • Beneficiary Medicare Advantage Medicaid Eligibility - Contains Medicaid Eligibility periods for Medicare/Medicaid Beneficiaries enrolled in either Medicare Advantage Plans or Medicare Advantage Plans and PDP. Both historical and current information is captured.

  • Beneficiary Medicare Status - captures the combination of reasons why a beneficiary is entitled to Medicare (i.e. Disabled and End Stage Renal Disease (ESRD)).

  • Beneficiary Point-of-Sale - A beneficiary who has been identified by the Point-of-Sale contractor as Medicaid eligible.

  • Beneficiary Medicare Part A Entitlement - contains periods of Part A entitlement for a Medicare Beneficiary.

  • Beneficiary Medicare Part B Entitlement - contains periods of Part B enrollment coverage for a Medicare Beneficiary.

RASS follows the CMS Enterprise User Authentication (EUA) system guidelines and access to PII is given on a restricted need-to-know basis. An access review of users that have access to PII and their user-roles is performed every 365 days.

PII collected from users/system administrators in order to access the system consists of user credentials (i.e., username, password, Personal Identity Verification (PIV) card and/or email address). Users/system administrators include OpDiv employees and direct contractors (using HHS user credentials only).

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Risk Adjustment Suite of Systems (RASS) consists of the Risk Adjustment System (RAS), the Risk Adjustment Processing System (RAPS) and Encounter Database for Risk Adjustment (EDRA).

The RAS serves two major business functions. The RAS performs the primary function to compute Risk Adjustment Factors (RAF) or RAF scores for each Medicare beneficiary using regression models that were developed using Statistical Analysis Software (SAS). These scores are a relative weight of predicted health risks for each beneficiary based on their past medical history data. RAS receives the most current data for each beneficiary from three sources: RAPS, Beneficiary Information on the Cloud (BIC), and the Integrated Data Repository on the Cloud (IDRC). It processes data extracted from these three systems to compute the RAF scores. These scores are then sent to the Medicare Advantage Rx (MARx) payment system, which determines the beneficiary level payments for the Medicare Advantage (MA) and Prescription Drug Plans (PDPs).

RAPS supports the RAS primary business function by receiving, processing, and storing Medicare Advantage Organization (MAO) risk adjustment claims data. MAOs submit beneficiary data through the Customer Support Front-End System (CSFES) at the Palmetto GBA Data Center. CSFES receives, stores, and transmits correctly formatted beneficiary data to RAS via RAPS.

Risk Adjustment System/Risk Adjustment Processing System requires Medicare Advantage and Medicare Advantage Prescription Drug submitters to provide Medicare Beneficiary Identifier (MBI), ICD-10-CM Diagnosis Code, Service from date, Service through date, Provider Type (Hospital Inpatient, Hospital Outpatient and Physician), Patient Control Number (optional) and Date of Birth (optional) for routine use. Submission of PII data is required as a condition of payment. The submitted data is necessary to comply with the Medicare Modernization Act payment provisions.

The Risk Adjustment System ingests Personally Identifiable Information (PII) including MBI, Beneficiary Identification Code (BIC) and Beneficiary Name, as well as non-PII program and system data from the IDRC and BIC. The extracted or shared data is for routine use and is necessary to comply with the Medicare Modernization Act payment provisions.

RAS shares encrypted PII including Medicare Beneficiary Identifier, Health Insurance Claim Number, and Beneficiary Name, and non-PII program and system data with MARx and IDRC. The shared data is for routine use and is necessary to comply with the Medicare Modernization Act reporting and payment provisions.

RAPS performs edit/update functions on Medicare Advantage Organization (MAO) beneficiary diagnosis data input files daily. These input files are transmitted through CSFES to RAPS using an encrypted S3 bucket within the CMS AWS environment. RAPS performs edits on the input file data and then stores the data in the RAPS database. After the final edits are completed, RAPS transmits the return files and error reports to CSFES using an encrypted S3 bucket within the CMS AWS environment for distribution to the MAOs.

To receive access to the RASS data, a user must have a CMS user ID as well as the appropriate CMS Enterprise User Access (EUA) job codes. RASS is a batch system and therefore does not have a graphical user interface for viewing data. RAS and RAPS data is stored within the IDRC, and a user must request access to this system to view it. All user ID and job code requests must follow the CMS EUA rules and guidelines and be approved by the RASS business owner.

PII collected from users/system administrators in order to access the system consists of user credentials (i.e., username, password, Personal Identity Verification (PIV) card and/or email address). Users/system administrators include OpDiv employees and direct contractors (using HHS user credentials only).

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name

  • E-Mail Address

  • Date of Birth

  • Other - MBI; BIC; ICD-9-CM Diagnosis Code, Service from date, Service through date, Provider Type (Hospital Inpatient, Hospital Outpatient and Physician), Patient Control Number; Personal Identity Verification (PIV) card; Diagnosis Codes; user ID and password

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Vendors/Suppliers/Contractors

  • Patients

How many individuals' PII is in the system?

1,000,000 or more

For what primary purpose is the PII used?

RAPS receives PII, health and other claims data via the Customer Support Front End System (CSFES), which formats the initial data from Medicare Advantage (MA) and Medicare Advantage Prescription Drug (MAPD) organizations, submits the formatted data to RAS, and returns submission reports to the submitters. The collection is required to generate health risk scores for MA and MAPD enrolled Medicare beneficiaries.

Integrated Data Repository on the Cloud (IDRC) provides FFS PII, health and other claims data to RASS. This collection is required to generate health risk scores for all Medicare beneficiaries.

Beneficiary Information on the Cloud (BIC) provides PII and beneficiaries' demographic data to RASS. This collection is required to generate health risk scores for Medicare beneficiaries.

Medicare Advantage Prescription Drug System (MARx) receives PII, RAFs and other data from RAS, and provides the data outcomes to MAOs. This collection is required to generate MA payments and reports at the Medicare beneficiary level.

Users/system administrators include OpDiv employees and direct contractors (using HHS user credentials only). PII collected from users/system administrators to access (authenticate to) the system consists of user credentials (i.e., username, password, Personal Identity Verification (PIV) card and/or email address).

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

RASS does not have any secondary uses for PII.

Describe the function of the SSN.

The SSN is not used in RASS. The MBI is now used in place of the SSN.

Cite the legal authority to use the SSN.

The SSN is not used in RASS. The MBI is now used in place of the SSN.

Identify legal authorities governing information use and disclosure specific to the system and program.

Sections 1853(a), 1860D-15(c) and 1894(d)(2) (42 U.S.C. 1395w-23, 1395w-115, and 1395eee); Title 42 C.F.R. §§ 422.304(a), 422.310, 423.329, and 460.180.

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

09-70-0508 - CMS Risk Adjustment Suite of Systems (RASS)

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Online

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the OMB information collection approval number and expiration date

The OMB information collection approval number and expiration date are as follows: 0938-0878 expires 07/31/2026. RASS does not collect information from a patient, nor does it collect information directly from Admins and CMS staff.

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Other Federal Agency/Agencies: The information is shared with other federal agencies such as the Department of Justice (DOJ), Government Accountability Office (GAO), and Office of the Inspector General (OIG). It is shared for data analytics, research, and the periodic and annual audits performed by such agencies. Users can access the data via the CMS Data Center and IDRC environments.

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

The following agreements are in place that authorize the information sharing or disclosure: Memorandum of Understanding (MOU), Data Use Agreement (DUA), and Non-Disclosure Agreements.

Describe the procedures for accounting for disclosures

RASS adheres to the CMS Computer Security Incident Response program and HHS directives. Whenever a security breach is suspected or detected, the appropriate parties (CMS and/or CMS contractors) are notified. Then the CMS IT Service Desk and CMS CISO are both notified with information detailing the breach and an IT Service Request is opened to conduct an investigation into the situation. If necessary, the RASS ISSO and/or business owner will take further action according to the severity of the breach if recommended by the CMS IT Service Desk or CMS CISO. For all data disclosures, requestors asking for data and information from the RASS must complete a CMS DUA which tracks who the disclosure was with, the reason for the disclosure as well as the date of the disclosure.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Prior to coming to this system, the process to notify individuals that their personal information will be collected occurs at the provider level at the time of services rendered. RASS is not a public facing system and the data therein is only accessible within the boundaries of CMS systems and networks.

In order to receive access to the RASS data, a user must have a CMS user ID as well as the appropriate RASS job codes. RASS is a batch system and therefore does not have a graphical user interface for viewing the data. The RASS data is stored within the Integrated Data Repository on the Cloud (IDRC) and a user must request access to this system as well to view it. All user ID and job code requests must follow the CMS Enterprise User Access (EUA) rules and guidelines and be approved by the RASS business owner.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Participation in Medicare Advantage (MA) and Medicare Advantage Prescription Drug (MAPD) plans is voluntary and requires an affirmative election to join. When an individual enrolls in a plan, as part of the application package, the beneficiary is required to sign the Agreement Page. Thus, MMA enrollment equates to beneficiary consent.

RASS adheres to CMS policy regarding notifying and obtaining consent in regard to PII. The Privacy Act permits CMS to disclose information without an individual’s consent if the information is used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such disclosure of data is known as a “routine use.” CMS policy prohibits the release even of non-identifiable information, except pursuant to “routine use.”

RASS does not interact with the beneficiary; notice and consent are handled before the information comes to CMS and into the RASS system.

Contractors and CMS staff do not directly enter their personally identifiable data into the system or to gain entry to the system.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

RASS does not notify individuals whose PII is in the system when major changes occur to the system. Under the Privacy Act, CMS can collect this information, and the Privacy Rule covers all the safeguards RASS is required to have in place to protect the PII when major changes are made to the system.

Contractors and CMS staff do not directly enter their personally identifiable data into the system or to gain entry to the system.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The subject individual contacts the system manager, reasonably identifies the record, and specifies the information to be contested. The contact states the corrective action sought and the reasons for the correction with supporting justification. These procedures are in accordance with HHS department regulation 45 CFR 5b.7.

Contractors and CMS staff do not directly enter their personally identifiable data into the system or to gain entry to the system.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

Periodic review of PII data is performed during the annual RASS Security Control Assessment as well as during the annual Privacy Impact Assessment review. Reviews are also performed when data within RASS falls outside the scope of the 10-year data retention schedule.

RASS follows the CMS Enterprise User Authentication (EUA) system guidelines and access to PII is given on a restricted need-to-know basis. An access review of users that have access to PII and their user-roles is performed every 365 days.

The PII data within the RASS are protected by the CMS EUA guidelines and permissions, and only production job IDs have the authority to update PII data in the RASS applications. RASS is a batch application and does not have a user interface that allows changes to the PII data. RAPS is an AWS application. Users are trained during on-boarding and annually thereafter on the HHS/CMS information security policy and re-certification program; background checks are completed prior to system access; and additional Index Analytics policies and HIPAA training cover security standards for handling, disclosure, and destruction of confidential or sensitive regulated data.

Since RASS is a batch system, the PII data is only available on the AWS cloud and CMS mainframe. This PII data can be extracted to a cloud file and made available on the cloud or mainframe. RASS uses all current PII data, from various sources, in all system processes for the purposes of RAS. RAPS and EDRA are AWS applications. All unnecessary, irrelevant, incoherent, and inaccurate PII is removed from the system when a data file is found to be incorrect or corrupted, by application processes and model re-runs that replace the original batch file.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: CMS internal staff use RASS beneficiary data to develop the health risk factors used for payment, to analyze the performance of plans, and to address the concerns of MAOs.

  • Administrators: Required to support administration activities, interactions of internal users and external interfacing activities.

  • Developers: Required to maintain, test, validate and support health risk factor development and MAOs.

  • Contractors: Required to maintain, test, validate and support health risk factor development and MAOs. These contractors are direct contractors. Direct contractors are contractors that operate on behalf of the agency and use the agency's credentials when doing so.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

RASS follows the CMS Enterprise User Authentication (EUA) system guidelines and access to PII is given on a restricted need-to-know basis. An access review of users that have access to PII and their user-roles is performed every 365 days.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

RASS follows the CMS EUA guidelines and access to PII is given on a restricted need-to-know basis. An access review of users that have access to PII and their user-roles is performed every 365 days. RASS data has job codes associated with specified user roles and access levels for RASS and the IDRC. Based on the user role, the user is granted access to only the data within the view requested. If more detailed information is requested, then a justification for the needed data is requested as well.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

In order to access RASS data, a CMS User ID is required. In order to receive a CMS User ID, a user must complete the mandatory CMS Computer Based Training and Privacy Training after initial user ID creation and also on an annual basis thereafter to retain CMS system access. This annual training is required by CMS and the CMS Chief Information Security Officer (CISO) and is mandatory for all CMS Users.

In addition to the CMS Security Awareness and Privacy Act training, during the on-boarding process and annually thereafter, all Index RASS contractor employees are required to complete the following privacy-related training, which covers Privacy Act requirements and related security requirements. These courses emphasize the CMS requirements for the protection of the confidentiality and integrity of personally identifiable information (PII) and protected health information.

Describe training system users receive (above and beyond general security and privacy awareness training)

None.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

HHS and CMS have policies and guidelines in place with regard to the retention and destruction of PII. RASS adheres to the HHS and CMS policies for retention and destruction of data. RASS has a data retention policy under which PII/PHI data is retained for 10 years. Records are maintained with identifiers per the CMS Master Security Plan for 10 years per National Archives and Records Administration (NARA). Per DAA-GRS-2013-0006-0003, records are destroyed 1 year after the user account is terminated or the password is altered, or when no longer needed for investigative or security purposes, whichever is appropriate.

RASS is also included in the CMS Records Schedule under XIV. Electronic System, Section T - Medicare Advantage and Rx Plan Operations (MARPO). According to the CMS records schedule, data are deleted when they have been entered into the Master Files or database and verified, or when no longer required to support reconstruction of, or serve as a backup to, a master file or database, whichever is later. Please refer to pages 116-117 of the referenced document below for more clarification.

http://intranet.cms.gov/Component/OSORA/IRISG/DRIS/RM/Downloads/CMS-Records-Schedule-E13.pdf

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

All of the RASS applications (i.e., RAS, RAPS, EDRA) utilize the AWS application controls that are in place per the Enterprise User Administration (EUA) as far as technical and administrative electronic access to records. They also rely heavily upon CMS enterprise components to process their transactions and authenticate users. Thus, RASS inherits the security controls in place for the CMS infrastructure that are contained in the Master Security Plan and the CMS Data Center General Support System (GSS) System Security Plan (SSP) to support its external business partners, enterprise file transfers and user authentications, and further inherits the security controls and guidelines for user and data assets, physical architecture, information and data flows, MAOs' connectivity to CMS, and external business partners' information sharing functions and separate security agreements.

Technical Controls:
RASS inherits controls from the CMS Ashburn Data Center and AWS, and utilizes the RACF controls that are in place per the EUA as far as technical and administrative electronic access to records. RASS has implemented the CMS ARS controls and 800-53 security controls for a Moderate system for access control, auditing, and media protection of the RASS.

Physical Controls:
The RASS is maintained in the CMS Data Center and AWS East, which have strict physical security controls in place including guards, mantraps, surveillance/closed circuit TV, and key cards. Access to the RASS is strictly monitored from a physical perspective.

Administrative Controls:
Access to the RASS is granted through EUA job code-based role access and is based on CMS Contracting Officer Representative (COR) and ISSO approval along with RASS PM approval. The administrative and user accounts for the RASS system are reviewed every 365 days.