Supplemental Medical Review Contractor System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/30/2023
| PIA Questions | PIA Answers |
|---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-7059126-605104 |
Name: | Supplemental Medical Review Contractor System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 5/25/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | Other - PIA expires 6/17/2023 |
Describe in further detail any changes to the system that have occurred since the last PIA. | No changes to the system. |
Describe the purpose of the system | The purpose of the Supplemental Medical Review Contractor System (SMRC) is to perform and/or provide support for a variety of tasks aimed at lowering the improper payment rates and increasing the efficiency of the Medical Review (MR) functions, primarily for Medicare Fee-for-Service (FFS); analyses of other product lines are limited and may include Medicaid FFS, private and group health insurance lines of business, and Prescription Drug Plan (Part D). One of the primary tasks will be conducting large volumes of nationwide MR as directed by CMS. The MR will be performed on Medicare FFS claims for the Part A, Part B, and Medicare Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) programs. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The information is collected, maintained or disseminated for these three groups: 1) Beneficiaries - This information includes name, date of birth, Medicare beneficiary identifier (MBI), mailing address, phone numbers, medical record numbers, medical notes, military status and/or records, employment status and/or records, health insurer name/plan, health insurer group number, and patient marriage and employment status, for the purpose of processing and paying claims. 2) Providers - This information includes name, tax ID number (which can sometimes be the SSN of the provider), mailing address, phone numbers, financial account information and/or numbers, certificates, device identifiers, and email address, for the purpose of processing and paying claims. 3) Supplemental Medical Review Contractor (SMRC) contractors and CMS employees - This information includes user name, password, email address and name. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Supplemental Medical Review Contractor (SMRC) system performs tasks aimed at lowering the improper payment rates and increasing efficiencies of the Medical Review (MR) functions for Medicare Fee-for-Service (FFS). Medicare beneficiary claims data processed was collected by providers at the time of service and includes information necessary to process Medicare Fee-For-Service claims. Data from providers is maintained to validate that the provider is registered to submit Medicare claims and registered to inquire about claim status. Finally, data regarding SMRC contractors and CMS employees is used in order to access the system. The SMRC System regularly uses Medicare PII to retrieve Medicare system records of beneficiaries who are receiving Medicare services. The PII includes the Medicare beneficiary's last name, Medicare Beneficiary Identifier (MBI) and beneficiary claim data that can include date of service, diagnosis or procedure codes and medical notes. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 100,000-999,999 |
For what primary purpose is the PII used? | Beneficiary PII is collected from patients to identify as eligible for Medicare, verify receipt of service and to properly pay claims. Provider PII is collected to verify the provider's eligibility to participate in the Medicare program. Also, SMRC contractor and CMS employee PII is collected to verify the system user's identity and credentials. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable. |
Describe the function of the SSN. | The Social Security Number (SSN) is the tax ID for some providers. |
Cite the legal authority to use the SSN. | Budget and Accounting Procedures Act at 31 U.S.C. 3512(d) requires use of a taxpayer identifying number. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Budget and Accounting Procedures Act at 31 U.S.C. 3512(d) requires use of a taxpayer identifying number. |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: 09-70-0503 Fiscal Intermediary Shared System; 09-70-0501 Medicare Multi-Carrier Claims System; 09-70-0526 Common Working File (CWF) |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | In-Person |
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | N/A |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. | Private Sector: Health Care Providers, CMS contractors for medical review and reporting results. |
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | CMS determines how and with whom Medicare data is disclosed. As directed by CMS via contractual arrangements, the Supplemental Medical Review Contractor (SMRC) shares data with other CMS contractors for the purposes of lowering the improper payment rates and increasing efficiencies. |
Describe the procedures for accounting for disclosures | Data that is shared with other contractors designated by CMS is tracked and accounted for through case management software tools that are part of the collection of systems processed as part of the Supplemental Medical Review Contractor (SMRC). The accounting of disclosure includes the date, nature and purpose of the disclosure along with the name and address of the individual or agency to whom the disclosure was made. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | For the beneficiary, written notice is given when the beneficiary initially enrolls in the Medicare program, and written or oral notice is given each time the beneficiary applies for service at a provider. For the provider, written notice is provided during enrollment for a website user ID. For the Supplemental Medical Review Contractor (SMRC) contractors and CMS employees, written notice is provided when they apply for a job. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | When a beneficiary's data is collected and sent to the Medicare system, the beneficiary has already agreed to share their information, so they cannot opt out of PII data collection. A provider can opt out of providing PII to the Supplemental Medical Review Contractor (SMRC), but they will then be denied access to medical review inquiry. The SMRC contractors and CMS employees cannot opt out of providing PII because the collection of the data is necessary for employment. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | A System of Records Notice (SORN) was filed for the systems used to support the SMRC. For Medicare Part A, the SORN is 09-70-0503 (Fiscal Intermediary Shared System or FISS); for Medicare Part B, the SORN is 09-70-0501 (Medicare Multi Carrier System or MCS); and 09-70-0526 covers the Medicare Common Working File (CWF). Due to the large number of beneficiaries and providers that would be impacted by a change, obtaining individual consent is not feasible. Therefore, in accordance with the Privacy Act, a new SORN would be published with a 60-day comment period to notify individuals of a change in use and/or disclosure of data by the Supplemental Medical Review Contractor System. Beneficiaries are also notified each calendar year of any changes to the Medicare program when they receive their Medicare and You Handbook. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Medicare beneficiaries are notified annually in the Medicare & You handbook of their right to file a complaint if they believe their privacy rights have been violated. A phone number is included in the handbook and there is more information on www.medicare.gov. The phone number is 1-800-Medicare. When a beneficiary calls this number, they are contacting a CMS system known as the Next Generation Desktop (NGD), which is a system that is separate from the Supplemental Medical Review Contractor (SMRC). Complaints are resolved, managed and recorded in the NGD system. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The Medicare claims on which the Supplemental Medical Review Contractor (SMRC) performs medical reviews use the Common Working File (CWF) eligibility file and verification processes to ensure PII is timely, accurate and relevant. Integrity is maintained through system security and control processes that are reviewed by external auditors. Availability is maintained through system redundancies, and the SMRC is required to test disaster recovery capabilities annually. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to the systems is given based on need to know and job responsibilities to perform medical review of Medicare claims using a user ID and role-based access. Access is obtained using a Supplemental Medical Review Contractor (SMRC) access request form. The form must be approved by the designated approvers prior to access being granted. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Access to the systems is controlled using security software. The user is given the least amount of access required to perform their job duties and is explicitly denied access by the security software unless otherwise granted. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All Supplemental Medical Review Contractor (SMRC) contractors and CMS employees are required to take annual training regarding the security and privacy requirements for protecting PII. In addition, role-based training is provided to individuals with significant access or security responsibilities. This annual role-based training is required by the CMS Chief Information Officer Directive 12-03. All training is modeled on and is consistent with training offered by the Department of Health and Human Services and CMS. |
Describe training system users receive (above and beyond general security and privacy awareness training) | In addition to the general security and privacy awareness training, users must sign rules of behavior. Also, throughout the year, users are provided with privacy and security related information via Noridian Now, and other privacy and security bulletins to provide ongoing awareness of their security and privacy responsibilities. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | In accordance with the NARA RCS Job Number N1-440-04-003, records are maintained in a secure storage area with identifiers. Records are closed at the end of the fiscal year in which they were paid, and destroyed after 6 years and 3 months. All claims-related records are encompassed by the document preservation order and will be retained until notification is received from the Department of Justice. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Access to the systems is given based on need to know and job responsibilities to review Medicare claims. The Supplemental Medical Review Contractor (SMRC) uses security software and procedural methods to provide “least privilege access” to grant or deny access to data based upon need to know. External audits also verify these controls are in place and functioning. Technical controls used include user identification, passwords, Multi Factor Authentication, firewalls, virtual private networks and intrusion detection systems. Physical controls used include guards, identification badges, key cards, cipher locks and closed-circuit televisions. |