Skip to main content

Transformed Medicaid Statistical Information System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 4/27/2022

PIA Information for the Transformed Medicaid Statistical Information System
PIA Questions PIA Answers
OPDIV:CMS
PIA Unique Identifier:P-8995810-154848
Name:Transformed Medicaid Statistical Information System
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?No
Identify the operator:Agency
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization7/14/2023
Indicate the following reason(s) for updating this PIA. Choose from the following options.PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.

T-MSIS has undergone functional enhancements, added/updated data sharing methods (all with internal CMS partners), and updated technologies for security and performance since the last PIA review. None of the changes indicated PIA impact. There has not been a change to the way data is collected, used or stored. All sharing of PII is conducted with internal CMS partners.   The following is a summary of changes:

Internal interconnection from CMS Cloud/AWS Redshift to AWS SAS Viya.
Updated data processing and sharing method with MACBIS Data Warehouse (DataConnect).
T-MSIS internal data processing functions and methods.
Implementation of Containerization (Docker) deployment for existing T-MSIS processes.
Vertical scaling of compute and storage instances.
Internal interconnection via T-MSIS S3 access by IDR (CMS system).
Internal connection to MACBIS Data Warehouse S3 bucket for aggregated Medicare/Medicaid Modernization Act (MMA) data.

Describe the purpose of the system

Transformed Medicaid Statistical Information System (T-MSIS) is the system that receives and processes Medicaid eligibility and claims data that State Medicaid agencies submit to CMS as a result of the Balanced Budget Act (BBA) of 1997.

T-MSIS is a critical component of achieving the Medicaid and Children’s Health Insurance Program (CHIP) Business Information Solution (MACBIS) goals. The goal of T-MSIS is to collect a baseline set of data and to use a common expandable and sustainable platform towards a CMS Medicaid and CHIP Business Information Solution system.

T-MSIS is used to reduce State burdens currently impacted by multiple CMS requests for data, and to better enable States to perform their core responsibilities of Medicaid and CHIP program oversight, administration, and program integrity.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

T-MSIS contains the minimum required data elements obtained from individual states necessary to support administration of the Medicaid program at the federal level, Medicaid-related research of policy issues, quality and effectiveness of care, and to combat fraud. These file extracts are submitted on a monthly basis in the form of electronic file transfers to CMS. The file extracts submitted by the States consist of 8 file types: 1) Eligibles, 2) Providers, 3) Managed care organizations, 4) Third Party Liability obligations, and 5-8) four types of Claims (Prescription, Long Term Care, Inpatient, and Other).

Personally identifiable information (PII), including Protected Health Information (PHI) is submitted to CMS by the States via Secure Electronic File Transfer and from the MACBIS Data Warehouse System (which has its own PIA) via direct S3 access points. The PII includes: the assigned Medicaid identification number; Social Security Number; Health Insurance Claim Number; Date of Birth; sex; ethnicity and race; medical services; equipment information; supplies for which Medicaid reimbursement is requested; and materials used to determine amount of benefits allowable under Medicaid. Information on Physicians and other Providers of services to the beneficiary consists of assigned provider identification number, information used to determine whether a sanction or suspension is warranted and data related to the Medicare/Medicaid Modernization Act (MMA).

T-MSIS does not collect, process or store user credentials for its end users; rather, identification, authentication and authorization for access to T-MSIS is performed by the CMS Identity Management (IDM) access control software, which transmits information about authorized user identity, roles, and accesses via integration with the CMS Enterprise Portal.

T-MSIS does collect, process, and store user credentials for a limited number Direct Contractors involved in back-end system support, administration, and operations roles.

The information collected and stored for these administrative users consist of the direct contractor’s name, user identifier, and business e-mail address.

These user identifiers are assigned to the user via the CMS Enterprise User Management (EUA) access control software.

For all users, T-MSIS records user activity within the T-MSIS system for audit purposes, and stores the user identifier associated with a user’s actions in the T-MSIS audit logs.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The primary purpose of T-MSIS is to establish an accurate, current, and comprehensive database containing standardized enrollment, eligibility, and paid claims of Medicaid beneficiaries to be used for the administration of Medicaid at the federal level, produce statistical reports, support Medicaid related research, and assist in the detection of fraud and abuse in the Medicaid program.  Information in this system will also be used to support regulatory and policy functions performed within the agency or by a contractor or consultant, another federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent, support research of policy issues, quality and effectiveness of care, and of epidemiological projects, support constituent requests made to a congressional representative, support litigation involving the agency related to this system of records, and combat fraud and abuse in certain federally funded health care programs. The PII includes: the assigned Medicaid identification number; Social Security Number; Health Insurance Claim Number; Date of Birth; sex; ethnicity and race; medical services; equipment information; supplies for which Medicaid reimbursement is requested; and materials used to determine amount of benefits allowable under Medicaid. T-MSIS uses a unique identifier referred to as the MSIS Identifier. Records can be retrieved using this data element. In states that use Social Security Number (SSN) as their MSIS Identifier, records can be retrieved by SSN. The records are kept for 5 years and then destroyed.

The T-MSIS application captures information about its users’ activities within the T-MSIS system in audit logs for the purpose of ensuring system usage in accordance with rules of behavior, managing system operations, and ensuring confidentiality, integrity, and availability of its data. This auditing process collects the user identifiers (not including credentials) of authenticated users who are active in the system and logs details of user activity in the system. The audit logs are retained and managed on a retention schedule in accordance with the current CMS Information Systems Security and Privacy Policy (IS2P2). 

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • E-Mail Address
  • Phone Numbers
  • Date of Birth
  • Mailing Address
  • Other - Race/Ethnicity, Health insurance claim number (HICN), Unique Physician Identification Number (UPIN), sex, citizenship/immigration status, user identifiers
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Other - Medicaid/CHIP beneficiaries (and/or individuals eligible for benefits), Providers, Direct Contractors
How many individuals' PII in the system?1,000,000 or more
For what primary purpose is the PII used?

The primary purpose of the PII used by T-MSIS is to support the mission of providing health benefits and services to beneficiaries of the Medicaid and Children's Health Insurance Program (CHIP) programs in accordance with Federal statutes or regulations.

Included in the scope of this activity is maintaining PII/PHI necessary to support continued operations and oversight of the Medicaid and Children's Health Insurance Program (CHIP) programs, including information used to prevent, detect, identify, and address fraud, waste, and abuse in such programs.

T-MSIS does not collect PII or PHI directly from the individual. Rather, T-MSIS receives PII/PHI from the States. It is the responsibility of the states, or their data sources, to have a notice of privacy practices that states the primary purpose of collecting and using the PII. T-MSIS is designed to help states improve their data quality. T-MSIS runs analytics on the data including PII to detect anomalies indicative of poor data quality (e.g., if a person had a medical treatment after the date of their death) so that CMS can work with states to improve their data.

User credential information for direct contractor system administrators is collected to control system access.

User identifier information for all system users is captured in the T-MSIS audit logs to ensure user activity in the system is in accordance with rules of behavior, support overall system operations activities (such as isolation of technical issues), and protect confidentiality, integrity, and availability of the system’s data.

User identifier information is disclosed only to direct contractors involved in support of these activities and CMS employees overseeing these activities and/or identified as having security and privacy responsibilities requiring access to this information.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)T-MSIS uses PII to support analysis and research, and to perform quality assurance and other validation testing activities that cannot otherwise be performed without the use of such data.
Describe the function of the SSN.T-MSIS uses a unique identifier referred to as the MSIS Identifier. Records can be retrieved using this data element. In states that use Social Security Number (SSN) as their MSIS Identifier, records can be retrieved by SSN.
Cite the legal authority to use the SSN.The legal authority to use the SSN is 1902(a)(6) of the Social Security Act (42 U.S.C. 1396a(a)(6).
Identify legal authorities​ governing information use and disclosure specific to the system and program.AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Authority for maintenance of the system is given under section 1902(a)(6) of the Social Security Act (42 U.S.C. 1396a(a)(6)), and Title IV of the Balanced Budget Act (Public Law 105– 33). Also, the following legal authority applies; 5 U.S.C. Section 301, Departmental Regulations.
Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

09-70-0541

Medicaid Statistical Information System

Identify the sources of PII in the system: Directly from an individual about whom the information pertainsOther - N/A
Identify the sources of PII in the system: Government SourcesWithin the OPDIV
Identify the sources of PII in the system: Non-Government SourcesOther - N/A
Identify the OMB information collection approval number and expiration date

Medicaid Statistical Information System (MSIS) and the Transformed - Medicaid Statistical Information System (T-MSIS):

OMB# 0938-0345

Expiration Date: 11/30/2027

Is the PII shared with other organizations?No
 

Within HHS Explanation: Within the Operating Division

Users are typically business owners and program staff who evaluate and report on the Medicaid and Children's Health Insurance Program (CHIP) programs.

 
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Not applicable. The notification is the responsibility of the State/Local/Tribal government sources of the data.

For user credential information, notification is the responsibility of the organization responsible for the access control system which issues the original user credentials.

Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.Not applicable. The method for individuals to opt-out of the collection or use of their PII is the responsibility of the State/Local/Tribal government sources of the data or the organization responsible for the access control system which issues the original user credentials. T-MSIS does not collect information directly from individuals. 
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.Not applicable. The method for obtaining consent from the individuals whose PII is in the system when major changes occur to the system is the responsibility of the State/Local/Tribal government sources of the data or the organization responsible for the access control system which issues and maintains the original user credentials. T-MSIS does not collect information directly from individuals. 
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.The method for obtaining consent from the individuals whose PII is in the system when major changes occur to the system is the responsibility of the State/Local/Tribal government sources of the data or the organization responsible for access control systems issuing and maintaining the user credentials. Therefore, that office or organization would handle an individual’s questions or concerns as well as how those concerns would be investigated and resolved.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

Centers for Medicare and Medicaid Services (CMS) has a continuous monitoring program based on the National Institutes of Science and Technology (NIST) recommendations to ensure system integrity, availability & confidentiality. This includes general processes, policies, and procedures defined under the CMS Information Systems Security and Privacy Policy (IS2P2), and specific security and privacy control implementations documented in the T-MSIS System Security Plan (SSP) and within the CMS FISMA Controls Tracking System (CFACTS) for T-MSIS. The individual enrollment application is designed with logic checks to ensure data accuracy and integrity.

Centers for Medicare and Medicaid Services (CMS)/Center for Consumer Information and Insurance Oversight (CCIIO) has established an Enrollment Resolution and Reconciliation program to provide services necessary to resolve errors and reconcile discrepancies in enrollment data between the Health Insurance Exchange, State Based Marketplaces, issuer community, and CMS. Yearly, CCIIO is required to review and update the enrollment process to ensure data collected is relevant to the health insurance enrollment process.

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Users are typically business owners and program staff who evaluate and report on the Medicaid program.
  • Administrators: Administrators are those charged with maintaining the database on the mainframe and mid-tier platforms.
  • Developers: Developers gather the business rules and apply them to the systematic process of storage and manipulation.
  • Contractors: Contractors also gather the business rules and apply them to the systematic process of storage and manipulation. The Contractors are direct contractors for HHS.
  • Others: Some users need PII in order to link T-MSIS data to data from other systems (e.g., Medicare for analysis of dual Medicaid/Medicare enrollees).
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.T-MSIS uses role-based access to determine access to PII. T-MSIS users request access and then the CMS T-MSIS administrators approve the request to permit different levels of access, dependent on the assigned role. T-MSIS enforces the principle of least privilege in a number of ways: Most machine configuration is fully automated, so administrators are the only people with root level access to production systems; All infrastructure is managed by AWS, so no one working on T-MSIS has physical access to machines; Each machine has specific roles assigned to it, and it can only make AWS API calls approved by those roles. This includes all access to Amazon S3; Each machine has specific security groups applied to it that limits its network capabilities, both incoming and outgoing.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.Internal administrative and data science accounts are provided only to people working on T-MSIS with CMS IDs who have a business need to use one of those accounts. This default 'user' role that limits the access to PII to only the users. Then the user requests additional role(s) and the T-MSIS administrators will approve the request based on the principle of least privilege. The additional role a user requests is pre-determined so that the user doesn't actually have choices.
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.To fulfill the annual training requirement, it is mandatory for all users with a CMS issued User ID to complete the CMS Information Technology Security and Privacy - Computer Based Training (ITSP-CBT) during annual recertification of their CMS user IDs.  
Describe training system users receive (above and beyond general security and privacy awareness training)Not applicable. System users do not receive training above and beyond general security and privacy awareness training.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

T-MSIS follows the National Archives and Records Administration (NARA) General Records Schedule (GRS) 3.1 - General Technology Management Records (DAA-GRS-2013-0005-0004), for retention and destruction of user credential information captured in system audit logs. T-MSIS retains audit records for a minimum of ninety (90) days and archives old records for a minimum of one (1) year to provide support for after-the-fact investigations of security incidents and to meet regulatory and CMS information retention requirements. 

The Medicaid and CHIP program information follows the standard CMS Records Schedules (DAA-0440-2015-0007). This general CMS records schedule is sub-divided into collections of related records types, known as Buckets.

T-MSIS follows the following CMS Records Schedules: Bucket 5 (Beneficiary Records) for information on eligible beneficiaries and related information involving the Medicaid and Children’ Health Insurance Program (CHIP) programs.

CMS retains identifiable data for a total period not to exceed 10 years after the final determination of the case is completed. All claims-related records are encompassed by the document preservation order and are retained until notification is received from Department of Justice (DOJ).

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.Administrative controls include: Security and Privacy Training for all users, HHS Rules of Behavior Policy and user acknowledgment, CMS/T-MSIS policies regarding the maintenance of confidentiality, integrity and availability of data residing in the system and data about the system. Technical controls include: Logical access controls that employ Role Based Access based on basis of Least Privileged; Authorization controls that grant permission to authorized personnel with approved User ID and password; Deployment of firewalls with "deny all, permit by exception" access control lists, port security and intrusion detection systems. Physical controls include: Guards; Personal Identity Verification (PIV) Cards; Key Cards; and Closed Circuit TV (CCTV) for monitoring.