Transformed Medicaid Statistical Information System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 4/27/2022
PIA Questions | PIA Answers | |
---|---|---|
OPDIV: | CMS | |
PIA Unique Identifier: | P-8995810-154848 | |
Name: | Transformed Medicaid Statistical Information System | |
The subject of this PIA is which of the following? | Major Application | |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate | |
Is this a FISMA-Reportable system? | Yes | |
Does the system include a Website or online application available to and for the use of the general public? | No | |
Identify the operator: | Agency | |
Is this a new or existing system? | Existing | |
Does the system have Security Authorization (SA)? | Yes | |
Date of Security Authorization | 7/14/2023 | |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) | |
Describe in further detail any changes to the system that have occurred since the last PIA. | T-MSIS has undergone functional enhancements, added/updated data sharing methods (all with internal CMS partners), and updated technologies for security and performance since the last PIA review. None of the changes indicated PIA impact. There has not been a change to the way data is collected, used or stored. All sharing of PII is conducted with internal CMS partners. The following is a summary of changes: Internal interconnection from CMS Cloud/AWS Redshift to AWS SAS Viya. | |
Describe the purpose of the system | Transformed Medicaid Statistical Information System (T-MSIS) is the system that receives and processes Medicaid eligibility and claims data that State Medicaid agencies submit to CMS as a result of the Balanced Budget Act (BBA) of 1997. T-MSIS is a critical component of achieving the Medicaid and Children’s Health Insurance Program (CHIP) Business Information Solution (MACBIS) goals. The goal of T-MSIS is to collect a baseline set of data and to use a common expandable and sustainable platform towards a CMS Medicaid and CHIP Business Information Solution system. T-MSIS is used to reduce State burdens currently impacted by multiple CMS requests for data, and to better enable States to perform their core responsibilities of Medicaid and CHIP program oversight, administration, and program integrity. | |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | T-MSIS contains the minimum required data elements obtained from individual states necessary to support administration of the Medicaid program at the federal level, Medicaid-related research of policy issues, quality and effectiveness of care, and to combat fraud. These file extracts are submitted on a monthly basis in the form of electronic file transfers to CMS. The file extracts submitted by the States consist of 8 file types: 1) Eligibles, 2) Providers, 3) Managed care organizations, 4) Third Party Liability obligations, and 5-8) four types of Claims (Prescription, Long Term Care, Inpatient, and Other). Personally identifiable information (PII), including Protected Health Information (PHI), is submitted to CMS by the States via Secure Electronic File Transfer and from the MACBIS Data Warehouse System (which has its own PIA) via direct S3 access points. The PII includes: the assigned Medicaid identification number; Social Security Number; Health Insurance Claim Number; Date of Birth; sex; ethnicity and race; medical services; equipment information; supplies for which Medicaid reimbursement is requested; and materials used to determine amount of benefits allowable under Medicaid. Information on Physicians and other Providers of services to the beneficiary consists of assigned provider identification number, information used to determine whether a sanction or suspension is warranted and data related to the Medicare/Medicaid Modernization Act (MMA). T-MSIS does not collect, process or store user credentials for its end users; rather, identification, authentication and authorization for access to T-MSIS is performed by the CMS Identity Management (IDM) access control software, which transmits information about authorized user identity, roles, and accesses via integration with the CMS Enterprise Portal. | |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The primary purpose of T-MSIS is to establish an accurate, current, and comprehensive database containing standardized enrollment, eligibility, and paid claims of Medicaid beneficiaries to be used for the administration of Medicaid at the federal level, produce statistical reports, support Medicaid related research, and assist in the detection of fraud and abuse in the Medicaid program. Information in this system will also be used to support regulatory and policy functions performed within the agency or by a contractor or consultant, another federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent, support research of policy issues, quality and effectiveness of care, and of epidemiological projects, support constituent requests made to a congressional representative, support litigation involving the agency related to this system of records, and combat fraud and abuse in certain federally funded health care programs. The PII includes: the assigned Medicaid identification number; Social Security Number; Health Insurance Claim Number; Date of Birth; sex; ethnicity and race; medical services; equipment information; supplies for which Medicaid reimbursement is requested; and materials used to determine amount of benefits allowable under Medicaid. T-MSIS uses a unique identifier referred to as the MSIS Identifier. Records can be retrieved using this data element. In states that use Social Security Number (SSN) as their MSIS Identifier, records can be retrieved by SSN. The records are kept for 5 years and then destroyed. The T-MSIS application captures information about its users’ activities within the T-MSIS system in audit logs for the purpose of ensuring system usage in accordance with rules of behavior, managing system operations, and ensuring confidentiality, integrity, and availability of its data. This auditing process collects the user identifiers (not including credentials) of authenticated users who are active in the system and logs details of user activity in the system. The audit logs are retained and managed on a retention schedule in accordance with the current CMS Information Systems Security and Privacy Policy (IS2P2). | |
Does the system collect, maintain, use or share PII? | Yes | |
Indicate the type of PII that the system will collect or maintain. |
| |
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
| |
How many individuals' PII in the system? | 1,000,000 or more | |
For what primary purpose is the PII used? | The primary purpose of the PII used by T-MSIS is to support the mission of providing health benefits and services to beneficiaries of the Medicaid and Children's Health Insurance Program (CHIP) programs in accordance with Federal statutes or regulations. Included in the scope of this activity is maintaining PII/PHI necessary to support continued operations and oversight of the Medicaid and Children's Health Insurance Program (CHIP) programs, including information used to prevent, detect, identify, and address fraud, waste, and abuse in such programs. T-MSIS does not collect PII or PHI directly from the individual. Rather, T-MSIS receives PII/PHI from the States. It is the responsibility of the states, or their data sources, to have a notice of privacy practices that states the primary purpose of collecting and using the PII. T-MSIS is designed to help states improve their data quality. T-MSIS runs analytics on the data including PII to detect anomalies indicative of poor data quality (e.g., if a person had a medical treatment after the date of their death) so that CMS can work with states to improve their data. User credential information for direct contractor system administrators is collected to control system access. User identifier information for all system users is captured in the T-MSIS audit logs to ensure user activity in the system is in accordance with rules of behavior, support overall system operations activities (such as isolation of technical issues), and protect confidentiality, integrity, and availability of the system’s data. User identifier information is disclosed only to direct contractors involved in support of these activities and CMS employees overseeing these activities and/or identified as having security and privacy responsibilities requiring access to this information. | |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | T-MSIS uses PII to support analysis and research, and to perform quality assurance and other validation testing activities that cannot otherwise be performed without the use of such data. | |
Describe the function of the SSN. | T-MSIS uses a unique identifier referred to as the MSIS Identifier. Records can be retrieved using this data element. In states that use Social Security Number (SSN) as their MSIS Identifier, records can be retrieved by SSN. | |
Cite the legal authority to use the SSN. | The legal authority to use the SSN is 1902(a)(6) of the Social Security Act (42 U.S.C. 1396a(a)(6)). | |
Identify legal authorities governing information use and disclosure specific to the system and program. | AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Authority for maintenance of the system is given under section 1902(a)(6) of the Social Security Act (42 U.S.C. 1396a(a)(6)), and Title IV of the Balanced Budget Act (Public Law 105–33). Also, the following legal authority applies: 5 U.S.C. Section 301, Departmental Regulations. | |
Are records on the system retrieved by one or more PII data elements? | Yes | |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0541 Medicaid Statistical Information System | |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - N/A | |
Identify the sources of PII in the system: Government Sources | Within the OPDIV | |
Identify the sources of PII in the system: Non-Government Sources | Other - N/A | |
Identify the OMB information collection approval number and expiration date | Medicaid Statistical Information System (MSIS) and the Transformed - Medicaid Statistical Information System (T-MSIS): OMB# 0938-0345 Expiration Date: 11/30/2027 | |
Is the PII shared with other organizations? | No | |
Within HHS Explanation: | Within the Operating Division. Users are typically business owners and program staff who evaluate and report on the Medicaid and Children's Health Insurance Program (CHIP) programs. | |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Not applicable. The notification is the responsibility of the State/Local/Tribal government sources of the data. For user credential information, notification is the responsibility of the organization responsible for the access control system which issues the original user credentials. | |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary | |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Not applicable. The method for individuals to opt-out of the collection or use of their PII is the responsibility of the State/Local/Tribal government sources of the data or the organization responsible for the access control system which issues the original user credentials. T-MSIS does not collect information directly from individuals. | |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Not applicable. The method for obtaining consent from the individuals whose PII is in the system when major changes occur to the system is the responsibility of the State/Local/Tribal government sources of the data or the organization responsible for the access control system which issues and maintains the original user credentials. T-MSIS does not collect information directly from individuals. | |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The method for obtaining consent from the individuals whose PII is in the system when major changes occur to the system is the responsibility of the State/Local/Tribal government sources of the data or the organization responsible for access control systems issuing and maintaining the user credentials. Therefore, that office or organization would handle an individual’s questions or concerns as well as how those concerns would be investigated and resolved. | |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Centers for Medicare and Medicaid Services (CMS) has a continuous monitoring program based on the National Institute of Standards and Technology (NIST) recommendations to ensure system integrity, availability & confidentiality. This includes general processes, policies, and procedures defined under the CMS Information Systems Security and Privacy Policy (IS2P2), and specific security and privacy control implementations documented in the T-MSIS System Security Plan (SSP) and within the CMS FISMA Controls Tracking System (CFACTS) for T-MSIS. The individual enrollment application is designed with logic checks to ensure data accuracy and integrity. Centers for Medicare and Medicaid Services (CMS)/Center for Consumer Information and Insurance Oversight (CCIIO) has established an Enrollment Resolution and Reconciliation program to provide services necessary to resolve errors and reconcile discrepancies in enrollment data between the Health Insurance Exchange, State Based Marketplaces, issuer community, and CMS. Yearly, CCIIO is required to review and update the enrollment process to ensure data collected is relevant to the health insurance enrollment process. | |
Identify who will have access to the PII in the system and the reason why they require access. |
| |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | T-MSIS uses role-based access to determine access to PII. T-MSIS users request access and then the CMS T-MSIS administrators approve the request to permit different levels of access, dependent on the assigned role. T-MSIS enforces the principle of least privilege in a number of ways: Most machine configuration is fully automated, so administrators are the only people with root level access to production systems; All infrastructure is managed by AWS, so no one working on T-MSIS has physical access to machines; Each machine has specific roles assigned to it, and it can only make AWS API calls approved by those roles. This includes all access to Amazon S3; Each machine has specific security groups applied to it that limit its network capabilities, both incoming and outgoing. | |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Internal administrative and data science accounts are provided only to people working on T-MSIS with CMS IDs who have a business need to use one of those accounts. This default 'user' role limits the access to PII to only the users. Then the user requests additional role(s) and the T-MSIS administrators will approve the request based on the principle of least privilege. The additional role a user requests is pre-determined so that the user doesn't actually have choices. | |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | To fulfill the annual training requirement, it is mandatory for all users with a CMS-issued User ID to complete the CMS Information Technology Security and Privacy - Computer Based Training (ITSP-CBT) during annual recertification of their CMS user IDs. | |
Describe training system users receive (above and beyond general security and privacy awareness training) | Not applicable. System users do not receive training above and beyond general security and privacy awareness training. | |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes | |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | T-MSIS follows the National Archives and Records Administration (NARA) General Records Schedule (GRS) 3.1 - General Technology Management Records (DAA-GRS-2013-0005-0004), for retention and destruction of user credential information captured in system audit logs. T-MSIS retains audit records for a minimum of ninety (90) days and archives old records for a minimum of one (1) year to provide support for after-the-fact investigations of security incidents and to meet regulatory and CMS information retention requirements. The Medicaid and CHIP program information follows the standard CMS Records Schedules (DAA-0440-2015-0007). This general CMS records schedule is sub-divided into collections of related records types, known as Buckets. T-MSIS follows the following CMS Records Schedules: Bucket 5 (Beneficiary Records) for information on eligible beneficiaries and related information involving the Medicaid and Children's Health Insurance Program (CHIP) programs. CMS retains identifiable data for a total period not to exceed 10 years after the final determination of the case is completed. All claims-related records are encompassed by the document preservation order and are retained until notification is received from Department of Justice (DOJ). | |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative controls include: Security and Privacy Training for all users, HHS Rules of Behavior Policy and user acknowledgment, CMS/T-MSIS policies regarding the maintenance of confidentiality, integrity and availability of data residing in the system and data about the system. Technical controls include: Logical access controls that employ Role Based Access on the basis of Least Privilege; Authorization controls that grant permission to authorized personnel with approved User ID and password; Deployment of firewalls with "deny all, permit by exception" access control lists, port security and intrusion detection systems. Physical controls include: Guards; Personal Identity Verification (PIV) Cards; Key Cards; and Closed Circuit TV (CCTV) for monitoring. |