ViPS Medicare Shared System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 1/10/2025
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-8485017-205856 |
Name: | ViPS Medicare Shared System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Agency |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 3/9/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | ViPS Medicare Shared System (VMS) Development environment has moved to the 365 DataCenters NJ facility at the 365 DataCenters building at 410 Commerce Blvd, Carlstadt, NJ. |
Describe the purpose of the system | The CMS Durable Medical Equipment (DME) Claims Processing System is a critical component of the Fee-For-Service (FFS) program, processing over $6 billion dollars of Medicare claims a year, supporting Medicare's mission to provide quality health care to beneficiaries. ViPS Medicare System (VMS) is the shared system used by the Durable Medical Equipment Medicare Administrative Contractors (DME MACs) to process claims for physician services, diagnostic tests, ambulance services, durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) and other services/supplies that are not covered by Medicare Part A. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The information collected, maintained or disseminated includes name, date of birth, Medicare Beneficiary Identifier (MBI), health insurance claim number, mailing address, phone numbers, medical record numbers, medical notes, bank account information and/or numbers, certificates, email addresses, military status and/or records, employment status and/or records, employer or school name, education records, medical notes, health insurer name/plan, health insurer group number, patient name, marital status, and employment status, financial account info, device identifiers, diagnosis and procedure codes, place of service codes, and provider name and address. User's ID and passwords also reside and are managed by VMS. The VMS user's IDs and passwords are synchronized by the CMS Enterprise User Administrator system (EUA) to CMS user IDs. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The DME claims processing system, using the VMS shared system processes claims submitted by Medicare providers. The information in the VMS is used to process and pay DME claims. The DME claims processing system is a batch processing system and retrieves by name, HCIN, MBI, or any identifier that can uniquely identify an individual. The system uses patient information and provider information that is collected on a Medicare claim form to process and pay a Medicare provider's claim. That information includes the diagnosis and procedures codes, place of service, provider name and address, and dates of service. The information collected in VMS, maintained or disseminated includes name, date of birth, Medicare Beneficiary Identifier (MBI), health insurance claim number, mailing address, phone numbers, medical record numbers, medical notes, bank account information and/or numbers, certificates, device identifiers, email addresses, military status and/or records, employment status and/or records, employer or school name, education records, medical notes, health insurer name/plan, health insurer group number, patient name, marital status, and employment status, financial account info, device identifiers, diagnosis and procedure codes, place of service codes, and provider name and address. The VMS interfaces with The Common Working File (CWF) which is a pre-payment validation and authorization claims processing system for Medicare Part A, Part B, and Durable Medicare Equipment Prosthetics, Orthotics, and Supplies (DMEPOS) claims. The CWF is a separate system that has its own authority to operate and Privacy Impact Assessment (PIA). |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | Information is used to process and pay Medicare provider claims. It is also used to verify patient data between Medicare Supplemental Insurers, if necessary, as well as beneficiary entitlement and for ensuring accuracy of payment. Internal system user's credentials are used in order to gain system access for operational support. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | None. |
Describe the function of the SSN. | Not applicable. |
Cite the legal authority to use the SSN. | Not applicable. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Sections 1842, 1862 (b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk). |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Medicare Multi-Carrier Claims System, 09-70-0501 Fiscal Intermediary Shared System, 09-70-0503 National Provider System, 09–70–0008 |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | OMB No. 0938-0787; Expires: 10/2024 The associated PAPERWORK REDUCTION ACT (PRA) package is still under Office of Management and Budget (OMB) review. The OMB control number will remain the same, but it will not have a new expiration date until OMB formally reapproves the package. It is not anticipated to receive the approval before late January to early February 2025. The system team has the intent to resubmit the PIA once the updated OMB Control Number has been issued. |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. |
|
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | There are Computer Matching Agreements (CMAs) in place between CMS and SSA, IRS, RRB and participating States. |
Describe the procedures for accounting for disclosures | CMS tracks disclosures of information from the system in the Enterprise Privacy Policy Engine (EPPE). The EPPE system tracks the disclosure of the information to the third parties that are determined to be able to receive the information. No DUAs are completed. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | For the beneficiary, written notice is given when the beneficiary initially enrolls in the Medicare program, and written or orally each time the beneficiary applies for service at a provider. For CMS employees, written notice is provided when they apply for a job. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | When a beneficiary’s data is collected and sent to the VMS system, the beneficiary has already agreed to share their information, so there is not an ability for them to opt out of PII data collection. CMS employees and contractors cannot opt out of providing PII for user credentials because the collection of the data is necessary for employment. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Due to the large number of beneficiaries and providers that would be impacted by a change, obtaining individual consent is not feasible. Therefore, in accordance with the Privacy Act, a new System of Record Notice (SORN) would be published with a 60-day comment period to notify individuals of a change in use and/or disclosure of data by the VMS system. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals are notified of their right to complain about how their information is obtained, used or disclosed in the Medicare Notice of Privacy Practices. Individuals are told to notify Medicare's call center. The call center takes the complaint, and the complaint is directed to the business owner for this claims processing activity to resolve the issue. CMS employee and direct contractor users must report PII issues to their organization's security officer. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Integrity is maintained through system security and control processes that are reviewed by external auditors. Availability is maintained through system redundancies and VMS is required to annually test disaster recovery capabilities. Relevancy and accuracy are maintained by the interactions with the shared systems (FISS and Medicare Part B Shared System (MCS)). |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | VMS uses role-based access limitations and least privilege controls to restrict PII availability. Role-based job codes must be applied for and approved by the designated approvers prior to access being granted. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Administrators and Contractors have role-based access which limits their access to PII data. Users must have a VMS job code in their EUA user profile before they are granted access to VMS. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Security Awareness and Privacy training is provided to each user on an annual basis. Users acknowledge successful training after passing a test at the end of training and the system verifies completion. Included in the training is education about how to properly handle sensitive data. Security personnel receive job related training by attending conferences, forums, and other specific training on an annual basis. Security based role training is recorded within the security department. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Not any. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Per National Archives and Records Administration: PII records are retained temporarily. Cutoff at the end of the fiscal year (FY). Delete/destroy 6 years and 3 months after cutoff, or when no longer needed for Agency business, whichever is later. (Disposition Authority: N1-440-09-14) |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Access to the systems is given based on need to know and job responsibilities to process Medicare claims. Medicare Claims Processing Standard Systems maintainers use security software and methods to provide “least privilege access.” They will utilize software which as a part of the security systems that provides access control and auditing functionality, the ability to grant or deny access to data based upon need to know. Sometimes, in order to fix programmatic problems, programmers are granted temporary access in order to fix and ensure that errors are fixed. The temporary access may be granted for a day or other short periods of time that can be controlled through security software. External audits also verify these controls. Technical controls used include user identification, passwords, firewalls, virtual private networks and intrusion detection systems. Physical controls used include guards, identification badges, key cards, cipher locks and closed circuit televisions. |