83 FR 46951 - Privacy Act of 1974; System of Records

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services

Federal Register Volume 83, Issue 180 (September 17, 2018)

Page Range: 46951-46954
FR Document: 2018-20063

[Federal Register Volume 83, Number 180 (Monday, September 17, 2018)]
[Notices]
[Pages 46951-46954]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-20063]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; System of Records

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS), proposes to modify or alter an 
existing system of records subject to the Privacy Act, System No. 09-
70-0541, titled ``Medicaid Statistical Information System (MSIS).'' 
This system of records covers the Medicaid dataset. The dataset 
includes standardized enrollment, eligibility, and paid claims of 
Medicaid recipients and is used to administer Medicaid at the Federal 
level, produce statistical reports, support Medicaid related research, 
and assist in the detection of fraud and abuse in the Medicare and 
Medicaid programs. CMS is adding two new routine uses as numbers three
and 10. CMS is including two routine uses that were published on 
February 14, 2018, and are numbered as eight and nine in the routine 
use section below. In addition, CMS is changing the name of the system 
of records to: Transformed-Medicaid Statistical Information System (T-
MSIS) and making other modifications which are explained below.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is 
applicable September 17, 2018, subject to a 30-day period in which to 
comment on the routine uses. Submit any comments by October 17, 2018.

ADDRESSES: Written comments should be submitted by mail or email to: 
CMS Privacy Act Officer, Division of Security, Privacy Policy & 
Governance, Information Security & Privacy Group, Office of Information 
Technology, CMS, Location N1-14-56, 7500 Security Boulevard, Baltimore, 
MD 21244-1870, or walter.stone@cms.hhs.gov.

FOR FURTHER INFORMATION CONTACT: General questions about the system of 
records may be submitted to Darlene Anderson, Health Insurance 
Specialist, Data and Systems Group, Center for Medicaid and CHIP 
Services (CMCS), CMS, Mail Stop S2-22-16, 7500 Security Boulevard, 
Baltimore, MD 21244, Telephone 410-786-9828 or email to
Darlene.Anderson@cms.hhs.gov.

SUPPLEMENTARY INFORMATION: 

I. Program and IT System Changes Prompting This SORN Modification

    The Transformed Medicaid Statistical Information System (T-MSIS) is 
replacing the Medicaid Statistical Information System (MSIS) as the 
information technology (IT) system housing the national Medicaid 
dataset. It is a joint effort by the States and CMS to build a Medicaid 
dataset that addresses problems identified with Medicaid data in MSIS. 
T-MSIS provides improved program monitoring and oversight, technical
assistance with states, policy implementation, and data-driven, high-
quality Medicaid and Children's Health Insurance Program (CHIP)
programs that ensure better care, access to coverage, and improved
health.
    To improve Medicaid program oversight, CMS is requiring States to 
submit new files and data elements in T-MSIS which were not collected 
in MSIS, for the purpose of improving the quality of the data extracts 
the States submit to CMS on a quarterly or other periodic basis. 
Following consultation with a wide array of stakeholders, CMS 
established over 1,000 data elements for T-MSIS. This expands on the 
approximately 400 data elements collected in MSIS. T-MSIS builds on the 
original five MSIS files (eligibility and four types of claims: 
Inpatient, long-term care, pharmacy, and other) by adding files for 
third-party liability, information from managed-care plans, and 
providers. New T-MSIS Analytic Files (TAF) include: Beneficiary Files
(monthly beneficiary summary, annual beneficiary summary); Claims Files
(inpatient, long-term care, pharmacy, and other); and Provider and
Managed Care Files.
    Currently, each state submits five extracts to CMS on a quarterly 
basis. These data are used by CMS to assist in federal reporting for
Medicaid and CHIP. Several reasons culminated in the CMS mission to
improve the Medicaid dataset repository, including incomplete data, 
questionable results, multiple data collections from states, multiple 
federal data platforms and analytic difficulties in interpreting and 
presenting the results. In addition, timeliness issues have prompted 
CMS to re-evaluate its processes and move toward a streamlined 
delivery, along with an enhanced data repository. The new T-MSIS 
extract format is expected to further CMS goals for improved 
timeliness, reliability and robustness through monthly updates and an 
increase in the amount of data requested.

II. Modifications to SORN 09-70-0541

    The following modifications have been made to SORN 09-70-0541 in 
order to reflect changes to the system of records resulting from the IT 
system change from MSIS to T-MSIS and to update the SORN generally:
    • The SORN has been reformatted to conform to the revised
template prescribed in Office of Management and Budget (OMB) Circular
A-108, issued December 23, 2016.
    • The name of the system of records has been changed from
``Medicaid Statistical Information System (MSIS)'' to ``Transformed--
Medicaid Statistical Information System (T-MSIS), HHS/CMS/CMCS.''
    • Address information in the System Location and System
Manager(s) sections has been updated.
    • The Authority section now cites applicable U.S. Code
provisions instead of public laws.
    • The Purpose section now includes information about collecting
over 1000 new data elements to perform expanded data analytics. The
T-MSIS data set contains enhanced information about beneficiary
eligibility, beneficiary and provider enrollment, service utilization,
claims and managed care data, and expenditure data for Medicaid and
CHIP.
    • The categories of individuals have not changed, but they
are now more clearly delineated as Medicaid recipients and Medicaid
providers.
    • The Categories of Records section now specifies categories
of records, in addition to listing data elements. Including these
categories for the existing five categories, the list has been expanded
to add new categories (i.e., files for third-party liability,
information from managed-care plans, and providers) and additional
examples of data elements (such as tax identification number/employer
identification number (TIN/EIN), national provider identifier (NPI),
Social Security Number (SSN), prescriber identification number, and
other assigned clinician numbers).
    • The Record Source Categories section has added non-Medicare
individuals; third party data submitters who are individuals (i.e.,
Third Party Administrators (TPA)); and contact persons and authorized
representatives (such as parents and guardians of Medicare recipients
who are minors) as sources of information.
    • The following changes have been made to the Routine Uses
section:
        ◦ Two new routine uses have been added, numbered as three and
10.
        ◦ The two breach response-related routine uses which were added
February 14, 2018, are now numbered as eight and nine, and
        ◦ CMS grantees were removed from routine use number one.
    • There are no changes to the Storage section.
    • The Retrieval section now indicates that information will
be retrieved by name, address, and Tax Identification Number (TIN)/
Employer Identification Number (EIN) pertaining to third party data
submitters. Records about contact persons will be retrieved by name,
email address and business address.
    • The Retention and Disposal section changes retention of
Medicaid records to a period of 10 years after the final determination
of the case is completed. In addition, any claims-related records
encompassed by a document preservation order may be retained longer
(i.e., until notification is received from the Department of Justice).
    • The Safeguards section has been updated to reflect the most
recent publications and guidance governing the use and protections of
the data maintained in this SOR.
    • The Records Access, Contesting, and Notification procedures
sections have been expanded to provide clarity and better understanding
of procedures to follow.

Barbara Demopulos,
CMS Privacy Advisor, Division of Security, Privacy Policy and 
Governance, Information Security and Privacy Group, Office of 
Information Technology, Centers for Medicare & Medicaid Services.

SYSTEM NAME AND NUMBER:
    Transformed--Medicaid Statistical Information System (T-MSIS), HHS/
CMS/CMCS, System No. 09-07-0541.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is: The CMS Data Center, 7500 Security Boulevard, North 
Building, First Floor, Baltimore, Maryland 21244-1850 and at various 
contractor sites.

SYSTEM MANAGER(S):
    Director, Data and Systems Group, Center for Medicaid and CHIP 
Services, CMS Mail Stop S2-22-16, 7500 Security Boulevard, Baltimore, 
Maryland 21244-1850.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The specific authority that authorizes the maintenance of the 
records in the system is given under Sec.  1902(a)(6) of the Social 
Security Act (the Act) (42 United States Code (U.S.C.) 1396a (a)(6)), 
Sec.  4753(a) (1396a (i)(1)(B)) of the Balanced Budget Act of 1997 
(Public Law (Pub. L. 105-33)), Sec.  4201 of the American Reinvestment
and Recovery Act of 2009 (ARRA) (Pub. L. 111-5), and in accordance with 
Sec. Sec.  402(c), 1561, 2602, 4302, 6402(c), 6504(a), 6504(b) of the 
Patient Protection and Affordable Care Act (ACA) (Pub. L. 111-148).

PURPOSE(S) OF THE SYSTEM:
    The primary purpose of the system is to establish an accurate, 
current, and comprehensive database containing standardized enrollment, 
eligibility, and paid claims of Medicaid recipients to be used for the 
administration of Medicaid at the Federal level, produce statistical 
reports, support Medicaid related research, and assist in the detection 
of fraud and abuse in the Medicare and Medicaid programs. T-MSIS will
also provide benefits to the states by reducing the number of reports
CMS requires of the states, and will provide data needed to improve
beneficiary quality of care, assess beneficiary access to care and
enrollment, improve program integrity, and support our states, the
private market, and stakeholders with key information.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records in this system of records are about the following 
categories of individuals:
    • Medicaid recipients (including individuals in the dual
eligible population, individuals enrolled in the CHIP program, and non-
Medicare individuals);
    • Medicaid providers (i.e., physicians and providers of
healthcare services to the Medicaid and CHIP population);
    • Any non-Medicare individuals whose information is
contained in a record about a Medicaid recipient or Medicaid provider;
    • Third party data submitters; i.e., third party
administrators or independent insurance company personnel who are
required to report claims information pertaining to Medicaid
recipients, and
    • Contact persons such as parents and guardians of Medicare
recipients who are minors, CHIP recipients, and non-Medicare
individuals.

CATEGORIES OF RECORDS IN THE SYSTEM:
    A. The system of records consists of the following categories of 
records, which contain information about Medicaid recipients and 
Medicaid providers, and non-Medicaid individuals and contact persons 
for CHIP recipients and non-Medicare population.
    • Original MSIS files:
        ◦ Eligibility files
        ◦ Claims files (for inpatient claims, long-term care claims,
pharmacy claims, and other claims).
    • New files added to T-MSIS database:
        ◦ Third-party liability
        ◦ Information from managed care plans
        ◦ Providers
    • New T-MSIS analytic files (TAF):
        ◦ Beneficiary files (monthly beneficiary summary, annual
beneficiary summary);
        ◦ Claims files (for inpatient claims, long-term care claims,
pharmacy claims, and other claims);
        ◦ Providers of healthcare services to the Medicaid and CHIP
population; and
        ◦ Managed care plans
    B. Information about Medicaid recipients includes data elements
such as name, address, assigned Medicaid identification number, SSN, 
Medicare beneficiary identifier (MBI), date of birth, gender, ethnicity 
and race, medical services, equipment, and supplies for which Medicaid 
reimbursement is requested. Information will also include the 
recipient's individually identifiable health information, i.e., health 
care utilization and claims data, health insurance claim number (HICN), 
Medicare beneficiary identifier (MBI), and SSN.
    Information about Medicaid providers in the above records includes 
data elements such as contact information (such as the provider's name, 
address, phone number, email address, date of birth, business address, 
TIN/EIN, national provider identifier (NPI), SSN, prescriber
identification number, and other assigned clinician numbers) and 
information about health care services the clinician provided to 
Medicare recipients and the measures and activities the clinician used 
in providing the services.
    Information about any non-Medicaid individuals would include data 
elements such as those listed above for Medicaid recipients such as 
name, address, phone number, email address, and SSN or other 
identifying number.
    Information about contact persons for CHIP recipients and non-
Medicare individuals includes data elements such as name, address, 
phone number, email address, TIN/EIN, or other identifying number.

RECORD SOURCE CATEGORIES:
    Information in the system of records is obtained from State 
Medicaid agencies or Territories, which collect the information 
directly from Medicaid recipients or their authorized representatives
(such as parents and guardians of Medicare recipients who are minors)
or from Medicaid providers.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    A. The agency may disclose a record about an individual Medicaid 
recipient or Medicaid provider from this system of records to parties 
outside HHS, without the individual's prior written consent, pursuant 
to these routine uses:
    1. To support agency contractors and consultants who have been
engaged by the agency to assist in the performance of a service related 
to the collection and who need to have access to the records in order 
to perform the activity.
    2. To assist another Federal or state agency, agency of a state 
government, an agency established by state law, or its fiscal agent to:
    a. Contribute to the accuracy of CMS' proper management of 
Medicare/Medicaid benefits;
    b. Enable such agency to administer a Federal health benefits 
program, or as necessary to enable such agency to fulfill a requirement 
of a Federal statute or regulation that implements a health benefits 
program funded in whole or in part with Federal funds; and/or
    c. Assist Federal/state Medicaid programs.
    3. To assist another Federal or state agency, agency of a state 
government, an agency established by state law, or its fiscal agent to 
enable such agency to administer a Federal benefits program, or as 
necessary to enable such agency to fulfill a requirement of a Federal 
statute or regulation funded in whole or in part with Federal funds.
    4. To an individual or organization for a research project or in 
support of an evaluation project related to the prevention of disease 
or disability, the restoration or maintenance of health, or payment 
related projects.
    5. To the Department of Justice (DOJ), court or adjudicatory body 
when:
    a. The agency or any component thereof;
    b. Any employee of the agency in his or her official capacity;
    c. Any employee of the agency in his or her individual capacity 
where the DOJ has agreed to represent the employee; or
    d. The United States Government is a party to litigation or has an 
interest in such litigation, and by careful review, CMS determines that 
the records are both relevant and necessary to the litigation and that 
the use of such records by the DOJ, court or adjudicatory body is 
compatible with the purpose for which the agency collected the records.
    6. To a CMS contractor (including, but not necessarily limited to 
fiscal intermediaries and carriers) that assists in the administration 
of a CMS-administered health benefits program, or to a grantee of a 
CMS-administered grant program, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud, waste, and abuse in such program.
    7. To another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any State or local governmental agency), that 
administers, or that has the authority to investigate potential fraud, 
waste, and abuse in, a health benefits program funded in whole or in 
part by Federal funds, when disclosure is deemed reasonably necessary 
by CMS to prevent, deter, discover, detect, investigate, examine, 
prosecute, sue with respect to, defend against, correct, remedy, or 
otherwise combat fraud, waste, and abuse in such programs.
    8. Records may be disclosed to appropriate agencies, entities, and 
persons when (a) HHS suspects or has confirmed that there has been a 
breach of the system of records; (b) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the Federal government, or national security; and (c) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS' efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    9. Records may be disclosed to another Federal agency or Federal 
entity, when HHS determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (a) responding to a suspected or confirmed breach or (b) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal government, or national 
security, resulting from a suspected or confirmed breach.
    10. Records may be disclosed to the U.S. Department of Homeland 
Security (DHS) if captured in an intrusion detection system used by HHS 
and DHS pursuant to a DHS cybersecurity program that monitors internet 
traffic to and from Federal government computer networks to prevent a 
variety of types of cybersecurity incidents.
    B. Additional Circumstances Affecting Routine Use Disclosures: To 
the extent this system contains Protected Health Information (PHI) as 
defined by HHS regulation ``Standards for Privacy of Individually 
Identifiable Health Information'' (45 Code of Federal Regulations (CFR) 
Parts 160 and 164, Subparts A and E), disclosures of such PHI that are 
otherwise authorized by these routine uses may only be made if, and as, 
permitted or required by the ``Standards for Privacy of Individually 
Identifiable Health Information'' (see 45 CFR 164.512(a)(1)).
    The disclosures authorized by publication of the above routine uses 
pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures 
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and 
(b)(4)-(11).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    All records are stored on computer diskette and magnetic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The data collected on Medicaid recipients, Medicare beneficiaries 
(and any non-Medicare individuals) are retrieved by the individual's 
name, Medicare beneficiary identifier (MBI), health insurance claim 
number (HICN), SSN, address, and date of birth. The data collected on 
physicians or providers of services will be retrieved by the provider's 
name, address, NPI, TIN/EIN and other identifying provider numbers. 
Information about third party data submitters who are individuals will 
be retrieved by name, address, and TIN/EIN. Records about contact 
persons will be retrieved by name, email address and business address.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    CMS will retain identifiable T-MSIS data for a total period not to
exceed 10 years after the final determination of the case is completed.
The final determination decision encompasses the potential timeframe it
takes for a claim to be finalized, as States can sometimes send
incomplete claims data or claims not yet fully covered due to dispute
or other considerations for Medicaid eligibility. Any claims-related
records encompassed by a document preservation order may be retained
longer (i.e., until notification is received from the Department of
Justice).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    CMS has safeguards in place to prevent records from being accessed 
by unauthorized persons and monitors authorized users to ensure against 
excessive or unauthorized use. Examples of these safeguards include,
but are not limited to: Protecting the facilities where records are
stored or
accessed with security guards, badges and cameras, securing hard-copy 
records in locked file cabinets, file rooms or offices during off-duty 
hours, limiting access to electronic databases to authorized users 
based on roles and two-factor authentication (user ID and password), 
using a secured operating system protected by encryption, firewalls, 
and intrusion detection systems, requiring encryption for records 
stored on removable media, and training personnel in Privacy Act and 
information security requirements. Records that are eligible for 
destruction are disposed of using destruction methods prescribed by 
NIST SP 800-88. Personnel having access to the system have been trained 
in the Privacy Act and information security requirements. Employees who 
maintain records in the system are instructed not to release data until 
the intended recipient agrees to implement appropriate management, 
operational and technical safeguards sufficient to protect the 
confidentiality, integrity and availability of the information and 
information systems, and to prevent unauthorized access.
    The Information Technology (IT) system used to house the records 
conforms to all applicable Federal laws and regulations and Federal, 
HHS, and CMS policies and standards as they relate to information 
security and data privacy. These laws and regulations may apply but are 
not limited to: The Privacy Act of 1974; the Federal Information 
Security Management Act of 2002; the Federal Information Security 
Modernization Act of 2014; the Computer Fraud and Abuse Act of 1986; 
the Health Insurance Portability and Accountability Act of 1996; the E-
Government Act of 2002; the Clinger-Cohen Act of 1996; the Medicare 
Modernization Act of 2003; and the corresponding implementing 
regulations.
    OMB Circular A-130, Management of Federal Resources, and Security 
of Federal Automated Information Resources also applies to the SOR. 
Federal, HHS, and CMS policies and standards include but are not 
limited to: All pertinent National Institute of Standards and 
Technology publications; the HHS Information Security and Privacy 
Policy Handbook (IS2P), the CMS Acceptable Risk Safeguards (ARS), and 
the CMS Information Security and Privacy Policy (IS2P2).

RECORD ACCESS PROCEDURES:
    An individual seeking access to a record about him/her in this 
system of records must submit a written request to the System Manager 
indicated above. The request must contain the individual's name and 
particulars necessary to distinguish between records on subject 
individuals with the same name, such as NPI or TIN, and should also 
reasonably specify the record(s) to which access is sought. To verify 
the requester's identity, the signature must be notarized or the 
request must include the requester's written certification that he/she 
is the person he/she claims to be and that he/she understands that the 
knowing and willful request for or acquisition of records pertaining to 
an individual under false pretenses is a criminal offense subject to a 
$5,000 fine.

CONTESTING RECORD PROCEDURES:
    Any subject individual may request that his/her record be corrected 
or amended if he/she believes that the record is not accurate, timely, 
complete, or relevant or necessary to accomplish a Department function. 
A subject individual making a request to amend or correct his record 
shall address his request to the System Manager indicated, in writing,
and must verify his/her identity in the same manner required for an 
access request. The subject individual shall specify in each request: 
(1) The system of records from which the record is retrieved; (2) The 
particular record and specific portion which he/she is seeking to 
correct or amend; (3) The corrective action sought (e.g., whether he/
she is seeking an addition to or a deletion or substitution of the 
record); and, (4) His/her reasons for requesting correction or 
amendment of the record. The request should include any supporting 
documentation to show how the record is inaccurate, incomplete, 
untimely, or irrelevant.

NOTIFICATION PROCEDURES:
    Individuals wishing to know if this system contains records about 
them should write to the System Manager indicated above and follow the 
same instructions under Record Access Procedures.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Medicaid Statistical Information System (MSIS), System No.
09-07-0541 last published in full at 71 FR 65527 (Nov. 8, 2006), as
amended 78 FR 32257 (May 29, 2013), and updated 83 FR 6591 (Feb. 14,
2018).

[FR Doc. 2018-20063 Filed 9-14-18; 8:45 am]
 BILLING CODE 4120-03-P



                                               proposes to modify or alter an existing                                                                       to ‘‘Transformed—Medicaid Statistical
                                                                                                       driven and high-quality Medicaid                      Information System (T–MSIS), HHS/
                                               system of records subject to the Privacy                program and Children’s Health
                                               Act, System No. 09–70–0541, titled                                                                            CMS/CMCS.’’
                                                                                                       Insurance Program (CHIP) that ensure                     • Address information in the System
                                               ‘‘Medicaid Statistical Information                      better care, access to coverage, and
                                               System (MSIS).’’ This system of records                                                                       Location and System Manager(s)
                                                                                                       improved health.                                      sections has been updated.
                                               covers the Medicaid dataset. The dataset                   To improve Medicaid program
                                               includes standardized enrollment,                                                                                • The Authority section now cites
                                                                                                       oversight, CMS is requiring States to                 applicable U.S. Code provisions instead
                                               eligibility, and paid claims of Medicaid                submit new files and data elements in
                                               recipients and is used to administer                                                                          of public laws.
                                               Medicaid at the Federal level, produce
                                                                                                       T–MSIS which were not collected in                       • The Purpose section added
                                                                                                       MSIS, for the purpose of improving the                information collecting over 1000 new
                                               statistical reports, support Medicaid                   quality of the data extracts the States
                                               related research, and assist in the                                                                           data elements to perform expanded data
                                                                                                       submit to CMS on a quarterly or other                 analytics. The T–MSIS data set contains:
                                               detection of fraud and abuse in the                     periodic basis. Following consultation
                                               Medicare and Medicaid programs. CMS                                                                           enhanced information about beneficiary
                                                                                                       with a wide array of stakeholders, CMS                eligibility, beneficiary and provider
                                               is adding two new routine use as                        established over 1,000 data elements for
                                               numbers three and 10. CMS is including                                                                        enrollment, service utilization, claims
                                                                                                       T–MSIS. This expands on the                           and managed care data, and expenditure
                                               two routine uses that were published on                 approximately 400 data elements
                                               February 14, 2018, and are numbered as                                                                        data for Medicaid and CHIP.
                                                                                                       collected in MSIS. T–MSIS builds on                      • The categories of individuals have
                                               eight and nine in the routine use section               the original five MSIS files (eligibility             not changed, but they are now more
                                               below. In addition, CMS is changing the                 and four types of claims: Inpatient, long-            clearly delineated as Medicaid
                                               name of the system of records to:                       term care, pharmacy, and other) by                    recipients and Medicaid providers.
                                               Transformed-Medicaid Statistical                        adding files for third-party liability,                  • The Categories of Records section
                                               Information System (T–MSIS) and                         information from managed-care plans,                  now specifies categories of records, in
                                               making other modifications which are                    and providers. New T–MSIS Analytic                    addition to a listing data elements.
                                               explained below.                                        Files (TAF) include: Beneficiary Files:               Including these categories for the
                                               DATES: In accordance with 5 U.S.C.                      Monthly beneficiary summary, annual                   existing five categories, the list has been
                                               552a(e)(4) and (11), this notice is                     beneficiary summary, Claims Files:                    expanded to add new categories (i.e.,
                                               applicable September 17, 2018, subject                  Inpatients, long-term care, pharmacy                  files for third-party liability, information
                                               to a 30-day period in which to comment                  and other files: Provider and Managed                 from managed-care plans, and
                                               on the routine uses. Submit any                         Care Files.                                           providers.) and additional examples of
                                               comments by October 17, 2018.                              Currently, each state submits five                 data elements (such as tax identification
                                               ADDRESSES: Written comments should                      extracts to CMS on a quarterly basis.                 number/employer identification number
                                               be submitted by mail or email to: CMS                   These data are used by CMS to assist in               (TIN/EIN), national provider identifier
                                               Privacy Act Officer, Division of                        federal reporting for the Medicaid and                (NPI), Social Security Number (SSN),
                                               Security, Privacy Policy & Governance,                  CHIP. Several reasons culminated in the               prescriber identification number, and
                                               Information Security & Privacy Group,                   CMS mission to improve the Medicaid                   other assigned clinician numbers).
daltland on DSKBBV9HB2PROD with NOTICES




                                               Office of Information Technology, CMS,                  dataset repository, including incomplete                 • The Record Source Categories
                                               Location N1–14–56, 7500 Security                        data, questionable results, multiple data             section has added non-Medicare
                                               Boulevard, Baltimore, MD 21244–1870,                    collections from states, multiple federal             individuals, third party data submitter
                                               or walter.stone@cms.hhs.gov.                            data platforms and analytic difficulties              who are individuals; i.e., Third Party
                                               FOR FURTHER INFORMATION CONTACT:                        in interpreting and presenting the                    Administrators (TPA); contact persons
                                               General questions about the system of                   results. In addition, timeliness issues               and authorized representatives (such as
                                               records may be submitted to Darlene                     have prompted CMS to re-evaluate its                  parents and guardians of Medicare


                                          VerDate Sep<11>2014   17:47 Sep 14, 2018   Jkt 244001   PO 00000   Frm 00042   Fmt 4703   Sfmt 4703   E:\FR\FM\17SEN1.SGM   17SEN1


                                               46952                     Federal Register / Vol. 83, No. 180 / Monday, September 17, 2018 / Notices

recipients who are minors) as sources of information.
• The following changes have been made to the Routine Uses section:
  ○ Two new routine uses have been added, numbered as three and 10.
  ○ The two breach response-related routine uses which were added February 14, 2018, are now numbered as eight and nine, and
  ○ CMS grantees were removed from routine use number one.
• There are no changes to the Storage section.
• The Retrieval section now indicates that information will be retrieved by name, address, and Tax Identification Number (TIN)/Employer Identification Number (EIN) pertaining to third party data submitters. Records about contact persons will be retrieved by name, email address and business address.
• The Retention and Disposal section changes retention of Medicaid record to a period of 10 years after the final determination of the case is completed. In addition, any claims-related records encompassed by a document preservation order may be retained longer (i.e., until notification is received from the Department of Justice).
• The Safeguards section has been updated to reflect most recent publications and guidance governing the use and protections of the data maintained in this SOR.
• Records Access, Contesting, and Notification procedures sections have been expanded to provide clarity and better understanding of procedures to follow.

Barbara Demopulos,
CMS Privacy Advisor, Division of Security, Privacy Policy and Governance, Information Security and Privacy Group, Office of Information Technology, Centers for Medicare & Medicaid Services.

SYSTEM NAME AND NUMBER

Transformed—Medicaid Statistical Information System (T–MSIS), HHS/CMS/CMCS, System No. 09–07–0541.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of the agency component responsible for the system of records is: The CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244–1850 and at various contractor sites.

SYSTEM MANAGER(S):

Director, Data and Systems Group, Center for Medicaid and CHIP Services, CMS Mail Stop S2–22–16, 7500 Security Boulevard, Baltimore, Maryland 21244–1850.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The specific authority that authorizes the maintenance of the records in the system is given under § 1902(a)(6) of the Social Security Act (the Act) (42 United States Code (U.S.C.) 1396a (a)(6)), § 4753(a) (1396a (i)(1)(B)) of the Balanced Budget Act of 1997 (Public Law (Pub. L. 105–33)), § 4201 of the American Reinvestment and Recovery Act of 2009 (ARRA) (Pub. L. 111–5), and in accordance with §§ 402(c), 1561, 2602, 4302, 6402(c), 6504(a), 6504(b) of the Patient Protection and Affordable Care Act (ACA) (Pub. L. 111–148).

PURPOSE(S) OF THE SYSTEM:

The primary purpose of the system is to establish an accurate, current, and comprehensive database containing standardized enrollment, eligibility, and paid claims of Medicaid recipients to be used for the administration of Medicaid at the Federal level, produce statistical reports, support Medicaid related research, and assist in the detection of fraud and abuse in the Medicare and Medicaid programs. T–MSIS will also provide benefits to the states by reducing the number of reports CMS requires of the states, provides data needed to improve beneficiary quality of care, assess beneficiary to care and enrollment, improve program integrity, and support our states, the private market, and stakeholders with key information.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records in this system of records are about the following categories of individuals:
• Medicaid recipients (including individuals in the dual eligible population, individuals enrolled in the CHIP program, and non-Medicare individuals);
• Medicaid providers (i.e., physicians and providers of healthcare services to the Medicaid and CHIP population);
• Any non-Medicare individuals whose information is contained in a record about a Medicaid recipient or Medicaid provider;
• Third party data submitters; i.e., third party administrators or independent insurance company personnel who are required to report claims information pertaining to Medicaid recipients, and
• Contact persons such as parents and guardians of Medicare recipients who are minors, CHIP recipients, and non-Medicare individuals.

CATEGORIES OF RECORDS IN THE SYSTEM:

A. The system of records consists of the following categories of records, which contain information about Medicaid recipients and Medicaid providers, and non-Medicaid individuals and contact persons for CHIP recipients and non-Medicare population.
• Original MSIS files:
  ○ Eligibility files
  ○ Claims files (for inpatient claims, long-term care claims, pharmacy claims, and other claims).
• New Files added to T–MSIS database:
  ○ Third-party liability
  ○ information from managed care plans
  ○ providers
• New T–MSIS analytic files (TAF):
  ○ Beneficiary files (monthly beneficiary summary, annual beneficiary summary);
  ○ claims files (for inpatients claims, long-term care claims, pharmacy claims, and other claims);
  ○ providers of healthcare services to the Medicaid and CHIP population); and
  ○ Managed Care Plans

B. Information about Medicaid recipients, includes data elements such as name, address, assigned Medicaid identification number, SSN, Medicare beneficiary identifier (MBI), date of birth, gender, ethnicity and race, medical services, equipment, and supplies for which Medicaid reimbursement is requested. Information will also include the recipient’s individually identifiable health information, i.e., health care utilization and claims data, health insurance claim number (HICN), Medicare beneficiary identifier (MBI), and SSN.

Information about Medicaid providers in the above records includes data elements such as contact information (such as the provider’s name, address, phone number, email address, date of birth, business address, TIN/EIN, national provider identifier (NPI), SSN, prescriber identification number, and other assigned clinician numbers) and information about health care services the clinician provided to Medicare recipients and the measures and activities the clinician used in providing the services.

Information about any non-Medicaid individuals would include data elements such as those listed above for Medicaid recipients such as name, address, phone number, email address, and SSN or other identifying number.

Information about contact persons for CHIP recipients and non-Medicare individuals includes data elements such as name, address, phone number, email address, TIN/EIN, or other identifying number.

RECORD SOURCE CATEGORIES:

Information in the system of records is obtained from State Medicaid agencies or Territories, which collect the information directly from Medicaid recipients or their authorized representatives (such as parents and guardians of Medicare recipients who are minors or from Medicaid providers).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

A. The agency may disclose a record about an individual Medicaid recipient or Medicaid provider from this system of records to parties outside HHS, without the individual’s prior written consent, pursuant to these routine uses:

1. To support agency contractors, and consultants who have been engaged by the agency to assist in the performance

CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records.

6. To a CMS contractor (including, but not necessarily limited to fiscal intermediaries and carriers) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, and abuse in such program.

7. To another Federal agency or to an

10. Records may be disclosed to the U.S. Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from Federal government computer networks to prevent a variety of types of cybersecurity incidents.

B. Additional Circumstances Affecting Routine Use Disclosures: To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 Code of Federal Regulations (CFR) Parts 160 and 164, Subparts A and E), disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the
                                                                                                       instrumentality of any governmental                   ‘‘Standards for Privacy of Individually
                                               of a service related to the collection and                                                                    Identifiable Health Information’’ (see 45
                                               who need to have access to the records                  jurisdiction within or under the control
                                                                                                       of the United States (including any State             CFR 164.512(a)(1)).
                                               in order to perform the activity.                                                                                The disclosures authorized by
                                                  2. To assist another Federal or state                or local governmental agency), that
                                                                                                                                                             publication of the above routine uses
                                               agency, agency of a state government, an                administers, or that has the authority to
                                                                                                                                                             pursuant to 5 U.S.C. 552a(b)(3) are in
                                               agency established by state law, or its                 investigate potential fraud, waste, and
                                                                                                                                                             addition to other disclosures authorized
                                               fiscal agent to:                                        abuse in, a health benefits program
                                                                                                                                                             directly in the Privacy Act at 5 U.S.C.
                                                  a. Contribute to the accuracy of CMS’                funded in whole or in part by Federal
                                                                                                                                                             552a(b)(2) and (b)(4)–(11).
                                               proper management of Medicare/                          funds, when disclosure is deemed
                                               Medicaid benefits;                                      reasonably necessary by CMS to                        POLICIES AND PRACTICES FOR STORAGE OF
                                                  b. Enable such agency to administer a                prevent, deter, discover, detect,                     RECORDS:

                                               Federal health benefits program, or as                  investigate, examine, prosecute, sue                    All records are stored on computer
                                               necessary to enable such agency to                      with respect to, defend against, correct,             diskette, and magnetic media.
                                               fulfill a requirement of a Federal statute              remedy, or otherwise combat fraud,
                                                                                                                                                             POLICIES AND PRACTICES FOR RETRIEVAL OF
                                               or regulation that implements a health                  waste, and abuse in such programs.
                                                                                                                                                             RECORDS:
                                               benefits program funded in whole or in                     8. Records may be disclosed to
                                                                                                                                                               The data collected on Medicaid
                                               part with Federal funds; and/or                         appropriate agencies, entities, and
                                                                                                                                                             recipients, Medicare beneficiaries (and
                                                  c. Assist Federal/state Medicaid                     persons when (a) HHS suspects or has
                                                                                                                                                             any non-Medicare individuals) are
                                               programs.                                               confirmed that there has been a breach
                                                                                                                                                             retrieved by the individual’s name,
                                                  3. To assist another Federal or state                of the system of records; (b) HHS has
                                                                                                                                                             Medicare beneficiary identifier (MBI),
                                               agency, agency of a state government, an                determined that as a result of the
                                                                                                                                                             health insurance claim number (HICN),
                                               agency established by state law, or its                 suspected or confirmed breach there is
                                                                                                                                                             SSN, address, and date of birth. The
                                               fiscal agent to enable such agency to                   a risk of harm to individuals, HHS
                                                                                                                                                             data collected on physicians or
                                               administer a Federal benefits program,                  (including its information systems,
                                                                                                                                                             providers of services will be retrieved
                                               or as necessary to enable such agency to                programs, and operations), the Federal
                                                                                                                                                             by the provider’s name, address, NPI,
                                               fulfill a requirement of a Federal statute              government, or national security; and (c)
                                                                                                                                                             TIN/EIN and other identifying provider
                                               or regulation funded in whole or in part                the disclosure made to such agencies,
                                                                                                                                                             numbers. Information about third party
                                               with Federal funds.                                     entities, and persons is reasonably
                                                                                                                                                             data submitters who are individuals will
                                                  4. To an individual or organization for              necessary to assist in connection with
                                                                                                                                                             be retrieved by name, address, and TIN/
                                               a research project or in support of an                  HHS’ efforts to respond to the suspected
                                                                                                                                                             EIN. Records about contact persons will
                                               evaluation project related to the                       or confirmed breach or to prevent,
                                                                                                                                                             be retrieved by name, email address and
                                               prevention of disease or disability, the                minimize, or remedy such harm.
                                                                                                                                                             business address.
                                               restoration or maintenance of health, or                   9. Records may be disclosed to
                                               payment related projects.                               another Federal agency or Federal                     POLICIES AND PRACTICES FOR RETENTION AND
                                                  5. To the Department of Justice (DOJ),               entity, when HHS determines that                      DISPOSAL OF RECORDS:
                                               court or adjudicatory body when:                        information from this system of records                  CMS will retain identifiable T–MSIS
                                                  a. The agency or any component                       is reasonably necessary to assist the                 data for a total period not to exceed 10
                                               thereof;                                                recipient agency or entity in (a)                     years after the final determination of the
                                                  b. Any employee of the agency in his                 responding to a suspected or confirmed                case is completed. The final
                                               or her official capacity;                               breach or (b) preventing, minimizing, or              determination decision encompass the
daltland on DSKBBV9HB2PROD with NOTICES




                                                  c. Any employee of the agency in his                 remedying the risk of harm to                         potential timeframe it takes for a claims
                                               or her individual capacity where the                    individuals, the recipient agency or                  to be finalized as States can sometimes
                                               DOJ has agreed to represent the                         entity (including its information                     send incomplete claims data or claims
                                               employee; or                                            systems, programs, and operations), the               not yet fully covered due to dispute or
                                                  d. The United States Government is a                 Federal government, or national                       other considerations for Medicaid
                                               party to litigation or has an interest in               security, resulting from a suspected or               eligibility. Any claims-related records
                                               such litigation, and by careful review,                 confirmed breach.                                     encompassed by a document



preservation order may be retained longer (i.e., until notification is received from the Department of Justice).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

   CMS has safeguards in place to prevent records from being accessed by unauthorized persons and monitors authorized users to ensure against excessive or unauthorized use. Examples of these safeguards include but are not limited to: Protecting the facilities where records are stored or accessed with security guards, badges and cameras, securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours, limiting access to electronic databases to authorized users based on roles and two-factor authentication (user ID and password), using a secured operating system protected by encryption, firewalls, and intrusion detection systems, requiring encryption for records stored on removable media, and training personnel in Privacy Act and information security requirements. Records that are eligible for destruction are disposed of using destruction methods prescribed by NIST SP 800–88. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in the system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems, and to prevent unauthorized access.

   The Information Technology (IT) system used to house the records conforms to all applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: The Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Federal Information Security Modernization Act of 2014; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002; the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003; and the corresponding implementing regulations.

   OMB Circular A–130, Management of Federal Resources, and Security of Federal Automated Information Resources also applies to the SOR. Federal, HHS, and CMS policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications; the HHS Information Security and Privacy Policy Handbook (IS2P), the CMS Acceptable Risk Safeguards (ARS), and the CMS Information Security and Privacy Policy (IS2P2).

RECORD ACCESS PROCEDURES:

   An individual seeking access to a record about him/her in this system of records must submit a written request to the System Manager indicated above. The request must contain the individual’s name and particulars necessary to distinguish between records on subject individuals with the same name, such as NPI or TIN, and should also reasonably specify the record(s) to which access is sought. To verify the requester’s identity, the signature must be notarized or the request must include the requester’s written certification that he/she is the person he/she claims to be and that he/she understands that the knowing and willful request for or acquisition of records pertaining to an individual under false pretenses is a criminal offense subject to a $5,000 fine.

CONTESTING RECORD PROCEDURES:

   Any subject individual may request that his/her record be corrected or amended if he/she believes that the record is not accurate, timely, complete, or relevant or necessary to accomplish a Department function. A subject individual making a request to amend or correct his record shall address his request to the System Manager indicated, in writing, and must verify his/her identity in the same manner required for an access request. The subject individual shall specify in each request: (1) The system of records from which the record is retrieved; (2) The particular record and specific portion which he/she is seeking to correct or amend; (3) The corrective action sought (e.g., whether he/she is seeking an addition to or a deletion or substitution of the record); and, (4) His/her reasons for requesting correction or amendment of the record. The request should include any supporting documentation to show how the record is inaccurate, incomplete, untimely, or irrelevant.

NOTIFICATION PROCEDURES:

   Individuals wishing to know if this system contains records about them should write to the System Manager indicated above and follow the same instructions under Record Access Procedures.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

   None.

HISTORY:

   • Medicaid Statistical Information System (MSIS), System No. 09–07–0541 last published in full at 71 FR 65527 (Nov. 8, 2006), as amended 78 FR 32257 (May 29, 2013), and updated 83 FR 6591 (Feb. 14, 2018).

[FR Doc. 2018–20063 Filed 9–14–18; 8:45 am]
BILLING CODE 4120–03–P

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Administration for Children and Families

Submission for OMB Review; Comment Request

   Title: How TANF Agencies Support Families Experiencing Homelessness.

   OMB No.: New Collection.

   Description: The Office of Planning, Research, and Evaluation (OPRE), Administration for Children and Families (ACF) at the U.S. Department of Health and Human Services (HHS) is conducting the, “How TANF Agencies Support Families Experiencing Homelessness,” project through a contract with Abt Associates in partnership with MEF Associates. This project will assist HHS in understanding the extent to which TANF agencies across the country are using TANF funds to serve and support families experiencing or at risk of homelessness. It also will document the approaches and strategies used by TANF agencies to serve these families. We are seeking OMB approval for four elements of the study: (1) The TANF Administrator Web Survey (tailored for both state and county respondents), (2) a Site Visit Discussion Guide for TANF staff, (3) a Site Visit Discussion Guide for Staff at Continuums of Care (CoC)/Partner Organizations, and (4) a Site Visit Focus Group Guide.

   TANF Administrator Web Survey. We will administer an online survey to all state and territory TANF administrators as well as a selection of three county TANF administrators from each state. The survey will collect information about the agencies’ overall approaches toward addressing family homelessness and the extent to which TANF funds, assessments, tools, additional services, and partners are used in these efforts.

   Discussion protocols during site visits to TANF agencies. The study team will visit five purposefully selected TANF agencies. During these two-day visits, the project staff will use the Site Visit Discussion Guide for TANF Staff to conduct interviews with TANF office staff, use the Site Visit Focus Group





Document Created: 2018-09-15 01:37:13
Document Modified: 2018-09-15 01:37:13
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7:, GS 4.107:, AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice of a modified system of records.
Dates: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable September 17, 2018, subject to a 30-day period in which to comment on the routine uses. Submit any comments by October 17, 2018.
Contact: General questions about the system of records may be submitted to Darlene Anderson, Health Insurance Specialist, Data and Systems Group, Center for Medicaid and CHIP Services (CMCS), CMS, Mail Stop S2-22-16, 7500 Security Boulevard, Baltimore, MD 21244, Telephone 410-786-9828 or email to [email protected]
FR Citation: 83 FR 46951
