SUPPORTING STATEMENT
CROWNWeb Authentication Service (CAS)
(CMS-10267)
A. Background
The Office of Clinical Standards and Quality (OCSQ) is replacing two legacy applications that collect information for the CMS-2728 End Stage Renal Disease Medical Evidence Report Medicare Entitlement and/or Patient Registration (OMB No. 0938-0046) and the CMS-2746 ESRD Death Notification (OMB No. 0938-0448). The new system, replacing these two legacy applications, is known as the “Consolidated Renal Operations in a Web Enabled Network (CROWNWeb).” CROWNWeb is the system that is mandated for the Final Rule published April 15, 2008, with the title “Medicare and Medicaid Programs Conditions for Coverage for End-Stage Renal Disease Facilities.” Due to the sensitivity of the data available in CROWNWeb, CMS must ensure that only authorized dialysis facility and ESRD Network Organization personnel have access to CROWNWeb data and that only data pertaining to their own patients is available to facility personnel. The CROWNWeb Authentication System (CAS) is the system that will be used in creating and maintaining these CROWNWeb user accounts.
B. Justification
1. Need and Legal Basis
The need and legal basis information provided by the CMS Information Security Officer (ISSO) is listed below. Since the CAS account form is for the collection of personally identifiable information and the assignment of CROWNWeb system privileges, the web pages referenced below govern User Identification (need for, creation of, care of, handling of, preservation, authentication, storage, association, and authorization).
http://www.cms.hhs.gov/InformationSecurity/12_Laws_Regs.asp
http://csrc.nist.gov/publications/PubsFIPS.html (particularly FIPS 198, 199 and 201-1)
http://csrc.nist.gov/publications/PubsSPs.html (particularly SP 800-53 Rev 2)
http://csrc.nist.gov/publications/PubsByLR.html (SP 800-63 V1.0.2)
2. Information Users
The CROWNWeb Authentication Service (CAS) application must be completed by any person needing access to the CROWNWeb system, which includes CMS employees, ESRD Network Organization staff, and dialysis facility staff. The CROWNWeb system is the collection point for data necessary for entitlement of ESRD patients to Medicare benefits and for Federal Government monitoring and assessment of the quality and type of care provided to renal patients. The data collected in CAS will provide the necessary security measures for creating and maintaining active CROWNWeb user accounts and for collecting the audit trail information required by the CMS Information Security Officers (ISSO). The total active CAS accounts are expected to reach 13,000.
3. Improved Information Technology
The CAS system will greatly improve the creation and maintenance of active CROWNWeb user accounts because it allows the security administrators governing these user accounts to be closer to their public. There is also a separation of duties to ensure security measures are met. CMS approves ESRD networks, and networks approve the facilities that they monitor. An approved facility and network manager must approve the applicant’s request by signing the access form, and the applicant’s identity must also be verified by a notary. The security administrator creates the account, but the actual activation of the account is performed by the help desk staff after verifying that the necessary approvals and procedures have been followed. Because this process is automated and handled in a web-based system, it is quicker. Account violations can also be identified and dealt with more quickly, thus improving system security. Annual recertification processes and additional security features required by the CMS ISSO have also been incorporated.
Since digital signatures are not available in the CAS system, the form must be completed by the applicant, signed/approved by their manager, and notarized. The form must be kept on file at the CAS help desk once the account is activated.
4. Duplication of Similar Information
Since the CAS account form collects not only applicant information but also roles and access specific to the CROWNWeb system, there is no other form in place or system available to collect this information. Also, the user community of the CROWNWeb application, specifically the ESRD networks and dialysis facilities, is specific to CROWNWeb, so their personal information is not available in other CMS identity management systems.
5. Small Businesses
A small business would be described as a provider that is not a member of a chain organization and/or has a small dialysis patient population. These providers are legislatively required to maintain the same patient information and to report on this information in the same manner as all other providers of renal services. The ESRD networks will enter the accounts for smaller facilities that do not have the staff size to handle the separation of duties or the data entry burden. Also, a limited number of approved CMS staff have access rights to assist with the Security Administrator data entry burden should assistance be requested and authorization be provided by the ESRD Networks or dialysis facilities.
6. Less Frequent Collection
Due to the sensitivity of the data within CROWNWeb, the CAS Account form must be collected in order to ensure that only authorized dialysis facility and ESRD Network Organization personnel have access to CROWNWeb data and that only data pertaining to their own patients is available to facility personnel.
7. Special Circumstances
Only one CAS user account is created per CROWNWeb user and the recertification process is only performed annually.
There is no written response necessary in fewer than 30 days. The form, when completed, approved, and notarized, creates the user account.
Only the original signed and notarized copy of the CAS form is required. It is kept by one entity, the CAS help desk, which has the responsibility of activating the user account.
The form is required to be retained by the CAS Help Desk for 7 years.
The form has no connection to a statistical survey.
There are no requirements for statistical data classification.
Since the data collected on the CAS form contains personally identifiable information, confidentiality rules apply. We are following all the regulations mandated by the CMS Information Security Officer.
No trade secrets or confidential information is involved in this process.
8. Federal Register Notice/Outside Consultation
The CAS account form is required for identity and security management of individuals accessing the “Consolidated Renal Operations in a Web Enabled Network (CROWNWeb)” system. CROWNWeb is the system that is mandated for the Final Rule published April 15, 2008, with the title “Medicare and Medicaid Programs Conditions for Coverage for End-Stage Renal Disease Facilities.”
9. Payment/Gifts to Respondents
No payments or gifts are made to respondents.
10. Confidentiality
A confidentiality statement is provided on the CAS account form as it relates to the Privacy Act regulations.
11. Sensitive Questions
Personally identifiable information is requested on the CAS account form. The information collected on the CAS account form includes (asterisk denotes required fields):
Type of Request
*Create Account or Change Account or Disable Account
*Date Requested
*CROWNWeb User ID for change or disable
Personnel Information
Prefix
*First Name
Middle Initial
*Last Name
Suffix
*Personal Address
*Birthdate
Home Phone
Cell Phone
Identification Information
*Identification Used
*ID Number
*Issued By
*Expiration Date
Business Information
*Business Name
*Email Address
*Job Title
*Phone Number
Fax Number
*Business Address
*Approving Manager’s Name
*Manager’s Email Address
*Manager’s Job Title
*Manager’s Phone Number
CROWNWeb Access
*System Access Required for the Applicant’s Job Role
12. Burden Estimates (Total Hours & Wages)
Respondents for the 1st Year: 13,000
Completion Time: 30 minutes
Responses per year: 1 time effort
Total Burden: 6,500 (respondents x completion time)
Wages: $254,410 (total burden x hourly rate of $39.14)
Respondents for 2nd and 3rd Years: 1,300 per year (2,600 total)
Completion Time: 30 minutes
Responses per year: 1 time effort
Total Burden: 1,300 (respondents x completion time)
Wages: $50,882 (total burden x hourly rate of $39.14)
Note: $39.14 is the hourly rate of the RN staff nurse used in the Conditions for Coverage for ESRD Facilities Final Rule dated April 15, 2008.
Note: Breakdown for completion time -
5 minutes to complete form
5 minutes to obtain management approval signature
10 minutes to get form notarized
10 minutes for CAS SA to verify form and enter form data into CAS
Startup Mailing cost: $67,730 ($5.21 fee for USPS Certified/Return Receipt x 13,000 forms)
Annual Mailing cost: $6,773 ($5.21 fee for USPS Certified/Return Receipt x 1,300 forms)
All forms must be mailed USPS certified/return receipt to the CAS help desk and the System Administrator (SA) when the SA is not co-located with the applicant. Only 10% additional forms are expected yearly (5% due to change and 5% new users).
13. Capital Costs
No capital costs are expected since the data entry collection system is a web-based system. The security administrators, who are responsible for entering the CAS account forms, only need a computer that has internet access.
14. Cost to the Federal Government
The CAS help desk facility, which will verify, activate, and maintain CAS account forms and provide CMS-requested audit reporting, will be contracted out. The expected annual cost to the Federal Government is approximately $324,000.
15. Changes to Burden
Since this is a new information collection, the initial cost will be much higher than the annual costs because it includes the creation of 13,000 CROWNWeb user accounts. The yearly account creation and form updates for subsequent years are expected to be 1,300 forms. The maintenance cost lies in the help desk support, which is not expected to change. It is anticipated that the CAS help desk cost will remain at $324,000.
16. Publication and Tabulation Dates
The information collected on the CAS Account Form is used solely for the creation and maintenance of CROWNWeb user accounts.
17. Expiration Date
CMS would like an exemption from displaying the expiration date as these forms are used on a continuing basis. To include an expiration date would result in having to discard a potentially large number of forms.
18. Certification Statement
There are no exceptions to the certification statement.
File Type | application/msword |
Author | HCFA Software Control |
Last Modified By | CMS |
File Modified | 2008-06-02 |
File Created | 2008-06-02 |