OWCP Central Bill Process (CBP)
In accordance with Department of Labor (DOL) guidelines, the Office of Workers' Compensation Programs (OWCP) conducted a Privacy Impact Assessment (PIA) on the Central Bill Process (CBP).
The CBP services are supported by seven components: the CBP major application (MA), Achieve and Omnitrack, Trading Partner Management System (TPMS), Prescription Benefits Management (PBM), Stored Information Retrieval (SIR), Web Portal, and DOL Strategic Business Unit (DOL SBU).
OWCP, in conjunction with the Office of the Chief Information Officer (OCIO), has determined that CBP processes privacy information from other OWCP Privacy Act systems of records. As such, this document has been prepared to describe the information collected by CBP; what it is used for; who has access to the information; how the information can be corrected; and in general terms how the information is secured.
The CBP outsourced business process is used by the Office of Workers' Compensation Programs (OWCP), located in Washington, D.C. CBP is managed by OWCP/Division of Administration and Operations (DAO) and provides bill processing services for three OWCP Programs: Division of Federal Employees' Compensation (DFEC); Division of Coal Mine Workers' Compensation (DCMWC); and Division of Energy Employees Occupational Illness Compensation (DEEOIC). The three Programs have district offices (DOs) as follows:
The DFEC DOs are located in Boston, MA; New York, NY; Philadelphia, PA; Jacksonville, FL; Cleveland, OH; Chicago, IL; Kansas City, MO; Dallas, TX; Denver, CO; San Francisco, CA; Seattle, WA; Washington, DC and Hearings and Reviews. The DOs process compensation claims and medical bills, and authorize wage replacement and medical benefits.
The DCMWC DOs are located in Johnstown, PA; Greensburg, PA; Charleston, WV; Parkersburg, WV; Pikeville, KY; Mount Sterling, KY; Columbus, OH and Denver, CO.
The DEEOIC DOs are located in Jacksonville, FL; Cleveland, OH; Denver, CO and Seattle, WA. In addition, there is an office of the Final Adjudication Branch in Washington, DC.
The CBP contractor manages four (4) Centers. The Centers are located in Pittsburgh, PA (data), London, KY (mail and image processing), Tallahassee, FL (bill processing), and Atlanta, GA (data). Bill processing data is processed by personnel in Tallahassee where fee schedules are applied, duplicate edits against archival history are conducted, and a payment tape is prepared for transmission to the Treasury Department.
This PIA covers the entire CBP outsourced business process, but does not cover the entire compensation process for the three programs involved. Those are addressed in the PIAs for each major application supporting the program offices.
The DOL, in compliance with federal privacy laws, regulations, and directives, is responsible for ensuring that personally identifiable information (PII) that Department agencies collect, store, and transmit is properly protected.
CBP is a business process contracted out by the OWCP. The contractor wholly owns, manages, and operates the environments and automated tools that support OWCP's outsourced process and conducts similar operations for other clients.
CBP operations process medical bills, support the prior authorization of services, and respond to inquiries related to medical services from claimants and providers. CBP operations support three of OWCP's programs: Division of Federal Employees' Compensation (DFEC), Division of Energy Employees Occupational Illness Compensation (DEEOIC), and Division of Coal Mine Workers' Compensation (DCMWC).
Characterization of the Information
CBP collects PII on:
- Individuals filing claims for black lung (pneumoconiosis) benefits under the provisions of Black Lung Benefits Act, as amended, including miners, and their surviving spouses, children, dependent parents and siblings;
- Individuals and/or their survivors who file claims seeking benefits under the Federal Employees' Compensation Act (FECA) by reason of injuries sustained while in the performance of duty. The FECA applies to all civilian federal employees, including various classes of persons who provide or have provided personal service to the government of the United States, and to other persons as defined by law such as state or local law enforcement officers, and their survivors, who were injured or killed while assisting in the enforcement of federal law. In addition, the FECA covers employees of the Civil Air Patrol, Peace Corps Volunteers, Job Corps students, Volunteers in Service to America, members of the National Teacher Corps, certain student employees, members of the Reserve Officers Training Corps, certain former prisoners of war, and employees of particular commissions and other agencies.
- Insurance carriers or employers who file claims seeking reimbursement under the War Hazards Compensation Act (WHCA) for injuries to qualified overseas employees which "proximately results from a war risk hazard." The employees are typically those covered by the Defense Base Act, the Non-Appropriated Fund Instrumentalities Act, those employed directly by the United States, and those providing welfare or similar services for the Armed Forces of the United States. DFEC pays benefits in accordance with the Division of Longshore and Harbor Workers' Compensation's (DLHWC) compensation order. If a claim for reimbursement is accepted under the WHCA, DFEC can pay the individual and/or the survivor directly, rather than make payments to the insurance company or employer. The War Hazards Compensation Act also applies to persons: detained by hostile forces; missing under circumstances supporting an inference that the absence is a result of belligerent action; or marooned due to the failure of the United States or its contractors to repatriate them. If a detention benefit claim is accepted under the WHCA, DFEC can pay part of the benefit directly to the employee's dependents. The injury must occur outside the United States, and the employee must not be an active-duty member of the Armed Forces.
- Individuals or their survivors who claim benefits under the Energy Employees Occupational Illness Compensation Program Act (EEOICPA). These individuals include, but are not limited to, federal employees or survivors of federal employees; employees or survivors of employees of the Department of Energy, its predecessor agencies, and their contractors and subcontractors; and members of the armed forces.
In addition to these individuals, the system contains records of medical providers, attorneys representing claimants, coal mine operators (workers' compensation insurance carriers), rehabilitation counselors, nurses, and other health care professionals who provide information in support of compensation claims.
What are the sources of the PII in the information system?
PII is provided to the agency in a variety of ways including:
- Forms submitted either by the individual claimant or their employer/agency. These include forms: CA-1, CA-2, CM-911, CM-912, EE-1, and EE-2.
- Medical bills and other medical records and evaluations provided by a variety of health care professionals including physicians, hospitals, rehabilitation centers, and nurses.
- Employment data provided by employers, unions and other federal agencies.
- Communication between attorneys representing claimants and the agency.
- Other records of communication including notes on phone calls, letters, etc.
Not all documents that are part of the compensation claims process are part of the central bill payment process. As its name indicates, the Central Bill Process focuses on the payment of medical bills that have been submitted on behalf of claimants.
What is the PII being collected, used, disseminated, or maintained?
- First and/or last name
- Date of birth
- Social Security Number (SSN)
- Residential address
- Personal phone numbers (e.g., phone, fax, cell)
- Mailing address (e.g., P.O. Box)
- Personal E-Mail address
- Business Address (Non-sensitive PII)
- Business E-Mail address
- Medical information including physician's notes
- Medical record number
- Financial Account Information and/or Numbers
- Certificates (e.g., birth, death, marriage)
- Legal documents or notes (e.g., divorce decree, criminal records)
- Tax ID / EIN
How is the PII collected?
The contractor receives paper and electronic medical bills from medical providers, claimants, and District Offices. They also receive paper and electronic pharmacy bills from providers and claimants. Contract staff prepares and organizes these documents at the contractor facilities. The images of the documents are stored on a server. All inbound and outbound call reference notes are also transcribed and are available electronically to support the bill payment process. A secured Web portal is provided to allow providers and claimants on-line read-only access to information about their claims.
Some information from case forms that were described above is received by CBP from the OWCP program office systems electronically for the purpose of establishing the claimant records in CBP.
How will the information be checked for accuracy?
The images of the documents received by the contractor are electronically indexed, verified, and quality checked before being transmitted to DOL and to the contractor State Healthcare for adjudication and payment processing. The CBP also has a series of data entry edit checks that help to ensure accuracy. Additionally, data is reviewed for accuracy routinely by the contractor's staff.
What specific legal authorities, arrangements, and/or agreements defined the collection of information?
The information CBP processes is gathered under OWCP's authority, which is given through the following:
(1) OWCP has been authorized by Congress (Public Law 103-333: Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act, 108 Stat. 2539, September 30, 1994) to require persons who file notices of injury and/or claims for compensation under the FECA and its extensions to disclose certain identifying information, including SSN. Consequently, applicable regulations concerning the filing of a notice of injury and claim for compensation, including 20 C.F.R. §§ 10.100 (traumatic injury), 10.101 (occupational disease), and 10.105 (death), have been amended to expressly require the reporting of the injured worker's SSN. These regulations were published on November 25, 1998, and were effective January 4, 1999. See 63 F.R. 65284.
(2) OWCP has been authorized by Congress (Public Law 92-303: Act to amend the Federal Coal Mine Health and Safety Act of 1969) to require persons who file notices of injury and/or claims for compensation under the Black Lung Benefits Act of 1972 and its extensions to disclose certain identifying information, including SSN. Consequently, applicable regulations, including 20 CFR 702.202 concerning the employer's report of an employee's injury or death, have been amended to expressly require the reporting of the injured worker's SSN. The amended regulations are contained in the Federal Register dated December 23, 1993 (58 FR 68032).
(3) OWCP has been authorized by Congress (Public Law 106-398: National Defense Authorization, Fiscal Year 2001) to require persons who file notices of injury and/or claims for compensation under the Energy Employees Occupational Illness Compensation Act of 2000 and its extensions to disclose certain identifying information, including SSN. Consequently, applicable regulations, including 20 CFR 702.202 concerning the employer's report of an employee's injury or death, have been amended to expressly require the reporting of the injured worker's SSN. The amended regulations are contained in the Federal Register dated December 23, 1993 (58 FR 68032).
Privacy Impact Analysis
There are many potential risks when medical information is recorded about an individual, such as identity theft, refusal of certain types of insurance coverage if the medical information became public, and loss of employment. The OWCP understands its obligation to safeguard this information to prevent any of these risks from being realized. In contracting out the medical bill payment function, the OWCP has required the contractor's operation to be in full compliance with Federal security guidance to ensure proper safeguards are in place to prevent the accidental release of information that has been entrusted to the organization. Throughout the remainder of this document, examples of those safeguards are explained to illustrate this commitment to preventing PII from being compromised.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
Describe all the uses of the PII
CBP uses the collected PII as critical information for the purposes of identifying claimants, providers and making payment determinations based on personal medical information.
CBP operations provide the following functions which in some part depend on PII:
- Input and process bills
- Provide remittance advice to providers and claimants
- Provide working-hour support to claimants and providers for inquiries and appeals
- Provide electronic file of approved payments to OWCP for transmission to the Treasury Department
- Provide medical review recommendations to Claims Examiner for prior authorization requests and appeals related to accepted conditions
- Provide assistance to DOL/OWCP in using ICD-9 nomenclature to ensure the specificity and accuracy of ICD-9 codes assigned as accepted conditions
- Provide statistics for quality reviews including utilization review and fraud and abuse detection
- Manage and track correspondence and inquiries
- Maintain interfaces as defined by DOL/OWCP
- Maintain, retain, and make available bill payment history as needed by the programs
- Provide timely and accurate reports to OWCP
Bill processing data is transmitted to a central location where fee schedules are applied, duplicate edits against archival history are conducted, and a payment tape is prepared for transmission to the Treasury Department.
What types of tools are used to analyze data and what type of data may be produced?
Data mining and some pattern recognition are used to look for instances of potential fraud, as well as for reporting purposes, i.e., to determine if performance goals are being met.
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
The system provides images of existing data (bills, correspondence), adjudicates bills for payment determination, and transmits payment files for federal certification.
If the system uses commercial or publicly available data, please explain why and how it is used.
CBP uses the following medical code reference files obtained from third party vendors to adjudicate the bill for payment determination:
- International Classification of Diseases, version 9 (ICD-9)
- Diagnoses Related Group (DRG)
- Current Procedural Terminology System (CPTS)
- Health Care Common Procedural Coding System (HCPCS)
- National Drug Codes (NDC)
Privacy Impact Analysis
All system users are required to read and sign the Rules of Behavior before being granted access to the system. CBP uses least privilege principles to ensure that only those who need access to the data to fulfill the agency's mission are given access in addition to the authentication controls discussed above.
The system maintains only PII that is necessary and relevant to accomplish the purpose for which it is being collected.
The following questions are intended to outline how long information will be retained after the initial collection.
How long is information retained in the system?
Paper bills for DFEC, DCMWC and DEEOIC are converted to electronic images and records. Paper bills for DFEC and DCMWC are destroyed after 90 days.
Paper case records for DEEOIC are sent to the Federal Records Center (FRC) once they are eligible (five years after the case has been put in closed status). They are destroyed 20 years after the case is closed.
Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
The Archivist of the United States signed the "Request for Records Disposition Authority", Job Number: N1-271-02-01, on April 30, 2004, which includes DFEC and DCMWC. For DEEOIC, the Archivist of the United States signed the "Request for Records Disposition Authority", Job Number: N1-271-06-01, on October 12, 2010.
How is it determined that PII is no longer required?
The OWCP programs, under which PII records are collected and processed, are authorized by Congress to collect such information. Because these records are part of the official record that justifies the compensation decisions made by OWCP, they are required to be maintained as part of the audit record for the agency.
What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
PII is only stored on the system for a period of up to seven years. After that, non-active records are copied to tape and the archived records are stored at a separate backup facility.
Privacy Impact Analysis
The electronic records are secured with numerous security controls.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
Electronic case records can be requested by the following organizations outside of the OWCP program: the DOL Office of Inspector General (OIG) and the Office of the Chief Financial Officer (OCFO) for audit purposes; and the Office of the Solicitor (SOL) for litigation support.
How is the PII transmitted or disclosed?
Access to data is provided via "read only" auditor user accounts for temporary periods required by the auditors. If any PII has to be transmitted to an auditor, it is done through an encrypted E-Mail attachment, password protected E-Mail attachment, or CD.
Privacy Impact Analysis
The sharing of data with internal users is limited to SOL for litigation support, and to the OIG and OCFO and their designated auditors. All auditors are required to sign strict non-disclosure agreements, read and sign Rules of Behavior, and complete security screening before they are authorized to access any data. The information is shared with auditors and the SOL for civil or criminal law enforcement.
The PII is protected by encryption while it is transmitted from the contractor to OWCP.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
As part of its contract with OWCP, CBP prepares files for transmission to the U.S. Treasury for payments to be made. These payments are authorized and approved by the OWCP program office, so no transaction is completed without the intervention of authorized federal staff who confirm the payments.
Claimants and providers can access their own information via the Call Center or the Web Portal. PII is also shared with the DOL contracted providers: field nurses and Voc Rehab counselors. FECA users can access the Interactive Voice Response System (IVRS) to utilize bill status inquiry, claimant eligibility inquiry, and medical authorization inquiry functionality. Federal agencies under the FECA program can also access data on claims initiated by them through read-only access via the Web Portal.
Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
All collection and sharing of data is for the purpose of providing benefits to claimants. The process has been contracted out to facilitate the collection of medical bills and the payment of those bills. All the data in CBP is covered under the SORNs for the FECA, Black Lung and Energy programs as indicated above. CBP collects the initial claimant information based on the submission of bills. Bills collected by CBP are then entered. This bill data is then compared with claimant data. The integrated Federal Employees' Compensation (iFECS) Program electronically transmits claimant data to the Central Bill Process for bill and authorization processing.
How is the information shared outside the Department and what security measures safeguard its transmission?
CBP shares information only as authorized by DOL to facilitate bill processing services. Claimants and providers can access their own information via the Call Center or the Web Portal once their identity has been validated. Providers must be enrolled and have a valid user ID/password to reach a restricted page, where they can access PII for their specific claims. PII is also shared with the DOL contracted providers: field nurses and Voc Rehab counselors. FECA users can access the Interactive Voice Response System (IVRS) to utilize bill status inquiry, claimant eligibility inquiry, and medical authorization inquiry functionality.
Field Nurses and Voc Rehab counselors get data from DOL directly via the DOL Web Portal. The DOL Web Portal runs Secure Sockets Layer (SSL) encryption to protect data being transmitted to the specialist. This is the same secure access that providers and claimants utilize to view their specific data, identified by their case number or Provider ID.
The transmission of data to Treasury is done through a direct connection which includes two factor authentication and encryption of the data.
Privacy Impact Analysis
A contract between the U.S. Department of Labor and the contractor covers the external sharing of data.
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
Was notice provided to the individual prior to collection of PII?
Per the DFEC CA-1 and CA-2 forms on the DOL web site, the claimants are given notice that they have to provide this information if they wish to be eligible for OWCP benefits. Please see the disclaimer below, which was taken from the CA-1 and CA-2 forms:
"In accordance with the Privacy Act of 1974, as amended (5 U.S.C. 552a), you are hereby notified that: (1) The Federal Employees' Compensation Act, as amended and extended (5 U.S.C. 8101, et seq.) (FECA) is administered by the Office of Workers' Compensation Programs of the U.S. Department of Labor, which receives and maintains personal information on claimants and their immediate families. (2) Information which the Office has will be used to determine eligibility for and the amount of benefits payable under the FECA, and may be verified through computer matches or other appropriate means. (3) Information may be given to the Federal agency which employed the claimant at the time of injury in order to verify statements made, answer questions concerning the status of the claim, verify billing, and to consider issues relating to retention, rehire, or other relevant matters. (4) Information may also be given to other Federal agencies, other government entities, and to private-sector agencies and/or employers as part of rehabilitative and other return-to-work programs and services. (5) Information may be disclosed to physicians and other health care providers for use in providing treatment or medical/vocational rehabilitation, making evaluations for the Office, and for other purposes related to the medical management of the claim. (6) Information may be given to Federal, state and local agencies for law enforcement purposes, to obtain information relevant to a decision under the FECA, to determine whether benefits are being paid properly, including whether prohibited dual payments are being made, and, where appropriate, to pursue salary/administrative offset and debt collection actions required or permitted by the FECA and/or the Debt Collection Act. (7) Disclosure of the claimant's social security number (SSN) or tax identifying number (TIN) on this form is mandatory. The SSN and/or TIN, and other information maintained by the Office, may be used for identification, to support debt collection efforts carried on by the Federal government, and for other purposes required or authorized by law. (8) Failure to disclose all requested information may delay the processing Note: This notice applies to all forms requesting information that you might receive from the Office in connection with the processing and adjudication of the claim you filed under the FECA."
Per the DCMWC CM-911 and CM-912 forms on the DOL web site, the claimants are given notice that they have to provide this information if they wish to be eligible for OWCP benefits. Please see the disclaimer below, which is from the CM-911 and CM-912 forms:
"In accordance with the Privacy Act of 1974, as amended (5 U.S.C. 552a), you are hereby notified that: (1) the Black Lung Benefits Act (BLBA) (30 U.S.C. 901 et seq.), as amended, is administered by the Office of Workers' Compensation Programs (OWCP) of the U.S. Department of Labor, which receives and maintains personal information, relative to this application, on claimants and their immediate families; (2) information obtained by OWCP will be used to determine eligibility for the amount of benefits payable under the BLBA; (3) information may be given to coal mine operators potentially liable for payment of the claim, or to the insurance carrier or other entity which secured the operator's compensation liability; (4) information may be given to the physicians or medical service providers for use in providing treatment, making evaluations and for other purposes relating to the medical management of the claim; (5) information may be given to the Department of Labor's Office of Administrative Law Judges, or other person, board or organization, which is authorized or required to render decisions with respect to the claim or other matters arising in connection with the claim; (6) information may be given to Federal, state or local agencies for law enforcement purposes, to obtain information relevant to a decision under the BLBA, to determine whether benefits are being or have been paid properly, and, where appropriate, to pursue administrative offset and/or debt collection actions required or permitted by law; (7) disclosure of the claimant's Social Security Number (SSN) or tax identifying number (TIN) on this form is voluntary, and the SSN and/or TIN and other information maintained by the OWCP may be used for identification and for other purposes authorized by law; (8) failure to disclose all requested information may delay the processing of this claim or the payment of benefits, or may result in an unfavorable decision or reduced level of benefits."
Per the DEEOIC EE-1 and EE-2 forms on the DOL web site, the claimants are given notice that they have to provide this information if they wish to be eligible for OWCP benefits. Please see the disclaimer below, which is from the EE-1 and EE-2 forms:
"In accordance with the Privacy Act of 1974, as amended (5 U.S.C. 552a), you are hereby notified that: (1) The Energy Employees Occupational Illness Compensation Program Act (42 U.S.C. 7384 et seq.) (EEOICPA) is administered by the Office of Workers' Compensation Programs of the U.S. Department of Labor, which receives and maintains personal information on claimants and their immediate families. (2) Information which the Office has received will be used to determine eligibility for, and the amount of, benefits payable under EEOICPA, and may be verified through computer matches or other appropriate means. (3) Information may be given to the Federal agencies or private entities that employed the claimant at the time of injury in order to verify statements made, answer questions concerning the status of the claim, verify billing, and to consider other relevant matters. (4) Information may be disclosed to physicians and other health care providers for use in providing treatment or medical rehabilitation, making evaluations for the Office of Workers' Compensation Programs and for other purposes related to the medical management of the claim. (5) Information may be given to Federal, state, and local agencies for law enforcement purposes, to obtain information relevant to a decision under the EEOICPA, to determine whether benefits are being paid properly, including whether prohibited payments have been made, and, where appropriate, to pursue salary/administrative offset and debt collection actions required or permitted by the Debt Collection Act. (6) Disclosure of the claimant's social security number (SSN) or tax identification number (TIN) is mandatory. The SSN or TIN, and other information maintained by the Office, may be used for identification, to support debt collection efforts carried on by the Federal government, and for other purposes required or authorized by law. (7) Failure to disclose all requested information may delay the processing of the claim or the payment of benefits, or may result in an unfavorable decision."
Do individuals have the opportunity and/or right to decline to provide information?
Yes, OWCP has the following statements included in our claimant forms which are shared by all three programs.
Claim for Medical Reimbursement form OWCP 915 OMB No. 1240-0007
"I certify that the information above is correct and that the reimbursement requested is for expenses paid by me for the treatment of my covered condition. I am aware that any person who knowingly makes any false statement or misrepresentation to obtain reimbursement from OWCP is subject to civil penalties and/or criminal prosecution.
I authorize any provider named above to release information to the US Department of Labor, OWCP if necessary for the proper adjudication of this claim."
Medical Travel Refund Request form OWCP 957 OMB No. 1240-0037
"This report is authorized by the Federal Employees' Compensation Act (5 USC 8103(a)), the Black Lung Benefits Act (30 USC 901; 20 CFR 725.406 and 725.701) and the Energy Employees Occupational Illness Compensation Program Act of 2000, (42 USC 7384 and 20 CFR 30.701). While you are not required to respond, this information is required to obtain reimbursement for travel expenses. The method of collecting information complies with the Freedom of Information Act, the Privacy Act of 1974 and OMB Circ. 108. This form should be used for medically related travel covered by the Federal Employees' Compensation Act, the Black Lung Benefits Act and the Energy Employees Occupational Illness Compensation Program Act of 2000."
Health Insurance Claim form OWCP 1500 OMB No. 1240-0044
"PATIENT'S OR AUTHORIZED PERSON'S SIGNATURE I authorize the release of any medical or other information necessary to process this claim. I also request payment of government benefits either to myself or to the party who accepts assignment below."
Patients may refuse to sign the form if they do not wish their health care providers to share their medical information.
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No, individuals do not have the right to consent to particular uses of their personal information. The information is used only for the purposes of managing the compensation claim.
Privacy Impact Analysis
Specific notice of the need to collect and use privacy data to process a claim is included on the appropriate OWCP Program's claim form to ensure that all claimants are aware of the data necessary to complete their claim and its uses. In addition, System of Records Notices (SORNs) which outline the users of privacy data for this system are available to the public via the DOL internet. Providers also receive notice of the need and use of privacy data as specified on the provider enrollment forms.
Access, Redress, and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
What are the procedures that allow individuals to gain access to their information?
Claimants have the right to request a copy of their file at any time from the OWCP program under which they seek benefits.
What are the procedures for correcting inaccurate or erroneous information?
Providers can submit written documentation requesting updated information for their provider file. Claimants can also submit written documentation requesting updated information for their claimant file.
How are individuals notified of the procedures for correcting their information?
Questions and Answers for correcting information are available on the DOL web site. Q and A documents are available for both the Federal Employees' Compensation Act and Coal Mine Workers' Compensation programs at http://www.dol.gov/owcp/owcpcomp.htm.
Similar information is available for the Energy Employees Occupational Illness Compensation program under the "I want to..." list on the page http://www.dol.gov/owcp/energy/index.htm.
If no formal redress is provided, what alternatives are available to the individual?
Individuals have access, redress, and amendment rights under the Privacy Act for their records, and the procedures pertaining thereto are documented in the Privacy Act system of records notice.
Privacy Impact Analysis
Electronic access to the claimant's records is strictly limited to authorized individuals to preserve the privacy of the claimant. Only the claimant can request copies of their records to avoid any potential breach of privacy.
More information about the data that is collected and its uses is contained in the following System of Records Notices (SORNs). (Note: These SORNs cover more than just the central bill payment process. They cover the entire compensation claims process for each OWCP program.):
- DOL/GOVT-1 - Office of Workers' Compensation Programs, Federal Employees' Compensation Act File
- DOL/ESA-6 - Benefits Claims File
- DOL/ESA-30 - Automated Support Package
- DOL/ESA-43 - Rehabilitation Files
- DOL/ESA-49 - Office of Workers' Compensation Programs, Energy Employees' Occupational Illness Compensation Program Act File
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
What procedures are in place to determine which users may access the system and are they documented?
The contractor has put in place access control measures that include documented user access authorization, encryption, least privilege, and a dedicated portal for information transfer.
Will Department contractors have access to the system?
Yes, this is a Contractor-operated system.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
Users complete annual Information System Security and Privacy Awareness Training, which includes a privacy module.
What auditing measures and technical safeguards are in place to prevent misuse of data?
The contractor uses the concept of least privilege as described above. Access is granted only after authorization based on documented access request policies. Logs for certain system functions are also reviewed on a regular basis to check for any misuse or other issues.
All contractor operations are required to have security audits and assessments conducted on an annual basis. All contractor systems must have system-level auditing enabled so that a security incident can be investigated and responded to in a timely manner. IT system auditing and security testing are an essential part of how we ensure the integrity and availability of our computing systems. Auditing and assessments also make us more effective at identifying and preventing security vulnerabilities.
Privacy Impact Analysis
The contractor, in conjunction with OWCP, makes periodic updates to its risk assessment to ensure that risks to both security and privacy are being reviewed and updated on a regular basis. In addition the controls that have been put in place by the contractor are audited both internally and by external auditors on a regular basis. These audits test the controls the contractor has put in place and any deficiencies identified are promptly addressed.
Based on the results of these internal and external audits OWCP finds that there are appropriate administrative, technical and physical safeguards in place to ensure the security and confidentiality of the information.
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
What stage of development is the system in, and what project development life cycle was used?
The system is in the Operations and Maintenance phase. It was developed under the DOL System Development Life Cycle Management (SDLCM) Manual.
Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.
CBP allows limited access via its on-line web portal to claimants, providers, and other Federal agencies under the FECA program to allow them to review their own information. User authentication is required to connect to the web-portal and users are limited to those records that pertain to their own claim(s). There is also a call center that is available to claimants and providers to assist them with their claims and to determine claim status. The call center also requires authentication of callers before any information of a sensitive (PII) nature is discussed.
CBP also uses the concept of least privilege to ensure that users are given access only to the information that they require for the performance of their jobs. Transactions and access are logged, and those logs are periodically reviewed to determine whether attempts have been made to access data by an outside source or an unauthorized user.
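The two controls described above and in the auditing answer earlier in this section (a portal that authenticates users and limits each one to records pertaining to their own claim(s), and transaction logs that are reviewed for access attempts by outside sources or unauthorized users) are shown together in the following added example. This is illustrative code written for this page, not CBP or contractor code; the claim numbers, user ids, roles, log format, the 10.0.0.0/8 "internal" network and the denial threshold are all invented assumptions, and the agency-user scoping rule is deliberately left out.

```python
"""Illustrative example (not CBP code): per-record authorization for a claim
portal, access logging of every decision, and a review pass over the log.
All identifiers, claim numbers, users, networks and log formats are invented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Constructed sample data (hypothetical): who each record pertains to.
CLAIM_OWNERS = {            # claim number -> claimant user id
    "C-1001": "claimant-a",
    "C-1002": "claimant-b",
}
PROVIDER_BILLED = {         # provider user id -> claims that provider has billed
    "provider-x": {"C-1001"},
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: agency users connect only from here


@dataclass(frozen=True)
class Principal:
    user_id: str   # identity established by the portal's authentication step
    role: str      # "claimant", "provider" or "agency"


def can_view_claim(principal: Principal, claim_no: str) -> bool:
    """Least-privilege rule: being authenticated is not enough; the requested
    record is checked against the caller before anything is released."""
    if claim_no not in CLAIM_OWNERS:
        return False
    if principal.role == "claimant":
        return CLAIM_OWNERS[claim_no] == principal.user_id
    if principal.role == "provider":
        return claim_no in PROVIDER_BILLED.get(principal.user_id, set())
    if principal.role == "agency":
        return True   # assumption: agency scoping is handled by a rule not shown here
    return False


def view_claim(principal: Principal, claim_no: str, src_ip: str, log: list) -> str:
    """Portal handler: decide, log the decision either way, then release data."""
    allowed = can_view_claim(principal, claim_no)
    log.append(f"user={principal.user_id} role={principal.role} claim={claim_no} "
               f"src={src_ip} result={'ALLOW' if allowed else 'DENY'}")
    if not allowed:
        return "DENIED"
    return f"status of {claim_no}"   # stand-in for the real record


LOG_RE = re.compile(r"user=(\S+) role=(\S+) claim=(\S+) src=(\S+) result=(\S+)")


def review_log(lines, deny_threshold: int = 3) -> list:
    """Periodic log review. Flags (a) a user with repeated denials, which looks
    like probing other claimants' records, and (b) any agency-role access from
    an address outside the assumed internal network (an 'outside source')."""
    denials, findings = {}, []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, role, claim, src, result = m.groups()
        if result == "DENY":
            denials[user] = denials.get(user, 0) + 1
        if role == "agency" and not any(ip_address(src) in n for n in INTERNAL_NETS):
            findings.append(f"agency user {user} accessed {claim} from outside source {src}")
    for user, n in denials.items():
        if n >= deny_threshold:
            findings.append(f"{user} had {n} denied record accesses (possible enumeration)")
    return findings


def demo():
    """Constructed traffic: normal use, a provider overreach, a claimant probing
    claim numbers, and an agency user connecting from an external address."""
    log = []
    a = Principal("claimant-a", "claimant")
    b = Principal("claimant-b", "claimant")
    px = Principal("provider-x", "provider")
    ag = Principal("examiner-1", "agency")
    results = {
        "own": view_claim(a, "C-1001", "198.51.100.7", log),
        "other": view_claim(a, "C-1002", "198.51.100.7", log),
        "provider_billed": view_claim(px, "C-1001", "198.51.100.9", log),
        "provider_not_billed": view_claim(px, "C-1002", "198.51.100.9", log),
    }
    for c in ("C-1001", "C-1003", "C-1004"):     # claimant-b guessing claim numbers
        view_claim(b, c, "198.51.100.8", log)
    view_claim(ag, "C-1002", "203.0.113.5", log)   # agency user, external address
    return results, review_log(log)


if __name__ == "__main__":
    res, findings = demo()
    print(res)
    for f in findings:
        print("FINDING:", f)
```

The point of the ordering in `view_claim` is that the decision is written to the log before any data is returned, so a denied request leaves the same trace as an allowed one; that is what makes the later review able to see enumeration attempts at all.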
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
- OWCP has completed the PIA for CBP which is currently in operation. OWCP has determined that the safeguards and controls for this moderate system adequately protect the information.
- OWCP has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.