Implementation of the Multi-factor Authentication on the Medicare Secondary Payer Recovery Portal

CMS, Conditional Payments, Mandatory Insurer Reporting, Medicare, Medicare Set-Aside Blog on September 10, 2015 | Posted by Erin O'Neill, PA-C, JD

The Centers for Medicare & Medicaid Services (CMS) has implemented the optional Remote Identity Proofing (RIDP)/Multi-factor Authentication (MFA) services on the Medicare Secondary Payer Recovery Portal (MSPRP). These services are part of a new identity management solution provided by CMS as part of the Strengthening Medicare and Repaying Taxpayers (SMART) Act.

Today, CMS posted a Frequently Asked Questions (FAQ) document outlining the background of these two services and providing answers to specific questions regarding these processes. This document can be downloaded from the Coordination of Benefits & Recovery Overview – What’s New Section,  available at the following link:

https://www.cms.gov/Medicare/Coordination-of-Benefits-and-Recovery/Coordination-of-Benefits-and-Recovery-Overview/Whats-New/Whats-New.html

Remote Identity Proofing (RIDP) is the process by which CMS will validate the information provided by an individual requesting electronic access to protected CMS information or systems, to verify that the individual is who they say they are. CMS will be utilizing the Experian identity verification system to remotely perform this service. When logging onto the MSPRP, the individual will be given the option to RIDP. When selecting this option, the individual will be asked to provide their full legal name, social security number, date of birth, current residential address and personal telephone number. Experian will utilize this information to generate a set of questions that can only be answered by that individual. Additional information regarding these questions and this process can be found in the document available at the above noted link.

Multi-Factor Authentication (MFA) involves the use of two or more different authentication factors to verify the identity of an end user. Users requesting access to a CMS application with a level of assurance (LOA) 3 security level, must be authenticated using MFA. CMS will be utilizing Symantec’s Validation and Identity Protection (VIP) service to provide this MFA. Users must download the free Symantec software to their desktop or pre-registered smartphone. The Symantec VIP application will generate a One-Time Password (OTP). When logging onto the MSPRP and requesting access to protected information classified as a LOA 3 security application, the user will be prompted to enter their username and password as well as the one-time password generated by the Symantec VIP software. Verified users will have access to view unmasked claim data on the Portal. Users may continue to utilize the portal without going through the MFA process but will not have the benefits of viewing unmasked data. Additional information regarding this process can also be found in the document available at the above noted link.