2015-12-04

Date
Subject
Medicare HETS 270/271 - HETS Provider GUI (HPG) - Information Bulletin - December 3, 2015
User Community
HETS 270/271

Medicare HETS 270/271 HPG Users:

Effective on Sunday, December 6, 2015 the CMS Enterprise Portal and HETS Provider GUI (HPG) will begin offering new identity management services provided by the Centers for Medicare & Medicaid Services (CMS).  The CMS Enterprise Portal and HETS Provider GUI (HPG) will require all HPG Users (new and existing) to register for and begin using Multi-Factor Authentication (MFA) services.  CMS may also require new HPG Users to utilize Remote Identity Proofing (RIDP). These two services will help improve CMS’ ability to reduce fraud and ensure system security by implementing security measures that enhance the ability of identifying a given individual and the type of data they are able to access. The purpose of this email is to provide you with background on both of these services to best prepare you for this new offering.

A new version of the HPG User Guide (version 1-9) is now available online here:    (Please refresh your browser to ensure that you are viewing version 1-9.)

Key Points

  • Effective Sunday, December 6, 2015 all HPG Users will be required to utilize MFA when signing into the CMS Enterprise Portal. Current HPG Users will not be required to complete the RIDP process, but must utilize MFA.  Options to obtain an MFA One Time Password (OTP) for each HPG login include a computer application, phone/device application, SMS service, email or a telephone based Interactive Voice Response (IVR) system.
  • HPG Users will need to utilize a MFA OTP (in conjunction with their CMS Enterprise Portal User ID and password) every time they sign into HPG.
  • New HPG Users may need to complete the RIDP process in order to complete the HPG application process.  RIDP is the process of validating sufficient information about you (e.g., credit history, personal demographic information, and other indicators) to uniquely identify an individual.
  • HPG Users should manually enter all internet addresses (Uniform Resource Locators, or URLs) into your internet browsers.  CMS discourages Users from utilizing browser bookmarks with the HPG application.
  • Existing HPG Users should focus on Sections 4.3.4 (MFA) and Section 4.3.6 (Login to the HPG Application) of the HPG User Guide (linked above) to prepare for changes coming as of December 6, 2015.

Below is a list of FAQs that will assist HPG Users as they prepare for this upcoming change. Please contact the Help Desk if you have any additional questions.

MFA & RIDP FAQs

Multi-Factor Authentication (MFA)

What is Multi-Factor Authentication (MFA)?

MFA is an approach to security authentication that requires you to provide more than one form of a credential in order to prove your identity. CMS is requiring MFA service for CMS Enterprise Portal and HETS Provider GUI (HPG) Users. CMS uses Symantec’s Validation and Identity Protection (VIP) service to add a layer of protection for your online identity. Symantec’s VIP utilizes government-certified technology and techniques to provide this multi-factor authentication.

How do we use MFA?

CMS uses MFA to grant access to the CMS Enterprise Portal and the HETS Provider GUI (HPG). Users will be asked to enter their CMS Enterprise Portal username, password and a One Time Password (OTP) that is generated by Symantec VIP software to gain access to the HETS Provider GUI (HPG). The OTP can be generated by a free Symantec application that can be downloaded to your desktop or smartphone, or alternatively, you can receive an OTP via a Short Message Service (SMS) or voice phone call once you have registered your phone in the CMS Enterprise Portal. The “Where can we get the MFA software?” section below provides the necessary information to install the Symantec application on your desktop or smartphone.

How do I get an MFA credential?

The CMS Enterprise Portal will prompt you to register an MFA credential when you request access to the HETS Provider GUI (HPG) and have not already registered an MFA credential in the CMS Enterprise Portal. You will be given a choice of MFA token delivery methods. The primary MFA token delivery method is to download software and install it on your computer or a mobile device. Alternatively, if you require special support, you can set up SMS or voice token to deliver your MFA credential. Where to get the MFA software is discussed below.

Where can I get the MFA software?

You will need MFA software if you choose to receive your MFA credential on a computer or laptop or a mobile device. You will be required to download the MFA software from Symantec and install it in your device of choice.

To download the desktop software for Windows or Mac, navigate to the Symantec VIP Center site at https://idprotect.vip.symantec.com/desktop/home.v  and follow the instructions.

If using an iPhone, Android, Blackberry, or other mobile device, use your device to navigate to the Symantec VIP Center mobile site at https://m.vip.symantec.com/home.v and follow the instructions.

SMS OTP and Voice OTP options do not require a software download.

I am being asked to type a Credential ID. Where do I find the Credential ID?

The Credential ID is the 12-digit alphanumeric number on the top of the soft token that was downloaded to your device from Symantec. The Credential ID begins with four letters and ends with eight numbers. In the example below, the token displays the credential ID as VSST57144377.

How do I use Multi-Factor Authentication?

When you access the CMS Enterprise Portal, the system will display the MFA login screen. You will be required to enter your CMS Enterprise Portal User ID, password, and the VIP security code. If you have registered an MFA token device, enter your user ID and password and the security code that is displayed on your MFA token device.

For your protection, an MFA device automatically generates a new security code each time it counts down from a 30-second timer.

If you have registered an MFA SMS token or MFA Voice token, when you access the CMS Enterprise Portal, the system will send you a security code via text message or voice call to the number you registered in your account.

For your protection a security code sent via SMS or Voice counts down from a 30-minute timer.

How do I register additional devices to my user account?

You can register up to five MFA credentials in your user account. Additional MFA credentials can be added to your account after you have been prompted by the CMS Enterprise Portal to set up the first MFA credential. The “Register your Smartphone or Computer” hyperlink on the “My Profile” page will appear once you have successfully set up your first MFA credential. You can click on the link and add additional MFA devices to your user account.  Please note that you cannot use the same phone number for the SMS and Voice (IVR) services – a single phone number can only be tied to one service at a time.

Will I be charged cell phone time each time I use Symantec VIP MFA on my mobile device?

It depends on what delivery method you use. The Symantec VIP MFA software is free. Once the Symantec VIP MFA application is downloaded and installed on the phone it does not utilize any cell time to generate the six-digit security code. Cell or network traffic is used to download the application to one’s mobile device. There are no recurring charges associated the use of either software option. If you choose not to use the software option and select SMS or Voice OTP, carrier charges may apply.

How do I register for MFA if I receive an error when installing the software on my computer?

If you are having trouble downloading and installing the MFA software on your desktop or laptop, it is possibly due to your company’s IT policy that disables users from installing any software on their company-provided machines. Check with your company’s IT department for assistance. If your company does not allow you to install MFA software, one alternative is to use a mobile device that you control, or you can also use a voice call to obtain the OTP. You can refer to other instructions in this FAQ document for information on cell phone installation and voice token usage.

I cannot use the desktop MFA software or the mobile phone MFA software.

The CMS Enterprise Portal allows you to set up a voice or SMS delivery method for your OTP that does not require an MFA software download. You can register a phone number and select SMS or Voice OTP, and then the CMS Enterprise Portal can register your phone number and delivery method with Symantec. After your MFA is activated, when you request access to the CMS Enterprise Portal you will receive either a phone call or text message that contains your OTP, depending on the delivery method that you select.

The SMS and Voice OTP expire within thirty minutes of when they are sent, so please make sure you provide a phone number that will be accessible to you during your typical work hours. As an example, do not use a residential phone number if you will normally log in from your place of employment.

I cannot download Symantec VIP on my BlackBerry.

If your BlackBerry is a company-provided BlackBerry, your IT department may have locked down your device and disallowed users from loading applications. Check with your IT department to see if you have the required permissions to download an application on your BlackBerry. Some companies have also allowed the download of applications on their BlackBerries but only over Wi-Fi networks. If this is the case, connect your BlackBerry to a Wi-Fi network to download Symantec VIP by typing the following link for the Symantec VIP Center mobile site in the BlackBerry browser: https://m.vip.symantec.com/home.v

Can I access multiple Applications if I’m multi-factor authenticated?

Once you have been multi-factor authenticated in the CMS Enterprise Portal, if you do not log out of the system, you can access other protected CMS Applications that require MFA without having to be authenticated again with an MFA credential. If you log out of the system, when you log in, you will be asked to present your MFA credential when accessing a protected CMS Application.

Remote Identity Proofing (RIDP)

What is Remote Identity Proofing?

RIDP is the process of validating sufficient information about you (e.g., credit history, personal demographic information, and other indicators) to uniquely identify an individual. RIDP is a required service for most HETS Provider GUI (HPG) Users – existing HPG Users will not be required to complete the RIDP process. New HPG Users that have previously completed an RIDP process for the CMS Enterprise Portal will not need to complete the process again.  CMS uses Experian to remotely perform identity proofing.

You may have already encountered RIDP through various interactions with banking systems, credit reporting agencies, and shipping companies. The Experian identity verification service is used by CMS to confirm your identity when you need to access a protected CMS Application. When you log in to the CMS Enterprise Portal and request access to HETS Provider GUI (HPG), you will be prompted to RIDP if you have not been previously identity proofed to the level of assurance required by the CMS Enterprise Portal. You will be asked to provide a set of core credentials, which include:

• Full Legal Name

• Social Security Number

• Date of Birth

• Current Residential Address

• Personal Phone Number

The Experian identity verification service will use your core credentials to locate your personal information in Experian and generate a set of questions, referred to as out-of-wallet questions. Experian will attempt to verify your identity to the appropriate level of assurance with the information you provided. Most users are able to complete the ID proofing process in under five minutes. If you encounter problems with RIDP, you will be asked to contact Experian Support Services via phone to resolve any issues.  Please see the ‘Remote Identity Proofing Tips for Success’ section in this email for some tips on navigating the ID proofing process successfully.

What happens to the data submitted for identity proofing?

The CMS Enterprise Portal collects your personal information, described as data that is unique to you as an individual, such as name, address, telephone number, Social Security Number, and date of birth. The CMS Enterprise Portal uses this personal information only to verify your identity. Your information will be sent to Experian, an external identity verification provider, to help us confirm your identity. If collected, we will validate your Social Security Number with Experian only for the purpose of verifying your identity. Experian verifies the information you give us against their records and may present you with questions based on your credit profile, called out-of-wallet questions. The out-of-wallet questions and answers, including financial history, are strictly between you and the RIDP service Experian; neither the CMS Enterprise Portal nor the HETS Provider GUI (HPG) will store them. Experian is required by law to securely maintain this data for seven years. For more information regarding how CMS uses the information you provide, please read the CMS Privacy Act Statement at:

Will RIDP affect my credit?

No, this type of inquiry does not affect your credit score and you will not incur any charges related to this credit score inquiry. When you identity proof, Experian creates something called a soft inquiry. Soft inquiries are visible only to you, the consumer, and no one else. Soft inquiries have no impact on your credit report, history, or score other than being recorded and maintained for 23 months.

What happens if my identity cannot be verified during the online RIDP process?

If Experian cannot identity proof you online, you will be asked to contact either the Experian Verification Support Services Help Desk or the HETS Provider GUI (HPG) Help Desk, depending on the reason you failed RIDP. The system will provide you with a reference number to track your case. The Experian Help Desk cannot assist you if you do not have the reference number. If you are asked to contact the HETS Provider GUI (HPG) Help Desk, you will be given a response code to help the HETS Provider GUI (HPG) Help Desk perform the manual identity proofing process with you.

What happens if my identity cannot be verified during the Experian phone proofing RIDP process?

If you contact the Experian Verification Support Services Help Desk and your identity cannot be verified, you will be referred to the HETS Provider GUI (HPG) Help Desk to complete the manual identity proofing process.

How do I contact the HETS Provider GUI (HPG) Help Desk?

The HETS Provider GUI (HPG) Help Desk is open Monday through Friday from 7:00 a.m. to 7:00 p.m., Eastern Standard Time (EST).

You can contact the HPG Help Desk using either of the following methods:

• Email address:

• Phone Number: (866) 324-7315

What are the Experian Help Desk hours of operation?

The Experian Help Desk is open Monday through Friday from 8:30 a.m. to 10:00 p.m., Saturday from 10:00 a.m. to 8:00 p.m., and Sunday from 11:00 a.m. to 8:00 p.m., EST.

Remote Identity Proofing Tips for Success

Name:

• You must use your full legal name. Refer to your Driver’s License or financial account information.

• Your surname has to match the surname Experian has for you on file.

• Do not use nicknames.

• If you have a two-part name, enter the second part in the middle name field. (i.e., Billy Bob would have Billy in the first name field and Bob in the middle name field)

Address:

• Enter your current residential address:

•  Address where you receive financial statements including credit cards and/or utilities

• Address you most consistently use for billing purposes

• Address associated with your credit report

• If you have a recent change in address, you can try to ID proof with a prior address.

• Do not enter any extraneous symbols in the address field. If you want to confirm the correct format, visit USPS Look Up a Zip Code at: https://tools.usps.com/go/ZipLookupAction!input.action

Phone:

• Enter a personal landline phone number (if you have one).

• A cell phone can be used, but a residential landline is preferred.

Out-of-Wallet Questions:

• You will be asked a series of questions regarding your personal financial transactions/information.

• Try to collect all of your information together before attempting the session.

• Download a free copy of your credit report at www.annualcreditreport.com .

Consent:

• You will be asked to give consent to verify your identity information from your credit report.

• The information is utilized only for purposes of identity proofing – “you are who you say you are.”

• The consent of utilizing the information does post as a soft inquiry on your credit report. The soft inquiry is visible only to you.

• The consent/inquiry does not affect your credit score.

Exclusions:

• If you have a Victim’s Statement or a blocked or frozen file, you will NOT be able to complete the identity proofing process online. After attempting online, you will be directed to call Experian’s Consumer Services @ 1-866-578-5409 to have the alert temporarily lifted so that you can attempt the ID proofing process.

• If you are listed as deceased on the Social Security Administration’s (SSA) Death Master File, you will not be able to complete the identity proofing process online. You may contact the SSA at 1-800-269-0271. They will be able to make sure that your information is being reported correctly.