This section provides an overview of RDS Secure Website user registration.
All Retiree Drug Subsidy (RDS) participants must complete Registration to access the RDS Secure Website (SWS). The Registration process requires a user to enter personal information and create a Login ID and Password. CMS' RDS Center sends an email confirming the activation of the user's Login ID and Password within 48 hours after the Registration process is completed. Updated Federal security policies also require that each RDS Secure Website account must activate Multi-Factor Authentication (MFA) prior to accessing the RDS Secure Website. Refer to Multi-Factor Authentication for more information, as well as step-by-step instructions to activate MFA.
User Management is the responsibility of the Plan Sponsor. For data integrity and security purposes, CMS’ RDS Center does not alter registered user information on the user’s behalf.
Due to the sensitive nature of this data, the user should contact the RDS Center directly should assistance be required. One individual should not contact the RDS Center on another individual’s behalf. Do not include any Protected Health Information (PHI), as defined in the Health Insurance Portability and Accountability Act (HIPAA), or Personally Identifiable Information (PII) in the correspondence, such as User ID, Password, MBI, SSN, DOB, etc.
Federal Security Regulations require that a user log in to CMS' RDS Secure Website (SWS) at least once every 180 days to maintain an active account. Active user accounts are required to perform many tasks in the RDS Program, such as completing and submitting applications and completing Reconciliation.
Users with disabled accounts should refer to Enable Your User Account for more information about maintaining an active account, as well as step-by-step instructions to enable their user account.
Individuals are responsible for maintaining and protecting their RDS Secure Website account access. It is a violation of Federal law to share or transfer user accounts or Login and Password information. Do not share the QR code, Secret Key, Google Authenticator token, one-time token or any other account information with anyone. Activate your MFA configuration with your own personal device, not the device of another person.
If a security violation has been suspected by the RDS Center, the compromised account shall be terminated. If the user requires access to the Secure Website again, they will be required to be invited to each Plan Sponsor account and/or application they will perform work on and complete registration again, including being required to activate a new MFA configuration for the new account.
CMS' RDS Center shall not share your personal information with any third-party, except for disclosures required by law.
In order to access the RDS Secure Website, all users are required to read and accept the Login Warning each time they log in.
The Account Manager Registration takes place during the new Plan Sponsor Registration process. For more information, refer to Create a New Plan Sponsor Account.
A new Account Manager reassigned for an existing Plan Sponsor receives an invitation email to begin Registration within 48 hours after the user role is reassigned. Registration can begin after the email invitation is received.
The Authorized Representative, Actuary, and Designee receive an invitation email to begin Registration within 48 hours after the user role is assigned. Registration can begin after the email invitation is received.
Vendors identified by the Plan Sponsor are asked to contact CMS' RDS Center to establish a Vendor ID and Electronic Data Interchange (EDI) requirements.
During Registration, each user selects two Security Questions and enters Answers to those Security Questions.
The Security Questions are used to protect personal information and reset passwords. When the Secure Website prompts a user to answer Security Questions, the user is required to enter their own personal Security Question answers.
Note: Security Questions can only be changed once in a 24-hour period.
The Security Questions will be locked after multiple incorrect Answers are entered to the Security Questions.
To unlock Security Questions, refer to Change Or Reset Security Questions or contact CMS' RDS Center.
Each user creates a Login ID during Registration, which allows access to the RDS Secure Website.
Create a Login ID based on the following requirements:
Each user creates and maintains a Password, which allows access to the RDS Secure Website.
Passwords are based on the following requirements:
Note: A Password can only be changed once in a 24-hour period. CMS’ RDS Center cannot unlock user accounts on an individual’s behalf.
Passwords expire every 180 days and must be changed to access the RDS Secure Website.
IMPORTANT: When a user account becomes locked after multiple failed login attempts for any reason—invalid Login ID, Password, or MFA code, or any combination of these—
Due to security reasons, the RDS Center does not have the authority to unlock accounts for Secure Website users. As a result, the 24 hours IMMEDIATELY PRECEDING a deadline can be very difficult to obtain remediation regarding account login issues, potentially resulting in a missed deadline and possible loss of subsidy.
Refer to Instructions to Access the RDS Secure Website for step-by-step login instructions. Refer to the RDS Secure Website Login Quick Start Guide for support and best practices for logging in and communication with CMS’ RDS Center.
CMS' RDS Center offers an RDS Welcome Kit to help new Account Managers, Authorized Representatives, Actuaries, and Designees become acquainted with the RDS Program and their role-specific tasks.
The RDS Welcome Kit offers: