Privacy Impact Assessment (PIA)

CMS requires Privacy Impact Assessments for systems handling sensitive data. Business Owners and ISSOs must complete them for new or changed systems. PIAs ensure privacy compliance and are published for transparency.

Last Reviewed: 1/30/2025

Contact: Privacy Office | privacy@cms.hhs.gov

All completed PIAs (including TPWA PIAs) for CMS systems are posted online to offer transparency to the public. View CMS PIAs here.

What is a Privacy Impact Assessment (PIA)? 

A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The PIA demonstrates that Business/System owners have consciously incorporated privacy protections into their systems to safeguard information supplied by the public. 

PIAs are required by the E-Government Act of 2002, which improves the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form. 

Because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they also support transparency and accountability to the public. At the Centers for Medicare & Medicaid Services (CMS), we publish PIAs on CyberGeek (see the full PIA list here) to comply with the E-Government Act and to communicate with the public about how we address privacy concerns and safeguard sensitive information.

Why are PIAs important?

PIAs are more than a document — they are a process intended to give visibility into privacy risks and identify optimal ways of protecting personal information. PIAs are important because they help Business Owners and system teams: 

  • Determine the risks of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII within FISMA systems.
  • Examine and evaluate protections for handling information to mitigate potential privacy concerns.
  • Develop new solutions to manage PII if current collection methods aren’t optimized.
  • Ensure that information is handled in a manner that supports all applicable legal, regulatory, and policy requirements regarding privacy.

Who completes PIAs? 

Privacy Impact Assessments (PIAs) are a team effort. The Information System Security Officer (ISSO) leads the effort on behalf of the Business/System Owner to assess the privacy safeguards and complete the PIA questionnaire in CFACTS. To ensure accurate completion of the PIA, the ISSO receives support from experts within the CMS Information Security and Privacy Group (ISPG), which may include:

  • Division of Security, Privacy, Policy & Oversight (DSPPO) 
  • Cyber Risk Advisors (CRAs)
  • Privacy Advisors

After the PIA is completed by CMS system stakeholders, it is reviewed and signed by privacy staff at the U.S. Department of Health and Human Services (HHS).

Instructions and tips for the PIA process can be found in the CMS Privacy Impact Assessment (PIA) Handbook. If you need help, contact the Privacy Office: Privacy@cms.hhs.gov.

more to be added