Accountable Care Organization Management System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 12/5/2023
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-9934897-772857 |
| Name: | Accountable Care Organization Management System |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 11/1/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | Significant System Management Change |
| Describe in further detail any changes to the system that have occurred since the last PIA. | Introduction of new functionality to support the Medicare Electronic Application Request Information System (MEARIS). The MEARIS module adds a new website link that allows medical professionals to submit applications related to coding and payment. The individuals' name and email address are collected so a response to the applications can be provided. |
| Describe the purpose of the system | The Shared Savings Program (SSP) Accountable Care Organization (ACO) program was established by the Affordable Care Act (ACA) in 2010 to coordinate care among multiple Medicare fee-for-service providers. An ACO is a group of doctors, hospitals and other health care providers that manages and coordinates care while following the SSP requirements. To implement the ACO SSP program, the ACO-Management System (ACO-MS) supports the SSP ACOs’ enrollment and management, and grants access to reports that provide feedback on cost saving efforts and healthcare improvements. The ACO-MS will provide additional flexibility to continue to expand operational activities through a flexible automated system as the SSP program continues to grow in size and complexity. One expansion module is the Medicare Electronic Application Request Information System (MEARIS) module. MEARIS replaces a mail and email process with an electronic method to submit and track coding and payment applications. A second expansion module is the Hospital Price Transparency (HPT) module. HPT provides an interface for comparing costs of hospital services from various providers. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The Accountable Care Organization - Management System (ACO-MS) collects personal information and ACO information. Personal information collected includes the individual’s name, Social Security Number and date of birth to support user identity proofing and to create a user ID. This information is transmitted to the CMS Identity Management (IDM) system and then the individual’s SSN and date of birth are deleted from ACO-MS. For ACO-MS, personal information collected includes the individual’s name, mailing address, phone numbers and user credentials to provide access to the ACO-MS. The ACO information collected is non-personal information that CMS requires to participate in the Shared Savings Program. This includes ACO application data and information on participating providers and suppliers. Reports available to the ACOs will contain information collected, maintained or disseminated that includes Medicare beneficiary PII such as name, date of birth, health information claim number, mailing address, phone numbers, medical records for the purpose of supporting regulatory, reimbursement and policy functions of shared savings programs and to combat fraud, waste and abuse in certain health benefits programs. The Medicare Electronic Application Request Information System (MEARIS) module collects the submitters name, email and phone number. The Hospital Price Transparency (HPT) module does not collect any personal information. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The information collected will be used for four purposes. The first is to identity proof individuals requesting a user ID. This data is electronically transmitted to the CMS Identity Management (IDM) system, which is a separate system with its own PIA. Once the individual’s identity is confirmed by the CMS IDM system, they will be allowed to log onto the Accountable Care Organization – Management System (ACO-MS) by supplying a user ID and password that is authenticated by IDM. Second, information collected and maintained by the ACO-MS is used to provide access to ACO-MS system and to contact users. Third, ACO information is used to submit applications for participation in the Shared Savings Program, manage ACO agreements, approve ACO affiliated providers and suppliers, identify overlaps in participation with other CMS Advanced Payment Models, and to submit and maintain changes in agreements with CMS. Fourth, reports containing beneficiary data are shared with the ACOs to improve the quality of care in a cost-effective manner. Information can be retrieved by ACO and by user ID. The Medicare Electronic Application Request Information System (MEARIS) module uses the information collected to respond to the application submitter. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 1,000,000 or more |
| For what primary purpose is the PII used? | Beneficiary claims information and Accountable Care Organization (ACO) eligibility and contact information will be used to support the regulatory, reimbursement and policy functions of the shared savings programs and to combat fraud, waste and abuse in certain health benefits programs. Also, ACO users and CMS employee PII is collected to provide access to data they are authorized to see. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable |
| Describe the function of the SSN. | The SSN is required for Identity Proofing users of the Accountable Care Organization - Management System (ACO-MS). The SSN is forwarded to the CMS Identity Management (IDM) system to accurately identify the individual requesting access to ACO-MS. IDM requires the use of the SSN. |
| Cite the legal authority to use the SSN. | 42 U.S.C. 1395 et seq section 1899 |
| Identify legal authorities governing information use and disclosure specific to the system and program. | 5 U.S.C 3, Departmental Regulations, and 42 U.S.C. 1395 et seq section 1899 |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
| Identify the sources of PII in the system: Government Sources | Within the OPDIV |
| Identify the sources of PII in the system: Non-Government Sources | Private Sector |
| Identify the OMB information collection approval number and expiration date | 0938-1236 (IDM) 8/31/2025 0938-0935 (HPMS) 3/31/2026 |
| Is the PII shared with other organizations? | Yes |
| Identify with whom the PII is shared or disclosed and for what purpose. | Private Sector |
| Within HHS Explanation: | N/A |
| Other Federal Agency/ Agencies Explanation: | N/A |
| State or Local Agency/ Agencies Explanation: | N/A |
| Private Sector Explanation: | To provide Accountable Care Organizations with information they need to meet requirements. |
| Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | All participating providers must have a Data Use Agreement (DUA) in place to be able to access the information that is available from the ACO-MS system. A DUA records whose data will be shared and what data is to be shared. |
| Describe the procedures for accounting for disclosures | Accountable Care Organizations (ACO) participants must sign a Data Use Agreement prior to gaining access to the Accountable Care Organization Management System. All data is provided to the ACOs via reporting and the distribution of each report is tracked. CMS monitors the distribution of the reports and can identify those ACOs that have received and those ACOs that have not received their reports. |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Users must give consent before providing PII in the form of an online disclaimer. Accountable Care Organization (ACO) users must sign a Data Use Agreement prior to gaining access to the Accountable Care Organization Management System. All data is provided to the ACOs via reporting and the distribution of each report is tracked. CMS monitors the distribution of the reports and can identify those ACOs that have received and those ACOs that have not received their reports. Medicare beneficiaries are notified their personal information is being collected by the provider at the time of service. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The users have an option to opt-out of providing information but would then be unable to create an account within the Accountable Care Organization Management System (ACO-MS). CMS employees and direct contractors cannot opt out to complete their job duties. Medicare beneficiaries who do not want to have their data shared have the option to decline to have their data shared by signing a form or calling 1-800-Medicare with questions or concerns. The Next Generation Desktop-Medicare Beneficiary Portal hosts the 1-800-Medicare phone number and collects information that is forwarded to the ACO-MS. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | In the event of a major change, the new changes would be published in the ACO-MS application. This would be accomplished by posting a message on the home web page. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals are notified and encouraged to contact the Consolidated Business Operations Support Center (CBOSC) for any questions and concerns pertaining to the integrity of their personal information. The CBOSC is a help desk for the ACO program. Individuals requiring technical support may reach the CBOSC via email at aposd@cms.hhs.gov or via telephone by calling 1-888-734-6433 (option 2). For Operational and Program Support, individuals are encouraged to send inquiries to SharedSavingsProgram@cms.hhs.gov. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Data is provided to the Accountable Care Organizations (ACOs) for their review. This way the ACO can verify the accuracy and relevancy of the data. Integrity is maintained through system security and control processes that are evaluated by independent assessors. Availability is maintained through system redundancies. |
| Identify who will have access to the PII in the system and the reason why they require access. | Others - Production support: is used to maintain the system. |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to the systems is given based on need to know and job responsibilities to obtain reports, maintain the system or correct programming errors using a user id and role-based access. Access is obtained using a CMS access request form. The form is approved by the designated approvers prior to access being granted. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Access to the system is controlled using security software. The user, administrator or programmer is given the least amount of access required to obtain information and to perform their job duties and is explicitly denied access by the security software unless otherwise granted. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All administrators and developers are required to take annual training regarding security and privacy requirements for protecting PII. In addition, role-based training is provided to individuals with significant access or security responsibilities. This annual role-based training is required by the CMS Chief Information Officer Directive 12-03 |
| Describe training system users receive (above and beyond general security and privacy awareness training) | In addition to the general security and privacy awareness training, users must acknowledge rules of behavior. Also, throughout the year, users are provided with newsletters, messages and security bulletins. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | In accordance with National Archives Record Control Schedule DAA-0440-2012-0014, records containing PII will be maintained for a period of up to 6 years after the annual cutoff and destroyed in accordance with existing agency and federal government guidelines, policies and procedures. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Access to the system is given based on job responsibilities and on a need-to-know basis. ACO-MS is located within a CMS approved datacenter. CMS uses security software and procedural methods to provide “least privilege access” to grant or deny access to data based upon a need-to-know. External audits also verify these controls are in place and functioning. Technical controls include user identification, passwords, firewalls, virtual private networks and intrusion detection systems. Physical controls include guards, identification badges, keycards, cipher locks and closed-circuit televisions. |
| Identify the publicly-available URL: | https://acoms.cms.gov https://mearis.cms.gov https://hpt.cms.gov |
| Does the website have a posted privacy notice? | Yes |
| Is the privacy policy available in a machine-readable format? | Yes |
| Does the website use web measurement and customization technology? | Yes |
| Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) | Session Cookies |
| Web Beacons - Collects PII?: | No |
| Web Bugs - Collects PII?: | No |
| Session Cookies - Collects PII?: | No |
| Persistent Cookies - Collects PII?: | No |
| Other - Collects PII?: | No |
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | No |