Acumen General Support System

OPDIV:

CMS

PIA Unique Identifier:

P-2832860-618877

Name:

Acumen General Support System

The subject of this PIA is which of the following?

General Support System

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

9/6/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

There have been no major or significant changes to the system since the last PIA.

Describe the purpose of the system

The Acumen General Support System (GSS) provides a secure computing platform for users to analyze healthcare-related data for Centers for Medicare & Medicaid Services (CMS) and CMS-affiliated federal, state, and local agencies.  The GSS also provides infrastructure resources to an Acumen major application, Acumen Web Portals (AWP), which has its own PIA.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The Acumen GSS stores and maintains information about three types of individuals:

Beneficiaries - This information includes Social Security Number (SSN), name, date of birth, health insurance claim number (HICN), Medicare Beneficiary Identifier (MBI), mailing address, phone numbers, e-mail address, medical record numbers, health insurer name/plan, health insurer group number, taxpayer ID, and financial account information for the purpose of analyzing administrative healthcare data and linking these data to other sources of data for analytic purposes in support of CMS related efforts including fraud, waste, and abuse investigations.

Providers - This information includes name, tax ID number, mailing address, phone numbers, financial account information and/or numbers, certificates, device identifiers, and email address for the purpose of analyzing claims and linking these claims to other sources of data for analytic purposes in support of CMS related efforts.

User credentials – This information consists of a user ID, full name, and contact information (phone number and email).

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Acumen General Support System (GSS) provides a secure computing platform for users to analyze healthcare-related data for CMS and CMS-affiliated federal, state, and local agencies.

In support of this functionality, the Acumen GSS maintains (stores) two major types of information: (1) CMS entitlement, enrollment, and utilization data; and (2) user credential information. Per (1), CMS data encompass Medicare, Medicaid, and supplementary healthcare-related data. These data are necessary to enabling system users to conduct research tasks defined by CMS. Users of the Acumen GSS regularly use identifiers by Medicare Beneficiary Identifier (MBI), HIC, SSN, name, date of birth (DOB), and addresses, to retrieve system records on individuals who are members of the public to perform statistical research on behalf of CMS. Per (2), the Acumen GSS collects and maintains (stores) user credential information, which consist of full name and contact information (phone number and email). The system needs this information to define and authenticate authorized Acumen GSS users.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

• Social Security Number

• Name
• E-Mail Address
• Phone Numbers
• Medical Notes
• Taxpayer ID
• Date of Birth
• Mailing Address
• Medical Records Number
• Financial Account Info
• Other - Health Insurance Claim Number (HICN), Medicare Beneficiary Identifier (MBI), Government administrative assistance program(s) enrollment/application information and associated administrative claims data.

Indicate the categories of individuals about whom PII is collected, maintained or shared.

• Employees

• Patients

• Other - Physicians

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

The contractor uses Personal Identifiable Information (PII) to conduct statistical analyses on a broad range of CMS topics of interest, including the quality and effectiveness of care provided; investigations into fraud, waste, and abuse in select health benefits programs; risk adjustment for payment validation for Part C and D programs and premium stabilization of Marketplace plans; and current programs as well as proposed program changes. 

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

In addition to research, the contractor uses PII to test the accuracy of linkages made between and across multiple CMS data files.

Describe the function of the SSN.

The SSN is the tax ID for some providers. For beneficiaries, the SSN is combined with a two-digit Beneficiary Identification Code (BIC) to form the Medicare Health Insurance Claim Number (HICN), which is used to determine the beneficiary’s eligibility and to process claims. The HICN is used by numerous CMS Medicare Fee-For-Service systems and CMS requires that the contractor use the HICN to analyze claims.

Cite the legal authority to use the SSN.

Medicare Prescription Drug Improvement and Modernization Act of 2003, Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), and Sections 1862 (b), 1874, 1881(b), and 1899 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk).

Identify legal authorities​ governing information use and disclosure specific to the system and program.

Sections 1862 (b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk)

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

09-70-0539 - Long Term Care Hospitals Quality Reporting Program (LTCH QRP), 09-70-0595 - Evaluation of Drug Usage Under the Staff Time and Resource Intensity Verification Study (STRIVE), 09-70-0598 – ACO Database System, 09-70-0565 - ASPEN Complaints/Incidents Tracking System (ACTS), HHS/CMS/CMSO, 09-70-0555 - National Provider System (NPS), 09-70-0500 - Health Plan Management System (HPMS), 09-70-0501 - Carrier Medicare Claims Records, 09-70-0502 - Health Insurance Master Record, 09-70-0503 - Intermediary Medicare Claims Records (IMCR), 09-70-0506 - CMS Encounter Data System (EDS), 09-70-0508 - CMS Risk Adjustment Suite of Systems (RASS), 09-70-0511 - CMS Risk Adjustment Data Validation System (RAD-V), 09-70-0514 - Medicare Provider Analysis and Review (MEDPAR), 09-70-0519 - Current Beneficiary Survey, 09-70-0520 - End State Renal Disease (ESRD) Medical Information System (PMMIS), 09-70-0521 - Inpatient Rehabilitation Facilities Patient Assessment Instrument (IRF-PAI), 09-70-0522 - Home Health Agency Outcome and Assessment Information Set (HHA OASIS), 09-70-0525 - Medicare Physician Identification and Eligibility System (MPIES), 09-70-0526 - Common Working File (CWF), 09-70-0527 - HCFA Program Integrity Case Files, 09-70-0528 - Long Term Care Minimum Data Set (LTC MDS), 09-70-0532 - Provider Enrollment, Chain, and Ownership System (PECOS), 09-70-0534 - Medicare Exclusion Database (MED), 09-70-0535 - 1-800 Medicare Choices Helpline (HELPLINE), HHS/HCFA/CBS, 09-70-0536 - Medicare Beneficiary Database (MBD), 09-70-0541 - Medicaid Statistical Information System (MSIS and T-MSIS), 09-70-0552 - Medicare Premium Withhold System (PWS), 09-70-0553 - Medicare Drug Data Processing System (DDPS), 09-70-0555 - National Plan and Provider Enumeration System (NPPES), 09-70-0557 - Medicare True Out-Out-of-Pocket Expenditures System (TrOOP), 09-70-0558 - National Claims History (NCH), 09-70-0560 - Health Insurance Exchanges (HIX) Program, 09-70-0564 - Medicare Prescription Drug Plan Finder (MPDPF) System, 09-70-0565 - ASPEN Complaints/Incidents Tracking System (ACTS), HHS/CMS/CMSO, 09-70-0571 - Medicare Integrated Data Repository (IDR), 09-70-0578 - Medicaid Program and State Children's Health Insurance Program (SCHIP) Payment Error Rate Measurement (PERM), 09-70-0588 - Medicare Advantage Prescription Drug System (MARx), 09-70-0528 - Long Term Care-Minimum Data Set (MDS), 09-70-0522 - OASIS, 09-90-0250 - Early Retirement Reinsurance Program (ERRP); 13VA047 - Individuals Submitting Invoices-Vouchers for Payment-VA; 77VA10A4 - Health Care Provider Credentialing and Privileging Records-VA; 23VA10NB3 - Non-VA Care (Fee) Records-VA; 09-20-0136 - Epidemiologic Studies and Surveillance of Disease Problems;

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Identify the sources of PII in the system: Government Sources

• Within the OPDIV

• Other HHS OPDIV
• State/Local/Tribal
• Other Federal Entities

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

Not Applicable to the Acumen GSS.

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

• Within HHS: CMS, Office of Assistant Secretary for Preparedness and Response (ASPR), Office of Assistant Secretary for Planning and Evaluation (ASPE), and the US Food and Drug Administration (FDA) obtain analytic reports from the contractor in accordance with the contractor's contractual obligations.

• Other Federal Agency/Agencies: Congressional Agencies, National Institute of Health (NIH) affiliated surveys, and Department of Justice (DOJ) obtain tabular and analytic reports in accordance with CMS's agreements with DOJ, NIH affiliated surveys, and congressional agencies.
• Private Sector: CMS-authorized contractors obtain analytic reports in accordance with data agreement authorization and contractual obligations to share and/or collaborate with other CMS-authorized contractors.
• State or Local Agency/Agencies: State of California's Department of Health Care Services (CA DHCS) obtain analytic reports in accordance with CMS's agreements with CA DHCS.

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

The CMS Business Owner for the Acumen GSS has established a Memorandum of Understanding (MOU) that articulates the terms and conditions for using the Acumen GSS to share information. Those terms include composing a CMS Privacy Office memo describing the data authorizations of the parties involved, the data to be transferred, and the frequency of those transfers.

The CMS Business Owner has also established Information Sharing Agreements (ISA) when an Acumen GSS analytic task entails sharing sensitive information with other federal government agencies.

Describe the procedures for accounting for disclosures

The contractor documents distributions of analytic reports to external, CMS-authorized organizations via the contractor's internally developed report tracking system, which records information on each report distribution and enables contractor staff to trace analytic results back to data sources and the beneficiaries contained therein. 
Sensitive information is stored, maintained, used and shared based on the terms and conditions associated to the active data agreements in place to enabling the contractor to conduct a wide range of research specified by CMS or other government agency clients. Data are retained and/or shared with other organizations when governing organization authorities approve. In addition, for transfers of sensitive information to non-CMS party that is not on the contractor's Data Use Agreement (DUA), the contractor also notifies its CMS Business Owner, who then notifies the CMS Privacy Office detailing the transfer with information such as content description, purpose, date/frequency, and the recipient. 
Data that is shared with the CMS Virtual Data Centers to process Part A claims in the Fiscal Intermediary Standard System, Part B claims in the Multi-Carrier System, or Viable Information Processing Systems (ViPS) Medicare System is tracked and accounted for through daily reporting and balancing routines. Data that is shared with other contractors designated by CMS is tracked and accounted for through case management software tools that are part of the collection of systems processed as part of the contractor’s workflow.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The Acumen GSS only collects contact information (full name, work address, work email, and work phone number) from prospective users, which Acumen GSS support staff then use to create Acumen GSS user credentials. Since the collection of such information is entirely voluntary, the Acumen GSS does not provide notifications about the collection of such information.

Other than account creation, Acumen GSS does not collect information from individuals directly; instead, the Acumen GSS maintains (stores) data that CMS collects outside of the system and then transmits to the system for research tasks authorized via the systems of record (SORs) associated with the Acumen GSS.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The Acumen GSS only collects contact information (full name, work address, work email, and work phone number) from prospective users, which Acumen GSS support staff then use to create Acumen GSS user credentials. Since the collection of such information is entirely voluntary, the Acumen GSS enables prospective system users the option to not gain access to the system and thus opt-out of contact information collection.

Other than account creation, Acumen GSS does not collect information from individuals directly; instead, the Acumen GSS maintains (stores) data that CMS collects outside of the system and then transmits to the system for research tasks authorized via the SORs associated with the Acumen GSS.  The source systems managed/operated by CMS are responsible for providing methods for individuals to opt-out of the collection or use of their PII and documenting such methods in their own separate PIAs.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

If a major change to the Acumen GSS occurs that impacts how collected user account information (full name, work address, work email, and work phone number) were used or disclosed, the Acumen GSS will send a company-wide email alert for all internal staff and display a notification page for all external users. This notification page is displayed when user logs into the application, contains changes to the Acumen GSS’s privacy policy and requires user’s acknowledgement before the user can proceed to use the application. For internal users, since PII is required to access the system, if those individuals do not consent to the changes, they can stop using the Acumen GSS.

Except for user account information (full name, work address, work email, and work phone number), the system maintains (stores) data that CMS collects outside of the system and then transmits to the system for the contractor to conduct research covered within the SORs associated with the Acumen GSS. All contractor-proposed system changes that impact those PII are vetted by the CMS Business Owner of the Acumen GSS to ensure that such changes fall within the Federal Information Security Management Act of 2002 (FISMA) security parameters of the system as well as within the scope of the SORs associated with it. As such, system modifications never include the direct collection of PII from individuals and never fall outside of the research purposes authorized by the system's associated SORs.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

If an individual has concerns about his/her user account information in Acumen GSS, the individual can contact the Acumen GSS support team, by email or phone, to report the issue. The support team logs the issue in its ticketing system. The issue would be investigated and further action would be taken if necessary.

For all other PII, if an individual believed his or her PII had been inappropriately obtained, used, or disclosed or that his or her PII is inaccurate, the individual would contact CMS directly, and CMS would push the issue to all relevant internal organizations and contractors, including CMS staff responsible for taking in individuals' concerns about their PII.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

To periodically verify the integrity, availability, and relevancy of the CMS data contained within the Acumen GSS, the Acumen GSS contractor performs the following tasks:

Deploys, tracks, and maintains continuous monitoring tools to detect unauthorized modifications to PII.

Restricts access to raw source data obtained from CMS to a specific group of privileged and limited users.

Conducts data comparison—such as frequency checks of variables, claim amount, and claim payment sum on the processed data, against CMS’ IDR on a weekly basis. Under this process, the Acumen GSS contractor identifies and deletes any outdated, unnecessary, irrelevant, and inaccurate PII.

Identify who will have access to the PII in the system and the reason why they require access.

• Users: To conduct CMS-approved analysis and/or obtain analysis findings.

• Administrators: To ensure that system is prepared for and can properly handle data collection and analysis.

• Contractors: These are direct contracts that require access to validate submitted analysis.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

The contractor ensures that staff access to PII is granted strictly on a need-to-know basis and only in relations with the staff's job duties. The contractor also maintains segregation of duties within its system and data components such that its staff is further restricted from gaining unnecessary access and/or level of access to sensitive data. To do so, the contractor manages access groups according to the principle of least privilege, restricting access to sensitive folders and files, including files with PII, to users who have both a valid reason relevant to his/her job duties and approval to access such information. 

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Although the contractor does not directly collect CMS-related PII, the contractor does obtain CMS authorization to access and use confidential CMS data, including PII, through CMS data use agreements (DUAs). These DUAs mandate that the contractor only request and obtain access to the minimum data necessary to its data analytic work. 

Beyond conforming to DUA’s minimum data necessary requirement, the contractor limits internal staff’s access to PII elements to those staff members who must leverage PII to create versions of CMS data that randomize key personal identifiers (e.g., HICN or SSN) via a Link ID and strip any unnecessary PII elements from all research-oriented data files. Acumen research analysts then use this Link ID in their research work to trace beneficiary-level events. The processed data and any subsets are then controlled using Microsoft's Active Directory (AD) technology. Specifically, the contractor uses AD access groups and roles to restrict access to ensure users have minimum data necessary. Only upon confirmed authorization from the CMS DUA and appropriate approvals, access is granted to requesting users.

Such activities and the acquisition of confidential CMS data are reviewed at least once every 365-days, whenever the contractor’s CMS DUAs approach expiration, and whenever project terms evolve to ensure that Acumen only retains the confidential CMS data necessary to its work.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Acumen GSS contractor staff undergo Information System Security Awareness and Privacy Awareness Training prior to gaining any access Acumen GSS resources, on an annual basis thereafter, and whenever Training content changes (as a result of new or revised CMS requirements). This training includes online and PowerPoint-based content customized to contractor’s specific working environment, information privacy requirements (such as Health Insurance Portability and Accountability Act of 1996 (HIPAA)), FISMA security requirement, industry security practices, sensitive information handling, insider threat detection, rules of behavior documentation, and a security and privacy awareness quiz, which all contractor staff must take and pass with a score of 80% to gain or retain information system access.

For contractor staff with privileged access or significant security responsibilities, CMS mandates additional role-based training (with varying hours of commitment based on the sensitivity of a staff member’s job duties) that those staff must complete prior to gaining any privileged access or security responsibilities and on an annual basis thereafter.

Describe training system users receive (above and beyond general security and privacy awareness training)

As part of the contractor's security and privacy awareness training, the organization has instituted role-based training for employees whose positions include substantial security tasks and/or responsibilities or direct access to sensitive CMS resources. Such training must be completed before an employee gains access to the GSS (both in terms of a new hire and an existing employee who either acquires a new position within the organization or whose position expands to include security-related tasks and/or responsibilities), on an annual basis thereafter, and whenever the security posture of the GSS changes.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Unless (1) the agency or organization governing PII instructs the Acumen GSS contractor to destroy its PII or (2) the legal authorization agreement authorizing the Acumen GSS to store PII expires or is revoked (at which point, the Acumen GSS contractor will destroy the specific PII requested with methods compliant with NIST SP-800-88 rev. 1 within 30-days), the Acumen GSS maintains records containing PII in accordance with National Archives and Records Administration (NARA) Records Control Schedules (RCS) DAA-0440-2015-0002 for a period of up to 7-years after the annual cutoff at the end of calendar year. 

Per the user credential information that the Acumen GSS collects and stores, the Acumen GSS requires security-related system users to review user accounts every 90-days to determine if access is still required (per CMS security requirements) and disable any unnecessary accounts. However, the Acumen GSS maintains all disabled user PII indefinitely for future security forensic purposes and in accordance with CMS security requirements.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The Acumen GSS secures all PII contained within the system via administrative, technical, and physical controls. 

Per administrative security, the Acumen GSS contractor only grants contractor staff access to the GSS after two separate and senior contractor staff members—including the contractor’s Data Security Officer—authorize the staff member’s access request. By policy, the two authorizing staff members must confirm the staff member’s need to access the GSS and, in the case of PII, the specific job duties that warrant granting PII access to the staff member. For non-contractor users, the CMS Contract Office Representative (COR) or CMS COR’s designated approver must approve each prospective user’s access request before the Acumen GSS contractor creates and disseminates GSS credentials to a prospective user. 

The Acumen GSS contractor also establishes a policy of blocking any system administrator, regardless of seniority, from directly accessing any sensitive data, including PII.

Per technical security, the Acumen GSS implements the principle of least privilege as well as a role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis that commensurate with their assigned duties. Further, the Acumen GSS protects all sensitive information—including PII—via Access Control Lists (ACLs) and two-factor authentication requirements. Moreover, the Acumen GSS features auto-logging, which Acumen GSS security staff review periodically and in compliance with CMS-specified timelines.

Per physical security, the Acumen GSS contractor stores all Acumen GSS resources within a secure facility, featuring restricted access, video-based monitoring, and multiple alarm systems.