Acumen General Support System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/5/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-2832860-618877 |
Name: | Acumen General Support System |
The subject of this PIA is which of the following? | General Support System |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 9/6/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | There have been no major or significant changes to the system since the last PIA. |
Describe the purpose of the system | The Acumen General Support System (GSS) provides a secure computing platform for users to analyze healthcare-related data for Centers for Medicare & Medicaid Services (CMS) and CMS-affiliated federal, state, and local agencies. The GSS also provides infrastructure resources to an Acumen major application, Acumen Web Portals (AWP), which has its own PIA. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The Acumen GSS stores and maintains information about three types of individuals: |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Acumen General Support System (GSS) provides a secure computing platform for users to analyze healthcare-related data for CMS and CMS-affiliated federal, state, and local agencies. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The contractor uses Personally Identifiable Information (PII) to conduct statistical analyses on a broad range of CMS topics of interest, including the quality and effectiveness of care provided; investigations into fraud, waste, and abuse in select health benefits programs; risk adjustment for payment validation for Part C and D programs and premium stabilization of Marketplace plans; and current programs as well as proposed program changes. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | In addition to research, the contractor uses PII to test the accuracy of linkages made between and across multiple CMS data files. |
Describe the function of the SSN. | The SSN is the tax ID for some providers. For beneficiaries, the SSN is combined with a two-digit Beneficiary Identification Code (BIC) to form the Medicare Health Insurance Claim Number (HICN), which is used to determine the beneficiary’s eligibility and to process claims. The HICN is used by numerous CMS Medicare Fee-For-Service systems and CMS requires that the contractor use the HICN to analyze claims. |
Cite the legal authority to use the SSN. | Medicare Prescription Drug Improvement and Modernization Act of 2003, Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), and Sections 1862 (b), 1874, 1881(b), and 1899 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk). |
Identify legal authorities governing information use and disclosure specific to the system and program. | Sections 1862 (b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk) |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0539 - Long Term Care Hospitals Quality Reporting Program (LTCH QRP), 09-70-0595 - Evaluation of Drug Usage Under the Staff Time and Resource Intensity Verification Study (STRIVE), 09-70-0598 - ACO Database System, 09-70-0565 - ASPEN Complaints/Incidents Tracking System (ACTS), HHS/CMS/CMSO, 09-70-0555 - National Provider System (NPS), 09-70-0500 - Health Plan Management System (HPMS), 09-70-0501 - Carrier Medicare Claims Records, 09-70-0502 - Health Insurance Master Record, 09-70-0503 - Intermediary Medicare Claims Records (IMCR), 09-70-0506 - CMS Encounter Data System (EDS), 09-70-0508 - CMS Risk Adjustment Suite of Systems (RASS), 09-70-0511 - CMS Risk Adjustment Data Validation System (RAD-V), 09-70-0514 - Medicare Provider Analysis and Review (MEDPAR), 09-70-0519 - Current Beneficiary Survey, 09-70-0520 - End Stage Renal Disease (ESRD) Medical Information System (PMMIS), 09-70-0521 - Inpatient Rehabilitation Facilities Patient Assessment Instrument (IRF-PAI), 09-70-0522 - Home Health Agency Outcome and Assessment Information Set (HHA OASIS), 09-70-0525 - Medicare Physician Identification and Eligibility System (MPIES), 09-70-0526 - Common Working File (CWF), 09-70-0527 - HCFA Program Integrity Case Files, 09-70-0528 - Long Term Care Minimum Data Set (LTC MDS), 09-70-0532 - Provider Enrollment, Chain, and Ownership System (PECOS), 09-70-0534 - Medicare Exclusion Database (MED), 09-70-0535 - 1-800 Medicare Choices Helpline (HELPLINE), HHS/HCFA/CBS, 09-70-0536 - Medicare Beneficiary Database (MBD), 09-70-0541 - Medicaid Statistical Information System (MSIS and T-MSIS), 09-70-0552 - Medicare Premium Withhold System (PWS), 09-70-0553 - Medicare Drug Data Processing System (DDPS), 09-70-0555 - National Plan and Provider Enumeration System (NPPES), 09-70-0557 - Medicare True Out-of-Pocket Expenditures System (TrOOP), 09-70-0558 - National Claims History (NCH), 09-70-0560 - Health Insurance Exchanges (HIX) Program, 09-70-0564 - Medicare Prescription Drug Plan Finder (MPDPF) System, 09-70-0565 - ASPEN Complaints/Incidents Tracking System (ACTS), HHS/CMS/CMSO, 09-70-0571 - Medicare Integrated Data Repository (IDR), 09-70-0578 - Medicaid Program and State Children's Health Insurance Program (SCHIP) Payment Error Rate Measurement (PERM), 09-70-0588 - Medicare Advantage Prescription Drug System (MARx), 09-70-0528 - Long Term Care-Minimum Data Set (MDS), 09-70-0522 - OASIS, 09-90-0250 - Early Retirement Reinsurance Program (ERRP); 13VA047 - Individuals Submitting Invoices-Vouchers for Payment-VA; 77VA10A4 - Health Care Provider Credentialing and Privileging Records-VA; 23VA10NB3 - Non-VA Care (Fee) Records-VA; 09-20-0136 - Epidemiologic Studies and Surveillance of Disease Problems; |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | Not Applicable to the Acumen GSS. |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. | |
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | The CMS Business Owner for the Acumen GSS has established a Memorandum of Understanding (MOU) that articulates the terms and conditions for using the Acumen GSS to share information. Those terms include composing a CMS Privacy Office memo describing the data authorizations of the parties involved, the data to be transferred, and the frequency of those transfers. The CMS Business Owner has also established Information Sharing Agreements (ISAs) when an Acumen GSS analytic task entails sharing sensitive information with other federal government agencies. |
Describe the procedures for accounting for disclosures | The contractor documents distributions of analytic reports to external, CMS-authorized organizations via the contractor's internally developed report tracking system, which records information on each report distribution and enables contractor staff to trace analytic results back to data sources and the beneficiaries contained therein. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The Acumen GSS only collects contact information (full name, work address, work email, and work phone number) from prospective users, which Acumen GSS support staff then use to create Acumen GSS user credentials. Since the collection of such information is entirely voluntary, the Acumen GSS does not provide notifications about the collection of such information. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The Acumen GSS only collects contact information (full name, work address, work email, and work phone number) from prospective users, which Acumen GSS support staff then use to create Acumen GSS user credentials. Since the collection of such information is entirely voluntary, prospective system users may decline to request access to the system and thereby opt out of contact information collection. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | If a major change to the Acumen GSS occurs that affects how collected user account information (full name, work address, work email, and work phone number) is used or disclosed, the Acumen GSS will send a company-wide email alert to all internal staff and display a notification page to all external users. This notification page is displayed when a user logs into the application, describes the changes to the Acumen GSS's privacy policy, and requires the user's acknowledgement before the user can proceed to use the application. For internal users, since PII is required to access the system, individuals who do not consent to the changes can stop using the Acumen GSS. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If an individual has concerns about his/her user account information in Acumen GSS, the individual can contact the Acumen GSS support team, by email or phone, to report the issue. The support team logs the issue in its ticketing system. The issue would be investigated and further action would be taken if necessary. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | To periodically verify the integrity, availability, and relevancy of the CMS data contained within the Acumen GSS, the Acumen GSS contractor performs the following tasks: deploys, tracks, and maintains continuous monitoring tools to detect unauthorized modifications to PII; restricts access to raw source data obtained from CMS to a specific group of privileged and limited users; and conducts weekly data comparisons of the processed data against CMS's Integrated Data Repository (IDR), such as frequency checks of variables, claim amounts, and claim payment sums. Under this process, the Acumen GSS contractor identifies and deletes any outdated, unnecessary, irrelevant, and inaccurate PII. |
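The weekly data comparison described above (frequency checks of variables plus claim amount and payment sum checks against a reference copy) can be implemented as a reconciliation pass that reports every class of drift rather than a single pass/fail. The following is an added example, not the PIA's text or Acumen's own tooling; the claim rows, the four-field record layout, and the reference list standing in for an IDR extract are all constructed assumptions.

```python
"""Reconcile a processed claims extract against a reference extract.

Reports missing, unexpected and changed claims, categorical frequency drift
and total-amount drift so that an unauthorized or accidental modification
shows up in the weekly check rather than in a downstream analysis.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed record layout (constructed, not a CMS file format):
# (claim_id, provider_state, claim_amount, paid_amount)
Claim = Tuple[str, str, float, float]

# Constructed sample data, not CMS data: the processed copy held on the platform.
PROCESSED: List[Claim] = [
    ("C1", "CA", 120.00, 100.00),
    ("C2", "CA", 80.00, 64.00),
    ("C3", "TX", 300.00, 250.00),
    ("C4", "TX", 45.50, 40.00),   # paid_amount differs from the reference
    ("C5", "NY", 500.00, 450.00),
]

# Constructed reference copy standing in for the IDR extract; C6 is absent from PROCESSED.
REFERENCE: List[Claim] = [
    ("C1", "CA", 120.00, 100.00),
    ("C2", "CA", 80.00, 64.00),
    ("C3", "TX", 300.00, 250.00),
    ("C4", "TX", 45.50, 45.50),
    ("C5", "NY", 500.00, 450.00),
    ("C6", "NY", 60.00, 50.00),
]


def frequencies(rows: List[Claim]) -> Counter:
    """Frequency check of the categorical variable provider_state."""
    return Counter(r[1] for r in rows)


def totals(rows: List[Claim]) -> Dict[str, float]:
    """Claim amount and claim payment sums, rounded to cents."""
    return {
        "claim_amount": round(sum(r[2] for r in rows), 2),
        "paid_amount": round(sum(r[3] for r in rows), 2),
    }


def reconcile(processed: List[Claim], reference: List[Claim],
              tolerance: float = 0.0) -> Dict[str, object]:
    """Compare processed rows against the reference and return every finding.

    tolerance is a relative bound on total drift (0.0 means exact match).
    """
    by_id_p = {r[0]: r for r in processed}
    by_id_r = {r[0]: r for r in reference}

    missing = sorted(set(by_id_r) - set(by_id_p))
    unexpected = sorted(set(by_id_p) - set(by_id_r))
    changed = sorted(k for k in by_id_p.keys() & by_id_r.keys()
                     if by_id_p[k] != by_id_r[k])

    fp, fr = frequencies(processed), frequencies(reference)
    freq_drift = {k: (fp.get(k, 0), fr.get(k, 0))
                  for k in sorted(fp.keys() | fr.keys())
                  if fp.get(k, 0) != fr.get(k, 0)}

    tp, tr = totals(processed), totals(reference)
    total_drift = {k: (tp[k], tr[k]) for k in tp
                   if abs(tp[k] - tr[k]) > tolerance * max(abs(tr[k]), 1.0)}

    # Row count is compared on the raw lists so duplicated claim IDs are not hidden by the dicts.
    row_count: Optional[Tuple[int, int]] = None
    if len(processed) != len(reference):
        row_count = (len(processed), len(reference))

    return {
        "missing_in_processed": missing,
        "unexpected_in_processed": unexpected,
        "changed": changed,
        "frequency_drift": freq_drift,
        "total_drift": total_drift,
        "row_count": row_count,
    }


def is_clean(findings: Dict[str, object]) -> bool:
    """True when no class of drift was found."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(PROCESSED, REFERENCE)
    for key, value in result.items():
        if value:
            print(f"{key}: {value}")
    print("clean" if is_clean(result) else "drift detected")
```

The per-record comparison is what turns a frequency or sum mismatch into a traceable claim ID; a sum check alone would not distinguish a single altered payment from an added or dropped row, and a tolerance above zero should only be used for known rounding differences between the two sources.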
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The contractor ensures that staff access to PII is granted strictly on a need-to-know basis and only in relation to the staff member's job duties. The contractor also maintains segregation of duties within its system and data components so that staff are further restricted from gaining unnecessary access, or an unnecessary level of access, to sensitive data. To do so, the contractor manages access groups according to the principle of least privilege, restricting access to sensitive folders and files, including files with PII, to users who have both a valid reason relevant to their job duties and approval to access such information. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Although the contractor does not directly collect CMS-related PII, the contractor does obtain CMS authorization to access and use confidential CMS data, including PII, through CMS data use agreements (DUAs). These DUAs mandate that the contractor only request and obtain access to the minimum data necessary for its data analytic work. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Acumen GSS contractor staff undergo Information System Security Awareness and Privacy Awareness Training prior to gaining any access to Acumen GSS resources, on an annual basis thereafter, and whenever training content changes (as a result of new or revised CMS requirements). This training includes online and PowerPoint-based content customized to the contractor's specific working environment, information privacy requirements (such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA)), FISMA security requirements, industry security practices, sensitive information handling, insider threat detection, rules of behavior documentation, and a security and privacy awareness quiz, which all contractor staff must take and pass with a score of 80% to gain or retain information system access. |
Describe training system users receive (above and beyond general security and privacy awareness training) | As part of the contractor's security and privacy awareness training, the organization has instituted role-based training for employees whose positions include substantial security tasks and/or responsibilities or direct access to sensitive CMS resources. Such training must be completed before an employee gains access to the GSS (whether a new hire or an existing employee who either acquires a new position within the organization or whose position expands to include security-related tasks and/or responsibilities), on an annual basis thereafter, and whenever the security posture of the GSS changes. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Unless (1) the agency or organization governing the PII instructs the Acumen GSS contractor to destroy it or (2) the legal authorization agreement authorizing the Acumen GSS to store the PII expires or is revoked (at which point the Acumen GSS contractor will destroy the specific PII requested, using methods compliant with NIST SP 800-88 Rev. 1, within 30 days), the Acumen GSS maintains records containing PII in accordance with National Archives and Records Administration (NARA) Records Control Schedule (RCS) DAA-0440-2015-0002 for a period of up to 7 years after the annual cutoff at the end of the calendar year. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The Acumen GSS secures all PII contained within the system via administrative, technical, and physical controls. |