Acumen Web Portals
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 10/25/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-9690857-262684 |
Name: | Acumen Web Portals |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | New |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 9/27/2024 |
Describe the purpose of the system | The Acumen Web Portals (AWP) Application enables Centers for Medicare and Medicaid Services (CMS), Acumen, and/or CMS-designated organizations to securely exchange project data as well as securely discuss project tasks online. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The AWP Application stores and maintains information about three groups: Beneficiaries - This information includes Social Security Number (SSN), name, date of birth, health insurance claim number, mailing address, phone numbers, e-mail address, medical record numbers, health insurer name/plan, health insurer group number, taxpayer identification (ID), and financial account information for the purpose of analyzing claims and linking these claims to other sources of data for analytic purposes in support of CMS operations. Providers - This information includes name, User credentials – This information consists of a user ID, full name, and contact information (work phone number and work email). |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The AWP Application enables CMS and/or CMS-designated organizations to securely exchange contract-related deliverables and securely discuss contract-related matters. Although the AWP Application supports a number of CMS-defined workflows, the Application broadly provides the following online capabilities: Data Transfer Project Discussions Data Visualizations Information Archives The Application obtains full name of its users (internal employees and employees from federal, state, and local agencies), and contact information (work address, work phone number, and work email) to create the necessary user credentials to access the Application. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The contractor, Acumen, uses Personally Identifier Information (PII) to conduct statistical analyses of wide ranging CMS topics and issues, including the quality and effectiveness of care provided; investigations into fraud, waste, and abuse in select health benefits programs; risk adjustment for payment validation for Part C and D programs and premium stabilization of Marketplace plans; and current programs as well as proposed program changes. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | In addition to research, the contractor uses PII to test the accuracy of linkages made between and across multiple CMS data files. |
Describe the function of the SSN. | The SSN is the tax ID for some providers. For beneficiaries, the SSN is combined with a two-digit Beneficiary Identification Code (BIC) to form the Medicare HICN, which is used to determine the beneficiary’s eligibility and to process claims. The HICN is used by numerous CMS Medicare Fee-For-Service systems and CMS requires that the contractor use the HICN to analyze claims. |
Cite the legal authority to use the SSN. | CMS grants the contractor the authority to use SSN for linkage and linkage verification purposes under different legal authorities, including the Medicare Prescription Drug Improvement and Modernization Act of 2003 and Medicare Improvements for Patients and Providers Act of 2008 (MIPPA). CMS is authorized by the MEDICARE PRESCRIPTION DRUG, IMPROVEMENT, AND MODERNIZATION ACT OF 2003 to improve care and reduce costs in in the chronically ill population. The agency shall research total episode costs and look across existing data sets. Therefore, CMS must be able to match and verify beneficiary enrollment, service utilization, quality assessment, comorbidities, and other indications in the data. The MIPPA program originated as part of the end-stage renal disease (ESRD) payment bundle. Under the ESRD Prospective Payment System (ESRD PPS) – Section 153(b) of Pub. L. 110-275, the MIPPA amended section 1881(b) of the Social Security Act to require the implementation of an ESRD bundled payment system effective January 1, 2011. Under MIPPA, the ESRD PPS replaced the previous basic case-mix adjusted composite payment system and the methodologies for the reimbursement of separately billable outpatient ESRD-related items and services. Sections 1862 (b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk) |
Identify legal authorities governing information use and disclosure specific to the system and program. | Sections 1862 (b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk) |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - Do not collect PII directly from individuals. |
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | Not Applicable to the AWP Application. |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. |
|
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | The CMS Business Owner for the AWP Application has established a Memorandum of Understanding that articulates the terms and conditions for the contractor to use the Application to share information. These terms include composing a CMS Privacy Office memo describing the data authorizations of the parties involved, the data to be transferred, and the frequency of those transfers. The CMS Business Owner has also established Information Sharing Agreements (ISA) when an AWP Application task entails sharing sensitive information with other federal government agencies. |
Describe the procedures for accounting for disclosures | The contractor documents distributions of analytic reports to external, CMS-authorized organizations via the contractor's internally developed report tracking system, which records information on each report distribution and enables contractor staff to trace analytic results back to data sources and the beneficiaries contained therein. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The AWP Application only collects contact information (full name, work address, work email, and work phone number) from prospective users, which AWP Application support staff then use to create AWP Application user credentials. The contractor provides a Privacy Policy statement in the AWP Application that advises individuals of how their contact information will be used. Other than account creation, AWP Application does not collect information from individuals directly. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The AWP Application only collects contact information (full name, work address, work email, and work phone number) from prospective users, which AWP Application support staff then use to create AWP Application user credentials. Since the collection of such information is entirely voluntary, the AWP Application provides prospective system users with the option to not gain access to the system and thus opt-out of contact information collection. Other than account creation, AWP Application does not collect information from individuals directly. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | If a major change to the AWP Application occurs that impacts how collected user account information (full name, work address, work email, and work phone number) will be used or disclosed, the AWP Application then displays a notification page for all users when they log in to the Application. The page specifies changes to the Application’s Privacy Policy and requires user’s acknowledgment before the user can proceed to use the application. For PII that is not user account information collected by AWP Application, CMS Business Owner of the Acumen GSS vets all contractor-proposed system changes and ensures that such changes fall within the FISMA security parameters of the system as well as within the scope of the System of Records (SORs) associated with it. As such, system modifications never include the direct collection of PII from individuals and never fall outside of the research purposes authorized by the system's associated SORs. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Regarding account information (full name, work address, work email, and work phone number), if the individual believes the information is inaccurate, the individual can contact the CMS Contract Office Representative (COR) or CMS COR’s designated approver, who has access in the AWP Application to make any necessary corrections to the user account information. If the individual believes the user account information was inappropriately used or disclosed, the individual can contact the AWP Application support team, by email or phone, to report the issue. The support team logs the issue in its ticketing system. The issue would be investigated, and further action would be taken if necessary. For all other PII, if an individual believed his or her PII had been inappropriately obtained, used, or disclosed or that his or her PII is inaccurate, the individual would contact CMS directly, and CMS would push the issue to all relevant internal organizations and contractors, including CMS staff responsible for taking in individuals' concerns about their PII. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | To periodically verify the accuracy, integrity, availability, and relevancy of the CMS data contained within the AWP Application, the AWP Application contractor performs the following tasks: - Deploys, tracks, and maintains continuous monitoring tools to detect unauthorized modifications to PII; |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The contractor ensures that access to PII is granted strictly on a need-to-know basis. To do so, the contractor leverages CMS-designated Compliance Officers, who are responsible for identifying AWP Application users and whether they warrant access to reports that contain confidential and, when contractually necessary, personally identifiable information. For additional information on these roles, refer to the AWP Application System Security Plan (SSP). |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Although the contractor does not directly collect CMS-related PII, the contractor does obtain CMS authorization to access and use confidential CMS data, including PII, through CMS data use agreements (DUAs). These DUAs mandate that the contractor only request and obtain access to the minimum data necessary to its data analytic work. Beyond conforming to CMS DUAs' minimum data necessary requirement, the contractor limits internal staff’s access to PII elements to those staff members who must leverage PII to create versions of CMS data that randomize key personal identifiers (e.g., HICN or SSN) via a Link ID and strip any unnecessary PII elements from all research-oriented data files. The contractor's research analysts then use this Link ID in their research work to trace beneficiary-level events. Such activities and the acquisition of confidential CMS data are reviewed at least once every 365 days, whenever the contractor’s CMS DUAs approach expiration, and whenever project terms evolve to ensure that Acumen only retains confidential CMS data necessary to its work. For the AWP Application users, the contractor leverages CMS-designated Compliance Officers to control and limit PII access, as Officers are responsible for identifying AWP Application users who warrant access to reports that contain confidential and, when contractually necessary, personally identifiable information. For additional information on these roles, refer to the AWP Application SSP. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | For the AWP Application, the contractor uses the Acumen GSS security and privacy awareness training policy to train internal project participants on Application-related security measures. For external project participants who use the AWP Application, the contractor trains those users on Application security via the "Acumen Security Policy," Portal user guides, and the security as well as privacy policies published in the Application. In conjunction, these documents instruct external users on the appropriate method of accessing and using the Application. In addition, the contractor configures the Application so that external project participants must re-certify their agreement with the "Acumen Security Policy" at least once every three hundred sixty-five days and whenever the contractor updates the Policy. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Security personnel receive job related training by attending conferences, forums, "on the job" trainings, and other specific trainings throughout the year. Security personnel must obtain necessary training before granting privileged access to the system. Security personnel must complete role-based training to continue to maintain privileged access to the system. Topics of training include detecting and handling of the latest security threats; updates to privacy regulations; and most recent best practices for securing systems and applications used to support AWP. Security-based role training is recorded within the security department. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Unless the agency or organization governing PII instructs the AWP Application contractor to destroy its PII or the legal authorization agreement authorizing the AWP Application to store PII expires or is revoked (at which point, the AWP Application contractor will destroy the specific PII requested with methods compliant with NIST SP-800-88 rev. 1 within 30 days), the AWP Application maintains records containing PII in accordance with: National Archives and Records Administration (NARA) GENERAL RECORDS SCHEDULE: Per the user credential information that the AWP Application collects and stores, the AWP Application requires security-related system users to review user accounts annually to determine if access is still required (per CMS security requirements) and disable any unnecessary accounts. However, the AWP Application maintains all disabled user PII indefinitely for future security forensic purposes and in accordance with CMS security requirements. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The contractor has established the following security controls in relation to PII resources transmitted through the AWP Application. Physical security controls include but are not limited to:
The Systems Administrator performs regular reviews of all access lists and logging to ensure planned and real-time system activities remain accurate and appropriate. Also, a list of those authorized to gain access to secure computing environments is in place.
There are no publicly accessible areas at the organization. Group Policy enforces workstation locking when not in use. Additionally, individuals with access to PII are responsible by policy and Rules of Behavior (ROB) to ensure non-authorized individuals do not have access to any PII. All visitors must sign in at the reception desk and be escorted around the Acumen premises at all times. Technical controls include but are not limited to: Border protection devices on all tiers, such as firewalls (Checkpoint and Cisco) and intrusion detection prevention (IDP).
Administrative controls include but are not limited to:
Administrator access is granted based on the concept of Segregation of Duties. Application users are granted access by Acumen after verification with and approval by the Application's Compliance Officer. Specific details and complete list of all controls are documented in the Application's SSP. |
Identify the publicly-available URL: | https://account.programinfo.us |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government website external to HHS? | Yes |
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | No |