Skip to main content

Acumen Web Portals

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 10/25/2024

View all CMS PIAs
PIA information for the Acumen Web Portals
PIA QuestionsPIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-9690857-262684

Name:

Acumen Web Portals

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

Yes

Identify the operator:

Contractor

Is this a new or existing system?

New

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

9/27/2024

Describe the purpose of the system

The Acumen Web Portals (AWP) Application enables Centers for Medicare and Medicaid Services (CMS), Acumen, and/or CMS-designated organizations to securely exchange project data as well as securely discuss project tasks online. 

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The AWP Application stores and maintains information about three groups:

Beneficiaries - This information includes Social Security Number (SSN), name, date of birth, health insurance claim number, mailing address, phone numbers, e-mail address, medical record numbers, health insurer name/plan, health insurer group number, taxpayer identification (ID), and financial account information for the purpose of analyzing claims and linking these claims to other sources of data for analytic purposes in support of CMS operations.

Providers - This information includes name,
tax ID number, mailing address, phone numbers, financial account information and/or numbers, certificates, device identifiers, and email address for the purpose of analyzing administrative healthcare data and linking these data to other sources of data for analytic purposes in support of CMS operations including fraud, waste, and abuse investigations.

User credentials – This information consists of a user ID, full name, and contact information (work phone number and work email). 

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The AWP Application enables CMS and/or CMS-designated organizations to securely exchange contract-related deliverables and securely discuss contract-related matters.

Although the AWP Application supports a number of CMS-defined workflows, the Application broadly provides the following online capabilities:

Data Transfer
The Application establishes methods of secure data exchange—including encrypting transmitted data and instituting restricted levels of access to sensitive materials—without unduly constraining the activities of Web Portal users. Users of this Application do not need to use any personal identifiers to retrieve files held in the system. The files may include information about patients, medical device suppliers, and physicians or providers.

Project Discussions
The Application enables geographically dispersed participants to discuss potentially sensitive project information through secure online discussion boards.

Data Visualizations
The Application provides authorized users with visualizations (such as graphs, charts, and heat maps) of data sources that help users to better understand and analyze those data sources.

Information Archives
Finally, the Application serves as a centralized information archive, retaining project-related communications and materials such that real-time and historical project information can be accessed by authorized project participants.

The Application obtains full name of its users (internal employees and employees from federal, state, and local agencies), and contact information (work address, work phone number, and work email) to create the necessary user credentials to access the Application.  

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name

  • E-mail Address

  • Phone Numbers

  • Medical Notes

  • Taxpayer ID

  • Date of Birth

  • Mailing Address

  • Medical Records Number

  • Financial Account Info

  • Device Identifiers

  • Date of Death

  • Other - Health Insurance Claim Number (HICN), Government administrative assistance program(s) enrollment/application information and associated administrative claims data, gender, race, date of death, health insurer group number

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Business Partners/Contacts (Federal, state, local agencies)

  • Vendors/Suppliers/Contractors

  • Patients

  • Other - Physicians

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

The contractor, Acumen, uses Personally Identifier Information (PII) to conduct statistical analyses of wide ranging CMS topics and issues, including the quality and effectiveness of care provided; investigations into fraud, waste, and abuse in select health benefits programs; risk adjustment for payment validation for Part C and D programs and premium stabilization of Marketplace plans; and current programs as well as proposed program changes. 

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

In addition to research, the contractor uses PII to test the accuracy of linkages made between and across multiple CMS data files.

Describe the function of the SSN.

The SSN is the tax ID for some providers. For beneficiaries, the SSN is combined with a two-digit Beneficiary Identification Code (BIC) to form the Medicare HICN, which is used to determine the beneficiary’s eligibility and to process claims. The HICN is used by numerous CMS Medicare Fee-For-Service systems and CMS requires that the contractor use the HICN to analyze claims.

Cite the legal authority to use the SSN.

CMS grants the contractor the authority to use SSN for linkage and linkage verification purposes under different legal authorities, including the Medicare Prescription Drug Improvement and Modernization Act of 2003 and Medicare Improvements for Patients and Providers Act of 2008 (MIPPA).

CMS is authorized by the MEDICARE PRESCRIPTION DRUG, IMPROVEMENT, AND MODERNIZATION ACT OF 2003 to improve care and reduce costs in in the chronically ill population. The agency shall research total episode costs and look across existing data sets. Therefore, CMS must be able to match and verify beneficiary enrollment, service utilization, quality assessment, comorbidities, and other indications in the data.

The MIPPA program originated as part of the end-stage renal disease (ESRD) payment bundle. Under the ESRD Prospective Payment System (ESRD PPS) – Section 153(b) of Pub. L. 110-275, the MIPPA amended section 1881(b) of the Social Security Act to require the implementation of an ESRD bundled payment system effective January 1, 2011. Under MIPPA, the ESRD PPS replaced the previous basic case-mix adjusted composite payment system and the methodologies for the reimbursement of separately billable outpatient ESRD-related items and services.

Sections 1862 (b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk)

Identify legal authorities​ governing information use and disclosure specific to the system and program.

Sections 1862 (b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y (b), and 1395kk)

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Other - Do not collect PII directly from individuals.

Identify the sources of PII in the system: Government Sources

  • Within the OPDIV

  • Other HHS OPDIV

  • State/Local/Tribal

  • Other Federal Entities

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

Not Applicable to the AWP Application.

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Within HHS: CMS, Office of Assistant Secretary for Preparedness and Response (ASPR), Office of Assistant Secretary for Planning and Evaluation (ASPE), and the US Food and Drug Administration (FDA) obtain analytic reports from the contractor in accordance with the contractor's contractual obligations.

  • Other Federal Agency/Agencies: Congressional Agencies, National Institutes of Health (NIH) affiliated surveys, and Department Of Justice (DOJ) obtain tabular and analytic reports in accordance with CMS's agreements with DOJ, NIH affiliated surveys, and congressional agencies.

  • Private Sector: CMS-authorized contractors obtain analytic reports in accordance with data agreement authorization and contractual obligations to share and/or collaborate with other CMS-authorized contractors.

  • State or Local Agency/Agencies: State of California's Department of Health Care Services (CA DHCS) obtain analytic reports in accordance with CMS's agreements with CA DHCS.

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

The CMS Business Owner for the AWP Application has established a Memorandum of Understanding that articulates the terms and conditions for the contractor to use the Application to share information. These terms include composing a CMS Privacy Office memo describing the data authorizations of the parties involved, the data to be transferred, and the frequency of those transfers.

The CMS Business Owner has also established Information Sharing Agreements (ISA) when an AWP Application task entails sharing sensitive information with other federal government agencies.

Describe the procedures for accounting for disclosures

The contractor documents distributions of analytic reports to external, CMS-authorized organizations via the contractor's internally developed report tracking system, which records information on each report distribution and enables contractor staff to trace analytic results back to data sources and the beneficiaries contained therein. 
Sensitive information is stored, maintained, used and shared based on the terms and conditions associated to the active data agreements in place to enabling the contractor to conduct a wide range of research specified by CMS or other government agency clients. Data are retained and/or shared with other organizations when governing organization authorities approve. In addition, for transfers of sensitive information to non-CMS party that is not on the contractor's Data Use Agreement (DUA), the contractor also notifies its CMS Business Owner, who then notifies the CMS Privacy Office detailing the transfer with information such as content description, purpose, date/frequency, and the recipient. 
Data that is shared with the CMS Virtual Data Centers to process Part A claims in the Fiscal Intermediary Standard System, Part B claims in the Multi-Carrier System, or Viable Information Processing Systems (ViPS) Medicare System (VMS) is tracked and accounted for through daily reporting and balancing routines. Data that is shared with other contractors designated by CMS is tracked and accounted for through case management software tools that are part of the collection of systems processed as part of the contractor’s workflow.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The AWP Application only collects contact information (full name, work address, work email, and work phone number) from prospective users, which AWP Application support staff then use to create AWP Application user credentials. The contractor provides a Privacy Policy statement in the AWP Application that advises individuals of how their contact information will be used.

Other than account creation, AWP Application does not collect information from individuals directly.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The AWP Application only collects contact information (full name, work address, work email, and work phone number) from prospective users, which AWP Application support staff then use to create AWP Application user credentials. Since the collection of such information is entirely voluntary, the AWP Application provides prospective system users with the option to not gain access to the system and thus opt-out of contact information collection.

Other than account creation, AWP Application does not collect information from individuals directly.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

If a major change to the AWP Application occurs that impacts how collected user account information (full name, work address, work email, and work phone number) will be used or disclosed, the AWP Application then displays a notification page for all users when they log in to the Application. The page specifies changes to the Application’s Privacy Policy and requires user’s acknowledgment before the user can proceed to use the application.  

For PII that is not user account information collected by AWP Application, CMS Business Owner of the Acumen GSS vets all contractor-proposed system changes and ensures that such changes fall within the FISMA security parameters of the system as well as within the scope of the System of Records (SORs) associated with it. As such, system modifications never include the direct collection of PII from individuals and never fall outside of the research purposes authorized by the system's associated SORs.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Regarding account information (full name, work address, work email, and work phone number), if the individual believes the information is inaccurate, the individual can contact the CMS Contract Office Representative (COR) or CMS COR’s designated approver, who has access in the AWP Application to make any necessary corrections to the user account information. If the individual believes the user account information was inappropriately used or disclosed, the individual can contact the AWP Application support team, by email or phone, to report the issue. The support team logs the issue in its ticketing system. The issue would be investigated, and further action would be taken if necessary.

For all other PII, if an individual believed his or her PII had been inappropriately obtained, used, or disclosed or that his or her PII is inaccurate, the individual would contact CMS directly, and CMS would push the issue to all relevant internal organizations and contractors, including CMS staff responsible for taking in individuals' concerns about their PII.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

To periodically verify the accuracy, integrity, availability, and relevancy of the CMS data contained within the AWP Application, the AWP Application contractor performs the following tasks:

- Deploys, tracks, and maintains continuous monitoring tools to detect unauthorized modifications to PII; 
- Restricts access to raw source data obtained from CMS to a specific group of privileged and limited users;
- Conducts data comparison—such as frequency checks of variables, claim amount, and claim payment sum on the processed data, against CMS’ IDR on a weekly basis.  Under this process, the AWP Application contractor identifies and deletes any outdated, unnecessary, irrelevant, and inaccurate PII.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: To conduct CMS-approved analysis and/or obtain analysis findings.

  • Contractors: These are direct contractors that require access to validate submitted analysis.

  • Others - Compliance Officers have access to data, in addition to their user authorization privileges.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

The contractor ensures that access to PII is granted strictly on a need-to-know basis. To do so, the contractor leverages CMS-designated Compliance Officers, who are responsible for identifying AWP Application users and whether they warrant access to reports that contain confidential and, when contractually necessary, personally identifiable information. For additional information on these roles, refer to the AWP Application System Security Plan (SSP).

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Although the contractor does not directly collect CMS-related PII, the contractor does obtain CMS authorization to access and use confidential CMS data, including PII, through CMS data use agreements (DUAs). These DUAs mandate that the contractor only request and obtain access to the minimum data necessary to its data analytic work.

Beyond conforming to CMS DUAs' minimum data necessary requirement, the contractor limits internal staff’s access to PII elements to those staff members who must leverage PII to create versions of CMS data that randomize key personal identifiers (e.g., HICN or SSN) via a Link ID and strip any unnecessary PII elements from all research-oriented data files. The contractor's research analysts then use this Link ID in their research work to trace beneficiary-level events. Such activities and the acquisition of confidential CMS data are reviewed at least once every 365 days, whenever the contractor’s CMS DUAs approach expiration, and whenever project terms evolve to ensure that Acumen only retains confidential CMS data necessary to its work.

For the AWP Application users, the contractor leverages CMS-designated Compliance Officers to control and limit PII access, as Officers are responsible for identifying AWP Application users who warrant access to reports that contain confidential and, when contractually necessary, personally identifiable information. For additional information on these roles, refer to the AWP Application SSP.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

For the AWP Application, the contractor uses the Acumen GSS security and privacy awareness training policy to train internal project participants on Application-related security measures. For external project participants who use the AWP Application, the contractor trains those users on Application security via the "Acumen Security Policy," Portal user guides, and the security as well as privacy policies published in the Application. In conjunction, these documents instruct external users on the appropriate method of accessing and using the Application. In addition, the contractor configures the Application so that external project participants must re-certify their agreement with the "Acumen Security Policy" at least once every three hundred sixty-five days and whenever the contractor updates the Policy.

Describe training system users receive (above and beyond general security and privacy awareness training)

Security personnel receive job related training by attending conferences, forums, "on the job" trainings, and other specific trainings throughout the year.  Security personnel must obtain necessary training before granting privileged access to the system.  Security personnel must complete role-based training to continue to maintain privileged access to the system. 

Topics of training include detecting and handling of the latest security threats; updates to privacy regulations; and most recent best practices for securing systems and applications used to support AWP. Security-based role training is recorded within the security department.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Unless the agency or organization governing PII instructs the AWP Application contractor to destroy its PII or the legal authorization agreement authorizing the AWP Application to store PII expires or is revoked (at which point, the AWP Application contractor will destroy the specific PII requested with methods compliant with NIST SP-800-88 rev. 1 within 30 days), the AWP Application maintains records containing PII in accordance with: National Archives and Records Administration (NARA) GENERAL RECORDS SCHEDULE:
- 3.2: Information Systems Security Records for "Item 020: Computer security incident handling, reporting and follow-up records," "Item 035: Cybersecurity logging records," "Item 040: System backups and tape library records,"  "Item 050: Backups of master files and databases" and 
- 4.2: Information Access and Protection Records for "Item 140: Personally Identifiable Information Extract Logs."

Per the user credential information that the AWP Application collects and stores, the AWP Application requires security-related system users to review user accounts annually to determine if access is still required (per CMS security requirements) and disable any unnecessary accounts. However, the AWP Application maintains all disabled user PII indefinitely for future security forensic purposes and in accordance with CMS security requirements.  

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The contractor has established the following security controls in relation to PII resources transmitted through the AWP Application.

Physical security controls include but are not limited to:


Key information system resources for the organization are maintained in a highly secure interior room with only one controlled entrance and no windows. There are no workspaces in this environment. 


Intrusion alarms (motion detection) are armed during non-business hours and notify Acumen’s alarm service if an alarm is activated.

The Systems Administrator performs regular reviews of all access lists and logging to ensure planned and real-time system activities remain accurate and appropriate.  Also, a list of those authorized to gain access to secure computing environments is in place. 


Other alerts monitor the organization’s physical environment, including, but not limited to, fire protection sprinklers and an environmental monitoring device. 

There are no publicly accessible areas at the organization. 

Group Policy enforces workstation locking when not in use. Additionally, individuals with access to PII are responsible by policy and Rules of Behavior (ROB) to ensure non-authorized individuals do not have access to any PII.

All visitors must sign in at the reception desk and be escorted around the Acumen premises at all times. 

Technical controls include but are not limited to:

Border protection devices on all tiers, such as firewalls (Checkpoint and Cisco) and intrusion detection prevention (IDP).


Application users require two separate passwords: one user-generated and one Acumen-generated (i.e., generated by a password-generation system and not known by any Acumen staff) before accessing PII data.

Administrative controls include but are not limited to:


All Application activities, whether performed by administrators or users, are logged, and reviewed periodically.  Review periods are in compliance with CMS requirements.


All accounts are created based on the concept of least privilege.

Administrator access is granted based on the concept of Segregation of Duties. 

Application users are granted access by Acumen after verification with and approval by the Application's Compliance Officer.

Specific details and complete list of all controls are documented in the Application's SSP.

Identify the publicly-available URL:

https://account.programinfo.us
https://ahrq.programinfo.us/
https://ASPR.programinfo.us/
https://cbo.programinfo.us/
https://ccsq.programinfo.us/
https://CDC.programinfo.us/
https://cm.programinfo.us/
https://cmmi.programinfo.us/
https://DAC.programinfo.us/
https://DataExchange.programinfo.us/
https://Demo.programinfo.us/
https://demo2.programinfo.us/
https://doj.programinfo.us
https://enclavetools.programinfo.us
https://fda.programinfo.us/
https://gcoms.programinfo.us
https://hhs.programinfo.us/
https://hrsa.programinfo.us/
https://macpac.programinfo.us/
https://medi-medi.programinfo.us/
https://medpac.programinfo.us/
https://mmco.programinfo.us/
https://NIH.programinfo.us/
https://one.programinfo.us/
https://openpayments.programinfo.us/
https://partd.programinfo.us/
https://platforms.skyshaper.us/
https://programintegrity.programinfo.us/
https://projects.programinfo.us/
https://pubhealth.programinfo.us/
https://reporting.programinfo.us/
https://sdrcassistance.programinfo.us/

Does the website have a posted privacy notice?

Yes

Is the privacy policy available in a machine-readable format?

Yes

Does the website use web measurement and customization technology?

No

Does the website have any information or pages directed at children under the age of thirteen?

No

Does the website contain links to non-federal government website external to HHS?

Yes

Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?

No