AdvanceMed GSS

OPDIV:

CMS

PIA Unique Identifier:

P-4844893-812019

Name:

AdvanceMed GSS

The subject of this PIA is which of the following?

General Support System

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

6/15/2022

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Upgraded to ARS 5.0 controls implementation.

AdvanceMed nomenclature changed to Empower AI

Describe the purpose of the system

The AdvanceMed General Support System (AdMed-GSS) is the set of information resources (physical, logical, and organizational) that provide employees with the functionality to carry out programs, contracts, and task orders. The AdMed-GSS will serve as the common shared infrastructure and platform for CMS Major Applications hosted by AdvanceMed on the AdMed-GSS. This system will be covered in this PIA. The other major applications are covered by their own PIAs and they are CERT-RC and PERM-NCIRC.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The AdvanceMed General Support System (Admed-GSS) serves as the general support system for CMS Major Applications (e.g. Medicaid-CHIP Payment Error Rate Measurement – NCI RC (PERM NCIRC) and Comprehensive Error Rate Testing - RC (CERT RC)). Personal Identifiable Information (PII)/Protected Health Information (PHI) is collected, maintained, and shared on the AdMed GSS to support the business objectives and task orders associated with the respective CMS Major Applications. As a result, the type of information the AdMed GSS collects, maintains, and shares are as follows: Usernames and passwords. This system will be covered in this PIA. The other major applications are covered by their own PIAs and they are CERT-RC and PERM-NCIRC.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The AdvanceMed General Support System (Admed-GSS) serves as the general support system (as defined in Appendix III to OMB Circular No A-130) providing the common information technology, resources, and platform for CMS Major Application. The system’s business objective is to enable Empower artificial intelligence (AI) to deliver services per the CMS programs, contracts, and tasks orders. The AdMed GSS provides information technology services on behalf of the business. Empower AI (TM) personnel who access or use the system do not use any personal identifiers to retrieve records held in the system. This system will be covered in this PIA. PII for systems hosted on the GSS are addressed in their own PIAs.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

Other - Usernames and passwords

Indicate the categories of individuals about whom PII is collected, maintained or shared.

• Employees

• Vendors/Suppliers/Contractors
• Other - The AdvanceMed GSS system collects user credential information for end users, developers, and administrators.

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

The system will only use the minimum personal data necessary to achieve the purpose of CMS programs, contracts, and task orders. The AdvanceMed GSS is a hosting platform for major applications. User credential information is used to gain access into the system to perform medical record reviews and for maintenance of the system by developers and administrators.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

There is no secondary use for the PII in the system.

Describe the function of the SSN.

Not Applicable

Cite the legal authority to use the SSN.

Not Applicable

Identify legal authorities​ governing information use and disclosure specific to the system and program.

The authority for information use and disclosure within the system is given under the provisions of sections 1842,1862(b) and 1874 of Title XVIII of the Social Security Act (The Act) (42 United States Code (U.S.C.) 1395u, 1395y(b), 1395kk), 5 USC 301 and departmental regulations.

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Identify the sources of PII in the system: Government Sources

Identify the sources of PII in the system: Non-Government Sources

Other - The system only collects PII from non-government sources, such as system users, developers and system administrators (i.e., usernames and passwords)

Identify the OMB information collection approval number and expiration date

Not Applicable.  The system does not collect PII directly from the public or individuals. The system only collects PII from non-government sources, such as system users, developers and system administrators (i.e., usernames and passwords).

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The AdvanceMed General Support System (Admed-GSS) does not collect PII/PHI directly from the individuals. PII/PHI data is collected by CMS, State, and Medical providers. Process for notifying individuals that their personal information will be collected is a function of CMS, state, and medical providers. This system will be covered in this PIA. PII for systems hosted on the GSS are addressed in their own PIAs. 

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The AdvanceMed General Support System (Admed-GSS) does not collect PII/PHI directly from the individuals. PII/PHI data is collected by CMS, State, and Medical providers. The method of individuals to opt-out of the collection or use of their PII is a function of CMS, state, and Medical providers. This system will be covered in this PIA. PII for systems hosted on the GSS are addressed in their own PIAs.  

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

 The AdvanceMed General Support System (Admed-GSS) does not collect PII/PHI directly from the individuals. PII/PHI data is collected by CMS, State, and Medical providers. The process to notify and obtain consent from the individuals is a function of CMS, State, and Medical providers. This system will be covered in this PIA. PII for systems hosted on the GSS are addressed in their own PIAs. 

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The AdvanceMed General Support System (Admed-GSS) does not directly collect PII/PHI from individuals. Data is collected by CMS, State, or Medical Providers. If individuals want to resolve a concern they believe their PII has been inappropriately obtained, used, or disclosed or that the PII is inaccurate, must contact CMS, State, or Medical Provider in which the data originated. This system will be covered in this PIA. PII for systems hosted on the GSS are addressed in their own PIAs.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

PII is collected by CMS, State, or Medical Providers prior to being sent to the AdMed General Support System (GSS). Therefore, the accuracy and relevancy of the PII is a function of the CMS, State, and Medical Providers in which the data originated. This system will be covered in this PIA. PII for systems hosted on the GSS are addressed in their own PIAs.

However, The AdMed GSS provides secured and encrypted communications between all offices, as well as firewall protection against unauthorized intrusions. In addition, backups are performed daily to ensure critical data can always be recovered to ensure data integrity, availability, accuracy and relevancy.

Identify who will have access to the PII in the system and the reason why they require access.

• Users: AdvanceMed General Support System (Admed-GSS) users access PII on the system to perform the job functions to deliver services to CMS in accordance with defined programs, contracts, and task orders. As such, all PII is covered via the individual contracts via separate PIAs.

• Administrators: Database administrators have access to PHI due to their elevated permissions that are required to perform daily database administrative functions. As such, all PII is covered via the individual contracts via separate PIAs.
• Developers: Developers are responsible for developing and testing of CMS Major Application components and therefore will have access to PII and PHI in the process. As such, all PII is covered via the individual contracts via separate PIAs.
• Contractors: The contractor (both direct and non-direct/independent) performs user, administrative and developer functions previously mentioned for AdMed General Support System (GSS).

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to the AdvanceMed General Support System (Admed-GSS) PII is based on pre-defined user roles which permissions system users receive. The pre-defined user roles are approved by Empower AI Managers/Supervisors to ensure that system users only have access to PII that corresponds with their job function.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

AdvanceMed General Support System (Admed-GSS)) enforces the concept of least privilege to access PII data so that users can access only the minimum amount of PII needed to perform their job function. This is done through first determining the user’s role prior to account creation and then placing users in the appropriate organizational unit that has the predefined least privileges, such as access denied, read-only or edit.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Prior to accessing the AdvanceMed General Support System (Admed-GSS) and Major Applications hosted within, all personnel are required to complete Empower AI Security and Privacy Awareness Training, and sign Rules of Behavior for Use of HHS Information and IT Resources Policy, as well as Empower AI Rules of Behavior – Acceptable Use Policy to certify they understand their responsibility in protecting PII on the system. Users are also required to repeat this training on an annual basis.

Describe training system users receive (above and beyond general security and privacy awareness training)

AdvanceMed General Support System (Admed-GSS) system users, developers and administrators are trained, at a minimum annually, on the appropriate incident handling and reporting procedures pertaining to the potential unauthorized disclosure of PII and PHI. In addition, all personnel with significant security responsibilities take supplemental training specific to their job function, as recommended by National Institute of Standards and Technology (NIST). The said training is completed annually and reported to the CMS ISSO.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The AdvanceMed General Support System (Admed-GSS) and hosted CMS Major Application Information is retained off site at a secure storage facility for a period of 10 years, in accordance with the National Archives and Records Administration (NARA) guideline DAA-GRS-2013-0008-0001.

This records schedule has been verified.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

To secure PII, Empower AI implements administrative, technical and physical controls recommended by CMS Acceptable Risk Safeguards (ARS) 5.0. A detailed personnel screening process is performed prior to requesting or approving access to the AdMed GSS. All Empower AI personnel with access to the AdMed GSS and CMS Major Applications must complete mandatory CMS Security Awareness and Privacy training, as well as sign a Security Policy Acknowledgement form to certify they understand their responsibility in protecting PII on the system. Follow-on training is required annually, or sooner in the event of a breach or security violation pertaining to PII. There is a mandatory Empower AI Security and Privacy Awareness Training that need to be completed prior to accessing AdMed GSS. Lastly, all personnel with access to the AdvanceMed GSS must also sign an Empower AI Rules of Behavior at the completion of their security training.

The AdMed GSS is monitored using a number of automated security tools to detect any unauthorized user activity and to ensure user compliance. Personnel that fail to meet the AdMed GSS security requirements, or those that violate the terms outlined in the Rules of Behavior will have their user account and system privileges revoked and will be reprimanded in accordance with Empower AI policies.

Federal Information Processing Standards (FIPS) 140-2 compliant encryption is used to protect PII/PHI. Perimeter firewalls are configured to encrypt data in transit and full-disk encryption is enabled to protect devices for data at rest. All AdMed GSS users are uniquely identified and authenticated using CMS approved multifactor authentication tokens before accessing the network. 
 

The AdMed GSS resides in the Evoque Co-location data center. This facility implements physical and environmental control to protect PII and sensitive data. Facility access is controlled by Security Officers and badging system with a personnel authorization managed via portal. The facility is monitored with a closed-circuit television (CCTV) and alarm system strategically placed throughout key points of the facility. The AdMed GSS has a designated cage area that is physically segregated with restricted access. In addition, the facility implements environmental protection controls (e.g., fire suppression, humidity sensors, power generators, etc.).