Agent Broker Registry
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 9/23/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-8068226-196381 |
Name: | Agent Broker Registry |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Agency |
Is this a new or existing system? | New |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 1/2/2024 |
Describe the purpose of the system | The Agent Broker Registry serves as the central hub for all Agent Broker (AB) details. This includes AB registration, completed training, information exchange with Find Local Help (FLH) / Help on Demand (HOD) platforms, issue escalation, compliance checks for ABs' licenses and Level of Authorization (LOA) based on their state, and reporting for Center for Medicare and Medicaid Services Center for Consumer Information and Insurance Oversight’s (CMS/CCIIO) as well as State Department of Insurance (DOI). Additionally, it provides Help Desk support. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | ABR will collect Agent Broker (AB) Type information, Completion of various trainings, state of licensing, state(s) providing active LOAs, AB address (street, city, state, zip code (5), Email address, CMS Portal ID, National Provider Number (NPN), Registry terminations, Registry Reinstatements, and AB Name and Alias information. Most of this information comes from Identity Management System (IDM), Corner Stone, Marketplace Learning Management System (MLMS), Marketplace data, National Identification Provider Registry (NIPR) system, and Watchlist Information. Some specific reports generated by the system may be accessed via the CMS Enterprise Portal, Agent Broker Registry Reporting (GUI) system if the user has the proper role. The system also pushes data to Granicus for automated emails, Data.Healthcare.gov for Registration Terminations, Registration Completions, and Registration Reports by State. Alias information is sent to IDM for name updates to keep IDM and NIPR names in sync. Historic data is maintained from the beginning of the program (2014) to present. All data is maintained and stored in the system indefinitely until the client says otherwise. usernames are generated through IDM portal and passwords are created by the individual. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | Agent broker Registry collects and stores permanently Agent Broker (AB) Type information such as Completion dates of required trainings, state or states of licensing, Agent Broker address (street, city, state, zip code), Email address, CMS Portal ID or username, National Provider Number (NPN), Registry terminations and Reinstatements, as well as AB Name and Alias information. ABR utilizes AB NPN numbers to retrieve AB information from IDM portal and/or NIPR and its contents are only accessible to those with IDM or NIPR approved login credentials (i.e.: username and passwords). all aforementioned PII are collected for communication and tracking purposes and to ensure AB compliance with CMS policies. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Other - Agents and Brokers |
How many individuals' PII in the system? | 100,000-999,999 |
For what primary purpose is the PII used? | communication and Tracking |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Reporting to CMS. |
Describe the function of the SSN. | ABR does not collect Social Security Numbers SSN. |
Cite the legal authority to use the SSN. | ABR does not collect Social Security Numbers (SSN). |
Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for maintenance, collection and disclosure of information is given under sections 2719, 2723 and 2761 of the Public Health Service Act and section 1321(c) of the Affordable Care Act. |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Health Insurance Exchange (HIX) SORN: 09-70-0560, published February 6, 2013, and updated May 27, 2013, October 23, 2013, and February 14, 2018. |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
Identify the sources of PII in the system: Government Sources | Other Federal Entities |
Identify the sources of PII in the system: Non-Government Sources | Commercial Data Broker |
Identify the OMB information collection approval number and expiration date | OMB Control No: 0938-1204, IRC Reference No: 202207-0938-019, Previous ICR Reference No: 201903-0938-015. Status: Active Submitted 07/29/2022. EXPIRES 08/31/2025. Type of Information Collection: Extension without change of a currently approved collection. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The notification banner on NIPR, where ABR obtains its information, is visible. Agent brokers cannot directly access or input information into ABR. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The notification banner on NIPR, where ABR obtains its information, is visible. Agent brokers cannot directly access or input information into ABR. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The notification banner on NIPR, where ABR obtains its information, is visible. Agent brokers cannot directly access or input information into ABR. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Agent brokers do not have access or input information directly into ABR. Concerns regarding PII inaccuracy or misuse will be corrected or resolved in NIPR, IDM and cornerstone. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The NPN validation process. To keep up with their NPI requirements, Agent brokers are required to be compliant with their LOA and licensing requirements according to their home state. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to any AB PII is regulated based on the roles and responsibilities of individuals. The system or business owner determines access privileges for different roles within the organization. For developers, access is granted through a Center for Medicare and Medicaid services/Enterprise user administration CMS/EUA account, and they are assigned appropriate job codes for Virtual Private Network (VPN) applications. Only developers have access to the backend system and Amazon Web Services (AWS) services. On the other hand, users are authenticated and authorized through the IDM enterprise portal before they can gain access to the ABR-UI (user interface). This ensures that access to PII is controlled and limited to only those who have the appropriate roles and responsibilities within the organization. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | All developers have access to user data stored in backend databases and AWS services. To ensure business continuity, it is necessary for all users to have the appropriate CMS/EUA job codes assigned to them. Additional users have role-based access, limiting their interactions to specific interfaces. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Annual security and privacy awareness training and CMS standard trainings. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Health Insurance Portability and Accountability (HIPAA) Privacy and Security Training. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | As a standard practice, data will be kept for a duration of 7 years. After this period, decisions regarding data archiving will be made by the GTL. The archiving process will utilize Glacier, an AWS service, to store input and output files for potential future needs. However, upon the client (CMS) requests, ABR will maintain all data indefinitely until instructed otherwise. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | All data, whether containing Personally Identifiable Information (PII) or not, is securely encrypted when stored in Amazon S3 and the Agency's Business Repository (ABR) database. Access to ABR is strictly controlled based on individuals' job roles defined by their EUA (Enterprise User Authentication) job codes. This ensures that users only have access to the data and functions necessary for their specific roles, aligning with security controls like AC-3 and AC-6. To monitor the system's security, ABR employs a Splunk dashboard that generates weekly timestamped reports detailing all system accesses. These reports are reviewed by the ABR security team for any irregularities. If critical issues are detected, they are promptly escalated to the GTL (Government Technical Lead), following the guidelines established in controls like AU-6, AU-8, and AU-11. All backup data for ABR is securely stored in AWS GovCloud, ensuring data resilience and compliance with governmental data protection standards. |