APM Management System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 4/9/2024
| PIA Questions | PIA Answers |
|---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-4781714-796011 |
Name: | APM Management System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 4/18/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Changes to the system since the last PIA: Added interconnections to share data with other CMS/Medicare and Medicaid Innovation (CMMI) systems supporting model operations and CMS internal data repositories to retrieve provider/beneficiary reference data; added/updated several new dashboards and reports; implemented data share to CMS internal data repository; and added/updated file validation rules. |
Describe the purpose of the system | The Alternative Payment Model (APM) Management System (AMS) is a CMMI participant management operations and analytical system for CMMI models. The system: (a) consolidates model and participation information that CMS needs for eligibility determination; (b) tracks model participants; and (c) enables cross model analysis that supports portfolio management. AMS has several dashboards and reports that help CMS/CMMI leadership analyze and understand the effectiveness and reach of CMMI Models. AMS also shares consolidated participation data with other CMS/CMMI system and CMS internal data stores. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | AMS retrieves and stores the following types of information (from CMS internal data stores): (a) model information (i.e., a list of Centers for Medicare and Medicaid Innovation (CMMI) program and their characteristic); (b) participants in those models (e.g., providers, beneficiary, health plans); and (c) key activities completed by those participants (e.g., payment information, quality results). AMS stores the following model information: Model ID, Model start date, Model end date, Model long name, and Model short name, Model characteristics and quality metrics. AMS stores the following Provider information: entity name, Taxpayer ID Number (TIN), TIN Name, Entity ID, Entity Name, business address, mailing address, National Provider Identification (NPI), NPI Name, CMS certification number (CCN), CCN Name, start date, and end date. AMS provides extensive reporting and analytics of model data and model participation data for CMMI leadership. The CMMI office analyze the reach and effectiveness of the CMMI Models. AMS is designed for internal CMS users and CMS direct contractors, acting on behalf of the agency carrying out agency-related functions. AMS utilizes email addresses, user ID and passwords, and these login credentials are used to grant access to the system. The login credentials (user ID) used to access AMS are provided to users by CMS’s Enterprise User Administration (EUA) and has its own PIA. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The AMS system stores, consolidates, and standardizes the CMMI Models data including entity information. The data is validated and verified by the CMMI model teams and uploaded to AMS-by-AMS users. The AMS data is made available to authorized CMS programs, such as the Quality Payment Program (QPP), that depend on the AMS data. The QPP Program is an innovative payment model that gives tools and resources to health care providers to enable them to provide the best possible care to patients. AMS provides participation data to the QPP to support quality payments and scoring. The information AMS stores are entity information such as Entity Name, Taxpayer ID Number (TIN), TIN Name, Entity ID, business address, mailing address, National Provider Identification (NPI), NPI Name, CMS certification number (CCN), CCN Name, Health Insurance Claim Number (HICN) and/or Medicare Beneficiary Identifier (MBI), start date, and end date. AMS also collects Model information which includes Model ID, Model start date, Model end date, Model long name, and Model short name, Model characteristics and quality metrics. AMS also stores beneficiary detail records and biographic including Date of Birth, Medicare Beneficiary Identifier (MBI), Health Insurance Claim Number (HICN), Beneficiary Link Key, Original Entitlement Reason, Medicare status, Benefit type, Enrollment type, Election type, Performance year, Alternative Payment Model (APM)s test various payment and service delivery models that aim to achieve better care for patients, better health for our communities, and lower costs through improvement for our health care system. AMS retrieves records using NPI, TIN, NPI name, Entity ID, Entity Names, and CCN name. APM Entity, provider and beneficiary data validated and consolidated by AMS are exported to other CMS internal data stores. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The primary purpose for the use of Personally Identifiable Information (PII) in the AMS system is for the QPP program. AMS provides QPP with data that enables QPP to determine the eligibility of health care providers to join the QPP program. Providers cannot register for QPP or know their Qualified APM Participant Status without providing their PII. Beneficiary records and data are used by Portfolio Management for quarterly reports. AMS also sends the provider and beneficiary participation data to internal CMS data stores. For user credentials, the primary purpose is for authorized credentialing to the AMS system and for any authorized system logging purposes. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | None |
Describe the function of the SSN. | None |
Cite the legal authority to use the SSN. | Not Applicable |
Identify legal authorities governing information use and disclosure specific to the system and program. | The Patient Protection and Affordable Care Act, Section 3021 |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: Performance Measurement and Reporting System (PMRS) #09-70-0584 Published: Master Demonstration, Evaluation, and Research Studies (DERS) SORN #09-70-0591 |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | N/A |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | N/A |
Identify the OMB information collection approval number and expiration date | Not applicable |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The PII within this system is collected by CMMI model teams that participate in the APMs. The CMMI model teams are responsible for notifying entities that their personal information will be collected. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The provision of PII is "voluntary" as that term is used by the Privacy Act. However, to participate in the Model, participants must provide PII including all the information collected and used by AMS. For user credentials, end-users cannot object to providing PII during CMSs authentication system account registration as it is needed to properly verify user identity and create their account. User credentials are provided by CMS's EUA and has its own PIA. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Changes to AMS that would involve changes in uses and disclosures of participants’ PII are not expected to occur. If such changes were to occur, CMS will inform participants’ using multiple channels, including direct mailings; notices on the CMS web site (including edits to CMS's posted Privacy Policy), or changes to the relevant systems of records notices. Changes involving uses and disclosures of authentication information are also not expected to occur. In the event of such changes, employees will be notified by notices on the CMS intranet; newsletters; updates to the relevant systems of records notices; e-mails to affected individuals; and through supervisors and system owners. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The PII within this system is collected by CMMI model teams that participate in the models. CMMI models are voluntary, and participants choose to apply to the model and opt-in to supplying PII information. The CMMI model teams that provide entity PII to AMS, are responsible for addressing and resolving their participant's concerns when the entities believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. System user's credential information is collected via registration with CMS's authentication system; therefore, no process exists for AMS. The issue should be reported to the CMS IT Service Desk and escalated to the CMS authentication system administrators. User credentials are provided by CMS's EUA and has its own PIA. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The model teams conduct periodic reviews of PII submitted to AMS to ensure the data's integrity, availability, accuracy, and relevancy. The model teams use PII data to communicate with external users and update inaccurate information when it is found. Additionally, users renew their participation with models yearly and provide updated information. In addition, the AMS performs automated checks as it imports data to help ensure data validity. The AMS team conducts periodic reviews of Model data, AMS follows the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards to ensure data integrity, availability, accuracy, and relevancy. AMS System Administrators review user accounts at least quarterly. Any anomalies are addressed and resolved by contacting the user, or by removing their access if no longer required. Activities of all users are logged and reviewed by the AMS system administrator to identify abnormal activities, and if any are found they are reported to the AMS business owner, and the Information System Security Officer (ISSO). For user credentials, CMS's EUA and has its own PIA. It performs its own account auditing to review the user credentials containing PII. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | To obtain access to AMS, users must first obtain credentials via the registration process for CMS's enterprise user administration and authentication system. Once the user has received a user ID and password, a request must be made for access to the AMS system and role. Roles are assigned and access is granted, to AMS and the PII it contains, based upon principle of least privilege, and "need-to-know" or "need-to-access" requirements to perform their assigned duties. The approvers will review the request and justification and approve or reject the request. AMS System Administrators review user accounts at least quarterly. Any anomalies are addressed and resolved by contacting the user, or by removing their access if no longer required. Activities of all users are logged and reviewed by the AMS system administrator to identify abnormal activities, and if any are found they are reported to the AMS business owner, and the ISSO. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Access to PII is provided to users based upon Privacy Acts requirement of least privilege as well as role-based access controls to ensure users are granted access on a "need-to-know" and "need-to-access" and separation of duties commensurate with their assigned duties. AMS System Administrators review user accounts at least quarterly. Any anomalies are addressed and resolved by contacting the user, or by removing their access if no longer required. Activities of all users are logged and reviewed by the AMS system administrator to identify abnormal activities, and if any are found they are reported to the AMS business owner, and the ISSO. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS employees and direct contractors are required to complete mandatory security and privacy awareness training prior to gaining access to the CMS network. Each year thereafter, the user must get recertified. In the event they fail to complete the recertification training, the user's access will be terminated. CMS also requires users, on an annual basis, to complete Role-Based Training and HHS Records and Retention Training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Not Applicable. The internal users are already familiar with the data and the user interface is intuitive enough to not require specialized training. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The application adheres to data retention and destruction policies/procedures that follow National Archives and Record Administration (NARA) guidelines related to data retention and National Institute of Standards and Technology (NIST) guidelines related to data destruction. More specifically, AMS adheres to the following NARA general records schedule guidelines: DAA-0440-2015-0008-0001; Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | To secure PII, AMS follows the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards which are aligned to Health and Human Services (HHS) policies and to NIST requirements. AMS PII is secured with security controls as required by the CMS Security Program. Administrative: The AMS system uses the principle of least privilege as well as a role-based access control to ensure system administrators, and users are granted access on a "need-to-know" and "need- to- access" commensurate with their assigned duties. Physical: Controls include secure buildings, secure data center, and security guards. Technical: Controls include but are not limited to user authentication with least privilege authorization, firewalls, Intrusion Detection and Prevention systems (IDS/IPS), hardware configured to NIST standards, encryption of data at rest and in transit, and auditing. |