Beneficiary and Family Centered Care Atrezzo Next Generation
Date signed: 4/15/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-4242049-864743 |
| Name: | Beneficiary and Family Centered Care Atrezzo Next Generation |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Initiate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Identify the operator: | Contractor |
| Is this a new or existing system? | New |
| Does the system have Security Authorization (SA)? | No |
| Planned Date of Authorization | 6/30/2025 |
| Describe the purpose of the system | Beneficiary and family Centered Care Atrezzo Next Generation (BFCC ANG) provides a platform for receiving and processing Medicare beneficiaries' appeals, ensuring compliance with regulatory requirements and is designed to centralize and automate the appeals workflow, reduce manual errors, and provide real-time data tracking and reporting capabilities. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | BFCC ANG will collect, maintain and share beneficiary name, date of birth, mailing address, email address, phone number, medical record number, medical notes and legal documents. Medicare Beneficiary Identifier (MBI). |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | BFCC ANG uses beneficiary name, date of birth, email address, phone number, medical notes, legal documents, Medicare Beneficiary Identifier (MBI) to associate the beneficiary information to the appeal (e.g., statement as to why they believe they should not be discharged from a home or have their skilled services terminated) |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 100,000-999,999 |
| For what primary purpose is the PII used? | Beneficiary name, Medicare beneficiary Identifier, email address, date of birth, and medical notes, legal documents, phone number is used in the appeals process to determine eligibility, analyze medical records, communicate review outcome decisions with involved parties, and document appeal decisions. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Secondary uses are for Testing: De-identified PII may be used in controlled, secure environments to test system functionality, upgrades, or new features; Training: Limited and de-identified PII may be utilized to train staff on navigating ANG, entering data, and processing appeals efficiently; Audit and Quality Assurance: PII may be reviewed as part of internal audits or quality assurance processes to ensure compliance with CMS regulations, identify operational inefficiencies, and enhance service delivery; Reporting and Analytics: Aggregated, de-identified PII data may be used to analyze trends, measure performance, and improve system workflows. Such analysis supports data-driven decisions and enhances the overall appeals process. |
| Describe the function of the SSN. | Not Applicable. |
| Cite the legal authority to use the SSN. | Not Applicable. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Code of Federal Regulations (CFR) 42 Section 494. 180 (h) and Sections 226A, 1875, and 1881 of the Social Security Act (the Act) (Title 42 United States Code (U.S.C.), sections 426–1, 1395ll, and 1395rr). TRHCA - 2006 Tax Relief and Health Care Act MMSEA - Medicare, Medicaid and SCHIP Extension Act of 2007 MIPPA - Medicare Improvements for Patients and Providers Act of 2008 |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources | Other HHS OPDIV |
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | Not Applicable. |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The collection of information is done at the Quality Improvement Organization (QIO) facility level. At QIO facility, users are given an informed consent form stating the uses of their PII. Providers are responsible for notifying users that their information will be collected and shared. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | If the individuals wish to opt-out of providing their PII at the source of collection which is in the physician office, they may wave the collection of data at this facility. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Beneficiary and Family Centered Care Atrezzo Next Generation (BFCC ANG) does not obtain or notify individuals concerning their PII. CMS and the Quality Improvement Organizations (QIO) have the responsibility to notify the individuals. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | ANG does not obtain or notify individuals concerning their PII. CMS and the Quality Improvement Organizations (QIO) have the responsibility to handle any concerns identified by individuals. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | All data is scanned upon import to ensure the received information is complete and relevant. Database integrity checks are performed on a scheduled Integrity, the data are scanned to ensure that information has not been compromised. Functionally, reviewers assess the completeness, relevancy, and accuracy of quality review information as part of their review process integral to the work process. Additionally, the Privacy Impact Assessment document and System Security Plan will be reviewed annually. An annual Cybersecurity and Risk Assessment Program (CSRAP) will be conducted to ensure compliance with the CMS Acceptable Risk Standards (ARS). |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Privileged account access needs to be approved by the requestor’s manager, appropriate infrastructure or operations team, and the security team. Requests must include the reason for the request. Role Based Access Control (RBAC) is used to assign privileged roles. The RBAC based security allows roles and rights to be assigned and to ensure that only the required rights are granted to an individual user. Leveraging RBAC, only the roles/permissions required to complete taskings are assigned for each account. Privileged/administrative accounts are separate and have the required roles/permissions assigned to complete privileged tasking. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The system uses role-based access control to grant only the access that is necessary to the user. Every application to access the system is reviewed by management for need and appropriateness prior to being granted access. Monthly reviews are performed on accounts with elevated rights to ensure that access is still appropriate and necessary. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS employees and direct contractors with access to CMS networks, applications, or data must complete mandatory annual Privacy Awareness Training. All ANG users are required to take the CMS Cyber Awareness challenge and the Identifying and Safeguarding Personally Identifiable Information (PII) training within sixty (60) days of entering a position that requires role-specific training, and within every 365 days thereafter. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | All CMS employees and contractors with elevated levels of access, such as system or database administrators, must take additional role-based training, as required. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | BFCC ANG follows the CMS Record Retention Schedule, published April 2015, under the Health Care Quality Improvement Systems (HCQIS) Disposition Authority: N1-440-09-3-Temporary. Delete/destroy after 4 survey cycles or 7 years whichever is later
|
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative controls include but are not limited to: Contingency plans and annual testing, backups of all files, offsite storage of backup files, background checks for all personnel, incident response procedures for timely response to security and privacy incidents, initial security training with refresher courses annually, and annual role based security training for personnel with assigned security roles and responsibilities. The physical security of the data center where the system resides includes the use of access cards for entry, security guards, and video monitoring. Technical controls include but not limited to user authentication with least privilege authorization, firewalls, Intrusion Detection and Prevention systems (IDS/IPS), encrypted communications, hardware configured with a deny all/except approach, auditing, and correlation of audit logs from all systems. Management controls include but are not limited to: Certification and Accreditation (C&A), annual security assessments, monthly management of outstanding corrective action plans, ongoing risk assessment, and automated continuous monitoring. |
| Identify the publicly-available URL: | Website is currently in the development stage. |
| Does the website have a posted privacy notice? | No |
| Is the privacy policy available in a machine-readable format? | No |
| Does the website use web measurement and customization technology? | No |
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | No |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services