Blue Button API On Fast Healthcare Interoperability Resources
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 5/29/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-1048045-000365 |
Name: | Blue Button API On Fast Healthcare Interoperability Resources |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Point of Contact (POC) Title: | Director, DHHS/CMS/OA/OEDA/DASG |
Point of Contact (POC) Name: | Yadira Sanchez |
Point of Contact (POC) Organization: | CMS Office of Enterprise Data and Analytics |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 1/6/2025 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | None |
Describe the purpose of the system | Blue Button Application Programming Interface on Fast Healthcare Interoperability Resources (BBAPI) increases electronic access to health care information by giving Medicare beneficiaries the ability to connect their Medicare Part A, Part B, and Part D claims information to applications that they trust. Applications, created by independent developers and not endorsed or certified by CMS, can be mobile applications, personal health record platforms or research programs. These applications integrate with the BBAPI, adding value for beneficiaries, providers, care organizations, and researchers: they reduce patient burden, streamline information about different kinds of care over time, uncover new insights that can improve health outcomes, and give beneficiaries the ability to access and monitor health information in one place. The beneficiary's ability to see and receive their own health records is a legal right under the Health Insurance Portability and Accountability Act (HIPAA). |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The claims data in the BBAPI is obtained from the following source systems, each covered under its own PIA: Chronic Condition Warehouse (CCW), Medicare Multi-Carrier Claims System (MCS), Fiscal Intermediary Shared System (FISS), and Accountable Care Organization-Operational System (ACO-OS). Claims data maintained in the BBAPI includes explanation of benefits (EOB) for Part A, Part B and Part D claims, coverage data (i.e., Medicare plan type), and patient information that includes name, date of birth, sex, race, address, and deceased date. Provider information includes mailing address and tax number. Encrypted, non-reversible hashes of the Health Insurance Claim Number (HICN) and Medicare Beneficiary Identifier (MBI) are maintained and used only for beneficiary matching. System access information on beneficiaries, including details of the user, data accessed, and application authorization, is maintained in the system. BBAPI regularly uses PII to retrieve system records, including personal identifiers such as the name and user ID number of CMS employees and direct contractors authorized to control and authenticate access to the system. Data is maintained (stored) in the system permanently. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | BBAPI provides Fast Healthcare Interoperability Resources (FHIR)-formatted claims data for individual Medicare beneficiaries to registered third-party applications with beneficiary authorization. (FHIR is a standard for exchanging healthcare information electronically.) A Medicare beneficiary chooses an application to connect their Medicare claims information. The application redirects the beneficiary to the BBAPI for authorization. The beneficiary verifies their identity using their MyMedicare.gov username and password (NOTE: the MyMedicare.gov username and password are not maintained by BBAPI). The patient identifier (i.e., HICN and MBI) is sent to the BBAPI for beneficiary matching. The provider's mailing address and tax number are also used for matching. Token-based authentication allows the application to verify its identity and in return receive a unique access token. The application must supply this token on every request made to the BBAPI on behalf of the beneficiary. Using the access token, the application requests the beneficiary's data from the BBAPI. BBAPI transmits to the application the beneficiary data that includes, if applicable: explanation of benefits (EOB) for Part A, Part B and Part D claims, coverage data (Medicare plan type), and patient information that includes name, date of birth, sex, race, address, and deceased date. The data is then made available to the beneficiary through the application. BBAPI collects and maintains system access information on beneficiaries, including details of the user, data accessed and application authorization, to validate every access made by an application to the BBAPI. BBAPI regularly uses PII to retrieve system records, including personal identifiers such as the name and user ID number of CMS employees and direct contractors authorized to control and authenticate access to the system, and the hashes of the HICN and MBI to retrieve the claims data of Medicare beneficiaries. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | BBAPI is designed for external access that enables an authenticated beneficiary to grant access to their PII to one or more applications of their choice. Access granted by a beneficiary releases their PII to the application. BBAPI regularly uses PII to retrieve system records, including personal identifiers such as the name and user ID number of CMS employees and direct contractors authorized to control and authenticate access to the system. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not Applicable. |
Describe the function of the SSN. | Not Applicable. |
Cite the legal authority to use the SSN. | Not Applicable. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Sections 1902(a)(6), 1142(c)(6) of Title XVIII of the Social Security Act; Sections 1842, 1862(b) and 1874 of Title XVIII of the Social Security Act (42 United States Code (U.S.C.) 1395u, 1395y(b), and 1395kk); Sections 1816, 1862(b) and 1874 of Title XVIII of the Social Security Act (42 U.S.C. 1395(h), 1395y(b), and 1395kk); Section 723 of the Medicare Prescription Drug Improvement and Modernization Act of 2003 (Pub. L. 108-173); Title IV of the Balanced Budget Act (Pub. L. 105-33). |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0573 Chronic Condition Warehouse (CCW); 09-70-0501 Medicare Multi-Carrier Claims System (MCS); 09-70-0503 Fiscal Intermediary Shared System (FISS); 09-70-0598 ACO Database System (ACO-OS) |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - non-government sources |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | Not Applicable. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The claims data in the BBAPI is obtained from the following source systems which are covered under their own PIA: CCW, MCS, FISS, and ACO-OS. Notice is the responsibility of the source systems. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The claims data in the BBAPI is obtained from the following source systems, each covered under its own PIA: CCW, MCS, FISS, and ACO-OS. These systems are responsible for providing methods for individuals to opt out of collection or use of PII. A Medicare beneficiary chooses an application to connect their Medicare claims information. The application redirects the beneficiary to the BBAPI for authorization. The beneficiary verifies their identity using their MyMedicare.gov username and password (NOTE: the MyMedicare.gov username and password are not collected by BBAPI). The beneficiary is presented with an authorization screen on which they can approve or decline authorization. If the beneficiary approves, token-based authentication allows the application to verify its identity and in return receive a unique access token. The application must supply this token on every API call (request) made to the BBAPI on behalf of the beneficiary. The application retains access to retrieve information for the beneficiary only while the token remains valid. If a beneficiary revokes the authorization to their information, the token is invalidated and the application can no longer retrieve any information for the beneficiary. Medicare beneficiaries can revoke the authorization in two ways: by accessing their MyMedicare.gov account and revoking the authorization to the application, or by calling 1-800-MEDICARE (1-800-633-4227), where call center agents can assist with revoking authorization to the application. Beneficiaries can also choose whether or not to share their personal information, such as name, address, date of birth, race, and sex, with the application. On the authorization screen, radio buttons let a beneficiary select only one of two choices: share all your data, or share healthcare data but not personal info. The default selection is to share all data. If a beneficiary later decides to change their selection, they must repeat the authorization process. |
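The authorization and access sequence described in the preceding rows (redirect, beneficiary matching on a hashed identifier, the two-choice scope, per-request token validation, and revocation) as a worked Python model. This is an added example written for this page, not code from CMS or the Blue Button project, and it does not reproduce BBAPI's real implementation. It assumes the non-reversible hash is an HMAC-SHA256 under a server-side key, that access tokens are opaque random strings bound to the application they were issued to, and it models the two authorization choices as the scopes `full` and `claims_only`; the beneficiary record, MBI and application identifiers are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: a server-side key makes the stored beneficiary hash keyed and
# non-reversible; applications never receive the key or the raw MBI/HICN.
MATCH_KEY = b"server-side-secret-not-shared-with-apps"


def bene_hash(identifier: str) -> str:
    """Keyed, non-reversible hash of an MBI or HICN, used only for matching.
    Normalises case, whitespace and dashes so one beneficiary hashes alike."""
    canon = identifier.strip().upper().replace("-", "")
    return hmac.new(MATCH_KEY, canon.encode(), hashlib.sha256).hexdigest()


# Constructed sample record (not real beneficiary data), stored under the hash only.
PATIENTS = {
    bene_hash("1EG4-TE5-MK73"): {
        "patient": {"id": "pt-1", "name": "Jane Q. Sample", "birthDate": "1950-01-02",
                    "gender": "female", "race": "unknown", "address": "123 Main St",
                    "deceasedDate": None},
        "coverage": {"id": "cov-1", "plan": "Part B"},
        "eob": [{"id": "eob-1", "type": "Part B", "total": 120.0}],
    }
}

# Demographic fields withheld under "share healthcare data, but not personal info".
PERSONAL_FIELDS = {"name", "birthDate", "gender", "race", "address", "deceasedDate"}


@dataclass
class Grant:
    app_id: str       # application the token was issued to
    bene_key: str     # hash of the matched beneficiary
    scope: str        # "full" or "claims_only"
    revoked: bool = False


TOKENS: dict[str, Grant] = {}
AUDIT: list[tuple] = []   # (token prefix, app, action, outcome): models the access log


def authorize(app_id: str, identifier: str, scope: str) -> str:
    """Authorization step: match the beneficiary by hash, record the chosen
    scope, and hand the application an opaque token bound to it."""
    if scope not in ("full", "claims_only"):
        raise ValueError(f"unknown scope {scope!r}")
    key = bene_hash(identifier)
    if key not in PATIENTS:
        raise LookupError("no beneficiary matches the supplied identifier")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = Grant(app_id, key, scope)
    AUDIT.append((token[:8], app_id, "authorize", scope))
    return token


def revoke(token: str) -> None:
    """Beneficiary or call-center revocation. The grant stays in the table,
    marked revoked, so later attempts are logged as revoked rather than unknown."""
    if token in TOKENS:
        TOKENS[token].revoked = True
        AUDIT.append((token[:8], TOKENS[token].app_id, "revoke", "ok"))


def fetch(token: str, app_id: str) -> dict:
    """Resource request: every call re-checks the token, its binding to the
    calling application and revocation, then applies the scope before returning."""
    grant = TOKENS.get(token)
    if grant is None or grant.revoked or not hmac.compare_digest(grant.app_id, app_id):
        AUDIT.append((token[:8], app_id, "fetch", "denied"))
        raise PermissionError("token unknown, revoked, or issued to another application")
    rec = PATIENTS[grant.bene_key]
    patient = rec["patient"]
    if grant.scope == "claims_only":
        patient = {k: v for k, v in patient.items() if k not in PERSONAL_FIELDS}
    AUDIT.append((token[:8], app_id, "fetch", grant.scope))
    return {"patient": patient, "coverage": rec["coverage"], "eob": rec["eob"]}
```

Two design points carry over to any real deployment of this pattern: the scope is enforced by the resource server on every request, not trusted from the client, so an application that was granted `claims_only` cannot obtain demographics by asking differently; and revocation is a state change on the server side, so a token the application has cached stops working immediately rather than at expiry.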
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The claims data in the BBAPI is obtained from the following source systems which are covered under their own PIA: CCW, MCS, FISS, and ACO-OS. These source systems are responsible to provide notices and obtain consent when major changes occur to their systems. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The claims data in the BBAPI is obtained from the following source systems which are covered under their own PIA: CCW, MCS, FISS, and ACO-OS. BBAPI system administrators can revoke application credentials for concerns that PII has been inappropriately obtained, used, or disclosed. This would prevent the application from using the BBAPI to access information for any beneficiary that provided an authorization. If a beneficiary has concerns that their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate, they can use these methods for resolution: Beneficiaries can access their MyMedicare.gov account and revoke the authorization to the application. Beneficiaries can contact 1-800-MEDICARE (1-800-633-4227). Medicare call center agents have scripts available that can assist a beneficiary with a concern about an application that is connected to their information. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The claims data in the BBAPI is obtained from the following source systems which are covered under their own PIA: CCW, MCS, FISS, and ACO-OS. These source systems are responsible for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy, and relevancy. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to PII is granted using the principles of least privilege and need to know; users are only granted access to PII based on their job responsibilities needed to perform their assigned duties. Role creation involves an analysis for the role definition and type of access. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | BBAPI system administrators, developers and direct contractors may be required to review PII maintained in the system to validate the mapping of data. In these instances, PII is restricted to only those users who are needed to perform the necessary validation. The BBAPI platform is designed to automate software deployment. Software can be deployed to application servers by source-controlled scripts, without manual intervention, enabling deployments to be closely monitored and avoiding the need to access PII. Security information and event management (SIEM) tools are used to monitor access and detect anomalies. Any anomalies are addressed and resolved by contacting the user, modifying their user access, or by removing their access if no longer required. Activities of all users including system administrators are logged and reviewed to identify abnormal activities. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Security and privacy awareness training is provided to each user on an annual basis. All users are required to complete training to obtain a user account and annually thereafter. Required training includes annual Department of Health and Human Services (HHS) Information Systems Security Awareness Training, annual HHS Privacy Training, and reading and attesting to the Rules of Behavior for Use of HHS Information Resources (HHS RoB). |
Describe training system users receive (above and beyond general security and privacy awareness training) | Role-based training is required for those with significant information security and privacy responsibilities. BBAPI system administrators, developers and direct contractors are required to complete annual role-based training. Examples of role-based training include Incident Response exercises and Contingency Planning exercises. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Records are maintained in accordance with the National Archives and Records Administration (NARA) records schedule DM-0440-2015-0008. Records are retained for 7 years unless longer retention is authorized. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | BBAPI implements multi-tier architecture, separating different components of the system into subnets. Each subnet is separated by a firewall that is configured to deny all traffic, unless explicitly allowed. Administrative controls include annual security and privacy training for the proper handling of information, configuration management, change management, periodic review of users, and deletion or revoking of user accounts. Technical controls include multi-factor authentication, session locks, encryption, mutual transport layer security (TLS), firewalls, vulnerability scans, penetration testing, and monitoring. Physical controls include a secure AWS data center, video surveillance, intrusion detection systems, uninterruptible power supply (UPS), back-up generators, environmental controls to maintain a constant operating temperature, smoke detection sensors, and sprinkler systems. |
Identify the publicly-available URL: | https://bluebutton.cms.gov/ https://sandbox.bluebutton.cms.gov/ |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the type of website measurement and customization technologies in use and whether they are used to collect PII. (Select all that apply) | Other - Google Analytics. This web analytics service is not used to collect PII. Google Analytics is used to determine how users navigate the BBAPI website and documentation, providing insights that can be used to improve performance. |
Web Beacons - Collects PII?: | No |
Web Bugs - Collects PII?: | No |
Session Cookies - Collects PII?: | No |
Persistent Cookies - Collects PII?: | No |
Other - Collects PII?: | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government website external to HHS? | No |