Capitol Bridge Worker’s Compensation Case Tracking System
Date signed: 2/7/2022
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-7345179-108169 |
Name: | Capitol Bridge Worker’s Compensation Case Tracking System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | New |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 1/24/2025 |
Describe the purpose of the system | Capitol Bridge is the prime contract holder of the CMS Workers’ Compensation Review Contractor (WCRC) contract in which we evaluate workers’ compensation Medicare set-aside arrangement (WCMSA) proposals and project future medical costs, including prescription drugs, related to the workers’ compensation (WC) injury, illness, or disease that would be otherwise reimbursable by Medicare. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The Capitol Bridge Worker Compensation Case Tracking System collects and stores abstract case identification information only and does not collect or store any PII other than user profile information for the Capitol Bridge employees using this system. Case-specific data collected and stored within the system is data that allows cases to be tracked through each stage of their respective workflows, along with generic quality management data (audit scores, operator performance, turnaround times, etc.). |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Capitol Bridge Worker Compensation Case Tracking System is business logic that operates wholly within an established, secure ServiceNow environment. It stores tracking information on cases to ensure that each case received for review is accounted for as it flows from one stage of its workflow to the next, along with quality gate information to ensure that specific checks are made and documented as they work their way through the system. PII stored within the system is limited to the names, UserIDs and email addresses of Capitol Bridge employees and subcontractors using this system for case review. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Employees |
How many individuals' PII in the system? | <100 |
For what primary purpose is the PII used? | Names, UserIDs, passwords and email addresses of employees using the system are the only PII stored in the system, and they are collected to control system access. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
Describe the function of the SSN. | N/A |
Cite the legal authority to use the SSN. | N/A |
Identify legal authorities governing information use and disclosure specific to the system and program. | 5 USC Section 301, Departmental Regulations. |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - N/A; no PII is collected directly from individuals. |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Other - N/A |
Identify the OMB information collection approval number and expiration date | N/A |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The personally identifiable information, which includes UserIDs, passwords and email addresses, is generated by system administrators based on the first and last name provided by Capitol Bridge employees. Employees are asked for this information as part of the onboarding process. Employees are also informed of their user ID, initial password and email address as part of their onboarding process. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | N/A, because users' PII, which includes names, UserID, password and email address, is required to access the system. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | If CMS changes its practices with regard to the collection or handling of PII related to CBWCCTS, Capitol Bridge will adopt measures to provide any required notice and obtain consent from individuals regarding the collection and/or use of PII. Capitol Bridge will send an email to notify users of the system about any changes to the PII collection procedures. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals who suspect their PII has been inappropriately obtained, used or disclosed in relation to the CBWCCTS have a number of avenues available to address their concerns. They may contact the administrators of CBWCCTS, where their information is held. Individuals may then make further requests for their information to be corrected or amended as needed. Employees or direct contractors with such concerns can additionally work with their supervisors, the CMS 24-hour technical assistance line, and other channels. A list of contacts for various applications is publicly available from CMS.gov as well. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | PII is provided voluntarily by the individual. The individual is responsible for providing accurate information. Accuracy is ensured by individual review at the time of reporting. Personnel may correct/update their information themselves and ensure their PII is relevant and necessary to be granted access to the system. Access is granted and restricted at the individual level as appropriate to the individual's duties (role-based access). Integrity and availability are protected by security controls selected and implemented in the course of providing the system with an authority to operate (ATO). Controls are selected based on NIST guidance concerning the ATO process, appropriate to the system's level of risk as determined using NIST's Federal Information Processing Standards (FIPS) 199. CBWCCTS performs annual reviews to evaluate user access. One of the controls includes information system backups reflecting the requirements in contingency plans as well as other agency requirements for backing up information. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Individuals designated as account management personnel are provided access to account management functionality via access controls in accordance with least privilege. Role assignment determines access control. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Based on user group assignments, users are granted read, write and execute privileges to specific assigned data elements. Additionally, two-factor authentication and encryption provide technical controls over potential access to PII. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Annual security awareness training is required for all personnel. CMS supplies the training as part of new employee orientation, and it is required annually for the length of employment/access to CMS systems. Training on account management policies and procedures is provided to administrative and account management personnel. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Account use and maintenance documentation is provided to all users who receive an account. The documentation provides instruction on initial account setup and ongoing use. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Accounts are checked weekly for activity. Accounts are initially deactivated after 60 days and are permanently deactivated after 90 days of inactivity. The latter requires a new account request process to be followed for reactivation. Per the NARA-approved records retention schedule: delete/destroy when the agency determines they are no longer needed for administrative, legal, audit or other operational purposes. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The administrative controls in place are: system access control in accordance with least privilege, request and approval for access through the Enterprise User Administration (EUA), and role-based access function approvals. The technical controls used to secure PII are encryption of stored PII and encryption of PII while it is being transmitted. Additionally, PII is only accessible by administrative personnel who have established an encrypted connection - Secure Sockets Layer Virtual Private Network (SSL VPN). CBWCCTS is housed in the ServiceNow FedRAMP Gov High data center, whose physical controls include guards, locked facility doors, and climate control protecting all system servers. |