CCIIO Customer Relations Management System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/22/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-5882866-285645 |
Name: | CCIIO Customer Relations Management System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 12/13/2022 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | A new Federally Facilitated Marketplace Assister Community (FFM-AC) platform has been created to conduct outreach (through Assister Support) for consumers transitioning from Medicaid to Marketplace coverage. |
Describe the purpose of the system | The CCRMS supports customer service efforts related to back-office functions of the Affordable Care Act (ACA) and the Marketplace. CCRMS is hosted in the Federal Risk and Authorization Management Program (FedRAMP) accredited cloud hosting environments of Salesforce NA21 Instance and AWS East/West. CCRMS is not hosted in the CMS Enterprise Salesforce.
Salesforce Cloud:
Re-Insurance Contribution System (RICS): The system ingests data from www.pay.gov for the remittance of Reinsurance Contributions and related discrepancies.
Risk Adjustment and Re-Insurance (RARI)/Risk Adjustment Data Validation (RADV)/Vendor Management (VM)
MATS
System Plan and Issuer Data Reporting (SPIDR)
Within the Salesforce environment, CCRMS developers use the Salesforce Visualforce framework. Visualforce is a framework that allows developers to build sophisticated, custom user interfaces that can be hosted natively on the Salesforce Lightning platform. The Visualforce framework includes a tag-based markup language, like HTML, and a set of server-side “standard controllers” that make basic database operations, such as queries and saves, very simple to perform. From those provisions, seven workstreams were identified that required CCIIO to build new or modify existing system functionality. Of these seven, the IDR and Complaints workstreams were added to MATS.
IDRE Application: landing page and application web form for an entity to apply to become a certified IDRE
Complaints
AWS
|
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | CCRMS collects, maintains, and stores information at multiple levels pertaining to individual and company names, email addresses, phone numbers, mailing addresses, taxpayer identification numbers, date of birth, medical record number, medical notes, financial account information, and Social Security numbers, as well as user ID, enrollment accounts, payment information, and Issuer EDGE enrollment and claim data (this is not maintained at the enrollee level).
|
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CCRMS supports customer service efforts related to back-office functions of the ACA and the Marketplace. CCRMS is hosted in the FedRAMP accredited multitenant cloud hosting environments of Salesforce NA21 Instance (Salesforce Enterprise Integration (SEI)) and consumes services from AWS GovCloud and AWS Commercial. CCRMS is not hosted in the Center for Medicare and Medicaid Innovation Cloud Service Provider Salesforce (CMMI CSP SF). CCRMS is comprised of the following Salesforce SaaS: RICS: The system receives and processes inquiries from plan sponsors, tracks the inquiry progress through to resolution and response. It ingests data from www.pay.gov for the remittance of Reinsurance Contributions and related discrepancies. RARI/RADV/VM: The system receives and processes inquiries from organizations that participate in the Marketplace. It brings together the processes of intaking and responding to questions, hosting a library with program information, and intaking and completing audit processes. MATS: The system collects and processes inquiries from Marketplace Assisters and organizations that provide support to consumers in completion, enrollment, and eligibility assistance. SPIDR: SPIDR is a platform that provides automation to facilitate continuous process improvement to support the highly complex operations related to the design, display, certification, and management of qualified health plans. It collects, evaluates, and certifies QHPs from Issuers; and allows users to access their Issuer/Plans and Case information configured to meet the CCIIO needs for managing and reporting on Issuer and Plan Management activities.
IDR: The IDR establishes an independent pathway for issuers, providers, and consumers to settle payment disputes, providing information on payment practices to inform future policymaking, and establishing an effective IDRE certification process that ensures IDR parties have easy access to qualified and carefully evaluated federal IDREs to help successfully resolve their IDR case. Complaints: Complaints is an established process to receive issuer and provider complaints of violations of No Surprises Act rules, including non-compliance with out-of-network service billing (payer is billed by provider and doesn't think they should be), and non-payment by payer to provider (provider submits complaint against payer). The information provided will be stored permanently and will not be shared with organizations outside of the agency, except for Social Security numbers, which are stored temporarily and sent to external partners. As a result, the Personally Identifiable Information (PII) that is collected to retrieve system records includes first/last name, email address, Social Security number, phone number, medical notes, taxpayer ID, date of birth, mailing address, medical records number, financial account number, user ID, enrollment accounts, payment information, and claim data. The users authorized to have access are employees, public citizens, patients and Federal, State and Local Agencies. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The PII purposes:
User identification, validation, and authorization (name, email, and phone number). The information is needed to create user accounts as well as complete any help desk service request that is initiated by the individual.
RADV audit. PII for individuals is collected by the system for individuals enrolled in the medical plans covered by the Marketplace. The information is needed to audit the accuracy of the information on the EDGE servers. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
Describe the function of the SSN. | Social Security number (SSN) is received as part of consumer data and sent downstream to external partners. SSNs are not permanently stored within Salesforce; they are stored temporarily. |
Cite the legal authority to use the SSN. | Sections 1411 and 1414 of the ACA |
Identify legal authorities governing information use and disclosure specific to the system and program. | 5 U.S.C. § 552a(e)(3) |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0560 Health Insurance Exchanges (HIX) Program; 09-70-0516 Complaints Against Health Insurance Issuers and Health Plans (CAHII); 09-70-0511 CMS Risk Adjustment Data Validation System (RAD-V) |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources |
|
Identify the OMB information collection approval number and expiration date | OMB collection approval number 0938-1187 - expiration date 06/30/2025 |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. | Within HHS: The company or plan information is used to validate CCRMS users to obtain a log in to the system. The enrollee level details are used to validate the necessary HHS RADV audits of Issuers. |
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | Data Use Agreements (DUAs): MATS/SPIDR DUA CONT-2021-56912 |
Describe the procedures for accounting for disclosures | The CCRMS follows the CMS/HHS Vulnerability Disclosure Policy, as well as the CMS.gov Privacy Policy. Disclosure Statement: “HHS is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in absence of a readily available corrective action likely increases versus decreases risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us. We may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors. We will not share names or contact data of security researchers unless given explicit permission.” For more details, reference the Vulnerability Disclosure Policy (HHS.gov). Privacy Policy: Protecting your information is very important to us. This privacy policy describes what information we collect, why we collect it, and what we do with it, available at Privacy Policy (CMS). |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | No prior notification is required. PII data that is collected is through the plan sponsors or organizations who participate in the Federally Funded Marketplace. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There is no "opt out" feature required. The information is required for identification, validations, and authorization by the individual to complete the help desk transaction. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | CCRMS subsystems contain privacy statements on each of the forms completed by the plan sponsor or organization. Normally, no further notifications are required once the user completes the form validation and verification process. A user would be notified via email of major system changes. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The individual may contact the specific work stream Help Desk directly by email. This process initiates a ticket number by which a Help Desk agent will respond appropriately to the contact information the user provided. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The CCIIO Customer Relations Management Team conducts reviews of any discrepancies reported by either automated auditing controls, user submitted discrepancies, or manual auditing. Any variation in the accuracy or integrity of the information is logged and reported to CCIIO leadership with details of the audit and additional actions taken for remediation. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The administrative procedures in place to determine which system users may access PII are authentication and authorization rules that give specific permissions to each user role. Role-based access is based on the principle of 'least privilege' where users are given 'need to know' and 'need to access' permissions. All user roles and authorizations for the system are documented in the CCRMS System Security and Privacy Plan (SSPP). Acquiring PII within Salesforce requires individuals to log in through either CMS IDM or a username/password with two-factor authentication enabled. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The system controls in place for access to PII include role-based access permissions, and limits on the PII that is displayed so that only the minimum amount of PII is visible to users. Users are assigned different roles corresponding to different levels of access to data as well as the ability to perform specific actions (e.g., read, update, delete). |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CCRMS personnel undergo corporate and project-specific training at time of hire and annually thereafter. This training includes the CMS Information Systems Security and Privacy Awareness (ISSPA) course (mandatory for all users of CMS Information Systems when users are initially issued their CMS User ID) and review/signature of the HHS Rules of Behavior, with content specific to the protection of PII.
CCRMS personnel must also complete project-specific training before starting work on the project or receiving access to additional roles within CCRMS. |
Describe training system users receive (above and beyond general security and privacy awareness training) | CCRMS personnel are to complete role-based training on at least an annual basis. Training courses are provided by the agency or contractor and include content about updates to the Cloud Service Providers (Amazon Web Services, Salesforce), policy and procedure updates, and proper use of the information system. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | CCRMS operates in accordance with the CMS CCIIO Records Retention Schedule File Plan, National Records Association (NARA), and General Records Schedule (GRS) 3.2 (N1-GRS-07-3 item 13a2). |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | PII is secured in the system using administrative, technical, and physical controls, in accordance with policies and regulations detailed in the CMS Information Security Acceptable Risk Safeguards-Minimum Security Requirements (ARS). Administrative controls include role-based permissions to access CCRMS web pages and applications, request and authentication through the CMS IDM system, security and network policies and procedures as well as security and privacy training regarding securing PII. Technical controls include role-based access, inactivity timeout, multi-factor authentication, data encrypted at rest, data encrypted while being transmitted electronically, network firewall, anti-virus/malware prevention, intrusion detection/prevention technologies, centralized event log monitoring and event alerts. CCRMS, being hosted in the cloud, inherits physical security controls from the FedRAMP Salesforce Government Cloud and Amazon Web Services GovCloud and Commercial. |
Identify the publicly-available URL: | https://nsa-idr.cms.gov/billdisputes, https://nsa-idr.cms.gov/providerresponse, https://nsa-idr.cms.gov/idreapplication |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply) | Session Cookies |
Web Beacons - Collects PII?: | No |
Web Bugs - Collects PII?: | No |
Session Cookies - Collects PII?: | No |
Persistent Cookies - Collects PII?: | No |
Other - Collects PII?: | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government websites external to HHS? | No |