Center for Medicare and Medicaid Innovation Cloud Service Provider Salesforce
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 6/29/2022
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-7938949-242159 |
Name: | Center for Medicare and Medicaid Innovation Cloud Service Provider Salesforce |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 1/27/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | The Center for Medicare and Medicaid Innovation (CMMI) Cloud Service Provider Salesforce (CSP SF) now uses Centers for Medicare and Medicaid Services (CMS) Shared Services: Salesforce Enterprise Integration (SEI) for anti-virus scanning, Okta/Cloud Identity and Access Management (IDM) for single sign-on (SSO) with multi-factor authentication (MFA), and the CMS Security Operations Center (SOC) as-a-Service to support audit log review, security operations, and incident response. No new privacy risks were introduced by these changes. |
Describe the purpose of the system | The Center for Medicare and Medicaid Innovation (CMMI) leverages Salesforce, a Federal Risk and Authorization Management Program (FedRAMP) agency-authorized cloud service. The CMMI Cloud Service Provider Salesforce system (CMMI CSP SF) enables CMMI to quickly stand up web-based portals that allow stakeholders to make initial model submissions, collaborate on innovative ideas, and provide model participant progress reports. CMMI CSP SF includes the following software modules: Letter of Intent, Request for Application, Application Review and Scoring, Manage Awardees/Participants (Organization) via the Project Officer Support Tool (POST), Case Management, Reports and Dashboards, Surveys, Upload/Download Files, Email Alerts, and Connect Community. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The types of information collected or maintained in CMMI CSP SF include Names, Email Address, Mailing Address, Financial Account Information, Phone Numbers, provider attestations, Taxpayer Identification Numbers (TIN), Legal Documents, National Provider Identifier (NPI), CMS Certification Number (CCN), Employment Status, and Provider Transaction Access Number (PTAN). The information is collected from providers, awardee organizations, model participants, and CMS employees and direct contractors. User credentials are managed by Okta/IDM and are used to grant access to the system; they are not stored in CMMI CSP SF. Of user account information, CMMI CSP SF stores only the user's First Name, Last Name, and Email Address. Users of CMMI CSP SF consist of system administrators, maintainers, developers, direct contractors, and model participants. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | CMMI leverages Salesforce's rapid cloud-based development solutions to support its operational needs. Salesforce currently supports various models within CMMI. The active models require a broad range of solutions throughout their lifecycle. Salesforce enables CMMI to quickly stand up web-based portals that allow stakeholders to submit letters of intent, applications, innovative ideas, and periodic progress reports. Salesforce has also been used to develop management tools supporting Model Program teams, program participants, and Awardees. CMMI CSP SF supports the "Solicitation & Building" and "Run, Evaluate & Scale" stages of the Model Life Cycle (MLC). Solicitation & Building is handled through online portals for the submission of Letters of Intent and of Applications to participate in various models. Model participant and project management tools support the Run, Evaluate & Scale stage of the MLC for the various models that use the Salesforce platform. The PII collected belongs to external organization contacts (hospitals, Accountable Care Organizations), state agency contacts, and providers, as well as CMS/CMMI program team members and CMS/CMMI direct contractors working in the Salesforce environment. Information collected or maintained in CMMI CSP SF includes Name, E-Mail Address, Mailing Address, Financial Account Information, Phone Numbers, provider attestations, Taxpayer ID (TIN), Legal Documents, and Other: National Provider Identifier (NPI), CMS Certification Number (CCN), Employment Status, and Provider Transaction Access Number (PTAN). This information is used by the CMMI program team for contact and validation purposes. The fields used to conduct searches within CMMI CSP SF are First Name, Last Name, and Email Address. User credentials are not stored in CMMI CSP SF. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | PII is used to determine a provider's and/or practice's eligibility to participate in a specific CMMI program. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | PII is used to create system accounts and then is used to retrieve Contact History and Cases. |
Describe the function of the SSN. | Not applicable. The SSN is not collected, maintained or transmitted. |
Cite the legal authority to use the SSN. | Not applicable. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Affordable Care Act (ACA) Sec. 3021; 5 USC 301 Departmental Regulations |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: SORN 09-70-0591 Master Demonstration, Evaluation, and Research Studies (DERS) |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | Not applicable |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | All participants in CMMI awards-based programs are provided with a Notice of Privacy Practices stating that, although they can elect not to share data for certain processes, as a condition of participating in the awards program their information will be shared for certain purposes, such as quality assessment and reporting. CMMI CSP SF end users are presented with Terms and Conditions during the CMS account registration process, which include Consent to Monitoring, Protecting Your Privacy, and Consent to Collection of Personally Identifiable Information (PII). Users are emailed at the address provided during registration if the Terms and Conditions change. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The provision of PII is "voluntary" as that term is used by the Privacy Act. However, in order to participate in the awards programs, individuals must provide their PII. This information is used to determine whether an individual or organization can participate in a CMMI awardee-based program. If the individual opts not to provide PII, their participation in the program will be denied. CMMI CSP SF system users, who are CMS employees, direct contractors, and model participants, must provide PII so that system administrators can authenticate their identity and grant them access to CMMI CSP SF. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | When major changes to the system occur that involve changes in disclosure and/or data uses since the time of collection, individuals whose PII is in the system are notified, and their consent obtained, through an updated online privacy notice presented to users upon logging into the site. Changes involving uses and disclosures of authentication information are not expected to occur. In the event of such changes, employees will be notified by notices on the CMS intranet, newsletters, updates to the relevant systems of records notices, e-mails to affected individuals, and through supervisors and system owners. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If an individual has concerns that their personally identifiable information (PII) has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate, the individual can contact the CMS Privacy Officer. Information on how to contact the Privacy Officer is provided in the online privacy notice. If an individual has concerns about their user credential information, the issue should be reported to the CMS Help Desk. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | In accordance with the CMS Acceptable Risk Safeguards (ARS), the CMS model teams conduct ongoing identification, review, and reduction of PII to ensure only the minimum PII holdings needed for system operations and administration are retained. The PII data is also reviewed for relevancy and accuracy. The system provides access control (using role-based permissions), and auditing of data access/modification to secure the data. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | To obtain access to CMMI CSP SF, users must first obtain credentials via the CMMI CSP SF registration process. Once the user has received a user ID and password, a request must be made for a CMMI CSP SF-specific application role. Roles are assigned, and access to CMMI CSP SF and the PII it contains is granted, based on the principle of least privilege and the "need-to-know" or "need-to-access" requirements of the user's assigned duties. Approvers review the request and the justification provided and either approve or reject it. User roles are clearly delineated in the Salesforce Operations and Maintenance Manual, which provides procedures for assigning roles based on the individual's need to know specific information in order to fulfill their job duties. This process applies to administrators, developers, contractors, etc. System Administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if it is no longer required. Activities of all users, including system administrators, are logged and reviewed by Business Owner Representatives to identify abnormal activity. Any abnormal activity found is reported to the Business Owner and the Information System Security Officer (ISSO). |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The system enforces role-based access on a least-privilege model to protect data from unauthorized personnel. The application controls data access such that an organizational user is restricted to only the data pertaining to their own organization. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All Centers for Medicare and Medicaid Services (CMS) employees and CMS direct contractors are required to complete mandatory security and privacy awareness training before gaining access to the CMS network, and must recertify each year thereafter. If a user fails to complete the recertification training, the user's access is terminated. CMS also requires users to complete Role Based Training and HHS Records and Retention Training annually. |
Describe training system users receive (above and beyond general security and privacy awareness training) | CMS and contractor personnel with responsibilities regarding security, incident handling, and/or contingency activities are provided additional training and perform tabletop exercises that test their roles' responsibilities. Refresher training/exercises are repeated at least annually. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The application adheres to data retention and destruction policies and procedures that follow National Archives and Records Administration (NARA) guidelines for data retention and NIST guidelines for data destruction. Specifically, CMMI CSP SF adheres to the following NARA records schedule: Provider and Health Plan Records, DAA-0440-2015-0008-0001; destroy no sooner than 7 years after cutoff, but longer retention is authorized. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | To secure PII, CMMI CSP SF follows, and the direct contractor is bound by contract to follow, the CMS Security and Privacy program, and complies with the CMS Acceptable Risk Safeguards, which are aligned to Health and Human Services (HHS) policies and NIST requirements. CMMI CSP SF PII is secured with the security controls required by the CMS Security Program. Administrative: Users are provided with privacy training so they understand how to properly handle and disclose privacy data. The system applies the principle of least privilege and role-based access control to ensure that system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. Users must receive manager approval to gain access to the system. Technical: The data in CMMI CSP SF is secured behind a firewall and through application security. Technical security controls include, but are not limited to, audit controls, user accounts, passwords, and access limitation. Physical: The data center hosting the application has security guards and controlled-access rooms with locks to guard against unauthorized access. |