Centers for Medicare and Medicaid Innovation-Innovation Payment Contractor
Date signed: 4/4/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-2646445-801840 |
| Name: | Centers for Medicare and Medicaid Innovation-Innovation Payment Contractor |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 7/26/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | There are no new privacy risks associated with the changes below. NGS has made a number of updates to our Portal to make it more valuable to our users. Model Participants can have Designated Officials (DOs) and Authorized Officials (AOs); they are now able to view and print, if desired, their 1099s from prior tax years. There is also new functionality whereby, annually, they are required to validate and attest to the accuracy of the banking information that the IPC has on file; they are able to update the banking, too, using previously existing functionality. There is also a Participant User role for Participants, although none of the Models we support have opted to use it. There is also a new role for Model Owners (MOs) that provides several management tools to these users, including the ability to upload files required to issue payments, access to demand letters and accounts receivable information, as well as an informational screen that lets them review and update their payment and/or demand schedules. This same functionality has also been deployed for CMS Users, primarily for CMMI staff researching for a Human Centered Design project. No new PII elements have been added since the last PIA was approved. |
| Describe the purpose of the system | The CMMI-IPC system is a Major Application deployed at the Amazon Web Services (AWS) Cloud US-East-1 service center. The purpose of the Centers for Medicare and Medicaid Innovation-Innovation Payment Contractor (CMMI-IPC) is to issue non-claims-based payments and provide related financial management services via Healthcare Integrated General Ledger Accounting System (HIGLAS) to CMMI for multiple models. The goal of the program is testing new health care payment and service delivery models that have the potential to lower Medicare, Medicaid, and Children’s Health Insurance Program (CHIP) spending while maintaining or improving the quality of beneficiaries’ care. NGS developed multiple Payment Modules that are built around the external HIGLAS Financial Payment application. HIGLAS provides project-based accounting allowing financial transactions of various payment models to be partitioned and managed independently. NGS is not responsible for the HIGLAS and CHIP PIAs. NGS maintains its own PIA that outlines the security and privacy parameters for the information contained within it. Additionally, the CMMI-IPC portal performs the following business functions: Gives Designated Officials (representing participants) the ability to enter, update and attest to the validity of banking information to streamline payments; the ability to view payment and demand information; access to a resource library with current versions of program documents. Gives Model Owners the ability to track participant demographics (completed portal onboarding, entered banking, etc.); upload payment and demands; access to a resource library with the current versions of program documents. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | IPC stores participant payment information, including banking information, to process payments. The CMMI IPC system uses the following information in the Model payment process: the Provider name, model ID, address, email address, and federal taxpayer ID. Financial account information, including bank account and routing numbers, and payment amounts are also used in the payment process. IPC utilizes user ID and password, and these login credentials are used to grant access to the system. The login credentials (user ID) used to access IPC are provided to users by the CMS enterprise identity management system. CMS's identity management system is covered by its own PIA. System administrators, developers, and maintainers utilize credentials provided by the data center hosting IPC. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The IPC's payment system is designed to process model payment information from CMMI model teams and disburse funds to model participants based on the direction of the CMMI model. Specifically, the IPC payment system application provides each eligible model participant their earned model payment. After receipt of the payment information file from the model team, funds are requested from CMS, and payment is disbursed to the appropriate participant. Should the model identify an overpayment, the IPC payment system will issue a demand letter to the participant and begin debt collection activities. At a high-level, the IPC system consists of the following subsystem services: The Medicare banking information is preserved in the 588 database table. Banking information can be entered into the IPC Portal via information obtained from other CMS systems, entered into the Portal by the participants or provided by the Model team on electronic CMS-588 forms. The portal authenticates and authorizes participants to see a masked set of financial information that will be used for payment for the models they are participating in. The provider will then have a choice to confirm the information by submitting an attestation or, if the information is not correct, they will be directed to either electronically enter and sign a new Electronic Fund Transfer (EFT) Authorization Agreement (CMS Form 588) for CMMI payments or submit a new 588 form. IPC authorized users are provided access to CMMI Model participant records based upon their assignment. Users can filter on Models that they are assigned to. Login credentials are provided by CMS's enterprise identity management system and used to grant access to the system. Users of IPC are the system administrators, maintainers and developers, participant representatives and Model Team owners. NGS is not responsible for the EIDM PIA. A retention schedule has not been established by CMMI; all program data still exists. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. | |
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
| How many individuals' PII in the system? | 10,000-49,999 |
| For what primary purpose is the PII used? | The primary purposes for the use of PII are to properly disburse model payments and issue 1099s to Providers; and to conduct debt collection activities when necessary. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | None |
| Describe the function of the SSN. | CMMI-IPC does not store or collect SSN. |
| Cite the legal authority to use the SSN. | Not applicable. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Affordable Care Act (ACA) Section 3021 and 5 U.S.C. 301, Departmental Regulations. |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
| Identify the sources of PII in the system: Government Sources | |
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | Not applicable. |
| Is the PII shared with other organizations? | Yes |
| Identify with whom the PII is shared or disclosed and for what purpose. | |
| Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | IPC uses the standard NGS Master Services Agreement (MSA) for all vendors who send/receive sensitive information. CMMI-IPC shares information with US Bank solely related to the providers' financial account information. This agreement is acknowledged through the execution of Purchase Orders (PO). IPC shares information with print vendor contractor solely related to the issuance of 1099s and demand letters to providers. This agreement is acknowledged through the execution of Purchase Orders (PO). |
| Describe the procedures for accounting for disclosures | There are no disclosures of PII other than those that are permissible for CMMI IPC to operate. The system accounts for all disclosures by maintaining an audit record of what information is disclosed to the external parties and for what purpose. The sharing of information between external parties is documented and covered via Interconnection Service Agreements (ISA) documented within CMS’s tracking system and IPC documentation. |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | All major system changes concerning personally identifiable information (PII) are published for comment in the Federal Register as part of a modification of the applicable System of Record (SOR). PII within this system is collected by CMMI Model teams who are responsible for notifying individuals that their personal information is being collected. IPC end-users are given Terms and Conditions during the CMS account registration process which include Consent to Monitoring, Protecting Your Privacy, and Consent to Collection of Personal Identifiable Information (PII). Users will be emailed at the email address provided during registration if there are any changes in the Terms and Conditions. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Within the IPC system, there is not an opt-out option because the PII is used to make payments on behalf of CMMI. The provision of PII is "voluntary" as that term is used by the Privacy Act. However, to receive payment disbursements, individuals must provide PII including all the information collected and used by IPC. IPC system users must provide PII for system administrators to authenticate their identity and provide them with access to IPC. The system's support personnel (administrators, developers) access the IPC system, for troubleshooting purposes, through the CMS Enterprise Portal and are notified at the time of login that they are accessing a government system and that there is no option to opt-out if they want to perform their job functions. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Changes to IPC that would involve changes in uses and disclosures of PII are not expected to occur. If such changes were to occur, CMS will inform individuals using multiple channels, including direct mailings; notices on the CMS web site (including edits to CMS's posted Privacy Policy), or changes to the relevant systems of records notices. Changes involving uses and disclosures of authentication information are also not expected to occur. In the event of such changes, employees will be notified by notices on the CMS intranet; newsletters; updates to the relevant systems of records notices; e-mails to affected individuals; and through supervisors and system owners. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If a user believes their PII has been inappropriately obtained, used, or disclosed, the user must contact the IPC Service Desk who will assign an incident ticket to the IPC Computer Security Incident Response Team, who will investigate and determine any additional steps. The individual may also contact the CMS IT Service Desk by email or telephone. Details of the incident are logged and investigated to determine if further action is required to resolve the concern. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The CMMI-IPC application receives PII from CMMI Models which collect and validate PII for integrity and accuracy at the time of collection. The integrity of this data is maintained by ensuring any discrepancy between the PII sent and received is resolved prior to additional processing. CMMI-IPC receives information from the US Treasury, US Bank, and print vendor to ensure only valid information is processed. All information collected and used by IPC is determined to be relevant for disbursement and verifying payments. If CMMI determines that it no longer has a need for certain data elements, it will request changes to the IPC system and stop collecting those data elements. Data availability is protected by security controls selected as appropriate. IPC follows the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards, and National Institute of Standards and Technology (NIST) documents such as its Special Publications to select controls appropriate to the level of risk of the system, determined using NIST's Federal Information Processing Standard 199. |
| Identify who will have access to the PII in the system and the reason why they require access. | |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to PII is granted based on the user's role following the principles of minimum necessary and least privilege. Managers must approve all system access and re-certify that access within every 365 days. User accounts are reviewed at least annually. Any anomalies are addressed and resolved by contacting the user, or by removing their access if no longer required. Activities of all users are logged and reviewed by the system administrator to identify abnormal activities, and if any are found they are reported to the business owner, and the ISSO. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The system employs role-based access controls. Access is based on least privilege, explicitly denied unless otherwise granted. Access controls limit the ability for administrators, developers, and contractors to access PII. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Security Awareness and Privacy training is provided to each user on a 365-day basis. Users acknowledge successful training after passing a test at the end of training and the system verifies completion. Included in the training is education about how to properly handle sensitive data. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Security personnel are expected to receive job related training by attending conferences, forums, and other specific training on an annual basis. Security based role training is recorded within the security department. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The application adheres to data retention and destruction policies/procedures that follow National Archives and Records Administration (NARA) guidelines related to data retention and NIST guidelines related to data destruction. More specifically, IPC adheres to the following NARA general records schedule guidelines: DAA-0440-2015-0004-0001; Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | To secure PII, IPC follows, and the direct contractor is bound by contract to follow, the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards which are aligned to Health and Human Services (HHS) policies and to National Institute of Standards and Technology (NIST) requirements. IPC PII is secured with security controls as required by the CMS Security Program. Administrative: IPC Users are provided with privacy training to understand how to properly handle and disclose privacy data. The system also uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. Users must receive manager approval to gain access to the system. Technical: The data in IPC is secured behind a firewall and through application security. Technical security controls include, but are not limited to, user accounts, passwords, and access limitation. Physical: AWS Availability Zones are built to be independent and are physically separated from one another. Employee access is given to approved employees and is based on the principle of least privilege. Additional information on AWS Physical Security can be found here: https://aws.amazon.com/compliance/data-center/controls/ |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services