Centralized Data Exchange
Date signed: 4/25/2024
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-7097612-776726 |
| Name: | Centralized Data Exchange |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Agency |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 12/14/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | Changes to the Centralized Data Exchange (CDX) application since the last PIA include enhancements to support the Center for Medicare and Medicaid Innovation (CMMI) strategic initiative for collecting Health Equity-related data and model specific functionality. CDX was also migrated to a new cloud service provider. |
| Describe the purpose of the system | CDX is a secure and reusable platform that enables the CMMI to exchange, store, and validate health-related data with internal and external partners. The application uses modern cloud-based technology, electronic health information standards such as Health Level Seven International (HL7) Fast Healthcare Interoperability Resources (FHIR), and application programming interfaces (APIs). CDX is built upon a robust cloud-based platform that collects Big Data and aids in the progression of this data into Intelligent Digital data based upon health information standards. This progression will support data liquidity and third-party app integration with Certified Electronic Health Record (EHR) Technology (CEHRT), thus producing a refinement of clinical evidence based on quality clinical data captured through care delivery, which will support the mission of CMMI to positively drive the reform of healthcare in America. CDX is part of the CMMI support of and rollout of the interoperability rule. CDX allows data-driven, value-based care support to model teams such that they can include interoperability in the model design, review the model flow, and show how data sharing can help drive change. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | Types of information CDX receives, stores, and validates include Medicare Beneficiary Identifier (MBI), National Provider Identifier (NPI), Medical Records Number, Tax Identification Numbers (TIN), Medical Notes, Mailing Address, Clinical data, Sociodemographic data (e.g., age, sex, education, migration background and ethnicity, religious affiliation, marital status, household, employment, and income), and social needs data (e.g., food insecurity, housing instability, or social isolation). CDX will receive, store, and maintain all data that is uploaded to CDX. The user can delete the files from the User Interface, but the information will be retained in the database until it is archived per the data retention policy. All users will only have access to data that they originally uploaded into CDX or was shared with them by a user that had access to that data in CDX. A user’s ability to share data that was shared with them and not originally posted by themselves, depends on their user role. Data will be stored in accordance with each Model team requirements and allow the submission of data using multiple formats. All models will be able to share data through CDX utilizing its sharing capability. CDX utilizes user ID and passwords, and these login credentials are used to grant access to the system. The CDX end users include CMS internal users (system owners and operators, model teams, and direct contractors) and external entities (model participants and their respective business associates/representatives). The login credentials (user ID) used to access CDX are provided to users by CMS enterprise identity management system. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | CDX provides the capability to replace the current file upload/download features embedded into individual systems with one centralized CMMI file exchange solution. CDX provides a user interface (UI) to enable users to perform ad-hoc exchanges and uses APIs to exchange data via Fast Healthcare Interoperability Resources (FHIR) and other APIs according to the interoperability rules of the Affordable Care Act. PII including MBI, NPI, Medical Records Number, TIN, Medical Notes, Mailing Address, Clinical data, Sociodemographic data (e.g., age, sex, education, migration background and ethnicity, religious affiliation, marital status, household, employment, and income), and social needs data (e.g., food insecurity, housing instability, or social isolation) is received, stored in, and shared through the service that CDX provides to those with access. Login credentials are provided by CMS's enterprise identity management system and used to grant access to the system. The primary consumers of the CDX service are the Model Team and Model Participants. The CDX end users include CMS internal users (system owners and operators, model teams, and direct contractors) and external entities (model participants and their respective business associates/representatives). |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. | |
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
| How many individuals' PII in the system? | 10,000-49,999 |
| For what primary purpose is the PII used? | CDX is a data exchange and technically does not use PII |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A. CDX does not utilize PII for any other purposes. |
| Describe the function of the SSN. | N/A. CDX does not collect SSN. |
| Cite the legal authority to use the SSN. | N/A |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Affordable Care Act (ACA) Sec. 3021 |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
| Identify the sources of PII in the system: Government Sources | |
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | N/A. Information is not collected directly from the individual. |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The information that is submitted is sourced from existing medical records that have already been collected by the provider. Responsibility for patient notification resides at the point of information collection from the individual. However, all Medicare participants are provided with a Notice of Privacy Practice that states that although they can elect to not share data for certain processes, as a condition of participating in Medicare, their information will be shared for certain purposes, such as quality assessment and reporting. CDX user’s authentication is provided by CMS's enterprise identity management system and used to grant access to the system. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The information that is submitted is sourced from existing health-related data that has already been collected by the provider. Responsibility for the patient opt-out process resides at the point of information collection from the individual. All system user login credentials are provided by CMS's enterprise identity management system and used to grant access to the system. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The information that is submitted is sourced from existing medical records that have already been collected by the provider. Changes to CDX that would involve changes in uses and disclosures of beneficiaries' PII are not expected to occur. If such changes were to occur, CMS will inform individuals using multiple channels, including direct mailings; notices on the CMS website (including edits to CMS's posted privacy policy); or changes to the relevant systems of records notices. Changes involving uses and disclosures of authentication information are also not expected to occur. In the event of such changes, employees will be notified by notices on the CMS intranet; newsletters; updates to the relevant systems of records notices; e-mails to affected individuals; and through supervisors and system owners. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The information that is submitted is sourced from existing medical records that have already been collected by the provider. Responsibility for patient concerns regarding the use of PII resides at the point of information collection from the individual. If reportable, security will notify the CMS Help Desk within 1 hour of the incident occurring. (If the event is unreportable, security will notify the Help Desk to close the ticket). The CMS Help Desk Representative will serve as the CMS First Respondent in documenting and assessing the incident to ensure that the incident has been contained. The incident will be escalated and routed to the appropriate CMS group per CMS Incident Response Policy to determine the severity and course of action for mitigation. System user's credential information is collected via registration with CMS's authentication system; therefore, no process exists within CDX to address these concerns. Any perceived issue should be reported to the CMS Help Desk and escalated to the CMS authentication system administrators. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | CDX does not directly collect data from individuals. CMS IS2P2 requires business owners to conduct an initial evaluation of PII/PHI holdings and to review holdings annually to ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete, and to reduce PII holdings to the minimum necessary for the proper performance of the documented CMS function for all information systems containing PII/PHI. Data availability is protected by security controls selected as appropriate. CDX follows the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards and with National Institute of Standards and Technology (NIST) documents, such as its Special Publications, to select controls appropriate to the level of risk of the system, determined using NIST's Federal Information Processing Standard 199. |
| Identify who will have access to the PII in the system and the reason why they require access. | |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | User roles are established and managed in a way that ensures users are only able to access data that pertains to their own organization. Roles are assigned, and access to CDX and the PII it contains is granted, based upon the principle of least privilege and "need-to-know" or "need-to-access" requirements to perform their assigned duties. System Administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user, or by removing their access if no longer required. Activities of all users are logged and reviewed by the system administrator to identify abnormal activities; if any are found, they are reported to the business owner and the ISSO. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The system enforces role-based access controls, based on a least privilege model, to enforce the protection of data from unauthorized personnel. The application controls data access, such that the organizational user will be restricted to only access the data pertaining to their own organization. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS employees and direct contractors are required to complete mandatory security and privacy awareness training prior to gaining access to the CMS Network. Each year thereafter, the user must be recertified. In the event they fail to complete the recertification training, the user's access will be terminated. All CDX end-users will be provided notification at the commencement of each session to make them aware of their responsibilities for protecting the PII/PHI information being shared, collected, and maintained. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | CMS also requires CMS employees and direct contractors, on an annual basis, to complete Role-Based Training and HHS Records and Retention Training. Employees are also required to complete Annual Refresher Training, Insider Threat Training, and Open Web Application Security Project (OWASP) Training (exclusively for the project team i.e., developers, testers, & BAs). |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The application adheres to data retention and destruction policies/procedures that follow National Archives and Records Administration (NARA) guidelines related to data retention and NIST guidelines related to data destruction. More specifically, CDX adheres to the following NARA general records schedule guidelines: DAA-0440-2015-0007-0001, destroy no sooner than 10 year(s) after cutoff, but longer retention is authorized; and DAA-GRS-2013-0005-0003, 5-year retention. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | To secure PII, CDX follows, and the direct contractors are bound by contract to follow, the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards, which are aligned to Health and Human Services (HHS) policies and to NIST requirements. CDX PII is secured with security controls as required by the CMS Security Program. Administrative: Users are provided with privacy training to understand how to properly handle and disclose privacy data. The system uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. Users must receive manager approval to gain access to the system. Technical: The data in CDX is secured behind various infrastructure and application security controls. Technical security controls include, but are not limited to, audit controls, user accounts, passwords, and access limitation. All data at rest in CDX is encrypted with a FIPS 140-2 compliant encryption algorithm. Physical: The Data Center hosting the application has security guards and controlled-access rooms with locks to guard against unauthorized access. |
| Session Cookies - Collects PII?: No |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services