Chronic Condition Data Warehouse
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 5/29/2024
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-5754498-529482 |
| Name: | Chronic Condition Data Warehouse |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 4/29/2022 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | The Chronic Condition Data Warehouse has completed a multi-year migration to the Amazon Web Services (AWS) cloud. AWS now provides Infrastructure as a Service (IaaS) components, such as networking, storage, and servers. A Software as a Service (SaaS) vendor Snowflake also provides data warehouse services. The way personally identifiable information and protected heath information (PII/PHI) is collected and shared has not changed. The fundamental way in which PII/PHI is maintained has not changed. However, the technical controls to prevent and monitor for unauthorized access are using cloud-based resources instead of physical devices. The Chronic Condition Data Warehouse is using Federal Risk and Authorization Management Program (FedRAMP) certified cloud vendors to provide assurance that the operations and activities of the vendor and its customers do not impair operations or provide unauthorized access to data. During the migration, the Chronic Condition Data Warehouse moved petabytes of data from the on-premises data center to the cloud. Encrypted communications links have been established to conduct the transfer and data was moved in stages. Each transfer underwent a quality assurance review to ensure that the integrity of the data was maintained. A decommission plan was established to sanitize physical servers and storage devices in the data center once they are no longer needed. This prevents potential unauthorized disclosure of personally identifiable and protected health information that were handled by those systems. |
| Describe the purpose of the system | The Chronic Condition Data Warehouse has completed a multi-year migration to the Amazon Web Services (AWS) cloud. AWS now provides Infrastructure as a Service (IaaS) components, such as networking, storage, and servers. A Software as a Service (SaaS) vendor Snowflake also provides data warehouse services. The Chronic Condition Data Warehouse was designed for the Centers for Medicare & Medicaid Services (CMS) to support research, policy analysis, quality improvements, and demonstrations using Medicare/Medicaid patient level information linked across all claims, eligibility data, nursing home, home health assessments, and CMS beneficiary survey data. The purpose of this system is to collect and maintain a person-level view of identifiable data to establish a data repository to study chronically ill Medicare beneficiaries. This system utilizes data extraction tools to support accessing data by chronic conditions and process complex customized research data requests related to chronic illnesses. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The Chronic Condition Data Warehouse (CCW) maintains administrative use and claims data that includes personally identifiable information (PII) and protected health information (PHI) on patients and providers participating in Medicare and Medicaid programs. The PII and PHI includes Social Security Number, Name, Medical Notes, Military Status, Taxpayer ID, Date of Birth, Mailing Address, Medical Records Number, Provider Number, National Provider Identifier Number, Health Insurance Claim ID, Medicare Beneficiary Identifier (MBI), Sex, Race, Ethnicity, and Date of Death. Additional PII includes information necessary to control access to the Chronic Condition Data Warehouse. This information includes UserID, Password, Email Address, and Business Address. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The primary purpose for the Chronic Condition Data Warehouse’s (CCW) use of the information it collects, uses, and maintains is to establish a data repository to study chronically ill Medicare beneficiaries. This system utilizes data extraction tools to support accessing data by chronic conditions and processes complex customized research data requests related to chronic illnesses. The Chronic Condition Data Warehouse regularly uses PII to retrieve records and perform analysis using: The Chronic Condition Data Warehouse collects and maintains user credentials to control and authenticate access to the system. The general user community consists of external researchers, CMS employees, and CMS direct contractors that will use the Chronic Condition Data Warehouse to obtain access to authorized research data. Internal support staff users responsible for maintaining the system consist of CMS employees and direct contractors. Internal support staff personnel regularly use Name, User ID, and Email Address to retrieve records of users authorized to access the Chronic Condition Data Warehouse. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 1,000,000 or more |
| For what primary purpose is the PII used? | This system employs data extraction tools to support accessing data by chronic conditions and process complex customized research data requests related to chronic illnesses. Information retrieved from this system may be disclosed to: (1) Support regulatory, reimbursement, and policy functions performed within the agency or by a contractor, grantee, consultant or other legal agent; (2) assist another Federal or state agency with information to contribute to the accuracy of CMS's proper payment of Medicare benefits, enable such agency to administer a Federal health benefits program, or to enable such agency to fulfill a requirement of Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; (3) support an individual or organization for a research project or in support of an evaluation project related to the prevention of disease or disability, the restoration or maintenance of health, or payment related projects; (4) support Quality Improvement Organizations (QIO); (5) support litigation involving the agency; and (6) combat fraud and abuse in certain Federally-funded health benefits programs. User credentials are collected to control system access. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
| Describe the function of the SSN. | The Social Security Number is used for two purposes: (1) The SSN is used to link historical patient records that were established prior to the implementation of the Medicare Beneficiary Identifier (MBI). (2) The Social Security Number (SSN) and Medicare Beneficiary Identifier (MBI) are used to create an encrypted beneficiary identifier which is used in place of the SSN on all extracted data from the warehouse. |
| Cite the legal authority to use the SSN. | Medicare Prescription Drug, Improvement, and Modernization Act of 2003. (Section 723); Social Security Act (Title XVIII) |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Affordable Care Act, 45 CFR 155.210(e); Patient Protection and Affordable Care Act; Section 723 of the Medicare Prescription Drug Improvement and Modernization Act of 2003 |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09–70–0573 - Chronic Condition Warehouse Date: 10/31/2014 09-70-0538 Individuals Authorized Access to Centers for Medicare & Medicaid Services Computer Services (IACS) Date: 2/14/2018 |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
| Identify the sources of PII in the system: Government Sources | Within the OPDIV |
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | N/A |
| Is the PII shared with other organizations? | Yes |
| Identify with whom the PII is shared or disclosed and for what purpose. |
|
| Within HHS Explanation: | To Center for Medicare and Medicaid Innovation (CMMI) for the purpose of testing innovative payment and service delivery models to reduce program expenditures while preserving or enhancing the quality of care for those individuals who receive Medicare, Medicaid, or Children’s Health Insurance Program (CHIP) benefits as established by section 1115A of the Social Security Act (as added by section 3021 of the Affordable Care Act). To Policy & Data Analytics Group (PDAG) for work associated with geographic variation in spending and utilization for Medicare and Medicaid beneficiaries. To Information Products and Analytics Group (IPAG) to update the statistics that Office of Enterprise Data and Analytics (OEDA) posts on the CMS public website about the geographic variation in the prevalence of chronic conditions among the Medicare population, as well as other public use files generated from the Geographic Variation Database (GVDB) and other sources such as nursing home assessments. To Office of Minority Health (OMH) – OMH provides funding to external users conducting research focused on improving the effectiveness, efficiency, economy, and quality of services delivered to all Medicare beneficiaries. |
| Other Federal Agency/ Agencies Explanation: | Department of Justice for Data Use Agreement Fulfillment, Research, Fraud and Abuse |
| State or Local Agency/ Agencies Explanation: | State agencies to assist Medicaid programs within the state; for Data Use Agreement Fulfillment, Research, Fraud and Abuse |
| Private Sector Explanation: | To an individual or organization for a research project or in support of an evaluation project related to the prevention of disease or disability, the restoration or maintenance of health, or payment related projects, Data Use Agreement Fulfillment, Research. To Quality Improvement Organizations (QIO) in connection with review of claims, or in connection with studies or other review activities conducted pursuant to Part B of Title XI of the Act, and in performing affirmative outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans. |
| Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | Information sharing with particular entities are handled through a Data Use Agreement (DUA) that specifies the individuals allowed to access the data and the type and extent of data the individuals are allowed to access. The establishment and maintenance of Data Use agreements are handled through the CMS Enterprise Privacy Policy Engine (EPPE) system. |
| Describe the procedures for accounting for disclosures | The CMS Enterprise Privacy Policy Engine (EPPE) maintains a tracking of the authorization for data within the Chronic Condition Data Warehouse. The Chronic Condition Data Warehouse maintains the Data Access Request Tracking System (DART) to track the actual data sets that are provided under a specific Data User Agreement. The information in DART is retained in accordance with the records disposition authority DAA-0440-2015-0007-0001. |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Not Applicable Notice is the responsibility of the systems providing data to the Chronic Condition Data Warehouse: Medicare Drug Data Processing System, Medicare Beneficiary Database, Medicare Advantage Prescription Drug System, Medicaid Statistical Information System, Retiree Drug Subsidy Program, Common Working File, National Claims History, Enrollment Database, Carrier Medicare Claims Record, Intermediary Medicare Claims Record, Unique Physician/Provider Identification Number, Medicare Supplier Identification File, a Current Beneficiary Survey, National Plan & Provider Enumerator System, Long Term Care Minimum Data Set (MDS), Home Health Agencies (HHA) Outcome and Assessment Information Set (OASIS), and Integrated Data Repository. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Opt-out is the responsibility of the systems providing data to the Chronic Condition Data Warehouse: Medicare Drug Data Processing System, Medicare Beneficiary Database, Medicare Advantage Prescription Drug System, Medicaid Statistical Information System, Retiree Drug Subsidy Program, Common Working File, National Claims History, Enrollment Database, Carrier Medicare Claims Record, Intermediary Medicare Claims Record, Unique Physician/Provider Identification Number, Medicare Supplier Identification File, a Current Beneficiary Survey, National Plan & Provider Enumerator System, Long Term Care Minimum Data Set (MDS), Home Health Agencies (HHA) Outcome and Assessment Information Set (OASIS), and Integrated Data Repository. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Notification of changes is the responsibility of the systems providing data to the Chronic Condition Data Warehouse: Medicare Drug Data Processing System, Medicare Beneficiary Database, Medicare Advantage Prescription Drug System, Medicaid Statistical Information System, Retiree Drug Subsidy Program, Common Working File, National Claims History, Enrollment Database, Carrier Medicare Claims Record, Intermediary Medicare Claims Record, Unique Physician/Provider Identification Number, Medicare Supplier Identification File, a Current Beneficiary Survey, National Plan & Provider Enumerator System, Long Term Care Minimum Data Set (MDS), Home Health Agencies (HHA) Outcome and Assessment Information Set (OASIS), and Integrated Data Repository. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals who wish to resolve concerns regarding personally Identifiable Information have the following options: 1. Contact the Chronic Condition Data Warehouse Help Desk; or 2. Contact the CMS Help Desk; 3. Individuals may file complaints directly to the Secretary, HHS through the OCR HIPAA website (found at Internet web address - https://www.hhs.gov/hipaa/filing-a-complaint/) |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Data files are loaded into the Chronic Condition Warehouse on a periodic basis from the other CMS databases. Any corrections in the original collection will be propagated into the Chronic Condition Warehouse up until the final cutoff date for the data set. Routine reviews and automated database integrity checks are used to maintain the integrity of the data while in the Chronic Condition Warehouse. |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to Chronic Condition Warehouse is approved by Centers for Medicare & Medicaid Services, Account Access (CAA). Access is granted using the principle of least privilege, users are only granted access to PII, PHI based on their job responsibilities needed to perform their job. Role creation involves an analysis for the role definition and type of access, periodic access attestations are conducted to ensure the level of access is maintained for each of the roles. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Users are granted access based on their job duties and permissions are established based on their approved job codes assigned to their user IDs. CCW has implemented role-based access controls and conducts periodic access attestations. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | The Centers for Medicare & Medicaid Services requires all employees and direct contractors to undergo annual Security Awareness Training for each user to maintain their access to the system. General users of the Chronic Condition Warehouse are required to complete security awareness training to obtain an account. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | The Chronic Condition Warehouse Maintainer undergoes additional role-based training specific to the targeted roles of Program and Business Managers, System Administrators, and Developers. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Records are maintained and disposed of in accordance with the records disposition authority approved by the Archivist of the United States. Records are destroyed or deleted after 30 years. Retention and disposal statements are pursuant to NARA Disposition Authority DAA-0440-2015-0007-0001. Routine records will be disposed of when the agency determines they are no longer needed for administrative, legal, audit, or other operational purposes. These retention and disposal statements are pursuant to NARA General Records Schedule GRS 3.2-030, "Systems access records. Systems not requiring special accountability for access.” Records from this system that are needed for audit purposes will be disposed of six (6) years after a user’s account becomes inactive. These retention and disposal statements are pursuant to NARA General Records Schedule GRS 3.2-031, "System access records. Systems requiring special accountability for access." |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The Chronic Condition Warehouse uses National Institute of Standards and Technology (NIST), approved encryption tools for encrypting protected health information or personally identifiable information data files. A data-masking technique is applied to the beneficiary identifier for all PII, and PHI included in a data request. PII and PHI files are encrypted. The decryption password is electronically mailed only to the person identified as the recipient of the data. CCW uses an approved courier service (with tracking receipt) to deliver all data extracts containing identifiable data. Deliveries require signature, and email confirmation of receipt is requested. The Data Center undergoes annual security assessment and authorization. Physical and environmental controls include Badging, Loading dock staging area, Operating Area Access Agreements, and Surveillance Monitoring. |
| Identify the publicly-available URL: | https://www.ccwdata.org |
| Does the website have a posted privacy notice? | Yes |
| Is the privacy policy available in a machine-readable format? | No |
| Does the website use web measurement and customization technology? | Yes |
| Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) |
|
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | Yes |
| Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | Yes |