CMS Acquia Cloud

Date signed: 5/22/2025

PIA for CMS Acquia Cloud
PIA Questions	PIA Answers
OPDIV:	CMS
PIA Unique Identifier:	P-1167734-149272
Name:	CMS Acquia Cloud
The subject of this PIA is which of the following?	General Support System
Identify the Enterprise Performance Lifecycle Phase of the system.	Operate
Is this a FISMA-Reportable system?	Yes
Does the system include a Website or online application available to and for the use of the general public?	Yes
Identify the operator:	Agency
Is this a new or existing system?	Existing
Does the system have Security Authorization (SA)?	Yes
Date of Security Authorization	6/6/2025
Indicate the following reason(s) for updating this PIA. Choose from the following options.	PIA Validation (PIA Refresh/Annual Review) Other - Addition of two new applications to Acquia Cloud and transition to Acquia Cloud Next
Describe in further detail any changes to the system that have occurred since the last PIA.	Addition of the following new applications, EMTALA (Emergency Medical Treatment and Labor Act) and ALOHA (Acquia Logs Output and Health Automation) to the Acquia Cloud system boundary, along with the transition to a new hosting environment, Acquia Cloud Next.
Describe the purpose of the system	Acquia Cloud is a Drupal-tuned application lifecycle management suite with a complete infrastructure to support Drupal deployment workflow processes from development and staging through to production. It has a strong focus on security and compliance, a robust API, and automated deployment from a version-controlled code repository. It runs on proven open-source technologies that Acquia has selected, tested, and optimized for Drupal The Acquia web content management platform includes several subsystems. The following sites are currently in scope for Acquia: CMS Homepage CMS Innovation Center CMS Marketplace OpenPayments Data HomePage Medicare Homepage Marketplace HealthCare Data Medicaid & CHIP Open Data HomePage Performance Indicator Reporting System Login File an EMTALA complaint (EMTALA) Aloha-UF Infraops Backends (ALOHA) Aloha Infraops Backends (ALOHA) The ALOHA URLs are internal. They provide logging and monitoring between the frontend and backend of Acquia. Of the above listed sites, sdis.medicaid.gov and the EMTALA complaint form are the only sites that collect Personally Identifiable Information (PII) or Protected Health Information (PHI). For the State Data Information System (SDIS), the PII is collected in support of account creation. For EMTALA, the PII/PHI data is only collected, encrypted, and sent to CMSNet via QualityNet. EMTALA is a project that the CMS Office of Administration is spearheading for the White House. The goal is to support a consumer page to gather their information, encrypt the data, and send the encrypted data to QualityNet via CMSNet. PHI and PII will be transmitted to and collect from the consumer page using Transport Layer Security (TLS Version 1.2) encryption based on a patient's visit to a medical provider.
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)	The data fields appearing on the EMTALA Complaint form on CMS Homepage and being collected from public users are as follows Last Name First Name Phone Email Relationship to patient (I am the patient, I'm filing a complaint for someone else, I work at this hospital, I prefer not to say) U.S. State or Territory Hospital Name When did the problem happen? Describe the situation in detail. Be sure to include The people who were involved (Examples witnesses, hospital staff) What actions you took If the hospital tried to address the situation Any concerns about sharing your information with the state Have you reported this problem before? If so, what office did you report this problem to? NOTE The system of records notice (SORN) applicable to this information collect is the ASPEN Complaints/Incident Tracking System (ACTS) 09-70-0565, published at Privacy Act of 1974; Report of a Modified or Altered System of Records) As required by the state, State Data Information System (SDIS) Performance Indicator Reporting System, the following fields are collected and maintained to create establish a user account Password Email Username (pre-defined by Drupal) Role (State Editor) State affiliation Time zone
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.	The Acquia Cloud System is a Federal Risk and Authorization Management Program (FedRAMP) authorized Cloud Service Provider system. Its platform is built on Amazon web Services (AWS) and inherits infrastructure layer controls from Amazon. Amazon AWS has received a FedRAMP authorization for the infrastructure layer. Acquia Cloud utilizes Drupal website content management tool to provide support for the public with healthcare consumer information. This system supports the CMS e-Government presence and the official public Agency websites for the Centers for Medicare & Medicaid Services. As of January 2022, authentication for all sites will be established via Single Sign on methodology. Physical Security System personnel who access or use the system do not use any personal identifiers to retrieve records held in the system. In this system, the SDIS site collects or stores the Password, Email, Username, Role, State affiliations and Time zone to establish a User ID/account with the appropriate state. All other sites areall authenticated via EUA ID and password. For Enterprise User Administration (EUA) details, please see PIA for EUA.
Does the system collect, maintain, use or share PII?	Yes
Indicate the type of PII that the system will collect or maintain.	Name E-Mail Address Phone Numbers Other - This is specifically for the SDIS application under Open Data only. There are two pieces of identifiable information of corporate PII that are captured in SDIS from users. These are names, email, and location. However, first name and last name are not required, but they are optional to add. Many state user emails are in the form of firstname.lastname@state.gov. Other user types are all authenticated via Enterprise User Administration (EUA) ID and password. EUA has an approved PIA. Additional data for EMTALA complaint form is being collected from public users, including Relationship to patient, US State/Territory, Hospital Name, Names of people involved (witnesses, hospital staff).
Indicate the categories of individuals about whom PII is collected, maintained or shared.	Employees Public Citizens Other - Employees: State Government employees for SDIS; Public citizens filing a complaint, names of witnesses, including hospital staff.
How many individuals' PII in the system?	100-499
For what primary purpose is the PII used?	In Acquia Cloud, the SDIS application collects PII to establish a state user ID and to collect complaints from hospital patients using the EMTALA form.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)	Not applicable.
Describe the function of the SSN.	Not Applicable.
Cite the legal authority to use the SSN.	Not Applicable.
Identify legal authorities governing information use and disclosure specific to the system and program.	5 USC 301
Are records on the system retrieved by one or more PII data elements?	Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.	ASPEN Complaints/Incidents Tracking System (ACTS) 09-70-0565, 83 FR 6591 (2/14/2018) 1-800 Medicare Helpline (HELPLINE), System No. 09-70-0535, 83 FR 659 (2/14/2018) “Health Insurance Exchanges (HIX) Program” (No. 09-70-0560), 83 FR 659 (2/14/2018)
Identify the sources of PII in the system: Directly from an individual about whom the information pertains	In-person Online
Identify the sources of PII in the system: Government Sources	Within the OPDIV State/Local/Tribal
Identify the sources of PII in the system: Non-Government Sources	Other - Individual users/customers using the EMTALA form. OMB package identifier: CMS-10892, OMB Control Number: 0938-1185, Expiration Date 03/31/2026.
Identify the OMB information collection approval number and expiration date	CMS Identifier: CMS-10892 Title: Emergency Medical Treatment and Labor Act (EMTALA) Complaint Form OMB Control Number: 0938-1185() Expiration Date*: 03/31/2026
Is the PII shared with other organizations?	Yes
Identify with whom the PII is shared or disclosed and for what purpose.	State or Local Agency/Agencies: Performance Indicator Reporting System Login allows external user accounts from state agency users. State agency users with the 'State editor' role cannot see any other user, even within the same state
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).	Not Applicable.
Describe the procedures for accounting for disclosures	Not Applicable. There are no procedures accounting for disclosures because user credential is acquired directly from state users.
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.	A CMS Privacy Notice is posted on the same website as the EMTALA complaint form, Emergency Room Rights. There is no mechanism in place to notify individuals when their information is collected because the information capture occurs at the source system level that is covered by its own PIA. State users' PII is only captured after they are made aware that they are accessing the system. Also, system admins do not automatically add a state user in the DKAN tool, they have to come to us to request addition as a state user. First, the potential state user requests that CMS add them to the Drupal Knowledge Archive Network (DKAN) tool as a potential state data entry user. Second, CMS asks for their names and state/work-related email to create their profile. Once a profile is created, the state user now has access. The only personal information that is collected from the state users are their first and last names, and state/work email (with prior notice). No other information is collected from state users.
Is the submission of the PII by individuals voluntary or mandatory?	Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.	First Name, Last Name are required for the submission of the EMTALA complaint form. Name and email address are required for the creation of a user account. The account creation is voluntary and PII is required to create an account. State users are not collected and added to the system without their prior knowledge. Also, system admins do not automatically add a state user in the DKAN tool. They have to come to us to request addition as a state user. First, the potential state user requests that CMS add them to the DKAN tool as a potential state data entry user. Second, CMS asks for their names and state/work-related email to create their profile. Once a profile is created, the state user now has access. The only personal information that is collected from the state users are their first and last names, and state/work email (with prior notice). No other information is collected from state user. CMS user credentials are not initially provided by Acquia It is acquired by the CMS source system- EUA is covered by a separate PIA.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.	A Privacy Act Statement is made available to individuals during the account creation process and within the Privacy Policy of the website. State users are not collected and added to the system without their prior knowledge. Also, system admins do not automatically add a state user in the DKAN tool. They have to come to us to request addition as a state user. First, the potential state user requests that CMS add them to the DKAN tool as a potential state data entry user. Second, CMS asks for their names and state/work-related email to create their profile. Once a profile is created, the state user now has access. The only personal information that is collected from the state users are their first and last names, and state/work email (with prior notice). No other information is collected from state users. The EMTALA form only requires first and last names, which are voluntarily supplied by the consumer. CMS user credentials are not initially provided by Acquia. They are acquired by the CMS source system - EUA (FISMA name) - which is covered by a separate PIA.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.	No process exists for the EMTALA and State Medicaid websites. For the state Medicaid websites, aggregate data is collected at the state level. The only information needed from a state username and email address for registration. Users can request to change their email addresses. No privacy-related data is stored within the Acquia Cloud system. For the EMTALA complaint form, only first name and last name are required fields. All other fields are optional. There is a privacy notice on the website to notify the consumer (patient) of their rights. CMS user credentials are not initially provided by Acquia. They are acquired by the CMS source system- EUA is covered by a separate PIA. State users are not collected and added to the system without their prior knowledge. Also, system admins do not automatically add a state user in the DKAN tool. They have to come to us to request addition as a state user. First, the potential state user requests that CMS add them to the DKAN tool as a potential state data entry user. Second, CMS asks for their names and state/work-related email to create their profile. Once a profile is created, the state user now has access. The only personal information that is collected from the state users are their first and last names, and state/work email (with prior notice). No other information is collected from state users.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.	The system receives PII from another system, therefore, it is covered under EUA’s PIA. If a state user is no longer affiliated with the state or the project, the user account is deactivated. Hence, that user has no access to the portal. State user PII is provided by the user, and the user ensures the data's accuracy.
Identify who will have access to the PII in the system and the reason why they require access.	Administrators: CMS Admin users have access to state user data. CMS Admin access to state user data allows these users the ability to assist state users with any issues they have entering in their data. CMS Admin users also export the data to use on other platforms. Contractors: Some Administrators are also contractors. These contractors are direct contractors who provide support for the SDIS system.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.	Each system user’s access is determined by the CMS EUA job codes that are assigned to the respective user.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.	Acquia User Interface (UI) administrators possess complete administrative privileges for all applications within their assigned organizational unit. There are no additional restrictions on this access. Users without Acquia UI administrative rights access applications via the Drupal frontend. Their access is governed by EUA job codes, which are linked to specific roles within the Acquia applications. These roles dictate the scope of data visibility and modification. EUA job code assignments follow the principle of least privilege, are determined by job responsibilities, and are subject to periodic audits and revocations as job duties change.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.	All CMS users are required to complete the annual CMS Security Awareness training provided annually as a Computer Based Training (CBT) course. Direct contractors also complete their annual corporate security training. Individuals with privileged access must also complete role-based security training commensurate with the position they are working in.
Describe training system users receive (above and beyond general security and privacy awareness training)	Privileged users must also complete role-based security training commensurate with the position they are working in.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?	Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.	Acquia will follow the CMS Records Schedule, which is aligned with the National Archives Records Administration (NARA) Records Control Schedule. DM-0440-2015-0006-0001, Enrollment Records, Request for Records Disposition Authority ODF System access records. Systems not requiring special accountability for access. These records are created as part of the user. These are user identification records generated identification and authorization process to gain according to preset requirements, typically system access to systems. Records are used to monitor inappropriate systems access by users. Includes records such as user profiles log-in files password files audit trail files and extracts system usage files cost-back files used to assess charges for system use Records are cut off at end of calendar year. Destroy no sooner than 7-years after cut off but longer retention is authorized.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.	Administrative – Acquia will follow the least privilege principle, meaning that only those that require access to the data to perform their duties are actually granted that access. In addition, all CMS employees and contractors are required to take privacy and security awareness training that explains the requirements for handling sensitive data. All security controls are reviewed both internally and by an auditor from a third-party accredited organization (3PAO) during Security Control Assessments (SCA) to ensure compliance with CMS security standards. Technical - The Acquia system is built using industry best practices and independently reviewed against Federal Information Security Management Act (FISMA) and NIST Security and Privacy controls to ensure technical, operational, and management controls are properly applied. This includes the necessary Federal Information Processing Standard (FIPS) 140-2 encryption standards to protect the PII both in transit and at rest. In addition, IServ uses the following security principles: define-in-depth, continuous monitoring, and role-based access control. Physical - This system is located in a world-class cloud-based data center which provides premier physical control protections. The services used within the data center undergo their own Security Control Assessment (SCA) from a Third-Party Assessment Organization (3PAO) to ensure compliance with all physical security controls. In addition, the cloud-based environment is FedRAMP certified, including all physical security controls
Identify the publicly-available URL:	CMS Homepage CMS Innovation Center CMS Marketplace Open Payments Data Medicare Homepage Marketplace Datasets Medicaid & CHIP Open Data Performance Indicator Reporting System Login EMTALA Complaint Form(EMTALA) Aloha-UF Infraops Backends (ALOHA) Aloha Infraops Backends (ALOHA) These sites are all hosted on Acquia Cloud.
Does the website have a posted privacy notice?	Yes
Is the privacy policy available in a machine-readable format?	Yes
Does the website use web measurement and customization technology?	No
	Other - Collects PII?: No
Does the website have any information or pages directed at children under the age of thirteen?	No
Does the website contain links to non-federal government website external to HHS?	Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?	Yes

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

View all CMS PIAs