Skip to main content

CMS QIO Platform

Date signed: 6/27/2025

PIA information for the CMS QIO Platform system
OPDIV:CMS
PIA Unique Identifier:P-6845674-295924
Name:CMS QIO Platform
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?No
Identify the operator:Contractor
Is this a new or existing system?New
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization12/18/2025
Describe the purpose of the systemThe CMS QIO Platform (CQP) Information System is a new system that was granted it's first authority to operate in May 2024. CQP is built on the Salesforce Government Cloud Plus FedRAMP Cloud Service Provider PaaS/SaaS Platform and designed to serve as a 'single pane of glass' solution to CMS and stakeholders of the CMS Quality Improvement Organization (QIO) program. The system collects, attributes, analyzes, and synthesizes data from a range of sources and generate reports, dashboards, and insights. The system allows for data ingestion, access management, storage, and exchange of data between CMS, QIO awardees, CMS support contractors, data analysts, providers & beneficiaries. CQPs business purpose is to collect, analyze and synthesize provider data to identify and enroll providers that have been identified for performance challenges based on measurement and enforcement data, who serve populations where health disparities or inequities exist or who have limited access to quality improvement resources
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

All data in the CQP originates from other CMS authorized systems (internal and operational) or by direct entry by Quality Improvement Organizations (QIO) program support contractors. Data that is ingested from CMS operational systems is limited to data from the Program Resource System (PRS) which is part of the QualityNet Enterprise Services (Qnet-ES) Federal Information Security Management Act (FISMA) system and the Center for Clinical Standards and Quality (CCSQ) Data Repository and Analytics Platform (CDRAP) FISMA system. Both systems have their own Privacy Impact Assessment (PIA) respectfully. CQP User accounts are created via Health Care Quality Information Systems (HCQIS) Access Roles and Profile (HARP)/Okta (Qnet-ES FISMA system) Just-In-Time (JIT) provisioning and will not be manually entered. The user record is created once the user accesses the CQP Access Portal site. CQP collects and maintains user's username, first name, last name and email address for all CQP users (federal employees and contractors).  

Provider Contact details captured is entered by QIO Contract personnel and collects provider information: Name, Office/mailing Address, Phone Number, email address, Tax Identification Number (TIN), CMS Certification Number (CCN) and National Provider Identifier (NPI).  

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

CQP supports the following processes: enrollment of priority providers; initial and ongoing provider level assessments to define the organizational readiness and the needs and priorities of a particular community and its participants; approval process for Provider Quality Action Plan, documentation of QIO interventions, and reporting of quality outcomes and performance metrics. Users of the CQP system are required to provide some personally identifiable information (PII) to uniquely determine eligibility and identify approved personnel and contractors accessing the CQP system. The provider data that is collected is used to administer and evaluate data driven initiatives including enrollment, assessments, quality action plans, intervention activities, outcome reporting and supports issuance of notices.    

CQP supports the following processes: enrollment of priority providers; initial and ongoing provider level assessments to define the organizational readiness and the needs and priorities of a particular community and its participants; approval process for Provider Quality Action Plan, documentation of QIO interventions, and reporting of quality outcomes and performance metrics.

Users of the CQP system are required to provide some PII in order to uniquely determine eligibility and identify approved personnel and contractors accessing the CQP system.  

The provider data collected is used to administer and evaluate data driven initiatives including enrollment, assessments, quality action plans, intervention activities, outcome reporting and will support issuance of notices.

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Taxpayer ID
  • Mailing Address
  • Other - The CQP system may collect provider information which includes Name, Office/mailing Address, Phone Number, email address, Tax Identification Numbers (TIN), National Provider Identifier (NPI) and CMS Certification Number (CCN). Note: Office/Mailing address may also be a home address if an individual provider has a practice set up in their home. CQP user information collected includes the following user profile attributes:User.Username (user.email)User.FederationIdentifier (user.login)User.FirstName (user.firstName)User.LastName (user.lastName)User.Email (user.email)Contact.LastName (user.lastName)User.Profield (Customer Community Plus Login User CMS)Contact.FirstName (user.fisrtName)Contact.RecordType (CQP Portal)User.Account (CQP Portal)
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
  • Other - The CQP system may collect provider information which includes Name, Office/mailing Address, Phone Number, email address, Tax Identification Numbers (TIN), National Provider Identifier (NPI) and CMS Certification Number (CCN). Note: Office/Mailing address may also be a home address if an individual provider has a practice set up in their home.
How many individuals' PII in the system?100,000-999,999
For what primary purpose is the PII used?PII is needed to maintain a list of points of contacts for health care facilities and other organizations to coordinate and collaborate on Health Care initiatives and activities. PII is also utilized for login credentials, meaning fine-grain access as a role-based system.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)Internal Centers for Medicare & Medicaid Services (CMS) data analysts have access to this data to support analytics, reporting, research and surveys.
Describe the function of the SSN.Not Applicable. SSNs are not directly or indirectly collected within the CQP system. 
Cite the legal authority to use the SSN.Not Applicable. SSNs are not directly or indirectly collected within the CQP system. 
Identify legal authorities​ governing information use and disclosure specific to the system and program.
  • Code of Federal Regulations (CFR) 42 Section 494. 180 (h) and Sections 226A, 1875, and 1881 of the Social Security Act (the Act) (Title 42 United States Code (U.S.C.), sections 426–1, 1395ll, and 1395rr).
  • TRHCA - 2006 Tax Relief and Health Care Act.
  • MMSEA - Medicare, Medicaid, and SCHIP Extension Act of 2007.
Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.
  • Published: 09-70-0536 - Medicare Beneficiary Database (MBD) published 12/4/2006.
  • Published: 09-70-0538 - Individuals Authorized Access to Centers for Medicare & Medicaid Services (CMS) Computer Services (IACS) published 7/26/2002 and updated 12/13/2007 
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
Identify the sources of PII in the system: Non-Government Sources
  • Private Sector
Identify the OMB information collection approval number and expiration dateAn OMB number is not required for the CQP system because information is not collected directly from an individual about whom the information pertains. User Credentials are handled and stored by HARP.
Is the PII shared with other organizations?No
 
  • Within HHS Explanation: PII is to be shared or disclosed in support of the QIO Program related operational processes and oversight.
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.The collection of personal information is done at the QIO facility level and not directly by CQP. At QIO facility level, users are given an informed consent form stating the uses of their PII. Providers are responsible for notifying users that their information will be collected and shared.
Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.Individuals do not have the ability to opt-out of providing their PII. PII is required to create an individual's account and to log in to the system, if individuals do not wish to provide their PII, the user will not be able to create an account or log in to the CQP system.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.CQP does not obtain or notify individuals concerning their PII. CMS and the QIOs have the responsibility to notify the individuals.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.Individuals with concerns who believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate are referred to the QIO Security Point of Contact (SPOC). A CCSQ Service Center security incident report is entered into the ticketing system to track their concern and an Incident Number generated. The Security Points of Contact for the offending group and any recipients of PII are brought into the loop and Security Incident Procedures are followed. All PII is sanitized per the procedures, and anyone who had received it signs a form stating so. All communications to the Customer would be through the CCSQ Service Center.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

HARP supports CQP Account Management and Identification and Authentication of users that are registered through HARP prior to being approved for a role in the CQP (Salesforce) Portal. HARP is responsible for verifying the accuracy of PII collected on the user's behalf during the registration process.  The internal user accounts are synced with HARP so that if an edit is made, (i.e. editing an email address) the email address in Salesforce will reflect the changes. 

Information is received from other QualityNet systems for use in the CQP system on an as-requested basis. All data is checked upon import to ensure the information received is complete and relevant. Once the data is in the CQP environment, information stores are backed-up in accordance with CMS requirements. Database integrity checks are performed on a scheduled basis to ensure that information has not been compromised. Functionally, reviewers assess the completeness, relevancy, and accuracy of quality review information as part of their review process integral to the work process.

Additionally, the Privacy Impact Assessment document and System Security Plan will be reviewed annually. Annual Adaptability Controls Testing (ACT) is conducted to ensure compliance with the CMS Acceptable Risk Standards (ARS).

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: QIO Users who are privileged to see PII/PHI will be able to do so after requesting the appropriate permissions for review and getting approval by a Security Officer, in order to do their work within the CMS QIO Platform (CQP).
  • Administrators: Approved Contractors and CMS system administrators will have full access to see PII/PHI will be able to do so after requesting the appropriate permissions for review and getting approval by a Security Officer, in order to do their work within the CMS QIO Platform (CQP).
  • Contractors: QIO Direct Contractors who are privileged to see PII/PHI will be able to do so after requesting the appropriate permissions for review and getting approval by a Security Officer, in order to do their work within the CMS QIO Platform (CQP).
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access requests are to be tracked within CQP. Each contract organization will have a Security Officer (SO) responsible for approving/vetting requests and higher-level administrator access, is to be reserved for Administered Data Objects (ADO) team and CMS.    

CQP access to PII is based on a user’s specific job function, or role. Each role is evaluated for the minimum necessary access levels needed of the role to perform the tasks necessary for the job. These roles are formally validated and serve as the basis for access to all PII. When an individual is hired, they are onboarded onto CQP and will request a role that will go out to their Security Officer. Once access requests are reviewed and approved, they will be assigned permissions automatically by the system, that may allow them access to PII/PHI data, if required to perform their work duties.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

For planning, approving, and auditing, CQP uses a Roles and Responsibilities matrix to review and track what roles are available for request and what permissions those roles will have that is aligned to CQP system features and data sets, which will be consistent with program level Data Use Agreements (DUA).

As QIO contractor and organizations are added. All changes to the role and permissions mapping logic within the system will go through peer review before released. Users will only be assigned these pre-configured roles and permissions after requesting them within CQP and an approval has been obtained by their assigned Security Officer. 

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.Security and Ethics Trainings are conducted annually via: Centers for Medicare & Medicaid Services (CMS) Annual Security Awareness Training (CBT) and Records Management Training. CMS employees and contractors with elevated levels of access, such as system or database administrators, have to take additional 4 hours minimum of Role-Based Security Training (RBST) as required.
Describe training system users receive (above and beyond general security and privacy awareness training)CQP users receive functional training via webinars and presentations when new users are onboarded and after significant functionality changes in the application. CMS employees and contractors with elevated levels of access, such as system or database administrators, have to take additional role-based training as required.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.CQP will follows the CMS Record Schedule Bucket 6, published April 2017, under the Disposition Authority Number DM-0440-2015-0008-0001. Delete/destroy after 4 survey cycles or 10 years whichever is later. Assessment Data will be destroyed when 20 years old.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative Controls: Include, but not limited to contingency plans and annual testing, backups of all files, offsite storage of backup files, background checks for all personnel, incident response procedures for timely response to security and privacy incidents, initial security training with refresher courses annually, and annual role-based security training for personnel with assigned security roles.

Physical Controls: The physical security of the Salesforce Government Cloud Plus Cloud Service Provider (CSP) where the system resides is a Federal Information Processing Standards (FIPS) 199 Security Category High-Impact and includes the use of access cards for entry, security guards, and video monitoring.

Technical Controls: Include but are not limited to user authentication with least privilege authorization, firewalls, intrusion Detection and Prevention systems, encrypted communication (data at rest and data in transit, using FIPS 140-2 requirements). Hardware is configured with a deny all/except approach, auditing, and correlation of audit logs from all systems.

Management Controls: Include but are not limited to Certification and Accreditation (C&A), annual security assessments, monthly management of outstanding corrective action plans, ongoing risk assessments, and automated continuous monitoring.

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

View all CMS PIAs