Data Exchange System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/5/2024
PIA Questions | PIA Answers | |
---|---|---|
OPDIV: | CMS | |
PIA Unique Identifier: | P-4147469-717162 | |
Name: | Data Exchange System | |
The subject of this PIA is which of the following? | Major Application | |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate | |
Is this a FISMA-Reportable system? | Yes | |
Does the system include a Website or online application available to and for the use of the general public? | Yes | |
Identify the operator: | Agency | |
Is this a new or existing system? | Existing | |
Does the system have Security Authorization (SA)? | Yes | |
Date of Security Authorization | 4/4/2024 | |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) | |
Describe in further detail any changes to the system that have occurred since the last PIA. | N/A | |
Describe the purpose of the system | The purpose of the Data Exchange (DEX) system is to build an authoritative consolidated data system related to the Section 3021 models and Section 3022 programs of the Affordable Care Act, allowing for the communication and exchange of data between CMS and service providers. DEX is a platform that allows State Medicaid Agencies and CMS to exchange information and files related to Medicaid Terminations and Medicare Revocations. Medicaid Terminations and Medicare Revocations are shared between State Medicaid agencies. Users log in periodically to report individuals committing Medicare fraud, Medicaid fraud, or both. CMS reviews the submission and publishes the information of these providers for all states to review and begin their termination process. All States are required to search the Death Master File (DMF) to identify and terminate bad actors that are using Social Security Numbers (SSN) of the deceased. CMS generates reports to ensure all terminations are being processed. | |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | DEX collects Provider information, which contains both PII and non-PII information such as: First and Last Name, used to search / identify provider name in DEX (PII); Doing Business As; Practice Address or addresses (PII); Correspondence Address (PII); Termination Reason. DEX uses the CMS Enterprise Identity Management (EIDM) system to authenticate and authorize user access to the DEX system. The DEX system does not maintain the credentials since this is done within the CMS Identity Management (IDM). DEX relies on Portal IDM to authenticate and authorize user access. The application is hosted inside CMS. Portal and user management (registration/authentication) is handled by the CMS Identity Management (IDM) system, which is managed by the Portal IDM team. To access any data stored in DEX, users must be successfully logged into the IDM Portal to have access to the DEX application. When a new user requests an EIDM account, CMS/Center for Program Integrity (CPI) authority reviews the request and grants access to the user. Authorization credentials include username, password and a multifactor authentication code sent to registered emails or phone numbers. Respective program CMS admins and State Medicaid Agency admins are the common users who have access to the application and the data stored. | |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | DEX is a platform that allows for the exchange of information and files related to Medicaid Terminations and Medicare Revocations of service providers, by State Medicaid Agencies and CMS. DEX users, comprising authorized CMS admins and State Medicaid Agency admins, log in periodically through the CMS EIDM portal to report Providers who have either been terminated from the Medicaid program or had their Medicare provider privileges revoked for committing Medicare fraud, Medicaid fraud, or both. DEX uses PII (NPI, SSN, EIN) to retrieve matching information, either manually via text input or templated input files by authorized users. The retrieved information includes deceased user details across the country, medical provider details and their associated termination records. The search functionality is used on a daily basis by different users. The following information is captured so that it can be shared between all the states that use the information to identify the provider and terminate them from their state’s programs: NPI (PII) - Provider identifier | |
Describe why the information listed in question PIA-012 is collected. The response to this question should consider all information, whether or not it is PII. The response to this question should also specify what information is collected about each category of individual and should document and discuss if records are retrieved by PII elements. Reminder: If you answer Yes to question PIA-022 regarding the method of record retrieval, include in the response to question PIA-013 a brief description of the retrieval practice. Note the PII used and categories of individuals to whom the PII relates. An example is: The Physical Security System (PSS) regularly use PII to retrieve system records including using the last name, employee ID number, and/or work phone number of CMS employees, contractors, and members of the public authorized to access the main campus and satellite offices. | ||
Does the system collect, maintain, use or share PII? | Yes | |
Indicate the type of PII that the system will collect or maintain. | | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Other - Providers who are enrolled in Medicare and Medicaid programs; DEX does not store user data; authorized DEX users log in through the CMS Identity Management (IDM) System portal. | |
How many individuals' PII in the system? | 1,000,000 or more | |
For what primary purpose is the PII used? | The PII is needed by the Data Exchange System to capture details and identify providers that are terminated from the Medicaid and Medicare programs. | |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | None | |
Describe the function of the SSN. | The SSN of providers is used to validate and establish the identity of a provider that is terminated in a Medicaid Program and/or revoked in Medicare. | |
Cite the legal authority to use the SSN. | Section 6501 of the Affordable Care Act (ACA) amends § 1902(a)(39) of the Social Security Act (the Act) and requires State Medicaid agencies to terminate the participation of any individual or entity if such individual or entity is terminated under Medicare or any other State Medicaid plan. CMS also indicated in final implementing regulations at 42 CFR § 455.101, that the requirement to terminate under § 6501 of the ACA only applies in cases where providers, suppliers or eligible professionals have been terminated or had their billing privileges revoked “for cause.” | |
Identify legal authorities governing information use and disclosure specific to the system and program. | Medicare Exclusion Database (MED)(09-70-0534)(71 Federal Register, 70967 December 7, 2006). | |
Are records on the system retrieved by one or more PII data elements? | Yes | |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | The SORN to be used for this collection will be the Medicare Exclusion Database (MED) (09-70-0534) (71 Federal Register, 70967 December 7, 2006). | |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - State Medicaid Agencies input the PII into the DEX system using the user interface, and CMS uploads a file containing PII using an import process and shares it with State Medicaid Agencies. | |
Identify the OMB information collection approval number and expiration date | Affordable Care Act Section 3021 is exempt from Paperwork Reduction Act. | |
Is the PII shared with other organizations? | Yes | |
Identify with whom the PII is shared or disclosed and for what purpose. | State or Local Agency/Agencies | |
State or Local Agency/ Agencies Explanation: | The provider information (PII included) is shared with State Medicaid Agencies (SMA), to track and identify fraudulent Medicaid and Medicare providers, for termination from their state programs. | |
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | CMS has Data Use Agreements (DUA) and Information Exchange Agreement (IEA), which state the terms and conditions for the data exchange between CMS and the State Medicaid Agencies, including the privacy and security safeguards to ensure that the information is protected. | |
Describe the procedures for accounting for disclosures | We use application-local middleware that runs before any Application Programming Interface (API) request is processed; those requests are stored in an encrypted database and can be audited if need be. Backups of the database take place daily and weekly. Any user's request is logged and stored. | |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | DEX is a data exchange system for Medicare/Medicaid provider enrollment information between CMS and State Medicaid Agencies. CMS does not have a direct relationship with the providers and does not collect PII information directly from the provider. DEX does not notify individuals of the collection of their personal information; the responsibility is on the State Agency to notify the provider. | |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary | |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There are no options to opt out, as PII information is not collected directly from providers or individuals. | |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The State Medicaid Agencies (SMA) are responsible for the Medicaid provider enrollment process. CMS does not handle this process and does not collect PII information directly from the provider or individual. | |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The State Medicaid Agencies are responsible for the Medicaid provider enrollment process. CMS does not handle the Medicaid provider enrollment process and does not collect PII information directly from the provider or individual. Providers that enroll are aware of the Medicaid provider enrollment requirements. | |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Before the data is entered into DEX by the State Medicaid Agency, CMS validates identifiers through the State Medicaid Agencies reporting process. CMS reviews the data after the information is reported. CMS and State Medicaid Agencies are responsible for the accuracy of data; DEX only serves as the hosting environment for the processing of information exchange. DEX data is available to authorized users upon completion of CMS required security awareness trainings, completion of background checks, and approval/provision of access to the portal via the CMS Identity Management System. | |
Identify who will have access to the PII in the system and the reason why they require access. | | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The data will only be accessed by the development contractor initially to load and process the data into the DEX system. Once the data is initially loaded, the development contractor will not have access to the data. Any system administrator access to the data will require CMS approval and will be monitored via automatic alerts and notifications. | |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | DEX implements role-based access, limiting user access and assigning permissions to only authorized CMS Users. Developers with prior approval from CMS can access and load the data. All access to the data will be fully monitored via logs, alerts, and notifications. Furthermore, SSNs are not accessible to any of the SMAs and are visible only to the CMS Users. | |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | CMS Security Awareness Training and PII/PHI training are conducted yearly as per CMS policies. All DEX employees are mandated to complete the annual CMS Security Awareness Training and PII/PHI training. | |
Describe training system users receive (above and beyond general security and privacy awareness training) | N/A | |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes | |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | DEX data follows the Bucket 1 retention schedule of DAA-0440-2015-0001-0001. | |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | DEX is hosted in the CMS AWS environment and implements several security control measures for the security of the DEX PII, which include: Administrative controls such as the annual CMS Security Awareness Training and PII/PHI training for all DEX employees, contractors, and users. This training addresses proper use, implementation, management and security of data and the information systems. This training is mandatory for all who have access to DEX. The implementation of MOUs between CMS and the SMA, for the proper use and confidentiality of DEX data. DEX also utilizes least privilege when granting access, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish the assigned tasks. DEX also utilizes technical controls such as firewalls, network monitoring and intrusion detection, user identification / passwords, multi-factor authentication, and data encryption, for safeguarding the flow and access to DEX data, as provided to systems within the CMS boundary. | |
Identify the publicly-available URL: | https://portal.cms.gov | |
Does the website have a posted privacy notice? | Yes | |
Is the privacy policy available in a machine-readable format? | Yes | |
Does the website use web measurement and customization technology? | No | |
Does the website have any information or pages directed at children under the age of thirteen? | No | |
Does the website contain links to non-federal government websites external to HHS? | No |