Deliverable Administration, Report, and Repository Tool
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 2/15/2024
OPDIV: | CMS |
---|---|
PIA Unique Identifier: | P-4994757-105380 |
Name: | Deliverable Administration, Report, and Repository Tool |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 4/28/2022 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | There are no new changes to the system; however, DARRT is in the Operations and Maintenance stage, which includes bug fixes and software security fixes. The system has not been requested to collect new Personally Identifiable Information (PII) or Protected Health Information (PHI) elements. |
Describe the purpose of the system | The Deliverable Administration Review and Repository Tool (DARRT) is a cloud-based solution providing a program management tool for CMS and Quality Improvement Organization (QIO) users. DARRT is operational and provides the following functions: Deliverables - provides CMS Center for Clinical Standards and Quality for the Centers (CCSQ) contractors, CCSQ Central Office staff and CMS Regional Office staff a central location for the submission, review and storage of Quality Improvement contractor related artifacts, including but not limited to Contract Deliverables and Quality Measure Reports; Quality Improvement Initiative (QII) - initiation and tracking. As defined in 42 CFR 476.1, a Quality Improvement Initiative (QII) is any formal plan designed to assist a provider(s) and/or practitioner(s) in identifying the root cause of a confirmed quality of care concern, develop a framework in which to address the concern and improve a process or system. The improvements may relate to safety, healthcare, health, and value and involve providers, practitioners, beneficiaries, and/or communities. QIIs may consist of system-wide (organization-based) and/or non-system-wide (practitioner-based) activities. System-wide QIIs are improvement activities that may require technical assistance and interventions as defined in 42 CFR 476.1. Non-system-wide QIIs may not warrant technical assistance or interventions, but the Beneficiary and Family Centered Care-Quality Improvement Organizations (BFCC-QIO) shall propose recommendations regarding the quality-of-care concern. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | Deliverable Administration, Review, and Repository Tool (DARRT) stores contract deliverable information such as task orders, result documentation, periodic reports, deliverable definitions, and submission files. The type of Personal Identifiable Information (PII)/Protected Health Information (PHI) that could be uploaded to DARRT includes: Name; Phone Number; Medical Notes; Date of Birth; Medical Records Number; Medical notes such as patient diagnosis, lab results, and provider information. DARRT has warning banners in place to let users know not to upload PII/PHI to the system. There is a chance that documents needed by the application for documentation may contain PII or PHI. This could be name, phone number, date of birth, medical record number, medical notes such as patient diagnosis, lab results, and provider information reflected in the Quality Improvement Initiative (QII) Referral Documentation section of DARRT. Any Personal Identifiable Information (PII) that is uploaded as a comment or attachment is not used by the application. Any attachments that are uploaded to DARRT are encrypted at rest using industry best practices. Login credentials (User ID and password) are handled and stored by Okta (CMS single sign-on provider) via the Healthcare Quality Information System (HCQIS) Access Roles and Profile (HARP) system managed by Alcor. DARRT maintains user authorization mapping as well, for the purposes of determining what a user has access to read or write upon accessing the system. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | QIOs, who are direct contractors, monitor the appropriateness, effectiveness, and quality of care provided to Medicare beneficiaries. QIOs provide critical support by submitting reports to the Centers for Medicare and Medicaid Services (CMS) that contain quality indicators and information for health plans, providers, and practitioners to improve the quality of care provided to Medicare beneficiaries. The Deliverable Administration, Review, and Repository Tool (DARRT) system stores non-PII (Personal Identifiable Information) data, specifically that pertaining to Deliverable Definitions, which is just metadata about the Submission File. As stated earlier, a deliverable is a requirement that contractors must meet in a timely manner. Specific deliverables are listed in the Schedule of Deliverables. Contractors submit documents to a deliverable. The Contracting Officer (COR) reviews the files submitted to the deliverable and determines if the files meet the criteria for the deliverable. When uploading submission files, it is possible that end users may add data that contains PII/PHI. DARRT currently has a warning banner in place to remind users not to upload any data that may contain PII/PHI. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Patients |
How many individuals' PII in the system? | <100 |
For what primary purpose is the PII used? | The Personal Identifiable Information (PII) is not used by the application. It is possible that documents needed by the application for documentation may contain PII or Protected Health Information (PHI). This could be First/Last names of patients, patient diagnosis, lab results, name of providers. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There are no secondary uses for the Personal Identifiable Information (PII) since we do not encourage PII to be entered into Deliverable Administration, Review, and Repository Tool (DARRT). |
Describe the function of the SSN. | Not Applicable |
Cite the legal authority to use the SSN. | Not Applicable |
Identify legal authorities governing information use and disclosure specific to the system and program. | The statutory authority for this system is given under the provisions of sections 226A, 1875, and 1881 of the Social Security Act (the Act) (Title 42 United States Code (U.S.C.), sections 426-1, 1395ll, and 1395rr) and 5 USC 301, Departmental Regulations. |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Other - Other - Documents uploaded to DARRT relating to QII (Quality Improvement Initiative) Referrals are not supposed to contain PII/PHI but may contain it as the system does not check for PII/PHI. We also have QIO confidential information that is an additional layer of confidential information. Note: Provider and individual physician names may be uploaded to the following areas within DARRT. This is not traditional PHI or PII, but it is still confidential information. QII Referral Documentation(s). Deliverable D.14 reports the results of focused reviews. Deliverable D.16 is the monitoring and reporting requirements; Livanta provides a monthly report of its sanctions activities. |
Identify the OMB information collection approval number and expiration date | Not Applicable |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Not Applicable |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Not Applicable |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Not Applicable |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Not Applicable |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | To ensure the system's data integrity, the application encrypts all data in transit as well as data at rest using the Department of Defense's best practice encryption standards. To ensure data availability, the system is hosted with Amazon's cloud datacenter and has backup zones in the case that the datacenter suffers failure. To ensure data accuracy, DARRT creates reports within the application that give metrics on the data contained within the application. We do not encourage Protected Health Information (PHI) or Personal Identifiable Information (PII) to be entered into DARRT. There is a chance that documents needed by the application for documentation may contain PII or PHI. This could be name, phone number, date of birth, medical record number, medical notes such as patient diagnosis, lab results, and provider information reflected in the Quality Improvement Initiative (QII) Referral Documentation section of DARRT. Any Personal Identifiable Information (PII) that is uploaded as a comment or attachment is not used by the application. Any attachments that are uploaded to DARRT are encrypted at rest using industry best practices. Currently there is no process in place to conduct periodic reviews of PII contained in the system. All attachments are encrypted at rest the moment they are uploaded to the DARRT application. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Not Applicable |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Not Applicable |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All system users are required to take the annual CMS Cyber Awareness Challenge Computer Based Training (CBT) as well as the annual Identifying and Safeguarding Personally Identifiable Information training required by CMS. These satisfy security awareness training for the system owners. In addition, personnel with security roles are required to take security role-based training annually. These trainings cover technical concepts specific to developers and engineers. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Security and Privacy Awareness training is offered to all users. Direct contractors that have elevated levels of access, such as system or database administrators, must take 4 hours of additional role-based security training as required by CMS on an annual basis. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | DARRT follows the CMS Record Schedule, published April 2015, under the Health Care Quality Improvement Systems (HCQIS) Disposition Authority: N1-440-09-3- Temporary. Delete/destroy after 4 survey cycles or 10 years whichever is later. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative controls include, but are not limited to, contingency plans and annual testing, backups of all files, offsite storage of backup files, background checks for all personnel, incident response procedures for timely response to security and privacy incidents, initial security training with refresher courses annually, and annual role-based security training for personnel with assigned security roles. The physical security of the data center where the system resides includes the use of access cards for entry, security guards, and video monitoring. Technical controls include but are not limited to user authentication with least privilege authorization, firewalls, intrusion detection and prevention systems, encrypted communication (data at rest and data is accessed using FIPS 140-2 requirements), hardware configured with a deny all/except approach, auditing, and correlation of audit logs from all systems. Management controls include but are not limited to: Certification and Accreditation (C&A), annual security assessments, monthly management of outstanding corrective action plans, ongoing risk assessments, and automated continuous monitoring. |