Document Storage and Retrieval System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 6/8/2022

PIA information for: Document Storage and Retrieval System 

OPDIV:

CMS

PIA Unique Identifier:

P-7869561-032820

Name:

Document Storage and Retrieval System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Agency

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

4/20/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Photographic Identifiers and Legal Documents are now included in the type of PII that the system will collect or maintain.

Describe the purpose of the system

The Document Storage and Retrieval System (DSRS) is a support system used to centrally store documents provided by the consumer, insurance providers, and system generated notices. Documents are uploaded to the DSRS via consumer portal or by Federally Facilitated Marketplace (FFM) and Plan Management (PM). Each document uploaded to DSRS is tagged with a document ID for retrieval. Authorized CMS systems can retrieve documents from DSRS by document ID. 

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The DSRS application stores and maintains consumers' Personally Identifiable Information (PII), Federally Facilitated Marketplace (FFM) generated Notices sent to consumers, and Plan Management data.

Data Elements:

  • Social Security Number

  • Name

  • Driver's License Number

  • Mother's Maiden Name

  • E-Mail Address

  • Phone Numbers

  • Military Status

  • Taxpayer ID

  • Date of Birth

  • Photographic Identifiers

  • Mailing Address

  • Legal Documents

  • Employment Status

  • Passport Number

  • Other: Alien Registration Number (A-Number)

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

DSRS provides client systems with the capability to store documents (e.g. driver's license, passport, wage documentation, certification of citizenship, immigration documents) in a centralized storage location for access by other authorized systems. Client systems can access documents by performing searches based on specific document attributes. Client systems have limited access to the documents stored within DSRS, based on pre-defined validation and authorization rules prescribed by the document source system.

The client systems that utilize DSRS to store and retrieve documents include the Federally Facilitated Marketplace (FFM) Eligibility and Enrollment (E&E) system, Plan Management (PM) and Enhanced Direct Enrollment system. Specific documents stored in DSRS vary per client system and are organized by document category to capture the highest level of hierarchy. Examples of document categories stored in DSRS include Notices and Consumer Uploaded Documents. 

Documents sourced by consumers are used for various types of casework to include referring cases to insurers, resolving 1095A tax forms, informing consumers of resolutions or appeal rights and to adjudicate matters that would impact insurance plan eligibility. 

Documents in the repository are collected to resolve data matching issues (DMI), special enrollment period verification issues (SVI), and remote identity proofing (RIDP) failures. PII contained within these documents is intended to resolve/adjudicate the verification issues and support casework.

Records will be maintained for ten years until they become inactive, at which time they will be retired or destroyed. These procedures are in accordance with published records schedules of the Centers for Medicare & Medicaid Services as approved by the National Archives and Records Administration General Records Schedule 20 (GRS 20) for electronic records.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name

  • Driver's License Number

  • Mother's Maiden Name

  • E-Mail Address

  • Phone Numbers

  • Military Status

  • Taxpayer ID

  • Date of Birth

  • Photographic Identifiers

  • Mailing Address

  • Legal Documents

  • Employment Status

  • Passport Number

  • Other - Alien Registration Number (A-Number)

Indicate the categories of individuals about whom PII is collected, maintained or shared.

Public Citizens

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

PII is not used by DSRS in any capacity except storage.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

N/A

Describe the function of the SSN.

Social Security Numbers (SSNs) are part of documents provided by the consumer. SSNs may be included in consumers' tax returns or other documents. SSNs are not used by DSRS in any capacity except storage.

Cite the legal authority to use the SSN.

Affordable Care Act (ACA), Section 1414; Affordable Care Act (ACA), Section 1411; 42 U.S.C. Section 18081

Identify legal authorities governing information use and disclosure specific to the system and program.

Affordable Care Act (ACA), Section 1414; Affordable Care Act (ACA), Section 1411; 42 U.S.C. Section 18081

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

  • In-Person

  • Online

Identify the sources of PII in the system: Government Sources

  • Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

  • Members of the Public

  • Other - EDE Partners

Identify the OMB information collection approval number and expiration date

CMS Form Number: CMS-10400 Title: Establishment of Exchanges and Qualified Health Plans

OMB control number: 0938-1156

ICR Reference Number: 202406-0938-009 - Extension without change of a currently approved collection was received by OIRA on 6/18/2024.

Expiration Date: TBD

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

Private Sector: EDE Partners to assist public with enrollment within ACA.

Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

No sharing agreements are in place. Information is collected by the CMS Federally Facilitated Marketplaces (FFM) system.

Describe the procedures for accounting for disclosures

Not applicable.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

There is no process in place to notify individuals that their personal information will be collected, because the DSRS system receives PII data that is collected from the Federally Facilitated Marketplaces (FFM) databases. Individual notification is the responsibility of the FFM system, and the process is described on the FFM privacy policy website. FFM databases are covered by a separate PIA.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

There is no method in place for individuals to opt-out of the collection or use of their PII within DSRS. Public citizens' PII stored within this system is not collected by DSRS. The PII is collected from the individual by the CMS Federally Facilitated Marketplaces (FFM) and the process is described on the FFM privacy policy website. FFM Databases are covered by a separate PIA.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Should a major change occur to the DSRS system, the process to notify and obtain consent from the individual consumer regarding PII will be to update the privacy statement on healthcare.gov. FFM will ensure the System of Records Notice (SORN) will also be updated and posted to the Federal Register to inform the public and provide a means to comment. FFM Databases are covered by a separate PIA.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

If an individual has a concern about their PII, the process to report a PII related issue is to contact the Health Insurance Marketplace call center at 1-800-318-2596 and describe the concern. The call center would investigate and work with the individual to resolve their concern.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

DSRS adheres to a CMS-implemented process, based on National Institute of Standards and Technology (NIST) recommendations and reviewed annually, to ensure system integrity, availability, accuracy, and relevancy.

PII stored within DSRS is collected from the individual consumer by the Federally Facilitated Marketplaces (FFM) CMS system, and the individual enrollment application is designed with logic checks to ensure data accuracy and integrity. The Center for Consumer Information and Insurance Oversight (CCIIO) is required to review and update the enrollment process on a yearly basis to ensure that all data collected is relevant to the health insurance enrollment process.

Identify who will have access to the PII in the system and the reason why they require access.

  • Administrators: DSRS system administrators may have access to PII as part of their maintenance support activities.

  • Contractors: Direct contractors who manage DSRS require the capability to fully access the DSRS system and data to perform system troubleshooting. However, there is no day-to-day or business function need for direct contractors to access PII in DSRS.

  • Others - Caseworkers: Other Users include case workers who can retrieve PII from DSRS. Case workers have access to PII in order to retrieve consumer information for enrollment reconciliation, appeals cases, and discrepancy resolution.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Individuals requesting access to DSRS must sign an account request form prior to account creation. The account request form must indicate the access level needed. This form is reviewed and approved by DSRS managers. DSRS uses the principle of least privilege to ensure system administrators are granted access on a "need-to-know" basis.

Only validated administrators have access to DSRS. Managers must approve all system access and re-certify that access within every 365 days.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Internal CMS employees and direct contractors are limited to viewing only those PII elements needed to perform specific tasks. DSRS internal system administrators are managed by role-based access controls, utilizing Red Hat Enterprise Linux (RHEL) Identity Management (IdM) at the operating system level for account management, to ensure privileged users with access to PII have both a "need-to-know" and a "need-to-access".

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Federal and contractor personnel who access or operate a CMS system are required to complete the annual CMS Security Awareness Training, provided as a Computer-Based Training (CBT) course. Contractors also complete their annual corporate Security Awareness Training. Personnel with privileged access must also complete role-based security training commensurate with their assigned duties and receive additional job-related training by attending conferences, forums, and other specific training on an annual basis.

Describe training system users receive (above and beyond general security and privacy awareness training)

N/A - There is no training specific for DSRS.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Records will be maintained until they become inactive, which is ten years, at which time they will be retired or destroyed. These procedures are in accordance with published records schedule DAA-0440-2015-0006-0001 of the Centers for Medicare & Medicaid Services as approved by the National Archives and Records Administration General Records Schedule 3.2 (GRS 3.2) for electronic records.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative controls such as written policy, procedures and guidelines have been established. System users are required to take annual Security and Privacy awareness training. Third-party assessments are performed to validate the system controls that have been implemented to prevent unauthorized access, to safeguard the data in the event of a disaster, and to audit activity within the application.

The technical controls in place are firewalls and encryption to prevent unauthorized access. Other technical controls include security scans, penetration testing, intrusion detection and prevention systems (IDS/IPS), and computer system controls that prevent users without administrative or developer access from logging into a test environment; the test environment and the live application are kept separate.