Document Storage and Retrieval System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 6/8/2022
| Field | Response |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-7869561-032820 |
| Name: | Document Storage and Retrieval System |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Agency |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 4/20/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | Photographic Identifiers and Legal Documents are now included in the types of PII that the system collects or maintains. |
| Describe the purpose of the system | The Document Storage and Retrieval System (DSRS) is a support system used to centrally store documents provided by consumers and insurance providers, as well as system-generated notices. Documents are uploaded to DSRS via the consumer portal or by the Federally Facilitated Marketplace (FFM) and Plan Management (PM). Each document uploaded to DSRS is tagged with a document ID for retrieval. Authorized CMS systems can retrieve documents from DSRS by document ID. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The DSRS application stores and maintains consumers' Personally Identifiable Information (PII), Federally Facilitated Marketplace (FFM) generated notices sent to consumers, and Plan Management data. Data Elements: |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | DSRS provides client systems with the capability to store documents (e.g. driver's license, passport, wage documentation, certification of citizenship, immigration documents) in a centralized storage location for access by other authorized systems. Client systems can access documents by performing searches based on specific document attributes. Client systems have limited access to the documents stored within DSRS, based on pre-defined validation and authorization rules prescribed by the document source system. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. | |
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | Public Citizens |
| How many individuals' PII are in the system? | 1,000,000 or more |
| For what primary purpose is the PII used? | PII is not used by DSRS in any capacity except storage. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
| Describe the function of the SSN. | Social Security Numbers (SSNs) are part of documents provided by the consumer. SSNs may be included in consumers' tax returns or other documents. SSNs are not used by DSRS in any capacity except storage. |
| Cite the legal authority to use the SSN. | Affordable Care Act (ACA), Section 1414; Affordable Care Act (ACA), Section 1411; 42 U.S.C. Section 18081 |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Affordable Care Act (ACA), Section 1414; Affordable Care Act (ACA), Section 1411; 42 U.S.C. Section 18081 |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
| Identify the sources of PII in the system: Government Sources | |
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | CMS Form Number: CMS-10400; Title: Establishment of Exchanges and Qualified Health Plans; OMB control number: 0938-1156; ICR Reference Number: 202406-0938-009. An extension without change of a currently approved collection was received by OIRA on 6/18/2024. Expiration Date: TBD |
| Is the PII shared with other organizations? | Yes |
| Identify with whom the PII is shared or disclosed and for what purpose. | Private Sector: EDE partners, to assist the public with enrollment under the ACA. |
| Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | No sharing agreements are in place. Information is collected by the CMS Federally Facilitated Marketplaces (FFM) system. |
| Describe the procedures for accounting for disclosures | Not applicable. |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | There is no process in place to notify individuals that their personal information will be collected, because the DSRS system receives PII data that is collected from the Federally Facilitated Marketplaces (FFM) databases. Individual notification is the responsibility of the FFM system, and the process is described on the FFM privacy policy website. FFM databases are covered by a separate PIA. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There is no method in place for individuals to opt out of the collection or use of their PII within DSRS. Public citizens' PII stored within this system is not collected by DSRS. The PII is collected from the individual by the CMS Federally Facilitated Marketplaces (FFM), and the process is described on the FFM privacy policy website. FFM databases are covered by a separate PIA. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Should a major change occur to the DSRS system, the process to notify and obtain consent from the individual consumer regarding PII will be to update the privacy statement on healthcare.gov. FFM will ensure the System of Records Notice (SORN) is also updated and posted to the Federal Register to inform the public and provide a means to comment. FFM databases are covered by a separate PIA. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If an individual has a concern about their PII, the process to report a PII-related issue is to contact the Health Insurance Marketplace call center at 1-800-318-2596 and describe the concern. The call center will investigate and work with the individual to resolve the concern. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | DSRS adheres to a CMS-implemented process, based on National Institute of Standards and Technology (NIST) recommendations, to ensure system integrity, availability, accuracy, and relevancy; the process is reviewed annually. |
| Identify who will have access to the PII in the system and the reason why they require access. | |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Individuals requesting access to DSRS must sign an account request form prior to account creation. The account request form must indicate the access level needed. This form is reviewed and approved by DSRS managers. DSRS uses the principle of least privilege to ensure system administrators are granted access on a "need-to-know" basis. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Internal CMS employees and direct contractors are limited to viewing only those PII elements needed to perform specific tasks. DSRS internal system administrators are managed by role-based access controls using Red Hat Enterprise Linux (RHEL) Identity Management (IDM) at the operating system level for account management, ensuring that privileged users with access to PII have a "need-to-know" and a "need-to-access". |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Federal and contractor personnel who access or operate a CMS system are required to complete the annual CMS Security Awareness Training, provided as a Computer-Based Training (CBT) course. Contractors also complete their annual corporate Security Awareness Training. Personnel with privileged access must also complete role-based security training commensurate with their assigned duties, and receive additional job-related training by attending conferences, forums, and other specific training on an annual basis. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | N/A - There is no training specific to DSRS. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Records will be maintained until they become inactive, at which time (after ten years) they will be retired or destroyed. These procedures are in accordance with published records schedule DAA-0440-2015-0006-0001 of the Centers for Medicare & Medicaid Services, as approved by the National Archives and Records Administration General Records Schedule 3.2 (GRS 3.2) for electronic records. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative controls such as written policy, procedures and guidelines have been established. System users are required to take annual Security and Privacy awareness training. Third-party assessments validate the system controls implemented to prevent unauthorized access, to safeguard the data in the event of a disaster, and to audit activity within the application. |