Durable Medical
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/8/2023
| PIA Questions | PIA Answers |
|---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-1222392-611640 |
Name: | Durable Medical Equipment Prosthetics, Orthotics and Supplies Bidding System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Agency |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 6/28/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | DBidS is operating within CMS AWS cloud environment. |
Describe the purpose of the system | Durable Medical Equipment Prosthetics, Orthotics & Supplies Bidding System (DBidS) is a web application for Durable Medical Equipment (DME) suppliers who wish to bid for specific product categories in a prescribed competitive bidding area. The bidding window is for a 60-day period, and those suppliers that do not participate or are not awarded a contract cannot bill Medicare. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The type of information the system collects includes the supplier’s organization and demographic information along with their bid data. Supplier’s organization and demographic data consists of the organization name, taxpayer ID, address, phone number(s), e-mail address and contact name(s). Bid data consists of the type, quantity, and price of certain durable medical equipment items. To be granted access to the application, the user must provide their User ID and password. These two elements are maintained by a separate access control software and not the application. The separate access control software is called Identity Management System (IDM). The user also has a user role assigned to the DBidS account. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The system collects supplier’s organization and demographic information to determine which region of the country the supplier operates in. Bid data is collected and evaluated based on the supplier’s eligibility, its financial stability, and the bid price. Contracts are then awarded to the suppliers who offer the best price and meet applicable quality and financial standards. Users enter the application though a separate access control software that passes on the User ID, password, and user role to the application. The User ID and user role is used to determine what type of access the user has to the application. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Vendors/Suppliers/Contractors |
How many individuals' PII in the system? | 500-4,999 |
For what primary purpose is the PII used? | The User ID and Password allows the user to access the application. The User Role determines which data they can access. The other PII information is used to contact the supplier(s) to notify them whether or not they won the bid for a contract with the government. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable. |
Describe the function of the SSN. | Not applicable. |
Cite the legal authority to use the SSN. | Not applicable. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Section 302 of the Medicare Modernization Act of 2003, |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Identify the sources of PII in the system: Government Sources | Other - Provider Enrollment Chain and Ownership System; Enterprise Identity Management System |
Identify the sources of PII in the system: Non-Government Sources | Other - Suppliers direct online entry |
Identify the OMB information collection approval number and expiration date | Office of Management and Budget #0938-1016; Expiration date: 12/31/2021 |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. | Private Sector: Provided to the Competitive Bidding Implementation Contractor (CBIC) who performs the bid evaluation for Competitive Bidding. |
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | All sharing or disclosures of system PII is governed by a signed Data Use Agreement between the government and the private contractor who evaluates all bids. |
Describe the procedures for accounting for disclosures | A record will not be created when PII is shared with another system or is disclosed outside the system because a signed Data User Agreement governs the use of PII data by the private contractors that maintains the application and evaluates the bids.
|
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | On the system login page, the user is presented with a Terms and Conditions page which notifies the individual that their personal information may be collected for lawful government purpose. This is presented prior to allowing the user to login to access the system. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | On the system login page, the user is presented with a Terms and Conditions page which notifies the individual that their personal information may be collected for lawful government purpose. There is an option to “Accept” the Terms and Conditions. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | In the event the data uses have changed, notification will occur, and/or an opportunity for consent will be provided before an individual’s PII will be used for a purpose materially different from that given at the time of collection. Notification will be provided in the form of an e-mail and/or letter to the user(s) impacted by the change at the time the change in use has been determined. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If the individual’s PII in the system has been inappropriately obtained, used, or disclosed; they may contact the Help Desk for assistance. If the individual’s PII in the system is inaccurate, they may update the information they provided in the system up until the time of contract award. After the contract award is announced, they may contact the Help Desk for assistance in correcting their information by completing a Change of Information form. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Users of the system can review and/or modify their information anytime during the 60-day Bid Window. Before the close of the 60-day Bid Window, the user must certify that all information provided are true, accurate, and complete. After the 60-day Bid Window, they are allowed to review, but not modify, their information for up to 90 days after bidding closes. This is to ensure the integrity of the data prior to having the bids evaluated. Once the bids have been evaluated and the contract awards have been determined and announced, the data is kept for 90 days then removed/deleted from the system and no longer made available. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The system enforces role-based security. The Help Desk role is granted by a government task lead (business owner) to the contractor responsible for assisting end users of the system. The Developer role is granted by a government task lead (system owner) to the contractor responsible for maintaining the system. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The system enforces role-based security. Contractors with the role of Help Desk have access to view user demographic and bid data to assist individuals with completing their bid. Contractors with the role of Developer have access to view user demographic and bid data to support and troubleshoot any system issues. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All Centers for Medicare & Medicaid Services personnel and contractors/business partners are required to receive general security, privacy awareness and Health Insurance Portability and Accountability Act (HIPAA) training. This includes, Annual HHS Information Systems Security Awareness Training, Annual HHS Privacy Training, Reading the Rules of Behavior for Use of HHS Information Resources and signing the accompanying acknowledgement, and Health Insurance Portability and Accountability Act training. All training is provided and tracked online (computer-based training). |
Describe training system users receive (above and beyond general security and privacy awareness training) | Not applicable |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The Centers for Medicare & Medicaid Services General Support System adheres to data retention and destruction policies/procedures maintained by the Consolidated Information Technology Infrastructure Contract. Additionally, for the Provider/Supplier and Durable Medical Equipment Supplier Application |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative control: The system enforces role-based security managed by IDM. All Help Desk and Developer roles are reviewed weekly by a government task lead for appropriate access. Roles are removed from those contractors who no longer require it. IDM users are also required to complete annual Security and Privacy Awareness training. Technical control: DBidS is hosted in the CMS AWS. Cloud VPN is required to access AWS and MFA is utilized. AWS access control mechanism such as CloudTamer and AWS Active Directory (EUA) manage access to DBidS specific VPCs. Security groups are configured to control the inbound traffic. Tools such as Splunk, Nessus are all utilized to detect security related activities. Physical control: DBidS resides in AWS cloud. Physical control is managed by AWS. |
Identify the publicly-available URL: | http://dbids.cms.gov/ (Note: The URL is only available during active Durable Medical Equipment Prosthetics, Orthotics and Supplies Bidding System bidding window). |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) | Session Cookies |
Web Beacons - Collects PII?: | No |
Web Bugs - Collects PII?: | No |
Session Cookies - Collects PII?: | No |
Persistent Cookies - Collects PII?: | No |
Other - Collects PII?: | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government website external to HHS? | Yes |
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | No |