Enterprise Privacy Policy Engine Cloud
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 7/24/2023
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-4766593-542686 |
Name: | Enterprise Privacy Policy Engine Cloud |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | New |
Does the system have Security Authorization (SA)? | No |
Planned Date of Authorization | 7/1/2023 |
Describe the purpose of the system | The Enterprise Privacy Policy Engine Cloud (EPPEC) is a system used to track CMS Data Use Agreements (DUAs). A DUA is a binding agreement governing data usage by a User (an individual or entity). CMS provides the User with data that resides in a CMS System of Record (SOR) that is identified in the DUA. The DUA details how the CMS-provided information may be used, for how long it may be used, and how it must be protected. The DUA is signed by the User, a Custodian (mutually agreed upon by the User and CMS), a sponsoring Federal agency and the CMS representative. The EPPEC system shall allow for more efficient tracking and adjudication of requests for CMS Personally Identifiable Information / Personal Health Information (PII/PHI) data, while reducing security and privacy risks. EPPEC also standardizes and automates the DUA process. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | EPPEC collects name, address, phone number, email address, CMS User Enterprise Identity Management (EIDM) ID, and Enterprise User Agreement (EUA) ID for those who are entering into a DUA with CMS or those who are overseeing a Data Use Agreement as a CMS employee. No financial data is collected by EPPEC. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | EPPEC collects name, address, phone number, email address and CMS User ID and password for those who are entering into a DUA with CMS or those who are overseeing a Data Use Agreement as a CMS employee. This information is required in order to grant the requested DUA. Prior to disclosing PII data, CMS policy requires the requestor to submit a formal request for data that CMS must approve. The formal request consists of completing a DUA. The DUA includes the following information: requestor name, email address, phone number, and mailing address. EPPEC complies with the Federal Information Security Management Act (FISMA) by ensuring that the data is properly protected at all times. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 50,000-99,999 |
For what primary purpose is the PII used? | The PII data in EPPEC is used to track disclosures of CMS PII data through Data Use Agreements. The PII collected is the contact information of the data user who receives the data, as well as the CMS employee and contractor data authorizer who approves the disclosure. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
Describe the function of the SSN | N/A |
Cite the legal authority to use the SSN. | N/A |
Identify legal authorities governing information use and disclosure specific to the system and program. | Section 10332 of the Patient Protection and Affordable Care Act (ACA); 42 CFR 401.101–401.148 and sec 1106(a) of the Social Security Act, 42 U.S.C. 1306(a). |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | HHS SORN: Records About Restricted Dataset Requestors, 09-90-1401 |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Before users are allowed to log on to EPPEC, they are required to select "I agree to the Terms & Conditions". This "I agree to the Terms & Conditions" button notifies the user of the following: OMB No. 0938-1236; Expiration Date: 08/31/2025; Paperwork Reduction Act Updated Departmental Standard Warning Banner for HHS Information Systems, Memo dated July 14, 2016. This warning banner provides privacy and security notices consistent with applicable federal laws, directives, and other federal guidance for accessing this Government system, which includes (1) this computer network, (2) all computers connected to this network, and (3) all devices and storage media attached to this network or to a computer on this network. This information system is provided for Government-authorized use only. Unauthorized or improper use of this system is prohibited and may result in disciplinary action and/or civil and criminal penalties. Personal use of social media and networking sites on this system is limited as to not interfere with official work duties and is subject to monitoring. By using this system, you understand and consent to the following: The Government may monitor, record, and audit your usage, including usage of personal devices and email systems for official duties or to conduct HHS business. Therefore, you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this system. At any time, and for any lawful Government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on this system. Any communication or data transiting or stored on this system may be disclosed or used for any lawful Government purpose. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Individuals do not have the choice to opt out of the use or collection of their PII. There is no method for users to opt out in the EPPEC system. Users are not allowed to log on and gain access to the system if they do not select the "I agree" button (to agree to the terms) when signing on. The data in this system are stored based on the application's business need for storing them in the EPPEC system and are covered by the application's SORN. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Individuals whose PII is in EPPEC are notified via individual emails if major changes were to occur in the system that change the use and/or disclosure of the PII. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | We would work with the EPPEC Chief Information Security Office (CISO) immediately if a user's PII is obtained, used or disclosed inappropriately. In the event that a user's PII has been obtained, used or disclosed inappropriately, the EPPEC team will notify the Security Officer or Director of Operations to report the incident to CMS within 1 hour. A notification will go out to the CMS Contracting Officer and the CMS IT Service Desk at 410-786-2580, 800-562-1963 or CMS_IT_Service-Desk@cms.hhs.gov. Any individual who has concerns should contact CMS through the Office for Civil Rights (OCR), which can be done by visiting https://www.hhs.gov/hipaa/filing-a-complaint/. Information about the ability to file a complaint is available at this same address. In the event that the Internet is not accessible, and you have questions about this topic, CMS can be reached by phone at 1-800-MEDICARE (1-800-633-4227). When calling, ask to speak to a customer support representative about Medicare's Privacy Notice. TTY users may call 1-800-486-2048. Individuals who wish to file a complaint directly without access to the Internet may call OCR at 1-800-368-1019. TTY users may call 1-800-537-7697 to file their complaints. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Only authenticated CMS employee or contract support users of EPPEC are able to modify or destroy the PII within EPPEC. The EPPEC system has backup servers to ensure PII/requestor contact information is readily available. A yearly review process has been implemented in which data users confirm that their DUA contact information is valid and accurate. Any outdated, unnecessary, irrelevant, and/or inaccurate PII is removed from the system during the annual review, if not already at the time of a contact information change (such as an organizational change). There is a periodic review of DUA data by the OEDA management team, which is in charge of validating inaccurate information to ensure the accuracy of the data. EPPEC has a process for archiving and extending the DUA. EPPEC has implemented segregation of roles based on the principle of least privilege. Only a few designated Administrators have access to the database. Data is encrypted at rest and in transit, thus ensuring data integrity. There are nightly and weekly system backups, thus ensuring availability of data at all times. Old information is archived. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The system administrator determines user roles which have been created in the system. As requestors come into the system, the business owner makes a determination based on the requestor's authority to receive CMS data. EPPEC Administrators will possess access to all information and all other roles will receive access commensurate with their own permissions level (e.g., they will have access to DUAs and the information therein if they have sufficient justification for that role in EPPEC for their organization). |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | User Roles have been created within the system that limit access to PII within the system on a "need to know" basis. A review of the roles and their access is conducted bi-weekly, monthly, and yearly to ensure that only the minimum PII necessary is accessed per job role. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS users are required to take annual CMS Information Security and Privacy training that makes them aware of these responsibilities. External stakeholders agree to the CMS terms of use when accessing CMS systems via the Enterprise Portal and are obligated to provide appropriate training at the organizational level to be compliant. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Any users that have specialized roles within CMS (executives, managers, ISSOs, database administrators, etc.) take role-based privacy and security training in accordance with the Federal Information Security Management Act (FISMA) of 2002 and 5 CFR 930, "Information Security Responsibilities for Employees Who Manage or Use Federal Information Systems." |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | EPPEC records will be held temporarily. They will be deleted when the related master file or database has been deleted, per Disposition Authority: NARA's General Records Schedule 3.1, Item 012 - Information technology development project. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The PII within EPPEC is secured in the following ways: |
Identify the publicly-available URL: | https://portal.cms.gov |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government websites external to HHS? | No |