Exchange Automated IT Solution

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 8/24/2023

PIA Information for the Exchange Automated IT Solution
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-6897289-761192

Name:

Exchange Automated IT Solution

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Agency

Is this a new or existing system?

New

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

5/31/2023

Describe the purpose of the system

RESPONSE TO QUESTION: The system supports the Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) in complying with regulatory requirements defined in the administration of the Affordable Care Act (ACA). As part of the ACA, the Payment Integrity Information Act of 2019 (PIIA) (Public Law No. 116-117) requires government agencies to identify, report, and reduce improper payments in the government's programs and activities. CMS must obtain a statistically valid estimate of the annual number of improper payments, implement a plan to reduce improper payments, and report annually in the Agency Financial Report (AFR).

The Exchange Automated IT Solution (EAITS) helps manage the postmortem evaluations and audits of ACA applications to validate whether they were correctly processed. This system provides a workflow, documentation, and reporting solution to complete these reviews. These reviews are required as part of Appendix C of the Office of Management and Budget (OMB) Circular No. A-123 for agencies (i.e., HHS CMS) to review their programs and activities annually and identify those that may be susceptible to significant improper payments. 

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

RESPONSE TO QUESTION: The Exchange Automated IT Solution (EAITS) collects source information, through data ingestion, from the Multidimensional Insurance Data Analytics System (MIDAS). MIDAS is the system of record, and the type of information ingested into EAITS is application data that helps CMS assess the validity and accuracy of payments made by CMS. The types of data that help identify applicants include:
Affordable Care Act Application Data
Employment Data
Insurance Coverage
Social Security Number
Name
Driver's License Number
E-Mail Address
Date of Birth
Mailing Address
Financial Account Info
Passport Number
Mother's Maiden Name
Phone Numbers
Military Status
Medical Records Number
Employment Status

The length of time the information is stored in EAITS adheres to OMB Circular A-130, par. 8a(1)(k). This policy requires CMS to incorporate records management and archival functions into the design, development, and implementation of information systems. In addition, EAITS complies with HHS and CMS records retention guidelines (CMS Bucket 9: Compliance and Program Integrity). This policy requires EAITS to retain its records for seven (7) years for audit purposes. Afterwards, disposition will follow CMS Records Schedule Number DAA-0440-2015-0012-0001.
EAITS employs Single Sign On (SSO), so system-specific access credentials are managed through CMS credentials.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

RESPONSE TO QUESTION: The information listed in question PIA-012 is collected to assist CMS in the audit of improper payments as part of the execution of the Affordable Care Act (ACA). As part of the ACA, the Payment Integrity Information Act of 2019 (PIIA) (Public Law No. 116-117) requires government agencies to identify, report, and reduce improper payments in the government's programs and activities. CMS must obtain a statistically valid estimate of the annual number of improper payments, implement a plan to reduce improper payments, and report annually in the Agency Financial Report (AFR). The collected data includes all relevant data fields required to validate ACA applicants, their employment and insurance coverage, and insurance payments. For CMS to validate that applicants are real and payments are valid, PII is collected and cross-referenced to identify payment anomalies such as duplicate payments and unauthorized applicants.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number
  • Name
  • Driver's License Number
  • Mother's Maiden Name
  • E-Mail Address
  • Phone Numbers
  • Military Status
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Financial Account Info
  • Employment Status
  • Passport Number
  • Other - The Exchange Automated IT Solution (EAITS) collects source information, through data ingestion, from the Multidimensional Insurance Data Analytics System (MIDAS). MIDAS is the system of record, and the type of information ingested into EAITS is application data that helps CMS assess the validity and accuracy of payments made by CMS. The types of data that help identify applicants include: Affordable Care Act Application Data; Employment Data; Insurance Coverage; Social Security Number; Name; Driver's License Number; E-Mail Address; Date of Birth; Mailing Address; Financial Account Info; Passport Number; Mother's Maiden Name; Phone Numbers; Military Status; Medical Records Number; Employment Status

Indicate the categories of individuals about whom PII is collected, maintained or shared.

Public Citizens

How many individuals' PII in the system?

500-4,999

For what primary purpose is the PII used?

To validate that the customer's transaction was correctly processed. We are auditing a sample of previous years' submissions.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

None

Describe the function of the SSN.

RESPONSE TO QUESTION: The Exchange Automated IT Solution (EAITS) collects source information, through data ingestion, from the Multidimensional Insurance Data Analytics System (MIDAS). MIDAS is the system of record, and the type of information ingested into EAITS is application data that helps CMS assess the validity and accuracy of payments made by CMS.
The application data relates to payments made as part of the Affordable Care Act (ACA). Each application record contains one or more applicants, each uniquely identified by SSN. In addition, the collected data includes all relevant data fields required to validate ACA applicants, their employment and insurance coverage, and insurance payments. For CMS to validate that applicants are real and payments are valid, the SSN is used to cross-reference identity, identify payment anomalies, and flag unauthorized applicants.
Cite the legal authority to use the SSN.

The review process is part of the Patient Protection and Affordable Care Act, referred to as the Affordable Care Act, a health care reform law enacted in March 2010. In addition, we also operate under the Payment Integrity Act 2019. Section 1411(c) of the ACA requires the Secretary to submit certain information provided by applicants under section 1411(b) of the ACA to other Federal officials for verification, including income and family size information to the Secretary of the Treasury. Section 1411(d) of the ACA provides that the Secretary must verify the accuracy of information provided by applicants under section 1411(b) of the ACA.

Identify legal authorities governing information use and disclosure specific to the system and program.

The review process is part of the Patient Protection and Affordable Care Act, referred to as the Affordable Care Act, a health care reform law enacted in March 2010. In addition, we also operate under the Payment Integrity Act 2019. Section 1411(c) of the ACA requires the Secretary to submit certain information provided by applicants under section 1411(b) of the ACA to other Federal officials for verification, including income and family size information to the Secretary of the Treasury. Section 1411(d) of the ACA provides that the Secretary must verify the accuracy of information provided by applicants under section 1411(b) of the ACA.

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Online

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Members of the Public

Identify the OMB information collection approval number and expiration date

EAITS is not using any data / information not already owned or collected by CMS. Therefore, an additional OMB control number is not applicable.

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The system does not collect the information; it only uses data that was originally collected by other approved CMS systems.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Customers can elect to apply for Affordable Care Act coverage; this is not mandatory.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

N/A. The system does not collect the information; it only uses data that was originally collected by other approved CMS systems.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

N/A. The system does not collect the information; it only uses data that was originally collected by other approved CMS systems.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The EAITS solution (Appian) does not maintain or store PII. Data resides in CMS Cloud storage behind CMS firewalls. Users can only access exchange transactions temporarily via Appian.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: The system does not maintain the PII, but users can access the data from CMS Cloud in order to perform reviews in EAITS (Appian).
  • Contractors: Contractors are the users of the system. The contractors are direct.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

All users have a business need to review the exchange data.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

MIDAS houses all of the exchange data. Our solution displays only a pre-determined sample of the population of records.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

See CMS Privacy and Awareness training.

Describe training system users receive (above and beyond general security and privacy awareness training)

An internal user guide was developed to train new users on system functionality and proper use.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Per the Division of Records and Information Systems, EAITS will adhere to the following:

CMS Bucket 9: Compliance and Program Integrity

DAA-0440-2015-0012-0001

Temporary

Cutoff at the end of the calendar year.

Destroy no sooner than 7 year(s) after cutoff, but longer retention is authorized.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Appian Cloud has a comprehensive security and compliance program that meets several industry standards and frameworks (e.g., SOC2, PCI-DSS, ISAE 3402, GxP, HIPAA, ISO/IEC 27001:2013, FedRAMP); see https://appian.com/support/resources/trust/compliance.html for details. Additionally, strict role-based access controls ensure that only authorized users can see and access relevant data.