
Expanded Data Feedback Reporting

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 6/11/2024

PIA information for Expanded Data Feedback Reporting

OPDIV:

CMS

PIA Unique Identifier:

P-7390523-405116

Name:

Expanded Data Feedback Reporting

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Agency

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

12/6/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

  • Internal Flow or Collection

  • PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Migrated to a new cloud service provider, changed the character of the data held, and removed the Social Security Number (SSN) and Driver's License Number (DLN) data elements.

Describe the purpose of the system

The Expanded Data Feedback Reporting (EDFR) application is an important tool supporting the Centers for Medicare & Medicaid Services (CMS) Center for Medicare and Medicaid Innovation (CMMI) innovation models. It provides actionable data to innovation model participants to help them ensure they are meeting model goals and effectively working to provide better care at lower cost. 

By providing timely, relevant, and evidence-based data, EDFR supports innovation model participants in their work to successfully participate in the model and better serve patients.

The purpose of the Expanded Data Feedback Reporting (EDFR) system is to meet the following objectives:

Support the data and analytic needs of innovation model applications

Provide access to relevant data from appropriate data sources

Maximize effective use of open source and other existing industry solutions

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

EDFR maintains Personally Identifiable Information (PII) and Protected Health Information (PHI) contained in claims data and medical records data. The health claim data containing PII/PHI that is collected, maintained, or shared may include but is not limited to: Date of Birth, e-mail address, Health Insurance Claim Number (HICN) and/or Medicare Beneficiary Identifier (MBI), Legal Documents, Mailing Address, Medicaid ID, Medical Notes, Medical Records Number, Name, National Provider Identifier (NPI), Phone Numbers, Provider Address, Provider e-mail Address, Provider Name, Provider Phone Number, Taxpayer ID and Taxpayer Identification Number (TIN).

No user credentials are collected by the system. EDFR users consist of application end-users, system administrators, maintainers, developers, and direct contractors. EDFR uses user ID and password login credentials to grant users and administrators access to the system. Login credentials are not collected, maintained, or stored by the EDFR system; rather, identification, authentication, and authorization for access to EDFR are performed by CMS's Identity & Access Management enterprise shared service, which authenticates users' credentials before they are given access. The CMS Enterprise Identity Management (EIDM) system resides outside of the EDFR authorization boundary and is operated under its own PIA and authority to operate (ATO).

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

EDFR maintains Personally Identifiable Information (PII) and Protected Health Information (PHI) contained in claims data and medical records data. The health claim data containing PII/PHI that is collected, maintained, or shared may include but is not limited to: Date of Birth, e-mail address, Health Insurance Claim Number (HICN) and/or Medicare Beneficiary Identifier (MBI), Legal Documents, Mailing Address, Medicaid ID, Medical Notes, Medical Records Number, Name, National Provider Identifier (NPI), Phone Numbers, Provider Address, Provider e-mail Address, Provider Name, Provider Phone Number, Taxpayer ID and Taxpayer Identification Number (TIN).

EDFR regularly uses PII to retrieve system records pertaining to patients, including Date of Birth, Name, Mailing Address, Medical Record Number, Health Insurance Claim Number (HICN), and Medical Notes.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name

  • E-Mail Address

  • Phone Numbers

  • Medical Notes

  • Taxpayer ID

  • Date of Birth

  • Mailing Address

  • Medical Records Number

  • Other - Health Insurance Claim Number (HICN), and/or Medicare Beneficiary Identifier (MBI), Legal Documents, Medicaid ID, National Provider Identifier (NPI), Provider Address, Provider e-mail Address, Provider Name, Provider Phone Number, and Taxpayer Identification Number (TIN).

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Business Partners/Contacts (Federal, state, local agencies)

  • Vendors/Suppliers/Contractors

  • Patients

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

The primary purpose of the PII used in EDFR is to perform calculations to measure the quality of healthcare services and protocols used. This information will be used to inform other CMS Programs that may result in recommendations for best practices or research protocols, or otherwise for developing and innovating health care treatments within the Medicare program. 

No user credentials are collected by the system. EDFR uses user ID and password login credentials to grant users and administrators access to the system. User credential PII is provided via CMS's enterprise identity management system and is used to support identification, authentication, and authorization of user access to EDFR.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

Not Applicable

Describe the function of the SSN.

NA

Cite the legal authority to use the SSN.

NA

Identify legal authorities​ governing information use and disclosure specific to the system and program.

Affordable Care Act (ACA) Section 3021

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

SOR# 09-70-0591, DERS (Master Demonstration, Evaluation, and Research Studies for the Office of Research, Development and Information)

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Other - EDFR does not collect PII/PHI directly from the public.

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

NA

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Not Applicable. EDFR does not collect PII directly from individuals. EDFR receives its data from the Implementation Contractor and CMS's data warehouse. EDFR is a recipient of PII sourced from existing medical records that have already been collected by the provider. Responsibility for patient notification resides at the point of information collection from the individual by the provider. However, all Medicare participants are provided with a Notice of Privacy Practices stating that, although they can elect not to share data for certain processes, as a condition of participating in Medicare their information will be shared for certain purposes, such as quality assessment and reporting.

EDFR end-users are given Terms and Conditions during the CMS account registration process which include Consent to Monitoring, Protecting Your Privacy, and Consent to Collection of Personal Identifiable Information (PII). Users will be emailed at the email address provided during registration if there are any changes in the Terms and Conditions.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

This is Not Applicable, as EDFR does not collect data directly from individuals/beneficiaries. EDFR is the recipient of PII sourced from existing medical records that have already been collected by the patient's provider. The provider is responsible for giving individuals an opt-out option and notification; responsibility for patient notification resides at the point of information collection from the individual by the provider. However, all Medicare participants are provided with a Notice of Privacy Practices stating that, although they can elect not to share data for certain processes, as a condition of participating in Medicare their information will be shared for certain purposes, such as quality assessment and reporting.

EDFR system users, who are CMS employees and direct contractors, must provide PII so that system administrators can authenticate their identity and grant them access to EDFR. EDFR end-users are given Terms and Conditions during the CMS account registration process, which include Consent to Monitoring, Protecting Your Privacy, and Consent to Collection of Personally Identifiable Information (PII). Users will be emailed at the email address provided during registration if there are any changes to the Terms and Conditions.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

The information that is submitted is sourced from existing medical records that have already been collected by the provider.

Changes to EDFR that would involve changes in uses and disclosures of beneficiaries' PII are not expected to occur. In the event that such changes were to occur, CMS will inform individuals using multiple channels, including direct mailings; notices on the CMS web site (including edits to CMS's posted Privacy Policy), or changes to the relevant systems of records notices.

Changes involving uses and disclosures of authentication information are also not expected to occur. In the event of such changes, employees will be notified by notices on the CMS intranet; newsletters; updates to the relevant systems of records notices; e-mails to affected individuals; and through supervisors and system owners.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

If an individual has concerns that their personally identifiable information (PII) has been inappropriately obtained, used, or disclosed or that the PII is inaccurate, the individual can contact the CMS Help Desk for assistance.

System users' credential information is collected via registration with CMS's authentication system; therefore, no separate process exists within EDFR. The issue should be reported to the CMS Help Desk and escalated to the CMS authentication system administrators.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The information that is submitted is sourced from existing medical records that have already been collected by the provider. Responsibility for patient concerns regarding the use of PII resides at the point of information collection from the individual.

The CMS Data Warehouse provides PII to EDFR. The Data Repository owner is responsible for conducting periodic reviews of PII contained in their system to ensure the data's integrity and accuracy. EDFR is not used to directly affect the rights and interests of data subjects, and so periodic checks of data integrity and accuracy do not affect the efficient and appropriate use of EDFR.

All information collected and used by EDFR is determined to be relevant by CMMI staff. CMMI staff use all data elements to construct analyses of claims data and generate quality measures. If CMMI determines that it no longer has a need for certain data elements, it will request changes to the EDFR system and stop collecting those data elements.

Data availability is protected by security controls selected as appropriate. EDFR follows the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards, and National Institute of Standards and Technology (NIST) documents such as its Special Publications to select controls appropriate to the level of risk of the system, determined using NIST's Federal Information Processing Standard 199.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: EDFR users who are authorized to view beneficiary data.

  • Administrators: Administrators are responsible for assigning user roles to user accounts. As such, they may be exposed to users' PII.

  • Contractors: EDFR is managed by direct contractor personnel. Direct contractors who hold system administration roles may also be exposed to users' PII stored in the system as part of their approved responsibilities.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

To obtain access to EDFR, users must first obtain CMS credentials via CMS's registration process. Once the user has received a user ID and password, a request must be made for access to the EDFR system and for an EDFR-specific application role.

User roles are established and managed in a way to ensure that users are only able to access data that pertains to their own organization. Roles are assigned and access is granted, to EDFR and the PII it contains, based upon principle of least privilege and "need-to-know" or "need-to-access" requirements to perform their assigned duties.

System Administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user, or by removing the user's access if it is no longer required. The activities of all users are logged and reviewed by the system administrator to identify abnormal activity; any abnormal activity found is reported to the business owner and the ISSO.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The system enforces role-based access controls, based on a least privilege model, to enforce the protection of data from unauthorized personnel. The application controls data access, such that the organizational user will be restricted to only access the data pertaining to their own organization.
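The control described above (role-based access, least privilege, and restriction of each organizational user to their own organization's data) is, in code, a deny-by-default authorization check that tests the role and the record's owning organization separately, and logs every decision so the administrator review mentioned earlier has something to review. The following is an added illustration, not EDFR's or CMS's code; the role names, permission table, and sample records are assumptions constructed for the example.

```python
"""Illustrative tenant-scoped, role-based access check (added example; not EDFR code).

Assumptions not stated on the page: roles named 'viewer' and 'admin', a
permission table, and in-memory sample records. A real system would take the
user's role from the identity provider and apply the organization filter as a
database row filter rather than in Python.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Deny-by-default permission table: a role may do only what is listed here.
PERMISSIONS = {
    "viewer": {"read"},
    "admin": {"read", "assign_role"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str   # the organization whose data this user may see
    role: str


@dataclass(frozen=True)
class Record:
    record_id: str
    org_id: str   # owning organization; the scoping attribute


@dataclass
class AuditLog:
    entries: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def record(self, user_id: str, action: str, record_id: str, outcome: str) -> None:
        self.entries.append((user_id, action, record_id, outcome))


def authorize(user: User, action: str, rec: Record, log: AuditLog) -> bool:
    """Allow only if the role permits the action AND the record belongs to the
    user's own organization. Both checks are independent; every outcome is logged."""
    allowed_actions = PERMISSIONS.get(user.role, set())  # unknown role gets nothing
    if action not in allowed_actions:
        log.record(user.user_id, action, rec.record_id, "DENY:role")
        return False
    if rec.org_id != user.org_id:
        # Right role, wrong tenant: the horizontal access case the page describes.
        log.record(user.user_id, action, rec.record_id, "DENY:org")
        return False
    log.record(user.user_id, action, rec.record_id, "ALLOW")
    return True


def visible_records(user: User, records: List[Record], log: AuditLog) -> List[Record]:
    """Server-side filter of a result set down to what the user may read, so a
    client cannot obtain another organization's rows by asking for them."""
    return [r for r in records if authorize(user, "read", r, log)]


def cross_org_denials(log: AuditLog) -> List[Tuple[str, str, str, str]]:
    """The review query an administrator would run: repeated attempts on other
    organizations' records are the 'abnormal activity' to escalate."""
    return [e for e in log.entries if e[3] == "DENY:org"]


# Constructed sample data (not real beneficiaries, claims, or organizations).
SAMPLE_RECORDS = [
    Record("claim-1", org_id="ORG-A"),
    Record("claim-2", org_id="ORG-A"),
    Record("claim-3", org_id="ORG-B"),
]

if __name__ == "__main__":
    log = AuditLog()
    alice = User("alice", org_id="ORG-A", role="viewer")
    print([r.record_id for r in visible_records(alice, SAMPLE_RECORDS, log)])
    print(cross_org_denials(log))
```

The two denial reasons are kept distinct on purpose: a role denial is usually a misconfigured account, while a same-role, different-organization denial is the pattern a reviewer should treat as a possible attempt to read another participant's beneficiaries.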

Identify the training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All CMS employees and contractors are required to complete mandatory security and privacy awareness training prior to gaining access to the CMS Network. Each year, thereafter, the user must get recertified. In the event they fail to complete the recertification training, the user's access will be terminated.

Describe training system users receive (above and beyond general security and privacy awareness training)

CMS requires users, on an annual basis, to complete Role-Based Training and HHS Records and Retention Training.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The application adheres to data retention and destruction policies/procedures that follow NARA guidelines related to data retention. More specifically, EDFR adheres to the following NARA general records schedule guidelines:

DAA-0440-2015-0009-0003: Research and analysis data will be destroyed 10 year(s) after cutoff or when no longer needed for agency business, whichever is later.

DAA-0440-2015-0007-0001: Beneficiary records will be destroyed no sooner than 10 year(s) after cutoff, but longer retention is authorized.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

To secure PII, EDFR follows the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards which are aligned to Health and Human Services (HHS) policies and to NIST requirements.

EDFR PII is secured with security controls as required by the CMS Security Program.

Administrative: The EDFR system uses the principle of least privilege together with role-based access control to ensure that system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. Users must receive manager approval to gain access to the system.

Technical: EDFR uses FIPS 140-2 validated cryptography for both data in transit and data at rest, in compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The data in EDFR is secured behind an approved firewall and through application security. Technical security controls include, but are not limited to, user accounts, passwords, and access limitation.

Physical: The hosting data center site is secured with locked rooms and guards.