FFM Eligibility Appeals Support
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 12/4/2023
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-5409514-257435 |
Name: | FFM Eligibility Appeals Support |
The subject of this PIA is which of the following? | General Support System |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 10/4/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Not applicable |
Describe the purpose of the system | The FFM (Federally Facilitated Marketplaces) Eligibility Appeals Support (FEAS) system is a General Support System (GSS) that provides the technology infrastructure to support business processes outside of the CMS’ Eligibility Appeals Case Management System (EACMS). It is made up of hardware and software that the Eligibility Appeals Operation Support (EAOS) staff use to perform the functions of the program. EACMS handles the FFM and State-based Marketplaces (SBM) eligibility appeals case management, appeals hearings and informal resolution of eligibility appeals received from the FFM and SBM. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The FEAS system temporarily collects and maintains appeal request forms or supporting documentation submitted in response to a request for additional information, which are either mailed or faxed (manually submitted) for EAOS staff to review and upload into the Eligibility Appeals Case Management System (EACMS). |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The FFM (Federally Facilitated Marketplaces) Eligibility Appeals Support (FEAS) system is a General Support System (GSS) that provides the technology infrastructure to support business processes outside of the CMS’ Eligibility Appeals Case Management System (EACMS). It is made up of hardware and software that the Eligibility Appeals Operation Support (EAOS) staff use to perform the functions of the program. The FEAS system temporarily collects and maintains appeal request forms or supporting documentation submitted in response to a request for additional information, which are either mailed or faxed (hard copies) for EAOS staff to review and upload into the Eligibility Appeals Case Management System (EACMS). Types of documents temporarily received and maintained are Marketplace Appeal Request Forms, individual pay stubs, Wage and Tax Statements (W-2), and tax forms such as Form 1040. An individual record subject who wishes to know if this system contains records about him or her should write to the system manager, who will require the system name and, for verification purposes, the subject individual’s name (woman’s maiden name, if applicable) and SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay). |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 500-4,999 |
For what primary purpose is the PII used? | To process Appeal Requests, research supporting documentation, build a case file, manage a hearing process, and document decisions for effectuation by CMS. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable |
Describe the function of the SSN. | The SSN is not used by the FEAS system. However, documents submitted for review by appellants could have the appellant's SSN listed on them (e.g., a W-2 form as proof of income). An individual record subject who wishes to know if this system contains records about him or her should write to the system manager, who will require the system name and, for verification purposes, the subject individual’s name (woman’s maiden name, if applicable) and SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay). |
Cite the legal authority to use the SSN. | 26 U.S.C. 6103 as defined by the CMS Health Insurance Exchanges (HIX) Program Altered System of Records Notice (SORN). https://www.federalregister.gov/documents/2013/10/23/2013-24861/privacy-act-of-1974-report-of-an-altered-cms-system-of-records-notice |
Identify legal authorities governing information use and disclosure specific to the system and program. | Patient Protection and Affordable Care Act (PPACA) (Pub. L. 111–148) as amended by the Health Care and 5 USC 301, Departmental regulations |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0560 Health Insurance Exchanges (HIX) Program |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Hard Copy |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Members of the Public |
Identify the OMB information collection approval number and expiration date | Not applicable |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The Marketplace Appeal Request Form notifies individuals that their personal information will be collected. Please see the verbiage below that is provided on the form, under the heading "Privacy & Use of Your Information". |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Providing the requested information is voluntary, but failing to provide it may delay or prevent an individual from obtaining health coverage through the Marketplace, advance payment of the premium tax credits, cost sharing reductions, or an exemption from the shared responsibility payment. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | An individual record subject who wishes to know if this system contains records about him or her should write to the system manager, who will require the system name and, for verification purposes, the subject individual’s name (woman’s maiden name, if applicable) and SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay). |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | To contest a record, the subject individual should contact the system manager named above, and reasonably |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Integrity: The Federally Facilitated Marketplaces (FFM) Eligibility Appeals Support (FEAS) system performs periodic reviews of stored PII. These processes include manual review of exchange data extracts. Incoming hard-copy appeals information is reviewed daily for discrepancies. All appeals discrepancies are reviewed and documented. Accuracy: All documented appellant discrepancies are updated in EACMS by the EACMS Appeals Team. For employees, all discrepancies are documented and updated by the EACMS Operations Team. Availability: The FEAS system is available Monday to Friday, 6:30 AM to 9:00 PM EST, and data-matching technologies are in use to review both the accuracy and the availability of eligibility appeal data. Relevancy: Federally Facilitated Marketplaces (FFM) Eligibility Appeals Support (FEAS) system staff perform periodic quality assurance reviews of the PII |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to PII by system users is determined using role-based access built on the principle of least privilege. FEAS has created the following roles: System Administrators have full access to the systems to which they are assigned, for system maintenance and support. Application Administrators have limited access to operating system functions but full access to their assigned application components, for application maintenance, enhancement and future releases. Security auditors and analysts have access to auditing and security monitoring, for security control audits and reporting in addition to monitoring environmental activity. These roles are granted the least privileges needed to perform their duties and must request approval before being granted escalated privileges. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The FEAS system enforces the CMS ARS Moderate security and privacy controls baseline. These security and privacy controls ensure that the FEAS system is operating within the CMS defined risk appetite and that the PII data is protected in accordance with federal requirements such as the Federal Information Security |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Both CMS employees and direct contractors with access to CMS information systems are required to complete the annual CMS Security and Privacy Awareness training provided annually as a Computer Based Training (CBT) course. The direct contractors also complete their annual corporate security training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | CMS employees and direct contractors with privileged access are required to complete role-based training and meet continuing education requirements of their role. There are additional training options available, such as conferences, seminars and classroom training provided by CMS/HHS. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | FEAS follows the records retention guidelines as specified in the National Archives and Records Administration (NARA) General Records Schedule (GRS) DAA-0440-2014-0003, which states that records will be destroyed 10 years after the calendar year in which the records were created; and GRS 3.2, which states that records will be destroyed after a maximum of six years. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative: Policies and procedures have been created for securing PII in the FEAS system. Examples include Security Awareness and Training (SAT) policies, policies on the storage of PII, access control policies governing login access, and policies for following the NARA records retention schedule. FEAS also has policies on continuous monitoring of the system and audit log reviews. Technical: Encryption of all backup tapes and data connections, and database encryption at the field level. Additionally, multiple intrusion detection and prevention methodologies are employed, and the system is tested regularly (multiple times a year) for application vulnerabilities and daily for system vulnerabilities. Physical: Multiple physical security measures are in place at the Pittston, PA site, including onsite security guards, 24/7 CCTV monitoring, Radio-Frequency Identification (RFID) cards to limit access to approved staff only, and alarmed doors with forced-open or left-open alerts. |