
FFM Eligibility Appeals Support

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 12/4/2023

PIA Information for the FFM Eligibility Appeals Support
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-5409514-257435

Name:

FFM Eligibility Appeals Support

The subject of this PIA is which of the following?

General Support System

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

10/4/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Not applicable

Describe the purpose of the system

The FFM (Federally Facilitated Marketplaces) Eligibility Appeals Support (FEAS) system is a General Support System (GSS) that provides the technology infrastructure to support business processes outside of the CMS’ Eligibility Appeals Case Management System (EACMS). It is made up of hardware and software that the Eligibility Appeals Operation Support (EAOS) staff use to perform the functions of the program.

EACMS handles the FFM and State-based Marketplaces (SBM) eligibility appeals case management, appeals hearings and informal resolution of eligibility appeals received from the FFM and SBM.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The FEAS system temporarily collects and maintains appeal request forms, or supporting documentation submitted in response to a request for additional information, that are either mailed or faxed (manually submitted) for EAOS staff to review and upload into the Eligibility Appeals Case Management System (EACMS).

The types of documents temporarily received and maintained are Marketplace Appeal Request Forms, individual pay stubs, Wage and Tax Statements (Form W-2), and tax forms such as Form 1040.

The unstructured data elements that the FEAS system could temporarily collect and maintain, within the documents submitted for review and uploaded into the EACMS, are the following:

First and Last Name of Individuals appealing, Date of Birth, Phone Numbers, Mailing Address, Taxpayer ID, Social Security Number, Employment Status, Medical Notes, email address, financial information, user credentials (user ID and password), Dependents, Wages, Employer's Name and Address, Marital Status, individual's maiden name.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The FFM (Federally Facilitated Marketplaces) Eligibility Appeals Support (FEAS) system is a General Support System (GSS) that provides the technology infrastructure to support business processes outside of the CMS’ Eligibility Appeals Case Management System (EACMS). It is made up of hardware and software that the Eligibility Appeals Operation Support (EAOS) staff use to perform the functions of the program.

The FEAS system temporarily collects and maintains appeal request forms, or supporting documentation submitted in response to a request for additional information, that are either mailed or faxed (hard copies) for EAOS staff to review and upload into the Eligibility Appeals Case Management System (EACMS).

The types of documents temporarily received and maintained are Marketplace Appeal Request Forms, individual pay stubs, Wage and Tax Statements (Form W-2), and tax forms such as Form 1040.

An individual record subject who wishes to know if this system contains records about him or her should write to the system manager who will require the system name, and for verification purposes, the subject individual’s name (woman’s maiden name, if applicable), and SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay).

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number
  • Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Financial Account Info
  • Employment Status
  • Other - user credentials (user ID and password), Dependents, Wages, Employer's Name and Address, Maiden Name, Marital Status

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Public Citizens

How many individuals' PII is in the system?

500-4,999

For what primary purpose is the PII used?

To process Appeal Requests, research supporting documentation, build a case file, manage a hearing process, and document decisions for effectuation by CMS.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

Not applicable

Describe the function of the SSN.

SSN is not used by the FEAS system. However, documents that appellants submit for review may have the SSN listed on them (e.g., a W-2 form submitted as proof of income).

An individual record subject who wishes to know if this system contains records about him or her should write to the system manager, who will require the system name and, for verification purposes, the subject individual’s name (woman’s maiden name, if applicable) and SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay).

Cite the legal authority to use the SSN.

26 U.S.C. 6103, as cited in the CMS Health Insurance Exchanges (HIX) Program Altered System of Records Notice (SORN): https://www.federalregister.gov/documents/2013/10/23/2013-24861/privacy-act-of-1974-report-of-an-altered-cms-system-of-records-notice

Identify legal authorities​ governing information use and disclosure specific to the system and program.

Patient Protection and Affordable Care Act (PPACA) (Pub. L. 111–148), as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111–152), collectively the Affordable Care Act; Title 42 U.S.C. 18031, 18041, 18081—18083; and section 1414 of the Affordable Care Act.

5 USC 301, Departmental regulations

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

09-70-0560 Health Insurance Exchanges (HIX) Program

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Hard Copy

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Members of the Public

Identify the OMB information collection approval number and expiration date

Not applicable

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The Marketplace Appeal Request Form notifies the individuals that their personal information will be collected. Please see verbiage below that is provided on the form.

Privacy & Use of Your Information
The Marketplace protects the privacy and security of information about you that you’ve provided. To view the Privacy Act Statement, go to HealthCare.gov/individual-privacy-act-statement. We’re authorized to collect the information on this form and any supporting documentation, including Social Security numbers, under the Patient Protection and Affordable Care Act (Public Law No. 111–148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law No. 111–152), implementing regulations in 45 CFR part 155, subpart F, and the Social Security Act. For more information about the privacy and security of your information, visit HealthCare.gov/privacy. 

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Providing the requested information is voluntary; however, failing to provide it may delay or prevent an individual from obtaining health coverage through the Marketplace, advance payment of the premium tax credit, cost sharing reductions, or an exemption from the shared responsibility payment.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

An individual record subject who wishes to know if this system contains records about him or her should write to the system manager, who will require the system name and, for verification purposes, the subject individual’s name (woman’s maiden name, if applicable) and SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay).

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

To contest a record, the subject individual should contact the system manager named above, reasonably identify the record, and specify the information being contested. The individual should state the corrective action sought and the reasons for the correction, with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

Integrity: The Federally Facilitated Marketplaces (FFM) Eligibility Appeals Support (FEAS) system performs periodic reviews of stored PII. These processes include manual review of exchange data extracts. Incoming hard copy appeals information is reviewed daily for discrepancies. All appeals discrepancies are reviewed and documented.

Accuracy: All documented appellant discrepancies are updated in EACMS by the EACMS Appeals Team. For employees, all discrepancies are documented and updated by the EACMS Operations Team.

Availability: The FEAS system is available Monday to Friday, 6:30 AM to 9:00 PM EST, and data matching technologies are in use to review both the accuracy and the availability of eligibility appeal data.

Relevancy: Federally Facilitated Marketplaces (FFM) Eligibility Appeals Support (FEAS) system staff perform periodic quality assurance reviews of the PII.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Users of the FEAS system will have access to the PII to process appeal requests, research supporting documentation, build a case file, manage a hearing process, and document decisions for effectuation by CMS.
  • Administrators: Administrators will have indirect access to the PII data because they have privileged access to the infrastructure supporting the FEAS system.
  • Contractors: Security auditors ensure that all CMS and FISMA security standards, procedures and guidelines are met. The security auditors also validate that proper security controls are in place to protect PII. Direct contractors can also be users of FEAS and perform appeals operations support as case workers.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to PII by system users is determined using role-based access control based on least privilege. FEAS has created the following roles:

System Administrators have full access to the systems to which they are assigned, for system maintenance and support.

Application Administrators have limited access to operating system functions but full access to their assigned application components, for application maintenance, enhancements and future releases.

Security auditors and analysts have access to auditing and security monitoring for security control audits and reporting, in addition to monitoring environmental activity.

Each role is granted the least privilege needed to perform its duties, and users must request and receive approval before being granted escalated privileges.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The FEAS system enforces the CMS ARS Moderate security and privacy controls baseline. These security and privacy controls ensure that the FEAS system is operating within the CMS-defined risk appetite and that the PII data is protected in accordance with federal requirements such as the Federal Information Security Modernization Act of 2014 (FISMA), the Privacy Act of 1974 (“Privacy Act”) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


Identify the training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Both CMS employees and direct contractors with access to CMS information systems are required to complete the annual CMS Security and Privacy Awareness training, provided as a Computer Based Training (CBT) course. Direct contractors also complete their annual corporate security training.

Describe training system users receive (above and beyond general security and privacy awareness training)

CMS employees and direct contractors with privileged access are required to complete role-based training and meet the continuing education requirements of their role.

There are additional training options available, such as conferences, seminars and classroom training provided by CMS/HHS.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

FEAS follows the records retention guidelines specified in the National Archives and Records Administration (NARA) records schedule DAA-0440-2014-0003, which states that records will be destroyed 10 years after the calendar year in which the records were created, and General Records Schedule (GRS) 3.2, which states that records will be destroyed after a maximum of six years.

https://www.archives.gov/files/records-mgmt/rcs/schedules/departments/department-of-health-and-human-services/rg-0440/daa-0440-2014-0003_sf115.pdf

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative: Policies and procedures have been created for securing PII in the FEAS system. Examples include Security Awareness and Training (SAT) policies, policies on the storage of PII, access control policies governing login access, and policies for following the NARA records retention schedule. FEAS also has policies on continuous monitoring of the system and audit log reviews.

Technical: Encryption for all backup tapes and data connections, and database encryption at the field level. Additionally, multiple intrusion detection and prevention methodologies are employed, and the system is tested regularly (multiple times a year) for application vulnerabilities and daily for system vulnerabilities.

Physical: Multiple physical security measures are in place at the Pittston, PA site. These include onsite security guards, 24/7 CCTV monitoring, Radio-Frequency Identification (RFID) cards to limit access to approved staff only, and alarmed doors with forced-open and held-open alerts.