
Financial Information and Vouchering System Next Generation

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 1/31/2025

PIA information for Financial Information and Vouchering System Next Generation
PIA Questions and PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-2451152-701565

Name:

Financial Information and Vouchering System Next Generation

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

Yes

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

12/11/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

The system is in its maintenance and operations phase; the only changes since the last PIA have been operational and security bug fixes.

Describe the purpose of the system

The Financial Information and Vouchering System Next Generation (FIVS NG) is a Centers for Medicare & Medicaid Services (CMS) Major Application (MA). FIVS NG is a financial management tool that provides the ability to submit budgets and invoices, certify invoices, make payment justifications, submit administrative suspension notices, and control funds, and it maintains other financial documents.


Additionally, FIVS NG provides CMS leadership insight into Quality Improvement Organization (QIO) performance, specifically as it relates to program management. All users are internal to FIVS NG and are made up of Application Development Organization (ADO), QIO, Health Care Quality Improvement System (HCQIS) Data Center and CMS stakeholders; as a result, the FIVS NG system does not have any system interconnections.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

FIVS NG uses HCQIS Access Roles and Profile (HARP) for authentication and authorization of users. Once authorized, users' access is verified at the page level, based on pre-defined permissions associated with their application role(s).
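The page-level check described above, as an added illustration and not code from FIVS NG, CMS or HARP: authentication is treated as already done upstream (the session carries a username and the roles approved for it), and every page request is then checked against a role-to-permission table with deny-by-default. The role names, page names, permission labels and the HTTP-method-to-permission mapping are assumptions for the example. The example also shows the failure modes a practitioner cares about: an unknown role, a page not yet in the table, and a user with no roles are all denied and the denial is logged.

```python
"""Page-level RBAC check after an upstream SSO login (illustrative, assumed names)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class Perm(Enum):
    VIEW = "view"
    SUBMIT = "submit"
    CERTIFY = "certify"
    ADMIN = "admin"


# role -> page -> permissions granted on that page.
# Anything absent from this table is denied. Role and page names are assumed.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[Perm]]] = {
    "qio_user": {
        "budget_estimate": {Perm.VIEW, Perm.SUBMIT},
        "voucher": {Perm.VIEW, Perm.SUBMIT},
    },
    "cms_certifier": {
        "voucher": {Perm.VIEW, Perm.CERTIFY},
        "payment_justification": {Perm.VIEW, Perm.SUBMIT},
        "reports": {Perm.VIEW},
    },
    "administrator": {
        "user_admin": {Perm.VIEW, Perm.ADMIN},
    },
}

# Assumed mapping from HTTP method to the permission a page request needs.
METHOD_PERM: Dict[str, Perm] = {"GET": Perm.VIEW, "POST": Perm.SUBMIT}


@dataclass(frozen=True)
class Session:
    """What the application keeps once the identity provider has authenticated the user."""
    username: str
    roles: frozenset


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_page_access(session: Session, page: str, perm: Perm,
                      audit_log: Optional[List[str]] = None) -> Decision:
    """Allow only if at least one of the session's roles grants `perm` on `page`.

    Roles not in the table and pages not in a role's entry contribute nothing,
    so the default outcome is deny. Denials are appended to `audit_log`.
    """
    for role in sorted(session.roles):
        granted = ROLE_PERMISSIONS.get(role, {}).get(page, set())
        if perm in granted:
            return Decision(True, f"{role} grants {perm.value} on {page}")
    msg = (f"DENY user={session.username} page={page} perm={perm.value} "
           f"roles={sorted(session.roles)}")
    if audit_log is not None:
        audit_log.append(msg)
    return Decision(False, msg)


def handle_request(session: Session, method: str, page: str,
                   audit_log: Optional[List[str]] = None) -> int:
    """Return an HTTP-style status for a page request: 200, 403, or 405 for an unmapped method."""
    perm = METHOD_PERM.get(method.upper())
    if perm is None:
        return 405
    return 200 if check_page_access(session, page, perm, audit_log).allowed else 403


if __name__ == "__main__":
    log: List[str] = []
    qio = Session("qio.analyst", frozenset({"qio_user"}))
    cms = Session("cms.reviewer", frozenset({"cms_certifier"}))
    print(handle_request(qio, "POST", "voucher", log))      # QIO submits a voucher
    print(handle_request(qio, "GET", "reports", log))       # QIO may not view CMS reports
    print(handle_request(cms, "GET", "reports", log))       # certifier views reports
    print(handle_request(cms, "GET", "brand_new_page", log))  # page not in table: denied
    for line in log:
        print(line)
```

The check runs on every request rather than once at login, so a role removed from the table takes effect immediately, and adding a new page without adding it to the table fails closed.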

Sharing of information outside of the FIVS NG application group can only be approved by CMS.

FIVS NG is a program management tool that provides QIO users the ability to define and manage contracts, submit business proposals, submit budget estimates, and submit invoices (vouchers).

FIVS NG provides CMS insight into QIO performance, specifically as it relates to program management and control. The system allows CMS employees and direct contractor users to:

make payment justifications and submit administrative suspension notices, generate reports on what the QIOs submit to FIVS NG (including reports comparing budget estimates to submitted vouchers), and track the timeliness of voucher certifications performed by CMS users.

FIVS NG also provides Common Account Number (CAN) control functionality that both CMS and QIOs use.

The following user information is collected, maintained, and stored by FIVS NG for accountability purposes: name and email address. Additionally, usernames are collected to confirm authorized users to the FIVS NG system.

Information stored within the FIVS NG system is kept for at least 10 years.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Financial Information and Vouchering System Next Generation (FIVS NG) passes, stores, maintains, and reports on financial data. FIVS NG receives voucher data from QIOs as spreadsheet entries of financial data, and this data is presented as a Voucher Detail Page for QIOs and CMS. FIVS NG is an existing program management tool that addresses the following business needs: providing QIOs with a means for entering and managing monthly invoice information, and providing CMS with a way to review that information.

User profile information received from HARP, including name and email address, is collected and stored to facilitate the role request process in FIVS NG. Upon approval of FIVS NG roles, the user's profile from HARP (limited to username, name, and email address) is synced to the FIVS NG database for the provisioning of the valid account and completion of the registration process. End users use their HARP username and password to access FIVS NG. End users include individuals from CMS's central and regional offices and QIO users from across the country. User account information is not shared with any other system or user group.

Financial information, applications, commercial information and trade secrets are received in confidence (i.e., proprietary information, contract bidding information, sensitive information about patents, and information protected by Cooperative Research and Development Agreements). Also included is information about payments, payroll, automated decision making, procurement, market-sensitive data, inventory, other financially related systems, and site operating and security expenditures. The financial data is used for accounting verification, voucher authorization, and reporting.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name

  • E-Mail Address

  • Other - Username is collected to grant users access to the FIVS NG system, after HARP authentication and authorization.

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Vendors/Suppliers/Contractors

How many individuals' PII in the system?

100-499

For what primary purpose is the PII used?

The users’ name and email address are the elements required to provision a user account with FIVS NG, which allows the users access to the application.


Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

Email address is used to send email notifications to the associated user where applicable.


Describe the function of the SSN.

Not Applicable

Cite the legal authority to use the SSN.

Not Applicable

Identify legal authorities​ governing information use and disclosure specific to the system and program.

5 USC 301 - Departmental Regulations, Health and Human Services Health Information Privacy Policy.

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Not Applicable

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Not Applicable

Identify the OMB information collection approval number and expiration date

Not Applicable

Is the PII shared with other organizations?

No


Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Not applicable. Notice is the responsibility of HARP.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Personally Identifiable Information (PII) is received from HARP because it is required for access to the FIVS NG system; there is no opt-out within FIVS NG. HARP is covered by its own separate Privacy Impact Assessment (PIA).

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Users are notified through release notes on the application home page explaining the changes that have been made. A memo is generated, approved by CMS, and posted on the application website, as well as being emailed by CMS to all application users notifying them of the change.


Additionally, all PII consent updates are made to the users directly at the HARP level which is covered by its own separate PIA.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Users can contact the CMS IT Service Desk, via email or phone, to report concerns when they believe their PII is being inappropriately used. Alternatively, users can correct any inaccuracies in their PII using the HARP self-service tool.

User issues or concerns are addressed on a case-by-case basis in the workflow described below:

A complaint is filed by a stakeholder; the complaint is received in the form of a ServiceNow ticket or via direct communication with the Program Team. The complaint is then reviewed and, if it is deemed valid, it is added to the ADO backlog and prioritized when planning for the next release starts. A Level of Effort (LOE) is determined to address the complaint and presented to the Program Team. The standard agile development lifecycle is followed to address the complaint item.

The FIVS NG System follows the CMS Incident Response and Breach Notification Procedures, as well as the QualityNet Incident Response procedures.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

Integrity – The PII is sourced from HARP, and FIVS NG is unable to edit users' PII.

Availability – The PII is sourced from HARP, and FIVS NG is unable to edit users' PII. Users who want to access or edit their PII must go through HARP's Self-Service portal.

Accuracy – The PII is sourced from HARP, and FIVS NG is unable to edit users' PII. Users who want to edit their PII must go through HARP's Self-Service portal.

Relevancy - Business owners approve the need for a user account and administrators are responsible for monitoring content for relevancy.

Identify who will have access to the PII in the system and the reason why they require access.

  • Administrators - Administrators have read-only access to user PII for user administration tasks such as account provisioning and role management.

  • Contractors - Direct Contractors to CMS, in their role as an administrator (Help Desk, Database or System), have access to PII as required and manage user accounts.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Within the application, roles are defined based on the level of access needed to complete duties within FIVS NG, and these roles are determined by the FIVS NG CMS Government Task Lead (GTL). Users with administrative privileges require access to account information for management purposes. FIVS NG employs the principle of least privilege together with Role-Based Access Control (RBAC), which limits each user to the "need-to-know" and "need-to-access" consistent with their assigned duties.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

FIVS NG employs RBAC to ensure that only the minimum amount of access is granted for each role to perform their duties.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

System personnel participate in CMS' Annual Security Awareness and Privacy training. Training on account management policies and procedures is provided to administrative and account management personnel.

Describe training system users receive (above and beyond general security and privacy awareness training)

Not Applicable

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

National Archives and Records Administration (NARA), General Records Schedule (GRS) 3.2 states that FIVS NG will destroy/delete when 7-years 6-months, 10-years 6-months, or 20-years 6-months old, based on the maximum level of operation of the Certification Authority, or when no longer needed for business, whichever is later.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

All FIVS NG system PII is secured with a variety of security controls as required by FISMA and the CMS Security Program.

Administrative controls include but are not limited to: contingency plans and annual testing, backups of all files, offsite storage of backup files, background checks for all personnel, incident response procedures for timely response to security and privacy incidents, initial security training with refresher courses annually, and annual role-based security training for personnel with assigned security roles and responsibilities.

Technical controls include, but are not limited to: user authentication with least-privilege authorization, firewalls, Intrusion Detection and Prevention Systems (IDS/IPS), hardware configured with NIST security checklists, encrypted communications, data encryption at rest, hardware configured with a deny-all/permit-by-exception approach, auditing, and correlation of audit logs from all systems.

Management controls include, but are not limited to: Certification and Accreditation (C&A), annual security assessments, monthly management of outstanding corrective action plans, ongoing risk assessments, and automated continuous monitoring.

The integrity of the data is protected via edit checks at the application level. Data transmitted through the QualityNet Exchange Internet application is protected during transmission and at rest through a CMS-approved encryption protocol.

The physical security of the data center where the system resides includes the use of access cards for entry, security guards, and video monitoring.

Identify the publicly-available URL:

https://fivsng.cms.gov

Does the website have a posted privacy notice?

No

Is the privacy policy available in a machine-readable format?

No

Does the website use web measurement and customization technology?

No

Does the website have any information or pages directed at children under the age of thirteen?

No

Does the website contain links to non-federal government website external to HHS?

No