Financial Management External Data Gathering Environment
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 9/11/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-3354126-967226 |
Name: | Financial Management External Data Gathering Environment |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 10/4/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | None |
Describe the purpose of the system | The purpose of the Financial Management (FM) External Data Gathering Environment (EDGE) is to allow Centers for Medicare and Medicaid Services (CMS) to perform Financial Management (FM) functions in relation to the operation of the Federally Facilitated Marketplaces (FFM) and State-based Marketplaces (SBM). FM EDGE is comprised of the following business areas: Enrollment and Payment Module (EPM), Payment Processing Module (PPM), EDGE Calculation Module (ECM), Extended Data Gathering Environment (EDGE), Operational Analytics (OA), and Quality Assurance-Opera (QAO). Financial Management (FM) performs policy based financial transactions with Issuers and provides support for risk mitigation programs (the three Rs – Risk Adjustments [RA], Reinsurance [RI], Risk Corridors [RC] and High-Cost Risk Pool (HCRP)) for Issuers, Consumers, and State Insurance Actuaries. Functional capabilities include: |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The following type of information is collected from the Insurance providers: DOB |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | Responsibility for the operations, maintenance, and security of the External Data Gathering Environment (EDGE) Server rests with the Issuers following CMS EDGE Server Provisioning and Registration to configure and acquire Issuer EDGE Servers. Each Issuer provides the data stored on its EDGE Server, and only that Issuer has access to the data stored on it. There is no direct connection between the Issuer EDGE Server and CMS, and only Reports without individual enrollee data are shared with CMS. Financial Management (FM) performs financial transactions with Issuers and provides support for risk mitigation programs for Issuers, Consumers, and State Insurance Actuaries. Functional capabilities include: 1. Collect financial Issuer data; 2. Support reconciliation; 3. Collect data to support risk adjustment program; and 4. Calculate Issuers’ credits for risk-mitigation programs (reinsurance, risk corridors, risk adjustments and high-cost risk pools). The Issuer EDGE Server runs processes to receive, validate, store, and report on Issuer medical, pharmaceutical, and supplemental claims and enrollee data. The data is used to evaluate and perform Risk Adjustment (RA), Reinsurance (RI) and High-Cost Risk Pool (HCRP) calculations for Issuers and other stakeholders. There are four components of EDGE consisting of 1. Manual Registration; 2. Registration and Provisioning; 3. File Ingest; and 4. Risk Adjustments (RA), Reinsurance (RI) and High-Cost Risk Pool (HCRP) Calculation and Reports. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | To process policy-based payments and generate Issuer reports and state reports. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable |
Describe the function of the SSN. | Stored as part of the Issuer and State reports provided to FM EDGE. |
Cite the legal authority to use the SSN. | 42 U.S.C. Section 18081; Affordable Care Act (ACA), Section 1414; Affordable Care Act (ACA), Section 1411; 5 U.S.C. 301, Departmental Regulation |
Identify legal authorities governing information use and disclosure specific to the system and program. | Patient Protection and Affordable Care Act (Public Law No. 111–148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law No. 111–152) Title 42 U.S.C. sections 18031, 18041, 18081—18083 and section 1414. 5 USC Section 301, Departmental regulations. |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - Enrollment and claims data collected by the Issuers in 13 states, in person and online, are the sources of PII in the system. |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Other - Enrollment and claims data collected by the Issuers in 13 states, in person and online, are the sources of PII in the system. |
Identify the OMB information collection approval number and expiration date | |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. |
|
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | Information Sharing Agreements (ISAs) are in place between CMS and Acumen and RTI, respectively. |
Describe the procedures for accounting for disclosures | The Privacy Policy contains information about privacy and use of information. This policy also contains a link to the Privacy Act Statement and other information related to disclosures. Per language in the CMS and Interconnection Security Agreements, parties are required to report privacy breaches or suspected breaches to CMS within one (1) hour of detection. Disclosure of privacy information between systems is managed under routine use notices, and legal agreements such as a Data Use Agreement. In addition, system logs maintain transaction information only (not the PII itself) as a record or accounting of each time it discloses information related to disclosures. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Not applicable, FM EDGE does not collect data directly. There is no process within FM EDGE to notify individuals that their personal information will be collected because data is not collected directly from individuals. It is provided by the Issuers or through CMS Healthcare.gov. Individuals with concerns about PII misuse or disclosure would contact the above entities that collected the information. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The method for individuals to opt-out of the collection or use of their PII is provided by the Issuers. FM EDGE does not provide a method for individuals to opt-out of the collection or use of PII because Issuers collect the information directly from individuals. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | There is no process in place to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system because it is the Issuers' responsibility to notify the individuals. The System of Record Notice will be updated if major changes occur to the system and posted on the HHS website after the Issuers are notified. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | There is no process in place within FM EDGE to resolve an individual's concern regarding PII. Since there is no direct link between the EDGE Servers and the individuals, it is up to the Issuers who collect an individual's information to resolve any concerns regarding inappropriately obtained, used, disclosed, or inaccurate PII information. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The Risk Adjustment Data Validation (RADV) process on the EDGE Server is used to ensure the integrity and quality of the data provided by issuers operating inside and outside the Marketplace under the HHS-operated risk adjustment program. The review of the supporting documentation for enrollees selected as part of the sample increases the level of assurance that payments and charges calculated by HHS are based on correct health risk status of issuers’ enrolled populations. RADV promotes confidence, consistency, and levels the playing field by establishing uniform audit procedures over this review. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | EDGE uses role-based access controls to verify administrators and contractors are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | There are three methods for restricting access. First, is to program user interfaces to limit the display of PII to only those elements needed to perform specific tasks. Second, is to limit the transmission of PII to validate information rather |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | CMS employees and contractor personnel who access or operate a CMS system are required to complete the CMS Security and Privacy Awareness Training provided annually. Contractors also complete their annual corporate Security Awareness Training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Not applicable |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | FM EDGE complies with the GRS 3.1, 3.2, and 4.3 retention schedules. Records are maintained for six (6) years and three (3) months, or unless needed for administrative, legal, audit, or other operational purposes. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The EDGE system does not store PII and uses encrypted communications between the systems that exchange data. Administrative controls such as written policy, procedures, and guidelines have been established. FM and supporting Operational Analytics (OA)/Quality Assurance Opera (QAO) PII is stored encrypted within FedRAMP approved Cloud Service Provider database services and hosts within cloud data center infrastructure that provides all physical controls. Third-party assessment validated the logical and technical controls that have been implemented to prevent unauthorized access, safeguard the data in the event of a disaster, and audit activity within the application. |