Skip to main content

Financial Management External Data Gathering Environment

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 9/11/2024

PIA Information for the Financial Management External Data Gathering Environment
PIA QuestionsPIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-3354126-967226

Name:

Financial Management External Data Gathering Environment

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

10/4/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

None

Describe the purpose of the system

The purpose of the Financial Management (FM) External Data Gathering Environment (EDGE) is to allow Centers for Medicare and Medicaid Services (CMS) to perform Financial Management (FM) functions in relation to the operation of the Federally Facilitated Marketplaces (FFM) and State-based Marketplaces (SBM). FM EDGE is comprised of the following business areas: Enrollment and Payment Module (EPM), Payment Processing Module (PPM), EDGE Calculation Module (ECM), Extended Data Gathering Environment (EDGE), Operational Analytics (OA), and Quality Assurance-Opera (QAO). Financial Management (FM) performs policy based financial transactions with Issuers and provides support for risk mitigation programs (the three Rs – Risk Adjustments [RA], Reinsurance [RI], Risk Corridors [RC] and High-Cost Risk Pool (HCRP)) for Issuers, Consumers, and State Insurance Actuaries. Functional capabilities include: 
1. Collect and reports financial Issuer data; 
2. Support reconciliation; 
3. Collect data to support risk adjustment program; and 
4. Calculate Issuers’ credits for risk-mitigation programs (Risk Adjustments [RA], Reinsurance [RI], Risk Corridors [RC] and High-Cost Risk Pool (HCRP). 
The Issuer’s External Data Gathering Environment (EDGE) Server runs processes to receive, validate, store, and report on Issuer medical, pharmaceutical, and supplemental claims and enrollee data. Issuers maintain ownership of their respective EDGE server and all enrollee data, and only provides EDGE application Reports without Issuer collected individual data to CMS. The Reports are used to evaluate and perform Risk Adjustment and Reinsurance calculations for Issuers and other stakeholders. CMS processes policy-based payments for Advanced Premium Tax Credit (APTC), Cost Sharing Reduction (CSR), and User Fee (UF) for both the Federally Facilitated Exchange (FFE) and State Based Exchange (SBE) states.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

Following type of information is collected from the Insurance providers:

DOB
SSN
Sex
APTC Amount
Cost Sharing Reduction Amount
Qualified Health Plan ID
First Name
Middle Name
Last Name
Marital Status Code
City Name
State Code
Postal code
County Code
Telephone Number
Rating Area
Exchange Assigned Member ID
Total Premium Amount
Group Policy Number
Contract Code
Member Start Date
Member End Date4
Race
Ethnicity
PHI—Diagnosis Service and Drug codes

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

Responsibility for the operations, maintenance, and security of the External Data Gathering Environment (EDGE) Server rests with the Issuers following CMS EDGE Server Provisioning and Registration to configure and acquire Issuer EDGE Servers. Each Issuer provides the data stored on its EDGE Server, and only that Issuer has access to the data stored on it. There is no direct connection between the Issuer EDGE Server and CMS, and only Reports without individual enrollee data is shared with CMS. Financial Management (FM) performs financial transactions with Issuers and provides support for risk mitigation programs for Issuers, Consumers, and State Insurance Actuaries. Functional capabilities include: 1. Collect financial Issuer data; 2. Support reconciliation; 3. Collect data to support risk adjustment program; and 4. Calculate Issuers’ credits for risk-mitigation programs (reinsurance, risk corridors, risk adjustments and high-cost risk pools). The Issuer EDGE Server runs processes to receive, validate, store, and report on Issuer medical, pharmaceutical, and supplemental claims and enrollee data. The data is used to evaluate and perform Risk Adjustment (RA), Reinsurance (RI) and High-Cost Risk Pool (HCRP) calculations for Issuers and other stakeholders. There are four components of EDGE consisting of 1. Manual Registration; 2. Registration and Provisioning; 3. File Ingest; and 4. Risk Adjustments (RA), Reinsurance (RI) and High-Cost Risk Pool (HCRP) Calculation and Reports.
Both Manual Registration and Registration and Provisioning are strictly for Issuers to configure and acquire their EDGE Servers for each Issuers data and creating the Summary Reports to be submitted to CMS. File Ingest is where Issuers submit individual user enrollments and claims the Issuer has collected and that resides only on the Issuers' side and is not provided to CMS EDGE. RA, RI and HCRP Calculation and Reports are comprised of remote commands executed on the EDGE Servers. Summaries and Summary Reports are stored in CMS Marketplace Oracle Database, and Reports are detailed and sent back to the Issuers. There is no direct connection between the Issuer EDGE Server and the CMS Amazon Web Service (AWS) Environment. Operational Analytics (OA) ensures data integrity and accuracy across Marketplace’s Enrollments, Claims and Payments, provides data driven decision support for operational and policy decision making, and enables efficient functioning of the three premium stabilization programs, Risk Adjustment, Risk Corridors and Reinsurance. Quality Assurance Opera (QAO) provides FM EDGE the capability to analyze and perform independent validation of FM data, such as policy-based payments, based on Federally Facilitated Marketplace (FFM) system enrollee data. 

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Financial Account Info
  • Other - Sex Race Ethnicity PHI-Diagnosis Service and Drug codes Qualified Health Plan ID Marital Status CodeRating  Area Exchange  Assigned Member IDGroup Policy NumberContract CodeMember Start DateMember End Date4

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Public Citizens

  • Patients

  • Other - Private Sector

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

To process policy-based payments and generate Issuer reports and state reports.
PII also supports quality assurance validation of various data associated with the Affordable Care Act (ACA) Enrollment Stabilization effort and supports operational and policy-based decision making. This includes beneficiary and enrollment data to include Policy metadata and Beneficiary demographic data.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

Not applicable

Describe the function of the SSN.

stored as part of the Issuer and State reports provided to FM EDGE

Cite the legal authority to use the SSN.

42 U.S.C Section 18081 Affordable Care Act (ACA), Section 1414 Affordable Care Act (ACA), Section 1411 5 U.S.C. 301, Departmental Regulation

Identify legal authorities​ governing information use and disclosure specific to the system and program.

Patient Protection and Affordable Care Act (Public Law No. 111–148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law No. 111–152) Title 42 U.S.C. sections 18031, 18041, 18081—18083 and section 1414.

5 USC Section 301, Departmental regulations.

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Other - enrolment and claims data collected by the Issuers in 13 states, in person and online, are the sources of PII in the system.

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Other - Enrollment and claims data collected by the Issuers in 13 states, in person and online, are the sources of PII in the system.

Identify the OMB information collection approval number and expiration date

 

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Private Sector: Issuers for Reporting
    The Risk Adjustment Data Validation (RADV) process on the EDGE Server is used to ensure the integrity and quality of the data provided by issuers operating inside and outside the Marketplace under the HHS-operated risk adjustment program. The review of the supporting documentation for enrollees selected as part of the sample increases the level of assurance that payments and charges calculated by HHS are based on correct health risk status of issuers’ enrolled populations. RADV promotes confidence, consistency, and levels the playing field by establishing uniform audit procedures over this review. 

    Risk Adjustment Data Validation (RADV) reports are sent to General Dynamics Information Technology (GDIT), and the Risk Adjustment Data Validation Population Statistics (RADVPS) reports are sent to OPERA and GDIT for sampling purposes. Additionally, RA recalibration reports are sent to Research Triangle Institute (RTI) for RA model changes. PII Data is masked prior to being sent over to the third parties.

  • State or Local Agency/Agencies: States For Reporting

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

Information Sharing Agreement (ISAs) are in place between CMS and Acumen and RTI, respectively.

Describe the procedures for accounting for disclosures

The Privacy Policy contains information about privacy and use of information. This policy also contains a link to the Privacy Act Statement and other information related to disclosures.

Per language in the CMS and Interconnection Security Agreements, parties are required to report privacy breaches or suspected breaches to CMS within one (1) hour of detection.

Disclosure of privacy information between systems is managed under routine use notices, and legal agreements such as a Data Use Agreement.  In addition, system logs maintain transaction information only (not the PII itself) as a record or accounting of each time it discloses information related to disclosures.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Not applicable, FM EDGE does not collect data directly. There is no process within FM EDGE to notify individuals that their personal information will be collected because data is not collected directly from individuals. It is provided by the Issuers or through CMS Healthcare.gov. Individuals with concerns about PII misuse or disclosure would contact the above entities that collected the information.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The method for individuals to opt-out of the collection or use of their PII is provided by the Issuers.  FM EDGE does not provide a method for individuals to opt-out of the collection or use of PII because Issuers collect the information directly from individuals. 

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

There is no process in place to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system because it is the Issuers' responsibility to notify the individuals.  The System of Record Notice will be updated if major changes occur to the system and posted on the HHS website after the Issuers are notified.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

There is no process in place within FM EDGE to resolve an individual's concern regarding PII. Since there is no direct link between the EDGE Servers and the individuals, it is up to the Issuers who collect an individual's information to resolve any concerns regarding inappropriately obtained, used, disclosed, or inaccurate PII information.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The Risk Adjustment Data Validation (RADV) process on the EDGE Server is used to ensure the integrity and quality of the data provided by issuers operating inside and outside the Marketplace under the HHS-operated risk adjustment program. The review of the supporting documentation for enrollees selected as part of the sample increases the level of assurance that payments and charges calculated by HHS are based on correct health risk status of issuers’ enrolled populations. RADV promotes confidence, consistency, and levels the playing field by establishing uniform audit procedures over this review.

Identify who will have access to the PII in the system and the reason why they require access.

  • Administrators: System administrators do not specifically access or use PII as part of their system maintenance and support activities. However, because they need to have administrator access to perform their maintenance and support activities may have access to PII. This access is limited to only those individuals that require this access to perform their job responsibilities.

  • Contractors: Direct Contractors, in their role as an administrator, would have access to PII in accordance with that role.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

EDGE uses role-based access controls to verify administrators and contractors are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

There are three methods for restricting access. First, is to program user interfaces to limit the display of PII to only those elements needed to perform specific tasks. Second, is to limit the transmission of PII to validate information rather
than copy or pull information from another authoritative source. Third, is to implement role-based access controls and auditing to ensure those with access is on a "need-to-know" and "need to access" basis.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

CMS employees and contractor personnel who access or operate a CMS system are required to complete the annual CMS Security and Privacy Awareness Training provided annually. Contractors also complete their annual corporate Security Awareness Training. 

 

Describe training system users receive (above and beyond general security and privacy awareness training)

Not applicable

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

FM EDGE complies with the GRS 3.1, 3.2, and 4.3 retention schedules. Records are maintained for six (6) years and three (3) months, or unless needed for administrative, legal, audit, or other operational purposes.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The EDGE system does not store PII and uses encrypted communications between the systems that exchange data, administrative controls such as written policy, procedures, and guidelines have been established. FM and supporting Operational Analytics (OA)/Quality Assurance Opera (QAO) PII is stored encrypted within FedRAMP approved Cloud Service Provider database services and hosts within cloud data center infrastructure that provides all physical controls. Third-party assessment validated the logical and technical controls that have been implemented to prevent unauthorized access, safeguard the data in the event of a disaster, and audit activity within the application.