Health Insurance and Oversight System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 12/19/2024
OPDIV: | CMS |
|---|---|
PIA Unique Identifier: | P-3906017-027802 |
Name: | Health Insurance and Oversight System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 3/18/2022 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | The Health Insurance and Oversight System (HIOS) system includes multiple modules that are integrated into the system to provide support. The HIOS application resides in the Amazon Web Services (AWS) cloud, which is hosted at the US East Region (Northern Virginia). The HIOS system completed an infrastructure migration from the legacy AWS V3 architecture to the AWS V4 architecture. AWS V4 architecture includes various improvements to account structure, user access, user roles, and network structure. |
Describe the purpose of the system | Health Insurance Oversight System HIOS (HIOS) is a complex, tightly integrated set of 20 application modules that continues to evolve as new provisions of the Affordable Care Act (ACA), and the Consolidated Appropriations Act (CAA) are implemented. The principal function of HIOS is to serve as the government's primary data collection vehicle and staging area for data provided by various external sources. These data sources submit their data directly into HIOS by securely logging into HIOS via the Internet. In its role as the primary data collection vehicle, HIOS also serves as the entry point for the Federally facilitated Marketplace (FFM) (covered in a separate PIA) efforts. More importantly, HIOS handles all user management functions and manages user role provisioning across multiple Center for Consumer Information and Insurance Oversight (CCIIO) systems. HIOS has been implemented in a modular fashion to support the CCIIO programs associated with health insurance reform and the implementation and management of the health benefit marketplaces. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The information collected, stored, shared, and retained within HIOS is based on healthcare plan year and is replaced or updated annually. HIOS PORTAL provides access controls for each module and allows system administrators to perform account management functionality to create accounts, edit information and assign roles. HIOS Plan Finder (PF) collects State and Private Market Issuer health insurance product information. Rate and Benefits Information System (RBIS) provides Market Issuer users with the capability to submit and manage detailed product benefit and eligibility information about their plan offerings. Medical Loss Ratio (MLR) data includes premiums paid to Market Issuer, claims amounts paid, applicable fees, expenses related to resolution of claims. Rate Review Justification (RRJ) supports the CCIIO and the States' Departments of Insurance (DOI) ability to review health insurance premium rates to track all rate changes and bring visibility to unreasonable rate increases. Rate Review Grant (RRG) collects reports provided by the states, on how they utilize grant funding, metrics regarding rate change data submitted to them by Market Issuers and the States’ review of these rate changes. External Review Election (ERE) collects information related to the External Review process of appeals health insurance plan decisions concerning denied payments for a service or treatment. Non-Federal Government Health Plans (Non-Fed) NON-FED allows both self-funded and fully insured health insurance plans to register their organization and elect to exempt those plans from 7 provisions of title XXVII of the Public Health Service (PHS) Act. Assister module ASSISTER MODULE allows Assister Organizations to create, edit, attest, and certify assister records. Marketplace Quality Module (MQM) provides score ratings. Users can review/preview ratings and the data will be available for data dissemination to the Analytic platform, and Federal and State Marketplaces. The Navigator Resources (NR) Module displays policy information and provides links to resources Navigators need to assist consumers in selecting their healthcare options. The State Flexibility Grant (SFG) module allows for functionality is where State Grantees participating in the State Flexibility to Stabilize the Market Grant Program may upload required quarterly, annual, and final narrative progress reports. The Pharmacy Benefit Manager (PBM) module allows Pharmacy Benefit Manager companies to submit pharmacy transparency data required by CMS. The Pharmacy Drug Data Collection (RxDC) module will facilitate the collection of data from Issuers, Third Party Administrators (TPA’s), Group Health Plans (GHP)/Organization, and Prescription Benefit Managers (PBM). Gag Clause Prohibition Compliance Attestation (GCPCA) system provides a channel for the federal government to electronically collect annual attestations from plans and issuers and identify those who have not attested to compliance with CAA Division BB, Title II, Section 201 gag clause attestation. Document Collection Module (DCM) State Document Collection (SDC) provides States with the ability to submit the Effective Rate Review Survey via online submission for review by the CCIIO. DCM Market Conduct Module (MCM) allows HHS users to create requests to Market Issuers for documentation in support of a Market Conduct Examination (MCE). DCM Form Filing Module (FFM) allows Market Issuers to upload their insurance plan filings of policy forms and program information (deductibles, coverage, prescription benefits) and add supporting documentation to these submissions. DCM Minimum Essential Coverage (MEC) module allows users to create submissions on behalf of their organizations, consisting of Certifying Official contact information and any documentation pertaining to their MEC plan(s). ECP allows State Grantees to upload narrative progress reports to comply with the Health Insurance Enforcement and Consumer Protections Grant reporting requirements. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | HIOS is a web-based application that allows CMS's CCIIO to collect health insurance plan data from state entities and Market Issuers. It is aggregated with other CMS data sources and made public on a separate CMS consumer- facing website, www.cms.gov (http://www.cms.gov/). The data collected through HIOS is published in various formats like reports, fact sheets and other informational documents.
|
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 10,000-49,999 |
For what primary purpose is the PII used? | HIOS collects PII to contact users either by email or phone as needed. Within the Assister module, an individual's business-related PII is used to certify them to provide services to consumers. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable |
Describe the function of the SSN. | Not applicable |
Cite the legal authority to use the SSN. | Not applicable |
Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for maintenance, collection and disclosures of information is given under sections 2719, 2723, and 2761 of the Public Health Service Act and section 1321(c) of the Affordable Care Act and 5 USC Section 301, Departmental regulations. |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Health Insurance Exchange (HIX) SORN: 09-70-0560, |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | OMB Control Number 0938-1236. Expiration Date 8/31/2025. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | HIOS does not directly notify individuals because it is accessed through IDM. When a user logs into IDM, there is a Terms and Conditions statement that the user must click the "I Agree" button to move forward. It states that their information is being collected. Additionally, when someone creates a new user account, there is a "Consent to Monitoring & Collection of Personally Identifiable Information" introduction displayed on the Terms & Conditions page. The person can elect to "Decline" the Terms and Conditions and then no account will be created. The users are also provided disclaimer notification once in the HIOS portal which also must be acknowledged by clicking "I agree". |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There isn't an 'option to object,' since the process is voluntary and necessary only if an account creation is desired. The person can elect to "Decline" the Terms and Conditions and then no account will be created. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Since the HIOS system is part of the IDM environment, notification of any major changes to the system related to PII would be done by IDM, in the form of online notices on portal.CMS.gov. Additionally, the HIX SORN will be updated on the Federal Register. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Within the HIOS portal there is a notice that individuals may contact the Marketplace Service Desk (MSD) at a toll-free number or at the designated email address, if they have any questions or concerns regarding the use of their PII in HIOS. The MSD would contact the individual and investigate the concern. If necessary, there might be changes made to the user's access or PII. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | PII is submitted and managed (including any corrections) by the user. Incorrect data is corrected while using the system by updating whichever element is incorrect, for example, a name change, new telephone number, or email address. HIOS administrators maintain the allowable/registered users by deleting, reactivating and assigning users to modules. The availability of the user accounts is managed on the backend by IDM since that is where the initial creation of the user account occurs. There are processes in place to review the current users and eliminate any inactive accounts such as user accounts of individuals are removed from the group or automatically disable inactive HIOS accounts within 60 days. Data integrity and availability is also managed by security technologies, including firewalls and encryption layers. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Those with access to PII have only the minimum amount of information necessary to perform their job in accordance with the least privilege principle. There is a process in place for requesting, establishing, issuing, and closing user accounts and tracking access authorizations. The disabling of inactive accounts and auditing of user accounts allow those with access to PII to only access the minimum amount of information necessary to perform their job. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | HIOS users are granted the minimum access necessary to perform their job function. There are different levels of access depending on the role of the individual accessing HIOS, in accordance with role-based privileges. All HIOS users are authenticated via the IDM system credentials. If an individual is removed from a module or automatically disabled, then the account is made inactive in HIOS within 60 days. There is also multi-factor authentication of the user for access (two log-in screens). The direct contractor accounts are reviewed annually in order to determine if a user still requires access to the data. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS employees and direct contractors with access to CMS networks, applications, or data must complete mandatory annual Security and Privacy Awareness Training. Since HIOS is a CMS application, the system personnel must take the CMS Security Awareness training. Direct contractors also complete their own annual corporate security training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | CMS employees and direct contractors with privileged access are required to complete role-based training and meet continuing education requirements commensurate with their role and participate in an annual contingency planning exercise. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The HIOS system is subject to the HIX SORN which states: These records will be maintained until they become inactive, at which time they will be retired or destroyed in accordance with published records schedules for CMS, as approved by the National Archives and Records Administration (NARA). The CMS Records Schedule notes that inactive HIOS records should be transferred to inactive storage after one year and destroyed after 7 years, unless necessary in the investigation of fraud or overutilization of services. If needed for those scenarios the records are retained until the resolution of the investigation. General Records Schedule (GRS) 3.2. Item 010, Disposition Authority: DAA-GRS-2013-0006-0001. Destroy after 7 years after system is superseded by a new iteration or when no longer needed for agency/IT administrative purposes to ensure a continuity of security controls throughout the life of the system. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | PII is secured in the system using administrative, technical, and physical controls, in accordance with policies and regulations detailed in the CMS Information Security Acceptable Risk Safeguards- Minimum Security Requirements (ARS). Administrative controls include role-based permissions to access HIOS modules, request and authentication through the CMS IDM system, and periodic review of users and deletion of non-active accounts. Technical controls include access is allowable through one of 3 internet gateways: limitation on the number of concurrent sessions two concurrent sessions, inactivity timeout, multi-factor authentication and intrusion detection and prevention software. Physical controls include video monitoring of the data center where the system resides; controlled heating, air conditioning, smoke, and fire suppression systems; and restricted access with fencing and security guards. |