Healthcare Integrated General Ledger Accounting System
Date signed: 2/18/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-4351765-042664 |
| Name: | Healthcare Integrated General Ledger Accounting System |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 2/10/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | Not applicable. |
| Describe the purpose of the system | The Healthcare Integrated General Ledger Accounting System (HIGLAS) is a federal financial system used by the Centers for Medicare & Medicaid Services (CMS) to support legislative mandates, including the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA). HIGLAS supports CMS's processing of Medicare and Medicaid data (Part A, Part B, Children's Health Insurance Program [CHIP], Durable Medical Equipment [DME], Railroad Retirement Board [RRB]), Center for Consumer Information and Insurance Oversight (CCIIO) Insurance Exchange data, and Administrative Program Accounting (APA) data. HIGLAS is the CMS system of record for financial transactions and financial reporting. The Consolidated Budget System (CBS) is a component of HIGLAS that provides a fully integrated budget formulation and execution business system. CBS supports CMS's ability to produce agency-wide budget deliverables by automating many of the manual business processes inherent in budget development. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The Healthcare Integrated General Ledger Accounting System (HIGLAS) uses Health Insurance Claim (HIC) numbers, Social Security Numbers (SSN), Employer Identification Numbers (EIN), Taxpayer Identification Numbers (TIN), financial account information, names, dates of birth (DOB), mailing addresses, e-mail addresses, and phone numbers to verify individual payees' payments, bank accounts, and routing numbers for the purpose of processing and paying claims. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Healthcare Integrated General Ledger Accounting System (HIGLAS) is a uniform, integrated accounting system used to process Medicare, Medicaid, Children's Health Insurance Program (CHIP), and Affordable Care Act payments. The HIGLAS Medicare Administrative Contractors (MACs) use Health Insurance Claim (HIC) numbers, Social Security Numbers (SSN), Employer Identification Numbers (EIN), Taxpayer Identification Numbers (TIN), financial account information, names, dates of birth (DOB), mailing addresses, e-mail addresses, and phone numbers to verify individual payees' payments, bank accounts, and routing numbers for the purpose of timely processing and payment of claims. Personally Identifiable Information (PII) is shared with and used by the Internal Revenue Service (IRS) for taxes and claims payments; the Department of the Treasury for debt collection and claims payments; and the Social Security Administration (SSA) for SSN and name validation. These entities have their own PIAs. Information is retained in accordance with the applicable National Archives and Records Administration (NARA) records retention schedules. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. | Name, date of birth (DOB), Social Security Number (SSN), Health Insurance Claim (HIC) number, Employer Identification Number (EIN), Taxpayer Identification Number (TIN), financial account information, mailing address, e-mail address, and phone number (as described above). |
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
| How many individuals' PII in the system? | 1,000,000 or more |
| For what primary purpose is the PII used? | PII is used to verify payees and provide accurate, timely payments for employee payroll, travel expenses, and claims. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | PII is not used for any secondary purposes. |
| Describe the function of the SSN. | The SSN is used to process CMS employee payroll, travel payments, Medicare/Medicaid/Children's Health Insurance Program (CHIP) claims payments, taxes, debt collection, and Social Security Administration (SSA) processing. |
| Cite the legal authority to use the SSN. | Budget and Accounting Act of 1950 (Pub. L. 81-784); Debt Collection Act of 1982 (Pub. L. 97-365); Debt Collection Improvement Act of 1996 (Pub. L. 104-134, sec. 31001); E.O. 9397. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Budget and Accounting Act of 1950 (Pub. L. 81-784); Debt Collection Act of 1982 (Pub. L. 97-365); Debt Collection Improvement Act of 1996 (Pub. L. 104-134, sec. 31001); E.O. 9397; 5 U.S.C. Section 301, Departmental Regulations. |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-90-0024, Unified Financial Management System (UFMS) |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
| Identify the sources of PII in the system: Government Sources | |
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | No OMB collection approval is needed. PII is not collected directly from the individuals to whom the information pertains, so an OMB approval is not applicable. |
| Is the PII shared with other organizations? | Yes |
| Identify with whom the PII is shared or disclosed and for what purpose. | Internal Revenue Service (IRS): taxes and claims payments. Department of the Treasury: debt collection and claims payments. Social Security Administration (SSA): SSN and name validation. These entities are covered by their own PIAs. |
| Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | Interconnection Security Agreements (ISAs) and Memoranda of Understanding (MOUs) with the Department of the Treasury Fiscal Service, the Internal Revenue Service, and the Social Security Administration are agreed to and signed by both parties. The ISA outlines the security measures in place to protect the confidentiality, integrity, and availability of the information being shared. The MOU outlines the business justification for sharing the information and how each party will use it. |
| Describe the procedures for accounting for disclosures | The CMS direct contractor and CMS employees shall report the date and time when events occurred or were discovered; the name of the system, program, or network affected by the incident; and an impact analysis. All confirmed security incidents and events shall be reported to the CMS IT Service Desk in accordance with the procedures set forth in the CMS Information Security Incident Handling and Breach Analysis/Notification Procedures. |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | HIGLAS does not collect PII directly from individuals. The collecting agencies and information systems (listed below) that directly collect the PII sent to HIGLAS are responsible for informing individuals about the use of their PII. Those systems are covered by their own PIAs: Department of the Treasury, Social Security Administration (SSA), Internal Revenue Service (IRS), Department of Health & Human Services (HHS), National Institutes of Health (NIH), CMS Automated Plan Payment Systems (APPS), CMS Benefits Coordination & Recovery System (BCRC), CMS Direct Billing System, Fiscal Intermediary Shared System (FISS), Marketplace Data Exchange, Medicaid & Children's Health Insurance Program Budget Expenditure System, Multi-Carrier System, Quality Improvement and Evaluation System, ViPS Medicare Shared System, CMS Component, CMS Concur Government Edition (CGE), Medicare Secondary Payer Systems Contractor - Major Application. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | HIGLAS does not offer an opt-out option. Opt-out is the responsibility of the agencies and information systems (listed below) that directly collect the PII sent to HIGLAS. Those systems are covered by their own PIAs: Department of the Treasury, Social Security Administration (SSA), Internal Revenue Service (IRS), Department of Health & Human Services (HHS), National Institutes of Health (NIH), CMS Automated Plan Payment Systems (APPS), CMS Benefits Coordination & Recovery System (BCRC), CMS Direct Billing System, Fiscal Intermediary Shared System (FISS), Marketplace Data Exchange, Medicaid & Children's Health Insurance Program Budget Expenditure System, Multi-Carrier System, Quality Improvement and Evaluation System, ViPS Medicare Shared System, CMS Component, CMS Concur Government Edition (CGE), Medicare Secondary Payer Systems Contractor - Major Application. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | HIGLAS does not have a mechanism for individuals to provide consent. Notifying and obtaining consent from individuals whose PII is in the system is the responsibility of the agencies and information systems (listed below) that directly collect the information sent to HIGLAS. Those systems are covered by their own PIAs: Department of the Treasury, Social Security Administration (SSA), Internal Revenue Service (IRS), Department of Health & Human Services (HHS), National Institutes of Health (NIH), CMS Automated Plan Payment Systems (APPS), CMS Benefits Coordination & Recovery System (BCRC), CMS Direct Billing System, Fiscal Intermediary Shared System (FISS), Marketplace Data Exchange, Medicaid & Children's Health Insurance Program Budget Expenditure System, Multi-Carrier System, Quality Improvement and Evaluation System, ViPS Medicare Shared System, CMS Component, CMS Concur Government Edition (CGE), Medicare Secondary Payer Systems Contractor - Major Application. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Any suspected or confirmed loss of PII is reported to the CMS Help Desk and Incident Response Teams, in accordance with federal and agency requirements and policies, within 60 minutes of identification. The CMS Privacy Office is responsible for addressing individuals' concerns and provides breach notification as needed and without unreasonable delay, in coordination with HHS and with the individuals affected by the breach. The notification includes the source of the breach, a brief description of the breach, the date it was discovered, and the type of PII involved. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | HIGLAS does not collect PII directly from individuals. Within HIGLAS, strict configuration management and data integrity checks support monitoring of changes to the system's data. All changes to the data are logged to support audit review. Role-based access is strictly enforced, and all transactions against the database are audited daily to ensure that Segregation of Duties (SOD) constraints are applied accurately to all HIGLAS job functions, so that only authorized personnel can modify HIGLAS data. |
| Identify who will have access to the PII in the system and the reason why they require access. | |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Role-based access controls within the application are used to identify users and grant the required access as authorized. The HIGLAS Access Control Procedures, HIGLAS Separation of Duties (SOD) Rules, and HIGLAS Role-Based Access Control (RBAC) Procedure govern the granting of user access to the system. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Role-based access controls within the application are used to identify users and grant only the access required as authorized. Job functions are mapped to standard roles and responsibilities established on a least-privilege basis. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Security awareness training is conducted when new hires join the team and on an annual basis thereafter, to ensure system users are aware of the security requirements and remain in compliance. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Role-based security training is conducted on a regular basis to ensure system users are aware of the security requirements that apply to their day-to-day job activities. Users also complete the Department of Health and Human Services (HHS) Privacy Awareness Training annually. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Per the CMS Records Disposition Manual: Bucket 1, Leadership and Operations Records, Disposition Authority DAA-0440-2015-0001-0001, transfer to the National Archives 15 years after cutoff. Bucket 3, Financial Program Records, Disposition Authority DAA-0440-2015-0004-0001, destroy no sooner than seven (7) years after cutoff. Bucket 5, Beneficiary Records, Disposition Authority DM-0440-2015-0007-0001, destroy no sooner than 10 years after cutoff. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Access requests must be approved by the user's manager before access to the system is granted. Users who no longer require access to the system are removed promptly. Technical controls providing IT security services to this system include access control with a deny-by-default implementation, multi-layer firewall architectures, passwords and two-factor authentication, least-privilege assignment of user access rights with a proven need to know as the approval criterion, and complete auditability of all sensitive transactions with individual accountability. Physical controls include perimeter fencing, Closed Circuit TV (CCTV) monitoring, armed security guard patrols, raised caged floors, required security clearances, and restricted access to the server room. |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services