
HEDIS Patient Data

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 12/27/2023

PIA Information on HEDIS Patient Data
PIA Questions and PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-5810589-853732
Name: HEDIS Patient Data
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? Yes
Identify the operator: Contractor
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 12/6/2023
Indicate the following reason(s) for updating this PIA. Choose from the following options. PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA. All communications from the HEDIS PLD application are now routed through a CMS SMTP relay.
Describe the purpose of the system

The purpose of the system is to oversee the annual data collection and management of the Healthcare Effectiveness Data and Information Set (HEDIS®) Patient Level Detail (PLD) Data Collection for Medicare Advantage (MA) organizations for the Centers for Medicare & Medicaid Services (CMS). The HEDIS PLD data are used in the CMS MA Star Ratings and the MA Quality Bonus Payments program. The HEDIS PLD is a tool used by more than 90 percent of America's health plans to measure performance on important dimensions of care and service. Because so many plans collect HEDIS data, and because the measures are so specifically defined, HEDIS makes it possible to compare the performance of health plans on an "apples-to-apples" basis. Health plans also use HEDIS results themselves to see where they need to focus their improvement efforts.

To compare health plan performance, data based on HEDIS measures is submitted by MA Plans as text files; this data is then validated and, if valid, stored by an automated service. MA Plans are then notified whether their files were accepted or rejected.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) Patient-Level Detail Data: The HEDIS PLD system collects and stores Patient-Level Detail Data from the MA Plans. The system shares an extract of all successful submissions with research organizations that have a CMS-approved Data Use Agreement (DUA) for data research purposes.
The HEDIS PLD system collects and stores the following information:
Patient-Level Detail Data:
  • Medicare Beneficiary Identifier (MBI)
  • Last Name
  • First Name
  • City
  • State
  • Zip Code
  • Sex
  • Birth Date
  • Plan ID Number
  • Special Needs Plan (SNP) Enrollee Type
  • Member Months
  • Other information for each HEDIS quality measure assessing the effectiveness of care and access/availability of services.

MA Submission List: The system collects and stores participating MA Plan information. This information is received from the National Committee for Quality Assurance (NCQA) and identifies which plans are required to participate in the upcoming submission.
MA Submission List:
  • CMS_CONTRACT_NUMBER
  • ORG_NAME
  • FIRST_NAME
  • LAST_NAME
  • LAST_NAME_SUFFIX
  • TITLE
  • PHONE_NUMBER
  • PHONE_NUMBER_EXT
  • FAX_NUMBER
  • EMAIL_ADDR
  • ROLE
  • EMAIL
  • ERROR_LOG
  • REGION
  • ORG_TYPE
  • PLAN_TYPE
  • ENROLLMENT_SIZE
  • VOLUNTEER
  • Special Needs Plan (SNP)_ENROLLEE
  • PLD_1
  • PLD_2
  • NCQA_SUBMISSION_ID

Submission Documentation: The system creates and stores submission documents in the approved format and shares them with the participating MA Plans.
In addition, the HEDIS PLD system stores information related to the health data submitted by the MA Plans as part of the submission process, the file-validation logs, and access logs. The following files contain the entirety of the information collected, validated, stored, and shared. The HEDIS Patient Data system may also store information pertaining to the internal operations of a network or computer system, including network and device addresses; system and protocol addressing schemes implemented at an agency; and network management information protocols, community strings, or network information packets.
Note: The entire database is archived after the submission window is closed for the year. The HEDIS PLD system also stores the documents from previous years' submission processes on the website.
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The HEDIS PLD application consists of the following general components, which support the collection of performance measures:
1. File-Watcher is a software component for polling, validating, and storing provider-submitted data. The File-Watcher shall run as a polling service, detecting files as they arrive and queueing them for processing. Files shall be processed on a first-come, first-served basis. International Business Machines (IBM) Connect:Direct is a file server established to house provider-submitted data files. The Scope Infotech team administers this server and coordinates with the CMS Electronic File Transfer (EFT) to establish firewall rules before the submission begins. The file server will be a secure server for receiving provider-submitted data files from CMS EFT transmissions. The files will be staged in a designated directory until detected and processed by the File-Watcher polling program.

2. The Database is available for saving provider-submitted data. The following components explain the system workflow:

CMS EFT, which moves provider-submitted data files from CMS infrastructure to a designated server running IBM Connect:Direct software.

The HEDIS Patient Level Data Web-Portal, which displays processed file results.

The results of the file processing are stored on a CMS Microsoft Azure Government SQL Server as a service.

3. Web-Portal is a web-based application that is designed to disseminate, at minimum, HEDIS patient-level data submission information, processed file status, and processed file error reports.

4. Service-Desk is an application that is designed to collect and process Technical Assistance Requests received from MA Contracts, their third-party vendors, and other program participants. The Service-Desk application includes establishing and maintaining name and contact information for each HEDIS PLD POC, including the Medicare contracts for which the POC is responsible. It also provides ad-hoc reports to CMS, who view and download submission reports.

5. The Simple Mail Transfer Protocol (SMTP) Relay sends emails to the MA Plans to keep them informed of the status of their submitted HEDIS PLD files. All communications from the HEDIS PLD application are routed through an SMTP relay via the CMS email server.

Submission Documentation:
The system creates and shares content such as documents and resources, and frequently asked questions (FAQs) which are referenced by the MA Plans during the submission process.
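The File-Watcher flow described above (poll a staging directory, queue arrivals first-come first-served, validate each file, and record an accepted/rejected result for the status email) as an added Python example; this is not the HEDIS PLD system's own code. The pipe-delimited layout, the column names derived from the PLD field list, and the sample file names are assumptions, since the page does not give the submission file format.

```python
import os
import tempfile
from pathlib import Path

# Header the validator expects. The field names follow the PLD list above;
# the pipe-delimited layout and exact column names are assumptions.
REQUIRED_FIELDS = [
    "MBI", "LAST_NAME", "FIRST_NAME", "CITY", "STATE", "ZIP_CODE", "SEX",
    "BIRTH_DATE", "PLAN_ID", "SNP_ENROLLEE_TYPE", "MEMBER_MONTHS",
]

def validate(path: Path) -> tuple[bool, str]:
    """Return (accepted, reason) for one submitted text file."""
    with path.open("r", encoding="utf-8", newline="") as fh:
        lines = [ln.rstrip("\r\n") for ln in fh if ln.strip()]
    if not lines:
        return False, "empty file"
    header = lines[0].split("|")
    missing = [f for f in REQUIRED_FIELDS if f not in header]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    for n, ln in enumerate(lines[1:], start=2):
        if len(ln.split("|")) != len(header):
            return False, f"line {n}: expected {len(header)} fields"
    return True, "ok"

def pending_files(staging: Path) -> list[Path]:
    """Unprocessed .txt files, oldest first (first-come, first-served)."""
    files = [p for p in staging.iterdir() if p.is_file() and p.suffix == ".txt"]
    return sorted(files, key=lambda p: (p.stat().st_mtime, p.name))

def poll_once(staging: Path, processed: Path) -> dict[str, tuple[bool, str]]:
    """One polling pass: validate each queued file, then move it out of
    staging so the next pass does not pick it up again."""
    processed.mkdir(parents=True, exist_ok=True)
    results = {}
    for f in pending_files(staging):
        results[f.name] = validate(f)   # (accepted, reason) for the status email
        f.rename(processed / f.name)
    return results

def demo() -> dict[str, tuple[bool, str]]:
    """Constructed sample: one well-formed file and one with a short header."""
    root = Path(tempfile.mkdtemp())
    staging = root / "staging"
    staging.mkdir()
    good = staging / "plan_a.txt"
    good.write_text("|".join(REQUIRED_FIELDS) + "\n"
                    + "|".join(["x"] * len(REQUIRED_FIELDS)) + "\n")
    bad = staging / "plan_b.txt"
    bad.write_text("MBI|LAST_NAME\n1|Doe\n")
    os.utime(good, (1_000, 1_000))   # arrived first
    os.utime(bad, (2_000, 2_000))    # arrived second
    return poll_once(staging, root / "processed")

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(name, "ACCEPTED" if ok else "REJECTED", reason)
```

A production service would call poll_once on a timer and record each result before moving the file, so a crash between validation and the move cannot lose a submission's status.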

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Other - Medicare Beneficiary Identifier (MBI), sex
Indicate the categories of individuals about whom PII is collected, maintained or shared. Other - MA Plan beneficiaries
How many individuals' PII in the system? 1,000,000 or more
For what primary purpose is the PII used? The purpose is to oversee the annual data collection and management of the HEDIS PLD for MA organizations for the CMS. The HEDIS PLD data are used in the CMS MA Star Ratings and the MA Quality Bonus Payments program.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research). The purpose is to oversee the sharing of the HEDIS PLD data with various approved external agencies with a CMS-approved DUA for the purposes of research.
Describe the function of the SSN. SSN is not collected.
Cite the legal authority to use the SSN. SSN is not collected.
Identify legal authorities governing information use and disclosure specific to the system and program. Authority is given under section 1875 of the Social Security Act (the Act) (42 U.S.C. 1395ll). Authority for maintenance and dissemination of Health Plan information is also given under the Balanced Budget Act of 1997 (Pub. L. 105–33). 42 CFR 422.503 and 42 CFR 422.504.
Are records on the system retrieved by one or more PII data elements? No
Identify the sources of PII in the system: Directly from an individual about whom the information pertains: Online
Identify the sources of PII in the system: Non-Government Sources: Other - National Committee for Quality Assurance (NCQA), MA Plan
Identify the OMB information collection approval number and expiration date

OMB Control Number: 0938-1028

Expiration Date: 07/31/2024

Is the PII shared with other organizations? Yes
Identify with whom the PII is shared or disclosed and for what purpose.
  • Other Federal Agency/Agencies: The HEDIS PLD data is not directly accessible by users of the system. The patient-level data is extracted into an export and is securely transmitted to external federal agencies and private research institutions with appropriate Data Use Agreements (DUAs) with CMS. Federal agencies include Veterans Affairs and the Chronic Conditions Warehouse (CCW).
  • Private Sector: The HEDIS PLD data is not directly accessible by users of the system. The patient-level data is extracted into an export and is securely transmitted to external federal agencies and private research institutions with appropriate Data Use Agreements (DUAs) with CMS.
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). Data Use Agreement. DUA Number: CONT-2016-50517. The DUA is for HEDIS data, and it expires 08/29/2025.
Describe the procedures for accounting for disclosures. Disclosures for data in HEDIS are accounted for through the Data Use Agreements.
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. Not applicable. The notice is the responsibility of the MA plans and the members' providers collecting the PII according to the guidelines of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
The HIPAA Privacy Rule permits a provider to disclose protected health information to a health plan for the quality-related health care operations of the health plan, provided that the health plan has or had a relationship with the individual who is the subject of the information, and the protected health information requested pertains to the relationship. See 45 CFR 164.506(c)(4). Thus, a provider may disclose protected identifiable health information to a health plan for the plan’s HEDIS purposes, so long as the period for which information is needed overlaps with the period for which the individual is or was enrolled as a member in the health plan.
Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. For the MA Plans to participate in the HEDIS PLD data submission and to use the HEDIS PLD Web-Portal, a user's PII must be provided. The MA Plan Users do not have the option to opt out of providing this information.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. The information is received from health plans, a covered entity, which is providing Protected Health Information (PHI) to CMS as part of its health care operations. We do not foresee any changes in the system in terms of disclosures and/or data uses, but if this were to occur, the health plans would need to directly contact their enrollees.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. Users of the system that access the HEDIS PLD web portal only have access to see their own first name and last name as part of their login. Helpdesk users accessing the Service Desk portal have access to see all users' full names, email addresses and phone numbers. No other PII, including HEDIS data of the member plans, is directly accessible to users of the web portal or Service Desk portal. If a user believes this information has been obtained, accessed or used in an inappropriate manner, they can contact the HEDIS PLD Help Desk at hedispld_helpdesk@cms.hhs.gov. The HEDIS PLD helpdesk will review the situation and consult with CMS and NCQA to resolve the situation as appropriate.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. The initial list of MA Plan users is provided by NCQA. Any changes to the MA Plan Users are approved by NCQA before the changes are implemented. Primary MA Plan users can reach out to the HEDIS PLD Service Desk users by email, phone or through the web-portal application and request to add secondary MA Plan users within their organization. When a user no longer requires access to the Web-Portal, the system administrator removes their access to the application.
Identify who will have access to the PII in the system and the reason why they require access.
  • Administrators: Users with the administrator role have access to the names, phone numbers and email addresses of the MA Plan users to support issues during the submission period and to add secondary Points of Contact (POCs).
  • Contractors: The contractors are direct CMS contractors and provide system operations, maintenance, and Help Desk support services for the application.
  • Others: MA Plan Primary and Secondary Points of Contact (POCs) who have access to the system can see their own first name and last name as part of their login.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. The MA Plan users will register in IDM for a user account and use the IDM credentials to log into the HEDIS PLD application. The Service Desk users will request the HEDIS PLD Service Desk (SD) job code in End User Authentication (EUA) and, upon approval, use their EUA credentials to log into the HEDIS PLD application. After successful authentication, the user information and role are verified against the HEDIS PLD database and appropriate role-based access is provided to the user. All roles are pre-determined and loaded into the system database at the beginning of the submission process.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. The HEDIS Patient Data system restricts access to PII depending on the role granted to the user. Users without the appropriate role cannot access the PII.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. The team completes the Information Security and Privacy Awareness Training, which includes computer-based training in their responsibility to protect sensitive information. This training is provided by CMS.
Describe training system users receive (above and beyond general security and privacy awareness training)

Annually, prior to the HEDIS PLD data submission, a Submission Instructions Document is uploaded to CMS.gov and the HEDIS PLD Web-Portal. This document provides detailed instructions to the user about the use of the application and data submission.


Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

General Records Schedule (GRS):
  • DAA-0440-2012-0009 / 0001
  • DAA-0440-2012-0013 / 0001
  • N1-440-09-06 / 2
  • N1-440-10-07 / 2/a
  • N1-440-10-07 / 2/b
  • N1-440-10-07 / 2/c
  • N1-440-10-07 / 2/d

Disposition Authority: DAA-0440-2015-0007-0001

Record Schedule Number: DAA-0440-2015-0007

The data retention process and guidelines will follow Records Management Schedule Bucket 5 - Beneficiary Records. The cutoff is at the end of the calendar year. The data will be retained for 10 years after cutoff.


Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The administrative controls in place to secure the PII include access control. User authentication is provided by CMS Okta Identity Management (IDM). The user will register in IDM for a user account and use the IDM credentials to log in to the HEDIS PLD application. The Service Desk users (privileged users) will request the HEDIS PLD SD job code in End User Authentication (EUA) and, upon approval, use their EUA credentials to log into the HEDIS PLD application. After successful authentication, the HEDIS PLD backend middleware performs role-based authorization to verify that the user exists in the database and has the appropriate access to the application. A POC list provided by NCQA will be imported into the database table and, while inserting the data, a role will be assigned to the MA contract's user at the beginning of the submission process. For the Service Desk users, an insert script will be created and executed on the database table, and a role will be assigned to the user while inserting into the database table.

Encryption: In transit - HEDIS PLD website uses a Secure Sockets Layer (SSL) certificate to encrypt all the data between the user and the website; At rest - Storage disks and Databases are encrypted by Microsoft Azure Government (MAG).

The technical controls in place are firewalls that prevent unauthorized access, encrypted access when users log into the application, and a tiered system architecture which means users can log into the application but not into any test environment. The testing and active applications are not joined together. 

The physical controls in place are addressed by MAG. The HEDIS PLD system is hosted in the MAG (Azure), US-East Region. The data center is in a facility in Northern Virginia.

The HEDIS PLD maintenance team accesses the HEDIS PLD system by CMS authentication and access controls by using security tokens and user credentials.

Identify the publicly-available URL: https://mapld.scopeinfotechinc.com
Does the website have a posted privacy notice? No
Is the privacy policy available in a machine-readable format? No
Does the website use web measurement and customization technology? Yes
Select the type of website measurement and customization technologies in use and whether they are used to collect PII. (Select all that apply)
  • Session Cookies - No
Does the website have any information or pages directed at children under the age of thirteen? No
Does the website contain links to non-federal government websites external to HHS? Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? No