Innovation Center

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 10/3/2024

PIA Information for the Innovation Center
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-9875844-525622

Name:

Innovation Center

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

5/17/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

PIA Validation. Changes since the last PIA renewal have been minimal and at the code level only.

Describe the purpose of the system

The purpose of the Innovation Center (IHP) is to provide a common access point to the various Centers for Medicare & Medicaid Innovation (CMMI) applications to which users have been granted access. Users access the application via a secured connection. These integrated CMMI applications have their own Privacy Impact Assessment (PIA).

IHP also provides users the ability to request access and roles for CMMI applications. IHP provides a tab to a CMMI-specific access request page, which lists the various CMMI applications that have been integrated with IHP. Based on the application selected, the roles that can be requested under that application are listed. Users are able to request only one role per application.

IHP works in conjunction with the Centers for Medicare & Medicaid Services' (CMS) enterprise identity management (IDM) system.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

IHP uses user information to map users to specific roles within the application. IHP retrieves general user information from CMS's enterprise identity management system, then collects and stores the following information from users: First Name, Last Name, User ID, Enterprise User Administration (EUA) ID, email address, user IHP role, user contact phone numbers, Model Participant Identifiers, and business address.

IHP utilizes user IDs and passwords, and these login credentials are used to grant access to the system. Users of IHP are the system administrators, CMMI users, and direct contractors. The login credentials (user ID) used to access IHP are provided to users by the CMS identity management system, which has its own PIA. IHP does not collect, maintain, or share login credentials.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

IHP is a web application that is accessible to users authenticated by CMS's enterprise identity management system and is available to users authorized as CMMI users. The IHP web application is the common access point to the various CMMI applications to which users have been granted access. IHP provides a tab to a CMMI-specific access request page that lists the CMMI applications that have been integrated with IHP. Based on the application selected, the various roles that can be requested under that application are listed. Users are not able to request multiple roles for the same application.

IHP collects and stores the following information: First Name, Last Name, User ID, EUA ID, email address, user IHP roles, user contact phone numbers, Model Participant Identifiers, and business address.

Login credentials are provided by CMS's identity management system, which has its own PIA, and are used to grant access to the system. Users of IHP are the system administrators, Model Application Users, and direct contractors.

Administrators and CMMI users retrieve Personally Identifiable Information (PII) of individuals to support Operations and Maintenance (O&M) activities related to access request approvals and rejections. Authorized users retrieve records using First Name, Last Name, and email address.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name
  • E-Mail Address
  • Phone Numbers
  • Other - User ID, EUA ID, user IHP role, user contact phone numbers, Model Participant Identifiers, and Business Address

Indicate the categories of individuals about whom PII is collected, maintained or shared.

Employees

How many individuals' PII is in the system?

10,000-49,999

For what primary purpose is the PII used?

The primary purpose of the system is to collect and maintain individually identifiable information to assign, control, track, and report authorized access to and use of CMMI computerized information and resources, for those individuals who apply for and are granted access across multiple CMMI systems and business contexts.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

None

Describe the function of the SSN.

Not Applicable

Cite the legal authority to use the SSN.

Not Applicable

Identify legal authorities governing information use and disclosure specific to the system and program.

Affordable Care Act (ACA) Section 3021

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Individuals Authorized Access to CMS Computer Services (IACS) System, SORN 09-70-0538

Health Insurance Exchanges (HIX) Program, SORN 09-70-0560

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

 

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

 

Identify the OMB information collection approval number and expiration date

N/A

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Not applicable, as IHP does not collect PII or Protected Health Information (PHI) directly from individuals.

The information that is submitted to IHP is sourced from CMS IDM. Responsibility for user notification resides with IDM, which is covered by its own PIA.

IHP end users are provided with Terms and Conditions during the CMS IDM account registration process, which include Consent to Monitoring, Protecting Your Privacy, and Consent to Collection of PII. Users will be emailed at the email address provided during registration if there are any changes to the Terms and Conditions.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The Innovation Center is not the source system.

The information that is submitted to IHP is sourced from the CMS IDM system. It is IDM's duty to provide individuals with an option to opt out, which is covered by its own PIA.

The provision of PII is "voluntary" as that term is used by the Privacy Act. Individuals may opt out of providing their PII; however, this information is used to determine whether access to a requested application is necessary and/or useful and, if so, the information is used to determine what role is required for the individual to perform the necessary actions. If an individual opts not to provide PII, their request for access to specific applications will be denied.

IHP system users, who are CMS employees and direct contractors, must provide PII in order for system administrators to authenticate their identity and provide them with access to IHP.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

When major changes to the system occur that involve changes in disclosure and/or data uses since the time of collection, the process to notify and obtain consent from the individuals whose PII is in the system is to provide an updated online privacy notice that is presented to users upon logging into the site.

Changes involving uses and disclosures of authentication information are also not expected to occur. In the event of such changes, employees will be notified by notices on the CMS intranet; newsletters; updates to the relevant systems of records notices; e-mails to affected individuals; and through supervisors and system owners.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

If an individual has concerns that their PII has been inappropriately obtained, used, or disclosed or that the PII is inaccurate, the following procedures should take place:

The user should cease what they are doing and notify their application Help Desk.

The application Help Desk will open a ticket and escalate the ticket to the IHP Help Desk, who will then notify IT Management and the security team.

The security team will investigate the event to determine if it is reportable.

If reportable, security will notify the CMS Help Desk within 1 hour of the incident occurring. (If the event is not reportable, security will notify the IHP Help Desk to close the ticket.)

The CMS Help Desk Representative will serve as the CMS First Respondent in documenting and assessing the incident to ensure that the incident has been contained.

The incident will be escalated and routed to the appropriate CMS group per CMS Incident Response Policy to determine the severity and course of action for mitigation.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

IHP uses only the minimum PII elements that are necessary for supporting access to each of the CMMI models accessed through IHP. These elements are evaluated for accuracy, integrity, and relevancy on an initial and annual basis to ensure PII continues to be necessary to accomplish the model's scope. Access to this data is kept secure on the application and is only accessible by internal system users, administrators, maintainers, and direct contractors.

The information that is submitted to IHP is sourced from CMS IDM. Responsibility for evaluating PII accuracy, integrity, and relevancy resides at the point of information collection from the individual.

The Innovation Center periodically reviews the IHP Application Summary and Privileged User Reports. The User Access Report contains a record of all successful access to the Innovation Center application, the time of access, and the privilege of the user at the time of access. The Application Summary Report captures application and application user information to ensure that users do not have elevated privileges. User accounts are terminated when the user is no longer employed on the IHP contract. Log files are also reviewed for configuration changes, errors, and anomalies to ensure the system's confidentiality, integrity, and availability.

Data availability and integrity are protected by security controls selected as appropriate. IHP follows the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards and National Institute of Standards and Technology (NIST) documents, such as its Special Publications, to select controls appropriate to the level of risk of the system, determined using NIST's Federal Information Processing Standard 199.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Approve or reject requests of administrator accounts.

  • Administrators: As administrators assign roles to users, they may be exposed to the user's PII to link access rights to a specific user's name.

  • Contractors: Direct Contractors who act in the role of administrators may be exposed to the user's PII to link access rights to a specific user's name.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Roles of users are clearly delineated in the Innovation Center Operations and Maintenance Manual. The manual provides procedures for assigning roles to users, which are based on the principle of least privilege and "need-to-know" or "need-to-access" for the specific information required to fulfill their job duties.

System Administrators review user accounts at least bi-monthly. Any anomalies are addressed and resolved by contacting the user, or by removing their access if it is no longer required. Activities of all users are logged and reviewed by the system administrator and the IHP support team to identify abnormal activities; if any are found, they are reported to the business owner and the Information System Security Officer (ISSO).

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The system enforces role-based access based on a least-privilege model to protect data from unauthorized personnel. The application controls data access such that an organizational user is restricted to accessing only the data pertaining to their organization.

Identify the training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All CMS employees and direct contractors are required to complete mandatory security and privacy awareness training prior to gaining access to the CMS network. Each year thereafter, the user must recertify. If they fail to complete the recertification training, the user's access will be terminated. CMS also requires users, on an annual basis, to complete Role-Based Training and Health and Human Services (HHS) Records and Retention Training.

Describe training system users receive (above and beyond general security and privacy awareness training)

Not applicable.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The application adheres to data retention and destruction policies and procedures that follow National Archives and Records Administration (NARA) guidelines for data retention and NIST guidelines for data destruction. More specifically, IHP adheres to the following NARA General Records Schedule item:

DAA-GRS-2013-0006-0003: Destroy 1 year(s) after user account is terminated or password is altered, or when no longer needed for investigative or security purposes, whichever is appropriate.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

To secure PII, IHP follows, and the direct contractor is bound by contract to follow, the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards, which are aligned with HHS policies and NIST requirements.

IHP PII is secured with security controls as required by the CMS Security Program.

Administrative: The Innovation Center uses the principle of least privilege as well as role-based access control to ensure that system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. Users must receive manager approval to gain access to the system.

Technical: The Innovation Center is secured behind a firewall and through application security. Technical security controls include, but are not limited to, user accounts, passwords, and access limitation.

Physical: The data center site is secured with locked rooms and guards.