Inquiry Management System
Date signed: 6/27/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-9689259-660596 |
| Name: | Inquiry Management System |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Agency |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 3/1/2024 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | There are no system changes |
| Describe the purpose of the system | The Inquiry Management System (IMS) utilizes Salesforce Service Cloud's out-of-the-box workflow rules or Process Builder to automate the workflow steps, namely Intake, Triage, Addressing the Inquiry, and Reporting. Additional tasks include utilizing role-based access to implement the Case Coordinator, Subject Matter Expert (SME), Reviewer, and Business Administrator roles in the application. IMS is available on multiple browsers, including Microsoft® Internet Explorer® 11 on the Windows platform and Apple® Safari® version 12.x on macOS; the most recent stable versions of Microsoft Edge, Mozilla® Firefox®, and Google Chrome™ are also supported. The Salesforce email-to-case functionality shall be utilized to create a case when emails are sent to the following Outlook mailboxes: Riskadjustmentoperations@cms.hhs.gov. Case numbers are text/numeric/alphanumeric, with the option of being auto-generated by Salesforce. Users are able to complete fields using various methods such as text fields, date fields, check boxes and dropdown menus. SMEs and reviewers have the ability to upload supporting documents in multiple formats to support various case management tasks. IMS sends notifications and reminders if tasks are delayed or left uncompleted for any reason. Users log in to view requests, including processing times. The system sends timely reminders and alerts to SMEs or reviewers using Salesforce workflows and email alerts to decrease processing times. The IMS application utilizes services provided by Salesforce as a Platform as a Service (PaaS) that includes all requirements to develop and deploy an IT solution within the cloud, including infrastructure, development, coding/software, and network security. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | IMS collects and stores: IMS does not retrieve any data using PII elements. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | In 1997, the Balanced Budget Act, Public Law 105-33, established the Medicare + Choice program (later renamed the Medicare Advantage (MA) Program), which authorizes the Centers for Medicare and Medicaid Services (CMS) to enter into contracts with a variety of different managed care entities to provide and underwrite Medicare benefits on a risk basis. Over the past several years, the MA program has seen dramatic growth. Today, more than 23 million individuals, representing about 35% of Medicare beneficiaries, are enrolled in the MA program. The entities providing original Medicare benefits (and often Medicare Part D prescription drug benefits, too) under the MA program are referred to as Medicare Advantage Organizations (MAOs). The Medicare Plan Payment Group (MPPG) is responsible for calculating and making monthly capitated payments to MAOs for the provision of medical services and items to Medicare beneficiaries under Part C, as well as payments for the Medicare prescription drug benefit under Part D. MPPG regularly receives inquiries from MAOs and other entities. The Inquiry Management System (IMS), which is developed, operated and maintained by Radiant Infotech (CMS contractor) and utilizes the Salesforce Service Cloud, enhances the current inquiry management process by modernizing the workflow and tracking inquiries throughout the life of the inquiry, resulting in timely resolution of all inquiries. IMS provides the following: an efficient workflow for the mailbox management process, including receiving new inquiries automatically through the Outlook mailboxes, automatically assigning the responsible party, notifying the responsible party, and sending responses back to inquirers; increased transparency by storing responses and providing users the ability to look at inquiries based upon similar topics and by historical inquiries received from inquirers; and improved reporting, including reports identifying time to resolve cases, time spent on certain tasks within the workflow, aging, inquiries by user, status or category, user activity reports, etc. MAO staff do not access, log into or use the IMS. MAO staff can only initiate cases by sending an email inquiry to select MPPG mailboxes, as described in section PIA-011. The IMS may store and collect the following information for MAO staff: e-mail address, first name, last name, phone number, organization name, and organization address. The IMS is used by CMS employees, as well as by vendors/suppliers/contractors, to process these inquiries. These IMS users log into the system using their EUA credentials, which are stored in the CMS EUA system and Okta. The IMS does not store or collect user login credentials (such as EUA password, MFA preference, MFA tokens, etc.). The IMS stores only the following for these user categories: EUA ID, e-mail address, first name, last name, phone number, organization name, and organization address. IMS does not retrieve any data using PII elements. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. | |
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
| How many individuals' PII in the system? | <100 |
| For what primary purpose is the PII used? | IMS uses an inquirer’s email to communicate with them and respond to their inquiries. First name, last name, and email are also used by the system to provision with Single Sign-On with Salesforce Enterprise Integration (SEI) system (another CMS system) which is covered by its own PIA. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There is no secondary use of PII. |
| Describe the function of the SSN. | We do not collect or ask for Social Security Number. However, this information is contained in the email body that is stored by the IMS. |
| Cite the legal authority to use the SSN. | E.O. 9397 |
| Identify legal authorities governing information use and disclosure specific to the system and program. | IMS is a CMS owned system and any governing information use and disclosure can reference 5 USC 301, Departmental Regulations. |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
| Identify the sources of PII in the system: Government Sources | |
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | N/A |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Information is provided voluntarily by the MAO staff member/representative when they submit an inquiry via email to the Risk Adjustment Operations and Risk Adjustment Policy CMS resource mailboxes in order to receive a response to their inquiry. This includes their first name, last name and email address; in some cases their email signatures might contain company name, address, and phone number. We do not collect or ask for Social Security Number or Date of Birth. This information is contained in the email body that is stored by the IMS. Due to the nature for which the information is provided, we will not be providing a disclaimer/disclosure on the inquiry responses sent from the MPPG IMS. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The inquirer's PII (first name, last name and email address) is required by the CMS Risk Adjustment Operations (RAO) and Risk Adjustment Policy (RAP) mailboxes to address and respond to their inquiries. IMS does not use this information for any purpose other than communicating with inquirers. Sometimes, an email from an inquirer might contain their business address and phone number as part of the email signature. Again, CMS and IMS do not use this information for any purpose other than official communication. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The IMS application does not disclose or use PII collected from the individuals as part of the inquiry management workflow. IMS application users communicate on a one-to-one basis with inquirers whose PII might be stored in the system. If and when major changes happen that require consent/notification to individuals, CMS or Radiant Infotech project management will email or call them. Additionally, the Onboarding Form will be updated to reflect the disclosure changes, if applicable. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | IMS is obligated to report known or suspected security or privacy incidents involving CMS information or information systems immediately to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963, or via e-mail to CMS_IT_Service_Desk@cms.hhs.gov. We will also report to the CMS ISSO and IMS Business Owner via CMS email and phone call to communicate concerns and/or resolution related to PII issues. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Radiant Infotech, the IMS development and maintenance contractor, will conduct periodic training of staff to ensure proper handling of PII and its relevancy. To ensure the integrity and accuracy of the PII data that IMS collects, we do not allow application users to edit (add or delete) any PII data. The IMS system audits and tracks any data changes to ensure that there is no misuse of data. IMS is built on the Salesforce Service Cloud platform, which guarantees high availability. |
| Identify who will have access to the PII in the system and the reason why they require access. | |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The System Administrator's job responsibility includes the ability to create, assign, and remove access to the IMS modules. No other users have this job responsibility, and the System Administrator is solely responsible for managing user access. MPPG-IMS employs the concept of least privilege for Administrator-specific duties and information systems in accordance with risk assessments to mitigate risk to CMS operations, assets, and individuals. The application uses Role Based Access Control (RBAC) to perform system security administration such as account maintenance, security log review, and applying access controls and permissions. Administrators have access to the bare minimum of PII needed to do their jobs of creating and removing user access in the system. For the security model, we adopt a least-privilege approach. Using access request tools, we only grant a user access to the data that is needed to perform day-to-day jobs. If elevated access is required temporarily for troubleshooting purposes, etc., we audit the user's actions and promptly remove the elevated access once the assigned task is complete. CMS users and direct contractors will have access to the system to perform their daily tasks. We are calling them direct contractors because they use HHS credentials (EUA ID) to access the system. The System Administrator will assign the IMS roles that these users will have based on the role authorization matrix provided by CMS Management. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Role Based Access Control (RBAC) will be implemented and enforced for all IMS users. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All Radiant Infotech staff supporting the MPPG-IMS contract sign Non-Disclosure Agreements (NDAs) as part of employment and agree to protect the "confidential information/records" and must only use this information for purpose of performing official Contract duties. Details in the NDA can be provided upon request. All Radiant Infotech staff abide by CMS privacy training. This includes the cyber security awareness and training provided by the CMS Chief Information Security Officer (CISO) on an annual basis. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | The Radiant Infotech staff are considered Direct Contractors and currently receive and follow the CMS mandated security and privacy training required as part of receiving a CMS EUA and PIV card. This includes the cyber security awareness and training provided by the CMS CISO on an annual basis. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | IMS follows CMS guidelines, standards and procedures with regard to retention and destruction of PII as it pertains to Administrative Management. For reference, the MPPG-IMS system falls into Bucket 2, Administrative Management, of the CMS Records Schedule DAA-0440-2015-0002. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | IMS is secured by CMS' IDM/Okta Single Sign-On (SSO) infrastructure. As a result, all application users, including the System Administrator, will be required to establish their identity by providing an EUA ID, EUA password and a temporary access token (also called a Multi-Factor Authentication or MFA token) to gain access to the MPPG-IMS application. Administrative controls include user training, system documentation that advises on proper user implementation of need-to-know and minimum-necessary principles when awarding access, and others. Technical controls, which are inherited through the Salesforce Federal Risk and Authorization Management Program (FedRAMP) certification, include firewalls, network monitoring and intrusion detection. Physical controls include all system servers being protected by guards, locked facility doors, and climate controls. |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services