Internet Quality Improvement and Evaluation System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 5/9/2022

PIA information for: Internet Quality Improvement and Evaluation System

OPDIV:

CMS

PIA Unique Identifier:

P-8015377-175958

Name:

Internet Quality Improvement and Evaluation System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

Yes

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

8/29/2022

Indicate the following reason(s) for updating this PIA. Choose from the following options.

  • PIA Validation (PIA Refresh/Annual Review)

  • Other - Removal of QSEP as it has been separated into its own FISMA system

Describe in further detail any changes to the system that have occurred since the last PIA.

None

Describe the purpose of the system

The Internet Quality Improvement and Evaluation System (iQIES) supports the Center for Clinical Standards and Quality (CCSQ) in its functions to coordinate the Centers for Medicare & Medicaid Services (CMS) quality programs and oversee survey, certification, and enforcement programs. iQIES supports CMS in its coordination of national Medicare program policies and operations. Business owners in these Centers determine what type of data iQIES collects.

iQIES supports the collection, analysis, and reporting of provider and beneficiary specific outcomes of care and performance data across a multitude of delivery websites for use in improving the quality of services provided by the Medicare and Medicaid programs.

iQIES consists of databases housed at CMS with direct access for CMS staff, state agency staff, providers and suppliers, approved accrediting organizations, and other approved users.

iQIES provides software for nursing homes, home health agencies, inpatient rehabilitation facilities, long term care hospitals and swing bed facilities to collect assessment data on residents/patients, submit it to CMS and generate reports in support of participation in CMS quality reporting initiatives and programs.

iQIES provides software for state and federal users to certify providers and suppliers, schedule surveys, collect and track survey results, record and track complaints or incidents, and implement enforcement activities. 

Providers, State Agency staff, CMS Regional and Central Office staff, and other approved users will be able to run standard, pre-determined reports through the iQIES reporting features that will run against a national database containing assessment and survey and certification data.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

Information used within iQIES includes: Name, Date of Birth (DOB), Social Security Number (SSN), mailing address, phone number, email address, Provider Name, Provider Number, National Provider Identification Number, Medical Notes, Medical Record Number, Health Insurance Claim Number (HICN), race/ethnicity, and sex. Other PII includes: User Credentials (User ID and Password).

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

iQIES is a national repository that contains resident and patient assessment data. It includes clinical data of patients and residents. The data offers a multidimensional view of residents'/patients' functional capacities. It is used to collect and validate data on provider and beneficiary specific outcomes of care and performance for use in improving the quality and cost effectiveness of services provided by the Medicare, Medicaid, and Clinical Laboratory Improvement Amendment (CLIA) programs. iQIES replaces functionality provided by the legacy Quality Improvement and Evaluation System (QIES) and provides a common look and feel, collects only the data that is needed, all while making the system more accessible, portable and intuitive to use than QIES. iQIES eliminates the complex web of multiple databases and external processes needed to move, consolidate, and manage data in QIES. iQIES will be a single solution with many services that is secure, web-based, nimble to enhance, and efficient to manage. iQIES will reside in Amazon Web Services (AWS) in a private cloud platform.

The following directives are in place with regards to information retention for iQIES:

As of October 7, 2019, CMS approved a 10-year record retention policy which applies to both patient assessment and survey/certification records.  This new policy is effective immediately.  Therefore, the new business rule for assessment data is to delete 10 years from the assessment 'Target Date', except for assessments with a known exclusion. A known exclusion is when an assessment record is past the data retention period, but is associated with a current litigation hold, then the assessment would be excluded from the deletion process.

iQIES Intermediary Records: Inputs and outputs are retained in accordance with NARA GRS 5.2, Item 020.  Temporary. Destroy upon verification of successful creation of the final document or file, or when no longer needed for business use, whichever is later.

iQIES collects both PII and non-PII patient data from patient assessments that are submitted by health care providers. This includes Name, Date of Birth (DOB), Social Security Number (SSN), Provider Name, Provider Number, National Provider Identification Number, Medical Notes, Medical Record Number, Health Insurance Claim Number (HICN), race/ethnicity, and sex. iQIES collects the following PII to allow providers to search for patients they will be submitting assessments for: Name, Date of Birth (DOB) and Social Security Number (SSN). Users can only retrieve patient records for providers that are linked to their iQIES account through the user role access request process.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name

  • E-Mail Address

  • Phone Numbers

  • Medical Notes

  • Date of Birth

  • Mailing Address

  • Medical Records Number

  • Other - Provider Name, Provider Number, National Provider Identification Number, Health Insurance Claim Number (HICN), Race/ethnicity, and sex. User Credentials (User ID and Password) are used to gain access to the system.

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Vendors/Suppliers/Contractors

  • Patients

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

iQIES contains resident, patient assessment, and clinical data. The Personally Identifiable Information (PII) and Protected Health Information (PHI) are used for payment, quality of care, and tracking/processing complaints and incidents reported against Medicare and Medicaid providers and suppliers. The purpose is to measure outcome monitoring, patient risk factors, and to aid in the administration of the survey and certification of Medicare and Medicaid providers, suppliers, and laboratories enrolled in the CLIA program.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

N/A

Describe the function of the SSN.

The SSN is key to ensuring accuracy (matching the claim to proper beneficiary and proper payment).

iQIES users are Centers for Medicare & Medicaid Services (CMS) Central Office and Regional Office staff, States, and surveyors.  iQIES also shares data with State agencies, Fiscal Intermediaries (FIs), Regional Home Health Intermediaries (RHHIs), and Quality Improvement Organizations (QIOs) for the purpose of health care quality and payment. Also, data may be disclosed to entities that meet Privacy Act requirements for routine uses as stated in the System of Record (SOR).  These entities must have a Data Use Agreement (DUA). iQIES uses several patient identifiers together, one being the SSN, to ensure an accurate matching so that an episode/stay is created for each patient.  The episodes/stays are used to calculate quality measures (QMs), which uses multiple assessments for each patient for each provider. These measures are publicly reported by CMS.  In addition, CMS uses the patient assessments to determine payment for each Medicare beneficiary.

Cite the legal authority to use the SSN.

Medicare Improvements for Patients and Providers Act (MIPPA), 2008

Identify legal authorities governing information use and disclosure specific to the system and program.

Medicare Improvements for Patients and Providers Act (MIPPA), 1974, Section 153c

Medicare, Medicaid and SCHIP Extension Act (MMSEA), 2007

Medicare Improvements for Patients and Providers Act (MIPPA), 2008

Health Insurance Portability and Accountability Act (HIPAA), Privacy Rule

Tax Relief and Health Care Act (TRHCA)

Affordable Care Act (ACA), 45 CFR 155.210(e)

5 USC Section 301, Departmental Regulations

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Published:  ASPEN Complaints/Incidents Tracking System (ACTS) 09-70-0565
Hospice Item Set (HIS) 09-70-0548
Inpatient Rehabilitation Facilities – Patient Assessment Instrument (IRF-PAI) 09-70-0521
Long Term Care Hospitals Quality Reporting Program (LTCH QRP) 09-70-0539
Long Term Care Minimum Data Set (LTCMDS) 09-70-0528
HHA Outcome and Assessment Information Set (OASIS) 09-70-0522

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Online

Identify the sources of PII in the system: Government Sources

  • Other HHS OPDIV

  • State/Local/Tribal

  • Other Federal Entities

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

Not Applicable

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Within HHS: Centers for Disease Control and Prevention (CDC) to meet joint agency priorities related to Healthcare Associated Infection (HAI) prevention and quality reporting and improvement initiatives

  • Other Federal Agency/Agencies: Social Security Administration (SSA) uses the admission and discharge information for care received to administer the Supplemental Security Income (SSI) program efficiently and to identify Special Veteran’s Benefits (SVB) beneficiaries who are no longer residing outside of the United States

  • Private Sector: Payment and quality of care.

  • State or Local Agency/Agencies: Tracks and processes complaints and incidents reported against Medicare and Medicaid providers and suppliers.

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

Disclosure of Nursing Care Facility Admission and Discharge Information, Identifier: SSA Match #1076 | CMS Match #2016-05 | HHS DIB #1611 Recipient: Social Security Administration (SSA)

Interagency Agreement (IAA), CMS IAA #IA16-212 and CMS IAA #IA16-213, Recipient: Centers for Disease Control and Prevention (CDC)

Describe the procedures for accounting for disclosures

iQIES follows CMS Incident Response and Breach Notification Procedures. The Privacy Act of 1974 (5 U.S.C. § 522a) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R Parts 160 and 164) allow the Centers for Medicare and Medicaid (CMS) to disclose information without an individual’s consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a "routine use." The proposed routine uses in this system meet the compatibility requirement of the Privacy Act.

Authorized PII/PHI disclosure of information to a third party outside of HHS only occurs when an authorized iQIES user runs a report in the system where the contents include PII or PHI data. iQIES captures every execution of such reports in the iQIES database.

The information stored in the database for each report execution includes the iQIES username, the report run, the report execution date, and other metadata about the report execution incident for tracking purposes. The user's address is linked to their iQIES username. 

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Long Term Care Hospitals who submit patient assessments to iQIES are responsible for providing notice to patients. System users are notified that their PII is being collected by a system banner that is presented upon entering a user's credentials.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The original collectors (Private Sector) communicate directly with beneficiaries. 

Members of the public submitting a complaint against a provider or supplier have the option to remain anonymous. Perpetrators implicated in complaints do not have the option to object to the information collection because they are the subject of the complaint. 

There is no opt-out capability as login credentials (User ID and Password) are required to access iQIES.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

The original collectors (Private Sector) communicate directly with beneficiaries. A notice in the Federal Register would be made if a major system change occurred in iQIES. Login credentials (User ID and Password) are required to access iQIES.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Resolution for any concerns regarding the inappropriate use or disclosure of PII including login credentials (User ID and Password) is addressed by CMS. CMS employees engage their local help desk system to make corrections.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

iQIES stores its data in a transactional database layer with rigidly enforced referential integrity; all data (PII containing or otherwise) is guaranteed to maintain this integrity in order to be initially stored within the system. Accuracy and relevancy of all data is ensured in an ongoing fashion through data submission validation rules built into the application data submission process. iQIES database subsystems are continuously monitored and report findings to a logging dashboard to ensure continuous availability of all data (PII or otherwise).

iQIES staff will conduct annual reviews of PII data to evaluate the data’s accuracy and integrity.  These checks will look for duplicated PII/PHI data fields in Patient related tables, inconsistencies in the Vendor/Provider tables, evaluate geographic data for integrity, and will check other data fields against known data sets.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Users may access PII authorized under a Data Use Agreement.

  • Administrators: System Administrators may access PII to manage the system and troubleshoot potential issues.

  • Developers: Developers may access PII to troubleshoot potential issues.

  • Contractors: Direct contractors authorized by CMS may access PII to conduct tasks under the assigned contract.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

System user access to PII is given by assigning roles to the user account.  The process of assigning these privileges utilizes the principle of least privilege.  Users are only granted access based on their job responsibilities. To ensure the level of access is maintained for each of the roles, the role creation process involves analysis of the role definition and type of access granted by the role. Periodic account and access review ensures that system users are still authorized to view PII.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

iQIES uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis corresponding with their assigned duties. System Administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user, modifying their user role(s), or by removing their access if no longer required. Activities of all users, including system administrators, are logged and reviewed by the iQIES Information System Security Officer (ISSO) to identify abnormal activities, if any.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

CMS and Direct Contractors undergo annual Security Awareness Training (SAT) for general network and system access.


CMS requires all employees and contractors with elevated or privileged access to undergo role based training and general security training.
 
Standard users (States, CMS partners, etc.) are not required to take SAT in order to use the iQIES system. However, all must be aware of Federal Security and Privacy standards and guidelines such as the Health Insurance Portability and Accountability Act (HIPAA), the Privacy Act of 1974, the E-Government Act and the Federal Information Security Management Act (FISMA).

Describe training system users receive (above and beyond general security and privacy awareness training)

Based on role, selected iQIES Contractors and CMS personnel are provided the following training in addition to general security and privacy awareness training:

  • Scaled Agile Framework (SAFe) Product Owner / Product Manager training

  • SAFe Advanced Scrum Master training

  • Certified Scrum Master training

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

iQIES has a National Archives and Records Administration (NARA) Records Disposition Authorization, DAA-0440-2015-0009-0003, which states that records are destroyed when 10 years old, or when no longer needed for Agency business, whichever is later. 

AWS follows the techniques detailed in Department of Defense (DoD) 5220.22-M (“National Industrial Security Program Operating Manual”) or National Institute of Standards and Technology Special Publication (NIST SP) 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative: Only access necessary to perform respective job duties is granted.  Authentication and access control profiles are maintained.  Users may only view information and perform tasks according to pre-assigned security and access control profiles determined by the system administrator.


Technical: The following controls are in place to minimize the possibility of unauthorized access, use or dissemination of the data in the system: User Identification, passwords, firewall, Virtual Private Network (VPN), Encryption, and Intrusion Detection System (IDS).


Physical:  The Data Center where information is stored uses Guards, ID badges, Key Cards, Cipher Locks, Biometrics and Closed Circuit TV to secure physical controls.

Identify the publicly-available URL:

https://iqies.cms.gov

Does the website have a posted privacy notice?

Yes

Is the privacy policy available in a machine-readable format?

Yes

Does the website use web measurement and customization technology?

Yes

Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply)

Session Cookies

  • Web Beacons - Collects PII?: No

  • Web Bugs - Collects PII?: No

  • Session Cookies - Collects PII?: No

  • Persistent Cookies - Collects PII?: No

  • Other - Collects PII?: No

Does the website have any information or pages directed at children under the age of thirteen?

No

Does the website contain links to non-federal government websites external to HHS?

No