
Maryland Primary Care Program System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 6/16/2022

PIA Information for Maryland Primary Care Program System
PIA Questions / PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-5713120-630359
Name: Maryland Primary Care Program System
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system: Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? No
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 11/16/2022
Indicate the following reason(s) for updating this PIA. Choose from the following options: PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA: There have been no changes to the information system that affect the PIA responses since the last PIA submission/approval.
Describe the purpose of the system: The Maryland Primary Care Program (MDPCP) Model is designed to support Practices along the continuum of transformation to deliver better care to patients and promote smarter spending. MDPCP is both a care delivery and payment redesign model. MDPCP provides participating Practices and Care Transformation Organizations (CTOs) with tools to assist with providing information pertaining to their demographic, practice, and organizational information and composition; their reporting of practice and quality milestones, as well as to provide a platform where participating Practices and CTOs can download reports essential to their success in this initiative. The Center for Medicare & Medicaid Innovation (CMMI) and contractors supporting the initiative will use MDPCP to monitor the progress and compliance of participating Practices and CTOs.
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The types of information collected, maintained, or disseminated through the MDPCP System include: 

Demographic information and various Practice and CTO contacts

Practice information, including organizational details, the MDPCP practice ID number, and Tax ID Number (TIN)

CTO information including organizational details and TIN

Beneficiary information including name, date of birth, and Medicare Beneficiary Identifier (MBI).

Health Information Technology (IT) information including Vendor Roster that contains Name, CMS Electronic Health Record (EHR) Certification ID, Phone Number and Email

Composition information including Practitioner Roster which has Name, National Provider Identifier (NPI) and Email

Composition information including Staff Roster, which contains Name and Email

Participation Agreement Documents

Letters of Support Documents

Practice Reporting information on a daily and monthly basis

CTO Reporting information on a daily and monthly basis

MDPCP processes the following PII elements:
  • Name
  • E-Mail Address
  • Phone Numbers
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Other - NPI, Medicare Beneficiary Identifier (MBI), Sex, Age, Race, Date of Death, Enterprise Identity Data Management (EIDM) User ID, Practice Name, Maryland Board of Physicians License Number, and MDPCP practice ID number.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

MDPCP will collect Practice reporting information that CTOs will attest to on a quarterly basis. This reporting is a status of the participating practices’ progress towards meeting the goals of the initiative. These goals are monitored by CMS, supporting contractors, and participating payers. MDPCP provides participating practices with tools to assist with their reporting such as the ability to download supporting reports essential to their success in this initiative. The CMMI, participating payers and contractors supporting the initiative use MDPCP to monitor the progress and compliance of participating practices. 

MDPCP maintains demographic information and organization information about the participating MDPCP practices and CTOs, as well as the demographic information of points of contact and participating providers. This information is necessary for model operations and serves as a single point of reference for practices, CTOs and other MDPCP stakeholders. MDPCP Practices, CTOs, and participating payers receive information on a routine basis to support their work in the model. For Practices and CTOs, this includes Payment and Attribution reports, Beneficiary Attribution Reports, and other administrative documents such as Participation Agreements and Letters of Support. Participating payers also receive their Provider Roster reports through MDPCP. This is critical information for payer operations because it determines which providers in MDPCP are to receive care management fees.

Login credentials are provided by CMS's enterprise identity management system and used to grant access to the system. MDPCP is accessible only to stakeholders involved in the model and is a vehicle with which CMS is able to securely provide information to and collect information from stakeholders.

MDPCP users retrieve system records using PII elements such as name or NPI. Admin users can additionally search by user ID and MDPCP practice ID number.

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Other - NPI, Medicare Beneficiary Identifier (MBI), Sex, Age, Race, Date of Death, Enterprise Identity Data Management (EIDM) User ID, Practice Name, Maryland Board of Physicians License Number, and MDPCP practice ID number.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Business Partners/Contacts (Federal, state, local agencies)
  • Patients
  • Other - MDPCP Model participating Practices and CTOs
How many individuals' PII in the system? 50,000-99,999
For what primary purpose is the PII used?

Demographic information of MDPCP practice sites, CTOs, participating providers, and practice information are used to determine eligibility and beneficiary attribution/alignment (the process of using Medicare claims data to associate beneficiaries with clinicians providing their care).

Beneficiary information is shared with MDPCP practices to verify beneficiaries, understand from whom they are receiving care management fees, and implement all the five functions of MDPCP care delivery transformation.

Practice and CTO Point of Contact (POC) information is collected to enable CMS to have a communication point of contact for each participating practice and CTO in MDPCP.

Collected information is also used to populate reports such as the Beneficiary Attribution, Practice Roster and CTO Roster reports. These reports are securely provided to the Operations contractor for uploading to MDPCP. MDPCP users associated with certain roles are only permitted to download reports applicable to their roles and practice association.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research): Not applicable
Describe the function of the SSN: Not applicable. MDPCP is not used to collect, store, use, or disclose SSN.
Cite the legal authority to use the SSN: Not applicable
Identify legal authorities governing information use and disclosure specific to the system and program: Affordable Care Act (ACA) Section 3021, 5 USC 301 Departmental Regulations
Are records on the system retrieved by one or more PII data elements? Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed: Published: SOR#: 09-70-0591 DERS, Master Demonstration, Evaluation, and Research Studies for the Office of Research, Development and Information
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
  • Other - CTOs provide their contact information online.
Identify the sources of PII in the system: Non-Government Sources: Other - Care Transformation Organization
Identify the OMB information collection approval number and expiration date: Not applicable
Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Not applicable. Notice is the responsibility of the providers. 

The information that is submitted is sourced from existing medical records that have already been collected by the provider. Responsibility for patient notification resides at the point of information collection from the individual. However, all Medicare participants are provided with a CMS Notice of Privacy Practice that states that although they can elect to not share data for certain processes, as a condition of participating in Medicare, their information will be shared for certain purposes, such as quality assessment and reporting.

MDPCP end-users are given Terms and Conditions during the CMS account registration process which include Consent to Monitoring, Protecting Your Privacy, and Consent to Collection of Personal Identifiable Information (PII).

Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

It is the responsibility of the providers to provide individuals with an option to opt out. 

The provision of PII is "voluntary" as that term is used by the Privacy Act. However, in order to receive benefits under the Medicare program, individuals must provide PII including all of the information collected and used by MDPCP.

Beneficiaries are provided with a letter from their provider that includes instructions on how to opt out of data sharing and manage their data sharing preferences.

MDPCP users must provide PII in order for system administrators to authenticate their identity and provide them with access to MDPCP.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Changes to MDPCP that involve uses and disclosures of beneficiaries' PII or authentication information are not expected to occur. In the event that such changes were to occur, CMS informs beneficiaries using multiple channels, including direct mailings; notices on the CMS web site (including edits to CMS's posted Privacy Policy), or changes to the relevant Systems of Records notices.

In the event of changes involving uses and disclosures of authentication information, employees will be notified by notices on the CMS Intranet; newsletters; updates to the relevant Systems of Records notices; E-mails to affected individuals; and through supervisors and system owners.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

MDPCP personnel (e.g., providers, practice and CTO POCs) who believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate may contact MDPCP Support via e-mail or phone to address any issues with the MDPCP System's use of their PII. Medicare beneficiaries may contact their provider or 1-800-MEDICARE to report concerns regarding the use of their PII.

MDPCP users' credential information is collected via registration with CMS's authentication system. Concerns about that credential information should be reported to the CMS Help Desk and escalated to the CMS authentication system administrators.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

CTO POCs review their CTO information, Practice POCs review their practice information and beneficiary information at least quarterly to ensure the data’s accuracy and relevancy.

Data availability and integrity are protected by security controls selected as appropriate. MDPCP follows the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards and National Institute of Standards & Technology (NIST) documents, such as its Special Publications, to select controls appropriate to the level of risk of the system, determined using NIST's Federal Information Processing Standard 199.

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Practice, Support, CMMI, CTO, Admin, and learning and diffusion (L&D) users access the MDPCP Application to perform the respective duties as outlined by the Program.
  • Administrators: Database administrators (DBA) provide maintenance for the system. Administrators include direct contractors.
  • Developers: Application Development Organization (ADO) direct contractors provide maintenance support including post-production (PROD) testing, file ingestion and verification, and troubleshooting of PROD issues.
  • Contractors: Direct contractors provide implementation and Application Support.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Role-based access is utilized to ensure users have access to only what is necessary to perform duties related to their specific role/function with MDPCP. Access to MDPCP System PII is determined by user role type, associated CTO(s) and associated practice(s). Roles and access capabilities are defined in the system’s Operations and Maintenance Manual and approved by the MDPCP Business owner.

System Administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user, or by removing their access if it is no longer required. Activities of all users are logged and reviewed by the system administrator to identify abnormal activities; if any are found, they are reported to the business owner and the Information Systems Security Officer (ISSO).

The Development Contractor conducts smoke testing following each production deployment to ensure the application's features and functions are operational.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job: MDPCP users access the application via CMS's enterprise identity management system. The system enforces role-based access based on a least-privilege model to protect data from unauthorized personnel. The application controls data access such that an organizational user is restricted to the data pertaining to their own organization. Role-based access is determined by the business requirements of MDPCP, and its implementation is detailed in the system requirements of the MDPCP System. These roles cover MDPCP Practices, Support, Admin, CMMI, L&D, CTO users, participating payers, and supporting contractors that may have access to PII. System administration staff manage the role-based access controls.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained: All CMS employees and direct contractors are required to complete mandatory security and privacy awareness training prior to gaining access to the CMS network. Each year thereafter, users must be re-certified. If they fail to complete the recertification training, the user's access is terminated. CMS also requires users, on an annual basis, to complete Role Based Training and HHS Records and Retention Training. Users are also required to complete HIPAA training.
Describe training system users receive (above and beyond general security and privacy awareness training): MDPCP personnel with responsibilities regarding security, incident handling, and/or contingency activities are provided additional training and perform tabletop exercises that test their roles' responsibilities.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The application adheres to data retention and destruction policies/procedures that follow National Archives and Record Administration (NARA) guidelines related to data retention and NIST guidelines related to data destruction. More specifically, MDPCP adheres to the following NARA general records schedule guidelines:

Beneficiary Records: DAA-0440-2015-0007-0001; Destroy no sooner than 10 year(s) after cutoff, but longer retention is authorized

Provider and Health Plan Records: DAA-0440-2015-0008-0001; Destroy no sooner than 7 year(s) after cutoff, but longer retention is authorized

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

To secure PII, MDPCP follows, and the direct contractor is bound by contract to follow, the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards which are aligned to HHS policies and to NIST requirements.

Access to the system is given based on need to know and job responsibilities. System maintainers use security software and methods to provide role-based “least privilege access.” MDPCP System Users utilize their individual user id and password to access the MDPCP System. Users are required to agree to the Terms and Conditions within the CMS Computer Systems Security Requirements, which contains HHS’s Rules of Behavior. System activity logs are reviewed to monitor the system and user activities for issues. Controls used include:

Administrative: The MDPCP System uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. Users must receive manager approval to gain access to the system.

Technical: The data in MDPCP is secured behind a firewall and through application security. Technical security controls include but are not limited to virtual private networks (VPN), intrusion detection systems (IDS), user accounts, passwords, and access limitation.

Physical: The data center site is secured with guards, identification badges, key cards, locks and closed-circuit televisions.