
Measure Authoring Development integrated Environment

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 7/29/2022

PIA Information for Measure Authoring Development integrated Environment
PIA Questions / PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-9261213-845342
Name: Measure Authoring Development integrated Environment
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? Yes
Identify the operator: Contractor
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 10/20/2022
Indicate the following reason(s) for updating this PIA. Choose from the following options.
  • Significant System Management Change
  • New Public Access
Describe in further detail any changes to the system that have occurred since the last PIA.

The Measure Authoring Tool (MAT) is adding a new component that will eventually replace the original MAT and Bonnie tooling. The Measure Authoring Development Integrated Environment (MADiE) application will eventually provide the same functionality as the MAT and Bonnie applications. The MADiE application uses the same PII data but pulls PII elements strictly from the Healthcare Quality Information System (HCQIS) Access, Roles and Profile Management System (HARP). Only the first name, last name, telephone number and HARP ID are used in the system for user identification purposes, as required for a FISMA moderate system.

There has been no change to the types of information collected or stored.

Describe the purpose of the system

The Measure Authoring Tool system is designed to allow electronic Clinical Quality Measure (eCQM) developers to compose electronic measures and export eCQMs in Health Quality Measures Format (HQMF), Human Readable, Clinical Quality Language (CQL), Expression Logical Model (ELM), and JSON file formats. Electronic measure creation and maintenance requires the use of Value Set information that will be provided through integration with the National Library of Medicine (NLM) Value Set Authority Center (VSAC). The MAT tool is also integrated with the Bonnie testing tool developed by MITRE to test eCQMs.
 
The objective of the Measure Authoring Tool (MAT) system is to become the standard under which electronic measures are built and defined for use in other governmental and non-governmental systems. The MAT system is an open source project and is maintained in partnership with members of the measure development community, which consists of Center for Medicare and Medicaid Services (CMS), Healthcare Information System (HSIS), Value Set Authority Center (VSAC), Enterprise Science and Computing (EASC), and The MITRE Corporation.

The MADiE application is a modernization effort to replace the functionality of the legacy applications (MAT and Bonnie Apps). This will bring new development principles and technologies, improving performance and functionality, while continuing to support the same mission and purpose of the legacy applications. The MADiE application will continue to utilize the same partners and data providers to support the needs of the eCQM community.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The MAT (Measure Authoring Tool) FISMA System collects information about persons. The information is collected via the User Registration Form and via the Contact Us page of the MAT website, or through users registering for HCQIS Access, Roles and Profile Management System (HARP) accounts and requesting the MADiE Role.
The help desk collects First Name, Last Name, Middle Initial, Business Email (may potentially be personal email address), Business Phone Number (may potentially be personal phone number), and Business Name for the purpose of account administration and collaboration between measure developers. Authorized system administrators and help desk personnel access the data for the purpose of account administration and correspondence. Only the name and the email address of the user are shared with and stored by the MAT application.
HCQIS Access, Roles and Profile Management System (HARP) is used for authentication and also performs identity proofing. Registering on the MAT webpage grants access to the MAT application, but a HARP account is required to log in.
The system discloses PII to authorized help desk and program personnel for the purpose of sending e-mail notifications regarding system changes and system status.
The system discloses PII to the registered users for the purposes of sharing measure definitions.
In the normal course of business, the MAT does not share PII with external entities. In the event user interactions indicate evidence of criminal activity, a threat to the government, or a threat to the public, PII may be shared with appropriate agency officials or law enforcement.
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Measure Authoring Tool (MAT) system is made up of three (3) primary applications: Bonnie, MAT, and MADiE. These applications are accessed via the URLs listed below. The MAT system is a production environment for measure development, where registered users build and export standardized measure definitions for use in other systems. (Note: The MAT application only builds definitions for measures; it does not actually compute the measures or access any data that is used to compute a measure.) Bonnie allows users to use the MAT measures and create synthetic patients to test these measures. MADiE is a combination of the functionality of the MAT Application and the Bonnie Application.
 
The Quality Net General Support system provides the virtualized infrastructure and the performance and security monitoring functions necessary for Federal Information Security Management Act (FISMA) compliance, where the production system is hosted.
 
The FISMA System is designed to allow electronic Clinical Quality Measure (eCQM) developers to compose eCQM logic and export eCQMs in Health Quality Measures Format (HQMF), human readable, Clinical Quality Language (CQL), Expression Logical Model (ELM) and JSON file formats. eCQM composition requires the use of Value Set information that is provided through integration with the National Library of Medicine (NLM) Value Set Authority Center (VSAC). The MAT tool is also integrated with the Bonnie testing tool developed by MITRE to test eCQMs. The MADiE system currently is integrated with both MAT and Bonnie to allow transfers of information to the MADiE application.
 
There are 2 types of PII collection for the MAT System:
 
The system collects the following information for the purposes of account registration (identity proofing is handled through HARP): First Name, Last Name, Middle Initial, Business Email (may potentially be personal email address), Business Phone Number (may potentially be personal phone number), and Business Name.
 
This information is shared with system administrators for the purpose of establishing a user account in the Measure Authoring Tool. This information is stored outside the web site.
 
The system uses First Name, Last Name, Middle Initial, Business Email (may be a personal email address), and Business Name for the purposes of establishing an account in the Measure Authoring Tool.
 
This information is shared with authorized system administrators for the purposes of managing a user’s account in the Measure Authoring Tool.
 
E-mail address is shared with authorized system administrators, authorized program managers, and authorized Help Desk personnel for the purpose of sending email notifications regarding account status changes and changes to the MAT system.
 
First Name, Last Name, and Organization are shared with other registered MAT users for the purpose of sharing measure definitions, and for providing a history of changes to measure definitions.
 
The system collects Name and Email to respond to questions or comments submitted through the email link on the Contact Us page of the web site.
 
This information is shared with the MAT Help Desk and authorized program personnel for the purposes of responding to the individual’s inquiry.
Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Other - HARP User ID
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Business Partners/Contacts (Federal, state, local agencies)
How many individuals' PII in the system? 100-499
For what primary purpose is the PII used?
Compliance with FISMA/NIST requirements to identify users of a system. Individuals must provide their PII for the setup and maintenance of their individual accounts to respond to questions or comments submitted through the email link on the Contact Us page of the web site.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research): Not applicable
Describe the function of the SSN. Not applicable
Cite the legal authority to use the SSN. Not applicable.
Identify legal authorities governing information use and disclosure specific to the system and program.
Affordable Care Act, Section 3021 is the legal authority governing information use and disclosure specific to the system and program.
Are records on the system retrieved by one or more PII data elements? Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.
The Privacy Act System of Records Notices (SORN) used by MAT is SORN 09-70-0538 Individuals Authorized Access to CMS Computer Services (IACS) whose primary purpose is to outline the collection and maintenance of individually identifiable information to assign, control, track, and report authorized access to and use of CMS' computerized information and resources.
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
  • Email
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
Identify the sources of PII in the system: Non-Government Sources
  • Members of the Public
Identify the OMB information collection approval number and expiration date
MAT is exempt from needing an OMB information collection approval number per the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) legislation.
Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
A Privacy Policy link is provided at the bottom of each page of the public web site and within the Measure Authoring Tool. (https://www.cms.gov/privacy)
The privacy policy includes a link to http://www.usa.gov/optout-instructions.shtml, which provides instructions on blocking cookies.
Individuals are instructed to contact the Help Desk with any questions or concerns regarding the privacy policy.
Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The collection and use of PII in the Measure Authoring Tool and Bonnie only pertains to users of the system and is required for the purposes of account registration and management. Therefore, there is no option for users to opt-out of the collection of their user ID and password as it is necessary to perform their job. Use of the Measure Authoring Tool is voluntary.

The privacy policy includes a link to http://www.usa.gov/optout-instructions.shtml, which provides instructions on blocking cookies. 

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
A Privacy Policy link is provided in the footer of each page of the public web site and within the Measure Authoring Tool. (https://www.cms.gov/privacy)
The following actions are taken to notify individuals of any changes to the privacy policy:
1. A News and Alerts message is posted on the public web site.
2. Email notifications are sent to registered users of the Measure Authoring Tool.
3. Privacy policy is updated on the public web site.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
Individuals are instructed to contact the MAT Help Desk with any questions or concerns regarding the privacy policy. Individuals are provided with a contact person through the SORNs who will address their concern and triage as necessary.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

As PII is related to accounts for registered users, PII is checked for accuracy as part of quarterly account audits.

E-mail bounce back messages trigger a review of relevant accounts.

MAT system maintainers have implemented both unique and regular indexes to support data integrity and prompt data retrieval. Data is encrypted at rest, which supports data integrity. Data access is limited to system administrators and end users with authorized access. Logs are maintained to track any changes made to data that include who modified a particular file and when those changes were made. The data sets used by the MAT are under the purview of the CMS Data Integrity Board. 

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: For purpose of sharing measure definitions with other users.
  • Administrators: For purpose of administering accounts of registered users and for issuing email notifications.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
Administration of the system is divided between development, test, and production systems.
MAT system design, development, and support staff must have their access approved by the MAT system owner before being provided access to the MAT system and system information.
Developers do not access production systems. Administration is separated by duties. Separate personnel administer servers, network, and applications with only the rights necessary to carry out assigned duties. Within the application, role-based access is utilized to assure users have access to only what is necessary to perform their specific requirements.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
Access to PII is restricted by role-based access controls to authorized personnel, who are provided the minimum necessary access to perform the job functions of the individual’s assigned role.
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.
MAT system design, development, and support staff are required to take CMS privacy and security training prior to initial system access and annually for continued access to MAT Application data.
Describe training system users receive (above and beyond general security and privacy awareness training): Not applicable.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Account registration and corresponding accounts for the measure authoring community are retained in accordance with General Records Schedule (GRS) 3.2 Information Technology and Management Records DAA-GRS-2013-0006-0003, "Destroy 1 year(s) after user account is terminated or password is altered or when no longer needed for investigative or security purposes, whichever is appropriate."

System audit logs are retained in accordance with General Records Schedule, Electronic Records GRS 4.3, item 020, "Delete/destroy when the agency determines they are no longer needed for administrative, legal, audit, or other operational purposes."

Retention policies are in line with the NARA guidelines outlined in N1-GRS-03-1 which states, "Destroy/delete when 5 years old or 1 year after responsible office determines that there are no unresolved issues, whichever is longer. (N1-GRS-03-1 item 1a)."

Data destruction policies follow NIST guidelines provided in NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization.

Electronic records such as passwords are cleared from the system when changed. End of life hard drives and paper records are destroyed via a certified and bonded shred company.

Electronic records are purged.  Paper records are destroyed via a certified shred company.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Technical controls include but are not limited to: 
Authorized users: Unique identification and password authentication for access to the Measure Authoring Tool.
Separation of duties, filters and parameters are set up in accordance with an approved configuration to enforce the security policy.
 
Destruction of electronic information, as appropriate, via sanitization of the systems holding the information.
Audit of events initiated by each individual user, i.e., entry of UserID and password, program initiation, file creation, file deletion, file open, file close, and other user related actions.
Audit trails identify the individual user initiating the event, date, and time the event occurred, success, or failure of each event, and location where the event was initiated.

Security training and ongoing awareness programs, such as posters and newsletters. 
Access controls, including termination procedures to ensure only authorized personnel have access to facilities and systems, commensurate with their job duties.
Review of system activity logs to monitor for issues, Risk Management plans to include Risk assessments, Security Plans, Continuity of Operations/Disaster Recovery plans.
Background and reference checks are performed on all HCIS personnel. 

Identify the publicly-available URL:

https://www.emeasuretool.cms.gov


https://bonnie.healthit.gov/


https://bonnie-fhir.healthit.gov/

https://bonnie-prior.healthit.gov/

https://madie.cms.gov (TBD)

Does the website have a posted privacy notice? Yes
Is the privacy policy available in a machine-readable format? Yes
Does the website use web measurement and customization technology? Yes
Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply)
  • Session Cookies
  • Persistent Cookies
Session Cookies - Collects PII?: No
Persistent Cookies - Collects PII?: No
Does the website have any information or pages directed at children under the age of thirteen? No
Does the website contain links to non-federal government website external to HHS? No