Skip to main content

Measures Management System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 9/23/2024

PIA Information for Measures Management System
PIA QuestionsPIA Answers
OPDIV:CMS
PIA Unique Identifier:P-7105418-963722
Name:Measures Management System
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?Yes
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization9/7/2023
Indicate the following reason(s) for updating this PIA. Choose from the following options.
  • Significant System Management Change
  • PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.The Measure Management System (MMS) Centers for Medicare and Medicaid Services CMS Measures Inventory Tool (CMIT) Environment, applications hosting was moved off  the batCAVE platform as a service (PaaS) environment within the Amazon Web Services (AWS) Center for Medicare and Medicaid Services (CMS) Cloud infrastructure as a service (IaaS) environment. The CMIT Environment leverages computer, networking, and storage resources which are managed by the MMS Contractor, and resides in the AWS CMS Cloud. It is secured at the Moderate Categorization level per Federal Information Processing Standard (FIPS) 199/200.
Describe the purpose of the systemThe CMS Measures Inventory Tool (CMIT) environment contains five distinct applications, CMIT, the Measure and Instrument Development and Support (MIDS) Library, the MUC Entry/Review Information Tool (MERIT), the Measure Management System (MMS) Hub Website, and the Environmental Scan Support – Data Gathering System (ESS DGS). The CMIT Application manages the technical information about CMS’s quality measures and is used as the source for publication of the CMS list of quality measures. The MIDS Library Application is used to collect the current and historical contract deliverables submitted on MIDS contracts and to provide authorized users with access to a central repository where they can search, browse, upload, and download those deliverables. The MERIT Application houses the Measures Under Consideration (MUC) System. This application provides authorized users the ability to search, browse, export, submit, track, and advance new measures through a defined workflow. The MMS Hub Website is an informational website for all stakeholders in CMS quality measures. The website provides support and guidance to measure developers for developing quality measures. For each quality measure, CMIT presents users with a list of relevant medical journal articles from PubMed, PubMed Central, and Cumulated Index to Nursing and Allied Health Literature (CINAHL). Additionally, CMIT enables the user to execute a “De Novo” environmental scan which identifies journal articles relevant to a new quality measure described by the user. The Environmental Scan Support – Data Gathering System (ESS DGS) builds the data supporting these functions by applying Natural Language Processing (NLP) and semantic processing to the quality measures and to all the publicly available journal articles on PubMed, PubMed Central, and Cumulated Index to Nursing and Allied Health Literature (CINAHL).
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The CMIT Application collects, maintains, and shares information about the quality measures which CMS uses in its programs. The system tracks measures throughout their lifecycle from concept to retirement. This information includes mostly public information such as measure title, program names, health conditions addressed, and domains addressed. It may also contain proprietary information that is not intended for the public, such as details surrounding measure development methodologies. Measure information in CMIT is retained for as long as is needed to support Measure Development. The MIDS Library Application collects the current and historical contract deliverables submitted on MIDS contracts and provides authorized users with a central repository where they can search, browse, upload, and download those deliverables. Some of these documents will be public, but some may contain proprietary information such as contract budgets and discussions of proprietary methods. Contract deliverables in the MIDS Library are retained for as long as is needed to support Measure Development. The MUC Entry/Review Information Tool (MERIT) application collects information about quality measures which are being submitted for inclusion in CMS quality programs. This information includes mostly public information such as measure title, program names, health conditions addressed, and domains addressed. It may also contain proprietary information that is not intended for the public, such as details surrounding measure development methodologies. Measure development information in MERIT is retained for as long as is needed to support Measure Development. To control access, all three applications allow for the ability to authenticate through HCQIS Access Roles and Profile (HARP), a separate system, which provides a userid and password for authentication; or the application's legacy/embedded login capability which collects username, first and last name, e-mail address and password (for legacy login only). User Information is retained for as long as is needed to support Measure Development or when no longer needed for investigative or security purposes, whichever is appropriate. User accounts are created by request from the user with approval from the Government Task Leads (CMS GTL) 

The Environmental Scan Support – Data Gathering System (ESS DGS) is a back-end system that identifies relevant literature for each quality measure or set of quality measure concepts and provides insight into that literature. The data gathered by the ESS DGS is public and is displayed to all users in CMIT. The DNMS (De Novo Measure Scan), a component of the ESS DGS is used to query against the scanned literature to identify journal articles relevant to a new quality measure described by the user and is available through authorized access to the CMIT environment.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.Quality measure information is collected to fulfill CMS's obligation to manage quality measure development and maintenance. On CMS authority and approval, subsets of this information are shared with other measure development organizations and with the public.
In the CMIT Application, unauthenticated users can search, view, filter, sort, compare and export measures that CMS uses across its incentive programs. Based on role (measure user, measure editor, configuration editor, administrator), authenticated/authorized users may view measure details, create, review, and publish revisions for measures, rate relevancy of publications to measures, view aggregated ratings for publications and measures, or administer user accounts.
The MIDS Library Application is used to collect the current and historical contract deliverables submitted on MIDS contracts and to provide authorized users with a central repository where they can search, browse, upload, and download those deliverables. Some of these documents will be public, but some may contain proprietary information such as contract budgets and discussions of proprietary methods.  Additional roles are added to the accounts in CMIT to support the MIDS Library, including editors, CMS MMS leads, CMS task order leads, contractors, contractor reviewing officials (ROs), and administrators.
The MERIT Application houses the Measures Under Consideration (MUC) System. This application provides authorized users the ability to search, browse, export, submit, track, and advance new measures through a defined workflow. The application allows authorized users to export the accepted new measures for the Measures under Consideration List (MUC List) which is required by regulation to be made publicly available by December 1 of each year. Many data fields are needed to specify the origin, rationale, operation, and applicability of each candidate measure. Not all measures will be accepted and made publicly available on the MUC List. Additional roles are added to the accounts in CMIT to support MERIT, including CMS POC, Battelle Measure Manager, CMS Approver, Prerulemaking (PRM) User, and administrators.
Authentication into the CMIT, MERIT, and MIDS Library Applications require two-factor authentication and can be performed with one of two options. The first option is through HARP. HARP allows for integration of the CMS EUA and PIV authentication which makes authentication for those users with EUAs and PIVs easier. This includes CMS employees and many CMS contractor employees. The second option is CMIT's legacy/embedded login capability comprised of a password and either a Google Authenticator or a Symantec VIP token code. Legacy users activate their accounts via time-limited links sent through e-mail and can reset their passwords via time-limited links sent through e-mail. User account information includes username, last name, first name, e-mail address, and password (for legacy login only).
The MMS Hub Website is an informational website for all stakeholders in CMS quality measures. The website provides support and guidance to measure developers for developing quality measures and provides educational and informative materials to other stakeholders to promote involvement and awareness of quality measures and the measure lifecycle. All information posted on the website is public. At present, the only authenticated roles are content maintainers and administrators. The MMS Website is based on Drupal running on an Apache HTTPD with PHP and MySQL platform.
Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Other - Username and password
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Vendors/Suppliers/Contractors
How many individuals' PII in the system?500-4,999
For what primary purpose is the PII used?The Personally Identifiable Information (PII) (username, e-mail address, and password) are used to validate user accounts, provide secure, self-service password reset capability, and to provide user notifications.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)N/A
Describe the function of the SSN.N/A
Cite the legal authority to use the SSN.N/A
Identify legal authorities​ governing information use and disclosure specific to the system and program.42 CFR 401.101-401.148; section 1106(a) of the social security act; 42 U.S.C. 1306(a); Executive Order 9397; Debt Collection Improvement Act; 31 U.S.C. 7701 (c)(1); 5 U.S.C. 552a(b)(1)
Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.IACS 09-70-0538
Identify the sources of PII in the system: Directly from an individual about whom the information pertainsEmail
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • Other HHS OPDIV
Identify the sources of PII in the system: Non-Government SourcesPrivate Sector
Identify the OMB information collection approval number and expiration dateCMIT is exempt from Paperwork Reduction Act (PRA) Clearance as the PII collected (email address, username, password) is used only for the purposes of account creation per https://pra.digital.gov/do-i-need-clearance/pra-and-the-internet/. Website functionality falls under "Website display customization" and "Filtering agency data" which allows users to save and run queries to filter and view data using their account.
Is the PII shared with other organizations?No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.Prior to creation of a user account, the user is asked to provide consent via e-mail. This e-mail request for consent contains the privacy notice.
Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.Individuals can choose not to create an account thus avoiding collection of PII. However, submission of the PII is required to have an account as the e-mail address is used to provide additional verification of identity.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.Any modifications to the privacy policy are sent to the users via e-mail. This e-mail includes instructions for requesting deletion of their account including PII.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.The privacy notice includes instructions for submitting questions or concerns about the use of PII via e-mail, telephone, or postal mail. These requests are sent to the support e-mail box for the Measures Management System (MMS), of which CMIT, MIDS Library, MERIT, and MMS Web applications are a part. MMS support responds to these e-mails within one business day. Such requests are reported to CMS.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.Each user's e-mail address must be correct in order to activate their account or reset their password. Each user can see their e-mail address on their profile page. Accounts are reviewed on a quarterly basis with the CMS task lead. Accounts without a login in the last 60 days require reactivation through emails. Accounts without a login for more than 400 days are fully disabled. Users that are fully disabled must go through the account approval process again (through the MMS Support desk) to reactivate their account.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Users are able to see their name and email address on their profile page only.
  • Administrators: Administrators perform account management including creation, review, deletion amendment of user accounts, and troubleshooting.
  • Contractors: Users are a combination of direct and indirect contractors; however, Administrator and User Administrator roles are only given to Direct MMS Contractors
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.Membership to a role with access to PII is only granted upon approval of the project manager and upon completion of required training. Changes to policy governing which roles may access PII must be approved by the business owner and CMS ISSO.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.The CMIT, MIDS Library, and MERIT applications only collect username, e-mail address, and password (for legacy login only) for system users. All are necessary for management of authentication and the assignment of roles to enable users to perform their assigned function while maintaining least privilege. Only those users assigned to the Administrator role can view, add, or edit PII. Only those users with a need to manage user accounts are assigned to the administrator role. Passwords are securely hashed with a salt.
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.The CMIT Environment privacy policy and notice is sent to all personnel on an annual basis and when changes occur to the privacy policy. In addition, all system developers, system administrators, measure editors, and task managers are required to complete CMS security and privacy training on an annual basis.
Describe training system users receive (above and beyond general security and privacy awareness training)The system security plan requires all system developers, system administrators, measure editors, and task managers to receive privacy training. All users receive a copy of the privacy notice.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.User accounts are retained as long as the user is active, and the CMS task lead continues to indicate need during quarterly reviews. Accounts and accompanying PII are deleted when no longer needed. Per National Archives and Records Administration (NARA), N1-GRS-95-2 item 1c; Disposition Instruction Retention Period: Destroy 1 year(s) after user account is terminated or password is altered or when no longer needed for investigative or security purposes, whichever is appropriate.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.Administrative Controls: Access to the CMIT Environment PII is denied to all contractors and service providers unless warranted. Personnel with access are required to adhere to the policies and procedures documented in the system security plan and this PIA. CMIT Environment system and application account reviews occur quarterly. System administrators monitor vulnerability scans through Security Hub reports fed by Tenable Nessus Scans in real-time; Application code is scanned through pipelines (pipeline tools: GitLeaks, Semgrep, ClamAV, Grype) for vulnerabilities. No known critical vulnerabilities are deployed to production unless approved by the CMS ISSO and CMS Contracting Officer’s Representative (COR); audit logs are ingested into the SEIM for automated alerts and actions. The privacy officer produces privacy reports as required by applicable contracts. A record of CMIT Environment PII disclosures is maintained and communicated to CMS. Users can request corrections using instructions in the privacy notice which is included on the website. System administrators receive annual training on securing systems. Application developers, administrators, editors, and task managers must complete privacy and cybersecurity training annually. Accounts are disabled or deleted at the request of the user, CMS task lead, or after 60 days of inactivity. Accounts with PII are sometimes created in our Implementation (IMPL) Environment to allow limited stakeholders to provide feedback on prospective changes or to perform acceptance testing. Otherwise, PII is not used for testing or development. Applications do not share PII with any other system. All privacy related requests go to the MMS support desk which provides an initial response within one business day. System procedures include an incident response plan which covers PII. All personnel receive background checks. The CMIT Environment has an appointed privacy officer with the responsibility and authority to ensure adherence to privacy laws and policies by establishing necessary controls including policies, procedures, precautions, and training.
Technical Controls: Applications only collect a user's e-mail address and name, which is the minimal information required to maintain a user account. Intrusion detection software provides continuous monitoring. PII is validated and revalidated through user registration and review processes. The integrity of a user's e-mail address is protected through the activation and reactivation procedure. PII is only displayed on the administrators' account management page. Applications restrict access to account information to administrators only. CMIT Environment PII is retained as long as the account is active. A user's request for an account is considered consent to collect PII. The privacy notice is available on the Application sites. The privacy notice contains instructions for submitting requests, questions, complaints, or concerns. Users can review their PII on their account page. The information resides in a database using AES-256 Server Side encryption in the AWS CMS Cloud. The system includes vulnerability scanning, log monitoring, and intrusion detection. All data is backed up and replicated across at least two Availability Zones for redundancy.
Physical Controls: The CMS Cloud leverages the AWS Federal Risk and Authorization Management Program (FedRAMP) package to inherit permission sets from the Cloud Service Provider (CSP). The CMIT Environment inherits the system physical and environmental protection controls associated with hardware components within AWS fully from AWS physical infrastructure.
Identify the publicly-available URL:https://cmit.cms.gov
https://cmsmerit.cms.gov
https://mmshub.cms.gov
https://cmit-impl.cms.gov/cmit
https://cmsmerit-impl.cms.gov/merit
https://mmshub-impl.cms.gov/
Does the website have a posted privacy notice?Yes
Is the privacy policy available in a machine-readable format?Yes
Does the website use web measurement and customization technology?Yes
Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply)Persistent Cookies - Collects PII?: No
Does the website have any information or pages directed at children under the age of thirteen?No
Does the website contain links to non-federal government website external to HHS?Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?No