Medicaid and CHIP DataConnect

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 6/29/2022

PIA Information for Medicaid and CHIP DataConnect
PIA Questions and PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-9407701-774884
Name: Medicaid and CHIP DataConnect
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? No
Is this a new or existing system? New
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 1/24/2025
Describe the purpose of the system

The Medicaid and CHIP (Children's Health Insurance Program) DataConnect (MAC-DC) system supports the analysis of Medicaid eligibility and claims data that State Medicaid agencies submit to Centers for Medicare & Medicaid Services (CMS) as a result of the Balanced Budget Act (BBA) of 1997.

The primary function of Medicaid and CHIP DataConnect is to integrate data to accommodate CMS business and analytic needs to provide timely, accurate information in the support of Center for Medicaid and CHIP Services (CMCS) program oversight functions and other CMS business needs that utilize Medicaid and Children's Health Insurance Program (CHIP) data.

Medicaid and CHIP DataConnect supports its primary function through a unified analytic platform that ensures data sourced from MAC-DC systems are integrated appropriately to support analysis of evolving health care delivery reforms, access to coverage, and to enable proper monitoring and oversight. Aside from data needed to support the multi-billion dollar waiver negotiations, CMS will use MAC-DC data for program integrity, evaluation of demonstrations, actuarial analysis, quality of care analysis, and to share this rich data set with states, stakeholders, and the research community.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

Personally Identifiable Information (PII) data is collected/provided to Medicaid and CHIP DataConnect via the T-MSIS FISMA System, which is covered by its own PIA. Medicaid and CHIP DataConnect processes and maintains this data for research analysis and reporting.

The PII/Protected Health Information (PHI) used by Medicaid and CHIP DataConnect includes: the assigned Medicaid records number; social security number; health insurance claim number; date of birth; phone number; citizenship/immigration status; sex; ethnicity and race; mailing address; medical services; equipment information; supplies for which Medicaid reimbursement is requested; and materials used to determine amount of benefits allowable under Medicaid.

The system also collects information on physicians and other providers of services to the beneficiary consisting of an assigned provider identification number, and information used to determine whether a sanction or suspension is warranted.

The Medicaid and CHIP DataConnect system collects, processes, and stores user credentials for a limited number of direct contractors who are involved in system support, administration, and operations roles. The information collected and stored for these administrative users consists of the direct contractor’s name, user identifier, and business e-mail address. These user identifiers are assigned to the user via the CMS Enterprise User Management (EUA) access control software for all users. EUA is covered by its own PIA. Medicaid and CHIP DataConnect records user activity within the data warehouse system for audit purposes and stores the user identifier associated with a user’s actions in the Medicaid and CHIP DataConnect audit logs.

Information (to include PII/PHI & user credentials) is currently retained for 7 years in accordance with defined frequency and National Archives and Records Administration (NARA) retention schedules.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

Medicaid and CHIP DataConnect is an analytics and reporting system that maintains and shares the minimum required data elements (obtained from T-MSIS via individual states) necessary to support administration of the Medicaid program at the federal level, Medicaid-related research of policy issues, quality, and effectiveness of care, and to combat fraud.

Information is maintained and shared temporarily, as information is retained for 7 years in accordance with defined frequency and NARA retention schedules. Information necessary to support the function of this system is as follows:

Medicaid records number; social security number; health insurance claim number; date of birth; sex; ethnicity and race; mailing address; phone number; citizenship/immigration status; medical services; equipment information; supplies for which Medicaid reimbursement is requested; materials used to determine amount of benefits allowable under Medicaid, direct contractor’s name, user identifier, and business e-mail address.

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • E-Mail Address
  • Phone Numbers
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Other - Race/Ethnicity, Health insurance claim number (HICN), Unique Physician Identification Number (UPIN), sex, citizenship/immigration status, medical services, user credentials, and information used to determine whether a sanction or suspension is warranted.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Other - Medicaid/CHIP beneficiaries (and/or individuals eligible for benefits), providers
How many individuals' PII in the system? 1,000,000 or more
For what primary purpose is the PII used? The primary purpose of the PII used by Medicaid and CHIP DataConnect is to support the analysis of health benefits and services to beneficiaries of the Medicaid and Children's Health Insurance Program (CHIP) programs in accordance with Federal statutes or regulations. Medicaid and CHIP DataConnect generates business intelligence reports that support research and quality assurance based on user defined parameters.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research): Medicaid and CHIP DataConnect uses PII to support analysis/research and to perform quality assurance that cannot otherwise be performed without the use of such data.
Describe the function of the SSN. In Medicaid and CHIP DataConnect, the Social Security Number (SSN) is used as a unique identifier, referred to as the MSIS Identifier. Records can be retrieved using the SSN.
Cite the legal authority to use the SSN. 42 U.S.C. 1396a(a)(6), 1396b(r), and 18001 et seq.
Identify legal authorities governing information use and disclosure specific to the system and program. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Authority for maintenance of the system is given under section 1902(a)(6) of the Social Security Act (42 U.S.C. 1396a(a)(6)), and Title IV of the Balanced Budget Act (Public Law 105–33). Also, the following legal authority applies: 5 U.S.C. Section 301, Departmental Regulations.
Are records on the system retrieved by one or more PII data elements? Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Medicaid and CHIP DataConnect does not directly collect any data covered under a SORN.

For specifics on each set of ingested data, the individual sourcing system’s SORN should be consulted for details (T-MSIS SORN: 09-70-0541).

Identify the sources of PII in the system: Government Sources: Within the OPDIV
Identify the OMB information collection approval number and expiration date: Not Applicable. Data Collection occurs from T-MSIS to Medicaid and CHIP DataConnect. Collection of information does not occur within Medicaid and CHIP DataConnect.
Is the PII shared with other organizations? Yes
Identify with whom the PII is shared or disclosed and for what purpose.
  • Within HHS
  • Other Federal Agency/Agencies
  • State or Local Agency/Agencies
Within HHS Explanation: Users are typically business owners and program staff who evaluate and report on the Medicaid and Children's Health Insurance Program (CHIP) programs. HHS Office of the Inspector General (OIG) has oversight responsibility for this data and is granted full access for oversight and audit purposes.
Other Federal Agency/Agencies Explanation: Census Bureau, Congressional Budget Office (CBO), Office of Management and Budget (OMB), Government Accountability Office (GAO), Medicaid and CHIP Payment and Access Commission (MACPAC), Office of the Inspector General (OIG), and Department of Justice (DOJ). Users are typically business owners and program staff who evaluate, report, and/or provide oversight on the Medicaid and Children's Health Insurance Program (CHIP) programs.
State or Local Agency/Agencies Explanation: All States, DC, US Possessions. Users are typically business owners and program staff who evaluate and report on the Medicaid and Children's Health Insurance Program (CHIP) programs.
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

Medicaid and CHIP DataConnect requires all non-organizational individuals to have a valid Data Use Agreement (DUA) in place to receive access to Medicaid and CHIP DataConnect data. The DUA does not allow sharing or disclosure of information outside of the individuals or parties named in the agreement, unless specifically authorized in writing.

Medicaid and CHIP DataConnect has no Memorandum of Understanding (MOU) in place with external organizations as Medicaid and CHIP DataConnect does not currently support direct access to data by local/state and federal agencies. An exception to this is the Information Sharing Agreement (ISA) currently in place with the Health and Human Services (HHS) Office of the Inspector General (OIG).

Describe the procedures for accounting for disclosures

An Information Sharing Agreement (ISA) is currently in place with the Health and Human Services (HHS) Office of the Inspector General (OIG), including the Health Insurance Portability and Accountability Act (HIPAA) disclosure policy 45 Code of Federal Regulations (CFR) 164.528.

In order to document the sharing and disclosures of data, requests must come in writing via email to the Centers for Medicaid and CHIP Services (CMCS) Director.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Not Applicable. Information is provided to Medicaid and CHIP DataConnect via the T-MSIS FISMA System.

Notification is provided at the State/Local/Tribal government level as that is where information collection occurs. Notification of collection for PII/PHI is covered in the T-MSIS PIA.

Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Not Applicable. Information is provided to Medicaid and CHIP DataConnect via the T-MSIS FISMA System.

Collection is provided at the State/Local/Tribal government level. Individuals are given the opportunity to opt-out at the State/Local/Tribal government level at the time of information collection. Opt-out for collection of PII/PHI is covered in the T-MSIS PIA.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. Not Applicable. The method for obtaining consent from the individuals whose PII is in the system when major changes occur to the system is the responsibility of the State/Local/Tribal government sources of the data or the organization responsible for the access control system which issues and maintains the original information. Medicaid and CHIP DataConnect does not collect information directly from individuals. Notification and consent related to major system changes is covered in the T-MSIS PIA.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. The method for obtaining consent from the individuals whose PII is in the system when major changes occur to the system is the responsibility of the State/Local/Tribal government sources of the data or the organization responsible for access control systems issuing and maintaining the user credentials. Therefore, that office or organization would handle an individual’s questions or concerns as well as how those concerns would be investigated and resolved.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

Centers for Medicare and Medicaid Services (CMS) has a continuous monitoring program based on the National Institute of Science and Technology (NIST) recommendations to ensure system integrity, availability & confidentiality. This includes general processes, policies, and procedures defined under the CMS Information Systems Security and Privacy Policy (IS2P2), and specific security and privacy control implementations documented in the Medicaid and CHIP DataConnect System Security Plan (SSP) and within the CMS FISMA Controls Tracking System (CFACTS) for MAC-DC. The individual enrollment application is designed with logic checks to ensure data accuracy and integrity.

Centers for Medicare and Medicaid Services (CMS)/Center for Consumer Information and Insurance Oversight (CCIIO) has established an Enrollment Resolution and Reconciliation program to provide services necessary to resolve errors and reconcile discrepancies in enrollment data between the Health Insurance Exchange, State Based Marketplaces, issuer community, and CMS.

Yearly, CCIIO is required to review and update the enrollment process to ensure data collected is relevant to the health insurance enrollment process.

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Medicaid and CHIP DataConnect does not itself have front-end users; access to the system's information is gained through connected Business Intelligence tools. Users are typically business owners and program staff who evaluate and report on the Medicaid program. Access to PII is granted to this category of individual to assist with analytics, research, and reporting and, in some cases, to link Medicaid and CHIP DataConnect data to data from other systems (e.g., Medicare for analysis of dual Medicaid/Medicare enrollees). PII/PHI this category can access: the assigned Medicaid records number; social security number; health insurance claim number; date of birth; sex; ethnicity and race; mailing address; medical services; equipment information; supplies for which Medicaid reimbursement is requested; and materials used to determine amount of benefits allowable under Medicaid. Information on physicians and other providers of services to the beneficiary consists of an assigned provider identification number, and information used to determine whether a sanction or suspension is warranted.
  • Administrators: Administrators are those charged with maintaining the database. PII/PHI this category can access to perform job duties: the assigned Medicaid records number; social security number; health insurance claim number; date of birth; sex; ethnicity and race; mailing address; medical services; equipment information; supplies for which Medicaid reimbursement is requested; and materials used to determine amount of benefits allowable under Medicaid. Information on physicians and other providers of services to the beneficiary consists of an assigned provider identification number, information used to determine whether a sanction or suspension is warranted, direct contractor’s name, user identifier, and business e-mail address.
  • Developers: Developers gather the business rules and apply them to the systematic process of storage and manipulation. PII/PHI this category can access to perform job requirements: the assigned Medicaid records number; social security number; health insurance claim number; date of birth; sex; ethnicity and race; mailing address; medical services; equipment information; supplies for which Medicaid reimbursement is requested; and materials used to determine amount of benefits allowable under Medicaid. Information on physicians and other providers of services to the beneficiary consists of an assigned provider identification number, and information used to determine whether a sanction or suspension is warranted.
  • Contractors: Direct contractors also gather the business rules and apply them to the systematic process of storage and manipulation. PII/PHI this category can access: the assigned Medicaid records number; social security number; health insurance claim number; date of birth; sex; ethnicity and race; mailing address; medical services; equipment information; supplies for which Medicaid reimbursement is requested; and materials used to determine amount of benefits allowable under Medicaid. Information on physicians and other providers of services to the beneficiary consists of an assigned provider identification number, and information used to determine whether a sanction or suspension is warranted.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. Medicaid and CHIP DataConnect uses role-based access to determine access to PII. Medicaid and CHIP DataConnect users request access and then the CMS Medicaid and CHIP DataConnect administrators approve the request to permit different levels of access, dependent on the assigned role. Medicaid and CHIP DataConnect enforces the principle of least privilege in a number of ways: most machine configuration is fully automated, so administrators are the only people with administrative-level access to production systems; all infrastructure is managed by Amazon Web Services (AWS), so no one working on Medicaid and CHIP DataConnect has physical access to machines; each machine has specific roles assigned to it, and it can only make AWS Application Programming Interface (API) calls approved by those roles, including all access to Amazon S3; and each machine has specific security groups applied to it that limit its network capabilities, both incoming and outgoing.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Internal administrative and data science accounts are provided only to people working on Medicaid and CHIP DataConnect with CMS IDs who have a business need to use one of those accounts. Role based access control is implemented to contain access to PII and PHI to only those roles required to view based on the principles of least privilege. Users may request additional role(s) based on job needs.

Medicaid and CHIP DataConnect administrators are required to review and approve those requests based on user need and job requirements.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. To fulfill the annual training requirement, it is mandatory for all users with a CMS issued User ID to complete the IT Security Computer Based Training (CBT) - Information Security Awareness Training during annual recertification of their CMS user IDs.
Describe training system users receive (above and beyond general security and privacy awareness training): Not Applicable. System users do not receive training above and beyond general security and privacy awareness training.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Medicaid and CHIP DataConnect follows the National Archives and Records Administration (NARA) General Records Schedule (GRS) 3.1 - General Technology Management Records (disposition DAA-GRS-2013-0005-0004); item 20, for retention and destruction of user credential information captured in system audit logs. This has a retention period of temporary. Medicaid and CHIP DataConnect retains audit records for a minimum of ninety (90) days and archives old records for a minimum of one (1) year to destroy three (3) years after agreement control measures, procedures, project, activity, or transaction is obsolete, completed, terminated or superseded, but longer retention is authorized if required for business use to provide support for after-the-fact investigations of security incidents and to meet regulatory and CMS information retention requirements.

The Medicaid and CHIP program information follows the standard CMS Records Schedules (DAA-0440-2015-0007). DAA-0440-2015-0007 refers to the CMS bucket schedule Bucket 5: Beneficiary Records; sub-bucket 5: beneficiary records.

Medicaid and CHIP DataConnect follows the following CMS Records Schedules: sub-bucket 5 (Beneficiary Records) for information on eligible beneficiaries and related information involving the Medicaid and Children's Health Insurance Program (CHIP) programs. This has a retention period of destroy no sooner than 10 year(s) after cutoff but longer retention is authorized.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. Administrative controls include: Rules of Least Privilege. Technical controls include: authorized personnel with approved User ID and password; data encryption; firewalls; and intrusion detection systems. Physical controls include: Guards; PIV Cards; Key Cards; and Closed-Circuit TV (CCTV) for monitoring.