Medicaid And CHIP Financial
Date signed: 5/22/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-8717605-846562 |
| Name: | Medicaid And CHIP Financial |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 6/16/2022 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | Other - PIA Renewal |
| Describe in further detail any changes to the system that have occurred since the last PIA. | MACFin migrated into Green Field architecture. MACFin System architecture diagram has been revised in CFACTS. |
| Describe the purpose of the system | The Medicaid and CHIP Financial (MACFin) system will evolve from the existing Medicaid Budget and Expenditure System (MBES)/ Children’s Health Insurance Program Budget and Expenditure System (CBES) and Incurred but Not Reported Survey System (IBNRS), which are essential systems for Federal and state administration of the Medicaid program and Children’s Health Insurance Program (CHIP). MACFin will improve the technology, functionality, and efficiency of the existing financial reporting processes. To provide a more consolidated solution to Medicaid financial administration and oversight, it will also integrate and automate financial management processes currently external to Medicaid Budget and Expenditure System (MBES)/Children’s Health Insurance Program Budget and Expenditure System (CBES). The modernized system aims to improve the accuracy of over $550 billion in annual state-reported budget and expenditure data, which CMS (Centers for Medicare and Medicaid Services) uses to determine Federal payment amounts to states and territories for the Medicaid and CHIP programs. Additionally, MACFin also aims to enhance the Federal and state oversight of Medicaid and CHIP expenditures to ensure that expenditures comply with federal law and regulations. MACFin will also empower the Federal and state administration to evolve efficiently with ongoing programmatic and technological changes. MACFin replaces several independent smaller legacy systems and tools with a new system that uses a state-of-the-art technology platform to make future enhancements and modifications. Once implemented, MACFin integrates and automates financial management processes for a consolidated solution, thereby providing improved adaptability, flexibility, functionality, and efficiency for the following systems: Medicaid Budget and Expenditure System/State Children's Health Insurance Program Budget and Expenditure System (MBES-CBES). Financial Information Reporting System (FIRS). Incurred but Not Reported Survey System (IBNRS)-Medicaid and CHIP. Disproportionate Share Hospital (DSH) Payment Financial Database. MACFin demands strict accuracy and functionality to support managing budget, accounting, and expenditure forecasts for one of the most significant line items in federal and state budgets. The information that MACFin collects and stores is state Medicaid program financial information (budget and expenditure). MACFin calculates Disproportionate Share Hospital (DSH) allotments and provides DSH reporting. The application will store and maintain PII (name and email addresses) it collects when users go to Portal and register. When users attempt to access the system, the user enters their usernames and passwords for system access credentials. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The MACFin system will collect, maintain (store), or share email, first name, last name and username of the user via Portal. All the information is processed through user provisioning at the Identity Management (IDM) portal level (e-mail, first name, last name, user identification (ID)) that was originally captured in the system when users attempt to access the system, the user enters their usernames and passwords for system access credentials. The information that MACFin collects and stores is state Medicaid program financial information. MACFin calculates Disproportionate Share Hospital (DSH) allotments and provide DSH reporting. The application will store and maintain PII (name and email addresses) it collects when users go to Portal and register. When users attempt to access the system, the user enters their usernames and passwords for system access credentials. User access is authenticated through CMS IDM; Username and password provides access privileges to the particular user. IDM is covered by its own PIA. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Medicaid and CHIP Financial (MACFin) system will evolve from the existing Medicaid Budget and Expenditure System (MBES)/ Children’s Health Insurance Program Business and Expenditure System (CBES) and Incurred but Not Reported System (IBNRS), which are essential systems for Federal and state administration of the Medicaid program and Children’s Health Insurance Program (CHIP). MACFin will improve the technology, functionality, and efficiency of the existing financial reporting processes. The information that MACFin collects and stores is state Medicaid program financial information. In its initial release, MACFin calculates Disproportionate Share Hospital (DSH) allotments and provide DSH reporting. The application will store and maintain PII (name and email addresses) it collects when users go to Portal and register. When users attempt to access the system, the user enters their usernames and passwords for system access credentials. User access is validated through Portal IDM; username and password provide access privileges to the user. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 500-4,999 |
| For what primary purpose is the PII used? | User information is stored to send notifications to the user from the MACFin system. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable |
| Describe the function of the SSN. | Not applicable |
| Cite the legal authority to use the SSN. | Not applicable |
| Identify legal authorities governing information use and disclosure specific to the system and program. | 5 USC Section 301, Departmental Regulations |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | OMB # 0938 – 1265 Expiration Date 07/30/2027 |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Through the CMS Enterprise Portal and IDM (IDentity Management). Portal/IDM provides the guidance and control for user authentication and authorization. MACFin leverages CMS enterprise portal and IDM for user authentication. MACFin uses CMS IDM roles for initial user authorization. Fine-grained user roles and other authorization information are contained within the MACFin application. A Privacy Act Statement is required and provided to individuals when their information is solicited for The application will store and maintain PII (name and email addresses) it collects when users go to Portal and register. When users attempt to access the system, the user enters their usernames and passwords for system access credentials. User information is stored to send notifications to the user from the MACFin system. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | MACFin uses the CMS Enterprise Portal and IDM (IDentity Management) as a point of entry and presentation of MACFin system features while using the CMS Identity Management (IDM) for authentication of users. Both CMS Enterprise Portal and IDM are considered shared services of CMS with notification, consent, and disclosure of user registration PII being handled by these shared services. Through banners and informational notices posted on the CMS Enterprise Portal. When users attempt to access the system, the user enters their usernames and passwords for system access credentials. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | MACFin uses the CMS Enterprise Portal and IDM (IDentity Management) as a point of entry and presentation of MACFin system features while using the CMS Identity Management (IDM) for authentication of users. Both CMS Enterprise Portal and IDM are considered shared services of CMS with notification, consent, and disclosure of user registration PII being handled by these shared services. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If an individual has any issues will be resolved by contacting the MACFin Help Desk: Email: MACFinHelpDesk@dcca.com; Phone: 1-833-879-6075; 9AM-6PM Eastern. A PII breach incident is created with the CMS IT Service Desk (410-786-2580) within 1 hour of discovery. Analysis and action are taken to resolve the breach. Notification to the ISSO is communicated in parallel to the CMS IT Service desk notification. The loss of PII would initiate the MACFin Incident Response and Contingency Plans. The term “incident” is defined as any willfully created event, suspected event, condition, or vulnerability that could pose a threat to the confidentiality, integrity, or availability of the MACFin System or MACFin user information, information systems, applications, and data. Regardless of how the issue was found, a Service Now (CMS ITSM ServiceName) Incident will be created for tracking purposes and remediation. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The username and email are validated against the IDM repository at least once every 365 days. MACFin would encrypt data at rest using AWS Key Management Service (KMS) and be in compliance with CMS ARS requirements. All users must have an authorized username and password to enter the application. Once in the application, users can only access functions and data for which they have been explicitly granted access as documented in control AC-2 (role-based). CMS portal would provide transport encryption via HTTPS. RDS-FIPS 140 compliant encryption (data at rest). The MACFin application enforces CMS approved encryption standards in transit and at rest; Department of Health and Human Services (HHS) dictates that TLS/SSL protocols be utilized as part of HTTPS. The implementation is done by an SSL certificate that has been validated under the Cryptographic Module Validation Program. The MACFin application configures operating system controls to disable public "read" and "write" access to all system-related files, objects, and directories as well as files, objects, and directories that contain sensitive information. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Administrators will be able to view PII in support of users when there are support inquiries made about role management within the MACFin application. Administrators will have access to user management functionality. Authorization for these users will be provided directly by the MACFin Business Owner representative. The MACFin application end users utilize role-based access control to get access to information. The release team will have access to manage higher environment, and the Development team will not be able to modify data in higher environments due to separation of duties. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Administrators will be able to view names and email addresses to provide role management support. All access to PII data is logged and able to be audited. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Enterprise User Administration (EUA) based Computer Based Training (CBT), Data Computer Corporation of America (DCCA) Security Awareness training, and MACFin user manuals provide training and awareness system users. PII may only be released when authorized, there is a need to know, and adequate assurances of protection have been provided. Applicable policy mandates establishing policy regarding access to PII, including PHI are the Privacy Act of 1974, E-Government Act of 2002 (Section 208) and HIPAA. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | DevSecOP Tools and ISPG Cloud Trainings. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | MACFin Retention Record schedule is with Disposition Authority Number DM-0440-2015-0004-0001. For Financial Records (Programmatic), “Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized”. The MACFin application handles and retains information within the MACFin application and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. The MACFin team retains and audits records for ninety (90) days and archives old records one (1) year to provide support for after-the-fact investigations of security incidents and to meet regulatory and CMS information retention requirements. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative: PII is secured with user security training, separation of duties of staff having access to PII, and labeling of PII data. Technical: PII is secured with encryption during collection transport to the MACFin database starting with SSL and then the data is encrypted at rest within the database using the AWS RDS KMS service. Physical: Physical security controls are inherited from the Amazon Web Services data center where MACFin related PII is stored. The MACFin application configures operating system controls to disable public "read" and "write" access to all system-related files, objects, and directories as well as files, objects, and directories that contain sensitive information. Internal communications within MACFin will be accomplished through inter-zone traffic being communicated over JMS (Java Message Service) from EAP (Enterprise Application Platform) in the app zone into AMQ (ActiveMQ) in the data zone. All requests from the app zone and data zone will traverse this bridge. No traffic between zones will be communicated outside of the JMS – AMQ bridge thus ensuring a control for data inter-zone. Authentication will be via https through the portal and IDM, no user connectivity to data zone. Privacy by design implies that data will be protected by technology. Data at rest will be stored in Amazon Web Service (AWS) RDS which is FIPS 140 (Federal Information Processing Standards) compliant and also encrypted at rest. The MACFin application does not process, implement and store PII according to the XLC (Expedited Life Cycle) Document Design. The MACFin application team restricts the use of portable storage and mobile devices on information systems and networks containing personally identifiable information (II), without using device ownership, media sanitization and encryption controls. |
| Identify the publicly-available URL: | CMS Enterprise Portal Login |
| Does the website have a posted privacy notice? | Yes |
| Is the privacy policy available in a machine-readable format? | Yes |
| Does the website use web measurement and customization technology? | Yes |
| Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) |
|
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | No |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services