Medicaid Drug Programs
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 8/23/2022
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-9577496-276883 |
Name: | Medicaid Drug Programs |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Agency |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 7/8/2022 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Medicaid Drug Programs (MDP) has absorbed the business functions of the legacy Medicaid Drug Rebate (MDR) and Drug Data Reporting (DRR) system. Additionally, MDP has assumed responsibility and business functions previously provided by the legacy MDR system, Federal Upper Limit pricing (FUL) processes, annual Drug Utilization Review survey and report (DUR), and the Branded Prescription Drugs (BPD) processes with the IRS. |
Describe the purpose of the system | Medicaid Drug Programs (MDP) is the modernized solution for the Centers for Medicare & Medicaid Services (CMS), states, and drug manufacturers to manage and oversee the Medicaid Drug Rebate program to ensure that Medicaid drug expenses comply with Federal regulations and statutes. MDP has assumed responsibility and business functions previously provided by the legacy Medicaid Drug Rebate (MDR) system, Federal Upper Limit pricing (FUL) processes, annual Drug Utilization Review survey and report (DUR), and the Branded Prescription Drugs (BPD) processes with the IRS. The MDP product improves upon the technology, functionality, and efficiency of the existing outpatient prescription drug reporting processes, and the continuous development of this product will further improve analysis, data sharing, program monitoring, impact analysis, metrics, program-to-operations comparisons, state-to-state comparisons, and the support manufacturers and other stakeholders receive. MDP will provide CMS the ability to properly oversee the Medicaid Drug Programs while providing support to drug manufacturing companies and state agencies, and data to the IRS for the Branded Prescription Drug program. The MDP product supports rebate agreement administration; product, monthly pricing and the quarterly data file submission process; state data submissions processes; drug utilization review process; drug utilization discrepancy process; federal upper limit calculation process; and rebate calculation process. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The system will collect and store User Credentialing Information (User ID, User Name, User Email address); however, the user's access to the application is validated by the CMS Enterprise Portal through CMS Identity Management (IDM). IDM is covered by its own Privacy Impact Assessment. The system also collects Drug Manufacturer Information (Drug Product and confidential drug pricing data per OMB #0938-0578, expires: 05/31/2024) and stores State Drug Utilization Information (State Drug Utilization data). The system also collects phone numbers, mailing addresses and names. The users of the system are CMS Employees, Drug Manufacturers, and States. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The product and quarterly pricing data that is collected by MDP is used to calculate quarterly rebate amounts that drug manufacturers pay to the states, who in turn collect the Federal and State Government's portion. The product and monthly pricing data is also used to determine the Federal Upper Limit (FUL) amounts. The state drug utilization data does not contain confidential data fields and is stored in MDP for use by CMS, States and drug manufacturers to verify utilization reflected on state drug rebate invoices. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 500-4,999 |
For what primary purpose is the PII used? | The PII is required to create a user account within IDM which allows the user to access the application. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There is not a secondary use for PII. |
Describe the function of the SSN. | Not Applicable |
Cite the legal authority to use the SSN. | Not Applicable |
Identify legal authorities governing information use and disclosure specific to the system and program. | 5 USC 301, Departmental Regulations |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | OMB #0938-0578, expires 05/31/2024 |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Users are notified as part of the process to access CMS systems that PII will be collected. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The warning on every user's computer when they log into the HHS domain explains that you are agreeing to be monitored while using the computer and the network. So, if you click on OK and continue to log in, it means you accept the conditions of the warning. Therefore, if you log into the computer or the domain, everything you do is being monitored and is in the purview of the government. And since you log in with your user name, that information is part of what is being monitored. This is why there is no option to opt-out of the collection or use of PII, unless you choose not to log into the government computer or the domain. The PII being collected is limited to name and email address for federal employees and supporting contractors. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | If CMS changes its practices with regard to the collection or handling of PII related to MDP, CMS will adopt measures to provide any required notice and obtain consent from individuals regarding the collection and/or use of PII. This may include e-mail to individuals, adding or updating online notices, or other available means to inform the individual. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | In the event an employee believes that their PII has been inappropriately obtained, used, or disclosed, the employee may contact the HHS Computer Security Incident Response Center, HHS Information Technology Infrastructure and Operations (ITIO) Service Desk, or OS Incident Response Team directly to report an incident via email. Users are provided the Computer Security Incident Response Center's (CSIRC) email address via the Annual Security Awareness trainings. The HHS ITIO Service Desk can also provide each email address to any users upon request. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The logs in MDP come from the email system and Active Directory, where the system owners already have processes in place for data integrity, availability, accuracy, and relevancy. MDP simply gets a copy of this information. When the data reaches the MDP servers, only the MDP administrators can access this information. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Individuals designated as account management personnel are provided access to account management functionality via access controls in accordance with 'least privilege'. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | MDP uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. System Administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if no longer required. Activities of all users, including system administrators, are logged and reviewed by the MDP Information System Security Officer (ISSO) to identify abnormal activities, if any. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All users are required to complete the CMS Security and Privacy Awareness training, provided annually as a Computer Based Training (CBT) course. Direct Contractors also complete their annual corporate security training. Individuals with privileged access must also complete role-based security training commensurate with the position they are working. |
Describe training system users receive (above and beyond general security and privacy awareness training) | CMS employees and direct contractors with privileged access are required to complete role-based training and meet continuing education requirements commensurate with their role. Other training avenues such as conferences, seminars and classroom training provided by CMS/HHS are available apart from the regular annual training. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | MDP adheres to CMS Security Policies to ensure the confidentiality, integrity, and availability of the PII data. This includes encryption standard, role-based access control, and chain of custody processes. National Archives and Records Administration (NARA) record retention follows: IT Security schedule 817-4 for Incident Response Unclassified Systems. Record retention is for 1 year after cut-off (N1-64-08-12, item 27). System Engineering: Schedule 820 with destruction 5 years after cut-off (N1-64-08-12, item 33) and Data Management schedules 821-1 and 821-2. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Only designated personnel will have accounts within MDP system and access control will be implemented based on the user's role. Any PII data will be stored on MDP servers and secured in an MDP data center. |
Identify the publicly-available URL: | https://portal.cms.gov |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply) |
|
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government websites external to HHS? | No |