Medicare Authenticated Experience
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 3/11/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-4937336-530704 |
| Name: | Medicare Authenticated Experience |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Identify the operator: | Agency |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 12/14/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | Anonymous to Non-Anonymous |
| Describe in further detail any changes to the system that have occurred since the last PIA. | The last PIA described the retrieval of data from BEDAP for presentation to the consumer and stated the data was not kept over 24 hours. That has changed, and Medicare Authenticated Experience (MAX) will now be retrieving the same data elements from BEDAP as before, in addition to storing it within MAX for use in predictive modeling to identify people who can benefit from Medicare benefits, including subsidy programs.
|
| Describe the purpose of the system | The MAX System was developed for the Centers for Medicare & Medicaid Services (CMS) agency-wide eMedicare initiative. The goal of MAX is to provide a seamless, omnichannel, customer experience to meet the growing expectations and needs of tech-savvy Medicare beneficiaries. The products delivered under the MAX task order will provide a personalized Medicare experience and outreach, focusing on individual beneficiaries, and be part of a broader integrated website that offers digital products across multiple channels and enables beneficiaries to explore their care choices, explore and enroll in health plans, and read and print important Medicare information. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | MAX does not collect Protected Health Information (PHI)/Personally Identifiable information (PII), it receives PHI/PII from the BEDAP system which is subsystem under Medicare Online Support System (MOSS) and returns this data to the consumer.
Part B effective date. User zip code and county data logged in Splunk is archived and stored for 1 year should any audit of the system need to take place. Splunk is the enterprise SIEM (Security information and event management) tool used by CMS to collect and store security audit events. MCT will store/transmit the following PII/PHI: Beneficiary Name, Health Insurance Claim Number (HICN)/Medicare Beneficiary Identifier (MBI), and Drug Plan to/from external CMS system integrations. This data will be stored in a separate database from the HPMS collected data. BEDAP: BEDAP stores PII/PHI about Medicare beneficiaries, including eligibility & enrollment, Medicare claims (including prescription drug events), digital services utilization, email interactions (subscribes/unsubscribes/clicks/opens), Short Message Service (SMS) interactions (subscribes/unsubscribes/replies), and call center contact history. In the future, BEDAP will also store data from the Federal Trade Commission (FTC) related to do-not-call list membership. CCXP: The information being collected from data.medicare.gov is all facility information (address, phone, etc.) and some demographic information, all of which is public information.
|
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The products delivered under the MAX task order will provide a personalized Medicare experience, focusing on individual Medicare beneficiaries, and be part of a broader integrated website that offers digital products across multiple channels and enables beneficiaries to explore their care choices, explore and enroll in health plans, participate in outreach and read and print important Medicare information.
BEDAP: BEDAP stores PII/PHI about Medicare beneficiaries, including eligibility & enrollment, Medicare claims (including prescription drug events), digital services utilization, email interactions (subscribes/unsubscribes/clicks/opens), Short Message Service (SMS) interactions (subscribes/unsubscribes/replies), and call center contact history. In the future, BEDAP will also store data from the Federal Trade Commission (FTC) related to do-not-call list membership.
System administrators log on with a user ID and password. System administrators are CMS employees and direct contractors. Login credentials are maintained for as long as the system user requires access.)
|
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 1,000,000 or more |
| For what primary purpose is the PII used? | MAX utilizes the following elements to retrieve beneficiary information to provide personalized beneficiary experience when viewing Medicare information on the website. Medicare Beneficiary Identification (ID) (MBI) or Health Insurance Claim Number (HICN), along with email address will be collected also with: last name Address zip code or city Race Unique alphanumeric identifier MBOI MAX uses PII elements in predictive modeling to identify people who can benefit from Medicare benefits, including subsidy programs. Reference data elements listed in Appendix A. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable |
| Describe the function of the SSN. | MAX System does not use SSN |
| Cite the legal authority to use the SSN. | N/A |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for maintenance of the system is given under sections 1102, 1804(b), and 1851(d) of the Social Security Act (42 United States Code (U.S.C.) 1302, 1395b–2(b), and 1395w– 21(d)), 5 USC 301, Departmental Regulations, Title 42 U.S.C. section 1395w–21 (d) (Pub. L. 105–3, the Balanced Budget Act of 1997), Balanced Budget Act of 1997 (Title IV, Subtitle H, Chapter 4, Sec. 4732, Inflation Reduction Act of 2022 (Subtitle B, Part 5, Sec. 11404) and Medicare Prescription Drug, Improvement and Modernization Act of 2003 (MMA) (Title 1, SEC. 1860D–14). |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: 1–800 Medicare Helpline (HELPLINE), System No. 09–70–0535 |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | Title: Medicare Authorization to Disclose Personal Health Information (CMS-10106) OMB#: 0938-0930 Expires: November 30, 2025 |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | A Privacy Act Statement is made available to individuals during the account creation process and within the Privacy Policy of the website. In addition, the following language is listed in the Privacy Policy for each website: CMS websites do not collect any Personally Identifiable Information (PII) about individuals during their visit unless they choose to provide it to us. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The MAX system has no Opt-out because the user login via Medicare.gov and session token is established. This token is provided by the Scalable Login System (SLS). Once the token is established, MAX presents them a unified session across all mymedicare.gov. This allows for the consistent header to know which user and access to their display information to be the same across all pages. It does this by looking up information in BEDAP for information that isn't provided by SLS. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | MAX does not have a process to notify individuals whose Personally Identifiable Information (PII) is in the system when major changes occur to the system. Individuals submit Personally Identifiable Information (PII) for the purpose of obtaining search results from Medicare.gov. If CMS makes a major change related to PII, they will update online notices on CMS.gov (https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Privacy-Policy) and Medicare.gov (https://www.medicare.gov/privacy-policy). |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If a user believes their Personally Identifiable Information (PII) has been inappropriately obtained, used, or disclosed: They should first contact the Medicare Call Center at 1-800-MEDICARE (1-800-633-4227). The Medicare Call Center will then report the issue to the Office of Communications (OC) / Web and Emerging Technologies Group (WETG) and the CMS Privacy Office who will investigate the incident. WETG will work with its resources and the Privacy Office to determine the root cause of the issue, resolve the immediate issue, and put in additional safeguards to ensure that the issue does not occur again. If a user believes their Personally Identifiable Information (PII) is inaccurate: They should first contact the Medicare Call Center at 1-800-MEDICARE (1-800 PIA-029-633-4227). The Medicare Call Center may be able to address the inaccurate PII, depending on exactly where the data is stored. If the Medicare Call Center is unable to resolve the inaccurate PII date issue on their own, they will then report the issue to the Office of Communications (OC) / WETG, WETG will work with the individual to have their data corrected. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | CMS has a National Institute of Standards and Technology (NIST) compliant continuous monitoring program to ensure system integrity, availability, accuracy, and relevancy. The source data for MAX is contained within BEDAP sub-system of MOSS. MOSS has its own PIA. All web transactions and software functions are logged, and logs are aggregated into Splunk and stored for 1 year should any audit of the system need to take place. All logs in Splunk are reviewed for anomalies by the MAX team.
|
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | CMS uses role-based access controls to ensure administrators and contractors are granted access on a "need-to-know" and "need-to-access" commensurate with their assigned duties. CMS grants access to those the accounts. This is a shared responsibility between CMS and contractors, Oddball, Blast Analytics and (Amazon Web Services) AWS - |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | There are three methods for restricting access. First, is to program user interfaces to limit the display of PII to only those elements needed to perform specific tasks. Second, is to limit the transmission of Personally Identifiable Information (PII) to validate information rather than copy or pull information from another authoritative source. Third, is to implement role-based access controls and auditing to ensure those with access have a "need-to-know" and "need to access". |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Both Federal and CMS Contractor staff who access or operate a CMS system are required to complete the annual CMS Security Awareness training provided annually as Computer Based Training (CBT) course. Contractors also complete their annual corporate security training. Individuals with privileged access must also complete their annual role-based security training commensurate with the position they are working in. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | CMS employees and CMS direct contractors with privileged access are required to complete role-based training and meet continuing education requirements commensurate with their role. Certificates of role-based training are kept on file. Training may include but not limited to Online System Administrator specific training, ISSO training, Security based training, Developer training specific to the tools the developer uses, Computer-based training, conferences, and Webinars are also used for role-based training. Certain role-based certification training may also have an expiration date, the trainee should continue his/her training to comply with the requirements of that certification such as but not limited to Continuing Education Units (CEU) or additional required professional publications, and Professional Organizational meetings such as Computing Technology Industry Association (CompTIA), International Systems Security Certification Consortium (ISC2), Amazon Web Services (AWS) certification training etc., professional meetings. Security based training such as Security Awareness Training is taken annually. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | MAX follows the CMS Records Schedule, which is aligned with the National Archives Records Administration (NARA) Records Control Schedule Systems and Data Security Records Systems Not Requiring Special Accountability for Access Beneficiary Records MAX follows the Data Destruction Standards prescribed in NIST Special Publication (SP) 800-88.
|
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative – MAX follows the least privilege principle, meaning that only those that require access to the data to perform their duties are granted that access. In addition, all CMS employees and contractors are required to take privacy and security awareness training that explains the requirements for handling sensitive data. All security controls are reviewed both internally and by an auditor from a third-party accredited organization (3PAO) during Adaptive Control Testing (ACT) to ensure compliance with CMS security standards. Technical - MAX system is built using industry best practices and independently reviewed against FISMA and NIST Security and Privacy controls to ensure technical, operational, and management controls are properly applied. This includes the necessary FIPS 140-2 encryption standards to protect the PII both in transit and at rest. In addition, MAX uses the following security principles: define-in-depth, continuous monitoring, and role-based access control. Physical - This system is in a world-class Tier-1 network data center which provides premier physical control protections. The data center undergoes its own ACT from a 3PAO to ensure compliance with all physical security controls. |
| Identify the publicly-available URL: | api.medicare.gov |
| Does the website have a posted privacy notice? | No |
| Is the privacy policy available in a machine-readable format? | No |
| Does the website use web measurement and customization technology? | Yes |
| Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) | Persistent Cookies Other - Google Analytics and Tealium. Tealium may collect PII if a user has explicitly opted in. Web Usage stats via New Relic which is used as an application monitoring tools - No PII is collected. |
| Web Beacons - Collects PII?: No | |
| Web Bugs - Collects PII?: No | |
| Session Cookies - Collects PII?: No | |
| Persistent Cookies - Collects PII?: Yes | |
| Other - Collects PII?: Yes | |
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | Yes |
| Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? |