Multidimensional Insurance Data Analytics System

The Multidimensional Insurance Data Analytics System (MIDAS) solution provides mission-critical functionality that Centers for Medicare & Medicaid Services (CMS) requires to implement and manage many provisions of the Affordable Care Act (ACA).  In order to complete and sustain the various tasks mandated by the law, CMS created an analytics system that is capable of supporting and informing these enterprise functions.  This includes a data repository and analytics solution for capturing, aggregating, and analyzing health insurance and related information to support improved decision making, improved business processes and improved services to consumers, states, issuers, and other stakeholders.

MIDAS provides the following high-level functions:

--Integrates data from multiple internal operational source systems into a single data store
--Provides access to standardized reporting, ad hoc queries, and data visualization
--Provides tools to allow data analysts to work directly with the data in the system to create custom reports, dashboards, and analytics
--Provides operational reporting on the data collected and maintained

Additionally, MIDAS supports operational functions needed by CMS to manage ACA-related processes.  MIDAS supports these processes through the following mechanisms:

--Ingesting data from external stakeholders including issuers and State-based Marketplaces
--Providing detailed data extracts of data in MIDAS to other CMS systems or processes to support operations

MIDAS does not collect or store user credentials. Authentication and authorization for MIDAS admins and end users is provided by Microsoft Active Directory Domain Services which is controlled by the CMS Cloud Computing Services (CCS) Team's Amazon Web Services (AWS) cloud. The CMS AWS Cloud general support system (GSS). The CMS AWS Cloud is covered by a separate PIA.

All data in MIDAS originates from other internal or external operational systems supporting the Affordable Care Act (ACA).  MIDAS ingest data from these upstream systems. 

Federally-Facilitated Marketplace (FFM)

Financial Management (FM)
Data Services Hub (DSH)
Health Insurance Oversight System (HIOS)
Health Insurance Casework System (HICS)
State-based Marketplaces (SBM)

Federally Facilitated (FF)

Enrollment Baseline Data (EBD)

Logistics Management Institute (LMI)

Electronic Data Interchange (EDI)

National Insurance Producer Registry (NIPR)

EDGE Recal (FFM)

EDGE Recal (RTI)

OPERA (OA)

INCON

Center for Program Integrity CPI (Reli Group)

Duty First (DFC)

ISSUERS

MIDAS has data from multiple ACA-related systems at Centers for Medicare & Medicaid Services (CMS) and data from external partners including issuers and state-based Marketplaces.  The data contained in MIDAS includes:

-- Consumer eligibility and enrollment data (includes names, addresses, email, phone, date of birth, Social Security Number (SSN), Passport number, and employment status)
-- Issuer Plan Management data
-- Consumer system account data (includes name and email address)
-- Issuer Vendor Management data

Data in MIDAS is maintained indefinitely at this time. DAA-GRS-2013-0007-0013 advises to delete/destroy Personally Identifiable Information (PII) data when business use ceases. 

The data contained in MIDAS supports the following functions:

Consumer Assistance (45 CFR 155.205), Navigator Program (45 CFR 155.210), Agent Broker program (45 CFR 155.220): Data may support Centers for Medicare & Medicaid Services (CMS) certification of individuals assisting qualified individuals, employees and enrollees to enroll in Qualified Health Plans (QHP) through the Exchange. These individuals are required to register with an Exchange prior to providing any assistance.

Qualified Health Plan (QHP) certification (45 CFR 155.1000): Issuers are required to report contact information and business identifying information of QHPs seeking certification, as well as other information necessary to administer and evaluate the program.

Eligibility Determinations (45 CFR 155. 300, 155.305, 155.310), Eligibility Appeals (45 CFR 155.355) Exemption Determinations (45 CFR 155.605): Data may support eligibility determinations, eligibility appeals, and exemption determinations for any applicant/enrollee who applies or appeals, or on whose behalf an application is filed. Data also may support disclosure of information to another Federal agency, agency of a State government, a non-profit entity operating an Exchange for a State, an agency established by State law, or its fiscal agent about applicants in order to obtain information that help CMS, pursuant to agreements with CMS, to determine the eligibility of applicants to enroll in QHPs through an Exchange, in insurance affordability programs, or for a certification of exemption from the individual responsibility requirement.

Submission of Notices (45 CFR 155.230): Data may be used to support issuance of notices.

Premium Payment (45 CFR 155.240): Data may support the Exchange notification to QHP Issuers of premium payment due from enrollees.

Small Business Health Opportunity Program (SHOP) (Subpart H): Data may support information necessary for determining eligibility and enrolling qualified employees in SHOP and stores SHOP employer records.

Enrollment in QHPs (45 CFR 155.400): Data may support determination of eligibility for enrollment in QHPs and storage of enrollment records.

Oversight and Financial Integrity (45 CFR 155.200(c)):  Data may be used to fulfill the Federally-facilitated Exchange's (FFE) responsibility for performing oversight functions with respect to issuer compliance with market-wide and Exchange specific standards in connection with QHPs certified by the FFE.

Administration of Advance Premium Tax Credits (APTC) and Cost Sharing Reductions (CSR) (45 CFR 155.340): Data may be used to support advance payments made to issuers on a monthly basis for APTC and CSR for eligible enrollees, and information about cost-sharing payments necessary to reconcile estimates of cost-sharing reductions with actual cost-sharing reductions.

Coordination with Medicaid, Children's Health Insurance Program (CHIP), Basic Health Plan (BHP) and Pre-Existing Conditions Insurance Plan (PCIP) (45 CFR 155.345): Data may be used to support determinations of eligibility.

Only authorized users can access/retrieve MIDAS data. They need to be connected to the CMS virtual private network (VPN) and sign in with their Enterprise User Administration (EUA) credentials before access the data.  

• Social Security Number
• Name
• E-Mail Address
• Phone Numbers
• Date of Birth
• Mailing Address
• Employment Status
• Passport Number
• Other - -- Consumer eligibility and enrollment data (includes all the above and addresses)-- Issuer Plan Management data-- Consumer system account data (includes name and email address)-- Issuer Vendor Management data No Federal Tax Information (FTI) is contained in MIDAS.  FTI is used in the Federal and State-based Exchanges but MIDAS does not receive FTI from these systems. MIDAS receives other data from these systems but specifically excludes FTI.

• Employees
• Public Citizens
• Business Partners/Contacts (Federal, state, local agencies)
• Vendors/Suppliers/Contractors
• Other - Public Citizen data collected is from Consumers in Health Insurance Marketplaces.  
  Business partner data collected is of Health Insurance issuers.

Section 1414 of the Patient Protection and Affordable Care Act (ACA)

The ACA (1411(g)) permits the use and disclosure of personally-identifiable information (PII) collected or created by an Exchange to ensure the efficient operation of the Exchange. 45 CFR 155.260 was originally drafted with the understanding that Exchange minimum functions would ensure the efficient operation of the Exchange. Later it became clear that there were additional uses and disclosures that would not necessarily fit into the Exchange minimum function but ensured the efficient operation of an Exchange so the new version of the regulation permits the Secretary of the Department of Health and Human Services (DHHS) to determine that the disclosure of PII for purposes other than Exchange minimum functions can be made as long as certain substantive and procedural steps are followed and the consent of the subject individuals is obtained.

HIX 09-70-0560   February 6, 2013

HIX 09-70-0560   May 27, 2013

HIX 09-70-0560   October 23, 2013

HIX 09-70-0560   February 14, 2018

• Within the OPDIV
• Other Federal Entities

• Within HHS
• Other Federal Agency/Agencies
• Private Sector
• State or Local Agency/Agencies

-- Support for Health Insurance Marketplace program related operational processes.
-- Oversight and financial integrity reporting and quality activities.
-- Office of the Assistant Secretary for Planning and Evaluation (HHS ASPE) - To support oversight and financial reporting and quality activities.

--HHS Office of Inspector General (HHS OIG) - To support HHS OIG audits and law enforcement investigations

-- Veterans Health Administration - Consumer eligibility determinations for Marketplace coverage
-- US Dept of Defense - Consumer eligibility determinations for Marketplace coverage
-- US Dept of Homeland Security - Consumer eligibility determinations for Marketplace coverage
-- Internal Revenue Service to verify household income and family size for eligibility and exemption determinations
-- Social Security Administration - Consumer eligibility determinations for Marketplace coverage
-- Office of Personnel Management - Consumer eligibility determinations for Marketplace coverage
-- Peace Corps - Consumer eligibility determinations for Marketplace coverage
-- U.S. Government Accountability Office (U.S. GAO) - To support GAO audits

--Congressional Budget Office for research, analysis, and budget projections

Computer Matching Agreements (CMAs)
2016-08 (CMA btw. Centers for Medicare & Medicaid Services (CMS) and Veterans Health Administration)
2016-02 (CMA btw. CMS and US Dept of Defense)
2018-09 (CMA btw. CMS and Internal Revenue Service) [a work in progress]
2018-09 (CMA btw. CMS and US Dept of Homeland Security) [a work in progress]
2016-11 (CMA btw. CMS and State-based Exchanges)
2016-09 (CMA btw. CMS and Social Security Administration)
2016-14 (CMA btw. CMS and Office of Personnel Management) 
2016-15 (CMS btw. CMS and Peace Corps)

Information Exchange Agreements (IEAs)
2013-01 (IEA btw. CMS and Internal Revenue Service)
2013-02 (IEA btw. CMS and State-based Exchanges)
2013-03 (IEA btw. CMS and State Medicaid/Children's Health Insurance Program (CHIP) Agencies)

The PII contained in MIDAS is collected from other source systems.  The source systems identified in the System of Record and Notice (SORN) have the responsibility to notify individuals.

HIX 09-70-0560   February 6, 2013
HIX 09-70-0560   May 27, 2013
HIX 09-70-0560   October 23, 2013

HIX 09-70-0560   February 14, 2018

The PII contained in MIDAS is collected from other source systems.  The source systems identified in the System of Record and Notice (SORN) have the responsibility to notify individuals.

All major system changes concerning personally-identifiable information (PII) are published for comment in the Federal Register as part of a modification of the applicable SORN.

HIX 09-70-0560   February 6, 2013
HIX 09-70-0560   May 27, 2013
HIX 09-70-0560   October 23, 2013

HIX 09-70-0560   February 14, 2018

An individual record subject who wishes to know if MIDAS system contains records about him or her should write to the system manager who will require the system name, and for verification purposes, the subject individual’s name (woman’s maiden name, if applicable), and social security number (SSN) (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay).

An individual seeking access to records about him or her in this system should write to the system manager and reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2).)

To contest a record, the subject individual should contact the system manager, and reasonably identify the record and specify the information being contested. The individual should state the corrective action sought and the reasons for the
correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)

System Manager:
Director, Consumer Information and Insurance Systems Group, Center for Consumer Information and Insurance Oversight, Centers for Medicare & Medicaid Services
7501 Wisconsin Ave, 9th Floor
Bethesda, MD 20814

• Users: Centers for Medicare & Medicaid Services (CMS) and HHS Data Analysts and designated contractor data analysts need access to this data to support reporting, analytics, and support for operational processes
• Administrators: Administrators are required in order to support system operations and maintenance
• Developers: Development of detailed data extracts from MIDAS that are provided to other systems or operational processes to support overall Affordable Care Act (ACA)-related functions at Centers for Medicare & Medicaid Services (CMS)
• Contractors: MIDAS is a contractor-managed system.  The contractor, and its sub-contractors are direct contractors for this system and require access to the personally-identifiable information (PII) to support system operations, upgrades, and maintenance.  

MIDAS applies the principle of least privilege as well as a role-based view on granting rights. All access for the groups is requested and approved before being granted. All Production access requires Program Manager approval. 
Each user is assigned a Role and each Role's rights are restricted to only the data and server resources needed to perform their job. Access requests are tracked via service request tickets. For planning, approving, and auditing, MIDAS utilizes a Roles and Responsibilities matrix to review and track what resources are accessible at the application level as well as the server level. A monthly audit is performed for system accounts and biweekly audit of user accounts is required.  New MIDAS project team members are processed through an on boarding process that defines their role and all information and approvals are archived in a trackable service request.

MIDAS is hosted in a secure, Federal Information Security Management Act (FISMA)-compliant data center and the Federal Risk and Authorization Management Program (FedRAMP) approved cloud.  Physical access to the system is limited to data center administrators only.  User access is also dependent upon Centers for Medicare & Medicaid Services (CMS) approval.