Skip to main content

National Data Warehouse

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 2/10/2023

View all CMS PIAs
PIA Information for National Data Warehouse
PIA QuestionsPIA Answers
OPDIV:CMS
PIA Unique Identifier:P-2786908-452998
Name:National Data Warehouse
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?No
Identify the operator:Contractor
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization10/23/2024
Indicate the following reason(s) for updating this PIA. Choose from the following options.PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.Migrate existing application from Virtual Data Center (VDC) to Cloud Service Provider (CSP)
Describe the purpose of the system

In response to key Contact Center: Connect (C3) initiatives and Medicare reform legislation, CMS implemented the National Data Warehouse (NDW) to Integrate data from multiple operational source systems, provide timely, accurate, and consistent reporting, function as the central metadata repository of the business logic, serve as a business intelligence tool, enabling users to create reports in a variety of formats, such as dashboards, heat maps, and grid reports; and provide solutions that offer end users high-quality support through tools such as report reference guides, training, and NDW Help Desk support.


NDW has been designated an Essential Supporting Activity (ESA) of the CMS. ESAs are prioritized critical functions that an organization must maintain during continuity activation.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

NDW receives data from contractor systems, such as 800-Medicare for contacts with Next Generation Desktop (NGD), Interactive Voice Response (IVR), Call Traffic and Web interactions, Print Fulfillment, Language Translation services, and Contact Center Training and Content (CTC) contact scoring data.


During the CCO contact with beneficiaries, pertinent information (e.g., Health Insurance Claim Number (HICN), Medicare Beneficiary Identifier (MBI), name, address, city, state, ZIP Code, phone numbers, and date of birth) is collected to generate statistics on beneficiary and consumer activities.


Access to the NDW Amazon Web Services (AWS) is only available from CMSNet, the internal, private network hosted by CMS. Users (CMS employees and CCO direct contractors) are required to enter credentials, consisting of a User ID and Password to access the application. A formal user credential request process ensures that all users are approved by CMS to access NDW reports. The C3 Security Form must be completed during this user request which may collect user email address, desk phone number, desk location, and name.


Data is retained within the NDW database until removal is requested by CMS.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The NDW uses MicroStrategy Business Intelligence (BI) software through a web-based interface. The application server provides access to reports and analytics, and the database server stores information in an Oracle database that is not available for direct end user access.

NDW application credentials are provisioned through a CMS system. A valid login session is required before viewing the initial application menu. All users are either CMS Federal employees or their direct contractors. Information stored in the NDW is received from contracted data providers on a set schedule and includes information about beneficiary contact with the Contact Center through various channels (e.g., 800-Medicare). All information received by the NDW application is provided through a secure file transfer mechanism using the CMS Enterprise File Transfer (EFT) architecture on a regular schedule.

Data providers include LIS Solutions (language translation services), Maximus (Automated Call Distributor), National Government Services (NGS) (Next Generation Desktop (NGD) activity and Contact Center Training and Content (CTC)), USA Images (printed material), and Verizon (Genesys Call Routing, Interactive Voice Response (IVR), and Inbound Call Detail Traffic). Examples of reporting includes Average Hold Time (AHT), Average Speed of Answer (ASA), number of calls for each geographic area, and analysis of information used for contractor performance assessment.

Beneficiary information provided by CCO source systems listed above is used by CMS to monitor and improve the beneficiary experience, and to help individuals and small employers exploring the Medicare Marketplace. Most Beneficiary contact occurs the CMS Call Center staff (contractor Customer Service Representative (CSRs)) and is used to improve CSR service as well as allow CMS to report on operations.

The NDW application queries the C3 Lightweight Directory Protocol as a Service (LDAPaaS) with C3 Security ID during system authentication process, but not on a regular, schedule cycle. Records in the NDW database (e.g., individual call records with information about individual Beneficiaries) are loaded daily with information received from upstream CCO contractors. Record may include PII (e.g., Name, Address, Phone Number, HICN, and/or MBI). The NDW application does not query upstream systems to "receive" records, but rather receives a report of activity collected by the upstream system. 

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Date of Birth
  • Mailing Address
  • Other - NDW Application User Credentials (User ID and Password), HICN, MBI, and employee desk location. Free form text fields may contain other information entered by the CSR and may include PII.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Business Partners/Contacts (Federal, state, local agencies)
How many individuals' PII in the system?1,000,000 or more
For what primary purpose is the PII used?

NDW serves as the central repository for capturing, aggregating, and analyzing PII information related to the Medicare beneficiary and consumer experience. PII information, such as the address and phone number are used to aggregate information for analysis and improvement of CCO services provided to the beneficiary.

System user PII is used to authenticate and gain access for system maintenance and system operations.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)None
Describe the function of the SSN.N/A
Cite the legal authority to use the SSN.N/A
Identify legal authoritiesā€‹ governing information use and disclosure specific to the system and program.Patient Protection and Affordable Care Act (PPACA) (Public Law 111-148) as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law 111-152), collectively the Affordable Care Act. Title 42 U.S.C. 18031, 18041, 18081-18083 and section 1414 of the Affordable Care Act.
Are records on the system retrieved by one or more PII data elements?No
Identify the sources of PII in the system: Directly from an individual about whom the information pertainsOnline
Identify the sources of PII in the system: Government SourcesWithin the OPDIV
Identify the sources of PII in the system: Non-Government Sources 
Identify the OMB information collection approval number and expiration dateNot applicable for collection of user credentials.
Is the PII shared with other organizations?No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.The NDW application does not directly collect information from individual Beneficiaries. The only PII collected directly by the NDW application is the User ID and password  that are required at login.A notification appears before a user logs in (warning banner) indicating that information may be monitored, recorded, and audited. Acceptance of this statement is required by clicking "OK" before proceeding to the screen where PII (User ID and Password) is voluntarily entered. The application records every instance of user access.
Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.The NDW application does not collect information directly from individual Beneficiaries. The only PII collected directly by the NDW application is the User ID and Password required at login. Entry of User ID and Password is voluntary, but required in order to login to the NDW application and access CMS data. CMS Acceptable Risk Safeguard (ARS) security policy requires that all access to systems containing CMS data (e.g., the NDW Application) must be controlled by an approved Access Control (AC) mechanism. User credentials are issued after a requestor submits an access form through the account request process. There is no option to opt-out or object to the information collection since CMS ARS required AC mechanisms must be satisfied before allowing access to CMS data.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.The NDW application does not directly collect information from individual Beneficiaries. The only PII collected directly by the NDW application is the User ID and Password required at login. Notice of changes to the NDW application is available via the CCO Connect Portal > News > Bulletin Board, which offers articles on enhanced features, new/updated reports, outages notices, and training opportunities.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The NDW Help Desk is the central point of contact if an NDW Application user is concerned about the PII used to access the system. The NDW Help Desk is available through email or phone as published in the NDW Bulletin Board and within the NDW Application after login.

The NDW Help Desk logs all requests in the CMS Application Lifecycle Management (ALM) Quality Center (QC) system for assignment to the appropriate functional area. A ticket number is provided to the requestor to track the activity through completion. Issues not adequately addressed by the NDW Help Desk can be addressed to the CMS Office of Communications (OC) , Contact Center Operations Group (CCOG), or the C3 Help Desk (c3helpdesk@myc3helpdesk.com or 866-804-0685, option #2).

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.PII (e.g., User ID and Password) entered by NDW Application users to validate access is reviewed regularly as documented in the MicroStrategy License Review Process Standard Operating Procedure (SOP). The SOP describes activities completed by the NDW Security Officer to ensure integrity, availability, accuracy, and relevancy of account information. The application request process is reviewed and each account that is created, modified, and deleted is logged to verify that actions were completed as described in support process documentation. Accounts are reviewed regularly to ensure that inactive accounts are removed in compliance with CMS ARS. The NDW Security Officer reviews NDW Help Desk requests that pertain to access requests. Report of this regular review are provided to CMS through the Biweekly Project Dashboard (BPD).
Identify who will have access to the PII in the system and the reason why they require access.

  • Users: The purpose of this system is to track the nature of customer service interaction. All levels of users require access to the customer interaction data to troubleshoot issues and/or provide analysis. Users have access to PII to execute reports that provide information about caller interactions and produce reports such as AHT, ASA, or analysis of questions based on regional area.

    NDW application users include CMS Federal employees and direct contractors.

  • Administrators: Administrators can execute reports/queries to assess the performance of the application and to troubleshoot issues. Due to the nature of administrator access, direct queries against the database may yield PII.

     

  • Developers: Similar to administrators, developers can execute reports and queries to verify the validity of new/updated report and queries. Due to the nature of their access, developers can use application tools to direct query and validate reports.

 

  • Contractors: The purpose of this system is to track the nature of customer service interaction. All levels of users require access to the customer interaction data to troubleshoot issues and/or provide analysis.

    NDW application users include CMS Federal employees and direct contractors.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Role-based access is applied to enforce least privilege rights to system users, and therefore access to PII. This includes Users, Administrators (including Operating System, Applications, and Database administrators), and Developers as described in Question 31. CMS sets guidelines for access to the Development and Production contractors in the NDW application Performance Work Statement (PWS) and approves role-based access for all administrators and developers.

If the NDW Development (direct) Contractor determines that additional system roles are required, the purpose and scope of the new role are defined and approved by the CMS Contracting Officer's Representative (COR). The NDW System Security Plan contains a list of CMS approved roles. The NDW Security Officer reviews the roles and role membership each quarter to ensure compliance and documents the activity in the BPD to record compliance.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

All NDW users are assigned to security groups that limit report type and data access the Role-based access enforces least privilege.

Examples include the Medicare Administrative Contractors, who are only able to access data specific to their area of responsibility. The system is partitioned to ensure only user required data is available.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.All users are subject to CMS' Rules of Behavior (RoB) that define responsibilities for using CMS systems. CMS requires that all users complete annual RoB and Computer Based Training for System Security and Privacy Awareness Training.
Describe training system users receive (above and beyond general security and privacy awareness training)To satisfies CMS Minimum Security Requirements standards, all NDW application users are provided training based on job duties and application access requirements. Administrators (e.g., operating system, application, and database) with elevated privileges are required to complete eight hours of security specific training each year.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The retention policy for this system is specified in National Archives and Records Administration (NARA) Guidance for Patient Protection and Affordable Care Act - Private Health Insurance Systems section 8 - Cutoff annually. Destroy seven years after cutoff.

Disposition Authority: DAA-0440-2012-0005-0013.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

PII in the NDW database is protected through layers of security which includes administrative controls over issuing accounts to end users and system administrators for access to the application and operating system. Firewall and data network access controls enforce technical controls that limit inter-service process connections to predefined devices and ports. Physical access controls in the Cloud Service Provider (CSP) hosting the NDW application include electronic door locks and monitoring, video cameras, and testing of access and environmental controls.

Administrative controls are verified through an independent audit function which includes regular reviews of system access changes and license reviews. The audit function is performed by a direct contractor separate from the Production direct contractor to ensure independence.

The NDW AWS inherits security controls from the AWS CSP General Support System (GSS) that are required to comply with a Moderate Impact system containing PII. A separate CSP PIA describes how the GSS satisfies CMS ARS requirements.