Next Generation Desktop

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 1/25/2023

PIA Information for Next Generation Desktop
PIA Questions PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-6855158-258143
Name: Next Generation Desktop
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? No
Identify the operator: Contractor
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 5/13/2022
Indicate the following reason(s) for updating this PIA. Choose from the following options. PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA. The Next Generation Desktop (NGD) continually reviews and updates the supporting system components and functionality. However, those changes do not directly impact the privacy posture of the system, introduce new risks to privacy or include any additional elements of personally identifiable or protected health information (PII and PHI).
Describe the purpose of the system

The Next Generation Desktop (NGD) is a Centers for Medicare and Medicaid (CMS) Customer Relationship Management (CRM) system. It was created to handle inquiries for the 1-800-Medicare Helpline and the Affordable Care Act (ACA) Federally Facilitated Marketplace (FFM) Helpline. NGD relies on a team of customer service representatives (CSR) to interact with the beneficiaries. Beneficiaries and the general public do not have direct access to the NGD system.

NGD supports the Virtual Call Center Strategy (VCS) initiatives of the CMS Office of Communications, Call Center Operations Group.

The purpose of NGD is: to provide a resource for beneficiaries and future beneficiaries on general information regarding Medicare and ACA coverages so that the beneficiaries can make informed Medicare decisions; to allow CSRs access to information on Medicare and ACA coverages if a beneficiary has a question about their coverage; and to provide a source for CMS to track consumer interactions about eligibility, enrollment, payment questions and general consumer assistance.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The NGD accesses and stores information about Medicare and ACA beneficiaries. This information is transferred from several other CMS systems that maintain their own Privacy Impact Assessments (PIA) and system security for the information in them.

The separate CMS systems are: Fiscal Intermediary Shared System (FISS), Common Working File (CWF), Medicare Beneficiary Record (MBR), Eligibility Database (EDB), Multi-Carrier System (MCS), Viable Medicare Shared System (VMS) and the National Data Warehouse (NDW).

Beneficiary information that NGD accesses includes Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN) - as historic information, name, date of birth, sex, employment status, medical claims information (including Medical Records numbers), telephone number, address, and relationship to beneficiary. Only the beneficiary's MBI or HICN, name, and e-mail address are stored in NGD in order to provide support. Access to Medicare beneficiary information requires callers to submit identifying information.

NGD CSRs access general, publicly available Medicare and ACA healthcare information such as medical plans, links to other CMS resources, scripts to respond to general coverage questions, telephone numbers of other CMS resources and providers' names, addresses and phone numbers.

The NGD maintains a caller history log for CMS auditing and evaluation purposes. The information includes length of call, CSR identifiers, MBI and medical claim number (if applicable).

Information collected by NGD for the system support staff, CMS employees and direct contractors, includes their username, password and business email address. The username is provided as part of the employment process and the password is created by the user.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The NGD is a CSR/CSM platform used to interact with Medicare and ACA beneficiaries and the general public that may have questions about Medicare or ACA. NGD accesses beneficiaries' information, general information about Medicare and ACA, limited medical provider information and system user information.

This information is from several other CMS systems that maintain PIAs for the information in them. The separate CMS systems are: Fiscal Intermediary Shared System (FISS), Common Working File (CWF), Medicare Beneficiary Record (MBR), Eligibility Database (EDB), Multi-Carrier System (MCS), Viable Medicare Shared System (VMS) and the National Data Warehouse (NDW).

Beneficiary information that NGD accesses includes Medicare Beneficiary Identifier (MBI) or prior Health Insurance Claim Number (HICN), name, date of birth, sex, employment status, medical claims information (including Medical Records numbers), telephone number, address, and relationship to beneficiary. Only the beneficiary's MBI or HICN, name, and e-mail address are stored in NGD in order to provide support. Access to Medicare beneficiary information requires callers to submit identifying information. PII is accessed by the CSR for the duration of the call to answer questions; any changes are stored temporarily and transferred to the NDW system nightly. As mentioned, NDW is a separate CMS system with its own PIA for the information contained in it.

NGD accesses general Medicare and ACA healthcare information such as medical plans, links to other CMS resources, scripts to respond to general coverage questions, telephone number of other CMS resources and providers' names, addresses and phone numbers. This information is accessible for as long as it is applicable.

The NGD maintains a caller history log for CMS auditing and evaluation purposes. The information includes length of call, CSR identifiers, MBI and medical claim number (if applicable). The history logs are kept in the active NGD database for 3 years after the interactions are set to a status of “Done”. Then, the completed interactions are purged. For calls, completing the interaction usually takes place within a minute or so of the person hanging up.

Information collected by NGD for the system support staff, CMS employees and direct contractors, includes their username, password and business email address. The username is provided as part of the employment process and the password is created by the user. System user information is retained for the duration of the user's employment.

NGD uses PII to retrieve beneficiary records such as name, Medicare number, Medicare Beneficiary Identifier (MBI). System users' username and password are used to log onto the system.

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Employment Status
  • Other - Medical claims information, Medicare Beneficiary Identifier (MBI), Health Insurance Claim Number (HICN); Username, Password, Sex, Relationship to the Beneficiary.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Vendors/Suppliers/Contractors
How many individuals' PII is in the system? 1,000,000 or more
For what primary purpose is the PII used?

PII of beneficiaries is used to respond to questions about Medicare or ACA coverage.

The PII of NGD system support staff is used to access the functionality of the system. 

Describe the secondary uses for which the PII will be used (e.g. testing, training or research). Secondary uses of PII are for internal CMS application testing and training on the system for internal system support users.
Describe the function of the SSN. Not applicable.
Cite the legal authority to use the SSN. Not applicable.
Identify legal authorities governing information use and disclosure specific to the system and program.

Authority for maintenance of the system is given under sections 1102, 1804(b), and 1851(d) of the Social Security Act (42 United States Code (U.S.C.) 1302, 1395b–2(b), and 1395w–21(d)), and OMB Circular A–123, Internal Control Systems, and Title 42 U.S.C. section 1395w–21(d) (Pub. L. 105–3, the Balanced Budget Act of 1997).

Patient Protection and Affordable Care Act (PPACA) (Pub. L. 111–148) as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111–152), collectively the Affordable Care Act. Title 42 U.S.C. 18031, 18041, 18081–18083 and section 1414 of the Affordable Care Act.

The Medicare Modernization Act of 2013

5 U.S.C. Section 301 Departmental Regulations

Are records on the system retrieved by one or more PII data elements? Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. 1-800 Medicare Helpline (HELPLINE), 09-70-0535. Published 5/12/2003, updated 2/26/2008 and 2/14/2018.
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • In-Person
  • Online
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
Identify the sources of PII in the system: Non-Government Sources
  • Members of the Public
Identify the OMB information collection approval number and expiration date: Not Applicable
Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Prior to assisting a caller, the CSR advises the caller that their personal information may be needed to provide answers to their questions.

When NGD CSRs access the system, they are presented with the CMS warning banner that they are accessing a government system.

NGD support staff (CMS employees and direct contractors) are notified as part of the general employment hire/onboarding process that personal information is needed to work at CMS or to have access to CMS information systems. 

Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

In order to obtain assistance with their benefits, a beneficiary would need to provide some PII to receive accurate assistance. However, a beneficiary can prevent the information about the interaction from being associated with their Medicare records by refusing to provide a Medicare number or a name when calling. The call is then treated as a ‘contact’ call that comes from a member of the general public rather than a call about a specific beneficiary’s healthcare information.

There is a ‘do not call’ option that the beneficiary may activate by simply requesting it when speaking with a CSR. This option is noted and prevents further contact with the beneficiary.

There is no opt-out process for staff that support the NGD application. The PII is required to log into the system to perform their job functions.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

The NGD system is a platform to verify a beneficiary's information stored in other CMS systems. There is not a process to notify a beneficiary that major changes have occurred to NGD as changes would not directly impact the PII.

Support staff for NGD are notified of any major changes that occur to the system via email and/or NGD program meetings.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

A beneficiary can advise the CSR that their PII is inaccurate and can provide updated information over the telephone. If they believe their PII has been inappropriately obtained, used or disclosed, they would be directed to contact the medicare.gov help desk.

NGD system support staff (CMS employees and direct contractors) would contact either the CMS Help Desk or follow their corporate procedures to report any concerns.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. NGD receives a validation crosswalk of PII from the CMS systems that collect and source the PII to ensure the PII accuracy and integrity. The other CMS systems are responsible for reviewing and maintaining the accuracy of the PII. Activity logs of CSR interactions are periodically reviewed to ensure the relevancy of PII. User account information is monitored and reviewed to determine the validity and relevancy of accounts. Accounts can be deactivated or deleted based on usage by system administrators and managers.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Users are the Call Center CSRs. They have access to PII to service the calls from Medicare and Marketplace beneficiaries.
  • Administrators: Some types of administrators (database, business analyst) may have access to PII to manage user accounts.
  • Contractors: In their roles as administrators or call center employees, CMS direct contractors would have access to PII in accordance with the functions of those roles.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. System user access to PII is restricted based on the principles of least privilege and the system role. Access needs are determined by NGD management. System administrators, network administrators and developers have very limited access to PII to perform their job functions. Business analysts and system administrators access PII only as required. All of these system accounts are reviewed annually and are authorized by management.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. System users are assigned specific application and database access and responsibilities according to their specific roles, which limits the amount of PII that they may access. This access is determined by their position and reviewed annually by managers and system administrators.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. All CMS employees and direct contractors with access to CMS information systems are required to take an Annual Security and Privacy Awareness Training course. CMS employees take the CMS Information Systems Security and Privacy Training (ISSPT). CMS direct contractors may take the ISSPT and also the annual training provided by their company. Training completion is acknowledged, and a certificate of completion is provided.
Describe training system users receive (above and beyond general security and privacy awareness training)

Role-based training is required for each user with significant security responsibilities who access the system. This training is acknowledged via the completion of training documentation prior to accessing the system.

Administrators with elevated privileges are required to complete additional security-specific training on an annual basis.

Additionally, the NGD National Site Administrator (NSA) and Local Site Administrators (LSA) attend training sessions conducted by the NGD Training team and must pass a certification exam prior to accessing NGD.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. NGD follows the CMS Records Control Schedules (RCS) filed with the National Archives and Records Administration (NARA), in accordance with DAA-0440-2015-000, Bucket 5 "Beneficiary Records," which states that records are retained for up to 30 years. NGD also follows additional NARA General Records Schedules (GRS) 3.1 and 3.2. The destruction of records varies, with the longest length of time being 7 years unless the records are required for other business, legal or investigative use.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The NGD system secures PII with the following technical controls: a multi-tiered technology architecture, multiple types and layers of firewalls, intrusion detection technology and encryption of connections/access, multifactor authentication, and encryption of data in transit and at rest.

Administrative controls include strict role-based access, training of personnel, account review and auditing of user activities, including disabling accounts.

The NGD system and supporting infrastructure are housed in a CMS FISMA ATO-ed datacenter. The physical controls include the use of ID badges, PIN numbers and access cards, video monitoring of the data centers and 24-hour security guards.