Office of Hearings Case and Document Management System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 10/31/2023
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-8635389-834629 |
| Name: | Office of Hearings Case and Document Management System |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 4/18/2024 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | There have been changes to Office of Hearings Case and Document Management System (OH CDMS) in the following areas. Provider Reimbursement Review Board (PRRB) and Medicare Geographic Classification Review Board (MGCRB) have been updated to make the system more user friendly in terms of processing for the internal Office of Hearings users. The changes made allow OH Staff to be more successful and more efficient in completing their regular tasks. The original Hearing Officer Case Tracker (HOCT) has been updated and split into two modules Medicare Advantage-Risk Adjustment Data Validation (MA-RADV) and non-Risk Adjustment Data Validation (RADV) appeals Hearing Officer (HOM). These changes were done to accommodate the differences between the two types of appeals and how they are processed. With these improvements, regardless of module, there has been no additional gathering and/or storing of either PII or PHI data. All updates have been to either correct previously non-functioning System functionality or to streamline existing functionalities for all modules. |
| Describe the purpose of the system | The Office of Hearings and Inquiries has developed and implemented the OH CDMS system which is aimed at achieving an automated workflow and electronic filing system to minimize paper processing and increase the accuracy of the appeal process. OH CDMS allows for transparency between users and consist of four (4) modules: 1) Provider Reimbursement Review Board (PRRB) 2) Medicare Geographic Classification Review Board (MGCRB) and Computation 3) Hearing Officer (HOM). 4) Medicare Advantage (MA) Risk Adjustment Data Validation (RADV). Each of the four (4) modules are a standalone that run independently of each other.
|
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The OH CDMS system collects and maintains/stores appeal information for PRRB, MGCRB, and HOM, and MA RADV. This information is collected from institutional appellants including hospitals, Medicare Administrative Contractors (MACs), Appeals Support Contractor (ASC), Representative Organizations, states, and CMS employees/contractors. The type of information collected includes Provider Name, Provider Number, Contact Information, appeal type, actions, outcomes, and user information. In addition, document files in MA RADV and HOM may contain patient specific information, for example medical record information. These are required as the Contractors or CMS employees review, evaluate and determine the outcome of an appeal. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The OH CDMS system was created to migrate from a paper based manual process case management system to a more automated process that includes storing of data and uploaded electronic documentation files for cases created to track the appeal and the related activity throughout the appeal's lifecycle. The system supports an appeal from the initial request, the maintenance of the appeal, corresponding with the PRRB, MGCRB, HOM and MA RADV, and the outcome or decisions on the appeal request.
|
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 500-4,999 |
| For what primary purpose is the PII used? | PII may be included in document files only needed to review and render decisions on the MA RADV or HOM appeals. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | PII is used to create system accounts and then is used to retrieve Contact History and Cases |
| Describe the function of the SSN. | The SSN is not explicitly collected, maintained, or transmitted. |
| Cite the legal authority to use the SSN. | The SSN is not explicitly collected, maintained, or transmitted. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104–191, which was enacted on August 21, 1996. Through subtitle F of title II of that law, the Congress added to title XI of the Social Security Act a new part C, entitled ‘‘Administrative Simplification.’’ (Public Law 104–191 affects several titles in the United States Code); 5 USC 552 a(e) (1); 45 CFR 164.514 (e); 44. USC.3544; 42 USC 1306. |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | The SORN applicable to this system is Medicare Appeals System (09-70-0566) Published: SORN 09-70-3005 Correspondence Tracking Management System (CTMS) Published: SORN 09-70-0008 National Provider System (NPS) Published: SORN 09-70-0591 Master Demonstration, Evaluation, and Research Studies (DERS) |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources | Other - This does not apply to the system. |
| Identify the OMB information collection approval number and expiration date | OMB information collection approval exempt because of Patient Protection and Affordable Care ACT of 2010. P.L. 111-148 section 1115A |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Near the bottom of the login page is a privacy notice: "CMS will safeguard the information provided to us in accordance with the Privacy Act of 1974, as amended (5 U.S.C. Section 552a)." The notice provides a link to the CMS Privacy Website. Links on the privacy site led to HHS sites addressing PIAs and SORNs. |
| Is the submission of the PII by individuals voluntary or mandatory? | Mandatory |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Individuals may not opt out of providing their personally identifiable information (PII). The registered user must provide their business contact details to utilize the CDMS system. There is a manual identification process that allows the user to complete user access request forms. The forms are sent out to the user by the Help Desk and the user is instructed to return the forms to the Office of Hearings. Once the forms are processed by the Office of Hearings then the appropriate information is provided to the System Administrator for completing the user access request. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | When major changes to the system occurs that involves changes in disclosure and/or data uses since the time of the collection, the process to notify and obtain consent from the individuals whose personally identifiable information (PII) is in the system is to provide an updated online privacy notice that is presented to users upon linking to the site. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If an individual believes that a covered entity or business associate violated his/her health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules, he/she may file a complaint with the Office for Civil Rights (OCR). The individual may also file a Health Insurance Portability and Accountability Act of 1996 compliant via email at hipaacomplaint@hhs.gov. An individual can contact the Help Desk for general assistance. To speak with a Helpdesk representative, call 1(833)-783-8255. Email inquiries can be sent to OHCDMS_Support@cms.hhs.gov |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | As part of the complaint investigation and resolution process employed by OH CDMS, there are monthly reviews to ensure that users don't have elevated privileges, user accounts are terminated if they are no longer employed on the OH CDMS contract, along with reviewing log files for configuration changes, errors, and anomalies to ensure confidentiality, integrity, and availability. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Roles of users are clearly delineated in the Create, Review, Update and Delete (CRUD) matrix. The matrix provides permissions approved for the user roles which is based on the individual's need to know for specific information to fulfill their job duties. This process includes administrators, developers, contractors, etc. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Role Based Access is granted to individuals who access the system to minimize the amount of data available to only that which is necessary to accomplish their specific job responsibilities. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All Centers for Medicare and Medicaid Services (CMS) employees and CMS direct contractors are required to complete annual mandatory Information Systems Security Awareness and HHS Privacy Training. This training is required prior to gaining access and required to maintain access to all CMS systems. All CMS employees and CMS direct contractors are required to read and acknowledge The Rules of Behavior For Use of HHS Information Resources. A signed and dated acknowledgment is required. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | CMS and contractor personnel with responsibilities regarding security, incident handling, and/or contingency activities are provided additional training and perform tabletop exercises that test their roles' responsibilities. Refresher training/exercises are repeated at least annually. Additional training includes Insider Threat Training and Role-based System Security Training as needed. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | CMS websites keep data collected long enough to achieve the specified objective for which they were collected. The data generated from these activities (including Salesforce) falls under the National Archives and Records Administration (NARA) General Records Schedule (GRS) 3.1 – General Technology Management Records and will be handled according to the requirements of that schedule.
|
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative: Users are provided with privacy training to understand how to properly handle and disclose privacy data. Technical: Role based access has been employed by the application to ensure that users only have access to the data which is needed in the performance of the specific jobs. Physical: Physical controls are administered by the Salesforce Data Center facility where the application will physically reside. The Salesforce facility has security guards and controlled access rooms with cipher locks to guard against unauthorized access. |
| Identify the publicly-available URL: | User must access production via the EIDM portal using the following link: https://sei.cms.gov
|
| Does the website have a posted privacy notice? | Yes |
| Is the privacy policy available in a machine-readable format? | Yes |
| Does the website use web measurement and customization technology? | Yes |
| Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) | Session Cookies - No |
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | No |