Skip to main content

Open Payments System

Date signed: 5/1/2024

PIA information for the Open Payments System
PIA QuestionsPIA Answers
OPDIV:CMS
PIA Unique Identifier:P-9014573-741056
Name:Open Payments System
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?Yes
Identify the operator:Agency
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization8/1/2023
Indicate the following reason(s) for updating this PIA. Choose from the following options.PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.

As required by the Open Payments provisions that were included in the Patient Protection and Affordable Care Act (ACA) the Open Payments System allows for applicable manufacturers and applicable Group Purchasing Organizations (GPOs) to annually report payments and other transfers of value made to Physicians and Teaching Hospitals (THs), including certain information regarding the ownership or investment interests held by Physicians or their immediate family members. CMS is required to compile the submitted data and publish it on a public website.

The Open Payments System has undergone the following changes since the last Privacy Impact Assessment (PIA) was conducted:

A new Portlet titled "CMS Compliance Portal" was added within the Open Payments project folders. The new portlet contains functionality for the CMS Compliance Team to meet requirements for the Open Payments program.

An enhancement was added to provide teaching hospitals a utility to search for a physician's Open Payments Profile ID by the National Provider Identifier (NPI). The new functionality allows for teaching hospitals to upload a list of NPIs to Open Payments, and Open Payments will return the list of Open Payments IDs that can be used to verify against the publication.

An enhancement was added to store emails/notifications generated by the system so that all user types can view messages sent to them in the last 365 days. The Messages landing page allows users to filter and sort the list of emails sent to their organization.

An enhancement was added to automate the manual process of merging multiple Open Payments user profiles automatically. Creating two different Profile IDs for the same Physician is a known system behavior that has to do with the order in which the Physician information is received by the Open Payments System. 

Based on these changes no new Personally Identifiable Information (PII) data has been collected, maintained, or stored by the Open Payments System.

Describe the purpose of the system

As part of the Affordable Care Act (ACA), the Centers for Medicare & Medicaid Services (CMS) Open Payments System (OPS) was created to provide a repository of information about the financial relationships between physicians and teaching hospitals with pharmaceutical and medical device manufacturers (applicable manufacturers) and Group Purchasing Organizations (GPO).

Applicable manufacturers and GPO that participate in U.S. federal health care programs are required to report certain payments (monetary and non-monetary) made to physicians and teaching hospitals. They must also report any ownership or investment interest that physicians, or their immediate family members, have in their company. These payments may include consulting fees, research grants, entertainment and travel reimbursements, and payments made from the industry to medical practitioners.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

OPS collects information about physicians such as their name, medical practice information, Job Title, and Employee Identification Number (EIN), business address, email address, primary practice address (if outside the United States), business phone number, state medical license, National Provider Identifier (NPI) and nature of payments received.

The nature of payment categories are as follows: consulting fees; compensation for services other than consulting, including serving as faculty or as a speaker at an event other than a continuing education program; gifts or vacations; entertainment, like tickets to events; food and drinks; travel and lodging; educational expenses, including textbooks and continuing medical education courses; research activities; and ownership and investment interests in medical manufacturers or Group Purchasing Organization (GPO).

OPS collects information about teaching hospitals that receive compensation from manufacturers and GPO such as hospital name, address, a designated contact person’s name, business email and telephone and types of payments. Types of payments are grants and space rental/facility rental fees.

OPS has business information about the manufacturing companies and GPO that report into the system such as business name, address, and contact person(s) telephone and email.

To access OPS, a user must first register and log into the CMS Identity Management (IDM) web portal each time they wish to use OPS. IDM is the access control portal and is where user credentials are collected, stored, and maintained. Then the user creates a user ID and password to access OPS while in the IDM portal.

The "users" include Physician, Physician's Authorized Representative, Teaching Hospital authorized officials, Teaching Hospital authorized representatives, Applicable Manufacturers and Applicable GPOs, Principal Investigators, and Contractors (Database Administrators (DBA), Developers, Help Desk, Business Analyst (BA) Team, and Testing Team).

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Open Payment System (OPS) is a national disclosure program that promotes transparency on the financial relationships between the healthcare industry, Applicable Manufacturers (AM) and Group Purchasing Organizations (GPO), and healthcare providers, individual physicians, and teaching hospitals. The OPS program information is publicly available on CMS' website, Open Payments Program.

The information collected through OPS from applicable manufacturers and GPOs is the company profile information to identify them as participants in the program. The information collected about physicians such as name, practice type, Job Title, EIN, business address, telephone and email, and the nature, context, and amount of payment. In addition, NPI and Medical License number is provided by the physicians. When registering in the Open Payments system, physicians must enter all of the state license numbers they hold, as well as their NPI number (if they have one). The Job Title is provided during entity user profile creation. The EIN is provided during entity profile creation. For teaching hospitals, the information is the name of the hospital, the physician involved and the address, telephone and contact for the hospital, along with the nature, context and number of payments.

The nature of payments includes direct monetary payments and various non-monetary payments: compensation for services other than consulting, including serving as faculty or as a speaker at an event other than a continuing education program; gifts or vacations; entertainment, like tickets to events; food and drinks; travel and lodging; educational expenses, including textbooks and continuing medical education courses; research activities; and ownership and investment interests in medical manufacturers or GPO.

OPS user credentials are collected and maintained by the Identity Management (IDM). IDM is external to OPS and the PII within IDM is covered by a separate PIA. After initial log into the IDM system, a user inputs a user ID and password to gain access to OPS. Only the OPS end users' IDM user ID is stored in Open Payments. The "users" include Physician, Physician's Authorized Representative, Teaching Hospital authorized officials, Teaching Hospital authorized representatives, Applicable Manufacturers and Applicable GPOs, Principal Investigators, and Contractors (DBA, Developers, Help Desk, BA Team, and Testing Team).

The Open Payments System regularly uses PII to retrieve system records including using the first name, middle name, last name, IDM User ID, email address, phone number, physician NPI, and Physician License and License State about Physicians, Physician's Authorized Representative, Teaching Hospital authorized officials, Teaching Hospital authorized representatives, Applicable Manufacturers and Applicable GPOs, Principal Investigators, and Contractors (DBA, Developers, Help Desk, BA Team, and Testing Team).

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Mailing Address
  • Other - Job Title, Business Name, Business Address, Business Email, Business Phone Number, Physician License State and License Number(s), Primary practice address (if outside the United States), state medical license, National Provider Identifier (NPI), Employer Identification Number (EIN) and user credentials (user ID and password)
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Vendors/Suppliers/Contractors
  • Other - Teaching Hospitals
How many individuals' PII in the system?100,000-999,999
For what primary purpose is the PII used?The primary purpose of PII is for the reporting of the financial relationship between physicians and applicable manufacturers and GPOs. User credentials are used to access the OPS system.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)Not applicable.
Describe the function of the SSN.Not applicable.
Cite the legal authority to use the SSN.Not applicable.
Identify legal authorities​ governing information use and disclosure specific to the system and program.Title 42 U.S.C. § 1128G [42 U.S.C. 1320a–7h] and 5 USC Section 301, Departmental regulations
Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.Open Payments System SORN:  09-70-0507, published February 14, 2018.
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • In-person
  • Online
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
Identify the sources of PII in the system: Non-Government Sources
  • Members of the Public
  • Private Sector
Identify the OMB information collection approval number and expiration dateThe OMB control number for information collection is 0938-1237.TheOMB is currently on a temporary month to month approval until the final re-approval per the CMS Paperwork Reduction Act Specialist.
Is the PII shared with other organizations?No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

When an individual creates a new user account in IDM, there is a "Consent to Monitoring & Collection of Personally-Identifiable Information (PII)" introduction displayed on the Terms & Conditions page. The person can elect to "Decline" to accept the Terms and Conditions and then no account will be created. 

Then, each time a user accesses the login section of IDM, to access to OPS, there is a Terms and Conditions statement that the user must click the "I Agree" button to move forward. It states that their personal information is being collected.

Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.Users are aware of the requirement to submit PII when applying for a new user ID and to obtain access to IDM and OPS. There isn't an 'option to object,' since the process is necessary for access to OPS.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.There has been no change in the disclosure and/or data uses since the notice at the time of original collection.  The OPS is accessed through the IDM environment, so any major changes to the system will be updated by IDM on CMS Enterprise Portal. Any changes to how OPS collect information will be updated on the SORN and published in the Federal Register for a 60-day comment period by members of the public.  All user groups (physicians, teaching hospitals, contractors, etc.) are notified the same way by updating and publishing the SORN.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The redress process in place to resolve a user's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate is for the user to contact the Help Desk via phone or email. Depending on the issue, the trouble ticket could be created by CMS IT Service Desk or the Open Payments Help Desk.

If it is a security incident, then the Help Desk, application team & infrastructure team work together to investigate further, identify a fix, and ensure it is implemented/resolved.
If it is not a security incident, say, just the mailing address disclosed is incorrect, then the users can update the profile information themselves on the CMS Portal.

For the OPS program participants such as applicable manufacturers, GPOs, teaching hospitals, the users update their own PII within the system. For example, if the physician's PII record within the OP application is inaccurate, the physician uses the Review and Dispute functionality of the OP application to get it corrected. The applicable manufacturer or GPO that created the record reviews the disputed information and works with physicians or teaching hospitals to review and correct or update any disputed information. The dispute resolution is captured within the OPS and the information is updated.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

Any incorrect data is corrected by the users themselves while using the system, by updating whichever element is incorrect in their profile, like a name change or new telephone.

The integrity of PII is managed by firewalls and encryption layers. Full-device encryption is employed to protect the confidentiality and integrity of information on approved mobile devices.

Throughout the year, the OPS allows the applicable manufacturers and GPOs to submit payment information via bulk file uploads. The physicians included in those reports can review and dispute any incorrect information about themselves.

The dispute and resolution functions of the OPS system maintains the relevancy of PII in the system.

For the user credentials, the OPS system administrators are responsible for maintaining the allowable/registered users by deleting, reactivating or confirming the user accounts. There are processes in place to review the current users between IDM and OPS and eliminate any inactive accounts.

For the OPS program participants such as applicable manufacturers, GPOs, teaching hospitals, the users update their own PII within the system. For example, if the physician's PII record within the OP application is inaccurate, the physician uses the Review and Dispute functionality of the OP application to get it corrected. The applicable manufacturer or GPO that created the record reviews the disputed information and works with physicians or teaching hospitals to review and correct or update any disputed information. The dispute resolution is captured within the OPS and the information is updated.

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: The users who have access to PII are the AM/GPO and the physicians. The AM/GPO access is needed so they can upload information relating to physicians & teaching hospitals into the OPS as part of their function.  The physicians and teaching hospitals have access only to their own information in reports generated by the system.  Such access is needed so they can verify the accuracy of the information reported.
  • Administrators: Authorized users such as Administrators are provided with a minimum necessary system access for the performance of required tasks. Administrators do not normally have access to PII but may need incidental access for the performance of some tasks.
  • Developers: Authorized users such as Developers are provided with a minimum necessary system access to perform system maintenance. Developers do not typically have access to PII but may need incidental access for the performance of some tasks.
  • Contractors: Authorized users such as Direct Contractors in their roles as Administrators and Developers may have access to PII in those roles to perform job functions.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.Those with access to PII have only the minimum amount of information necessary to perform their job in accordance with the least privilege principle.  There is a process in place for requesting, establishing, issuing, and closing user accounts and tracking access authorizations. The disabling of inactive accounts and auditing of user accounts allow those with access to PII to only access the minimum amount of information necessary to perform their job.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.OPS users are granted the minimum access necessary to perform their job function. There are different levels of access depending on the role of the individual accessing OPS, in accordance with role-based privileges. All users are authenticated via the IDM process.  OPS help desk roles are reviewed monthly, and access is disabled upon termination.  Certain user types go through annual recertification to recertify their access.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.All CMS employees and direct contractors with access to CMS networks, applications, or data must complete mandatory annual Privacy Awareness Training annually. Prior to accessing the CMS network, and as part of the annual re-certification process, a Computer-Based Training (CBT) course regarding information system security awareness is completed. 
Describe training system users receive (above and beyond general security and privacy awareness training)CMS employees and contractors with privileged access are required to complete role-based training and meet continuing education requirements commensurate with their role and participate in an annual contingency planning exercise. Additionally, contractors also complete corporate information security training prior to being assigned to a project and repeat annually.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

OPS contains both Financial and Provider/Health Plan records and is covered by the following records retention schedules:

Bucket 3, Financial Records, Financial Records (Programmatic) falls under DAA -0440-2015-004-001 and has a Temporary retention which is to Destroy no sooner than 7 years after cutoff but longer retention is authorized.


Bucket 6, Provider and Health Plan Records, falls under DAA-GRS-2013-005-003 which has a Temporary retention which is to Destroy no sooner than 7 years after cutoff but longer retention is authorized.

GRS 3.1, Item 51 General Technology Management Records. Data administration records. All documentation for temporary electronic records and documentation not necessary for preservation of permanent records, fall under DAA-GRS-2013-005-0003. These records have a Temporary retention of 5 years.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

PII will be secured in the system using these administrative, technical, and physical controls. The administrative controls include inactivity timeout, more than one method of authentication required to verify user's identity, annual account reviews, and user trainings.

OPS is part of a CMS Data Center, and the access is controlled by cameras, biometrics readers and badge readers.  Also, personnel who no longer require authorization are promptly removed from all access lists. 

The technical controls include firewalls to prevent unauthorized system access, encrypted access when users obtain the IDM authentication (approval) to log into the application and a tiered system architecture which means users can only log into the application but not into any test environment and the testing and active applications are not joined together.

Identify the publicly-available URL:Open Payments Program
Does the website have a posted privacy notice?Yes
Is the privacy policy available in a machine-readable format?Yes
Does the website use web measurement and customization technology?Yes
Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply)
  • Session Cookies - Collects PII?: No
Does the website have any information or pages directed at children under the age of thirteen?No
Does the website contain links to non-federal government website external to HHS?Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?No

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

View all CMS PIAs