Q-Net

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 5/1/2024

PIA Information for Q-Net
PIA Questions: PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-5378460-030817
Name: Q-Net
The subject of this PIA is which of the following? General Support System
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? No
Identify the operator: Contractor
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 6/30/2023
Indicate the following reason(s) for updating this PIA. Choose from the following options. PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA. No changes have occurred since the last PIA
Describe the purpose of the system

QualityNet (Q-Net) is a general support system (GSS) that supports thirteen (13) diverse Center for Clinical Standards and Quality (CCSQ) Information Technology (IT) major applications (MA), in addition to supporting the Network of Quality Improvement and Innovation Contractors (NQIIC) communities and the Clinical Data Abstraction Center (CDAC), via hosting, support, and maintenance of its AWS infrastructure, Commercial off-the-Shelf (COTS) applications and tools. The thirteen (13) MAs that operate and are supported are not part of the GSS boundary.

Q-Net is built and maintained within a CCSQ GOCO (Government Owned Contractor Operated) instance of Amazon Web Services (AWS) as the Cloud Service Provider (CSP) for hosting the supported Q-Net implementation. The GSS leverages the AWS East/West Regions for redundancy. The primary goal of the Q-Net Cloud is to add agility and flexibility to the delivery of Information Technology (IT) infrastructure and contractors to facilitate faster delivery of application services to Q-Net end users.

There are two (2) different service models within the Q-Net cloud which are leveraged under the CCSQ contract (Managed-Service and Self-Service). The Managed-Service model allows Application Developer Organizations (ADO) to update/maintain their system and manage their lower environments. Under the Self-Service model, the ADO is responsible for update/maintenance of their system, as well as managing servers and all environments.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The system is a General Support System (GSS) and does not directly collect or store information. The applications, systems services and tools residing in the GSS collect and store information. Therefore, individual Privacy Impact Assessments (PIAs) have been prepared and submitted for those specific applications and systems residing on this GSS. 

The QualityNet (QNet) Wide Area Network (WAN)/Local Area Network (LAN) network configuration provides the WAN/LAN connectivity and support for the Health Care Quality Improvement System, which comprises 13 Major Applications that collect information and operate within the QNet network infrastructure:

CCSQ Data repository and Analytics Platform (CDRAP);
Delivery Administration, Report, and Repository Tool (DARRT);
Data Element Library (DEL); 
ESRD Quality Reporting System (EQRS); 
Financial Information and Vouchering System Next generation (FIVS NG);
Hospital Quality Reporting (HQR);
Internet Quality Improvement and Evaluation System (iQIES); 
Measure Authoring Tool (MAT);
Quality Improvement and Evaluation System (QIES); 
Quality Management and Review System (QMARS); 
QNET Enterprise Services (QNET ES); 
Quality Service Center (QSC); 
Survey and Certification Quality, Certification and Oversight Reports (SC QCOR). 

The GSS validates a user’s identity and access privileges via Health Care Quality Information Systems (HCQIS) Access Roles and Profile (HARP), which is covered by a separate PIA.

Additionally, Q-Net uses AWS Active Directory (AD) for authentication. Only active AD accounts can log into AWS. User credentials are stored in Q-Net and include username, user ID, name, organization, work email address, phone number, and sometimes title.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The system is a General Support System (GSS) and does not directly collect or store information. The applications/systems residing on the GSS collect and store information. Therefore, individual PIAs have been prepared and submitted for the applications/systems residing on this GSS. 

The QualityNet (QNet) Wide Area Network (WAN)/Local Area Network (LAN) network configuration provides the WAN/LAN connectivity and support for the Health Care Quality Improvement System, which comprises 13 Major Applications that collect information and operate within the QNet network infrastructure:

CCSQ Data repository and Analytics Platform (CDRAP);
Delivery Administration, Report, and Repository Tool (DARRT);
Data Element Library (DEL); 
ESRD Quality Reporting System (EQRS); 
Financial Information and Vouchering System Next generation (FIVS NG);
Hospital Quality Reporting (HQR);
Internet Quality Improvement and Evaluation System (iQIES); 
Measure Authoring Tool (MAT);
Quality Improvement and Evaluation System (QIES); 
Quality Management and Review System (QMARS); 
QNET Enterprise Services (QNET ES); 
Quality Service Center (QSC); 
Survey and Certification Quality, Certification and Oversight Reports (SC QCOR).

The GSS validates a user’s identity and access privileges via HARP, which is covered by a separate PIA.

Additionally, Q-Net uses AWS Active Directory for authentication. Only active AD accounts can log into AWS. User credentials are stored in Q-Net and include username, user ID, name, organization, work email address, phone number, and sometimes title.

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Other - User account information: username / user ID, organization, and sometimes title.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Vendors/Suppliers/Contractors
How many individuals' PII in the system? 500-4,999
For what primary purpose is the PII used? The Personally Identifiable Information (PII) is user credentials, used to control access to the system.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research): Not applicable
Describe the function of the SSN. Not applicable
Cite the legal authority to use the SSN. Not applicable
Identify legal authorities governing information use and disclosure specific to the system and program. 5 USC 301, Departmental Regulations
Are records on the system retrieved by one or more PII data elements? No
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • In-Person
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
Identify the sources of PII in the system: Non-Government Sources 
Identify the OMB information collection approval number and expiration date: Not applicable for user account credentials.
Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. Users provide their PII to have their user account created.
Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. Users would not be able to perform their work if the PII is not collected to create the user account. There is no option to opt out.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. Users would be notified via email should the system undergo disclosure or data use changes and would be provided instructions on the steps to follow should they choose not to consent to the disclosure or data use changes.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. Any concerns of misuse of PII are reported to the QualityNet Help Desk, and the QualityNet Incident Response Procedures are followed, which include elevation of PII incidents to CMS. The CMS Incident Response Procedures are then followed.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. The PII stored in Q-Net is limited to user account information. User accounts are disabled after 60 days of inactivity. Reports are generated and reviewed weekly to ensure accounts are disabled appropriately.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Users have access to PII to perform their job duties.
  • Administrators: Administrators have authority to create user accounts.
  • Contractors: All contractors are users and/or administrators in this system. All contractors are direct contractors.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. Administrators responsible for user account creation are allowed access to PII. The audit team monitors for the creation of elevated accounts to ensure proper approvals are secured. The audit team also monitors the list of authorized elevated accounts every 14 days.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. The PII collected is limited to the minimum data required to create a user account and provide a method to communicate with other users.
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. All system users are required to take the CMS Cyber Awareness Challenge Computer Based Training (CBT) as well as the Identifying and Safeguarding Personally Identifiable Information (PII) training endorsed by CMS. This training is required upon initial hire and annually thereafter.
Describe training system users receive (above and beyond general security and privacy awareness training): Additional training includes annual Role Based Security Training.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

User credentials are maintained until the user is no longer working on the system, or access is no longer required. The credentials are removed from the system as part of the routine maintenance of terminations and account maintenance. The General Records Schedule (GRS) is DAA-GRS-2013-0006 which states the retention period is "Destroy 1 year(s) after user account is terminated or password is altered or when no longer needed for investigative or security purposes, whichever is appropriate."

Each major application that resides on this system documents its retention policy in its respective PIA.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative controls include but are not limited to contingency plans and annual testing, backups of all files, background checks for all personnel, incident response procedures for timely response to security and privacy incidents, initial security training with annual refresher courses, and annual role-based security training for personnel with assigned security roles and responsibilities.

Technical controls include but are not limited to user authentication with least privilege authorization, firewalls, Intrusion Detection and Prevention systems (IDS/IPS), encrypted communications, auditing, and correlation of audit logs from systems.

Management controls include but are not limited to: Authority to Operate (ATOs), annual security assessments, monthly management of outstanding corrective action plans, ongoing risk assessments, and automated continuous monitoring.

The physical controls are handled through Amazon Web Services (AWS), since this system underwent a full migration.