Skip to main content

QNET Enterprise Services

Date signed: 5/30/2025

PIA for QNET Enterprise Services
PIA Questions PIA Answer
OPDIV:CMS
PIA Unique Identifier:P-2648298-637555
Name:QNET Enterprise Services
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?Yes
Identify the operator:Contractor
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization1/10/2025
Indicate the following reason(s) for updating this PIA. Choose from the following options.Significant System Management Change
Describe in further detail any changes to the system that have occurred since the last PIA.Since the last PIA, Splunk has migrated to QualityNet Enterprise Services (QNET ES) boundary from QNet General Support System (GSS). Splunk is a Security Incident and Event Management (SIEM) tool that generates audit records which contain, but are not limited to the following information: event occurrence, date/time stamp of occurrence, where the event occurred in the form of IP address or hostname, the source of the event, the outcome of the event, the user ID, and the action taken. Splunk leverages Health Care Quality Improvement System (HCQIS) Access Roles and Profile (HARP) for authentication and authorization. Splunk infrastructure resides in AWS single tenant accounts (one for non-production and one for Production).

FileCloud was decommissioned, Managed File Transfer (MFT) was renamed Unified File Management (UFM) without impact to privacy. There was integration of Udacity with HARP, and two new QNP public forms were created. Below are details on Udacity and QNP forms:

Udacity is a global education technology organization that helps employees gain new technical skillsets through their hands-on, project-based learning programs focusing on developing mastery and fluency in fields such as Data Science, Artificial Intelligence, Cloud, Business, Cybersecurity, and Programming and Development. The learning paths within the tool are customized to fit CMS organization skill gaps and includes courses that range from 1 hour to 120 hours to complete. Security Officials approve Udacity HARP roles, and Udacity admins manually check which HARP role the user has before adding Udacity specific roles within Udacity. The current users of Udacity are CMS users.

QNP has added a form relating to the Acute Hospital Care at Home Individual Waiver – waiver requests to waive §482.23(b) and (b)(1) of the Hospital Conditions of Participation, which require nursing services to be provided on premises 24 hours a day, 7 days a week and the immediate availability of a registered nurse for care of any patient.

Another form added to QNP facilitates Monoclonal Antibodies Directed Against Amyloid for the Treatment of Alzheimer’s Disease CED Study Registry - this Registry for Monoclonal Antibodies Directed Against Amyloid for the Treatment of Alzheimer's Disease (AD) collects information from providers to facilitate and ensure appropriate patient selection in the use of monoclonal antibodies directed against amyloid (antiamyloid mAb) approved by the FDA for the treatment of AD based upon evidence of efficacy from a direct measure of clinical benefit.

Unified File Management (UFM), CCSQ QualityNet Slack, SurveyMonkey, QualityNet, Atlassian (HCQIS Confluence, HCQIS Jira), Program Resource System (PRS), and TestRail, Udacity were added to the QNET ES Boundary.
Describe the purpose of the system

QNET ES comprises of multiple application services supporting various Health Care Quality Information System (HCQIS) functions. The functions supported by each application service are provided below.

HCQIS Access, Roles and Profile Management System (HARP) is the QualityNet Identity Management (IDM) system for the CMS Center for Clinical Standards & Quality (CCSQ) user community. The system is comprised of three components: Okta, Saviynt and Common UI. HARP assigns, controls, tracks, and reports authorized access to and use of Centers for Medicare & Medicaid Services (CMS), computerized information and resources, across multiple CMS systems and business contexts.

Unified File Management (UFM) is an application for the CMS QualityNet community to securely transfer data files over the internet using GoAnywhere Managed File Transfer. GoAnywhere is a commercial-off-the-shelf (COTS) product. UFM provides the capabilities for transferring data files from person-to-person(s) using UFM Secure Mail or from person-to-system through UFM Secure Forms.

QualityNet Portal (QNP)/QualityNet is a public-facing website located at QualityNet. It is used to provide healthcare quality improvement news, resources, and data reporting tools used by healthcare providers in support of select CMS quality reporting programs. In addition, QNP consists of QualityNet Mailer (list serve) and Program Resource Repository (PRS 2.0).

CCSQ QualityNet Slack is a software-as-a-service (SaaS) digital communication platform that allows users to message and collaborate with individuals, and groups within the CCSQ Community. Modes of communication and collaboration include channels, direct messaging, voice calls, screen share, and file sharing.

QualityNet Atlassian is a collection of collaboration and planning application services available to CMS, CMS contractors, and CMS stakeholders. The Atlassian suite includes the following tools:

QualityNet Jira: A work management system used by software development and Agile teams to create, manage, and track tasks and workflows. 

QualityNet Confluence: A group collaboration and document management tool used for storing documents and content publication for CMS audience.


QualityNet SurveyMonkey is a survey tool used for creating, tracking, and analyzing survey responses.

TestRail is used for planning, organizing, executing, and reporting on testing activities in support of application development organizations (ADOs) within the HCQIS environment. It provides capabilities for tracking and recording testing progress at multiple levels of the software development life cycles.

Udacity: is an online learning tool that provides curriculum based on various subject areas in Information Technology, Business, etc.

Splunk is a SIEM tool for searching and exploring data. It can help predict, identify, and solve problems related to business, information technology (IT), DevOps, and security in real time. Splunk is an advanced and scalable form of software that indexes and searches for log files within a system and analyzes data for operational intelligence. The software is responsible for capturing, correlating, and indexing real-time data, from which it creates alerts, dashboards, graphs, reports, and visualizations. This helps CMS QualityNet recognize common data patterns, diagnose potential problems, apply intelligence to business operations, and produce metrics.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

HARP collects, maintains, and stores Full Name, Address, Phone Number, E-mail Address, and User ID credentials of CMS Employees, Public Citizens, Business Partners/Contacts (Federal, State, Local Agencies), and Vendors/Suppliers/Contractors. It also collects the last 4 digits of the Social Security Number (SSN) via the Office of Information Technology (OIT) instance of Okta for remote identity proofing. In addition to user information, HARP collects and maintains information about Quality Program applications, associated organizations, application roles, user profile management, and associated Security Officers that provide user administration and access approval activities. User profile attributes are not purged from the system. Roles and Organizations are removed if the organization is offboarded.

UFM stores user account information including First Name, Last Name, Email Address, and Phone Number in local GoAnywhere Accounts. Disabled or inactive UFM accounts are not purged from the system. 

The UFM system does not open or read the data file content or validate any of the file content of the data files. All files are encrypted in transit and at rest. Data files transferred may contain PII/PHI information. The data files are scanned using anti-virus software. File transmission information is used to track files submission for data upload.

QNP/QualityNet collects, maintains, and shares content from the user community and made available for public consumption on the website. It also collects usernames and roles. The collected contents are stored if they remain relevant and valid to the program. Public forms like the Alzheimer’s Disease CED Study Registry collect MBI. PRS collects and shares Beneficiary information including Full Name, Medicare Beneficiary Identifier (MBI), Health Care Insurance Claim Number (HICN), Claim Account Number (CAN), last 4 digits of SSN, Date of Birth, Address, Coverage information, Sex, Primary Payer Code, Railroad Retirement Board (RRB), Taxpayer ID, Medical Records Number, and Telephone Number. 

CCSQ QualityNet Slack collects and stores collaboration data from CCSQ users, contractors, and CMS users in Channels, Direct Messaging, File Sharing, and data shared with Slack from other QualityNet applications using Slack plug-ins. Slack also collects and stores user data including Name, User ID credentials, and email address. The user credentials are created in HARP. Slack retains user data for 13 months or until explicitly removed by the user or admin before that.

QualityNet Atlassian:

QualityNet Confluence acts as a data repository for the CCSQ community to collect, maintain, and share data on its public facing pages. The data stored in Confluence includes CMS specific project data, collaboration data for CCSQ contractors, file uploads, provider data, and user data including PII/PHI. Confluence also stores user credential data including Name, User ID, and Email. User credentials are created in HARP. The collected user data is stored if it remains relevant and valid to the program. User generated information is stored until it is explicitly removed by the user or an admin.

QualityNet Jira is an Agile workflow management application for the CCSQ community which collects and maintains CMS specific project data, collaboration data for CCSQ contractors, file uploads, provider data, and user data including PII/PHI. Jira also stores user credential data including Name, User ID, and Email. User credentials are created in HARP. The collected user data is stored if it remains relevant and valid to the program. User generated information is stored until it is explicitly removed by the user or an admin.

QualityNet SurveyMonkey collects, maintains, and shares survey data from CCSQ users. The surveys do not contain any PII/PHI information. SurveyMonkey also stores username, first name, last name, and email information for CCSQ users. User credentials are created in HARP. The collected user data is stored if it remains relevant and valid to the program. User generated survey data is stored until it is explicitly removed by the user or an admin.

TestRail does not collect, maintain, or share information including PII.

Udacity stores username, first name, last name, and email information of CCSQ users. User credentials are created in HARP.

Splunk collects application and operating system logs. Splunk also stores username and email address of the Splunk users. CCSQ contractors are responsible for not forwarding sensitive information like PII or PHI to Splunk.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

HARP collects Full Name, Address, Phone Number, Date of Birth (DoB), phone number, SSN (last 4 digits), E-mail Address, and User ID credentials of CMS Employees, Public Citizens, Business Partners/Contacts (Federal, State, Local Agencies), and Vendors/Suppliers/Direct Contractors. This information is used for remote identity proofing. In addition, the Help Desk use PII daily to verify user identity when addressing account access issues.  

UFM system utilizes the GoAnywhere Commercial-off-the-Shelf (COTS) product for the secure transfer of community user data. The GoAnywhere COTS product stores a local user account for user authentication. The GoAnywhere local accounts include the following information: HARP user identifier, first name, last name, phone number, organization of employees. The personal identifiers are used daily to maintain permissions and access between UFM and HARP applications, and for resolving user accounts access issues. Data files transferred may contain encrypted PII/PHI information.

QNP/QualityNet is a public facing website. It utilizes HARP user identifier, first name, last name, phone number, organization of employees. HARP collects, stores, and maintain the collected information. Within QNP, PRS collects and shares Beneficiary information including Full Name, Medicare Beneficiary Identifier (MBI), Health Care Insurance Claim Number (HICN), Claim Account Number (CAN), last 4 digits of SSN, Date of Birth, Address, Coverage information, Sex, Primary Payer Code, Primary Payer Code, Railroad Retirement Board (RRB) identifier, Taxpayer ID, Medical Records Number, and Telephone Number.

CCSQ QualityNet Slack collects and stores data from CCSQ users via Channels, direct messaging, file share, and voice/video call functionality. Slack also stores user data including Name, user ID, and email within its SaaS cloud. Information is stored in Slack to facilitate collaboration between CCSQ user community.

QualityNet Atlassian:

QualityNet Confluence acts as a data repository for the CCSQ community and it’s intended to securely store CMS specific project data, collaboration data for CCSQ direct contractors, file uploads, provider data, and user data including PII/PHI. Confluence also stores Name, HARP ID, email, HCQIS Active Directory ID for CCSQ users. Information is stored in Confluence to facilitate collaboration between CCSQ user community.

QualityNet Jira acts as an Agile workflow management tool for the CCSQ community and it’s intended to securely store CMS specific project data, collaboration data for CCSQ direct contractors, file uploads, provider data, and user data including PII/PHI. Jira also stores Name, HARP ID, email, HCQIS Active Directory ID for CCSQ users. Information is stored in Jira to facilitate collaboration between CCSQ user community.

QualityNet SurveyMonkey collects, maintains, and shares survey data from CCSQ users. The surveys do not contain any PII/PHI information. SurveyMonkey also stores username, first name, last name, and email information for CCSQ users. Information is stored in SurveyMonkey to enable survey functionality for the CCSQ user community.

TestRail does not collect, maintain, or share information including PII. It is used for tracking and recording testing progress at multiple levels of the software development life cycles.

Udacity stores username, first name, last name, and email information for CCSQ users.

Splunk stores username and email information for user account management purposes.

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Other - QNP/QualityNet: User ID/Passwords and Roles, Medicare Beneficiary Identifier (MBI), Health Care Insurance Claim Number (HICN), Claim Account Number (CAN), Coverage information, Sex, Primary Payer Code, Railroad Retirement Board (RRB), organization of employees. HARP: full name, address, phone number, and user ID credentials. UFM: The PII uploaded by user community is determined by the Line of Business user community. The UFM application does not open or read the content of the data file.
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
  • Patients
  • Other - QNP/QualityNet: Employees, UFM: Employees, HARP: CMS Employees, Public Citizens, Business Partners/Contacts (Federal, State, Local Agencies), Vendors/Suppliers/Direct Contractors, and CCSQ QualityNet Slack/QualityNet SurveyMonkey/Atlassian: CCSQ users.
How many individuals' PII in the system?1,000,000 or more
For what primary purpose is the PII used?

HARP: Full name, address, phone number, email address data of birth and user ID credentials are used to verify the identity of CMS Quality Program users.

UFM: UFM stores the UFM users first name, last name, email address, and phone number in local GoAnywhere Accounts for account management. UFM User IDs are used for identity management purposes. UFM does not read, update, or validate the information contained within the end user data files as processing the data files is the responsibility of the end user. Data files transferred may contain PII/PHI.

QNP/QualityNet: User ID and Password are used to configure access to the Web Content Manager. The Alzheimer’s Disease CED Study Registry collects MBI for claims requests. PRS Health Service provider and Beneficiary PII/PHI elements are used to look up information regarding HSP and/or Beneficiaries.

CCSQ QualityNet Slack/QualityNet SurveyMonkey/Atlassian: Full name, User ID credentials, and email information for CCSQ users is stored for user management, auditing, and incident response functions performed by application admins and security personnel.

QualityNet Atlassian (Confluence and Jira) may also store user generated/uploaded PII/PHI information to enable collaboration between project teams or to provide a secure storage for the information.

TestRail: N/A – No PII collected/used by the system.

Udacity: Full name and email information for CCSQ users is stored for user management, auditing, and incident response functions performed by application admins and security personnel.

Splunk: Username and email information for CCSQ users are stored for user management, auditing, and incident response functions performed by application admins and security personnel.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)None
Describe the function of the SSN.

SSN is used for identity proofing of user prior to access to the HARP system. SSN is collected during registration of new user account. They are collected and stored in Saviynt. Only the last four (4) digits are stored in HARP.

HARP collects SSN and sends it to Experian for remote identity proofing. Experian is third-party identity verification service provider.

Cite the legal authority to use the SSN.Executive Order 9397
Identify legal authorities​ governing information use and disclosure specific to the system and program.

Authority for maintenance of the system is given under Executive Order 9397, the Debt Collection Improvement Act, 31 United States Code (U.S.C.) § 7701(c)(1), and 5 U.S.C. 552a(b)(1), and 301.

The statutory authority is described in the provisions of sections 226A, 1875, and 1881 of the Social Security Act (Title 42 United States Code (U.S.C.), sections 426-1, 1395ll, and 1395rr).

Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

09-70-0538 – Individuals Authorized Access to Centers for Medicare & Medicaid Services (CMS) Computer Services (IACS).

ASPEN Complaints/Incidents Tracking System (ACTS) 09-70-0565

Hospice Item Set (HIS) 09-70-0548

Inpatient Rehabilitation Facilities – Patient Assessment Instrument (IRF-PAI) 09-70-0521

Long Term Care Hospitals Quality Reporting Program (LTCH QRP) 09-70-0539

Long Term Care Minimum Data Set (LTCMDS) 09-70-0528

HHA Outcome and Assessment Information Set (OASIS) 09-70-0522

Provider Enrollment, Chain, and Ownership System (PECOS) 09-70-0532

Medicare Beneficiary Database (MBD) 09-70-0536

Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • In-person
  • Online
  • Other - Non-Government Sources – Private sector
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • State/Local/Tribal
Identify the sources of PII in the system: Non-Government Sources
  • Members of the Public
  • Private Sector
Identify the OMB information collection approval number and expiration dateNo OMB information collection approval is required because PII is not collected directly from the individual about whom the information contains.
Is the PII shared with other organizations?No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.Personal information is only collected at the time that the CMS employee, direct contractor, or affiliate applies for access to the system. Page 3 of Application for Access to CMS Systems informs individuals that their PII is being collected and the purposes for collecting the PII. Users are authenticated via the Enterprise User Administration system, and as such, QNET ES does not collect PII directly from users for authentication purposes.
Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.Users can choose not to provide this information. However, users that do not provide this information will not be granted access. PII is required to verify the identity of users accessing CMS systems.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.PII is used only for user account management. This purpose is communicated to the user at the time of collection when the account is created. All users must re-certify their access within every 365 days and by doing so the user is consenting to the continued use of their PII. Additionally, PII may be used only by technical and project staff with role-based access as necessary in performance of job duties. Any change to the use of the individuals PII is governed by the PII Use change process. First, the nature of the change is cleared with the Product Owner, the ADO team and the ISSO. The change is documented in the Privacy Policy and other appropriate security documentation (PIA, System Security Plan (SSP) etc.). The user community is then notified of the PII use change and the updated Privacy Policy via email.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Individuals with concerns about PII collection and disclosure should follow the QualityNet Incident Response Procedures and contact the QualityNet Service Desk.

QualityNet Service Desk
Phone: 1-866-288-8912 (TRS 711)
TTY: 877-715-6222
E-Mail: QNET Support Email

The QualityNet Service Desk generates security incident tickets and assigns them to the appropriate team.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.All users must re-certify their access within every 365 days. PII is used by Help Desk personnel to identify points of contact for return calls related to information system or information technology related issues. Point of contact information is verified during the issue remediation process by Help Desk personnel. Help Desk personnel ask for the user's contact information during each engagement, even if the information has already been provided in previous calls or engagements.
Identify who will have access to the PII in the system and the reason why they require access.
  • Administrators:
    • UFM - UFM Administrator users need access to the user account information such as first name, last name, email address to review valid user accounts.
    • QNP/QualityNet: PII in the QNP content management system consists of username and password. No one will have access to a user’s password. Usernames will be visible to the QNP administrator (general, site, or content administrators) who are responsible for administering roles and access to the site and must be able to access user accounts to add or remove user access privileges.
    • CCSQ QualityNet Slack/QualityNet SurveyMonkey/Atlassian: Full name, User ID credentials, and email information for CCSQ users is stored for user management, auditing, and incident response functions performed by application admins and security personnel. For QualityNet Atlassian, Admin users do not require access to the data files which may contain PII/PHI uploaded by application users.
    • Udacity: Full name and email information for CCSQ users is stored for user management, auditing, and incident response functions performed by application admins and security personnel.
    • Splunk: Username and email information for CCSQ users are stored for user management, auditing, and incident response functions performed by application admins and security personnel.
  • Contractors:
    • HARP: CMS direct contractors with the approved HARP Security Official (SO) role have access to PII within the Security Official component of HARP which allows them to approve user role requests for each application. As a safeguard, users’ activities are logged and stored in Splunk for future audits and review.
    • QNP/QualityNet: CMS direct contractors with the approved PRS General User role have access to PII and PHI within PRS to maintain CMS Programs and provide hospital information used in Hospital Quality Reporting (HQR) applications. As a safeguard, users’ activities are logged and stored in Splunk for future audits and review.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.QNET ES applies the principle of least privilege as well as role-based method of granting rights. All users are assigned a role and each role’s rights are restricted to only data and server resources needed to perform their job. All Production access requires Program Manager as well CMS approval.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.QNET ES applies the principle of least privilege as well as role-based method of granting rights. All users are assigned a role and each role’s rights are restricted to only data and server resources needed to perform their job.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All system and site users are required to take the “Cyber Awareness Challenge” and “Identifying Safeguarding Personal Identifiable Information (PII)” provided by ccsq Department of Defense (DoD) Cyber Exchange. In addition, they must complete the HHS Records Management Training before they are granted user credentials. This training is required to be renewed annually for all existing users.

All users are trained to perform the duties necessary to work within the system to perform their specific job functions. In addition, individuals in roles with Significant Security Responsibility (SSR) are required to complete annual Role Based Training (RBT).

Describe training system users receive (above and beyond general security and privacy awareness training)Training opportunities are available through CMS-sponsored events, online Computer Based Training (CBT) and outside seminars with management's approval.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.Data is stored and destroyed in accordance with the CMS Records schedule which follows National Archives and Records Administration (NARA) General Record Schedules (GRS), specifically, GENERAL RECORDS SCHEDULE 3.2: Information Systems Security Records.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

PII is secured with a variety of security controls as required by CMS Acceptable Risk and Safeguards (ARS) and the CMS Security Program requirements.

Physical controls include, but are not limited to:

All physical controls inherited from AWS - the Cloud Service Provider (CSP) where QNET-ES currently resides.

Technical controls include but are not limited to:

user authentication with least privilege authorization

fire walls

Intrusion Detection and Intrusion Prevention systems (IDS/IPS)

Software configured with NIST security checklists

encrypted communications

hardware configured with a deny all/except approach

auditing and correlation of audit logs from all systems


Administrative controls include but are not limited to:

CMS Authorization to Operate

annual security assessments

monthly management of outstanding corrective action plans

ongoing risk assessments

automated continuous monitoring

background checks for all personnel

incident response procedures for timely response to security and privacy incidents

initial security training with refresher courses annually

annual role-based security training for personnel with assigned security roles and responsibilities

contingency plans and annual testing

Identify the publicly-available URL:

QNP/QualityNet: QualityNet
HARP: HARP Login
UFM: HARP MTF Login 
CCSQ QualityNet Slack: HCQIS.SLACK
QualityNet SurveyMonkey: HARP Login
QualityNet Atlassian:

QualityNet Confluence: QNET Confluence

QualityNet Jira: QNET Jira


TestRailQNET Test Rail

Udacity: Udacity

Does the website have a posted privacy notice?Yes
Is the privacy policy available in a machine-readable format?Yes
Does the website use web measurement and customization technology?No
Does the website have any information or pages directed at children under the age of thirteen?No
Does the website contain links to non-federal government website external to HHS?No

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

View all CMS PIAs