
Qualified Entity Certification Program CRM System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 2/15/2024

PIA Information on Qualified Entity Certification Program CRM System
PIA Questions: PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-2113752-430334
Name: Qualified Entity Certification Program CRM System
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? Yes
Identify the operator: Agency
Point of Contact (POC) Title: Centers for Medicare & Medicaid Services (CMS) Information System Security Officer (ISSO)
Is this a new or existing system? New
Does the system have Security Authorization (SA)? No
Planned Date of Authorization: 1/1/2024
Describe the purpose of the system: The Qualified Entity Certification Program (QECP) is the certification arm of the Medicare Data Sharing Program. The purpose of the QECP is to evaluate and certify an entity’s ability to serve as a Qualified Entity (QE). QEs are organizations that use Medicare Data to produce and publicly disseminate CMS-approved reports on provider performance. Each of these entities goes through a multi-phased process where they are evaluated based on their clinical data, ability to securely store their data, and other factors. Once approved, the entities must also adhere to the rules of the program by providing certain reports on at least an annual basis and reapplying to maintain their qualified status. To accommodate these activities, OEDA has used a Salesforce Customer Relationship Management (CRM) cloud-based application since June of 2019. With the implementation of the CRM, the objective was to create a state-of-the-art application to increase the overall number of entities participating in the program by improving the application and reapplication process, enhancing data collection activities to improve self-help tools for users, and providing better reporting and analytics for OEDA.
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements): The QECP CRM collects and maintains/stores information related to organizations that have considered becoming Qualified Entities (QEs). The information we collect pertains primarily to the organizations that are applying, such as the organization name, address, phone, security information related to their storage of claims data, and the substantive nature of the claims data the organization stores. In addition, the system collects PII in the form of first name, last name, phone, email address, organization name, and digital signatures of users who register for this system on behalf of their organization. The system also collects and stores Portable Document Format (PDF) documents that have a digital signature on them, which serves as verification that the signatory is attesting that whatever information is being provided by the QEs is truthful.
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. The purpose of the QECP is to evaluate and certify an entity’s ability to serve as a QE. To that end, the QECP CRM needs to collect information that allows organizations to register and provide information necessary to become certified and stay certified. This information must also be attested to. The PII collected is to support user registration of the system. Email addresses are used to communicate with users to support and assist them through the process.
Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Other - Digital Signatures on PDF documents and Organization name
Indicate the categories of individuals about whom PII is collected, maintained or shared. Other - All users of the system will be required to provide this. Corporate officers or others obligated to bind the QEs, such as Chief Executive Officers (CEOs) or Directors, may digitally sign documents.
How many individuals' PII in the system? 100-499
For what primary purpose is the PII used? The primary purpose is to register for the application.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research): Not Applicable
Describe the function of the SSN. Not Applicable
Cite the legal authority to use the SSN. Not Applicable
Identify legal authorities governing information use and disclosure specific to the system and program. CMS Office of Enterprise Data Analytics (OEDA)
Are records on the system retrieved by one or more PII data elements? Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. SORN is Not Applicable to the QECP CRM system.
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • In-Person
  • Online
  • Other - We collect the email, phone, and names of the user provided to set up the account. It is limited to user registration. We also collect the signatory of the corporate officer whose digital signature is provided.
Identify the sources of PII in the system: Government Sources: Other - CMS Government employees who have access to the CRM. We only have name and email of the two employees.
Identify the sources of PII in the system: Non-Government Sources: Other - The QE organizations who want to participate in the QECP.
Identify the OMB information collection approval number and expiration date

0938-1144 

Title: Application and Triennial Re-application to Be a Qualified Entity to Receive Medicare Data for Performance Measurement (Affordable Care Act (ACA) Section 10332) (CMS-10394) 

Exp: 09-30-2025 

0938-1309 

Title: QECP Annual Report Workbook Submission Requirement for Qualified Entities under ACA Section 10332 (CMS-10589) 

Exp: 08/31/2024

Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. They are notified at the time of registration that their name and email is required. There are Frequently Asked Questions (FAQs) and knowledge articles to help guide users through this process.
Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. They are not permitted to opt out if they want to use the system.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. They are notified at the time of registration that their name and email is required.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. If an individual believes that a covered entity or business associate violated his/her health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules, he/she may file a complaint with the Office for Civil Rights (OCR). The individual may also file a Health Insurance Portability and Accountability Act of 1996 complaint via email at hipaacomplaint@hhs.gov. If you have any questions or concerns about your PII, please contact us at support@qemedicaredata.org. QECP will review and respond within 1 business day.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. As part of the complaint investigation and resolution process employed by QECP CRM, there are monthly reviews to ensure that users don't have elevated privileges and that user accounts are terminated if they are no longer employed on the QECP CRM contract, along with reviews of log files for configuration changes, errors, and anomalies to ensure confidentiality, integrity, and availability.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: As part of the QECP team they are required to communicate and correspond with QE users.
  • Administrators: As part of the QECP team they are required to communicate and correspond with QE users, assign roles to users, and may be exposed to the user's personally identifiable information (PII) to link access rights to a specific user's name.
  • Developers: As part of the QECP team they are required to test design enhancements as needed.
  • Contractors:  QECP CRM Direct Contractors who act in the role of administrators may be exposed to the user's personally identifiable information (PII) to link access rights to a specific user's name.
  • Others - All QECP contractor personnel and government staff have access to this information.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

It is a general requirement that all contractor, subcontractor, and government personnel can review contact records.  

Also, administrators are required to communicate and correspond with QE users, assign roles to users, and may be exposed to the user's personally identifiable information (PII) to link access rights to a specific user's name. Only users who have a business need to access PII are assigned a role with PII access.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. Role Based Access is granted to individuals who access the system in an effort to minimize the amount of data available to only that which is necessary to accomplish their specific job responsibilities.
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All Centers for Medicare and Medicaid Services (CMS) employees and CMS direct contractors are required to complete annual mandatory Information Systems Security Awareness and HHS Privacy Training. This training is required prior to gaining access and required to maintain access to all CMS systems.

All CMS employees and CMS direct contractors are required to read and acknowledge The Rules of Behavior for Use of HHS Information Resources. A signed and dated acknowledgment is required.

Describe training system users receive (above and beyond general security and privacy awareness training)

Contractor and subcontractor staff engage in monthly data security trainings. External users of the system are trained by contractor and subcontractor personnel directly. Users also have access to knowledge articles and FAQs on how to use the application. These trainings are applicable to administrators.

Also, personnel with responsibilities regarding security, incident handling, and/or contingency activities are provided additional training and perform tabletop exercises that test their roles' responsibilities. Refresher training/exercises are repeated at least annually. Additional training includes Insider Threat Training and Role-based System Security Training as needed.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

CMS websites keep data collected long enough to achieve the specified objective for which they were collected. The data generated from these activities (including Salesforce) falls under the National Archives and Records Administration (NARA) General Records Schedule (GRS) 3.1 – General Technology Management Records and will be handled according to the requirements of that schedule (Item 012 - Information technology development project records: Special purpose computer programs and applications).

Information technology operations and maintenance records. 

Information Technology Operations and Maintenance records relate to the activities associated with the operations and maintenance of the basic systems and services used to supply the agency and its staff with access to computers and data telecommunications. Includes the activities associated with IT equipment, IT systems, and storage media, IT system performance testing, asset and configuration management, change management, and maintenance on network infrastructure.  Includes records such as files identifying IT facilities and sites, files concerning implementation of IT facility and site management, and equipment support services provided to specific sites reviews, site visit reports, trouble reports, equipment service histories, reports of follow-up actions and related correspondence.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative: Users are provided with privacy training to understand how to properly handle and disclose privacy data. 

Technical: Role-based access has been employed by the application to ensure that users only have access to the data which is needed in the performance of their specific jobs. Technical controls also include the inherited and enforced controls of the Salesforce cloud. This includes the requirement that any user attempting to access the application must log in using multi-factor authentication (MFA).

Physical: Physical controls are administered by the Salesforce Data Center facility where the application will physically reside. The Salesforce facility has security guards and controlled access rooms with cipher locks to guard against unauthorized access.

Identify the publicly-available URL: https://www.qemedicaredata.org/
Does the website have a posted privacy notice? Yes
Is the privacy policy available in a machine-readable format? Yes
Does the website use web measurement and customization technology? Yes
Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply)
  • Web Beacons - Collects PII?: No
  • Web Bugs - Collects PII?: No
  • Session Cookies - Collects PII?: No
  • Persistent Cookies - Collects PII?: No
  • Other - Collects PII?: No
Does the website have any information or pages directed at children under the age of thirteen? No
Does the website contain links to non-federal government websites external to HHS? Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? Yes