Qualified Health Plan Directory Pilot
Date signed: 4/24/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-1475657-863927 |
| Name: | Qualified Health Plan Directory Pilot |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Identify the operator: | Contractor |
| Is this a new or existing system? | New |
| Does the system have Security Authorization (SA)? | No |
| Planned Date of Authorization | 4/7/2025 |
| Describe the purpose of the system | The Qualified Healthcare Plan (QHP) Directory Pilot single source of truth database will be prepared using publicly available provider directory data from several sources such as NPPES (National Plan and Provider Enumeration System), machine readable, Transformed Medicaid Statistical Information System (T-MSIS), and Network Adequacy. This data will be ingested and cleansed, flowing through a data store in a medallion architecture. The QHP Directory Pilot application will include a web portal that can be accessed by providers, CMS personnel, and contractor Application Development Organization (ADO) personnel via authenticated login. The QHP Directory Pilot application will access a database that contains the single source of truth provider directory information. Providers will be able to update data that is associated with their NPI to correct as needed. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The QHP Directory Pilot application will access a database that contains the single source of truth provider directory information. Providers will be able to update data that is associated with their National Provider Identifier (NPI) to correct as needed. Data collected, stored and transmitted includes provider information: Full name, QHP Directory will not store or save data related to SSN or TIN. The aforementioned data will be retrieved from CMS IAM when users sign in. The information will be displayed to the user, but will not persist in the Single Source of Truth database. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The QHP Directory Pilot single source of truth database will be prepared using publicly available provider directory data from several sources including: NPPES, machine readable, T-MSIS, and Network Adequacy. This data will be ingested and cleansed, flowing through a data store in a medallion architecture. The QHP Directory Pilot application will include a web portal that can be accessed by providers, CMS personnel, and contractor ADO personnel via authenticated login. The QHP Directory Pilot application will access a database that contains the single source of truth provider directory information. Providers will be able to update data that is associated with their NPI to correct as needed. Data collected, stored, and transmitted includes provider information: Full name, QHP Directory Pilot will not store or save data related to Social Security Number (SSN) or Tax Identification Number (TIN). The aforementioned data will be retrieved from CMS Identity and Access Management (IAM) when users sign in. The information will be displayed to the user, but will not persist in the Single Source of Truth database. QHP Directory Pilot will use the CMS IDM platform to authenticate CMS and contractor users and will use the CMS IAM platform to authenticate provider users. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. | |
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
| How many individuals' PII in the system? | 100,000-999,999 |
| For what primary purpose is the PII used? | QHP Directory uses PII to control system access. PII is part of the information needed to maintain an accurate provider directory. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not Applicable. |
| Describe the function of the SSN. | The SSN is used to retrieve credentials from CMS IAM and verify the user. The SSN is not collected in QHP Directory, but is displayed for the user. |
| Cite the legal authority to use the SSN. | 42 U.S.C Section 18081 Affordable Care Act (ACA), Section 1414 Affordable Care Act (ACA), Section 1411 5 U.S.C. 301, Departmental Regulation, E.O. 9397. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Patient Protections and Affordable Care Act (Public Law No. 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law No. 111-151) Title 42 U.S.C sections 18031, 18041, 18081 - 18083 and section 1414. 5 USC Section 301, Departmental Regulations |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Health Information Exchange (HIX) 09-70-0560 02/06/2013 and updated 5/27/2013 and 10/23/2013 |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
| Identify the sources of PII in the system: Government Sources | |
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | OMB control number (approved 8/15/22): CMS-10803/OMB control number: 0938-NEW; CMS-10803/OMB control number: 0938-1415 Expiration Date 12/31/2027 |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Users will see the following displayed on login: PII Disclosure The Centers for Medicare & Medicaid Services (CMS) is committed to ensuring the security of your Personally Identifiable Information (PII). This policy outlines the types of PII we collect, how we use and protect it, and your rights regarding this information. Information We Collect Name In addition, the following technical details are collected automatically when you interact with the QHP Directory Pilot: IP address and approximate geographic location How We Use Your Information Provide access to the QHP Directory Pilot How We Protect Your Information Sharing of Information Request access to the PII CMS holds about you Contact Information This policy is subject to updates. Any material changes will be communicated through official CMS channels. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Users are notified of the method to opt-out in the new user welcome email. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Users will receive emails regarding the system when they are affected by major changes. Usernames and passwords are not distributed, so system modification will not change how data is protected. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals can change PII-related information by editing their provider information after logging into the QHP Directory Pilot Portal. The PII that can be edited by users includes full name, phone number, date of birth, email address, and physical address. If PII has been inappropriately disclosed, obtained or used, users will receive written notice regarding privacy breaches. The HHS Office for Civil Rights can receive individuals' concerns regarding PII or PHI and can then notify CMS of potential issues. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | A user audit is performed on a monthly basis. User audits, which consist of a review of user activity, failed login attempts, inactive users, and password changes, are conducted by the QHP Directory Information System Security Officer (ISSO). The QHP Directory Pilot Program Privacy Officer also conducts a monthly audit of PII usage. |
| Identify who will have access to the PII in the system and the reason why they require access. | |
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Role-based access control, need-to-know, and least privilege principles guide which system users have access to PII. Only those whose work duties must involve PII data are given access. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | QHP Directory Pilot and CMS use role-based access control, least privilege, and need-to-know security methodology to ensure that only authorized and authenticated users have access to PII-related information if required by their work duties. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS users are required to complete the annual CMS Security and Privacy Awareness training, provided as a Computer Based Training (CBT) course. Any individuals with privileged access must also complete role-based security training commensurate with the position they are working. Contractors also complete their own annual corporate security training. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | No additional training required. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | QHP Directory Pilot follows the CMS Records Schedule published April 2015 and the National Archives and Records Administration (NARA) General Records Schedule (GRS) 3.1, 3.2, 4.3, and 5.1. Specifically, National Archives Records Association (NARA), General Records Schedule (GRS) 3.2 states that QHP Directory Pilot will destroy/delete when 7 years 6 months, 10 years 6 months, or 20 years 6 months old, based on the maximum level of operation of the Certification Authority, or when no longer needed for business, whichever is later; and GRS 5.2 states that QHP Directory Pilot will delete/destroy when agency determines they are no longer needed for administrative, legal, audit or other operational purposes. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | QHP Directory Pilot uses role-based access control, least privilege and need to know security methodology to ensure only the authorized and authenticated users have access to PII related information if required by their work duties. QHP Directory Pilot integrates with CMS I&A platform to perform authentication and multifactor authentication for providers. The general public can use an unauthenticated mode to search for the provider directory. CMS IDM is used to authenticate CMS and contractor personnel. Encryption is used by the QHP Directory Pilot system for data in transit and at rest. Physical controls will be inherited from Amazon Web Services. QHP Directory Pilot will reside in CMS AWS East. |
| Identify the publicly-available URL: | Website is currently in the development stage and is not available at this time. |
| Does the website have a posted privacy notice? | Yes |
| Is the privacy policy available in a machine-readable format? | No |
| Does the website use web measurement and customization technology? | Yes |
| Select the type of website measurement and customization technologies in use and whether they are used to collect PII. (Select all that apply) | |
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | No |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services