
Quality Improvement and Evaluation System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 11/5/2024

PIA Information for the Quality Improvement and Evaluation System
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-1077200-216920

Name:

Quality Improvement and Evaluation System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

7/12/2022

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

N/A

Describe the purpose of the system

The Quality Improvement and Evaluation System (QIES) supports the collection, analysis, and reporting of provider and beneficiary specific outcomes of care and performance data across a multitude of delivery websites for use in improving the quality and cost effectiveness of services provided by the Medicare and Medicaid programs. QIES consists of databases housed in the States and at the Centers for Medicare and Medicaid (CMS) with direct access for Quality Improvement Organizations (QIO) that support the Center for Clinical Standards and Quality (CCSQ) QualityNet (QNet) program.  QIES supports these organizations in the following ways: CCSQ uses quality information, Center for Medicare (CM) uses payment information, and Disabled and Elderly Health Programs Group (DEHPG) uses Medicaid survey information. 
  
QIES Data Management System (DMS) tools act as a staging area where the assessment data submitted by hospice facilities is edited, and validation reports are made available to CMS organizations.
 
QIES interfaces nationally with providers, state surveyors, and CMS Central Office (CO) and Regional Office (RO) via the QIES-to-Success portal.
 
Through the QIES-to-Success portal, stakeholders have access to the reporting subsystem, CASPER (Certification And Survey Provider Enhanced Reporting), which offers a standard, pre-determined reports library that pulls data from the QIES national assessment and survey database.

QIES Automated Survey Processing Environment (ASPEN) suite provides software for state and federal surveyors to schedule surveys, collect and track survey results, complaint investigations and enforcement activities. In addition, QIES collects Emergency Medical Treatment & Labor Act (EMTALA) complaints from cms.gov into the ACTS system. 

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

Information used within QIES includes Personally Identifiable Information (PII) and Protected Health Information (PHI): Name, Date of Birth (DOB), Social Security Number (SSN), mailing address, phone number, email address, Provider Name, Provider Number, Unique Provider Identification Number, National Provider Identification Number, Medical Notes, Medical Record Number, Medicare Beneficiary Identifier (MBI), race/ethnicity, and sex. 

Regarding whose information is collected, there are two different types of data:

For users who register to submit assessment data for a provider, the data collected during registration is name, DOB (though not required), SSN (though not required), home address, work phone, and work email address. The DOB and SSN fields were added to help facilitate the migration of users to the security system that preceded HARP.

The other PII/PHI fields mentioned are part of assessment collection data.  Separate from the User ID data, Hospice providers submit assessment data for patients/residents as part of the terms of their Medicare certification.

The period of retention for this information is 10 years.

Other PII includes the User Credentials (User ID and Password) required to use QIES. User IDs and initial, temporary passwords are provided by the QIES System Administrator.

User IDs are kept in the system if accounts are active. Inactive IDs are deleted after 365 days of inactivity. When users self-register for an account, the password they choose at registration is valid for 60 days. After 60 days the password will expire and must be changed. QIES System Administrators do manually assign temporary passwords when needed. The user is required to change the temporary password when they log in.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

QIES is a national repository that contains resident and patient assessment data, including clinical data of patients and residents. The data offers a comprehensive view of resident/patient functional capacities. The data is used for payment of providers and evaluation of quality of care. The information helps CMS staff to identify health problems. QIES also contains information that tracks and processes complaints and incidents reported against Medicare and Medicaid providers and suppliers.

The purpose is to measure clinical outcomes and patient risk factors, and to aid in the administration of the survey and certification of Medicare and Medicaid providers and suppliers and CLIA (Clinical Laboratory Improvement Amendments Act) laboratories. 

The data contains PII data, including Name, Date of Birth (DOB), Social Security Number (SSN), mailing address, phone number, email address, Provider Name, Provider Number, Unique Provider Identification Number (UPIN), National Provider Identification Number (NPI), Medical Notes, Medical Record Number, Medicare Beneficiary Identifier (MBI), race/ethnicity, and sex.

Other PII includes User Credentials (User ID and Password). The submission of this data is voluntary but required to use the system.  

CMS analysts use QIES to provide oversight of the States, conduct data analysis, review cases, run reports and prepare surveys. Data for these operations is pulled using individual elements of PII listed above or a combination thereof.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number
  • Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Date of Birth
  • Mailing Address
  • Medical Records Number
  • Other - Provider Name, Provider Number, Unique Provider Identification Number, National Provider Identification Number, Medical Record Number, Medicare Beneficiary Identifier, race/ethnicity, and sex, User Credentials (User ID and Password)

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees
  • Patients

How many individuals' PII in the system?

10,000-49,999

For what primary purpose is the PII used?

QIES contains Nursing Home resident/patient assessment information, and clinical data. The PII and PHI is used for payment, measurement of quality of care, and tracking/processing complaints and incidents reported against Medicare and Medicaid providers and suppliers. The purpose is to measure clinical outcome monitoring, patient risk factors, and to aid in the administration of the survey and certification of Medicare and Medicaid providers, suppliers, and Clinical Laboratory Improvement Amendments (CLIA) entities. The PII and PHI data includes Name, DOB, SSN, mailing address, phone number, email address, Provider Name, Provider Number, UPIN, NPI, Medical Notes, Medical Record Number, Medicare Beneficiary Identifier (MBI), race/ethnicity, and sex. Other PII includes User Credentials (User ID and Password).

QIES users are Centers for Medicare and Medicaid (CMS) Central Office and Regional Office staff. QIES also shares data with State agencies, Fiscal Intermediaries (FIs), Regional Home Health Intermediaries (RHHIs), and Quality Improvement Organizations (QIOs) for the purpose of health care quality and payment. Also, data may be disclosed to entities that meet Privacy Act requirements for routine uses as stated in the System of Record Notice (SORN). These entities must have a Data Use Agreement (DUA). QIES uses several patient identifiers together, one being the SSN, to ensure an accurate matching so that an episode/stay is created for each patient. The episodes/stays are used to calculate quality measures (QMs), which use multiple assessments for each patient for each provider. These measures are publicly reported by CMS. In addition, CMS uses the patient assessments to determine payment for each Medicare beneficiary.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

N/A

Describe the function of the SSN.

The Social Security Number (SSN) is used for accuracy when matching the claim to the proper beneficiary and proper payment.

Cite the legal authority to use the SSN.

Medicare Improvements for Patients and Providers Act (MIPPA), 2008, E.O. 9397

Identify legal authorities governing information use and disclosure specific to the system and program.

Medicare Improvements for Patients and Providers Act (MIPPA) 2008, 1974, Section 153c
Medicare, Medicaid, and SCHIP Extension Act (MMSEA), 2007
Tax Relief and Health Care Act (TRHCA)
Affordable Care Act (ACA), 45 CFR 155.210(e)

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

ASPEN Complaints/Incidents Tracking System (ACTS) 09-70-0565
Hospice Item Set (HIS) 09-70-0548
Inpatient Rehabilitation Facilities – Patient Assessment Instrument (IRF-PAI) 09-70-0521
Long Term Care Hospitals Quality Reporting Program (LTCH QRP) 09-70-0539
Long Term Care Minimum Data Set (LTCMDS) 09-70-0528
HHA Outcome and Assessment Information Set (OASIS) 09-70-0522

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Online

Identify the sources of PII in the system: Government Sources

  • Other HHS OPDIV
  • State/Local/Tribal
  • Other Federal Entities

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

Not applicable per the QIES Contract Officer Representative (COR)

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Within HHS: Centers for Disease Control and Prevention (CDC) to meet joint agency priorities related to Healthcare Associated Infection (HAI) prevention and quality reporting and improvement initiatives.
  • Other Federal Agency/Agencies: Social Security Administration (SSA) uses the admission and discharge information for care received to administer the Supplemental Security Income (SSI) program efficiently and to identify Special Veteran’s Benefits (SVB) beneficiaries who are no longer residing outside of the United States.
  • Private Sector: Payment and quality of care.
  • State or Local Agency/Agencies: Track and process complaints and incidents reported against Medicaid providers and suppliers.

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

Computer Matching Agreement (CMA), Title: Disclosure of Nursing Care Facility Admission and Discharge Information, Identifier: HHS 2309

Interagency Agreements (IAAs):  IA24-11 Social Security Administration; IA24-14 Centers for Disease Control and Prevention (CDC) 

Describe the procedures for accounting for disclosures

CMS Incident Response and Breach Notification Procedures; The Privacy Act of 1974 (5 U.S.C. § 522a) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R. Parts 160 and 164) allow CMS to disclose information without an individual’s consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a "routine use." The proposed routine uses in this system meet the compatibility requirement of the Privacy Act.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Third parties (providers) are responsible for providing notice to patients.

QIES system users are notified that their PII is being collected by a system banner that is presented upon entering a user’s credentials.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Members of the public do not interact with the QIES system. The original collectors (providers) communicate directly with beneficiaries on the use of their PII.

There is no opt-out capability for QIES system users - at the States, CMS HQ and Regional Offices - as login credentials (User ID and Password) are required to access the system.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

The original collectors (providers) obtain consent directly from beneficiaries. 

This PIA would be updated if a major change to the system were to occur. Notification of the public would not be sought as these changes would otherwise be transparent.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Any concerns regarding the inappropriate use or disclosure of a beneficiary's PII are first addressed to the relevant provider. A beneficiary has recourse to CMS if this does not address any issues.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

Routine reviews and automatic database validation are used to ensure data integrity and availability within QIES.

PII is also reviewed for accuracy and relevancy by the user upon data entry into the application in addition to system defined validation by the application.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Users may access PII authorized under a Data Use Agreement.
  • Administrators: System Administrators may access PII to manage the system and troubleshoot potential issues.
  • Developers: Developers may access PII to troubleshoot potential issues.
  • Contractors: Direct contractors authorized by CMS may access PII to conduct tasks under the assigned contract.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

System user access to PII is given by assigning specific roles/privileges to each user account.  The process of assigning these privileges utilizes the principle of least privilege.  Users are only granted access based on their job responsibilities. To ensure the level of access is maintained for each of the roles, the role creation process involves analysis of the role definition and type of access granted by the role. Periodic account and access review ensures that system users are still authorized to view PII.  Inactive accounts are automatically expired at set intervals following the CMS Acceptable Risk Safeguards (ARS) requirements.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

QIES uses the principle of least privilege as well as role-based access control (RBAC) to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis corresponding with their assigned duties. System Administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user, modifying their user role(s), or by removing their access if no longer required. 

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

CMS requires all employees and contractors to undergo annual Security Awareness Training (SAT) in order for each user to maintain their access to the system. All QIES users are required to complete security awareness training to obtain an account. Training courses typically taken are: Annual Security Briefing, Security Awareness Training, Health Insurance Portability and Accountability Act (HIPAA) Privacy Training, Risk Management, Ethics and Business Conduct, Privacy and Security of Personal Information.

Describe training system users receive (above and beyond general security and privacy awareness training)

QIES Maintainers undergo annual Role Based Training (RBT) specific to the targeted roles of Program and Business Managers, System Administrators, and Developers.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

QIES has a National Archives and Records Administration (NARA) Records Schedule Number DAA-0440-2015-0009, Records Disposition Authorization, N1-440-09-003, which states that records are destroyed when 10 years old, or when no longer needed for Agency business, whichever is later.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative: Only access necessary to perform respective job duties is granted.  Authentication and access control profiles are maintained.  Users may only view information and perform tasks according to pre-assigned security and access control profiles determined by the system administrator.

Technical: The following controls are in place to minimize the possibility of unauthorized access, use or dissemination of the data in the system: User Identification, passwords, firewall, Virtual Private Network (VPN), Encryption, Intrusion Detection System (IDS).

Physical: QIES resides in the Amazon Web Services (AWS) Eastern Zone.

State Data Centers where information is stored use Guards, ID badges, Key Cards, Cipher Locks, Biometrics and Closed-Circuit TV to secure physical controls.

 

Session Cookies - Collects PII?:

No