Skip to main content

Quality Payment Program

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 1/22/2024

PIA information for Quality Payment Program
PIA QuestionsPIA Answers
OPDIV:CMS
PIA Unique Identifier:P-8975634-526459
Name:Quality Payment Program
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?Yes
Identify the operator:Contractor
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization1/13/2025
Indicate the following reason(s) for updating this PIA. Choose from the following options.PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.

The Quality Payment Program (QPP) internal Claims application has implemented a method of de-identifying Personally Identifiable Information (PII) taken from the Integrated Data Repository on Cloud (IDRC) and moving that de-identified data into lower tier environments for development purposes. IDRC is a separate Federal Information Security Management Act (FISMA) system that has an authority to operate (ATO) covering its lower tier environments while QPP’s ATO only covers the production environment. The team can now run tests on obfuscated data in lower tier environments before pushing changes into production.

Previously, IDR was in a data center in Baltimore. At the end of 2023, the physical data center was decommissioned, so QPP moved to IDR’s cloud offering.

Describe the purpose of the systemThe purpose of Quality Payment Program (QPP) is streamlining and strengthening value and quality-based payments for all physicians, rewarding participation in Advanced Alternative Payment Models (APMs) that create the strongest incentives for high-quality, coordinated, and efficient care, and giving doctors and other clinicians flexibility regarding how they participate in the new payment system.
The Quality Payment Program (QPP) was designed to be deployed in three releases. The first release of QPP was a public informational website hosted on cms.gov that requires no registration or account creation to access. The website provides an overview of the Quality Payment Program (QPP). The second QPP release, which went live in January 2017, implemented a moderate security baseline to support the hosting of Personally Identifier Information (PII) and Protected Health Information (PHI) data. Release 2 included user authentication supported by the existing Identify & Access (I&A) and Enterprise Identity Management (EIDM) systems in conjunction with the Okta identity as a service (IaaS) solution. In release 2, participating providers can log into the QPP application to view their provider information on record. This information is received from Centers for Medicare and Medicaid Services (CMS) Provider Enrollment Chain and Ownership System (PECOS), which is covered by its own Privacy Impact Assessment (PIA). The third release, which is live as of January 2018, enabled clinicians to login with Okta to view their submission information and preliminary scoring results, enabled new submissions and reporting methods via Application Programming Interfaces (APIs), as well as implemented new and improved measures and analytics. Quality Payment Program (QPP) System of Records Notice (SORN) 09-70-0539 was also issued in March of 2018 which replaced existing Performance Measurement and Reporting System (PMRS) and Physician Quality Reporting Initiative (PQRI) SORNs.
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

Quality Payment Program (QPP) consolidates information from several existing Medicare reporting programs: The Value-Based Modifier (VBM), and the Electronic Health Record (EHR) Meaningful Use Program. This information will be received from the Centers for Medicare and Medicaid Services (CMS) Integrated Data Repository (IDR) and originates from the CMS Provider Enrollment Chain and Ownership System (PECOS) system which is separately accredited.

The system receives and stores quality measures data from eligible clinicians, group practices, and Advanced Alternative Payment Models (APMs).  The measures data will be comprised of three categories:  Quality, Improvement Activities (IA), and Advancing Care Information (ACI). Each category is a set on measures or activities.  The IA and ACI categories are practice specific measures/activities, while the quality category measures across an aggregation of all beneficiaries in a practice.

Quality Payment Program (QPP) system does not collect user credentials from system and database administrators, CMS employees and direct contractors. QPP system users access a separate system, Amazon Web Services (AWS), to obtain access to QPP.

End user clinicians are registered users of the Health Care Quality Information System (HCQIS) Access Roles and Profile (HARP) system, which Okta Identity as a Service (IDaaS) references for initial authentication. There is no new user registration currently. Collection of user credential all occurs in these separate systems outside the boundary of QPP.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The following Provider Information is being collected from other Centers for Medicare and Medicaid Services (CMS) data sources (Provider Enrollment Chain and Ownership System (PECOS), shared with Quality Payment Program (QPP), and maintained temporarily within the QPP database:

Provider Base: Provider Base Identifier, Enrollment Identifier, Provider Enrollment Type Code, Provider Entity Type Code, Provider First Approved Date, Provider First Name, Provider Sex Code, Provider Last Approved Date, Provider Last Name, Provider Middle Name, National Provider Identifier (NPI) Number, Provider Organization Name, PECOS Identifier, Geographic United States Postal Service (USPS) State Code, Provider Enrollment Status Code, Tax Identifier Number (TIN) Number, Provider TIN Type Code, End Date, Status Date

Provider Reassignment: Provider Reassignment Identifier, Assignee Identifier, Reassigned to Identifier, Effective Date, End Date

Provider Specialty: Provider Specialty Identifier, Provider Base Identifier, Specialty Code

Specialty Reference: Specialty Description

Provider Address: Provider Address Identifier, Provider Base Identifier, Address Type Code, City Name, Line 1 Address, Line 2 Address, Geographic USPS State Code, ZIP Code

Provider Special Scenario: Provider Special Scenario Identifier, Provider Relationship Identifier, Program Year Number, Run Number, Critical Access Hospital Switch, Provider Aggregation Level Code, Beneficiary Visit Count, Allowed Charge Amount, Low Volume Exclusion Qualification Switch, Cause Low Volume Switch, Patient Facing Encounter Count, Less than 100 Patient Facing Provider Count, National Provider Identifier (NPI) Total Count, Meet Non Patient Facing Criteria Percent, Non Patient Facing Qualification Switch, Hospital Based Covered Professional Services Amount, Total Covered Professional Services Amount, Hospital Based Services Percent, Hospital Based Clinician Qualification Switch, Clinician Count, Provider Small Group Switch, Highest Part B Charge Specialty Name, Multiple Specialty Switch, Merit Based Incentive Payment System Eligible Clinician Switch, Rural Qualification Switch, Provider First Claim Number, Health Professional Shortage Area Qualification Switch

No User Credentials are being collected directly by the QPP application. For authentication, QPP leverages the HCQIS Access Roles and Profile (HARP) system coupled with the Okta identity as a service (IDaaS) solution. Only users who have existing HARP accounts will be able to access QPP to view their provider information on record. No user credential information is stored within the QPP application database.

User credentials used by a Provider to access QPP will be stored within the Federal Risk and Authorization Management Program (FedRAMP) approved and CMS assessed Okta Identity as a Services (IDaaS) solution.

Okta User Credential information: Username, first name, Last name, Middle name, Primary email, Honorific suffix, NPI status code, NPI, Primary phone, Profile status code, Security status code, Registration status code, Country code, Record status code, Password status, Hard locked code, Security questions attempts, User information attempts, Source Type, Password Source.

Developer and Administrator access to the QPP backend is managed through Amazon Web Services (AWS) by the Infrastructure Contractor for the CMS AWS instance, General Dynamics.

Regarding records access using PII information, clinicians/providers using QPP would be able to authenticate using their HARP credentials and then based off their user role/entitlement (User or Security Official) have access to their own information or their organization's information respectively.  The Tax Identifier Number (TIN) is used as a unique record identifier and helps CMS to attribute quality of care to a specific provider. Determining accurate quality of care will help to improve Medicare payments for provider's services. The TIN is what ties the HARP users (provider/clinician) to their appropriate records within QPP. Records can also be queried using PII fields including First Name, Last Name, and Mailing Address. 

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • Taxpayer ID
  • Mailing Address
  • Other - Other - Provider Base Identifier, Enrollment Identifier, Provider Enrollment Type Code, Provider Entity Type Code, Provider First Approved Date, Provider First Name, Provider Provider Last Approved Date, Provider Last Name, Provider Middle Name, NPI Number, Provider, Organization Name, PECOS Identifier, Geographic USPS State Code, Provider Enrollment Status Code, TIN, Provider TIN Type Code, Provider Reassignment Identifier, Assignee Identifier, Reassigned To Identifier, Provider Specialty Identifier, Specialty Code, Provider Address Identifier, Address Type Code, City Name,  Address, Geographic USPS State Code, ZIP Code, Provider Special Scenario Identifier, Provider Relationship Identifier, Program Year Number, Run Number, NPI Total Count, Hospital Based Covered, Provider First Claim Number
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Public Citizens
  • Vendors/Suppliers/Contractors
  • Other - Hospitals and Providers
How many individuals' PII in the system?1,000,000 or more
For what primary purpose is the PII used?PII is used to attribute quality of care to specific providers. The Taxpayer Identification Number (TIN) is used as a unique record identifier. Determining accurate quality of care will help improve Medicare payments for provider’s services.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)No secondary uses for PII
Describe the function of the SSN.SSNs may be collected as TINs for individual providers and are used as unique record identifiers to attribute quality of care to a specific provider.
Cite the legal authority to use the SSN.Authority is given under sections 1124 and 1124A of the Social Security Act.
Identify legal authorities​ governing information use and disclosure specific to the system and program.Authority is given under provisions of sections 1102(a) (Title 42 U.S.C. 1302(a)), 1128 (42 U.S.C. 1320a–7), 1814(a)) (42 U.S.C. 1395f(a)(1), 1815(a) (42 U.S.C. 1395g(a)), 1833(e) (42 U.S.C. 1395I(3)), 1871 (42 U.S.C. 1395hh), and 1886(d)(5)(F), (42 U.S.C. 1395ww(d)(5)(F) of the Social Security Act; 1842(r) (42 U.S.C. 1395u(r)); section 1124(a)(1) (42 U.S.C. 1320a–3(a)(1), and 1124A (42 U.S.C. 1320a–3a), section 4313, as amended, of the BBA of 1997; and section 31001(i) (31 U.S.C. 7701) of the DCIA (Pub. L. 104–134), as amended.
Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.Quality Payment Program (QPP) SORN 09-70-0539 has its own SORN which was initially published on 02/14/2018, reviewed annually or more often depending on system changes.
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
Identify the sources of PII in the system: Non-Government Sources
  • Members of the Public
  • Other - Hospitals and Providers
Identify the OMB information collection approval number and expiration dateQuality Payment Program/Merit-Based Incentive Payment System (MIPS) (CMS-10621) OMB Control Number 0938-1314 expires 1/31/2028.
Is the PII shared with other organizations?No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.Not applicable as user credential personal information is collected completely outside of the scope of QPP through CMS accredited FISMA system HARP, which has its own PIA listed under the QualityNet Enterprise Services (QNET ES) FISMA Moderate system. Notification is provided by the source system, HARP, at the time of collection. 
Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Reporting quality payment data is purely voluntary by Eligible Professionals (i.e., health care delivery professionals) or Group Practices. Opt out procedures at the physician or at the Group Practice level is not known to QPP. This is external to the Program. Opt out occurs at the physician/facility level, external to the QPP system.

System user's credential information is collected by Okta, HARP, Enterprise User Administration (EUA), and therefore no process exists within QPP.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Notification of collection of physician Personally Identifiable Information/Protected Health Information (PII/PHI) also occurs outside of the scope of the QPP system at the facility level via the quality measures data forms submitted by the physicians or qualified data registries.

System user's credential information is collected by Okta and HARP, and therefore no process exists within QPP.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Individuals with concerns about PII collection and disclosure are referred to the local Quality Improvement Organization (QIO) Security Point of Contact (POC). If the QIO is not able to assist the individual directly, they will raise the issue to the Quality Net Enterprise Service Desk by issuing a ticket.

System user's credential information is collected by Okta, HARP, and EUA, and therefore no process exists within QPP. Users will need to contact the QualityNet Service Desk to resolve PII complaints.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.Physicians and facilities are required to annually (at minimum) verify the information they have submitted is still accurate and relevant. Modifications to the data are logged and can be attributed specifically to the user doing the modifications via their CMS enterprise credentials. If PII is somehow accidentally or intentionally destroyed by a user responsible for that PII, it can be restored from backup.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Users are provided a user manual and have access to only their own PII for the purpose of verifying accuracy.
  • Administrators: Administrators have access to the system to ensure it is running properly. Generally, PII access is not necessary to resolve issues, but in some cases it is necessary. Admins sign non-disclosure agreements and take annual CMS-required security and privacy training as a requirement of their role.
  • Developers: Developers have access to the PII for development and testing purposes for system enhancements, fixes, and provider assistance (help desk). Developers sign non-disclosure agreements and take annual CMS-required security and privacy training as a requirement of their role.
  • Contractors: Direct contractors are comprised of administrators and help desk personnel. Direct contractors may have access to PII for purposes of troubleshooting user and system issues. Direct contractors sign non-disclosure agreements and take annual CMS-required security and privacy training as a requirement of their role.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

All users of the system have access to PII, the extent of which depends on their system role. System roles have been defined within the system security plan (SSP) for QPP and were created and approved by the Business Owner and Product Owners of QPP. Roles are reviewed at least annually to determine if they are still applicable.

Providers with a HARP account is assigned a specific user role within Okta to access QPP.

Developer and Administrator access to the QPP backend is managed through Amazon Web Services (AWS). This access requires a CMS Enterprise User Administration (EUA) account with specific Job codes which define the user role.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

All providers are assigned a standard user role within Okta designed to give the least privilege required to perform their duties. There are no advanced user roles for providers.

Developer and Administrator access to the QPP backend is managed through Amazon Web Services (AWS) by the Infrastructure Contractor for the CMS AWS instance, General Dynamics. Users are required to first register with the CMS Enterprise User Administration (EUA) and request the proper job codes (requiring CMS Access Administrators (CAA) and Contract Officer Representative (COR) approval) to allow them. Jira and EUA are used to request and get approval for specific roles, group membership and access. Users must request specific job codes for specific access through EUA. EUA Job codes define the access to the applications and roles needed within the application. Least privilege access is enforced using this method.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All system users are required to take the CMS Cyber Awareness Challenge Computer Based Training (CBT) annually as well as the Identifying and Safeguarding Personally Identifiable Information (PII) training endorsed by CMS.

Security and Privacy Awareness training is offered through Computer Based Training to all users. Training is required to acquire and hold a HARP account (used for Okta QPP authentication). HARP is responsible for enforcing current, up-to-date training. Contractors that have elevated levels of access, such as system or database administrators, must take additional role-based training as required within the CMS Acceptable Risk Safeguards (ARS) controls for security.

Describe training system users receive (above and beyond general security and privacy awareness training)Not applicable.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.QPP follows the CMS Record Schedule, more specifically the Center for Clinical Standards and Quality (CCSQ) File Plan. This is inherited from the National Archives and Records Administration (NARA). NARA has recently made changes to Federal Advisory Committee Act (FACA), Freedom of Information Act (FOIA), Information Technology (IT), transitory files, travel, Records management, forms management and Contract Officer Representative (COR) information and responsibilities. The disposal authority for QPP is DAA-0440-2015-0009-0003 and calls for destruction of data after 10 years.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.QPP hosted PII is secured with a variety of security controls as required by FISMA and the CMS Security Program. Operational controls include but are not limited to: contingency plans and annual testing, backups of all files, offsite storage of backup files, physical security including secure buildings with access cards for entry, secure data center requiring additional access permissions for entry, security guards, background checks for all personnel, incident response procedures for timely response to security and privacy incidents, initial security training with refresher courses annually, and annual role based security training for personnel with assigned security roles and responsibilities. Technical controls include but are not limited to user authentication with least privilege authorization, firewalls, Intrusion Detection and Prevention systems (IDS/IPS), hardware configured with the National Institute of Standards and Technology (NIST) security checklists, encrypted communications, hardware configured with a deny all/except approach, auditing, and correlation of audit logs from all systems. Management controls include but are not limited to: Assessment and Authorization (A&A), annual security assessments, monthly management of outstanding corrective action plans, ongoing risk assessments, and automated continuous monitoring.
Identify the publicly-available URL:

https://qpp.cms.gov.

The QPP Website has posted its own Privacy Notice/Policy and Third-Party Websites and Applications (TPWA) tools that are employed when the general public visits the website.

Does the website have a posted privacy notice?Yes
Is the privacy policy available in a machine-readable format?Yes
Does the website use web measurement and customization technology?Yes
Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply)
  • Session Cookies
  • Persistent Cookies
 Web Beacons - Collects PII?: No
Web Bugs - Collects PII?: No
Session Cookies - Collects PII?: No
Persistent Cookies - Collects PII?: No
Other - Collects PII?:
Does the website have any information or pages directed at children under the age of thirteen?No
Does the website contain links to non-federal government website external to HHS?Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?Yes