Quality, Safety and Education Portal

• Other - This system's authorization and PIA were previously approved through CCSQ's iQIES system. QSEP is being brought out from under the umbrella of iQIES to be its own, standalone system

Surveyor Minimum Qualifications Test (SMQT): Transitioned this test from in-person mode on QSEP (implemented FY 2022)

Role requests, approvals, etc. have been moved to QSEP, from Savyint. This was completed by May 2024.

Contractor Surveyors: Contractor Surveyors are now required to complete the Surveyor Skills Review (SSR) assessments yearly starting with FY 2025. As part of this, a new role (Contractor Training Coordinator - CTC) has been added to QSEP.

Communications Platform: A new communications functionality - between CMS Quality, Safety, and Education Division (QSED) and State Directors - was introduced as part of the October 2024 release. A new role - State Director - was added to accomplish this.

Annual User Account Review: This was completed and went live in May 2023. As part of this, Security Officials (SO's) need to validate the accounts associated with their roles annually.

My Dashboard: a new landing page, displaying metrics associated with each role/user, was incrementally implemented during the FY 2024.

Training Initiation Form: This was migrated from Microsoft Forms to QSEP during FY 2023. This form is used by specific end users to notify CMS of any training changes.

NICE CXone Interactive Voice Response (IVR) for QSEP Help Desk was introduced during FY 2023.

Surveyor Skills Review (SSR): Emergency preparedness (EP) was included as secondary SSR and required to be completed by Surveyors undertaking EP survey.

Training Plan: Timelines were added to the Training plan to guide the users on completion timelines.

The Quality, Safety & Oversight Group (QSOG) provides Health Care Survey and Certification Processes training and course ware to more than 10,000 users nationwide, which includes State and Federal Surveyors, State Training Coordinators (STC), Regional Training Administrators (RTA), and Central Office Training Coordinators (TC). The Quality, Safety & Education Portal website (QSEP Portal) is a cloud-hosted Learning Management System (LMS). The system is available 24x7. QSEP supports QSOG’s educational programs and provides administrative tools to effectively manage the National Surveyor Training Program (NSTP).

The main business function of QSEP is to deliver statutorily mandated training to State Agency and Federal surveyors, who provide survey and oversight to Medicare and Medicaid facilities around the country.

QSEP hosts more than 150 online courses, webinars, videos, and other instructional content that its users can access "anywhere at any time", using a web browser. The system is essential to QSOG's mandate to increase access to surveyor training by replacing most instructor-led "live" training with digital course content hosted and delivered online. QSEP provides site access to Healthcare Providers/Suppliers, Accrediting Organizations, Department of Health and Human Services (HHS) employees and contractors, Quality Improvement Organizations, Advocacy Groups, and the General Public.

QSEP currently stores the following non-sensitive Personal Identifiable Information (PII) data elements:

student's first name

student's last name

student business telephone/fax numbers

student business email address (work, potentially home for self-registered users)

supervisor's first name

supervisor's last name

supervisor business telephone/fax numbers

supervisor business email address

The elements above are used only to identify users and enable reporting functionality within QSEP. Excluding students’ first and last names, all data elements collected are considered non-sensitive. QSEP provides system functionality where users can update any PII related to their accounts. The QSEP Team attempts to always maintain a minimal dataset, following strict data retention policies mandated by HHS/CMS. In addition, the QSEP Team follows the Principle of Least Privilege for all user accounts and role-related system access.

No Protected health information (PHI) is stored within the system.

The Quality, Safety & Oversight Group (QSOG) provides Health Care Survey and Certification Processes training and course ware to more than 10,000 users nationwide, which include State and Federal Surveyors, State Training Coordinators (STC), Regional Training Administrators (RTA), and Central Office Training Coordinators (TC). The Quality, Safety & Education Portal website (QSEP - QSEP Portal) is a cloud-hosted Learning Management System (LMS). The system is available 24x7. QSEP supports QSOG’s educational programs and provides administrative tools to effectively manage the National Surveyor Training Program (NSTP).

The elements captured in PIA-012 are used only to identify users and enable reporting functionality within QSEP. The information collected helps in tracking training and test/assessment completions, generate email notifications (for instance, to notify Regional Training Administrators (RTA) / State Training Coordinators (STC) on completion status of the assessments, and to notify the end user on the status of completions).

• Name
• E-Mail Address
• Phone Numbers

• Employees
• Business Partners/Contacts (Federal, state, local agencies)
• Vendors/Suppliers/Contractors

• Online

• Within the OPDIV
• State/Local/Tribal

• Members of the Public
• Private Sector

QSEP accounts are created and maintained in the HCQIS Access and Role Permissions (HARP) which serves as the secure identity management portal. QSEP users are redirected and authenticated against HARP. When a QSEP user logs in to HARP and redirects to QSEP after successful login, PII data is validated with HARP, and if any changes, they are then updated in QSEP. 

For Customer PII:
Integrity – Only the DevOps team has access to the database. Data updates done is tracked in the audit table, which is reviewed regularly to ensure the integrity of data. Users access QSEP via defined roles, which are reviewed and approved by Security Officials (SO) on role request creation and by the SO during the Annual Account Review (AAR) process. Splunk dashboard and scripts are reviewed by DevOps and the QSEP Security Analyst.

Availability – New Relic alerts notify the QSEP team on system availability. In addition, the QSEP Help Desk team notifies QSEP DevOps when performance degradation is observed. 

Accuracy – Only the DevOps team has access to the database. Data updates are tracked in the audit table, which is reviewed regularly to ensure the integrity of data. Users access QSEP via defined roles, which are reviewed and approved by Security Officials (SO) on role request creation and by the SO during the Annual Account Review (AAR) process. Splunk dashboard and scripts are reviewed by DevOps and the QSEP Security Analyst. The QSEP team provides monthly data on multiple parameters to CMS to gauge the health and accuracy of the system.

Relevancy – The QSEP team reviews the audit table, runs scripts against Splunk to get statistics, provides various reports to CMS monthly provides monthly data on multiple parameters to CMS which ensure information is processed and delivered as expected. The QSEP Help Desk analyzes each help desk request.

For User PII:

Integrity – Every time that a user logs into QSEP via HCQIS Access Roles and Permissions (HARP), the user's PII data in QSEP is validated against HARP and if there are changes, the updates are applied to QSEP. Ony the QSEP DevOps team has access to the QSEP database. Actions performed on the database or undertaken via QSEP are audited via the QSEP audit table. Splunk QSEP dashboard provides a view into various logs to track DevOps activities.

Availability –  New Relic alerts notify the QSEP team on system availability. In addition, the QSEP Help Desk team notifies QSEP DevOps when performance degradation is observed. 

Accuracy – Every time that a user logs into QSEP via HCQIS Access Roles and Permissions (HARP), the user's PII data in QSEP is validated against HARP and if there are changes, the updates are applied to QSEP. Ony the QSEP DevOps team has access to the QSEP database. Actions performed on the database or undertaken via QSEP are audited via the QSEP audit table. Splunk QSEP dashboard provides a view into various logs to track DevOps activities.

Relevancy – QSEP maintains PII data that is needed for reporting and certificates. No other PII is maintained or collected via QSEP. Automated scripts are executed to ensure information is processed and delivered as expected.

• Users: QSEP users have access to their own PII data, via the Profile option, training certs, and reports. Any changes to PII needs to be done from HARP.
• Developers: QSEP DevOps are responsible for maintaining the database's performance, implementing security measures, and performing regular backups and recovery operations. Their access allows them to promptly address any vulnerabilities, apply necessary patches, and monitor for unauthorized access or anomalies. By having controlled and audited access, they can effectively safeguard PII against breaches and ensure compliance with data protection regulations. This access is governed by strict policies and role-based access controls to minimize risks and maintain data security.

All system and site administrator users are required to take an online Security Awareness Training and Identifying and Safeguarding Personally Identifiable Information Computer based training before they are granted user credentials. This training is required to be renewed annually for all existing users. All users are trained to perform the duties necessary to work within the system to perform their specific job functions.

Personnel with Security Significant Responsibility (SSR) such as developers, infrastructure/system administrators, database administrators, architects, security engineers, etc., also complete CMS Agency Role-Based Training (RBT) requirements on an annual basis, corresponding to the user’s National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) role. Any new Application Development Organizational (ADO) users or existing ADO users with a new role complete RBST requirement within 60-days of beginning their new role.

Administrative: QSEP administrative controls include but are not limited to contingency plans and annual testing, backups of all files, offsite storage of backup files, background checks for all personnel, incident response procedures for timely response to security and privacy incidents, Initial security training with refresher courses annually, and annual role-based security training for personnel with assigned security roles and responsibilities.

Technical: Technical controls include but are not limited to user authentication with least privilege authorization, firewalls, Intrusion Detection and Prevention systems (IDS/IPS), encrypted communications, hardware configured with a deny all/except approach, auditing, and correlation of audit logs from all Systems.

Physical: Management controls include but are not limited to: Certification and Accreditation (C&A), annual security assessments, monthly management of outstanding corrective action plans, ongoing risk assessments, and automated continuous monitoring.

• Session Cookies - Collects PII?: No
• Persistent Cookies - Collects PII?: No