Skip to main content

Quality Service Center

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 11/21/2024

PIA Information for the Quality Service Center
PIA QuestionsPIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-8518514-087582

Name:

Quality Service Center

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

Yes

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

3/22/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

  • Internal Flow or Collection

  • Other - URL address added

Describe in further detail any changes to the system that have occurred since the last PIA.

The Quality Service Center (QSC) application since the last PIA consist of ServiceNow platform upgrade and a screen recording feature for NICE CXone. This feature for NICE CXone captures the screen of the service center agent that is assisting a user through an active interaction.

The changes listed below posed no risk to the system or introduced the collection of new PII elements. 

NICE CXone Screen Recording - This new feature is recording the Service Center Agent Screen while on an active interaction (inbound call, email, web, or live chat support). NICE CXone call recording and screen recording data storage is managed by the NICE CXone Software as a Service (SaaS) Vendor. Call and screen recordings are available within NICE CXone for a short-term period of 60 days for the following lines of business that the Service Center support - End Stage Renal Disease Quality Reporting System (EQRS), Quality Payment Program (QPP), Hospital Quality Reporting (HQR), Internet Quality Improvement and Evaluation System (iQIES), and Quality Improvement and Evaluation System (QIES). For the Services and Operations Support Team (SOS) all screen recordings are deleted after 14 days. For EQRS, QPP, HQR, and QIES/iQIES, all audio and screen recordings are moved to long term storage after 60 days. Lastly, after 365 days in long term storage the recording is removed from storage and is no longer accessible.

ServiceNow Washington Upgrade - CCSQ will gain several new features provided by the Washington version. All available features were FedRAMP approved for release into the CCSQ production instance. 

Describe the purpose of the system

QSC (Quality Service Center) is a customer service management system used for tracking, monitoring, recording and the reporting of user and internal inquires. QSC supports CMS’ Quality Initiatives and IT (Information Technology) systems owned by CMS’ (Centers for Medicare and Medicaid Services) Center for Clinical Standards and Quality (CCSQ) that support these initiatives.
Callers are health care providers such as physicians, clinicians, hospitals, nursing homes, skilled nursing facilities, health care providers’ program assistance. It also supports the internal processes needed to support the infrastructure and applications that support these quality initiatives. QSC provides IT Service Management, Change Management, Asset Procurement and Management, Hardware and Software Discovery, a Configuration Management Database (CMDB) for HCQIS, and Security Incident (SI) and issue tracking.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The QSC system, collects, maintains and stores IT data such as help desk procedures, technical assistance documentation, Incident Management, Problem Management, Change Management, Asset/Procurement Management, Knowledge Management, Discovery/Configuration Management Database, Service Request/Service Catalog and Employee Self Service Portal (ESS). Request include password reset enrollment, Security Incident, and Customer Service Management for internal users. Service Catalog offerings include Self-service AD Password Reset, Hardship Claims, User Onboarding, and Targeted Review. Additionally, QSC collects and maintains the username, first name, last name, organization name, mailing address, email address, phone number, National Provider Identifier (NPI), Tax Identification Number (TIN), Social Security Number (SSN), Medical Record Number, Medicare Claim Number, Medicare Beneficiary Identifier, Date of Birth (DOB), Date of Death (DOD), Patient Identifier Number (PIN) and Ethnicity.


The QSC system for Manual Identity Proofing, collects, maintains, and stores temporarily the following Personal Identifiable Information(PII)/Protected Health Information (PHI): first name, last name, organization name, mailing address, email address, phone number, photographic identifiers, driver's license, biometric identifiers, mother's maiden name, medical record number, medical notes, financial account info, certificates, legal documents, military status, employment status, passport number, taxpayer id, user credentials, user id and names, national provider identifier, organization name, Medicare beneficiary identifier, patient identifier number, ethnicity, Medicare contract number, and/or organization identification number. The Manual Identity Proofing process is not captured in the screen recording process. However, audio recording may be captured for an inbound call to the Service Center if individual is needing assistance with the manual identity proofing process.

ServiceNow backup of tickets have a retention period of 14 days.

NICE CXone application within the QSC system stores call and screen recordings within NICE CXone data storage. NICE CXone data storage is managed by the NICE CXone Software as a Service (SaaS) Vendor. Call and screen recordings that come in for EQRS, QPP, iQIES/QIES and HQR are available within NICE CXone for a short-term period of 60 days. After 60 days it is moved to long term storage within the SaaS Vendor for 365 days. After 365 days it is and then deleted.

For Services and Operations Support (SOS) Agents, Screen Recordings for all calls, chats, emails, and web cases are available for 14 days (This included Manual Proofing Cases). After 14 days the screen recordings are deleted from NICE CXone. SOS Audio Recordings for the SOS Team is encrypted and maintained in storage for sixty (60) days. After this initial storage period, we utilize long term storage for up to one (1) year. After one (1) year the recordings are permanently deleted.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

This customer service management system is used for tracking, monitoring, recording and reporting of all supporting help desks, users, and Internal/external inquiries. Additionally, the NICE CXone is used for monitoring of Service Center Representatives screens during a call for quality and training purposes. The data collected is used to create, track, and monitor IT service requests, incident, problems, infrastructure change requests, work orders, tasks, and assets. The following data elements are collected directly from the customer to their inquiries and requests for support: user name, first name, last name, organization name, mailing address, email address, phone number, National Provider Identifier (NPI), Tax Identification Number (TIN), Social Security Number (SSN), Medical Record Number, Medicare Claim Number, Medicare Beneficiary Identifier, Date of Birth (DOB), Date of Death (DOD), Patient Identifier Number (PIN) and Ethnicity.

This Manual Identity Proofing process may request some of the following to confirm user identity: first name, last name, organization name, mailing address, email address, phone number, photographic identifiers, driver's license, biometric identifiers, mother's maiden name, medical record number, medical notes, financial account info, certificates, legal documents, military status, employment status, passport number, taxpayer id, user credentials, user id and names, national provider identifier, organization name, Medicare beneficiary identifier, patient identifier number, ethnicity, Medicare contract number, and/or organization identification number. All requested information for Manual Identity Proofing is removed from ServiceNow tickets after the user identity has been confirmed. The Manual Identity Proofing process is captured in the screen recording process. These recordings are deleted after 14 days within NICE CXone. However, audio recording may be captured for an inbound call to the Service Center if individual is needing assistance with the manual identity proofing process.

NICE CXone administrators is able to delete phone/screen recordings. However, administrators cannot manipulate specific segments in an interaction. 

The customer service management system regularly uses PII to retrieve system records including using the first name, last name, email, and/or phone number of CMS employees, contractors, and health care providers to track, monitor, retrieve and reporting of customer inquiries.

The reporting environment enables authorized users; direct contractors and CMS government employees, to generate reports based on criteria fields about the tickets stored within the application. This information is used for internal purpose only and is not shared with third parties.

Customer information is collected and stored to facilitate contact through resolution of their inquiries and to run reports to evaluate the program.

Help desk procedures and technical assistance documentation provide help desk personnel the tools for effective resolution to caller/user inquiries.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name
  • Driver's License Number
  • Mother's Maiden Name
  • E-Mail Address
  • Phone Numbers
  • Medical Notes
  • Certificates
  • Military Status
  • Taxpayer ID
  • Date of Birth
  • Photographic Identifiers
  • Biometric Identifiers
  • Mailing Address
  • Medical Records Number
  • Financial Account Info
  • Legal Documents
  • Employment Status
  • Passport Number
  • Other - User Credentials: User ID and Names, National Provider Identifier, Organization name, Medicare Beneficiary Identifier, Patient Identifier Number, Ethnicity, Medicare Contract Number, Organization Identification Number

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Public Citizens
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
  • Patients

How many individuals' PII in the system?

50,000-99,999

For what primary purpose is the PII used?

QSC - PII (Personal Identifiable Information) is used for caller identification, user account information, correlation to QSC ticket information and customer/program support.

NICE CXone - PII from the Service Desk contractors is used to create user accounts to support the applications.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

QSC - Caller and provider information is used to run reports to evaluate the program.

NICE CXone - PII is potentially captured in audio recordings / screen recordings which is used for internal quality assurance and training.

Describe the function of the SSN.

QSC - The patient's SSN is collected directly from dialysis facilities staff who contact the End Stage Renal Disease (ESRD) program help desk. The collection/use of the SSN cannot be eliminated. This is a key field that needs to be captured for any discrepancies with what is listed in the End Stage Renal Disease Quality Reporting System (EQRS) for any modification request. 

NICE CXone - SSN is not collected or maintained.

Cite the legal authority to use the SSN.

QSC - Executive Order 9397

Identify legal authorities​ governing information use and disclosure specific to the system and program.

QSC - Medicare, Medicaid, and SCHIP Extension Act of 2007 (MMSEA) (Pub. L. 110–173) and the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) (Pub. L.110–275). 1848(k)(2)(B) of the Social Security Act (the Act) (42 U.S.C.1395w–4), Section 101(c) of division B of the Tax Relief and Health Care Act of 2006; 5 USC 301, Departmental Regulations (TRHCA), and Sections 226A, 1875, and 1881 of the Social Security Act (the Act) (Title 42 United States Code (U.S.C.), sections 426–1, 1395ll, and 1395rr).

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

SORN 09-70-0584, Performance Measurement and Reporting System (PMRS)
SORN 09-70-0571, Medicare Integrated Data Repository (IDR)
SORN 09-70-0565, Automated Survey Processing Environment (ASPEN) Complaints/Incidents Tracking System (ACTS)
SORN 09-70-0558, National Claims History (NCH)
SORN 09-70-0553, Medicare Drug Data Processing System (DDPS)
SORN 09-70-0548, Hospice Item Set (HIS) System
SORN 09-70-0539, (Quality Payment Program (QPP)
SORN 09-70-0539, Long Term Care Hospitals Quality Reporting Program (LTCH QRP)
SORN 09-70-0536, Medicare Beneficiary Database (MBD)
SORN 09-70-0532, Provider Enrollment, Chain, and Ownership System (PECOS)
SORN 09-70-0528, Long Term Care-Minimum Data Set (MDS)
SORN 09-70-0522, HHA Outcome and Assessment Information Set (OASIS)
SORN 09-70-0521, Inpatient Rehabilitation Facilities – Patient Assessment Instrument (IRF-PAI)
SORN 09-70-0520, ESRD Program Management and Medical Information (PMMIS)
SORN 09-70-0502, Enrollment Database (EDB)

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

  • In-Person

  • Online
  • Email
  • Other - Phone

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

  • Members of the Public

  • Private Sector
  • Other - Providers, Clinicians, & Government Contractors

Identify the OMB information collection approval number and expiration date

QSC and NICE CXone - Not applicable for user credential information.

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

QSC - Help desk support asks each inquiring customer for their information to record at the beginning of each call. The CCSQ Support central is an unauthenticated portal that has been implemented in the QSC Environment. Requestors will navigate to this portal and will use the create ticket functionality to submit contact and case details which include Email Address, First Name, Last Name, Phone Number, Organization Name, Program, Subject, and the reason for contacting support.


The Public portal allows the providers (Hospitals, Clinicians, Doctors, etc.) to track the status of an existing ticket with secure one-time password sent to the requestor’s email. The data is not displayed until the secure code is entered and page is viewable only for user who enters the secure code. This Portal also provides requestors the ability to add comments in text area which stores the entered value in additional comments in Case, Incident and RITM tables upon submission. All authorized users must provide the personal information necessary to establish their user account. Personal information is only collected at the time that the CMS employee, direct contractor, or affiliate applies for access to the system. Page 3 of Application for Access to CMS Systems informs individuals that there PII is being collected and the purposes for collecting the PII.

NICE CXone - 

Service Center agents ask each inquiring customer for their information to record at the beginning of each call. Additionally, Nice CXone notify callers that their calls will be recorded for quality assurance and training purposes.

All authorized users must provide the personal information necessary to establish their user account. Personal information is only collected at the time that the CMS employee, direct contractor, or affiliate applies for access to the system. 

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

QSC and NICE CXone - The caller has the option to not provide their information. Authorized users’ personal information is necessary to establish their user account and a method to contact customers with the resolution of their call.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

QSC and NICE CXone - Major change notifications are not provided to callers as system changes do not include data use or disclosure changes.

Authorized users are notified of changes to the system by memos or training in their job. Systems changes do not include data use or disclosure changes.

All authorized users must re-certify their access within every 365 days. By doing so the users are consenting to the continued use of their PII. PII will only be used for the purposes given at the time of collection. PII will only be used as necessary in performance of job duties.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

QSC and NICE CXone - Any concerns from customers or account holders concerning misuse of PII are reported to the QSC Service Center support, and the QualityNet Incident Response Procedures are followed, which include elevation of PII incidents to CMS. The CMS Incident Response Procedures are then followed.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

For Customer PII:
Integrity – Initial contact with Service Center is made by customers using email, CCSQ Self-Portal or phone call (utilizes NICE CXone). Email and Self-Portal inquiries automatically record the customer’s first name, last name, phone number and email address. PII obtained through phone inquiries are verified with the caller by Service Center support, which utilize NICE CXone.

Availability – Both QSC and NICE CXone have Real-time data synchronization dispersing data to geographically separated data centers, enabling hot fail over. Backups provide a second means to ensure availability. Availability is the responsibility of the SaaS providers.

Accuracy – Both QSC and NICE CXone, the Service Center agent updates any incorrect data is corrected in the course of using the system by updating whichever elements are incorrect, such as name change or new telephone number or email address.

Relevancy – Both QSC and NICE CXone only collect PII relevant to the call by the Service Center support.

For User PII:
The initial source of PII is from System Access Request form completed by the user to establish the account for both QSC and NICE CXone.

Account information is periodically reviewed for Integrity, accuracy, and relevancy by system administrators and management. Accounts inactive for 60 days are disabled and the user is removed from access lists as part of the periodic review process. The designated point of contact for each organization is provided a list of their individuals quarterly. They inform either the QSC or NICE CXone administrators which accounts should be deactivated. 

Terminated/transferred users’ accounts are disabled immediately, removing the ability of the user to authenticate for both QSC and NICE CXone.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: QSC - The user is responsible to enter the caller's PII into the system and provide support to customer’s inquiries.

    NICE CXone - The user is only able to view their own user information. 

  • Administrators: QSC - Administrators have access to modify forms, add fields, query all data, and run reports.

    NICE CXone - Administrators have access to create, modify and update users' information.

  • Developers: QSC - Developers configure and test software.

    NICE CXone - There are no developers.

  • Contractors: QSC - Contractors are the users of the system and enter the PII into the system. All contractors are "direct contractors" of CMS; They have HHS credentials and work directly on behalf of CMS for these services.

    NICE CXone - Contractors are the users of the system and are considered “direct contractors” of CMS.

  • Others: QSC - Clinicians have the ability to enter information in the hardship and the targeted reviews form.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

The QSC application has built in role and permission schemes which have been tailored to fit the needs of CMS. During that process, the use of PII was determined to be appropriate for internal business uses only, for verification of identity and for possible security incident investigations. It was determined that only Administrators and two specific user communities require access to PII. Service Center Users need access to PII for verification purposes to reset other Users' passwords.

Database Administrators have access to PII in order to maintain the database which stores the PII. Contractors are a part of the Administrator, Service Center, and Database user communities.

Nice CXone has established a least privileged process to only allow access to user information based on business needs. Nice CXone application has a built-in role and permissions to restrict only Administrators to access users account information.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

QSC Users' system access is limited to the functions needed to perform their job functions. All activity within the QSC application is subject to audit logging and monitoring. Any modification of ticket data, including any PII information, is traceable back to an individual that last made a change to the ticket, via a username and timestamp associated with the activity. Direct access to underlying data that contains PII is subject to a logging and monitoring process which details any user selection or modification of data by means other than the use of QSC application.

Additionally, only database administrators are given direct logical access to the underlying QSC data. All other system and application user accounts do not have approval, authorization, or the logical permissions necessary to alter or manipulate the information within the database directly.

 

Nice CXone user’s system access is limited to the functions needed to perform their job functions. All activity within the Nice CXone application is subject to audit logging and monitoring.

Additionally, Administrators is the role that allows access to user information and is needed to create, manage and update users' information.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Al QSC and NICE CXone system users are required to take the CMS Cyber Awareness Challenge Computer Based Training (CBT) as well as the Identifying and Safeguarding Personally Identifiable Information (PII) training endorsed by CMS as well as Records Management training. This training is required upon initial hire, prior to gaining system access, and annually thereafter.

Describe training system users receive (above and beyond general security and privacy awareness training)

All QSC and NICE CXone users undergo a formal training program prior to using the system.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

QSC and NICE CXone follows the CMS Record Schedule, more specifically the Center for Clinical Standards and Quality (CCSQ) File Plan. The disposal authority for QSC is N1-440-09-3 and mandates destruction of data after 7 years.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

For both QSC and NICE CXone administrative controls include, but are not limited to: contingency plans and annual testing, backups of all files, offsite storage of backup files, background checks for all personnel, incident response procedures for timely response to security and privacy incidents, Initial security training with refresher courses annually, and annual role based security training for personnel with assigned security roles and responsibilities.
The physical security of the data centers where the system resides is governed by FedRAMP. They ensure the use of access cards for entry, security guards, and video monitoring prior to granting FedRAMP authorization.

Technical controls include but are not limited to user authentication with least privilege authorization, firewalls, Intrusion Detection and Prevention systems (IDS/IPS), encrypted communications, hardware configured with a deny all/except approach, auditing, and correlation of audit logs from all Systems.

Management controls include but are not limited to: Certification and Accreditation (C&A), annual security assessments, monthly management of outstanding corrective action plans, ongoing risk assessments, and automated continuous monitoring.

Identify the publicly-available URL:

QSC -

https://cmsqualitysupport.servicenowservices.com/qnet_qa

https://cmsqualitysupport.servicenowservices.com/qsep 

https://cmsqualitysupport.servicenowservices.com/cms_1135

https://cmsqualitysupport.servicenowservices.com/ccsq_support_central

https://cmsqualitysupport.servicenowservices.com/sp_ess

https://cmsqualitysupport.servicenowservices.com/iqies_hcd_form

https://cmsqualitysupport.servicenowservices.com/cms_hh

Does the website have a posted privacy notice?

Yes

Is the privacy policy available in a machine-readable format?

Yes

Does the website use web measurement and customization technology?

Yes

Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply)

  • Session Cookies

  • Other - For QSC and NICE CXone, no fields designated to collect PII, however, there are free form text fields that a user could enter text.

Web Beacons - Collects PII?:

No

Web Bugs - Collects PII?:

No

Session Cookies - Collects PII?:

No

Persistent Cookies - Collects PII?:

No

Other - Collects PII?:

No

Does the website have any information or pages directed at children under the age of thirteen?

No

Does the website contain links to non-federal government website external to HHS?

No