Quality Service Center
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/21/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-8518514-087582 |
Name: | Quality Service Center |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 3/22/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. |
|
Describe in further detail any changes to the system that have occurred since the last PIA. | Changes to the Quality Service Center (QSC) application since the last PIA consist of a ServiceNow platform upgrade and a screen recording feature for NICE CXone. This feature for NICE CXone captures the screen of the service center agent who is assisting a user through an active interaction. The changes listed below posed no risk to the system and did not introduce the collection of new PII elements. NICE CXone Screen Recording - This new feature records the Service Center Agent's screen while on an active interaction (inbound call, email, web, or live chat support). NICE CXone call recording and screen recording data storage is managed by the NICE CXone Software as a Service (SaaS) Vendor. Call and screen recordings are available within NICE CXone for a short-term period of 60 days for the following lines of business that the Service Center supports - End Stage Renal Disease Quality Reporting System (EQRS), Quality Payment Program (QPP), Hospital Quality Reporting (HQR), Internet Quality Improvement and Evaluation System (iQIES), and Quality Improvement and Evaluation System (QIES). For the Services and Operations Support Team (SOS) all screen recordings are deleted after 14 days. For EQRS, QPP, HQR, and QIES/iQIES, all audio and screen recordings are moved to long term storage after 60 days. Lastly, after 365 days in long term storage the recording is removed from storage and is no longer accessible. ServiceNow Washington Upgrade - CCSQ will gain several new features provided by the Washington version. All available features were FedRAMP approved for release into the CCSQ production instance. |
Describe the purpose of the system | QSC (Quality Service Center) is a customer service management system used for tracking, monitoring, recording and reporting of user and internal inquiries. QSC supports CMS’ Quality Initiatives and IT (Information Technology) systems owned by CMS’ (Centers for Medicare and Medicaid Services) Center for Clinical Standards and Quality (CCSQ) that support these initiatives. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The QSC system collects, maintains and stores IT data such as help desk procedures, technical assistance documentation, Incident Management, Problem Management, Change Management, Asset/Procurement Management, Knowledge Management, Discovery/Configuration Management Database, Service Request/Service Catalog and Employee Self Service Portal (ESS). Requests include password reset enrollment, Security Incident, and Customer Service Management for internal users. Service Catalog offerings include Self-service AD Password Reset, Hardship Claims, User Onboarding, and Targeted Review. Additionally, QSC collects and maintains the username, first name, last name, organization name, mailing address, email address, phone number, National Provider Identifier (NPI), Tax Identification Number (TIN), Social Security Number (SSN), Medical Record Number, Medicare Claim Number, Medicare Beneficiary Identifier, Date of Birth (DOB), Date of Death (DOD), Patient Identifier Number (PIN) and Ethnicity.
ServiceNow backups of tickets have a retention period of 14 days. The NICE CXone application within the QSC system stores call and screen recordings within NICE CXone data storage. NICE CXone data storage is managed by the NICE CXone Software as a Service (SaaS) Vendor. Call and screen recordings that come in for EQRS, QPP, iQIES/QIES and HQR are available within NICE CXone for a short-term period of 60 days. After 60 days the data is moved to long term storage within the SaaS Vendor for 365 days. After 365 days it is deleted. For Services and Operations Support (SOS) Agents, Screen Recordings for all calls, chats, emails, and web cases are available for 14 days (this includes Manual Proofing Cases). After 14 days the screen recordings are deleted from NICE CXone. Audio Recordings for the SOS Team are encrypted and maintained in storage for sixty (60) days. After this initial storage period, we utilize long term storage for up to one (1) year. After one (1) year the recordings are permanently deleted. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | This customer service management system is used for tracking, monitoring, recording and reporting of all supporting help desks, users, and internal/external inquiries. Additionally, NICE CXone is used for monitoring of Service Center Representatives' screens during a call for quality and training purposes. The data collected is used to create, track, and monitor IT service requests, incidents, problems, infrastructure change requests, work orders, tasks, and assets. The following data elements are collected directly from the customer in connection with their inquiries and requests for support: user name, first name, last name, organization name, mailing address, email address, phone number, National Provider Identifier (NPI), Tax Identification Number (TIN), Social Security Number (SSN), Medical Record Number, Medicare Claim Number, Medicare Beneficiary Identifier, Date of Birth (DOB), Date of Death (DOD), Patient Identifier Number (PIN) and Ethnicity. The Manual Identity Proofing process may request some of the following to confirm user identity: first name, last name, organization name, mailing address, email address, phone number, photographic identifiers, driver's license, biometric identifiers, mother's maiden name, medical record number, medical notes, financial account info, certificates, legal documents, military status, employment status, passport number, taxpayer id, user credentials, user id and names, national provider identifier, organization name, Medicare beneficiary identifier, patient identifier number, ethnicity, Medicare contract number, and/or organization identification number. All requested information for Manual Identity Proofing is removed from ServiceNow tickets after the user identity has been confirmed. The Manual Identity Proofing process is captured in the screen recording process.
These recordings are deleted after 14 days within NICE CXone. However, an audio recording may be captured for an inbound call to the Service Center if an individual needs assistance with the manual identity proofing process. NICE CXone administrators are able to delete phone/screen recordings. However, administrators cannot manipulate specific segments in an interaction. The customer service management system regularly uses PII to retrieve system records, including using the first name, last name, email, and/or phone number of CMS employees, contractors, and health care providers to track, monitor, retrieve and report on customer inquiries. The reporting environment enables authorized users (direct contractors and CMS government employees) to generate reports based on criteria fields about the tickets stored within the application. This information is used for internal purposes only and is not shared with third parties. Customer information is collected and stored to facilitate contact through resolution of their inquiries and to run reports to evaluate the program. Help desk procedures and technical assistance documentation provide help desk personnel the tools for effective resolution to caller/user inquiries. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 50,000-99,999 |
For what primary purpose is the PII used? | QSC - PII (Personally Identifiable Information) is used for caller identification, user account information, correlation to QSC ticket information and customer/program support. NICE CXone - PII from the Service Desk contractors is used to create user accounts to support the applications. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | QSC - Caller and provider information is used to run reports to evaluate the program. NICE CXone - PII is potentially captured in audio recordings / screen recordings, which are used for internal quality assurance and training. |
Describe the function of the SSN. | QSC - The patient's SSN is collected directly from dialysis facilities staff who contact the End Stage Renal Disease (ESRD) program help desk. The collection/use of the SSN cannot be eliminated. This is a key field that needs to be captured for any discrepancies with what is listed in the End Stage Renal Disease Quality Reporting System (EQRS) for any modification request. NICE CXone - SSN is not collected or maintained. |
Cite the legal authority to use the SSN. | QSC - Executive Order 9397 |
Identify legal authorities governing information use and disclosure specific to the system and program. | QSC - Medicare, Medicaid, and SCHIP Extension Act of 2007 (MMSEA) (Pub. L. 110–173) and the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) (Pub. L. 110–275). 1848(k)(2)(B) of the Social Security Act (the Act) (42 U.S.C. 1395w–4), Section 101(c) of division B of the Tax Relief and Health Care Act of 2006; 5 USC 301, Departmental Regulations (TRHCA), and Sections 226A, 1875, and 1881 of the Social Security Act (the Act) (Title 42 United States Code (U.S.C.), sections 426–1, 1395ll, and 1395rr). |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | SORN 09-70-0584, Performance Measurement and Reporting System (PMRS) |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources |
|
Identify the OMB information collection approval number and expiration date | QSC and NICE CXone - Not applicable for user credential information. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | QSC - Help desk support asks each inquiring customer for their information to record at the beginning of each call. CCSQ Support Central is an unauthenticated portal that has been implemented in the QSC Environment. Requestors will navigate to this portal and will use the create ticket functionality to submit contact and case details, which include Email Address, First Name, Last Name, Phone Number, Organization Name, Program, Subject, and the reason for contacting support.
NICE CXone - Service Center agents ask each inquiring customer for their information to record at the beginning of each call. Additionally, NICE CXone notifies callers that their calls will be recorded for quality assurance and training purposes. All authorized users must provide the personal information necessary to establish their user account. Personal information is only collected at the time that the CMS employee, direct contractor, or affiliate applies for access to the system. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | QSC and NICE CXone - The caller has the option to not provide their information. Authorized users’ personal information is necessary to establish their user account and a method to contact customers with the resolution of their call. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | QSC and NICE CXone - Major change notifications are not provided to callers as system changes do not include data use or disclosure changes. Authorized users are notified of changes to the system by memos or training in their job. System changes do not include data use or disclosure changes. All authorized users must re-certify their access every 365 days. By doing so the users are consenting to the continued use of their PII. PII will only be used for the purposes given at the time of collection. PII will only be used as necessary in performance of job duties. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | QSC and NICE CXone - Any concerns from customers or account holders concerning misuse of PII are reported to the QSC Service Center support, and the QualityNet Incident Response Procedures are followed, which include elevation of PII incidents to CMS. The CMS Incident Response Procedures are then followed. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | For Customer PII: Availability – Both QSC and NICE CXone have real-time data synchronization dispersing data to geographically separated data centers, enabling hot failover. Backups provide a second means to ensure availability. Availability is the responsibility of the SaaS providers. Accuracy – For both QSC and NICE CXone, any incorrect data is corrected by the Service Center agent in the course of using the system by updating whichever elements are incorrect, such as a name change or new telephone number or email address. Relevancy – Both QSC and NICE CXone only collect PII relevant to the call by the Service Center support. For User PII: Account information is periodically reviewed for integrity, accuracy, and relevancy by system administrators and management. Accounts inactive for 60 days are disabled and the user is removed from access lists as part of the periodic review process. The designated point of contact for each organization is provided a list of their individuals quarterly. They inform either the QSC or NICE CXone administrators which accounts should be deactivated. Terminated/transferred users’ accounts are disabled immediately, removing the ability of the user to authenticate for both QSC and NICE CXone. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The QSC application has built-in role and permission schemes which have been tailored to fit the needs of CMS. During that process, the use of PII was determined to be appropriate for internal business uses only, for verification of identity and for possible security incident investigations. It was determined that only Administrators and two specific user communities require access to PII. Service Center Users need access to PII for verification purposes to reset other Users' passwords. Database Administrators have access to PII in order to maintain the database which stores the PII. Contractors are a part of the Administrator, Service Center, and Database user communities. NICE CXone has established a least-privilege process that allows access to user information only based on business needs. The NICE CXone application has built-in roles and permissions that restrict access to users' account information to Administrators only. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | QSC Users' system access is limited to the functions needed to perform their job functions. All activity within the QSC application is subject to audit logging and monitoring. Any modification of ticket data, including any PII information, is traceable back to an individual that last made a change to the ticket, via a username and timestamp associated with the activity. Direct access to underlying data that contains PII is subject to a logging and monitoring process which details any user selection or modification of data by means other than the use of QSC application. Additionally, only database administrators are given direct logical access to the underlying QSC data. All other system and application user accounts do not have approval, authorization, or the logical permissions necessary to alter or manipulate the information within the database directly.
NICE CXone users' system access is limited to the functions needed to perform their job functions. All activity within the NICE CXone application is subject to audit logging and monitoring. Additionally, Administrator is the role that allows access to user information and is needed to create, manage and update users' information. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All QSC and NICE CXone system users are required to take the CMS Cyber Awareness Challenge Computer Based Training (CBT) as well as the Identifying and Safeguarding Personally Identifiable Information (PII) training endorsed by CMS as well as Records Management training. This training is required upon initial hire, prior to gaining system access, and annually thereafter. |
Describe training system users receive (above and beyond general security and privacy awareness training) | All QSC and NICE CXone users undergo a formal training program prior to using the system. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | QSC and NICE CXone follow the CMS Record Schedule, more specifically the Center for Clinical Standards and Quality (CCSQ) File Plan. The disposal authority for QSC is N1-440-09-3 and mandates destruction of data after 7 years. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | For both QSC and NICE CXone administrative controls include, but are not limited to: contingency plans and annual testing, backups of all files, offsite storage of backup files, background checks for all personnel, incident response procedures for timely response to security and privacy incidents, initial security training with refresher courses annually, and annual role-based security training for personnel with assigned security roles and responsibilities. Technical controls include but are not limited to: user authentication with least privilege authorization, firewalls, Intrusion Detection and Prevention systems (IDS/IPS), encrypted communications, hardware configured with a deny all/except approach, auditing, and correlation of audit logs from all systems. Management controls include but are not limited to: Certification and Accreditation (C&A), annual security assessments, monthly management of outstanding corrective action plans, ongoing risk assessments, and automated continuous monitoring. |
Identify the publicly-available URL: | QSC - https://cmsqualitysupport.servicenowservices.com/qnet_qa https://cmsqualitysupport.servicenowservices.com/qsep https://cmsqualitysupport.servicenowservices.com/cms_1135 https://cmsqualitysupport.servicenowservices.com/ccsq_support_central https://cmsqualitysupport.servicenowservices.com/sp_ess https://cmsqualitysupport.servicenowservices.com/iqies_hcd_form https://cmsqualitysupport.servicenowservices.com/cms_hh |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply) |
|
Web Beacons - Collects PII?: | No |
Web Bugs - Collects PII?: | No |
Session Cookies - Collects PII?: | No |
Persistent Cookies - Collects PII?: | No |
Other - Collects PII?: | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government websites external to HHS? | No |