Reusable Framework
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 7/8/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-5799165-899336 |
Name: | Reusable Framework |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 12/10/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Since the last PIA was updated, the ET3 model has been decommissioned from use. The ET3 model officially reached end of life on February 29, 2024, and it will be kept until December 31, 2024. The model data still exists in the environment, but access has been limited to Admin and support users only. All model users’ access has been removed. Once the December 31, 2024, deadline has been reached, the ET3 model and all of its data will be removed. ET3 data includes Social Security Number (SSN) and Driver's License Number (DLN). |
Describe the purpose of the system | The purpose of the Center for Medicare and Medicaid Innovation (CMMI) Reusable Framework (RFX) system is to identify candidate reusable services and build them out in an iterative manner. The CMMI Reusable Framework will support CMMI in its need to standardize and promote reuse of CMMI-specific services in a consistent manner that will lead to significant savings in costs for infrastructure, licensing, development, and maintenance. The framework will allow CMMI to be more agile in assembling systems that are necessary to support future models. RFX allows CMMI to rapidly deploy applications, within the RFX framework, to support the various CMMI Models at a cost savings. RFX contains modules that provide specific services which can be deployed per each model’s requirements. Some of the services RFX provides include the following: |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The system collects and/or maintains Personally Identifiable Information (PII) and Protected Health Information (PHI). This includes health insurance claim numbers (HICN) and/or Medicare Beneficiary Identifier (MBI), Medicaid ID, e-mail address, mailing address, name, date of birth, phone numbers, provider name, provider address, provider phone number, provider e-mail address, taxpayer ID, medical notes, legal documents, National Provider Identifier (NPI), and Medical Records Number. Since the ET3 model has become inactive and is awaiting full decommission, the collection of PII and PHI data has been significantly reduced. Social Security Number (SSN) and Driver's License Number (DLN) are no longer collected. The data collected during the active life of the ET3 model has been restricted to Administration duties only. All ET3 model users have been placed inactive, so they no longer have access to the data. This data, SSN and DLN, will reside in the environment until December 31, 2024. Once full decommission takes place, the SSN and DLN will be purged and will no longer need to be maintained. RFX utilizes user IDs and passwords, and these login credentials are used to grant access to the system. Users of RFX are the system administrators, maintainers and developers, and direct contractors. The login credentials used to access RFX are provided to users by CMS’s Identity Management (IDM) system. RFX does not collect, maintain, or share login credentials. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CMMI Reusable Framework supports CMMI in its need to standardize and promote the reuse of CMMI-specific services in a consistent manner. The application gathers data, including PII/PHI, from other CMS systems and from providers to develop and deliver models that support the CMMI programs. The type of PII/PHI collected includes HICN and/or MBI, Medicaid ID, e-mail address, mailing address, name, date of birth, phone numbers, provider name, provider address, provider phone number, provider e-mail address, taxpayer ID, medical notes, legal documents, National Provider Identifier (NPI), and Medical Records Number. Since the ET3 model has become inactive and is awaiting full decommission, the collection of PII and PHI data has been significantly reduced. SSN and DLN are no longer collected. The data collected during the active life of the ET3 model has been restricted to Administration duties only. All ET3 model users have been placed inactive, so they no longer have access to the data. This data, SSN and DLN, will reside in the environment until December 31, 2024. Once full decommission takes place, the SSN and DLN will be purged and will no longer need to be maintained. RFX authorized users retrieve beneficiary records using Name (First Name, Middle Name, Last Name), DOB, Zip Code, MBI and Medicaid ID data elements. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 100,000-999,999 |
For what primary purpose is the PII used? | The PII will be used in the development of the various CMMI models to test health care innovation and delivery. Model team collects the PII from Model Participants for the purpose of Model operations and evaluation. User Credential PII is provided via CMS's identity management system account registration and is used to access the system to support operations. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable. |
Describe the function of the SSN. | The ET3 model has become inactive in the RFX platform and does not collect any new SSN data. The SSN data currently housed within the ET3 model has been restricted to only Admin access and will be fully removed upon complete decommissioning of the model. The full decommissioning of the model is set for December 31, 2024. |
Cite the legal authority to use the SSN. | Affordable Care Act (ACA) Sec. 3021; E.O. 9397. The ET3 model has become inactive in the RFX platform and does not collect any new SSN data. The SSN data currently housed within the ET3 model has been restricted to only Admin access and will be fully removed upon complete decommissioning of the model. The full decommissioning of the model is set for December 31, 2024. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Affordable Care Act (ACA) Sec. 3021. |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Master Demonstration, Evaluation and Research Studies for ORDI, SORN 09-70-0591, Pub. 04/19/2007 |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - RFX does not collect PII/PHI directly from the public. |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | Not applicable. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Not applicable. The information that is submitted to RFX is sourced from existing medical records that have already been collected by the provider. Responsibility for patient notification resides at the point of information collection from the individual. However, all Medicare participants are provided with a Notice of Privacy Practice that states that although they can elect to not share data for certain processes, as a condition of participating in Medicare, their information will be shared for certain purposes, such as quality assessment and reporting. RFX end-users are given Terms and Conditions during the CMS account registration process which include Consent to Monitoring, Protecting Your Privacy, and Consent to Collection of Personal Identifiable Information (PII). Users will be emailed at the email address provided during registration if there are any changes in the Terms and Conditions. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | It is the CMS source system’s duty to provide individuals with an option to opt out. The information that is submitted is sourced from existing medical records that have already been collected by the provider. Responsibility for the patient opt-out process resides at the point of information collection from the individual. The provision of PII is "voluntary" as that term is used by the Privacy Act. However, to receive benefits under the Medicare program, individuals must provide PII including all the information collected and used by RFX. RFX system users, who are CMS employees and direct contractors, must provide PII for system administrators to authenticate their identity and provide them with access to RFX. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The information that is submitted is sourced from existing medical records that have already been collected by the provider. Changes to RFX that would involve changes in uses and disclosures of beneficiaries' PII are not expected to occur. If such changes were to occur, CMS will inform individuals using multiple channels, including direct mailings; notices on the CMS website (including edits to CMS's posted privacy policy); or changes to the relevant systems of records notices. Changes involving uses and disclosures of authentication information are also not expected to occur. In the event of such changes, employees will be notified by notices on the CMS intranet; newsletters; updates to the relevant systems of records notices; e-mails to affected individuals; and through supervisors and system owners. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The information that is submitted is sourced from existing medical records that have already been collected by the provider. Responsibility for patient concerns regarding the use of PII resides at the point of information collection from the individual. If an individual has concerns that their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate, the following procedures should take place: If the user believes an incident has occurred, the user should cease what they are doing and notify the Model Specific Helpdesk. The Help Desk will create a ticket and will notify RFX Management and the RFX Security team. The RFX security team will investigate the event. If reportable, security will notify the CMS Help Desk within 1 hour of the incident occurring. (If the event is unreportable, security will notify the Help Desk to close the ticket.) The CMS Help Desk Representative will serve as the CMS First Respondent in documenting and assessing the incident to ensure that the incident has been contained. The incident will be escalated and routed to the appropriate CMS group per the CMS Incident Response Policy to determine the severity and course of action for mitigation. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Model staff collect only the minimum PII elements that are necessary for supporting each of the models within RFX. These elements are evaluated for accuracy, integrity, and relevancy on an initial and annual basis to ensure PII continues to be necessary to accomplish the model’s scope. Access to this data is kept secure on the application and is only accessible by internal system users, administrators, maintainers, and direct contractors. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | To obtain access to RFX, users must first obtain CMS credentials via CMS’s registration process. Once the user has received a user ID and password, a request must be made for access to the RFX system and an RFX-specific application role. Roles are assigned and access is granted, to RFX and the PII it contains, based upon the principle of least privilege and "need-to-know" or "need-to-access" requirements to perform their assigned duties. The approvers will review the request and the provided justification and either approve or reject the request. System Administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if no longer required. Activities of all users, including system administrators, are logged and reviewed by Business Owner Representatives to identify any abnormal activities. If any abnormal activities are found, they are reported to the business owner and the Information System Security Officer (ISSO). |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The system enforces role-based access based on a least-privilege model to protect data from unauthorized personnel. The application controls data access such that each organizational user is restricted to accessing only the data pertaining to their organization. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All Centers for Medicare and Medicaid Services (CMS) employees and CMS direct contractors are required to complete mandatory security and privacy awareness training prior to gaining access to the CMS network. Each year thereafter, the user must get recertified. If they fail to complete the recertification training, the user's access will be terminated. CMS also requires users on an annual basis to complete Role-Based Training and HHS Records and Retention Training. The direct contractor provides Role-Based Training regarding security and privacy for its employees that access the system. Employees are also required to complete Annual Refresher Training, Insider Threat Training, and OWASP Training (exclusively for the project team, i.e., developers, testers, and Business Analysts (BAs)). |
Describe training system users receive (above and beyond general security and privacy awareness training) | The direct contractor provides Role-Based Training regarding security and privacy for its employees that access the system. Employees are also required to complete Annual Refresher Training, Insider Threat Training, and the Open Worldwide Application Security Project (OWASP) Training (exclusively for the project team, i.e., developers, testers, and BAs). |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The application adheres to data retention and destruction policies/procedures that follow National Archives and Records Administration (NARA) guidelines related to data retention and NIST guidelines related to data destruction. More specifically, RFX adheres to the following NARA general records schedule guideline: DAA-0440-2015-0007-0001; destroy no sooner than 10 year(s) after cutoff, but longer retention is authorized. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | To secure PII, RFX follows, and the direct contractor is bound by contract to follow, the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards, which are aligned to Health and Human Services (HHS) policies and to NIST requirements. RFX PII is secured with security controls as required by the CMS Security Program. Administrative: Users are provided with privacy training to understand how to properly handle and disclose privacy data. The system uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. Users must receive manager approval to gain access to the system. Technical: The data in RFX is secured behind a firewall and through application security. Technical security controls include, but are not limited to, audit controls, user accounts, passwords, and access limitation. Physical: The Data Center hosting the application has security guards and controlled-access rooms with locks to guard against unauthorized access. |