
Survey and Certification and Clinical Laboratories Improvement Amendments Act

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 7/8/2024

PIA information for the Survey and Certification and Clinical Laboratories Improvement Amendments Act
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-4363748-046867

Name:

Survey and Certification and Clinical Laboratories Improvement Amendments Act

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

Yes

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

5/21/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Since the last PIA (6/17/2021), the system was migrated to Centers for Medicare and Medicaid Services (CMS) Version 4 (V4) Amazon Web Services (AWS) accounts, using Relational Database Service (RDS) Structured Query Language (SQL) Server in V4 as the database, and was migrated to Windows Server 2019. A Dev life cycle was added as part of the migration to Cloud V4, a DevSecOps pipeline was implemented for building the Survey and Certification and Clinical Laboratory Improvement Amendments (SCCLIA) infrastructure components (AppServer, WebServer, database and load balancers), and the SCCLIA application GitHub repository was integrated with Snyk for security vulnerability scanning. No other changes were made.

Describe the purpose of the system

The Survey and Certification and Clinical Laboratory Improvement Amendments (SC-CLIA) Budget System is the repository for information associated with Survey & Certification (S&C) and Clinical Laboratory Improvement Amendments (CLIA) programs. The system is also used for creating reports based on the stored information.

CLIA program: The Centers for Medicare & Medicaid Services (CMS) ensures the quality of laboratory service providers and regulates all laboratory testing performed on humans in the U.S. In total, CLIA covers approximately 260,000 laboratory entities. The Division of Clinical Laboratory Improvement & Quality, within the Quality, Safety & Oversight Group, under the Center for Clinical Standards and Quality (CCSQ), has the responsibility for implementing the CLIA Program. The objective of the CLIA program is to ensure quality laboratory testing. Although all clinical laboratories must be properly certified to receive Medicare or Medicaid payments, CLIA has no direct Medicare or Medicaid program responsibilities.

S&C program: CMS maintains oversight for compliance with the health and safety standards for laboratories and acute and continuing care providers serving Medicare and Medicaid beneficiaries. The survey (inspection) for this determination is done on behalf of CMS by individual State Survey Agencies. The functions the States perform for CMS under the agreements in Section 1864 of the Social Security Act (SSA) are referred to collectively as the Certification process.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The agency collects information from State Agencies regarding the S&C and CLIA programs. The system contains budget and expenditure information, survey workload information, information about equipment purchases, and lists of employee positions. The budget and expenditure information includes aggregate budgeted and actual salary and direct cost information for categories of workers (aggregates; not for individual workers) participating in the State S&C and CLIA activities, and an estimate of total funds required by the State for S&C activities. The survey workload information consists of the planned and accomplished number of visits per type of provider. For the S&C program, the types of providers include various kinds of hospitals, health clinics, hospices, and nursing facilities. For CLIA activities, the types of provider are various types of laboratories. The equipment purchase information includes a description of the equipment needed to perform the S&C and CLIA activities; the number of units on hand, additional needed, and replacement needed; and unit, gross, and net cost. The lists of positions for both S&C and CLIA activities contain the position title, name of the position holder, work location, staff years, funds required, and annual salary. All these positions are State Agency employees. The information collected in the system is the minimum required to accomplish the purpose of this effort. The system user community consists of CMS employees, CMS direct contractors, State Agency employees, and State Agency direct contractors. The information collected about these users consists of the Healthcare Quality Information System (HCQIS) Access Roles and Profile Management System (HARP) user ID, the name, and the email address as provided by HARP. HARP is a CMS system which has a separate PIA.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

OVERVIEW of SC/CLIA

The agency collects information from State Agencies regarding the S&C program and CLIA program using SC-CLIA. This information collection happens on a publicly reachable website. This website can only be accessed by users authorized to perform their job duties through the system. SC-CLIA uses a total of nine online forms to collect the information from State Agencies.

INFORMATION COLLECTED and MAINTAINED by SC-CLIA

SC-CLIA is used by State Agencies to submit information on the following forms:

S&C Program:

CMS-435 – State Survey Agency Budget/Expenditure Report: budgeted or actual salaries and direct costs for State Agency personnel involved in survey and certification activities aggregated by category.

CMS-434 – State Survey Agency Certification Workload Report: planned or accomplished number of visits per type of provider.

CMS-1465A – State Agency Budget List of Positions: list of State Agency employees involved in S&C activities with position title, name (first, last, middle initial), city where located, staff years, funds required, and annual salary.

CMS-1466 – State Agency Schedule for Equipment: list of equipment needed for the administration of Section 1864 of the SSA with description of the equipment, number of units on hand, number of additional and replacement units needed, unit cost, gross cost, and net cost.

CMS-EST – State Agency Estimate of Expenditures: estimate of funds required for Title XIX of the SSA (Medicaid), split in Federal Share and State Share.

CLIA Program:

CMS-102 – CLIA Budget/Expenditure Report: budgeted or actual salaries and direct costs for State Agency personnel involved in CLIA activities aggregated by category.

CMS-105 – CLIA Planned Workload Reports: planned or accomplished number of visits per type of providers (laboratories).

CMS-1466 – CLIA Schedule for Equipment Purchases: list of equipment needed for the CLIA program with description of the equipment, number of units on hand, number of additional and replacement units needed, unit cost, gross cost, and net cost.

CMS-1465A – CLIA State Agency Budget List of Positions: list of State Agency employees involved in CLIA activities with position title, name (first, last, middle initial), city where located, staff years, funds required, and annual salary.

State Agency personnel certify that the information provided is correct by adding their name and title to the submission. CMS Regional Office (RO) personnel then review and approve the State Agency submissions. CMS Central Office (CO) personnel create reports based on the certified and approved information and perform system maintenance.

All information is used to provide states with quarterly Medicaid S&C grant awards, annual Medicare S&C awards, and annual CLIA awards.

No information about individuals is collected, with the following exceptions.

Name and work e-mail address of system users (about 250), needed to grant appropriate system access to the users and to communicate with users.

Name, city where located, and salaries of State Agency workers involved in S&C or CLIA activities, needed to provide funds to the States to perform these activities.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name

  • E-Mail Address

  • Other - HARP User ID for all system users; Position titles, city where located, and salaries for State Agency employees involved in S&C or CLIA activities

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Business Partners/Contacts (Federal, state, local agencies)

How many individuals' PII in the system?

100-499

For what primary purpose is the PII used?

Name of system users is required to establish the identity of the users.

Email address of system users is needed to communicate with the system user.

Position title, city where located, and salary for State Agency employees involved in S&C or CLIA activities are needed to determine if funds for the position must be provided by the federal government.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

Company email address is required for the purpose of business correspondence.

Describe the function of the SSN.

N/A. The Social Security Number (SSN) is not collected.

Cite the legal authority to use the SSN.

N/A. The SSN is not collected.

Identify legal authorities governing information use and disclosure specific to the system and program.

5 USC Section 301, Departmental Regulations

Section 1864 of the Social Security Act

Clinical Laboratory Improvement Amendments of 1988.

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

  • Online

  • Other - The CMS Healthcare Quality Information System (HCQIS) Access Roles and Profile Management System (HARP).

Identify the sources of PII in the system: Government Sources

  • Within the OPDIV

  • Other HHS OPDIV

  • State/Local/Tribal

Identify the sources of PII in the system: Non-Government Sources

N/A

Identify the OMB information collection approval number and expiration date

OMB Collection Approval No. 0938-0599; expiration date: 12/31/2021.

The OMB Collection number is expired, but renewal is currently in process per OSORA. The new OMB number will be added as soon as it is approved by OSORA.

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

SC-CLIA does not collect any Personally Identifiable Information (PII) directly from the individual. Rather, SC-CLIA obtains this information from the CMS Healthcare Quality Information System (HCQIS) Access Roles and Profile Management System (HARP) or the State Agency. Therefore, HARP and the State Agencies are responsible for notifying individuals that their personal information will be collected.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Opt-out is not available. The following paragraphs explain why:

Name of system users is required to establish the identity of the users so they can be authorized to access the system. This is performed by HARP and covered under its PIA.

Email address of system users is needed to communicate with the system user for events affecting their use of the system. Email addresses are collected by HARP and covered under its PIA.

HARP User IDs are used in SC-CLIA to uniquely identify users. This information is needed so the system can track who made what change. HARP User IDs are maintained by HARP and covered under its PIA.

Position title, city where located, name, and salary for State Agency employees involved in S&C or CLIA activities are needed to determine if funds for the position must be provided by the federal government. State Agencies are responsible for collecting this data.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

No such major changes are planned or anticipated. However, if a major change to the SC-CLIA system were to occur that affected the users' PII, an email notification would be sent out as an alert message.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

After the initial log on screen, there is a welcome screen which provides SC-CLIA Point of Contact (POC) information. If an individual has concerns, they are instructed to contact a POC. Additionally, an individual would contact the CMS IT help desk by telephone or email to report any concerns. The help desk would investigate and determine if additional action is needed or whether it was resolvable by the individual updating their account information.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The Admin Audit Report and User Audit Report are inherited from HARP.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Regular users can only access the following PII:

    • Name and title of the State Agency employee who certified a state submission.

    • Position title, name (last, first, middle initial), and city where located of State Agency employees involved in S&C and CLIA activities.

    • Regular users only have access to information pertaining to their role. For instance, State Agency users only have access to the information about their own state; RO users only have access to the information about all states within their region(s).

    • State Agency users (including contractors working for a State) need to have access to this information because they are the ones entering and certifying it; RO users need to have access to this information because they are the ones approving it.

  • Administrators: System administrators have access to usernames, HARP User IDs, and email addresses to communicate with the users via email and to manage access.

  • Developers: Developers only have access to the Production data containing PII to help resolve production issues if they occur. Developers are direct CMS contractors with HARP credentials.

  • Contractors: The only contractors with system access are direct CMS contractors working as Developers (see Developers Explanation; these direct contractors use HHS credentials) and State Agency contractors hired to enter data for a State into SC-CLIA (see Users Explanation).

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Administrators designated as account management personnel are provided access to account management functionality via access controls in accordance with 'Least Privilege' and may access the PII in the system (name, HARP User ID, and email address).

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Access to all data, including all data that can be considered PII, is limited to the absolute minimum needed for performing the job. This is enforced by the following distinct roles (role-based access):

  • State User: a user working for a State Agency is assigned to this role, with access to only the data for that State (the minimum for the job).

  • Regional Office (RO) User: a user working for a CMS Regional Office is assigned to this role, with access to only the data for the States in the region(s) (the minimum for the job).

  • Central Office (CO) User: a user working for the CMS Central Office is assigned to this role, with access to all data except user administration data (the minimum for the job).

  • Admin User: a user working for the CMS Central Office to administer users and the application; this role can access all data in the system, which is required for the job. Note that the number of Admin Users is only 4 (four) at the time of writing and is not expected to increase.
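The role scoping described above, expressed as an authorization check with a deny-by-default fallthrough. This is an added illustration, not SC-CLIA's own code or data model; the role names, record kinds and the region-to-state map are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed region map (hypothetical; not CMS's actual region assignments).
REGIONS = {"R1": {"MA", "CT"}, "R2": {"NY", "NJ"}}


@dataclass(frozen=True)
class User:
    harp_id: str                   # HARP User ID, the unique identifier for a user
    role: str                      # "STATE", "RO", "CO" or "ADMIN"
    state: Optional[str] = None    # set for STATE users only
    regions: FrozenSet[str] = frozenset()  # set for RO users only


@dataclass(frozen=True)
class Record:
    kind: str             # "submission" (a State's form data) or "user_admin"
    state: Optional[str]  # State a submission belongs to; None for admin data


def can_access(user: User, record: Record) -> bool:
    """Return True only when the role's scope, as the PIA describes it, covers the record."""
    if user.role == "ADMIN":
        return True                       # all data, including user administration
    if record.kind == "user_admin":
        return False                      # only Admin Users may see user administration data
    if user.role == "CO":
        return True                       # every State's data, but not user administration
    if user.role == "RO":
        # any of the RO user's region(s) that contains the submission's State
        return any(record.state in REGIONS.get(r, set()) for r in user.regions)
    if user.role == "STATE":
        return record.state == user.state  # own State only
    return False                          # unknown role: deny by default


def filter_visible(user: User, records: List[Record]) -> List[Record]:
    """Apply the policy to a whole result set, as a data-access layer would."""
    return [r for r in records if can_access(user, r)]
```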

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

System personnel and all system users participate in mandatory annual CMS Security Awareness and Privacy training. Training on account management policies and procedures is provided to administrative and account management personnel on an annual basis.

Describe training system users receive (above and beyond general security and privacy awareness training)

Not applicable

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

SC-CLIA is a financial system and follows the retention schedule defined in Centers for Medicare & Medicaid Services (CMS) Records Schedule, Records Schedule Number DAA-0440-2015-0004. This schedule specifies the retention schedule as: "Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized." SC-CLIA retains all data, including PII, indefinitely as allowed per this schedule.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative controls in place are the rule of least privilege and restriction of access to authorized personnel with an approved user ID and password.

Technical controls used to secure PII are firewalls and intrusion detection systems.

Physical controls include door locks, Personal Identification & Verification (PIV) badges, key cards, and closed-circuit TV (CCTV).

Identify the publicly-available URL:

https://scclia.cms.gov

Does the website have a posted privacy notice?

No

Is the privacy policy available in a machine-readable format?

No

Does the website use web measurement and customization technology?

Yes

Select the type of website measurement and customization technologies in use and whether they are used to collect PII. (Select all that apply)

Persistent Cookies: Does NOT collect PII

Does the website have any information or pages directed at children under the age of thirteen?

No

Does the website contain links to non-federal government websites external to HHS?

No