Virtual Audit Management System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/13/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-9020203-208894 |
Name: | Virtual Audit Management System |
The subject of this PIA is which of the following? | Major Application |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Agency |
Point of Contact (POC) Title: | ISSO |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 3/11/2022 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | VAMS as an application hosts TeamMate software (developed by Wolters Kluwer (WK)) in two separate infrastructures to satisfy the needs of different CMS business groups, accommodating the Affordable Care Act (ACA) and No Surprises Transparency (NST). The ACA infrastructure previously included TeamMate AM version 12.6, which has been changed to TeamMate (TM) Plus, a web-based application. Each instance of TM Plus exists in its own Amazon Web Services (AWS) boundary and has no dependencies on or integrations with the other. |
Describe the purpose of the system | The Virtual Audit Management System (VAMS) is a system used by Centers for Medicare & Medicaid Services/Center for Consumer Information and Insurance Oversight (CMS/CCIIO) to provision and maintain a leading Commercial Off-the-Shelf (COTS) product for the ACA/CMS No Surprises & Transparency Act System (NST) auditing of healthcare entities. The auditing COTS product being utilized by CMS is known as TeamMate Plus, from the Wolters Kluwer organization. CMS’ auditing activities are crucial operations to ensure compliance and reduce fraud, helping to save the Federal government significant funds. CMS/CCIIO conducts various audits/reviews of several healthcare entities to ensure compliance with the regulations issued as part of the ACA and NST. CCIIO uses the National Association of Insurance Commissioners (NAIC) Market Regulation Handbook to conduct Federal Market Conduct Examinations. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | VAMS collects documentation from Qualified Health Plans (QHPs) and non-QHPs to allow for audit and additional review in accordance with the ACA. The documents include details of operations, such as operations and maintenance manuals, insurance form filings and insurance rate documentation. To access VAMS, a limited number of registered users input a user ID and password. User IDs and passwords are created in the AWSCLOUD Active Directory system. Users must provide their name, email address and telephone number to create a user ID and password. The Issuer Oversight Compliance Reviews database in TeamMate does include Personally Identifiable Information (PII) and Protected Health Information (PHI). Agent and Broker data may include spreadsheets with names, positions and practice addresses. The following PII is included in the system: License Number; Social Security Number (SSN). VAMS TM Plus, which is a web-based application, is only accessible on the CMS network (CMS Zscaler). Since non-CMS contractors do not have access to CMSNET, they need CMS Zscaler to access the application. Users must have an Enterprise User Administration (EUA) ID and a list of job codes assigned to their EUA profile. Additionally, the CMS TeamMate Champion (TM Plus admin user) will need to create an account for the new user in TM+ using the following information from the user: First Name, Last Name, Email, EUA ID (as username), Phone Number. Information within VAMS is stored for 10 years or for as long as CMS requires it to be held in the system. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | VAMS hosts software developed by Wolters Kluwer called TeamMate Plus, an audit management tool that allows CCIIO to create and manage the analysis, audits, examinations, form filings, rate review analysis and the associated documents and work papers of Health Plans, and to conduct investigations. Additionally, to access VAMS, users input a user ID and password. This information is maintained for as long as the user requires access for job functions. For TM Plus, users use their EUA ID within Identity Management (IDM) to log in and access the software. Finally, information may include the following details: policy number, certificate number (identifies a member under a group health insurance master contract), subscriber ID, name, diagnostic and procedure codes, address, member ID, enrollment or termination dates, Provider name, Provider address, and provider Tax ID Number (in some cases, depending on what the Issuer submits). Authentication to VAMS requires that the user enter PII in the form of a username. The username contains the user's first name and last name. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII is in the system? | 500-4,999 |
For what primary purpose is the PII used? | PII is required to identify VAMS system users and allow access to VAMS. PII is also included as necessary to support audits of health insurance entities and for the ACA and NST CMS business groups to conduct audits and investigations. The Issuer Oversight Compliance Reviews database in TeamMate Plus does include a significant amount of PII and PHI. Agent and Broker data may include spreadsheets with names, positions and practice addresses. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable. |
Describe the function of the SSN. | SSN may be included in documents related to the audits or investigation of various components, including Issuer Oversight and CCIIO Oversight Group. |
Cite the legal authority to use the SSN. | Patient Protection and Affordable Care Act of 2010, sections 1411 and 1414, codified at 45 C.F.R. 155.310 and 26 U.S.C. 6103 |
Identify legal authorities governing information use and disclosure specific to the system and program. | 5 USC Section 301, Departmental Regulations |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0560, Health Insurance Exchanges Program |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | Not applicable for the creation of user credentials. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | To get into the VAMS TM Plus software/tool, a user must first log into IDM. Users must enter their EUA ID within IDM, which allows them to proceed only after accepting the terms and conditions. These terms and conditions provide users the details of the data collection. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Users cannot opt out of the collection or use of their PII (their user credentials) because it is required to access the VAMS system. For situations in which the system requests PII from individuals and those individuals do not have the choice to opt out of the use or collection of their PII, individuals cannot opt out because the information is necessary for users to be contacted. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Major changes to the VAMS system, including a change in the authentication mechanism for user credentials, will include multiple communications to the users following the VAMS Release and Version Management Plan. This plan includes emailing individuals with PII in the system to inform them of major changes that will take place. Additionally, since users log in through AWS or IDM, that system is responsible for notifying users of any changes to that system's parameters. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | VAMS system users can contact the Federal Exchange Program Systems (FEPS) Help Desk which is the Marketplace Service Desk at 855-267-1515 or by email at CMS_FEPS@cms.hhs.gov with any concerns regarding their user credentials. They can also contact the CMS Information Technology (IT) Help Desk at 1-800-562-1963 or 410-786-2580 or by email at CMS_IT_Service_Desk@cms.hhs.gov to report PII concerns related to AWS or IDM. A user can either email or call the Help Desk. The Help Desk may engage the Exchange Operation Center (XOC), if additional support or investigation is required for resolution of the concern. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | There are automated processes within the VAMS system that ensure that a user's ID, email address, and name are accurate. This process includes a tool that emails a user when his or her password will expire. Availability of PII is managed by automated tools at the AWSCLOUD level that automatically notify engineers when the system is offline. Quarterly audits of the business requirements and user accounts ensure the integrity of user accounts by reviewing the status of users and removing inactive accounts. PII accuracy is maintained by automated emails to users when their password is set to expire and when it has expired. Relevancy is reviewed through a quarterly audit of system requirements as they relate to the relevancy of the PII captured (i.e., whether usernames and email addresses are still required). |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Administrative controls within the system ensure that only users with the proper permissions have access to PII within the system. Specifically, the 'User' group contains all users within the system; users who have not been granted the 'User' role cannot access PII within VAMS. Access to PII is granted based on the user's role following the principles of minimum necessary and least privilege. Access to the 'User' group is granted by System Administrators. This group is audited quarterly. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Access to PII is granted based on the user's role following the principles of minimum necessary and least privilege. Administrators must approve all system access and re-certify that access every 365 days. Only administrators may change PII within the system. All actions are logged. Technical controls for this access are provided through the Active Directory maintenance tool within AWSCLOUD. Authority to use this tool is only given by the AWSCLOUD administrators. Only the CCIIO Business Owners identified by CMS PE workstream leads are granted the role of CMS PE Champion within TM Plus. CMS PE Champions are able to create accounts within the TM Plus software/tool. |
Identify the training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | CMS employees and support contractors with CMS accounts must take the annual Security and Privacy Awareness training provided by CMS. Users acknowledge successful training after passing a test at the end of the training, and the system verifies completion. Included in the training is education about how to properly handle sensitive data. |
Describe training system users receive (above and beyond general security and privacy awareness training) | There is no training above and beyond the CMS regular Security Awareness and Privacy training. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | All PII will be retained for as long as necessary or until system retirement. After system retirement, data destruction will be handled per the established CMS guidelines. This will include deletion of data from physical drives and formal documentation of data destruction with signed confirmation by the contractor and business owner. Per the National Archives and Records Administration (NARA)-approved records Disposition Authority, General Records Schedule (GRS) 24, item 13a1: Destroy/delete when 7 years 6 months, 10 years 6 months, or 20 years 6 months old, based on the maximum level of operation of the Certification Authority, or when no longer needed for business, whichever is later. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The administrative controls in place to secure the PII include access control (request and authentication through the AWSCLOUD system or IDM system), periodic review of users and deletion of non-active accounts, and role-based access for developers and administrators. The technical controls in place are firewalls that prevent unauthorized access, encrypted access when users connect to VAMS, and computer system controls that prevent users without administrative or developer access from logging into a test environment. The test environment and the production application are not joined together. VAMS is hosted in the AWSCLOUD, which employs physical controls and monitoring to restrict physical access and ensure the security of doors; the efficacy of heating and air conditioning, smoke and fire alarms, and fire suppression systems; and the use of cameras, fencing and security guards. |