Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)
What is a Privacy Impact Assessment (PIA)?
A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied by the public.
PIAs are required by the E-Government Act of 2002, which Congress enacted to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.
Further, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are posted on the HHS website upon completion to offer transparency to the public.
Who completes Privacy Impact Assessments (PIAs)?
Privacy Impact Assessments (PIAs) are a team effort. The Information System Security Officer (ISSO) leads the effort on behalf of the System/Business Owner to complete the questions required to submit a compliant assessment. The ISSO receives support from the ISPG Division of Security, Privacy, Policy & Oversight (DSPPO) and works in partnership with ISPG Cyber Risk Advisors (CRAs) to accurately complete the PIA.
The CMS Privacy Impact Assessment Handbook has all the steps and instructions for successfully completing a PIA.
Types of privacy assessments
Protecting user privacy through system security is a core mission of CMS. The type of information collected by a system determines what kind of assessment is required. The HHS PIA & PTA Writer’s Handbook provides guidance and questions to help system owners and ISSOs determine which privacy assessment is right for their specific needs.
There are four main types of privacy assessments:
Privacy Impact Assessments (PIAs)
PIAs are an analysis of how personally identifiable information is handled. PIAs are important because they help system owners:
- Determine the risks of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII within FISMA systems.
- Examine and evaluate protections for handling information to mitigate potential privacy concerns.
- Develop new solutions to manage PII if current collection methods aren’t optimized.
- Ensure that information is handled in a manner that supports all applicable legal, regulatory, and policy requirements regarding privacy.
PIAs must be completed in the following situations:
- For all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.
- For every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary and submit PIAs for re-approval no later than three years from the last HHS approval date.
- For any existing system undergoing a major change, an updated PIA is required.
- An existing system going through the ATO process may need to update its PIA paperwork if it’s close to expiring; an ATO cannot be completed with an expired or incomplete PIA.
If your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. If you’re unsure which assessment is right for you, the Privacy Office can help you make the right choice from the following options:
Internal Privacy Impact Assessments
Internal PIAs are similar to the PIAs described above but are only conducted for systems that collect PII of CMS employees and direct contractors only. Like a PIA, an internal PIA must be updated when a major change is planned for an IT system or electronic information collection. Unlike a traditional PIA, an internal PIA is not published on the HHS website and is not subject to the three-year review requirement.
Privacy Threshold Analysis (PTA)
A PTA is an analysis performed in lieu of a formal PIA for systems that do not collect, disseminate, maintain, or dispose of PII. The PTA must be updated during a major change or if the manner in which electronic information is collected is changed. It is possible that a major change (e.g., the addition of PII) could result in a PTA meeting the threshold to be a PIA. Since HHS uses an interactive form for PIAs, a separate document is not necessary to complete a PTA. PTAs are not published on the HHS website and are not subject to the three-year review requirement.
Third-Party Website Application (TPWA) Privacy Impact Assessment
A TPWA is an analysis of third-party websites or application technologies (like social media platforms) used by CMS to communicate and engage with members of the public. The TPWA PIA has different questions based on the specific risks and compliance requirements for TPWAs as outlined by OMB M-10-23. However, the PIA and TPWA PIA require approval from HHS and are published on the HHS public web page.
What is considered a major change?
A major change is something that alters the privacy risk associated with the use of a particular IT system. An example of a major change that would require an update to the PIA is a decision to collect social security numbers for an information system that previously was not collecting social security numbers. According to OMB M-03-22, PIAs should be reviewed following the major changes including, but not limited to:
Conversions: A conversion from paper-based information collection methods to electronic systems (e.g. records currently in paper form will be scanned or otherwise added into a system).
Anonymous to Non-Anonymous: When the system previously collected information about users that did not identify them, but has changed to collect information that makes anonymity impossible.
Significant System Management Changes: The introduction of new applications or technologies to an existing system significantly changes the process of how PII is managed within the system.
Significant Merging: When agency and/or government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated.
New Public Access: When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system that can be accessed by the public.
Commercial Sources: When PII is obtained from commercial or public sources and is integrated into the existing government information systems databases.
New Interagency Uses: When agencies work together on shared functions involving significant new uses or exchanges of PII.
Internal Flow or Collection: When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional PII.
Alteration in Character of Data: When a new type of PII is added to a pre-existing collection and raises the risk to personal privacy, such as the addition of health or privacy information.
How to complete a Privacy Impact Assessment (PIA)
HHS issues the master guidance for the completion of PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire that can be found on CFACTS. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA).
A step by step guide to answering the questions required to complete the PIA can be found within the PIA & PTA Writer’s Handbook, which is written by HHS and can be found as a resource on the front page of each individual question in CFACTS. You can also check out the CMS Privacy Impact Assessment Handbook for guidance and tips to ensure that your PIA is written correctly.
The procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.
Produced by: SO/BO, ISSO, Cyber Risk Advisor
Following any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter '' for the PIA.
Produced by: CRA, Privacy Advisor
The CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the Senior Official for Privacy (SOP) for approval. If the SOP or Senior Agency Official for Privacy (SAOP) recommends changes, the review process will continue from this step as needed until the PIA is approved and finalized by the SAOP.
Produced by: CMS Senior Official for Privacy (SOP), Final Approver
The SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.
Produced by: Senior Agency Official for Privacy (SAOP)
The SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.
HHS will submit the final PIA for publication to the HHS PIA internet site.
We are here to help if you have questions about your PIA. You can send an email to the Privacy Office: privacy@cms.hhs.gov. Or check in the CMS Slack community: #ispg-sec_privacy-policy.
You can also review the CMS Privacy Impact Assessment Handbook for tips and guidance on completing your PIA.