Privacy Impact Assessment (PIA)
The CMS Privacy Office provides the technical and management support necessary for the agency to achieve compliance with Title II and III of the E-Government Act of 2002 and the Federal Information Security Management Act (FISMA). A key component of this legislation is the completion, publication, and submission of information technology (IT) system Privacy Impact Assessments (PIAs). Conducting a PIA facilitates the identification of systems that contain personally identifiable information (PII) and satisfies system compliance with all relevant privacy laws, regulations, and guidance. The PIA process also ensures that privacy protections are incorporated into every stage of an IT system's life cycle, and measures the effectiveness of these protections. CMS Privacy Office policy requires that all systems have a current PIA, which requires an annual review of the assessment by CMS System Business Owners and Information System Security Officers (ISSO) and approval that it meets privacy compliance by the CMS Privacy Office. Also, should the CMS System undergo a significant change at any time, the assessment is required to be completed at that time as well and submitted to the CMS Privacy Office for approval.
Due to an HHS policy change, the Privacy Impact Assessment (PIA) submission process will be undergoing an extensive redesign this year. The Department is requiring all systems to complete a new PIA “smart form” that will be unique to them. In the next months we will be migrating the information from last year’s submission into the new smart form, and then e-mailing them to you. You will be asked to review your PIA, make any required changes, and return to us.
If you have any questions, please send an e-mail to PIA@cms.hhs.gov.
The CMS PIAs are viewable on the Department of Health and Human Services (DHHS) PIA web page.