Privacy Impact Assessment (PIA)

In accordance with the E-Government Act of 2002 and OMB Memorandum 03-22, CMS is required to conduct Privacy Impact Assessments (PIA). A PIA is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied by the public.


PIAs are a critical tool for:


  • Spotting privacy risks
  • Complying with federal regulations and laws
  • Identifying collections of Personally Identifiable Information (PII) and/or Protected Health Information (PHI)
  • Identifying CMS information systems subject to the Privacy Act of 1974


Additionally, OMB Memorandum 10-23 requires CMS to conduct a PIA for each use of a Third Party Website and Application (TPWA). A TPWA PIA is an analysis of the third-party websites or application technologies (like social media platforms) used by CMS to communicate and engage with members of the public.


If you have any questions, please contact 


View signed CMS PIAs on the HHS PIA website. 

Page Last Modified: 11/21/2023 06:14 PM