ACO/SSP: Accountable Care Organization/ Shared Savings Program
The Medicare Shared Savings Program portlet offers Accountable Care Organizations access to program information, including ACO-specific reports and other programmatic information
ACO Help Desk Contact the ACO Information Center at 1 (888) 734-6433 (select option 2) if you have any questions about using the ACO Portlet features. TTY/TDD: 1 (888) 734-6563
APS: Advanced Provider Screening
Advanced Provider Screening (APS) Help Desk For issues with the APS application:
Contact the CITIC Help Desk at: (410) 786-2580
Send email to: CMS_IT_SERVICE_DESK@cms.hhs.gov
ASETT
ASETT is a Web-based application that allows individuals and organizations to file electronic HIPAA/ACA complaints for alleged violations of the HIPAA/ACA Transaction and Code Sets (TCS) and Unique Identifiers (UIs), and operating rules regulations and other regulations that the client determines.
ASETT Helpdesk
Email: asett@actionet.com
Phone: (703) 951-6810
Point of Contact: Karah Jarvis/Kylee Haddock
Hours of Operations: 9AM to 5PM.
BCRS: Benefits Coordination and Recovery System
BCRS: Benefits Coordination and Recovery System Help Desk For issues related to the BCRS Application, please contact the COB&R Help Desk
BIGAPPS (APPS): Automated Plan Payment System
Bundled Payments EFT: Bundled Payments for Care Improvement Data File Transfer
Bundled Payments Help Desk Team provides email support for technical and program related questions.
Email: BundledPayments@cms.hhs.gov
BRES: Business Rules Enterprise Services
Business Rules Enterprise Services. CMS BRES is a business rule management system that enables organizational policies, and the operational decisions associated with those policies, to be defined, deployed, monitored, and maintained separately from application code.
CBIC: DMEPOS Competitive Bidding Program Suppliers
Connexion is the Durable Medical Equipment, Prosthetics, Orthotics & Supplies (DMEPOS) Competitive Bidding Program gateway that provides you with a secure, fast and convenient way to access your competitive bidding information. In order to access Connexion, please visit https://www.dmecompetitivebid.com and click on the Connexion link.
Competitive Bidding Implementation Contractor (CBIC) customer service center
Phone: 1 (877) 577-5331
CERRS: CCIIO Enrollment Resolution and Reconciliation System
CERRS Help Desk Team provides phone and email support for technical and program related questions.
Phone: 1 (703) 554-2807
Email: help.desk@cognosante.com
CNC: Compromised Number Checklist
COB: Coordination of Benefits
COB Help Desk Team provides phone and email support for technical and program related questions.
Phone: 1 (800) 927-8069
Email: mapdhelp@cms.hhs.gov
Enterprise Cognos Reports
For issues with the Enterprise Cognos Reports:
Contact the CMS IT Service Desk at: (410) 786-2580 or (800) 562-1963
Send email to: CMS_IT_SERVICE_DESK@cms.hhs.gov
CPC: Comprehensive Primary Care
Comprehensive Primary Care (CPC) Help Desk Information Contact the CPC Help Desk at CPCiSupport@Telligen.org.
Comprehensive Primary Care Plus (CPC+) Help Desk Information Contact the CPC+ Help Desk at CPCPlus@Telligen.org.
DBidS: DMEPOS Bidding System
Durable Medical Equipment, Prosthetics, Orthotics & Supplies (DMEPOS) Bidding System - The DMEPOS Bidding System is for suppliers submitting a bid for selected products in a particular Competitive Bidding Area (CBA).
Help Desk name: Competitive Bidding Implementation Contractor (CBIC) customer service center
Help Desk phone number: 1 (877) 577-5331
Help Desk email address: cbic.admin@palmettogba.com
DDR: Drug Data Reporting for Medicaid
DDR Help Desk For technical assistance, please contact DDRHelpDesk@dcca.com 1-833-879-6075.
DESY: Data Extract System
The Data Extract System (DESY) is a user-friendly system that allows authorized users to enter requests for data from various CMS data repositories. A user can only request data within the guidelines of their Data Use Agreement (DUA).
Please email your questions and comments to the DESY support mailbox, desy_support@cms.hhs.gov.
DEX: Data Exchange System
Contact the DEX Help Desk at DEXSupport@cms.hhs.gov
DSH: Disproportionate Share Hospital
The Disproportionate Share Hospital (DSH) allotment is the amount of money allocated to the states annually to cover the costs of hospitals that provide care to a significantly disproportionate number of low-income patients whose services are not paid by other payers such as Medicare, Medicaid, the Children's Health Insurance Program (CHIP) or other health insurance.
The DSH automated process is totally self-service. It allows DSH hospitals to submit data requests via an internet-facing application, and the requested data can be retrieved by the requestor the next business day.
Help Desk Name: DSH Data Request Support Team
E-mail Address: dshquestions@cms.hhs.gov
Hours of Operations: Monday thru Friday 8am to 5pm EST
ECRS: Electronic Correspondence Referral System Web
This application allows authorized users to fill out various online forms and electronically transmit requests for changes to existing Common Working File (CWF) Medicare Secondary Payer (MSP) information, and inquiries concerning possible MSP coverage.
Electronic Correspondence Referral System (ECRS) ECRSHELP
Phone: (646) 458-6740
Email: ECRSHELP@ehmedicare.com
ELMO: Eligibility & Enrollment Medicare Online
Eligibility and Enrollment Medicare Online (ELMO) is a common user interface system for Medicare Beneficiary Demographics, Entitlement/Eligibility, Health Status, Utilization, Low-Income Subsidy (LIS), Direct Billing, Third Party Billing, Enrollment, and Premium Information. The intended users of this system are CMS Central Office Users, Regional Office Users, Social Security Administrative Users, Railroad Board Users, and only authorized contractors that have a Data Use Agreement with CMS.
Contact the MAPD HD at MAPDHelp@cms.hhs.gov or 1 (800) 927-8069
Hours of Operation for the ELMO Application are 8:00am to 6:00pm ET.
EPPE: Enterprise Privacy Policy Engine
For issues with the EPPE application:
Contact the EPPE Help Desk at: 1 (844) 377-3382
Send email to: eppe@cms.hhs.gov
ESD: Evidence Documentation System
The ESD is a web based application that provides users the ability to search for people or applications, review evidence documentation in order to adjudicate inconsistencies and search for and create exemptions.
eRPT: Electronic Retroactive Processing Transmission
The Electronic Retroactive Processing Transmission (eRPT) is a web-based application designed to facilitate and manage the electronic submissions, workflow processing, and storage of documentation associated with retroactive enrollment change requests from Medicare Advantage Organizations (MAOs), Medicare Advantage Prescription Drug Plans (MA-PDs), Cost Plans, Program of All Inclusive Care for the Elderly (PACE), Medicare-Medicaid Plans (MMPs), and Prescription Drug Plans (PDPs).
Email: mapdhelp@cms.hhs.gov
Phone: 1 (800) 927-8069
FFSDCS: Fee-For-Service Data Collection System
For issues with the ASP/CLFS application:
Contact the FFSDCS Help Desk at: 1 (844) 876-0765
Send email to: asphelpdesk@dcca.com for ASP application or clfshelpdesk@dcca.com for CLFS application.
HIOS/FFE: Health Insurance Oversight System
FFE / HIOS: Please contact the Marketplace Service Desk (MSD) at CMS_FEPS@cms.hhs.gov or 1 (855) CMS-1515 or 1 (855) 267-1515.
FFM/Training-Agents/Brokers/Assisters
Agents/Brokers must request FFM/Training system access here, and then request the Agent/Broker role on the next page. Assisters must first request FFM/Training system access here, and then request the Assister role on the next page
GIS: Gentran Integration Suite
GIS Help Desk Team provides email support for technical and program related questions.
Email: gentran-support@cms.hhs.gov
HATS: Host Access Transformation Services
HATS Help Desk Contact your local help desk. Escalation to the appropriate external help desks will be handled by the local help desk.
HDT (Previously HPG): HIPAA Eligibility Transaction System (HETS) Desktop
HIPAA Eligibility Transaction System (HETS) Desktop
Email: mcare@cms.hhs.gov
HUE: Hadoop User Experience
Hadoop User Experience Help Desk All service requests (SR) and incidents (INC) should be submitted to Remedy directly at https://remedy.cms.gov, by emailing the service desk at CMS_IT_Service_Desk@cms.hhs.gov or by calling the service desk at 410-786-2580 / 800-562-1963. Please request that these tickets be assigned to the GDIT > LSDR > Hadoop team.
For questions, promotions, SRFs, TWS, Kerberos password resets, account and access issues, or other items that require immediate support, you can email the IDRH team directly at DL-HIT-LSDR-HADOOP@gdit.com.
IC: Innovation Center
•Access multiple CMMI applications with a single-sign on
•View application-specific reports
Here is the help desk information for applications supported by the IC Landing Page:
•ACO - by phone at 1-888-734-6433, Option 1 or by email NextGenerationACOModel@cms.hhs.gov
•AHC - by phone at 1-844-711-2664, Option 4 or by email AHCModelDataSystem@cms.hhs.gov
•BPCI Advanced - by email BPCIAdvanced@cms.hhs.gov
•CJR - CJRSupport@cms.hhs.gov
•CPC Plus - by email CPCPlus@telligen.com
•EDFR - by phone at 1-888-734-6433 , Option 6 or by email IDOSServiceDesk@cms.hhs.gov
•Enh.MTM - by phone at 1-844-474-3375 or by email EnhancedMTM@cms.hhs.gov
•HHVBP - by phone at 1-844-280-5628 or by email HHVBPquestions@cms.hhs.gov
•HPI - by email HPI_PORTAL_Support@cms.hhs.gov
•InCK - by email HealthyChildrenAndYouth@cms.hhs.gov
•MDPCP - by phone at 1-844-711-2664, Option 7 or by email marylandmodel@cms.hhs.gov
•MH - by phone at 1-844-711-2664, Option 3 or by email mhmodel@cms.hhs.gov
•OCM - by phone at 1-844-711-2664, Option 2 or by email OCMSupport@cms.hhs.gov
•PCF - by phone at 1-888-517-7753 or by email PCF@telligen.com
•QMAT - by phone at 1-888-734-6433 or by email ESRD-CMMI@cms.hhs.gov
•ROM - by email radiationtherapy@cms.hhs.gov
IDHD: Restricted Use Application
IDHD Help Desk Team provides phone and email support for technical and program related questions.
Phone: 1 (855) 870-4411
Email: EIDMSupport@qssinc.com
ISV: Internet Server
ISV Help Desk Team provides email support for technical and program related questions.
Email: ISV-Support@cms.hhs.gov
LSDM: Health Information Technology for Economic and Clinical Health
MA/MA-PD/PDP/CC: Medicare Advantage/Prescription Drug/Prescription Drug Plan/Cost Contracts/ Medicaid State Agency
Contact Helpdesk at
Email: mapdhelp@cms.hhs.gov
Phone: 1 (800) 927-8069
Medicaid and CHIP Business Information Solutions
Data Driven Decision Making
Medicaid and CHIP Financial (MACFin)
MACFin will replace several independent smaller legacy systems and tools with a new system that uses a state-of-the-art technology platform. Once fully implemented, MACFin will provide improved adaptability, flexibility, functionality, and efficiency for the following systems:
Medicaid Budget and Expenditure System/State Children's Health Insurance Program Budget and Expenditure System (MBES-CBES)
Financial Issues Reporting System (FIR/FIRS)
Incurred But Not Reported Survey System (IBNRS-Medicaid and CHIP)
Disproportionate Share Hospital (DSH) Payment Financial Database
Upper Payment Limit (UPL)
Medicaid Quality Control (MQC) Claims processing System
MACFin demands strict accuracy and functionality to support managing budget, accounting, and expenditure forecasts for one of the most significant line items in federal and state budgets
MACPro: Medicaid and CHIP Program
Medicaid and CHIP Program System (MACPro) is a web-based system for the submission, review, and management support of Medicaid and CHIP initiatives, including Medicaid State Plans and Quality Measures Reporting.
For issues with the MACPro application:
Email: MACPro_HelpDesk@cms.hhs.gov
Phone: (301) 547-4688
MAISTRO: Medicare Administration Issue Tracker & Reporting of Operations System
MAISTRO Help Desk Please contact CMS IT Service desk to report any MAISTRO application issues.
Email at CMS_IT_SERVICE_DESK@cms.hhs.gov
Phone: (410) 786-2580 or 1 (800) 562-1963
MARx/MAPD: Medicare Advantage & Prescription Drug Systems
Medicare Advantage Prescription Drug system. MARx is one of the Medicare Modernization Act (MMA) systems that support the various activities required to provide and administer Medicare Managed Care and Prescription Drug coverage. MARx maintains enrollment, payment, and premium data for beneficiary enrollments into Medicare Part C and Part D Plans.
MARx Help Desk: Please contact CMS IT Service desk to report any MARx application issues.
Email at mapdhelp@cms.hhs.gov
Phone: 1 (800) 927-8069
MCU: Marketplace Change Utility
The Marketplace Change Utility (MCU) portlet allows its users to search, view, and download information about Healthcare.gov consumers, insurance applications, and insurance policies, plans, and issuers. ESDCU provides various tools to search, analyze, and in some cases modify data associated with FFM.
Help Desk Contact Information
For issues with the MCU application, please contact the Marketplace Service Desk (MSD): 1 (855) CMS-1515 or 1 (855) 267-1515
Email Help Desk: CMS_FEPS@cms.hhs.gov
MDM: Master Data Management
Master Data Management Help Desk
Medicaid Drug Program (MDP)
MDP Help Desk
For technical assistance, please contact DDRHelpDesk@dcca.com Phone: 1-833-879-6075
MDR: MDR State Exchange
MDR Help Desk Team provides phone and email support for technical and program related questions.
Phone: 1 (800) 927-8069
Email: mapdhelp@cms.hhs.gov
MDX
Send email to: MDX_Helpdesk@cms.hhs.gov
MED: Medicare Exclusion Database
For issues with the MED application:
The Medicare Exclusion Database, MED, is updated monthly with sanction and reinstatement information on excluded providers, and is made available to approved entities only.
Help Desk name: External User Services (EUS)
Help Desk phone number: 1 (866) 484-8049
Help Desk email address: EUSSupport@cgi.com
MH: Million Hearts Cardiovascular Disease Risk Reduction Model
MH Model Help Desk Team provides phone and email support for technical and program related questions.
Phone: 1-844-711-2664, press Option 3
Email: mhmodel@cms.hhs.gov
Hours of Business:
8:30am-7:30pm Eastern Standard Time, Monday- Friday
Closed Federal holidays
All inquiries will receive a ticket number within 24 hours
Please have your LOI number handy when contacting the MH Model Help Desk. Please do not email any PHI/PII or your Organization specific confidential information.
Marketplace Learning Management System (MLMS)
The MLMS delivers online learning content for agents, brokers as well as Navigators, Certified Application Counselors and non-Navigator Assistance Personnel in the Federally-facilitated Marketplace and State Partnership Marketplaces. It facilitates the training and registration of these user groups to enable them to assist consumers with enrollment through the Federally-facilitated Marketplaces.
Help Desk: Please contact the MLMS Help Desk at MLMShelpdesk@cms.hhs.gov
For Password Resets Only, please contact the Marketplace Service Desk (MSD) at CMS_FEPS@cms.hhs.gov or 855-267-1515
Enterprise MicroStrategy Reports
For issues with the Enterprise MicroStrategy Reports:
Contact the CMS IT Service Desk at: (410) 786-2580 or (800) 562-1963
Send email to: CMS_IT_SERVICE_DESK@cms.hhs.gov
myCGS: myCGS DME Portal
The myCGS DME portal allows users to access Medicare information, including eligibility, claim status, denial status and more. MyCGS is available to suppliers of durable medical equipment, prosthetics, orthotics, and supplies.
For issues with the myCGS application:
Email: cgs.dme.mac.email.inquiries@cgsadmin.com
Phone: 1 (866) 270-4909
Novitasphere Portal
For issues with the Novitasphere application:
Internet Portal for Novitas Solutions, Inc. Submit Enrollment form to Novitas EDI first!
Email: WebsiteEDI@Novitas-Solutions.com
Phone: 1-855-880-8424
NPICS: National Provider Identifier Crosswalk System
OCM: Oncology Care Model
OCM Help Desk Team provides email and phone support for technical and program related questions
Email: OCMSupport@cms.hhs.gov
Phone: 1-844-711-2664 (1-844-711-CMMI), press Option 2
Hours of Business:
8:30 A.M. to 6:00 P.M. Eastern Standard Time
PII/PHI Please do not email any confidential information.
OnePI: One Program Integrity
The system that provides a single source of information for all Centers for Medicare & Medicaid fraud, waste, and abuse activities. The system provides streamlined, centralized access and analysis for standardized Medicaid data across multiple states, integrated with data from Medicare Parts A, B, and D.
Welcome to CMS Open Payments
The Open Payments (commonly known as the Physician Payments Sunshine Act) system satisfies the reporting requirement in Centers for Medicare & Medicaid Services (CMS) regulation. The Affordable Care Act regulation requires applicable manufacturers and applicable group purchasing organizations (GPOs) to annually report payments and other transfers of value made to physicians and teaching hospitals, as well as certain information regarding the ownership or investment interests held by physicians or their immediate family members.
For issues with the OP application:
Contact the OP Help Desk at: Openpayments@cms.hhs.gov
Welcome to PECOS
PECOS: (Provider Enrollment, Chain and Ownership System) is Medicare's provider/supplier enrollment system. It is the national database (source) of all Medicare provider and supplier enrollment information. Medicare providers and suppliers submit enrollment applications to enroll in Medicare and become eligible for reimbursement of Medicare services provided.
- There are 2 PECOS interfaces available through this portal:
- PECOS Administrative Interface (AI) which enables Medicare Contractors to capture enrollment information submitted through either a paper or electronic enrollment application. PECOS AI also enables other authorized users to view Medicare enrollment information.
- PECOS Data Mart which enables authorized users access to perform self-service reporting through standard reports, dashboards, extracts and ad hoc report capabilities
PECOS Help Desk For login issues, application latency, or system outages please contact the CMS IT Service Desk by phone at 1-800-562-1963 or by email at cms_it_service_desk@cms.hhs.gov. For errors within the PECOS AI interface or PECOS Data Mart, or questions on data within the applications, please visit the EUS portal page at https://eus.custhelp.com
PMDA: Performance Metrics Database & Analytics
For issues with the PMDA application:
Contact the Section 1115 PMDA Help Desk at: (443) 775-3226
Send email to: pmda1115_cvp_help@cvpcorp.com
PRIS: Payment Recovery Information System
PQRS: Physician Quality Reporting System
For issues with the PQRS application:
Physician Value - Physician Quality Reporting System Program. This portal allows access to applications such as Submissions, Web Interface, Feedback Dashboard and Reports and, if applicable, electing CAHPS.
QualityNet Help desk
Help Desk phone number - 1 (866) 288-8912
Help Desk email address - qnetsupport@hcqis.org
PSR/STAR
Provider Statistical and Reimbursement/System for Tracking Audit and Reimbursement.
For issues with the PSR/STAR application:
Email: eussupport@cgi.com
Phone: 1 (866) 484-8049
QARM: Quality Net Authorization & Role Management
For issues with the QARM application:
Please contact the QualityNet Help Desk from Monday to Friday 7 a.m. - 7 p.m. CST at: 1 (866)-288-8912, TTY at 1 (877)-715-6222, Fax at 1 (888)-329-7377
For ESRD Support email at qnetsupport-esrd@hcqis.org
RNSGUI: Research and Support Graphical User Interface
Salesforce
For issues with the Salesforce application:
Help Desk Information:
SERTS: State Exchange Resource Tracking System
For issues with the SERTS application:
Please contact the Marketplace Service Desk (MSD): 1 (855) CMS-1515 or 1 (855) 267-1515
Email Help Desk: CMS_FEPS@cms.hhs.gov
SERVIS: State Exchange Resource Virtual Information System
For issues with the SERVIS application:
Please contact the Marketplace Service Desk (MSD): 1 (855) CMS-1515 or 1 (855) 267-1515
Email Help Desk: CMS_FEPS@cms.hhs.gov
SHIM: Enrollment and Payment Portal
SHOP is the enrollment and payment portal for small businesses to purchase insurance and provide support services to enroll their employees in a health insurance program.
For issues with the SHIM application:
Phone: 1 (800) 706-7893
SPOT(FCSO): First Coast Service Options Internet Portal
The SPOT offers an array of self-service resources to furnish essential Medicare processing information within a secure, online environment.
For issues with the SPOT application:
Email: fcsospothelp@fcso.com
Phone: 1 (855) 416-4199
TCPI: Services Tracking Analysis and Reporting System
T-MSIS: Transformed Medicaid Statistical Information System
For support issues, please visit the State Support Help Center.
UCM: Unified Case Management
The Unified Case Management (UCM) system supports cooperation, communication and management between regional Program Integrity Contractors to ensure a standardized national approach to the prevention and detection of fraud, waste and abuse in Medicare and Medicaid program spending.
For issues with the UCM application:
Please direct any questions to the UCM Help Desk at: 1-833-353-3375 or by email at UCMHelpDesk@cms.hhs.gov
zONE: Opportunity to Network and Engage
(zONE - accessible via direct URL at https://zone.cms.gov w/ approved Portal role)
Opportunity to Network and Engage (zONE) is a social platform for organizations and individuals partnering and working with the Centers for Medicare & Medicaid Services (CMS). It is a secure, collaborative venue for States, Issuers, business and technology teams to connect, communicate, and share information such as reuse documents, resources and best practices.
For issues with the zONE application, please contact the Marketplace Service Desk (MSD): 1 (855) CMS-1515 or 1 (855) 267-1515
Email Help Desk: CMS_FEPS@cms.hhs.gov
Terms & Conditions
OMB No.0938-1236 | Expiration Date: 03/31/2021 | Paperwork Reduction Act
Updated Departmental Standard Warning Banner for HHS Information Systems, Memo dated July 14, 2016
This warning banner provides privacy and security notices consistent with applicable federal laws, directives, and other federal guidance for accessing this Government system, which includes (1) this computer network, (2) all computers connected to this network, and (3) all devices and storage media attached to this network or to a computer on this network. This information system is provided for Government-authorized use only.
Unauthorized or improper use of this system is prohibited and may result in disciplinary action and/or civil and criminal penalties.
Personal use of social media and networking sites on this system is limited as to not interfere with official work duties and is subject to monitoring.
By using this system, you understand and consent to the following: The Government may monitor, record, and audit your usage, including usage of personal devices and email systems for official duties or to conduct HHS business. Therefore, you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this system. At any time, and for any lawful Government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on this system.
Any communication or data transiting or stored on this system may be disclosed or used for any lawful Government purpose.
HHS Rules of Behavior
July 24, 2013
This Department of Health and Human Services (HHS or Department) standard is effective immediately:
The Rules of Behavior for Use of HHS Information Resources (HHS RoB) provides the rules that govern the appropriate use of all HHS information resources for Department users, including federal employees, contractors, and other system users. The HHS RoB, in conjunction with the HHS Policy for Personal Use of Information Technology Resources[1] (as amended), are issued under the authority of the Policy for Information Systems Security and Privacy (IS2P).[2] The prior HHS RoB (dated August 26, 2010) is made obsolete by the publication of this updated version.
All new users of HHS information resources must read the HHS RoB and sign the accompanying acknowledgement form before accessing Department data or other information, systems, and/or networks. This acknowledgement must be completed annually thereafter, which may be done as part of annual HHS Information Systems Security Awareness Training. By signing the form users reaffirm their knowledge of, and agreement to adhere to, the HHS RoB. The HHS RoB may be presented to the user in hardcopy or electronically. The user's acknowledgement may be obtained by written signature or, if allowed per Operating Division (OpDiv) or Staff Division (StaffDiv) policy and/or procedure, by electronic acknowledgement or signature.
The HHS RoB cannot account for every possible situation. Therefore, where the HHS RoB does not provide explicit guidance, personnel must use their best judgment to apply the principles set forth in the standards for ethical conduct to guide their actions.[3]
Non-compliance with the HHS RoB may be cause for disciplinary actions. Depending on the severity of the violation and management discretion, consequences may include one or more of the following actions:
Suspension of access privileges;
Revocation of access to federal information, information systems, and/or facilities;
Reprimand;
Termination of employment;
Removal or disbarment from work on federal contracts or projects;
Monetary fines; and/or
Criminal charges that may result in imprisonment.
HHS OpDivs may require users to acknowledge and comply with OpDiv-level policies and requirements, which may be more restrictive than the rules prescribed herein. Supplemental rules of behavior may be created for specific systems[4] that require users to comply with rules beyond those contained in this document. In such cases users must also sign these supplemental rules of behavior prior to receiving access to these systems and must comply with ongoing requirements of each individual system to retain access (such as re-acknowledging the system-specific rules by signature each year). System owners must document any additional system-specific rules of behavior and any recurring requirement to sign the respective acknowledgement in the security plan for their systems. Each OpDiv Chief Information Officer (CIO) must implement a process to obtain and retain the signed rules of behavior for such systems and must ensure that user access to such system information is prohibited without a signed acknowledgement of system-specific rules and a signed acknowledgement of the HHS RoB.
National security systems, as defined by the Federal Information Security Management Act (FISMA), must independently or collectively implement their own system-specific rules.
These HHS RoB apply to local, network, and remote use[5] of HHS information (in both electronic and physical forms) and information systems by any individual.
Users of HHS information and systems must acknowledge the following statements:
I assert my understanding that:
Use of HHS information and systems must comply with Department and OpDiv policies, standards, and applicable laws
Use for other than official assigned duties is subject to the HHS Policy for Personal Use of IT Resources, (as amended);[6]
Unauthorized access to information or information systems is prohibited; and
Users must prevent unauthorized disclosure or modification of sensitive information.[7]
I must:
General Security Practices
Follow HHS security practices whether working at my primary workplace or remotely;
Accept that I will be held accountable for my actions while accessing and using HHS information and information systems;
Ensure that I have appropriate authorization to install and use software, including downloaded software on HHS systems and that before doing so I will ensure that all such software is properly licensed, approved, and free of malicious code;
Wear an identification badge (or badges, if applicable) at all times, except when they are being used for system access in federal facilities;
Lock workstations and remove Personal Identity Verification (PIV) cards from systems when leaving them unattended;
Use assigned unique identification and authentication mechanisms, including PIV cards, to access HHS systems and facilities;
Complete security awareness training (i.e., HHS Information Systems Security Awareness Training) before accessing any HHS system and on an annual basis thereafter and complete any specialized role-based security or privacy training, as required by HHS policies;[8]
Permit only authorized HHS users to use HHS equipment and/or software;
Take all necessary precautions to protect HHS information assets[9] (including but not limited to hardware, software, personally identifiable information (PII), protected health information (PHI), and federal records [media neutral]) from unauthorized access, use, modification, destruction, theft, disclosure, loss, damage, or abuse, and treat such assets in accordance with any information handling policies;
Immediately report to the appropriate incident response organization or help desk (pursuant to OpDiv policy and/or procedures) all lost or stolen HHS equipment; known or suspected security incidents;[10] known or suspected information security policy violations or compromises; or suspicious activity in accordance with OpDiv procedures;
Notify my OpDiv/StaffDiv Personnel Security Representative (PSR) when I plan to bring government-owned equipment on foreign travel (per requirements defined by the Office of Security and Strategic Information (OSSI));[11]
Maintain awareness of risks involved with clicking on e-mail or text message web links; and
Only use approved methods for accessing HHS information and HHS information systems
Privacy
Understand and consent to having no expectation of privacy while accessing HHS computers, networks, or e-mail;
Collect information from members of the public only as required by my assigned duties and permitted by the Privacy Act of 1974, the Paperwork Reduction Act, and other relevant laws;
Release information to members of the public including individuals or the media only as allowed by the scope of my duties and the law;
Refrain from accessing information about individuals unless specifically authorized and required as part of my assigned duties;
Use PII and PHI only for the purposes for which it was collected and consistent with conditions set forth by stated privacy notices such as those provided to individuals at the point of data collection and published System of Records Notices; and
Ensure the accuracy, relevance, timeliness, and completeness of PII, as is reasonably necessary and to the extent possible, to assure fairness in making determinations about an individual.
Sensitive Information
Treat computer, network and web application account credentials as private sensitive information and refrain from sharing accounts;
Secure sensitive information, regardless of media or format, when left unattended;
Keep sensitive information out of sight when visitors are present;
Sanitize or destroy electronic media and papers that contain sensitive data when no longer needed, in accordance with the HHS Policy for Records Management[12] and sanitization policies, or as otherwise lawfully directed by management;
Access sensitive information only when necessary to perform job functions; and
Properly protect (e.g., encrypt) HHS sensitive information at all times while stored or in transmission, in accordance with the HHS Standard for Encryption of Computing Devices.[13]
I must not:
Violate, direct, or encourage others to violate HHS policies or procedures;
Circumvent security safeguards, including violating security policies or procedures or reconfiguring systems, except as authorized;
Use another person's account, identity, password/passcode/PIN, or PIV card or share my password/passcode/PIN;
Remove data or equipment from the agency premises without proper authorization;
Use HHS information, systems, and hardware to send or post threatening, harassing, intimidating, or abusive material about others in public or private messages or forums;
Exceed authorized access to sensitive information;
Share or disclose sensitive information except as authorized and with formal agreements that ensure third-parties will adequately protect it;
Transport, transmit, e-mail, remotely access, or download sensitive information unless such action is explicitly permitted by the manager or owner of such information and appropriate safeguards are in place per HHS policies concerning sensitive information;
Use sensitive information for anything other than the purpose for which it has been authorized;
Access information for unauthorized purposes;
Use sensitive HHS data for private gain or to misrepresent myself or HHS or for any other unauthorized purpose;
Store sensitive information in public folders or other insecure physical or electronic storage locations;
Knowingly or willingly conceal, remove, mutilate, obliterate, falsify, or destroy information;
Copy or distribute intellectual property including music, software, documentation, and other copyrighted materials without written permission or license from the copyright owner;
Modify or install software without prior proper approval per OpDiv procedures;
Conduct official government business or transmit/store sensitive HHS information using non-authorized equipment or services; or
Use systems (either government issued or non-government) without the following protections in place to access sensitive HHS information:
Antivirus software with the latest updates;
Anti-spyware and personal firewalls;
A time-out function that requires re-authentication after no more than 30 minutes of inactivity on remote access; and
Approved encryption[14] to protect sensitive information stored on recordable media, including laptops, USB drives, and external disks; or transmitted or downloaded via e-mail or remote connections.
I must refrain from the following activities when using federal government systems, which are prohibited per the HHS Policy for Personal Use of Information Technology Resources,[15] (as amended):
Unethical or illegal conduct;
Sending or posting obscene or offensive material;
Sending or forwarding chain letters, e-mail spam, inappropriate messages, or unapproved newsletters and broadcast messages;
Sending messages supporting prohibited partisan political activity as restricted under the Hatch Act;[16]
Conducting any commercial or for-profit activity;
Using peer-to-peer (P2P) software except for secure tools approved in writing by the OpDiv CIO (or designee) to meet business or operational needs;
Sending, retrieving, viewing, displaying, or printing sexually explicit, suggestive text or images, or other offensive material;
Creating and/or operating unapproved Web sites or services;
Allowing personal use of HHS resources to adversely affect HHS systems, services, and co-workers (such as using non-trivial amounts of storage space or bandwidth for personal digital photos, music, or video);
Using the Internet or HHS workstation to play games or gamble; and
Posting Department information to external newsgroups, social media and/or other types of third-party website applications,[17] or other public forums without authority, including information which is at odds with departmental missions or positions. This includes any use that could create the perception that the communication was made in my official capacity as a federal government employee, unless I have previously obtained appropriate Department approval.
Addendum: HHS Rules of Behavior for Privileged User Accounts
The HHS Rules of Behavior for Privileged User Accounts is an addendum to the HHS Rules of Behavior for Use of Information Resources (HHS RoB) and provides common rules on the appropriate use of all HHS information technology resources for all Department Privileged Users,[18] including federal employees, interns, and contractors. Privileged User account roles have elevated privileges above those in place for general user accounts regardless of account scope (e.g., both local and domain administrator accounts). Potential compromise of Privileged User accounts carries a risk of substantial damage and therefore Privileged User accounts require additional safeguards.
All users of Privileged User accounts for Department information technology resources must read these standards and sign the accompanying acknowledgement form in addition to the HHS RoB before accessing Department data/information, systems, and/or networks in a privileged role. The same signature acknowledgement process followed for the HHS RoB applies to the Privileged User accounts. Each Operating Division (OpDiv) must maintain a list of Privileged User accounts.
I understand that as a Privileged User, I must:
Protect all Privileged User account passwords/passcodes/Personal Identity Verification (PIV) personal identification numbers (PINs) on Low, Moderate, and High systems;
Comply with all system/network administrator responsibilities in accordance with HHS policy;
Use my Privileged User account(s) for official administrative actions only;
Notify system owners immediately when privileged access is no longer required; and
Complete any specialized role-based security or privacy training as required before receiving privileged system access.
I understand that as a Privileged User, I must not:
Share Privileged User account(s) or password(s)/passcode(s)/PIV PINs;
Install, modify, or remove any system hardware or software without system owner written approval;
Remove or destroy system audit, security, event, or any other log data;
Acquire, possess, trade, or use hardware or software tools that could be employed to evaluate, compromise, or bypass information systems security controls;
Introduce unauthorized code, Trojan horse programs, malicious code, or viruses into HHS information systems or networks;
Knowingly write, code, compile, store, transmit, or transfer malicious software code, to include viruses, logic bombs, worms, and macro viruses;
Use Privileged User account(s) for day-to-day communications;
Elevate the privileges of any user without prior approval from the system owner;
Use privileged access to circumvent HHS policies or security controls;
Use a Privileged User account for Web access except in support of administrative related activities; or
Modify security settings on system hardware or software without the approval of a system administrator and/or a system owner.
CMS Privacy Act Statement
The Privacy Act of 1974, as amended at 5 United States Code (U.S.C.) 552a, protects records that can be retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. An individual is entitled to access his or her records and to request correction of these records as applicable.
The Privacy Act prohibits disclosure of these records without an individual's written consent unless one of the twelve disclosure exceptions enumerated in the Act applies. These records are held in Privacy Act Systems of Records (SOR). A notice of any such system is published in the Federal Register. These notices identify the legal authority for collecting and storing the records, individuals about whom records will be collected, what kinds of information will be collected, and the routine uses for the records.
As with the Freedom of Information Act (FOIA), the Privacy Act binds only Federal agencies, and covers only records in the possession and control of Federal agencies.
In addition to the Privacy Act, the Centers for Medicare & Medicaid Services (CMS) is required to follow the Department of Health and Human Services (DHHS) Privacy Act Regulations at 45 Code of Federal Regulations (C.F.R.) Part 5b.