CMS Privacy Notice for the Electronic Prescribing for Controlled Substances (EPCS) Website
Table of Contents
Data Sources used by the EPCS Website
Types of Information We Collect
How CMS uses information collected by the EPCS Website
How CMS uses cookies and other technologies on the EPCS Website
Your choices about tracking and data collection by the EPCS Website
How the EPCS Website uses third-party websites and applications
How long CMS keeps EPCS Website-related data and how it is accessed
Electronic Prescribing for Controlled Substances (EPCS) Website Privacy Policy
Protecting your privacy is very important to us. We’re telling you about our privacy policy so you know what information we collect, why we collect it, and what we do with it. This privacy notice is for the Electronic Prescribing for Controlled Substances (EPCS) Website at qualitypaymentprogram.cms.gov, which will be referred to in the remainder of this policy as the “EPCS Website”. The EPCS Website is maintained and operated by the Centers for Medicare & Medicaid Services (CMS). This privacy notice aligns with the CMS Privacy Policy .
CMS, operating the EPCS Website, does not collect name, contact information, social security number or other similar information unless you choose to provide it. We do collect other limited information automatically from visitors who read, browse, and/or download information from the EPCS Website. We do this so we can understand how the site is being used and how we can make it more helpful. See the Types of Information We Collect section below for more information .
Personally identifiable information (PII), defined by the Office of Management and Budget (OMB), refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
CMS does not sell any information entered into the EPCS Website. For information on how we share information, see How CMS uses information collected by the EPCS Website .
Data Sources used by the EPCS Website
EPCS leverages data from existing datasets located in the CMS Enterprise Data Lake (EDL).
Since EPCS does not collect any new information from its users and does not transform or compile data into new/unique data, EPCS is not a System of Record. If there are any concerns about the accuracy or completeness of data in EPCS, CMS support will need to be contacted. The contact point may differ depending on which information is inaccurate or incomplete. Contact and support information is detailed within each SORN listed below.
EPCS uses the Provider Enrollment, Chain, and Ownership System (PECOS) dataset which is owned by the CMS Office of Financial Management (OFM). PECOS is covered by the System Of Record Notice (SORN) 09-70-0532 . PECOS Application and support desk can be found here: https://pecos.cms.hhs.gov/
EPCS uses the National Plan and Provider Enumeration System (NPPES) dataset which is owned by the Office of Financial Management (OFM). NPPES is covered by the System Of Record Notice (SORN) 09-70-0555. NPPES Application and support desk can be found here: https://nppes.cms.hhs.gov/
EPCS uses the Medicare Part D Claims dataset which is part of the Medicare Integrated Data Repository (IDR) owned by the Office of Information Technology (OIT), formally referenced as the Office of Information Services (OIS). This dataset is covered by the System Of Record Notice (SORN) 09-70-0571.
Types of Information We Collect
Information which is automatically collected:
When you browse:
Certain information about your visit can be collected when you browse websites. When you browse the EPCS Website, we, and in some cases our third-party service provider(s), can collect the following types of information about your visit, including:
- Domain (for example, comcast.com, if you are using a Comcast account) from which you accessed the Internet.
- IP address (an IP or internet protocol address is a number that is automatically assigned to a device connected to the Web).
- Operating system (which is software that directs a computer’s basic functions such as executing programs and managing storage) for the device that you are using and information about the browser you used when visiting the site.
- Date and time of your visit
- Pages you visited
- Address of the website/search engine that connected you to the EPCS Website (such as google.com or bing.com)
- Device type (desktop computer, tablet, or type of mobile device)
- Screen resolution
- Browser language
- Geographic location
- Time spent on page
- Scroll depth - The measure of how much of a web page was viewed
- User events (e.g. clicking a button)
(See How the EPCS Website uses third-party websites and applications below for more information.)
Information which you may provide:
When you request information:
If you choose to receive alerts or e-newsletters, CMS will collect information including your email address to deliver the alerts or e-newsletters. We use this information to complete the subscription process and provide you with information. You can opt out of these communications at any time by editing your subscription preferences.
For specific details on the data collected by the systems that make up the EPCS Website, as well as Third-Party Websites and Applications (TPWA), please view the Privacy Impact Assessments (PIAs) located at under the sections for Centers for Medicare & Medicaid Services at: https://www.hhs.gov/pia/index.html .
HHS PIAs for CMS Systems supporting the EPCS Website:
- Amazon Web Services: https://www.hhs.gov/sites/default/files/cms-amazon-web-services.pdf
HHS PIAs for CMS TPWA supporting the EPCS Website:
- Google Analytics: https://www.hhs.gov/sites/default/files/cms-google-analytics.pdf
- New Relic: https://www.hhs.gov/sites/default/files/cms-new-relic.pdf
- Tealium: https://www.hhs.gov/sites/default/files/cms-tealium.pdf
EPCS Waiver Application
Paperwork Reduction Act (PRA) Disclosure Statement:
The CMS Electronic Prescribing for Controlled Substances (EPCS) Program collects information from Medicare prescribers as part of the EPCS Application hardship waiver request and review process. According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-1455 (Expires 11/20/2025). This is a voluntary information collection, however, failure to submit necessary information may affect CMS efforts to review your hardship waiver request and could negatively impact your EPCS status.
The time required to complete this information collection is estimated to average 0.1667 hours per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. In addition to the OMB control number, authority for the collection of this information is covered under section 1860D-4(7) of the Social Security Act (the Act), as added by Section 2003 of the SUPPORT for Patients and Communities Act of 2018 which mandates EPCS. CMS may use and disclose the prescriber’s responses as specified in the System of Records Notice (SORN) “Quality Payment Program (QPP)”, System No. 09-70-0539, 83 Federal Register 6587, February 14, 2018, and as permitted by the Privacy Act of 1974. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05, Baltimore, Maryland 21244-1850.
****CMS Disclosure**** Please do not send applications, claims, payments, medical records, or any documents containing sensitive information to the PRA Reports Clearance Office. Please note that any correspondence not pertaining to the information collection burden approved under the associated OMB control number listed on this form will not be reviewed, forwarded, or retained. If you have any questions or concerns regarding where to submit your documents, please contact EPCS-EPrescribe@cms.hhs.gov.
How CMS uses information collected by the EPCS Website
CMS websites use a variety of Web measurement software tools. We use them to collect the information listed in the “Types of information collected” section above. The tools collect information automatically and continuously. No PII is collected by these tools.
When conducting surveys and improving services:
CMS also uses online surveys to collect opinions and feedback. You don’t have to answer these questions. If you do answer these questions, do not include any PII in your answers. We analyze and use the information from these surveys to improve the site’s operation and content. The information is available only to CMS managers, members of the CMS communications and Web teams, and other designated federal staff and contractors who require this information to perform their job functions and duties.
When using third-party tools for website analytics:
CMS uses a variety of third-party web tools for web analytics. CMS uses these tools to collect basic information about visits to the EPCS Website. This information is then used to maintain the EPCS Website including: monitoring site stability, measuring site traffic, optimizing site content, and may help make the site more useful to visitors.
The CMS staff analyzes the data collected from these tools. The reports are available only to CMS managers, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their job functions and duties.
Data from CMS website measurement tools is kept as long as needed to support the mission of the EPCS Website.
See How the EPCS Website uses third-party websites and applications below for more information on how these tools work.
How CMS uses cookies and other technologies on the EPCS Website
The Office of Management and Budget Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, allows federal agencies to use session and persistent cookies to improve the delivery of services.
When you visit a website, its server may generate a piece of text known as a "cookie" to place on your device. The cookie, which is unique to your browser, allows the server to "remember" specific information about your visit while you are connected. The cookie makes it easier for you to use the dynamic features of Web pages. Information that you enter into the application is not associated with cookies on the EPCS Website. Depending on the third-party tool's business practices, privacy policies, terms of service, and/or the you selected, information you have provided to third parties could be used to identify you when you visit the EPCS Website. These third parties do not/will not share your identity with CMS or Department of Health and Human Services (HHS).
There are two types of cookies, single session (temporary), and multi-session (persistent). Single session cookies last only as long as your Web browser is open. Once you close your browser, the session cookie disappears. Persistent cookies are stored on your device for longer periods. Both types of cookies create an ID that is unique to your device.
- Session Cookies: We use session cookies for technical purposes such as to allow better navigation through our site. These cookies let our server know that you are continuing a visit to our site. The OMB Memorandum M-10-22 Guidance defines our use of session cookies as "Usage Tier 1—Single Session." The policy says, "This tier encompasses any use of single session web measurement and customization technologies."
- Persistent Cookies: We use persistent cookies to understand the differences between new and returning visitors to the EPCS Website. Persistent cookies remain on your device between visits to our site until they expire or are removed by the user. The OMB Memorandum M-10-22 Guidance defines our use of persistent cookies as "Usage Tier 2—Multi-session without personally identifiable information." The policy says, "This tier encompasses any use of multi-session Web measurement and customization technologies when no PII is collected." We do not use persistent cookies to collect PII. CMS does not identify a user by using such technologies.
CMS also uses the following technologies on the EPCS Website:
- Website Log Files - Are used as an analysis tool to tell how visitors use the EPCS Website, how often they return, and how they navigate through the site.
Your Choices About Tracking and Data Collection by EPCS
The EPCS Website offers which gives you control over what tracking and data collection takes place during your visit. Third-party tools are enabled by default to provide a quality consumer experience.
The provides you with the choice to opt-in or to opt-out of the different categories of third-party tools used by the EPCS Website analytic tools. The prevents third-party tools from loading regardless of your cookie settings, which provides consumers with an additional layer of privacy that prevents the tool from loading at all. Because the creates a cookie in your browser, the opt-in and opt-out choices you make through the will only be effective on the device and browser you used to make your choices, and your choices will expire when the cookie expires. Once the cookie is created, the will retain your settings for 3 years from the date of your most recent visit. Thereafter, you may revisit the to renew your opt-in and opt-out choices.
Please note that by opting out of cookies, you will disable cookies from all sources, not just from CMS websites. If you disable cookies in your browser, our will not be able to store your preferences and will not function properly. If you do not wish to use our to opt-out of the tools used by the EPCS Website, you can opt-out of tools individually.
Privacy Information Regarding Third-party Services
The following table lists the third-party services currently used by CMS in conjunction with the EPCS Website and provides links to the privacy policies for each third-party service provider. See the list of third-party tools for more information on how to opt-out individually to each service. Links are provided below to the instructions for opting out of each service and a link where you can learn more about each service by reviewing the CMS Third-party Website Privacy Impact Assessment.
| Third-party Tool | Purpose and Use | Third-party Privacy Policy | How to Opt-Out for this Service | CMS Third-party Website and Application Privacy Impact Assessment |
|---|---|---|---|---|
Third-party Tool: Google Analytics | Purpose and Use: Collects and analyzes data on visitor interaction with the EPCS Website to help make the site more useful to visitors. This is a tier 2 usage, Persistent Cookies are used. | Third-party Privacy Policy: https://support.google.com/analytics/answer/6004245 | How to Opt-Out for this Service: Google provides a browser plug-in that will allow you to opt-out of all Google Analytics measurements, which can be found at https://tools.google.com/dlpage/gaoptout | CMS Third-party Website and Application Privacy Impact Assessment: Google Analytics, T-5991099-891893, https://www.hhs.gov/sites/default/files/cms-google-analytics.pdf |
Third-party Tool: New Relic | Purpose and Use: Monitors and evaluates the web and system transactions of the EPCS Website to assist with troubleshooting. This is a tier 1 usage, Session Cookies are used. | Third-party Privacy Policy: https://newrelic.com/privacy | How to Opt-Out for this Service: https://newrelic.com/privacy | CMS Third-party Website and Application Privacy Impact Assessment: New Relic, https://www.hhs.gov/sites/default/files/cms-new-relic.pdf |
| Third-party Tool | Purpose and Use | Third-party Privacy Policy | How to Opt-Out for this Service | CMS Third-party Website and Application Privacy Impact Assessment |
|---|---|---|---|---|
Third-party Tool: Tealium | Purpose and Use: The EPCS Website uses Tealium as a solution for the EPCS Website staff to manage website tags from a single interface. Specifically, the tool allows CMS to control which third-party tools are enabled/disabled. Tealium, through its , also allows consumers to choose which types of third-party tools are enabled / disabled during their visit. | Third-party Privacy Policy: https://tealium.com/privacy/ | How to Opt-Out for this Service: | CMS Third-party Website and Application Privacy Impact Assessment: https://www.hhs.gov/sites/default/files/cms-tealium.pdf |
If you opt-out of the tools used by the EPCS Website via the or by opting out of the tools directly, you will still have access to information and resources at the EPCS Website.
How the EPCS Website uses third-party websites and applications
As a response to OMB Memorandum M-10-06, Open Government Directive, the EPCS Website leverages a variety of technologies and social media services to communicate and interact with the public. These third-party websites and applications include popular social networking and media sites, open source software communities, and more.
Third-party Websites:
Your activity on the third-party websites that the EPCS Website links to (such as Facebook or Twitter) is governed by the security and privacy policies of those sites. You should review the privacy policies of all websites before using them so that you understand how your information may be used. You should also adjust on your account on any third-party website to match your preferences.
Website Analytics Tools:
These tools collect basic site usage information such as: how many visits the EPCS Website receives, the pages visited by consumers, time spent on the site, the number of return visits to the site, the approximate location of the device used to access the site, types of devices used, etc. This information is then used to maintain the website including: monitoring site stability, measuring site traffic, optimizing site content, and improving the consumer experience. Use the EPCS Website to opt-out of website analytics tools.
CMS may consider new third-party tools or the use of new third-party websites, but CMS will first assess a tool or website before it is used in connection with the EPCS Website. CMS will provide notice to the public before adding any new tool to the EPCS Website. These assessments include a description about how information will be collected, accessed, secured, and stored. Risk assessments for third-party websites and applications are available at https://www.hhs.gov/pia/index.html .
For further information about the EPCS Website privacy policy, please contact the CMS Privacy Officer via e-mail at Privacy@cms.hhs.gov or by telephone at 410-786-5357.
Third-party services are web-based technologies that are not exclusively operated or controlled by a government entity, or that involve significant participation of a non-government entity. These services may be separate websites or may be applications embedded within CMS websites. The list of third-party services at https://www.hhs.gov/pia/index.html has links to third-party privacy policies used by HHS.
How long CMS keeps EPCS Website-related data and how it is accessed
CMS will keep data collected long enough to achieve the specified objective for which they were collected. Once the specified objective is achieved, the data will be retired or destroyed in accordance with published draft records schedules of CMS as approved by the National Archives and Records Administration (NARA).
CMS does not store information from cookies on CMS systems. The persistent cookies used with third-party tools on the EPCS Website can be stored on a user’s local system and are set to expire at varying time periods depending upon the cookie. CMS assesses whether the expiration date of a cookie exceeds one year and provides an explanation as to why cookies with a longer life are used on the site in the associated Third-Party Website or Application Privacy Impact Assessment(s).
Children and privacy on the EPCS Website
We believe in the importance of protecting the privacy of children online. The Children’s Online Privacy Protection Act (COPPA) governs information gathered online from or about children under the age of 13. The EPCS Website is not intended to solicit information of any kind from children under age 13. If you believe that we have received information from a child under age 13, please contact the CMS Privacy Officer via e-mail at Privacy@cms.hhs.gov or by telephone at 410-786-5357.
Links to other sites
The EPCS Website may link to other HHS sites, other government sites, and/or to private organizations. We link to other websites solely for your convenience and education. When you follow a link to an external site, you are leaving the EPCS Website and are subject to the privacy policy of the sites you’re visiting.
Non-federal websites do not necessarily operate under the same laws, regulations, and policies as federal websites. Aside from third-party websites highlighted in this privacy notice, CMS is not responsible for the contents of external web pages, and a link to a page does not constitute an endorsement.
To learn more about our policies for linking to sites run by third parties, see How the EPCS Website uses third-party websites and applications .
Your Privacy on Social Media Sites
CMS uses Social Media Sites (listed below) in order to increase government transparency, enhance information sharing, promote public participation, and encourage collaboration with the agency.
Please note that Social Media Sites are not government websites or applications; they are controlled or operated by the Social Media Site. CMS does not own, manage, or control social media sites. In addition, CMS does not collect, maintain or disseminate information posted by visitors to those sites. If you choose to provide information to a Social Media Site through registration or other interaction with the site the use of any information you provide is controlled by your relationship with the Social Media site. For example, any information that you provide to register on Facebook is voluntarily contributed and is not maintained by CMS. This information may be available to CMS Social Media Page Administrators in whole or part, based on a user's on the Social Media site. Although you may voluntarily contribute to a Social Media Site with the intent to share the information with others on a CMS Social Media Page, to protect your privacy, please do not disclose personally identifiable information about yourself or others.
CMS does not keep separate records or accounting of any Social Media Site users or their interaction with the EPCS Website pages on Social Media Sites. CMS does not store or share this information. User information is retained by Social Media Sites in accordance with the Site’s policies. See each Social Media Site’s privacy policy to see how long user information is retained after an account has been deleted. Social Media Site users can learn more about how their information is used and maintained by each Social Media Site by visiting their privacy policy.
Qualitypaymentprogram.cms.gov is not currently using any social media sites as a means to communicate, share information about the program, encourage interaction and to promote participation.
Additional privacy information
If you would like more information about the application of the Privacy Act at CMS, please read the Privacy Act of 1974 located at https://www.cms.gov/Research-Statistics-Data-and-Systems/Computer-Data-and-Systems/Privacy/PrivacyActof1974.html .
Published Date: December 13, 2022