DEFENSE HEALTH AGENCY
7700 ARLINGTON BOULEVARD, SUITE 5101
FALLS CHURCH, VIRGINIA 22042-5101
DHA Privacy
Office Review
DHA Privacy and Civil Liberties
Director
MEMORANDUM FOR DEFENSE PRIVACY, CIVIL LIBERTIES AND TRANSPARENCY
DIVISION
SUBJECT: Justification for the Continued Use of the Social Security Number (SSN) in the
Centralized Credentials Quality Assurance System (CCQAS), Department of Defense
Information Technology Portfolio Repository (DITPR) #136
This memorandum is written to satisfy the requirement established in the Department of
Defense Instruction 1000.30, Reduction of Social Security Number (SSN) Use within DoD
(DODI 1000.30), dated August 1, 2012, with respect to the Centralized Credentials Quality
Assurance System (CCQAS). The Department of Defense (DoD) Information Technology
Portfolio Repository (DITPR) identification number assigned to CCQAS is 136. This
memorandum provides justification for the continued collection and use of SSNs by CCQAS.
The System of Records Notice applicable to CCQAS is EDHA 09 (November 18, 2013, 78
FR 69076) (Attachment 1). The Privacy Impact Assessment for CCQAS (CCQAS_DD Form
2930(PIA)_FINAL_07.29.2015.pdf) became effective July 22, 2015 (Attachment 2).
CCQAS is a Tri-service, web-based program that automates credentialing, privileging,
risk management, and adverse actions processes. The system also provides the capability to
query licensing activities and generate local standard and ad hoc letters and management reports.
It is critical for tracking and storing information about providers’ demographics, education,
licenses, certifications, affiliations, Medical Treatment Facilities (MTF) assignments,
malpractice, insurance data, and adverse action reporting. CCQAS also gives MTF commanders
the ability to track providers’ medical readiness training information. CCQAS has a Risk
Management Module that allows MTFs to create and view detailed information on claims,
incidents, and disability cases originating at that particular MTF, including patient and provider
information, allegations, and standard of care assessments.
CCQAS currently tracks this information for Army, Air Force, and Navy Active Duty,
Reserve, and Guard component health care providers, as well as civilian and contracted health
care providers employed within the direct care system. CCQAS is available online from any
location with World Wide Web access, at any time, to approved users.
In accordance with DODI 1000.30, continued use of SSNs within CCQAS must be
justified by one or more Acceptable Use Cases set forth in DODI 1000.30. The Acceptable Use
Cases applicable to CCQAS are:
2.c.(2) Law Enforcement, National Security, Credentialing and 2.c.(5) Confirmation of
Employment Eligibility. Federal statute requires that all persons employed within the United
States must provide an SSN or comparable identifier to prove that he or she is eligible to work for
or with the government of the United States.
In order for a health care provider to practice at an MTF, he or she must undergo the
credentialing process that entails an extensive verification of the provider’s qualifications to
perform the requested medical procedures. The SSN is the essential personal identifier to assure
that the information for an individual that is obtained from among thousands of non-DoD
agencies and organizations is tied to the correct MHS provider within CCQAS. For example, the
SSN must be used when confirming and verifying education with a particular institute (there are
over one hundred accredited U.S. medical schools), and/or background checks with the police
departments (there are over 10,000 local police departments in the U.S.). As required by DoDD
6025.13, “Military Health System (MHS) Clinical Quality Assurance (CQA) Program
Regulation”, evidence of qualifying educational degrees must be verified through primary
sources. Organizations like the National Student Clearinghouse require SSNs for identification.
With regard to background checks with police departments, these are required in accordance with
DoD Instruction 1402.5, “Criminal History Background Checks on Individuals in Child Care
Services.” Therefore, continued use of the SSN within CCQAS is critical to support the
credentialing process as it is unlikely that all non-DoD agencies and organizations that need to be
contacted for credentials verification purposes will cease to use SSNs for identification purposes
within the lifetime of the CCQAS application.
2.c.(8) Computer Matching. CCQAS receives one data element, the National Provider
Identifier, from the Defense Medical Human Resources System – internet (DMHRSi) via the
Enterprise-Wide Database. Health care provider information in DMHRSi currently uses SSNs as
the personal identifier. Until DMHRSi, from which CCQAS obtains data using SSNs, has been
modified/upgraded to replace SSNs with DoD Electronic Data Interchange Personal Identifiers,
CCQAS will need to continue using SSNs for verification that an individual’s CCQAS records
are accurately updated with information obtained from DMHRSi as specified by the DMHRSi
Justification for the Use of the Social Security Number Memorandum for Record in the Defense
Medical Human Resources System, Internet (DMHRSi); DITPR ID 130, signed by DMHRSi
Project Officer, SDD/Clinical Support Program Management Office, Defense Health Agency
(DHA).
On January 5, 2016, the Defense Privacy, Civil Liberties and Transparency Division
accepted the DMHRSi justification and determined further review of this system will be required
on a biennial basis and a new justification will be provided if any change to the System of
Records Notice is submitted.
Although the need to continue the use of SSNs with CCQAS is significant, the following
steps have been taken to reduce vulnerability of SSN within CCQAS:
1) After the deployment of CCQAS V2.10, CCQAS generated forms include only the
last 4 digits of SSNs.
2) CCQAS uses role-based access to control visibility of SSN to a limited subset of
“trusted users” such as Credentialing Officers.
3) No data is allowed to leave CCQAS via an interface or messaging system because it
is protected medical quality assurance information under 10 U.S.C. 1102,
Confidentiality of Medical Quality Assurance Records; Qualified Immunity for
Participants.
4) CCQAS is not a “public” system accreditation and security profile, and ensures
Information Assurance Vulnerability Alerts (IAVAs) are applied in a timely manner
5) CCQAS is centrally hosted at Defense Information Systems Agency (DISA) facilities
to ensure physical access to the system is limited.
The CCQAS Project Manager is Mr. Timothy M. Larson. Mr. Larson can be reached at
(703) 681-6187 or [email protected].
Timothy M. Larson
CCQAS Project Manager
J6 (HIT) – Solutions Delivery Division
Attachments:
As stated
File Type | application/pdf |
File Title | CCQAS SSN Continued Use Justification Memo_DHA PCLO 08.23.2017.pdf |
Author | HechtAS |
File Modified | 2022-08-12 |
File Created | 2022-08-12 |