Third Party Websites and Applications Privacy Impact Assessment - Enhanced Direct Enrollment Partner Websites
Dated Signed: July 9, 2018
TPWA Unique Identifier (UID): T-6759175-019631
Tool(s) covered by this TPWA: Enhanced Direct Enrollment Partner Websites
Is this a new TPWA? No
If an existing TPWA, please provide the reason for revision: TPWA PIA Validation (TPWA PIA Refresh/Annual Review)
Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? No
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? No
Does the third-party Website or application contain Federal Records? Yes
Describe the specific purpose for the OPDIV use of the third-party Website or application:
In response to stakeholder input and based on the experiences of the Federally-facilitated Exchange (FFE), CMS is broadening the customer service channels by which consumers may submit eligibility applications to the FFE with the assistance of licensed health insurance issuers or web-based agents or brokers (web-brokers) (collectively, Enhanced Direct Enrollment Partners or EDE Partners). Specifically, CMS is implementing a program under which consumers may submit application information to an EDE Partner’s website and receive an eligibility determination from the FFE, without the need to be redirected to HealthCare.gov.
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? Yes
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:
Consumers may apply and shop for coverage on HealthCare.gov, via phone with the HealthCare.gov call center, or with the assistance of Navigators, certified application counselors, or non-web-based agents or brokers.
Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? Yes
How does the public navigate to the third party Website or application from the OPDIV?
Consumers may navigate to EDE Partner websites from HealthCare.gov or may navigate directly to EDE Partner websites without starting on HealthCare.gov.
Please describe how the public navigates to the third party Website or application:
The consumer would visit the third-party website from their internet browser, or the consumer can visit a third party website via an external hyperlink which will be on HealthCare.gov.
If the public navigates to the third-party Website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?
There will not be a specific alert to notify the public they are being redirected. However, there is language in the privacy statement on HealthCare.gov about linking to nongovernmental websites. “We also require both issuers and web-brokers to display language on their sites noting, “Attention: This website is operated by [Name of Company] and is not the Health Insurance Marketplace℠ website at HealthCare.gov…”
Is an OPDIV Privacy Notice posted on the third-party Website or application?
To the extent feasible, an OPDIV Privacy Notice should be posted on each EDE partner’s website as required by OMB Memorandum 10-23, https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf
Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available?
To the extent feasible, an OPDIV Privacy Notice should be prominently displayed at all locations on each EDE partner’s website or application where the public might make PII available.
Is PII collected by the OPDIV from the third-party Website or application? No
Will the third-party Website or application make PII available to the OPDIV? Yes
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the
Consumers who wish to apply for coverage under a qualified health plan (QHP) through the Federally-facilitated Exchange (FFE) with the assistance of an EDE Partner may submit to the EDE Partner information, including PII, required to complete an FFE application for coverage. With the consumer’s specific consent, the EDE Partner will collect this information through their website and transmit it to CMS in its capacity as operator of the FFE and provider of eligibility and enrollment services to State-based Exchanges that rely on the FFE’s information technology platform for their eligibility and enrollment functions (SBE-FPs).
The FFE will use PII transmitted from EDE Partners to make eligibility determinations for insurance affordability programs, which include enrollment in a QHP, Medicaid, or Children's Health Insurance Program (CHIP), as well as eligibility for advance payments of the premium tax credit and cost sharing reductions. The FFE may also use the PII for program support for business operations of Plan Management, Eligibility and Enrollment (including integration with Appeals), and Financial Management.
Below are the PII elements which consumers may make available to CMS through EDE Partner websites:
Social Security Number
Date of Birth
Driver's License Number
Mother's Maiden Name
Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
In order to verify and process Exchange applications submitted through EDE Partners, determine eligibility, and operate the FFE, CMS will need to share selected information outside of CMS, including to:
- Other federal agencies, (such as the Internal Revenue Service, Social Security Administration and Department of Homeland Security), state agencies (such as Medicaid or CHIP) or local government agencies.
CMS may use the information consumers provide in computer matching programs with any of these groups to make eligibility determinations, to verify continued eligibility for enrollment in a qualified health plan or other insurance affordability program, or to process appeals of eligibility determinations.
- Other verification sources including consumer reporting agencies;
- Employers identified on applications for eligibility determinations;
- Applicants/enrollees, and authorized representatives of applicants/enrollees;
- Agents, Brokers, and issuers of Qualified Health Plans, as applicable, who are certified by CMS who assist applicants/enrollees, namely DE Partners;
- CMS contractors engaged to perform a function for the Exchange; and
- Anyone else as required by law or allowed under the Privacy Act System of Records Notice associated with this collection (CMS Health Insurance Exchanges System (HIX), CMS System No. 09-70-0560, as amended, 78 Federal Register, 8538, March 6, 2013, and 78 Federal Register, 32256, May 29, 2013).
If PII is shared, how are the risks of sharing PII mitigated?
CMS has in place multiple safeguards to mitigate the risk associated with PII sharing. Amongst these safeguards are written agreements with all parties with whom PII is shared including Computer Matching Agreements with other Federal agencies, Information Exchange Agreements with state agencies, and contracts with vendor partners. Each of these agreements provide for protecting the confidentiality and integrity of information shared in the course of operations of the FFE and include provisions that limit the use of PII shared.
Each EDE Partner is required to execute an ‘Enhanced Direct Enrollment Agreement’ with CMS (the EDE Partner Agreement) that permits the EDE Partner to obtain informed consent from individuals for any use or disclosure of information that is not related to the CMS-authorized functions of the EDE Partner described in relevant CMS regulations, the EDE Agreement, and any other relevant agreements with CMS that were in effect as of the time the PII was collected. Such consent must be subject to a right of revocation.
Will the PII from the third-party Website or application be maintained by the OPDIV? Yes
If PII will be maintained, indicate how long the PII will be maintained: No less than 10 years.
Describe how PII that is used or maintained will be secured:
CMS ensures that all information received from EDE Partners is stored in the CMS Health Insurance Exchanges System (HIX), the system of record for Exchange eligibility and enrollment information. The FFM maintains compliance with CMS’s Acceptable Risk Safeguards (ARS) and all relevant federal privacy requirements. CMS’s ARS compliance ensures that the information in the FFE system is in compliance with all relevant FISMA, NIST and FIPS guidelines and standards.
What other privacy risks exist and how will they be mitigated?
CMS approves and registers EDE Partners to collect information directly from consumers to be transmitted to the FFE for an eligibility determination as described in the response to Question 18 above. CMS’s relationship with the EDE Partners presents the risk that consumers may erroneously expect that their personal information will be safeguarded by EDE Partners exactly as it is when in the hands of a federal agency. Because consumers will be able to obtain an eligibility determination from the FFE without ever visiting the HealthCare.gov website, there is also risk that consumers will assume that the EDE Partner’s site and the PII entered therein, will be maintained and controlled by a government agency and with the same level of security standards and privacy protections.
EDE Partners will have access to sensitive PII that is not traditionally required on applications for health insurance in the individual market, including but not limited to income, smoking status, pregnancy status, and a listing of members of applicant households. Also, if the EDE Partner obtains informed consent, the consumer may provide additional information to the EDE Partner. EDE Partners also will have access to information contained in FFE-produced eligibility determination notices that will contain consumer PII and other sensitive consumer information (e.g., the fact that the information the consumer provided to the EDE partner did not match with that in federal records). To mitigate risk that such information is used improperly or for purposes not authorized by federal law, each EDE Partner must sign a written agreement binding itself, its employees, and other downstream entities to specific privacy and security standards designed to protect consumer PII (the EDE Partner Agreement). Each EDE Partner will also obtain consumers’ specific consent allowing the EDE Partner to submit the consumer’s PII to the FFE and to have access to the consumer’s FFE eligibility determination(s).
The EDE Partner Agreement also requires that EDE Partners appropriately secure PII and limit the use and disclosure of consumer PII submitted to and received from the FFE to only those lawful purposes outlined in the EDE Partner Agreement that are necessary to assist consumers with applying for FFE coverage and other insurance affordability programs (and to any purposes for which the EDE Partner contained the consumer’s written, specific consent). EDE Partners are also prohibited from selling or sharing consumer PII submitted to or received from the FFE. In order to mitigate risks to the security and confidentiality of consumer PII, EDE Partners are required to implement and provide audit results for 292 security and privacy controls which are based on FISMA, NIST and FIPS. These security and privacy controls are intended to ensure that consumer PII is housed in a secure operating environment inclusive of systems, organizational policies and procedures and operational processes and internal controls. Further the referenced controls require that information only be used by authorized individuals and that access to PII is on a need to know basis only for transacting eligibility and Exchange business operations. The terms of the EDE Partner Agreement prohibit EDE Partners from using the subject information to further non-related commercial or other corporate interests including cross-selling, marketing or advertising of other products. EDE Partner Agreements may be terminated at any time by CMS should inappropriate use or disclosure be discovered by CMS, either directly or through the report of a consumer or other third party.
The EDE Partner Agreement, as well as federal law, authorizes CMS to immediately terminate the EDE Partner’s authority to collect, use, or disclose PII from Exchange applicants based on serious EDE Partner misconduct in relation to PII, including any failure to appropriately use or secure PII. Consumers can also contact the FFE call center to report any concerns related to their PII or an EDE Partner.
CMS and EDE Partners take a number of steps to ensure the security and confidentiality of data as it moves between EDE Partners and the FFE. This includes using the TLS 1.2 cryptographic protocol leveraging the SHA-256 cryptographic hash. This communication method ensures the security, privacy, integrity and authenticity of the communication.
EDE Partners will deliver a consumer’s Exchange application information to CMS’s FFE eligibility and enrollment platform through software-to-software information exchange interfaces, known as application program interfaces (APIs). The business logic and workflow used to generate information for EDE Partners and transmitted through the APIs is the same as HealthCare.gov. Though the information will be subject to the same data verification and validation routines as normal human input, there is some residual risk that consumer PII could be mistranslated between an EDE Partner’s system and the FFE as a result of, but not limited to programming errors, data translation, field level validation, and variable constraints. Such errors could result in delayed or erroneous eligibility determinations. Erroneous eligibility determination can also result in unanticipated tax liability for consumers who are found eligible for and receive advance premium tax credits based on erroneous application information.
To mitigate these risks, CMS requires each EDE Partner to engage an independent, third party auditor to conduct an operational readiness review (ORR), one of the goals of which is to ensure that information is accurately conveyed to the FFE. Consumers also may challenge erroneous eligibility determinations through the FFE’s appeals process.
For example, EDE Partner websites may utilize a variety of information technology/web tools that collect and use information about a consumer’s visit to the website to, among other things, improve user experience, understand a user’s preference, measure the efficacy of marketing efforts, and for other business functions. These tools may collect various types of identifiable and non-identifiable information, such as the date and time of a consumer’s visit, as well as the consumer’s IP or Mac address (an IP or internet protocol address is a number that is automatically given to a computer connected to the Web), browser, device, device screen size, operating system, geolocation (including precise locations), and language. EDE Partners may not store this information at all, or they may store it indefinitely. Information related to these activities will be described in the EDE Partner’s website privacy notice.
EDE Partner websites also may use tracking information to make it easier for consumers to use dynamic features of web pages. They may also use this information to collect information about consumers’ perceived interests in insurance-related and non-insurance-related products or services so that the EDE Partner or its partners can arrange for advertisements regarding these products or services to display on other sites consumers visit on the Internet. Consumers can also learn about these activities through the EDE Partner’s website privacy notice.
EDE Partner website privacy notices also contain information regarding other tools that may be in use on the website, including web tools that improve the user experience, and other tools that may use consumer information in some manner.
EDE Partners may also describe in their privacy notices other elements of their web activities that consumers may consider before opting to use an EDE Partner websites. EDE Partners may use third party applications to support digital advertising and marketing activities, including, but not limited to, Adobe Marketing Cloud, Facebook Ads, Good Ad words, Google Tag Manager, and Ad roll. These applications may be supported by EDE Partners’ installation on their websites of web tools such as cookies (session and persistent) and pixels that track user activity on EDE Partner websites and across the Web. EDE Partners might also match or link non-PII tracking data with other data sources to, among other things, expand and analyze its records, identify new customers, and provide products and services that may be of interest to consumers.
EDE Partners may aggregate tracking data and analyze it in many combinations and across many dimensions for various purposes, including, but not limited, to optimizing web performance, improving consumer experience on its website, and generating reports on consumer activity on their websites. EDE Partners also may use this information to track and reduce occurrences of bugs and site crashes, increase site performance, and optimizing user experience for the most commonly-used devices.
For example, EDE Partners may use data regarding web viewing behaviors or application use gathered to predict consumer preferences or interests. This ‘targeted advertising’ (also known as online behavioral or interest-based advertising) uses data collected from a particular computer or device regarding a consumer’s web viewing behaviors or application use to predict user preferences or interests. The EDE Partner can then have ads delivered to computers or devices based on the user’s preferences or interests inferred from his or her web viewing behaviors or application use.
Some EDE Partners also offer website visitors the option to opt out of specific marketing programs using applications such as the TRUSTe opt-out site. Other EDE Partners may not offer specific options allowing consumers to opt out of internet tracking. However, consumers may take steps to opt out of tracking, including, but not limited to, setting their browsers to reject cookies, or clearing their browser’s cache and cookie history which can prevent tracking using cookies, but may disable some site functionality.
CMS will conduct periodic reviews of EDE Partner privacy policies and practices to ensure that they continue to align with agency objectives, federal law, and the EDE Partner Agreement, and that EDE Partners’ practices do not present unreasonable or unknown risks to consumer privacy. EDE Partner websites and their supporting information technology platforms will also be subject to periodic audits by CMS.