Chartbeat
Date signed: 8/8/2018
| TPWA PIA Questions | TPWA PIA Answers |
|---|---|
| OPDIV: | CMS |
| TPWA Unique Identifier (UID): | T-1494462-247155 |
| Is this a new TPWA? | Yes |
| Please provide the reason for revision. | Not applicable |
| Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? | No |
| Indicate the SORN number (or identify plans to put one in place.) |
|
| Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? | No |
| Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) |
|
| Does the third-party Website or application contain Federal Records? | No |
| Describe the specific purpose for the OPDIV use of the third-party Website or application: | The Centers for Medicare & Medicaid Services (CMS) uses Chartbeat to collect, report, and analyze visitor interactions on CMS’ websites, including CMS.gov, Medicare.gov, MyMedicare.gov, HealthCare.gov, CuidadoDeSalud.gov, Medicaid.gov, InsureKidsNow.gov, and various subdomains of the above top-level domains (TLDs). These TLDs are hereafter referred to as “CMS’ websites.” CMS uses this information to measure the number of concurrent visitors to our sites and its various sections and to help make them more useful to visitors. Chartbeat's ability to provide real-time consumer traffic numbers and deliver them to an easy to use dashboard allows CMS to react to unexpected spikes in traffic as well as pinpoint the source of this traffic. Among other things, Chartbeat allows CMS’ websites to make needed technical changes to react to unexpected traffic spikes. CMS staff, including contractors, analyze and report using the data that is collected by Chartbeat. The reports are available only to CMS managers, teams who implement CMS programs represented on CMS’ websites, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their duties. The information that is collected by Chartbeat is only available to CMS website managers, members of the CMS communications and Web teams, and other designated staff federal employees and contracting teams who need this information to perform their duties. |
| Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? | Yes |
| Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: | If consumers do not want Chartbeat to collect information related to their visits to CMS’ websites, consumers can use other means of interaction, including but not limited to paper applications, call centers, or in-person assisters. In addition to these options, a consumer can use the Tealium iQ Privacy Manager on each CMS website’s privacy page and "opt out" of having data collected about their device by Chartbeat. Alternatively, a consumer can disable their cookies if they do not want their information to be collected by Chartbeat. |
| Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? | No |
| How does the public navigate to the third party Website or application from the OPIDIV? | Not applicable |
| Please describe how the public navigate to the third-party website or application: | Not applicable - the public does not navigate to Chartbeat. Chartbeat works in the background. |
| If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? | No |
| Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? | Yes |
| Provide a hyperlink to the OPDIV Privacy Policy: | https://www.medicare.gov/privacy/ https://www.healthcare.gov/privacy/ Additional privacy policies for subdomains of the above websites. |
| Is an OPDIV Privacy Notice posted on the third-party Website or application? | No |
| Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy. | No |
| Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? | No |
| Is PII collected by the OPDIV from the third-party Website or application? | No |
| Will the third-party Website or application make PII available to the OPDIV? | No |
| Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: | Not applicable - CMS does not collect any PII through the use of Chartbeat. |
| Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: | Not applicable - PII is not stored or shared. |
| If PII is shared, how are the risks of sharing PII mitigated? | Not applicable |
| Will the PII from the third-party Website or application be maintained by the OPDIV? | No |
| If PII will be maintained, indicate how long the PII will be maintained: | Not applicable |
| Describe how PII that is used or maintained will be secured: | Not applicable |
| What other privacy risks exist and how will they be mitigated? | CMS will use of Chartbeat in a manner that protects the privacy of consumers who visit CMS’ websites and respects the intent of those visitors. CMS will conduct periodic reviews of Chartbeat's privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy. Chartbeat is employed solely for the purposes of improving CMS' services and activities online related to operating CMS’ websites. Risk #1: Persistent cookies are used by Chartbeat on CMS’ websites and can be stored on a user’s local browser. A consumer's referring URL, device type, time spent on site or page, visitor frequency, browser type, size and technology, operating system and Geographic data is collected, based on the IP address, although a consumer’s device location is an approximation. Chartbeat's cookies are stored on the user's local browser for three years by default. Mitigation: Chartbeat's privacy policies, notices from CMS’ websites, information published by Chartbeat about its privacy policies, and the ability for consumers to opt-out of providing their information to Chartbeat maximizes consumers’ ability to protect their information and mitigate risks to their privacy. Consumers can also use the Tealium iQ Privacy Manager on each CMS website’s privacy page and "opt out" of having data collected about them by Chartbeat. CMS will not deploy the Chartbeat tool if the website is not using Tealium iQ. Risk #2: The information collected by Chartbeat is created and maintained by Chartbeat. Chartbeat may aggregate and "anonymize" Traffic Data from CMS’ websites with that from other websites to provide benchmarking data and other functionality. Mitigation: Chartbeat will not disclose aggregated traffic data in a manner that reveals the identity of a CMS or a Healthcare.gov consumer without CMS's express prior consent. |
Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services