Exchange Consumer Web Services

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 12/5/2023

PIA Information for the Exchange Consumer Web Services
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-3878123-222043

Name:

Exchange Consumer Web Services

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

Yes

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

8/7/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

There have been no changes to the Exchange Consumer Web Services (ECWS) since the previous PIA review.

Describe the purpose of the system

The Exchange Consumer Web Services (ECWS) is an internal CMS application that deploys and maintains educational information about the Federally Facilitated Marketplace (FFM) on the HealthCare.gov website. ECWS also monitors the performance of the HealthCare.gov website. The CMS Office of Communication (OC) is responsible for providing guidance and oversight for the ECWS.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The following information is processed, shared or stored by ECWS: Affordable Care Act (ACA) healthcare regulations and information; a glossary of healthcare terminology related to Healthcare.gov; and website performance statistics, such as the date and time a consumer visits a web page and the pages visited. To access ECWS for support services, a system user inputs a user ID and password. The user ID and password are managed by Enterprise User Administration (EUA). EUA is a separate system that is covered by a separate PIA and is used to control access to the system.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The ECWS is an application used to support the Healthcare.gov website by updating and removing educational information about the ACA, the FFM, a glossary of terminology relating to Healthcare.gov, and the common headers and footers seen on the website. The educational information is intended to assist consumers in understanding the ACA and the FFM and in locating healthcare information. The information shared by ECWS is 'static', which means it is in a readable format but cannot be modified by the public.

ECWS also monitors the performance of the HealthCare.gov website. This is achieved by collecting and storing website performance statistics about the HealthCare.gov website, such as the date and time a page has been visited and the pages visited by the public.

To support the ECWS functions, system personnel (administrators, developers and users) input their user credentials, a CMS Enterprise User Administration (EUA) user ID and password. System users are CMS employees and direct contractors. The user credentials are collected through the GitHub Enterprise Server located within the Exchange Website Support Tools (EWST) system boundary, which then allows the system users to access the ECWS application. EWST is responsible for the security parameters of the information (including user credentials) collected and maintained within it and conducts its own PIA.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

Other - Enterprise User Administration (EUA) user ID and password.

Indicate the categories of individuals about whom PII is collected, maintained or shared.

Employees

How many individuals' PII in the system?

<100

For what primary purpose is the PII used?

ECWS uses PII for logging into and accessing the system.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

Not applicable

Describe the function of the SSN.

Not applicable

Cite the legal authority to use the SSN.

Not applicable

Identify legal authorities governing information use and disclosure specific to the system and program.

The Affordable Healthcare Act, Section 1411

5 USC Section 301 Departmental Regulations

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

  • In-Person

  • Online

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Not applicable

Identify the OMB information collection approval number and expiration date

Not applicable

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

As an internal CMS system, ECWS does not have a process to directly notify system users that their personal information is being collected. The notification occurs at the EUA logon page, as part of the process to obtain general access to CMS systems as a CMS employee or direct contractor.

The EUA system displays a banner on the logon page advising that the individual is accessing a government system and that, by accessing it, the user consents to the collection of personal information.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

The PII, user ID and password, are required to access ECWS. Therefore, there is no method to opt-out.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

There is not a process within ECWS to notify system users of a major change that may affect their PII. Because ECWS is an internal CMS system, the notification would occur through normal CMS information channels.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

If an individual has concerns that their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate, they would contact the CMS IT Service Desk either by email or telephone. The CMS IT Service Desk would then inform the CMS Cyber Information Center (CCIC), which would investigate and determine whether any further action is needed.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

ECWS relies on the EUA system to manage the integrity, availability and reliability of the PII (user credentials). EUA has processes in place to monitor EUA accounts and to assign and approve access to ECWS. ECWS users assist with accuracy by managing their own user credentials. The ECWS system administrators maintain the allowable/registered users by deleting, reactivating or confirming user accounts. Processes are in place to reconcile the current users between EUA and ECWS, eliminate any inactive accounts, and assign and remove access to ECWS. The integrity of PII is protected by firewalls and encryption layers. Full-device encryption is employed to protect confidentiality and integrity.
Identify who will have access to the PII in the system and the reason why they require access.

  • Administrators: The administrators have access to PII to generate a list of system users and manage and assign access to ECWS.

  • Contractors: Direct contractors, in their role as an administrator, would have access to PII as described in the "Administrators" explanation above.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to PII is limited to the ECWS system administrators. ECWS uses the principle of least privilege as well as role-based access control to ensure system administrators are granted access on a "need-to-know" and "need-to-access" basis.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

ECWS uses the principle of least privilege as well as role-based access control to ensure system administrators are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties.

User accounts are reviewed annually, or on an as-needed basis when a user leaves the project and their access is removed. Activities of all users are logged and reviewed weekly to identify any abnormal activity.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All personnel (direct contractors and CMS employees) are required to complete the annual CMS Security and Privacy Awareness training, provided as a Computer Based Training (CBT) course. Direct contractors also complete their annual corporate security training.

Describe training system users receive (above and beyond general security and privacy awareness training)

Not applicable

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The retention and destruction of ECWS data is governed by the CMS Records Schedule. This schedule is aligned with the National Archives and Records Administration (NARA) guidelines for data retention and destruction. The following CMS Records Schedule Items apply:

https://www.cms.gov/Regulations-and-Guidance/Guidance/CMSRecordsSchedule/index.html

Analytic and Research Files (restricted)
Disposition Authority Number: DAA-0440-2015-0009-0002
Transfer to the National Archives for Accessioning: 20 year(s) after cutoff.

Research and Program Analysis: Supporting Records
Disposition Authority Number: DAA-0440-2015-0009-0003
Cutoff Instruction: Cutoff at the end of the calendar year.
Retention Period: Destroy 10 year(s) after cutoff or when no longer needed for agency business, whichever is later.

In addition, the ECWS application follows the Data Destruction Standards prescribed in NIST Special Publication (SP) 800-88.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The administrative controls in place to secure the PII include role-based access and permissions, periodic review of users, and deletion of non-active accounts.

The technical controls in place are firewalls that prevent unauthorized access, encrypted access when users log into ECWS, security scans, active penetration testing, and intrusion detection and prevention technologies. ECWS also uses a tiered system architecture, which means the testing, development and production environments are separated and only assigned users may access each one.

The physical controls in place are as follows: the use of security cards and pass codes, video monitoring, security guards, and a separately located backup system.

Identify the publicly-available URL:

www.HealthCare.gov

Does the website have a posted privacy notice?

Yes

Is the privacy policy available in a machine-readable format?

Yes

Does the website use web measurement and customization technology?

Yes

Select the types of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply)

  • Web Beacons

  • Session Cookies

  • Persistent Cookies

Web Beacons - Collects PII?:

No

Web Bugs - Collects PII?:

 

Session Cookies - Collects PII?:

No

Persistent Cookies - Collects PII?:

No

Other - Collects PII?:

No

Does the website have any information or pages directed at children under the age of thirteen?

No

Does the website contain links to non-federal government websites external to HHS?

Yes

Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?

Yes