
Exchange Operations Center

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 12/28/2023

PIA Information for Exchange Operations Center
PIA Questions / PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-7500088-985404
Name: Exchange Operations Center
The subject of this PIA is which of the following? General Support System
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? Yes
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 1/5/2024
Indicate the following reason(s) for updating this PIA. Choose from the following options.
  • Internal Flow or Collection
  • PIA Validation (PIA Refresh/Annual Review)
  • New Interagency Uses
Describe in further detail any changes to the system that have occurred since the last PIA.

System user accounts are created for third-party vendor software (Google Workspace) and stored on the vendor's web portals.

As of 2018, the Direct Enrollment (DE) Partner Program has been implemented. The Program allows DE Partners (Insurance Issuers and Web Brokers) to collect information from consumers who choose to provide their information to the DE Partners. When working with consumers, DE Partners enter consumer information into a HealthCare.gov application for eligibility and enrollment directly from the DE Partner website. This Program enables consumers to complete their applications, receive eligibility results, and enroll in plans while working with DE Partners, without leaving the DE Partner website(s).

Describe the purpose of the system

The Exchange Operations Center (XOC) is an operations center that monitors the systems that comprise the Federally Facilitated Marketplace (FFM) and the Data Services Hub (DSH).

The Eligibility and Enrollment (E&E) functionality is used to verify an applicant's eligibility for health insurance, plan selection, and enrollment through the Affordable Care Act (ACA) Marketplace, available online at HealthCare.gov.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

When there is a data breach or data spillage resulting from an HHS Numbered Incident, the Exchange Operations Center (XOC) can retrieve data files that contain Social Security number, name, mother's maiden name, email address, phone number, military status, taxpayer identification number, date of birth, mailing address, financial account numbers, legal documents, password, user ID, employment status, and foreign activity.

The XOC ensures that data elements from all systems and applications are electronically masked in accordance with existing HHS and federal privacy requirements, including those for advertising, social media, and web analytics.

Information found is shared only within CMS during an actual security incident. XOC staff directly involved in a specific HHS incident must provide their full name (first and last), employment status and contractor affiliation, phone number, and email address on the Incident Report, which is completed using an HHS-issued template.

XOC does not store the data, but data is captured during the verify and validate steps of the investigation. XOC provides forensic evidence and operational artifacts to ServiceNow, the CMS incident ticketing system, which is covered by a separate PIA.

The XOC is a secure enclave through which the Federally Facilitated Marketplace (FFM) and State-Based Marketplaces (SBM) securely move PII data elements to the trusted federal data partners using DSH secure hub web portals, including the Enterprise Portal, Enterprise Identity Management (EIDM), and Enhanced Direct Enrollment. EIDM, FFM, and DSH are also CMS systems and are covered by separate PIAs.

XOC also supports Enhanced Direct Enrollment Partner websites, which are covered by an existing Third-Party Website and Application (TPWA) PIA.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Exchange Operations Center does not retrieve PII by default, but geographical regional searches can return a limited number of records, not to exceed the first 1,000.

Agent, Broker, and Issuer information is stored separately as a coded string that masks their private identity.
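One way to perform the masking described above, as an added example that is not part of this PIA or of any CMS or XOC code. The PIA does not state how data elements are masked or how the coded string for Agent, Broker, and Issuer identity is produced; the example assumes partial masking for SSN and account numbers, redaction for other PII fields, and a keyed HMAC-SHA256 pseudonym for identity fields, with the key held apart from the extract. The CSV extract, column names, and key are constructed sample data, and the release check at the end is the practitioner's own safeguard, not a control the PIA describes.

```python
"""Added example, not code from the PIA or from CMS: masking a data extract
before it is handled in an investigation.  Keyed pseudonymization
(HMAC-SHA256) and partial masking are assumed mechanisms; the CSV extract,
column names and key are constructed sample data.
"""
import csv
import hashlib
import hmac
import io
import re

# Columns treated as direct PII (assumed column names).
PII_FIELDS = {"name", "ssn", "tax_id", "dob", "account_number", "mothers_maiden_name"}
# Columns holding Agent/Broker/Issuer identifiers to be replaced by a coded string.
IDENTITY_FIELDS = {"agent_npn", "issuer_id"}

# Nine digits, optionally in 3-2-4 groups, standing alone as a word.
SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

# Constructed sample extract; none of these people or numbers are real.
SAMPLE_EXTRACT = """\
application_id,name,ssn,dob,account_number,mothers_maiden_name,agent_npn,issuer_id
A-1001,Jane Example,123-45-6789,1980-01-05,4111111111111111,Smith,NPN-1234567,ISS-77
A-1002,John Sample,987654321,1975-07-19,5555444433331111,Jones,NPN-1234567,ISS-88
"""


def mask_value(field, value):
    """Mask one PII value, keeping only what an investigator needs to correlate."""
    if field in ("ssn", "tax_id"):
        digits = re.sub(r"\D", "", value)
        return "***-**-" + digits[-4:] if len(digits) == 9 else "[REDACTED]"
    if field == "account_number":
        return "*" * max(len(value) - 4, 0) + value[-4:]
    return "[REDACTED]"


def pseudonymize(identity, key):
    """Coded string for an identity: HMAC-SHA256 under a key held separately.

    The same identity always maps to the same code (so records can still be
    correlated), but the code cannot be reversed without the key.
    """
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_extract(csv_text, key):
    """Return the extract with PII masked and identities replaced by coded strings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        masked = {}
        for field, value in row.items():
            if field in PII_FIELDS:
                masked[field] = mask_value(field, value)
            elif field in IDENTITY_FIELDS:
                masked[field] = pseudonymize(value, key)
            else:
                masked[field] = value
        writer.writerow(masked)
    return out.getvalue()


def contains_raw_ssn(text):
    """Check before release: does any unmasked SSN-shaped value survive?"""
    return bool(SSN_PATTERN.search(text))


if __name__ == "__main__":
    masked = mask_extract(SAMPLE_EXTRACT, key=b"assumed-demo-key-kept-out-of-band")
    print(masked)
    print("raw SSN present:", contains_raw_ssn(masked))
```

The HMAC key is what makes the coded string "separate" from the identity: whoever holds the masked extract cannot recover the NPN or issuer ID without it, so the key belongs with the access-controlled mapping, never in the same ticket or email as the extract. The final pattern check is cheap and catches the common failure where a new column carrying an SSN is added to the extract without being added to the masking list.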

The Exchange Operations Center is the focal point for monitoring the other autonomous systems that support and coordinate the processes and activities of Agents, Brokers, and Issuers, which ensure that applicants get the proper health insurance during each ACA Open Enrollment period (November 1 to December 15 each calendar year) and for Special Enrollment needs (December 16 to October 30).

Personally identifiable information can be shared temporarily with a Call Center Representative, via the 1-800 toll-free service, to assist the submitter of a Federal or State application.


Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • Mother's Maiden Name
  • E-Mail Address
  • Phone Numbers
  • Military Status
  • Foreign Activities
  • Taxpayer ID
  • Date of Birth
  • Mailing Address
  • Financial Account Info
  • Legal Documents
  • Employment Status
  • Other - UserID, password, Contractor Affiliation
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
  • Other - Only CMS employees and CMS contractors
How many individuals' PII is in the system? 500-4,999
For what primary purpose is the PII used? System records, not to exceed 1,000 rows, are queried exclusively to investigate a data breach and report the details of the specific privacy violation performed by an Agent, Broker, Issuer, or System Administrator, in accordance with CMS ARS 3.1 privacy policies and HHS security standards, for any known data breach or data spillage. User credentials are collected for the purpose of controlling system access.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) N/A
Describe the function of the SSN.

The Exchange Operations Center includes a record of the actual SSNs pulled from the FFM, DSH, and CMS systems, and provides a secure list to the CMS security and privacy office or breach response team.

The XOC system does not actively collect, store, or process PHI or PII. As part of its day-to-day business function, XOC is responsible for participating in and coordinating special investigations related to security and privacy incidents. As part of such investigations, XOC staff members may have access to, or receive, PII or PHI for further research and analysis. This sensitive information may be stored or transmitted within the XOC system boundary.

All staff members are trained to limit their exposure to sensitive information. All sensitive information is encrypted during transmission (primarily through email).

Cite the legal authority to use the SSN. Patient Protection and Affordable Care Act (Pub. L. 111-148), Pub. L. 111-152, and E.O. 9397.
Identify legal authorities governing information use and disclosure specific to the system and program. 5 USC 301, Departmental Regulations; Patient Protection and Affordable Care Act (Pub. L. 111-148), Pub. L. 111-152, and E.O. 9397.
Are records on the system retrieved by one or more PII data elements? Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. Published: 09-70-0560
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
  • Email
  • Other - New Relic, Splunk, Layer 7
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • Other HHS OPDIV
  • Other Federal Entities
Identify the sources of PII in the system: Non-Government Sources
  • Members of the Public
  • Commercial Data Broker
  • Private Sector
Identify the OMB information collection approval number and expiration date: N/A
Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Individuals requesting access must sign an Acceptable Use Agreement prior to account creation. An account request form must also be completed indicating name, email, phone number, and the access level needed. This form is reviewed and approved by the System Information Security Officer (ISSO) prior to account creation.

All data is stored in the CMS controlled portal in accordance with established business rules for processing a federal applicant, both for the Issuers and Purchasers of a specific health insurance plan.

Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. Potential users cannot opt out of providing their PII (email, name, and phone number). This PII is needed to create a user account so that they can perform their job duties and gain access to FFM and DSH to monitor system performance, failed transactions, and failed login attempts within the different system components.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. Individuals requesting access must sign an Acceptable Use Agreement prior to account creation.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. Account holders can contact the Access Control team via email.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

In order to maintain the integrity, availability, accuracy, and relevancy of the PII, system administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if it is no longer required.


Under this process, outdated, unnecessary, irrelevant, and inaccurate PII is identified and deleted. The PII is available as needed and is sufficient (the minimum required) for the purposes needed. Only system administrators can create or modify PII. Activities of all users, including system administrators, are logged and reviewed by the XOC System Information Security Officer (ISSO) to identify any abnormal activity.

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Users monitor system performance and failed transactions along with any failed login attempts within the different system components
  • Administrators: Administrators create the accounts for the users and modify account information if necessary.
  • Developers: Developing secure code for consumer facing business needs
  • Contractors: CMS direct contractors, as users or administrators required to coordinate Infrastructure Change Requests across three to nineteen contracts.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

System user accounts are created for third-party vendor software (Google Workspace) and stored on the vendor's web portals. Individuals requesting access must sign an Acceptable Use Agreement prior to account creation. An account request form must also be filed indicating name, email, phone number, and the access level needed. This form is reviewed and approved by the System Information Security Officer (ISSO) prior to account creation. XOC applies the principle of least privilege and role-based access control to ensure that system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. System administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if it is no longer required. Activities of all users, including system administrators, are logged and reviewed by the XOC ISSO to identify any abnormal activity.
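The periodic account review and ISSO log review described above, as an added example that is not part of this PIA or of any CMS or XOC code. It assumes a small role-to-entitlement table, an inactivity threshold of 180 days, a threshold of three failed logins in fifteen minutes, and an audit log in a simple key=value format; the accounts and log lines are constructed sample data, and every field name and threshold is an assumption rather than a value taken from the PIA. The rule that only administrators may create or modify account data is the one the review process states; the example turns it into a check.

```python
"""Added example, not part of the PIA or of any CMS/XOC code: a periodic
account review and log review of the kind the procedures above describe.
Role table, accounts, log lines, field names and thresholds are all
constructed or assumed for illustration.
"""
from datetime import datetime, timedelta

# Assumed role model: the minimum entitlements each role needs (least privilege).
ROLE_ENTITLEMENTS = {
    "user": {"monitor:read"},
    "administrator": {"monitor:read", "accounts:manage"},
    "developer": {"monitor:read", "code:commit"},
}

# Constructed sample account records (not real accounts).
ACCOUNTS = [
    {"userid": "jdoe", "role": "user", "entitlements": {"monitor:read"},
     "last_login": "2023-12-01", "agreement_signed": True},
    {"userid": "asmith", "role": "user",
     "entitlements": {"monitor:read", "accounts:manage"},    # beyond role
     "last_login": "2023-11-20", "agreement_signed": True},
    {"userid": "old_contractor", "role": "developer",
     "entitlements": {"monitor:read", "code:commit"},
     "last_login": "2023-03-01", "agreement_signed": True},  # inactive
    {"userid": "newhire", "role": "administrator",
     "entitlements": {"monitor:read", "accounts:manage"},
     "last_login": "2023-12-10", "agreement_signed": False}, # no agreement
]

# Constructed sample audit log in an assumed "<timestamp> k=v ..." format.
LOG_LINES = """\
2023-12-11T08:01:02Z user=jdoe action=login result=success
2023-12-11T08:05:10Z user=asmith action=login result=failure
2023-12-11T08:05:14Z user=asmith action=login result=failure
2023-12-11T08:05:19Z user=asmith action=login result=failure
2023-12-11T09:30:00Z user=jdoe action=account_modify target=newhire
2023-12-11T10:00:00Z user=newhire action=login result=success
"""
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def review_accounts(accounts, as_of, inactive_days=180):
    """Semi-annual account review: (userid, finding) pairs for the ISSO.

    Flags entitlements beyond the account's role, accounts with no login in
    `inactive_days`, and accounts with no signed use agreement on file.
    """
    findings = []
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=inactive_days)
    for acct in accounts:
        uid = acct["userid"]
        excess = acct["entitlements"] - ROLE_ENTITLEMENTS.get(acct["role"], set())
        if excess:
            findings.append((uid, f"entitlements beyond role: {sorted(excess)}"))
        if datetime.strptime(acct["last_login"], "%Y-%m-%d") < cutoff:
            findings.append((uid, f"no login since {acct['last_login']}; remove access"))
        if not acct["agreement_signed"]:
            findings.append((uid, "no signed use agreement on file"))
    return findings


def parse_line(line):
    """Parse one assumed-format log line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, TS_FORMAT)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def review_logs(text, accounts, failure_threshold=3, window=timedelta(minutes=15)):
    """ISSO log review: (userid, finding) pairs for abnormal activity.

    Flags account creation/modification by anyone who is not an administrator
    and bursts of `failure_threshold` failed logins inside `window`.
    """
    roles = {a["userid"]: a["role"] for a in accounts}
    failures, findings = {}, []
    for line in text.splitlines():
        rec = parse_line(line)
        user = rec.get("user", "?")
        if rec.get("action") == "login" and rec.get("result") == "failure":
            failures.setdefault(user, []).append(rec["ts"])
        elif rec.get("action") in ("account_create", "account_modify"):
            if roles.get(user) != "administrator":
                findings.append((user, f"{rec['action']} by non-administrator "
                                       f"at {rec['ts']:%Y-%m-%dT%H:%M:%SZ}"))
    for user, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - failure_threshold + 1):
            if stamps[i + failure_threshold - 1] - stamps[i] <= window:
                findings.append((user, f"{failure_threshold} failed logins within "
                                       f"{window} starting {stamps[i]:%Y-%m-%dT%H:%M:%SZ}"))
                break
    return findings


if __name__ == "__main__":
    for uid, finding in review_accounts(ACCOUNTS, "2023-12-15") + review_logs(LOG_LINES, ACCOUNTS):
        print(f"{uid}: {finding}")
```

The two reviews cover different failure modes: the account review catches drift that accumulates quietly (an entitlement granted for a task and never removed, a contractor who rolled off but kept an account), while the log review catches activity that should never appear at all under the stated rule, such as a non-administrator modifying an account. Both return findings as data rather than printing them so they can be fed into the ticketing system the PIA describes.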


Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. XOC applies the principle of least privilege and role-based access control to ensure that system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. System administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if it is no longer required. Activities of all users, including system administrators, are logged and reviewed by the XOC ISSO to identify any abnormal activity.
Describe training system users receive (above and beyond general security and privacy awareness training). CMS employees and contractors with privileged access are required to complete role-based training and meet continuing education requirements commensurate with their role. Other training avenues, such as conferences, seminars, and classroom training provided by CMS/HHS, are available apart from the regular annual training.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

National Archives and Records Administration (NARA) General Records Schedule (GRS) 5.1, Common Office Records, and GRS 5.2, Transitory Records, state that XOC will destroy/delete records no sooner than 7 years or when no longer needed for business, whichever is later; GRS 2.4, Employee Records, states that XOC will delete/destroy records no sooner than 7 years or when the agency determines they are no longer needed for administrative, legal, audit, or other operational purposes.


System Administrators review user accounts at least quarterly to remove user PII if access is no longer required.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

XOC applies the principle of least privilege and role-based access control to ensure that system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. System administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if it is no longer required. Activities of all users, including system administrators, are logged and reviewed by the XOC ISSO to identify any abnormal activity.

XOC is located at a secured facility. Physical controls, such as security guards, are in place to ensure that access to the buildings is granted only to authorized individuals. Personnel identification is checked at the facility.

XOC is built using industry best practices and is independently reviewed against Federal Information Security Modernization Act (FISMA) and National Institute of Standards and Technology (NIST) security and privacy controls to ensure that technical, operational, and management controls are properly applied.
Personally Identifiable Information (PII) in XOC is secured administratively by ensuring that the system goes through the Assessment and Authorization (A&A) process and that all documentation is submitted to the Information Security & Privacy Group (ISPG), which supports the system, in order to comply with FISMA requirements.

Identify the publicly-available URL: hc.gov redirects to healthcare.gov
Does the website have a posted privacy notice? Yes
Is the privacy policy available in a machine-readable format? Yes
Does the website use web measurement and customization technology? Yes
Select the type of website measurement and customization technologies in use and whether they are used to collect PII. (Select all that apply)
  • Session Cookies
  • Persistent Cookies
Web Beacons - Collects PII?: No
Web Bugs - Collects PII?: No
Session Cookies - Collects PII?: No
Persistent Cookies - Collects PII?: No
Does the website have any information or pages directed at children under the age of thirteen? No
Does the website contain links to non-federal government websites external to HHS? Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? Yes