
Federally Facilitated Exchange Analysis Tools

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 10/10/2023

PIA Information for the Federally Facilitated Exchange Analysis Tools
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-9594868-634874

Name:

Federally Facilitated Exchange Analysis Tools

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

12/15/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

None

Describe the purpose of the system

The Center for Consumer Information and Insurance Oversight (CCIIO) uses the Federally Facilitated Exchange Analysis Tools (FFEAT) system to review health insurance companies' (issuers) applications, rates and benefit packages to become Qualified Health Plans (QHP) and Stand-Alone Dental Plans (SADP) that are offered on the Federally-Facilitated Marketplace (FFM). QHP and SADP are offered to the general public and to small businesses under the provisions of the Affordable Care Act (ACA) on the FFM website, healthcare.gov. 

The FFEAT's suite of reporting and analytic tools provides CCIIO with timely ad-hoc analysis, reports and reviews of health plans.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The FFEAT system stores information for user access. This includes the individual's full name, business email address, user ID and password.

The FFEAT system stores information that describes health and dental plans. This information includes the issuers, QHP and SADP name and business contact information for corporate representatives, and insurance plan descriptions, rates, plan options and benefits and operational plans. The information about the issuers, QHP and SADP does not include any information about the general public or individuals insured in any plan.

During the review of insurance and dental plan submissions, reviewers record the outcome of reviews by adding comments, identifying deficiencies and performing supervisory and Quality Assurance (QA) approval. Audit logs are maintained that capture the user, date and time of all system actions to facilitate audit.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

CCIIO uses FFEAT to perform ad-hoc analysis and prepare high level reports to summarize various aspects of the healthcare marketplace, including: reports that show premiums, benefit package characteristics, and other data elements relative to the product offerings that issuers are offering on the FFM; county coverage maps and reports that indicate full-shelf (or the lack thereof) counties where there is adequate competition of plans in the FFM; year-over-year comparison reports and analyses of what products QHP issuers offered on the FFM; deficiency counts by review area where issuers need to correct or update their QHP applications in order to be in compliance with CMS regulations to be certified to sell QHPs on the FFM.

FFEAT allows CCIIO to review whether QHPs and SADPs are meeting specific benefit and value standards. Types of reviews that are performed include: administrative, compliance plan, licensure, good standing, accreditation, network adequacy, service area, essential health benefits, actuarial value, and cost sharing evaluations. During the review of health and dental plan submissions, reviewers record the outcome of reviews by adding comments, identifying deficiencies and performing supervisory and QA approval. Audit logs are maintained that capture the user, date and time of all system actions to manage and facilitate audits.

The information captured during review is used to provide feedback to issuers. Any deficiencies identified in an issuer's submission are corrected by the issuer. The deficient submission is resubmitted and reviewed again. After a complete review with no deficiencies and certification by CCIIO, issuer submissions are offered for sale on healthcare.gov/FFM. The FFEAT system stores information that describes health and dental plans. This information includes the issuers, QHP and SADP name and business contact information for corporate representatives, and insurance plan descriptions, rates, plan options and benefits and operational plans. 

The FFEAT system stores user information about the FFEAT staff that conduct the reviews and the system support staff that provide administrative services. The user information is full name, email address, user ID and password. 

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name
  • E-Mail Address
  • Other - Password, User ID

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors

How many individuals' PII in the system?

500-4,999

For what primary purpose is the PII used?

The PII is used to authenticate users when they log into FFEAT.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

None

Describe the function of the SSN.

NA - SSN is not collected or stored

Cite the legal authority to use the SSN.

NA - SSN is not used by the system

Identify legal authorities governing information use and disclosure specific to the system and program.

5 USC Section 301, Departmental Regulations

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

Health Information Exchange (HIX) 09-70-0560 02/06/2013 and updated 5/27/2013 and 10/23/2013

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

  • In-Person
  • Email

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

Not applicable for user credentials

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Prospective users of FFEAT must sign an account request form. New users receive a welcome email with instructions that includes a notification that their name and business email address are maintained for authentication purposes.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Users are notified of the method to opt-out in the new user welcome email.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

FFEAT users receive regular emails about the system, including notices of changes to the system. User IDs and passwords are never distributed, so system modification will not alter how the information is protected.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

If an individual has a concern regarding use of their PII, they are instructed to contact the FFEAT Program Privacy Officer.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

A user audit is performed on a monthly basis. User audits, which consist of a review of user activity, failed login attempts, inactive users, and password changes, are conducted by the FFEAT Information System Security Officer (ISSO). The FFEAT Program Privacy Officer also conducts a monthly audit of PII usage.

Identify who will have access to the PII in the system and the reason why they require access.

  • Administrators: An administrator has access to PII to facilitate the process of managing user accounts, creating new user accounts and disabling inactive user accounts. Also, administrators conducting monthly audits access system logs that show the user ID and the time and date of the system access. There are no Logistics Management Institute (LMI) subcontractors who are administrators.

  • Contractors: Direct contractors are administrators that have access to PII to facilitate the process of managing user accounts, creating new user accounts and disabling inactive user accounts. Also, administrators conducting monthly audits access system logs that show the user ID and the time and date of the system access. Direct contractors are Logistics Management Institute (LMI) employees who have been provided CMS credentials to access the system for the above purposes.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Prospective users of FFEAT must sign an account request form. Users and their roles are reviewed and approved by the business owner before access is granted to FFEAT, and users are granted access on a "need-to-access" basis for their assigned duties. A user audit is performed on a monthly basis. User audits, which consist of a review of user activity, failed login attempts, inactive users, and password changes, are conducted by the FFEAT ISSO.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

FFEAT uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. A user audit is performed on a monthly basis. User audits, which consist of a review of user activity, failed login attempts, inactive users, and password changes, are conducted by the FFEAT ISSO. Passwords are obfuscated by design and can only be changed by an administrator.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All users are required to complete the CMS Security and Privacy Awareness training, provided annually as a Computer Based Training (CBT) course. Any individuals with privileged access must also complete role-based security training commensurate with the position they are working. Contractors also complete their own annual corporate security training.

Describe training system users receive (above and beyond general security and privacy awareness training)

No additional training is required.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

FFEAT follows the CMS Records Schedule and the National Archives and Records Administration (NARA) General Records Schedule (GRS) 5.1 Common Office Records and 5.2 Transitory Records schedules.  Based on this guidance, FFEAT will destroy/delete relevant data when no longer needed for business, administrative, legal, audit or other operational purposes.  System Administrators review user accounts at least quarterly to remove user PII if access is no longer required.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

FFEAT uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. Users and their roles are reviewed and approved by the business owner before access is granted to FFEAT. A user audit is performed on a monthly basis. User audits, which consist of a review of user activity, failed login attempts, inactive users, and password changes, are conducted by the FFEAT ISSO. The FFEAT Program Privacy Officer also conducts a monthly audit of PII usage.

Encryption is used for all backup tapes and data connections. Additionally, multiple intrusion detection and prevention methodologies are employed, and the system is tested regularly (multiple times a year) for application vulnerabilities, and daily for system vulnerabilities. Access is provided by multi-factor authentication and the system is not publicly available.

FFEAT is located in Amazon Web Services (AWS) GovCloud US-West.