Find Local Help
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 10/3/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-1023324-778844 |
Name: | Find Local Help |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 9/11/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | It has been determined that the system Upkeep Tool is no longer used to collect Personally Identifiable Information (PII) from consumers. The Upkeep Tool has been decommissioned. Agents/Brokers information is collected externally from FLH and is delivered to FLH by an external source, Help on Demand. |
Describe the purpose of the system | Find Local Help (FLH) supports the public search capability of Healthcare.gov web content. The purpose of FLH is to allow the public to locate health insurance resources in their locality/state. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | Login credentials for applications are stored in application databases. Login credentials for local access to back end systems are stored on the back end systems. This includes usernames and password hashes. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Find Local Help (FLH) is a tool, available to the public as a link (https://localhelp.healthcare.gov/) on
|
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | <100 |
For what primary purpose is the PII used? | Usernames and passwords are used by System Administrators to access backend systems (servers) of the FLH system. Consumers - To contact public consumers of FLH if there is any question about information submitted to the application for correction. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | None |
Describe the function of the SSN. | N/A - SSN is not collected by this system |
Cite the legal authority to use the SSN. | N/A - SSN is not collected by this system |
Identify legal authorities governing information use and disclosure specific to the system and program. | The Affordable Healthcare Act, Section 1411 |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: SORN 09-70-0560, Health Insurance Exchange (HIX) Program |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Identify the sources of PII in the system: Government Sources |
|
Identify the sources of PII in the system: Non-Government Sources | Private Sector |
Identify the OMB information collection approval number and expiration date | N/A for user credential information collection.
|
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | There is a privacy notice available on the Healthcare.gov website available as a link for consumers to read about the collection and uses of their data. No prior notice is given by the FLH application itself. CMS employee and contractor credentials are stored in the system. The expectation of credentials being saved by CMS systems is inherent to employment. Employees do not have an expectation of User IDs remaining private from within the organization. The individual requesting access to FLH contacts their CMS component's CMS Access Administrator (CAA) via email, providing the CAA with their Name, User ID, and email address. The CAA, in turn, enters the data into the Enterprise User Administration (EUA) system, requesting approval for access to the appropriate user job code. This action initiates an email to the FLH System Administrator (SA), requesting his/her approval in EUA. Upon approval, EUA notifies the individuals that their request has been granted. HHS Form 745, ID badge request form, notifies the individual that their personal information will be collected. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | An option for users to opt-out of having their login credentials stored within applications or on local systems they access is not available because it is fundamental to the function of the system. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Username and password information used for local access (operating system level). Changes to FLH do not affect the use of this information and System Administrators are not informed about changes to the system relevant to their credentials. System Administrators do not have the opportunity to consent to system changes. Health Insurance providers who provided contact information are not informed about changes to the system and are not given an opportunity to consent to changes to the system. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | CMS employee and contractor information is stored in the system along with consumer personal information. For CMS employees and contractors, the expectation of names and company e-mail addresses being saved by CMS systems is inherent to employment. Employees do not have an expectation of this information remaining private within the organization. Consumers who are associated with businesses that have their public information available on the application can submit PII in the form of their first and last names, email address and phone number to be contacted in case of questions about corrections to information submitted. If an employee or a consumer has a reason to believe that their personal information has been compromised, they can create a ticket with the CMS IT Service Desk at 1-800-562-1963, which would inform the CMS Cyber Awareness Information Center (CCIC), who would investigate the matter and respond. In addition, the login credentials, name and email address within this system are collected by Enterprise User Administration (EUA). The EUA PIA describes the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. Individual's concerns involving their PII (user credentials) are addressed by the Enterprise Administration User team (a function of the contractor, Lockheed Martin). |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | CMS IDs which are used as usernames for local access are created by the Enterprise User Administration (EUA) system. The information is initially entered into EUA via a request form, for the sake of receiving access to CMS system. The form must be approved by the employee’s manager and contracting officer's representative (COR). The EUA system automatically requires users to review their access information annually or they are locked out of all CMS systems. Further, when an employee or contractor is terminated, their access to CMS systems is terminated and their EUA information is deleted. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to FLH systems is provided through EUA. Prospective users must request a CMS ID through a request form, which must be approved by the employee’s manager and COR. After the CMS ID is received, then the individual would request entitlement (job codes) through the EUA system. Entitlement requests for User or Administrator roles for various tools are directed to the System Owners for approval. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | All FLH tools and local systems maintain User and Administrator roles, which limit access within each application or system. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Both CMS employees and direct contractor staff who access or operate a CMS system are required to complete the annual CMS Security Awareness training provided annually as a Computer-Based Training (CBT) course. Direct contractors also complete their annual corporate security training. This training addresses the proper handling of PII. CMS employees and direct contractors with privileged access are required to complete the annual role-based training and meet continuing education requirements commensurate with their role. Other training avenues such as conferences, seminars and classroom training provided by CMS/HHS are available apart from the regular annual training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Ad Hoc Employees receive twice-yearly "Game Day" Exercises, where incident response is practiced and documented. Additionally, Ad Hoc provides basic level annual security training taught by security officers within the company. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The retention and destruction of FLH data is governed by the CMS Records Schedule. This schedule is aligned with the National Archives and Records Administration (NARA) guidelines for data retention and destruction. The following CMS Records Schedule Items apply (https://www.cms.gov/Regulations-and-Guidance/Guidance/CMSRecordsSchedule/index.html): Enrollment Records; Beneficiary Records; Provider and Health Plan Records; Analytic and Research Files (restricted); Disposition Authority Number DAA-0440-2015-0009-0002 Research and Program Analysis: Supporting Records. In addition, the FLH application follows the Data Destruction Standards prescribed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | FLH has a public interface with no login required. FLH also has an internal interface for Reviewers and Approvers of requests by Insurance providers to add contact information. Access to the internal network must receive approval through the EUA system and credentials are stored in the CMS Lightweight Directory Access Protocol (LDAP) and not on the FLH system. This is role-based access control. FLH backend systems require that individuals who have received role-based training and have a need-to-know may request access to these systems through a JIRA ticket. System Administrators can access backend systems within the Amazon Web Services (AWS) environment using OpenVPN which requires two-factor authentication. After connecting to an internal Gateway into the environment over the virtual private network (VPN), they are required to have a cryptographic private key on their client system which matches a public key present on the target system. This allows a Secure Shell (SSH) session to be created using which implements Federal Information Processing Standard (FIPS) 140-2 compliant encryption. FLH physical infrastructure exists in the Federal Risk and Authorization Management Program (FEDRAMP) accredited AWS east region and inherits its physical and administrative security controls regarding system infrastructure. AWS data centers and physical servers are only accessible to authorized personnel. The Office of Communications AWS Cloud Team authorizes remote access to FLH servers. |
Identify the publicly-available URL: | https://localhelp.healthcare.gov/#/ This link is part of healthcare.gov and takes public users to the FLH system |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government websites external to HHS? | Yes |
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | No |