Google Vertex
Date signed: 5/28/2025
| TPWA PIA Questions | TPWA PIA Answers |
|---|---|
| OPDIV: | CMS |
| TPWA Unique Identifier (UID): | T-4820288-833431 |
| Is this a new TPWA? | Yes |
| Please provide the reason for revision | Not Applicable |
| Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? | No |
| Indicate the SORN number (or identify plans to put one in place.) |
|
| Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? | No |
| Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) |
|
| Does the third-party Website or application contain Federal Records? | No |
| Describe the specific purpose for the OPDIV use of the third-party Website or application: | Google Vertex (also known as Vertex Artificial intelligence [AI]) provides an AI-driven search experience tailored for healthcare environments, such as Medicare.gov users. This platform enables users to efficiently access and navigate complex healthcare data. By leveraging machine learning and natural language processing, Vertex AI Search delivers a Google Search-like experience, allowing users to find relevant information quickly and easily. The Third-Party Website and Application (TPWA) Privacy Impact Assessment (PIA) will be updated to reflect any future AI use cases that introduce new privacy risks." |
| Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? | No |
| Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: | They can either navigate directly to the page they are looking for, or they can use other search engines, such as Brave, and perform a Medicare.gov site-specific search there. |
| Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? | Yes |
| How does the public navigate to the third party Website or application from the OPIDIV? | Incorporated or embedded on HHS Website |
| Please describe how the public navigate to the third-party website or application: | When they click the search icon in the upper-right area of the page, enter a search term, and press enter. |
| If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? | No |
| Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? | No |
| Provide a hyperlink to the OPDIV Privacy Policy: | https://www.medicare.gov/privacy-policy/third-party-privacy-policies |
| Is an OPDIV Privacy Notice posted on the third-party Website or application? | No |
| Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy. | |
| Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? | |
| Is PII collected by the OPDIV from the third-party Website or application? | No |
| Will the third-party Website or application make PII available to the OPDIV? | Yes |
| Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: | We do not intentionally collect PII; however, a small number of Medicare.gov users may enter information like MBIs or SSNs into the search. To mitigate these risks, we configured a regular expression in Adobe CJA to detect and redact both MBIs and SSNs. |
| Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: | We are not sharing this PII with anyone. |
| If PII is shared, how are the risks of sharing PII mitigated? | Not applicable |
| Will the PII from the third-party Website or application be maintained by the OPDIV? | No |
| If PII will be maintained, indicate how long the PII will be maintained: | |
| Describe how PII that is used or maintained will be secured: | All search queries entered into the search box are collected in the search agent's data storage bucket and can be reviewed by administrators in the Analytics tab when viewing agent information in the Agent Builder User Interface. Applicable controls will be layered at each point in the data flow:
|
| What other privacy risks exist and how will they be mitigated? | The risk is that query data is sent to other applications (Adobe CJA and Splunk). To mitigate these risks, we set up a regular expression in Adobe CJA to identify both MBIs and SSNs and redact them. We can also configure logging in Splunk to notify the team if any strings that appear to contain PII end up in our custom search endpoint. |
Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services