Health Plan Finder Application
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 6/6/2024
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-3847502-912520 |
| Name: | Health Plan Finder Application |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 2/26/2025 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | None |
| Describe the purpose of the system | The Health Plan Finder application (HPF) is part of the Federally Facilitated Marketplaces (FFM) public website, healthcare.gov. Consumers may provide basic information to review and compare different healthcare insurance plan options. HPF is part of the Healthcare.gov (HC.gov) Integration project and includes four systems: Finder.HealthCare.gov is the URL for the HPF application, a federal government website that helps users that do not qualify for the Advance Premium Tax Credit (APTC) find non-qualified health insurance plans that meet the federal mandate for coverage. The HPF application targets two primary audiences 1) individuals and families that do not qualify for the APTC and 2) employees of small businesses. Finder.Healthcare.gov/#services provides users with instructions on interfacing to the Health Insurance Oversight System (HIOS) Finder Application Program Interface (API) for data extraction. The site also has descriptions of each API and samples of the HIOS API data. CompanyProfiles.HealthCare.gov is an application that allows users to review an issuer’s Medical Loss Ratio (MLR) results for the either the most recent reporting year or the year selected by the user. RateReview.Healthcare.gov provides access to rate review submissions that meet the 10% threshold for a justification review. Rate reviews are submitted by issuers using two different templates. The Universal Rate Review (URR) template, which is submitted through the FFM. The URR application is used for Affordable Care Act (ACA) compliant products, which meet all ACA requirements for inclusions on state and federal healthcare insurance exchanges. The Rate Review Justification (RRJ) template, which is submitted through the HIOS rate review application, is used for transitional & student products, which are not typically compliant with all ACA regulation and protections but are still subject to rate review requirements. The Rate Review application has a single gateway that allows the user to select the type of search they wish to execute. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The tools within HPF do not store any data in the application. The inputs are requested from the user to provide information for the current session only. Applications : Finder.healthcare.gov: For primary user: ZIP code, start Coverage Date, Sex, Date of Birth (DOB), Tobacco Usage (if yes - Months Since Last Usage) For spouse / dependents: Relation to Primary, Lives with Primary, Sex, DOB, Tobacco Usage (if yes - Months Since Last Usage) CompanyProfiles.healthcare.gov: State, Company, National Association of Insurance Commissioners (NAIC) Number, Medical Loss Ratio (MLR) Operating Year. RateReview.healthcare.gov: State, Company Metrics Tools -Domain from which you access the Internet - IP address (an IP or internet protocol address is a number that is automatically given to a computer connected to the Web) - Operating system on your computer and information about the browser you used when visiting the site - Date and time of your visit - Pages you visited -Address of the website that connected you to HealthCare.gov (such as google.com or bing.com) |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The HPF application is primarily to assist consumers with reviewing and comparing healthcare insurance plans offered through the FFM and determine which one is best for their family. The information input by the consumer is temporary and is automatically deleted after the consumer leaves the web page. The tools within HPF do not store any data in the application. The inputs are requested from the user to provide information for the current session only. Applications : Finder.healthcare.gov: For primary user: ZIP code, start Coverage Date, Sex, Date of Birth (DOB), Tobacco Usage (if yes - Months Since Last Usage) For spouse / dependents: Relation to Primary, Lives with Primary, Sex, DOB, Tobacco Usage (if yes - Months Since Last Usage) CompanyProfiles.healthcare.gov: State, Company, National Association of Insurance Commissioners (NAIC) Number, Medical Loss Ratio (MLR) Operating Year. RateReview.healthcare.gov: State, Company Metrics Tools -Domain from which you access the Internet - IP address (an IP or internet protocol address is a number that is automatically given to a computer connected to the Web) - Operating system on your computer and information about the browser you used when visiting the site - Date and time of your visit - Pages you visited -Address of the website that connected you to HealthCare.gov (such as google.com or bing.com) HPF support staff do not access the system directly with user credentials but access through another CMS system, Amazon Web Services (AWS) Identity and Access Management (IAM), which has its own PIA for the personally identifiable information (PII) that resides within it. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | Public Citizens |
| How many individuals' PII in the system? | <100 |
| For what primary purpose is the PII used? | The primary purpose of using PII is to provide individuals optional healthcare insurance plans to review and compare to select the one the best meets their needs. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable |
| Describe the function of the SSN. | Not applicable |
| Cite the legal authority to use the SSN. | Not applicable |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Patient Protection and Affordable Care Act (Public Law No. 111–148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law No. 111–152) Affordable Care Act Title 42 U.S.C. sections 18031, 18041, 18081—18083 and section 1321(c) and 1414 |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
| Identify the sources of PII in the system: Non-Government Sources | Members of the Public |
| Identify the OMB information collection approval number and expiration date | OMB# 0938-1086 and expiration date: 12/30/2020. Collection has been submitted to OIRA as of 02/18/2021. Will update when approved. https://www.federalregister.gov/documents/2021/02/09/2021-02580/agency-information-collection-activities-submission-for-omb-review-comment-request |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | All the information collected can be seen by the user on the form inputs. The information collected is only used to retrieve basic plan data. No inputs from the user are stored in the HPF system. The information they enter is only used during their web session and is deleted once their visit is complete. The following text is displayed prior to entering any information in the HPF site: Your privacy is protected. Read our privacy policy. Your answers are used by HealthCare.gov only to help generate your insurance options. The site does not keep this information. It deletes the information after your visit is done. A link is embedded in that text that takes the user to the following web page: https://www.healthcare.gov/privacy/ |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Users have the option to research health plans available to them via other sources/websites and can therefore choose to not enter the HPF system and not enter their information into the HPF web forms. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | HPF does not store any data entered by the user. The information they enter is only used during their web session and is deleted once their visit is complete. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | All the information collected can be seen by the user on the form inputs. In addition, the information collected is only used to retrieve basic plan data. No inputs from the user are stored in the HPF system. If the user enters their information incorrectly, they can simply re-enter their information in the form fields and re-submit the form to retrieve updated plan results. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | CMS has a National Institute of Standards and Technology (NIST)-compliant continuous monitoring program with regularly scheduled system audits, at least annually, and monthly/quarterly scanning to ensure system integrity and availability. As part of CMS, HPF is included within that monitoring system. To ensure the integrity, availability, accuracy, and relevancy of the PII in HPF, the following methodologies are used. HPF users can manage their own PII by editing their profile after they have registered with the system for data integrity, accuracy, and relevancy. HPF staff do not have backend access to PII, only users do. The information they enter is only used during their web session and is deleted once their visit is complete. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The HPF user interfaces limit the display of PII to only those elements needed to perform specific tasks. Role-based access controls to ensure system support staff (CMS Health Insurance Oversight System (HIOS) are granted access on a "need-to-know" and "need-to-access" basis which correspond to their assigned duties. The CMS System Owner determines who has an administrative account via HIOS on this system and reviews all accounts periodically and as needed. As provided by the HPF System Security Plan (SSP), system support staff users access HPF through AWS, which uses role-based access and job code access and assigns user credentials to specific individuals per CMS HIOS guidance. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Per the HPF SSP document, access to HPF is through AWS which uses role-based access controls, disables old or inactive accounts, and uses multi-factor authentication to allow access to any applications that it hosts. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Both CMS employees and contractor (including direct contractors) staff who access or operate HPF are required to complete the annual CMS Security Awareness training provided annually as computer-based training (CBT) course. Contractors (including direct contractors) also complete their annual corporate security training. Individuals with privileged access must also complete annual role-based security training commensurate with the position they are working in.
|
| Describe training system users receive (above and beyond general security and privacy awareness training) | CMS employees and contractors with privileged access are required to complete annual role-based training and meet continuing education requirements commensurate with their role. This training is required to maintain Enterprise User Administration (EUA) access. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | HPF follows the CMS Records Schedule that was published in April 2015 and the National Archives and Records Administration General Records Schedule (GRS) 5.1 and 5.2 (July 2017). Specifically, for PII that is securely stored in the Marketplace Lite (MPL) database, the National Archives Records Association (NARA), General Records Schedule (GRS) 5.1 states that HPF will destroy such record immediately after copying to a recordkeeping system or otherwise preserving, but longer retention is authorized if required for business use. GRS 5.2 states that HPF will destroy records upon verification of successful creation of the final document or file, or when no longer needed for business use, whichever is later. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Technical: To protect the data in transit, all communication on the HPF website is performed over an encrypted channel, namely HTTPS. Any data that is used during the user’s session is encrypted and stored in a secure session cookie. Administrative: Only system administrators that are required to perform maintenance tasks have remote access to the servers and this requires multi-factor authentication. Physical: In addition, HPF is hosted on a Federal Risk and Authorization Management Program (FedRAMP) certified environment, which provides additional layers of security at the physical and network layers that include security guards, climate-controlled facilities, identity verification for access. |
| Identify the publicly-available URL: | (1) https://finder.healthcare.gov (2) https://companyprofiles.healthcare.gov (3) https://ratereview.healthcare.gov/ |
| Does the website have a posted privacy notice? | Yes |
| Is the privacy policy available in a machine-readable format? | Yes |
| Does the website use web measurement and customization technology? | Yes |
| Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply) | Session Cookies |
| Session Cookies - Collects PII?: | No |