Help On Demand
Date signed: 11/17/2020
| TPWA PIA Questions | TPWA PIA Answers |
|---|---|
| OPDIV: | CMS |
| TPWA Unique Identifier (UID): | T-8504754-660404 |
| Is this a new TPWA? | No |
| Please provide the reason for revision. | Revising the PIA as part of the review process for Help On Demand. |
| Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? | No |
| Indicate the SORN number (or identify plans to put one in place.) |
|
| Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? | No |
| Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) |
|
| Does the third-party Website or application contain Federal Records? | No |
| Describe the specific purpose for the OPDIV use of the third-party Website or application: | Help On Demand is an online application that will allow consumers to request assistance from CMS-registered agents and brokers in real time. Agents and brokers with a valid state license to sell health insurance can opt into the program after completing the annual CMS Agent Broker Exchange training and registration and signing the applicable agreements. After setting up a Help On Demand profile, agents and brokers must accept the Help On Demand Terms of Use for Agents and Brokers. Consumers request assistance via the Help On Demand website and provide basic contact information, including name, phone number or email address (depending on the consumer’s preferred mode of communication), city, state, zip code and preferred language). After the consumer enters his or her contact information, Help On Demand matches the consumer with an agent or broker who is available, speaks the consumer’s language, licensed in the consumer’s state, and registered with the Marketplace. This information will not be shared with CMS. If more than one agent or broker meets these criteria, Help On Demand directs the referral to the agent or broker who is geographically closest to the consumer. That agent or broker receives a notification from Help On Demand via email, text, and/or app notification, and has 15 minutes to accept or reject the referral before it moves to the next agent or broker who meets the criteria. No consumer personal information is provided to the agent or broker via these notifications. The agent or broker must log into the Help On Demand application, accept the referral, and then access consumer contact information through Help On Demand’s secure platform and provide Exchange enrollment assistance directly to that consumer. Once the agent or broker connects with a consumer, Help On Demand’s role in their interaction ends, and the relationship between the consumer and the agent and broker is governed by CMS’s regulation governing agent and brokers (45 C.F.R. 155.220) and CMS’s agreement with its registered agents and brokers. |
| Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? | Yes |
| Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: | Consumers are able to use the existing Find Local Help tool to locate agents and brokers in their area for enrollment assistance. Consumers are also able to access this comparable information by contacting the Federal Exchange’s Call Center or other resources by using the redirect to https://www.healthcare.gov/contact-us/ displayed on the consumer landing page. |
| Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? | Yes |
| How does the public navigate to the third party Website or application from the OPIDIV? | An external hyperlink from an HHS Website or Website operated on behalf of HHS. |
| Please describe how the public navigate to the third-party website or application: | The consumer will select a dynamic hyperlink (secure redirect) from the HealthCare.gov website. When a consumer clicks on the hyperlink to Help On Demand, they are delivered to the Help On Demand landing page with links to the CMS Privacy Notice that informs the consumer that Help On Demand is operated by a CMS contractor and that their use of the site is subject to the security standards and privacy policies of the Help On Demand website and BigWave Systems. Consumers are also informed that personally identifiable information they enter on the Help On Demand site will not be shared with HealthCare.gov or CMS and that CMS’s provision of a link to the site does not constitute an endorsement of the site, BigWave Systems, or the agents and brokers with whom they connect through the site. |
| If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? | Yes |
| Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? | Yes |
| Provide a hyperlink to the OPDIV Privacy Policy: | https://www.healthcare.gov/privacy |
| Is an OPDIV Privacy Notice posted on the third-party Website or application? | Yes |
| Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy. | Yes |
| Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? | Yes |
| Is PII collected by the OPDIV from the third-party Website or application? | No |
| Will the third-party Website or application make PII available to the OPDIV? | No |
| Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: | CMS will not collect PII from Help On Demand and PII will not be made available to CMS. |
| Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: | Help On Demand will not share with CMS PII provided to Help on Demand by consumers who wish to use the service. Rather, Help on Demand will fulfill its purpose by collecting PII from consumers and sharing it directly with participating agents and brokers. Such PII will include: name, phone number or email address (depending on the consumer’s preferred mode of communication), city, state, zip code and preferred language. Consumer PII will be shared only with participating Help On Demand agents and brokers who are registered with CMS and have requested to participate in the Help On Demand program. The Help On Demand system will share individual PII with only the one agent or broker who accepts the consumer’s request via the web application. |
| If PII is shared, how are the risks of sharing PII mitigated? | PII is only shared with the individual agent or broker who accepted the consumer’s request. CMS does not obtain information regarding the individual or broker. |
| Will the PII from the third-party Website or application be maintained by the OPDIV? | No |
| Describe how PII that is used or maintained will be secured: | CMS does not collect, store or share consumer PII submitted to Help On Demand. Help On Demand shares consumer PII with the single agent or broker who receives and timely accepts the referral to contact the consumer and assist with an Exchange application and/or enrollment. That agent or broker must log into the Help On Demand application in order to access the consumer PII. The Help on Demand solution is hosted in BigWave System’s Amazon AWS GovCloud using HIPAA/HITECH compliant services. AWS offers a commercial off-the-shelf infrastructure platform geared to public sector clients and government contractors with industry recognized certifications and audits such as ISO 27001, FedRAMP, and the Service Organization Control Reports (SOC1, SOC2, and SOC3). |
| What other privacy risks exist and how will they be mitigated? | Risk: Submission of PII to websites over the Internet presents the risk that the PII may be accessed/intercepted/used by third parties in a manner that the submitter did not intend. BigWave Systems makes no warranties or representations regarding the security of the data submitted to the Help On Demand application, and use of the Help On Demand website is at the consumer’s own risk. Mitigation: Although there is no 100% guarantee that consumer PII will not be intercepted when it is transmitted over the Internet, Help On Demand’s terms of use and privacy policy and notices from CMS and HealthCare.gov clearly outline these risks, which maximizes consumers’ ability to protect their information and mitigate risks to their privacy, including by opting out of submitting information directly to Help on Demand. Consumers can seek enrollment assistance directly from the Marketplace’s Call Center and through the ‘Find Local Help’ functionality on HealthCare.gov. To further protect consumer PII, BigWave Systems also has implemented privacy and security controls that limit the number of personnel who have access to consumer data, as well as background checks and ongoing security and privacy training. Moreover, all remote access to the BigWave Systems’ Development and testing environments is secured via a multi-factor authentication system. Risk: Consumers may misunderstand how their information will be used by the Help On Demand service and BigWave Systems. CMS and BigWave Systems may change or restrict use of the Help On Demand website and/or make changes to the services provided through the site at any time without notice. Mitigation: In an effort to help consumers understand how their information will be used and other terms affecting their use of the Help on Demand website and service, the Help On Demand website displays Help On Demand’s Terms of Use and Privacy Policy, as well as a CMS Privacy Notice. Help On Demand’s Terms of Use and Privacy Policy clearly explains that consumer PII submitted to the Help On Demand website will be used only to connect the consumer with an agent or broker who is available to provide Marketplace application and enrollment assistance. |
Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services