
Marketplace Electronic Data Interchange

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 12/19/2024

PIA Information for the Marketplace Electronic Data Interchange
PIA Questions / PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-6234705-944727

Name:

Marketplace Electronic Data Interchange

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

1/30/2025

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Migration from the Amazon Web Services (AWS) V3 environment to the V4 environment, resulting in the elimination of the Application Zone tier. Facilitated encryption of data in transit via the Centers for Medicare and Medicaid Services (CMS) Program of All-Inclusive Care for the Elderly (PACE) solution. Simple Mail Transfer Protocol (SMTP) encryption for email alerts.

Describe the purpose of the system

The Marketplace Electronic Data Interchange (MPEDI) is used in the Health Insurance Marketplace to:

Provide data validation and transformation for the X12 compliant data sets received from different issuers.

Provide enrollment transmission, effectuation, and reconciliation with Issuers.

Send vendor/payee information and invoice information to Healthcare Integrated General Ledger Accounting System (HIGLAS).

Create Payee Netting Reports (PNR) to enable the Preliminary Payment Report (PPR) approval processes.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The MPEDI system processes Electronic Data Interchange (EDI) files, which are in the form of Java Messaging System (JMS) messages. JMS is a computer application language used to produce and consume messages that can then be used by other software applications. When they are received by MPEDI, the JMS messages contain name, address, date of birth (DOB), taxpayer identification (ID), mother's maiden name, and social security number (SSN) for the Health Insurance Marketplace applicants. This information is stored for three months.

The system only collects information (i.e. user credentials) about system administrators to control access. The Edifecs Transaction Manager (TM) is the interface used for administration and only contains user credentials for administrators. The credential information collected and maintained is name, phone number, email address, username, and password. This information is also stored for three months.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

MPEDI is used in the Health Insurance Marketplace to transmit enrollments and financial information to issuers (Health Insurance Companies). The system transmits this information back from the issuers as well so that the Marketplace data can be updated. The MPEDI system processes EDI files which contain name, address, DOB, and SSN information for the applicants. This information is stored in the MPEDI system.

MPEDI is not involved in the direct collection of Personally Identifiable Information (PII) from individuals; it is transferred via machine language from the Federally Facilitated Marketplace (FFM), which is covered under a separate PIA.

The system only collects information (i.e. user credentials) about system administrators to control access. The Edifecs TM is the interface used for administration and only contains user credentials for administrators. The credential information collected and maintained is name, phone number, email address, username and password. 

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Social Security Number

  • Name

  • Mother's Maiden Name

  • E-mail Address

  • Phone Numbers

  • Taxpayer ID

  • Date of Birth

  • Mailing Address

  • Other - System administrator’s user credentials

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Public Citizens

  • Vendors/Suppliers/Contractors

How many individuals' PII is in the system?

1,000,000 or more

For what primary purpose is the PII used?

Issuers need the PII to enroll someone in the Health Insurance Marketplace, and this PII is required to be sent in the standard Accredited Standards Committee (ASC) X12 EDI 834 Enrollment Implementation Format when someone needs to be enrolled in the health plan. ASC X12 EDI 834 is a standard data format developed and maintained by ASC for electronically exchanging health plan enrollment data between employers and health insurance carriers. ASC X12 EDI 834s are used to transmit Health Insurance enrollment information to the issuers.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

N/A

Describe the function of the SSN.

MPEDI does not use SSN. MPEDI only processes EDI files containing SSNs for Health Insurance Marketplace applicants. PII, including SSNs, is translated by MPEDI and submitted back to issuers.

Cite the legal authority to use the SSN.

Section 1411 of the Patient Protection and Affordable Care Act (ACA).

Identify legal authorities governing information use and disclosure specific to the system and program.

Sections 10332 and 1414 of the Patient Protection and Affordable Care Act (ACA). 5 United States Code (USC) Section 301, Departmental Regulations.

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Online

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Members of the Public

Identify the OMB information collection approval number and expiration date

Office of Management and Budget (OMB) Control Numbers:
CMS Form Number: CMS-10400
Title: Establishment of Qualified Health Plans and American Health Benefit Exchanges
OMB control number: 0938-1156
Expiration Date: 06/30/2024

Is the PII shared with other organizations?

Yes

Identify with whom the PII is shared or disclosed and for what purpose.

  • Other Federal Agency/Agencies

  • Private Sector

Within HHS Explanation:

NA

Other Federal Agency/ Agencies Explanation:

HIGLAS and the Federally Facilitated Marketplace to process enrollment and financial information.

State or Local Agency/ Agencies Explanation:

NA

Private Sector Explanation:

Multiple insurance providers (Issuers) for enrollment in Health Insurance Marketplace.

Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

Not applicable. There are no agreements in place. The data shared in the MPEDI system consists of EDI files, which are in the form of JMS messages. JMS messages are a computer application language used to produce and to consume messages that can then be used by other software applications.

This sharing of the PII in the MPEDI is not subject to an agreement because MPEDI is merely passing the data from one system to another (machine-to-machine) while translating the file type that goes back and forth. MPEDI is part of the Federal Data Services Hub (FDSH) data exchange “common infrastructure”.

Describe the procedures for accounting for disclosures

Not applicable. The MPEDI is not involved in the direct collection of PII from individuals; it is transferred from the FFM.

Refer to the PIA for FFM for the procedures related to the accounting for disclosures.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Not applicable. Individuals cannot be notified or have their consent obtained because MPEDI is not involved in the direct collection of PII from individuals; it is transferred from the FFM.

Refer to the PIA for FFM for the procedures related to the accounting for disclosures.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Not applicable. There is no option to opt-out via the MPEDI. The MPEDI does not directly collect PII; it is transferred from the FFM.

Refer to the PIA for FFM.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Should a major change occur, the privacy statement on healthcare.gov will be updated. Consent is obtained by the system with which the data originates.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The PII within this system is not collected by the MPEDI. The PII is collected from the individual by another CMS system, which is the FFM. The PIA for the FFM should reflect how the collection process is addressed.

An individual can contact the Health Insurance Marketplace call center at 1-800-318-2596, if he or she believes his or her PII has been inappropriately obtained, used, disclosed, or that the PII is inaccurate.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

There is no process of periodic reviews of PII contained in the MPEDI because there is no collection of PII within the system. Processing and transfers of data are done at the machine level.

Identify who will have access to the PII in the system and the reason why they require access.

  • Administrators: Administrators have the capability to view PII, but cannot modify the PII within MPEDI. As part of the inherent workflow of the system, administrators can access the data files containing PII, but do not use it because their job functions do not require it.

  • Contractors: Direct Contractors have the capability to view PII but cannot modify the PII within MPEDI. As part of the inherent workflow of the system, Contractors require access to the Transaction Manager in MPEDI, where the PII is housed, to perform daily tasks. Contractors cannot modify the PII within MPEDI.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Access to production is provided only to those who are within the EDI support team and only those resources will have access to the PII. Any additional data requests require approval from Sparksoft Corp, FDSH leadership, the FDSH Government Task Lead (GTL) and the CMS Change Control Board (CCB).

MPEDI uses the principle of least privilege, as well as role-based access control (RBAC), to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

MPEDI is designed with RBAC. RBAC restricts system access to authorized users only, and users can only access information granted by their role.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Federal employees and direct contractors who access or operate a CMS system are required to complete the annual CMS Security Awareness training provided as a Computer Based Training (CBT) course. Individuals with privileged access must also complete role-based security training commensurate with the position they hold.

Describe training system users receive (above and beyond general security and privacy awareness training)

Not applicable.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

CMS follows the National Archives and Records Administration (NARA) General Records Schedules (GRS), GRS 3.1 General Technology Management, GRS 3.2 Information Systems Security Records, GRS 4.1 Records Management Records, and GRS 3.4 Input Records, Output Records, and Electronics for the retention and destruction of PII within MPEDI. The Records Disposition Authority and General Records Schedules fall under DAA-0440-2015-0006-0001. The retention and destruction of data for the MPEDI is handled by AWS, which is the Cloud Services Provider for the MPEDI.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Physical Controls: Physical controls are inherited from the AWS Cloud Services Provider. Personnel having access to the system have been trained in the Privacy Act and information security requirements. All technical and administrative controls will remain the same. 

Technical Controls: Access to records in the system is limited to authorized CMS personnel and contractors through password security, encryption in both the storage and transmission of data, firewalls, and secured operating systems.

Administrative Controls: MPEDI is built using industry best practices, and the PII will be secured administratively by ensuring that the system goes through the Certification and Accreditation process, that all documentation is submitted to Office Technology Solutions supporting the system, and that the system stays in compliance with the Federal Information Security Management Act (FISMA) regulations. The system is stored in the AWS Cloud and accessed via a Virtual Private Network (VPN).