Marketplace Notice Production Services

Date signed: 8/26/2025

PIA information for the Marketplace Notice Production Services system
OPDIV: CMS
PIA Unique Identifier: P-5948891-460554
Name: Marketplace Notice Production Services
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? Yes
Identify the operator: Contractor
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 11/15/2024
Indicate the following reason(s) for updating this PIA. Choose from the following options. PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.

The Marketplace Notice Production Services (MNPS) Administrators, Developers, and Information Systems Security Officer (ISSO) have the appropriate authorized and approved permissions to make changes to the MNPS system based on their respective roles and responsibilities. There have been no major changes to the MNPS environment since the last PIA; however, the following minor changes are made on an ongoing basis as required:

The MNPS Administrators make software updates and perform patching activities to support the MNPS mission, business requirements, and compliance efforts.

The MNPS Developers implement content updates to the PDF Forms to support the MNPS mission and business requirements.

The MNPS ISSO ensures Federal Regulations & Standards have been followed and provides updates to MNPS-related documentation on an as-needed basis when major and/or minor implementations have been applied.

Describe the purpose of the system: Marketplace Notice Production Services (MNPS) was established under the Affordable Care Act (ACA) to support the Centers for Medicare & Medicaid Services (CMS). Its purpose is to assist individuals, families, and employers in applying for or enrolling in health coverage through the Health Insurance Marketplace. Additionally, MNPS does not utilize any functions from Health and Human Services (HHS).
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The MNPS supports Notice Generations, Appeals and Exemptions, as well as Issuer Onboarding.

The MNPS Notice Generation does not collect any Personally Identifiable Information (PII). Notice Generation is a web-based service that is called from external applications to generate Notice Portable Document Format (PDF) files.

The MNPS Exemptions does not collect, maintain (store), or share any PII. MNPS provides content within PDFs for users to fill out, sign, download, and mail to the Health Insurance Marketplace.

The MNPS Issuer Onboarding collects the following PII-related information: Last Name, First Name, Primary Phone, Secondary Phone Number, Email Address, and Qualified Health Plan Identifier. The MNPS Structured Query Database (SQL DB) is used to store PII-related information and is encrypted and compliant according to FIPS 140-2 standards. Additionally, the other non-PII-related information that is collected is Partner Name, Address, Email Address, Tax Payer Identifier Number, Phone Number, Fax Number, Trading Partner ID, Payee Group Number, Clearinghouse Name, Clearinghouse TPID, EDI Transaction or Service, Version, Reason for Request A/C/D, Start Date, End Date, and Optional Clearinghouse Relationship (TPID).

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

Marketplace Notice Production Services (MNPS) was established under the Affordable Care Act (ACA) to support the Centers for Medicare & Medicaid Services (CMS). Its purpose is to assist individuals, families, and employers in applying for or enrolling in health coverage through the Health Insurance Marketplace. MNPS supports Notice Generations, Appeals and Exemptions, as well as Issuer Onboarding. Additionally, MNPS does not utilize any functions from Health and Human Services (HHS).

The MNPS Notice Generation does not collect any PII-related information. Notice Generation is a web-based service that is called from external applications to generate Notice PDFs.

The MNPS Exemptions does not collect, maintain (store), or share any PII. MNPS Exemptions provides content within PDFs for users to fill out, sign, download, and mail to the Health Insurance Marketplace.

The MNPS Issuer Onboarding collects the following PII-related information: Last Name, First Name, Primary Phone, Secondary Phone Number, Email Address, and Qualified Health Plan Identifier. The MNPS SQL DB is used to store PII-related information and is encrypted and compliant according to FIPS 140-2 standards. Additionally, PII is not shared.

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Other - Issuer or Issuer Administrator
How many individuals' PII is in the system? 100,000-999,999
For what primary purpose is the PII used? The primary purpose of collecting PII is to enroll issuers.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research): There is no secondary use for which PII will be used.
Describe the function of the SSN. MNPS does not collect, maintain, or store SSN.
Cite the legal authority to use the SSN. MNPS does not collect, maintain, or store SSN.
Identify legal authorities governing information use and disclosure specific to the system and program.
  • Affordable Care Act (ACA), Section 1414; Affordable Care Act (ACA), Section 1411, 42 U.S.C. Section 18081.
Are records on the system retrieved by one or more PII data elements? No
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
  • Other - FFM and Issuer Onboarding URL
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
Identify the sources of PII in the system: Non-Government Sources
  • Other - None
Identify the OMB information collection approval number and expiration date
  • OMB control number: 0938-1156
    • CMS Form Number: CMS-10400 Title: Establishment of Exchanges and Qualified Health Plans  
    • Expiration Date: 06/30/2024.
Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. MNPS is a subsystem of Federal Facilitated Marketplace (FFM); therefore, FFM would be responsible for prior notifications regarding the collection of PII-related information. Additionally, FFM maintains its own separate PIA.
Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. MNPS is a subsystem of FFM; therefore, in order to opt out, individuals will need to notify FFM. Individuals would contact the FFM helpdesk at 855-267-1515 or email at FFM Helpdesk. Additionally, FFM maintains its own separate PIA.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. MNPS is a subsystem of FFM; therefore, FFM would be responsible for notification and consent of individuals regarding PII. Individuals would contact the FFM helpdesk at 855-267-1515 or email at FFM Helpdesk. Additionally, FFM maintains its own separate PIA.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. MNPS is a subsystem of FFM; therefore, FFM would be responsible for notification and consent of individuals regarding PII. Individuals would contact the FFM helpdesk at 855-267-1515 or email at FFM Helpdesk. Additionally, FFM maintains its own separate PIA.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. The MNPS environment is reviewed annually for data integrity, availability, accuracy, and relevancy.
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: CMS employees are end users of the system and they would have access to system records. These users' access is provided by the CMS Enterprise User Administration (EUA) team.
  • Administrators: The MNPS Administrators will require the appropriate access to make software updates and perform patching activities to support MNPS mission, business requirements, and compliance efforts.
  • Developers: The MNPS Developers will require the appropriate access to make software updates and perform testing activities to support MNPS mission, business requirements, and compliance efforts.
  • Contractors: The MNPS Administrators and Developers, who are Direct Contractors using CMS credentials and are considered CMS employees, will require the appropriate access to make software updates and perform patching activities to support MNPS mission, business requirements, and compliance efforts. Additionally, there are no third-party Contractors that require access to the MNPS environment.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. Only MNPS Administrators and Developers, who are Direct Contractors using CMS credentials and are considered CMS employees, have access to PII-related information based on their appropriate roles and responsibilities.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. Only MNPS Administrators and Developers, who are Direct Contractors using CMS credentials and are considered CMS employees, have access to PII-related information based on their appropriate roles and responsibilities. All MNPS Administrators and Developers have read, signed, and acknowledged the Rules of Behavior.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. All MNPS Administrators and Developers, who are Direct Contractors using CMS credentials and are considered CMS employees, have taken Security Awareness and Privacy Training. Additionally, all MNPS Administrators and Developers have read, signed, and acknowledged the Rules of Behavior.
Describe training system users receive (above and beyond general security and privacy awareness training): MNPS Administrators and Developers, who are Direct Contractors using CMS credentials and are considered CMS employees, are required to take and complete Role-based training and continuous education requirements based on the appropriate Roles and Responsibilities.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. There is a 10-year records retention schedule, per current CCIIO Records Management information, and approved by OSORA.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Access to the MNPS environment is on a need-to-know basis. Only vetted and approved MNPS Administrators and Developers, who are Direct Contractors using CMS credentials, have access to the MNPS environment. All MNPS Administrators and Developers have taken Security Awareness and Privacy Training. Additionally, all MNPS Administrators and Developers have read, signed, and acknowledged the Rules of Behavior.

MNPS adheres to NIST 800-53 for all technical control requirements. The MNPS Administrators and Developers utilize CMS MFA for access and authentication. The MNPS instance of the CMS AWS environment contains a Web Application Firewall (WAF) for network access, a Virtual Private Network (VPN) for secured and encrypted sessions, Transport Layer Security (TLS) for data in transit, FIPS 140-2 compliance standards for data at rest, and Network and Data Monitoring for anomalies and Intrusion Detection. Additionally, the MNPS environment is scanned weekly for vulnerability and compliance requirements.

MNPS is an instance within the CMS AWS environment; therefore, physical controls do not apply.

Identify the publicly-available URL:

The two (2) publicly-available URLs for MNPS are the following:

  1. MNPS Exemptions URL provides content within PDFs for users to fill out, sign, download, and mail to the Health Insurance Marketplace.

    Exemption applications

  2. MNPS Electronic Data Interchange (EDI) URL provides content within PDFs for users to fill out, sign, download, and mail to the Health Insurance Marketplace.

    Electronic Data Interchange (EDI) Enrollment Form

Does the website have a posted privacy notice? Yes
Is the privacy policy available in a machine-readable format? Yes
Does the website use web measurement and customization technology? Yes
Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply)
  • Session Cookies - Collects PII?: No
  • Persistent Cookies - Collects PII?: No
Does the website have any information or pages directed at children under the age of thirteen? No
Does the website contain links to non-federal government websites external to HHS? No

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services