Skip to main content

Marketplace Outreach Data System

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 11/22/2024

PIA Information for the Marketplace Outreach Data System
PIA QuestionsPIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-1838448-130005

Name:

Marketplace Outreach Data System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

9/22/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

OMB information collection approval expiration updated to 07/31/2027

Describe the purpose of the system

The Marketplace Outreach Data System (MODS) is a Centers for Medicare & Medicaid Services (CMS) internal application which compiles consumer contact data from the Multidimensional Insurance Data Analytics System (MIDAS), GovDelivery, and the CMS Call Center into an analytics database. The information is used for targeted outreach (communication) efforts and research on the effectiveness of outreach efforts in connection with consumers who have expressed interest in enrolling in or begun the process of enrolling in the Federally Facilitated Marketplaces (FFM).

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

MODS receives information from both MIDAS and GovDelivery daily through a secure Electronic File Transfer (EFT) method and information on a weekly basis from the CMS FFM Call Center. 

MODS receives daily snapshots of the following data from MIDAS about the people seeking health insurance on the FFM website, healthcare.gov. Contact information, which includes: name; email address; phone number; and mailing address. Account information, such as: account creation date and last login date. Application information, such as: date of birth, application creation date, application submission date, cost-sharing reduction eligibility and tax credit eligibility information. Insurance plan information, such as: insurer, plan coverage level, plan start date, and plan end date.

 

MODS receives snapshots, every two hours of the following data from CMS email vendor GovDelivery: Subscriber data about people seeking health insurance on the FFM, including email address; and date subscribed and date unsubscribed; and Analytics data about emails received from GovDelivery to subscribers including the date the person opened the email and date they clicked a link in an email.

 

MODS receives weekly snapshots of the following data from CMS’ call center: the caller’s name, phone number, call time and duration, and call result, such as whether the person was directed back to the FFM website.

 

MODS receives snapshots weekly, of the following data from the Chief Technology Officer's (CTO) Technical Advisory Committee (CTAC) from people affected by the Medicaid unwinding; contact information, which includes: name, email address, phone number, and mailing address, and Medicaid enrollment and application status. 

 

MODS transfers targeted lists back to GovDelivery for outreach as instructed by CMS Office of Communication (OC). These lists may include the following data. Contact information of consumers seeking health insurance on the FFM, including name, email address, phone number and language preference. Geographic information about the consumer, such as a zip code or parts of the mailing address (city and state).

 

MODS transfers targeted lists to the CMS Call Center for outreach as instructed by CMS OC. These lists may include the name, phone number and language preference of those consumers seeking healthcare coverage through the FFM. 

 

To access MODS, system users must log in to CMS IDM using their Enterprise User Administration Identification (EUA ID), password, and Multi-Factor Authentication (MFA) code. System users are CMS employees and CMS direct contractors.

Marketplace Outreach Data System

 

MODS receives the BEST_CSR_AMT field from MIDAS which provides us with the cost sharing amount per policy. MODS receives the MAX_APTC_AMOUNT from MIDAS in the plcy_max_aptc_Xprt which shares the APTC amount per application. MODS does not collect or store SSN for any purpose.

 

 

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

MODS compiles information about consumers who have expressed interest in enrolling in or started to enroll in the FFM through the healthcare.gov website. The information is provided to MODS by other CMS systems, MIDAS, GovDelivery, and the CMS FFM Call Center. The information is used for targeted outreach (communication) efforts and research on the effectiveness of outreach efforts with consumers.

The information received by MODS, from both MIDAS and GovDelivery, is daily through a secure Electronic File Transfer (EFT) method and on a weekly basis from the CMS FFM Call Center. This is consumer information, such as contact information, including geographical, and communication information, email correspondence, about consumers. All three of these systems have Privacy Impact Assessments (PIAs) to address the Personally Identifiable Information (PII) that is collected, maintained and shared by those systems with MODS.

MODS creates lists from the data that are transferred back to GovDelivery and the Call Center on a daily or weekly basis to enable them to contact people seeking health insurance on the FFM. These communications are ongoing throughout the year, and especially during Open Enrollment for healthcare. They are to help consumers understand when and how to choose the best coverage for their individual circumstances, and how to maintain and use that coverage throughout the year. 

 

The MODS data is incorporated into reports and analysis used by the Office of Communication to continuously measure, assess the effectiveness of, and improve outreach performance; and to study and understand users’ knowledge and behavior when engaging with the FFM website, healthcare.gov.

 

To access MODS, system users input user credentials for CMS IDM: their EUA ID, password, and MFA code.

MODS staff do not routinely retrieve records using personal identifier. In very rare cases (approximately once per year), per documented policies, personnel may retrieve a record using PII to investigate a reported system error or inconsistency.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name

  • E-Mail Address
  • Phone Numbers
  • Date of Birth
  • Mailing Address
  • Other - Language preference, User ID and password (Non-sensitive PII)

Indicate the categories of individuals about whom PII is collected, maintained or shared.

Public Citizens

How many individuals' PII in the system?

1,000,000 or more

For what primary purpose is the PII used?

PII is used to produce lists for outreach via email, Short Message Service (SMS), and outbound phone calls.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

PII is also used to report on and analyze the effectiveness of outreach activities. Non-sensitive PII is also used for system login by system users.

Describe the function of the SSN.

Not applicable

Cite the legal authority to use the SSN.

Not applicable

Identify legal authorities​ governing information use and disclosure specific to the system and program.

Patient Protection and Affordable Care Act, 42 U.S.C. § 18001 (2010); 5 USC 301 Departmental regulations

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

  • In-Person

  • Online

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

0938-1191, expiration date 07/31/2027

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Since MODS does not directly collect PII from consumers, there isn't a method to notify them that PII is collected. MODS receives consumer PII from GovDelivery and MIDAS. Those systems are responsible for notifying individuals that their PII is collected.

System users are notified that their non-sensitive PII (user credentials) is being collected at login by a banner notice.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

There is no method for MODS users to opt-out of providing their PII to access the system as it is required to utilize the system. Since MODS does not directly collect any PII from consumers, but from MIDAS and GovDelivery, those systems are responsible for opt-out methods.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

MODS does not have a defined process to notify and obtain consent from the individuals whose PII is in the system when major changes occur because the data is inherited from MIDAS, CTAC, and GovDelivery. Those systems are responsible for notifying and obtaining consent from individuals.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

MODS does not directly interact with consumers, so there isn't a process in place if a consumer has concerns about their PII. They would contact the CMS FFM Call Center.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

There is not a defined process for periodic reviews of PII in MODS because the data is inherited from MIDAS, CTAC, and GovDelivery. The PII is transferred on a daily and weekly basis from MIDAS and GovDelivery and that process would inherently update any information as those systems would update and change any PII to ensure the integrity, availability, accuracy, and relevancy. MODS does receive and store PII in secured formats. 

Identify who will have access to the PII in the system and the reason why they require access.

  • Administrators: Administrator access is required to ensure MODS is functioning properly.

  • Developers: Developer access is required to ensure the data pipeline is functioning properly.
  • Contractors: CMS' direct contractors, in their roles as administrators, developers and analysts, would have access to PII to perform the job functions of those positions.
  • Others - Analysts: Analysts require access to conduct data analysis and run reports.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

MODS uses role-based access controls to ensure that administrators, developers, and analysts are granted access on a ‘least privilege’ basis, so that only those with the "need" to access the system are granted access for their assigned task/duties only.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

MODS uses role-based access controls to ensure that administrators, developers, and analysts are granted access on a ‘least privilege’ Specifically, only administrators have access to all environments; analysts only have access to the database information but cannot edit or modify it; and developers will only have access to programing and related information.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All MODS users are required to take the CMS Information Security and Privacy training on an annual basis, or whenever changes to the training module have been made. This training includes details on the handling of PII.

Describe training system users receive (above and beyond general security and privacy awareness training)

CMS employees and contractors with privileged access are required to complete role-based training and meet continuing education requirements commensurate with their role. Other training such as conferences, seminars and classroom training provided by CMS/Health and Human Services (HHS) is available apart from the regular annual training.

Role-based security training is completed once before a position is started and annually thereafter. 

 

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The retention and destruction of MODS data is governed by the CMS Records Schedule. This schedule is aligned with the National Archives and Records Administration (NARA) guidelines for data retention and destruction.  The following CMS Records Schedule Items apply:

Enrollment Records
Disposition Authority Number: DAA-0440-2015-0006-0001
Cutoff Instruction: Cutoff at the end of the calendar year.
Retention Period: Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized.

Beneficiary Records
Disposition Authority Number: DAA-0440-2015-0007-0001
Cutoff Instruction: Cutoff at the end of the calendar year.
Retention Period: Destroy no sooner than 10 year(s) after cutoff but longer retention is authorized.

Provider and Health Plan Records
Disposition Authority Number: DAA-0440-2015-0008-0001
Retention Period: Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized.

Analytic and Research Files (restricted)
Disposition Authority Number DAA-0440-2015-0009-0002
Transfer to the National Archives for Accessioning: 20 year(s) after cutoff. 

Research and Program Analysis: Supporting Records
Disposition Authority Number: DAA-0440-2015-0009-0003
Cutoff Instruction: Cutoff at the end of the calendar year.
Retention Period: Destroy 10 year(s) after cutoff or when no longer needed for agency business, whichever is later.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Access is restricted to a small set of users. Users must be whitelisted (approved) by CMS and have a CMS user account. Users can only access the system from an approved Internet Protocol (IP) address.

Technical controls include encryption of transmitted and maintained information, the use of intrusion detection and prevention technologies and multifactor authentication to access the system. 

The system is located within a CMS certified data center with physical controls, such as limited access to the building, the presence of security guards and video monitoring.