Premium Estimation Tool
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 5/15/2023
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-4781243-233826 |
Name: | Premium Estimation Tool |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 2/7/2025 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Not Applicable |
Describe the purpose of the system | The Premium Estimation Tool (PET) system has 5 subsystems: Window Shopping, Tax Tool (TT), Plan Compare 2.0 (PC2.0), Marketplace Application Programming Interface (API), and Machine Readable Tools (MRT) Coverage Portal. The Window Shopping subsystem enables consumers to get cost and eligibility estimates and browse available health and dental plans on Healthcare.gov, also known as the Federally Facilitated Marketplace (FFM) or Health Insurance Marketplace. The second subsystem, TT, assists consumers with determining tax exemption eligibility and premium tax credit eligibility. PC2.0 allows users to compare healthcare plans and to enroll in plans. The Marketplace API serves up plan data as well as provider and drug coverage data to support the consumer enrollment process in Window Shopping and Plan Compare 2.0. The Machine Readable Tools (MRT) Coverage Portal allows public end users (healthcare plan issuers) to view knowledge base articles, validate their machine readable schemas, and check their plan data coverage. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The Marketplace database stores and transmits: healthcare plans (publicly available) and stand-alone dental plans (publicly available). The Window Shopping subsystem processes but does not permanently collect the user's: zip code, sex, household income, ages of household members, tobacco usage, pregnancy, unemployment compensation, and status/existence of current healthcare coverage. The TT application processes but does not permanently collect the user's: zip code, county where each household member lived each month of the previous year, ages of family members, months they were eligible for employer coverage, and months during which they didn't have another coverage exemption. The PC2.0 subsystem collects from the public user temporarily, during the user session: tobacco usage over the last 6 months, and names of doctors, medicines and medical facilities which they intend to use. The PC2.0 subsystem collects for the public user from the FFM system indefinitely: healthcare plan data, user birthdate, sex, address, name, tax filing status, coverage start and stop dates, previous policies, taxpayer ID, eligibility for financial assistance, household size, and the state in which the applicant is enrolling. No PHI is stored by PC2.0 or exchanged between FFM and PC2.0, only the PII described above. The PET system also maintains email and phone number. At the operating system level, the PET systems collect user credentials such as keys or user names and hashes of passwords until the user is no longer authorized to use the system. The Machine Readable Tools (MRT) Coverage Portal does not collect or store any user information. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Window Shopping subsystem gives consumers a chance to see what Qualified Health Plans (QHP) and Stand-alone Dental Plans (SADP) they may be eligible for in the FFM before creating an account and filling out the eligibility application on healthcare.gov. The Window Shopping subsystem lets the consumer enter a few details about themselves. The information is not saved/stored by the Window Shopping subsystem. The requested information includes: zip code, sex, household income, ages of household members, tobacco usage, pregnancy, and status/existence of current healthcare coverage. Responses are optional. Based on that information, the consumer is directed to the next screen where the available plans are listed. The consumer can then select plans, view the description of the insurance plan coverage, and see the estimated monthly premiums. Users of the TT application enter the zip code and county where each household member lived each month of the previous year, their ages, the months they were eligible for employer coverage, and the months during which they didn't have another coverage exemption. In return, they are provided with the following information: potential premium tax credits, tax exemptions, and links to tax-related information. This information is not stored or saved by TT. Users of PC2.0 are given the opportunity to compare healthcare plans they are eligible for and to enroll in those plans. Users who would like to compare healthcare plans are asked if they have used tobacco regularly in the last 6 months and are asked to give the specific date when they last used tobacco. This information will change the prices of prospective plans. Users are then given the opportunity to enter the names of doctors, medicines and medical facilities which they intend to use. This information is used during the comparison of plans to ensure that the plans users are comparing offer those resources. Enrollment is handled by the scalable login system, which stores and processes credential information for the enrollment. PC2.0 does not collect or store this information. During the processes described above, PC2.0 will make a request for user and healthcare plan data from FFM. This is stored in the PC2.0 database indefinitely. This information will include PII such as user birthdate, sex, address, name, tax filing status, coverage start and stop dates, previous policies, taxpayer ID, eligibility for financial assistance, and other information which is described thoroughly in the Plan Compare 2.0 Interface Control Document, Version 2.7, dated 04/15/16. No PHI is stored by PC2.0 or exchanged between FFM and PC2.0, only the PII described above. System administrators log into the main PET system to support and administer the application/system. To access the system, they enter the following login credentials: a User ID and password. The creation of the User ID and password is done in the CMS Enterprise User Administration (EUA) system and not within the main PET system. The Plan Compare 2.0 application must utilize PII provided by the FFE/FFM to provide users tailored decision-making support when choosing a healthcare plan for enrollment. Other systems do not query PET based on PII. The PET system also maintains email and phone number. The Machine Readable Tools (MRT) Coverage Portal does not collect or store any user information. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | Login credentials (user ID and password) are collected to support and administer the application/system. To access the system, administrators enter these login credentials. The creation of the User ID and password is done in the CMS EUA system and not within the main PET system. Temporarily collected PII (zip code, household income, ages, etc.) is used to present the public/consumers with insurance plan information (plan names, copays, deductibles and estimated monthly premiums), and tax information. Data collected by PC2.0, which is described in section 13, is used to allow users to compare healthcare plans and to enroll in those plans. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable. |
Describe the function of the SSN. | Not applicable. |
Cite the legal authority to use the SSN. | Not applicable. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Affordable Care Act. Title 42 U.S.C. 18031, 18041, 18081, 18083, and sections 2723, 2761 of the Public Health Service Act (PHS Act). 5 U.S.C. Section 301, Departmental Regulations |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: SORN 09-70-0560, Health Insurance Exchange (HIX) Program |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | In-Person |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Members of the Public |
Identify the OMB information collection approval number and expiration date | OMB Control Numbers: CMS Form Number: CMS-10400 Title: Establishment of Qualified Health Plans and American Health Benefit Exchanges OMB control number: 0938-1191 Expiration Date: 07/31/2019 |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The consumer user community entering information on the main PET system website has a link to the Privacy Policy that contains information about the privacy and use of information collected. The collection of CMS employee and direct contractor user credentials being saved by CMS systems is inherent to employment. Individuals requesting access to WQC Security Scrum (WSS) must sign an account request form. Prior to granting access, review and approval is required by the main PET System Information System Security Officer (ISSO). |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Users have the option to enter PII into the Window Shopping or TT subsystems. If a consumer decides not to provide this information, he or she will not be able to know what Qualified Health Plans (QHP) and Stand-alone Dental Plans (SADP) he or she may be eligible for in the FFM before creating an account and filling out the eligibility application on healthcare.gov. He or she will not know his or her potential premium tax credits and tax exemptions before creating an account and filling out the eligibility application on healthcare.gov. Users have the option of entering PII into PC2.0, which is collected indefinitely by the system. Entering the information is optional, but if they don't, they cannot see and compare the healthcare and dental plans they are eligible for and they cannot enroll in those plans. An option for users to opt out of having their login credentials stored within the main PET system is not available because it is fundamental to the function of the system. A potential user cannot 'opt out' of providing his or her PII. The PII is needed to create a user account in order to access the main PET system. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Only CMS employees' and direct contractors' credentials are accessed/stored by the system. The expectation of user credentials being saved by CMS systems is inherent to system access. Individuals requesting access to WSS must sign an account request form. Prior to granting access, review and approval is required by the WSS system owner. The other collected PII (zip code, household income, ages, etc.) is used to present the public/consumers with insurance plan information (plan names, copays, deductibles and estimated monthly premiums), and tax information. This information is collected temporarily by the webpage but is not stored. When a person exits the screen, the information is not retained for another use. The same user would need to re-enter the information each time. Changes to the use or the disclosure of the PII would be made in the HIX SORN and published for a 60-day public comment period. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The credential information used by the main PET system is from the CMS EUA system. If the information (name and company e-mail) is inaccurate, such that a name is misspelled or a company e-mail is incorrect, then a simple e-mail to the CMS Access Authority (CAA) with the details of the change would be sufficient to correct the problem and amend the record within EUA. If an employee has reason to believe that their personal information has been compromised, they can create a ticket with the CMS IT Service Desk at a 1-800 number. Potentially, the CMS Cyber Information Center (CCIC) may be notified and would investigate the matter to determine the severity of the compromise. The other collected PII is used to present the public/consumers with insurance plan information (plan names, copays, deductibles and estimated monthly premiums), and tax information. This information is collected temporarily by the webpage but is not stored. When a person exits the screen, the information is not retained for another use. The same user would need to re-enter the information each time. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The other collected PII is used to present the public/consumers with insurance plan information (plan names, copays, deductibles and estimated monthly premiums), and tax information. This information is collected temporarily by the webpage but is not stored. When a person exits the screen, the information is not retained for another use. The same user would need to re-enter the information each time. The credential information used by the PET system is from the CMS EUA system. The EUA system is initially responsible for the review for integrity, availability, accuracy and relevancy. The information is initially entered into EUA via a request form to allow access to CMS systems. The form must be approved by the employee's manager and COR (Contracting Officer Representative). The EUA system automatically requires users to review their access information annually and confirm that it is accurate. Further, when an employee or contractor is terminated, their access to CMS systems is terminated and their EUA information is deleted. The PET Administrators will review and update the current users of the PET system to ensure that only the approved users are allowed access to the system. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Prospective system administrators must sign an account request form. The account request form must also be filled indicating the minimal access required to perform one’s tasks. Prior to granting access, review and approval is required by the system owner. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The main PET system uses the principle of least privilege as well as a role-based access control to ensure system administrators, and users are granted access on a "need-to-know" and "need-to-access" commensurate with their assigned duties. System Administrators review user accounts at least annually. Any anomalies are addressed and resolved by contacting the user, and modifying their user data, or by removing their access if no longer required. Activities of all users including system administrators are logged and reviewed by the main PET system ISSO to identify abnormal activities if any. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | CMS employees and direct contractors with privileged access are required to complete role-based training and meet continuing education requirements commensurate with their role. Other training avenues, such as conferences, seminars and classroom training provided by CMS/HHS, are available apart from the regular annual training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | None |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | PET follows the CMS Records Schedule as follows. Enrollment Records: Disposition Authority Number DAA-0440-2015-0006-0001; Cutoff Instruction: cutoff at the end of the calendar year; Retention Period: destroy no sooner than 7 year(s) after cutoff, but longer retention is authorized. Beneficiary Records: Disposition Authority Number DAA-0440-2015-0007-0001; Cutoff Instruction: cutoff at the end of the calendar year; Retention Period: destroy no sooner than 10 year(s) after cutoff, but longer retention is authorized. Provider and Health Plan Records: Disposition Authority Number DAA-0440-2015-0008-0001; Retention Period: destroy no sooner than 7 year(s) after cutoff, but longer retention is authorized. Analytic and Research Files (restricted): Disposition Authority Number DAA-0440-2015-0009-0002; Transfer to the National Archives for Accessioning: transfer to the National Archives 20 year(s) after cutoff. Research and Program Analysis, Supporting Records: Disposition Authority Number DAA-0440-2015-0009-0003; Cutoff Instruction: cutoff at the end of the calendar year; Retention Period: destroy 10 year(s) after cutoff or when no longer needed for agency business, whichever is latest. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | PET has a public interface with no login required. PET also has an internal interface for Reviewers and Approvers of requests by insurance providers to add contact information. Access to the internal network must be approved through the EUA system, and credentials are stored in the CMS Lightweight Directory Access Protocol (LDAP) directory and not on the PET system. This is a role-based access control. PET backend systems require that individuals have received role-based training and have a need-to-know; such individuals may request access to these systems through a JIRA ticket. System Administrators can access backend systems within the Amazon Web Services (AWS) environment using OpenVPN, which requires two-factor authentication. After connecting to an internal Gateway into the environment over the Virtual Private Network (VPN), they are required to have a cryptographic private key on their client system which matches a public key present on the target system. This allows a Secure Shell (SSH) session to be created which implements Federal Information Processing Standard (FIPS) 140-2 compliant encryption. PET physical infrastructure exists in the Federal Risk and Authorization Management Program (FedRAMP) accredited AWS East region and inherits its physical and administrative security controls regarding system infrastructure. AWS data centers and physical servers are only accessible to authorized personnel. The Office of Communications AWS Cloud Team authorizes remote access to PET servers. |
Identify the publicly-available URL: | https://www.healthcare.gov/find-premium-estimates/ and https://developer.cms.gov/marketplace-api/coverage-portal/#/ |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the types of website measurement and customization technologies in use and whether they are used to collect PII. (Select all that apply) | |
Web Beacons - Collects PII? | No |
Web Bugs - Collects PII? | No |
Session Cookies - Collects PII? | No |
Persistent Cookies - Collects PII? | No |
Other - Collects PII? | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government website external to HHS? | Yes |
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | No |