Qualtrics 2023
Date signed: 5/15/2023
| TPWA PIA Questions | TPWA PIA Answers |
|---|---|
| OPDIV: | CMS |
| TPWA Unique Identifier (UID): | T-8525178-808506 |
| Is this a new TPWA? | Yes |
| Please provide the reason for revision | Revising the TPWA PIA to reflect updates to CMS’ use of Qualtrics to capture contact information within site surveys. |
| Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? | No |
| Indicate the SORN number (or identify plans to put one in place.) | |
| Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? | Yes |
| Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) | |
| Does the third-party Website or application contain Federal Records? | No |
| Describe the specific purpose for the OPDIV use of the third-party Website or application: | The Centers for Medicare & Medicaid Services (CMS) uses Qualtrics, an Experience Management platform, to gather feedback from visitors to CMS’ websites, including CMS.gov, Medicare.gov, MyMedicare.gov, HealthCare.gov, CuidadoDeSalud.gov, Medicaid.gov, InsureKidsNow.gov, and various subdomains of the above top-level domains (TLDs), to gauge overall satisfaction with the website and to find out how to improve the customer experience. These TLDs are hereafter referred to as “CMS’ websites.” Feedback collected is general consumer feedback gathered via multiple-choice and open-ended questions such as, "What is your feedback about?" "How can we improve this page?" and "Did you find the information helpful?" Consumers provide feedback through online surveys facilitated by the Qualtrics tool. The Qualtrics platform gathers feedback from CMS website visitors to gauge overall satisfaction with the website and to build an omni-channel voice of the customer (VoC) program in an effort to improve the consumer experience. The Qualtrics platform also gathers general information, as an intake form, from CMS website visitors regarding various topics. |
| Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? | Yes |
| Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: | If a member of the public chooses not to provide feedback, there will be no impact to their experience on the site. The technology is used to improve the customer experience. Survey questions are used to improve the customer experience and are not applicable to alternative application channels. |
| Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? | No |
| How does the public navigate to the third-party Website or application from the OPDIV? | Incorporated or embedded on HHS Website |
| Please describe how the public navigates to the third-party website or application: | The public does not navigate to Qualtrics, as the application is embedded into CMS website pages. |
| If the public navigates to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? | No |
| Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? | Yes |
| Provide a hyperlink to the OPDIV Privacy Policy: | https://www.cms.gov/privacy-policy/ https://www.medicare.gov/privacy-policy https://www.healthcare.gov/privacy |
| Is an OPDIV Privacy Notice posted on the third-party Website or application? | No |
| Is PII collected by the OPDIV from the third-party Website or application? | Yes |
| Will the third-party Website or application make PII available to the OPDIV? | Yes |
| Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: | The personally identifiable information (PII) is collected to provide for an enriched and personalized user experience. A primary consideration of this technology is the ability to identify the same user across multiple devices and across multiple sessions. To achieve this, a Tealium ID must be captured. Behavioral data from one session/device is leveraged to provide an improved and consistent user experience in future sessions/devices. Users may voluntarily include PII in open-ended questions similar to “How can we improve this page?” If a visitor is interested in being contacted in the future for research activities related to the site, they may include their email address. In addition, within certain intake forms, users may provide their full name, phone number and email address to receive a follow-up on an inquiry. |
| Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: | The personally identifiable information (PII) collected is a Tealium ID, full name, phone number and email address. Qualtrics is used in concert with Tealium as the only third-party vendors designated to store Tier-3 level personally identifiable information. Data within Qualtrics is not accessible by personnel from Tealium and vice versa. Only designated federal staff and contractors who need this information to perform their duties have access to this data. No other third-party organization will have access to the information collected. |
| If PII is shared, how are the risks of sharing PII mitigated? | Access to the platform is managed by role-based permissioning to ensure visibility is limited to appropriate CMS staff and contractors. Multi-factor authentication is required to log in to the system. The platform is configured for two user types: • Brand Administrator: The Brand Administrator is a special user type with the ability to edit administrative settings for the whole brand. A “Brand” is synonymous with a website (such as Healthcare.gov or Medicare.gov). As is typical for FedRAMP systems, administrative controls include items such as, but not limited to, user training, system documentation that advises on proper use, implementation of need-to-know and minimum-necessary principles when awarding access, and others. Technical controls include items such as, but not limited to, firewalls, network monitoring and intrusion detection. Physical controls include that all system servers are protected by guards, locked facility doors, and climate controls. Other appropriate controls have been selected from the National Institute of Standards and Technology (NIST) guidance. |
| Will the PII from the third-party Website or application be maintained by the OPDIV? | Yes |
| If PII will be maintained, indicate how long the PII will be maintained: | General Records Schedule (GRS) 6.5, Item 10, Disposition Authority: DM-GRS-2017-0002-0001. Records from operations such as a customer call center or service center providing services to the public. Services may address a wide variety of topics including but not limited to: incoming requests and responses, system data including customer ticket numbers and visit tracking, evaluations and feedback about customer services, reports generated from customer management data, customer feedback and satisfaction surveys, including survey instruments, data, and reports. CMS may retain records 1 year after resolved, or when no longer needed for business use, whichever is appropriate. The data retention policy is 13 months for the Qualtrics Experience Management platform. CMS is able to connect to the Qualtrics Experience Management platform to export this data to a CMS managed data warehouse. |
| Describe how PII that is used or maintained will be secured: | Qualtrics is FedRAMP Authorized. FedRAMP is the gold standard of U.S. government security compliance, with over 300 controls based on the highly regarded NIST SP 800-53 that require constant monitoring and periodic independent assessments. For more information on the Qualtrics FedRAMP Authorization, see: https://marketplace.fedramp.gov/#!/product/qualtrics-xm-platform?sort=productName All response data resides in Amazon Web Services (AWS) GovCloud (an environment specific to Federal customers), and data is protected by disk-level encryption and database encryption. AWS GovCloud has an existing Authority to Operate (ATO) under FedRAMP, which gives Government agencies the ability to leverage AWS GovCloud for sensitive workloads. Additional information can be found in the Qualtrics Privacy Statement: https://www.qualtrics.com/privacy-statement/ |
| What other privacy risks exist and how will they be mitigated? | CMS will use Qualtrics in a manner that protects the privacy of consumers who visit CMS’ websites and respects the intent of visitors. CMS will conduct periodic reviews of Qualtrics’ privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy. Qualtrics is employed solely for the purposes of improving CMS' services and activities online related to operating CMS websites such as CMS.gov, Medicare.gov, MyMedicare.gov, HealthCare.gov, CuidadoDeSalud.gov, Medicaid.gov, InsureKidsNow.gov, and various subdomains of the above top-level domains. Information collected by Qualtrics is created and maintained by Qualtrics. Additionally, Qualtrics' surveys are voluntary and consumers can choose not to participate in surveys. CMS has configured its use of Qualtrics to mask IP addresses before they are stored, an additional safeguard to ensure that this data cannot be connected with other data to identify a consumer who completes a survey supported by Qualtrics. In some cases, consumers may inappropriately add PII in the free-text field of surveys. A query is implemented in the system to redact such PII when it is included in a free-text response. CMS will not deploy the Qualtrics tool if the website is not using Tealium iQ. |
Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
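As an added illustration, not CMS's or Qualtrics' own code (the PIA states that IP addresses are masked before storage and that PII in free-text answers is redacted, but not how), the following Python shows what those two safeguards look like when applied to a survey response before it is written to a data store. The /24 and /48 prefix lengths, the regular expressions, the placeholder tokens and the sample responses are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample survey responses for this example (not real respondent data).
SAMPLE_RESPONSES = [
    {"ip": "203.0.113.57",
     "feedback": "Great page, reach me at jane.doe@example.com or 202-555-0143."},
    {"ip": "2001:db8:85a3::8a2e:370:7334",
     "feedback": "Could not find the enrollment form."},
]

# Assumed patterns: email addresses and North American phone numbers in common
# written forms (202-555-0143, (202) 555-0143, 202.555.0143, 202 555 0143).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)")


def mask_ip(addr: str) -> str:
    """Truncate an IP address before storage so it no longer identifies one host.

    Assumed prefix lengths for this example: keep /24 for IPv4 and /48 for IPv6.
    Invalid input raises ValueError rather than being stored unmasked.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def redact_pii(text: str) -> tuple[str, dict]:
    """Replace email addresses and phone numbers in free text with placeholders.

    Returns the redacted text plus a count of each kind of redaction so that an
    audit log can record that PII was removed without recording the PII itself.
    """
    counts = {}
    text, counts["email"] = EMAIL_RE.subn("[EMAIL REDACTED]", text)
    text, counts["phone"] = PHONE_RE.subn("[PHONE REDACTED]", text)
    return text, counts


def prepare_for_storage(response: dict) -> dict:
    """Apply both safeguards to one raw response; only the result should be persisted."""
    redacted, counts = redact_pii(response["feedback"])
    return {"ip": mask_ip(response["ip"]), "feedback": redacted, "redactions": counts}


if __name__ == "__main__":
    for raw in SAMPLE_RESPONSES:
        print(prepare_for_storage(raw))
```

The redaction runs on the response before it reaches the store, so a later export to a data warehouse (as the retention answer above describes) carries only the masked address and the cleaned text; the per-field counts give reviewers a way to see how often respondents volunteer PII without retaining it.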