Registration for Technical Assistance Portal
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 12/16/2022
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-4726151-323081 |
Name: | Registration for Technical Assistance Portal |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 11/16/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | The Registration for Technical Assistance (REGTAP) has been migrated onto the CMS AWS GovCloud and is in compliance with Technical Review Board (TRB) and the Marketplace Information Technology Group (MITG) security recommendations. |
Describe the purpose of the system | The Registration for Technical Assistance (REGTAP) website was created by the CMS Center for Consumer Information and Insurance Oversight (CCIIO) to provide educational events and communication for organizations involved in federal and state healthcare insurance marketplaces, exchanges and Premium Stabilization programs under the Affordable Care Act (ACA). |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | REGTAP collects and stores user registration information, which includes the following: email address, name, password, organization name, state, organization type, role in organization, position title, telephone number, and training event registration and attendance history. In accordance with ARS requirements, individual user accounts expire after 60 days without accessing the system. Passwords are maintained by the user once an account is created and are changed upon first use by the user in accordance with ARS requirements. No other person, including system administrators, has access to user passwords once they are changed and managed by the user. Name and telephone number are stored and used to contact users for system support service desk tickets. Names are required to properly account for training and outreach inquiries, attendance records and reporting. Stakeholder registration and attendance data are shared with CMS only. This information is collected in the REGTAP database and stored permanently based on the CCIIO Government Task Lead business requirements and the February 26, 2015 direction, which states: “This is a reminder that the agency is under a records freeze related to the following issues: Tobacco, Hurricane Katrina, Deepwater Horizon Multidistrict Litigation, Development and Implementation of Federally Facilitated Marketplace (FFM), and Documents Relating to Effectuated Enrollment in the Marketplaces (both Federal and State). This means that you must retain and preserve all current and future "records" relating to these issues. The agency may be asked to provide these records for review, so under no circumstances should records be destroyed until you are officially notified the freeze has been lifted. Any routine data destruction policies (i.e., the CMS Records Schedule) that could affect responsive documents are discontinued until further notice. Additionally, actions to preserve these records must ensure the information in the preserved record is accessible. It is important that all employees adhere to this guidance, as well as litigation hold procedures. Litigation holds are issued by OSORA, upon direction by the Office of the General Counsel (OGC), as a result of current or reasonably anticipated litigation. A litigation hold suspends the normal disposition, retention, and processing of records for the course of the litigation. Further, Contracting Officers Representatives (CORs) are reminded that CMS contractors must also adhere to CMS records policies and are asked to instruct contractors about this guidance accordingly through their contracting officer. "Records" include all documents, reports, writings, letters, memoranda, notices, communications (including e-mails, faxes, telephone records, and all communications with other Federal departments and agencies, State and local governments, and private sector entities), contracts, agreements, schedules, spreadsheets, travel records, data, electronically stored information, audio and video recordings, computer disks and hard drives, drawings, graphs, charts, photographs, and all other records of any kind. "Records" include, but are not limited to, all records required to be preserved pursuant to the Federal Records Act (found at http://www.archives.gov/about/laws/fed-agencies.html). Every departing employee must return all official records (paper and electronic) along with any and all removable computer data storage devices (e.g., thumb drives, flash drives, DVDs or CDs) to their immediate supervisor or a designated staff person in accordance with their office’s departure policy. Electronic files can be saved to the office’s shared drive; however, the immediate supervisor or replacement must know where those files are stored. Managers of departing employees should ensure that they secure all records before signing the CMS form 129, clearance form. Please direct any questions about the records freeze or reporting requirements to Carlos Simon, Director, Issuances, Records and Information Systems Group, 410-786-4201.” |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | REGTAP supports the CMS commitment to providing technical assistance, education and communication related to the ACA Marketplace, the Consolidated Appropriations Act (CAA), and the No Surprises Act. REGTAP provides a secure, public website for registered users only, from organizations such as health plan issuers, insurance agents and brokers, third party administrators, regulators, and other healthcare-related organizations. We were notified on February 26, 2015 that a CMS Records Freeze in relation to Marketplace Enrollment data supersedes NARA requirements. No PII is available publicly. The types of Personally Identifiable Information REGTAP collects include email address, full name, organization name, state, organization type, title, role in organization, work phone, and mobile phone. REGTAP reports are available only to CMS and REGTAP staff who need this information to perform their duties. REGTAP may also use surveys to collect opinions and feedback. Users do not have to answer these questions. The REGTAP staff analyzes and uses this information to improve the site's operation and content. The website includes the following services: training event registration, a library of CMS-published resource materials, a frequently asked questions (FAQ) database and an inquiry submission module to submit questions to CMS. The information collected and maintained in REGTAP includes user account information and the CMS library of resources. The user account information, including the system support staff user credentials, is retained for as long as the user retains their account or as long as the user needs access to the system. The library material is considered ‘public’ as it is informational about healthcare marketplace and Premium Stabilization program topics. Both categories of information are retained indefinitely on an ‘as necessary’ or ‘as applicable’ basis and are updated periodically. The PII collected by the REGTAP system is only used for the purpose of account creation and access to the platform. This information is not shared or used for any other activities. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 100,000-999,999 |
For what primary purpose is the PII used? | Email address, phone number, organizational role and title, organization name, state, training event, and registration history are used to provide educational events and communication for organizations involved in federal and state healthcare insurance marketplaces and exchanges. User name and password are used to access REGTAP. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not Applicable |
Describe the function of the SSN. | Not Applicable |
Cite the legal authority to use the SSN. | Not Applicable |
Identify legal authorities governing information use and disclosure specific to the system and program. | Affordable Care Act, 42 USC Sections 18031, 18041, 18081-18083 and Section 1414; 5 USC Section 301, Department Regulations; Consolidated Appropriations Act, 2021 (CAA), including the No Surprises Act. |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0560 Health Insurance Exchanges (HIX) Program, published 2/6/2013 and updated 5/29/2013 and 10/23/2013 |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | OMB 0938-1331, expiration 9/14/2024 |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | REGTAP advises individuals on the main log-on page and on the new user registration page that personal information will be collected. As part of the registration, a user must accept the REGTAP terms of use and privacy policy in order to create an account. System support staff are advised as part of the general onboarding process of CMS employment or gaining access to CMS systems. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | No Identity Management (IDM) information is used (no EUA, badge number, or unique identification number associated with the IDM is stored in REGTAP). To receive any REGTAP publicly available information, users do need to have an account created. Users may opt out in three ways: 1) by not signing up for a REGTAP account, as it is optional to do so; 2) users have the ability to manage all account information, with the exception of email address, and email addresses can be changed through a Service Desk ticket to Registrar@regtap.info; 3) there is also a deactivation request, which would eliminate access to an individual user account. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | REGTAP has three methods for notification and to obtain consent if required: 1) on the REGTAP Home page - publicly accessible information (login not required); 2) on the REGTAP Dashboard messaging - available to all registered users; and 3) by email notification to all registered users. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If an individual believes their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate, they may report this to the REGTAP Registrar by telephone at 1-800-257-9520 or by e-mail at registrar@regtap.info. The REGTAP Registrar will then contact the office of the Chief Information Security Officer (CISO) and/or the Information System Security Officer (ISSO) within one (1) business hour of issue identification for investigation and resolution. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | REGTAP maintains data integrity and availability by employing security procedures including firewalls, complex password requirements, role-based access and encryption layers. The users of the system and REGTAP administrators maintain data accuracy and relevancy. Users can correct their own PII data within their own account, or administrators can correct it for them if they are alerted to changes. Administrators also run quarterly reports to determine if there are any anomalies (e.g., a name change or mismatch) in user information. If found, the error is addressed and resolved by contacting the user and modifying their user data, or by removing their access to REGTAP if it is no longer required. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | REGTAP employs the concept of least privilege, allowing only authorized accesses for registered and system users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks. Based on the principles of least privilege, a role-based methodology is used to identify and validate if the existing access privileges assigned to a registered user are consistent with their job role. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Registered users whose access privileges are not consistent with their job role and cannot be verified are disabled temporarily until their access privileges can be verified by their job role management authority. The REGTAP User Account Management process audit is performed as needed, but not less than semi-annually. New or changed REGTAP privileged user accounts are monitored daily. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Annual Security and Privacy Awareness training is required for and provided to all CMS employees and direct contractors that support REGTAP. The contractor staff receives this training as part of their initial training and annually (one year from the date a staff member completed their last security and privacy awareness training session). CMS employees take the training annually and additional REGTAP role-based security and privacy training for privileged user roles. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Not Applicable |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | On February 26, 2015, CMS notified our team of a records freeze for any records associated with enrollment in the Marketplace, which superseded all other requirements. Records are maintained in accordance with the National Archives and Records Administration (NARA) Disposition Authority DAA-0440-2012-0016-0001, which indicates the CMS business requirement that Outreach and Training records are to be stored “Permanently” in accordance with https://www.cms.gov/Regulations-and-Guidance/Guidance/CMSRecordsSchedule/Downloads/Bucket-8-Public-Outreach-and-Engagement.pdf. REGTAP also complies with General Records Schedules (GRS) 3.2, which states that records will be destroyed when 7 years 6 months, 10 years 6 months, or 20 years 6 months old, based on the maximum level of operation of the Certification Authority, or when no longer needed for business, whichever is later. Any removal of historic information must be approved by its corresponding Government Task Lead. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The administrative controls in place to secure the PII include role-based access and permissions, periodic review of users and deletion of non-active accounts. The technical controls in place are firewalls that prevent unauthorized access, encrypted access when users log into REGTAP, security scans, penetration testing, and intrusion detection and prevention technologies. There is also active penetration testing and a tiered system architecture, which means users can only log into the application and not into any test environment; the test and production applications are not joined together. The physical controls in place are as follows: the use of security cards and pass codes, security guards and a separately located backup system. |
Identify the publicly-available URL: | https://regtap.cms.gov/ |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the type of website measurement and customization technologies in use and whether they are used to collect PII. (Select all that apply) | Web Beacons - Collects PII?: No; Session Cookies - Collects PII?: No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government website external to HHS? | Yes |
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | Yes |