CMS-10877 Privacy Questiionaire

OMB Control #: 0938-NEW
Expiration Date: XX/XX/20XX

Privacy/TPWA Questionnaire
CMS is conducting research on Direct Enrollment Entity Websites. The purpose for this tool is to
provide consumers who wish to file Exchange coverage applications with the assistance of a
health insurance issuer or web-based agent or broker (web-broker) with the capability to do so
directly through the website of the issuer or web-broker, without the need to be redirected to
HealthCare.gov to submit their application information for the 2023 plan year.
In order to use this tool, we collect information about what information is collected by the tool,
how that information is used, and which tracking technologies are utilized in order to assess
any privacy impact to consumers. Please identify any responses that contain information that
you consider to be commercial confidential or proprietary.
Please answer in detail the following questions.
1. Please list the specific tracking technologies your website(s)(s) use(s) (e.g., http cookies,
pixels, HTML 5, web cache, local shared objects, Flash, device fingerprinting, device
identifiers, probabilistic or statistical identifiers)?
2. How can consumers opt-out of this tracking? Please provide the steps on how this is
done and confirm that if a consumer chooses to opt-out of tracking that all tracking will
cease. Can consumers opt-out of this tracking in the downstream and/or upstream
entity website as well?
3. What information is collected by this tool – please list all data elements (e.g., device,
browser, OS, IP, screen size)? Also, include the data elements associated with any
Personally Identifiable Information (PII) (if collected).
4. Which of these data elements do you aggregate and how is the aggregated data used
(e.g., data about individual device, browser, OS, IP, screen size are replaced with
summary statistics [e.g., 15.1% of devices had a screen size of 1920 x 1080] and the
original data is not stored)?
5. What information is stored by this tool – please list all data elements (including PII)?
How long is it stored? Is it stored in the continental US?
6. Do you sell or market consumer information to third parties?
7. Do any other entities (media partners, cookie pools, ad networks, analytics providers,
etc.) have access to this information? If yes, what agreements do you have in place
governing their use of this information?

PRA DISCLOSURE: According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of
information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938NEW, expiration date is XX/XX/20XX. The time required to complete this information collection is estimated to take up to 56,290
hours annually for all direct enrollment entities. If you have comments concerning the accuracy of the time estimate(s) or
suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail
Stop C4-26-05, Baltimore, Maryland 21244-1850. ****CMS Disclosure**** Please do not send applications, claims, payments,
medical records or any documents containing sensitive information to the PRA Reports Clearance Office. Please note that any
correspondence not pertaining to the information collection burden approved under the associated OMB control number listed
on this form will not be reviewed, forwarded, or retained. If you have questions or concerns regarding where to submit your
documents, please contact Brittany Cain at [email protected].

1

8. Do you or any other entity use this collected information? If yes, for what specific
purpose(s)? This includes, but is not limited to, directly or indirectly benefiting other
clients.
9. Do you match or link this information with any other data source(s)? If so, what data
sources and what is the source or sources of that information? What is the purpose of
this matching or linking?
10. What functionality or configuration options does your tool provide that would enhance
the privacy protections for users?
11. Does your governing agreement mandate that the privacy notice is consistent with the
CMS privacy notice posted on the upstream/downstream entity website? If so, do you
verify and validate that all downstream and/or upstream entities privacy notices are
consistent with entries in this privacy questionnaire? If so, please attest to this
validation with a list of downstream and/or upstream entities that you have verified.
12. Do your websites/applications have appropriate branding to distinguish your EDE
website from a website owned and operated by the federal government? Do your
upstream and/or downstream entities’ websites/applications have appropriate branding
to distinguish your EDE website from a website owned and operated by the federal
government?
13. If the public navigates to the third-party Website or application via an external
hyperlink, is there an alert to notify the public that they are being redirected to the
third-party Website?
Federal law, at 18 U.S.C. §1001, authorizes prosecution and penalties of fine or imprisonment for conviction of
"whoever, in any matter within the jurisdiction of any department or agency of the United States knowingly and
willfully falsifies, conceals or covers up by any trick, scheme, or device a material fact, or makes any false, fictitious
or fraudulent statements or representations or makes or uses any false writing or document knowing the same to
contain any false, fictitious, or fraudulent statement or entry"