• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

Third Party Websites and Applications Privacy Impact Assessment - Chartbeat for Quality Payment Program

Date Signed:
10/14/2016

OPDIV:
CMS

Name:
Chartbeat for Quality Payment Program

TPWA Unique Identifier:

Is this a new TPWA?
Yes

Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?
No

Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
No

Does the third-party Website or application contain Federal Records?
No

Describe the specific purpose for the OPDIV use of the third-party Website or application:
The Quality Payment Program (QPP) uses Chartbeat to collect, report, and analyze visitor interactions at qpp.cms.gov. CMS receives reports from Chartbeat that provide information about visitor traffic and the number of concurrent visitors to the QPP website and its various sections to help make the qpp.com.gov website more useful to visitors.
Chartbeat provides reports and can provide real-time consumer traffic numbers that can be delivered to an easy to use dashboard. This allows CMS to react to unexpected spikes in traffic as well as pinpoint the source of this traffic. Information related to consumer traffic on qpp.cms.gov provided by Chartbeat allows the QPP Technical Team to make needed technical changes and to react to any unexpected traffic spikes.

Only the QPP Technical Team that includes CMS employees, contractors and other designated federal employees who need the information to perform their duties will analyze the information and reports and will use the data that is provided to CMS by Chartbeat.

Have third-party privacy policies been reviewed to evaluate any risks and to determine whether tthehe Website or application is appropriate for OPDIV use?
Yes

Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:
If consumers do not want Chartbeat to collect information related to their visits to qpp.cms.gov, consumers can use the Tealium iQ Privacy Manager on qpp.cms.gov privacy page and "opt out" of having data collected about their device by Chartbeat.

Alternatively, a consumer can disable their cookies if they do not want their information to be collected by Chartbeat.

Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?
No

How does the public navigate to the third party Website or application from the OPIDIV?
N/A. Chartbeat is a web measurement tool used to monitor visitor traffic on a website; it is not a website accessible to the public.

Please describe how the public navigate to the third party website or application:
N/A. Chartbeat is a web measurement tool used to monitor visitor traffic on a website; it is not a website accessible to the public.

If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a non-governmental Website?
No

Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?
Yes

Provide a hyperlink to the OPDIV Privacy Policy:
https://qpp.cms.gov/privacy/

Is an OPDIV Privacy Notice posted on the third-party website or application?
No

Is PII collected by the OPDIV from the third-party Website or application?
No

Will the third-party Website or application make PII available to the OPDIV?
No

Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:
CMS does not collect any PII through the use of Chartbeat.

Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
PII is not stored or shared.

If PII is shared, how are the risks of sharing PII mitigated?
No PII is shared with CMS.

Will the PII from the third-party website or application be maintained by the OPDIV?
No

Describe how PII that is used or maintained will be secured:
Not Applicable.

What other privacy risks exist and how will they be mitigated?
CMS will use of Chartbeat in a manner that protects the privacy of consumers who visit qpp.cms.gov and respects the intent of qpp.cms.gov users. CMS will conduct periodic reviews of Chartbeat's privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy.

Chartbeat is employed solely for the purposes of improving CMS' services and on-line activities related to operating qpp.cms.gov.

Risk #1:
Persistent cookies are used by Chartbeat’s third-party tools on qpp.cms.gov and can be stored on a user’s local browser. A consumer's referring URL, device type, time spent on site or page, visitor frequency, browser type, size and technology, operating system and geographic location data is collected, based on the IP address, through a consumer’s device location. Locations are estimates and are only approximations.

Chartbeat's cookies are stored on the user's local browser for three years by default.

Mitigation:
Chartbeat's privacy policies, notices from qpp.cms.gov, information published by Chartbeat about its privacy policies, and the ability for consumers to opt-out of having their information collected by Chartbeat maximizes consumers’ ability to protect their information and mitigate risks to their privacy.

Consumers can also use the Tealium iQ Privacy Manager on qpp.cms.gov privacy page and "opt out" of having data collected about them by Chartbeat.

Risk #2:
The information collected by Chartbeat is created and maintained by Chartbeat. Chartbeat may aggregate and anonymize Traffic Data from qpp.cms.gov with that from other websites to provide benchmarking data and other functionality.

Mitigation:
Chartbeat will only disclose aggregated traffic data in a manner that does not reveal the identity of a CMS or a qpp.cms.gov consumer without CMS's express prior consent.

Content created by Assistant Secretary for Public Affairs (ASPA)
Content last reviewed on October 20, 2016