CMS Privacy Notice for the Quality Payment Program (QPP) Website
CMS, operating the QPP Website, does not collect name, contact information, social security number or other similar information unless you choose to provide it. We do collect other limited information automatically from visitors who read, browse, and/or download information from the QPP Website. We do this so we can understand how the site is being used and how we can make it more helpful. See the Types of information we collect section below for more information.
Personally identifiable information (PII), defined by the Office of Management and Budget (OMB), refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
CMS does not sell any information entered into the QPP Website. For information on how we share information, see How CMS uses information collected by the QPP Website.
Types of information we collect
Information which is automatically collected:
When you browse:
Certain information about your visit can be collected when you browse websites. When you browse the QPP Website, we, and in some cases our third-party service provider(s), can collect the following types of information about your visit, including:
- Domain (for example, comcast.com, if you are using a Comcast account) from which you accessed the Internet.
- IP address (an IP or internet protocol address is a number that is automatically assigned to a device connected to the Web).
- Operating system (which is software that directs a computer’s basic functions such as executing programs and managing storage) for the device that you are using and information about the browser you used when visiting the site.
- Date and time of your visit
- Pages you visited
- Address of the website/search engine that connected you to the QPP Website (such as google.com or bing.com)
- Device type (desktop computer, tablet, or type of mobile device)
- Screen resolution
- Browser language
- Geographic location
- Time spent on page
- Scroll depth – The measure of how much of a web page was viewed
- User events (e.g. clicking a button)
(See How the QPP Website uses third-party websites and applications below for more information.)
Information which you may provide:
When you request information:
If you choose to receive alerts or e-newsletters, CMS will collect information including your email address to deliver the alerts or e-newsletters. We use this information to complete the subscription process and provide you with information. You can opt out of these communications at any time by editing your subscription preferences.
For specific details on the data collected by the systems that make up the QPP Website, as well as Third-Party Websites and Applications (TPWA), please view the Privacy Impact Assessments (PIAs) located under the sections for Centers for Medicare & Medicaid Services at: https://www.hhs.gov/pia/index.html.
HHS PIAs for CMS Systems supporting the QPP Website:
- Amazon Web Services: https://www.hhs.gov/sites/default/files/cms-amazon-web-services.pdf
HHS PIAs for CMS TPWA supporting the QPP Website:
How CMS uses information collected by the QPP Website
CMS websites use a variety of Web measurement software tools. We use them to collect the information listed in the “Types of information collected” section above. The tools collect information automatically and continuously. No PII is collected by these tools.
When conducting surveys and improving services:
CMS also uses online surveys to collect opinions and feedback. You don’t have to answer these questions. If you do answer these questions, do not include any PII in your answers. We analyze and use the information from these surveys to improve the site’s operation and content. The information is available only to CMS managers, members of the CMS communications and Web teams, and other designated federal staff and contractors who require this information to perform their job functions and duties.
When using third-party tools for website analytics:
CMS uses a variety of third-party web tools for web analytics. CMS uses these tools to collect basic information about visits to the QPP Website. This information is then used to maintain the QPP Website, including monitoring site stability, measuring site traffic, and optimizing site content, and may help make the site more useful to visitors.
The CMS staff analyzes the data collected from these tools. The reports are available only to CMS managers, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their job functions and duties.
Data from CMS website measurement tools is kept as long as needed to support the mission of the QPP Website.
See How the QPP Website uses third-party websites and applications below for more information on how these tools work.
The Office of Management and Budget Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, allows federal agencies to use session and persistent cookies to improve the delivery of services.
When you visit a website, its server may generate a piece of text known as a "cookie" to place on your device. The cookie, which is unique to your browser, allows the server to "remember" specific information about your visit while you are connected. The cookie makes it easier for you to use the dynamic features of Web pages. Information that you enter into the application is not associated with cookies on the QPP Website. Depending on the third-party tool's business practices, privacy policies, terms of service, and/or the privacy settings you selected, information you have provided to third parties could be used to identify you when you visit the QPP Website. These third parties do not/will not share your identity with CMS or Department of Health and Human Services (HHS).
There are two types of cookies, single session (temporary), and multi-session (persistent). Single session cookies last only as long as your Web browser is open. Once you close your browser, the session cookie disappears. Persistent cookies are stored on your device for longer periods. Both types of cookies create an ID that is unique to your device.
- Session Cookies: We use session cookies for technical purposes such as to allow better navigation through our site. These cookies let our server know that you are continuing a visit to our site. The OMB Memorandum M-10-22 Guidance defines our use of session cookies as "Usage Tier 1—Single Session." The policy says, "This tier encompasses any use of single session web measurement and customization technologies."
- Persistent Cookies: We use persistent cookies to understand the differences between new and returning visitors to the QPP Website. Persistent cookies remain on your device between visits to our site until they expire or are removed by the user. The OMB Memorandum M-10-22 Guidance defines our use of persistent cookies as "Usage Tier 2—Multi-session without personally identifiable information." The policy says, "This tier encompasses any use of multi-session Web measurement and customization technologies when no PII is collected." We do not use persistent cookies to collect PII. CMS does not identify a user by using such technologies.
CMS also uses the following technologies on the QPP Website:
- Website Log Files – These are used as an analysis tool to tell how visitors use the QPP Website, how often they return, and how they navigate through the site.
Your Choices About Tracking and Data Collection by QPP
The QPP Website offers a Privacy Manager which gives you control over what tracking and data collection takes place during your visit. Third-party tools are enabled by default to provide a quality consumer experience.
The Privacy Manager provides you with the choice to opt-in or to opt-out of the different categories of third-party tools used by the QPP Website analytic tools. The Privacy Manager prevents third-party tools from loading regardless of your cookie settings, which provides consumers with an additional layer of privacy that prevents the tool from loading at all. Because the Privacy Manager creates a cookie in your browser, the opt-in and opt-out choices you make through the Privacy Manager will only be effective on the device and browser you used to make your choices, and your choices will expire when the cookie expires. Once the cookie is created, the Privacy Manager will retain your settings for 3 years from the date of your most recent visit. Thereafter, you may revisit the Privacy Manager to renew your opt-in and opt-out choices.
How to opt-out or disable cookies
If you do not wish to have session or persistent cookies placed on your computer, you can disable them using your Web browser. If you opt-out of cookies, you will still have access to all information and resources on CMS websites. Instructions for disabling or opting out of cookies in the most popular browsers are located at: https://www.usa.gov/optout-instructions.
Please note that by opting out of cookies, you will disable cookies from all sources, not just from CMS websites. If you disable cookies in your browser, our Privacy Manager will not be able to store your preferences and will not function properly. If you do not wish to use our Privacy Manager to opt-out of the tools used by the QPP Website, you can opt-out of tools individually.
Privacy Information Regarding Third-party Services
The following table lists the third-party services currently used by CMS in conjunction with the QPP Website and provides links to the privacy policies for each third-party service provider. See the list of third-party tools for more information on how to opt out of each service individually. Links are provided below to the instructions for opting out of each service and a link where you can learn more about each service by reviewing the CMS Third-party Website Privacy Impact Assessment.
Category: Web Analytics
Purpose and Use: Determines concurrent users and analyzes spikes in traffic. This is a tier 2 usage, Persistent Cookies are used.
How to Opt-Out for this Service:
CMS Third-party Website and Application Privacy Impact Assessment: Chartbeat, T-1494462-247155, https://www.hhs.gov/sites/default/files/cms-chartbeat.pdf
Third-party Tool: Google Analytics
Purpose and Use: Collects and analyzes data on visitor interactions with the QPP Website to help make the site more useful to visitors. This is a tier 2 usage, Persistent Cookies are used.
How to Opt-Out for this Service: Google provides a browser plug-in that will allow you to opt-out of all Google Analytics measurements, which can be found at https://tools.google.com/dlpage/gaoptout
CMS Third-party Website and Application Privacy Impact Assessment: Google Analytics, T-5991099-891893, https://www.hhs.gov/sites/default/files/cms-google-analytics.pdf
Third-party Tool: New Relic
Purpose and Use: Monitors and evaluates the web and system transactions of the QPP Website to assist with troubleshooting. This is a tier 1 usage, Session Cookies are used.
How to Opt-Out for this Service: https://newrelic.com/privacy
CMS Third-party Website and Application Privacy Impact Assessment: New Relic, https://www.hhs.gov/sites/default/files/cms-new-relic.pdf
Category: Privacy Manager
Purpose and Use: The QPP Website uses Tealium as a solution for the QPP Website staff to manage website tags from a single interface. Specifically, the tool allows CMS to control which third-party tools are enabled/disabled. Tealium, through its Privacy Manager, also allows consumers to choose which types of third-party tools are enabled/disabled during their visit.
How to Opt-Out for this Service:
CMS Third-party Website and Application Privacy Impact Assessment: https://www.hhs.gov/sites/default/files/cms-tealium.pdf
If you opt-out of the tools used by the QPP Website via the Privacy Manager or by opting out of the tools directly, you will still have access to information and resources at the QPP Website.
How the QPP Website uses third-party websites and applications
As a response to OMB Memorandum M-10-06, Open Government Directive, the QPP Website leverages a variety of technologies and social media services to communicate and interact with the public. These third-party websites and applications include popular social networking and media sites, open source software communities, and more.
Your activity on the third-party websites that the QPP Website links to (such as Facebook or Twitter) is governed by the security and privacy policies of those sites. You should review the privacy policies of all websites before using them so that you understand how your information may be used. You should also adjust privacy settings on your account on any third-party website to match your preferences.
Website Analytics Tools:
These tools collect basic site usage information such as: how many visits the QPP Website receives, the pages visited by consumers, time spent on the site, the number of return visits to the site, the approximate location of the device used to access the site, types of devices used, etc. This information is then used to maintain the website including: monitoring site stability, measuring site traffic, optimizing site content, and improving the consumer experience. Use the QPP Website Privacy Manager to opt-out of website analytics tools.
CMS may consider new third-party tools or the use of new third-party websites, but CMS will first assess a tool or website before it is used in connection with the QPP Website. CMS will provide notice to the public before adding any new tool to the QPP Website. These assessments include a description about how information will be collected, accessed, secured, and stored. Risk assessments for third-party websites and applications are available at https://www.hhs.gov/pia/.
Third-party services are web-based technologies that are not exclusively operated or controlled by a government entity, or that involve significant participation of a non-government entity. These services may be separate websites or may be applications embedded within CMS websites. The list of third-party services at https://www.hhs.gov/pia/ has links to third-party privacy policies used by HHS.
How long CMS keeps QPP Website-related data and how it is accessed
CMS will keep data collected long enough to achieve the specified objective for which they were collected. Once the specified objective is achieved, the data will be retired or destroyed in accordance with published draft records schedules of CMS as approved by the National Archives and Records Administration (NARA).
CMS does not store information from cookies on CMS systems. The persistent cookies used with third-party tools on the QPP Website can be stored on a user’s local system and are set to expire at varying time periods depending upon the cookie. CMS assesses whether the expiration date of a cookie exceeds one year and provides an explanation as to why cookies with a longer life are used on the site in the associated Third-Party Website or Application Privacy Impact Assessment(s).
Children and privacy on the QPP Website
We believe in the importance of protecting the privacy of children online. The Children’s Online Privacy Protection Act (COPPA) governs information gathered online from or about children under the age of 13. The QPP Website is not intended to solicit information of any kind from children under age 13. If you believe that we have received information from a child under age 13, please contact the CMS Privacy Officer via e-mail at Privacy@cms.hhs.gov or by telephone at 410-786-5357.
Links to other sites
Non-federal websites do not necessarily operate under the same laws, regulations, and policies as federal websites. Aside from third-party websites highlighted in this privacy notice, CMS is not responsible for the contents of external web pages, and a link to a page does not constitute an endorsement.
To learn more about our policies for linking to sites run by third parties, see How the QPP Website uses third-party websites and applications.
Your Privacy on Social Media Sites
CMS uses Social Media Sites (listed below) in order to increase government transparency, enhance information sharing, promote public participation, and encourage collaboration with the agency.
Please note that Social Media Sites are not government websites or applications; they are controlled or operated by the Social Media Site. CMS does not own, manage, or control social media sites. In addition, CMS does not collect, maintain or disseminate information posted by visitors to those sites. If you choose to provide information to a Social Media Site through registration or other interaction with the site, the use of any information you provide is controlled by your relationship with the Social Media site. For example, any information that you provide to register on Facebook is voluntarily contributed and is not maintained by CMS. This information may be available to CMS Social Media Page Administrators in whole or part, based on a user's privacy settings on the Social Media site. Although you may voluntarily contribute to a Social Media Site with the intent to share the information with others on a CMS Social Media Page, to protect your privacy, please do not disclose personally identifiable information about yourself or others.
Qualitypaymentprogram.cms.gov is not currently using any social media sites as a means to communicate, share information about the program, encourage interaction, or promote participation.
Additional privacy information
If you would like more information about the application of the Privacy Act at CMS, please read the Privacy Act of 1974 located at https://www.cms.gov/Research-Statistics-Data-and-Systems/Computer-Data-and-Systems/Privacy/PrivacyActof1974.html.
Published Date: October 14, 2016