Department of Health and Human Service clarifies Marketplace privacy and security standards
Dec. 20, 2013
This Reform Alert is an update to the Aug. 25, 2013, Reform Alert: HHS issues proposed rule on Marketplace monitoring of privacy and security standards
On Nov. 25, the Department of Health and Human Services (HHS) issued guidance clarifying privacy and security standards on the Marketplace. The clarification was necessary because existing language regarding the use or disclosure of personally identifiable information (PII) limits the ability of the Marketplace to operate efficiently. The notice permits the Marketplace to use or disclose eligibility and enrollment PII to ensure the efficient operation of the Marketplace, subject to privacy and security standards. Prior to the Marketplace using an individual’s PII, the individual would need to provide consent.
The Marketplace may seek approval from HHS to use and disclose eligibility and enrollment PII not explicitly described within the law. Requestors must show the proposed use or disclosure will ensure efficient operation of the Marketplace and how the information will be protected by privacy and security standards. Anytime the Marketplace utilizes this process, the individual must provide consent.
HHS intends to provide future guidance defining efficient operation of the Marketplace while maintaining privacy and security. It is currently taking comments on such uses and disclosures.
The proposed notice also more clearly defines “non-Marketplace entities” as any individual or entity that gains access to PII submitted to the Marketplace or collects, uses, or discloses PII gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing the functions agreed to with the Marketplace.
This definition is based on the access to PII rather than an exhaustive list of entities. Based on this definition, the following entities would qualify as “non-Marketplace entities:”
- Medicaid agencies
- CHIP agencies
- Certified application counselors
- In-person assisters
- QHP issuers
- Other third party contractors
The proposal adds more detail regarding the contracts that non-Marketplace entities must enter into with the Marketplace, including the following five required requirements:
- A description of the functions to be performed by the non-Marketplace entity
- A provision binding the non-Marketplace entity to comply with the privacy and security standards that apply to the entity
- A provision requiring the non-Marketplace entity to monitor, periodically assess, and update its security controls and related system risks to ensure the continued effectiveness of those controls
- A provision requiring the non-Marketplace entity to inform the Marketplace of any change in its administrative, technical, or operational environments defined as material within the contract
- A provision that requires the non-Marketplace entity to bind any downstream entities1 to the same privacy and security standards and obligations to which the non-Marketplace entity has agreed in its contract or agreement with the Marketplace.
- The environment in which the non-Marketplace entity is operating
- Whether the standards are relevant and applicable to the non-Marketplace entity’s duties and activities in connection with the Marketplace
- Any existing legal requirements to which the non-Marketplace entity is bound in relation to its administrative, technical, and operational controls and practices, including but not limited to, its existing data handling and information technology processes and protocols.
Where can I find more information?
More information can be found at HHS issues the draft notice of benefit and payment parameters for 2015.
1 A downstream entity is any party that enters into an agreement for purposes of providing administrative or health care services related to the agreement signed between that entity and the QHP issuer - contractors and sub-contractors included.
The information in this document is based on preliminary review of the national health care reform legislation and is not intended to impart legal advice. The federal government continues to issue guidance on how the provisions of national health reform should be interpreted and applied. The impact of these reforms on individual situations may vary. This overview is intended as an educational tool only and does not replace a more rigorous review of the law’s applicability to individual circumstances and attendant legal counsel and should not be relied upon as legal or compliance advice. As required by US Treasury Regulations, we also inform you that any tax information contained in this communication is not intended to be used and cannot be used by any taxpayer to avoid penalties under the Internal Revenue Code.
Any agreement between the Marketplace and a non- Marketplace entity must also take the following into consideration with respect to privacy and security requirements: