1. Privacy and Security Laws Beyond HIPAA: Protecting Consumer Information Webinar Presented by Laura Bird January 29, 2014 1

2. Module Contents Introduction Privacy and Security of Personally Identifiable Information under the Affordable Care Act Privacy and Security of Federal Tax Information under the Tax Code Other Requirements on Certified Application Counselors and Navigators under Agreements with the Centers for Medicare & Medicaid Services Authorized Representative Designation & Privacy Other Considerations & Guidance 2

3. Introduction 3

4. Acronyms AcronymMeaning ACAAffordable Care Act CACCertified Application Counselor CDOCertified Designated Organization CMSCenters for Medicare & Medicaid Services FFMFederally Facilitated Marketplace FTIFederal Tax Information HIPAAHealth Insurance Portability and Accountability Act IRSInternal Revenue Service PHIProtected Health Information PIIPersonally Identifiable Information QHPQualified Health Plan 4

5. Why is Protecting Consumer Information Important? Besides the fact that it can harm a person personally and financially… Purpose of Marketplace is to help people get insured. Enrollment assisters have a key role in protecting information. Disclosure can result in civil and criminal penalties. 5

6. Enrollment Assisters Types – Navigators – Non-Navigator Assister Personnel – Certified Application Counselors – Authorized Representatives – Outreach and Enrollment Workers – Agents and Brokers (not discussed here) Enrollment Assisters will need to be familiar with applicable privacy and security laws beyond HIPAA in providing assistance to consumers. 6

7. Enrollment Assisters & Privacy Enrollment assisters who assist consumers apply for coverage will have access to a consumer’s personal information. Enrollment assisters are bound by the ACA, as well as other privacy laws, to protect consumer information that the enrollment assister may be exposed to and have a duty to ensure that it’s not used or shared in a harmful way. 7

8. Privacy and Security of PII Under The ACA 8

9. Compliance with HIPAA is not Enough I/T/Us are required to comply with the HIPAA Privacy, Security and Breach Notification Rules as to the PHI created, maintained, or transmitted. The ACA privacy and security standards are broader than HIPAA. Complying with HIPAA is not enough to comply with ACA privacy and security standards. 9

10. Eight ACA Privacy and Security Standards 1.Individual access 2.Correction 3.Openness and transparency 4.Individual choice 5.Collection, use and disclosure limitations 6.Data quality and integrity 7.Safeguards 8.Accountability 10

11. Confidentiality of Consumer’s PII Under the ACA A consumer is required to provide only the information strictly necessary to verify identity, determine eligibility for insurance, and determine the amount of the tax credit or cost sharing reduction. Any person (including enrollment assisters) who receives information provided by an applicant or from a Federal agency shall use the information only for the purpose of ensuring efficient operation of the Marketplace and shall not disclose the information to any other person. See Section 1411(g) of the Affordable Care Act. 11

12. What is the Penalty for Disclosing PII? A “….person who knowingly and willfully uses or discloses information in violation of section 1411 (g) of the Affordable Care Act will be subject to a civil penalty of not more than $25,000 per person or entity, per use or disclosure, in addition to other penalties that may be prescribed by law.” 45 C.F.R. § 155.260(g). 12

13. Examples of Information Considered PII Under the ACA NameBiometric Records (e.g., height, weight, etc.) Medical Information Social Security NumberPhone NumberEducational Information Date and Place of BirthAddressFinancial Information Mother’s Maiden NameDriver’s License NumberEmployment Information 13 *These are only examples, the CMS Agreements include a long list of the types of PII a Navigator or CAC may receive.

14. Non-Exchange Entity A Marketplace must require the same or more stringent privacy and security standards as a condition of an agreement with a Non- Exchange entity. A Non-Exchange entity specifically includes Navigators, CACs and agents and brokers. A Tribe or organization with Outreach and Enrollment Workers may be considered a Non- Exchange entity. 14

15. Non-Exchange Entity (cont’d) A Non-Exchange entity is not specifically defined in the regulations but refers to: “…Individuals or entities, such as Navigators, agents, and brokers, that: (1) Gain access to personally identifiable information submitted to the Exchange; or (2) Collect, use or disclose personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing the functions outlined in the agreement with the Exchange….” 15

16. Applicable Laws and Requirements Type of Enrollment AssisterApplicable ACA Security and Privacy Laws and Other Requirements NavigatorsSection 1411 (g); 45 C.F.R. 155.210; 45 C.F.R. § 155.260; CMS Agreement with Attachments; and MARS-E Suite of Documents Non-Navigator Personnel Assistance (In Person Assisters) Section 1411 (g); 45 C.F.R. § 155.260; State Marketplace Agreement (if applicable) Certified Assistance Counselors Section 1411 (g); 45 C.F.R. § 155.225; 45 C.F.R. § 155.260; CMS Agreement with Appendices; and MARS-E Suite of Documents Authorized RepresentativesSection 1411(g) 45 C.F.R. § 155.227; and Authorized Representative Designation Form Outreach and Enrollment Workers Section 1411(g); likely considered a Non-Exchange entity subject to the same laws as CACs. 16

17. Oversight of ACA Privacy and Security Standards HHS has oversight and monitors:State has oversight and monitors: Federally-facilitated Marketplaces State Partnership Marketplaces Non-Exchange Entities in an FFM State-based Marketplaces Non-Exchange Entities in a State-based Marketplace Caveat: If your Tribe or organization entered into an agreement with the State then your Tribe or organization may have agreed to comply with other state privacy and security laws. 17

18. Section Summary: What You Need to Know You must keep the consumer’s information confidential, never disclose information to others. Under ACA, there are civil penalties for disclosure of confidential information. Critical to maintain consumer’s trust! 18

19. Questions ??? 19

20. Privacy and Security of FTI under The Tax Code 20

21. Under the Tax Code The ACA regulations incorporate reference to the Tax Code. Under the Tax Code, if you have access to Federal Tax Information (FTI) from the IRS or a secondary source to carry out consumer eligibility requirements for premium tax credits or any cost sharing reduction, or eligibility in a State Medicaid Program, CHIP or basic health program, you are bound not to disclose FTI obtained in any manner in connection with the service provided to the consumer. FTI includes returns and return information and must be kept confidential. 21

22. Federal Tax Information (FTI) FTI is any return or return information received from the IRS or a secondary source. ReturnReturn Information Any tax or information return (e.g., 1040, 1040A, 1040EZ, etc.), including forms such as W-2s and 1099s. Declaration of estimated tax Claim for refund Any amendment or supplement Supporting schedules, attachments or lists which are part of the return Any information collected or generated by the IRS regarding any person’s liability or possible liability for any tax, penalty, interest, fine, forfeiture, or offense Information extracted from a return, including dependents or location of business The taxpayer’s name, address, and identification number (e.g., SSN or EIN) Information collected about any person’s tax matters Information about a person’s income, finances, debts, deductions and exemptions 22

23. FTI Available through Marketplaces Under the Tax Code Taxpayer identity information Filing status (single, married, etc.) The number of individuals for whom a deduction is allowed The taxpayer’s modified adjusted gross income (MAGI) The taxable year of the information, or that such information is not available. Other information that might indicate whether an individual is eligible for the premium tax credit, or cost sharing reductions, and the amount. 23

24. Protecting FTI Do not retain the FTI after the enrollment session is over. Never access FTI if the information is not needed for the consumer’s enrollment. If you have access to a consumer’s FTI, do not disclose the FTI. Criminal penalties and civil liability can result from unauthorized access or disclosure of FTI. 24

25. What is Considered Unauthorized Access? Unauthorized access occurs when an entity or individual receives or has access to FTI without authority. Criminal penalty: Misdemeanor punishable by a fine of up to $1,000, or imprisonment of not more than one year, or both, plus the costs of prosecution. Civil liability: A taxpayer may sue the employee or assister for damages. 25

26. What is Considered Unauthorized Disclosure? Unauthorized disclosure occurs when an entity or individual with authorization to receive FTI discloses FTI to another entity or individual who does not have the authority and a need-to-know. Criminal penalty: Felony punishable by a fine of up to $5,000, or imprisonment of not more than one year, or both, plus the costs of prosecution. Civil liability: A taxpayer may sue the employee or assister for damages. 26

27. Section Summary: What You Need to Know FTI is only that information received directly from the IRS or through a secondary source. Never retain FTI after the enrollment session ends. Even if you receive the return or return information from a consumer directly to assist with an application, do not keep this information in your files and make sure to return it to the consumer. 27

28. Questions ??? 28

29. Other Requirements on Navigators and CACs under CMS Agreement 29

30. Additional Navigator and CAC Requirements Navigators and CACs are subject to six categories of privacy and security standards that the Navigator or CAC organization agreed to with CMS, including any attachments and referenced documents. – Note: Links to the documents are provided in the next slide. As a Navigator or CAC, you may be required to sign an agreement with your employer to perform your duties as a Navigator or CAC. Recommendation: These standards should also be followed by I/T/Us not under a formal agreement with CMS or a Marketplace as minimal standards to ensure the protection of consumer information. 30

31. Links to Referenced Documents Model Navigator Assistance Consent Form in FFM, available at http://oci.wi.gov/navigator/navigator-consent.pdf http://oci.wi.gov/navigator/navigator-consent.pdf Model CAC Authorization Form in FFM, available at http://enrollmentloop.org/sites/default/files/helpimages/CAC%20C onsent%20Form.pdf http://enrollmentloop.org/sites/default/files/helpimages/CAC%20C onsent%20Form.pdf Appendices to Model Agreement Between CAC and Organization in FFM, available athttp://revcycle.med.umich.edu/sites/default/files/Appendices%2 0to%20the%20CDO- CAC%20Model%20Agreement%20%282%29.pdfhttp://revcycle.med.umich.edu/sites/default/files/Appendices%2 0to%20the%20CDO- CAC%20Model%20Agreement%20%282%29.pdf MARS-E Suite of Documents, available at http://www.cms.gov/cciio/resources/regulations-and- guidance/#MinimumAcceptableRiskStandards http://www.cms.gov/cciio/resources/regulations-and- guidance/#MinimumAcceptableRiskStandards 31

32. 6 Categories of Privacy and Security Standards 1- Individual Access: – Organization must have policies and procedures in place to provide consumers with access to PII upon request. – Organization must respond to a request for access and grant or deny request within 30 days. 2- Openness & Transparency: – Organization must provide a Privacy Notice Statement that is prominently and conspicuous displayed on a public facing website (if applicable), or in electronic form and/or paper form that will be used to gather and/or request PII. 32

33. 6 Categories of Privacy and Security Standards (cont’d) 3- Individual Choice: – Organization may only use PII for the functions and purposes listed in the Privacy Notice Statement and any agreements that were in effect when PII was collected unless the consumer’s informed consent is obtained. The consent must be appropriately secured and retained for 10 years. 4- Collection, use and disclosure limitations: – Organization should always try to collect PII directly from the consumer when information may result in an adverse determination about benefits. 33

34. 6 Categories of Privacy and Security Standards (cont’d) 5- Data quality & integrity: – Organization must allow a consumer the right to amend, correct, substitute or delete PII. Such request must be granted or denied within 10 working days of request. – Organization must verify consumer’s identity. – Organization must maintain an accounting of any and all disclosures for at least 10 years after the disclosure, or the life of the record, whichever is longer. 34

35. 6 Categories of Privacy and Security Standards (cont’d) 6- Accountability: – Organization must implement breach and incident handling procedures. – Organization shall incorporate privacy and security standards and implementation procedures in its standard operating procedures as to PII. – Organization shall develop training and awareness programs for members of its workforce involved with PII. – Organization shall adopt and implement Security Control Standards. 35

36. Model Consent Form Templates Navigator Model Consent FormCAC Model Consent Form Selected privacy and security standards: “[Navigator] will make sure that my PII is kept private and secure…” “Navigator should not maintain or store any of my PII…” “Navigator will make sure that any stored PII is kept private and secure…” “If [Navigator] does collect, handle, disclose, access, maintain, store and/or use my PII….[Navigator] will keep that PII private and secure.” Selected privacy and security standards: [CAC] will follow privacy and information security standards when creating, collecting, disclosing, accessing, maintaining, storing and/or using my PII….Information about these standards will be provided.” [CAC] aren’t expected or required to maintain or store any of my PII and/or the PII of my authorized representative, other than this authorization form, but if [CAC] do maintain or store my PII, they will follow privacy and information security standards.” 36 Note: See slide #31 for links to these consent forms.

37. Consent Form Modifications Mailing Documents for Consumers – CMS Training: The best practice discourages mailing of applications by CAC. See Privacy and Security Standards, Course 13. – Best practice is to ask the consumer to mail the application him/herself. – However, where consumer may be unable to accomplish this task, you could have a separate consent form allowing the organization/assister to mail the application releasing the organization/assister from liability. 37

38. Section Summary: What You Need to Know Always provide a Privacy Notice Statement to consumer. Always obtain a consent form before assisting a consumer. Always obtain informed consent (separate form) for any use or disclosure of consumer’s information outside of the Privacy Notice Statement. Consents must be kept for 10 years. Keep track of any disclosures made as to consumer’s information. Must be kept for 10 years. Report any breaches of the consumer’s PII or FTI. 38

39. Questions ??? 39

40. Authorized Representative Designation & Privacy 40

41. What is an Authorized Representative? An authorized representative is a person or organization authorized by a consumer to assist the consumer with his or her application and enrollment in insurance in the Marketplace. – An authorized representative should have authority to also work with the QHP, but a separate form could be required. A consumer should select a person or organization that the consumer trusts to act as his or her representative since this person will have access to the consumer’s PII. The FFM paper application allows a consumer to name an authorized representative, but it may be done through the electronic application. A consumer may revoke a designation at any time. 41

42. Duties of Authorized Representative An authorized representative may be authorized to: – Sign the application on behalf of the consumer – Submit an update or respond to a redetermination for the consumer – Receive copies of the consumer’s notices and other communications from the Marketplace; and – Act on behalf of the consumer in other matters with the Marketplace. See 45 C.F.R. § 155.227(c). 42

43. Requirements of Authorized Representative Designation Must be in a written document signed by consumer, or through another legally binding format. Marketplace must ensure that the “…authorized representative agrees to maintain, or be legally bound to maintain, the confidentiality of any information…” regarding the consumer. Marketplace must ensure that the representative is responsible for fulfilling all required duties. Marketplace must provide information to both the consumer and the authorized representative regarding representative’s powers and duties. See 45 C.F.R. § 155.227(a)(2)-(5). 43

44. Timing of Designation The Marketplace must permit a consumer to designate an authorized representative: – At the time of the application; or – At other times and methods, including: Via an internet website By telephone through a call center By mail In person See 45 C.F.R. 155.227(b), 155.405(c)(2). 44

45. Language in FFM Paper Application By signing an authorized representative designation, a consumer gives the representative: – Permission to talk about the consumer’s application with the Marketplace – See consumer’s information – Act on consumer’s behalf on matters related to the application, including obtaining information about consumer’s application – Sign the application on consumer’s behalf. 45

46. Authorized Representative Designation in Selected State-based Marketplaces StateAuthorized Representative Form COPart of application. Same terms as FFM designation, but adds that authorized representative takes legal responsibility for the information provided in the application. Note: Specifically states that an enrollment assister can act as an authorized representative but must provide documentation that consumer cannot act on own behalf. MASeparate form explaining in detail who may be selected as an Authorized Representative and includes additional terms and disclosures. Available at: http://www.mass.gov/eohhs/docs/masshealth/privacy/ard.pdf. MNPart of application. Same language as FFM designation. NVSeparate form with additional terms and disclosures. No link but can be googled, enter “Consent for Facilitated Enrollment by An Authorized Representative.” ORSeparate form with the same language as FFM but additional language at signature line states that Authorized Representative understands that he/she is liable for repayment of an overpayment if he/she knowingly withholds information or gives incorrect or incomplete information. Available at http://resources.coveroregon.com/pdfs/Consent_for_Assistance_Form.pdf. 46

47. Authorized Representative v. CAC ConsiderationI/T/U Authorized Representative I/T/U CAC TrainingMay not be formally trained on Marketplace enrollment process. Certified to assist consumers in the State. Familiar with process. Privacy and Confidentiality No specific training on privacy and confidentiality of consumer information beyond HIPAA. Received specific training on privacy and confidentiality of consumer information in Marketplace. Applicable ACA Laws and Regulations Section 1411 (g); 45 C.F.R. § 155.227 Section 1411 (g) 45 C.F.R. §§ 155.225, 155.260 Other Requirements If within an I/T/U, privacy practices would apply in handling PHI. Compliance with all terms in organization’s agreement with CMS, including any attachments and referenced documents. Access to Information Complete access to consumer information. Potentially less access to consumer information. 47

48. Can a CAC also be an Authorized Representative? Yes. A CAC can also be designed as a consumer’s authorized representative. 48

49. Section Summary: What You Need to Know Authorized representatives must agree to maintain confidentiality of consumer information. Best practice for authorized representatives within an I/T/U would be to follow the same or similar standards as Navigators and CACs under CMS Agreements. 49

50. Other Considerations & Guidance 50

51. Tribal Sponsorship Considerations Tribes involved in Tribal Sponsorship of QHPs in the Marketplace should only collect and retain information solely for the purpose of administrating the program. – May include very sensitive information, such as claims data or other medical information. Follow the same six privacy and security standards previously discussed (see slides 32-35). – Make sure to tailor Privacy Notice Statement and consent forms to Tribal Sponsorship. 51

52. General Guidance on Physical and Electronic Protection of Information Secure PII in a locked file cabinet, and limit access. Password protect computers and electronic files containing consumer information, and limit access. Never email PII/FTI, or request this information via email. Do not keep notes with a consumer’s PII/FTI. Never leave consumer information unattended on your desk or computer screen. 52

53. Questions ??? 53