[Federal Register Volume 78, Number 25 (Wednesday, February 6, 2013)]
[Notices]
[Pages 8538-8542]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-02666]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice to establish a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, CMS is establishing a new system of records titled, ``Health 
Insurance Exchanges (HIX) Program,'' to support the CMS Health 
Insurance Exchanges Program established under provisions of the 
Affordable Care Act (PPACA) (Pub. L. 111-148), as amended by the Health 
Care and Education Reconciliation Act of 2010 (Pub. L. 111-152). The 
Health Insurance Exchanges (HIX) Program includes Federally-facilitated 
Exchanges operated by CMS, CMS support and services provided to all 
Exchanges and state agencies administering Medicaid, CHIP and the BHP, 
and CMS administration of advance payment of premium tax credits and 
cost-sharing reductions. The system of records will contain personally 
identifiable information (PII) about certain individuals who apply or 
on whose behalf an application is filed for eligibility determinations 
for enrollment in a qualified health plan (QHP) through an Exchange, 
and for insurance affordability programs. Exchange functions that will 
utilize PII include eligibility, enrollment, appeals, payment processes 
and consumer assistance. The system will also contain information about 
qualified employers seeking to obtain health insurance coverage for its 
qualified employees through a Small Business Health Options Program 
(SHOP). In addition, the system will include PII of marketplace 
assisters, Navigators and Agents/Brokers, their officers, employers and 
contractors; contact information for QHP Issuers seeking certification 
that may contain personally identifiable information of their officers, 
and employees or contractors; employees and contractors of the Exchange 
and CMS. The program and the system of records are more thoroughly 
described in the Supplementary Information section and System of 
Records Notice (SORN), below.

DATES: Effective Dates: Effective 30 days after publication. Written 
comments should be submitted on or before the effective date. HHS/CMS/
CCIIO may publish an amended system of records notice (SORN) in light 
of any comments received.

ADDRESSES: The public should send comments to: CMS Privacy Officer, 
Division of Privacy Policy, Privacy Policy and Compliance Group, Office 
of E-Health Standards & Services, Office of Enterprise Management, CMS, 
Room S2-24-25, 7500 Security Boulevard,

[[Page 8539]]

Baltimore, Maryland 21244-1850. Comments received will be available for 
review at this location, by appointment, during regular business hours, 
Monday through Friday from 9:00 a.m.--3:00 p.m., Eastern Time zone.
    For Information on Health Insurance Exchanges Contact: Karen 
Mandelbaum, JD, MHA, Office of Health Insurance Exchanges, Consumer 
Information and Insurance Systems Group, Center for Consumer 
Information and Insurance Oversight, 7210 Ambassador Road, Baltimore, 
MD 21244, Office Phone: (410) 786-1762, Facsimile: (301) 492-4353, E-
Mail: karen.mandelbaum@cms.hhs.gov

SUPPLEMENTARY INFORMATION:

I. Health Insurance Exchanges Program

    The Affordable Care Act (ACA) requires Exchanges to use a single, 
streamlined application for consumers to use in applying for 
eligibility determinations for enrollment in a QHP through the 
Exchange, for insurance affordability programs, and for certifications 
of exemption from the individual responsibility mandate and penalty. 
The insurance affordability programs that the Exchanges will determine 
eligibility for include: (a) The advance payment of the premium tax 
credits (APTC); (b) cost-sharing reductions (CSR); (c) Medicaid, (d) 
Children's Health Insurance Program (CHIP), and (e) Basic Health Plan 
(BHP), if a BHP is operating in the service area of the Exchange. The 
information requested on the application includes all of the 
information necessary for determining eligibility and enrolling 
individuals and qualified employees in a QHP through the Exchange or 
SHOP and for determining eligibility for insurance affordability 
programs. The applicant must be able to file this application online, 
by telephone, in person or by mail with the entity that is 
administering the eligibility and enrollment functions of the Exchange. 
This eligibility and enrollment process will be conducted in real-time 
through electronic data transfer.
    The applicant/enrollee, the application filer on behalf of other 
applicants, or the authorized representative of the applicant/enrollee 
will be asked to provide the minimum amount of information necessary to 
support the eligibility and enrollment processes of the above listed 
programs. The categories of information requested on the application 
include personal, employment, financial, demographic, and pregnancy 
status and tobacco use. Section 1411 of the Affordable Care Act 
requires verification of the information received from applicants/
enrollees. The information provided by an applicant/enrollee, or by an 
application filer on behalf of other applicants, on the application 
will be matched and verified against data provided by the Internal 
Revenue Service (IRS), Social Security Administration (SSA), Department 
of Homeland Security (DHS), Department of Veterans Affairs 
(VA),Department of Defense (DoD), Peace Corps, and Office of Personnel 
Management (OPM) that is maintained by the Federally-facilitated 
Exchange (FFE). State-based Exchanges (SBEs) will send requests for 
data matching through the Data Services Hub (Hub). Exchanges can also 
permit certain individuals and entities to assist applicants and 
enrollees. These include Navigators, Agents, Brokers and employees, 
agents and contractors of the Exchange (e.g. marketplace assisters).
    Section 1943(b) of the Social Security Act (as amended by Section 
2201 of the Affordable Care Act), as implemented through regulations 
adopted by the Secretary of HHS,\1\ requires that Medicaid and CHIP 
agencies utilize the same streamlined enrollment system and secure 
electronic interface established in Section 1413 to verify information, 
including federal tax information, financial and quarters of coverage 
information held by the Social Security Administration, Social Security 
Number (SSN) and citizenship, needed to make an eligibility 
determination and facilitate a streamlined eligibility and enrollment 
system among all insurance affordability programs. This enrollment 
system and secure electronic interface is the same one developed by HHS 
to comply with sections 1411(c) and 1411(d) of the Affordable Care Act 
for purposes of determining eligibility to enroll in a qualified health 
plan (QHP) through an Exchange State Medicaid, Chip and BHP agencies 
will send requests for data matching through the Data Services Hub 
(Hub).
---------------------------------------------------------------------------

    \1\ 42 CFR 435.948, 435.949.
---------------------------------------------------------------------------

    With respect to determinations of eligibility for Medicaid and 
CHIP, the FFE can make either an assessment of eligibility or a 
determination of eligibility. Unless the FFE assesses an applicant/
enrollee as ineligible for a Medicaid, CHIP or BHP program and the 
applicant/enrollee requests to withdraw his/her application for 
Medicaid, CHIP or BHP, the FFE must notify the State Medicaid or CHIP 
agency and transmit all information obtained or verified by the CMS in 
operation of the FFE via secure electronic interface for that other 
agency to make a full determination of eligibility under those programs 
and provide the applicant with coverage.
    When applicants/enrollees receive a determination that they are 
qualified to enroll in a QHP and have chosen a QHP to enroll in, the 
Exchange will notify the QHP Issuers of individual enrollment 
selections and transmit the information necessary to implement, 
discontinue or modify enrollment and/or the level of payments processed 
and received through the APTC and CSR programs and information 
regarding the premium payments due from the enrollees.
    Enrollees are required to update information that would impact 
their eligibility status, and an Exchange will perform mid-year 
redeterminations using the same system used for initial determinations 
of eligibility when it receives updated information regarding an 
enrollee either directly from the enrollee or through a periodic 
examination of data sources. The Secretary along with the other 
appropriate agencies will establish an appeals process for individuals 
and employers when eligibility is denied as a result of inconsistencies 
between the information obtained from applicants/enrollees and 
employers and information and data verified through the Exchange. CMS 
will also process enrollment and payment transactions to facilitate 
APTC payments for all Exchanges; SBEs will send this information to CMS 
through the Hub. The FFE will store eligibility and enrollment records, 
system user records, appeals records, consumer services records and 
SHOP employer records for all Exchanges. The Hub will be a pass-through 
for SBEs for providing information from applicants/enrollees to CMS and 
for the FFE to share data with SBEs, Medicaid, CHIP and BHP agencies.
    Each Exchange, including the FFE, will establish a SHOP to assist 
qualified employers and facilitate the enrollment of qualified 
employees into QHPs. Eligibility determinations are not made on the 
individual level in a SHOP; rather, the information that an employer is 
required to provide about employees includes, the name and address of 
the employer, number of employees, Employer Identification Number 
(EIN), and list of qualified employees and their tax ID numbers.
    The FFE will be responsible for performing oversight functions with 
respect to issuer compliance with market-wide and Exchange specific 
standards in connection with QHPs certified by the FFE. The FFE will 
require QHP Issuers to submit, as requested by the FFE, certified 
financial information including information

[[Page 8540]]

related to ownership and control and information demonstrating that the 
issuer is fiscally sound, information that is necessary to administer 
and evaluate the program, including but not limited to, enrollee 
complaints against the QHP issuer and their disposition, enrollee 
appeals and their disposition, formal actions, reviews, findings or 
other similar actions by States, other regulatory bodies or any other 
certifying or accrediting organization, and any other information 
deemed necessary by the FFE for the administration of the FFE or 
certification of QHPs. In addition, the FFE will require qualified 
health plans to periodically report the activities that the health plan 
has implemented in order to improve health outcomes.
    CMS will also administer the administration of advance payment of 
premium tax credits and cost-sharing reductions for all Exchanges. The 
PII that will be collected, disclosed and used as part of this 
administration includes QHP enrollment, premium payment information, 
and information about cost-sharing payments necessary to reconcile 
estimates of cost-sharing reductions with actual cost-sharing 
reductions.

II. The Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the 
United States Government collects, maintains, and uses PII in a system 
of records. A ``system of records'' is a group of any records under the 
control of a Federal agency from which information about individuals is 
retrieved by name or other personal identifier. The Privacy Act 
requires each agency to publish in the Federal Register a system of 
records notice (SORN) identifying and describing each system of records 
the agency maintains, including the purposes for which the agency uses 
PII in the system, the routine uses for which the agency discloses such 
information outside the agency, and how individual record subjects can 
exercise their rights under the Privacy Act (e.g., to determine if the 
system contains information about them).
SYSTEM NUMBER:
    09-70-0560

SYSTEM NAME:
    Health Insurance Exchanges (HIX) Program, HHS/CMS/CCIIO

SECURITY CLASSIFICATION:
    Unclassified

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850, Health Insurance Exchanges 
Program (HIX) locations, and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system will contain personally identifiable information (PII) 
about the following categories of individuals who participate in or are 
involved with the CMS Health Insurance Exchanges Program: (1) Any 
applicant/enrollee who applies, or on whose behalf an application is 
filed, for an eligibility determination for a qualified health plan 
(QHP) through an Exchange, insurance affordability program, or for a 
certification of exemption; (2) Navigators, Agents, Brokers, 
individuals or entities that are required to register with an Exchange 
prior to assisting qualified individuals to enroll in QHPs through the 
Exchange; (3) officers, employees and contractors of the Exchange; (4) 
employees and contractors of CMS (e.g. marketplace assisters, appeals 
staff); (5) contact information and business identifying information of 
QHPs seeking certification; (6) persons employed by or contracted with 
an Exchange organization who provide home or personal contact 
information; and (7) any qualified employer and the qualified employees 
whose enrollment in a QHP is facilitated through a Small Business 
Health Options Program (SHOP).

CATEGORIES OF RECORDS IN THE SYSTEM:
    Information maintained in this system for individual applicant/
enrollees includes, but may not be limited to, the applicant's first 
name, last name, middle initial, mailing address or permanent 
residential address (if different from the mailing address), date of 
birth, Social Security Number (if the applicant has one), taxpayer 
status, gender, ethnicity, residency, email address, and telephone 
number. The system will also maintain information that will verify the 
information provided by the individual/enrollee or by the application 
filer on behalf of other applicants that will enable a decision about 
an applicant's eligibility. The system will collect and maintain 
information that the applicant or the application filer on behalf of 
other applicants submits pertaining to (1) his or her citizenship or 
immigration status, because only individuals who are citizens or 
nationals of the U.S. or lawfully present are eligible to enroll; (2) 
enrollment in Federally funded minimum essential health coverage (e.g. 
Medicare, Medicaid, Federal Employees Health Benefit Program (FEHBP), 
Veterans Health Administration (Champ VA), Children's Health Insurance 
Program (CHIP), Department of Defense (TRICARE), Peace Corps); (3) 
incarceration status; (4) Indian status; (5) enrollment in employer-
sponsored coverage; (6) requests for and accompanying documentation to 
justify receipt of individual responsibility exemptions, including 
membership in a certain type of recognized religious sect or health 
care sharing ministry; (7) employer information; (8) status as a 
veteran; (9) limited health status information (pregnancy status, 
blindness, disability status); and (10) household income, including tax 
return information from the IRS, income information from the Social 
Security Administration, and financial information from other third 
party sources. Information will also be maintained with respect to the 
applicant's enrollment in a QHP through the Exchange, the premium 
amounts and payment history.
    With respect to qualified employers and the qualified employees 
utilizing SHOP, the information maintained in the system includes but 
may not be limited to the name and address of the employer, number of 
employees, Employer Identification Number (EIN), and list of qualified 
employees and their tax ID numbers.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The HIX program implements recent health care reform provisions of 
the Patient Protection and Affordable Care Act (PPACA) (Pub. L. 111-
148) as amended by the Health Care and Education Reconciliation Act of 
2010 (Pub. L. 111-152) collectively the Affordable Care Act. Title 42 
U.S.C. 18031, 18041, 18081--18083 and section 1414 of the Affordable 
Care Act.

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to collect, create, use and disclose 
PII on individuals who apply for eligibility determinations for 
enrollment in a qualified health plan through the Exchange, for 
insurance affordability programs,\2\ and for certifications of 
exemption from the individual responsibility requirement and; and as 
needed to perform the Exchange minimum functions in 45 CFR 155.200; and 
to maintain records used to support all Health Insurance Exchanges 
under

[[Page 8541]]

the HIX Program established by CMS. The system will collect, create, 
use and disclose PII that will enable HHS to perform oversight and 
enforcement activities of QHP Issuers offering qualified health plans 
through the FFE. In addition, HHS, and any contractors assisting HHS, 
will use PII from the system to assist in accomplishing CMS functions 
relating to the purposes of this collection and who need to have access 
to the records in order to assist CMS.
---------------------------------------------------------------------------

    \2\ The insurance affordability programs are: (a) The advance 
payment of the premium tax credits (APTC); (b) cost-sharing 
reductions (CSR); (c) Medicaid, (d) Children's Health Insurance 
Program (CHIP), and (e) Basic Health Plan (BHP), if a BHP is 
operating in the service area of the Exchange.
---------------------------------------------------------------------------

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM
A. Entities Who May Receive Disclosures Under Routine Use
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
release information from the HIX without the consent of the individual 
to whom such information pertains. Each proposed disclosure of 
information under these routine uses will be evaluated to ensure that 
the disclosure is legally permissible, including but not limited to 
ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We are establishing 
the following routine use disclosures of information maintained in the 
system:
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this collection and who need to 
have access to the records in order to assist CMS.
    2. To disclose information to another Federal agency, agency of a 
State government, a non-profit entity operating an Exchange for a 
State, an agency established by State law, or its fiscal agent to (A) 
make eligibility determinations for enrollment in a QHP through an 
Exchange, insurance affordability programs, and certifications of 
exemption from the individual responsibility requirement, (B) to carry 
out the HIX Program, and (C) to perform functions of an Exchange 
described in 45 CFR 155.200, including notices to employers under 
section 1411(f) of the Affordable Care Act.
    3. To disclose information about applicants in order to obtain 
information from other Federal agencies that help CMS, pursuant to 
agreements with CMS, to determine the eligibility of applicants to 
enroll in QHPs through an Exchange, in insurance affordability 
programs, or for a certification of exemption from the individual 
responsibility requirement.
    4. To assist a CMS contractor (including, but not limited to 
Medicare Administrative Contractors, fiscal intermediaries, and 
carriers) that assists in the administration of a CMS-administered 
health benefits program, or to a grantee of a CMS-administered grant 
program, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud, waste or abuse in such program.
    5. To assist another Federal agency or an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers, or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs.
    6. To assist appropriate Federal agencies and CMS contractors and 
consultants that have a need to know the information for the purpose of 
assisting CMS' efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this 
system of records, provided that the information disclosed is relevant 
and necessary for that assistance.
    7. To assist the U.S. Department of Homeland Security (DHS) cyber 
security personnel, if captured in an intrusion detection system used 
by HHS and DHS pursuant to the Einstein 2 program.
    8. To provide information about applicants to application filers, 
who are filing on behalf of those applicants, when relevant and 
necessary to determine eligibility to enroll in QHPs or in insurance 
affordability programs.
    9. To QHP issuers for purposes of administering advance payment of 
premium tax credits and cost-sharing reductions.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM--
STORAGE:
    Electronic records will be stored on both tape cartridges (magnetic 
storage media) and in a relational database management environment 
(DASD data storage media). Any hard copies of program related records 
containing PII at CMS and contractor locations will be kept in secure 
hard-copy file folders locked in secure file cabinets during non-duty 
hours.

RETRIEVABILITY:
    The records will be retrieved electronically by a variety of 
fields, including but not limited to first name, last name, middle 
initial, date of birth, or Social Security Number (SSN).

SAFEGUARDS:
    Personnel having access to the system have been trained in the 
Privacy Act and information security requirements. Employees who 
maintain records in this system are instructed not to release data 
until the intended recipient agrees to implement appropriate 
management, operational and technical safeguards sufficient to protect 
the confidentiality, integrity and availability of the information and 
information systems and to prevent unauthorized access.
    Access to records in the HIX Database system will be limited to 
authorized CMS personnel and contractors through password security, 
encryption, firewalls, and secured operating system. Any electronic or 
hard copies of records containing PII at CMS, exchanges and contractor 
locations will be kept in secure electronic files or in hard-copy file 
folders locked in secure file cabinets during non-duty hours.

RETENTION AND DISPOSAL:
    Records are maintained with identifiers for all transactions for a 
period of 10 years after they are entered into the system. Records are 
housed in both active and archival files in accordance with CMS data 
and document management policies and standards.

SYSTEM MANAGER AND ADDRESS:
    Director, Consumer Information and Insurance Systems Group, Center 
for Consumer Information and Insurance Oversight, Centers for Medicare 
& Medicaid Services, 7501 Wisconsin Ave, 9th Floor, Bethesda, MD 20814.

NOTIFICATION PROCEDURE:
    An individual record subject who wishes to know if this system 
contains records about him or her should write to the system manager 
who will require the system name, and for verification purposes, the 
subject individual's name (woman's maiden name, if applicable), and SSN 
(furnishing the SSN is voluntary, but it may make searching for a 
record easier and prevent delay).

RECORD ACCESS PROCEDURE:
    An individual seeking access to records about him or her in this 
system should use the same procedures outlined in Notification 
Procedures above. The requestor should also reasonably specify the 
record contents being sought. (These procedures are in

[[Page 8542]]

accordance with Department regulation 45 CFR 5b.5 (a) (2).)

CONTESTING RECORD PROCEDURES:
    To contest a record, the subject individual should contact the 
system manager named above, and reasonably identify the record and 
specify the information being contested. The individual should state 
the corrective action sought and the reasons for the correction with 
supporting justification. (These procedures are in accordance with 
Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    Personally identifiable information in this database is obtained 
from the application submitted by or on behalf of individuals/
applicants seeking eligibility determinations, from qualified employers 
and other employers who provide employer-sponsored coverage, from other 
Federal and state agencies needed to make eligibility determinations, 
from marketplace assisters facilitating the eligibility and enrollment 
processes, from QHPs, from State-based Exchanges that provide 
information to perform the statutory functions, from states 
participating in State Partnership Exchanges pursuant to the State 
Partnership Memorandum of Understanding, and from third party data 
sources to determine eligibility as described in this notice.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:
    None

    Dated: January 31, 2013.
Michelle Snyder,
Deputy Chief Operating Officer, Centers for Medicare & Medicaid 
Services.
[FR Doc. 2013-02666 Filed 2-5-13; 8:45 am]
BILLING CODE 4120-03-P