[Federal Register Volume 78, Number 25 (Wednesday, February 6, 2013)]
[Notices]
[Pages 8538-8542]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-02666]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
Privacy Act of 1974
AGENCY: Department of Health and Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice to establish a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, CMS is establishing a new system of records titled, ``Health
Insurance Exchanges (HIX) Program,'' to support the CMS Health
Insurance Exchanges Program established under provisions of the
Affordable Care Act (PPACA) (Pub. L. 111-148), as amended by the Health
Care and Education Reconciliation Act of 2010 (Pub. L. 111-152). The
Health Insurance Exchanges (HIX) Program includes Federally-facilitated
Exchanges operated by CMS, CMS support and services provided to all
Exchanges and state agencies administering Medicaid, CHIP and the BHP,
and CMS administration of advance payment of premium tax credits and
cost-sharing reductions. The system of records will contain personally
identifiable information (PII) about certain individuals who apply or
on whose behalf an application is filed for eligibility determinations
for enrollment in a qualified health plan (QHP) through an Exchange,
and for insurance affordability programs. Exchange functions that will
utilize PII include eligibility, enrollment, appeals, payment processes
and consumer assistance. The system will also contain information about
qualified employers seeking to obtain health insurance coverage for its
qualified employees through a Small Business Health Options Program
(SHOP). In addition, the system will include PII of marketplace
assisters, Navigators and Agents/Brokers, their officers, employers and
contractors; contact information for QHP Issuers seeking certification
that may contain personally identifiable information of their officers,
and employees or contractors; employees and contractors of the Exchange
and CMS. The program and the system of records are more thoroughly
described in the Supplementary Information section and System of
Records Notice (SORN), below.
DATES: Effective Dates: Effective 30 days after publication. Written
comments should be submitted on or before the effective date. HHS/CMS/
CCIIO may publish an amended system of records notice (SORN) in light
of any comments received.
ADDRESSES: The public should send comments to: CMS Privacy Officer,
Division of Privacy Policy, Privacy Policy and Compliance Group, Office
of E-Health Standards & Services, Office of Enterprise Management, CMS,
Room S2-24-25, 7500 Security Boulevard,
[[Page 8539]]
Baltimore, Maryland 21244-1850. Comments received will be available for
review at this location, by appointment, during regular business hours,
Monday through Friday from 9:00 a.m.--3:00 p.m., Eastern Time zone.
For Information on Health Insurance Exchanges Contact: Karen
Mandelbaum, JD, MHA, Office of Health Insurance Exchanges, Consumer
Information and Insurance Systems Group, Center for Consumer
Information and Insurance Oversight, 7210 Ambassador Road, Baltimore,
MD 21244, Office Phone: (410) 786-1762, Facsimile: (301) 492-4353, E-
Mail: [email protected]
SUPPLEMENTARY INFORMATION:
I. Health Insurance Exchanges Program
The Affordable Care Act (ACA) requires Exchanges to use a single,
streamlined application for consumers to use in applying for
eligibility determinations for enrollment in a QHP through the
Exchange, for insurance affordability programs, and for certifications
of exemption from the individual responsibility mandate and penalty.
The insurance affordability programs that the Exchanges will determine
eligibility for include: (a) The advance payment of the premium tax
credits (APTC); (b) cost-sharing reductions (CSR); (c) Medicaid, (d)
Children's Health Insurance Program (CHIP), and (e) Basic Health Plan
(BHP), if a BHP is operating in the service area of the Exchange. The
information requested on the application includes all of the
information necessary for determining eligibility and enrolling
individuals and qualified employees in a QHP through the Exchange or
SHOP and for determining eligibility for insurance affordability
programs. The applicant must be able to file this application online,
by telephone, in person or by mail with the entity that is
administering the eligibility and enrollment functions of the Exchange.
This eligibility and enrollment process will be conducted in real-time
through electronic data transfer.
The applicant/enrollee, the application filer on behalf of other
applicants, or the authorized representative of the applicant/enrollee
will be asked to provide the minimum amount of information necessary to
support the eligibility and enrollment processes of the above listed
programs. The categories of information requested on the application
include personal, employment, financial, demographic, and pregnancy
status and tobacco use. Section 1411 of the Affordable Care Act
requires verification of the information received from applicants/
enrollees. The information provided by an applicant/enrollee, or by an
application filer on behalf of other applicants, on the application
will be matched and verified against data provided by the Internal
Revenue Service (IRS), Social Security Administration (SSA), Department
of Homeland Security (DHS), Department of Veterans Affairs
(VA),Department of Defense (DoD), Peace Corps, and Office of Personnel
Management (OPM) that is maintained by the Federally-facilitated
Exchange (FFE). State-based Exchanges (SBEs) will send requests for
data matching through the Data Services Hub (Hub). Exchanges can also
permit certain individuals and entities to assist applicants and
enrollees. These include Navigators, Agents, Brokers and employees,
agents and contractors of the Exchange (e.g. marketplace assisters).
Section 1943(b) of the Social Security Act (as amended by Section
2201 of the Affordable Care Act), as implemented through regulations
adopted by the Secretary of HHS,\1\ requires that Medicaid and CHIP
agencies utilize the same streamlined enrollment system and secure
electronic interface established in Section 1413 to verify information,
including federal tax information, financial and quarters of coverage
information held by the Social Security Administration, Social Security
Number (SSN) and citizenship, needed to make an eligibility
determination and facilitate a streamlined eligibility and enrollment
system among all insurance affordability programs. This enrollment
system and secure electronic interface is the same one developed by HHS
to comply with sections 1411(c) and 1411(d) of the Affordable Care Act
for purposes of determining eligibility to enroll in a qualified health
plan (QHP) through an Exchange State Medicaid, Chip and BHP agencies
will send requests for data matching through the Data Services Hub
(Hub).
---------------------------------------------------------------------------
\1\ 42 CFR 435.948, 435.949.
---------------------------------------------------------------------------
With respect to determinations of eligibility for Medicaid and
CHIP, the FFE can make either an assessment of eligibility or a
determination of eligibility. Unless the FFE assesses an applicant/
enrollee as ineligible for a Medicaid, CHIP or BHP program and the
applicant/enrollee requests to withdraw his/her application for
Medicaid, CHIP or BHP, the FFE must notify the State Medicaid or CHIP
agency and transmit all information obtained or verified by the CMS in
operation of the FFE via secure electronic interface for that other
agency to make a full determination of eligibility under those programs
and provide the applicant with coverage.
When applicants/enrollees receive a determination that they are
qualified to enroll in a QHP and have chosen a QHP to enroll in, the
Exchange will notify the QHP Issuers of individual enrollment
selections and transmit the information necessary to implement,
discontinue or modify enrollment and/or the level of payments processed
and received through the APTC and CSR programs and information
regarding the premium payments due from the enrollees.
Enrollees are required to update information that would impact
their eligibility status, and an Exchange will perform mid-year
redeterminations using the same system used for initial determinations
of eligibility when it receives updated information regarding an
enrollee either directly from the enrollee or through a periodic
examination of data sources. The Secretary along with the other
appropriate agencies will establish an appeals process for individuals
and employers when eligibility is denied as a result of inconsistencies
between the information obtained from applicants/enrollees and
employers and information and data verified through the Exchange. CMS
will also process enrollment and payment transactions to facilitate
APTC payments for all Exchanges; SBEs will send this information to CMS
through the Hub. The FFE will store eligibility and enrollment records,
system user records, appeals records, consumer services records and
SHOP employer records for all Exchanges. The Hub will be a pass-through
for SBEs for providing information from applicants/enrollees to CMS and
for the FFE to share data with SBEs, Medicaid, CHIP and BHP agencies.
Each Exchange, including the FFE, will establish a SHOP to assist
qualified employers and facilitate the enrollment of qualified
employees into QHPs. Eligibility determinations are not made on the
individual level in a SHOP; rather, the information that an employer is
required to provide about employees includes, the name and address of
the employer, number of employees, Employer Identification Number
(EIN), and list of qualified employees and their tax ID numbers.
The FFE will be responsible for performing oversight functions with
respect to issuer compliance with market-wide and Exchange specific
standards in connection with QHPs certified by the FFE. The FFE will
require QHP Issuers to submit, as requested by the FFE, certified
financial information including information
[[Page 8540]]
related to ownership and control and information demonstrating that the
issuer is fiscally sound, information that is necessary to administer
and evaluate the program, including but not limited to, enrollee
complaints against the QHP issuer and their disposition, enrollee
appeals and their disposition, formal actions, reviews, findings or
other similar actions by States, other regulatory bodies or any other
certifying or accrediting organization, and any other information
deemed necessary by the FFE for the administration of the FFE or
certification of QHPs. In addition, the FFE will require qualified
health plans to periodically report the activities that the health plan
has implemented in order to improve health outcomes.
CMS will also administer the administration of advance payment of
premium tax credits and cost-sharing reductions for all Exchanges. The
PII that will be collected, disclosed and used as part of this
administration includes QHP enrollment, premium payment information,
and information about cost-sharing payments necessary to reconcile
estimates of cost-sharing reductions with actual cost-sharing
reductions.
II. The Privacy Act
The Privacy Act (5 U.S.C. 552a) governs the means by which the
United States Government collects, maintains, and uses PII in a system
of records. A ``system of records'' is a group of any records under the
control of a Federal agency from which information about individuals is
retrieved by name or other personal identifier. The Privacy Act
requires each agency to publish in the Federal Register a system of
records notice (SORN) identifying and describing each system of records
the agency maintains, including the purposes for which the agency uses
PII in the system, the routine uses for which the agency discloses such
information outside the agency, and how individual record subjects can
exercise their rights under the Privacy Act (e.g., to determine if the
system contains information about them).
SYSTEM NUMBER:
09-70-0560
SYSTEM NAME:
Health Insurance Exchanges (HIX) Program, HHS/CMS/CCIIO
SECURITY CLASSIFICATION:
Unclassified
SYSTEM LOCATION:
CMS Data Center, 7500 Security Boulevard, North Building, First
Floor, Baltimore, Maryland 21244-1850, Health Insurance Exchanges
Program (HIX) locations, and at various contractor sites.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The system will contain personally identifiable information (PII)
about the following categories of individuals who participate in or are
involved with the CMS Health Insurance Exchanges Program: (1) Any
applicant/enrollee who applies, or on whose behalf an application is
filed, for an eligibility determination for a qualified health plan
(QHP) through an Exchange, insurance affordability program, or for a
certification of exemption; (2) Navigators, Agents, Brokers,
individuals or entities that are required to register with an Exchange
prior to assisting qualified individuals to enroll in QHPs through the
Exchange; (3) officers, employees and contractors of the Exchange; (4)
employees and contractors of CMS (e.g. marketplace assisters, appeals
staff); (5) contact information and business identifying information of
QHPs seeking certification; (6) persons employed by or contracted with
an Exchange organization who provide home or personal contact
information; and (7) any qualified employer and the qualified employees
whose enrollment in a QHP is facilitated through a Small Business
Health Options Program (SHOP).
CATEGORIES OF RECORDS IN THE SYSTEM:
Information maintained in this system for individual applicant/
enrollees includes, but may not be limited to, the applicant's first
name, last name, middle initial, mailing address or permanent
residential address (if different from the mailing address), date of
birth, Social Security Number (if the applicant has one), taxpayer
status, gender, ethnicity, residency, email address, and telephone
number. The system will also maintain information that will verify the
information provided by the individual/enrollee or by the application
filer on behalf of other applicants that will enable a decision about
an applicant's eligibility. The system will collect and maintain
information that the applicant or the application filer on behalf of
other applicants submits pertaining to (1) his or her citizenship or
immigration status, because only individuals who are citizens or
nationals of the U.S. or lawfully present are eligible to enroll; (2)
enrollment in Federally funded minimum essential health coverage (e.g.
Medicare, Medicaid, Federal Employees Health Benefit Program (FEHBP),
Veterans Health Administration (Champ VA), Children's Health Insurance
Program (CHIP), Department of Defense (TRICARE), Peace Corps); (3)
incarceration status; (4) Indian status; (5) enrollment in employer-
sponsored coverage; (6) requests for and accompanying documentation to
justify receipt of individual responsibility exemptions, including
membership in a certain type of recognized religious sect or health
care sharing ministry; (7) employer information; (8) status as a
veteran; (9) limited health status information (pregnancy status,
blindness, disability status); and (10) household income, including tax
return information from the IRS, income information from the Social
Security Administration, and financial information from other third
party sources. Information will also be maintained with respect to the
applicant's enrollment in a QHP through the Exchange, the premium
amounts and payment history.
With respect to qualified employers and the qualified employees
utilizing SHOP, the information maintained in the system includes but
may not be limited to the name and address of the employer, number of
employees, Employer Identification Number (EIN), and list of qualified
employees and their tax ID numbers.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
The HIX program implements recent health care reform provisions of
the Patient Protection and Affordable Care Act (PPACA) (Pub. L. 111-
148) as amended by the Health Care and Education Reconciliation Act of
2010 (Pub. L. 111-152) collectively the Affordable Care Act. Title 42
U.S.C. 18031, 18041, 18081--18083 and section 1414 of the Affordable
Care Act.
PURPOSE(S) OF THE SYSTEM:
The purpose of this system is to collect, create, use and disclose
PII on individuals who apply for eligibility determinations for
enrollment in a qualified health plan through the Exchange, for
insurance affordability programs,\2\ and for certifications of
exemption from the individual responsibility requirement and; and as
needed to perform the Exchange minimum functions in 45 CFR 155.200; and
to maintain records used to support all Health Insurance Exchanges
under
[[Page 8541]]
the HIX Program established by CMS. The system will collect, create,
use and disclose PII that will enable HHS to perform oversight and
enforcement activities of QHP Issuers offering qualified health plans
through the FFE. In addition, HHS, and any contractors assisting HHS,
will use PII from the system to assist in accomplishing CMS functions
relating to the purposes of this collection and who need to have access
to the records in order to assist CMS.
---------------------------------------------------------------------------
\2\ The insurance affordability programs are: (a) The advance
payment of the premium tax credits (APTC); (b) cost-sharing
reductions (CSR); (c) Medicaid, (d) Children's Health Insurance
Program (CHIP), and (e) Basic Health Plan (BHP), if a BHP is
operating in the service area of the Exchange.
---------------------------------------------------------------------------
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM
A. Entities Who May Receive Disclosures Under Routine Use
These routine uses specify circumstances, in addition to those
provided by statute in the Privacy Act of 1974, under which CMS may
release information from the HIX without the consent of the individual
to whom such information pertains. Each proposed disclosure of
information under these routine uses will be evaluated to ensure that
the disclosure is legally permissible, including but not limited to
ensuring that the purpose of the disclosure is compatible with the
purpose for which the information was collected. We are establishing
the following routine use disclosures of information maintained in the
system:
1. To support Agency contractors, consultants, or CMS grantees who
have been engaged by the Agency to assist in accomplishment of a CMS
function relating to the purposes for this collection and who need to
have access to the records in order to assist CMS.
2. To disclose information to another Federal agency, agency of a
State government, a non-profit entity operating an Exchange for a
State, an agency established by State law, or its fiscal agent to (A)
make eligibility determinations for enrollment in a QHP through an
Exchange, insurance affordability programs, and certifications of
exemption from the individual responsibility requirement, (B) to carry
out the HIX Program, and (C) to perform functions of an Exchange
described in 45 CFR 155.200, including notices to employers under
section 1411(f) of the Affordable Care Act.
3. To disclose information about applicants in order to obtain
information from other Federal agencies that help CMS, pursuant to
agreements with CMS, to determine the eligibility of applicants to
enroll in QHPs through an Exchange, in insurance affordability
programs, or for a certification of exemption from the individual
responsibility requirement.
4. To assist a CMS contractor (including, but not limited to
Medicare Administrative Contractors, fiscal intermediaries, and
carriers) that assists in the administration of a CMS-administered
health benefits program, or to a grantee of a CMS-administered grant
program, when disclosure is deemed reasonably necessary by CMS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud, waste or abuse in such program.
5. To assist another Federal agency or an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any state or local governmental agency), that
administers, or that has the authority to investigate potential fraud,
waste or abuse in a health benefits program funded in whole or in part
by Federal funds, when disclosure is deemed reasonably necessary by CMS
to prevent, deter, discover, detect, investigate, examine, prosecute,
sue with respect to, defend against, correct, remedy, or otherwise
combat fraud, waste or abuse in such programs.
6. To assist appropriate Federal agencies and CMS contractors and
consultants that have a need to know the information for the purpose of
assisting CMS' efforts to respond to a suspected or confirmed breach of
the security or confidentiality of information maintained in this
system of records, provided that the information disclosed is relevant
and necessary for that assistance.
7. To assist the U.S. Department of Homeland Security (DHS) cyber
security personnel, if captured in an intrusion detection system used
by HHS and DHS pursuant to the Einstein 2 program.
8. To provide information about applicants to application filers,
who are filing on behalf of those applicants, when relevant and
necessary to determine eligibility to enroll in QHPs or in insurance
affordability programs.
9. To QHP issuers for purposes of administering advance payment of
premium tax credits and cost-sharing reductions.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM--
STORAGE:
Electronic records will be stored on both tape cartridges (magnetic
storage media) and in a relational database management environment
(DASD data storage media). Any hard copies of program related records
containing PII at CMS and contractor locations will be kept in secure
hard-copy file folders locked in secure file cabinets during non-duty
hours.
RETRIEVABILITY:
The records will be retrieved electronically by a variety of
fields, including but not limited to first name, last name, middle
initial, date of birth, or Social Security Number (SSN).
SAFEGUARDS:
Personnel having access to the system have been trained in the
Privacy Act and information security requirements. Employees who
maintain records in this system are instructed not to release data
until the intended recipient agrees to implement appropriate
management, operational and technical safeguards sufficient to protect
the confidentiality, integrity and availability of the information and
information systems and to prevent unauthorized access.
Access to records in the HIX Database system will be limited to
authorized CMS personnel and contractors through password security,
encryption, firewalls, and secured operating system. Any electronic or
hard copies of records containing PII at CMS, exchanges and contractor
locations will be kept in secure electronic files or in hard-copy file
folders locked in secure file cabinets during non-duty hours.
RETENTION AND DISPOSAL:
Records are maintained with identifiers for all transactions for a
period of 10 years after they are entered into the system. Records are
housed in both active and archival files in accordance with CMS data
and document management policies and standards.
SYSTEM MANAGER AND ADDRESS:
Director, Consumer Information and Insurance Systems Group, Center
for Consumer Information and Insurance Oversight, Centers for Medicare
& Medicaid Services, 7501 Wisconsin Ave, 9th Floor, Bethesda, MD 20814.
NOTIFICATION PROCEDURE:
An individual record subject who wishes to know if this system
contains records about him or her should write to the system manager
who will require the system name, and for verification purposes, the
subject individual's name (woman's maiden name, if applicable), and SSN
(furnishing the SSN is voluntary, but it may make searching for a
record easier and prevent delay).
RECORD ACCESS PROCEDURE:
An individual seeking access to records about him or her in this
system should use the same procedures outlined in Notification
Procedures above. The requestor should also reasonably specify the
record contents being sought. (These procedures are in
[[Page 8542]]
accordance with Department regulation 45 CFR 5b.5 (a) (2).)
CONTESTING RECORD PROCEDURES:
To contest a record, the subject individual should contact the
system manager named above, and reasonably identify the record and
specify the information being contested. The individual should state
the corrective action sought and the reasons for the correction with
supporting justification. (These procedures are in accordance with
Department regulation 45 CFR 5b.7.)
RECORD SOURCE CATEGORIES:
Personally identifiable information in this database is obtained
from the application submitted by or on behalf of individuals/
applicants seeking eligibility determinations, from qualified employers
and other employers who provide employer-sponsored coverage, from other
Federal and state agencies needed to make eligibility determinations,
from marketplace assisters facilitating the eligibility and enrollment
processes, from QHPs, from State-based Exchanges that provide
information to perform the statutory functions, from states
participating in State Partnership Exchanges pursuant to the State
Partnership Memorandum of Understanding, and from third party data
sources to determine eligibility as described in this notice.
EXEMPTIONS CLAIMED FOR THIS SYSTEM:
None
Dated: January 31, 2013.
Michelle Snyder,
Deputy Chief Operating Officer, Centers for Medicare & Medicaid
Services.
[FR Doc. 2013-02666 Filed 2-5-13; 8:45 am]
BILLING CODE 4120-03-P