
Privacy and Security Laws Beyond HIPAA: Protecting Consumer Information

Webinar Presented by Laura Bird

January 29, 2014


Module Contents

  • Introduction

  • Privacy and Security of Personally Identifiable Information under the Affordable Care Act

  • Privacy and Security of Federal Tax Information under the Tax Code

  • Other Requirements on Certified Application Counselors and Navigators under Agreements with the Centers for Medicare & Medicaid Services

  • Authorized Representative Designation & Privacy

  • Other Considerations & Guidance






Why is Protecting Consumer Information Important?

  • Beyond the fact that improper disclosure can harm a person personally and financially:

  • Purpose of Marketplace is to help people get insured.

  • Enrollment assisters have a key role in protecting information.

  • Disclosure can result in civil and criminal penalties.


Enrollment Assisters

  • Types

    • Navigators

    • Non-Navigator Assister Personnel

    • Certified Application Counselors

    • Authorized Representatives

    • Outreach and Enrollment Workers

    • Agents and Brokers (not discussed here)

  • Enrollment assisters need to be familiar with the applicable privacy and security laws beyond HIPAA when assisting consumers.


Enrollment Assisters & Privacy

  • Enrollment assisters who help consumers apply for coverage will have access to the consumer’s personal information.

  • Enrollment assisters are bound by the ACA, as well as by other privacy laws, to protect any consumer information they are exposed to, and they have a duty to ensure that it is not used or shared in a harmful way.


Privacy and Security of PII Under The ACA


Compliance with HIPAA is not Enough

  • I/T/Us (Indian Health Service, Tribal and Urban Indian health programs) are required to comply with the HIPAA Privacy, Security and Breach Notification Rules as to the PHI they create, maintain, or transmit.

  • The ACA privacy and security standards are broader than HIPAA: they cover consumer PII, not only PHI. Complying with HIPAA alone is not enough to comply with the ACA privacy and security standards.


Eight ACA Privacy and Security Standards

  • Individual access

  • Correction

  • Openness and transparency

  • Individual choice

  • Collection, use and disclosure limitations

  • Data quality and integrity

  • Safeguards

  • Accountability


Confidentiality of Consumer’s PII Under the ACA

  • A consumer is required to provide only the information strictly necessary to verify identity, determine eligibility for insurance, and determine the amount of any premium tax credit or cost sharing reduction.

  • Any person (including an enrollment assister) who receives information provided by an applicant, or received from a Federal agency, shall use that information only for the purpose of ensuring the efficient operation of the Marketplace and shall not disclose it to any other person.

    See Section 1411(g) of the Affordable Care Act.


What is the Penalty for Disclosing PII?

  • Any “person who knowingly and willfully uses or discloses information in violation of section 1411(g) of the Affordable Care Act will be subject to a civil penalty of not more than $25,000 per person or entity, per use or disclosure, in addition to other penalties that may be prescribed by law.”

    45 C.F.R. § 155.260(g).


Examples of Information Considered PII Under the ACA

Note: these are only examples; the CMS Agreements include a long list of the types of PII a Navigator or CAC may receive.


Non-Exchange Entity

  • A Marketplace must require the same or more stringent privacy and security standards as a condition of an agreement with a Non-Exchange entity.

  • A Non-Exchange entity specifically includes Navigators, CACs and agents and brokers.

  • A Tribe or organization with Outreach and Enrollment Workers may be considered a Non-Exchange entity.


Non-Exchange Entity (cont’d)

  • A Non-Exchange entity is not specifically defined in the regulations but refers to: “…Individuals or entities, such as Navigators, agents, and brokers, that:

    (1) Gain access to personally identifiable information submitted to the Exchange; or

    (2) Collect, use or disclose personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing the functions outlined in the agreement with the Exchange….”


Applicable Laws and Requirements


Oversight of ACA Privacy and Security Standards


Section Summary: What You Need to Know

  • You must keep the consumer’s information confidential and never disclose it to others.

  • Under ACA, there are civil penalties for disclosure of confidential information.

  • Critical to maintain consumer’s trust!





Privacy and Security of FTI under The Tax Code


Under the Tax Code

  • The ACA regulations incorporate the Tax Code by reference.

  • Under the Tax Code, if you have access to Federal Tax Information (FTI), whether from the IRS or from a secondary source, in order to determine a consumer’s eligibility for premium tax credits or cost sharing reductions, or eligibility for a State Medicaid program, CHIP or a basic health program, you are bound not to disclose any FTI obtained in any manner in connection with the service provided to the consumer.

  • FTI includes returns and return information and must be kept confidential.


Federal Tax Information (FTI)


FTI Available through Marketplaces Under the Tax Code

  • Taxpayer identity information

  • Filing status (single, married, etc.)

  • The number of individuals for whom a deduction is allowed

  • The taxpayer’s modified adjusted gross income (MAGI)

  • The taxable year of the information, or that such information is not available.

  • Other information that might indicate whether an individual is eligible for the premium tax credit, or cost sharing reductions, and the amount.


Protecting FTI

  • Do not retain the FTI after the enrollment session is over.

  • Never access FTI if the information is not needed for the consumer’s enrollment.

  • If you have access to a consumer’s FTI, do not disclose the FTI.

  • Criminal penalties and civil liability can result from unauthorized access or disclosure of FTI.


What is Considered Unauthorized Access?

  • Unauthorized access occurs when an entity or individual receives or inspects FTI without authority.

  • Criminal penalty: a misdemeanor punishable by a fine of up to $1,000, or imprisonment of not more than one year, or both, plus the costs of prosecution (26 U.S.C. § 7213A).

  • Civil liability: the taxpayer may sue the employee or assister for damages (26 U.S.C. § 7431).


What is Considered Unauthorized Disclosure?

  • Unauthorized disclosure occurs when an entity or individual that is authorized to receive FTI discloses it to another entity or individual that lacks both the authority and a need to know.

  • Criminal penalty: a felony punishable by a fine of up to $5,000, or imprisonment of not more than five years, or both, plus the costs of prosecution (26 U.S.C. § 7213).

  • Civil liability: the taxpayer may sue the employee or assister for damages (26 U.S.C. § 7431).


Section Summary: What You Need to Know

  • FTI is only that information received directly from the IRS or through a secondary source.

  • Never retain FTI after the enrollment session ends.

  • Even if a consumer hands you a return or return information directly to assist with an application, do not keep it in your files; return it to the consumer.





Other Requirements on Navigators and CACs under CMS Agreement


Additional Navigator and CAC Requirements

  • Navigators and CACs are subject to six categories of privacy and security standards that the Navigator or CAC organization agreed to with CMS, including any attachments and referenced documents.

    • Note: links to those documents are listed on the next slide.

  • As a Navigator or CAC, you may be required to sign an agreement with your employer to perform your duties as a Navigator or CAC.

  • Recommendation: These standards should also be followed by I/T/Us not under a formal agreement with CMS or a Marketplace as minimal standards to ensure the protection of consumer information.


Links to Referenced Documents

  • Model Navigator Assistance Consent Form in FFM, available at

  • Model CAC Authorization Form in FFM, available at

  • Appendices to Model Agreement Between CAC and Organization in FFM, available at

  • MARS-E Suite of Documents, available at


6 Categories of Privacy and Security Standards

1- Individual Access:

  • Organization must have policies and procedures in place to provide consumers with access to their PII upon request.

  • Organization must respond to a request for access, granting or denying it, within 30 days.

2- Openness & Transparency:

  • Organization must provide a Privacy Notice Statement that is prominently and conspicuously displayed on its public-facing website (if applicable), or in the electronic and/or paper forms used to gather or request PII.


6 Categories of Privacy and Security Standards (cont’d)

3- Individual Choice:

  • Organization may only use PII for the functions and purposes listed in the Privacy Notice Statement and in any agreements that were in effect when the PII was collected, unless the consumer’s informed consent is obtained. The consent must be appropriately secured and retained for 10 years.

4- Collection, Use and Disclosure Limitations:

  • Organization should always try to collect PII directly from the consumer when the information may result in an adverse determination about benefits.


6 Categories of Privacy and Security Standards (cont’d)

5- Data Quality & Integrity:

  • Organization must allow a consumer the right to amend, correct, substitute or delete PII. Such a request must be granted or denied within 10 working days.

  • Organization must verify the consumer’s identity before acting on such a request.

  • Organization must maintain an accounting of any and all disclosures for at least 10 years after the disclosure, or for the life of the record, whichever is longer.


6 Categories of Privacy and Security Standards (cont’d)

6- Accountability:

  • Organization must implement breach and incident handling procedures.

  • Organization shall incorporate privacy and security standards and implementation procedures in its standard operating procedures as to PII.

  • Organization shall develop training and awareness programs for members of its workforce involved with PII.

  • Organization shall adopt and implement Security Control Standards.


Model Consent Form Templates

Note: see the “Links to Referenced Documents” slide above for links to these consent forms.


Consent Form Modifications

  • Mailing Documents for Consumers

    • CMS training discourages the mailing of applications by a CAC as a best practice. See Privacy and Security Standards, Course 13.

    • Best practice is to ask the consumer to mail the application him/herself.

    • Where a consumer is unable to do this, you could use a separate consent form allowing the organization/assister to mail the application and releasing the organization/assister from liability.


Section Summary: What You Need to Know

  • Always provide a Privacy Notice Statement to consumer.

  • Always obtain a consent form before assisting a consumer.

  • Always obtain informed consent (on a separate form) for any use or disclosure of the consumer’s information outside the Privacy Notice Statement. Consents must be kept for 10 years.

  • Keep an accounting of every disclosure made of a consumer’s information. It must be kept for 10 years.

  • Report any breaches of the consumer’s PII or FTI.





Authorized Representative Designation & Privacy


What is an Authorized Representative?

  • An authorized representative is a person or organization authorized by a consumer to assist the consumer with his or her application for, and enrollment in, insurance through the Marketplace.

    • An authorized representative should also have authority to work with the QHP (qualified health plan), but a separate form may be required for that.

  • A consumer should select a person or organization that he or she trusts to act as representative, since that person will have access to the consumer’s PII.

  • The FFM (Federally-facilitated Marketplace) paper application allows a consumer to name an authorized representative; it may also be done through the electronic application.

  • A consumer may revoke a designation at any time.


Duties of Authorized Representative

  • An authorized representative may be authorized to:

    • Sign the application on behalf of the consumer

    • Submit an update or respond to a redetermination for the consumer

    • Receive copies of the consumer’s notices and other communications from the Marketplace; and

    • Act on behalf of the consumer in other matters with the Marketplace. See 45 C.F.R. § 155.227(c).


Requirements of Authorized Representative Designation

  • Must be in a written document signed by consumer, or through another legally binding format.

  • Marketplace must ensure that the “…authorized representative agrees to maintain, or be legally bound to maintain, the confidentiality of any information…” regarding the consumer.

  • Marketplace must ensure that the representative is responsible for fulfilling all required duties.

  • Marketplace must provide information to both the consumer and the authorized representative regarding representative’s powers and duties.

    See 45 C.F.R. § 155.227(a)(2)-(5).


Timing of Designation

  • The Marketplace must permit a consumer to designate an authorized representative:

    • At the time of the application; or

    • At other times and methods, including:

      • Via an internet website

      • By telephone through a call center

      • By mail

      • In person

        See 45 C.F.R. 155.227(b), 155.405(c)(2).


Language in FFM Paper Application

  • By signing an authorized representative designation, a consumer gives the representative permission to:

    • Talk about the consumer’s application with the Marketplace

    • See the consumer’s information

    • Act on the consumer’s behalf on matters related to the application, including obtaining information about the application

    • Sign the application on the consumer’s behalf.


Authorized Representative Designation in Selected State-based Marketplaces


Authorized Representative v. CAC


Can a CAC also be an Authorized Representative?

  • Yes. A CAC can also be designated as a consumer’s authorized representative.


Section Summary: What You Need to Know

  • Authorized representatives must agree to maintain confidentiality of consumer information.

  • Best practice for authorized representatives within an I/T/U would be to follow the same or similar standards as Navigators and CACs under CMS Agreements.


Other Considerations & Guidance


Tribal Sponsorship Considerations

  • Tribes involved in Tribal Sponsorship of QHPs in the Marketplace should collect and retain information solely for the purpose of administering the program.

    • This may include very sensitive information, such as claims data or other medical information.

  • Follow the same six privacy and security standards discussed above under “6 Categories of Privacy and Security Standards”.

    • Make sure to tailor the Privacy Notice Statement and consent forms to Tribal Sponsorship.


General Guidance on Physical and Electronic Protection of Information

  • Secure paper PII in a locked file cabinet, and limit who has access to it.

  • Password protect computers and electronic files containing consumer information, and limit access. A login password alone does not protect files on a lost or stolen device, so enable full-disk encryption as well.

  • Never send PII/FTI by email, and never request this information via email.

  • Do not keep notes containing a consumer’s PII/FTI.

  • Never leave consumer information unattended on your desk or on your computer screen.
