Common use of Application to non-Exchange entities Clause in Contracts

Application to non-Exchange entities. (1) Non-Exchange entities. A non-Exchange entity is any individual or entity that: (i) Gains access to personally identifiable information submitted to an Exchange; or (ii) Collects, uses, or discloses personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing functions agreed to with the Exchange. (2) Prior to any person or entity becoming a non-Exchange entity, Exchanges must execute with the person or entity a contract or agreement that includes: (i) A description of the functions to be performed by the non-Exchange entity; (ii) A provision(s) binding the non-Exchange entity to comply with the privacy and security standards and obligations adopted in accordance with paragraph (b)(3) of this section, and specifically listing or incorporating those privacy and security standards and obligations; (iii) A provision requiring the non-Exchange entity to monitor, periodically assess, and update its security controls and related system risks to ensure the continued effectiveness of those controls in accordance with paragraph (a)(5) of this section; (iv) A provision requiring the non-Exchange entity to inform the Exchange of any change in its administrative, technical, or operational environments defined as material within the contract; and (v) A provision that requires the non-Exchange entity to bind any downstream entities to the same privacy and security standards and obligations to which the non-Exchange entity has agreed in its contract or agreement with the Exchange. 
(3) When collection, use or disclosure is not otherwise required by law, the privacy and security standards to which an Exchange binds non-Exchange entities must: (i) Be consistent with the principles and requirements listed in paragraphs (a)(1) through (6) of this section, including being at least as protective as the standards the Exchange has established and implemented for itself in compliance with paragraph (a)(3) of this section; (ii) Comply with the requirements of paragraphs (c), (d), (f), and (g) of this section; and (iii) Take into specific consideration: (A) The environment in which the non-Exchange entity is operating; (B) Whether the standards are relevant and applicable to the non-Exchange entity's duties and activities in connection with the Exchange; and (C) Any existing legal requirements to which the non-Exchange entity is bound in relation to its administrative, technical, and operational controls and practices, including but not limited to, its existing data handling and information technology processes and protocols.

Appears in 6 contracts

Samples: Security Agreement, Security Agreement, Security Agreement


Application to non-Exchange entities. (1) Non-Exchange entities. A non-Exchange entity is any individual or entity that: (i) Gains access to personally identifiable information submitted to an Exchange; or (ii) Collects, uses, or discloses personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing functions agreed to with the Exchange. (2) Prior to any person or entity becoming a non-Exchange entity, Exchanges must execute with the person or entity a contract or agreement that includes: (i) A description of the functions to be performed by the non-Exchange entity; (ii) A provision(s) binding the non-Exchange entity to comply with the privacy and security standards and obligations adopted in accordance with paragraph (b)(3) of this section, and specifically listing or incorporating those privacy and security standards and obligations; (iii) A provision requiring the non-Exchange entity to monitor, periodically assess, and update its security controls and related system risks to ensure the continued effectiveness of those controls in accordance with paragraph (a)(5) of this section; (iv) A provision requiring the non-Exchange entity to inform the Exchange of any change in its administrative, technical, or operational environments defined as material within the contract; and (v) A provision that requires the non-Exchange entity to bind any downstream entities to the same privacy and security standards and obligations to which the non-Exchange entity has agreed in its contract or agreement with the Exchange.
(3) When collection, use or disclosure is not otherwise required by law, the privacy and security standards to which an Exchange binds non-Exchange entities must: (i) Be consistent with the principles and requirements listed in paragraphs (a)(1) through (6) of this section, including being at least as protective as the standards the Exchange has established and implemented for itself in compliance with paragraph (a)(3) of this section; (ii) Comply with the requirements of paragraphs (c), (d), (f), and (g) of this section; and (iii) Take into specific consideration: (A) The environment in which the non-Exchange entity is operating; (B) Whether the standards are relevant and applicable to the non-Exchange entity's duties and activities in connection with the Exchange; and (C) Any existing legal requirements to which the non-Exchange entity is bound in relation to its administrative, technical, and operational controls and practices, including but not limited to, its existing data handling and information technology processes and protocols.

Appears in 3 contracts

Samples: Security Agreement, Security Agreement, Security Agreement
