Common use of Ensuring Privacy and Security of Consumer Personally Identifiable Information Clause in Contracts

Ensuring Privacy and Security of Consumer Personally Identifiable Information. (PII) Protecting consumers’ personally identifiable information is of great importance and applicants should demonstrate the ability to ensure consumers are protected. Applicants should develop and include with their application a plan to protect the privacy and security of consumers’ personally identifiable information that includes a discussion of the following: • How the applicant intends to comply with FFE privacy and security standards and to use computers, including laptops or tablets, in accordance with those standards and 45 C.F.R. § 155.260. The privacy and security standards for current Navigator awardees under opportunity CA-NAV-15-001 and CA-NAV-16-001 can be found here: xxxxx://xxx.xxx.xxx/CCIIO/Programs-and-Initiatives/Health-Insurance- Marketplaces/Downloads/EXAMPLE-2017-Privacy-Security-Terms-Conditions.pdf. • Process for ensuring all persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions complete all required training related to ensuring privacy and security of consumer PII, including training on compliance with FFE privacy and security standards. • Process for ensuring that applicants for coverage available through an Exchange application (1) are informed of the functions and responsibilities of Navigators, including that Navigators are not acting as tax advisers or attorneys when providing assistance as Navigators and cannot provide tax or legal advice within their capacity as Navigators; (2) provide authorization prior to a Navigator’s obtaining access to their personally identifiable information; and (3) may revoke at any time the authorization provided to the Navigator. Applicants should discuss how they plan to ensure that persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions will protect consumer PII. Discussion should include: • Plans for training persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions on how to receive, secure, and handle PII or other sensitive data, and • Process for evaluating qualifications of persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions for receiving, securing, and handling PII or other sensitive data, including if background checks are conducted. If background checks are conducted, applicants should explain on whom they are conducted, what would be considered to be adverse findings of a background check and/or findings that would preclude someone from working on the organization’s Navigator activities or accessing PII related to those activities, and whether the following types of recommended background checks are used:  Office of Inspector General (OIG) Sanction Check • HHS OIG has a list that identifies individuals who are debarred/sanctioned from participating on any Federal programs.

Ensuring Privacy and Security of Consumer Personally Identifiable Information. (PII) Protecting consumers’ personally identifiable information is of great importance and applicants should demonstrate the ability to ensure consumers are protected. 30 Applicants should develop and include with their application a plan to protect the privacy and security of consumers’ personally identifiable information PII that includes a discussion of the following: • (5 points) How the applicant intends to comply with FFE privacy and security standards and to use computers, including laptops or tablets, in accordance with those standards and 45 C.F.R. § 155.260. The privacy and security standards for current Navigator awardees under opportunity CA-NAV-15-001 and CA-NAV-16NAV-19-001 can be found here: xxxxx://xxx.xxx.xxx/CCIIO/Programs-and-Initiatives/Health-Insurance- Marketplaces/Downloads/EXAMPLE-2017-Privacy-Security-Terms-Conditions.pdf. xxxxx://xxx.xxx.xxx/files/document/2020-privacy-and-security-terms- and-conditions-508-ejs-5-4-2021.pdf • (5 points) Process for ensuring all persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions complete all required training related to ensuring privacy and security of consumer PII, including training on compliance with FFE privacy and security standards. ; Project Narrative Topics Total Available Points Scoring Criteria Breakdown • (5 points) Process for ensuring that applicants for coverage available through an Exchange application (1) are informed of the functions and responsibilities of Navigators, including that Navigators are not acting as tax advisers or attorneys when providing assistance as Navigators and cannot provide tax or legal advice within their capacity as Navigators; (2) provide authorization prior to a Navigator’s obtaining access to their personally identifiable information; and (3) may revoke at any time the authorization provided to the Navigator. Applicants should discuss how they plan ; • (5 points) How the applicant plans to conduct ongoing monitoring throughout the duration of the period of performance to ensure that persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions will protect are protecting consumer PIIPII and other sensitive data in accordance with their training and the organization’s operating policies. Discussion Applicant should includealso discuss mitigation plans for addressing PII breaches, should any occur. • (10 points total) Applicant should also discuss the following: •  (5 points) Plans for training persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions on how to receive, secure, and handle PII or other sensitive data, and •  (5 points) Process for evaluating qualifications of persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions for receiving, securing, and handling PII or other sensitive data, including if background checks are conducted. If background checks are conducted, applicants should explain on whom they are conducted, what would be considered to Project Narrative Topics Total Available Points Scoring Criteria Breakdown be adverse findings of a background check and/or findings that would preclude someone from working on the organization’s Navigator activities or accessing PII related to those activities, and whether the following types of recommended background checks are used:  Office of Inspector General (OIG) Sanction Check • HHS OIG has a list that identifies individuals who are debarred/sanctioned from participating on any Federal programs.  Criminal Background Investigation • This type of investigation can include a national criminal database search, as well as a locality search (to include Federal, District & County Court and criminal records check).  State-required Background Check • This can include any investigations required of Navigators under state law.

Ensuring Privacy and Security of Consumer Personally Identifiable Information. (PII) Protecting consumers’ personally identifiable information is of great importance and applicants should demonstrate the ability to ensure consumers are protected. Applicants should develop and include with their application a plan to protect the privacy and security of consumers’ personally identifiable information that includes a discussion of the following: • How the applicant intends to comply with FFE privacy and security standards and to use computers, including laptops or tablets, in accordance with those standards and 45 C.F.R. § 155.260. The privacy and security standards for current Navigator awardees under opportunity CA-NAV-15-001 and CA-NAV-16-001 can be found here: xxxxx://xxx.xxx.xxx/CCIIO/Programs-and-Initiatives/Health-Insurance- Marketplaces/Downloads/EXAMPLE-2017-Privacy-Security-Terms-Conditions.pdf. • Process for ensuring all persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions complete all required training related to ensuring privacy and security of consumer PII, including training on compliance with FFE privacy and security standards. • Process for ensuring that applicants for coverage available through an Exchange application (1) are informed of the functions and responsibilities of Navigators, including that Navigators are not acting as tax advisers or attorneys when providing assistance as Navigators and cannot provide tax or legal advice within their capacity as Navigators; (2) provide authorization prior to a Navigator’s obtaining access to their personally identifiable information; and (3) may revoke at any time the authorization provided to the Navigator. Applicants should discuss how they plan to ensure that persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions will protect consumer PII. Discussion should include: • Plans for training persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions on how to receive, secure, and handle PII or other sensitive data, and • Process for evaluating qualifications of persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions for receiving, securing, and handling PII or other sensitive data, including if background checks are conducted. If background checks are conducted, applicants should explain on whom they are conducted, what would be considered to be adverse findings of a background check and/or findings that would preclude someone from working on the organization’s Navigator activities or accessing PII related to those activities, and whether the following types of recommended background checks are used:  ▪ Office of Inspector General (OIG) Sanction Check • HHS OIG has a list that identifies individuals who are debarred/sanctioned from participating on any Federal programs. ▪ Criminal Background Investigation • This type of investigation can include a national criminal database search, as well as a locality search (to include Federal, District & County Court and criminal records check). ▪ State-required Background Check • This can include any investigations required of Navigators under state law. • Current and past HHS Navigator awardees should include a discussion of their track record handling and protecting consumer PII while as a Navigator awardee, including any breaches of consumer PII (and when) and actions taken to rectify the breach(es).

Ensuring Privacy and Security of Consumer Personally Identifiable Information. (PII) Protecting consumers’ personally identifiable information is of great importance and applicants should demonstrate the ability to ensure consumers are protected. Applicants should develop and include with their application a plan to protect the privacy and security of consumers’ personally identifiable information that includes a discussion of the following: • How the applicant intends to comply with FFE privacy and security standards and to use computers, including laptops or tablets, in accordance with those standards and 45 C.F.R. § 155.260. The privacy and security standards for current Navigator awardees under opportunity CA-NAV-15-001 and CA-NAV-16NAV-18-001 can be found here: xxxxx://xxx.xxx.xxx/CCIIO/Programs-and-Initiatives/Health-Insurance- xxxxx://xxx.xxx.xxx/CCIIO/Programs-and-Initiatives/Health- Insurance-Marketplaces/Downloads/EXAMPLE-2017EXAMPLE-2018-Privacy-Security-Terms-Conditions.pdf. Privacy- Security-Terms-Conditions.pdf • Process for ensuring all persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions complete all required training related to ensuring privacy and security of consumer PII, including training on compliance with FFE privacy and security standards. • Process for ensuring that applicants for coverage available through an Exchange application (1) are informed of the functions and responsibilities of Navigators, including that Navigators are not acting as tax advisers or attorneys when providing assistance as Navigators and cannot provide tax or legal advice within their capacity as Navigators; (2) provide authorization prior to a Navigator’s obtaining access to their personally identifiable information; and (3) may revoke at any time the authorization provided to the Navigator. Applicants should discuss how they plan to ensure that persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions will protect consumer PII. Discussion should include: • Plans for training persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions on how to receive, secure, and handle PII or other sensitive data, and • Process for evaluating qualifications of persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions for receiving, securing, and handling PII or other sensitive data, including if background checks are conducted. If background checks are conducted, applicants should explain on whom they are conducted, what would be considered to be adverse findings of a background check and/or findings that would preclude someone from working on the organization’s Navigator activities or accessing PII related to those activities, and whether the following types of recommended background checks are used:  ▪ Office of Inspector General (OIG) Sanction Check • HHS OIG has a list that identifies individuals who are debarred/sanctioned from participating on any Federal programs. ▪ Criminal Background Investigation • This type of investigation can include a national criminal database search, as well as a locality search (to include Federal, District & County Court and criminal records check). ▪ State-required Background Check • This can include any investigations required of Navigators under state law. • Current and past HHS Navigator awardees should include a discussion of their track record handling and protecting consumer PII while as a Navigator awardee, including any breaches of consumer PII (and when) and actions taken to rectify the breach(es).

Ensuring Privacy and Security of Consumer Personally Identifiable Information. (PII) Protecting consumers’ personally identifiable information is of great importance and applicants should demonstrate the ability to ensure consumers are protected. Applicants should develop and include with their application a plan to protect the privacy and security of consumers’ personally identifiable information that includes a discussion of the following: •  How the applicant intends to comply with FFE FFM privacy and security standards and to use computers, including laptops or tablets, in accordance with those standards and 45 C.F.R. § 155.260. The privacy and security standards for current Navigator awardees under opportunity CA-NAV-15-001 and CA-NAV-16NAV-13-001 can be found here: xxxxx://xxx.xxx.xxx/CCIIO/Programs-and-Initiatives/Health-Insurance- xxxx://xxx.xxx.xxx/CCIIO/Programs- and-Initiatives/Health-Insurance-Marketplaces/Downloads/EXAMPLE-2017privacy-Privacyand-Securitysecurity-Terms-Conditions.pdf. • terms- and-conditions-6-4-14.pdf; and  Process for ensuring all persons performing Navigator functions staff and others who have access to sensitive information or PII related to the organization’s Navigator functions volunteers complete all required training related to ensuring privacy and security of consumer PII, including training on compliance with FFE FFM privacy and security standards. •  Process for ensuring that Marketplace applicants for coverage available through an Exchange application (1) are informed of the functions and responsibilities of Navigators, including that Navigators are not acting as tax advisers or attorneys when providing assistance as Navigators and cannot provide tax or legal advice within their capacity as Navigators; (2) provide authorization prior to a Navigator’s obtaining access to their a Marketplace applicant’s personally identifiable information; and (3) may revoke at any time the authorization provided to the Navigator. Applicants should discuss how they plan to ensure that persons staff performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions duties will protect consumer PII. Discussion should include: •  Plans for training persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions staff on how to receive, secure, and handle PII or other sensitive data, and •  Process for evaluating staff qualifications of persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions for receiving, securing, and handling PII or other sensitive data, including if .  While applicants are not required to conduct background checks are conductedon staff that will perform Navigator duties or have access to sensitive information or PII, applicants that include a discussion of plans to do so may receive a higher score in this category than applicants that do not. If Any discussion of background checks are conducted, applicants should explain on whom they are conducted, include a discussion of what would be considered to be adverse findings findings, such as identification of an individual who has been debarred or sanctioned from any Federal programs, or a background check and/or findings that would preclude someone from working on the organization’s Navigator activities or accessing PII related to those activitiesfinding of past criminal charges against an individual, and whether the following types of recommended what action would be taken with respect to any adverse findings. Recommended background checks are usedfor applicant staff carrying out Navigator duties include all of the following:  o Office of Inspector General (OIG) Sanction Check • HHS  OIG has a list that identifies individuals who are debarred/sanctioned from participating on any Federal programs.

Ensuring Privacy and Security of Consumer Personally Identifiable Information. (PII) Protecting consumers’ personally identifiable information is of great importance and applicants should demonstrate the ability to ensure consumers are protected. Applicants should develop and include with their application a plan to protect the privacy and security of consumers’ personally identifiable information that includes a discussion of the following: • How the applicant intends to comply with FFE FFM privacy and security standards and to use computers, including laptops or tablets, in accordance with those standards and 45 C.F.R. § 155.260. The privacy and security standards for current Navigator awardees under opportunity CA-NAV-15NAV-14-001 and CA-NAV-16-001 002 can be found here: xxxxx://xxx.xxx.xxx/CCIIO/Programs-and-Initiatives/Health-Insurance- xxxx://xxx.xxx.xxx/CCIIO/Programs- and-Initiatives/Health-Insurance-Marketplaces/Downloads/EXAMPLE-2017Privacy-Privacyand-Security-Terms-Conditions.pdf. Terms- and-Conditions-FINAL508MM.pdf; and • Process for ensuring all persons performing Navigator functions staff and others who have access to sensitive information or PII related to the organization’s Navigator functions volunteers complete all required training related to ensuring privacy and security of consumer PII, including training on compliance with FFE FFM privacy and security standards. • Process for ensuring that applicants for coverage available through an Exchange a Marketplace application (1) are informed of the functions and responsibilities of Navigators, including that Navigators are not acting as tax advisers or attorneys when providing assistance as Navigators and cannot provide tax or legal advice within their capacity as Navigators; (2) provide authorization prior to a Navigator’s obtaining access to their personally identifiable information; and (3) may revoke at any time the authorization provided to the Navigator. Applicants should discuss how they plan to ensure that persons staff performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions duties will protect consumer PII. Discussion should include: • Plans for training persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions staff on how to receive, secure, and handle PII or other sensitive data, and • Process for evaluating staff qualifications of persons performing Navigator functions and others who have access to sensitive information or PII related to the organization’s Navigator functions for receiving, securing, and handling PII or other sensitive data, including if . • While applicants are not required to conduct background checks are conductedon staff that will perform Navigator duties or have access to sensitive information or PII, applicants that include a discussion of plans to do so may receive a higher score in this category than applicants that do not. If Any discussion of background checks are conducted, applicants should explain on whom they are conducted, include a discussion of what would be considered to be adverse findings findings, such as identification of an individual who has been debarred or sanctioned from any Federal programs, or a background check and/or findings that would preclude someone from working on the organization’s Navigator activities or accessing PII related to those activitiesfinding of past criminal charges against an individual, and whether the following types of recommended what action would be taken with respect to any adverse findings. Recommended background checks are usedfor applicant staff carrying out Navigator duties include all of the following:  o Office of Inspector General (OIG) Sanction Check • HHS  OIG has a list that identifies individuals who are debarred/sanctioned from participating on any Federal programs.