Implementation Specifications Sample Clauses
Implementation Specifications. 1. The Non-Exchange Entity must obtain informed consent from individuals for any use or disclosure of information that is not permissible within the scope of the Privacy Notice Statement and any relevant agreements that were in effect as of the time the PII was collected. Such consent must be subject to a right of revocation.
2. Any such consent that serves as the basis of a use or disclosure must:
A. Be provided in specific terms and in plain language;
B. Identify the entity collecting or using the PII, and/or making the disclosure;
C. Identify the specific collections, use(s), and disclosure(s) of specified PII with respect to a specific recipient(s);
D. Provide notice of an individual’s ability to revoke the consent at any time.
3. Consent documents must be appropriately secured and retained for 10 years.
Implementation Specifications. 1. The accounting shall contain the date, nature, and purpose of such disclosures, and the name and address of the person or agency to whom the disclosure is made
2. The accounting shall be retained for at least 10 years after the disclosure, or the life of the record, whichever is longer.
3. Notwithstanding exceptions in Section (1)a.10, this accounting shall be available to Consumers, Applicants, Qualified Individuals, Enrollees, Qualified Employees, Qualified Employers, or these individuals’ legal representatives or Authorized Representatives, on their request per the procedures outlined under the access standards in Section (1) above.
Implementation Specifications. 1. Access rights must apply to any PII that is created, collected, disclosed, accessed, maintained, stored, and used by the Non-Exchange Entity to perform any of the Authorized Functions outlined in their respective agreements with the NMHIX.
2. The release of electronic documents containing PII through any electronic means of communication (e.g., e-mail, web portal) must meet the verification requirements for the release of “written documents” in Section (5)b below.
3. Persons legally authorized to act on behalf of the Consumers, Applicants, Qualified Individuals, Enrollees, Qualified Employees, and Qualified Employers regarding their PII, including individuals acting under an appropriate power of attorney that complies with applicable state and federal law, must be granted access in accordance with their legal authority. Such access would generally be expected to be coextensive with the degree of access available to the Subject Individual.
4. At the time the request is made, the Consumer, Applicant, Qualified Individual, Enrollee, Qualified Employees, Qualified Employers, or these individuals’ legal representatives or Authorized Representatives should generally be required to specify which PII he or she would like access to. The Non-Exchange Entity may assist them in determining their Information or data needs if such assistance is requested.
5. Subject to paragraphs (1) a.i.6 and 7 below, Non-Exchange Entities generally must provide access to the PII in the form or format requested, if it is readily producible in such form or format.
6. The Non-Exchange Entity may charge a fee only to recoup their costs for labor for copying the PII, supplies for creating a paper copy or a copy on electronic media, postage if the PII is mailed, or any costs for preparing an explanation or summary of the PII if the contractors has requested and/or agreed to receive such summary. If such fees are paid, the Non- Exchange Entity must provide the requested copies in accordance with any other applicable standards and implementation specifications.
7. A Non-Exchange Entity that receives a request for notification of, or access to PII must verify the requestor’s identity in accordance with Section (5)b.
8. A Non-Exchange Entity must complete its review of a request for access or notification (and grant or deny said notification and/or access) within 30 days of receipt of the notification and/or access request.
9. Except as otherwise provided in (1)a.i.10, if the requested PII c...
Implementation Specifications. 1. The requester must submit through mail, via an electronic upload process, or in-person to the Non-Exchange Entity’s Responsible Official, a copy of one of the following government-issued identification: a driver’s license, school identification card, voter registration card, U.S. military card or draft record, identification card issued by the federal, state or local government, including a U.S. passport, military dependent’s identification card, Native American tribal document, or U.S. Coast Guard Merchant Mariner card.
2. If such requester cannot provide a copy of one of these documents, he or she can submit two of the following documents that corroborate one another: a birth certificate, Social Security card, marriage certificate, divorce decree, employer identification card, high school or college diploma, and/or property deed or title.
Implementation Specifications. 1. The Non-Exchange Entity must require such individuals to successfully complete privacy and security training, as appropriate for their work duties and level of exposure to PII, prior to when they assume responsibility for/have access to PII.
2. The Non-Exchange Entity must require periodic role-based training on an annual basis, at a minimum.
3. The successful completion by such individuals of applicable training programs, curricula, and examinations offered through the FFE is sufficient to satisfy the requirements of this paragraph.
Implementation Specifications. 1. The statement must be written in plain language and provided in a manner that is accessible and timely to people living with disabilities and with limited English proficiency.
2. The statement must contain at a minimum the following information:
a. Legal authority to collect PII;
b. Purpose of the information collection;
c. To whom PII might be disclosed, and for what purposes;
d. Authorized uses and disclosures of any collected information;
e. Whether the request to collect PII is voluntary or mandatory under the applicable law;
f. Effects of non-disclosure if an individual chooses not to provide the requested information.
3. The Non-Exchange Entity shall maintain its Privacy Notice Statement content by reviewing and revising as necessary on an annual basis, at a minimum, and before or as soon as possible after any change to its privacy policies and procedures.
4. If the Non-Exchange Entity operates a Web site, it shall ensure that descriptions of its privacy and security practices, and information on how to file complaints with NMHIX and the Non-Exchange Entity, are publicly available through its Web site.
Implementation Specifications. 1. Such individuals shall be provided with instructions as to how they should address their requests to the Non-Exchange Entity’s Responsible Official, in writing or telephonically. They may also be offered an opportunity to meet with such individual or their delegate(s) in person.
2. Such individuals shall be instructed to specify the following in each request:
a. The PII they wish to correct, amend, substitute or delete;
b. The reasons for requesting such correction, amendment, substitution, or deletion, along with any supporting justification or evidence.
3. Such requests must be contracted or denied within no more than 10 working days of receipt.
4. If the Responsible Official (or their delegate) reviews these materials and ultimately agrees that the identified PII is not accurate, timely, complete, relevant or necessary to accomplish the function for which the PII was obtained/provided, the PII should be corrected, amended, substituted, or deleted in accordance with applicable law.
5. If the Responsible Official (or their delegate) reviews these materials and ultimately does not agree that the PII should be corrected, amended, substituted, or deleted, the requestor shall be informed in writing of the denial, and, if applicable, the availability of any appeal procedures. If available, the notification must identify the appropriate appeal authority including that authority’s name, title, and contact information.
Implementation Specifications. 1. The statement must be written in plain language and provided in a manner that is timely and accessible to people living with disabilities and with limited English proficiency.
2. The statement must contain at a minimum the following information:
a. Legal authority to collect PII;
b. Purpose of the information collection;
c. To whom XXX might be disclosed, and for what purposes;
d. Authorized uses and disclosures of any collected information;
e. Whether the request to collect PII is voluntary or mandatory under the applicable law; and
f. Effects of non-disclosure if an individual chooses not to provide the requested information.
3. The Non-Exchange Entity shall maintain its Privacy Notice Statement content by reviewing and revising as necessary on an annual basis, at a minimum, and before or as soon as possible after any change to its privacy policies and procedures.
Implementation Specifications. 1. The privacy and security standards and implementation specifications shall be written in plain language and shall be available to all of the Non- Exchange Entity’s Workforce members whose responsibilities entail the creation, collection, maintenance, storage, access, or use of PII.
2. The procedures shall ensure the Non-Exchange Entity’s cooperation with CMS in resolving any Incident or Breach, including (if requested by CMS) the return or destruction of any PII files it received under the Agreement; the provision of a formal response to an allegation of unauthorized PII use, reuse, or disclosure; and/or the submission of a corrective action plan with steps designed to prevent any future unauthorized uses, reuses, or disclosures.
3. The standard operating procedures must be designed and implemented to ensure the Non-Exchange Entity and its Workforce comply with the standards and implementation specifications contained herein, and must be reasonably designed, taking into account the size and the type of activities that relate to PII undertaken by the Non-Exchange Entity, to ensure such compliance.
Implementation Specifications. Such policies and procedures would:
1. Identify the Non-Exchange Entity’s Designated Security and Privacy Official(s), if applicable, and/or identify other personnel authorized to access PII and responsible for reporting and managing Incidents or Breaches to CMS;
2. Provide details regarding the identification, response, recovery, and follow-up of Incidents and Breaches, which should include information regarding the potential need for CMS to immediately suspend or revoke access to the Hub, if applicable, for containment purposes; and
3. Require reporting of any security and privacy Incident or Breach of PII to the CMS IT Service Desk by telephone at (000) 000-0000 or 0-000-000-0000 or via email notification at xxx_xx_xxxxxxx_xxxx@xxx.xxx.xxx within one hour after discovery of the Incident or Breach.