Contract

1 AGREEMENT BETWEEN WEB-BASED ENTITY AND THE CENTERS FOR MEDICARE & MEDICAID SERVICES FOR THE FEDERALLY-FACILITATED EXCHANGE AND THE STATE- BASED EXCHANGE ON THE FEDERAL PLATFORM INDIVIDUAL MARKET THIS WEB-BROKER AGREEMENT (“Agreement”) is entered into by and between THE CENTERS FOR MEDICARE & MEDICAID SERVICES (“CMS”), as the Party (as defined below) responsible for the management and oversight of the Federally-facilitated Exchanges (“FFEs”) and the operation of the Federal eligibility and enrollment platform relied upon by certain State-based Exchanges for their eligibility and enrollment functions (SBE-FPs), including the CMS Data Services Hub (“Hub”), and , (hereinafter referred to as Web-based Entity or “WBE”), an Agent or Broker that uses a non-FFE Internet website in accordance with 45 CFR 155.220(c)(3) to assist Consumers, Applicants, Qualified Individuals, and Enrollees in applying for Advance Payments of the Premium Tax Credits (“APTCs”) and Cost-sharing Reductions (“CSRs”) for Qualified Health Plans (“QHPs”), and/or in completing enrollment in QHPs offered in the individual market through the FFEs or SBE-FPs, and provides Customer Service (CMS and WBE hereinafter referred to as the “Party,” or collectively, as the “Parties”). WHEREAS: 1. Section 1312(e) of the Affordable Care Act (“ACA”) provides that the Secretary of the U.S. Department of Health and Human Services (“HHS”) shall establish procedures that permit Agents and Brokers to enroll Qualified Individuals in QHPs through an Exchange, and to assist individuals in applying for APTCs and CSRs, to the extent allowed by States. To participate in an FFE or SBE-FP, Agents and Brokers, including WBEs, must complete all necessary registration and training requirements under 45 CFR 155.220. 2. To facilitate the eligibility determination and enrollment processes, CMS will provide centralized and standardized business and technical services (“Hub Web Services”) through an application programming interface to WBE that will enable WBE to establish a secure connection with the Hub. The application programming interface will enable the secure transmission of key eligibility and enrollment information between CMS and WBE. 3. To facilitate the operation of the FFEs and SBE-FPs, CMS desires to: (a) disclose Personally Identifiable Information (“PII”), which is held in the Health Insurance Exchanges Program (“XXX”), to WBE; (b) provide WBE with access to the Hub Web Services; and (c) permit WBE to create, collect, disclose, access, maintain, store, and use PII from CMS, Consumers, Applicants, Qualified Individuals, and Enrollees—or these individuals’ legal representatives or Authorized Representatives—to the extent that these activities are necessary to carry out the functions that the ACA and implementing regulations permit WBE to carry out. 4. WBE is an entity licensed as an Agent or Broker and desires to gain access to the eHealthInsurance Services, Inc.

2 Hub Web Services, and to create, collect, disclose, access, maintain, store, and use PII from CMS, Consumers, Applicants, Qualified Individuals, and Enrollees to perform the Authorized Functions described in Section II.a of this Agreement. 5. 45 CFR 155.260(b) provides that an Exchange must, among other things, require privacy and security standards that are consistent with the principles in 45 CFR 156.260(a)(1) through (a)(6), including being at least as protective as the standards the Exchange has established and implemented for itself under 45 CFR 155.260(a)(3), as a condition of contract or agreement with Non-Exchange Entities, and WBE is a Non-Exchange Entity. 6. CMS, in the administration of the FFEs and the Hub, has adopted privacy and security standards concerning PII, as set forth in Appendix A, “Privacy and Security Standards and Implementation Specifications for Non-Exchange Entities.” Now, therefore, in consideration of the promises and covenants herein contained, the adequacy of which the Parties acknowledge, the Parties agree as follows: I. Definitions. Capitalized terms not otherwise specifically defined herein shall have the meaning set forth in the attached Appendix B, “Definitions.” Any capitalized term that is not defined herein or in Appendix B has the meaning provided in 45 CFR 155.20. II. Acceptance of Standard Rules of Conduct. WBE and CMS are entering into this Agreement to satisfy the requirements under 45 CFR 155.260(b)(2). WBE hereby acknowledges and agrees to accept and abide by the standard rules of conduct set forth below and in Appendix A, “Privacy and Security Standards and Implementation Specifications for Non-Exchange Entities,” and Appendix C, “Standards for Communication with the Hub,” which are incorporated by reference in this Agreement, while and as engaging in any activity as WBE for purposes of the ACA. WBE shall be bound to strictly adhere to the privacy and security standards—and to ensure that its employees, officers, directors, contractors, subcontractors, agents, and representatives strictly adhere to the same—to gain and maintain access to the Hub Web Services and to create, collect, disclose, access, maintain, store, and use PII for the efficient operation of the FFEs and SBE-FPs. a. Authorized Functions. WBE may create, collect, disclose, access, maintain, store, and use PII for: 1. Assisting with completing applications for QHP eligibility; 2. Supporting QHP selection and enrollment by assisting with plan selection and plan comparisons; 3. Assisting with completing applications for the receipt of APTCs or CSRs and with selecting an APTC amount;

3 4. Facilitating the collection of standardized attestations acknowledging the receipt of the APTC or CSR determination, if applicable; 5. Assisting with the application for and determination of certificates of exemption; 6. Assisting with filing appeals of eligibility determinations in connection with the FFEs and SBE-FPs; 7. Transmitting information about the Consumer’s, Applicant’s, Qualified Individual’s, or Enrollee’s decisions regarding QHP enrollment and/or CSR and APTC information to the FFEs and SBE- FPs; 8. Facilitating payment of the initial premium amount to the appropriate QHP; 9. Facilitating an Enrollee’s ability to disenroll from a QHP; 10. Educating Consumers, Applicants, or Enrollees on insurance affordability programs and, if applicable, informing such individuals of eligibility for Medicaid or Children’s Health Insurance Program (CHIP); 11. Assisting an Enrollee’s ability to report changes in eligibility status to the FFEs and SBE-FPs throughout the coverage year, including changes that may affect eligibility (e.g., adding a dependent); 12. Correcting errors in the application for QHP enrollment; 13. Informing or reminding Enrollees when QHP coverage should be renewed, when Enrollees may no longer be eligible to maintain their current QHP coverage because of age, or to inform Enrollees of QHP coverage options at renewal; 14. Providing appropriate information, materials, and programs to Consumers, Applicants, Qualified Individuals, and Enrollees, to inform and educate them about the use and management of their health information, and services and options offered through the selected QHP or among the available QHP options; 15. Contacting Consumers, Applicants, Qualified Individuals, and Enrollees to assess their satisfaction or resolve complaints with services provided by WBE in connection with the FFEs, SBE-FPs, WBE, or QHPs; 16. Providing assistance in communicating with QHP Issuers; 17. Fulfilling the legal responsibilities related to the efficient functions of QHP Issuers in the FFEs and SBE-FPs, as permitted or required by WBE’s contractual relationships with QHP Issuers; and 18. Performing other functions substantially similar to those enumerated above and such other functions that CMS may approve in writing from time to time.

4 b. Standards Regarding PII. WBE agrees that it will create, collect, disclose, access, maintain, use, or store PII that it receives directly from Consumers, Applicants, Qualified Individuals, or Enrollees and from Hub Web Services only in accordance with all laws as applicable, including section 1411(g) of the ACA. 1. Safeguards. WBE agrees to monitor, periodically assess, and update its security controls and related system risks to ensure the continued effectiveness of those controls in accordance with this Agreement, including Appendix A, “Privacy and Security Standards and Implementation Specifications for Non-Exchange Entities,” and to timely inform the Exchange of any material change in its administrative, technical, or operational environments, or that would require an alteration of the privacy and security standards within this Agreement. 2. Downstream Entities. WBE will satisfy the requirement in 45 CFR 155.260(b)(2)(v) to bind downstream entities by entering into written agreements with any downstream entities that will have access to PII as defined in this Agreement. 3. Critical Security and Privacy Controls. The critical controls the WBE must implement before WBE is able to submit any transactions to the FFE production system: a. Email/Web Browser Protections – Including but not limited to assurance that transfer protocols are secure and limits the threat of communications being intercepted. b. Malware Protection – Including but not limited to protections against known threat vectors within the system’s environment to mitigate damage/security breaches. c. Patch Management – Including but not limited to ensuring every client and server is up to date with the latest security patches throughout the environment. d. Vulnerability Management – Including but not limited to identifying, classifying, remediating, and mitigating vulnerabilities on a continual basis by conducting periodic vulnerability scans to identify weaknesses within an environment. e. Inventory of Software/Hardware – Including but not limited to maintaining an Inventory of hardware/software within the environment helps to identify vulnerable aspects left open to threat vectors without performing vulnerability scans and to have specific knowledge of what is within the system’s environment. f. Account Management- Including but not limited to the determination of who/what has access to the system’s environment and data and also maintain access controls to the system.

5 g. Configuration Management – Including but not limited to defining the baseline configurations of the servers and endpoints of a system to mitigate threat factors that can be utilized to gain access to the system/data. h. Incident Response – Including but not limited to the ability to detect security events, investigate, and mitigate or limit the effects of those events. i. Governance and Privacy Compliance Program – Including but not limited to appointing a responsible official to develop and implement operational privacy compliance policies for information systems and databases. j. Privacy Impact/Risk Assessment – Including but not limited to appointing a responsible official to develop and implement a formal policy and procedures to assess the organizations risk posture. k. Awareness and Training Program – Including but not limited to appointing a responsible official to develop and implement security and privacy education awareness program for all staff members and contractors. l. Data Retention and Destruction – Including but not limited to developing formal policy and procedures for data retention and destruction of PII. c. PII Received. Subject to the terms and conditions of this Agreement and applicable laws, in performing the tasks contemplated under this Agreement, WBE may create, collect, disclose, access, maintain, store, and use the following PII from Consumers, Applicants, Qualified Individuals, or Enrollees, including but not limited to: APTC percentage and amount applied Auto disenrollment information Applicant name Applicant address Applicant birthdate Applicant telephone number Applicant email Applicant Social Security Number Applicant spoken and written language preference Applicant Medicaid Eligibility indicator, start and end dates Applicant Children’s Health Insurance Program eligibility indicator, start and end dates Applicant QHP eligibility indicator, start and end dates Applicant APTC percentage and amount applied eligibility indicator, start and end dates Applicant household income Applicant maximum APTC amount

6 Applicant CSR eligibility indicator, start and end dates Applicant CSR level Applicant QHP eligibility status change Applicant APTC eligibility status change Applicant CSR eligibility status change Applicant Initial or Annual Open Enrollment Indicator, start and end dates Applicant Special Enrollment Period eligibility indicator and reason code Contact name Contact address Contact birthdate Contact telephone number Contact email Contact spoken and written language preference Enrollment group history (past six months) Enrollment type period FFE Applicant ID FFE Member ID Issuer Member ID Net premium amount Premium amount, start and end dates Credit or Debit Card Number, name on card Checking account and routing number Special Enrollment Period reason Subscriber indicator and relationship to subscriber Tobacco use indicator and last date of tobacco use Custodial parent Health coverage American Indian/Alaska Native status and name of tribe Marital status Race/ethnicity Requesting financial assistance Responsible person Dependent name Applicant/dependent sex Student status Subscriber indicator and relationship to subscriber Total individual responsibility amount d. Collection of PII. PII collected from Consumers, Applicants, Qualified Individuals, Enrollees—or their legal representatives or Authorized Representatives—in the context of completing an application for QHP, APTC, or CSR eligibility, or any data transmitted from or through the Hub, may be used only for Authorized Functions specified in Section II.a of this Agreement. Such information may not be used for purposes other than authorized by this agreement or as consented to by a Consumer, Applicant, Qualified Individual, or Enrollee. e. Collection and Use of Information Provided Under Other Authorities. This

7 Agreement does not preclude WBE from collecting information from Consumers, Applicants, Qualified Individuals, or Enrollees—or their legal representatives or Authorized Representative—for a non-FFE/non-SBE-FP/non-Hub purpose, and using, reusing, and disclosing the non-FFE/non-SBE-FP/non-Hub information obtained as permitted by applicable law and/or other applicable authorities. Such information must be stored separately from any PII collected in accordance with Section II.c of this Agreement. f. Ability of Individuals to Limit Collection and Use. WBE agrees to allow the Consumer, Applicant, Qualified Individual, or Enrollee to limit WBE’s creation, collection, disclosure, access, maintenance, storage, and use of their PII to the sole purpose of obtaining WBE’s assistance in applying for a QHP, APTC or CSR eligibility, and for performing Authorized Functions specified in Section II.a of this Agreement. g. Incident and Breach Reporting. WBE agrees to report any suspected or confirmed Incident or Breach of PII to the CMS IT Service Desk by telephone at (410) 000- 0000 or 0-000-000-0000 or via email notification at xxx_xx_xxxxxxx_xxxx@xxx.xxx.xxx within one hour of discovery of the Incident or Breach. In the event of an Incident or Breach WBE must permit CMS to gather all information necessary to conduct all Incident response activities deemed necessary by CMS. If WBE fails to report an Incident or Breach in compliance with this provision, the WBE may be subject to the Termination provision (Section IV) of this Agreement. Termination pursuant to Section IV may also result where an Incident or Breach is found to have resulted from WBE’s failure to comply with the terms of this Agreement. III. Effective Date and Term; Renewal. a. Effective Date and Term. This Agreement becomes effective on the date the last of the two Parties executes this Agreement and ends the day before the first day of the open enrollment period for the benefit year beginning January 1, 2018. b. Renewal. This Agreement may be renewed in the sole and absolute discretion of CMS for subsequent and consecutive one (1) year periods upon thirty (30)-Days’ advance written notice to WBE. IV. Termination. a. Termination without Cause. Either Party may terminate this Agreement without cause and for its convenience upon thirty (30)-Days’ prior written notice to the other Party. b. Termination with Cause. The termination of this Agreement shall be governed by the termination standards adopted by the FFE or SBE-FP under 45 CFR 155.220. Notwithstanding the foregoing, WBE shall be considered in “Habitual Default” of this Agreement if it has been served with a thirty (30)-Day notice under 45 CFR

8 155.220 more than three (3) times in any calendar year, whereupon CMS may, in its sole discretion, immediately thereafter terminate this Agreement upon notice to WBE without any further opportunity to cure or propose cure. CMS may also temporarily suspend the ability of a WBE to make its website available to transact information with HHS pursuant to 45 CFR 155.220(c)(4)(ii). c. Termination for Failure to Maintain Valid State Licensure. WBE acknowledges and agrees that valid state licensure in each state in which WBE will assist consumers in applying for or obtaining coverage under a qualified health plan through an FFE or SBE-FP is a precondition to WBE’s authority under this Agreement. Accordingly, CMS may terminate this Agreement upon thirty (30) Days’ prior written notice if WBE fails to maintain valid licensure in at least one FFE or SBE-FP state, and in each state for which WBE facilitates enrollment in a QHP through the FFE or a SBE-FP. Any such termination shall be governed by the termination and reconsideration standards adopted by the FFE under 45 CFR 155.220(g). d. Destruction of PII. WBE covenants and agrees to destroy all PII in its possession at the end of the record retention period required under Appendix A. If, upon the termination or expiration of this Agreement, WBE has in its possession PII for which no retention period is specified in Appendix A, such PII shall be destroyed within thirty (30) Days of the termination or expiration of this Agreement. The WBE’s duty to protect and maintain the privacy and security of PII, as provided for in Appendix A of this Agreement, shall continue in full force and effect until such PII is destroyed and shall survive the termination or expiration of this Agreement. e. De-registration from the FFEs. WBE acknowledges that the termination or expiration of this Agreement may result in the de-registration of WBE from the FFEs and SBE-FPs. V. Miscellaneous. a. Notice. All notices specifically required under this Agreement shall be given in writing and shall be delivered as follows: If to CMS: Centers for Medicare & Medicaid Services (CMS) Center for Consumer Information & Insurance Oversight (CCIIO) Attn: Office of the Director Room 739H 000 Xxxxxxxxxxxx Xxxxxx, XX Xxxxxxxxxx, XX 00000 If to WBE, to WBE’s address on record.

9 Notices sent by hand or overnight courier service, or mailed by certified or registered mail, shall be deemed to have been given when received; notices sent by facsimile shall be deemed to have been given when the appropriate confirmation of receipt has been received; provided, that notices not given on a business day (i.e., Monday-Friday excluding Federal holidays) between 9:00 a.m. and 5:00 p.m. local time where the recipient is located shall be deemed to have been given at 9:00 a.m. on the next business day for the recipient. A Party to this Agreement may change its contact information for notices and other communications by providing thirty (30)-Days’ written notice of such change in accordance with this provision. b. Assignment and Subcontracting. WBE shall not assign this Agreement in whole or in part, whether by merger, acquisition, consolidation, reorganization, or otherwise, nor subcontract any portion of the services to be provided by WBE under this Agreement, nor otherwise delegate any of its obligations under this Agreement, without the express, prior written consent of CMS, which consent may be withheld, conditioned, granted, or denied in CMS’ sole and absolute discretion. WBE further shall not assign this Agreement or any of its rights or obligations hereunder without the prior written consent of the State. If WBE attempts to make an assignment, subcontract its service obligations or otherwise delegate its obligations hereunder in violation of this provision, such assignment, subcontract, or delegation shall be deemed void ab initio and of no force or effect, and WBE shall remain legally bound hereto and responsible for all obligations under this Agreement. WBE shall further be thereafter subject to such compliance actions as may otherwise be provided for under applicable law. c. Use of the FFM Web Services. WBE will only use a CMS-approved Direct Enrollment pathway to facilitate enrollment through the FFEs and SBE-FPs. d. Survival. WBE’s duty to protect and maintain the privacy and security of PII under this Agreement shall survive the expiration or termination of this Agreement. e. Severability. The invalidity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement. In the event that any provision of this Agreement is determined to be invalid, unenforceable or otherwise illegal, such provision shall be deemed restated, in accordance with applicable law, to reflect as nearly as possible the original intention of the parties, and the remainder of the Agreement shall be in full force and effect. f. Disclaimer of Joint Venture. Neither this Agreement nor the activities of WBE contemplated by and under this Agreement shall be deemed or construed to create in any way any partnership, joint venture or agency relationship between CMS and WBE. Neither Party is, nor shall either Party hold itself out to be, vested with any power or right to bind the other Party contractually or to act on behalf of the other Party, except to the extent expressly set forth in ACA and the

10 regulations codified thereunder, including as codified at 45 CFR part 155. g. Remedies Cumulative. No remedy herein conferred upon or reserved to CMS under this Agreement is intended to be exclusive of any other remedy or remedies available to CMS under operative law and regulation, and each and every such remedy, to the extent permitted by law, shall be cumulative and in addition to any other remedy now or hereafter existing at law or in equity or otherwise. h. Compliance with Law. WBE covenants and agrees to comply with any and all applicable laws, statutes, regulations, or ordinances of the United States of America and any Federal Government agency, board, or court that are applicable to the conduct of the activities that are the subject of this Agreement, including, but not necessarily limited to, any additional and applicable standards required by statute, and any regulations or policies implementing or interpreting such statutory provisions hereafter issued by CMS. In the event of a conflict between the terms of this Agreement and any statutory, regulatory, or sub-regulatory guidance released by CMS, the requirement that constitutes the stricter, higher, or more stringent level of compliance shall control. i. Governing Law. This Agreement will be governed by the laws and common law of the United States of America, including without limitation such regulations as may be promulgated by HHS or any of its constituent agencies, without regard to any conflict of laws statutes or rules. WBE further agrees and consents to the jurisdiction of the Federal Courts located within the District of Columbia and the courts of appeal therefrom, and waives any claim of lack of jurisdiction or forum non conveniens. j. Amendment. CMS may amend this Agreement for purposes of reflecting changes in applicable law or regulations, with such amendments taking effect upon thirty (30)-Days’ written notice to WBE (“CMS notice period”) unless circumstances warrant an earlier effective date. Any amendments made under this provision will only have prospective effect and will not be applied retrospectively. WBE may reject such amendment by providing to CMS, during the CMS notice period, thirty (30)-Days’ written notice of its intent to reject the amendment (“rejection notice period”). Any such rejection of an amendment made by CMS shall result in the termination of this Agreement upon expiration of the rejection notice period. k. Audit and Compliance Review. WBE agrees that CMS, the Comptroller General, the Office of the Inspector General of HHS, or their designees may conduct compliance reviews or audits, which includes the right to interview employees, contractors and business partners of the WBE and to audit, inspect, evaluate, examine, and make excerpts, transcripts, and copies of any books, records, documents, and other evidence of WBE’s compliance with the requirements of this Agreement upon reasonable notice to WBE, during WBE’s regular business hours, and at WBE’s regular business location. These audit and review rights

11 include the right to audit WBE’s compliance with and implementation of the privacy and security requirements under this Agreement. WBE further agrees to allow reasonable access to the information and facilities, including but not limited to WBE website testing environments, requested by CMS, the Comptroller General, the Office of the Inspector General of HHS, or their designees for the purpose of such a compliance review or audit. CMS may suspend or terminate the agreement of a WBE that does not comply with such a compliance review request within seven business days. l. APTC Selection and Attestation. WBE must allow Consumers, Applicants, Qualified Individuals, and Enrollees to select and attest to an APTC amount, if applicable, in accordance with 45 CFR 155.310(d)(2). WBE should use the specific language detailed the FFM and FF-SHOP Enrollment Manual, available at xxxxx://xxx.xxx.xxx/XXXXX/Xxxxxxxxx/Xxxxxxxxxxx-xxx- Guidance/Downloads/Updated_Enrollment_Operations_Policy- and_Guidance_Final_9-30-2015_mb.pdf, when providing consumers with the ability to attest to an APTC amount. [REMAINDER OF PAGE INTENTIONALLY LEFT BLANK]

14 APPENDIX A PRIVACY AND SECURITY STANDARDS AND IMPLEMENTATION SPECIFICATIONS FOR NON-EXCHANGE ENTITIES Statement of Applicability: These standards and implementation specifications are established in accordance with Section 1411(g) of the Affordable Care Act (“ACA”) (42 U.S.C. § 18081(g)), the Federal Information Management Act of 2002 (“FISMA”) (44 U.S.C. 3541), and 45 CFR 155.260. All capitalized terms used herein carry the meanings assigned in Appendix B, “Definitions.” Any capitalized term that is not defined in Appendix B has the meaning provided in 45 CFR 155.20. The standards and implementation specifications that are set forth in this Appendix A are consistent with the principles in 45 CFR 155.260(a)(1) through (a)(6). The FFEs will enter into contractual agreements with all Non-Exchange Entities, including WBE that gain access to Personally Identifiable Information (“PII”) exchanged with the FFEs and SBE-FPs, or directly from Consumers, Applicants, Qualified Individuals, or Enrollees, or these individuals’ legal representatives or Authorized Representatives. That agreement and its appendices, including this Appendix A, govern any PII that is created, collected, disclosed, accessed, maintained, stored, or used by Non-Exchange Entities in the context of the FFEs and SBE-FPs. In signing that contractual agreement, in which this Appendix A has been incorporated, Non-Exchange Entities agree to comply with the standards and implementation specifications laid out in this document and the applicable standards, controls, and applicable implementation specifications within the privacy and security standards as established by the FFE under 155.260(a)(3) and as applicable to non-Exchange entities under 155.260(b)(3) while performing the Authorized Functions outlined in their respective agreements. NON-EXCHANGE ENTITY PRIVACY AND SECURITY STANDARDS AND IMPLEMENTATION SPECIFICATIONS Non-Exchange Entities must meet the following privacy and security standards: (1) Individual Access to PII. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities that maintain and/or store PII must provide Consumers, Applicants, Qualified Individuals, and Enrollees—or these individuals’ legal representatives and Authorized Representatives—with a simple and timely means of appropriately accessing PII pertaining to them and/or the person they represent in a physical or electronic readable form and format. a. Standard: Individual Access to PII. Non-Exchange Entities that maintain and/or store PII must implement policies and procedures that provide access to PII upon request.

15 i. Implementation Specifications. 1. Access rights must apply to any PII that is created, collected, disclosed, accessed, maintained, stored, and used by the Non- Exchange Entity to perform any of the Authorized Functions outlined in their respective agreements with CMS. 2. The release of electronic documents containing PII through any electronic means of communication (e.g., e-mail, web portal) must meet the verification requirements for the release of “written documents” in Section (5)b below. 3. Persons legally authorized to act on behalf of the Consumers, Applicants, Qualified Individuals, and Enrollees regarding their PII, including individuals acting under an appropriate power of attorney that complies with applicable state and federal law, must be granted access in accordance with their legal authority. Such access would generally be expected to be coextensive with the degree of access available to the Subject Individual. 4. At the time the request is made, the Consumer, Applicant, Qualified Individual, Enrollee—or these individuals’ legal representatives or Authorized Representatives—should generally be required to specify which PII he or she would like access to. The Non-Exchange Entity may assist them in determining their information or data needs, if such assistance is requested. 5. Subject to paragraphs (1)a.i.6 and 7 below, Non-Exchange Entities generally must provide access to the PII in the form or format requested, if it is readily producible in such form or format. 6. The Non-Exchange Entity may charge a fee only to recoup their costs for labor for copying the PII, supplies for creating a paper copy or a copy on electronic media, postage if the PII is mailed, or any costs for preparing an explanation or summary of the PII if the recipient has requested and/or agreed to receive such summary. If such fees are paid, the Non-Exchange Entity must provide the requested copies in accordance with any other applicable standards and implementation specifications. 7. A Non-Exchange Entity that receives a request for notification of, or access to PII must verify the requestor’s identity in accordance with Section (5)b below. 8. A Non-Exchange Entity must complete its review of a request for access or notification (and grant or deny said notification and/or access) within thirty (30) Days of receipt of the notification and/or access request. 9. Except as otherwise provided in (1)a.i.10, if the requested PII cannot be produced, the Non-Exchange Entity must provide an explanation for its denial of the notification or access request, and, if applicable, information regarding the availability of any appeal procedures, including the appropriate appeal authority’s name, title, and contact information.

16 10. Non-Exchange Entities may deny access to PII that they maintain or store without providing an opportunity for review, in the following circumstances: a. If the PII was obtained or created solely for use in legal proceedings; or b. If the PII is contained in records that are subject to a law that either permits withholding the PII or bars the release of such PII. (2) Openness and Transparency. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities must ensure openness and transparency about policies, procedures, and technologies that directly affect Consumers, Applicants, Qualified Individuals, and Enrollees and their PII. a. Standard: Privacy Notice Statement. Prior to collecting PII, the Non-Exchange Entity must provide a notice that is prominently and conspicuously displayed on a public-facing website, if applicable, or on the electronic and/or paper form the Non- Exchange Entity will use to gather and/or request PII. i. Implementation Specifications. 1. The statement must be written in plain language and provided in a manner that is timely and accessible to people living with disabilities and with limited English proficiency. 2. The statement must contain at a minimum the following information: a. Legal authority to collect PII; b. Purpose of the information collection; c. To whom PII might be disclosed, and for what purposes; d. Authorized uses and disclosures of any collected information; e. Whether the request to collect PII is voluntary or mandatory under the applicable law; and f. Effects of non-disclosure if an individual chooses not to provide the requested information. 3. The Non-Exchange Entity shall maintain its Privacy Notice Statement content by reviewing and revising as necessary on an annual basis, at a minimum, and before or as soon as possible after any change to its privacy policies and procedures. 4. If the Non-Exchange Entity operates a website, it shall ensure that descriptions of its privacy and security practices, and information on how to file complaints with CMS and the Non-Exchange Entity, are publicly available through its website. (3) Individual Choice. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities should ensure that Consumers, Applicants, Qualified Individuals, and Enrollees—or these individuals’ legal representatives or Authorized Representatives—are provided a reasonable opportunity and capability to make informed decisions about the creation, collection, disclosure, access, maintenance, storage, and use of their PII.

17 a. Standard: Informed Consent. The Non-Exchange Entity may create, collect, disclose, access, maintain, store, and use PII from Consumers, Applicants, Qualified Individuals, and Enrollees—or these individuals’ legal representatives or Authorized Representatives—only for the functions and purposes listed in the Privacy Notice Statement and any relevant agreements in effect as of the time the information is collected, unless the FFE, SBE-FP or Non-Exchange Entity obtains informed consent from such individuals. i. Implementation Specifications. 1. The Non-Exchange Entity must obtain informed consent from individuals for any use or disclosure of information that is not permissible within the scope of the Privacy Notice Statement and any relevant agreements that were in effect as of the time the PII was collected. Such consent must be subject to a right of revocation. 2. Any such consent that serves as the basis of a use or disclosure must: a. Be provided in specific terms and in plain language; b. Identify the entity collecting or using the PII, and/or making the disclosure; c. Identify the specific collections, use(s), and disclosure(s) of specified PII with respect to a specific recipient(s); and d. Provide notice of an individual’s ability to revoke the consent at any time. 3. Consent documents must be appropriately secured and retained for ten (10) years. (4) Creation, Collection, Disclosure, Access, Maintenance, Storage, and Use Limitations. In keeping with the standards and implementation specifications used by the FFE, Non- Exchange Entities must ensure that PII is only created, collected, disclosed, accessed, maintained, stored, and used, to the extent necessary to accomplish a specified purpose(s) in the contractual agreement and any appendices. Such information shall never be used to discriminate against a Consumer, Applicant, Qualified Individual, Enrollee, Qualified Employee, or Qualified Employer. a. Standard: Creation, Collection, Disclosure, Access, Maintenance, Storage, and Use Limitations. Other than in accordance with the consent procedures outlined above, the Non-Exchange Entity shall only create, collect, disclose, access, maintain, store, and use PII: 1. To the extent necessary to ensure the efficient operation of the Exchange; 2. In accordance with its published Privacy Notice Statement and any applicable agreements that were in effect at the time the PII was collected, including the consent procedures outlined above in Section (3) above; and/or 3. In accordance with the permissible functions outlined in the regulations and agreements between CMS and the Non-Exchange Entity.

18 b. Standard: Non-discrimination. The Non-Exchange Entity should not, to the greatest extent practicable, collect PII directly from the Consumer, Applicant, Qualified Individual, or Enrollee, when the information is likely to result in adverse determinations about benefits. c. Standard: Prohibited Uses and Disclosures of PII. i. Implementation Specifications. 1. The Non-Exchange Entity shall not request Information regarding citizenship, status as a national, or immigration status for an individual who is not seeking coverage for himself or herself on any application. 2. The Non-Exchange Entity shall not require an individual who is not seeking coverage for himself or herself to provide a Social Security Number (SSN), except if an Applicant’s eligibility is reliant on a tax filer’s tax return and their SSN is relevant to verification of household income and family size. 3. The Non-Exchange Entity shall not use PII to discriminate, including employing marketing practices or benefit designs that will have the effect of discouraging the enrollment of individuals with significant health needs in QHPs. (5) Data Quality and Integrity. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities should take reasonable steps to ensure that PII is complete, accurate, and up-to-date to the extent such data is necessary for the Non-Exchange Entity’s intended use of such data, and that such data has not been altered or destroyed in an unauthorized manner, thereby ensuring the confidentiality, integrity, and availability of PII. a. Standard: Right to Amend, Correct, Substitute, or Delete PII. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities must offer Consumers, Applicants, Qualified Individuals, and Enrollees— or these individuals’ legal representatives or Authorized Representatives—an opportunity to request amendment, correction, substitution, or deletion of PII maintained and/or stored by the Non-Exchange Entity if such individual believes that the PII is not accurate, timely, complete, relevant, or necessary to accomplish an Exchange-related function, except where the PII questioned originated from other sources, in which case the individual should contact the originating source. i. Implementation Specifications. 1. Such individuals shall be provided with instructions as to how they should address their requests to the Non-Exchange Entity’s Responsible Official, in writing or by telephone. They may also be offered an opportunity to meet with the Responsible Official or their delegate(s) in person. 2. Such individuals shall be instructed to specify the following in each request:

19 a. The PII they wish to correct, amend, substitute or delete; and b. The reasons for requesting such correction, amendment, substitution, or deletion, along with any supporting justification or evidence. 3. Such requests must be granted or denied within no more than ten (10) working days of receipt. 4. If the Responsible Official (or their delegate) reviews these materials and ultimately agrees that the identified PII is not accurate, timely, complete, relevant, or necessary to accomplish the function for which the PII was obtained/provided, the PII should be corrected, amended, substituted, or deleted in accordance with applicable law. 5. If the Responsible Official (or their delegate) reviews these materials and ultimately does not agree that the PII should be corrected, amended, substituted, or deleted, the requestor shall be informed in writing of the denial, and, if applicable, the availability of any appeal procedures. If available, the notification must identify the appropriate appeal authority including that authority’s name, title, and contact information. b. Standard: Verification of Identity for Requests to Amend, Correct, Substitute or Delete PII. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities that maintain and/or store PII must develop and implement policies and procedures to verify the identity of any person who requests access to, notification of, or modification—including amendment, correction, substitution, or deletion—of PII that is maintained by or for the Non-Exchange Entity. This includes confirmation of an individuals’ legal or personal authority to access, receive notification of, or seek modification—including amendment, correction, substitution, or deletion—of a Consumer’s, Applicant’s, Qualified Individual’s, or Enrollee’s PII. i. Implementation Specifications. 1. The requester must submit through mail, via an electronic upload process, or in-person to the Non-Exchange Entity’s Responsible Official, a copy of one of the following government- issued identification: a driver’s license, voter registration card, U.S. military card or draft record, identification card issued by the federal, state, or local government, including a U.S. passport, military dependent’s identification card, Native American tribal document, or U.S. Coast Guard Merchant Mariner card. 2. If such requester cannot provide a copy of one of these documents, he or she can submit two of the following documents that corroborate one another: a birth certificate, Social Security card, marriage certificate, divorce decree, employer identification card, high school or college diploma, and/or property deed or title. c. Standard: Accounting for Disclosures. Except for those disclosures made to the Non-Exchange Entity’s Workforce who have a need for the record in the

20 performance of their duties, and the disclosures that are necessary to carry out the required functions of the Non-Exchange Entity, Non-Exchange Entities that maintain and/or store PII shall maintain an accounting of any and all disclosures. i. Implementation Specifications. 1. The accounting shall contain the date, nature, and purpose of such disclosures, and the name and address of the person or agency to whom the disclosure is made. 2. The accounting shall be retained for at least ten (10) years after the disclosure, or the life of the record, whichever is longer. 3. Notwithstanding exceptions in Section (1)a.10, this accounting shall be available to Consumers, Applicants, Qualified Individuals, and Enrollees—or these individuals’ legal representatives or Authorized Representatives—on their request per the procedures outlined under the access standards in Section (1) above. (6) Accountability. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities should adopt and implement the standards and implementation specifications in this document in a manner that ensures appropriate monitoring and other means and methods to identify and report Incidents and/or Breaches. a. Standard: Reporting. The Non-Exchange Entity must implement Breach and Incident Handling procedures that are consistent with CMS’ Incident and Breach Notification Procedures1 and incorporate these procedures in the Non-Exchange Entity’s own written policies and procedures. i. Implementation Specifications. Such policies and procedures would: 1. Identify the Non-Exchange Entity’s Designated Privacy Official, if applicable, and/or identify other personnel authorized to access PII and responsible for reporting and managing Incidents or Breaches to CMS; 2. Provide details regarding the identification, response, recovery, and follow-up of Incidents and Breaches, which should include information regarding the potential need for CMS to immediately suspend or revoke access to the Hub for containment purposes. 3. Require reporting of any Incident or Breach of PII to the CMS IT Service Desk by telephone at (000) 000-0000 or 0-000-000-0000 or via email notification at xxx_xx_xxxxxxx_xxxx@xxx.xxx.xxx within one hour after discovery of the Incident or Breach. b. Standard: Standard Operating Procedures. The Non-Exchange Entity shall incorporate privacy and security standards and implementation specifications, where appropriate, in its standard operating procedures that are associated with functions involving the creation, collection, disclosure, access, maintenance, storage, or use of PII. 1 Available at xxxx://xxx.xxx.xxx/Xxxxxxxx-Xxxxxxxxxx-Xxxx-xxx-Xxxxxxx/XXX-Xxxxxxxxxxx- Technology/InformationSecurity/Downloads/RMH_VIII_7-1_Incident_Handling_Standard.pdf

21 i. Implementation Specifications. 1. The privacy and security standards and implementation specifications shall be written in plain language and shall be available to all of the Non-Exchange Entity’s Workforce members whose responsibilities entail the creation, collection, maintenance, storage, access, or use of PII. 2. The procedures shall ensure the Non-Exchange Entity’s cooperation with CMS in resolving any Incident or Breach, including (if requested by CMS) the return or destruction of any PII files it received under the Agreement; the provision of a formal response to an allegation of unauthorized PII use, reuse, or disclosure; and/or the submission of a corrective action plan with steps designed to prevent any future unauthorized uses, reuses, or disclosures. 3. The standard operating procedures must be designed and implemented to ensure the Non-Exchange Entity and its Workforce comply with the standards and implementation specifications contained herein, and must be reasonably designed, taking into account the size and the type of activities that relate to PII undertaken by the Non-Exchange Entity, to ensure such compliance. ANNUAL SECURITY AND PRIVACY ATTESTATION (SPA) The Non-Exchange Entity shall complete an annual SPA assessment as described below. The SPA assessment shall include the following: • Documentation of existing security and privacy controls; • Identification of potential security and privacy risks; and • Corrective action plan describing approach and timeline to implement security and privacy controls to mitigate potential security and privacy risks. (1) Assessment Options. The following options are acceptable approaches for completing the SPA assessment: a. The Non-Exchange Entity may contract with a third party with experience conducting information system privacy and security audits to perform the SPA assessment. b. The Non-Exchange Entity may utilize internal information system staff resources to perform the SPA assessment, provided such staff have no direct responsibility for the security or privacy posture of the information system that is the subject of the SPA assessment. c. The Non-Exchange Entity may reference existing audit results that address some or all of the SPA assessment’s requirements. Such existing audit results must have been generated using one of the methods described above in the first two assessment options. In addition, such existing audit results must have been produced within 365 days of completion of the SPA assessment. If existing audit reports do not address all

22 required elements of the SPA assessment, the remaining elements must be addressed utilizing one of the first two assessment options. (2) Assessment Methodology. The SPA assessment methodology described herein is based on the standard CMS methodology used in the assessment of all CMS internal and business partner information systems. The Non-Exchange Entity shall prepare an assessment plan to evaluate any system vulnerabilities. The assessment methods may include examination of documentation, logs, and configurations; interviews of personnel; and/or testing of technical controls. The SPA assessment shall provide an accurate depiction of the security and privacy controls in place, as well as potential security and privacy risks, by identifying the following: a. Application or system vulnerabilities, the associated business and system risks and potential impact; b. Weaknesses in the configuration management process such as weak system configuration settings that may compromise the confidentiality, integrity, and availability of the system; c. Non-Exchange Entity security and privacy policies and procedures; and d. Major documentation omissions and/or discrepancies. (3) Tests and Analysis Performed. The SPA assessment may include tests that analyze applications, systems, and associated infrastructure. The tests may begin with high-level analyses and increase in specificity. Tests and analyses performed during an assessment may include: a. Security control technical testing; b. Adherence to privacy program policies; c. Network and component scanning; d. Configuration assessment; e. Documentation review; f. Personnel interviews; and g. Observations. (4) Noncompliance and Applicability. The Non-Exchange Entity must develop a corrective action plan to mitigate any security and privacy risks if the SPA assessment identifies a deficiency in the Non-Exchange Entity’s security and privacy controls. Alternatively, the Non-Exchange Entity may document why it believes a critical control is not applicable to its system or circumstances. The SPA assessment results do not alter the Agreement between the Non-Exchange Entity and CMS, including any penalties for non-compliance. If the Non- Exchange Entity’s SPA assessment includes findings suggesting significant security or privacy risks, and the Non-Exchange Entity does not commence development and implementation of a corrective action plan to the reasonable satisfaction of CMS, a comprehensive audit may be initiated by CMS, and/or the Agreement between the Non- Exchange Entity and CMS may be terminated for cause. (5) Critical Security and Privacy Controls. The critical controls the Non-Exchange Entity must

24 of the annual SPA assessment. The signatories on the SPA personally attest to its accuracy and authenticity. (8) Submission of SPA to CMS. The SPA must be submitted electronically in a format specified by CMS or by mail to CMS at the address in Section V above by July 1, 2017. (9) CMS Verification of SPA. CMS will review the Non-Exchange Entity’s SPA assessment, and for any critical security or privacy control that the Non-Exchange Entity claimed as not applicable, CMS, in its sole discretion, will determine if the claim is justified. If CMS determines such controls are applicable, CMS may require a supplementary assessment of such controls and an amended SPA submission from the Non-Exchange Entity. If the SPA assessment indicates that the Non-Exchange Entity does not meet any critical control, CMS may require remedial action. A Non-Exchange Entity that does not complete a SPA assessment or any required supplemental assessment or remedial actions may be subject to the Termination with Cause provision (Section IV, b) of this agreement. [REMAINDER OF PAGE INTENTIONALLY LEFT BLANK]

00 XXXXXXXX X DEFINITIONS This Appendix defines terms that are used in the Agreement and other Appendices. Any capitalized term used in the Agreement that is not defined therein or in this Appendix has the meaning provided in 45 CFR 155.20. (1) Affordable Care Act (ACA) means the Patient Protection and Affordable Care Act (Public Law 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law 111-152), which are referred to collectively as the Affordable Care Act. (2) Access means availability of a SORN Record to a Subject Individual. (3) Advance Payments of the Premium Tax Credit (APTC) has the meaning set forth in 45 CFR 155.20. (4) Agent or Broker has the meaning set forth in 45 CFR 155.20. (5) Applicant has the meaning set forth in 45 CFR 155.20. (6) Application Filer has the meaning set forth in 45 CFR 155.20. (7) Authorized Function means a task performed by a Non-Exchange Entity that the Non- Exchange Entity is explicitly authorized or required to perform based on applicable law or regulation, and as enumerated in the Agreement that incorporates this Appendix B. (8) Authorized Representative means a person or organization meeting the requirements set forth in 45 CFR 155.227. (9) Breach is defined by OMB Memorandum M-07-16, Safeguarding and Responding to the Breach of Personally Identifiable Information (May 22, 2007), as the compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, loss of control or any similar term or phrase that refers to situations where persons other than authorized users or for an other than authorized purpose have access or potential access to Personally Identifiable Information (PII), whether physical or electronic. (10) CCIIO means the Center for Consumer Information and Insurance Oversight within the Centers for Medicare & Medicaid Services (CMS). (11) Certified Application Counselor means an organization, staff person, or volunteer meeting the requirements set forth in 45 CFR 155.225. (12) CMS means the Centers for Medicare & Medicaid Services.

26 (13) CMS Companion Guides means a CMS-authored guide, available on the CMS website, which is meant to be used in conjunction with and supplement relevant implementation guides published by the Accredited Standards Committee. (14) CMS Data Services Hub (Hub) is the CMS Federally-managed service to interface data among connecting entities, including HHS, certain other Federal agencies, and State Medicaid agencies. (15) CMS Data Services Hub Web Services (Hub Web Services) means business and technical services made available by CMS to enable the determination of certain eligibility and enrollment or federal financial payment data through the Federally-facilitated Exchange website, including the collection of personal and financial information necessary for Consumer, Applicant, Qualified Individual, Qualified Employer, Qualified Employee, or Enrollee account creations; Qualified Health Plan (QHP) application submissions; and Insurance Affordability Program eligibility determinations. (16) Consumer means a person who, for himself or herself, or on behalf of another individual, seeks information related to eligibility or coverage through a Qualified Health Plan (QHP) or Insurance Affordability Program, or whom an agent or broker (including Web-brokers) registered with the applicable FFE, Navigator, Issuer, Certified Application Counselor, or other entity assists in applying for a QHP, applying for APTCs and CSRs, and/or completing enrollment in a QHP through an FFE for individual market coverage. (17) Cost-sharing Reductions (CSRs) has the meaning set forth in 45 CFR 155.20. (18) Customer Service means assistance regarding Health Insurance Coverage provided to a Consumer, Applicant, or Qualified Individual including but not limited to responding to questions and complaints and providing information about Health Insurance Coverage and enrollment processes in connection with the FFEs. (19) Day or Days means calendar days unless otherwise expressly indicated in the relevant provision of the Agreement that incorporates this Appendix B. (20) Designated Privacy Official means a contact person or office responsible for receiving complaints related to Breaches or Incidents, able to provide further information about matters covered by the notice, responsible for the development and implementation of the privacy and security policies and procedures of the Non-Exchange Entity, and ensuring the Non-Exchange Entity has in place appropriate safeguards to protect the privacy and security of PII. (21) Enrollee has the meaning set forth in 45 CFR 155.20. (22) Enrollment Reconciliation is the process set forth in 45 CFR 155.400(d).

27 (23) Exchange has the meaning set forth in 45 CFR 155.20. (24) Federally-facilitated Exchange (FFE) means an Exchange (or Marketplace) established by HHS and operated by CMS under Section 1321(c)(1) of the ACA for individual or small group market coverage, including the Federally-facilitated Small Business Health Options Program (FF-SHOP). Federally-facilitated Marketplace (FFM) has the same meaning as FFE. (25) Federal Privacy Impact Assessment (PIA) is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks, as defined in OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003). (26) Health Insurance Coverage has the meaning set forth in 45 CFR 155.20. (27) Health Insurance Exchanges Program (XXX) means the System of Records that CMS uses in the administration of the FFE. As a System of Records, the use and disclosure of the SORN Records maintained by the XXX must comply with the Privacy Act of 1974, the implementing regulations at 45 CFR Part 5b, and the “routine uses” that were established for the XXX in the Federal Register at 78 FR 8538 (February 6, 2013), and amended by 78 FR 32256 (May 29, 2013) and 78 FR 63211 (October 23, 2013). (28) HHS means the U.S. Department of Health & Human Services. (29) Health Insurance Portability and Accountability Act (HIPAA) means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104- 191, as amended, and its implementing regulations. (30) Incident, or Security Incident, means the act of violating an explicit or implied security policy, which includes attempts to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent. (31) Information means any communication or representation of knowledge, such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.

28 (32) Insurance Affordability Program means a program that is one of the following: (1) A State Medicaid program under title XIX of the Social Security Act. (2) A State children’s health insurance program (CHIP) under title XXI of the Social Security Act. (3) A State basic health program established under section 1331 of the Affordable Care Act. (4) A program that makes coverage in a Qualified Health Plan through the Exchange with Advance Payments of the Premium Tax Credit established under section 36B of the Internal Revenue Code available to Qualified Individuals. (5) A program that makes available coverage in a Qualified Health Plan through the Exchange with Cost-sharing Reductions established under section 1402 of the Affordable Care Act. (33) Issuer has the meaning set forth in 45 CFR 144.103. (34) Non-Exchange Entity has the meaning at 45 CFR 155.260(b)(1), including, but not limited to QHP issuers, Navigators, Agents, and Brokers. (35) OMB means the Office of Management and Budget. (36) Personally Identifiable Information (PII) has the meaning contained in OMB Memoranda M-07-16 (May 22, 2007) and means information which can be used to distinguish or trace an individual’s identity, such as their name, Social Security Number, biometric records alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth and mother’s maiden name. (37) Qualified Health Plan (QHP) has the meaning set forth in 45 CFR 155.20. (38) Qualified Health Plan (QHP) Issuer has the meaning set forth in 45 CFR 155.20. (39) Qualified Individual has the meaning set forth in 45 CFR 155.20. (40) Responsible Official means an individual or officer responsible for managing a Non- Exchange Entity or Exchange’s records or information systems, or another individual designated as an individual to whom requests can be made, or the designee of either such officer or individual who is listed in a Federal System of Records Notice as the system manager, or another individual listed as an individual to whom requests may be made, or the designee of either such officer or individual. (41) Security Control means a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.

29 (42) State means the State that has licensed the Agent, Broker, or Issuer that is a party to this Agreement and in which the Agent, Broker or Issuer is operating. (43) State-based Exchange on the Federal Platform (SBE-FP) means an Exchange established by a State that receives approval under 45 CFR 155.106(c) to utilize the Federal platform to support select eligibility and enrollment functions. (44) State Partnership Exchange means a type of FFE in which a State assumes responsibility for carrying out certain activities related to plan management, consumer assistance, or both. (45) Subject Individual means that individual to whom a SORN Record pertains. (46) System of Records means a group of Records under the control of any Federal agency from which information is retrieved by name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (47) System of Records Notice (SORN) means a notice published in the Federal Register notifying the public of a System of Records maintained by a Federal agency. The notice describes privacy considerations that have been addressed in implementing the system. (48) System of Record Notice (SORN) Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including but not limited to that individual’s education, financial transactions, medical history, and criminal or employment history and that contains that individual’s name, or an identifying number, symbol, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph, that is part of a System of Records. (49) Web-broker means an agent or broker who uses a non-Federally-facilitated Exchange Internet website to assist Consumers, Applicants, Qualified Individuals, and Enrollees in the QHP selection and enrollment process as described in 45 CFR 155.220(c). (50) Web-Based Entity means a Non-Exchange Entity that performs direct enrollment under this agreement. (51) Workforce means a Non-Exchange Entity’s or FFE’s employees, agents, contractors, subcontractors, officers, directors, agents, representatives, and any other individual who may create, collect, disclose, access, maintain, store, or use PII in the performance of his or her duties.

30 APPENDIX C STANDARDS FOR COMMUNICATION WITH THE HUB (1) Web-based Entity (“WBE”) must complete testing for each Hub-related transaction it will implement, and shall not be allowed to exchange data with CMS in production mode until testing is satisfactorily passed, as determined by CMS in its sole discretion. Successful testing generally means the ability to pass all applicable HIPAA compliance standards, or other CMS-approved standards, and to process electronic data and information transmitted by WBE to the Hub. The capability to submit these test transactions will be maintained by WBE throughout the term of this Agreement. (2) Transactions must be formatted in accordance with the Accredited Standards Committee Implementation Guides adopted under HIPAA, available at xxxx://xxxxx.x00.xxx/xxxxx/, as applicable and appropriate for the type of transaction. CMS will make available Companion Guides for the transactions, which specify necessary situational data elements. (3) WBE agrees to abide by the applicable policies affecting electronic data interchange submissions and submitters as published in any of the guidance documents related to the CMS FFE or Hub, as well as applicable standards in the appropriate CMS Manual(s) or CMS Companion Guide(s), as published on the CMS website. These materials can be found at xxxx://xxx.xxx.xxx/XXXXX/Xxxxxxxxx/Xxxxxxxxxxx-xxx- Guidance/Downloads/companion-guide-for-ffe-enrollment-transaction-v15.pdf and xxxx://xxx.xxx.xxx/xxxxx/xxxxxxxxx/xxxxxxxxxxx-xxx-xxxxxxxx/xxxxx.xxxx. (4) WBE agrees to submit test transactions to the Hub prior to the submission of any transactions to the FFE production system and to determine that the transactions and responses comply with all requirements and specifications approved by the CMS and/or the CMS contractor.2 (5) WBE agrees that prior to the submission of any additional transaction types to the FFE production system, or as a result of making changes to an existing transaction type or system, it will submit test transactions to the Hub in accordance with paragraph (1) above. (6) If WBE enters into relationships with other affiliated entities, or their authorized designees for submitting and receiving FFE data, it must execute contracts with such entities stipulating that that such entities and any of its subcontractors or affiliates must utilize software tested and approved by WBE as being in the 2 While CMS owns data in the FFE, contractors operate the FFE system in which the enrollment and financial management data flow. Contractors provide the pipeline network for the transmission of electronic data, including the transport of Exchange data to and from the Hub and WBE so that WBE may discern the activity related to enrollment functions of persons they serve. WBE may also use the transported data to receive descriptions of financial transactions from CMS.

31 proper format and compatible with the FFE system. Entities that enter into contract with WBE and access PII are required to maintain the same or more stringent security and privacy controls as WBE. (7) WBE agrees that CMS may require successful completion of an Operational Readiness Review to the satisfaction of CMS, which may occur before WBE is able to submit any transactions to the FFE production system or at any time during the term of this Agreement. The Operational Readiness Review will assess WBE’s compliance with CMS’ regulatory and contractual requirements, to include the critical privacy and security controls. This Agreement may be terminated or access to CMS systems may be denied for a failure to comply with Operational Readiness Review or if, at the sole discretion of CMS, the results are unsatisfactory. WBE must attest that its systems are in compliance with applicable critical privacy and security controls under Section II.b.3 of the Agreement as a condition of executing this agreement. [REMAINDER OF PAGE INTENTIONALLY LEFT BLANK]

32 APPENDIX D Annual Security and Privacy Attestation Report – Web-Based Entity Self-Attestation for Year: (e.g. January 2017 – December 2017) Date Completed: Attestation Identification Web-Based Entity System Name Business Owner Security Officer Privacy Officer Critical Control Met Not Met N/A Date (Day/Month/Year) 1. Email/Web Browser Protections: Including but not limited to assurance that transfer protocols are secure and limits the threat of communications being intercepted. 2. Malware Protection: Including but not limited to protections against known threat vectors within the system’s environment to mitigate damage/security breaches. 3. Patch Management: Including but not limited to ensuring every client and server is up to date with the latest security patches throughout the environment. 4. Vulnerability Management: Including but not limited to identifying, classifying, remediating, and mitigating vulnerabilities on a continual basis by conducting periodic vulnerability scans to identify weaknesses within an environment. 5. Inventory of Software/Hardware: Including but not limited to maintaining an Inventory of hardware/software within the environment helps to identify vulnerable aspects left open to threat vectors without performing vulnerability scans and to have specific knowledge of what is within the system’s environment. 6. Account Management: Including but not limited to the determination of who/what has access to the system’s environment and data

33 Critical Control Met Not Met N/A Date (Day/Month/Year) and also maintain access controls to the system. 7. Configuration Management: Including but not limited to defining the baseline configurations of the servers and endpoints of a system to mitigate threat factors that can be utilized to gain access to the system/data. 8. Incident Response: Including but not limited to the ability to detect security events, investigate, and mitigate or limit the effects of those events. 9. Governance and Privacy Compliance Program: Including but not limited to appointing a responsible official to develop and implement operational privacy compliance policies for information systems and databases. 10. Privacy Impact/Risk Assessment: Including but not limited to appointing a responsible official to develop and implement a formal policy and procedures to assess the organizations risk posture. 11. Awareness and Training Program: Including but not limited to appointing a responsible official to develop and implement security and privacy education awareness program for all staff members and contractors. 12. Data Retention and Destruction: Including but not limited to developing formal policy and procedures for data retention and destruction of PII. Explanation for any critical control not met or not applicable (use additional pages if necessary):

34 Self- Attestation for Year: (e.g., January 2017 – December 2017) Date Completed: System Security Officer Signature Date Privacy Officer Signature Date Business Owner Signature Date

Document Metadata

Table of Contents

Free Standard Templates

Contract

Document Metadata

Free Standard Templates

Contract

Document Metadata

Related content