AGREEMENT BETWEEN WEB-BROKER ENTITY AND THE CENTERS FOR MEDICARE AND MEDICAID SERVICES FOR THE FEDERALLY-FACILITATED EXCHANGE INDIVIDUAL MARKET

Exhibit 99.1

AGREEMENT BETWEEN WEB-BROKER ENTITY AND

THE CENTERS FOR MEDICARE AND MEDICAID SERVICES FOR THE

FEDERALLY-FACILITATED EXCHANGE INDIVIDUAL MARKET

THIS WEB-BROKER AGREEMENT (“Agreement”) is entered into by and between THE CENTERS FOR MEDICARE & MEDICAID SERVICES (“CMS”), as the Party (as defined below) responsible for the management and oversight of the Federally-facilitated Exchange (“FFE”), including the CMS Data Services Hub (“Hub”), and eHealthInsurance Services, Inc., (hereinafter referred to as Web-broker Entity, or “WBE”), an Agent or Broker that uses a non-FFE Internet web site to, among other things, assist Consumers, Applicants, Qualified Individuals and Enrollees in applying for Advance Payments of the Premium Tax Credits (“APTCs”) and Cost-sharing Reductions (“CSRs”) for Qualified Health Plans (“QHPs”), and/or in completing enrollment in QHPs offered in the individual market through the FFE, and provides Customer Service (CMS and WBE hereinafter referred to as the “Party,” or collectively, as the “Parties”).

WHEREAS:

1. Section 1312(e) of the Affordable Care Act (“ACA”) provides that the Secretary of the U.S. Department of Health and Human Services (“HHS”) shall establish procedures that permit Agents and Brokers to enroll Qualified Individuals in QHPs through an Exchange, and to assist individuals in applying for Advance Payments of the Premium Tax Credit (“APTCs”) and Cost-sharing Reductions (“CSRs”), to the extent allowed by States. To participate in an FFE, Agents and Brokers must complete all necessary registration and training requirements under 45 CFR 155.220.

2. To facilitate the eligibility determination and enrollment processes, CMS will provide centralized and standardized business and technical services (“Hub Web Services”) through an application programming interface to WBE that will enable WBE to establish a secure connection with the Hub. The application programming interface will enable the secure transmission of key eligibility and enrollment information between CMS and WBE.

3. To facilitate the operation of the FFE, CMS desires to: (a) disclose PII which is held in the Health Insurance Exchanges Program (“XXX”) to WBE; (b) provide WBE with access to the Hub Web Services; and (c) permit WBE to create, collect, disclose, access, maintain, store, and use PII from CMS, Consumers, Applicants, Qualified Individuals and Enrollees, or these individuals’ legal representative or Authorized Representative, to the extent that these activities are necessary to carry out the functions that the ACA and implementing regulations permit WBE to carry out.

4. WBE is an entity licensed as an Agent or Broker and desires to gain access to the Hub Web Services, and to create, collect, disclose, access, maintain, store, and use PII from CMS, Consumers, Applicants, Qualified Individuals and Enrollees to perform the Authorized Functions described in Sections II.a of this Agreement.

1

5. 45 CFR 155.260(b) provides that an Exchange must require the same or more stringent privacy and security standards as are established and implemented for the Exchange under 45 CFR 155.260(a), as a condition of contract or agreement with Non-Exchange Entities, and WBE is a Non-Exchange Entity.

6. CMS, in the administration of the FFEs and the Hub, has adopted privacy and security standards concerning PII, as set forth in Appendix A, “Privacy and Security Standards and Implementation Specifications for Non-Exchange Entities.”

Now, therefore, in consideration of the promises and covenants herein contained, the adequacy of which the Parties acknowledge, the Parties agree as follows:

I. Definitions.

Capitalized terms not otherwise specifically defined herein shall have the meaning set forth in the attached Appendix B, “Definitions”, and/or in 45 CFR 155.20, which definitions are hereby incorporated by reference.

II. Acceptance of Standard Rules of Conduct.

WBE hereby acknowledges and agrees to accept and abide by the standard rules of conduct set forth below and in Appendix A, “Privacy and Security Standards and Implementation Specifications for Non-Exchange Entities,” and Appendix C, “Standards for Communication with the Hub,” which are incorporated by reference in this Agreement, while and as engaging in any activity as WBE for purposes of the ACA. WBE shall be bound to strictly adhere to the privacy and security standards, and to ensure that its employees, officers, directors, contractors, subcontractors, agents, and representatives strictly adhere to the same, to gain and maintain access to the Hub Web Services, and to create, collect, disclose, access, maintain, store, and use PII for the efficient operation of the FFE.

a. Authorized Functions. WBE may create, collect, disclose, access, maintain, store, and use PII for:

1. Assisting with applications for QHP eligibility;

2. Supporting QHP selection and enrollment by assisting with plan selection and plan comparisons;

3. Assisting with applications for the receipt of APTCs or CSRs, and selecting an APTC amount;

4. Facilitating the collection of standardized attestations acknowledging the receipt of the APTC or CSR determination, if applicable;

2

5. Assisting with the application for and determination of certificates of exemption;

6. Assisting with filing appeals of eligibility determinations in connection with the FFE;

7. Transmitting information about the Consumer’s, Applicant’s, Qualified Individual’s, or Enrollee’s decisions regarding QHP enrollment and/or CSR and APTC information to the FFE;

8. Facilitating payment of the initial premium amount to appropriate QHP;

9. Facilitating an Enrollee’s ability to disenroll from a QHP;

10. Educating Consumers, Applicants, or Enrollees on insurance affordability programs, and if applicable, informing such individuals of eligibility for Medicaid or Children’s Health Insurance Program (CHIP);

11. Assisting an Enrollee’s ability to report changes in eligibility status to the FFE throughout the coverage year, including changes that may impact eligibility (e.g., adding a dependent);

12. Correcting errors in the application for QHP enrollment;

13. Informing or reminding Enrollees when QHP coverage should be renewed, when Enrollees may no longer be eligible to maintain their current QHP coverage because of age, or to inform Enrollees of QHP coverage options at renewal;

14. Providing appropriate information, materials, and programs to Consumers, Applicants, Qualified Individuals, and Enrollees, to inform and educate them about the use and management of their health information, and services and options offered through the selected QHP or among the available QHP options;

15. Contacting Consumers, Applicants, Qualified Individuals, and Enrollees to assess their satisfaction or resolve complaints with services provided by WBE in connection with the FFE, WBE or QHPs;

16. Providing assistance in communicating with QHP Issuers;

17. Carrying out the legal responsibilities related to the efficient functions of QHP Issuers in the FFE, as permitted or required by WBE’s contractual relationships with QHP Issuers; and

18. Other functions substantially similar to those enumerated above and such other functions that may be approved by CMS in writing from time to time.

3

b. PII Received. Subject to the terms and conditions of this Agreement and applicable laws, in performing the tasks contemplated under this Agreement, WBE may create, collect, disclose, access, maintain, store, and use the following data and PII from Consumers, Applicants, Qualified Individual, or Enrollees:

APTC percentage and amount applied

Auto disenrollment information

Applicant Name

Applicant Address

Applicant Birthdate

Applicant Telephone number

Applicant Email

Applicant Social Security Number

Applicant spoken and written language preference

Applicant Medicaid Eligibility indicator, start and end dates

Applicant Children’s Health Insurance Program eligibility indicator, start and end dates

Applicant QHP eligibility indicator, start and end dates

Applicant APTC percentage and amount applied eligibility indicator, start and end dates

Applicant household income

Applicant Maximum APTC amount

Applicant CSR eligibility indicator, start and end dates

Applicant CSR level

Applicant QHP eligibility status change

Applicant APTC eligibility status change

Applicant CSR eligibility status change

Applicant Initial or Annual Open Enrollment Indicator, start and end dates

Applicant Special Enrollment Period eligibility indicator and reason code

Contact Name

Contact Address

Contact Birthdate

Contact Telephone number

Contact Email

Contact spoken and written language preference

Enrollment group history (past six months)

Enrollment type period

FFE Applicant ID

FFE Member ID

Issuer Member ID

Net premium amount

Premium Amount, start and end dates

Credit or Debit Card Number, Name on Card

Checking account and routing number

Special enrollment period reason

Subscriber Indicator and relationship to subscriber

Tobacco use indicator and last date of tobacco use

Custodial parent

Health coverage

American Indian/Alaska Native status and name of tribe

Marital status

4

Race/ethnicity

Requesting financial assistance

Responsible person

Applicant/Employee/dependent sex name

Student status

Subscriber indicator and relationship to subscriber

Total individual responsibility amount

c. Collection of PII. PII collected from Consumers, Applicants, Qualified Individuals, Enrollees, or their legal representative or Authorized Representative, in the context of completing an application for QHP, APTC or CSR eligibility, or any data transmitted from or through the Hub, may be used only for Authorized Functions specified in Section II.a of this Agreement. Such information may not be reused for any other purpose.

d. Collection and Use of Information Provided Under Other Authorities. This Agreement does not preclude WBE from separately collecting information from Consumers, Applicants, Qualified Individuals, or Enrollees, or their legal representative or Authorized Representative, for a non-FFE/ non-Hub purpose, and using, reusing, and disclosing the non-FFE/non-Hub information obtained separately as permitted by applicable law and/or other applicable authorities. Such information must be separately collected and stored from any PII collected in accordance with Section II.c of this Agreement.

e. Ability of Individuals to Limit Collection and Use. WBE agrees to allow the Consumer, Applicant, Qualified Individual or Enrollee to limit WBE’s creation, collection, disclosure, access, maintenance, storage, and use of their PII to the sole purpose of obtaining WBE’s assistance in applying for QHP, APTC or CSR eligibility, and for performing Authorized Functions specified in Section II.a of this Agreement.

III. Effective Date and Term; Renewal

a. Effective Date and Term. This Agreement becomes effective on the date the last of the two Parties executes this Agreement and ends September 30, 2014.

b. Renewal. This Agreement may be renewed in the sole and absolute discretion of CMS for subsequent and consecutive one (1) year periods upon thirty (30) Days’ advance written notice to WBE.

IV. Termination.

a. Termination without Cause. Either Party may terminate this Agreement without cause and for its convenience upon thirty (30)-Days’ prior written notice to the other Party. This Agreement shall automatically terminate at the end of its term or in connection with the rejection of an amendment as provided for in Section V.i of this Agreement.

5

b. Termination with Cause. CMS may terminate this Agreement for cause upon thirty (30)-Days’ written notice to WBE if WBE materially breaches any term of this Agreement as determined at the sole but reasonable discretion of CMS, unless WBE commences curing such breach(es) within such 30-Day period to the reasonable satisfaction of CMS in the manner hereafter described in this subsection, and thereafter diligently prosecutes such cure to completion. The 30-Day notice from CMS shall contain a description of the material breach, whereupon WBE shall have seven (7) Days from the date of the notice in which to propose a plan and a time frame to cure the material breach, which plan and time frame may be rejected, approved or amended in CMS’s sole but reasonable discretion. Notwithstanding the foregoing, WBE shall be considered in “Habitual Default” of this Agreement in the event that it has been served with a 30-Day notice under this subsection more than three (3) times in any calendar year, whereupon CMS may, in its sole discretion, immediately thereafter terminate this Agreement upon notice to WBE without any further opportunity to cure or propose cure.

c. Destruction of PII. WBE covenants and agrees to destroy all PII in its possession at the end of the record retention period required under Appendix A. If, upon the termination or expiration of this Agreement, WBE has in its possession PII for which no retention period is specified in Appendix A, such PII shall be destroyed within 30 Days of the termination or expiration of this Agreement. The WBE’s duty to protect and maintain the privacy and security of PII, as provided for in Appendix A of this Agreement, shall continue in full force and effect until such PII is destroyed and shall survive the termination or expiration of this Agreement. WBE acknowledges that the termination or expiration of this Agreement may result in the de-registration of WBE from FFE.

V. Miscellaneous.

a. Notice. All notices specifically required under this Agreement shall be given in writing and shall be delivered as follows:

If to CMS:

Centers for Medicare & Medicaid Services (CMS)

Center for Consumer Information & Insurance Oversight (CCIIO)

Attn: Office of the Director

Room 739H

000 Xxxxxxxxxxxx Xxxxxx, XX

Xxxxxxxxxx, XX 00000

If to WBE, to WBE’s address on record.

6

Notices sent by hand or overnight courier service, or mailed by certified or registered mail, shall be deemed to have been given when received; notices sent by facsimile shall be deemed to have been given when the appropriate confirmation of receipt has been received; provided, that notices not given on a business day (i.e., Monday—Friday excluding Federal holidays) between 9:00 a.m. and 5:00 p.m. local time where the recipient is located shall be deemed to have been given at 9:00 a.m. on the next business day for the recipient. A Party to this Agreement may change its contact information for notices and other communications by providing 30 Days’ written notice of such change in accordance with this provision.

b. Assignment and Subcontracting. WBE shall not assign this Agreement in whole or in part, whether by merger, acquisition, consolidation, reorganization or otherwise, nor subcontract any portion of the services to be provided by WBE under this Agreement, nor otherwise delegate any of its obligations under this Agreement, without the express, prior written consent of CMS, which consent may be withheld, conditioned, granted or denied in CMS’s sole and absolute discretion. WBE further shall not assign this Agreement or any of its rights or obligations hereunder without the prior written consent of the State. If WBE attempts to make an assignment, subcontract its service obligations or otherwise delegate its obligations hereunder in violation of this provision, such assignment, subcontract or delegation shall be deemed void ab initio and of no force or effect, and WBE shall remain legally bound hereto and responsible for all obligations under this Agreement. WBE shall further be thereafter subject to such compliance actions as may otherwise be provided for under applicable law.

c. Survival. WBE’s duty to protect and maintain the privacy and security of PII under this Agreement shall survive the expiration or earlier termination of this Agreement.

d. Severability. The invalidity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement. In the event that any provision of this Agreement is determined to be invalid, unenforceable or otherwise illegal, such provision shall be deemed restated, in accordance with applicable law, to reflect as nearly as possible the original intention of the parties, and the remainder of the Agreement shall be in full force and effect.

e. Disclaimer of Joint Venture. Neither this Agreement nor the activities of WBE contemplated by and under this Agreement shall be deemed or construed to create in any way any partnership, joint venture or agency relationship between CMS and WBE. Neither Party is, nor shall either Party hold itself out to be, vested with any power or right to bind the other Party contractually or to act on behalf of the other Party, except to the extent expressly set forth in ACA and the regulations codified thereunder, including as codified at 45 CFR part 155.

f. Remedies Cumulative. No remedy herein conferred upon or reserved to CMS under this Agreement is intended to be exclusive of any other remedy or remedies available to CMS under operative law and regulation, and each and every such remedy, to the extent permitted by law, shall be cumulative and in addition to any other remedy now or hereafter existing at law or in equity or otherwise.

7

g. Compliance with Law. WBE covenants and agrees to comply with any and all applicable laws, statutes, regulations or ordinances of the United States of America, and any Federal Government agency, board or court, that are applicable to the conduct of the activities that are the subject of this Agreement, including but not necessarily limited to, any additional and applicable standards required by statute, and any regulations or policies implementing or interpreting such statutory provisions hereafter issued by CMS. In the event of a conflict between the terms of this Agreement and, any statutory, regulatory, or sub-regulatory guidance released by CMS, the requirement which constitutes the stricter, higher or more stringent level of compliance shall control.

h. Governing Law. This Agreement will be governed by the laws and common law of the United States of America, including without limitation such regulations as may be promulgated from time to time by the HHS or any of its constituent agencies, without regard to any conflict of laws statutes or rules. WBE further agrees and consents to the jurisdiction of the Federal Courts located within the District of Columbia and the courts of appeal therefrom, and waives any claim of lack of jurisdiction or forum non conveniens.

i. Amendment. CMS may amend this Agreement for purposes of reflecting changes in applicable law or regulations, with such amendments taking effect upon thirty (30)- Days’ written notice to WBE (“CMS notice period”). Any amendments made under this provision will only have prospective effect and will not be applied retrospectively. WBE may reject such amendment, by providing to CMS, during the CMS notice period, thirty (30)-Days’ written notice of its intent to reject the amendment (“rejection notice period”). Any such rejection of an amendment made by CMS shall result in the termination of this Agreement upon expiration of the rejection notice period.

j. Audit. WBE agrees that CMS, the Comptroller General, the Office of the Inspector General of HHS or their designees have the right to audit, inspect, evaluate, examine, and make excerpts, transcripts, and copies of any books, records, documents, and other evidence of WBE’s compliance with the requirements of this Agreement, upon reasonable notice to WBE and during WBE’s regular business hours and at WBE’s regular business location. WBE further agrees to allow reasonable access to the information and facilities requested by CMS, the Comptroller General, the Office of the Inspector General of HHS or their designees for the purpose of such an audit.

[REMAINDER OF PAGE INTENTIONALLY LEFT BLANK]

8

This “Agreement between WBE and the Centers for Medicare & Medicaid Services for the Federally-facilitated Exchange Individual Market” has been signed and executed by:

FOR WBE

The undersigned is an authorized official of WBE who is authorized to represent and bind WBE for purposes of this Agreement.

/s/ Xxxx Xxxxx				July 26, 2013
Signature of Authorized Official of WBE				Date
Xxxx Xxxxx, Chief Executive Officer
Printed Name and Title of Authorized Official of WBE
eHealthInsurance Services, Inc.
WBE Name
WBE Address
WBE Contact Number

9

FOR CMS

The undersigned are officials of CMS who are authorized to represent CMS for purposes of this Agreement.

/s/ Xxxxx Xxxx				7-26-13
Xxxxx Xxxx				Date
Acting Deputy Director, Operations
Center for Consumer Information & Insurance Oversight
Centers for Medicare & Medicaid Services
/s/ Xxxx Xxxxxxx				7/29/13
Xxxx Xxxxxxx				Date
Director and CMS Chief Information Officer
Office of Information Services
Centers for Medicare & Medicaid Services
/s/ Xxxxxx Xxxxxxxxx				7/29/13
Xxxxxx Xxxxxxxxx				Date
Director
Office of E-Health Standards and Services
Centers for Medicare & Medicaid Services

10

APPENDIX A

PRIVACY AND SECURITY STANDARDS

AND

IMPLEMENTATION SPECIFICATIONS FOR NON-EXCHANGE ENTITIES

Statement of Applicability:

These standards and implementation specifications are established in accordance with Section 1411(g) of the Affordable Care Act (42 U.S.C. § 18081(g)) and 45 CFR 155.260. All terms used herein carry the meanings assigned in Appendix B, “Definitions,” and/or in 45 CFR 155.20, which definitions hereby incorporated by reference

The standards and implementation specifications that are set forth in this Appendix A and Version 1.0 of the MARS-E suite of documents (which can be found at xxxx://xxx.xxx.xxx/XXXXX/Xxxxxxxxx/Xxxxxxxxxxx-xxx-Xxxxxxxx/) are the same as, or more stringent than, the privacy and security standards and implementation specifications that we have established for the Federally-Facilitated Exchanges (“FFEs”) established under Section 1321(c) of the Affordable Care Act (42 U.S.C. § 18041(c)).

The FFEs will enter into contractual agreements with all Non-Exchange Entities that gain access to Personally Identifiable Information (“PII”) exchanged with the FFEs, or directly from Consumers, Applicants, Qualified Individuals, Enrollees, Qualified Employees, and Qualified Employers, or these individuals’ legal representatives or Authorized Representatives. That agreement and its appendices, including this Appendix A, govern any PII that is created, collected, disclosed, accessed, maintained, stored, or used by Non-Exchange Entities in the context of the FFE. In signing that contractual agreement, in which this Appendix A has been incorporated, Non-Exchange Entities agree to comply with the standards and implementation specifications laid out in this document and the referenced MARS-E suite of documents while performing the Authorized Functions outlined in their respective agreements.

11

NON-EXCHANGE ENTITY PRIVACY AND SECURITY STANDARDS AND IMPLEMENTATION SPECIFICATIONS

In addition to the standards and implementation specifications set forth in the MARS-E suite of documents noted above, Non-Exchange Entities must meet the following privacy and security standards and implementation specifications to the extent they are not inconsistent with any applicable MARS-E standards.

(1) Individual Access to PII: In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities that maintain and/or store PII must provide Consumers, Applicants, Qualified Individuals, Enrollees, Qualified Employees, and Qualified Employers, or these individuals’ legal representatives and Authorized Representatives, with a simple and timely means of appropriately accessing PII pertaining to them and/or the person they represent in a physical or electronic readable form and format.

a. Standard: Non-Exchange Entities that maintain and/or store PII must implement policies and procedures that provide access to PII upon request.

i. Implementation Specifications:

1. Access rights must apply to any PII that is created, collected, disclosed, accessed, maintained, stored, and used by the Non-Exchange Entity to perform any of the Authorized Functions outlined in their respective agreements with the FFE.

2. The release of electronic documents containing PII through any electronic means of communication (e.g., e-mail, web portal) must meet the verification requirements for the release of “written documents” in Section (5)b below.

3. Persons legally authorized to act on behalf of the Consumers, Applicants, Qualified Individuals, Enrollees, Qualified Employees, and Qualified Employers regarding their PII, including individuals acting under an appropriate power of attorney that complies with applicable state and federal law, must be granted access in accordance with their legal authority. Such access would generally be expected to be coextensive with the degree of access available to the Subject Individual.

4. At the time the request is made, the Consumer, Applicant, Qualified Individual, Enrollee, or these individuals’ legal representatives or Authorized Representatives should generally be required to specify which PII he or she would like access to. The Non-Exchange Entity may assist them in determining their Information or data needs if such assistance is requested.

12

5. Subject to paragraphs (1)a.i.6 and 7 below, Non-Exchange Entities generally must provide access to the PII in the form or format requested, if it is readily producible in such form or format.

6. The Non-Exchange Entity may charge a fee only to recoup their costs for labor for copying the PII, supplies for creating a paper copy or a copy on electronic media, postage if the PII is mailed, or any costs for preparing an explanation or summary of the PII if the recipients has requested and/or agreed to receive such summary. If such fees are paid, the Non-Exchange Entity must provide the requested copies in accordance with any other applicable standards and implementation specifications.

7. A Non-Exchange Entity that receives a request for notification of, or access to PII must verify the requestor’s identity in accordance with Section (5)b below.

8. A Non-Exchange Entity must complete its review of a request for access or notification (and grant or deny said notification and/or access) within 30 days of receipt of the notification and/or access request.

9. Except as otherwise provided in (1)a.i.10, if the requested PII cannot be produced, the Non-Exchange Entity must provide an explanation for its denial of the notification or access request, and, if applicable, information regarding the availability of any appeal procedures, including the appropriate appeal authority’s name, title, and contact information.

10. Unreviewable grounds for denial. Non-Exchange Entities may deny access to PII that they maintain or store without providing an opportunity for review, in the following circumstances:

a. If the PII was obtained or created solely for use in legal proceedings;

b. If the PII is contained in records that are subject to a law that either permits withholding the PII or bars the release of such PII.

(2) Openness and Transparency. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities must ensure openness and transparency about policies, procedures, and technologies that directly affect Consumers, Applicants, Qualified Individuals, Enrollees, Qualified Employers, and Qualified Employees, and their PII.

a. Standard: Privacy Notice Statement. Prior to collecting PII, the Non-Exchange Entity must provide a notice that is prominently and conspicuously displayed on a public facing Web site, if applicable, or on the electronic and/or paper form the Non-Exchange Entity will use to gather and/or request PII.

13

i. Implementation Specifications.

1. The statement must be written in plain language and provided in a manner that is accessible and timely to people living with disabilities and with limited English proficiency.

2. The statement must contain at a minimum the following information:

a. Legal authority to collect PII;

b. Purpose of the information collection;

c. To whom PII might be disclosed, and for what purposes;

d. Authorized uses and disclosures of any collected information;

e. Whether the request to collect PII is voluntary or mandatory under the applicable law;

f. Effects of non-disclosure if an individual chooses not to provide the requested information.

3. The Non-Exchange Entity shall maintain its Privacy Notice Statement content by reviewing and revising as necessary on an annual basis, at a minimum, and before or as soon as possible after any change to its privacy policies and procedures.

4. If the Non-Exchange Entity operates a Web site, it shall ensure that descriptions of its privacy and security practices, and information on how to file complaints with CMS and the Non-Exchange Entity, are publicly available through its Web site.

(3) Individual choice. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities should ensure that Consumers, Applicants, Qualified Individuals, Enrollees, Qualified Employees, and Qualified Employers, or these individuals’ legal representatives or Authorized Representatives, are provided a reasonable opportunity and capability to make informed decisions about the creation, collection, disclosure, access, maintenance, storage, and use of their PII.

a. Standard: Informed Consent. The Non-Exchange Entity may create, collect, disclose, access, maintain, store, and use PII from Consumers, Applicants, Qualified Individuals, Enrollees, or these individuals’ legal representatives or Authorized Representatives, only for the functions and purposes listed in the Privacy Notice Statement and any relevant agreements in effect as of the time the information is collected, unless the FFE or Non-Exchange Entity obtains informed consent from such individuals.

14

i. Implementation specifications:

1. The Non-Exchange Entity must obtain informed consent from individuals for any use or disclosure of information that is not permissible within the scope of the Privacy Notice Statement and any relevant agreements that were in effect as of the time the PII was collected. Such consent must be subject to a right of revocation.

2. Any such consent that serves as the basis of a use or disclosure must:

a. Be provided in specific terms and in plain language;

b. Identify the entity collecting or using the PII, and/or making the disclosure;

c. Identify the specific collections, use(s), and disclosure(s) of specified PII with respect to a specific recipient(s);

d. Provide notice of an individual’s ability to revoke the consent at any time.

3. Consent documents must be appropriately secured and retained for 10 years.

(4) Creation, collection, disclosure, access, maintenance, storage, and use limitations. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities must ensure that PII is only created, collected, disclosed, accessed, maintained, stored, and used, to the extent necessary to accomplish a specified purpose(s) in the contractual agreement and any appendices. Such information shall never be used to discriminate against a Consumer, Applicant, Qualified Individual, Enrollee, Qualified Employee, or Qualified Employer.

a. Standard: Other than in accordance with the consent procedures outlined above, the Non-Exchange Entity shall only create, collect, disclose, access, maintain, store, and use PII:

1. To the extent necessary to ensure the efficient operation of the Exchange;

2. In accordance with its published Privacy Notice Statement and any applicable agreements that were in effect at the time the PII was collected, including the consent procedures outlined above in Section (3) above; and/or

3. In accordance with the permissible functions outlined in the regulations and agreements between CMS and the Non-Exchange Entity.

15

b. Standard: Non-discrimination. The Non-Exchange Entity should, to the greatest extent practicable, collect PII directly from the Consumer, Applicant, Qualified Individual, Enrollee, Qualified Employee, or Qualified Employer, when the information may result in adverse determinations about benefits.

c. Standard: Prohibited uses and disclosures of PII

i. Implementation Specifications:

1. The Non-Exchange Entity shall not request Information regarding citizenship, status as a national, or immigration status for an individual who is not seeking coverage for himself or herself on any application.

2. The Non-Exchange Entity shall not require an individual who is not seeking coverage for himself or herself to provide a social security number (SSN), except if an Applicant’s eligibility is reliant on a tax filer’s tax return and their SSN is relevant to verification of household income and family size.

3. The Non-Exchange Entity shall not use PII to discriminate, including employing marketing practices or benefit designs that will have the effect of discouraging the enrollment of individuals with significant health needs in QHPs.

(5) Data quality and integrity. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities should take reasonable steps to ensure that PII is complete, accurate, and up-to-date to the extent such data is necessary for the Non-Exchange Entity’s intended use of such data, and that such data has not been altered or destroyed in an unauthorized manner, thereby ensuring the confidentiality, integrity, and availability of PII.

a. Standard: Right to Amend, Correct, Substitute, or Delete PII. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities must offer Consumers, Applicants, Qualified Individuals, Enrollees, Qualified Employees, and Qualified Employers, or these individuals’ legal representatives or Authorized Representatives, an opportunity to request amendment, correction, substitution, or deletion of PII maintained and/or stored by the Non-Exchange Entity if such individual believes that the PII is not accurate, timely, complete, relevant, or necessary to accomplish an Exchange-related function, except where the Information questioned originated from other sources, in which case the individual should contact the originating source.

16

i. Implementation Specifications:

1. Such individuals shall be provided with instructions as to how they should address their requests to the Non-Exchange Entity’s Responsible Official, in writing or telephonically. They may also be offered an opportunity to meet with such individual or their delegate(s) in person.

2. Such individuals shall be instructed to specify the following in each request:

a. The PII they wish to correct, amend, substitute or delete;

b. The reasons for requesting such correction, amendment, substitution, or deletion, along with any supporting justification or evidence.

3. Such requests must be granted or denied within no more than 10 working days of receipt.

4. If the Responsible Official (or their delegate) reviews these materials and ultimately agrees that the identified PII is not accurate, timely, complete, relevant or necessary to accomplish the function for which the PII was obtained/provided, the PII should be corrected, amended, substituted, or deleted in accordance with applicable law.

5. If the Responsible Official (or their delegate) reviews these materials and ultimately does not agree that the PII should be corrected, amended, substituted, or deleted, the requestor shall be informed in writing of the denial, and, if applicable, the availability of any appeal procedures. If available, the notification must identify the appropriate appeal authority including that authority’s name, title, and contact information.

b. Standard: Verification of Identity for Requests to Amend, Correct, Substitute or Delete PII. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities that maintain and/or store PII must develop and implement policies and procedures to verify the identity of any person who requests access to; notification of; or amendment, correction, substitution, or deletion of PII that is maintained by or for the Non-Exchange Entity. This includes confirmation of an individuals’ legal or personal authority to access; receive notification of; or seek amendment, correction, substitution, or deletion of a Consumer’s, Applicant’s, Qualified Individuals’, Enrollee’s, Qualified Employee’s, or Qualified Employer’s PII.

i. Implementation Specifications:

1. The requester must submit through mail, via an electronic upload process, or in-person to the Non-Exchange Entity’s Responsible

17

Official, a copy of one of the following government-issued identification: a driver’s license, school identification card, voter registration card, U.S. military card or draft record, identification card issued by the federal, state or local government, including a U.S. passport, military dependent’s identification card, Native American tribal document, or U.S. Coast Guard Merchant Mariner card.

2. If such requester cannot provide a copy of one of these documents, he or she can submit two of the following documents that corroborate one another: a birth certificate, Social Security card, marriage certificate, divorce decree, employer identification card, high school or college diploma, and/or property deed or title.

c. Standard: Accounting for Disclosures. Except for those disclosures made to the Non-Exchange Entity’s Workforce who have a need for the record in the performance of their duties; and the disclosures that are necessary to carry out the required functions of the Non-Exchange Entity, Non-Exchange Entities that maintain and/or store PII shall maintain an accounting of any and all disclosures.

i. Implementation Specifications:

1. The accounting shall contain the date, nature, and purpose of such disclosures, and the name and address of the person or agency to whom the disclosure is made

2. The accounting shall be retained for at least 10 years after the disclosure, or the life of the record, whichever is longer.

3. Notwithstanding exceptions in Section (1)a.10, this accounting shall be available to Consumers, Applicants, Qualified Individuals, Enrollees, Qualified Employees, Qualified Employers, or these individuals’ legal representatives or Authorized Representatives, on their request per the procedures outlined under the access standards in Section (1) above.

(6) Accountability. In keeping with the standards and implementation specifications used by the FEE, Non-Exchange Entities should adopt and implement the standards and implementation specifications in this document and the cited MARS-E document suite, in a manner that ensures appropriate monitoring and other means and methods to identify

and report Incidents and/or Breaches.

18

a. Standard: Reporting. The Non-Exchange Entity must implement Breach and Incident handling procedures that are consistent with CMS’ Incident and Breach Notification Procedures¹ and memorialized in the Non-Exchange Entity’s own written policies and procedures. Such policies and procedures would:

i. Identify the Non-Exchange Entity’s Designated Privacy Official, if applicable, and/or identify other personnel authorized to access PII and responsible for reporting and managing Incidents or Breaches to CMS.

ii. Provide details regarding the identification, response, recovery, and follow-up of Incidents and Breaches, which should include information regarding the potential need for CMS to immediately suspend or revoke access to the Hub for containment purposes; and

iii. Require reporting any Incident or Breach of PII to the CMS IT Service Desk by telephone at (000) 000-0000 or 0-000-000-0000 or via email notification at xxx_xx_xxxxxxx_xxxx@xxx.xxx.xxx within required time frames.

b. Standard: Standard Operating Procedures. The Non-Exchange Entity shall incorporate privacy and security standards and implementation specifications, where appropriate, in its standard operating procedures that are associated with functions involving the creation, collection, disclosure, access, maintenance, storage, or use of PII.

i. Implementation Specifications:

1. The privacy and security standards and implementation specifications shall be written in plain language and shall be available to all of the Non-Exchange Entity’s Workforce members whose responsibilities entail the creation, collection, maintenance, storage, access, or use of PII.

2. The procedures shall ensure the Non-Exchange Entity’s cooperation with CMS in resolving any Incident or Breach, including (if requested by CMS) the return or destruction of any PII files it received under the Agreement; the provision of a formal response to an allegation of unauthorized PII use, reuse or disclosure; and/or the submission of a corrective action plan with steps designed to prevent any future unauthorized uses, reuses or disclosures.

3. The standard operating procedures must be designed and implemented to ensure the Non-Exchange Entity and its Workforce comply with the standards and implementation specifications contained herein, and must be reasonably designed, taking into

¹  Available at xxxx://xxx.xxx.xxx/Xxxxxxxx-Xxxxxxxxxx-Xxxx-xxx-Xxxxxxx/XXX-Xxxxxxxxxxx-Xxxxxxxxxx/XxxxxxxxxxxXxxxxxxx/Xxxxxxxxx/XXX_XXXX_0-0_Xxxxxxxx_Xxxxxxxx_Xxxxxxxx.xxx

19

account the size and the type of activities that relate to PII undertaken by the Non-Exchange Entity, to ensure such compliance.

a. Standard: Training and Awareness. The Non-Exchange Entity shall develop training and awareness programs for members of its Workforce that create, collect, disclose, access, maintain, store, and use PII while carrying out any Authorized Functions.

i. Implementation Specifications:

1. The Non-Exchange Entity must require such individuals to successfully complete privacy and security training, as appropriate for their work duties and level of exposure to PII, prior to when they assume responsibility for/have access to PII.

2. The Non-Exchange Entity must require periodic role-based training on an annual basis, at a minimum.

3. The successful completion by such individuals of applicable training programs, curricula, and examinations offered through the FFE is sufficient to satisfy the requirements of this paragraph.

b. Standard: Security Controls. The FFE shall adopt and implement the Security Control standards cited in the MARS-E document suite for protecting the confidentiality, integrity, and availability of PII.

i. Implementation Specifications:

1. Implementation specifications for each Security Control are provided in the MARS-E document suite.

00

XXXXXXXX X

DEFINITIONS

This Appendix defines terms that are used in the Agreement and other Appendices. Any capitalized term used in the Agreement that is not defined here has the meaning provided in 45 CFR 155.20.

(1) Affordable Care Act (ACA) means the Patient Protection and Affordable Care Act (Public Law 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law 111-152), which are referred to collectively as the Affordable Care Act.

(2) Access means availability of a SORN Record to a subject individual.

(3) Advance Payments of the Premium Tax Credit (APTC) has the meaning set forth in 45 CFR 155.20.

(4) Agent or Broker has the meaning set forth in 45 CFR 155.20.

(5) Applicant has the meaning set forth in 45 CFR 155.20.

(6) Application Filer has the meaning set forth in 45 CFR 155.20.

(7) Authorized Function means a task performed by a Non-Exchange Entity that the Non-Exchange Entity is explicitly authorized or required to perform based on applicable law or regulation, and as enumerated in the Agreement that incorporates this Appendix B.

(8) Authorized Representative means a person or organization meeting the requirements set forth in 45 CFR 155.227.

(9) Breach is defined by OMB Memorandum M-07-16, Safeguarding and Responding to the Breach of Personally Identifiable Information (May `22, 2007), as the compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, loss of control or any similar term or phrase that refers to situations where persons other than authorized users or for an other than authorized purpose have access or potential access to Personally Identifiable Information (PII), whether physical or electronic.

(10) CCIIO means the Center for Consumer Information and Insurance Oversight within the Centers for Medicare & Medicaid Services (CMS).

21

(11) Certified Application Counselor means an organization, staff person, or volunteer meeting the requirements set forth in 45 CFR 155.225.

(12) CMS means the Centers for Medicare & Medicaid Services.

(13) CMS Companion Guides means a CMS-authored guide, available on the CMS web site, which is meant to be used in conjunction with and supplement relevant implementation guides published by the Accredited Standards Committee.

(14) CMS Data Services Hub (Hub) is the CMS Federally-managed service to interface data among connecting entities, including HHS, certain other Federal agencies, and State Medicaid agencies.

(15) CMS Data Services Hub Web Services (Hub Web Services) means business and technical services made available by CMS to enable the determination of certain eligibility and enrollment or Federal financial payment data through the Federally-facilitated Exchange website, including the collection of personal and financial information necessary for Consumer, Applicant, Qualified Individual, Qualified Employer, Qualified Employee, or Enrollee account creations; Qualified Health Plan (QHP) application submissions; and Insurance Affordability Program eligibility determinations.

(16) CMS Companion Guide means a CMS-authored guide, available on the CMS web site, which is meant to be used in conjunction with and supplement relevant implementation guides published by the Accredited Standards Committee.

(17) Compliance and Oversight Activities are the routine activities and processes conducted by a QHP Issuer as related to ensuring operational integrity, including but not limited to internal reviews and audits of business procedures and processes and maintaining records as required by State or Federal law.

(18) Consumer means a person who, for himself or herself, or on behalf of another individual, seeks information related to eligibility or coverage through a Qualified Health Plan (QHP) or other Insurance Affordability Program, or whom an agent or broker (including Web-brokers), Navigator, Issuer, Certified Application Counselor, or other entity assists in applying for a coverage through QHP, applying for APTCs and CSRs, and/or completing enrollment in a QHP through its web site for individual market coverage.

(19) Controlling Health Plan (CHP) has the meaning set forth in 45 CFR 162.103.

22

(20) Cost-sharing Reduction (CSR) has the meaning set forth in 45 CFR 155.20.

(21) Customer Service means assistance regarding Health Insurance Coverage provided to a Consumer, Applicant, Qualified Individual, Qualified Employer, or Qualified Employee, including but not limited to responding to questions and complaints and providing information about Health Insurance Coverage and enrollment processes in connection with the FFE.

(22) Day or Days means calendar days unless otherwise expressly indicated in the relevant provision of the Agreement that incorporates this Appendix B.

(23) Department of Insurance (DOI) means the State agency or regulatory authority that, among other things, licenses, oversees, and regulates Issuers, Agents, and Brokers, as applicable.

(24) Designated Privacy Official means a contact person or office responsible for receiving complaints related to Breaches or Incidents, able to provide further information about matters covered by the notice, responsible for the development and implementation of the privacy and security policies and procedures of the Non-Exchange Entity, and ensuring the Non-Exchange Entity has in place appropriate safeguards to protect the privacy and security of PII.

(25) Enrollee has the meaning set forth in 45 CFR 155.20.

(26) Enrollment Reconciliation is the process set forth in 45 CFR 155.400(d).

(27) Exchange has the meaning set forth in 45 CFR 155.20.

(28) Federally-facilitated Exchange (FFE) means an Exchange (or Marketplace) established by HHS and operated by CMS under Section 1321(c)(1) of the ACA for individual or small group market coverage, including the Federally-facilitated Small Business Health Options Program (FF-SHOP). Federally-facilitated Marketplace (FFM) has the same meaning as FFE.

(29) Federal Privacy Impact Assessment (PIA) is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative

23

processes for handling information to mitigate potential privacy risks, as defined in OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003).

(30) Health Insurance Coverage has the meaning set forth in 45 CFR 155.20.

(31) Health Insurance Exchanges Program (XXX) means the System of Records that CMS uses in the administration of the FFE. As a System of Records, the use and disclosure of the SORN Records maintained by the XXX must comply with the Privacy Act of 1974, the implementing regulations at 45 CFR Part 5b, and the “routine uses” that were established for the XXX in the Federal Register at 78 Fed. Reg. 8538 (February 6, 2013), and amended by 78 Fed.Reg. 32256 (May 29, 2013).

(32) HHS means the U.S. Department of Health & Human Services.

(33) Health Insurance Portability and Accountability Act (HIPAA) means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, as amended, and its implementing regulations.

(34) Incident, or Security Incident, means the act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.

(35) Information means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.

(36) Insurance Affordability Program means a program that is one of the following:

(1) A State Medicaid program under title XIX of the Social Security Act.

(2) A State children’s health insurance program (CHIP) under title XXI of the Social Security Act.

(3) A State basic health program established under section 1331 of the Affordable Care Act.

(4) A program that makes coverage in a Qualified Health Plan through the Exchange with Advance Payments of the Premium Tax Credit established under section 36B of the Internal Revenue Code available to Qualified Individuals.

(5) A program that makes available coverage in a Qualified Health Plan through the Exchange with Cost-sharing Reductions established under section 1402 of the Affordable Care Act.

24

(37) Issuer has the meaning set forth in 45 CFR 144.103.

(38) Minimum Acceptable Risk Standards—Exchanges (MARS-E) means a CMS-published suite of documents, version 1.0 (August 1, 2012), that defines the security standards required pursuant to 45 CFR 155.260 and 45 CFR 155.270, for any Exchange, individual, or entity gaining access to information submitted to an Exchange or through an Exchange using a direct, system-to-system connection to the Hub, available on the CCIIO web site.

(39) Navigator has the meaning set forth in 45 CFR 155.20.

(40) Non-Exchange Entity has the meaning at 45 CFR 155.260(b), including but not limited to Navigators, agents, and brokers.

(41) OMB means the Office of Management and Budget.

(42) Other Entity Identifier (OEID) means an alternative identification mechanism that is used to identify itself or have itself identified on all covered transactions in which it needs to be identified or any other lawful purpose and is available through the Enumeration System identified in 45 CFR 162.508 to entities with the following characteristics:

(1) Is identified in a transaction for which the Secretary of HHS has adopted a standard under 45 CFR Part 162;

(2) Is not eligible to obtain a Health Plan Identifier under 45 CFR 162.506;

(3) Is not eligible to obtain a National Provider Identifier (NPI) under 45 CFR 160.410; and

(4) Is not an individual.

(43) Personally Identifiable Information (PII) has the meaning contained in OMB Memoranda M-07-16 (May 22, 2007) and means information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

25

(44) Qualified Employee has the meaning set forth in 45 CFR 155.20.

(45) Qualified Employer has the meaning set forth in 45 CFR 155.20.

(46) Qualified Health Plan (QHP) has the meaning set forth in 45 CFR 155.20.

(47) Qualified Individual has the meaning set forth in 45 CFR 155.20.

(48) Responsible Official means an individual or officer responsible for managing a Non-Exchange Entity or Exchange’s records or information systems, or another individual designated as an individual to whom requests can be made, or the designee of either such officer or individual who is listed in a Federal System of Records Notice as the system manager, or another individual listed as an individual to whom requests may be made, or the designee of either such officer or individual.

(49) Security Control means a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.

(50) State means the State that has licensed the Agent, Broker, or Issuer that is a party to this Agreement or the State where the Certified Application Counselor, Navigator, or Non-Navigator that is a party to this Agreement is operating.

(51) State Partnership Exchange means a type of FFE in which a State assumes responsibility for carrying out certain activities related to plan management, consumer assistance, or both.

(52) Subhealth Plan (SHP) has the meaning set forth in 45 CFR 162.103.

(53) Subject Individual means that individual to whom a SORN Record pertains.

(54) System of Records means a group of Records under the control of any Federal agency from which information is retrieved by name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

(55) System of Records Notice (SORN) means a notice published in the Federal Register notifying the public of a System of Records maintained by a Federal agency. The notice describes privacy considerations that have been addressed in implementing the system.

(56) System of Record Notice (SORN) Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including but not limited

26

to that individual’s education, financial transactions, medical history, and criminal or employment history and that contains that individual’s name, or an identifying number, symbol, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph, that is part of a System of Records.

(57) Trading Partner means an entity that exchanges enrollment or financial management data with a Hub contractor.

(58) Web-broker means an agent or broker who uses a non-Federally-facilitated Exchange internet web site to assist Consumers, Applicants, Qualified Individuals, and Enrollees in the QHP selection and enrollment process as described in 45 CFR 155.220(c).

(59) Workforce means a Non-Exchange Entity’s or FFE’s employees, agents, contractors, subcontractors, officers, directors, agents, representatives, and any other individual who may create, collect, disclose, access, maintain, store, or use PII in the performance of his or her duties.

27

APPENDIX C

STANDARDS FOR COMMUNICATION WITH THE HUB

(1) Web-broker Entity (“WBE”) must complete testing for each Hub-related transaction it will implement, and shall not be allowed to exchange data with CMS in production mode until testing is satisfactorily passed, as determined by CMS in its sole discretion. Successful testing generally means the ability to pass all applicable HIPAA compliance standards, or other CMS-approved standards, and to process electronic data and information transmitted by WBE to the Hub. The capability to submit these test transactions will be maintained by WBE throughout the term of this Agreement.

(2) Transactions must be formatted in accordance with the Accredited Standards Committee Implementation Guides adopted under HIPAA, available at xxxx://xxxxx.x00.xxx/xxxxx/, as applicable and appropriate for the type of transaction. CMS will make available Companion Guides for the transactions, which specify necessary situational data elements.

(3) WBE agrees to abide by the applicable policies affecting electronic data interchange submissions and submitters as published in any of the guidance documents related to the CMS FFE or Hub, as well as applicable standards in the appropriate CMS Manual(s) or CMS Companion Guide(s), as published on the CMS Web site. These materials can be found at xxxx://xxx.xxx.xxx/XXXXX/Xxxxxxxxx/Xxxxxxxxxxx-xxx- Guidance/Downloads/companion-guide-for-ffe-enrollment-transaction-v15.pdf and xxxx://xxx.xxx.xxx/xxxxx/xxxxxxxxx/xxxxxxxxxxx-xxx-xxxxxxxx/xxxxx.xxxx.

(4) WBE agrees that prior to the submission of any additional transaction types to the FFE production system, or as a result of making changes to an existing transaction type or system, it will submit test transactions to the Hub in accordance with paragraph (1) above.

(5) If WBE enters into relationships with other affiliated entities, or their authorized designees, for submitting and receiving FFE data, it must execute contracts with such entities that stipulate that such entities and any of its subcontractors or affiliates, must utilize software tested and approved by WBE as being in the proper format and compatible with the FFE system.

28