Securing the Health Insurance Marketplace
Securing the Health Insurance Marketplace
Beginning October 1, 2013, consumers can begin applying for health insurance coverage in the Health Insurance Marketplaces. When consumers fill out their Marketplace application, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure.
The Department of Health and Human Services’ (HHS) and the Centers for Medicare & Medicaid Services’ (CMS) program integrity efforts to prevent, protect against, and prosecute fraud in the health insurance Marketplace, using tried and tested methods used in other programs, including Medicare, government grants, mortgages, Medicaid, and CHIP. These efforts are focused on designing the front end to protect consumers’ personally identifiable information (PII) and prevent bad actors from taking advantage of consumers seeking to enroll in the Marketplaces, as well as ensuring on the back end that CMS and other parts of the Federal government and states are ready to take action against any entity that engages in fraudulent activities.
Protecting the privacy of consumers remains the highest priority of CMS, and CMS is taking important steps to prevent fraud and ensure the security of the Marketplace:
IT Systems Security
The privacy and security of consumer’s PII is a top priority for CMS, and we have a strong record in protecting data in programs such as Medicare and Medicaid. Federally-facilitated Marketplace (FFM) IT systems are currently being tested to ensure security, and the Data Services Hub (the Hub), which will be accessed by all Marketplaces, has completed security testing and certification to operate. CMS has designed the FFM Marketplace IT systems and the Hub to minimize and prevent security vulnerabilities, specifically by storing the minimum amount of PII possible. Further, CMS is putting in place a robust security monitoring program that will report and record all security events and network device logs to identify, assess, and mitigate vulnerabilities. Together with our interagency partners, CMS has developed a rapid response mechanism to respond to a potential data breach and mitigate the effects of attempts to jeopardize the integrity of the Hub and the databases it connects.
The Marketplace single streamlined application asks for some personal information necessary to make eligibility determinations, such as the applicant’s name, address, and date of birth. Personal health information (PHI) will be requested only when it is needed to complete the application and make an eligibility determination for health coverage options such as Medicaid and the Children’s Health Insurance Program (CHIP), coverage through Qualified Health Plans offered through the Marketplace, and consumer insurance affordability programs. To the extent (PHI) is necessary for these determinations, the FFM IT systems will not store this information.
Under HHS rules, every state-based and Federally-facilitated Marketplace will be required to confirm an applicant’s identity and eligibility for enrollment in a Marketplace plan, and if the applicant requests, will confirm the applicant’s eligibility for an insurance affordability program (tax credits, cost-sharing reductions, Medicaid and CHIP). This will be done using the Hub.
The Hub is not a database and will not store consumer information. Instead, it is a routing tool that will provide one secure, protected connection to common federal data sources including the Social Security Administration (SSA), Internal Revenue Service (IRS), and Department of Homeland Security (DHS). The Hub connects both state and federal Marketplace systems performing eligibility determinations with the federal authoritative data sources using secured connections. It allows the Marketplaces, Medicaid, and CHIP systems to query the government databases used today in the eligibility processes for many state and federal programs in an efficient, secure manner.
The Hub increases efficiency and security by eliminating the need for each Marketplace, Medicaid agency, and CHIP agency to set up separate data connections to each database. Vulnerabilities increase when the number of connections to a data source increase – which is why CMS has designed the Hub to prevent such liabilities. The Hub provides one highly secured connection to trusted federal and state databases instead of requiring each agency to set up what could have amounted to hundreds of independently established connections. Privacy controls between CMS and our federal and state partners are enforced through a series of business agreements to ensure trust and confidence before data is exchanged. The Federal agencies with whom CMS has such agreements require their employees to participate in privacy trainings to understand their responsibility for protecting PII. All CMS employees with access to the Hub will be trained in applicable privacy laws and are required to complete an annual computer-based Privacy Awareness Training course.
Controls and Training for Enrollment Assisters
Consumers in every state will have access to Marketplace-trained and approved individuals to help them understand their coverage options and enroll in a plan through state and federal Marketplaces. Assistance may be provided by any of the following: Navigators, In-Person Assisters (Non-Navigator Assistance Personnel), Certified Application Counselors and/or their affiliated organizations, and, if state law permits, Agents and Brokers (collectively, assistance personnel). More information on these types of assistance personnel can be found here.
CMS will train and approve assistance personnel who will help consumers in the Federally-facilitated and State Partnership Marketplaces (FFMs and SPMs). CMS will approve as assistance personnel only those organizations and individuals that agree to protect PII. Assistance personnel and/or the organizations they are affiliated with in the FFMs and SPMs must sign agreements with CMS requiring them to comply with Marketplace privacy and information security requirements. All types of assistance personnel in the FFMs and SPMs are required to complete training, including training about the appropriate handling of PII. Assistance personnel in the FFMs and SPMs are also being trained to report instances of potential fraud of which they have knowledge, or suspect, and to encourage consumers to do the same.
All state-based Marketplaces are required to develop standards to protect the privacy and security of consumers’ personal information and to ensure that the assistance personnel that they approve and train abide by the same or more stringent standards. In addition, as part of CMS’s ongoing efforts to support state flexibility, we are working with assistance personnel to ensure they take advantage of additional safeguards states are putting in place to protect consumer privacy.
Importantly, Navigators and certified application counselors may not charge any fees for assisting consumers with enrollment, or steer consumers to others who will charge fees. Consumers should be suspicious of anyone who charges them a fee in connection with enrollment.
CMS is working to educate consumers so they can protect themselves from unscrupulous fraudsters. We will conduct an outreach and education campaign to inform consumers about how they can protect their PII and how to detect and report fraudulent activities. This campaign will make clear that consumers should generally not expect to pay any fees for assistance with enrollment. CMS will create and distribute consumer information including online content, public service announcements, drop-in articles, and other materials. We are engaging partners, stakeholders, and other entities to help deliver this information and to educate consumers. CMS is also widely advertising the toll free Marketplace call center number (1-800-318-2596) that consumers can use to report suspected fraudulent activity.
CMS will not tolerate the misuse of personal information associated with the Marketplace or the inappropriate charging of fees for assisting consumers with enrollment. Likewise, steps will be taken, pursuant to our agreements with navigator and certified assister organizations, to ensure that no one poses as an assistor affiliated with the Marketplace in an effort to access PII or charge consumers for services they are not providing. Whether the bad actor is a legitimate assister who abuses his or her position, or someone who gains access to personal information through theft, fraud, or other illegal means, there are a wide variety of law enforcement tools available to mitigate these situations.
A response and referral system will be created. Suspected fraudulent activity are monitored and prosecuted in the same way as other government programs, including Medicare, Medicaid, and CHIP. Potential fraudulent activity is detected in two main ways. First, a consumer may report suspected activity by calling the Marketplace Call Center (1-800-318-2596, TTY 1-855-889-4325). The consumer information will be recorded and relayed to federal and State officials for evaluation and potential prosecution. In addition, the consumer will be provided with information about steps to take if their personal information has been compromised. Second, federal officials will monitor activity for trends that could indicate fraud. This information will be referred for prosecution to state and local officials as needed.
Working with federal and state partners including the Department of Justice and other law enforcement agencies, CMS will marshal all available resources to fight wrongdoing that may arise in the Marketplaces. CMS will work with these federal and state partners to oversee and monitor the Marketplaces as well as entities associated with the Marketplaces for compliance with the privacy and security standards established and implemented by the Marketplace. Oversight activities may include, but are not limited to, audits, investigations, inspections and any reasonable activities necessary for appropriate oversight of compliance with Marketplace privacy and security standards.
Key enforcement authority:
- Bad actors that gain unauthorized access to or misuse consumers’ personal information can be criminally prosecuted under federal and state law. Identity theft and related fraud can be prosecuted under The Identity Theft Assumption and Deterrence Act and other federal statutes that protect against credit card fraud, computer fraud, mail fraud, wire fraud, and financial institution fraud. State law enforcement authorities can also prosecute those who illegally gain access to or misuse consumer information.
- Moreover, Marketplaces can take action against entities that inappropriately charge consumers fees for assisting with enrollment.
- The Affordable Care Act places restrictions on the use or disclosure of information provided by applicants for Marketplace coverage and provides for civil monetary penalties up to $25,000 if those restrictions are not followed.
- Insurance companies’ activities are tightly regulated by their state departments of insurance and by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Insurers are responsible for overseeing any appointed agents and brokers that work with consumers on their behalves.
- Under federal law, state insurance commissioners must adopt requirements regarding the privacy and disclosure of nonpublic personal financial information associated with the insurance industry. State insurance commissioners can also revoke the licenses of agents and brokers charged with identity theft violations.
Protecting consumers as they enroll in a quality, affordable health insurance plan is a top priority for CMS. We are committed to ensuring that consumers are not defrauded in their attempt to obtain affordable health care. Working with our partners across federal and state government, CMS is committed to keeping consumers’ personal information safe as families apply for and receive health insurance coverage through the Marketplaces.