Privacy Act of 1974; Report of an Altered CMS System of Records Notice, 63211-63216 [2013-24861]

Agencies

• Centers for Medicare & Medicaid Services
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 78, Number 205 (Wednesday, October 23, 2013)]
[Notices]
[Pages 63211-63216]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-24861]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of an Altered CMS System of Records 
Notice

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Altered System of Records Notice (SORN).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 1974 
(5 U.S.C. 552a), CMS proposes several alterations to the existing 
system of records titled, ``Health Insurance Exchanges (HIX) Program'' 
(No. 09-70-0560), published at 78 FR 8538 (February 6, 2013) and 
amended and published at 78 FR 32256 (May 29, 2013). The alterations 
affect the ``Purposes of the System'', ``Categories of Individuals 
Covered by the System'', ``Categories of Records in the System'', 
``Authority for Maintenance of the System'', ``System Location'', 
``Retention and Disposal'', ``System Manager and Address'', ``Routine 
Uses of Records Maintained in the System'', and ``Record Source 
Categories'' sections of the accompanying System of Records Notice, as 
more fully explained in the Supplementary Information section.

DATES: The proposed modifications will be effective immediately, with 
exception of the new and revised Routine Uses which will be effective 
30 days after publication of this notice in the Federal Register unless 
comments received on or before that date result in revisions to this 
notice.

ADDRESSES: The public should send comments to: CMS Privacy Officer, 
Division of Privacy Policy, Privacy Policy and Compliance Group, Office 
of E-Health Standards & Services, Office of Enterprise Management, CMS, 
Room S2-24-25, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. 
Comments received will be available for review at this location, by 
appointment, during regular business hours, Monday through Friday from 
9:00 a.m.-3:00 p.m., Eastern Time zone.
    For Information on Health Insurance Exchanges Contact: Karen 
Mandelbaum, JD, MHA, Office of Health Insurance Exchanges, Exchange 
Policy and Operations Group, Center for Consumer Information and 
Insurance Oversight, 7210 Ambassador Road, Baltimore, MD 21244, Office 
Phone: (410) 786-1762, Facsimile: (301) 492-4353, Email: 
karen.mandelbaum@cms.hhs.gov.

SUPPLEMENTARY INFORMATION: 

I. Proposed Alterations

    By way of background, this system of records was established to be 
a global system of records to cover all data activities in support of 
the HIX Program at the Federal level. The Health Insurance Exchanges 
(HIX) Program is a new way to find health insurance coverage for people 
who do not currently have coverage or who want to find options for 
health insurance coverage. The HIX Program includes Federally-
facilitated Exchanges (FFEs) operated by CMS, CMS support and services 
provided to all Exchanges and state agencies administering Medicaid 
programs, Children's Health Insurance Programs (CHIPs) and Basic Health 
Programs (BHPs), and CMS administration of advance payments of the 
premium tax credit and cost-sharing reductions associated with 
enrollment in QHPs through an Exchange. The system stores personal, 
financial, employment and demographic information about individuals who 
participate in or are involved with the HIX Program. The proposed 
modifications to the system of records and the affected sections of the 
System of Records Notice are identified and described below.

Use Limitations on Federal Tax Return Information

    CMS proposes to amend item No. 1 in the Categories of Records 
section to clarify that Federal tax return information may be used or 
disclosed only as authorized by 26 U.S.C. 6103.

Discussion of Reporting

    CMS proposes to amend the Purpose of the System section to 
explicitly mention the oversight and reporting functions required by 
the Patient Protection and Affordable Care Act (PPACA) (Pub. L. 111-
148) as amended by the Health Care and Education Reconciliation Act of 
2010 (Pub. L. 111-152), collectively referred to as the Affordable Care 
Act.

Individuals Providing Consumer Assistance

    CMS proposes to include, in the Purpose and Categories of Records 
sections, a description of the information resulting from registering, 
training and/or certifying individuals who will assist consumers, 
applicants and enrollees in states where an FFE and/or an FF-SHOP will 
operate. Such individuals include Navigators (as defined by 45 
CFR155.210), non-Navigator Assistance Personnel (as allowed for under 
45 CFR155.205; also known as In-Person Assisters), Certified 
application counselors (as defined by 45 CFR155.225), Agents and 
Brokers, and any other individuals that are required to register with 
an Exchange prior to assisting qualified individuals, employees and 
employers to enroll in QHPs through the Exchange. Upon completing the 
registration form and successfully completing the training and testing 
program and certification process, CMS will certify these individuals 
to provide consumers, applicants, and enrollees with outreach, 
education, and assistance in obtaining access to health care coverage 
through an FFE or FF-SHOP.
    CMS proposes to amend Routine Use No. 2 to clarify that CMS may 
disclosure information about Navigators, non-Navigator Assistance 
Personnel, Certified application counselors, and

[[Page 63212]]

Agents and Brokers to the appropriate state agency or agencies in the 
state in which they have registered and will provide outreach, 
education and assistance to consumers, applicants and enrollees through 
the FFE or FF-SHOP.
    Additionally, CMS proposes a new Routine Use, Number 11, 
specifically related to the information of Agents and Brokers who have 
completed registration and training. Pursuant to 45 CFR 155.220(b), CMS 
proposes Routine Use number 11 so that CMS may display on the FFE and 
FF-SHOP Web sites information regarding these Agents and Brokers who 
have completed registration and training for the convenience of 
consumers looking for assistance from an Agent or Broker that is 
familiar with the Exchange policies and application process.

Identity Proofing

    CMS proposes to include a description of the identity proofing 
process within the Purpose of the System section. Identity proofing 
refers to a process through which the Exchange, state Medicaid agency, 
or state CHIP agency obtains a level of assurance through a third party 
data verification source regarding an individual's identity that is 
sufficient to allow access to electronic systems that include sensitive 
state and Federal data. This process will be performed at the time (A) 
an application for an eligibility determination in the individual 
market and Small Business Health Options Program (SHOP) is submitted to 
an Exchange and (B) an Agent or Broker registers with the Federally-
facilitated Exchange (FFE) and completes the FFE training and 
certification processes.
    Identity proofing must be completed by several categories of 
individuals. Each adult application filer (as defined at 45 CFR 155.20) 
submitting either an on-line application or a telephonic application 
for an eligibility determination or enrollment in a QHP through an 
Exchange in the individual market, advance payments of the premium tax 
credit, cost-sharing reductions, Medicaid and CHIP must complete the 
identity proofing process. The adult application filer is required to 
complete identity proofing prior to filing an on-line or telephonic 
application and prior to the disclosure of any information covered 
under this system of records back to the application filer. Application 
filers submitting paper applications regardless of type (including 
exemptions) will be identity proofed only if they elect to move into an 
electronic process. In addition, for the FF-SHOP Employer applications, 
the primary employer contact must complete identity proofing and if a 
secondary employer contacts is identified on the application, the 
secondary employer contact may have to complete identity proofing as 
well. Identity proofing will also be performed on Agents and Brokers 
when they register with the FFE to become certified to assist 
consumers, individuals, applicants and enrollees in the individual 
market Marketplace and SHOP Marketplace in a state in which the Agent 
or Broker is licensed to sell health insurance.

Clarification of Meanings of Terms

    CMS also proposes to clarify the intended meaning of the term 
``application filer'' as it is used in the current version of the SORN. 
CMS also proposes to add a new Category of Records describing the 
information maintained about this group of individuals. As used in the 
existing Category of Records and Routine Use Number 8, this terms was 
intended to be inclusive of the following: an application filer, as 
defined by 45 CFR155.20 (which includes authorized representatives); 
individuals or their authorized representative applying for exemption 
from the individual shared responsibility payment; a SHOP application 
filer as defined by 45 CFR155.700; Agents and Brokers; and QHP issuers 
performing application assistance functions.
    To ensure clarity of the meaning of terms used with the SORN, 
beginning with this version of the SORN, CMS proposes to align the use 
of terms with the definitions provided within HIX program regulations. 
Therefore, CMS is proposing changes to the Categories of Records and 
Routine Use number 8 to itemize all of the populations included within 
the meaning of the current use of the term application filer. In 
general, additional small wording adjustments have been made throughout 
all sections to provide consistent use of terms and more specificity 
throughout the SORN.

Health Insurance Casework System (HICS)

    CMS proposes to update the Purpose of the System, the Authority for 
Maintenance of the System, and Categories of Records sections and add a 
new Routine Use to include a description of the consumer complaint 
tracking system known as the Health Insurance Casework System (HICS). 
Section 1311(c)(3) of the Affordable Care Act requires HHS to ``develop 
a rating system that would rate qualified health plans offered through 
an Exchange in each benefits level on the basis of the relative quality 
and price.'' Additionally, Section 1321(c) of the Affordable Care Act 
authorizes HHS to ensure that states with Exchanges are substantially 
enforcing the federal standards to be set for the Exchanges. Sections 
2723 and 2761 of the Public Health Service Act (PHS Act) authorize HHS 
to enforce PHS Act provisions that apply to non-Federal governmental 
plans and to enforce PHS Act provisions that apply to other health 
insurance coverage in states that HHS has determined are not 
substantially enforcing those provisions. By collecting consumer 
complaint information, HICS will help HHS carry out all of the above 
mentioned functions.

Routine Uses

    CMS proposes the following Routine Use modifications.
    [squf] Routine Use No. 2: Modify to permit CMS to disclose 
information to an Appeals Entity as defined under 45 CFR 155.500 in the 
event that an applicant or enrollee exercises his or her appeal right 
under 45 CFR 155.505. Modify to permit CMS to disclose information 
about Navigators, non-Navigator Assistance Personnel, Certified 
application counselors, and Agents and Brokers who have been trained 
and certified by CMS to provide consumer assistance to the appropriate 
state agency or agencies for oversight and monitoring of these 
individuals.
    [squf] Routine Use No. 4: Modify to remove unnecessary example 
related to contractors.
    [squf] Routine Use No. 8: Modify to clarify the meaning intended 
with the use of term application filer to allow information about 
applicants and Relevant Individuals to be disclosed to Agents, Brokers, 
and QHP issuers.
    [squf] Routine Use No. 9: Modify to expand the disclosure of 
information to QHP issuers to include the disclosure of (A) applicant/
enrollee and Relevant Individual information as necessary for 
individuals to be enrolled in a QHP, regardless of eligibility for 
advance payments of the premium tax credit or cost-sharing reductions 
and (B) consumer information for those that contact CMS to file a 
complaint or to seek resolution of an issue with the QHP issuer.
    CMS proposes adding the following Routine Uses.
    [squf] Routine Use No. 10: Provide for disclosures of employee 
information to employers when an employee submitting an application for 
an eligibility determination has been determined eligible for advance 
payments of the premium tax credit and cost-sharing reductions, or as 
needed to

[[Page 63213]]

verify whether an applicant is enrolled in an eligible employer 
sponsored plan.
    [ssquf] Routine Use No.11: Permit the public disclosure of 
information to the appropriate state agency, and members of the public, 
about Agents and Brokers that have registered with, successfully 
completed CMS training, and are certified by an FFE or FF-SHOP, and to 
disclose Agent and Broker information to the appropriate state agency 
to assist states with oversight, monitoring and enforcement activities 
over agents and brokers and allow states to provide outreach and 
education resources to consumers about obtaining health care coverage 
in their states.
    [ssquf] Routine Use No. 12: Permit the disclosure of information 
from the HICS system to other government agencies for the purposes of 
resolving complaints and assisting states with issuer oversight and 
monitoring.
    [ssquf] Routine Use No. 13: To assist a CMS contractor that is 
engaged to perform a function or provide administrative, technical or 
physical support to the FFEs (including FF-SHOPs) or to a grantee of a 
CMS-administered grant program, when the disclosure is deemed 
reasonably necessary by CMS to prevent, deter, discover, detect, 
investigate, examine, prosecute, sue with respect to, defend against, 
correct, remedy, or otherwise combat fraud, waste or abuse in such 
program.

II. The Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the 
United States Government collects, maintains, and uses PII in a system 
of records. A ``system of records'' is a group of any records under the 
control of a Federal agency from which information about individuals is 
retrieved by name or other personal identifier. The Privacy Act 
requires each agency to publish in the Federal Register a system of 
records notice (SORN) identifying and describing each system of records 
the agency maintains, including the purposes for which the agency uses 
PII in the system, the routine uses for which the agency discloses such 
information outside the agency, and how individual record subjects can 
exercise their rights under the Privacy Act (e.g., to determine if the 
system contains information about them).
SYSTEM NUMBER:
    09-70-0560.

SYSTEM NAME:
    Health Insurance Exchanges (HIX) Program, HHS/CMS/CCIIO.

SECURITY CLASSIFICATION:
    Unclassified

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850, Health Insurance Exchanges 
Program (HIX) locations, and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system will contain personally identifiable information (PII) 
about the following categories of individuals who participate in or are 
involved with the CMS Health Insurance Exchanges (HIX) Program: (1) Any 
applicant/enrollee who applies and any application filer (an 
application filer, as defined by 45 CFR155.20 (which includes 
authorized representatives); individuals or their authorized 
representative applying for exemption from the individual shared 
responsibility payment; a SHOP application filer as defined by 45 
CFR155.700; Agents and Brokers; and QHP issuers performing application 
assistance functions) who files an application on behalf of an 
applicant/enrollee, for an eligibility determination for enrollment in 
a qualified health plan (QHP) through an Exchange, for one or more 
insurance affordability programs, for a certificate of exemption from 
the shared responsibility requirement, or an appeal; (2) Navigators, 
non-Navigator Assistance Personnel (also known as In-Person Assisters), 
Certified application counselors, Agents and Brokers, and all other 
individuals or entities that are required to register with an Exchange 
prior to assisting qualified individuals, employees and employers to 
enroll in QHPs through the Exchange; (3) officers, employees and 
contractors of the Exchange; (4) employees and contractors of CMS (e.g. 
eligibility support workers, appeals staff, etc.); (5) contact 
information and business identifying information of representatives, 
officers, agents, and employees of QHPs seeking certification; (6) 
persons employed by or contracted with an Exchange organization who 
provide home or personal contact information; (7) any qualified 
employer and the qualified employees whose enrollment in a QHP is 
facilitated through a Small Business Health Options Program (SHOP), 
including authorized representatives of such individuals; and (8) 
Individuals, including non-applicant household members/family members, 
non-applicant tax payers or tax filers, and spouses and parents of 
applicants, who are listed on the application and whose PII may bear 
upon a determination of the eligibility of an individual for an 
insurance affordability program and for certifications of exemption 
from the individual responsibility requirement. Such individuals will 
hereafter be referred to as ``Relevant Individual(s)''.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Information maintained in this system for individual applicant/
enrollees includes, but may not be limited to, the applicant's first 
name, last name, middle initial, mailing address or permanent 
residential address (if different from the mailing address), date of 
birth, Social Security Number (if the applicant/enrollee has one), 
taxpayer status, gender, ethnicity, residency, email address, telephone 
number, employment status and employer if applicable. The system will 
also maintain information from the verification process of the 
information provided by the applicant/enrollee or by the application 
filer (an application filer, as defined by 45 CFR 155.20 (which 
includes authorized representatives); individuals or their authorized 
representative applying for exemption from the individual shared 
responsibility payment; a SHOP application filer as defined by 45 CFR 
155.700; Agents and Brokers; and QHP issuers performing application 
assistance functions) on behalf of the applicant that will enable a 
determination about the applicant's or enrollee's eligibility. The 
system will collect and maintain information that the applicant/
enrollee or the application filer (an application filer, as defined by 
45 CFR 155.20 (which includes authorized representatives); individuals 
or their authorized representative applying for exemption from the 
individual shared responsibility payment; a SHOP application filer as 
defined by 45 CFR 155.700; Agents and Brokers; and QHP issuers 
performing application assistance functions) on behalf of the applicant 
submits, information that is obtained from other federal agencies 
through the computer matching programs verifying applicant information 
and information obtained from federal and state sources through the 
Information Exchange Agreements with IRS and State Medicaid and CHIP 
agencies and State-based Exchanges pertaining to (1) the applicant or 
enrollee's citizenship or immigration status, because only individuals 
who are citizens or nationals of the U.S. or lawfully present are 
eligible to enroll; (2) enrollment in Federally funded minimum 
essential health coverage (e.g. Medicare, Medicaid, Federal Employees 
Health Benefit Program (FEHBP), Veterans Health Administration (Champ 
VA), Children's Health Insurance Program (CHIP), Department of Defense

[[Page 63214]]

(TRICARE), Peace Corps); (3) incarceration status; (4) Indian status; 
(5) enrollment in employer-sponsored coverage; (6) requests for and 
accompanying documentation to justify receipt of individual 
responsibility exemptions, including membership in a certain type of 
recognized religious sect or health care sharing ministry; (7) employer 
information; (8) status as a veteran; (9) pregnancy status; (10) 
blindness and/or disability status; (11) smoking status; and (12) 
household income, including tax return information from the IRS, income 
information from the Social Security Administration, and financial 
information from other third party sources. Federal tax return 
information can only be used or disclosed as authorized by 26 U.S.C. 
6103.
    Information will also be maintained with respect to the applicant's 
enrollment in a QHP through the Exchange, the premium amounts and 
payment history. The system will collect and maintain information 
pertaining to Relevant Individual(s) that includes the following: First 
name, last name, middle initial, permanent residential address, date of 
birth, SSN (if the Relevant Individual has one or is required to 
provide it as specified in 45 CFR 155.305(f)(6)), taxpayer status, 
gender, residency, relationship to applicant, employer information, and 
household income, including tax information from the IRS, income 
information from the Social Security Administration, and financial 
information from other third party sources. Additionally, should an 
applicant file an appeal, information related to the appeal and any 
associated documentation and decision will be maintained in the system.
    With respect to qualified employers and qualified employees 
utilizing the SHOP, the information maintained in the system includes 
but may not be limited to the name and address of the employer, number 
of employees, Employer Identification Number (EIN), and list of 
qualified employees and their Social Security Numbers.
    Information maintained in this system for application filers (an 
application filer, as defined by 45 CFR 155.20 (which includes 
authorized representatives); individuals or their authorized 
representative applying for exemption from the individual shared 
responsibility payment; a SHOP application filer as defined by 45 CFR 
155.700; Agents and Brokers; and QHP issuers performing application 
assistance functions) may include, but not be limited to, the 
individual's first name, middle name, last name, address, city, state, 
zip code, telephone number, organization name, identification number, 
and association with or relationship to an applicant.
    Information maintained in this system for Agents and Brokers 
includes, but may not be limited to, the Agent or Broker's log-in ID, 
password, first name, middle name, last name, email address, user type, 
National Producer Number, occupation type, organization type, job 
title, manager, primary language, region, time zone, state, zip code, 
phone number. Information maintained in this system for assisters such 
as Navigators, non-Navigator Assistance Personnel (including In-Person 
Assisters), and Certified application counselors, includes, but may not 
be limited to, the assister individual's or entity's user name (user 
name/ID), first name, last name, email address, phone number, state, 
zip code, user type, employer or grantee organization (if applicable).
    Information in the Health Insurance Casework System (HICS) includes 
but is not limited to, complainant's contact information, such as, 
name, telephone number, email address, state of residence, zip code; 
demographic information, such as, age, gender, ethnicity, family 
status, employment status, income level, veteran's status and health 
insurance status, health insurance background and recent history, and 
available health insurance options. The PII in HICS will include but 
not be limited to, the consumers, applicants/enrollees, and/or their 
authorized representatives that have contacted CMS to file a complaint 
about a QHP offered through the FFE or the issuer of such a QHP, or to 
seek resolution of a particular issue with such a QHP or issuer. 
Therefore, we anticipate that in addition to the PII listed above, to 
the extent complainants share health information with CMS as part of 
their complaints, PHI may also be included in HICS. Any HICS data 
published will be in aggregate form and will not contain any personally 
identifiable data elements.
    Information maintained in this system for (i) officers, employees 
and contractors of the Exchange; (ii) employees and contractors of CMS; 
(iii) representatives, officers, agents, and employees of QHPs seeking 
certification; and (iv) persons employed by or contracted with an 
Exchange organization will include contact and identifying information 
(such as first and last name, address, telephone number, email address, 
employer, or similar information), relationship to the Exchange or CMS 
(such as status as contractor, employee, etc.), and, as applicable, 
log-in IDs and passwords.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The HIX program implements health care reform provisions of the 
Patient Protection and Affordable Care Act (PPACA) (Pub. L. 111-148) as 
amended by the Health Care and Education Reconciliation Act of 2010 
(Pub. L. 111-152) collectively referred to as the Affordable Care Act. 
Title 42 U.S.C. 18031, 18041, 18081, 18083, and sections 2723, 2761 of 
the Public Health Service Act (PHS Act).

PURPOSE(S) OF THE SYSTEM:
    Health Insurance Exchanges are established by the Patient 
Protection and Affordable Care Act of 2010 as amended by the Health 
Care and Education Reconciliation Act of 2010. They provide competitive 
marketplaces for individuals and small employers to directly compare 
available private health insurance options on the basis of price, 
quality, and other factors. The Exchanges will help enhance competition 
in the health insurance market, improve choice of affordable health 
insurance, and give small businesses the same purchasing clout as large 
businesses.
    The purpose of this system is to collect, create, use and disclose 
PII about individuals who apply for eligibility determinations or 
appeal eligibility determinations for enrollment in a QHP, including 
stand-alone dental plans, through an Exchange, for insurance 
affordability programs, and for certifications of exemption from the 
individual responsibility requirement. The purpose of this system is 
also to collect, create, use and disclose PII about Relevant 
Individual(s) whose PII may bear upon a determination of the 
eligibility of an individual for an insurance affordability program or 
for certifications of exemption from the individual responsibility 
requirement. An additional purpose of the system is to collect, create, 
use and disclose PII for the identity proofing of application filers as 
defined in 45 CFR 155.20, primary and secondary employer contacts 
filing applications to a FF-SHOP, and Agents and Brokers registering 
with the FFE.
    The system will collect, create, use and disclose PII about 
individuals and entities that register with and are certified by CMS. 
The CMS-registered and -certified individuals include, but are not 
limited to, Agents and Brokers, Navigators, non-Navigator Assistance 
personnel (also known as In-Person Assisters), and Certified 
application counselors. CMS may display the contact information of 
Agents and Brokers that register, and successfully complete the CMS 
training and are

[[Page 63215]]

certified by CMS, on the FFE and on the FF-SHOP Web sites for the 
convenience of consumers looking for an agent or broker that is 
familiar with the FFE policies, the QHPs being offered, the eligibility 
determination application process and who are active in the FFE market. 
Because CMS training is optional for Agents and Brokers offering 
assistance in the FF-SHOP, only the contact information of those Agents 
and Brokers who have successfully completed CMS developed training and 
testing, will be made available to the public (e.g. displayed on a CMS 
Web site).
    Another purpose of the system is tracking and compiling consumer 
complaints about QHPs offered through an FFE or FF-SHOP or issuers that 
offer such QHPs. This enables the program to ensure that consumers 
receive timely assistance and to build a QHP rating system based on 
complaints. An additional purpose of the system is to perform required 
legal functions related to oversight and reporting for the HIX Program 
and its components and to provide necessary analysis and reporting 
capabilities. The PII described within this SORN will be used for these 
purposes.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM
A. Entities Who May Receive Disclosures Under Routine Uses
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may 
release information from the HIX SOR without the affirmative consent of 
the individual to whom such information pertains. Each proposed 
disclosure of information under these routine uses will be evaluated to 
ensure that the disclosure is legally permissible, including but not 
limited to ensuring that the purpose of the disclosure is compatible 
with the purpose for which the information was collected. We are 
establishing the following routine use disclosures of information 
maintained in the system:
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this collection and who need to 
have access to the records in order to assist CMS.
    2. To disclose information to another Federal agency, agency of a 
State government, a non-profit entity operating an Exchange for a 
State, an agency established by State law, or its fiscal agent, or an 
Appeals Entity as defined by 45 CFR 155.500 to (A) make eligibility 
determinations for enrollment in a QHP through an Exchange, insurance 
affordability programs, certifications of exemption from the individual 
responsibility requirement, and to coordinate and resolve requests for 
appeals; (B) to carry out the HIX Program; (C) to perform functions of 
an Exchange described in 45 CFR 155.200, including notices to employers 
under section 1411(f) of the Affordable Care Act; and (D) permit the 
disclosure of Navigator, non-Navigator Assistance Personnel, Certified 
application counselor, and Agent and Broker information who have 
completed CMS training, testing and certification to provide consumer 
assistance to the appropriate state agency or agencies to assist states 
with oversight, monitoring and enforcement activities, because both CMS 
and states will be responsible for overseeing, monitoring and 
regulating these individuals.
    3. To disclose information about applicants and Relevant 
Individual(s) in order to obtain information from other Federal 
agencies and State agencies and third party data sources that provide 
information to CMS, pursuant to agreements with CMS, for purposes of 
determining the eligibility of applicants to enroll in QHPs through an 
Exchange, in insurance affordability programs, or for a certification 
of exemption from the individual responsibility requirement.
    4. To assist a CMS contractor that assists in the administration of 
a CMS administered health benefits program, or to a grantee of a CMS-
administered grant program, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud, waste or abuse in such program or to 
provide oversight of FFE operations.
    5. To assist another Federal agency or an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers, or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by CMS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs.
    6. To assist appropriate Federal agencies and CMS contractors and 
consultants that have a need to know the information for the purpose of 
assisting CMS' efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this 
system of records, provided that the information disclosed is relevant 
and necessary for that assistance.
    7. To assist the U.S. Department of Homeland Security (DHS) cyber 
security personnel, if captured in an intrusion detection system used 
by HHS and DHS pursuant to the Einstein 2 program.
    8. To provide information about applicants, enrollees, appellants, 
and Relevant Individual(s) to applicants/enrollees, application filers 
as defined by 45 CFR 155.20, individuals or their authorized 
representative applying for exemption from the individual shared 
responsibility payment; a SHOP application filer as defined by 45 CFR 
155.700; appellants, Agents Brokers, and QHP issuers who are authorized 
or certified by CMS to assist applicants/enrollees, when relevant and 
necessary to determine eligibility for enrollment in a QHP, insurance 
affordability programs, or a certification of exemption from the 
individual responsibility requirement through the FFEs.
    9. To provide applicant/enrollee and Relevant Individual 
information to QHP issuers for purposes of enrollment in a qualified 
health plan and for the administration of the advance payments of 
premium tax credit and cost-sharing reductions. To provide information 
about consumers that contact CMS to file a complaint or to seek 
resolution of a particular issue (that is, to initiate a ``case'') to 
the issuer of a QHP in an FFE or FF-SHOP, which issuer or which 
issuer's QHP is the subject of the case.
    10. To assist employers identified on applications for eligibility 
determinations submitted to an Exchange to provide (A) notification to 
the employer that an employee has been determined eligible for advanced 
payments of the premium tax credit or cost sharing reductions, (B) 
notice to the applicant indicating that the Exchange will be contacting 
any employer identified on the application for the applicant and the 
members of his or her household, as defined in 26 CFR 1.36B-1(d), to 
verify whether the applicant is enrolled in an eligible employer-
sponsored plan or is eligible for qualifying coverage in an eligible 
employer-sponsored plan for the benefit year for which coverage is 
requested, and (C) notice to the employer requesting verification of an 
employee's eligibility or enrollment in an eligible employer-sponsored 
plan for the benefit year for which coverage is requested.
    11. To permit the public disclosure of information to the 
appropriate state agency, and members of the public,

[[Page 63216]]

about Agents and Brokers that have registered with, successfully 
completed CMS training, and are certified by an FFE or FF-SHOP to 
provide outreach and education resources to consumers about obtaining 
health care coverage in their states,.
    12. To provide information regarding complaints to other Federal 
agencies and agencies of a state government for the purpose of 
resolving complaints and identifying insurer non-compliance with 
Federal, state, and other applicable law.
    13. To assist a CMS contractor that is engaged to perform a 
function or provide administrative, technical or physical support to 
the FFEs (including FF-SHOPs) or to a grantee of a CMS-administered 
grant program, when the disclosure is deemed reasonably necessary by 
CMS to prevent, deter, discover, detect, investigate, examine, 
prosecute, sue with respect to, defend against, correct, remedy, or 
otherwise combat fraud, waste or abuse in such program.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM
STORAGE:
    Electronic records will be stored on both tape cartridges (magnetic 
storage media) and in a relational database management environment 
(DASD data storage media). Any hard copies of program related records 
containing PII at CMS and contractor locations will be kept in secure 
hard-copy file folders locked in secure file cabinets during non-duty 
hours.

RETRIEVABILITY:
    The records will be retrieved electronically by a variety of 
fields, including but not limited to first name, last name, middle 
initial, date of birth, or Social Security Number (SSN).

SAFEGUARDS:
    Personnel having access to the system have been trained in the 
Privacy Act and information security requirements. Employees who 
maintain records in this system are instructed not to release data 
until the intended recipient agrees to implement appropriate 
management, operational and technical safeguards sufficient to protect 
the confidentiality, integrity and availability of the information and 
information systems and to prevent unauthorized access. Access to 
records in the HIX Program system will be limited to authorized CMS 
personnel and contractors through password security, encryption, 
firewalls, and secured operating system. Any electronic or hard copies 
of records containing PII at CMS, Exchanges and contractor locations 
will be kept in secure electronic files or in hard-copy file folders 
locked in secure file cabinets during non-duty hours.

RETENTION AND DISPOSAL:
    These records will be maintained until they become inactive, at 
which time they will be retired or destroyed in accordance with 
published records schedules of the Centers for Medicare & Medicaid 
Services as approved by the National Archives and Records 
Administration.

SYSTEM MANAGER AND ADDRESS:
    Director of Operations, Center for Consumer Information and 
Insurance Oversight, 7501 Wisconsin Avenue, Bethesda, Maryland 20814.

NOTIFICATION PROCEDURE:
    An individual record subject who wishes to know if this system 
contains records about him or her should write to the system manager 
who will require the system name, and for verification purposes, the 
subject individual's name (individual's former name(s) name, if 
applicable), and SSN (furnishing the SSN is voluntary, but it may make 
searching for a record easier and prevent delay).

RECORD ACCESS PROCEDURE:
    An individual seeking access to records about him or her in this 
system should use the same procedures outlined in Notification 
Procedures above. The requestor should also reasonably specify the 
record contents being sought. (These procedures are in accordance with 
Department regulation 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    To contest a record, the subject individual should contact the 
system manager named above, and reasonably identify the record and 
specify the information being contested. The individual should state 
the corrective action sought and the reasons for the correction with 
supporting justification. (These procedures are in accordance with 
Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    Personally identifiable information in this database is obtained 
from the application submitted by or on behalf of applicants, 
enrollees, and appellants seeking eligibility determinations, from 
qualified employers and other employers who provide employer-sponsored 
coverage, from CMS and other Federal and state agencies as part of 
verifications and information retrievals to make eligibility 
determinations, from Marketplace assisters facilitating the eligibility 
and enrollment processes, from QHPs, from State-based Exchanges that 
provide information to perform the statutory functions, from states 
participating in State Partnership Exchanges pursuant to Conditional 
Approval Decision letters, and from third party data sources to 
determine eligibility as described in this notice.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:
    None.

    Dated: October 18, 2013.
Michelle Snyder,
Chief Operating Officer, Centers for Medicare & Medicaid Services.
[FR Doc. 2013-24861 Filed 10-22-13; 8:45 am]
BILLING CODE 4120-03-P