Last revised: November 1, 2013
Privacy & Security Policies for Exchange Operations
At the DC Health Benefit Exchange Authority ("Authority"), consumer privacy is important to us. We respect your right to privacy and will protect the information we maintain about you in the ongoing operation of the health benefit exchange ("Exchange") in accordance with applicable laws, regulations and standards for security and privacy.
As a reflection of our commitment to protecting your information, the Authority has adopted these privacy and security policies, which govern our creation, collection, use, disclosure and maintenance of personally identifiable information ("Personally Identifiable Information" or "PII") in connection with Exchange operations (the "Privacy and Security Policies for Exchange Operations"). The Authority expects all individuals and entities that have access to PII through or in connection with Authority services to abide by these Privacy and Security Policies for Exchange Operations, including Authority employees, business partners, grantees, contractors and designees, as well as insurance companies and governmental agencies. These Privacy and Security Policies for Exchange Operations are designed to complement (and not override) any applicable state or federal laws or regulations, which continue to apply to any activities subject to these Policies. The Authority may amend these Privacy and Security Policies for Exchange Operations from time to time.
- What These Policies Cover
- A Privacy and Security Partnership & Individual Choice
- Information Voluntarily Provided by You
- Protection of Your Personally Identifiable Information
- Your Access and Opportunity to Correct
- Personally Identifiable Information Safeguards
- Data Retention and Destruction
- Accountability: Breach Notification
- Contact Information
What These Policies Cover
These Policies cover how the Authority treats Personally Identifiable Information that it collects and receives from various sources, including from individuals, from parents and guardians concerning their children, from employers, from employees, and from governmental sources. We use the term “personally identifiable information,” or “PII,” to mean any information that could reasonably be used to identify you, including your name, address, telephone number, Social Security number, birth date, bank account information, credit card information, or any combination of information that could be used to identify you.
A Privacy and Security Partnership & Individual Choice
Your privacy is best protected by a partnership between the Authority and you, the consumer. We take steps to protect your privacy in accordance with the privacy and security standards for the protection of PII established under the Patient Protection and Affordable Care Act set forth in federal regulation (45 C.F.R. § 155.260). The information in these Privacy and Security Policies for Exchange Operations will allow you to make informed decisions about your interactions with the Authority, such as decisions about whether to share Personally Identifiable Information with us. You can also help to keep your Personally Identifiable Information safe by not sharing your password for the DC Health Link website and by being mindful of potential fraud when asked to provide such personal information. For fraud prevention tips, see DC's fraud prevention initiative.
Information Voluntarily Provided by You
The Authority collects information from you that you provide voluntarily through several mechanisms, including through surveys, through any e-mail messages you choose to send to the Authority, through the application process in connection with DC Health Link, and through verbal interactions with our employees and designees. Surveys, for instance, may collect Personally Identifiable Information you voluntarily submit, such as name, e-mail address or phone number, and we may collect information through other means so that we may contact you for follow up to your questions, concerns or recommendations. E-mail messages sent by you may contain Personally Identifiable Information, such as your e-mail address and any other information you choose to give us to help us answer your inquiry. Applications also will include specific Personally Identifiable Information, such as social security numbers and, in some instances, tax and income information.
Protection of Your Personally Identifiable Information
It is the Authority's policy that it will create, collect, use and/or disclose and maintain Personally Identifiable Information only to the extent necessary to accomplish a specified purpose consistent with its Exchange functions and never to discriminate inappropriately.
Your PII collected via the Authority and/or DC Health Link websites will not be shared, sold, or transferred to any third party for the third party's direct marketing purposes without your prior consent, unless it is required by law. The Authority may use your PII, however, as required or permitted by law (e.g., as necessary for us to carry out authorized functions of the Authority). Once you voluntarily submit Personally Identifiable Information to us, its dissemination will be governed by 45 C.F.R. 155.260 and other applicable laws and regulations, including the District of Columbia “Freedom of Information Act,” also known as “FOIA” (found at DC Code §§ 2-531 through539), as well as these Exchange Operation Privacy and Security Policies. The information collected via the Authority and DC Health Link websites is also governed by the Authority's website privacy and security policy.
The information that you voluntarily submit to the Authority may, for example, be used for purposes such as: determining eligibility for enrollment in qualified health plans; assessing eligibility for Medicaid and other insurance affordability programs; determining eligibility for premium support; answering your questions; responding to requests for assistance; generating summary statistics about usage; auditing applications and detecting fraud; aiding in the planning, design, and development of Authority operations and the DC Health Link website; and fulfilling our legal obligations, including as necessary or advisable to protect the Authority's rights, safety or property or the rights, safety or property of others; enforce these Exchange Operation Privacy and Security Policies; comply with legal process or cooperate with law enforcement or governmental requests.
The PII you provide us will be disclosed by us only to Authority employees; business partners; grantees; contractors; designees; governmental agencies, insurance companies (and, where necessary, to law enforcement officials), with a “need to know” in order to fulfill their job responsibilities or duties in connection with Authority operations, such as maintaining the DC Health Link and hbx.dc.gov websites, improving the consumer experience and assisting with processing of your application.
Where appropriate, we may provide the information submitted by you to the person or company that is the subject of your inquiry, or to a government agency responsible for the matters referred to in your communication. The Authority reserves the right to transfer any and all information, including Personally Identifiable Information, collected from you to an affiliate or third party in the event of any reorganization, assignment, transfer or disposition of all or any portion of our business or operations of the Authority.
We will collect and aggregate the information you provide through surveys and other means for purposes of market research to make the Authority more responsive to customer needs. From time-to-time, the Authority may combine personal information we collect from you with information available from other sources (e.g., Medicaid eligibility information from the District of Columbia Department of Health Care Finance). We will treat the combined information as PII.
The Authority may, as permitted by law, use and share aggregate data or information that does not identify you (sometimes referred to as "de-identified" data). Such activities are not subject to restrictions under these Exchange Operation Privacy and Security Policies. We will not re-identify such data and will require our contracting parties to agree to keep the data in de-identified form.
Any person who knowingly and willfully uses or discloses information in violation of the Patient Protection and Affordable Care Act may be subject to civil penalties, in addition to other penalties that may be prescribed by law or contract.
Your Access and Opportunity to Correct
The DC “Freedom of Information Act” and 45 C.F.R. § 155.260 provide you with certain rights to get information about you that is in our records. To learn more about the means through which you can get this information, please contact the Authority at [email protected].
The Authority is committed to maintaining information that is complete, accurate and up-to-date. In keeping with this policy, you may dispute the accuracy or integrity of your Personally Identifiable Information, and request to have erroneous information corrected (or to have your dispute concerning such information documented, if your request for correction is denied). To do so, you may contact the Authority at [email protected].
Personally Identifiable Information Safeguards
The Authority has taken several steps intended to safeguard the integrity of Personally Identifiable Information. Security measures have been integrated into the design, implementation and day-to-day practices of the entire Exchange operating environment as part of its continuing commitment to risk management. Personally Identifiable Information is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. The Authority utilizes industry standard methods and mechanisms for data protection, such as firewalls, intrusion monitoring, and passwords to protect electronic information. Multiple physical security methods, such as locking devices and premises monitoring, are also employed to protect information contained in documents. The Authority website is equipped with security measures intended to protect the information you provide us. We encrypt credit card numbers and other data that must remain secure to meet legal requirements.
Data Retention and Destruction
The Authority will keep datacollected long enough to achieve the specified objective for which such data was collected. Data is destroyed when its purpose has been fulfilled unless maintenance of such data is required by law or for purposes of Exchange operations. .Documents containing Personally Identifiable Information are destroyed or disposed of in an appropriate and reasonable manner consistent with applicable legal requirements and federal agency guidance, and in accordance with applicable retention schedules.
Accountability: Breach Notification
In the event that security, confidentiality, or integrity of personal information is compromised, the District of Columbia’s “Consumer Personal Information Security Breach Notification Act,” DC Code § 28-3851 through § 28-3853, requires that prompt notification be given to any District of Columbia resident whose personal information was included in the breach. The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
For questions about the privacy of your PII under this Privacy and Security Exchange Operations Policy, please contact the Authority at [email protected].
How does the Authority use my information?
As an independent authority of the District of Columbia government operating DC Health Link, DC's new health insurance marketplace, and performing functions associated with operation of the DC health benefit exchange ("Exchange") under the Affordable Care Act, the DC Health Benefit Exchange Authority ("Authority") is required to protect the personally identifiable information ("Personally Identifiable Information" or "PII") it collects and maintains. The Authority respects your right to privacy and will protect the information it maintains about you in the ongoing operation of the Exchange in accordance with applicable laws, regulations and standards. “You” or "your" refers to any person whose information is entered on your application, or those acting on such a person’s behalf.
The Authority needs your information to determine eligibility for:
- Enrollment in an Exchange plan, also known as a "Qualified Health Plan;"
- Insurance affordability programs; and
- Certifications of exemption from the individual responsibility requirement.
When you apply for health coverage or an exemption, your information may be used for a variety of purposes, such as to:
- Help you with the application process;
- Verify information, like your identity and any income history you provide;
- Give you information about different cost-saving programs;
- Help you resolve questions about the results of your application, including an appeal, if you decide to file one; and
- Communicate with you during the eligibility process.
When you enroll in health coverage, your information may be used for a variety of purposes, such as to:
- Help you enroll;
- Report and manage the advance payments of premium tax credit and cost-sharing reductions to the issuer of your Exchange plan, if you’re eligible; and
- Communicate with you throughout the enrollment process.
After you enroll in health coverage, your information may be used for a variety of purposes such as to:
- Continue communications with you;
- Help you keep your coverage up-to-date;
- Verify your continued eligibility;
- Perform ongoing execution of the functions of the Exchange, such as operation of insurance affordability programs for those who are enrolled, and oversight of issuers of Exchange Qualified Health Plans;
- Respond to any consumer feedback or complaints you file;
- Combat fraud and abuse in the federal health care system; and
- Respond to suspected or confirmed breaches of Exchange security or confidentiality of information.
Also, federal and state law (like the Social Security Act, the DC Freedom of Information Act and the DC Exchange Act, § 31–3171.01 through § 31–3171.18) may require or permit the Authority to share information we collect or maintain about you for other purposes.
Who can my DC Health Link application information be shared with and why?
The DC Health Benefit Exchange Authority ("Authority") will only share your information as permitted or required by law. Examples of when the Authority may disclose your information to agencies or people who need the information for specific reasons are provided below.
- When you apply, the Authority verifies the information you provide with these organizations and agencies to determine your eligibility to purchase a qualified health plan ("Qualified Health Plans") through the DC health benefit exchange ("Exchange") and, if you choose, for help paying for health coverage:
- Social Security may verify your Social Security numbers ("SSNs") and citizenship status;
- The U.S. Department of Homeland Security may verify your immigration status and/or naturalized citizenship status;
- The Internal Revenue Service ("IRS") may verify your household income and family size; the income of household members may also be verified with the Social Security Administration and with a consumer credit reporting agency;
- A consumer credit reporting agency may verify your employment information;
- The employers listed on your application may verify your eligibility for employer-sponsored health plans; and
- The District of Columbia Department of Health Care Finance ("Medicaid") office, the Children’s Health Insurance Program ("CHIP"), the U.S. Department of Veterans Affairs, Medicare, Peace Corps, U.S. Department of Defense (for TRICARE), U.S. Department of Health and Human Services, the Office of Personnel Management ("OPM"), and the Small Business Health Option Programs ("SHOP") that operate in DC may verify your eligibility for and/or enrollment in health coverage programs.
Not all applicants will need to provide all of this information. For example, you will be asked about your employment, income, and enrollment in health coverage only if you want help paying for health coverage.
- You may decide to give permission to organizations or people who can communicate with the Exchange about your application for such needs as resolving inconsistencies, or ensuring complete and accurate applications. Depending on your permission, they may include:
- Your authorized representatives;
- Your certified assisters, agents, brokers; or
- The insurance company that issues your Exchange health plan.
Each application filer confirms that he or she is authorized to share information for everyone on the application. That way, the Exchange has permission to share your information with your application filer.
- Once you select coverage, the Authority will use your information for purposes such as:
- Notifying employers on your application if you’re eligible for certain insurance affordability programs (advanced payment of the premium tax credit or cost-sharing reductions);
- Transferring your enrollment information to the appropriate organization or agency. This might, for instance, be the issuer of the Exchange plan that you selected, or a Medicaid or CHIP agency;
- Making reports to the IRS about your enrollment in a Qualified Health Plan through the Exchange and about your eligibility for advanced payment of the premium tax credit, cost-sharing reductions, and/or a certification of exemption from the individual responsibility requirement(s); and/or
- If you choose to submit an appeal, the information from your application and your appeal may be shared with federal and state agencies in order to process your appeal.
- To maintain Exchange operations, the Authority works with the following groups and may, therefore, share your information with:
- Contractors that perform functions for the Exchange to accomplish the specific functions they’re engaged to perform;
- Other federal, state, or local government agencies to combat fraud, waste, and abuse and to respond to concerns about the security or confidentiality of information;
- Insurance companies that issue Exchange plans and also the IRS, for the ongoing administration of advanced payment of premium tax credits and cost-sharing reductions, if applicable to you; and
- Issuers of Qualified Health Plans, if you complain to us about a Qualified Health Plan or an issuer, to notify the issuers about the complaints.
Do I have to answer the questions on my DC Health Link application?
You don’t have to give personally identifiable information ("PII"), such as Social Security Numbers ("SSNs"). However, if you do not give this information, it may delay or prevent DC Health Link from performing all functions, like telling you about getting help paying for coverage, or determining your eligibility for benefits, programs or exemptions.
If you are not exempt from the shared responsibility payment and do not maintain qualifying health coverage for three months or longer during the year, you may be subject to a penalty.
Be sure to provide correct information. Anyone who fails to provide correct information or who knowingly and willfully provides false or untrue information to the Authority may be subject to a penalty and other law enforcement action.
Do I have to provide Social Security numbers for people listed on my application?
People who apply for health coverage need to provide a social security number ("SSN"), if they have one. An application filer must also provide the SSN of any tax filer who is not applying for health coverage if the tax filer’s tax information will be used to verify the household’s eligibility for help with paying for health coverage. Other people not applying for health coverage are encouraged to provide their SSNs to speed up the application process, but aren’t required to provide one. We use SSNs to check income and other information to see who is eligible for help with health coverage costs. If someone wants help getting an SSN, they can visit socialsecurity.gov, or call 1-800-772-1213. TTY users should call 1-800-325-0778.
What are my rights regarding my information in the Exchange?
You have certain rights with regard to the information the DC Health Benefit Exchange Authority ("Authority") maintains about you in its Exchange operations. Specifically:
- You, and the people you give permission to, may see and request a copy of the personally identifiable information ("Personally Identifiable Information" or "PII") the Authority collects and maintains about you;
- You may question if the information the Authority has about you is correct;
- If you do not understand the information in the Exchange Operation Privacy and Security Policies, you may contact the Authority for an explanation, and you can ask the Authority for a copy of these Exchange Operation Privacy and Security Policies.