The Centers for Medicare & Medicaid Services (CMS) will have to create a big new system of records to support the new health insurance exchanges (HIX).
CMS is giving a little bit of information about how the new record system -- the HIX program -- will work in a notice to be published Wednesday in the Federal Register.
The federal Privacy Act of 1974 requires CMS to publish a privacy notice when it sets up new record systems.
The PPACA HIX program
The Patient Protection and Affordable Care Act of 2010 (PPACA) requires the U.S. Department of Health and Human Services (HHS) -- the parent of CMS -- to work with state agencies to set up a system of individual and small group exchanges, or health insurance supermarkets, by Oct. 1.
The exchanges are supposed to use one application process to help consumers find out whether they are eligible for health coverage subsidies or for exemptions from the PPACA "shared responsibility" health insurance ownership mandate.
An exchange program "Data Services Hub" will help exchanges get eligibility information and check applications by pulling data from the Internal Revenue Service, the Social Security Administration, the U.S. Department of Homeland Security, the U.S. Department of Veterans Affairs, the U.S. Department of Defense, the Peace Corps and the federal Office of Personnel Management.
The exchanges also will share "personally identifiable information" (PII) with the health insurers that sell coverage through the exchanges; "Navigators," or official PPACA exchange ombudsmen; "marketplace assisters," or exchange employees who help consumers use the exchange; and insurance agents and brokers.
States with their own exchanges will be responsible for handling some types of exchange data, and the CMS-run "federal facilitated exchanges" will handle other types of data, officials said.
For all exchanges, CMS will administer the new PPACA health insurance purchase tax credit program and the new "cost-sharing reduction" program, officials said.
The HIX record system
The Privacy Act requires officials to describe the purpose of any record system that will use PII; when and how the agency that runs the system will share the information; and how individuals can check and correct any information about them that the system contains.
The PII in the HIX program record system will have the security classification of "unclassified," officials said.
The system will be located at a CMS data center in Baltimore, a variety of HIX Program locations, and contractor sites.
In addition to PII about HIX program applicants, the system will include PII about navigators, agents and brokers; exchange employees and contractors; CMS employees and contractors; insurers that sell coverage through the exchanges; and employers that have workers sign up for health coverage through the new Small Business Health Options Program (SHOP) exchanges.
In addition to names, contact information and health coverage information, the types of data that could be stored in the record system could include information about whether an individual is incarcerated, the individual's religion, the individual's household income, and information about whether an individual is pregnant.
The HIX program will keep electronic records on both tape cartridges and in a relational database management system. Any hard copies of records containing PII "will be kept in secure hard-copy file folders locked in secure file cabinets during non-duty hours," officials said.
"Access to records in the HIX database system will be limited to authorized CMS personnel and contractors through password security, encryption, firewalls, and secured operating system," officials said.
The system managers will retain the records with identifiers for 10 years.
Individuals who want to know about the information about them that's in the database, or to correct the database records, can write to the system manager.