COVID-19 might have brought in-person interaction to a screeching halt in 2020, but it had the opposite effect on another area of global development: the digitization of healthcare and health insurance. As the pandemic made it difficult for people to retain steady health insurance coverage, they increasingly turned to public online health insurance marketplaces, where one can compare health plans and pricing and, in some cases, enroll directly. These state-sponsored marketplaces are commonly known as State Health Benefit Exchanges, or SBEs.
It’s widely assumed that SBEs are HIPAA-covered entities. While they do collect a great deal of HIPAA-protected data, SBEs themselves may not be covered by HIPAA at the entity level, or may otherwise fall outside HIPAA’s scope, depending on the status of the agency collecting that data. It’s therefore important to establish a supplemental set of standards to ensure appropriate safeguards are in place to manage the use, collection, transfer, and disposal of this data.
As more and more information is loaded into and transferred across these SBEs every day, the need for a standardized framework, or set of frameworks, for health insurance privacy and related PII becomes paramount. However, because this need is so recent, there hasn’t been adequate time to develop solid policies for protecting sensitive health and personal information. Some SBEs have taken matters into their own hands by developing robust crosswalked frameworks and internal privacy practices for their respective exchanges. Although this is a great start, unfortunately it isn’t enough. SBEs operate in 21 states, and the PII and other information they collect varies in detail from state to state. At minimum, an SBE will ask for a user’s name, SSN and/or driver’s license number, birthdate, address, and contact information. While these categories of information may be protected by HIPAA, it is uncertain whether the collecting agency, as an entity, is covered by the law. Moreover, each SBE must comply with any applicable state privacy laws and regulations, which vary greatly from state to state.
In this vast and multifaceted landscape, we at Kuma have had the privilege of learning from three prominent SBEs from around the country about their privacy and security best practices. Organizations designing their own privacy programs can look to the following SBE privacy models for guidance and inspiration:
SBE Privacy Model #1 (PM1): East Coast
PM1 uses the MARS-E and NIST 800-53 privacy frameworks as general guidance for establishing privacy practices at its SBE. A Chief Privacy Officer (CPO) oversees one Privacy Manager, who is responsible for tracking privacy incidents, supporting the creation of data use agreements, and coordinating the annual PIA and MARS-E privacy assessments. The CPO notes that specific best practices for privacy in an SBE environment include requiring vendors with access to internal systems to undergo annual SOC 2 Type 2 assessments; performing annual MARS-E privacy assessments and one-third of the MARS-E IT security assessments each year, with an independent third-party vendor performing the assessment every three years; and maintaining and updating certifications for cloud-based ecosystems. For internal privacy program and policy review, the CPO says that on an annual basis she reviews privacy practices to ensure alignment with the MARS-E privacy section and performs the annual Privacy Impact Assessment required by CCIIO.
SBE Privacy Model #2 (PM2): the Rockies
PM2 complies with the NIST privacy framework but generally focuses on the Minimum Acceptable Risk Standards for Exchanges (MARS-E) as the primary framework, since it comes from the regulators at the Centers for Medicare and Medicaid Services (CMS). MARS-E incorporates the latest version of NIST 800-53. The privacy program at PM2 is structured around a main Privacy and Security Officer, with other teams incorporating privacy and security principles into their respective functions. PM2 conducts an annual review of the privacy and security program and submits annual reports on it to regulators, primarily CMS.
SBE Privacy Model #3 (PM3): West Coast
PM3 also follows MARS-E standards for assessing the privacy controls within its program. Overall, PM3 must comply with NIST 800-53 (including Appendix J), state privacy laws, and the ACA regulations at 45 CFR sec. 155.260. In total, PM3 has identified 431 individual privacy and security requirements for compliance. The privacy team within PM3 consists of a Privacy Officer and Privacy Managers, with the Privacy Managers handling the various offshoot functions of the privacy program. PM3 has identified all 36 privacy controls within the MARS-E framework as best privacy practices for SBEs. Among them is maintaining a strong system security plan (SSP) as a living document; consistent review and updating of SSP control implementations is a core part of PM3’s privacy program. Another control is maintaining strict compliance with the ISA, a contract that each SBE must enter into with CMS as part of developing a state health benefits marketplace. PM3’s PIA obligations include an annual assessment as well as ad-hoc PIAs whenever core changes occur to the main data processing ecosystem.
Overall, we recommend that SBEs work toward adopting many of the best practices outlined above, drawn from exemplary organizations that are spearheading the effort to develop robust SBE privacy practices. Looking ahead to organizational growth, SBEs might benefit from adopting standardized assessments of third parties and vendors to strengthen their contractors’ privacy control implementations. SBEs might also consider focusing their privacy program on compliance with their ISA and with CMS requirements.
Are you ready to mature your privacy practices, but not sure how to get started?