Code of Federal Regulations (Last Updated: October 10, 2024) |
Title 45 - Public Welfare |
Subtitle A - Department of Health and Human Services |
SubChapter B - Requirements Relating to Health Care Access |
Part 155 - Exchange Establishment Standards and Other Related Standards Under the Affordable Care Act |
Subpart C - General Functions of an Exchange |
§ 155.221 - Standards for direct enrollment entities and for third-parties to perform audits of direct enrollment entities.
§ 155.221 Standards for direct enrollment entities and for third-parties to perform audits of direct enrollment entities.
(a) Direct enrollment entities. All Exchanges may permit the following entities to assist consumers with direct enrollment in QHPs offered through the Exchange in a manner that is considered to be through the Exchange, to the extent permitted by applicable State law:
(1) QHP issuers that meet the applicable requirements in this section and § 156.1230 of this subchapter; and
(i) For purposes of applying the requirements of § 156.1230(b) of this subchapter to State Exchanges, all references to “Federally-facilitated Exchange” and “HHS”, and “HealthCare.gov” will be understood to mean “the applicable State Exchange”, “the applicable State Exchange”, and “the applicable State Exchange website”, respectively.
(ii) [Reserved]
(2) Web-brokers that meet the applicable requirements in this section and § 155.220.
(b) Direct enrollment entity requirements. For the Federally-facilitated Exchanges, a direct enrollment entity must:
(1) Display and market QHPs offered through the Exchange, individual health insurance coverage as defined in § 144.103 of this subchapter offered outside the Exchange (including QHPs and non-QHPs other than excepted benefits), and any other products, such as excepted benefits, on at least three separate website pages on its non-Exchange website, except as permitted under paragraph (c) of this section;
(2) Prominently display a standardized disclaimer in the form and manner provided by HHS;
(3) Limit marketing of non-QHPs during the Exchange eligibility application and QHP selection process in a manner that minimizes the likelihood that consumers will be confused as to which products and plans are available through the Exchange and which products and plans are not, except as permitted under paragraph (c)(1) of this section;
(4) Demonstrate operational readiness and compliance with applicable requirements prior to the direct enrollment entity's internet website being used to complete an Exchange eligibility application or a QHP selection, which may include submission or completion, in the form and manner specified by HHS, of the following:
(i) Business audit documentation including:
(A) Notices of intent to participate including auditor information;
(B) Documentation packages including privacy questionnaires, privacy policy statements, and terms of service; and
(C) Business audit reports including testing results.
(ii) Security and privacy audit documentation including:
(A) Interconnection security agreements;
(B) Security and privacy controls assessment test plans;
(C) Security and privacy assessment reports;
(D) Plans of action and milestones;
(E) Privacy impact assessments;
(F) System security and privacy plans;
(G) Incident response plans; and
(H) Vulnerability scan results.
(iii) Eligibility application audits performed by HHS;
(iv) Online training modules offered by HHS; and
(v) Agreements between the direct enrollment entity and HHS.
(5) Comply with applicable Federal and State requirements.
(6) Implement and prominently display website changes in a manner that is consistent with display changes made to the Federally-facilitated Exchange website by meeting standards communicated and defined by HHS within a time period set by HHS, unless HHS approves a deviation from those standards. Direct enrollment entities may request a deviation by submitting a proposed alternative display and accompanying rationale to HHS for review.
(c) Exceptions to direct enrollment entity display and marketing requirement. For the Federally-facilitated Exchanges, a direct enrollment entity may:
(1) Display and market QHPs offered through the Exchange and individual health insurance coverage as defined in § 144.103 of this subchapter offered outside the Exchange (including QHPs and non-QHPs other than excepted benefits) on the same website pages when assisting individuals who have communicated receipt of an offer of an individual coverage health reimbursement arrangement as described in § 146.123(c) of this subchapter, as a standalone benefit, or in addition to an offer of an arrangement under which the individual may pay the portion of the premium for individual health insurance coverage that is not covered by an individual coverage health reimbursement arrangement using a salary reduction arrangement pursuant to a cafeteria plan under section 125 of the Internal Revenue Code, but must clearly distinguish between the QHPs offered through the Exchange and individual health insurance coverage offered outside the Exchange (including QHPs and non-QHPs other than excepted benefits), and prominently communicate that advance payments of the premium tax credit and cost-sharing reductions are available only for QHPs purchased through the Exchange, that advance payments of the premium tax credit are not available to individuals who accept an offer of an individual coverage health reimbursement arrangement or who opt out of an individual coverage health reimbursement arrangement that is considered affordable, and that a salary reduction arrangement under a cafeteria plan may only be used toward the cost of premiums for plans purchased outside the Exchange; and
(2) Display and market Exchange-certified stand-alone dental plans offered outside the Exchange and non-certified stand-alone dental plans on the same website pages.
(d) Direct enrollment entity application assister requirements. For the Federally-facilitated Exchanges, to the extent permitted under state law, a direct enrollment entity may permit its direct enrollment entity application assisters, as defined at § 155.20, to assist individuals in the individual market with applying for a determination or redetermination of eligibility for coverage through the Exchange and for insurance affordability programs, provided that such direct enrollment entity ensures that each of its direct enrollment entity application assisters meets the requirements in § 155.415(b).
(e) Federally-facilitated Exchange direct enrollment entity suspension. HHS may immediately suspend the direct enrollment entity's ability to transact information with the Exchange if HHS discovers circumstances that pose unacceptable risk to the accuracy of the Exchange's eligibility determinations, Exchange operations, or Exchange information technology systems until the incident or breach is remedied or sufficiently mitigated to HHS' satisfaction.
(f) Third parties to perform audits of direct enrollment entities. A direct enrollment entity must engage an independent, third-party entity to conduct an initial and annual review to demonstrate the direct enrollment entity's operational readiness and compliance with applicable direct enrollment entity requirements in accordance with paragraph (b)(4) of this section prior to the direct enrollment entity's internet website being used to complete an Exchange eligibility application or a QHP selection. The third-party entity will be a downstream or delegated entity of the direct enrollment entity that participates or wishes to participate in direct enrollment.
(g) Third-party auditor standards. A direct enrollment entity must satisfy the requirement to demonstrate operational readiness under paragraph (f) of this section by engaging a third-party entity that executes a written agreement with the direct enrollment entity under which the third-party entity agrees to comply with each of the following standards:
(1) Has experience conducting audits or similar services, including experience with relevant privacy and security standards;
(2) Adheres to HHS specifications for content, format, privacy, and security in the conduct of an operational readiness review, which includes ensuring that direct enrollment entities are in compliance with the applicable privacy and security standards and other applicable requirements;
(3) Collects, stores, and shares with HHS all data related to the third-party entity's audit of direct enrollment entities in a manner, format, and frequency specified by HHS until 10 years from the date of creation, and complies with the privacy and security standards HHS adopts for direct enrollment entities as required in accordance with § 155.260;
(4) Discloses to HHS any financial relationships between the entity and individuals who own or are employed by a direct enrollment entity for which it is conducting an operational readiness review;
(5) Complies with all applicable Federal and State requirements;
(6) Ensures, on an annual basis, that appropriate staff successfully complete operational readiness review training as established by HHS prior to conducting audits under paragraph (f) of this section;
(7) Permits access by the Secretary and the Office of the Inspector General or their designees in connection with their right to evaluate through audit, inspection, or other means, to the third-party entity's books, contracts, computers, or other electronic systems, relating to the third-party entity's audits of a direct enrollment entity's obligations in accordance with standards under paragraph (f) of this section until 10 years from the date of creation of a specific audit; and
(8) Complies with other minimum business criteria as specified in guidance by HHS.
(h) Multiple auditors. A direct enrollment entity may engage multiple third-party entities to conduct the audit under paragraph (f) of this section.
(i) Application to State Exchanges using a Federal platform. A direct enrollment entity that enrolls qualified individuals in coverage in a manner that constitutes enrollment through a State Exchange using the Federal platform, or assists individual market consumers with submission of applications for advance payments of the premium tax credit and cost-sharing reductions through a State Exchange using a Federal platform must comply with all applicable Federally-facilitated Exchange standards in this section.
(j) Application to State Exchanges that do not use the Federal platform. A direct enrollment entity that enrolls qualified individuals, qualified employers, or qualified employees in coverage in a manner that constitutes enrollment through the State Exchange, or assists consumers with submission of applications for advance payments of the premium tax credit and cost-sharing reductions through the State Exchange, must comply with the Federally-facilitated Exchange standards in paragraphs (b)(1) through (3) and (d) of this section, including the exceptions in paragraph (c) of this section, where applicable; any additional State-specific standards under paragraph (j)(1) of this section; the State Exchange's operational readiness standards under paragraph (j)(2) of this section; and the State Exchange's website display change standards under paragraph (j)(3) of this section. References to §§ 155.415(b), and 155.415(b)(1) in paragraph (d) of this section will be understood to also apply to State Exchanges.
(1) State Exchanges may add State-specific information to the standardized disclaimer under paragraph (b)(2) of this section that does not conflict with the HHS-provided language.
(2) State Exchanges must establish the form and manner for their direct enrollment entities to demonstrate operational readiness and compliance with applicable requirements in order for the direct enrollment entity's internet website being used to complete an Exchange eligibility application or a QHP selection, which may include submission or completion of the following documentation to the State Exchange, in the form and manner specified by the Exchange:
(i) Business audit documentation including:
(A) Notices of intent to participate including auditor information;
(B) Documentation packages including privacy questionnaires, privacy policy statements, and terms of service; and
(C) Business audit reports including testing results.
(ii) Security and privacy audit documentation including:
(A) Interconnection security agreements;
(B) Security and privacy controls assessment test plans;
(C) Security and privacy assessment reports;
(D) Plans of action and milestones;
(E) Privacy impact assessments;
(F) System security and privacy plans;
(G) Incident response plans; and
(H) Vulnerability scan results.
(3) State Exchanges must require their direct enrollment entities to implement and prominently display website changes in a manner that is consistent with the display changes made by State Exchanges to the State Exchanges' websites, consistent with the process of defining and communicating standards and setting advance notice periods in paragraph (b)(6) of this section, except that all references in paragraph (b)(6) of this section to “Federally-Facilitated Exchange website” would be understood to mean “State Exchange website,” references to “HHS” would be understood to mean “State Exchange,” and the reference to “unless HHS approves a deviation from those standards” would be understood to mean “unless the State Exchange approves a deviation from those standards under the deviation request process it is required to establish should the State Exchange elect to permit deviation requests.”
[83 FR 17061, Apr. 17, 2018, as amended at 84 FR 17566, Apr. 25, 2019; 86 FR 6176, Jan. 19, 2021; 86 FR 24289, May 5, 2021; 86 FR 53503, Sept. 27, 2021; 89 FR 26420, Apr. 15, 2024]