Terms and Conditions

HEALTHSHERPA PRODUCTS AND SERVICES SCOPE OF USE

Subject to the terms and conditions of this Agreement, including, without limitation, Customer’s payment of all amounts payable hereunder, HealthSherpa hereby grants to Customer a limited, non-exclusive, non-assignable, non-transferable license, solely during the term of this Agreement, to access and use HealthSherpa Products and Services specified on the Service Contract submitted by you to HealthSherpa and accepted by HealthSherpa.

Any other commercial use or exploitation of HealthSherpa Products and Services or any content, code, information, data or other materials on or through HealthSherpa Products and Services is strictly prohibited. In no event shall Customer use any trademark, trade name, service mark, icon, logo or other indicator of HealthSherpa without HealthSherpa’s advance, express, written permission in each instance. The license granted herein is granted solely to Customer, and not, by implication or otherwise, to any parent, subsidiary or affiliate of Customer. All rights not expressly granted hereunder are reserved to HealthSherpa.

Customer shall be responsible for any access to or use of HealthSherpa Products and Services by Customer or any person or entity using a password provided by HealthSherpa to Customer, whether or not such access or use has been authorized by or on behalf of Customer, and whether or not such person or entity is an employee or broker of Customer. Customer represents, warrants and covenants that it shall use HealthSherpa Products and Services only for lawful purposes and in conformance with these Terms and Conditions, and that all information provided by Customer to HealthSherpa relating to this Agreement, whether via online forms or otherwise, is accurate and complete. HealthSherpa shall have the right, in its sole discretion, to deactivate, change and/or delete Customer’s password(s) (if applicable). HealthSherpa may upgrade, modify, change or enhance HealthSherpa Products and Services and convert Customer to a new version thereof at any time in its sole discretion.

USAGE MONITORING AND AUDITING

So that HealthSherpa and HealthCare.gov remain accurate and available to you and all other visitors, we monitor network traffic to identify unauthorized attempts to upload or change information or otherwise cause damage to this web service. Use of HealthCare.gov constitutes consent to such monitoring and auditing. Unauthorized attempts to upload information and/or change information on this website are strictly prohibited and are subject to prosecution under the Computer Fraud and Abuse Act of 1986 and Title 18 U.S.C. Sec. 1001 and 1030.

FEES, PAYMENT AND TERM OF SERVICE

1. DEFINITIONS

A "Service" is a HealthSherpa Service ordered by a Customer on a Service Contract.

a. Unless otherwise specified in the Service Contract, the Term of the License granted above and during which the Services are rendered under this Agreement will be until HealthSherpa or Customer terminates the agreement.

b. Customer will pay for the Service on a per application submission basis, at time of submission. Payment for the Products and Services subject to this Agreement shall be made by valid credit/debit card or ACH bank draft acceptable to HealthSherpa, provided by you at the time of your submission of the Service Contract. Fees for successfully submitted applications are non-refundable.

c. HealthSherpa may terminate or suspend the License herein granted and the services it performs under this Agreement for the reason of nonpayment by you. HealthSherpa may, at its sole election, reactivate the License and such services upon your payment of any outstanding charges, plus applicable re-activation fees.

2. ACCURATE INFORMATION

You agree to: (1) provide certain true, current, complete and accurate information (the "Registration Data") about you as required by the application process; and (2) maintain and update according to our modification procedures the Registration Data you provided to us when purchasing our services as needed to keep it current, complete and accurate. In any event, you are solely responsible for the credit card or bank account information you provide to HealthSherpa and must promptly inform HealthSherpa of any changes thereto (e.g., change of expiration date or account number). We are neither responsible for any consequences resulting from your failure to provide notice nor for your providing outdated, incomplete or inaccurate information.

3. PRIVACY

In cases where you choose to receive services from third parties associated with HealthSherpa, you grant HealthSherpa the right to disclose your individual Registration Data to those third parties in order to fulfill service offers. You also understand that third party services have individual policies towards the privacy of customer information, which may differ from those stated herein.

HealthSherpa considers the consumer data collected from the quoting and enrollment product to be private. Except as provided in Sections 2 and 3 above, HealthSherpa will not intentionally disclose any data entered or Customer Data unless required by law. HealthSherpa will also not share Customer’s client data with any other Customers.

4. ACCOUNT ACCESS

To access or use the HealthSherpa services or to modify your account, you may be required to establish an account and obtain a login name and password. You authorize us to process any and all account transactions initiated through the use of your login. You are solely responsible for maintaining the confidentiality of your login. You must immediately notify us of any unauthorized use of your login, and you are responsible for any unauthorized activities, charges and/or liabilities made through your account. In no event will we be liable for the unauthorized use or misuse of your login name, account number or password.

5. AGENTS

You agree that, if your agent (e.g., your Primary Contact or Account Administrative Contact, Internet Service Provider, employee) purchased our service(s) on your behalf, you are nonetheless bound as a principal by all terms and conditions herein. Your continued use of our services ratifies any unauthorized actions of your agent. By using your login name, account number or password, or otherwise purporting to act on your behalf, your agent certifies that he or she is authorized to apply for our services on your behalf, that he or she is authorized to bind you to the terms and conditions of this Agreement, that he or she has apprised you of the terms and conditions of this Agreement, and that he or she is otherwise authorized to act on your behalf. In addition, you are responsible for any errors made by your agent.

6. ACCEPTABLE USE

You agree to be bound by the applicable provisions of the HealthSherpa Acceptable Use Policy, found at: https://www.healthsherpa.com/acceptable_use, incorporated herein and made part of this Agreement by reference.

7. ACCURACY

HealthSherpa's quotes are verified through extensive internal and insurance company testing. HealthSherpa quotes use information consumers provide on our detailed questionnaires. However, these quotes could change based on additional or contradictory information that emerges during the final insurance underwriting process.

8. EXCLUSIVE REMEDY

YOU AGREE THAT OUR ENTIRE LIABILITY, AND YOUR EXCLUSIVE REMEDY, IN LAW, IN EQUITY, OR OTHERWISE, WITH RESPECT TO ANY HEALTHSHERPA SERVICE(S) PROVIDED UNDER THIS AGREEMENT AND/OR FOR ANY BREACH OF THIS AGREEMENT IS SOLELY LIMITED TO THE AMOUNT YOU PAID FOR SUCH SERVICE(S) DURING THE TERM OF THIS AGREEMENT. IN NO EVENT SHALL HEALTHSHERPA, ITS LICENSORS AND CONTRACTORS (INCLUDING THIRD PARTIES PROVIDING SERVICES AS PART OF THE SERVICE FOR WEBSITES FROM HEALTHSHERPA) BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES EVEN IF HEALTHSHERPA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE EXTENT THAT A STATE DOES NOT PERMIT THE EXCLUSION OR LIMITATION OF LIABILITY AS SET FORTH HEREIN, HEALTHSHERPA'S LIABILITY IS LIMITED TO THE EXTENT PERMITTED BY LAW IN SUCH STATES.

HealthSherpa and its licensors and contractors disclaim any and all loss or liability resulting from, but not limited to: (1) loss or liability resulting from access delays or access interruptions; (2) loss or liability resulting from data non-delivery or data mis-delivery; (3) loss or liability resulting from acts of god; (4) loss or liability resulting from the unauthorized use or misuse of your account number, password or security authentication option; (5) loss or liability resulting from errors, omissions, or misstatements in any and all information or service(s) provided under this agreement; (6) loss or liability relating to the deletion of or failure to store data; (7) loss or liability resulting from the development or interruption of your web site or your HealthSherpa quote engine; (8) loss or liability from your inability to use our e-mail service, web site manager service or any component of the service (for websites from HealthSherpa); (9) loss or liability that you may incur in connection with our processing of your application for our services or your agent's failure to pay any fees, including the initial registration fee or renewal fee; (10) loss or liability as a result of the application of our dispute policy; or (11) loss or liability relating to limitations, incompatibilities, defects, or other problems inherent in XML, JSP or any other standard not under HealthSherpa's sole control.

You acknowledge that the Internet is neither owned nor controlled by any one entity; therefore, HealthSherpa can make no guarantee that any given reader shall be able to access HealthSherpa's server at any given time. HealthSherpa represents that it shall make every good faith effort to ensure that its server is available as widely as possible and with as little service interruption as possible; HealthSherpa expressly limits its damages to the Client for any non-accessibility time or other down time to the prorated monthly charge during the system unavailability. HealthSherpa specifically denies any responsibilities for any damages arising as a consequence of such unavailability.

9. DISCLAIMER OF WARRANTIES

YOU AGREE THAT YOUR USE OF OUR SERVICE(S) OR OUR LICENSORS' SERVICES IS SOLELY AT YOUR OWN RISK. YOU AGREE THAT ALL OF SUCH SERVICES ARE PROVIDED ON AN "AS IS," AND "AS AVAILABLE" BASIS, EXCEPT AS OTHERWISE NOTED IN THIS AGREEMENT. WE AND OUR LICENSORS EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. NEITHER HEALTHSHERPA NOR OUR LICENSORS MAKE ANY WARRANTY THAT SERVICE(S) LICENSED HEREUNDER WILL MEET YOUR REQUIREMENTS, OR THAT THE SERVICE(S) WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR FREE; NOR DO WE OR OUR LICENSORS MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SERVICE(S) OR AS TO THE ACCURACY OR RELIABILITY OF ANY INFORMATION OBTAINED THROUGH OUR SERVICES. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM US OR THROUGH OUR SERVICES SHALL CREATE ANY WARRANTY NOT EXPRESSLY MADE HEREIN. YOU MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE.

10. INDEMNITY

You agree to release, indemnify, defend and hold harmless HealthSherpa and any of our contractors, agents, employees, officers, directors, shareholders, affiliates and assigns from all liabilities, claims, damages, costs and expenses, including reasonable attorneys' fees and expenses, relating to or arising out of (a) this Agreement or the breach of your warranties, representations and obligations under this Agreement, (b) the HealthSherpa services or your use of such services, including without limitation infringement or dilution by you, or someone else using our service(s) from your computer, (c) infringement, (d) any intellectual property or other proprietary right of any person or entity, (e) any violation of HealthSherpa's Acceptable Use policy or other operating rules or policies communicated to you by HealthSherpa during the course of this Agreement, (f) any information or data you supplied to HealthSherpa, including, without limitation, any misrepresentation in your application, if applicable, (g) the inclusion of meta-tags or other elements in any website created for you or by you via the HealthSherpa services, or (h) any information, material, or services available on your licensed HealthSherpa Web Site. The terms of this paragraph will survive any termination or cancellation of this Agreement.

11. TERMINATION

a. BY YOU. To cancel your Service you must submit your written notice of cancellation to HealthSherpa and include the following information: (i) Your company name and the account holder's name; and (ii) your reason for requesting cancellation. Unless otherwise agreed to in writing (in either paper or electronic form), your Service will be canceled as of the expiration of the current one-year term in which your notice was received. Unless otherwise specified in writing by HealthSherpa, you will not receive any refund for payments already made by you as of the date of termination, and, you may incur additional fees (such as in the case of early termination). If you are canceling your Service because we have modified this Agreement, to be entitled to a waiver of further fees, your notice must be given to us within thirty days of such modification, and you must specifically state, in your notice, that you are terminating because we have modified the Agreement and must further specifically identify the modification(s) to which you do not agree.

b. BY US. We may terminate the License granted under this Agreement or any part thereof, this Agreement, or any part of the HealthSherpa Services rendered under this Agreement:

  1. immediately if, after ten (10) days' prior notice, you have failed to cure, to HealthSherpa's sole satisfaction, any inaccuracy or incompleteness of the information requested from you under Section 3 of this Agreement;
  2. immediately if HealthSherpa determines, in its sole discretion, that you have violated the HealthSherpa Acceptable Use Policy, or have made any other breach of your obligations under this Agreement;
  3. upon thirty (30) days' prior notice, if HealthSherpa terminates or significantly alters a Product or Service offering; or

c. EFFECT OF TERMINATION. Upon termination, you shall destroy any copy of the materials licensed to you hereunder and referenced herein. You agree that upon termination or discontinuance for any reason, we may delete all information related to you on the HealthSherpa service, if applicable. In addition to the terms set forth herein, certain HealthSherpa services may have additional terms regarding termination, which are set forth in the applicable Schedule.

12. MODIFICATIONS TO AGREEMENT

Except as otherwise provided in this Agreement, you agree, during the term of this Agreement, that we may: (a) revise the terms and conditions of this Agreement; and/or (b) change part of the services provided under this Agreement at any time. Any such revision or change will be binding and effective 30 days after posting of the revised Agreement or change to the service(s) on HealthSherpa Web sites, or upon notification to you by e-mail. By continuing to use HealthSherpa services after any revision to this Agreement or change in service(s), you agree to abide by and be bound by any such revisions or changes. If you do not agree to such revisions or changes, you may cancel the Service by sending HealthSherpa a notice, as set forth herein, within thirty days of the posting or notification to you of any such modification or change, stating that you are canceling the Service because of a modification of this Agreement, and particularly pointing out the modification(s) to which you do not agree.

13. NOTICES AND ANNOUNCEMENTS

(a) Except as expressly provided otherwise herein, all notices to HealthSherpa shall be in writing (either paper or electronic format) and delivered either via email to customerservice@HealthSherpa.com, or via postal mail to HealthSherpa, Inc., ATTN: Customer Service, 530 Brannan Street #202, San Francisco, CA 94107. All notices to you shall be delivered to your mailing address or e-mail address as provided in your account information (as updated by you pursuant to this Agreement). (b) You authorize us to contact you as our customer via telephone, at the number provided by you in your account information, e-mail or postal mail regarding information that we deem is of potential interest to you. Notices and announcements may include commercial e-mails, and other notices describing changes, upgrades, new products and services or other relevant matters.

14. SEVERABILITY

You agree that the terms of this Agreement are severable. If any term or provision is declared invalid or unenforceable, in whole or in part, that term or provision will not affect the remainder of this Agreement; this Agreement will be deemed amended to the extent necessary to make this Agreement enforceable, valid and, to the maximum extent possible consistent with applicable law, consistent with the original intentions of the parties; and the remaining terms and provisions will remain in full force and effect.

15. REMEDIES

You acknowledge that if you breach this Agreement, HealthSherpa’s damages from such a breach would be difficult to calculate and that HealthSherpa would suffer irreparable harm. Therefore, you agree that HealthSherpa, in addition to any legal remedy for damages to which it would be entitled in the event of your breach, is entitled to equitable relief, including but not limited to preliminary and permanent injunctive relief. In the event of your breach of this Agreement, you agree to pay all reasonable attorneys' fees and costs of HealthSherpa in enforcing this Agreement.

16. APPLICABLE LAW

CONSENT TO JURISDICTION AND VENUE. Without regard to its conflicts of laws provisions, the laws of the State of California will be used to construe this Agreement. You consent to the exclusive jurisdiction and venue of state and federal courts resident in San Francisco County, California to adjudicate any dispute arising out of this Agreement.

SERVICE SPECIFIC TERMS: The following terms apply in addition to Sections 1 through 16 only if you have purchased the particular service described:

ACCEPTABLE USE

HEALTHSHERPA ACCEPTABLE USE POLICY

During the course of using HealthSherpa's products and services, you agree to conduct your business activities in a way which will not violate any federal or state law, which will conform to a high standard of business ethics, and which will maintain the good business reputation of HealthSherpa and its other Customers. In particular and without limitation, you agree not to do any of the following:

  1. Violate any state or federal law relating to the marketing or sale of insurance policies;
  2. Engage in false advertising or in any fraudulent or deceptive business practice;
  3. Post, distribute, or otherwise make available or transmit any data, text, medium or computer file, telephonic conversations, chat or email exchanges that HealthSherpa, in its sole discretion, deems to be: (a) defamatory, abusive, harassing, insulting or threatening; (b) bigoted, hateful, or offensive; (c) vulgar, obscene, or sexually explicit; or (d) encouraging of or advocating illegal activity or discussing illegal activities with the intent to commit them;
  4. Post, distribute, or otherwise make available or transmit any data, text, medium or computer file that (a) infringes any right of a third party under any domestic or international law, including but not limited to copyright, patent, trademark, trade secret or other proprietary right (for third party claims of copyright infringement, HealthSherpa will follow the procedure set forth in Part B below); (b) violates any right of privacy or publicity of a third party in the absence of such third party's express permission to disseminate his or her personal information, voice or likeness;
  5. Post, distribute or otherwise make available or transmit any software or files that contain a virus or other harmful component;
  6. Impersonate any person or entity or misrepresent your identity or affiliation with another person or entity;
  7. Delete any legal notices or disclaimers, including but not limited to copyright and trademark symbols, or modify any marks which you do not own or have express permission to modify.

HealthSherpa reserves the right to remove or disable access to any material which falls within one or more of the above categories.

STANDARD RULES OF CONDUCT

In using HealthSherpa's products and services, you may have access to consumer personally identifiable information (PII) retrieved from the Federal Data Hub. You agree to be bound to the rules of conduct outlined below.

AUTHORIZED FUNCTIONS

You may create, collect, disclose, access, maintain, store, and use PII for:

  1. Assisting with completing applications for QHP eligibility;
  2. Supporting QHP selection and enrollment by assisting with plan selection and plan comparisons;
  3. Assisting with completing applications for the receipt of APTCs or CSRs and with selecting an APTC amount;
  4. Facilitating the collection of standardized attestations acknowledging the receipt of the APTC or CSR determination, if applicable;
  5. Assisting with the application for and determination of certificates of exemption;
  6. Assisting with filing appeals of eligibility determinations in connection with the FFEs and SBE-FPs;
  7. Transmitting information about the Consumer’s, Applicant’s, Qualified Individual’s, or Enrollee’s decisions regarding QHP enrollment and/or CSR and APTC information to the FFEs and SBE-FPs;
  8. Facilitating payment of the initial premium amount to the appropriate QHP;
  9. Facilitating an Enrollee’s ability to disenroll from a QHP;
  10. Educating Consumers, Applicants, or Enrollees on insurance affordability programs and, if applicable, informing such individuals of eligibility for Medicaid or Children’s Health Insurance Program (CHIP);
  11. Assisting an Enrollee’s ability to report changes in eligibility status to the FFEs and SBE-FPs throughout the coverage year, including changes that may affect eligibility (e.g., adding a dependent);
  12. Correcting errors in the application for QHP enrollment;
  13. Informing or reminding Enrollees when QHP coverage should be renewed, when Enrollees may no longer be eligible to maintain their current QHP coverage because of age, or to inform Enrollees of QHP coverage options at renewal;
  14. Providing appropriate information, materials, and programs to Consumers, Applicants, Qualified Individuals, and Enrollees, to inform and educate them about the use and management of their health information, and services and options offered through the selected QHP or among the available QHP options;
  15. Contacting Consumers, Applicants, Qualified Individuals, and Enrollees to assess their satisfaction or resolve complaints with services provided by you in connection with the FFEs, SBE-FPs, HealthSherpa, or QHPs;
  16. Providing assistance in communicating with QHP Issuers;
  17. Fulfilling the legal responsibilities related to the efficient functions of QHP Issuers in the FFEs and SBE-FPs, as permitted or required by your contractual relationships with QHP Issuers; and
  18. Performing other functions substantially similar to those enumerated above and such other functions that CMS may approve in writing from time to time.

STANDARDS REGARDING PII

You agree that you will create, collect, disclose, access, maintain, use, or store PII that you receive directly from Consumers, Applicants, Qualified Individuals, or Enrollees and from Hub Web Services only in accordance with all laws as applicable, including section 1411(g) of the ACA.

  1. Safeguards. You agree to monitor, periodically assess, and update your security controls and related system risks to ensure the continued effectiveness of those controls in accordance with this Agreement, including Appendix A, “Privacy and Security Standards and Implementation Specifications for Non-Exchange Entities,” and to timely inform the Exchange of any material change in your administrative, technical, or operational environments, or that would require an alteration of the privacy and security standards within this Agreement.
  2. Downstream Entities. You will satisfy the requirement in 45 CFR 155.260(b)(2)(v) to bind downstream entities by entering into written agreements with any downstream entities that will have access to PII as defined in this Agreement.
  3. Critical Security and Privacy Controls. The critical controls that you must implement before you are able to submit any transactions to the FFE production system are:
    • Email/Web Browser Protections – Including but not limited to assurance that transfer protocols are secure and limit the threat of communications being intercepted.
    • Malware Protection – Including but not limited to protections against known threat vectors within the system’s environment to mitigate damage/security breaches.
    • Patch Management – Including but not limited to ensuring every client and server is up to date with the latest security patches throughout the environment.
    • Vulnerability Management – Including but not limited to identifying, classifying, remediating, and mitigating vulnerabilities on a continual basis by conducting periodic vulnerability scans to identify weaknesses within an environment.
    • Inventory of Software/Hardware – Including but not limited to maintaining an inventory of hardware/software within the environment, which helps to identify vulnerable aspects left open to threat vectors without performing vulnerability scans and gives specific knowledge of what is within the system’s environment.
    • Account Management – Including but not limited to the determination of who/what has access to the system’s environment and data and also maintaining access controls to the system.
    • Configuration Management – Including but not limited to defining the baseline configurations of the servers and endpoints of a system to mitigate threat factors that can be utilized to gain access to the system/data.
    • Incident Response – Including but not limited to the ability to detect security events, investigate, and mitigate or limit the effects of those events.
    • Governance and Privacy Compliance Program – Including but not limited to appointing a responsible official to develop and implement operational privacy compliance policies for information systems and databases.
    • Privacy Impact/Risk Assessment – Including but not limited to appointing a responsible official to develop and implement a formal policy and procedures to assess the organization’s risk posture.
    • Awareness and Training Program – Including but not limited to appointing a responsible official to develop and implement a security and privacy education and awareness program for all staff members and contractors.
    • Data Retention and Destruction – Including but not limited to developing formal policy and procedures for data retention and destruction of PII.

PII RECEIVED

Subject to the terms and conditions of this Agreement and applicable laws, in performing the tasks contemplated under this Agreement, you may create, collect, disclose, access, maintain, store, and use the following PII from Consumers, Applicants, Qualified Individuals, or Enrollees, including but not limited to:

APTC percentage and amount applied, auto disenrollment information, applicant name, applicant address, applicant birthdate, applicant telephone number, applicant email, applicant social security number, applicant spoken and written language preference, applicant medicaid eligibility indicator, start and end dates, applicant children’s health insurance program eligibility indicator, start and end dates, applicant qhp eligibility indicator, start and end dates, applicant aptc percentage and amount applied eligibility indicator, start and end dates, applicant household income, applicant maximum aptc amount, applicant csr eligibility indicator, start and end dates, applicant csr level, applicant qhp eligibility status change, applicant aptc eligibility status change, applicant csr eligibility status change, applicant initial or annual open enrollment indicator, start and end dates, applicant special enrollment period eligibility indicator and reason code, contact name, contact address, contact birthdate, contact telephone number, contact email, contact spoken and written language preference, enrollment group history (past six months), enrollment type period, ffe applicant id, ffe member id, issuer member id, net premium amount, premium amount, start and end dates, credit or debit card number, name on card, checking account and routing number, special enrollment period reason, subscriber indicator and relationship to subscriber, tobacco use indicator and last date of tobacco use, custodial parent, health coverage, american indian/alaska native status and name of tribe, marital status, race/ethnicity, requesting financial assistance, responsible person, dependent name, applicant/dependent sex, student status, subscriber indicator and relationship to subscriber, and total individual responsibility amount.

COLLECTION OF PII

PII collected from Consumers, Applicants, Qualified Individuals, Enrollees—or their legal representatives or Authorized Representatives—in the context of completing an application for QHP, APTC, or CSR eligibility, or any data transmitted from or through the Hub, may be used only for Authorized Functions specified above. Such information may not be used for purposes other than authorized by this agreement or as consented to by a Consumer, Applicant, Qualified Individual, or Enrollee.

COLLECTION AND USE OF INFORMATION PROVIDED UNDER OTHER AUTHORITIES

This Agreement does not preclude you from collecting information from Consumers, Applicants, Qualified Individuals, or Enrollees—or their legal representatives or Authorized Representative—for a non-FFE/non-SBE-FP/non-Hub purpose, and using, reusing, and disclosing the non-FFE/non-SBE-FP/non-Hub information obtained as permitted by applicable law and/or other applicable authorities. Such information must be stored separately from any PII collected in accordance with the above.

ABILITY OF INDIVIDUALS TO LIMIT COLLECTION AND USE

You agree to allow the Consumer, Applicant, Qualified Individual, or Enrollee to limit your creation, collection, disclosure, access, maintenance, storage, and use of their PII to the sole purpose of obtaining your assistance in applying for a QHP, APTC or CSR eligibility, and for performing Authorized Functions above.

INCIDENT AND BREACH REPORTING

You agree to report any suspected or confirmed Incident or Breach of PII to the CMS IT Service Desk by telephone at (410) 786-2580 or 1-800-562-1963 or via email notification at cms_it_service_desk@cms.hhs.gov within one hour of discovery of the Incident or Breach. In the event of an Incident or Breach you must permit CMS to gather all information necessary to conduct all Incident response activities deemed necessary by CMS. If you fail to report an Incident or Breach in compliance with this provision, you may be subject to the Termination provision (Section IV) of this Agreement. Termination pursuant to Section IV may also result where an Incident or Breach is found to have resulted from your failure to comply with the terms of this Agreement.

PRIVACY AND SECURITY STANDARDS

Non-Exchange Entities must meet the following privacy and security standards:

  1. Individual access to PII. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities that maintain and/or store PII must provide Consumers, Applicants, Qualified Individuals, and Enrollees—or these individuals’ legal representatives and Authorized Representatives—with a simple and timely means of appropriately accessing PII pertaining to them and/or the person they represent in a physical or electronic readable form and format.
    • Standard: Individual Access to PII. Non-Exchange Entities that maintain and/or store PII must implement policies and procedures that provide access to PII upon request.
      • Implementation Specifications.
        1. Access rights must apply to any PII that is created, collected, disclosed, accessed, maintained, stored, and used by the Non-Exchange Entity to perform any of the Authorized Functions outlined in their respective agreements with CMS.
        2. The release of electronic documents containing PII through any electronic means of communication (e.g., e-mail, web portal) must meet the verification requirements for the release of “written documents” in Section (5)b below.
        3. Persons legally authorized to act on behalf of the Consumers, Applicants, Qualified Individuals, and Enrollees regarding their PII, including individuals acting under an appropriate power of attorney that complies with applicable state and federal law, must be granted access in accordance with their legal authority. Such access would generally be expected to be coextensive with the degree of access available to the Subject Individual.
        4. At the time the request is made, the Consumer, Applicant, Qualified Individual, Enrollee—or these individuals’ legal representatives or Authorized Representatives—should generally be required to specify which PII he or she would like access to. The Non-Exchange Entity may assist them in determining their information or data needs, if such assistance is requested.
        5. Subject to paragraphs (1)a.i.6 and 7 below, Non-Exchange Entities generally must provide access to the PII in the form or format requested, if it is readily producible in such form or format.
        6. The Non-Exchange Entity may charge a fee only to recoup their costs for labor for copying the PII, supplies for creating a paper copy or a copy on electronic media, postage if the PII is mailed, or any costs for preparing an explanation or summary of the PII if the recipient has requested and/or agreed to receive such summary. If such fees are paid, the Non-Exchange Entity must provide the requested copies in accordance with any other applicable standards and implementation specifications.
        7. A Non-Exchange Entity that receives a request for notification of, or access to PII must verify the requestor’s identity in accordance with Section (5)b below.
        8. A Non-Exchange Entity must complete its review of a request for access or notification (and grant or deny said notification and/or access) within thirty (30) Days of receipt of the notification and/or access request.
        9. Except as otherwise provided in (1)a.i.10, if the requested PII cannot be produced, the Non-Exchange Entity must provide an explanation for its denial of the notification or access request, and, if applicable, information regarding the availability of any appeal procedures, including the appropriate appeal authority’s name, title, and contact information.
        10. Non-Exchange Entities may deny access to PII that they maintain or store without providing an opportunity for review, in the following circumstances:
          • If the PII was obtained or created solely for use in legal proceedings; or
          • If the PII is contained in records that are subject to a law that either permits withholding the PII or bars the release of such PII.
  2. Openness and transparency. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities must ensure openness and transparency about policies, procedures, and technologies that directly affect Consumers, Applicants, Qualified Individuals, and Enrollees and their PII.
    • Standard: Privacy Notice Statement. Prior to collecting PII, the Non-Exchange Entity must provide a notice that is prominently and conspicuously displayed on a public-facing website, if applicable, or on the electronic and/or paper form the Non-Exchange Entity will use to gather and/or request PII.
      • Implementation Specifications.
        1. The statement must be written in plain language and provided in a manner that is timely and accessible to people living with disabilities and with limited English proficiency.
        2. The statement must contain at a minimum the following information:
          • Legal authority to collect PII;
          • Purpose of the information collection;
          • To whom PII might be disclosed, and for what purposes;
          • Authorized uses and disclosures of any collected information;
          • Whether the request to collect PII is voluntary or mandatory under the applicable law; and
          • Effects of non-disclosure if an individual chooses not to provide the requested information.
        3. The Non-Exchange Entity shall maintain its Privacy Notice Statement content by reviewing and revising as necessary on an annual basis, at a minimum, and before or as soon as possible after any change to its privacy policies and procedures.
        4. If the Non-Exchange Entity operates a website, it shall ensure that descriptions of its privacy and security practices, and information on how to file complaints with CMS and the Non-Exchange Entity, are publicly available through its website.
  3. Individual Choice. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities should ensure that Consumers, Applicants, Qualified Individuals, and Enrollees—or these individuals’ legal representatives or Authorized Representatives—are provided a reasonable opportunity and capability to make informed decisions about the creation, collection, disclosure, access, maintenance, storage, and use of their PII.
    • Standard: Informed Consent. The Non-Exchange Entity may create, collect, disclose, access, maintain, store, and use PII from Consumers, Applicants, Qualified Individuals, and Enrollees—or these individuals’ legal representatives or Authorized Representatives—only for the functions and purposes listed in the Privacy Notice Statement and any relevant agreements in effect as of the time the information is collected, unless the FFE, SBE-FP or Non-Exchange Entity obtains informed consent from such individuals.
      • Implementation Specifications.
        1. The Non-Exchange Entity must obtain informed consent from individuals for any use or disclosure of information that is not permissible within the scope of the Privacy Notice Statement and any relevant agreements that were in effect as of the time the PII was collected. Such consent must be subject to a right of revocation.
        2. Any such consent that serves as the basis of a use or disclosure must:
          • Be provided in specific terms and in plain language;
          • Identify the entity collecting or using the PII, and/or making the disclosure;
          • Identify the specific collections, use(s), and disclosure(s) of specified PII with respect to a specific recipient(s); and
          • Provide notice of an individual’s ability to revoke the consent at any time.
        3. Consent documents must be appropriately secured and retained for ten (10) years.
  4. Creation, Collection, Disclosure, Access, Maintenance, Storage, and Use Limitations. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities must ensure that PII is only created, collected, disclosed, accessed, maintained, stored, and used, to the extent necessary to accomplish a specified purpose(s) in the contractual agreement and any appendices. Such information shall never be used to discriminate against a Consumer, Applicant, Qualified Individual, Enrollee, Qualified Employee, or Qualified Employer.
    • Standard: Creation, Collection, Disclosure, Access, Maintenance, Storage, and Use Limitations. Other than in accordance with the consent procedures outlined above, the Non-Exchange Entity shall only create, collect, disclose, access, maintain, store, and use PII:
      1. To the extent necessary to ensure the efficient operation of the Exchange;
      2. In accordance with its published Privacy Notice Statement and any applicable agreements that were in effect at the time the PII was collected, including the consent procedures outlined above in Section (3) above; and/or
      3. In accordance with the permissible functions outlined in the regulations and agreements between CMS and the Non-Exchange Entity.
    • Standard: Non-discrimination. The Non-Exchange Entity should not, to the greatest extent practicable, collect PII directly from the Consumer, Applicant, Qualified Individual, or Enrollee, when the information is likely to result in adverse determinations about benefits.
    • Standard: Prohibited Uses and Disclosures of PII.
      • Implementation Specifications.
        1. The Non-Exchange Entity shall not request Information regarding citizenship, status as a national, or immigration status for an individual who is not seeking coverage for himself or herself on any application.
        2. The Non-Exchange Entity shall not require an individual who is not seeking coverage for himself or herself to provide a Social Security Number (SSN), except if an Applicant’s eligibility is reliant on a tax filer’s tax return and their SSN is relevant to verification of household income and family size.
        3. The Non-Exchange Entity shall not use PII to discriminate, including employing marketing practices or benefit designs that will have the effect of discouraging the enrollment of individuals with significant health needs in QHPs.
  5. Data Quality and Integrity. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities should take reasonable steps to ensure that PII is complete, accurate, and up-to-date to the extent such data is necessary for the Non-Exchange Entity’s intended use of such data, and that such data has not been altered or destroyed in an unauthorized manner, thereby ensuring the confidentiality, integrity, and availability of PII.
    • Standard: Right to Amend, Correct, Substitute, or Delete PII. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities must offer Consumers, Applicants, Qualified Individuals, and Enrollees— or these individuals’ legal representatives or Authorized Representatives—an opportunity to request amendment, correction, substitution, or deletion of PII maintained and/or stored by the Non-Exchange Entity if such individual believes that the PII is not accurate, timely, complete, relevant, or necessary to accomplish an Exchange-related function, except where the PII questioned originated from other sources, in which case the individual should contact the originating source.
      • Implementation Specifications.
        1. Such individuals shall be provided with instructions as to how they should address their requests to the Non-Exchange Entity’s Responsible Official, in writing or by telephone. They may also be offered an opportunity to meet with the Responsible Official or their delegate(s) in person.
        2. Such individuals shall be instructed to specify the following in each request:
          • The PII they wish to correct, amend, substitute or delete; and
          • The reasons for requesting such correction, amendment, substitution, or deletion, along with any supporting justification or evidence.
        3. Such requests must be granted or denied within no more than ten (10) working days of receipt.
        4. If the Responsible Official (or their delegate) reviews these materials and ultimately agrees that the identified PII is not accurate, timely, complete, relevant, or necessary to accomplish the function for which the PII was obtained/provided, the PII should be corrected, amended, substituted, or deleted in accordance with applicable law.
        5. If the Responsible Official (or their delegate) reviews these materials and ultimately does not agree that the PII should be corrected, amended, substituted, or deleted, the requestor shall be informed in writing of the denial, and, if applicable, the availability of any appeal procedures. If available, the notification must identify the appropriate appeal authority including that authority’s name, title, and contact information.
    • Standard: Verification of Identity for Requests to Amend, Correct, Substitute or Delete PII. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities that maintain and/or store PII must develop and implement policies and procedures to verify the identity of any person who requests access to, notification of, or modification—including amendment, correction, substitution, or deletion—of PII that is maintained by or for the Non-Exchange Entity. This includes confirmation of an individual’s legal or personal authority to access, receive notification of, or seek modification—including amendment, correction, substitution, or deletion—of a Consumer’s, Applicant’s, Qualified Individual’s, or Enrollee’s PII.
      • Implementation Specifications.
        1. The requester must submit through mail, via an electronic upload process, or in person to the Non-Exchange Entity’s Responsible Official, a copy of one of the following government-issued identification documents: a driver’s license, voter registration card, U.S. military card or draft record, identification card issued by the federal, state, or local government, including a U.S. passport, military dependent’s identification card, Native American tribal document, or U.S. Coast Guard Merchant Mariner card.
        2. If such requester cannot provide a copy of one of these documents, he or she can submit two of the following documents that corroborate one another: a birth certificate, Social Security card, marriage certificate, divorce decree, employer identification card, high school or college diploma, and/or property deed or title.
    • Standard: Accounting for Disclosures. Except for those disclosures made to the Non-Exchange Entity’s Workforce who have a need for the record in the performance of their duties, and the disclosures that are necessary to carry out the required functions of the Non-Exchange Entity, Non-Exchange Entities that maintain and/or store PII shall maintain an accounting of any and all disclosures.
      • Implementation Specifications.
        1. The accounting shall contain the date, nature, and purpose of such disclosures, and the name and address of the person or agency to whom the disclosure is made.
        2. The accounting shall be retained for at least ten (10) years after the disclosure, or the life of the record, whichever is longer.
        3. Notwithstanding exceptions in Section (1)a.10, this accounting shall be available to Consumers, Applicants, Qualified Individuals, and Enrollees—or these individuals’ legal representatives or Authorized Representatives—on their request per the procedures outlined under the access standards in Section (1) above.
  6. Accountability. In keeping with the standards and implementation specifications used by the FFE, Non-Exchange Entities should adopt and implement the standards and implementation specifications in this document in a manner that ensures appropriate monitoring and other means and methods to identify and report Incidents and/or Breaches.
    • Standard: Reporting. The Non-Exchange Entity must implement Breach and Incident Handling procedures that are consistent with CMS’ Incident and Breach Notification Procedures and incorporate these procedures in the Non-Exchange Entity’s own written policies and procedures.
      • Implementation Specifications. Such policies and procedures would:
        1. Identify the Non-Exchange Entity’s Designated Privacy Official, if applicable, and/or identify other personnel authorized to access PII and responsible for reporting and managing Incidents or Breaches to CMS;
        2. Provide details regarding the identification, response, recovery, and follow-up of Incidents and Breaches, which should include information regarding the potential need for CMS to immediately suspend or revoke access to the Hub for containment purposes.
        3. Require reporting of any Incident or Breach of PII to the CMS IT Service Desk by telephone at (410) 786-2580 or 1-800-562-1963 or via email notification at cms_it_service_desk@cms.hhs.gov within one hour after discovery of the Incident or Breach.
    • Standard: Standard Operating Procedures. The Non-Exchange Entity shall incorporate privacy and security standards and implementation specifications, where appropriate, in its standard operating procedures that are associated with functions involving the creation, collection, disclosure, access, maintenance, storage, or use of PII.
      • Implementation Specifications.
        1. The privacy and security standards and implementation specifications shall be written in plain language and shall be available to all of the Non-Exchange Entity’s Workforce members whose responsibilities entail the creation, collection, maintenance, storage, access, or use of PII.
        2. The procedures shall ensure the Non-Exchange Entity’s cooperation with CMS in resolving any Incident or Breach, including (if requested by CMS) the return or destruction of any PII files it received under the Agreement; the provision of a formal response to an allegation of unauthorized PII use, reuse, or disclosure; and/or the submission of a corrective action plan with steps designed to prevent any future unauthorized uses, reuses, or disclosures.
        3. The standard operating procedures must be designed and implemented to ensure the Non-Exchange Entity and its Workforce comply with the standards and implementation specifications contained herein, and must be reasonably designed, taking into account the size and the type of activities that relate to PII undertaken by the Non-Exchange Entity, to ensure such compliance.

CLAIMS OF COPYRIGHT INFRINGEMENT

Takedown. Any third party who believes that his, her or its rights in a copyrighted work are infringed by material which has been stored on a HealthSherpa system, network or hosted site at the direction of a Customer, and who wishes the infringing material to be removed or access thereto disabled, must send a Notification of Claim of Infringement, in writing, to HealthSherpa's Designated Agent:

Ning Liang
548 Brannan Street, #310
San Francisco, CA 94107
(303) 483 5146
ning@healthsherpa.com

To be effective, the Notification must include

  1. A physical or electronic signature of a person authorized to act on behalf of an owner of an exclusive right that is allegedly infringed;
  2. Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site;
  3. Identification of the material which is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit HealthSherpa to locate the material;
  4. Information reasonably sufficient to permit HealthSherpa to contact the complaining party, including an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted;
  5. A statement that the complaining party has a good-faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and
  6. A statement that the information in the Notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

If HealthSherpa receives a Notification which substantially complies with Section 2 immediately above, then HealthSherpa will expeditiously remove or disable access to the material that is claimed to be infringing or to be the subject of infringing activity.

HealthSherpa will promptly notify the affected Customer(s) of any action under Section 3 that it has taken to remove or disable access to material that is claimed to be infringing or to be the subject of infringing activity.

Putback. Any Customer who has had material removed or access disabled under Section 3, and who believes that such material was removed by mistake or because the material was misidentified, may seek to have such material replaced or access thereto reenabled by sending a Counter Notification to HealthSherpa that contains the following:

  1. A physical or electronic signature of the Customer;
  2. Identification of the material which has been removed or to which access has been disabled and the location at which the material appeared before it was removed or access to it was disabled;
  3. A statement under penalty of perjury that the Customer has a good faith belief that the material was removed or disabled as a result of mistake or misidentification of the material to be removed or disabled;
  4. The Customer's name, address and telephone number, and a statement that the Customer consents to the jurisdiction of the Federal District Court for the judicial district in which the last said address is located, or, if the Customer's address is outside the United States, for any judicial district in which HealthSherpa may be found, and that the Customer will accept service of process from the person who provided the Notification under Section 2 above, or an agent of such person.

Upon the receipt of a Counter Notification substantially complying with Section 5 immediately above, HealthSherpa will promptly provide the person who provided the Notification under Section 2 above with a copy of the Counter Notification, and will inform said person that it will replace the removed material, or cease disabling access to it, in ten business days.

Upon receipt by HealthSherpa of a Counter Notification substantially complying with Section 5 immediately above, HealthSherpa will replace the removed material and cease disabling access to it not less than ten, nor more than fourteen, business days following receipt of the Counter Notification, unless its Designated Agent first receives notice from the person who submitted the notification under Section 2 above that such person has filed an action seeking a court order to restrain the Customer from engaging in infringing activity relating to the material on HealthSherpa's system or network.