Notice of Changes – October 2022

Maryland Health Connection (MHC) made the following system changes that impact how your personally identifiable information (PII) is processed in order to improve your consumer experience:

• “LiveChat” and “Broker Connect” allow you to connect directly with workers who can answer your health insurance application and insurance plan coverage questions;
• “No Wrong Door” allows you to consent to check if you or your dependents are eligible for other health benefits the State offers without having to re-enter all of your information;
• Medicaid information is shared with the Maryland Department of Education, in accordance with amended section 1902(a)(7) of the Social Security Act that allows sharing of Medicaid information with standard protections in place, to determine if your child is eligible for free or reduced cost School Lunch program; and
• A new Privacy Incident Management System allows for more efficient mitigation, tracking, investigation, and resolution of any potential or actual breaches of PII.

YOUR PRIVACY MATTERS TO US

Welcome to Maryland Health Benefit Exchange’s Privacy Notice that is applicable to the three sites it maintains namely MarylandHealthConnection.gov, MarylandHBE.com and Maryland Small Business.  We are committed to protect your personal information!  Every decision we make is based upon that fundamental principle, including how we collect, maintain and utilize your personal information. We want you to enroll with confidence and to be informed and empowered with regard to your personal privacy.

Simply put:

• We will not collect personal information from you without your knowledge or consent;
• We will not knowingly disclose your personal information to a third party, except as provided in this Privacy Notice;
• We will allow you to inspect and correct your personal information;
• We will take any and all reasonable measures to protect the security of any personal information you provide;
• We will inform you of our activities that impact your privacy such as collection, use, sharing, safeguarding, maintenance and disposal of your personal information; and
• We will notify you if we think that the privacy of any personal information you provide may have been compromised.

View or download a copy of:

• Privacy Notice
• Terms & Conditions for Text Alerts

Our Authority to Collect Personally Identifiable Information (PII)

We collect PII pursuant to federal and state laws namely the Affordable Care Act (ACA) and Title 31 of the Insurance Article of the Maryland Code Annotated (MD Code Ann., Insurance §31-101 et seq.).

Types of PII We Collect

The specific elements of PII we collect include your or your family member’s name, date of birth, social security number, ID, employment status, income, citizenship, immigration documents, email, phone number, address, insurance member ID / policy number, military status, race, photographic identifiers, driver’s license number, mother’s maiden name, certificates and/or legal documents.

We do not solicit information of any kind from children under age 13 as the law requires.  If you believe that we have received information from a child under age 13, please contact Maryland Health Connection’s customer service center at 1-800-318-2596.  Deaf and hard of hearing, please use Relay service.

Purpose for Which We Collect PII

We collect, create, use, store and disclose your PII to determine whether you are eligible for and, if so, enroll you in health coverage, dental coverage and programs that make insurance more affordable for you such as advance payment of premium tax credits (APTC), cost sharing reductions (CSR), Maryland Medicaid or Maryland Children’s Health Program (MCHP).  If necessary, we may also collect or disclose your information to carry out other functions the law requires, or if the Secretary of U.S. Department of Health and Human Services specifically allows it.  We strive to ensure that all PII we collect and maintain is accurate, relevant, timely and complete for the intended purpose.

In addition, we collect information on pages you visit, user specific information on accessed pages and information volunteered by you such as surveys and/or site registrations.  The information we collect is used for internal review to improve our web pages, customize content and/or layout for individual consumers and to contact consumers for marketing purposes.  Moreover, we use Google Analytics to provide relevant advertisements to you; and, our web site uses “cookies” to improve the consumer experience and services/products offered.  We do not store information from cookies on our systems.  The persistent cookies used with third-party tools on MarylandHealthConnection.gov can be stored on a user’s local system and are set to expire at varying time periods depending upon the cookie.

• To opt out of our use of Google Analytics, visit the Google Analytics Opt-Out page.
• To customize or opt out of Google’s use of cookies, click on the link for Google’s Ads Settings page.
• To opt out of a third party vendor’s use of cookies, visit the Network Advertising Initiative Opt-Out page.

How We Use PII Internally

We use your Personally Identifiable Information to:

• Verify your identity
• Determine whether you qualify for the insurance affordability programs, and/or are eligible for health and/or dental coverage;
• Enroll you in insurance affordability programs;
• Create and maintain your online account;
• Communicate with you;
• Process appeals;
• Connect you via a PayNow button with certain insurers to make a premium payment;
• Inform you about voluntary research initiatives that help improve our operations, increase consumers’ understanding of healthcare, and better communicate with the community with a goal to improve healthcare outcomes. Whether you participate has no bearing on your health insurance eligibility, status or service;
• Combat fraud;
• Survey you about your customer experience to improve our service quality; and
• Respond to your email inquiries

Why and How We Share PII Externally

We may share your information with State and federal agencies to determine your eligibility for health insurance and other insurance affordability programs through secure electronic portals guided by data sharing agreements. The federal agencies may include the Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), Social Security Administration (SSA), the Internal Revenue Service (IRS), the Department of Homeland Security (DHS), the Department of Defense (DoD) and the Veterans Health Administration (VHA). In addition, we may share your information with the National Death Registry to ensure that deceased individuals’ names are not fraudulently used.

State agencies may include the Maryland Department of Health (MDH), Maryland Medicaid and Children’s Health Insurance Program (CHIP), Department of Human Services (DHS), Maryland Insurance Administration (MIA), Office of Comptroller of Maryland, Department of Information Technology (DoIT). In addition, if you opt in, we provide you the opportunity to register to vote through Maryland State Board of Elections (SBE).

We may also share your information with the employer(s) listed on your application by mail for the limited purposes of verifying whether you are eligible for or are enrolled in employer-sponsored coverage.

Other entities we share your PII with may also include consumer reporting agencies for income verification purposes; agents, brokers, issuers of health plans; and/or our contractors that are engaged to perform various functions of the Exchange such as consumer assistance services, information technology services, fulfillment services, third-party administration and other services as needed.

Additionally, we may partner with entities, such as educational institutions, to understand better ways of improving our consumers’ understanding, use, and access of their health benefits.

Of course, we share your information with you or the authorized representative to whom you consent to us to share information.

Your Consent to Use and Share Your PII

We cannot – and do not – collect your information without your knowledge or consent.  You provide your consent by clicking a check-box when applying for insurance coverage online, electronically signing at the time of the application, providing wet signature when applying in person, or verbally consenting when prompted by the call center representative in case of an over-the-phone application.  Your consent means that under the penalty of perjury, you confirm the accuracy of the information provided and agree to promptly report any change in your or your family’s personal circumstances such as, including but not limited to, address, income, immigration or health insurance status.

Although providing information is voluntary – and your consent may be withdrawn at any time – failing to provide certain information may delay or prevent your ability to obtain insurance through us or enroll in insurance affordability programs such as advance payment of premium tax credits (APTC), cost sharing reductions (CSR), Maryland Medicaid or Maryland Children’s Health Program (MCHP).   Please note that knowingly and willfully providing false or fraudulent information may make you subject to a penalty or other law enforcement actions.  If you wish to rescind your consent to use your personal information, please either:

• Contact Maryland Health Connection’s consumer support center at 1-855-642-8572.  Deaf and hard of hearing, please use the Relay service.
• Contact the Privacy Officer at 410-547-6862.  Deaf and hard of hearing, please use the Relay service.

Terms & Conditions for Text Alerts

We offer text messaging as a way to communicate with you.  You do not have to receive text messages to apply for health coverage.  To receive text messages from Maryland Health Connection, you must consent by providing a mobile phone number and opting in.  Text messaging from Maryland Health Connection may also include one-time texts for Multi-factor Authentication (MFA).

• To stop delivery of text messages related to the status of your application, deadlines, health care benefits and general health information, reply STOP from your mobile phone.
• If you want to specify the type of text messages you will receive, you can go to Manage Account Settings to manage your text subscriptions.
• For security reasons, if you would like to stop MFA, go to the “Enable or Disable Additional Security” section on your account home page and click “Opt Out.”
• If you have any questions about text messages, you can contact Maryland Health Connection’s consumer support center at 1-855-642-8572.  Deaf and hard of hearing, please use Relay service.

How You May Access, Inspect and Amend Your Record

You have the right to access, inspect or update any record containing your personal information, and print submitted applications at any time.  A change in your information may trigger the need for you to provide supporting documentation.

1. If you would like to access, inspect or amend your Maryland Health Connection records, please either:

• Log in to your online account for immediate access, or
• Contact Maryland Health Connection’s consumer support center at 1-855-642-8572.  Deaf and hard of hearing, please use Relay service.

2. If you believe your privacy rights have been violated, please contact the Privacy Officer at 410-547-6862.  Deaf and hard of hearing, please use Relay service.  Maryland Health Connection will not take any retaliatory action against you if you make a complaint in good faith and the complaint will not affect your eligibility and enrollment in health insurance through Maryland Health Connection.

We maintain your information to achieve the specific objective for which you provided it to us.   The data is then archived or destroyed in accordance with our records schedules which, at a minimum, reflect the Affordable Care Act data retention requirements.

How We Protect Your Personal Information

We strictly adhere to a wide range of federal and state privacy and information security related requirements under Affordable Care Act privacy regulations as enlisted in 45. C.F.R §155.260, federal guidance on Preparing and Responding to a Breach of Personally Identifiable Information in OMB M-17-12 memorandum, Minimum Acceptable Risk Standards for Exchanges as prescribed in MARS-E, privacy and security policy / guidance by the Maryland Department of Information Technology , Md. State Government Code Ann. § 10-1301 et. seq. for the Protection of Information by Governmental Agencies and our Computer Matching Agreement with CMS.

Privacy and Information Security Safeguards

To ensure that any personal information you provide remains safe and secure, we have established and implemented strong technical, administrative and physical safeguards based upon these privacy and security-related legal requirements to ensure that:

• The confidentiality, integrity, and availability of any personal information created, collected, used or disclosed by or to us is preserved;
• Your personal information is only used by or disclosed to those authorized to receive or view it;
• Any federal tax information we receive from the Internal Revenue Service (IRS) is kept confidential in accordance with the Internal Revenue Code;
• Your personal information is protected against any reasonably anticipated threats or hazards to its confidentiality, integrity or availability;
• Your personal information is protected against any reasonably anticipated uses or disclosures of such information which are not permitted or required by law;
• Any personal information you provide is securely destroyed or disposed of in an appropriate and reasonable manner and in accordance with retention schedules; and
• Your personal information is complete, accurate and up-to-date to the extent necessary for its intended purposes and has not been altered or destroyed in an unauthorized manner.

We utilize advanced encryption, data loss prevention measures, and strict access controls to safeguard your information.  Our staff and third-party representatives receive ongoing privacy and information security training and attest to the adherence of our privacy and security practices on an annual basis.

Application to Non-Exchange Entities

In the event we are required to disclose your personal information to another government agency, a qualified health plan or any other non-exchange entity in order to fulfill a required Exchange function, we first require any such organization to enter into a legally-binding contract in which they agree to abide by privacy and security controls as stringent as those developed and implemented by us.  We also monitor the performance of these agreements and may actually terminate our contract with any such non-exchange entity should it fail to comply.

Notification of Potential Privacy Breach

Our employees and non-exchange entities are required to immediately contact the Privacy Office should they ever suspect or know that the confidentiality of your personal information has been compromised.  Upon notification, the Privacy Office immediately investigates and takes any remedial measures needed to ensure the continuing security of your personal information.  In the event that your personal information is disclosed to an unauthorized person, we will notify you in accordance with the applicable law.

How We Protect Your Federal Tax Information (FTI)

During the course of performing Exchange functions mandated by the law, we legally receive your FTI from either the Internal Revenue Service (IRS) or from secondary sources such as the Social Security Administration.  Pursuant to Internal Revenue Code Section 6103, we have implemented adequate protections – physical and technological – to keep your FTI safe and only allow access to it on a need-to-know basis.  We also require our procured contractors with access to FTI to adhere to the same security protocols.  In addition, our procedures and protections pertaining to FTI security are frequently assessed by the IRS through on site audits, Safeguard Review Reports, Safeguard Security Reports and Corrective Action Plans, if any.

Authorized Representative

You have the right to authorize a third party, in both the individual and the small group market, to act on your behalf, and in your best interest, to apply for health insurance eligibility, sign an application, update or respond to an eligibility redetermination, and carry out other ongoing communications with us.  The designation remains in effect until you inform us that the representative is no longer authorized or the designated authorized representative informs us that they are not acting in that capacity anymore.  To designate an authorized representative, or to remove/replace one, please either:

• • You can: log into your account and select Manage Account Settings, or
  • Download the Authorized Representative Form and mail it to: Maryland Health Connection, P.O. Box 857, Lanham, MD 20703.
  • For help designating an Authorized Representative call the consumer support center at 1-855-642-8572.  Deaf and hard of hearing, use Relay service.

Activities Impacting Your Privacy Generally

Use of PII for Research or Remuneration

We do not sell your information or allow access to it for purposes such as testing or research without your consent and/or legal authority.

Non-Identifying Information Collected & Stored Automatically

When you browse this website or download information, we gather and store certain information about your visit for statistical purposes to provide relevant experiences and advertisements to our visitors.  The following information, which does not identify you personally, is gathered:

• • The internet domains (example: aol.com) and IP addresses of user
  • The type of browser and operating system used to access the site
  • The date and time of visits
  • The pages visited by users
  • The address from which users link to the website
  • Browser language
  • Device type
  • Screen resolution
  • Approximate geographic location based on the IP address of the user’s local system
  • Geographic location
  • Scroll Depth-the measure of how much of a web page was viewed
  • User events (e.g. clicking a button)
  • Time spent on page

Marketplace Email Messages

If you have given us your permission to send you marketing messages via email, you will receive important updates, deadlines or reminders related to the health insurance marketplace via the provided email address.  In sending these email reminders, MHBE remains compliant with Federal Trade Commission’s guidelines on e-mail marketing: https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business

• To opt out of emails, please use the “unsubscribe” link at the bottom of every Maryland Health Connection email.

Surveys

We use electronic surveys (email, online) to collect opinions and feedback.  You do not have to answer these questions.  If you do answer these questions, please do not include any personally identifiable information in your answers.  We analyze and use the information from these surveys to improve the site’s operation and content.  The information is available only to MHBE managers, members of the MHBE communications and web teams, and other designated state staff and contractors who require this information to perform their duties.

Third-Party Websites & Applications

We use a variety of third-party tools and links to third-party websites (public and private) to connect with you through social networking & media sites, for digital advertising and to gather information for web analytics.  Your activity on the third-party websites that our websites link to (such as Facebook, Twitter, healthcare providers) is governed by the security and privacy policies of those sites.  We do not own, manage, or control these third-party sites.  You should review the privacy policies of all websites before using them so that you understand how your information may be used, and adjust the privacy settings on your account with them to match your preferences.

Accounting of Disclosures

You have the right to request a report on non-routine disclosure(s) of your information including the type(s) of information disclosed, the date of disclosure, by whom, to whom and for what purpose.  An example of a non-routine disclosure is when an external auditor reviews your record.  There may be instance(s) where law enforcement requires us not to disclose such information for a period of time if such a disclosure could cause harm or impede justice.  To request such an accounting of disclosure(s), please:

• Fill out the Accounting of Disclosures Request and Release of Information Authorization forms in order to receive or release documentation containing your personal information, for example, a copy of your application;
• Contact the Privacy Officer at 410-547-6862.  Deaf and hard of hearing, please use the Relay service.

Changes to Our Privacy Notice or IT Systems

This Privacy Notice may at our discretion be updated and revised from time-to-time and any such updates or revisions will be automatically applicable to any personal information you have provided.  Any major changes relevant to the use of your personal information or changes in the system will be posted prominently on our website.

Contact the Privacy Officer

Should you have any questions or concerns regarding this Privacy Notice, please feel free to contact the Privacy Office at 410-547-6862.  Deaf and hard of hearing, please use the Relay service.