DEPARTMENT OF HEALTH & HUMAN SERVICES

Centers for Medicare & Medicaid Services

Center for Consumer Information & Insurance

Oversight 200 Independence Avenue SW

Washington, DC 20201

Plan Issuers (QHPI) Personally Identifiable Information (PII) Incident or Breach reporting.

These requirements are included in the Agreement Between Qualified Health Plan (QHP)

and the Centers for Medicare & Medicaid Services that QHPI sign before they participate in

the Exchange by displaying plans to consumers.

What actions must a QHPI take if a suspected or confirmed Incident or Breach of

Per the Agreement Between Qualified Health Plan (QHP) and the Centers for

Medicare & Medicaid Services (Agreement), QHPI agrees to report any suspected or

confirmed Breaches of PII to the CMS IT Service Desk by telephone at (410) 786-2580

involving PII?

issuer may be subject to the Termination provision (Section V) of the Agreement.

Termination pursuant to Section V may also result where an Incident or Breach is

found to have resulted from QHPI’s failure to comply with the terms of the Agreement.

Nothing in the Agreement should be construed to limit the ability of the Department of

Health & Human Services (HHS) to temporarily suspend the ability of a QHPI to

connect to HHS systems due to suspected or confirmed security risks and Incidents or

Breaches.