(a) Direct enrollment entities. The Federally-facilitated Exchanges will permit the following entities to assist consumers with direct enrollment in QHPs offered through the Exchange in a manner that is considered to be through the Exchange, to the extent permitted by applicable State law:
(1) QHP issuers that meet the applicable requirements in this section and § 156.1230 of this subchapter; and
(2) Web-brokers that meet the applicable requirements in this section and § 155.220.
(b) Direct enrollment entity requirements. For the Federally-facilitated Exchanges, a direct enrollment entity must:
(1) Display and market QHPs offered through the Exchange, individual health insurance coverage as defined in § 144.103 of this subchapter offered outside the Exchange (including QHPs and non-QHPs other than excepted benefits), and any other products, such as excepted benefits, on at least three separate website pages on its non-Exchange website, except as permitted under paragraph (c) of this section;
(2) Prominently display a standardized disclaimer in the form and manner provided by HHS;
(3) Limit marketing of non-QHPs during the Exchange eligibility application and QHP selection process in a manner that minimizes the likelihood that consumers will be confused as to which products and plans are available through the Exchange and which products and plans are not, except as permitted under paragraph (c)(1) of this section;
(4) Demonstrate operational readiness and compliance with applicable requirements prior to the direct enrollment entity's internet website being used to complete an Exchange eligibility application or a QHP selection, which may include submission or completion, in the form and manner specified by HHS, of the following:
(i) Business audit documentation including:
(A) Notices of intent to participate including auditor information;
(B) Documentation packages including privacy questionnaires, privacy policy statements, and terms of service; and
(C) Business audit reports including testing results.
(ii) Security and privacy audit documentation including:
(A) Interconnection security agreements;
(B) Security and privacy controls assessment test plans;
(C) Security and privacy assessment reports;
(D) Plans of action and milestones;
(E) Privacy impact assessments;
(F) System security and privacy plans;
(G) Incident response plans; and
(H) Vulnerability scan results.
(iii) Eligibility application audits performed by HHS;
(iv) Online training modules offered by HHS; and
(v) Agreements between the direct enrollment entity and HHS.
(5) Comply with applicable Federal and State requirements.
(c) Exceptions to direct enrollment entity display and marketing requirement. For the Federally-facilitated Exchanges, a direct enrollment entity may:
(1) Display and market QHPs offered through the Exchange and individual health insurance coverage as defined in § 144.103 of this subchapter offered outside the Exchange (including QHPs and non-QHPs other than excepted benefits) on the same website pages when assisting individuals who have communicated receipt of an offer of an individual coverage health reimbursement arrangement as described in § 146.123(c) of this subchapter, as a standalone benefit, or in addition to an offer of an arrangement under which the individual may pay the portion of the premium for individual health insurance coverage that is not covered by an individual coverage health reimbursement arrangement using a salary reduction arrangement pursuant to a cafeteria plan under section 125 of the Internal Revenue Code, but must clearly distinguish between the QHPs offered through the Exchange and individual health insurance coverage offered outside the Exchange (including QHPs and non-QHPs other than excepted benefits), and prominently communicate that advance payments of the premium tax credit and cost-sharing reductions are available only for QHPs purchased through the Exchange, that advance payments of the premium tax credit are not available to individuals who accept an offer of an individual coverage health reimbursement arrangement or who opt out of an individual coverage health reimbursement arrangement that is considered affordable, and that a salary reduction arrangement under a cafeteria plan may only be used toward the cost of premiums for plans purchased outside the Exchange; and
(2) Display and market Exchange-certified stand-alone dental plans offered outside the Exchange and non-certified stand-alone dental plans on the same website pages.
(d) Direct enrollment entity application assister requirements. For the Federally-facilitated Exchanges, to the extent permitted under state law, a direct enrollment entity may permit its direct enrollment entity application assisters, as defined at § 155.20, to assist individuals in the individual market with applying for a determination or redetermination of eligibility for coverage through the Exchange and for insurance affordability programs, provided that such direct enrollment entity ensures that each of its direct enrollment entity application assisters meets the requirements in § 155.415(b).
(e) Federally-facilitated Exchange direct enrollment entity suspension. HHS may immediately suspend the direct enrollment entity's ability to transact information with the Exchange if HHS discovers circumstances that pose unacceptable risk to the accuracy of the Exchange's eligibility determinations, Exchange operations, or Exchange information technology systems until the incident or breach is remedied or sufficiently mitigated to HHS' satisfaction.
(f) Third parties to perform audits of direct enrollment entities. A direct enrollment entity must engage an independent, third-party entity to conduct an initial and annual review to demonstrate the direct enrollment entity's operational readiness and compliance with applicable direct enrollment entity requirements in accordance with paragraph (b)(4) of this section prior to the direct enrollment entity's internet website being used to complete an Exchange eligibility application or a QHP selection. The third-party entity will be a downstream or delegated entity of the direct enrollment entity that participates or wishes to participate in direct enrollment.
(g) Third-party auditor standards. A direct enrollment entity must satisfy the requirement to demonstrate operational readiness under paragraph (f) of this section by engaging a third-party entity that executes a written agreement with the direct enrollment entity under which the third-party entity agrees to comply with each of the following standards:
(1) Has experience conducting audits or similar services, including experience with relevant privacy and security standards;
(2) Adheres to HHS specifications for content, format, privacy, and security in the conduct of an operational readiness review, which includes ensuring that direct enrollment entities are in compliance with the applicable privacy and security standards and other applicable requirements;
(3) Collects, stores, and shares with HHS all data related to the third-party entity's audit of direct enrollment entities in a manner, format, and frequency specified by HHS until 10 years from the date of creation, and complies with the privacy and security standards HHS adopts for direct enrollment entities as required in accordance with § 155.260;
(4) Discloses to HHS any financial relationships between the entity and individuals who own or are employed by a direct enrollment entity for which it is conducting an operational readiness review;
(5) Complies with all applicable Federal and State requirements;
(6) Ensures, on an annual basis, that appropriate staff successfully complete operational readiness review training as established by HHS prior to conducting audits under paragraph (f) of this section;
(7) Permits access by the Secretary and the Office of the Inspector General or their designees in connection with their right to evaluate through audit, inspection, or other means, to the third-party entity's books, contracts, computers, or other electronic systems, relating to the third-party entity's audits of a direct enrollment entity's obligations in accordance with standards under paragraph (f) of this section until 10 years from the date of creation of a specific audit; and
(8) Complies with other minimum business criteria as specified in guidance by HHS.
(h) Multiple auditors. A direct enrollment entity may engage multiple third-party entities to conduct the audit under paragraph (f) of this section.
(i) Application to State Exchanges using a Federal platform. A direct enrollment entity that enrolls qualified individuals in coverage in a manner that constitutes enrollment through a State Exchange using the Federal platform, or assists individual market consumers with submission of applications for advance payments of the premium tax credit and cost-sharing reductions through a State Exchange using a Federal platform must comply with all applicable Federally-facilitated Exchange standards in this section.
(j) Process for States to elect the Exchange direct enrollment option. Subject to HHS approval, and in addition to or in lieu of the Exchange operating its own consumer-facing eligibility application and enrollment website, a State may elect for the State Exchange, State Exchange on the Federal platform, or federally-facilitated Exchange in the State to approve one or more enrollment entities described in paragraph (a) of this section to make available a non-Exchange online website to enroll qualified individuals in a QHP offered through the Exchange in the State in a manner that constitutes enrollment through the Exchange, as specified in paragraph (j)(1) or (2) of this section. Through the websites of these approved entities, consumers in the State apply for and enroll in coverage using an eligibility application as described in § 155.405, and receive eligibility determinations from the Exchange for QHP enrollment, advance payments of the premium tax credit and cost-sharing reductions, as well as receive assessments or determinations from the Exchange for Medicaid and CHIP eligibility in accordance with §§ 155.302 and 155.405.
(1) Direct enrollment option for a State Exchange. A State may receive approval, under §§ 155.105(b) and 155.106(a), to operate a State Exchange using the direct enrollment option described in this paragraph (j). The State Exchange must meet all Federal statutory and regulatory requirements for the operation of an Exchange. An approved State Exchange that wishes to implement this option must submit a revised Exchange Blueprint in accordance with § 155.105(e). In order to obtain approval for the State Exchange to implement this option, the State must:
(i) Demonstrate to HHS operational readiness for the State Exchange to enroll qualified individuals in a QHP through approved direct enrollment entity websites in a manner that constitutes enrollment through the Exchange, including enabling individuals to apply for, and receive eligibility determinations from the Exchange for QHP enrollment and advance payments of the premium tax credit and cost-sharing reductions, as well as receive assessments or determinations of Medicaid and CHIP eligibility from the Exchange as described in § 155.302, using the eligibility application described in § 155.405;
(ii) Provide HHS an implementation plan and timeline that details the key activities, milestones, and communication and outreach strategy to support the transition of enrollment operations to direct enrollment entities; and
(iii) Ensure that a minimum of one direct enrollment entity approved by the State meets minimum Federal requirements for HHS approval to participate in the federally-facilitated Exchange direct enrollment program, including requirements at § 155.220 and this section, particularly § 155.220(c)(3)(i)(A) and (D) so that at least one approved web-broker in the state displays detailed information for all available QHPs and meets accessibility requirements under § 155.205(c) and is capable of enrolling all consumers in the State, including those who present complex eligibility scenarios. Where no direct enrollment entity approved by the State meets such minimum Federal requirements or possesses the capability to enroll all consumers in the State, the State must offer a consumer-facing website that meets such requirements and possesses such capability.
(2) Direct enrollment option for a State with a federally-facilitated Exchange or State Exchange on the Federal platform. Pursuant to a request from a State, the federally-facilitated Exchange or a State Exchange on the Federal platform may partner with the requesting State to implement the direct enrollment option described in this paragraph (j). The federally-facilitated Exchange or State-based Exchange on the Federal platform must meet all Federal statutory and regulatory requirements for the operation of an Exchange. In order to obtain approval for the federally-facilitated Exchange or State Exchange on the Federal platform in a State to implement this option, a State must:
(i) Coordinate with HHS on an implementation plan and timeline that allows for a transition period, developed at the discretion of HHS in consultation with the State, necessary for the federally-facilitated Exchange to operationalize the necessary changes to implement this option;
(ii) Execute a Federal agreement with HHS that includes the terms and conditions for the arrangement and which defines the division of responsibilities between HHS and the State;
(iii) Agree to procedures developed by HHS for the collection and remittance of the monthly user fee described in § 156.50(c) of this subchapter; and
(iv) Perform and cooperate with activities established by HHS related to oversight and financial integrity requirements in accordance with section 1313 of the Affordable Care Act, including complying with reporting and compliance activities required by HHS and described in the Federal agreement.
[83 FR 17061, Apr. 17, 2018, as amended at 84 FR 17566, Apr. 25, 2019; 86 FR 6176, Jan. 19, 2021; 86 FR 24289, May 5, 2021]