- Privacy & Security Partnership
- Collection of Information
- Do I have to Give PII to Pennie?
- Authority to Collect
- Information Sharing with External Entities
- Information Sharing with Enrollment Professionals
- Individual Access/Correction of Information
- Complaints Regarding the Improper Handling of PII or PHI
- Operational, Technical, Administrative, and Physical Safeguards
- Security Controls
- Pennsylvania Privacy and Information Security Policies and Standards
- Privacy Act Statement
The Pennsylvania Health Insurance Exchange Authority d/b/a Pennie (Pennie) is the Commonwealth of Pennsylvania’s Affordable Care Act (ACA) Administering Entity. As part of Pennie’s responsibilities, it will collect sensitive information from customers in order to perform its ACA-mandated functions, such as enrolling customers in Qualified Health Plans (QHPs) or Qualified Dental Plans (QDPs) and determining someone’s eligibility for Advance Premium Tax Credits (APTC) and Cost-Sharing Reductions (CSR). To do this, Pennie is required to collect certain Personally Identifiable Information (PII) and Protected Health Information (PHI). Both PII and PHI are protected by federal and state laws.
At Pennie, customer privacy is important. Pennie respects your right to privacy and will strive to protect information we maintain about you in the ongoing operation of the health exchange in accordance with the applicable laws, regulations, and standards for security and privacy.
Privacy and Security Partnership
Collection of Information
Pennie collects information from you that you provide voluntarily through several mechanisms, such as surveys, electronic messages you choose to send to Pennie, the application process, verbal interactions with our employees and our customer service call center representatives, and appeals you may file. Surveys, for instance, may collect PII you voluntarily submit, such as name, e-mail address, mailing address, or telephone number. Pennie may collect information through other means so that we may contact you for follow up to your questions, concerns, or recommendations. Electronic messages sent by you may contain PII, such as your name, e-mail address, mailing address, or telephone, and any other information you choose to give us to help us answer your inquiry. Applications also will include specific PII or PHI, such as social security numbers and, in some instances, tax and income information.
Please know that Pennie will only collect the minimum information required to achieve its mission of providing affordable health insurance to individuals in the Commonwealth. The information collected during the application process, enrollment, customer support, and renewals will only be used to ensure the efficient operation of Pennie, verify the eligibility of an individual to enroll through Pennie or to claim an APTC or CSR, and the amount of the tax credit or reduction. This information will not be shared, sold, or transferred to any third party for the third party’s direct marketing purposes without your prior consent and will not be provided to any other person or entity unless it is required to determine eligibility or enroll in a QHP/QDP. Once you voluntarily submit your PII or PHI to Pennie, it will be governed by federal and state laws and regulations, including but not limited to section 155.260 of the ACA’s regulations. See 45 C.F.R. § 155.260.
In order to facilitate enrollment in Pennie, and to determine eligibility for QHPs/QDPs, APTC, and CSR, Pennie must collect information necessary to authenticate identity, citizenship status, residency, income, and incarceration status. This data includes, but is not limited to:
• Demographic Data:
Name, Address, Telephone Number, Email, Age
• Income Data:
Tax Filing Status, Marriage Status, Tax Dependents, Employer, Annual or Monthly Income
• Citizenship and Immigration Data:
Social Security Number, Resident Alien Number, Native American Tribe ID Number, Incarceration Status
• Disability Information:
Whether the applicant/household member is blind, disabled, or requires assistance with daily living (this information cannot be used to deny coverage, but may help an individual to become eligible for Medicaid)
• Medical Insurance Coverage Information:
Past and current health insurance coverage, tobacco use, customer plan selections, and other information necessary to facilitate enrollment.
Additionally, the information you voluntarily provide may be used to improve Pennie’s enrollment system and the overall usability of the site, some data regarding page views, browsing behavior, and system response times may also be collected. All personal data changes, eligibility results, plan selections, and any other action performed by the user will be tracked for audit and appeals purposes.
Each interaction between an individual and Pennie’s website or customer service call center will also be documented along with any communications, notifications, or emails. Additionally, telephone calls to Pennie’s customer service call center will be recorded for audit, training, and appeals purposes. The primary purpose of recording this information is to help improve the efficiency of Pennie’s operations, including streamlined support of the appeals process. Calling into Pennie’s customer service call center will constitute consent to be recorded for these purposes.
The PII or PHI you provide us will be disclosed by us only to Pennie employees; business partners; grantees; contractors; designees; governmental agencies, insurance companies (and, where necessary, to law enforcement officials), with a “need to know” in order to fulfill their job responsibilities or duties in connection with Pennie operations, such as maintaining our website or improving the customer experience and assisting with processing of your application.
Pennie will collect and aggregate the information you provide through surveys and other means for purposes of market research to make Pennie more responsive to customer needs. From time-to-time, Pennie may combine personal information we collect from you with information available from other sources (e.g., Medicaid eligibility information from the Pennsylvania Department of Human Services). We will treat the combined information as PII.
If you interact with Pennie through its website, www.Pennie.com, your browsing experience may be customized by utilizing your browser’s “cookies” to store a randomly generated identifying tag on your computer. A cookie is a small text file that is saved on your computer when you visit a website
You can refuse the cookie or delete the cookie file from your computer’s browser at any time by using any one of several widely available methods. Cookies created by using our websites and stored on your computer do not contain personally identifiable information and do not compromise your privacy or security.
Session cookies allow you to move through many pages of a website quickly and easily without having to authenticate or reprocess each new area you visit. Session cookies are destroyed after successful completion of a transaction, after a few minutes of inactivity, or when the browser is closed.
Persistent cookies help websites remember your information and settings when you visit them in the future. They continue to exist after a few minutes of inactivity, after the browser is closed, or after a user completes a single session.
The information posted on Pennie’s website may include hypertext links to information created and maintained by other public and/or private organizations (external websites). These links are provided for your information and convenience. When you select a link to an outside website, you are leaving Pennie’s site and are subject to the privacy and security policies of the owners/sponsors of the outside website.
Pennie does not control or guarantee the accuracy, relevance, timeliness, or completeness of information contained on an outside website. Pennie does not endorse the organizations sponsoring outside websites and does not endorse the views they express or the products/services they offer.
Pennie is not responsible for transmissions users receive from outside websites. Pennie cannot guarantee that outside websites comply with accessibility requirements.
Do I have to Give PII or PHI to Pennie?
You do not have to give PII or PHI to Pennie. However, if you do not give this information, it may delay or prevent Pennie from determining your eligibility for assistance in paying for coverage or determining your eligibility for benefits, programs or exemptions.
Be sure to provide correct information. Anyone who fails to provide correct information or who knowingly and willfully provides false or untrue information to Pennie may be subject to a penalty and other law enforcement action.
Notably, people applying for health coverage need to provide a social security number (SSN), if they have one. An application filer must also provide the SSN of any tax filer who is not applying for health coverage if the tax filer’s tax information will be used to verify the household’s eligibility for help with paying for health coverage. Other people not applying for health coverage are encouraged to provide their SSNs to speed up the application process but aren’t required to provide one.
Pennie uses SSNs to check income and other information to see who is eligible for help with health coverage costs. If someone wants help getting an SSN, they can visit socialsecurity.gov, or call 1-800-772-1213. TTY users should call 1-800-325-0778.
Section 155.260 of the United States Department of Health and Human Services (DHHS) regulations state that Pennie may collect PII or PHI to determine eligibility for enrollment in qualified health plans, to assess potential eligibility for Medicaid/Children Health Insurance Program (CHIP), and to determine eligibility for exemptions from the individual mandate to maintain health insurance coverage. See 45 CFR § 155.260. Pennie will fully comply with this federal regulation. Pennie will not create, collect, use or disclose PII or PHI for any purposes that are not authorized under this regulation.
The following principles are outlined in the regulation:
- Individual Access: Individuals will be provided with a simple and timely means to access and obtain their PII and PHI.
- Correction: Individuals will be provided with a timely means to dispute the accuracy of their PII and PHI and to have erroneous information corrected.
- Openness and Transparency: All policies, procedures, and technologies that affect individuals and their PII or PHI are fully disclosed to the public.
- Individual Choice: Individuals will be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their PII and PHI.
- Collection, Use, and Disclosure Limitations: PII and PHI will be created, collected, used, and/or disclosed only to the extent necessary to accomplish the goals of Pennie.
- Data Quality and Integrity: Persons and entities will take reasonable steps to ensure that personally identifiable health information is complete, accurate, and up-to-date to the extent necessary to provide services to the customers of Pennie.
- Safeguards: PII and PHI is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized access, use, or disclosure.
- Accountability: These principles are implemented, and adherence assured, through independent security audits by a third party.
Information Sharing with External Entities
Pennie will need to share information with insurance carriers, as well as federal and state agencies in order to process requests for enrollment in QHPs/QDPs and determine eligibility for health/dental coverage, APTC, and CSR. The following table outlines the entities Pennie will share data with and how that data is used. All entities that receive data from Pennie are required to support the same level of data security standards as Pennie itself.
|#||Entity||Data||Usage of Data|
|1.||Qualified Health and Dental Plan Carriers||Individual APTC Amount, Premium Amount, Plan Selection, Enrollment Status||Carriers are notified of the customer’s plan selection and account maintenance activities. Pennie is notified by Carriers of the enrollment status.|
|2.||Pennsylvania Department of Human Services (DHS)||Individual Demographic, Income, Citizenship, Disability||DHS determines eligibility for Medicaid/CHIP in the Commonwealth. Pennie will refer applications for coverage to DHS via electronic data transfer if potential eligibility for Medicaid/CHIP is assessed.|
|3.||United States Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS)||Individual Enrollment,
Premium Amount, APTC
|Pennie is federally mandated to report enrollment, premium, and APTC amounts to CMS for each enrolled individual.|
|4.||United States Internal Revenue Service (IRS)||Individual Enrollment,
Premium Amount, APTC
|Pennie is federally mandated to report enrollment, premium, and APTC amounts to the IRS for each Tax Household.|
|5||United States Social Security Administration||Name, Social Security Number, Individual Demographic Information||Pennie is federally mandated to verify citizenship status.|
|6||United States Department of Homeland Security||Name, Social Security Number, Individual Demographic Information||Pennie is federally mandated to verify citizenship status.|
Customers may, at their own discretion, elect to share their information with enrollment professionals when requesting assistance with the application and enrollment process. Enrollment professionals include Navigators, whose role was created under the ACA to provide impartial education to customers regarding ACA health/dental plans and subsidies, but who are not permitted to recommend specific plans. Additional enrollment professionals include private insurance agents/brokers, who are certified by Pennie to provide ACA education and enrollment assistance, and who may offer plan recommendations based on a customer’s specific requirements. All enrollment professionals are required to comply with the terms of this policy, as well as other criteria established by Pennie.
Before information will be shared with an enrollment professional a customer must explicitly designate a Navigator or agent/broker using Pennie’s website, or by calling Pennie’s customer service call center. Customers may change or terminate their designation at any time.
Individual Access/Correction of Information
Section 155.260 of the ACA’s regulations provide you with certain rights to get information about you that are in our records. 45 C.F.R. § 155.260. Individuals may access their PII collected by Pennie at any time through the user portal on Pennie’s website. Customers are encouraged to review their application information on a regular basis to ensure its continued accuracy. Incorrect information can be corrected directly through the user portal, or by contacting the Pennie’s customer service call center. Designated enrollment professionals can also correct information on behalf of their customers.
Please note that in accordance with ACA regulations corrections to information provided on an application for coverage may result in a redetermination of eligibility.
Complaints Regarding the Improper Handling of PII or PHI
Complaints regarding the improper handling of PII should be submitted by email to Pennie’s Privacy Officer at Privacy@pennie.com. All complaints will be reviewed by the Privacy Officer and Pennie’s Executive Director, and all appropriate or required action will be taken.
Operational, Technical, Administrative, and Physical Safeguards
Pennie has taken several steps intended to safeguard the integrity of PII and PHI. Security measures have been integrated into the design, implementation, and day-to-day practices of the entire Pennie operating environment as part of its continuing commitment to risk management. PII and PHI is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. Pennie utilizes industry standard methods and mechanisms for data protection, such as firewalls, intrusion monitoring, and passwords to protect electronic information. Multiple physical security methods, such as locking devices and premises monitoring, are also employed to protect information contained in documents. Pennie’s website is equipped with security measures intended to protect the information you provide us.
Consistent with all applicable laws and regulations, Pennie will ensure that all information is protected through effective administrative and operational procedures. Pennie does not warrant the security of any information you transmit, however, Pennie will take all reasonable steps to ensure the confidentiality, integrity, and availability of all PII and PHI that is created, collected, used, or disclosed by Pennie.
PII and PHI will be used by, or disclosed to, only those authorized to receive or view it. In accordance with section 1411(g)(1) of the ACA, “[a]n applicant for insurance coverage or for a premium tax credit or cost-sharing reduction shall be required to provide only the information strictly necessary to authenticate identity, determine eligibility, and determine the amount of the credit or reduction.” 42 U.S.C. § 18081(g)(1).
The ACA prohibits the use of the information unless it is for Pennie operations (such as verification of eligibility for enrollment, APTC, or CSR). Id. Any person who knowingly and willfully uses or discloses information in violation of the ACA may be subject to civil penalties, in addition to other penalties that may be prescribe by law or contract. See generally 42 U.S.C. § 18081.
Tax return information will be kept confidential in accordance with section 6103 of the Internal Revenue Code. 26 U.S.C. § 6103. The IRS will disclose certain available items of federal tax return information to the Federal Data Services Hub after an individual submits an application for financial assistance in obtaining health coverage with Pennie or another state agency that administer Medicaid, CHIP, or basic health plans. The items that will be disclosed through the Federal Data Services Hub are described in section 6103(l)(21)(A) of the Internal Revenue Code and the regulations issued thereunder. 26 U.S.C. § 6103(l)(21)(A). Section 6103 of the Internal Revenue Code protects the confidentiality of federal tax return information.
Disclosure of federal tax return information to the United States Department of Health and Human Services is allowed in order to implement eligibility determinations for health insurance affordability programs within the confidentiality requirements in section 6103.4 of the Internal Revenue Code. 26 U.S.C. § 6103.4.
PII and PHI will be protected against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of such information.
PII and PHI will be protected against any reasonably anticipated uses or disclosures that are not permitted or required by law. PII and PHI will be kept long enough to achieve the specified objective for which the data was collected and then securely destroyed or disposed of in an appropriate and reasonable manner and in accordance with federal and state laws, regulations, and Pennie retention schedules.
- Pennie will ensure that its workforce complies with all information safeguards and security controls.
- Pennie will monitor, periodically assess, and update security controls to ensure the continued effectiveness of those controls.
- Pennie will require, as a condition of contracts and agreements, the same or more stringent privacy and security standards and controls of Navigators, agents, brokers, and other contractors authorized to access any PII or PHI.
- Pennie will use secure electronic interfaces when sharing PII or PHI electronically. In accordance with section 1413 of the ACA, Pennie will establish secure electronic interfaces with state health subsidy programs allowing Pennie to be consistent with privacy and security standards in section 1942 of the Social Security Act. 42 U.S.C. § 18083.
- Pennie will ensure that all data matching and data sharing arrangements between Pennie and agencies administering the Medicaid and CHIP meet all requirements applicable to Pennie, as well as all of the applicable requirements to Medicaid and CHIP.
Pennsylvania Privacy and Information Security Policies and Standards
Pennie follows standards, policies, and procedures designed to safeguard PII, PHI, financial information, and plan information entrusted to Pennie. Pennie’s portal and supporting systems adhere to federal security mandates and standards, specifically:
- Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules;
- National Institute of Standards and Technology (NIST) guidelines, industry practices for security, confidentiality and auditing; and
- Pennsylvania specific security requirements to secure data and information.
Privacy Act Statement
The Patient Protection and Affordable Care Act (Public Law No. 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law No. 111-152), and the Social Security Act authorizes Pennie to collect the information on your application and any necessary supporting documentation, including social security numbers, to determine whether you and the listed people on your application are eligible for health coverage or help paying for health coverage.
Pennie needs the information you provided us on your application about yourself and the other people included in your household to determine eligibility for: (1) enrollment in a qualified health plan through Pennie, (2) insurance affordability programs (such as Medicaid, APTC, and CSR), and (3) certifications of exemption from the individual responsibility requirement. As part of that process, Pennie will electronically verify the information you provided on your application; communicate with you or your authorized representative, if you choose to have one; and eventually provide the information to the health plan you select so that they can enroll any eligible individuals in a qualified health plan or insurance affordability program. Pennie will also use the information in the future to conduct activities such as verifying your continued eligibility for health coverage or help paying for health coverage, processing appeals, reporting on and managing the insurance affordability programs for eligible individuals, performing oversight and quality control activities, combatting fraud, and responding to any concerns about the security or confidentiality of the information.
While providing the information we ask you on the application (including social security numbers and documentation of your immigration status) is voluntary, failing to provide the information may delay or prevent you from obtaining health coverage or help paying for health coverage through Pennie. If you don’t provide correct information on this form or knowingly and willfully provide false or fraudulent information, you may be subject to a penalty and other law enforcement action.
In order determine if you and the people on your application are eligible for health coverage, or help paying for health coverage, and to operate Pennie, we will electronically check the information you provided us on your application with the information in other electronic data sources. Such data sources include:
- We will need to share your information with other federal and state government agencies, such as the Internal Revenue Service (IRS), the Social Security Administration (SSA), and the United States Department of Homeland Security (DHS), the United States Department of Health and Human Services, and the Pennsylvania Department of Human Services;
- Other electronic data sources, including customer reporting agencies;
- Employers identified on applications for eligibility determinations;
- The authorized representatives of applicants/enrollees;
- Agents, Brokers, and issuers of Qualified Health Plans, as applicable, who are certified by Pennie to assist applicants/enrollees and who have been authorized to help applicant/enrollees;
- Contractors we engage to help run Pennie; and
- Anyone else as required by law.
This statement provides the notice required by the Privacy Act of 1974 (5 U.S.C. § 552a(e)(4)).
Pennsylvania health insurance exchange authority fraud, waste, and abuse policy
The Pennsylvania Health Insurance Exchange Authority d/b/a Pennie (Pennie) is interested in protecting our customers and the Commonwealth by addressing fraud, waste and abuse. Generally, Pennie defines fraud, waste, and abuse as:
- Fraud is a false representation of the facts, including making false or misleading statements, or trying to hide wrongdoing by an individual(s) or an organization. It includes, but is not limited to, when an individual is believed to have knowingly and deliberately withheld information or provided incorrect information to obtain assistance for which he/she would otherwise be ineligible. The deception is intentional and usually results in a benefit to the perpetrator and/or causes damage, harm, or loss to the United States Government, the Commonwealth, or others. Example: The falsification of financial records to cover up a theft of money or state property.
- Waste is the unnecessary spending or careless squandering of the Commonwealth’s resources, whether intentional or unintentional. Sometimes, inefficient or ineffective business practices may result in waste. Example: The expenditure of state funds to purchase items that have no business purpose.
- Abuse is the intentional destruction, diversion, manipulation, misapplication, mistreatment, or misuse of Commonwealth resources; or the extravagant or excessive use of a person’s position or authority. Abuse can occur in a financial or non-financial environment. Example: An employee taking time off from work without properly discharging leave time.
For more information about fraud, waste, and abuse, visit the Pennsylvania Office of State Inspector General’s Website (OSIG) website at: https://www.osig.pa.gov/
Individuals are encouraged to report fraud, waste and abuse to Pennie. When you contact us for assistance, there are some important actions you can take to help protect yourself from fraud:
- If seeking assistance over the phone, verify that you have called 1-844-844-8040 and are speaking with a customer service representative or otherwise authorized representative of Pennie before sharing personal information. Contact Pennie if you suspect identity theft or think you gave your personal information to someone not affiliated with Pennie.
- If seeking assistance online, make sure you are on Pennie’s official website: www.pennie.com. Pennie is not affiliated with any other websites or domains. Contact Pennie if another website represents itself as being connected to Pennie or attempts to enroll you in a health plan purportedly through Pennie.
- If being assisted in the community, make sure you are working with a Pennie Certified Assister (such as a Navigator), broker, or certified application counselor. All trained and certified Navigators and Assisters obtain a certification number, as well as a certificate with this number on it, which they are always required to display while working with a customer. Pennie Customer Support Representatives also have employee identification numbers. Contact Pennie if you suspect that the individual attempting to assist you to apply for a health care plan is not affiliated with Pennie but claims to be.
- Do not provide any individual with any form of payment for their assistance. All assistance services provided by Pennie are free. Contact Pennie if someone claiming to be affiliated with Pennie requires or advertises a fee to help you enroll through Pennie.
- Contact Pennie if you suspect that your personal information has been improperly accessed, used, disclosed, or destroyed.
- Most importantly, when in doubt, do not disclose your information and contact Pennie at 1-844-844-8040.
You can report fraud to Pennie in the following ways:
By mail at:
Harrisburg, PA 17108
By calling: 1-844-844-8040
By email: email@example.com
Additionally, if you suspect identity theft or that you gave your personal information to someone you should not have, contact the Federal Trade Commission at www.ftccomplaintassistant.gov.
In situations where reporting an incident of fraud to Pennie would be uncomfortable, or there is a possibility that reporting an incident may put one’s employment or benefits at risk, individuals have the option to report fraud to the Pennsylvania OSIG.
The following are examples of the types of violations you may report to the Pennsylvania OSIG:
- Suspected theft, waste, or misuse of the Commonwealth’s resources, including funds, property, and employee time;
- Intentional misuse of grant funds;
- Falsification of official documents (timesheets, leave reports, etc.);
- Gross mismanagement;
- Gross neglect of duty;
- Gross misconduct by a state employee; or
- Any violation of state or federal law (including regulations) by a state agency or employee.
Individuals may contact the OSIG:
- By phone at: 1-855-FRAUD-PA (1-855-372-8372)
- By mail at:
Office of State Inspector General
555 Walnut Street, 8th Floor
Harrisburg, PA 17101
- By filling out a Fraud Complaint Form online at: https://www.osig.pa.gov/Pages/GovernmentComplaint.aspx
All reports to the Pennsylvania OSIG will be kept confidential.
Proposed Plan Certification Policy
Click here for the proposed Proposed Plan Certification Policy.
Click here to submit your feedback.
Website Translation Disclaimer
Pennie.com and Agency.pennie.com are providing translation services through a third-party translation service to assist you in reading our website in languages other than English. The translation service may not translate all types of documents, and may not provide an exact translation. The Pennsylvania Health Insurance Exchange Authority d/b/a Pennie™ and Commonwealth of Pennsylvania do not make any promises, assurances, or guarantees about the content of the translations, the specific functions of the translation options, its reliability, availability, or ability to meet your needs.
The Commonwealth of Pennsylvania, its officers, employees, and/or agents shall not be liable for damages or losses of any kind arising out of, or in connection with, the use of the translation tool, including but not limited to, damages or losses caused by the reliance upon the accuracy of translations, or damages incurred from the viewing, distributing, or copying of such materials.