Section 760 IAC 4-5-2. Privacy and security agreement
      (a) The commissioner shall, in consultation with the secretary, develop a privacy and security agreement for navigators and application organizations pursuant to this rule.

      (b) Navigators and application organizations shall maintain and protect all personal information received from individuals when assisting such individuals with application for and enrollment in a QHP through a health benefit exchange or in a public health insurance program with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality and to prevent unauthorized or inappropriate access, use, or disclosure of such personal information.

      (c) Navigators and application organizations shall follow all state and federal laws governing the privacy and security of personal information received from individuals whom they are assisting with application for and enrollment in a QHP through a health benefit exchange or in a public health insurance program.

      (d) Navigators and application organizations shall comply with the following safeguards to maintain and protect the confidentiality of personal information:

    (1) Personal information shall only be disclosed to those individuals or entities authorized by law or by the individual to whom the personal information belongs.

    (2) When disclosing personal information to authorized individuals or entities, reasonable efforts shall be made to limit disclosure of the personal information to the minimum necessary personal information needed to accomplish the intended purpose of such disclosure.

    (3) Personal information shall be protected against any reasonably anticipated threats or hazards to the confidentiality of such personal information.

    (4) Personal information shall be protected against any reasonably anticipated uses or disclosures that are not permitted or required by law.

    (5) Personal information shall be securely destroyed or disposed of in an appropriate and reasonable manner that results in the personal information being illegible and unusable.

      (e) If a security breach or improper disclosure of personal information occurs, the navigator or application organization shall:

    (1) take immediate steps to mitigate any potential harm related to the security breach or improper disclosure;

    (2) notify the affected individual or individuals of the security breach or improper disclosure as soon as reasonably practical, but no later than ten (10) business days following the discovery of such security breach or improper disclosure, by U.S. first class mail or electronic mail if the affected individual or individuals have elected to receive notices or correspondence from the navigator or application organization via electronic mail;

    (3) report any security breach or improper disclosure of personal information as soon as reasonably practical, but no later than five (5) business days following the discovery of such security breach or improper disclosure, to the department in a manner specified by the commissioner; and

    (4) comply with state and federal law related to security breaches if applicable, including, but not limited to, IC 24-4.9-1 et seq.

      (f) Navigators and application organizations shall make available their internal privacy practices and policies upon request by the department.

      (g) If a navigator or application organization does not comply with the requirements of this rule, the commissioner may initiate an enforcement action against the navigator or application organization under 760 IAC 4-7. (Department of Insurance; 760 IAC 4-5-2; filed Jun 10, 2016, 1:21 p.m.: 20160706-IR-760150033FRA)