The Centers for Medicare & Medicaid Services (CMS) have simplified enrollment in health plans sold through the Federally Facilitated Marketplace by developing a new ‘enhanced’ direct enrollment (EDE) pathway. This new pathway allows CMS to partner with the private sector to provide a more manageable and seamless enrollment experience for consumers by allowing them to apply for and enroll in an Exchange plan directly through an approved issuer or web-broker without the need to be redirected to HealthCare.gov or contact the Exchange Call Center. The new process uses “APIs” (application programming interfaces) to transfer data between the Federally-facilitated Exchange and approved partner websites.
Consumers can once again interact directly with the carrier to:
- Shop for and enroll in on-exchange plans
- Submit required documentation to the marketplace, such as proof of income and citizenship status
- Make premium payments
- Report life changes and update their information and
- Renew their coverage during open enrollment
Carriers are thereby able to implement a streamlined and higher converting plan enrollment experience on their own web properties, agent tools, and customer service portals. This new standard also benefits brokers because direct enrollment is a faster process which results in brokers being able to enroll more consumers during the limited open enrollment period.
Third Party Auditor Requirement
Before EDE partners are approved, extensive reviews and audits must be conducted by an independent third-party auditor. Specifically, a direct enrollment entity that wishes to participate in EDE must submit an operational readiness review (ORR) composed of two separate audit packages:
- A business requirements audit and
- A privacy and security audit
CMS reviews the audit results to ensure compliance with nearly 300 CMS security and privacy standards. CMS also requires business logic audits, to ensure that a partner’s system will accurately deliver consumer information to the Exchange for an eligibility determination.
Additionally, EDE partners must sign a privacy and security agreement with CMS that describes their specific roles and responsibilities to protect consumer’s information and the standards they are committed to maintaining. Once an EDE partner obtains initial approval, CMS will continue to monitor the partner for compliance with program requirements.
For Classic DE Web Brokers, CMS in December 2019 established new requirements for prospective web-brokers onboarding on or after January 1, 2020. The requirement also applies to the existing web-brokers that completed the Web-Broker Agreement renewal in 2020 in order to continue to operate as web-brokers for plan year (PY) 2021.
Web-brokers must implement the 159 critical security and privacy controls4 specified in the Web-broker Agreement consistent with the Non-Exchange Entity Systems Security and Privacy Plan (NEE SSP). contains comprehensive security and privacy control objectives for all aspects of the DE program (i.e., classic DE and EDE).
Hence, web-brokers are required to assess the 159 critical controls in the Web-broker Agreement, and the web-broker must conduct a privacy and security audit.