PROTECTED HEALTH INFORMATION (PHI) PRIVACY NOTICE

As a condition of operating in a Federally-facilitated Individual Marketplace, agents and brokers must execute the Federally-
facilitated Marketplace Agreement, which includes privacy and security standards. These privacy and security standards include
the requirement that agents and brokers provide individuals with a Privacy Notice Statement regarding use and disclosure of
PHI. This Privacy Notice Statement must be presented to individuals prior to assisting them with application and enrollment in
coverage through a Federally-facilitated Individual Marketplace.

The following privacy notice describes how producers may use and disclose your PHI for purposes of health care operations,
and for other purposes that are permitted or required by law. PHI is information about you, including demographic information,
that may identify you and that relates to your past, present or future physical condition and related health care services, or
payment for health care services.

OBLIGATIONS AND ACTIVITIES OF PRODUCER

Producer shall:
A. Not use or disclose PHI other than as permitted or required by law. Except as otherwise limited, the producer may use
or disclose PHI to perform functions, activities, or services for, or on behalf of the covered entity, provided that each use or
disclosure would not violate the Privacy Rule. The producer must obtain reasonable assurances from any person to whom the
information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose
for which it was disclosed to the person, and the person notifies the producer of any instances of which it is aware in which the
confidentiality of the information has been breached.
B. Use appropriate safeguards to prevent use or disclosure of PHI other than as permitted or required by law. The producer
shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality,
integrity, and availability of Electronic PHI (e-PHI) that it creates, receives, maintains or transmits on behalf of the consumer.
C. Report to the covered entity immediately any use or disclosure of PHI not permitted or required by law of which it becomes
aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes
aware.
D. Notify the covered entity of a Breach of Unsecured PHI within 24 hours of the discovery of such Breach, followed by a report
in writing, except where a law enforcement official determines that a notification would impede a criminal investigation or
cause damage to national security. The producer’s written notification to the covered entity hereunder shall:
1. Be made to the covered entity within 48 hours of the initial oral report, and
2. Include the individual whose Unsecured PHI has been, or is reasonably believed to have been, the subject of a Breach.
E. In the event of an unauthorized use or disclosure of PHI or a Breach of unsecured PHI, the producer shall
mitigate to the extent practicable any harmful effects of said disclosure that are known to it;
F. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create,
receive, maintain, or transmit PHI on behalf of the producer agree to the same restrictions, conditions, and requirements that
apply to the producer with respect to such information;
G. Within 7 days of request, make available PHI in a Designated Record Set to the covered entity as necessary to satisfy the
covered entity's obligations under 45 CFR 164.524;
H. Make any amendment to PHI in a Designated Record Set as directed or agreed to by the covered entity pursuant to 45 CFR
164.526, or take other measures as necessary to satisfy the covered entity's obligations under 45 CFR 164.526;
I. Maintain and make available, within 7 days after a request for such information, the information required to provide an
accounting of disclosures to the covered entity as necessary to satisfy the covered entity's obligations under 45 CFR 164.528;
J. To the extent the producer is to carry out one or more of the covered entity's obligation(s) under Subpart E of 45 CFR Part
164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s);
K. With respect to any use, disclosure or request for PHI described in 45 CFR 502(b)(1), the producer shall limit the PHI to the
extent practicable to the limited data set as defined in 45 CFR 164.514(e)(2) or, if needed, to the minimum necessary to
accomplish the intended purpose of such use, disclosure or request;
L. Make its internal practices, books, and records available to the covered entity for purposes of determining compliance with
the HIPAA Rules; and
M. The producer shall be directly responsible for full compliance with the relevant requirements of the Privacy Rule to the same
extent as the covered entity.

I hereby acknowledge receipt of the PHI privacy notice.