(a) Data collection requirements. If a State is operating a risk adjustment program, the State must collect risk adjustment data.
(b) Minimum standards.
(1) If a State is operating a risk adjustment program, the State may vary the amount and type of data collected, but the State must collect or calculate individual risk scores generated by the risk adjustment model in the applicable Federally certified risk adjustment methodology;
(2) If a State is operating a risk adjustment program, the State must require that issuers offering risk adjustment covered plans in the State comply with data privacy and security standards set forth in the applicable risk adjustment data collection approach; and
(3) If a State is operating a risk adjustment program, the State must ensure that any collection of personally identifiable information is limited to information reasonably necessary for use in the applicable risk adjustment model, calculation of plan average actuarial risk, or calculation of payments and charges. Except for purposes of data validation, the State may not collect or store any personally identifiable information for use as a unique identifier for an enrollee's data, unless such information is masked or encrypted by the issuer, with the key to that masking or encryption withheld from the State. Use and disclosure of personally identifiable information is limited to those purposes for which the personally identifiable information was collected (including for purposes of data validation).
(4) If a State is operating a risk adjustment program, the State must implement security standards that provide administrative, physical, and technical safeguards for the individually identifiable information consistent with the security standards described at 45 CFR 164.308, 164.310, and 164.312.
[77 FR 17248, Mar. 23, 2012, as amended at 78 FR 15528, Mar. 11, 2013]