What are the privacy and security obligations when handling marketplace consumer information?

Handling marketplace consumer information requires strong privacy and security responsibilities. Providers and navigators must protect personal data, comply with HIPAA and other privacy protections, and ensure secure handling and storage of PII and PHI. This means putting practical safeguards in place—access controls so only authorized staff can view data, encryption for data at rest and in transit, secure storage, and established procedures for incident response and breach notification. HIPAA’s Privacy Rule and Security Rule govern how PHI can be used or shared and require appropriate safeguards, with HIPAA applying to entities that handle PHI on behalf of covered entities. PII is any data that could identify a person, while PHI is health information linked to a person; both require careful protection in the marketplace context. Privacy isn’t optional, data isn’t free to be shared with employers without consent or legal basis, and data shouldn’t be kept indefinitely without safeguards or retention controls.