Privacy Policy

Virginia's Insurance Marketplace Privacy Policy


The Health Benefit Exchange Division of the State Corporation Commission d/b/a Virginia’s Insurance Marketplace (Virginia’s Marketplace) is the Commonwealth of Virginia’s Affordable Care Act (ACA) Administering Entity. As part of the Marketplace’s responsibilities, it will collect sensitive information from customers in order to perform its ACA-mandated functions, such as enrolling customers in Qualified Health Plans (QHPs) or Qualified Dental Plans (QDPs) and determining someone’s eligibility for Advance Premium Tax Credits (APTC) and Cost-Sharing Reductions (CSR). To do this, Virginia's Marketplace collects certain Personally Identifiable Information (PII) and Protected Health Information (PHI). Both PII and PHI are protected by federal and state laws. We are making this policy available to you to keep you informed about the ways in which Virginia’s Marketplace uses and discloses information and will always strive to be transparent about the policies and procedures that affect your information.  

At Virginia's Marketplace, your privacy is important. Virginia's Marketplace respects your right to privacy and will protect your information in accordance with the applicable laws, regulations, and standards for security and privacy.  

This Privacy Policy describes how information obtained by Virginia's Marketplace from various sources – such as the customer, parents and guardians about their children, employers, employees, and governmental sources – may be collected, used, disclosed, and accessed. The information in this Privacy Policy will allow you to make informed decisions about your interactions with Virginia’s Marketplace, such as decisions about whether to share PII or PHI with us. Virginia’s Marketplace may amend this Privacy Policy from time to time without notice.  

Privacy and Security Partnership  

Your privacy is best protected through a partnership between Virginia’s Marketplace and you, the customer. We take steps to protect your privacy in accordance with the privacy and security standards for the protection of PII and PHI established in the ACA and its regulations. See 45 C.F.R. § 155.260. You should also take steps to help keep your PII and PHI safe by not sharing your password for Virginia’s Marketplace with anyone and by being mindful of potential fraud when asked to provide such personal information.  

Collection of Information  

Virginia's Marketplace collects information from you that you provide voluntarily through several mechanisms, such as surveys, electronic messages you choose to send to Virginia's Marketplace, the application process, verbal interactions with our employees and our customer service call center representatives and appeals you may file. Surveys, for instance, may collect PII you voluntarily submit, such as name, e-mail address, mailing address, or telephone number. Virginia’s Marketplace may collect information through other means so that we may contact you for follow-up to your questions, concerns, or recommendations. Electronic messages sent by you may contain PII, such as your name, e-mail address, mailing address, or telephone, and any other information you choose to give us to help us answer your inquiry. Applications also will include specific PII or PHI, such as social security numbers and, in some instances, tax and income information.  

Please know that Virginia's Marketplace will only collect the minimum information required to achieve its mission of providing affordable health insurance to individuals in the Commonwealth. The information collected during the application process, enrollment, customer support, and the renewal process will only be used to ensure the efficient operation of Virginia's Marketplace, to verify the eligibility of an individual for enrollment through Virginia’s Marketplace or to claim an APTC or CSR, and to determine the amount of the tax credit or reduction. This information will not be shared, sold, or transferred to any third party for the third party’s direct marketing purposes without your prior consent and will not be provided to any other person or entity unless it is required to determine eligibility or enroll in a QHP/QDP. Once you voluntarily submit your PII or PHI to Virginia’s Marketplace, it will be governed by federal and state laws and regulations, including but not limited to section 155.260 of the ACA’s regulations. See 45 C.F.R. § 155.260.  

In order to facilitate enrollment in Virginia's Marketplace, and to determine eligibility for QHPs/QDPs, APTC, and CSR, Virginia's Marketplace must collect information necessary to authenticate identity, citizenship status, residency, income, and incarceration status. 3 Confidential  

This data includes, but is not limited to:  

• Demographic Data:  

Name, Address, Telephone Number, Email, Age  

• Income Data:  

Tax Filing Status, Marriage Status, Tax Dependents, Employer, Annual or Monthly Income  

• Citizenship and Immigration Data:  

Social Security Number, Resident Alien Number, Native American Tribe ID Number, Incarceration Status  

• Disability Information: Whether the applicant/household member is blind, disabled, or requires assistance with daily living (this information cannot be used to deny coverage, but may be used to determine whether an individual is eligible for Medicaid)  

• Medical Insurance Coverage Information: Past and current health insurance coverage, customer plan selections, and other information necessary to facilitate enrollment.  

The information that you voluntarily submit to Virginia's Marketplace may be used for purposes such as: determining eligibility for enrollment in qualified health plans; assessing eligibility for Medicaid and other insurance affordability programs; determining eligibility for premium support; answering your questions; responding to requests for assistance; generating summary statistics about usage; auditing applications and detecting fraud; aiding in the planning, design, and development of Virginia's Marketplace operations and Virginia’s Marketplace’s website; and fulfilling our legal obligations, including as necessary or advisable to protect Virginia’s Marketplace’s rights, safety, or property or the rights, safety, or property of others; enforce this Privacy Policy; comply with legal process or cooperate with law enforcement or governmental requests.  

Additionally, the information you voluntarily provide may be used to improve Virginia's Marketplace’s enrollment system and the overall usability of the site. Some data regarding page views, browsing behavior, and system response times may also be collected. All personal data changes, eligibility results, plan selections, and any other action performed by the user will be tracked for audit and appeals purposes.  

Each interaction between an individual and the Virginia's Marketplace’s website or customer service call center will also be documented along with any communications, notifications, or emails. Additionally, telephone calls to the Virginia's Marketplace customer service call center will be recorded for audit, training, and appeals purposes. The primary purpose of recording this information is to help improve the efficiency of the Virginia’s Marketplace’s operations, including streamlined support of the appeals process. Calling into Virginia’s Marketplace’s customer service call center will constitute consent to be recorded for these purposes.  

The PII or PHI you provide us will be disclosed by us only to Virginia's Marketplace employees; business partners; grantees; contractors; designees; governmental agencies, insurance companies (and, where necessary, to law enforcement officials), with a “need to know” in order to fulfill their job responsibilities or duties in connection with Virginia's Marketplace operations, such as maintaining our website or improving the customer experience and assisting with processing of your application.  

Virginia's Marketplace will collect and aggregate the information you provide through surveys and other means for purposes of market research to make Virginia's Marketplace more responsive to customer needs. From time-to-time, Virginia’s Marketplace may combine personal information we collect from you with information available from other sources (e.g., Medicaid eligibility information from the Virginia Department of Medical Assistance Services). We will treat the combined information as PII.  

Virginia's Marketplace may, as permitted by law, use and share aggregate data or information that does not identify you (sometimes referred to as “de-identified” data). Such activities are not subject to restrictions under this Privacy Policy. We will not re-identify such data and will require our contracting parties to agree to keep the data in de-identified form.  


If you interact with Virginia's Marketplace through its website,, your browsing experience may be customized by utilizing your browser’s “cookies” to store a randomly generated identifying tag on your computer. A cookie is a small text file that is saved on your computer when you visit a website.  

You can refuse the cookie or delete the cookie file from your computer’s browser at any time by using any one of several widely available methods. Cookies created by using our website and stored on your computer do not contain personally identifiable information and do not compromise your privacy or security.  

Session cookies allow you to move through many pages of a website quickly and easily without having to authenticate or reprocess each new area you visit. Session cookies are destroyed after successful completion of a transaction, after a few minutes of inactivity, or when the browser is closed.  

Persistent cookies help websites remember your information and settings when you visit them in the future. They continue to exist after a few minutes of inactivity, after the browser is closed, or after a user completes a single session.  


The information posted on the Virginia's Marketplace’s website may include hypertext links to information created and maintained by other public and/or private organizations (external websites). These links are provided for your information and convenience. When you select a link to an outside website, you are leaving the Virginia's Marketplace website and are subject to the privacy and security policies of the owners/sponsors of the outside website.  

Virginia's Marketplace does not control or guarantee the accuracy, relevance, timeliness, or completeness of information contained on an outside website. Virginia’s Marketplace does not endorse the organizations sponsoring outside websites and does not endorse the views they express or the products/services they offer.  

Virginia's Marketplace is not responsible for transmissions users receive from outside websites. Virginia's Marketplace cannot guarantee that outside websites comply with accessibility requirements. 6 Confidential  

Do I have to Give PII or PHI to Virginia's Marketplace?  

By using Virginia's Marketplace’s services whether through the website, or customer service call center, mail, or other means, you consent to the collection, use, and sharing of your information as outlined in this privacy policy and to the limitations on our responsibilities to you. By providing information to Virginia's Marketplace, you are agreeing to be bound by these terms as in effect, all applicable laws and regulations, and any other applicable policies, terms, and guidelines established by Virginia’s Marketplace. If you do not agree with any of these terms, do not access Virginia’s Marketplace’s website or customer service center.  

You do not have to give PII or PHI to Virginia's Marketplace. However, if you do not give this information, it will prevent Virginia's Marketplace from determining your eligibility for assistance in paying for coverage or determining your eligibility for benefits, programs, or exemptions.  

Be sure to provide correct information. Anyone who fails to provide correct information or who knowingly and willfully provides false or untrue information to Virginia's Marketplace may be subject to a penalty and other law enforcement action.  

Notably, people applying for health coverage need to provide a social security number (SSN), if they have one. An application filer must also provide the SSN of any tax filer who is not applying for health coverage if the tax filer’s tax information will be used to verify the household’s eligibility for help with paying for health coverage. Other people not applying for health coverage are encouraged to provide their SSNs to speed up the application process but aren’t required to provide one.  

Virginia's Marketplace uses SSNs to check income and other information to see who is eligible for help with health coverage costs. If someone wants help getting an SSN, they can visit, or call 1-800-772-1213. TTY users should call 1-800-325-0778.  

Authority to Collect  

Section 155.260 of the United States Department of Health and Human Services (DHHS) regulations state that Virginia's Marketplace may collect PII or PHI to determine eligibility for enrollment in qualified health plans, to determine eligibility for Medicaid/ Family Access to Medical Insurance Security Plan (FAMIS) and other insurance affordability programs, and to determine eligibility for exemptions from the individual mandate to maintain health insurance coverage. See 45 CFR § 155.260. Virginia's Marketplace will fully comply with this federal regulation. Virginia's Marketplace will not create, collect, use or disclose PII or PHI for any purposes that are not authorized under this regulation.  

The following principles are outlined in the regulation:  

Individual Access: Individuals will be provided with a simple and timely means to access and obtain their PII and PHI.  

Correction: Individuals will be provided with a timely means to dispute the accuracy of their PII and PHI and to have erroneous information corrected.  

Openness and Transparency: All policies, procedures, and technologies that affect individuals and their PII or PHI are fully disclosed to the public.  

Individual Choice: Individuals will be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their PII and PHI.  

Collection, Use, and Disclosure Limitations: PII and PHI will be created, collected, used, and/or disclosed only to the extent necessary to accomplish the goals of Virginia's Marketplace.  

• Data Quality and Integrity: Persons and entities will take reasonable steps to ensure that personally identifiable health information is complete, accurate, and up to date to the extent necessary to provide services to the customers of Virginia's Marketplace.  

Safeguards: PII and PHI is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized access, use, or disclosure.  

Accountability: These principles are implemented, and adherence assured, through independent security audits by a third party.  

Information Sharing with External Entities  

Virginia's Marketplace will need to share information with insurance carriers, as well as federal and state agencies in order to process requests for enrollment in QHPs/QDPs and determine eligibility for health/dental coverage, APTC, CSR, and Medicaid/FAMIS. The following table outlines the entities Virginia's Marketplace will share data with and how that data is used. All entities that receive data from Virginia’s Marketplace are required to support the same level of data security standards as Virginia's Marketplace itself.

Qualified Health and Dental Plan Carriers

  • Individual APTC Amount, Premium Amount, Plan Selection, Enrollment Status
  • Carriers are notified of the customer’s plan selection and account maintenance activities. Virginia's Marketplace is notified by Carriers of the enrollment status.

Virginia Department of Medical Assistance Services (DMAS)

  • Individual Demographic, Income, Citizenship, Disability
  • DMAS determines eligibility for Medicaid/FAMIS in the Commonwealth. Virginia's Marketplace will refer applications for coverage to DMAS via electronic data transfer if potential eligibility for Medicaid/FAMIS is assessed.

United States Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS)

  • Individual Enrollment, Premium Amount, APTC  
  • Virginia's Marketplace is federally mandated to report enrollment, Services, Centers for Medicare and Medicaid Services (CMS) premium, and APTC amounts to CMS for each enrolled individual.

United States Internal Revenue Service (IRS)

  • Individual Enrollment, Premium Amount, APTC
  • Virginia's Marketplace is federally mandated to report enrollment, premium, and APTC amounts to the IRS and verify income for each Tax Household.  

United States Social Security Administration  

  • Name, Social Security Number, Individual Demographic Information  
  • Virginia's Marketplace is federally mandated to verify citizenship status.  

United States Department of Homeland Security  

  • Name, Social Security Number, Individual Demographic Information  
  • Virginia's Marketplace is federally mandated to verify citizenship status.  


  • Name, FCR Credit Data, Individual Demographic Information  
  • Virginia's Marketplace is federally mandated to verify identity and income.  

Information Sharing with Enrollment Professionals  

Customers may, at their own discretion, elect to share their information with enrollment professionals when requesting assistance with the application and enrollment process. Enrollment professionals include Navigators, CDOs and CACs whose role was created under the ACA to provide impartial education to customers regarding ACA health/dental plans and subsidies, but who are not permitted to recommend specific plans. Additional enrollment professionals include certified insurance agents to provide ACA education and enrollment assistance, and who may offer plan recommendations based on a customer’s specific requirements. All enrollment professionals are required to comply with the terms of this policy, as well as other criteria established by Virginia's Marketplace.

Before information will be shared with an enrollment professional a customer must explicitly designate a Navigator or agent/broker using Virginia's Marketplace’s website, or by calling Virginia's Marketplace customer service center. Customers may change or terminate their designation at any time.

Individual Access/Correction of Information

Section 155.260 of the ACA’s regulations provide you with certain rights to get information about you that are in our records. 45 C.F.R. § 155.260. Individuals may access their PII collected by Virginia's Marketplace at any time through the user portal on Virginia's Marketplace. Customers are encouraged to review their application information on a regular basis to ensure its continued accuracy. Incorrect information can be corrected directly through the user portal, or by contacting Virginia’s Marketplace’s customer service center. Designated enrollment professionals can also correct information on behalf of their customers.

Please note that in accordance with ACA regulations corrections to information provided on an application for coverage may result in a redetermination of eligibility.

Complaints Regarding the Improper Handling of PII or PHI  

Complaints regarding the improper handling of PII should be submitted by email to Virginia's Marketplace’s Privacy Officer at All complaints will be reviewed by the Privacy Officer and Legal Counsel, and all appropriate parties for required action will be taken.

If it is determined that a complaint warrants a revision to Virginia's Marketplace’s Privacy Policy, then the change will be drafted and submitted to the Virginia's Marketplace’s Policy Change Control Group for approval.

Operational, Technical, Administrative, and Physical Safeguards

Virginia's Marketplace has taken several steps intended to safeguard the integrity of PII and PHI. Security measures have been integrated into the design, implementation, and day-to-day practices of the entire Virginia's Marketplace operating environment as part of its continuing commitment to risk management. PII and PHI is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. Virginia’s Marketplace utilizes industry standard methods and mechanisms for data protection, such as firewalls, intrusion monitoring, and passwords to protect electronic information. Multiple physical security methods, such as locking devices and premises monitoring, are also employed to protect information contained in documents. Virginia’s Marketplace’s website is equipped with security measures intended to protect the information you provide us.

Consistent with all applicable laws and regulations, Virginia's Marketplace will ensure that all information is protected through effective administrative and operational procedures, including secure electronic interfaces when PII is shared and regular assessment and updating of safeguards and procedures. Virginia's Marketplace does not warrant the security of any information you transmit; however, Virginia's Marketplace will take all reasonable steps to ensure the confidentiality, integrity, and availability of all PII and PHI that is created, collected, used, or disclosed by Virginia's Marketplace.

PII and PHI will be used by, or disclosed to, only those authorized to receive or view it. In accordance with section 1411(g)(1) of the ACA, “[a]n applicant for insurance coverage or for a premium tax credit or cost-sharing reduction shall be required to provide only the information strictly necessary to authenticate identity, determine eligibility, and determine the amount of the credit or reduction.” 42 U.S.C. § 18081(g)(1).

The ACA prohibits the use of the information unless it is for Virginia’s Marketplace operations (such as verification of eligibility for enrollment, APTC, or CSR).  Any person who knowingly and willfully uses or discloses information in violation of the ACA may be subject to civil penalties, in addition to other penalties that may be prescribed by law or contract. See generally 42 U.S.C. § 18081.

Tax return information will be kept confidential in accordance with section 6103 of the Internal Revenue Code. 26 U.S.C. § 6103. The IRS will disclose certain available items of federal tax return information to the Federal Data Services Hub after an individual submits an application for financial assistance in obtaining health coverage with Virginia's Marketplace or another state agency that administer Medicaid and FAMIS. The items that will be disclosed through the Federal Data Services Hub are described in section 6103(l)(21)(A) of the Internal Revenue Code and the regulations issued thereunder. 26 U.S.C. § 6103(l)(21)(A). Section 6103 of the Internal Revenue Code protects the confidentiality of federal tax return information.

Disclosure of federal tax return information to the United States Department of Health and Human Services is allowed in order to implement eligibility determinations for health insurance affordability programs within the confidentiality requirements in section 6103.4 of the Internal Revenue Code. 26 U.S.C. § 6103.4

PII and PHI will be protected against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of such information.

PII and PHI will be protected against any reasonably anticipated uses or disclosures that are not permitted or required by law. PII and PHI will be kept long enough to achieve the specified objective for which the data was collected and then securely destroyed or disposed of in an appropriate and reasonable manner and in accordance with federal and state laws, regulations, and Virginia's Marketplace retention schedules.

Security Controls

• Virginia's Marketplace will ensure that its workforce complies with all information safeguards and security controls.

• Virginia's Marketplace will monitor, periodically assess, and update security controls to ensure the continued effectiveness of those controls.

• Virginia's Marketplace will require, as a condition of contracts and agreements, the same or more stringent privacy and security standards and controls of Navigators, agents, brokers, and other contractors authorized to access any PII or PHI.

• Virginia's Marketplace will use secure electronic interfaces when sharing PII or PHI electronically. In accordance with section 1413 of the ACA, Virginia's Marketplace will establish secure electronic interfaces with state health subsidy programs allowing Virginia’s Marketplace to be consistent with privacy and security standards in section 1942 of the Social Security Act. 42 U.S.C. § 18083.

• Virginia's Marketplace will ensure that all data matching and data sharing arrangements between Virginia's Marketplace and agencies administering Medicaid and FAMIS meet all requirements applicable to Virginia’s Marketplace as well as all of the applicable requirements to Medicaid and FAMIS.

Virginia Privacy and Information Security Policies and Standards

Virginia's Marketplace follows standards, policies, and procedures designed to safeguard PII, PHI, and plan information entrusted to Virginia's Marketplace. Virginia’s Marketplace’s portal and supporting systems adhere to federal security mandates and standards, specifically:

• Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules;

• National Institute of Standards and Technology (NIST) guidelines, industry practices for security, confidentiality, and auditing; and

• Virginia specific security requirements to secure data and information.

Privacy Act Statement

Privacy Act Statement

The Patient Protection and Affordable Care Act (Public Law No. 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law No. 111-152), and the Social Security Act authorizes Virginia's Marketplace to collect the information on your application and any necessary supporting documentation, including social security numbers, to determine whether you and the listed people on your application are eligible for health coverage or help paying for health coverage.

Virginia's Marketplace needs the information you provided us on your application about yourself and the other people included in your household to determine eligibility for: (1) enrollment in a qualified health plan through Virginia's Marketplace, (2) insurance affordability programs (such as Medicaid, APTC, and CSR), and (3) certifications of exemption from the individual responsibility requirement. As part of that process, Virginia’s Marketplace will electronically verify information you provided on your application; communicate with you or your authorized representative, if you choose to have one; and eventually provide the information to the health plan you select so that they can enroll any eligible individuals in a qualified health plan or insurance affordability program. Virginia’s Marketplace will also use the information in the future to conduct activities such as verifying your continued eligibility for health coverage or help paying for health coverage, processing appeals, reporting on and managing the insurance affordability programs for eligible individuals, performing oversight and quality control activities, combatting fraud, and responding to any concerns about the security or confidentiality of the information.

While providing the information we ask you on the application (including social security numbers and documentation of your immigration status) is voluntary, failing to provide the information may delay or prevent you from obtaining health coverage or help paying for health coverage through Virginia's Marketplace. If you don’t provide correct information on this form or knowingly and willfully provide false or fraudulent information, you may be subject to a penalty and other law enforcement action.

To determine if you and the people on your application are eligible for health coverage, or help paying for health coverage, and to operate Virginia's Marketplace, we will electronically check the information you provided us on your application with the information in other electronic data sources. Such data sources include:

We will need to share your information with other federal and state government agencies, such as the Internal Revenue Service (IRS), the Social Security Administration (SSA), and the United States Department of Homeland Security (DHS), the United States Department of Health and Human Services, and the Virginia Department of Medical Assistance Services (DMAS);

2. Other electronic data sources, including customer reporting agencies;

3. Employers identified on applications for eligibility determinations;

4. Applicants/enrollees;

5. The authorized representatives of applicants/enrollees;

6. Agents, Brokers, and issuers of Qualified Health Plans, as applicable, who are certified by Virginia's Marketplace to assist applicants/enrollees and who have been authorized to help applicant/enrollees;

7. Contractors we engage to help run Virginia's Marketplace; and

8. Anyone else as required by law.

This statement provides the notice required by the Privacy Act of 1974 (5 U.S.C. § 552a(e)(4)).