45 CFR 155.260 v2024
CMS Privacy and Security Standards
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
155 — Privacy and Security of PII (59 requirements)
155.260 Privacy and Security of Personally Identifiable Information
155.260(a) Exchange Privacy and Security Requirements
155.260(a)(1) Permitted Use and Disclosure of PII
155.260(a)(1)(i) Disclosure for Exchange Functions
155.260(a)(1)(ii) Secretary-Approved Disclosure with Consent
155.260(a)(1)(iii) Additional Secretary-Approved Uses with Consent
155.260(a)(1)(iii)(A) HHS Approval Criteria for Additional Uses
155.260(a)(1)(iii)(B) Submission Requirements for Additional Use Approval
155.260(a)(1)(iii)(B)(1) Exchange Identity and Contact Information
155.260(a)(1)(iii)(B)(2) Description of Proposed Use or Disclosure
155.260(a)(1)(iii)(B)(3) Justification for Efficient Exchange Operation
155.260(a)(1)(iii)(B)(4) Privacy and Security Protection Description
155.260(a)(2) Limitation on PII Creation, Collection, Use, and Disclosure
155.260(a)(3) Privacy and Security Principles
155.260(a)(3)(i) Individual Access to PII
155.260(a)(3)(ii) Dispute and Correction of PII
155.260(a)(3)(iii) Openness and Transparency
155.260(a)(3)(iv) Informed Decision-Making
155.260(a)(3)(v) Purpose Limitation and Non-Discrimination
155.260(a)(3)(vi) Data Quality and Integrity
155.260(a)(3)(vii) PII Safeguards
155.260(a)(3)(viii) Monitoring and Breach Mitigation
155.260(a)(4) Operational, Technical, Administrative, and Physical Safeguards
155.260(a)(4)(i) Confidentiality, Integrity, and Availability of PII
155.260(a)(4)(ii) Authorized Access Only
155.260(a)(4)(iii) Confidentiality of Return Information
155.260(a)(4)(iv) Protection Against Threats and Hazards
155.260(a)(4)(v) Protection Against Unauthorized Use or Disclosure
155.260(a)(4)(vi) Secure Destruction and Disposal
155.260(a)(5) Continuous Security Monitoring and Assessment
155.260(a)(6) Secure Electronic Interfaces
155.260(b) Non-Exchange Entity Requirements
155.260(b)(1) Definition of Non-Exchange Entity
155.260(b)(1)(i) Access to Exchange PII
155.260(b)(1)(ii) Direct Collection from Applicants
155.260(b)(2) Contract Requirements for Non-Exchange Entities
155.260(b)(2)(i) Function Description
155.260(b)(2)(ii) Privacy and Security Compliance Binding
155.260(b)(2)(iii) Security Monitoring Requirement
155.260(b)(2)(iv) Material Change Notification
155.260(b)(2)(v) Downstream Entity Binding
155.260(b)(3) Privacy and Security Standards for Non-Exchange Entities
155.260(b)(3)(i) Consistency with Exchange Standards
155.260(b)(3)(ii) Compliance with Additional Requirements
155.260(b)(3)(iii) Specific Considerations for Non-Exchange Standards
155.260(b)(3)(iii)(A) Operating Environment Consideration
155.260(b)(3)(iii)(B) Relevance to Entity Activities
155.260(b)(3)(iii)(C) Existing Legal Requirements
155.260(c) Workforce Compliance
155.260(d) Written Policies and Procedures
155.260(d)(1) Written Documentation and Availability
155.260(d)(2) Identification of Applicable Law
155.260(e) Data Sharing with Medicaid, CHIP, and BHP
155.260(e)(1) Compliance with Section Requirements
155.260(e)(2) Affordable Care Act Compliance
155.260(e)(3) Medicaid Stringency Requirements
155.260(e)(4) Matching Program Compliance
155.260(f) Confidentiality of Return Information
155.260(g) Civil Monetary Penalties for Violations