Privacy Policy

1.0 Overview

This Privacy Policy outlines the fundamental principles and strict guidelines for all Workforce Members of Fortellar regarding the handling of Personally Identifiable Information (PII). Our primary goal is to ensure the confidentiality, integrity, and availability of sensitive data, adhering rigorously to applicable privacy and security regulations. The policy emphasizes the "minimum necessary" and "need-to-know" principles, mandating secure data collection, access, and disclosure practices. It also details Workforce Member responsibilities, including mandatory training, reporting violations, and the strict protocols for breach notification and data security. Compliance with this policy is paramount to protecting individual privacy and maintaining the trust placed in our health plan marketplace.

2.0 Purpose

The purpose of this Privacy Policy is to establish clear guidelines and responsibilities for all employees, contractors, volunteers, and other workforce members ("Workforce Members") of Fortellar regarding the collection, use, disclosure, and protection of Personally Identifiable Information (PII). This Policy is designed to ensure compliance with applicable federal and state privacy and security laws and regulations.

3.0 Scope

This Policy applies to all information, whether electronic, paper, or oral, that is created, received, maintained, or transmitted by Fortellar in connection with its operations as a health plan marketplace. Strict adherence to this Policy is mandatory for all Workforce Members.

4.0 Policy

4.1 Principles of Data Handling

All Workforce Members must adhere to the following principles when handling PII:

  • Confidentiality: Treat all PII as confidential. Do not discuss or disclose this information to unauthorized individuals, inside or outside the organization.

  • Integrity: Ensure the accuracy and completeness of PII. Report any suspected inaccuracies immediately.

  • Availability: Ensure that authorized Workforce Members have timely and reliable access to PII when needed for legitimate business purposes.

  • Minimum Necessary: Access, use, or disclose only the minimum necessary PII required to perform your job duties.

  • Need-to-Know: Access to PII is granted only on a "need-to-know" basis, meaning only those Workforce Members who require the information to perform their specific job functions are authorized to access it.

4.2 Data Collection and Use

  • Legitimate Purpose: PII will only be collected and used for legitimate business purposes related to the operation of the health plan marketplace, such as facilitating plan enrollment, processing applications, providing customer support, and complying with legal obligations.

  • Authorized Systems: All collection, input, and processing of PII must occur within authorized and secure systems and applications designated by Fortellar.

  • No Unauthorized Copies: Do not create unauthorized copies of PII, whether in electronic or paper format.

4.3 Data Access and Authorization

  • Role-Based Access: Access to PII is strictly controlled through role-based access permissions. Workforce Members will only be granted access to the specific data necessary for their assigned roles and responsibilities.

  • Unique User IDs: All Workforce Members must use unique user IDs and strong passwords to access systems containing PII. Sharing of user IDs or passwords is strictly prohibited.

  • Access Reviews: Access privileges will be regularly reviewed and updated based on changes in job roles or termination of employment.

  • Remote Access: Remote access to systems containing PII is permitted only through secure, approved methods (e.g., VPN) and on company-issued or approved devices that meet security standards.

4.4 Data Security

All Workforce Members are responsible for maintaining the security of PII.

  • Workstation Security:

      • Always lock your computer screen when leaving your workstation, even for short periods.

      • Do not leave PII visible on screens or in unsecured areas.

      • Position monitors to prevent unauthorized viewing.

      • Log off systems at the end of the workday.

  • Password Management:

      • Use strong, unique passwords for all systems containing PII.

      • Change passwords regularly as required by company policy.

      • Never write down or share passwords.

  • Email and Electronic Communications:

      • Exercise extreme caution when sending PII via email. Use secure, encrypted email solutions approved by Fortellar for any communication containing PII.

      • Verify recipient addresses before sending sensitive information.

      • Do not use personal email accounts for company business involving PII.

  • Physical Security:

      • Secure all paper documents containing PII in locked cabinets or offices when not in use.

      • Properly dispose of paper documents containing PII using shredders or secure shredding services.

  • Mobile Devices and Portable Media:

      • PII should not be stored on personal mobile devices (laptops, smartphones, tablets, USB drives) unless explicitly authorized and secured with encryption and other protective measures.

      • Report lost or stolen devices immediately.

4.5 Data Disclosure and Sharing

  • Authorized Disclosures: PII may only be disclosed to authorized individuals or entities or as otherwise permitted or required by law (e.g., law enforcement, judicial orders).

  • No Unauthorized Sharing: Workforce Members are strictly prohibited from sharing PII with any unauthorized individuals, including family members, friends, or other Workforce Members who do not have a legitimate "need-to-know."

  • Verification: Before disclosing PII, Workforce Members must take reasonable steps to verify the identity and authority of the person or entity requesting the information.

4.6 Employee Responsibilities and Sanctions

  • Confidentiality Agreement: All Workforce Members must sign a confidentiality agreement upon hire, acknowledging their understanding and commitment to protecting PII.

  • Mandatory Training: All Workforce Members must complete mandatory privacy and security training upon hire and annually thereafter. Additional training may be required based on job function or changes in regulations.

  • Reporting Violations: Any suspected or actual privacy or security incidents, breaches, or violations of this Policy must be reported immediately to the VP of HR or the VP of Technology.

  • Sanctions: Failure to comply with this Policy will result in disciplinary action, up to and including termination of employment, and may also lead to civil and criminal penalties as prescribed by law.

4.7 Breach Notification

In the event of a suspected or actual breach of unsecured PII, the following internal procedures will be followed:

  • Immediate Reporting: Any Workforce Member who suspects or identifies a breach must immediately report it to the VP of Technology.

  • Investigation: The VP of Technology will lead an immediate investigation to determine the scope, cause, and impact of the breach.

  • Mitigation: Steps will be taken to mitigate any harm caused by the breach and prevent future occurrences.

  • External Notification: If a breach of unsecured PII is confirmed, Fortellar will comply with all applicable breach notification requirements and other relevant laws, including notifying affected individuals, and potentially the media.

4.8 Auditing and Monitoring

Fortellar will regularly audit and monitor access to systems and information containing PHI/PII to ensure compliance with this Policy and detect any unauthorized activity. These activities may include:

  • Reviewing system access logs.

  • Conducting internal security assessments.

  • Performing periodic privacy compliance reviews.

4.9 Policy Review and Updates

This Policy will be reviewed at least annually by the VP of Technology and other relevant stakeholders to ensure its continued effectiveness and compliance with evolving legal and regulatory requirements. Any updates or revisions will be communicated to all Workforce Members.

5.0 Definitions

Personally Identifiable Information (PII): Any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Examples include name, address, email, phone number, Social Security Number, and financial account numbers.

Workforce Member: Employees, contingent workers, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

6.0 Enforcement

Any staff member found to have violated this Policy may be subject to disciplinary action, up to and including termination.

7.0 Distribution

This Policy is to be distributed to all Fortellar Workforce Members.

8.0 Standards

HIPAA Privacy Rule

9.0 Training

All staff and contingent workers must complete annual privacy training. Failure to complete training may result in restricted system access or disciplinary action.