Appearance
Consumer & Agent Flow
Status: Living document. Last updated 2026-05-11.
Terminology note: this doc uses Agent (individual licensed insurance agent, solo or under an agency) and Agency (organization with agents under them). The project's hard terminology rule per CLAUDE.md — no "broker" wording in new content. Where this doc previously used "Broker", "Broker Portal", "Broker Fulfillment", it now reads Agent / Agent Portal / Agent Fulfillment.
End-to-End Journey
Phase 1: Discovery
Goal: Show the consumer their real subsidized price in 30 seconds.
No PII collected. Only zip code, ages, household size, income. This data is not stored — it's used for a real-time query.
State universe handling (per architecture.md):
- Federal-30 + NY: served from own MongoDB Atlas cluster (CMS PUF age-rated premiums for federal; NY DFS / NYSOH community-rated for NY)
- 19 SBE states + DC: redirect banner with link to the state marketplace (Covered California, NY State of Health, etc.)
Disclaimers shown throughout:
- "Estimates based on the information you provided"
- "Powered by the same data as Healthcare.gov"
- "Final premium confirmed after enrollment review by a licensed agent"
Medicaid-Income Handling
Phase 2: Plan Selection
Doctor + Prescription Matching
Data path: the doctor + Rx coverage check calls CMS Marketplace API at query time (pivot decision 2026-05-03, docs/decisions/2026-05-03-pivot-cms-api-direct.md). When CMS returns coverage without enriched fields (network tier for providers, drug tier for medications), a non-PHI §1311 reference dataset on a separate Atlas cluster fills in the gaps via cross-cluster PrivateLink (see ADR 0004).
The data_source field is not surfaced to clients — IP opacity is enforced (see architecture.md).
What the Consumer Sees
For each plan:
- Monthly premium (after all subsidies)
- Sticker price (struck through)
- Savings amount and percentage
- Deductible and max out-of-pocket (before/after CSR)
- Key copays: primary care, specialist, urgent care, ER, generic Rx
- Drug-specific costs (if Rx entered)
- Star rating
- Network type (HMO/PPO/EPO)
- Links to: drug formulary, SBC, provider directory (all proxied through
/api/docs/[id])
Clear quote disclaimer:
"These estimates are calculated using federal government data and the official ACA subsidy formula. Your exact premium and benefits will be confirmed by a licensed agent during enrollment. Actual costs may vary slightly based on final eligibility verification."
Phase 3: Enrollment
PII Collection
When the consumer selects a plan and proceeds to enroll, we collect:
| Field | Sensitivity | Encryption |
|---|---|---|
| Full legal name | PHI | AES-256 field-level |
| Date of birth | PHI | AES-256 field-level |
| Social Security Number | PHI (highest) | AES-256 field-level + separate key |
| Address | PHI | AES-256 field-level |
| Phone number | PII | Hashed + encrypted |
| PII | Hashed + encrypted | |
| Immigration status | PHI | AES-256 field-level |
| Income verification docs | PHI | Encrypted at rest (S3) |
| Employer information | PII | AES-256 field-level |
Encryption Architecture
MongoDB Client-Side Field Level Encryption (CSFLE):
- SSN, name, DOB, address encrypted BEFORE leaving the API layer
- MongoDB Atlas never sees plaintext PII
- Even a database breach yields only encrypted blobs
- Keys managed by AWS KMS — separate from database access
- Different KMS keys for different sensitivity levels (SSN gets its own key)
Storage location: consumer enrollment PHI lands on the prod Atlas cluster (askflorence-prod-01, M10 HIPAA tier). The non-PHI §1311 reference data on the staging cluster is read-only and never receives enrollment data — enforced by the staging-cluster CI guard per ADR 0004.
Phase 4: Agent Fulfillment
Agent Queue
Agent Portal Access Controls
Access rules:
- Agents can ONLY see enrollments assigned to them
- Agents can ONLY see enrollments in states where they're licensed (verified via NIPR PDB — see #54)
- Every PII field access is logged to
agent_audit_log(append-only at the DB role layer per ADR 0002) - Session timeout after 15 minutes of inactivity (Tier 2 auth per CLAUDE.md)
- No bulk export of consumer data
- No PII visible in URLs, logs, or error messages
- Authentication uses magic link + TOTP (NIST 800-63B compliant, no SMS)
Agent Assignment Logic
Phase 5: Confirmation
Consumer Notification Flow
Post-Enrollment
- Consumer can log in to see enrollment status
- Payment path established (carrier direct billing or marketplace billing)
- AskFlorence tracks for retention (annual renewal reminders via ADR 0005 delayed-job pattern)
- Agent NPN on enrollment → recurring carrier commission per member (PMPM model — see
/overview)
Data Flow Summary
Disclaimer Language
On quote results:
"These premium estimates are calculated using official federal government data sources and the IRS Advanced Premium Tax Credit formula. They represent what most people with your household profile qualify for. Your exact premium, deductible, and copays will be confirmed during the enrollment process by a licensed insurance agent. Actual amounts may vary based on final eligibility verification by the insurance carrier."
On enrollment submission:
"By submitting this application, you authorize AskFlorence and our licensed agent partner to process your health insurance enrollment. Your personal information is encrypted and stored in compliance with HIPAA regulations. Only your assigned licensed agent will have access to your application details for the purpose of completing your enrollment."
On confirmation:
"Your plan selection has been reviewed and submitted by a licensed insurance agent. [Carrier Name] has confirmed your enrollment. Your coverage begins [date]. If you have questions about your coverage, contact [carrier phone] or your AskFlorence agent at [support email]."
