One-Hour Breach Notification Out of Final HIX Rule? Yes and No

The Centers for Medicare and Medicaid Services, in a final rule setting standards for health plans operating in state health insurance exchanges, has dropped a proposed requirement that privacy and security incidents be reported within one hour of discovery, while at the same time noting that the one-hour deadline is still required by other agreements.

CMS noted that many commenters on the proposed rule issued in June found the one-hour provision impractical or unworkable. But while the provision was dropped, what CMS decided to do in the final rule may not amount to much of a change: CMS apparently concluded the provision was not needed in the regulation because the same one-hour requirement already appears in existing legal agreements.

Responding to comments on the proposed rule, CMS in the final rule said: “We note that the timeline for reporting privacy and security incidents and breaches that we proposed to codify in this regulation has also been included in the computer matching, information exchange and other data sharing agreements, as authorized under sections 1413(c) and 1413(d) of the Affordable Care Act. In addition, legal agreements executed pursuant to section 155.260(b) between CMS and non-Exchange entities required to comply with the privacy and security standards established and implemented by a Federally Facilitated Exchange pursuant to section 155.260 include the one hour timeframe for reporting all privacy and security incidents and breaches.

“Because the one hour incident response timeline has been included in all the data sharing agreements required under the Affordable Care Act, we have deleted the timing for incident reporting from regulation, proposed in section 155.280(c)(3), and expect it to be addressed through separate agreement.”

CMS continues to expect the exchanges to be open for business on Oct. 1, 2013, to support open enrollment as consumers compare and purchase health insurance with coverage beginning in January 2014.

In general, the new rule, available here and being published August 30 in the Federal Register, finalizes without change many policies spelled out in a proposed rule issued in June, although multiple definitions are changed. CMS contends in the rule that affected parties should have little difficulty complying with the provisions within the next month, because they are based on standards already in effect and were previously addressed in guidance and in several other rules pertaining to health insurance exchanges. “In addition to comments on the substance of the provisions we are now finalizing, we sought input on ways to implement the proposed policies to minimize burden,” the agency notes in the final rule.

For instance, CMS proposed that issuers in the small group market set rates based on the employer’s principal business address. However, some states rate on each employee’s place of residence, and issuers in those states, which already have administrative systems and rates built around that approach, asked for flexibility. Consequently, issuers that demonstrate they relied in good faith on state guidance may rate based on employee address during 2014.

CMS is not finalizing all provisions from the proposed rule, as some need to be in effect by October while others can be finalized at a later date.