Rule Proposes HIX Privacy/Security Responsibilities that Differ from HIPAA

State health insurance exchanges would be required to report privacy and security issues, and breaches of personally identifiable information, to the Department of Health and Human Services within one hour of discovery, under a recently published proposed rule.

In contrast, the HIPAA breach notification rule gives covered entities up to 60 days after discovery to notify affected individuals of a breach.

The one-hour requirement, which covers all exchanges regardless of whether they are operated by states or the federal government, is part of a rule published June 19 in the Federal Register to set financial integrity and oversight standards for the exchanges and the health plans offered through them.

The rule requires business partners of federally facilitated exchanges (FFEs) to report breaches to HHS within an hour as well, but routes reports from the partners of state-run exchanges to the state exchange itself rather than to HHS, and does not say how quickly. “We propose that FFEs, non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach,” according to the proposed rule. “We also propose that a non-Exchange entity associated with a State Exchange must report all privacy and security incidents and breaches to the State Exchange with which they are associated. We welcome comment on these proposals.”

In general, the proposed rule requires exchanges and their partners to protect personally identifiable information (PII) under the Privacy Act of 1974, rather than under the HIPAA privacy and security rules, which cover only protected health information. The proposed rule also introduces its own definitions of the terms “incident” and “breach.”

HHS considered and declined to use definitions under HIPAA “because the protected health information that triggers the HIPAA requirements is considered a subset of personally identifiable information and we believe that the HIPAA definitions would not provide broad enough protections to satisfy the requirements under the Privacy Act of 1974, the e-Government Act of 2002, other laws to which HHS is subject, or the expectations of the other Federal agencies that will be providing PII to facilitate Exchange eligibility determinations,” the agency explains.

The proposed rule, “Patient Protection and Affordable Care Act: Program Integrity: Exchange, SHOP, Premium Stabilization Programs and Market Standards,” was published in the Federal Register on June 19, with comments due by July 19.