CMS: One Hour to Report HIX Security Incidents

The Centers for Medicare and Medicaid Services is seeking to fast-track the rollout of a new process that state health insurance exchanges will use to report--within one hour--information security incidents.

With the exchanges expected to open on October 1, CMS has submitted a request for an emergency review of the new reporting system from the Office of Management and Budget “because public harm is reasonably likely to result if the normal clearance procedures are followed,” according to a notice issued on August 20. “The approval of this data collection process is essential to ensuring that information security incidents, which also include personally identifiable information and protected health information, are captured within the specified timeframe. In absence of this change, a significant number of incidents will not be detected; therefore causing harm and potential risk to the public’s identity with identity fraud.”

Through a computer-matching agreement with CMS, state-based HIX administering entities, called AEs, will receive data from CMS to determine eligibility for insurance affordability programs such as subsidies, and certificates of exemption. Under the new incident reporting system, AEs are expected to report suspected or confirmed loss of protected information within one hour of discovery to their designated Center for Consumer Information and Insurance Oversight State Officer.

The officer then will notify affected federal agency data sources, which could include the Department of Defense, Department of Homeland Security, Department of Treasury, Internal Revenue Service, Office of Personnel Management, Peace Corps, Social Security Administration, or Veterans Health Administration. More information is available here.