BreachExchange mailing list archives

One-Hour Breach Notification Out of Final HIX Rule? Yes and No


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 30 Aug 2013 13:44:22 -0400

http://www.healthdatamanagement.com/news/hix-health-insurance-exchange-incident-breach-notification-46524-1.html

The Centers for Medicare and Medicaid Services, in a final rule
setting standards for health plans operating in state health insurance
exchanges, has dropped a proposed requirement that privacy and
security incidents be reported within one hour of discovery, while at
the same time noting it is still required by other regulations.

CMS noted that many commenters to the proposed rule issued in June
found the one-hour provision to be not practical or workable. But,
while dropping the provision, what CMS decided to do in the final rule
may not be much of a change. CMS apparently decided the provision
wasn’t needed because it’s already in existing legal agreements.

Responding to comments on the proposed rule, CMS in the final rule
said: “We note that the timeline for reporting privacy and security
incidents and breaches that we proposed to codify in this regulation
has also been included in the computer matching, information exchange
and other data sharing agreements, as authorized under sections 1413
(c) and 1413(d) of the Affordable Care Act. In addition, legal
agreements executed pursuant to section 155.260(b) between CMS and
non-Exchange entities required to comply with the privacy and security
standards established and implemented by a Federally Facilitated
Exchange pursuant to section 155.260 include the one hour timeframe
for reporting all privacy and security incidents and breaches.

“Because the one hour incident response timeline has been included in
all the data sharing agreements required under the Affordable Care
Act, we have deleted the timing for incident reporting from
regulation, proposed in section 155.280(c)(3), and expect it to be
addressed through separate agreement.”

CMS continues to expect the exchanges to be open for business on Oct.
1, 2013, to support open enrollment as consumers compare and purchase
health insurance with coverage beginning in January 2014.

In general, the new rule, available here and being published August 30
in the Federal Register, finalizes without change many policies spelled
out in a proposed rule issued in June, although multiple definitions
are changed. CMS in the rule contends that affected parties should
have little difficulty complying with the provisions within the next
month, as standards are based on existing standards already in effect,
and provisions were previously addressed in guidance and several other
rules pertaining to health insurance exchanges. “In addition to
comments on the substance of the provisions we are now finalizing, we
sought input on ways to implement the proposed policies to minimize
burden,” the agency notes in the final rule.

For instance, CMS proposed that issuers in the small group market
apply rates based on the employer’s principal business address.
However, some states use each employee’s place of residence and
issuers in those states have appropriate administrative systems and
rates, and asked for flexibility. Consequently, issuers that
demonstrate good faith in having relied on state guidance may rate
based on employee address during 2014.

CMS is not finalizing all provisions from the proposed rule, as some
need to be in effect by October while others can be finalized at a
later date.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
