BreachExchange mailing list archives
One-Hour Breach Notification Out of Final HIX Rule? Yes and No
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 30 Aug 2013 13:44:22 -0400
http://www.healthdatamanagement.com/news/hix-health-insurance-exchange-incident-breach-notification-46524-1.html

The Centers for Medicare and Medicaid Services, in a final rule setting standards for health plans operating in state health insurance exchanges, has dropped a proposed requirement that privacy and security incidents be reported within one hour of discovery, while at the same time noting it is still required by other regulations.

CMS noted that many commenters to the proposed rule issued in June found the one-hour provision to be not practical or workable. But, while dropping the provision, what CMS decided to do in the final rule may not be much of a change. CMS apparently decided the provision wasn't needed because it's already in existing legal agreements. Responding to comments on the proposed rule, CMS in the final rule said:

"We note that the timeline for reporting privacy and security incidents and breaches that we proposed to codify in this regulation has also been included in the computer matching, information exchange and other data sharing agreements, as authorized under sections 1413(c) and 1413(d) of the Affordable Care Act. In addition, legal agreements executed pursuant to section 155.260(b) between CMS and non-Exchange entities required to comply with the privacy and security standards established and implemented by a Federally Facilitated Exchange pursuant to section 155.260 include the one hour timeframe for reporting all privacy and security incidents and breaches.

"Because the one hour incident response timeline has been included in all the data sharing agreements required under the Affordable Care Act, we have deleted the timing for incident reporting from regulation, proposed in section 155.280(c)(3), and expect it to be addressed through separate agreement."

CMS continues to expect the exchanges to be open for business on Oct. 1, 2013, to support open enrollment as consumers compare and purchase health insurance with coverage beginning in January 2014. In general, the new rule, available here and being published August 30 in the Federal Register, finalizes without change many policies spelled out in a proposed rule issued in June, although multiple definitions are changed. CMS in the rule contends that affected parties should have little difficulty complying with the provisions within the next month, as standards are based on existing standards already in effect, and provisions were previously addressed in guidance and several other rules pertaining to health insurance exchanges.

"In addition to comments on the substance of the provisions we are now finalizing, we sought input on ways to implement the proposed policies to minimize burden," the agency notes in the final rule. For instance, CMS proposed that issuers in the small group market apply rates based on the employer's principal business address. However, some states use each employee's place of residence and issuers in those states have appropriate administrative systems and rates, and asked for flexibility. Consequently, issuers that demonstrate good faith in having relied on state guidance may rate based on employee address during 2014.

CMS is not finalizing all provisions from the proposed rule, as some need to be in effect by October while others can be finalized at a later date.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.