Health Insurance Exchange Final Rule Omits Provision
By Marianne Kolbasuk McGee
A controversial proposal to require state health insurance exchanges to report breaches to federal regulators within one hour of discovery has been dropped from the final regulation governing the exchanges.
Instead of including a one-hour breach reporting mandate in the final rule for health insurance exchanges, the Department of Health and Human Services has decided to rely on “strict” breach reporting provisions that are part of contracts for the exchanges, says the 300-page regulation released by HHS’ Centers for Medicare and Medicaid Services. The final rule was published Aug. 28 on the Federal Register Public Inspection website. It’s slated to be officially published in the Federal Register Aug. 30 and to take effect 30 days after that, just in time for the Oct. 1 go-live date for the exchanges.
“Because the one-hour incident response timeline has been included in all the data sharing agreements required under the Affordable Care Act, we have deleted the timing for incident reporting from regulation … and expect it to be addressed through separate agreement,” the final rule states.
The state health insurance exchanges, called for under federal healthcare reform, are online marketplaces where consumers and small businesses can shop for and enroll in health plans. They’re slated to begin open enrollment Oct. 1.
CMS Offers Clarification
When asked for clarification about the one-hour breach reporting provision that was part of HHS’ proposed rule, versus what appears in the final rule, a CMS spokeswoman told Information Security Media Group, “We are still holding states and non-exchange entities to strict incident and breach reporting standards, but are doing it through separate agreements.”