Insurance Exchange Standards Proposed

Privacy, Security Requirements for State Exchanges Outlined
The Department of Health and Human Services has published a proposed rule that describes privacy, security and many other standards for web-based state insurance exchanges called for under the healthcare reform law enacted in 2010.

The online health insurance exchanges, slated to go into operation Jan. 1, 2014, are designed to ease insurance acquisition for individuals and small businesses. The state-operated exchanges, according to the proposed rule, will "help enhance competition in the health insurance market, improve choice of affordable health insurance and give small businesses the same purchasing clout as large businesses."

Regarding privacy and security, the proposal states, among other things:

  • "We propose to require that the Exchange apply appropriate security and privacy protections when collecting, using, disclosing or disposing of personally identifiable information ... In addition, we propose to require contractual terms that impose these standards on contractors or subcontractors. ..."
  • "We propose to require that the security standards of the Exchange (and which the Exchange must contractually impose on contractors and subcontractors) are consistent with HIPAA security rules."
  • Rather than require compliance with the HIPAA privacy rule, HHS would give states "flexibility to create a more appropriate and tailored standard." That's because the exchanges will handle a wide variety of information, including tax returns.
  • HHS is considering "imposing a requirement that each Exchange implement some form of authentication procedure for ensuring that all entities interacting with Exchanges are who they claim." HHS states that it's working with other federal agencies to determine the best methods of authentication.

Comments on the proposed rule are being accepted through Sept. 28. For information, see the rule.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
