Insurance Exchange Standards Proposed
Privacy, Security Requirements for State Exchanges Outlined
The online health insurance exchanges, slated to go into operation Jan. 1, 2014, are designed to ease insurance acquisition for individuals and small businesses. The state-operated exchanges, according to the proposed rule, will "help enhance competition in the health insurance market, improve choice of affordable health insurance and give small businesses the same purchasing clout as large businesses."
Regarding privacy and security, the proposal states, among other things:
- "We propose to require that the Exchange apply appropriate security and privacy protections when collecting, using, disclosing or disposing of personally identifiable information ... In addition, we propose to require contractual terms that impose these standards on contractors or subcontractors. ..."
- "We propose to require that the security standards of the Exchange (and which the Exchange must contractually impose on contractors and subcontractors) are consistent with HIPAA security rules."
- Rather than require compliance with the HIPAA privacy rule, HHS would give states "flexibility to create a more appropriate and tailored standard." That's because the exchanges will handle a wide variety of information, including tax returns.
- HHS is considering "imposing a requirement that each Exchange implement some form of authentication procedure for ensuring that all entities interacting with Exchanges are who they claim." HHS states that it's working with other federal agencies to determine the best methods of authentication.
Comments on the proposed rule are being accepted through Sept. 28. For information, see the rule.