One-Hour Breach Reporting Rule DroppedHealth Insurance Exchange Final Rule Omits Provision
A controversial proposal to require state health insurance exchanges to report breaches to federal regulators within one hour of discovery has been dropped from the final regulation governing the exchanges.
Instead of including a one-hour breach reporting mandate in the final rule for health insurance exchanges, the Department of Health and Human Services has decided to rely on "strict" breach reporting provisions that are part of contracts for the exchanges, says the 300-page regulation released by HHS' Centers for Medicare and Medicaid Services. The final rule was published Aug. 28 on the Federal Register Public Inspection website. It's slated to be officially published in the Federal Register Aug. 30 and to take effect 30 days after that, just in time for the Oct. 1 go-live date for the exchanges.
"Because the one-hour incident response timeline has been included in all the data sharing agreements required under the Affordable Care Act, we have deleted the timing for incident reporting from regulation ... and expect it to be addressed through separate agreement," the final rule states.
The state health insurance exchanges, called for under federal healthcare reform, are online marketplaces where consumers and small businesses can shop for and enroll in health plans. They're slated to begin open enrollment Oct. 1.
CMS Offers Clarification
When asked for clarification about the one-hour breach reporting provision that was part of HHS' proposed rule, versus what appears in the final rule, a CMS spokeswoman told Information Security Media Group, "We are still holding states and non-exchange entities to strict incident and breach reporting standards, but are doing it through separate agreements."
Christopher Rasmussen, a policy analyst at the Center for Democracy & Technology, a consumer advocacy organization, says that while he had initial concerns that a one-hour breach reporting mandate could be "too quick," he's a bit "baffled" about why HHS proposed the provision in the first place if the requirement was already part of contracts.
One of the main differences in the one-hour requirement being part of a contract, versus a final government rule, is that if an exchange fails to report a breach to HHS within 60 minutes of discovery, "it's a contractual breach, rather than a regulatory violation," Rasmussen says.
And although Rasmussen says it's disappointing that CMS chose not to specify a time frame for reporting breaches in the regulations, "we are comfortable with the same requirements being in a contract."
Independent security consultant Tom Walsh, who was critical of the original one-hour proposal, says, "There always needs to be a balance for reporting requirements. If the timeline is too soon, there is not enough time to conduct an accurate and thorough investigation. If you allow too much time or no deadline, then the opportunity for applying mitigating safeguards or controls to keep the incident contained or more manageable may have vanished, leading to a larger incident or breach."
Curt Kwak, CIO at the Washington state health insurance exchange, says the final rule dropping the one-hour reporting requirement, but defaulting to the terms of contracts, is "definitely not what I had hoped for. ... What I wanted to mitigate was overreaction and/or unnecessary work that could be created by false alarms. ... I felt the best way to mitigate this was to spend more time for investigation, following a very methodical and comprehensive process. I think we will be able to align with the one-hour notification as long as the receiving end understands that we are working on it and may not have the full picture yet."
A Sudden Change
The decision by HHS to drop the controversial proposal from the final rule is a sudden about-face, considering that, just last week, the department was seeking speedy review of the provision from the Office of Management and Budget.
In an Aug. 21 notice in the Federal Register, CMS asked OMB, which reviews the impact of regulations, to approve the proposal by Sept. 25.
The breach notification requirement was originally unveiled June 19 as part of a lengthy proposed rule governing health insurance exchanges (see: 60 Minutes to Report a Breach?).
In addition to dropping the one-hour reporting proposal from the final rule, CMS has made other changes in the final regulation regarding breaches. "We are not finalizing [provisions] which would have defined the terms 'incident' and 'breach' ... [and which] would have required an entity where an incident or breach occurs to manage the incident or breach in accordance with the entity's documented incident handling and breach notification procedures," the final rule states. "These standards are [also] included in other legal documents."