CMS: 'Public harm' likely without approval of HIX breach reporting rule

The Centers for Medicare & Medicaid Services is pushing for an "emergency review" of the proposed rule that would require state health insurance exchanges to federally report data breaches within one hour of discovery of such incidents.

In a new post published Wednesday in the Federal Register, CMS called approval of the rule "essential" to security efforts, adding that, should normal clearance procedures be followed, "public harm is reasonably likely to result."

"In absence of this change, a significant number of incidents will not be detected," the notice said, "therefore, causing harm and potential risk to the public's identity with identity fraud."

In the initial proposal, published to the Federal Register on June 19, the U.S. Department of Health & Human Services said it would define a security incident according to standards set by the Office of Management and Budget, as opposed to standards set by the HIPAA regulations, because the latter, it said, are not broad enough.

Under the rule, state-based health insurance exchange administering entities will be required to report both suspected and confirmed loss of personally identifiable information to designated Center for Consumer Information and Insurance Oversight State Officers, who then will notify any federal agencies impacted.

CMS wants OMB review and approval of the rule by Sept. 25, to be followed by a 180-day approval period.

At least one state health insurance exchange CIO, Curt Kwak of the Washington state health insurance exchange, said in an interview published this week that he doesn't think the proposed rule will become final due to its extremely challenging nature. Kwak called the rule "unrealistic," and said that its enforcement would force all exchanges to be "less efficient."

"Now if it does become the rule, then we will obviously need to augment our staff and tighten our environment even more, but again that will probably constrict the operation efficiency of our environment," Kwak said.
