HHS drops 1-hour HIX breach notification rule

HHS' final regulation on health insurance exchanges does not include a proposed mandate that healthcare organizations report all data breaches within one hour of discovery. 

However, the U.S. Department of Health & Human Services said the proposed breach reporting timeline requirement was included in computer matching, information exchange and other data sharing agreements.

"Because the one-hour incident response timeline has been included in all the data sharing agreements required under the Affordable Care Act, we have deleted the timing for incident reporting from [the] regulation … and expect it to be addressed through separate agreement," the final regulation said.

HHS noted in the final regulation that it had received a number of comments expressing concern that the requirement was impractical and not "workable in the exchange environment." Concerns also were raised about the potential for "over-reporting," which some commenters said could "undermine the ability [of impacted organizations] to present a thoughtful, comprehensive plan of action."

According to the original proposal, published June 19 in the Federal Register, HHS would define a security incident according to standards set by the Office of Management and Budget rather than the standards set by the HIPAA regulations, because, it said, the HIPAA definition is not broad enough.

In an interview earlier this month with HealthcareInfoSecurity, Washington state health insurance exchange CIO Curt Kwak called the rule "unrealistic," saying that its enforcement would make all exchanges "less efficient."

Just last week, the Centers for Medicare & Medicaid Services called for an "emergency review" of the proposed rule, saying its approval was "essential" to security efforts. CMS said that the public would be harmed if normal clearance procedures were followed.

"In absence of this change, a significant number of incidents will not be detected," the notice said, "therefore, causing harm and potential risk to the public's identity with identity fraud."

To learn more:
- here's the final rule (.pdf)