HHS rule would give federal exchanges 1 hour to report data breaches

Under a newly proposed rule from the U.S. Department of Health & Human Services, federally-facilitated exchanges created via the Affordable Care Act, as well as entities working with such exchanges, would have one hour to report security incidents upon discovery of a breach.

According to the proposal, published June 19 in the Federal Register, HHS would define a security incident according to standards set by the Office of Management and Budget, as opposed to standards set by the HIPAA regulations, because the latter, it says, is not broad enough.

"The protected health information that triggers HIPAA … is considered a subset of [personally identifiable information]," the notice reads. "We … propose that 'incident' would mean the act of violating an explicit or implied security policy, which includes attempts [either failed or successful] to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent."

Additionally, the definition of breach would encompass situations in which personally identifiable information, whether physical or electronic, is compromised via a "loss of control, unauthorized disclosure, unauthorized acquisition, [or] unauthorized access."

Earlier this month, Rep. Diane Black (R-Tenn.) called the potential for abuse of information to be stored on a data services hub mandated by the ACA "staggering." The hub will be used to connect state health insurance exchanges with federal agencies, and will contain personal information, including medical records and tax and financial information.

"Which agencies will have access to what information [in the hub]?" Black asked. "Will government employees, contractors and third parties have access; and what training and security clearances--if any--are required for these individuals?"

HHS is asking for comments on its proposed rule by July 19.

To learn more:
- read the Federal Register notice