Insurance exchange CIO: Proposed data breach reporting rule 'unrealistic'

At least one state health insurance exchange CIO doubts that the proposed rule requiring exchanges to report data security incidents within one hour of discovering a breach will become final, because it would be extremely challenging to meet.

In a recent interview with HealthcareInfoSecurity, Washington state health insurance exchange CIO Curt Kwak called the rule, published June 19 in the Federal Register, "unrealistic," saying that its enforcement would force all exchanges to be "less efficient."

"Now if it does become the rule, then we will obviously need to augment our staff and tighten our environment even more, but again that will probably constrict the operation efficiency of our environment," Kwak told HealthcareInfoSecurity. "We'll be ready, and we'll do whatever we can with the final ruling."

According to Kwak, the biggest security challenge he's encountered, thus far, involves the different protocols in processing data for dependent partners. Still, he said, having to handle sensitive financial information in addition to protected health information will be a significant concern, as well.

In a post published in the Federal Register last week, the Centers for Medicare & Medicaid Services announced plans to form computer matching agreements with the Internal Revenue Service and the Veterans Health Administration to help regulate information to be shared via the Affordable Care Act's data hub. CMS said that the purpose of such agreements will be to "establish the terms, condition, safeguards and procedures" that will govern the information gathering process.

Also last week, Senate Republican Leader Mitch McConnell (R-Ky.) called for a delay in the opening of all of the exchanges, citing security concerns with the data hub. Legislation introduced last month by Rep. Pat Meehan (R-Pa.) calls for a one-year delay in the launch of the data hub, citing concerns similar to McConnell's.

Security testing for the hub is behind schedule, according to a recent report published by the U.S. Department of Health & Human Services Office of Inspector General.
