60 Minutes to Report a Breach? That's What's Proposed for Health Insurance Exchanges
Buried deep within the recently released 253-page proposed rule governing state health insurance exchanges, created under federal healthcare reform, is a stunning requirement: Breaches must be reported within one hour of discovery to the Department of Health and Human Services.
That may seem like an incredible demand, considering that the HIPAA breach notification rule gives covered entities up to 60 days to report breaches. But the proposal is not without precedent.
"I have seen the one-hour deadline before - it is a federal requirement for reporting unauthorized access to a federal system to the U.S. Computer Emergency Readiness Team, or US-CERT," says privacy attorney Adam Greene, a partner at Davis Wright Tremaine and a former official at HHS' Office for Civil Rights.
Greene suspects that this one-hour US-CERT breach reporting deadline may have influenced HHS as it wrote its proposed rule for health insurance exchanges.
Independent security consultant Tom Walsh contends the one-hour breach reporting proposal is unrealistic. "It's far different from some state laws, and the [HIPAA] healthcare breach notification rule, which wants the notification as soon as possible, or 'without unreasonable delay,' but no later than 60 days," he notes.
California and Connecticut, which have among the strictest breach reporting laws, require notice of a breach within five days, he notes.
"The investigation of any type of reported incident or possible breach takes time," Walsh says. "Those responding to the incident must be careful not to accidentally alter or destroy forensic data. The simple act of rebooting a computer could alter the audit trail and the investigation. Heck, it could easily take an hour just to assemble a knowledgeable incident response team."
Conducting a thorough and accurate investigation typically takes one week, on average, Walsh says.
"Having a one-hour timeline rushes the process and could potentially create errors and many 'false alarms.' When it comes to conducting an investigation, it is my opinion that you only have one chance to do it right. You cannot 'un-ring a bell.'"
But Curt Kwak, CIO at the Washington State Health Benefit Exchange, says that requiring notification within 24 hours would be reasonable.
Healthcare Reform Mandates
Created under federal healthcare reform, insurance exchanges will enable small businesses and uninsured consumers to shop online for healthcare coverage. These online marketplaces will collect data from consumers on the front end, and they'll also need to exchange data from other systems on the back end, creating privacy and security challenges. Consumers can enroll for coverage through these exchanges beginning on Oct. 1, with coverage starting Jan. 1, 2014.
The proposed rule, published in the Federal Register June 19, indicates HHS considered HIPAA regulations when hammering out breach notification rules for the insurance exchanges. But the agency apparently chose not to apply the HIPAA breach guidelines because HIPAA only covers protected health information, and the exchanges will be collecting much more data than that. These exchanges, for example, will collect income-related data as part of eligibility determinations.
The proposed standards state that the exchanges and their partners must meet all the requirements for protecting personally identifiable information called for under the Privacy Act of 1974.
Here's what the proposed rule says about privacy and security:
"We considered but declined to use the definitions for [incident and breach] provided under the HIPAA regulations because the protected health information that triggers the HIPAA requirements is considered a subset of PII, and we believe that the HIPAA definitions would not provide broad enough protections to satisfy the requirements under the Privacy Act of 1974."
In addition, the proposal defines a breach as "the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic." The document notes this is the same definition used by the Office of Management and Budget in its memorandum, "Safeguarding and Responding to the Breach of Personally Identifiable Information."
Here's what the proposal says about the notification deadline:
"We propose that FFEs [federally facilitated exchanges], non-exchange entities associated with FFEs, and state exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach."
HHS is accepting comments on the proposal until July 19.