HHS Seeks Speedy OK of Breach Rule

Health Insurance Exchanges Would Face 1-Hour Deadline
The Department of Health and Human Services is seeking speedy approval of its controversial proposal to require state health insurance exchanges to report data breaches within one hour of discovery.

In an Aug. 21 notice in the Federal Register, HHS' Centers for Medicare and Medicaid Services asks the Office of Management and Budget, which reviews the impact of regulations, to approve the proposal by Sept. 25, followed by a 180-day comment period. State health insurance exchanges, a key component of federal healthcare reform, are slated to begin operations for open enrollment by Oct. 1.

The breach notification requirement was originally unveiled June 19 as part of a lengthy proposed rule governing health insurance exchanges (see: 60 Minutes to Report a Breach?).

"We are requesting an emergency review ... because public harm is reasonably likely to result if the normal clearance procedures are followed," the Aug. 21 notice states. Without the emergency approval, "a significant number of incidents will not be detected, therefore causing harm and potential risk [of] ... identity fraud."

Proposal Criticized

Critics of the proposal, including independent security consultant Tom Walsh, say it's unrealistic. "It's far different from some state laws, and the [HIPAA] healthcare breach notification rule, which wants the notification as soon as possible, or 'without unreasonable delay,' but no later than 60 days," he notes.

"The investigation of any type of reported incident or possible breach takes time," Walsh adds. "Those responding to the incident must be careful not to accidentally alter or destroy forensic data. The simple act of rebooting a computer could alter the audit trail and the investigation. Heck, it could easily take an hour just to assemble a knowledgeable incident response team."

A thorough and accurate investigation takes about one week on average, Walsh says.

Curt Kwak, CIO of the Washington state health insurance exchange, said in a recent interview: "From my perspective, I don't believe this will become final because we don't believe it's realistic." He added: "This level of ruling will force us to be less efficient and most likely impact the usability of the system and our ability to support the system as well."

But if the requirement, in fact, goes into effect, Kwak says his state's health insurance exchange will adjust. "We will obviously need to augment our staff and tighten our environment even more," he says, "but that will probably constrict the operation efficiency of our environment."

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
