Cybersecurity Regulation and the Affordable Care Act

From: HealthITSecurity

HHS proposes new data breach reporting rules for FFEs

Author Name: Patrick Ouellette

The Department of Health and Human Services (HHS) has requested comments regarding its recent proposal that, under the Affordable Care Act, Federally-facilitated Exchanges (FFEs), non-Exchange entities associated with FFEs and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach.

The scope of these security incidents and breaches, according to the June 19 post on the Federal Register from HHS and the Center for Medicare and Medicaid Services (CMS), is broader than HIPAA and HHS will use the definitions set by the Office of Management and Budget (OMB).

We considered the definitions and explanations for “incident” in the following publications: OMB Memorandum M-06-19, OMB Memorandum M-07-16, and the National Institute of Standards and Technology Special Publication 800-61, and propose that “incident” would mean, the act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent. We propose that the definition for “breach” be the same as the definition in OMB Memorandum M-07-16, Safeguarding and Responding to the Breach of Personally Identifiable Information, which defines “breach” as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. We welcome comment on the use of these definitions for incident and breach as they relate to PII.

Documentation is a big part of the HHS proposal. In the event of an incident or breach, HHS wants the breached entity to be responsible for reporting and managing it according to the entity’s documented incident handling or breach notification procedures. HHS said that incident handling and breach notification procedures should be among the written policies and procedures required for Exchanges under §155.260(d). Non-Exchange entities associated with the Exchanges would be required to have policies and procedures in place for reporting breaches and incidents as a condition of the contracts or agreements that are required under §155.260(b). And under §155.260(a)(3)(viii), Exchanges would also be required to establish accountability standards that would include the development and implementation of policies and procedures including incident handling and breach notification procedures.

In §155.280(c)(3) we propose that FFEs, non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach. We also propose that a non-Exchange entity associated with a State Exchange must report all privacy and security incidents and breaches to the State Exchange with which they are associated. We welcome comment on these proposals.

