Editor’s Note: For more on the proposed rule, please see the Regulatory Cyber Security IPD here.
From: FierceHealthIT
By Dan Bowman
Under a newly proposed rule from the U.S. Department of Health & Human Services, federally-facilitated exchanges created via the Affordable Care Act, as well as entities working with such exchanges, would have one hour to report security incidents upon discovery of a breach.
According to the proposal, published June 19 in the Federal Register, HHS would define a security incident according to standards set by the Office of Management and Budget, as opposed to standards set by the HIPAA regulations, because the latter, it says, is not broad enough.
“The protected health information that triggers HIPAA … is considered a subset of [personally identifiable information],” the notice reads. “We … propose that ‘incident’ would mean the act of violating an explicit or implied security policy, which includes attempts [either failed or successful] to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.”