HIX proposed rule outlines breach requirements
The Centers for Medicare & Medicaid Services (CMS) unveiled a proposed rule governing the financial integrity and oversight standards of health insurance exchanges.
Under the June 19 CMS proposal, “Patient Protection and Affordable Care Act; Program Integrity: Exchange, SHOP, Premium Stabilization Programs, and Market Standards,” state insurance exchanges must contact the Department of Health and Human Services (HHS) within one hour of learning of an incident or breach.
“We propose that federally facilitated exchanges (FFEs), non-exchange entities associated with FFEs, and state exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach,” according to the proposed rule. “We also propose that a non-exchange entity associated with a state exchange must report all privacy and security incidents and breaches to the state exchange with which they are associated. We welcome comment on these proposals.”
The proposed rule also put forth revised definitions for the terms “incident” and “breach.” It clarified that “incident” would mean “the act of violating an explicit or implied security policy, which includes attempts to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction or consent.”
The rule defines “breach” as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.”
In the proposed rule, CMS wrote that it decided against using the HIPAA definitions of incident and breach because they “would not provide broad enough protections to satisfy the requirements under the Privacy Act of 1974, the e-Government Act of 2002, other laws to which HHS is subject, or the expectations of the other federal agencies that will be providing personally identifiable information to facilitate exchange eligibility determinations.”
CMS is accepting comments on the rule until July 19.