One-hour notification mandate for HIX dropped but only because it's already covered

Beth Walsh | | Health Exec | Policy & Regulations

In response to numerous commenters who said a one-hour notification rule for privacy and security incidents is impractical and unworkable, the Centers for Medicare & Medicaid Services (CMS), in a final rule setting standards for health plans operating in state health insurance exchanges, dropped the proposed requirement.

However, CMS noted the provision wasn’t needed because it’s already in existing legal agreements. “Because the one hour incident response timeline has been included in all the data sharing agreements required under the Affordable Care Act, we have deleted the timing for incident reporting from regulation, proposed in section 155.280(c)(3), and expect it to be addressed through separate agreement," the final rule states.

Health insurance exchanges are set to open for business on Oct. 1 to support open enrollment as consumers compare and purchase health insurance with coverage beginning in January 2014.

Not all the provisions from the proposed rule have been finalized, as some need to be in effect by October while others can wait.

The final rule is available here.

 

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.

Related Content

Dental chain involved in ransomware coverup fined $350K
$49B in medical debt to be erased from credit reports
$3.3B merger of UnitedHealth and Amedisys delayed by DOJ lawsuit
FDA to hopeful marketers of AI-equipped medical devices: Think beyond your initial approval
FDA issues proposed guidance for improving reliability of pulse oximeters
Bill to regulate healthcare private equity lands on desk of Mass. governor

Around the web

Cardiovascular Business
Stryker acquires Inari Medical for $4.9B

Stryker, a global medtech company based out of Michigan, has kicked off 2025 with a bit of excitement. The company says Inari’s peripheral vascular portfolio is highly complementary to its own neurovascular portfolio.

Radiology Business
The biggest obstacles facing radiology business managers in 2025

RBMA President Peter Moffatt discusses declining reimbursement rates, recruiting challenges and the role of artificial intelligence in transforming the industry.

Radiology Business
Policies and regulations shaping radiology in 2025

Mark Isenberg, executive vice president of Zotec Partners, discusses key developments that will reshape the specialty this year.