Health Information Management

CMS requests emergency review of HIE breach reporting proposed rule

HIM-HIPAA Insider, August 26, 2013

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

by Jaclyn Fitzgerald, Online editor 

CMS requested emergency review of a proposed rule that would change the way state health insurance exchanges (HIE) report privacy and security breaches to HHS, according to a notice posted in the Federal Register.

Under the proposed rule, state-based administering entities would be required to report suspected or confirmed breaches of personally identifiable information and protected health information to their Center for Consumer Information and Insurance Oversight State Officer within one hour of discovery, according to the request. The officer would then be required to notify the appropriate federal agency such as the Internal Revenue Service, Department of Defense, Department of Homeland Security, Social Security Administration, Peace Corps, Office of Personnel Management, and Veterans Health Administration, the noticed stated.

HIE breaches could go undetected if this change is not implemented, leading to public harm and an increased risk of identity fraud, according to the notice. Currently, HIEs are subject to the HIPAA privacy and security rule, which would allow HIEs 60 days to publicly report a breach.

CMS requested that the Office of Management and Budget review and approve the proposed rule by September 25 with a 180-day approval period. This deadline is just five days before the October 1 HIE launch.

CMS will accept comments through September 20 either electronically or by mail.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular