Senior Communications Manager
Kirk Nahra Discusses Data Breach Reporting Proposal for Insurance Exchanges
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice, was quoted by Bloomberg BNA in a June 26 article about the U.S. Centers for Medicare and Medicaid Services’ (CMS) proposed data breach reporting standards for health insurance marketplaces.
The proposed rule would require federally facilitated exchanges (FFEs), state exchanges and their business associates to have written policies and procedures in place for handling and reporting data breaches. Breach incidents would be defined as violations of security policies to gain unauthorized access to systems and data, according to the article.
State exchanges, FFEs and non-exchange entities associated with FFEs would have to notify the U.S. Department of Health and Human Services (HHS) of breach incidents within one hour of discovering them. Business associates of state exchanges would have to report breach incidents to the state exchanges within the same time period.
Although the proposal’s time frame for reporting data breach incidents is similar to that of other CMS programs, it is “wildly out of line” with other security breach notification requirements, in the health care industry and otherwise, Mr. Nahra told Bloomberg BNA.
“It is also almost impossible to meet and will require overreporting of many minor incidents,” he said.