Proposed HIE Breach Reporting Requirements

A couple of weeks ago, the US Department of Health and Human Services published its proposed rule relating to the Patient Protection and Affordable Care Act, colloquially referred to as “Obamacare.” Within that document, which at the time of this blog post has 10 days remaining for comment, is the following line buried on page 69 of 253:

“…we propose that FFEs*, non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach.”

Let’s put that in a little perspective. The existing HIPAA regulations require that breaches be reported “without reasonable delay,” but within 60 days. We’re talking about reducing the acceptable time to notify the feds from 60 days to 60 MINUTES.

For federal agencies, this isn’t such a crazy idea, as they’re currently required to report such incidents to US-CERT within the same time frame. More likely than not, this is where HHS came up with the proposed time limit. And I can’t really argue with them. As these systems become interconnected, which is the point of this whole endeavor, the sooner the proper folks know about a breach in, say, Maryland, the sooner they can take measures to ensure that said breach doesn’t traverse the system to affect the other 49 states, the District and the territories.

Besides all of the other pitfalls this entire operation is experiencing (see July 2nd’s announcement by the president’s administration of a one year delay in enforcement), I hear from several little birdies that exactly ZERO states are ready to go live with their exchanges. Adding this requirement will only serve to delay things even more (not that that’s a bad thing…do it right or don’t do it at all, I say). Many federal agencies, as we all know, have the budgets to bring in very expensive contractors to run their information security programs. The state agencies, by and large, do not. Many that I’ve worked with over the years in various roles barely have the ability to keep their network infrastructure up to date, much less their security systems (refer to my recent post on the Washington State Courts).

Having a managed intrusion detection system along with log aggregation and daily log review will better allow the States and the other required entities not only to report, but to report with worthwhile data.
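To make that last point concrete, here is an added example (not code from the post, and not any HHS or state tooling) of what “report with worthwhile data” looks like in practice: a small detector run over aggregated authentication logs that turns a suspicious pattern into an incident packet with the evidence lines attached and the reporting deadlines computed from the discovery time. The log format, host names, addresses, the five-failures-then-success rule and the ten-minute window are all constructed for the example; the two deadlines are the proposed one-hour HHS window and the existing 60-day HIPAA outer bound from the text above.

```python
"""Build an incident packet from aggregated auth logs and compute reporting deadlines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of aggregated log lines; hosts and addresses are hypothetical.
SAMPLE_LOGS = [
    "2013-07-10T02:14:01 hie-portal-01 sshd: Failed password for admin from 203.0.113.7",
    "2013-07-10T02:14:09 hie-portal-01 sshd: Failed password for admin from 203.0.113.7",
    "2013-07-10T02:14:17 hie-portal-01 sshd: Failed password for admin from 203.0.113.7",
    "2013-07-10T02:14:25 hie-portal-01 sshd: Failed password for admin from 203.0.113.7",
    "2013-07-10T02:14:33 hie-portal-01 sshd: Failed password for admin from 203.0.113.7",
    "2013-07-10T02:14:41 hie-portal-01 sshd: Accepted password for admin from 203.0.113.7",
    "2013-07-10T02:20:00 hie-portal-02 sshd: Failed password for jdoe from 198.51.100.4",
    "2013-07-10T02:21:00 hie-portal-02 sshd: Accepted password for jdoe from 198.51.100.4",
]

PROPOSED_HHS_WINDOW = timedelta(hours=1)   # proposed rule: one hour from discovery
HIPAA_OUTER_BOUND = timedelta(days=60)     # existing HIPAA breach notification bound
FAILURE_THRESHOLD = 5                      # constructed detection rule
WINDOW = timedelta(minutes=10)             # constructed detection rule

# Assumed log layout: "<iso timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one aggregated log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["raw"] = line
    return ev


def detect_incidents(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag a success preceded by >= threshold failures from the same source within the window.

    Returns one incident per (host, source, user) that trips the rule, carrying the
    raw evidence lines so the report contains the data a reviewer would actually want.
    """
    incidents = []
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["src"], ev["user"])
        # Keep only failures still inside the sliding window.
        recent = [f for f in failures[key] if ev["ts"] - f["ts"] <= window]
        if ev["result"] == "Failed":
            recent.append(ev)
            failures[key] = recent
            continue
        if len(recent) >= threshold:
            incidents.append({
                "host": ev["host"],
                "source": ev["src"],
                "user": ev["user"],
                "event_time": ev["ts"],
                "evidence": [f["raw"] for f in recent] + [ev["raw"]],
            })
        failures[key] = []  # a success resets the counter for that key either way
    return incidents


def build_report(incident, discovered_at=None):
    """Attach reporting deadlines to an incident.

    The clocks run from *discovery*, not from the event itself: with daily log review,
    discovered_at may be many hours after event_time, and the packet records both.
    """
    discovered = discovered_at or incident["event_time"]
    return {
        "host": incident["host"],
        "source": incident["source"],
        "user": incident["user"],
        "event_time": incident["event_time"].isoformat(),
        "discovered_at": discovered.isoformat(),
        "report_by_proposed": (discovered + PROPOSED_HHS_WINDOW).isoformat(),
        "report_by_hipaa": (discovered + HIPAA_OUTER_BOUND).isoformat(),
        "evidence_count": len(incident["evidence"]),
        "evidence": incident["evidence"],
    }


if __name__ == "__main__":
    for inc in detect_incidents(SAMPLE_LOGS):
        packet = build_report(inc)
        for k, v in packet.items():
            print(f"{k}: {v}")
```

Two things worth noticing in the output. The second host’s single failure followed by a success does not trip the rule, so the packet contains only the event that deserves attention. And the deadlines are keyed to `discovered_at`, which is where the one-hour proposal bites: with a managed IDS the discovery time is close to the event time, whereas with daily log review alone it can lag by up to a day, and the hour starts only once someone actually looks.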

*Federally Facilitated Exchanges – mgmt