Most breach notification mandates require that notice be provided without unreasonable delay. Some, such as HIPAA, apply the same standard but add an outside date by which notice must be given: 60 days after discovery. Proposed regulations under the Affordable Care Act would require notification to the Department of Health and Human Services (HHS) within one hour!
In §155.280(c)(3) we propose that [Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach. We also propose that a non-Exchange entity associated with a State Exchange must report all privacy and security incidents and breaches to the State Exchange with which they are associated.
The proposed definitions of "incidents" and "breaches" are broader than those under HIPAA; rather than carrying over the HIPAA definitions, HHS proposes to adopt the definitions established by the Office of Management and Budget. Because an "incident" under that definition is not limited to a confirmed impermissible disclosure of protected information, a far larger set of events could start the one-hour clock. Under the proposed regulations, FFEs and non-Exchange entities associated with FFEs would have to comply with applicable privacy and security standards and would be subject to monitoring and auditing by HHS. This would include being required to have policies and procedures in place for reporting breaches and incidents.
The breach reporting mandate would apply to the Exchanges as well as to "non-Exchange entities." Non-Exchange entities may include "navigators," agents, brokers and others "associated with an Exchange." Navigators are government-funded helpers, both individuals and organizations, whose role will be to assist in the operation of the Exchange by performing tasks such as educating consumers and facilitating enrollment. Organizations such as unions, church groups and chambers of commerce can serve as navigators.
Many expect considerable confusion at the end of this year as millions consider their health care options, with the full impact of "Obamacare" rolling out for 2014. In the process, vast amounts of highly sensitive personal information will need to be exchanged among the newly created exchanges and the entities associated with them. Those entities will need to be prepared from a privacy and data security standpoint. In practice, a one-hour reporting window can only be met if the escalation path, the person responsible for making the report and the reporting contacts at HHS or the State Exchange are identified before an incident occurs, not after.