Today, the Centers for Medicare and Medicaid Services (CMS) requested an "emergency review" of its recently proposed rule that "[Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach."
We reported on the proposed rule in June. CMS is taking this step "to ensure compliance with an initiative of the Administration…[and] because public harm is reasonably likely to result if the normal clearance procedures are followed." There has been a considerable amount of pressure on the Obama Administration relating to significant privacy and data security concerns inherent in the massive information grab soon to take place with the implementation of the Exchanges.
CMS is requesting OMB review and approve its emergency request by September 25, 2013, and that any public comments be received by September 20, 2013. So, if you have concerns about the process (whether they pertain to privacy and data security generally, or the practicalities of reporting in one hour) you will need to voice those concerns quickly.