SmartHR

Final Health Reform Exchange Rules Flesh Out Privacy and Security Requirements

April 6, 2012 – 2:04 pm | By David Slaughter | 1 comment

Final rules that will govern the state-based insurance exchanges created by health reform include more detailed privacy and security requirements for the exchanges themselves and participating insurers. These restrictions also will apply indirectly to agents, brokers and others involved in this process. In the rules, published March 27 (77 Fed. Reg. 18310), the U.S. Department of Health and Human Services (HHS) “made major changes” from last year’s proposed version “both to give more guidance to States as they implement the Exchange program, and to ensure confidentiality for individuals who may interact with Exchanges,” HHS explained in the preamble. “Personally identifiable information” (PII) created or collected to determine an individual’s eligibility to enroll through an exchange may only be used or disclosed as needed to fulfill those specific functions. PII created or collected for other exchange functions may be used or disclosed more broadly, but only in compliance with the rules’ privacy and security standards. These provisions include some of the same principles as HIPAA’s privacy and security rules, but apply more broadly. “We believe HIPAA is not broad enough to adequately protect the various types of PII that will be created, collected, used, and disclosed by Exchanges,” since not all participants in these “health insurance marketplaces” will be HIPAA-covered entities, HHS stated. However, those that are covered entities must continue to comply with HIPAA as well. The exchanges were designed by the Patient Protection and Affordable Care Act to give individuals and small employers “one-stop marketplaces” to shop for health coverage, starting in 2014. State plans to launch exchanges must be approved by HHS by Jan. 1, 2013, or else the agency can move in and set up exchanges itself. Exchanges must establish privacy and security policies consistent with “fair information practice principles” identified by HHS’ Office of the National Coordinator for Health Information Technology in the “framework” it adopted in 2008 for health information exchange. Exchanges “must establish and implement operational, technical, administrative and physical safeguards” to ensure “the confidentiality, integrity, and availability” of PII the exchange creates, collects, uses or discloses; and protect it against “reasonably anticipated” threats or unpermitted disclosures. “We believe the standards in this final rule will minimize burden by allowing HHS and the States to leverage existing security infrastructure,” HHS stated. “We plan to release guidance to assist States in developing and implementing privacy and security policies and protocols that fulfill the standards of this section.” Exchanges also “must monitor, periodically assess, and update” their security measures, and use “secure electronic interfaces” when sharing PII electronically. Like HIPAA-covered entities, exchanges must have written policies and procedures, make them available to HHS on request and ensure that their work force complies with them. The exchange rules also include an analog to HIPAA’s business associate requirements. Any agents, brokers or others that receive PII through an exchange — or collect, use or disclose PII on the exchange’s behalf — must agree to meet at least the same level of privacy and security measures as the exchange. HIPAA’s privacy and security rules, and their effect on plan sponsors, are detailed in the Employer’s Guide to HIPAA and Employer’s Guide to HIPAA Privacy Requirements.