CMS, HHS Issue New Data Privacy Rules for ACA Insurance Exchanges
May 22, 2014
A final rule released last week by CMS includes updated privacy and data security standards for patients who purchase or shop for coverage through the Affordable Care Act’s health insurance exchanges, Health IT Security reports (Ouellette, Health IT Security, 5/21).
The final rule outlines standards for the exchange and health insurance market beginning in the 2015 open enrollment period (Dickson/Demko, Modern Healthcare, 5/16).
Details of Privacy, Data Security Standards
According to the final rule, CMS and HHS will begin issuing civil monetary penalties when data privacy and security issues related to the law’s health insurance exchanges occur.
Specifically, the rule would amend a regulation (45 CFR 155.260) for the handling and safeguarding of consumers’ personally identifiable information to reference the new penalty associated with section 155.285. The rule states, “Uses and disclosures of information that are not permitted by §155.260 or otherwise permitted by statute or regulation, therefore, are prohibited. Those prohibited uses and disclosures are the focus of the penalties imposed in §155.285 to the extent they are knowing and willful.”
The rule also states that individuals must be notified when a civil monetary fine is assessed because patient data have been improperly disclosed or used through state or federal exchanges.
According to Health IT Security, it appears that the two agencies are “aiming to use the civil monetary penalties as a preventive measure against patient data disclosures within the insurance exchanges.”
The new language will be posted in the Federal Register on May 27 and will go into effect on July 26, the final rule states (Health IT Security, 5/21).