ObamaCare Clusterfuck: HHS holds state exchanges to US-CERT security breach standard, not HIPAA
Buried deep within the recently released 253-page proposed rule governing state health insurance exchanges, created under federal healthcare reform, is a stunning requirement: Breaches must be reported within one hour of discovery to the Department of Health and Human Services.
That may seem like an incredible demand, considering that the HIPAA breach notification rule gives covered entities up to 60 days to report breaches. But the proposal is not without precedent.
"I have seen the one-hour deadline before - it is a federal requirement for reporting unauthorized access to a federal system to the U.S. Computer Emergency Readiness Team, or US-CERT," says privacy attorney Adam Greene, a partner at Davis Wright Tremaine and a former official at HHS' Office for Civil Rights.
Greene suspects that this one-hour US-CERT breach reporting deadline may have influenced HHS as it wrote its proposed rule for health insurance exchanges.
Now, I suppose from one standpoint that's good news: I certainly don't want HHS waiting for weeks or months to report, if my data gets hacked.
But from another standpoint, the US-CERT deadline is very bad news indeed. From the US-CERT site:
US-CERT leverages the Protected Critical Infrastructure Information (PCII) Program to prevent inappropriate disclosure of proprietary information or other sensitive data. Established in response to the Critical Infrastructure Information Act of 2002 (CII Act), the PCII Program enables members of the private sector to voluntarily submit confidential information regarding the nation's critical infrastructure to DHS with the assurance that the information will be protected from public disclosure. More details about how information can be protected under the CII Act can be found on the Department of Homeland Security website.
In other words, HHS regards the exchanges as "critical infrastructure," since that's the standard they adopted for security breaches. That means, to me, that the personal data handled by the exchanges is extremely valuable* or, to look at the issue in another way, enables great abuse.
* NOTE: For example, individual risk scores.