The Centers for Medicare and Medicaid Services, in a final rule setting standards for health plans operating in state health insurance exchanges, has dropped a proposed requirement that privacy and security incidents be reported within one hour of discovery, while at the same time noting it is still required by other regulations.

CMS noted that many commenters to the proposed rule issued in June found the one-hour provision to be not practical or workable. But, while dropping the provision, what CMS decided to do in the final rule may not be much of a change. CMS apparently decided the provision wasn’t needed because it’s already in existing legal agreements.

Register or login for access to this item and much more

All Digital Insurance content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access