The Department of Health and Human Services published on June 19, 2013, a proposed rule requiring health insurance exchanges created under the Affordable Care Act to report privacy and security issues and breaches of individually identifiable information to HHS within one hour of discovery.
The proposed rule requires exchanges and their partners to protect personally identifiable information under the Privacy Act of 1974, rather than under HIPAA's rules and regulations. Further, Federally Facilitated Exchanges (FFEs), non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach, a far shorter window than HIPAA's 60-day breach notification rule.