Reform Alert - News from the Blues' Office of National Health Reform

HHS issues proposed rule on Marketplace monitoring of privacy and security standards

Update: Dec. 20, 2013 — Department of Health and Human Service clarifies Marketplace privacy and security standards

Aug. 5, 2013

On June 19, the Department of Health and Human Services (HHS) issued a proposed rule requiring plans to monitor Marketplace privacy and security standards. The proposed rule states that HHS will monitor any individual or entity subject to the privacy and security requirements within the Marketplace final rule. In the case of a Federally-facilitated Marketplace (FFM), HHS will oversee and monitor FFMs and non-Marketplace entities[i] associated with FFMs for compliance with privacy and security standards.

HHS proposes that the agency may perform oversight activities, including but not limited to:

  • Audits;
  • Investigations;
  • Inspections; and
  • Any reasonable activities necessary for appropriate oversight of compliance

The rule also includes proposed definitions of "incident" and "breach" as they apply to privacy and security throughout the Marketplace:

    Incident: The act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.

    Breach: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for any other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.

In the event of an incident or breach, the entity where the incident or breach occurs would be responsible for reporting and managing it according to the entity’s documented incident handling or breach notification procedures.

Non-Marketplace entities associated with the Marketplace (such as agents, brokers, Navigators, or qualified health plan issuers) would be required to have policies and procedures in place for reporting breaches and incidents as a condition of the contracts or agreements.

The proposed rule notes that in the event of an incident or breach, an FFM, non-Marketplace entity associated with an FFM, or state Marketplace must report the incident or breach to HHS within one hour of discovery.

Where can I find more information?
More information can be found here.

[i] "Non-Marketplace entities" include agents, brokers, and others "associated with the Marketplace." It is interpreted to include QHP issuers as well.


The information in this document is based on preliminary review of the national health care reform legislation and is not intended to impart legal advice. The federal government continues to issue guidance on how the provisions of national health reform should be interpreted and applied. The impact of these reforms on individual situations may vary. This overview is intended as an educational tool only and does not replace a more rigorous review of the law’s applicability to individual circumstances and attendant legal counsel and should not be relied upon as legal or compliance advice. As required by US Treasury Regulations, we also inform you that any tax information contained in this communication is not intended to be used and cannot be used by any taxpayer to avoid penalties under the Internal Revenue Code.