Health Exchange Rule Addresses Privacy
New Insurance Exchanges Must Comply With GuidelinesFederal officials have released a final rule setting guidelines, including privacy and security provisions, for state insurance exchanges, called for under healthcare reform, which must begin operating by 2014.
See Also: Mastering Data Dilemmas: Navigating Privacy, Localization and Sovereignty
The exchanges will provide consumers and smaller employers with an easier way to shop for insurance coverage from multiple health plans. The rule, revealed on the Federal Register Public Inspection Desk March 12, will be officially published in the Federal Register March 27.
Privacy, Security Provisions
Section 155.260 of the rule from the Department of Health and Human Services spells out privacy and security provisions. Among them are:
- Personally identifiable health information should be protected with reasonable operational, administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability and to prevent unauthorized or inappropriate access, use or disclosure.
- Anyone who uses or discloses information in violation of the Affordable Care Act (healthcare reform) will be subject to a civil penalty of not more than $25,000 per person or entity, per use or disclosure, in addition to other penalties that may be prescribed by law.
- Exchanges may only use or disclose personally identifiable information to the extent such information is necessary to carry out their narrowly defined functions, such as to determine eligibility for enrollment.
- Individuals should be provided a reasonable opportunity to make informed decisions about the collection, use and disclosure of their personally identifiable health information.
- Individuals should be provided with a simple and timely means to access and obtain their personally identifiable health information in a readable format.