“We considered but declined to use the definitions for these terms provided under the HIPAA regulations because the protected health information (PHI) that triggers the HIPAA requirements is considered a subset of PII [Personally Identifiable Information], and we believe that the HIPAA definitions would not provide broad enough protections to satisfy the requirements under the Privacy Act of 1974 (5 U.S.C. 552a), the e-Government Act of 2002 (Pub. L. 107–347), other laws to which HHS is subject, or the expectations of the other Federal agencies that will be providing PII to facilitate Exchange eligibility determinations.” [The new standard is found at the end of this post.]

The federal agencies issued their weekly set of proposed health care reform rules today. My stack of federal regulations is almost high enough for me to clean the leaves out of my gutters. If only the agencies would publish rules faster.

For the mathematically inclined, there is the “allowable rating factor (ARF)” for “family tiering states” – “ARF_s is the rating factor for the subscriber(s) (based on family size/composition) and M_s is the number of billed person-months that are counted in determining the subscriber(s) premium.”

ARF formula

The proposed rules published today address a wide range of subjects, from market rules to exchange operations. Here is the table of contents:

Table of Contents

I. Background

A. Legislative Overview

B. Stakeholder Consultation and Input

C. Structure of the Proposed Rule

II. Provisions of the Proposed Rule

A. Part 144 – Requirements Related to Health Insurance Coverage

B. Part 147 – Health Insurance Reform Requirements for the Group and Individual Health Insurance Markets

C. Part 153 – Standards Related to Reinsurance, Risk Corridors, and Risk Adjustment under the Affordable Care Act

1. Subpart A – General Provisions

2. Subpart C – State Standards Related to the Reinsurance Program

3. Subpart D – State Standards Related to the Risk Adjustment Program

4. Risk Adjustment Methodology

5. Subpart E – Health Insurance Issuer and Group Health Plan Standards Related to the Reinsurance Program

6. Subpart F – Health Insurance Issuer Standards Related to the Risk Corridors Program

7. Subpart G – Health Insurance Issuer Standards Related to the Risk Adjustment Program

8. Subpart H – Distributed Data Collection for HHS-Operated Programs

D. Part 155 – Exchange Establishment Standards and Other Related Standards Under the Affordable Care Act

1. Subpart A – General Provisions

2. Subpart B – General Standards Related to the Establishment of an Exchange

3. Subpart C – General Functions of an Exchange

4. Subpart D – Exchange Functions in the Individual Market: Eligibility Determinations for Exchange Participation and Insurance Affordability Programs

5. Subpart E – Exchange Functions in the Individual Market: Enrollment in Qualified Health Plans

6. Subpart H – Exchange Functions: Small Business Health Options Program (SHOP)

7. Subpart M – Oversight and Program Integrity Standards for State Exchanges

E. Part 156 – Health Insurance Issuer Standards Under the Affordable Care Act, Including Standards Related to Exchanges

1. Subpart A – General Provisions

2. Subpart C – Qualified Health Plan Minimum Certification Standards

3. Subpart D – Federally-facilitated Exchange Qualified Health Plan Issuer Standards

4. Subpart E – Health Insurance Issuer Responsibilities with Respect to Advance Payments of the Premium Tax Credit and Cost-sharing Reductions

5. Subpart H – Oversight and Financial Integrity Standards for Issuers of Qualified Health Plans in Federally-facilitated Exchanges

6. Subpart I – Enforcement Remedies in Federally-facilitated Exchanges

7. Subpart J – Administrative Review of QHP Issuer Sanctions in Federally-facilitated Exchanges

8. Subpart K – Cases Forwarded to Qualified Health Plans and Qualified Health Plan Issuers in Federally-facilitated Exchanges by HHS

9. Subpart L – Quality Standards

10. Subpart M – Qualified Health Plan Issuer Responsibilities

III. Collection of Information Requirements

IV. Response to Comments

V. Regulatory Impact Analysis

Obviously, I have not had time to read the full set of rules, let alone “digest” them. However, here is a taste of the potential confusion and complication I found while “speed reading” down to the exchange standards. Rather than borrow the HIPAA privacy, security and breach notification definitions for exchanges, HHS has proposed the broader federal agency definitions of “incident” and “breach,” and paired them with a much tougher reporting clock. Note how wide the net is: an “incident” includes failed attempts at unauthorized access, and a “breach” includes mere potential access to any personally identifiable information, not only protected health information. Under HIPAA, by contrast, a breach covers only PHI and notification runs on a 60-day clock; here the report to HHS is due within one hour of discovery:

“45 CFR § 155.280 Oversight and monitoring of privacy and security requirements.

…(c) Security and privacy incidents and breaches.

(1) The following definitions apply to privacy and security incidents and breaches:

(i) Incident means the act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.

(ii) Breach means the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.

(2) Incident or breach management. The entity where an incident or breach occurs is responsible for managing the incident or breach in accordance with the entity’s documented incident handling and breach notification procedures.

(3) Reporting. Federally-facilitated Exchanges, non-Exchange entities associated with the Federally-facilitated Exchange, and State Exchanges must report all privacy and security incidents and breaches to HHS within one (1) hour of discovering the incident or breach. A non-Exchange entity associated with a State Exchange must report all privacy and security incidents and breaches to the State Exchange with which they are associated.”

I’ll pull out my new HIPAA rules and figure out how I need to adjust client privacy policies and procedures – one of my all-time favorite tasks.