CMS Seeks Emergency Review of Burden Of Breach Reports by State Marketplaces

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By Alex Ruoff  


The Centers for Medicare & Medicaid Services called for an emergency review of the burden posed by an information collection request that would require agencies administering state-based health insurance marketplaces to report to the federal government within one hour of any reported incidents involving the loss of consumer personal or financial information, according to a notice published in the Federal Register Aug. 21 (78 Fed. Reg. 51,729).

CMS requested an emergency review of the information collection request by the Office of Management and Budget by Sept. 25, with a 180-day approval period. Comments from the public will be accepted until Sept. 20.

The insurance marketplace administering entities--which could be any state agency--will have access to consumer personal information stored by various federal agencies through CMS's data services hub to make eligibility determinations for insurance applications, CMS said.

Under the proposed information collection request, state-based administering agencies would report “suspected or confirmed incidents affecting loss or suspected loss of [personally identifiable information] within one hour of discovery” to CMS's Center for Consumer Information & Insurance Oversight, which would notify the affected agency.

The administering entities would also be required to contact the Department of the Treasury and the Internal Revenue Service within 24 hours of discovering a potential breach, loss, or misuse of tax information.

CMS expects 936 annual responses to its information collection request from 18 state, local or tribal governments, with a total annual burden of 234 hours.

The data hub, once online, will connect state-based administering entities to various federal agencies, including IRS, Department of Defense, Department of Homeland Security, Social Security Administration, Peace Corps, Office of Personnel Management, and Veterans Health Administration.

Lawmakers opposed to the Affordable Care Act--which calls for the marketplaces and the data hub to come online Oct. 1--have warned about potential security issues facing the data hub.

Senate Minority Leader Mitch McConnell (R-Ky.), in an Aug. 12 letter to CMS, called the agency “ill-prepared to guarantee the protection of personal and taxpayer resources from hackers and cyber criminals” (see previous article).

McConnell's letter was preceded by an Aug. 9 letter from Sen. Orrin Hatch (R-Utah), asking the Government Accountability Office to assess the interoperability and security features of the data hub (see previous article).

The notice is at

Request Health Care on Bloomberg Law