The Centers for Medicare and Medicaid Services (CMS) is developing a process for Health Insurance Exchanges to report security incidents, including breaches of personally identifiable information (PII) and protected health information (PHI). If an Exchange encounters a breach, the exchange will have to report the information to CMS using a special form.
The form includes questions that must be answered about the incident, the device involved in the incident, the type of breach, and a description of the unauthorized use. A form has been developed for online reporting, which will have to be completed and submitted within one hour of discovery of the breach.