Government Reporting for Security Incidents

Posted by BAS - 20 November, 2014


The Department of Health and Human Services released a set of frequently asked questions for reporting certain security incidents. The FAQs are aimed at Qualified Health Plans on the Exchanges, but may provide guidance for employers, particularly on when reporting is not required.

Qualified Health Plans in the Marketplace must report to HHS incidents and breaches of personally identifiable information. The reporting must be made to the Centers for Medicare and Medicaid Services’ IT Service Desk by telephone or email within 72-96 hours after discovery of the incident or breach.

An incident is defined as the “act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction or consent.” This definition is similar to the definition under HIPAA.

Plans questioned whether they had a requirement to report all failed attempts to gain unauthorized access to the system. CMS confirmed that some unintentional disruptions to a system may not be unlawful or pose a risk, so an entity may perform a risk assessment and risk management procedures and determine that it may not be reasonable to report every occurrence. Entities should consider many factors when deciding whether to report failed attempts to gain unauthorized access to their systems, taking into account the probability of potential risk and the system’s capabilities. For example, a single “ping” would likely not have to be reported, but a suspicious pattern of pings could require reporting.
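The single-ping-versus-pattern distinction above is a triage decision that a plan's own monitoring can make consistently before a human decides whether the 72-96 hour reporting clock applies. The following is an added illustration, not code from the original post or from HHS/CMS guidance: it parses constructed firewall deny-log lines (RFC 5737 test addresses), and for each source flags either an isolated probe (logged only) or a cluster of attempts within a short window or across several ports (escalated for the entity's risk assessment). The window, thresholds, log format and decision labels are assumptions for the example; the FAQ sets no such numbers, and each entity chooses its own as part of its risk management procedures.

```python
"""Triage denied-connection events: isolated probe vs. suspicious pattern.

Added example (not from the original post). The thresholds below are
illustrative assumptions, not values prescribed by HHS or CMS.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, deliberately tiny: one source sends 12 denied
# probes to 12 different ports within 12 seconds; another sends a single
# denied probe half an hour later. Addresses are RFC 5737 TEST-NET ranges.
SAMPLE_LOG = "\n".join(
    [f"2014-11-20T10:00:{i:02d} src=203.0.113.5 dst_port={1000 + i} action=deny"
     for i in range(12)]
    + ["2014-11-20T10:30:00 src=198.51.100.7 dst_port=443 action=deny"]
)

# Hypothetical decision labels used by this example.
LOG_ONLY = "log_only"
ESCALATE = "escalate_for_risk_review"


def parse_line(line):
    """Parse one 'ISO-timestamp key=value ...' log line into a dict."""
    ts_str, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": kv["src"],
        "port": int(kv["dst_port"]),
    }


def triage(log_text, window=timedelta(minutes=5), min_attempts=10, min_ports=5):
    """Return {source: decision}.

    A source is escalated when, within any sliding window of `window` length,
    it produces at least `min_attempts` denied attempts or touches at least
    `min_ports` distinct ports; otherwise its activity is just logged.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            events[event["src"]].append(event)

    decisions = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        decision = LOG_ONLY
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            distinct_ports = {e["port"] for e in in_window}
            if len(in_window) >= min_attempts or len(distinct_ports) >= min_ports:
                decision = ESCALATE
                break
        decisions[src] = decision
    return decisions


if __name__ == "__main__":
    for src, decision in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src}: {decision}")
```

The escalated decision is an input to the risk assessment the FAQ describes, not a reporting decision by itself; the analyst still weighs the probability of harm and the system's capabilities before a report goes to the CMS IT Service Desk.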

Plan sponsors should consider their system security and monitor suspicious access to data.
