Breach Reporting Update


Privacy and security are extremely important to Health Insurance Exchanges. CMS has submitted a request for a review of the reporting system "because public harm is reasonably likely to result if the normal clearance procedures are followed." The request for review has been published in the Federal Register. The bottom line: if the request is approved, Health Insurance Exchanges will be required to report breaches, or even suspected breaches, within 24 hours. This is due to the large amount of patient data that will be stored in these exchanges.

While this new rule would not have an impact upon doctors' offices, it does raise a concern. As web-based EHR grows, the amount of patient records stored in a single platform will grow. It is possible that CMS may determine that such a large collection of patient data presents a risk that requires a higher standard for breach reporting. We do not know of any large breaches that have happened with web-based EHR programs, but the possibility does raise significant concerns.

The same issues that potentially impact large web-based EHR programs are faced by the Health Information Exchanges that will allow for doctor-to-doctor communication in Stage 2 of Meaningful Use. When storing patient data 'in the cloud', your Business Associate Agreement is extremely important. This document should state who is responsible for the financial burden of reporting and mitigating a breach. You should make sure that if a breach happens at your service provider, the provider is responsible for these costs.

You will need to have Business Associate Agreements in place with both your EHR provider and any Health Information Exchange that you connect to.

To view the item in the Federal Register, visit http://www.gpo.gov/fdsys/pkg/FR-2013-08-21/pdf/2013-20400.pdf