The Obama administration has published the last major rule that it needed to finalize before the opening of the health insurance exchanges Oct. 1. The exchange program integrity rule generally finalizes policies it proposed in January and June.
Even coming so close to the exchange opening, the Health and Human Services Department (HHS) said in the rule that it doesn't believe those involved will have difficulty meeting the requirements because they "are based on existing standards currently in effect in the private health insurance market" and have been discussed in other guidance and the blueprint process for exchanges.
The 300-page final rule released last week by HHS outlines exchange standards related to eligibility appeals, verification of eligibility for minimum essential coverage and how to handle incomplete applications.
It clarifies the roles of agents and brokers, and those assisting consumers with their applications, issuers of health insurance in the federally-facilitated exchange (FFE) and direct enrollment, and the handling of consumer cases. It also sets standards on the state's operation of an exchange and small business health options program (SHOP). The regulation takes effect Sept. 30.
The program integrity final rule "attempts to wrap up a lot of loose ends that had to be addressed before the exchanges could open," said Timothy Jost, Washington and Lee University law professor, in a Health Affairs blog.
For example, even if a state is using the federally-facilitated exchange operated by HHS for its individual market, the final rule allows a state to operate a state-based small business health options (SHOP) program in 2014 if the state can assure HHS that it has the capability despite not having submitted an exchange blueprint.
The rule also contains provisions about privacy and security requirements, including those covering the monitoring of state exchanges and procedures for handling security incidents and breaches. The rule explains that its requirements do not duplicate HIPAA privacy requirements because not all entities that are subject to the exchange privacy and security requirements are subject to the Health Insurance Portability and Accountability Act (HIPAA).
HHS still has authority over privacy and confidentiality requirements but eliminated specific requirements on incident reporting and breach notification because they are handled in data sharing, computer matching and information exchange legal agreements that HHS enters into with other agencies and organizations, Jost explained.
That also included dropping the standard in the rule that incidents and breaches be reported within one hour because it is part of all data-sharing agreements, he said.
The federally-facilitated exchanges will follow the HHS incident handling procedures, the rule said. HHS said that it intends to publish the FFE privacy and security standards and encouraged state exchanges to publish their standards to increase transparency.