Even the feds need IT.

A federal agency has come up with a form the new state-run health insurance exchanges can use to report security incidents.

The Centers for Medicare & Medicaid Services is putting the exchange security incident report form, CMS Form 10496, through a federal paperwork review process.

A state is supposed to send a security report to its CMS state officer within one hour of discovering the problem.

The Patient Protection and Affordable Care Act calls for states that run their own state-based public exchanges to enter into tough data security agreements with CMS.

The list of eight “incident ” on Form 10496 includes the loss or theft of an asset; a personal information breach; an attack by malicious code; unauthorized access of data; unsuccessful attempts to get unauthorized access to data; a denial of service attack; and investigations.

An exchange also must list the type of device involved in an incident and how many individuals were affected by any loss or compromise of personal information.

CMS is estimating in a supporting statement that a typical exchange might spend about 15 minutes filling out the form and submit about one form per week, at a total cost of about $500 per state-based exchange per year.

CMS also is putting the reports associated with the exchange enrollment assistance program through a routine paperwork review. In a review statement, the agency estimates that mid-level exchange project leads will earn $29 per hour and that senior exchange executives will earn $48 per hour.

See also: