No. 36634 (New Rule): Rule R358-1. Electronic Standards for Transmitting Information through the Health Insurance Exchange  

(New Rule)

DAR File No.: 36634
Filed: 08/09/2012 03:11:47 PM

RULE ANALYSIS

Purpose of the rule or reason for the change:

The purpose of this rule is to establish electronic standards for the Health Insurance Exchange and its partners.

Summary of the rule or change:

The rule outlines technology standards and requirements for the Health Insurance Exchange and its partners.

State statutory or constitutional authorization for this rule:

• Section 63M-1-2506

Anticipated cost or savings to:

the state budget:

This rule adds no costs nor saves money for the state. It establishes technology standards that prospective partners of the Health Insurance Exchange must meet. Prospective partners will disclose their technology in any request for proposal (RFP) that might be issued, and the Exchange itself will verify whether they meet the requirements.

local governments:

The Health Insurance Exchange is a state entity that does no direct or indirect business with local government. Therefore, no costs or savings will arise with the enactment of this rule.

small businesses:

The Health Insurance Exchange uses industry-standard technology and security requirements. Any business that is qualified to contract with the Exchange will use the same or better standards and requirements. Therefore, it will not cost them anything to conduct business with the Exchange.

persons other than small businesses, businesses, or local governmental entities:

The rule exists solely to set an electronic standard for Health Insurance Exchange partners to use when transmitting health information between their systems and the Exchange. Persons who are not partners of the Health Insurance Exchange will not be affected by the rule and will not experience costs or savings.

Compliance costs for affected persons:

Costs should not be incurred on the Health Insurance Exchange's behalf for any persons. In some cases, prospective contractors or partners may, at their discretion, upgrade their technology and security standards to meet Exchange requirements. However, these upgrades will benefit their business generally and without specific reference to Exchange operations. Any upgrades they deem necessary will increase their overall competitiveness in the market as a whole and will be a benefit to their operations generally.

Comments by the department head on the fiscal impact the rule may have on businesses:

It is my opinion that filing this rule will have no fiscal impact on Utah's businesses. The rule requires adherence to industry standard technologies and practices, a requirement that the Health Insurance Exchange's partners already meet. No persons covered by the rule must bear new costs, nor will they see new savings.

Spencer P. Eccles, Executive Director

The full text of this rule may be inspected, during regular business hours, at the Division of Administrative Rules, or at:

(2) This rule is enacted under the authority of Section 63M-1-2506.

R358-1-2. Definitions.

(1) Technology partner. A Health Insurance Exchange technology partner administers the technology on which the Exchange runs and supports the activities that take place on that technology.

(2) Financial partner. A Health Insurance Exchange financial partner administers the financial transactions that occur on the Exchange, including invoicing and collection of payments, and the disbursement of funds for services provided.

(3) Provider partner. A Health Insurance Exchange provider partner is any entity that offers goods or services to consumers through the Exchange system.

R358-1-3. Standards.

(1) The Office of Consumer Health Services requires that all Exchange technology, financial, and provider partners strive to keep consumer data secure at all times. All partners shall:

(a) transmit consumer data between the Exchange and all partners via secure file transfer protocol (SFTP);

(b) keep consumer data encrypted during transmission and while at rest on partner servers; and

(c) establish security profiles to provide leveled access to the minimum allowable data.

R358-1-4. HIPAA Compliance.

(1) The Office of Consumer Health Services requires that all Exchange technology and provider partners comply with the Health Insurance Portability and Accountability Act (HIPAA).

R358-1-5. Quality Control Process.

(1) Because security is integral to Health Insurance Exchange operations, the Office of Consumer Health Services shall:

(a) conduct periodic security audits to ensure the strength of the above standards as performed by all partners; and

(b) perform risk assessments across all partners, technologies, and platforms when implementing new enhancements or services.

KEY: data standards, Health Insurance Exchange, consumer health, health insurance

Date of Enactment or Last Substantive Amendment: 2012

Authorizing, and Implemented or Interpreted Law: 63M-1-2506