The deadlines for Department of Health and Human Services security risk assessments have been pushed back from August to mid-September, and the chief agency sign-off on the analysis is not due until Sept. 30, the day before the state insurance exchanges open for business.
"So that crunch for the sign-off for the security of the [federal] data hub has me a little concerned, but I think the agency will be working around the clock to get it done," says Rasmussen, a policy analyst for the Health Privacy Project of the Center for Democracy & Technology.
Under the Affordable Care Act, individuals and small businesses, starting Oct. 1, are supposed to be able to purchase private health insurance from these new online state insurance exchanges. These web-based marketplaces will collect data from consumers on the front end via a web portal and exchange data from other systems, including those of federal agencies, on the back end.
The federal data services hub is a key component for the state insurance exchanges because it will route data from the various federal agencies, such as the Internal Revenue Service, to these online insurance marketplaces during consumer eligibility and enrollment processes.
But contrary to rumors that the federal hub is a large database for the government to amass individuals' personal health information, "the data hub will not collect consumer data," Rasmussen clarifies in an interview with Information Security Media Group.
"The data hub is like a traffic circle - cars come into the circle from one street, and leave from another. They're not parking there," he says.
In the interview, Rasmussen describes:
- How consumer data will flow on the state insurance exchanges;
- How consumer data will be protected during the health insurance eligibility and enrollment processes;
- Steps consumers can take to protect their personal data while enrolling on the insurance exchanges.
Rasmussen is a policy analyst at the Center for Democracy & Technology, a Washington-based, not-for-profit civil liberties organization. Previously, Rasmussen worked with the Department of Veterans Affairs' Veterans Health Administration where he researched health data access and use policies from a privacy and security perspective across the agency and developed a common health data access policy.