Obamacare Breach Bill Passes House

White House: Notification Requirement Burdensome

The House of Representatives on Jan. 10 approved a bill that would require the Department of Health and Human Services to notify individuals within two business days of discovering a breach involving their personal information on the federally facilitated and state-operated Obamacare health insurance exchanges.

The bill, the Health Exchange Security and Transparency Act of 2014, sponsored by Rep. Joe Pitts, R-Pa., passed the GOP-led House 291 to 122, with 67 Democrats voting in favor.

Despite the legislation having some bipartisan support, the White House issued a statement opposing the bill's passage "because it would create unrealistic and costly paperwork requirements that do not improve the safety or security of personally identifiable information in the health insurance marketplaces."

The statement notes: "The indiscriminate reporting requirement may seriously impede the law enforcement investigation of a breach. Unlike existing requirements, H.R. 3811 requires expensive and unnecessary notification for the compromise of publicly available information, even if there is no reasonable risk that information could be used to cause harm."

Under Obamacare, insurers cannot deny health coverage to individuals based on pre-existing health conditions, so HIPAA-protected health data is not collected or exchanged on the insurance marketplace sites, whether they're state-operated or facilitated by the federal government through the HealthCare.gov website. However, other personally identifiable consumer information, including financial data, is submitted as part of the application, and it is that information a breach of an exchange system would expose.

Some consumer advocates agree that the two-day breach reporting proposal doesn't allow enough time to thoroughly evaluate incidents.

"Breaches take time to investigate, and if notification is required within two days, consumers potentially affected are not likely to receive much useful information about the breach," says Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. "It could even be the case that consumers whose data was not ultimately involved may be unnecessarily notified. Ideally breach notification should contain as many details as are possible to help consumers assess their risks and potentially take mitigating actions," McGraw notes.

"Breaches should always be subject to notification as soon as possible, with an outer time limit to avoid delay," she adds. For example, the HITECH Act, enacted by Congress in 2009, requires notification of health data breaches without unreasonable delay and no later than 60 days after discovery, she notes.

Congressional Scrutiny

The House vote follows a series of Congressional hearings focused on the technical woes and security concerns for the HealthCare.gov website and systems that facilitate the health insurance exchanges of 36 states under the Affordable Care Act (see IT Experts Answer Obamacare Questions).

Many Democrats have charged that the mostly Republican-led scrutiny of HealthCare.gov's security is motivated by the GOP's ongoing desire to see the Affordable Care Act fail.

Drew Hammill, a spokesman for Democratic leader Rep. Nancy Pelosi, D-Calif., said in a Jan. 2 statement, "It is clear that the New Year has brought no change in heart for House Republicans. They continue to remain intent on undermining or repealing the Affordable Care Act at every turn, and that effort even extends to scaring their constituents from obtaining health coverage."

Notification Requirements

H.R. 3811, the bill that passed the House Jan. 10, states: "Not later than two business days after the discovery of a breach of security of any system maintained by an exchange established under the Affordable Care Act, which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed, the Secretary of the Department of Health and Human Services shall provide notice of such breach to each such individual" (see House to Vote on Obamacare Security Bills).

A House vote on another Obamacare security-related bill was delayed. The vote on the Exchange Information Disclosure Act, sponsored by Rep. Lee Terry, R-Neb., has been rescheduled for the week of Jan. 13, says a Terry spokesman. That legislation proposes to amend the Affordable Care Act "to require transparency in the operation of American Health Benefit Exchanges."

Among the security-related provisions of the Terry-sponsored bill is a requirement that Congress receive weekly reports on the health insurance exchanges, including enrollment numbers as well as a description of technical problems on the HealthCare.gov site, including those related to consumer privacy and data security.

Rallying the Troops

House Majority Leader Eric Cantor, R-Va., sent a memo to House Republicans on Jan. 2 urging them to pass legislation addressing the security of the HealthCare.gov site, particularly data breach notification (see: GOP Plans HealthCare.gov Security Bill).

The focus on the security of HealthCare.gov is just one part of Cantor's larger call for "greater transparency" overall from the Obama administration for the Affordable Care Act, including "disclosure of reliable and complete enrollment data."
About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.