Bill Addresses HealthCare.gov Privacy Issue
Would Give Consumers More Control Over Profile Data
The Healthcare Consumer Privacy Act, H.R. 5610, introduced last week by Rep. Robert Hurt, R-Va., and Rep. John Barrow, D-Ga., proposes amending the Affordable Care Act, commonly known as Obamacare, to allow consumers to remove their profiles from HealthCare.gov if they choose not to enroll in coverage offered on the federally facilitated exchanges.
HealthCare.gov hosts the online health insurance exchanges for more than 30 states under the Affordable Care Act. The website and its back-end systems were plagued by serious technical problems for many weeks after it launched for open enrollment on Oct. 1, 2013. Since then, HealthCare.gov has been the subject of multiple Congressional hearings, including some focused on data security and privacy.
The proposed legislation comes in the wake of Department of Health and Human Services officials revealing on Sept. 4 a July hacking incident in which malware was uploaded to a HealthCare.gov test server. The malware was designed to launch distributed-denial-of-service attacks against other websites when activated, not to exfiltrate personally identifiable information, HHS officials say. No consumer data was exposed in the incident, according to HHS (see HealthCare.Gov Server Hacked).
Power to the People
Hurt tells Information Security Media Group that he decided to introduce the bill after a constituent contacted his office to express concern over the fact that he was unable to delete his profile from HealthCare.gov. "Even though [the constituent] ultimately decided not to sign up for healthcare coverage, he still could not remove his profile from the site," he says. "We followed up with HHS and reiterated his request, but we were also told applicants could delete applications but could not remove all of their information from the system."
After hearing of similar complaints from other consumers, "we continued to press HHS for answers but received no justification for this policy. It became clear that legislative action would be necessary to ensure that Americans can protect their personal information," Hurt says.
Neither Barrow nor HHS' Centers for Medicare and Medicaid Services, which oversees HealthCare.gov, responded to ISMG's request for comment on the proposed legislation.
Both Hurt and Barrow are running for re-election to Congress in the November mid-term elections.
The bill, which has been referred to the House Committee on Energy and Commerce, calls on HHS "to create a mechanism that enables individuals to delete their profile and all of the associated personal information retained in the HealthCare.gov system," Hurt says.
Watchdog Scrutiny
In addition to the recent hacking incident involving the HealthCare.gov test server, Hurt points to a Government Accountability Office study released in September that detailed several privacy and security weaknesses present at the site's launch, almost a full year earlier, that had still not been fixed. "The GAO reported that there are still serious risks of unauthorized access, disclosure, and modification to all information collected and maintained by this website," he says.
In testimony before a Sept. 18 House Committee on Oversight and Government Reform hearing, CMS Administrator Marilyn Tavenner said CMS would carry out 22 technical and six executive action recommendations by GAO for addressing HealthCare.gov security weaknesses. She said those recommendations, which include end-to-end security testing of HealthCare.gov, would be carried out before the next open enrollment period for the Affordable Care Act launches on Nov. 15 (see HealthCare.gov Security Fixes Promised).
The GAO security study was followed by a report from the HHS Office of Inspector General that gave HealthCare.gov security a mixed review and highlighted one "critical vulnerability" that CMS says has since been addressed (see OIG Finds HealthCare.gov Vulnerability).
The proposed amendment allowing consumers to delete their profiles from HealthCare.gov is technically feasible to implement if policymakers choose to support it, says Curt Kwak, former CIO of Washington state's Obamacare insurance exchange.
"Data and record retention is a critical component in healthcare, from HIPAA and legal perspectives," says Kwak, who in July joined Seattle, Wash.-based surgical practice Proliance Surgeons as its CIO. "Technically, anything can be done to align with the policy, including addition and deletion of data, as well as archival and recovery," he says.
"As an example, the Washington exchange had a process of 'deactivating' accounts in the system after 90 days of inactivity. This was in place to clean out the system from bogus accounts or test accounts," he says. "However, this is also related to the policy of the organization. Once deactivated, the organization can make a decision to permanently delete the account and all associated records, or just keep things deactivated," he adds, noting that his comments are "based on my experiences from my previous role at the [Washington state] exchange and may or may not be aligned with their current state." Kwak served as CIO at the Washington Health Benefit Exchange for two years, including during its inaugural open enrollment season last year.
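The deactivate-then-decide lifecycle Kwak describes, and the bill's "delete the profile and all associated personal information" requirement, can be sketched in code. The following Python is an added illustration written for this article; it is not code from the Washington exchange, HealthCare.gov or CMS. The data model, field names, the 90-day default, the `retention_hold` set standing in for HIPAA or legal-hold records, the digest-only audit log and the sample records are all assumptions constructed for the example.

```python
"""Account lifecycle sketch: inactivity deactivation, then either retain or purge.

Added illustration only (not exchange or HealthCare.gov code). Every structure,
field name and threshold below is an assumption; sample records are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Profile:
    profile_id: str
    email: str
    last_login: datetime
    active: bool = True
    deactivated_at: Optional[datetime] = None


@dataclass
class Store:
    """In-memory stand-in for the exchange's data stores (assumption)."""
    profiles: Dict[str, Profile] = field(default_factory=dict)
    applications: List[dict] = field(default_factory=list)  # {"app_id", "profile_id"}
    documents: List[dict] = field(default_factory=list)     # {"doc_id", "profile_id"}
    audit_log: List[dict] = field(default_factory=list)     # digest-keyed events, no PII


def _ref(profile_id: str) -> str:
    # Audit entries keep a one-way digest so the log outlives the profile without PII.
    return hashlib.sha256(profile_id.encode()).hexdigest()[:16]


def deactivate_inactive(store: Store, now: datetime,
                        inactivity: timedelta = timedelta(days=90)) -> List[str]:
    """Step 1: flag accounts idle longer than `inactivity` (90-day default is an assumption)."""
    cutoff = now - inactivity
    flagged = []
    for p in store.profiles.values():
        if p.active and p.last_login < cutoff:
            p.active, p.deactivated_at = False, now
            store.audit_log.append({"event": "deactivate", "ref": _ref(p.profile_id),
                                    "at": now.isoformat()})
            flagged.append(p.profile_id)
    return sorted(flagged)


def delete_profile(store: Store, profile_id: str, now: datetime,
                   retention_hold: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """Step 2, the 'permanently delete' branch: purge the profile and every associated record.

    `retention_hold` stands in for records a HIPAA or legal retention duty requires keeping;
    a held profile stays deactivated but is never purged (constructed policy hook).
    """
    if profile_id not in store.profiles:
        raise KeyError(f"no such profile: {profile_id}")
    if profile_id in retention_hold:
        raise PermissionError(f"profile {profile_id} is under a retention hold")
    before_apps, before_docs = len(store.applications), len(store.documents)
    store.applications = [a for a in store.applications if a["profile_id"] != profile_id]
    store.documents = [d for d in store.documents if d["profile_id"] != profile_id]
    del store.profiles[profile_id]
    counts = {"applications": before_apps - len(store.applications),
              "documents": before_docs - len(store.documents)}
    store.audit_log.append({"event": "delete", "ref": _ref(profile_id),
                            "at": now.isoformat(), **counts})
    return counts


def orphaned_records(store: Store) -> List[str]:
    """Check: associated records whose profile is gone mean the cascade missed something."""
    live = set(store.profiles)
    return sorted([a["app_id"] for a in store.applications if a["profile_id"] not in live] +
                  [d["doc_id"] for d in store.documents if d["profile_id"] not in live])


def build_sample_store(now: datetime) -> Store:
    """Constructed sample data: one idle consumer, one active consumer, one stale test account."""
    s = Store()
    s.profiles["p-100"] = Profile("p-100", "idle@example.test", now - timedelta(days=120))
    s.profiles["p-200"] = Profile("p-200", "active@example.test", now - timedelta(days=3))
    s.profiles["p-300"] = Profile("p-300", "qa-test@example.test", now - timedelta(days=400))
    s.applications += [{"app_id": "a-1", "profile_id": "p-100"},
                       {"app_id": "a-2", "profile_id": "p-200"},
                       {"app_id": "a-3", "profile_id": "p-300"}]
    s.documents += [{"doc_id": "d-1", "profile_id": "p-100"},
                    {"doc_id": "d-2", "profile_id": "p-100"}]
    return s


def run_demo(now: Optional[datetime] = None) -> dict:
    """Deactivate idle accounts, purge them, and verify nothing was left behind."""
    now = now or datetime(2014, 9, 30, tzinfo=timezone.utc)
    store = build_sample_store(now)
    flagged = deactivate_inactive(store, now)
    deleted = {pid: delete_profile(store, pid, now) for pid in flagged}
    return {"flagged": flagged, "deleted": deleted, "remaining": sorted(store.profiles),
            "orphans": orphaned_records(store),
            "audit_has_pii": any("@" in str(e) for e in store.audit_log)}


def hold_blocks_delete(now: Optional[datetime] = None) -> bool:
    """Edge case: a profile under retention hold must survive a delete request intact."""
    now = now or datetime(2014, 9, 30, tzinfo=timezone.utc)
    store = build_sample_store(now)
    try:
        delete_profile(store, "p-100", now, retention_hold=frozenset({"p-100"}))
    except PermissionError:
        return "p-100" in store.profiles and len(store.documents) == 2
    return False


if __name__ == "__main__":
    print(run_demo(), hold_blocks_delete())
```

The two points worth taking from the sketch are the ones the article's sources raise: deletion has to cascade through every store that holds the consumer's data, with a post-deletion orphan check to prove it did, and the retention question Kwak flags is a policy input (here the `retention_hold` set) that the code enforces rather than decides.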
As for other ways consumers can gain assurance about the privacy of personal data entered on the Obamacare websites, Kwak says consumer education about how the data will be used would help. "There needs to be trust that the data will be used to deliver the service that they expect and also that the data in the system are safe and in trusted hands, per design and also per requirements from CMS and other federal agencies."