Bill Addresses Privacy Issue

Would Give Consumers More Control Over Profile Data

A recently introduced bi-partisan bill would require that new privacy measures be implemented on the insurance exchange site to give consumers more control over their personal data.


The Healthcare Consumer Privacy Act, H.R. 5610, introduced last week by Rep. Robert Hurt, R-Va., and Rep. John Barrow, D-Ga., proposes that the Affordable Care Act, commonly known as Obamacare, be amended to allow consumers to remove their profiles on HealthCare.gov if they choose not to enroll in coverage offered on federally facilitated exchanges. HealthCare.gov facilitates the online health insurance exchanges for more than 30 states under the Affordable Care Act. The website and its systems were plagued by serious technical issues for many weeks after it launched for open enrollment on Oct. 1, 2013. Since then, HealthCare.gov has been the subject of multiple Congressional hearings, including some that focused on data security and privacy issues.

The proposed legislation comes in the wake of Department of Health and Human Services officials on Sept. 4 revealing a July hacking incident involving malware uploaded on a test server. The malware was designed to launch a distributed-denial-of-service attack against other websites when activated and not designed to exfiltrate personally identifiable information, HHS officials say. No consumer data was exposed in the incident, according to HHS (see HealthCare.Gov Server Hacked).

Power to the People

Hurt tells Information Security Media Group that he decided to introduce the bill after a constituent contacted his office to express concern over the fact that he was unable to delete his profile from HealthCare.gov. "Even though [the constituent] ultimately decided not to sign up for healthcare coverage, he still could not remove his profile from the site," he says. "We followed up with HHS and reiterated his request, but we were also told applicants could delete applications but could not remove all of their information from the system."

After hearing of similar complaints from other consumers, "we continued to press HHS for answers but received no justification for this policy. It became clear that legislative action would be necessary to ensure that Americans can protect their personal information," Hurt says.

Neither Barrow nor HHS' Centers for Medicare and Medicaid Services, which oversees HealthCare.gov, responded to ISMG's request for comment on the proposed legislation.

Both Hurt and Barrow are running for re-election to Congress in the November mid-term elections.

The bill, which has been referred to the House Committee on Energy and Commerce, calls on HHS "to create a mechanism that enables individuals to delete their profile and all of the associated personal information retained in the system," Hurt says.

Watch Dog Scrutiny

In addition to the recent hacking incident involving the test server, Hurt notes that the Government Accountability Office in September released a study detailing several privacy and security risks at the site's launch, almost a full year ago, that had not yet been fixed. "The GAO reported that there are still serious risks of unauthorized access, disclosure, and modification to all information collected and maintained by this website," he says.

In testimony before a Sept. 18 House Committee on Oversight and Government Reform hearing, CMS Administrator Marilyn Tavenner said CMS would carry out 22 technical and six executive action recommendations by GAO for addressing security weaknesses. She said those recommendations, which include end-to-end security testing of HealthCare.gov, would be carried out before the next open enrollment period for the Affordable Care Act launches on Nov. 15 (see Security Fixes Promised).

That GAO security study was followed by a report released by the HHS Office of Inspector General that gave a mixed review of HealthCare.gov security and highlighted one "critical vulnerability" that CMS says has since been addressed (see OIG Finds Vulnerability).

Policy Issue

The proposed privacy amendment to allow consumers to delete their profiles on HealthCare.gov is technically feasible to implement, if policymakers choose to support it, says Curt Kwak, the former CIO at the Washington state insurance exchange for Obamacare.

"Data and record retention is a critical component in healthcare, from HIPAA and legal perspectives," says Kwak, who in July joined Seattle, Wash.-based surgical practice, Proliance Surgeons, as its CIO. "Technically, anything can be done to align with the policy, including addition and deletion of data, as well as archival and recovery," he says.

"As an example, the Washington exchange had a process of 'deactivating' accounts in the system after 90 days of inactivity. This was in place to clean out the system from bogus accounts or test accounts," he says. "However, this is also related to the policy of the organization. Once deactivated, the organization can make a decision to permanently delete the account and all associated records, or just keep things deactivated," he adds, noting that his comments are "based on my experiences from my previous role at the [Washington state] exchange and may or may not be aligned with their current state." Kwak served as CIO at the Washington Health Benefit Exchange for two years, including during its inaugural open enrollment season last year.
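The lifecycle Kwak describes (deactivate after 90 days of inactivity, then either retain or permanently delete) and the consumer-initiated deletion the bill calls for can be expressed as a small account-state model. The following is an added illustration, not code from the Washington exchange, HealthCare.gov or CMS; the 90-day threshold is the one Kwak cites, while the one-year retention window, the rule that enrolled accounts are neither swept nor deletable on request, and the legal-hold flag are assumptions chosen for the example. Deletion clears the profile and every associated application record and leaves only a PII-free audit entry, which is what "remove all of their information from the system" requires.

```python
"""Account lifecycle for an exchange-style consumer portal: inactivity
deactivation, consumer-requested deletion and retention-based purge.
Added example; thresholds other than the 90-day sweep are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

INACTIVITY_DAYS = 90     # deactivation threshold described by Kwak
RETENTION_DAYS = 365     # assumed retention after deactivation (placeholder)


@dataclass
class Account:
    account_id: str
    last_activity: datetime
    enrolled: bool = False                  # consumer enrolled in coverage?
    legal_hold: bool = False                # records must be retained
    status: str = "active"                  # active | deactivated | deleted
    deactivated_at: Optional[datetime] = None
    profile: Dict[str, str] = field(default_factory=dict)         # PII
    applications: List[Dict[str, str]] = field(default_factory=list)
    audit: List[Tuple[datetime, str]] = field(default_factory=list)


def _erase(acct: Account, now: datetime, reason: str) -> None:
    """Remove profile and associated records; keep only a PII-free audit entry."""
    acct.profile.clear()
    acct.applications.clear()
    acct.status = "deleted"
    acct.audit.append((now, reason))


def deactivate_inactive(accounts: List[Account], now: datetime) -> List[str]:
    """Deactivate idle, non-enrolled accounts (bogus/test account cleanup).
    Skipping enrolled accounts is an assumption: their records back live coverage."""
    changed = []
    for a in accounts:
        idle = now - a.last_activity >= timedelta(days=INACTIVITY_DAYS)
        if a.status == "active" and not a.enrolled and idle:
            a.status = "deactivated"
            a.deactivated_at = now
            a.audit.append((now, "deactivated: inactivity"))
            changed.append(a.account_id)
    return changed


def request_deletion(acct: Account, now: datetime) -> Tuple[bool, str]:
    """Consumer-initiated deletion of the profile plus all associated records.
    Refused for enrolled accounts or while a legal hold applies (assumed policy)."""
    if acct.status == "deleted":
        return False, "already deleted"
    if acct.enrolled:
        return False, "enrolled: records tied to active coverage"
    if acct.legal_hold:
        return False, "legal hold"
    _erase(acct, now, "deleted: consumer request")
    return True, "deleted"


def purge_expired(accounts: List[Account], now: datetime) -> List[str]:
    """Permanently delete deactivated accounts past the retention window."""
    purged = []
    for a in accounts:
        if (a.status == "deactivated" and not a.legal_hold
                and a.deactivated_at is not None
                and now - a.deactivated_at >= timedelta(days=RETENTION_DAYS)):
            _erase(a, now, "deleted: retention expired")
            purged.append(a.account_id)
    return purged


def demo() -> Dict[str, object]:
    """Constructed sample: three accounts walked through the lifecycle."""
    t0 = datetime(2014, 1, 1)
    accts = [
        Account("browsed-only", t0, profile={"name": "A"},
                applications=[{"id": "app-1"}]),
        Account("enrolled", t0, enrolled=True, profile={"name": "B"}),
        Account("test-account", t0, profile={"name": "T"}),
    ]
    # Day 1: the consumer who only browsed asks for deletion; the enrolled one is refused.
    results = {a.account_id: request_deletion(a, t0 + timedelta(days=1))[0]
               for a in accts[:2]}
    # Day 100: inactivity sweep catches the idle test account.
    deactivated = deactivate_inactive(accts, t0 + timedelta(days=100))
    # Day 100 + retention window: the deactivated account is purged.
    purged = purge_expired(accts, t0 + timedelta(days=100 + RETENTION_DAYS))
    return {
        "deletion_requests": results,
        "deactivated": deactivated,
        "purged": purged,
        "statuses": {a.account_id: a.status for a in accts},
        "pii_remaining": {a.account_id: len(a.profile) + len(a.applications)
                          for a in accts},
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that deletion is a single, auditable operation that erases every associated record together, rather than the per-application deletion the constituent was offered; the retention and hold rules are where an organization's own policy, as Kwak notes, decides whether deactivated data is ever actually destroyed.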

Regarding other ways that consumers can get better assurance about the privacy of personal data entered onto the Obamacare websites, Kwak says consumer education around how the data will be used would be helpful. "There needs to be trust that the data will be used to deliver the service that they expect and also that the data in the system are safe and in trusted hands, per design and also per requirements from CMS and other federal agencies."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
