Safe & Sound with Marianne Kolbasuk McGee

Sizing Up Obamacare Consumer Protections

New Rule Imposes Fines on Those Who Mishandle Data

The Department of Health and Human Services was the target of much criticism over the many glitches in the implementation of the Obamacare website and systems. Those missteps ultimately led HHS Secretary Kathleen Sebelius to step down. Critics have also raised ongoing concerns about whether the site and systems have adequate data security and privacy protections.

The Government Accountability Office is conducting an audit of the security and privacy of that will include "an architecture review, vulnerability testing and examination of the monitoring and incident detection capabilities of the website." And that's welcome news.

However, Rep. Lamar Smith, R-Texas, chairman of the House Committee on Space, Science and Technology, recently sent a letter to GAO requesting that the agency expand that review by conducting a "complete and continuous end-to-end testing" of the security of the site and systems (see Expanded Scrutiny Sought). A spokesman for Smith's office says the chairman hasn't received a response from the agency yet, "but GAO indicated that we should expect a formal response soon."

In light of all the ongoing concerns about, it was good to see HHS issue a final rule this week setting standards for the Obamacare health insurance exchange. The rule directly addresses certain privacy and security concerns, namely, the handling of consumer data by so-called "navigators" who help individuals sign up for health coverage on the Affordable Care Act exchanges.

The rule, Patient Protection and Affordable Care Act; Exchange and Insurance Market Standards for 2015 and Beyond, contains new provisions for HHS to impose civil monetary sanctions of up to $25,000 per violation on navigators and other consumer assisters who improperly use or disclose personally identifiable information.

Under Obamacare, navigator entities and those who work for them help consumers understand their coverage options and find insurance plans on insurance exchanges that best meet their healthcare needs. There are already a lot of rules for those entities and their consumer-facing workers, including requirements for staff to receive training on the privacy and security standards applicable for handling and safeguarding consumers' personally identifiable information. Also among those rules are restrictions on retaining consumer PII.

But under the new final rule, which is slated to be published in the Federal Register on May 27 and go into effect July 28, these consumer assisters also face potential civil monetary penalties for improperly using or disclosing consumer PII, or for submitting false or fraudulent information.

Chilling Effect?

When HHS floated the idea of civil monetary penalties in its proposed rule, among the concerns raised by commenters was that the threat of fines would have a "chilling effect" on navigator organizations and their personnel. For instance, what would happen if an assister unknowingly submits to the exchange false information that was fraudulently provided by a consumer?

But the rule addresses those and other related concerns. "This proposal was designed to deter these entities and individuals from failing to comply with the federal requirements that apply to them, and to ensure that consumers interacting with the exchange receive high-quality assistance and robust consumer protection," the rule notes.

"As a general principle, while HHS intends to assess CMPs [civil monetary penalties] when appropriate, consistent with this final rule, we also intend to continue to work collaboratively with consumer assistance entities and personnel to prevent noncompliance issues and address any that arise before they reach the level where CMPs might be assessed."

It's important to note that while healthcare data - such as electronic health records - does not pass through the exchanges, consumers' personally identifiable information does. That includes names and addresses, which are also classified as PHI under HIPAA.

The rule attempts to sort through the issue of whether HHS can potentially penalize an entity or individual twice for the same potential privacy violation involving consumer data - once under HIPAA and once under the Obamacare rules.

"A few commenters noted that HIPAA already governs certain critical aspects of compliance related to protected health information," the rule notes. "We understand concern about the potential for a violation to be punished twice under different enforcement schemes, and we have ... included a factor allowing HHS to take into consideration whether other remedies or penalties have been assessed and/or imposed for the same conduct or occurrence."

The bottom line in all this is those who work with consumer data for the Obamacare exchanges have been put on notice that they can be issued financial sanctions by HHS if they use that information inappropriately or fail to protect it.

While the threat of penalties might not stop all potential fraudsters from using consumer data to do harm, the new rule's provisions for potential fines will serve as a deterrent. And that's a good start toward alleviating some of the lingering worries about Obamacare data privacy and security.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
