Insurance Exchanges' Security ChallengesStates Developing Data Privacy Plans
State health insurance exchanges, called for under healthcare reform, won't become operational until 2014. And they could be derailed, depending on the results of the November election. Nevertheless, organizers in many states already are developing comprehensive strategies for safeguarding the sensitive health and financial information the exchanges may handle.
See Also: HIPAA Audits: A Revised Game PlanThe health insurance exchanges will enable small businesses and uninsured consumers to shop online for healthcare coverage. These online marketplaces will collect data from consumers on the front end, and they'll also need to exchange data from other systems on the back end, creating privacy and security challenges.
Exchange organizers already are addressing such issues as authenticating users, protecting health information and other data that will be collected from consumers and ensuring the security of data exchanged during the eligibility verification process.
Protecting consumer health information needs to be a top priority for the exchanges, says Tom Walsh, president of the information security advisory firm Tom Walsh Consulting. "The demographic information [they will collect] is ripe for identity theft, medical identity theft, and insurance fraud," he says.
Utah's state insurance exchange already has experienced a hacking incident. While no data was compromised, text on the exchange's website was garbled, says Patty Connor, director of the exchange.
Such breaches fuel suspicion among consumers, Walsh says. "I'm wondering if information that was supposed to be used to help the consumer obtain discounts or credits could be used against them to collect unpaid taxes. There needs to be a well-written Notice of Privacy Practices and then enforcement efforts within the insurance exchanges," he says. "They'll need a person in the organization with a high level of authority to act as a consumer advocate."
Multiple Data Sources
Under healthcare reform, some individuals and families who try to purchase health insurance through the exchanges might qualify for tax credits or reduced premiums based on their income. And some individuals applying for insurance through an exchange might not realize they qualify for Medicaid or other government programs.
That means the exchanges will need to tap into various state, federal and other systems to access individuals' tax information, credit reports and other financial information, says James Wadleigh, CIO at Connecticut's state insurance exchange.
"We'll be gathering motor vehicle information, validating Social Security information, [contacting the] Department of Labor for wage earning data and potential tax credits," Wadleigh says. "We will only store data elements critical to see if consumers qualify for Medicaid, tax credits or to purchase coverage online." All such data will be encrypted, and multiple firewalls will safeguard information, he adds.
To authenticate consumers, the exchanges will also tap data from some third-party, non-government sources.
For example, the Connecticut exchange will tap data from Equifax, a credit reporting company. Three pieces of information will be used to validate consumers' identities through asking finance-related questions such as the name of bank an individual used for a car loan. But because not everyone has an electronic financial trail to help authenticate their identities, data from paper-based records will be used, too, Wadleigh says.
The Washington State Health Benefit Exchange, like many others, is looking for federal guidance for security steps, such as authenticating users, says Curt Kwak, CIO of the exchange.
In devising authentication methods, Kwak says, exchanges need to ensure the ID verification process isn't too burdensome for consumers as well as the brokers helping individuals with choosing policies and enrolling.
Technical guidance from the Department of Health and Human Services requires that protected health information must be safeguarded in compliance with HIPAA and state privacy laws, while tax return data must be protected in compliance with privacy provisions of Section 6103 of the Internal Revenue Code. Additional guidance to state exchanges on issues such as authentication is also expected from HHS.
"We will bring in best practices for HIPAA [compliance] and technology best practices in terms of encryption in how we handle data and share it with stakeholders," Kwak says.
State insurance exchanges should consider using data privacy and security best practices used in the financial services sector, suggests Bryce Williams, CEO of Extend Health, a commercial insurance exchange that assists workers and retirees of large companies with purchasing supplemental Medicare coverage (see: Insurance Exchanges: Protecting Data).
For example, Extend Health uses 128-bit secure socket layer technology, "which is the same thing that people use when they're on their online banking sites," Williams says.
The commercial exchange also encrypts data on servers as well as on agent's computers, Williams says. "That way, when we transmit information out to our carrier partners, including the actual enrollment of a senior in a Medicare plan, that data is protected."
One state insurance exchange has had a head start in dealing with privacy and security issues. Massachusetts' Health Connectorhas been operating about six years as a result of the Bay State's healthcare reform legislation.
Health Connector will "re-platform" some of its systems to conform to new requirements under federal healthcare reform, says CIO Scott Devonshire. A major component of that work will involve linking the exchange with data from federal agencies such as the IRS and Homeland Security, for additional eligibility-related transactions, including verification of whether an individual is a U.S. citizen or legal resident, he says. But much of that federal verification data will come from a federal data services hub being set up by the Centers for Medicare and Medicaid Services.
Encrypted data will be exchanged between the state exchange and the federal data services hub via "point to point" connections for processes to validate individuals' eligibility for coverage, he says. "There's a dedicated pipe" for these interactions, Devonshire says.
Need For Flexibility
The online exchanges also connect consumers with private health insurance carriers that sell the various policies available to individuals. So the exchanges need to securely share data with those private companies. "Each carrier has different nuances" in how data is exchanged and secured, Devonshire says.
"We would like to standardize formats, but to reduce administrative burdens on carriers [that will deal with many state exchanges], we're supporting different methods," he says. For instance, insurers use a variety of encryption and authentication methods, he says.
Currently, Health Connector doesn't ask individuals for health information as they seek to purchase insurance coverage. But as the exchange enhances its decision-support capabilities consumers with specific coverage offerings, individuals might be asked to supply more health information, Devonshire says. And that will be protected too, he adds.
Indeed, protecting consumer data will be vital to the success of these exchanges. "The key is overall trust," says Connecticut's Wadleigh. "We want to be viewed as a trusted site that's empathetic and customer-focused with what we know and understand is consumers' very personal financial and health information."