As if we don’t have enough to worry about, Nextgov.com has reported that the first order of business for House Republicans is to introduce legislation mandating that the HHS CMS disclose all “data breaches” involving the healthcare exchanges.
According to the article, House Majority Leader Eric Cantor wants to remove any discretion HHS has in reporting breaches, and require notification to consumers every time there is any unauthorized access to or use of their information.
In a memo to other members of the GOP, Cantor reportedly noted: “If a breach occurs, it shouldn’t be up to some bureaucrat to decide when or even whether to inform an individual that their personal information has been accessed.”
The legislation is part of a series of bills to be introduced in 2014 aimed specifically at the Affordable Care Act (Obamacare), and designed to reinforce the GOP’s position that the insurance and information exchanges are both a bad idea, and recklessly unsafe.
Indeed, in separate hearings before separate House Committees, the Q&A focused on security issues related to the establishment of the exchanges (noting more than 31 “incidents” since they went live on October 1, 2013). They also focused on the fact that people with access to the exchanges and the so-called healthcare “navigators” who have access to consumers’ Personally Identifiable Information (PII) are not statutorily required to undergo a criminal background check prior to having access to such PII.
Now we don’t have the details of the GOP bill, and it hasn’t yet been introduced. Currently, there are several bills aimed at mandatory data breach reporting for healthcare exchanges. H.R. 3731 would make it a “deceptive trade practice” to fail to notify consumers about any breach which resulted in the unauthorized acquisition of any personal information (including any non-health-related personal information). Similarly, H.R. 3685, the Safe and Secure Federal Websites Act of 2013, would prohibit the federal government from operating a PII website (a website that collects, stores or transmits PII) unless the Comptroller General certifies that the website is “fully functional and secure.”
If there is any doubt that the bill is aimed at the healthcare.gov website problems, the definitions clear that up noting that the federal government cannot collect PII through a website unless “the website can fully support the activities for which it is designed or intended.”
In order to be certified as “secure” the site would have to have “security features that meet a standard acceptable for banking purposes. And the responsible agency has a named overall security leader with a comprehensive, top-down view of the security posture for the website who has supervised a complete end-to-end security test.” The site “ensures that personally identifiable information elicited, collected, or stored in connection with the website is captured at the latest possible step in a user input sequence.”
The bill would also address the personnel security requirement by mandating that people who have access to PII “have completed a Standard Form 85P and signed a non-disclosure agreement with respect to personally identifiable information, and the agency takes proper precautions to ensure only trustworthy persons may access such information.”
This is similar in spirit to H.R. 2927, which would provide that the tax provisions of Obamacare could not go into effect (no taxes, no subsidies) unless the Secretary of the Treasury could certify that “the reporting requirements relating to employer status and employee income levels and health care status may be made with 100 percent accuracy and without fraud.”
Clearly we want all federal websites – particularly those that collect and transmit PII – to be safe, secure and free from fraud. We want those with access to any sensitive information to be loyal, responsible, and free from deceit (although I am not sure that an SF 85P accomplishes that task).
In fact, the healthcare.gov website does not store or hold any PII, but transmits this data for verification to other government websites, and displays the result (actually the amount of any subsidy based on that information) to the data subject.
While the federal government does not require navigators to have a background check, a credit check, or a criminal history check (although some states, like Arkansas, Florida, Georgia, Indiana and Ohio, do so for their state navigators), the navigators typically have limited access to a participant’s PII, seeing it only if they are assisting a participant by actually inputting their data into the computer.
CMS as a HIPAA Covered Entity
The HHS CMS is a “Covered Entity” and must therefore report data breaches involving PHI the same way any other covered entity does. It must evaluate the nature of the breach, the nature of the information compromised, and other factors to determine the likelihood that the “breach” will result in a compromise of the data itself. It must document each breach, and the fact that it has engaged in this risk assessment. If the risk assessment indicates that the data may be compromised, CMS, as a covered entity, must make a disclosure to the data subjects, although an HHS Inspector General report in 2012 indicated that it does not always do so, and when it does, not always in a timely and complete fashion.
But that is just PHI – health data. The website healthcare.gov does not collect PHI. It only collects PII – information about the applicant, not his or her medical history. This is true because medical history is, for the most part, now irrelevant with respect to insurance eligibility. But PII is also sensitive and can be used to facilitate health fraud, identity fraud, credit card fraud, and identity theft. So the White House issued guidelines requiring all federal agencies (including HHS) to establish PII data breach policies.
HHS CMS has adopted these guidelines, and implements PII data breach procedures that require it to notify consumers about PII breaches.
On paper, the breach response requirements and notification requirements are fairly comprehensive.
So what is Congress’ beef?
First, Congress wants to remove any discretion HHS CMS has in determining whether a breach is a “reportable” breach. As declared by Rep. Cantor, HHS would be required to notify customers of every unauthorized access to, use of, or failure to comply with the standards relating to PII, whether the data was compromised as a result or not. Presumably, the same rules would apply to contractors working for HHS and CMS. The law has long made a distinction between “reportable” breaches and non-reportable breaches – or breaches that might result in harm, and breaches that won’t. The legislation would remove that distinction.
Second, it appears that Congress would require that, in addition to notifying the Secretary of HHS and where appropriate law enforcement and data subjects, HHS CMS would have to report every single unauthorized data access to – you guessed it – Congress.
It appears that Members of Congress are shocked, shocked to see that there were attempted breaches of the healthcare.gov website (none reported as successful). Congress wants to be advised in the future of all breaches or attempted breaches of websites containing PII so they can, well, they don’t explain what they will do with this information, but they want it anyway.
Third, Congress appears to want no website to go live until there is an ironclad guarantee of security. No such guarantee exists.
As the Office of the Inspector General report indicates, HHS can and must do a better job of protecting personal information. It should be leading the pack rather than following. I am not sure that this round of legislation is really aimed at making it easier for HHS to do its job. But maybe it’s because I am jaded and cynical. I wonder if that’s a pre-existing condition?