Privacy Concerns High as States Brace for Oct. 1st Exchange Enrollment
An employee for Minnesota’s new health exchange accidentally sent 2,400 Social Security numbers to an insurance broker earlier this month, underscoring privacy concerns with the Affordable Care Act (ACA), and raising additional questions as to the readiness of health insurance exchanges—set to go live October 1st.
The first three years of the law’s implementation were not exactly smooth—Avik Roy of the Manhattan Institute recently reported that the White House missed half of the ACA’s legally mandated deadlines. But in the coming months, millions of consumers will interface with the law for the first time via exchanges, renewing the states’ and the nation’s focus on the sweeping health reform law.
Last month, a coalition of attorneys general from 13 states—Alabama, Florida, Georgia, Kansas, Louisiana, Michigan, Montana, Nebraska, North Dakota, Oklahoma, South Carolina, Texas, and West Virginia—wrote HHS Secretary Kathleen Sebelius expressing concerns over consumer privacy and oversight of “navigators,” counselors charged with assisting consumers enrolling in exchanges. Chief among concerns was whether sufficient safeguards were in place “to prevent security breaches by new, as well as to ensure clear lines of accountability for any harm caused by confidentiality breaches.” Specifically, the attorneys asked:
- Screening Personnel. Beyond the general grant screening process, does the process for hiring personnel include any screening for staff that may pose risks to consumer data privacy?
- Monitoring Program Personnel. How will HHS or others oversee the activities navigators and non-navigator assistance personnel and ensure that employees do not retain personal information?
- Fraud Prevention and Remedies. Does HHS have any plans to provide assistance and relief to defrauded consumers?
- Supplemental State Regulation. How do you view the role of states with regard to supplementing federal data privacy requirements in all three types of exchanges? Many states have enacted or are considering legislation that further regulates navigators.
HHS has yet to respond.
But concerns are not limited to the 13 states that wrote to Secretary Sebelius, or states that oppose the ACA. In California, an early supporter of the ACA, Insurance Commissioner Dave Jones has expressed worry that the 21,000 personnel providing exchange customer support lack proper oversight and could “obtain information that will allow them to build the trust they have with the individual they’re working with and potentially sell them all manner of bogus products, steal their identity, gain access to certain assets they might have.”
This potential for fraud is particularly acute because California may be forced to rely heavily on counselors for enrollment assistance early on. According to the Wall Street Journal, in California’s state-run exchange, known as Covered California, there is “a possibility consumers won’t initially be able to enroll in coverage online.” Until online enrollment is available, the Los Angeles Times reports, consumers would rely on “call centers, enrollment counselors and agents,” the same entities California’s Insurance Commissioner voiced concerns about. Oregon, another early ACA supporter, faces similar delays, and won’t have its online enrollment system ready on time.
Commissioner Jones is not alone in his concerns. A report from the U.S. House Committee of Oversight found that top HHS officials are similarly concerned with the potential for identity theft as consumers begin to enroll next week. HHS officials are concerned not only that individuals may pose as counselors to defraud consumers—there is no way for consumers to verify who is a certified counselor—but that certified counselors themselves may misappropriate sensitive data due to lack of oversight, training, and safety protocols regarding personally identifiable information. Navigators will be required to undergo as little as 5 hours of training before handling sensitive data, and will not be subject to background checks.
Ultimately, existing delays of several of ACA’s major provisions—including the employer mandate and small business exchanges—appear to be pressuring the federal government to meet the October 1st exchange deadline, despite potential risks to consumer privacy.
“We can have a real disaster on our hands,” Jones said in an interview with the Associated Press.
“Nobody is going to say we’re not starting on October 1,” former director of the HHS Office of Insurance Exchanges Joel Ario told the Washington Post, “but in some situations, you may see a redefinition of what ‘start’ means.”