Healthcare Information Security

Republicans use proposed breach notice bill to pressure HHS

By Patrick Ouellette

House Energy and Commerce Health Subcommittee Chairman Joe Pitts (R-PA) will announce the Health Exchange Security and Transparency Act this week. The bill would require the Department of Health and Human Services (HHS) to notify affected individuals within two business days of a security breach of a state or federal health insurance exchange. The House is expected to take up the bill on Friday.

The proposed bill follows up last week’s House Republican statement that the party would focus on health insurance exchange security and breach notification in 2014. This bill homes in on the latter, arguing that there needs to be “transparency” if and when a breach occurs:

Not later than two business days after the discovery of a breach of security of any system maintained by an Exchange established under section 1311 or 1321 of the Patient Protection and Affordable Care Act (42 U.S.C. 18031, 18041) which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed, the Secretary of Health and Human Services shall provide notice of such breach to each such individual.

What happens with the bill on Friday will be interesting, but this is just another political shot across the bow in the GOP’s effort to use security as a reason why the Affordable Care Act (ACA) must be repealed. Regardless of political affiliation, health exchange security will be a primary focus for both HHS and the Centers for Medicare and Medicaid Services (CMS). The security of the federal exchange website has been embroiled in controversy since it missed its security testing targets this summer.

“The administration’s record of broken promises has given the American people every reason to doubt the security and readiness of the health care law. The administration knowingly launched a website before final security testing was completed after repeatedly testifying that everything was ‘on track,’ which we now know was not the case. Americans have the right to know if their personal information is jeopardized because of this law,” said Pitts.

Like any technology, the state and federal exchanges certainly have kinks to be worked out. If long-term security issues remain unresolved well into the future, the GOP’s argument would appear more persuasive. However, security flaws (both technical and administrative) exist across the healthcare industry, including at reputable organizations that spend heavily on IT security. The federal response to those flaws hasn’t been (and shouldn’t be) to shut the organizations down, but to make them learn from their mistakes through penalties and training that mitigate risk going forward. This much is clear: the security tug-of-war has just begun.
