- A state Attorney General alliance recently wrote a letter to Department of Health and Human Services (HHS) Secretary Kathleen Sebelius with apprehension that the new health insurance exchange “navigators” that open for enrollment on Oct. 1, 2013 may compromise patients’ data safety.
This letter, sent Aug. 14, followed a letter sent by the Office of Inspector General (OIG) to Centers for Medicare & Medicaid Services’ (CMS) regarding its Data Services Hub (Hub) and found that CMS had missed Hub security testing deadlines and may be putting patient data at risk. Similarly, this group of state attorneys believes that HHS’s timing is off with these assistance programs and it will affect the amount of time and resources dedicated to data security. West Virginia, Alabama, Florida, Georgia, Kansas, Louisiana, Michigan, Montana, Nebraska, North Dakota, Oklahoma, South Carolina and Texas were represented in this letter.
The group argued that has HHS hasn’t done enough to properly safeguard patient privacy of those using assistance programs connected with the exchanges and that HHS’s relevant guidance lacks clarity regarding privacy protection. Instead of specific best practices, the group maintained that the government had provided a vague set of guidelines:
…the Rule did not set forth any of the applicable standards beyond citing 45 C.F.R. § 155.260, which merely sets forth broad principles for data protection: “individual access,” “correction,”, “openness and transparency,” “individual choice,” “collection use and disclosure limitations,”, “data quality and integrity,” “safeguards,” and “accountability.” As to what these principles mean in practice, the Rule provides platitudes with little concrete guidance, requiring: “reasonable operational, administrative, technical, and physical safeguards to ensure [data] confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure”; protections “against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of such information”; and “openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their personally identifiable information.” The Rule does not even require uniform criminal background or fingerprint checks before hiring personnel; indeed, it does not state that any prior criminal acts are per se disqualifying.
The group wants HHS to take action to ensure that thorough and specific safeguards are put in place to protect the patient data confidentiality prior to enrollment. Rigorous programmatic safeguards are needed to prevent security breaches by new personnel, as well as to ensure clear lines of accountability for any harm caused by confidentiality breaches. Furthermore, it said that as of right now, HHS has no realistic plan to prevent identity theft or to provide recourse to consumers if it occurs.
In the questions below, the group identified a number of areas that it believes are critical to ensuring effective safeguards for the protection of consumers’ private data through the navigator, assister, application counselor, or other consumer outreach programs. It wants HHS to give answers to the questions as well as collaborate in the future on patient privacy protection.
1. Screening Personnel. Beyond the general grant screening process, does the process for hiring personnel include any screening for staff that may pose risks to consumer data privacy? For example:
a. Will HHS or others require that all navigators or similar personnel have an educational degree or have any past experience or expertise in the health insurance field or data privacy?
b. Will HHS or others require uniform criminal background checks or credit reports?
c. Will certain individuals, such as those who have committed identity theft, be prohibited from becoming a navigator or other program personnel?
2. Guidance to Program Personnel. What forms of guidance will HHS provide to program personnel about consumer data privacy protections?
a. For example, will navigators that receive taxpayer return information be advised of their potential criminal liability, under section 7213(a) of the Internal Revenue Code, for unauthorized disclosure of such information?
b. Please identify the specific existing laws and standards that HHS believes govern the use of consumers’ information and which HHS will expect navigator, assister, application counselor, or other consumer outreach programs to follow. Honorable Kathleen Sebelius
3. Monitoring Program Personnel. How will HHS or others oversee the activities of navigators and non-navigator assistance personnel and ensure that employees do not retain personal information?
4. Notice to Consumers. Will consumer outreach programs inform consumers of their data privacy rights and the programs’ liability before they decide to receive assistance?
5. Liability. Where does liability rest when a consumer outreach program causes harm to a consumer, either purposefully or unintentionally, through the misuse of personal information?
a. Specifically, does liability rest with the individual who had direct consumer contact, the entity that received funds for consumer outreach, or the exchanges?
b. Does HHS plan to require that entities that receive federal or exchange-generated funds for consumer outreach activities carry any sort of professional liability insurance?
6. Fraud Prevention and Remedies. Does HHS have any plans to provide assistance and relief to defrauded consumers?
a. Will programs be required to aid consumers who believe information provided to a program has been misused?
b. How does HHS plan to prevent potential fraud by entities and individuals that may disingenuously represent themselves as navigators or other assisters to unsuspecting consumers?
7. Penalties. HHS has promised to take “appropriate action if complaints of fraud and abuse arise.”
a. Beyond civil monetary penalties, what other “appropriate action” will your agency take?
b. Beyond the False Claims Act, what other existing statutes providing for penalties will apply?
8. Supplemental State Regulation. How do you view the role of states with regard to supplementing federal data privacy requirements in all three types of exchanges? Many states have enacted or are considering legislation that further regulates navigators.
a. Has HHS informed any state that a proposed or adopted state requirement is inconsistent with federal rules? If yes, please provide an exhaustive list of such requirements.
b. To what extent will states be able to impose additional certification requirements and safeguards relating to a program’s data privacy operations, at levels comparable to the licensing of agents and brokers, without being in conflict with the Act?
c. What is your understanding of the minimum insurance and bonding requirements that states could impose on non-profit programs?