If you enroll in Obamacare at Healthcare.gov and later find out that your financial information or identity has been stolen by hackers, it likely won’t be because the government called to warn you of the security breach.
That’s because the government isn’t obligated to let you know if Healthcare.gov fails to protect your information from criminals.
According to a report this month at Watchdog.org, the U.S. Department of Health and Human Services (HHS) was approached with concerns about informing site users of any security breaches, but elected not to address them in 2012 when it issued the final rule establishing how Healthcare.gov and the State-run online marketplaces would function.
HHS solicited input ahead of finalizing healthcare exchange program rules in March 2012. But HHS dismissed the concerns of at least two commenters about how it planned to handle potential online break-ins that could compromise patient records. From the Federal Register, here’s how HHS responded:
Comment: Two commenters asked that HHS ensure that Exchanges promptly notify potentially affected enrollees in the event of a data breach or unauthorized access to PII. One commenter suggested that HHS ensure that an Exchange conducts an investigation and hold the breaching party accountable, both legally and financially, for notification and investigation following the breach or unauthorized access.
Response: We do not plan to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule. We do, however, plan to release guidance that addresses breach procedures.
Comment: One commenter requested that the final rule include privacy and security standards for storage, retention, and response to legal and civil matters. Another commenter stated that HHS should not retain PII longer than is necessary to carry out an authorized Exchange function.
Response: While the rule does not specifically mention storage, retention, or response to legal and civil matters, we believe that the final rule adequately addresses privacy and security standards for all potential uses of data, including storage and retention. We therefore do not include these elements in the final rule. We expect privacy and security standards developed by the Exchange will address the storage of information when it is not in use.
Strangely, the stringent privacy protections established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to everything about Obamacare except the government-managed healthcare websites it established. That means doctors, hospitals and insurance companies are in violation of the law if they don’t inform you about any behind-the-scenes activity that compromises your privacy — but the government itself is immune from the same law.
“In other words,” notes Watchdog.org, “the health plan itself is covered by HIPAA and any breaches of security that affect a consumer who has purchased a specific plan would have to be reported. But the process of choosing and purchasing a plan through the federal exchange — along with any information entered into the federal exchange as part of that process — is not subject to HIPAA protections.”