Government Isn’t Obligated To Inform Users When Site Compromises Their Private Info


If you enroll in Obamacare at and later find out that your financial information or identity has been stolen by hackers, it likely won’t be because the government called to warn you of the security breach.

That’s because the government isn’t obligated to let you know if fails to protect your information from criminals.

According to a report this month at, the U.S. Department of Health and Human Services (HHS) was approached with concerns about informing site users of any security breaches, but elected not to address them in 2012 as it issued its final ruling establishing how and the State-run online markets would function.

HHS solicited input ahead of finalizing healthcare exchange program rules in March 2012. But HHS dismissed the concerns of at least two commenters about how it planned to handle potential online break-ins that could compromise patient records. From the Federal Register, here’s how HHS responded:

Comment: Two commenters asked that HHS ensure that Exchanges promptly notify potentially affected enrollees in the event of a data breach or unauthorized access to PII. One commenter suggested that HHS ensure that an Exchange conducts an investigation and hold the breaching party accountable, both legally and financially, for notification and investigation following the breach or unauthorized access.

Response: We do not plan to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule. We do, however, plan to release guidance that addresses breach procedures.

Comment: One commenter requested that the final rule include privacy and security standards for storage, retention, and response to legal and civil matters. Another commenter stated that HHS should not retain PII longer than is necessary to carry out an authorized Exchange function.

Response: While the rule does not specifically mention storage, retention, or response to legal and civil matters, we believe that the final rule adequately addresses privacy and security standards for all potential uses of data, including storage and retention. We therefore do not include these elements in the final rule. We expect privacy and security standards developed by the Exchange will address the storage of information when it is not in use.

Strangely, the stringent privacy protections established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to everything about Obamacare except the government-managed healthcare websites it established. That means the doctors, hospitals and insurance companies are in violation of the law if they don’t inform you about any behind-the-scenes activity that compromises your privacy — but the government itself is immune from the same law.

“In other words,” notes, “the health plan itself is covered by HIPAA and any breaches of security that affect a consumer who has purchased a specific plan would have to be reported. But the process of choosing and purchasing a plan through the federal exchange — along with any information entered into the federal exchange as part of that process — is not subject to HIPAA protections.”

Personal Liberty

Ben Bullard

