Each day, I hear from constituents in Florida’s 12th congressional district who are experiencing the negative impacts of Obamacare. Contrary to the very promises the law was sold on, my constituents have lost their healthcare coverage, have seen their premiums rise and were forced to choose new doctors. Now, they’re faced with concerns regarding their personal information and whether it is compromised — all because the President’s signature law was never ready for prime time.
The Administration sold Healthcare.gov as a one-stop shopping experience, similar to Amazon or Travelocity. Instead, the American people received a product that was hastily assembled and broken. The website’s security was never given the appropriate level of attention and end-to-end testing to ensure the website was protected. Furthermore, security concerns from the Chief Information Security Officer at the Department of Health and Human Services, who suggested a delay of the website’s launch, were ignored and disregarded.
Privacy in the healthcare realm is typically governed by the Health Insurance Portability and Accountability Act. However, while HIPAA applies to physicians, hospitals and insurance companies, it does not apply to HHS or the federally run exchanges. Therefore, the millions of Americans who were forced to use the exchanges to avoid Individual Mandate fines, including myself, are now potential victims of identity theft.
Furthermore, data notification is critical to maintaining security, and individuals should be notified when their personal information could be compromised. Yet, in the final rules HHS published in August, it did not finalize a data breach notification rule. Instead, it stated that it is up to “…CMS [Center for Medicare and Medicaid Services] to determine whether a risk of harm exists and if individuals need to be notified.” A government bureaucrat should not decide if the loss of personally identifiable information constitutes “harm.”
Congressional oversight has uncovered facts that raise serious concerns regarding the security of the healthcare law’s exchanges. Coupled with the multiple Energy and Commerce Committee hearings held with Administration officials, who have misrepresented the functionality and readiness of Healthcare.gov, these raise serious questions regarding the security of personal information contained in the website. While the Administration insists no successful security attacks have occurred on the website, reports have revealed that individuals’ personal information has been disclosed and accessed by other individuals. Furthermore, it is unknown how many breaches have occurred, because there is no public disclosure requirement.
Therefore, I introduced the One Hour Notification Act in December to protect the privacy of hardworking Americans. This legislation would require HHS to notify individuals within one hour of learning of a data breach – the standard notification timeline HHS requires for its own data sharing agreements. The One Hour Notification Act would also require HHS to notify Congress in a timely manner when a data breach occurs and provide an annual report to Congress on data breaches and strategies being implemented to mitigate risks. This legislation assumes, however, that the cybersecurity standards within the website are stringent enough to detect breaches.
This week, the U.S. House of Representatives will vote on the Health Exchange Security and Transparency Act, a bill of which I am an original co-sponsor. This bill draws on other legislation, such as the One Hour Notification Act, to provide greater security to hardworking Americans. It will also bring accountability and transparency to the Administration and the healthcare exchanges.
Rep. Gus Bilirakis is a Republican who represents Florida’s 12th congressional district.
