A Trail To Data Insecurity: ObamaCare’s “Navigator” Program Lacks Privacy Protections

Cross-posted at WLF’s Forbes.com contributor page

With the October 1 date for open enrollment in ObamaCare health insurance exchanges rapidly approaching, the handful of states which agreed to run the exchanges are relying on everything from football teams to storied folk legends to spread the word. In the 36 other states, where the federal government is in charge for now, outreach and education will be done by “Navigators,” a fancy term for taxpayer-funded community helpers. Though the Navigator program has yet to begin, many elected officials have raised serious concerns over whether it sufficiently prevents Navigators from helping themselves to sensitive consumer information. October 1 is just 26 days away, and those valid privacy concerns remain unaddressed.

$67 Million with Scant Privacy Strings Attached. The Department of Health and Human Services, which just two weeks ago doled out $67 million to 100 organizations for ObamaCare navigation, has ignored letters from congressional committee chairmen and state attorneys general criticizing the Navigator program’s severe privacy shortcomings. The rule governing the Navigator program, finalized just this past July, offers broad principles and platitudes about data quality and integrity, but few clear standards for ensuring the privacy of health records, social security numbers, and other patient information. It neither requires background checks nor dictates that any prior criminal act (such as, perhaps, identity theft) would per se disqualify a Navigator applicant. There are no licensing requirements, no obligations that Navigators or their employers carry liability insurance, and no provisions holding any entity, including HHS, responsible for data breaches. It’s not even clear whether HHS will assist an ObamaCare insurance exchange customer who is defrauded.

The absurdly short time frame within which these 100 organizations must hire and train the Navigators, as the state attorneys general wrote, only “exacerbate[s] these unclear standards.” HHS has even reduced the amount of training the Navigators will receive. The July final rule dictated 30 hours of online training. Several weeks ago, HHS officials unilaterally decided that 20 hours would be enough.

States and Feds on a Collision Course? Nineteen states have passed laws which provide more protection for their residents’ privacy when dealing with ObamaCare Navigators. Most of the laws require state licensing or approval for the Navigators, while many mandate criminal background checks and the purchase of liability insurance. Such laws may put those 19 states on a direct collision course with HHS, as the federal Navigator rule prohibits states from imposing standards that impede the selection of health insurance exchanges.

ObamaCare proponents bemoan that such state laws will “constrain” or “hinder” federal outreach efforts. But aren’t the states adopting the very type of privacy protections that federal regulators vocally advocate for consumers in every other situation?  When states act to enforce these laws, it will be interesting to watch federal officials lecture the states for overprotecting privacy.

A Hypocritical, Though Typical, Double Standard. Consider all this in a different context: A business hires an individual for a job where he is exposed to highly sensitive personal data. As per its hiring policy, the business conducted no background check, provided the new employee with a bare minimum of training, and handed him a manual reminding him in broad, general language that his job requires discretion and honesty. What would happen to that company and its executives if this employee, who had an undisclosed criminal record, were to use his data access to commit identity theft? There is little doubt that federal enforcement action would swiftly follow.

Federal regulators have investigated and prosecuted U.S. businesses for far less. For instance, as we’ve discussed previously here, the Federal Trade Commission charged Wyndham Hotel Group with “unfair and deceptive” acts after a hacker victimized the company and stole customer data. Wyndham promptly informed its customers and moved to fortify its computer defenses, but that wasn’t enough to forestall FTC action.

Far be it from us to expect the federal government to practice what it preaches. But the Administration’s deliberate inaction in the face of such obvious opportunities for accidental or intentional privacy breaches is asking for trouble. Are federal officials so desperate to sell ObamaCare to an unwilling populace that they would willfully expose people to potentially ruinous fraud?
