The Los Angeles Times has reported that Covered California, the largest state’s health insurance exchange under the Affordable Care Act, has started releasing to insurance agents throughout the state the names and contact information of tens of thousands of persons who started an application using the state’s online system but failed to complete it.
The Covered California director Peter Lee acknowledges the practice but says that the outreach program still complies with privacy laws and was reviewed by the exchange’s legal counsel. “I can see a lot of people will be comforted and relieved at getting the help they need to navigate a confusing process,” explained Lee.
I am hardly as confident as Covered California’s lawyers apparently were that this practice was legal.
The law requires that disclosures to third parties be necessary and I do not see why Covered California could not have contacted non-completers directly and asked them if they wanted help from an insurance agent rather than disclosing their identity to insurance agents. But even if the practice could be said to be borderline legal, it is difficult to imagine a practice more likely to sabotage enrollment efforts in California — and, since California’s interpretation could be precedent for other states — elsewhere.
For every person unable to complete their application online in California and who will, with the comforting help provided by insurance agents, now want to complete it, there are likely 10 who will be turned off by the cavalier attitude towards privacy exhibited by this government agency. Beyond a violation of ACA privacy safeguards, the action is either a sign of desperation about enrollment figures, even in a state that boasts of its success such as Peter Lee’s California, or monumental stupidity.
If California wanted to create an adverse selection death spiral, it would be difficult to be more effective than, without notice or consent, releasing personally identifiable information to insurance agents.
Let’s start with the Affordable Care Act itself. Section 1411(g)(2), codified at 42 U.S.C. § 18081(g)(2), reads:
(g) CONFIDENTIALITY OF APPLICANT INFORMATION.—
(2) RECEIPT OF INFORMATION.—Any person who receives information provided by an applicant under subsection (b) (whether directly or by another person at the request of the applicant), or receives information from a Federal agency under subsection (c), (d), or (e), shall—
(A) use the information only for the purposes of, and to the extent necessary in, ensuring the efficient operation of the Exchange, including verifying the eligibility of an individual to enroll through an Exchange or to claim a premium tax credit or cost-sharing reduction or the amount of the credit or reduction; and
(B) not disclose the information to any other person except as provided in this section.
Health and Human Services, one of the key agencies in charge of administering the Affordable Care Act, has implemented this statutory provision in section 155.260 of Title 45 of the Code of Federal Regulations. It says:
§ 155.260 Privacy and security of personally identifiable information.
Did Covered California release personally identifiable information? Yes.
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) [omitted] Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
Or, if Department of Labor regulations are not enough, consider HHS’s own privacy training materials. They list name and email address — exactly what Covered California released — as emblematic personally identifiable information. HHS didn’t make this list up; they borrowed from footnote 1 of the White House’s Office of Management and Budget memorandum on Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
Was it personal information collected for the right purpose? Yes.
Apparently it is not just any collection of PII that triggers obligations under 155.260. It is collection for certain purposes. One of those purposes is “determining eligibility for enrollment in a qualified health plan.” It would surely appear that this was the purpose for which the information was provided. The individuals contacting the website were unlikely, except in peculiar cases, to be doing it for academic purposes or research. They wanted to find out whether they could get health insurance in an Exchange, what plans might be available, and what the price might be.
That’s what everyone has been advertising as the purpose of the Exchange. And, although one would think this goes without saying, that’s the reason Covered California wanted the person’s name and other personally identifiable information. Covered California wanted to determine whether that person — not some anonymous shopper — was eligible and what plans were available to that person. Covered California wanted very much to be able to link the determinations made by the back end of the web site to the identity of the person requesting that the determination be made.
Was this a necessary disclosure? Dubious.
If I were representing Peter Lee or others involved with this privacy incident, this is where I might want to rest my defense. (But if I were running other health insurance exchanges or hoping for the success of the ACA, I think I’d try to stop him from doing so). The regulation does not prohibit all uses of personally identifiable information. Nor does it actually prohibit release of the information outside of the health insurance exchange. Rather — and this may be as disturbing to some as the news of what Covered California has done — it actually authorizes external disclosure and external use under some circumstances.
First, the Exchange may use or disclose such personally identifiable information only “to the extent such information is necessary to carry out the functions described in § 155.200 of this subpart.” When we leaf to section 155.200, we find it says the legitimate functions are those in various subparts of the regulations. The relevant parts, however, are determining eligibility for subsidies and actually enrolling in a plan. Since these two functions are, I believe, precisely what Covered California had in mind, it would not appear to violate these specific portions of the regulation to disclose the information to third parties so long as the purpose was eligibility determination and enrollment.
There are, however, at least three rebuttals to this argument that, standing alone, might suggest that Covered California’s actions were lawful.
Rebuttal 1: But surely this does not mean that Covered California could publish the names of incomplete enrollers in the Los Angeles Times or on some internet list and ask that the public help them out. The regulations also place limits on the persons to whom disclosure may be made. Read this part of section 155.260:
In the end, it appears to boil down to whether the disclosures to insurance agents were necessary and done in the right way. As to whether they were necessary, I have serious doubts. I don’t see why Covered California could not itself just as easily have sent the incomplete enrollers a communication with a list of insurance agents. Moreover, even if many users would prefer that the communication flow go first to insurance agents and then to them, the language of the informed consent regulation indicates that notice of such a policy have been provided.
According to a recent poll published in the Christian Science Monitor, eighty percent of the American public say people should be concerned “about the security features of the Obamacare website.” Concerns about the security of the information inside the health care Exchanges have been fanned by many parties. The right wing (and sometimes the left wing) has repeatedly attacked the implementation of the Affordable Care Act on grounds that giving Big Brother all this information about one’s finances, health and identity is dangerous. It is, they have warned, hardly immune from hackers. The government’s abysmal track record in construction of the web site hardly gives one confidence.
Moreover, whether exaggerated or not, fears about the security of the detailed financial and personal data that will ultimately lie inside the health care exchanges have some technological support. Sources that would ordinarily not be dismissed as kooky or overly politicized have repeated these warnings. Here are some from the Mitre Corporation, Popular Mechanics and Information Week.
Mainstream media has noted the problem (CNBC, Fox News). Moreover, the fears have been amplified by commentators that, no matter what one may think of them, have large audiences that take what they say seriously. Here are some from Rush Limbaugh (“single biggest threat to individual security and identity security that we have in this country”), Sean Hannity (“we are hearing from security experts that the website is not safe”), Fox News (“it doesn’t look like anything was fixed from a security perspective”), Mother Jones (“According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called ‘clickjacking,’ where invisible links are planted on a legitimate web page.”).
Given the widespread concern and the dependency of the entire system on enough people risking their personally identifiable information in order to enroll in the health care exchanges under the Affordable Care Act, one would think government officials would be extraordinarily vigilant against hackers and others who would seek to take private information outside the Exchanges. One would think, all the more, that government itself would not be disclosing the information.
And this is what makes Covered California’s actions so mind-bogglingly stupid. Yes, releasing one’s name and email address might not be the same as releasing information about sexually transmitted diseases or the size of one’s bank account, but it is still precisely the sort of information that many Americans seek to block others from having and give up only as absolutely necessary. And releasing information to insurance agents who promise to abide by privacy rules is not the same as posting names and addresses directly on the Internet.
Even so, if government is to give this information out — to those whose bona fides may not always be known and who have a commercial motive to misuse the information — there better be an awfully good reason. Otherwise, those borderline people thinking about enrolling in an Exchange and on whom the whole of the Affordable Care Act really depends for its full success are going to think that the government places very little weight on privacy.
It is that sort of thinking, perhaps as much as concerns about the economics of the Affordable Care Act, that risks driving the whole system into an adverse selection death spiral from which it will be unable to escape. It is hard to imagine the pressure Covered California must be under to meet enrollment goals that would cause it to lose sight of these central points.
Let’s end with a look at one final statutory provision: section 1411(h)(2) of the ACA. It says:
Any person who knowingly and willfully uses or discloses information in violation of subsection (g) shall be subject, in addition to any other penalties that may be prescribed by law, to a civil penalty of not more than $25,000.
I would suggest that Peter Lee of Covered California think very carefully about this provision. I would suggest that insurance agents like Warner Pacific Insurance Services in Westlake Village, an identified recipient of this information, think very carefully about it too before using it to contact individuals. Perhaps the Obama administration will choose to excuse this apparent breach of the law due to what they may regard as the good motivations of the violators, but if you multiply $25,000 by each phone call or email, it can really add up.
Those involved in this release of information better hope that Covered California’s lawyer did some really good legal research and analysis before apparently giving the practice a clean bill of health.
Seth J. Chandler is a Professor of Law at the University of Houston and author of acadeathspiral.org, where this post originally appeared.