The federal health insurance exchange might be violating consumers' privacy rights by giving their personal data, including age, income, ZIP code and various health conditions, to third-party sites embedded on Healthcare.gov, according to the Associated Press.
Although there hasn't been any evidence that the companies, which were hired to generate analysis to improve the consumer experience, are misusing the personal information, the large amount of data transfer is raising questions. The privacy concerns could possibly dissuade some consumers from enrolling in an exchange plan sold on a Healthcare.gov site that has been plagued with glitches from the first day of open enrollment.
Mehdi Daoudi, CEO of Catchpoint Systems, found about 50 third-party connections, including Google's data-analytics service, Twitter, Facebook and several online advertising providers, embedded on Healthcare.gov. The AP was able to replicate his results.
David Harlow, principal of The Harlow Group, LLC, a healthcare law and consulting firm based in Boston, told FierceHealthPayer that it's unclear if the site is violating HIPAA, saying that it needs to be determined whether or not the exchange is a covered entity or a business associate.
"Does it have the necessary relationship with insurance companies?" Harlow, who serves on FierceHealthIT's Editorial Advisory Board, said. He also wondered if, since it's run by a government agency, sovereign immunity is applicable.
The real question, though, Harlow said, is how the site is still underperforming in so many ways.
"Shouldn't they be able to do better?" Harlow said. "There's certainly been so much scrutiny given to this website and its development, that it's really stunning to me that this kind of coding was used in building it."
Harlow suggested that even if there is no specific regulatory or legal reason to change the site, it needs to change now, just as a matter of public relations.
"It's really not sustainable to have issue after issue with this website and expect people to keep coming back to it," he said.
Corporate cybersecurity consultant Theresa Payton, who served as White House chief information officer under President George W. Bush, told the AP that vendor management can often be the weakest link in a privacy and security chain. She added that Healthcare.gov's high number of connections might be "overkill."
Centers for Medicare & Medicaid Services Spokesman Aaron Albright said outside vendors "are prohibited from using information from these tools on Healthcare.gov for their companies' purposes."
Meanwhile, back-end issues continue for the federal exchange. Although Joel Ario, managing director at Manatt Health Solutions, said the consumer experience so far this enrollment period has "improved substantially," the exchange still needs to resolve some behind-the-scenes glitches, reported Employee Benefit Adviser.
Ario added that the Obama administration aims to create a "Google-like experience" for Healthcare.gov so that consumers can input information into a search engine to receive a recommendation for the best plan. "We will get there eventually," Ario said.
Harlow called the ordeal a cautionary tale for industry at large.
"Here are folks who are spending millions and millions of dollars on building a platform to collect information, to use information in a certain way, and are unable to do it in a way that is above reproach," he said. "This is another arm of the same agency that is tasked with enforcing these rules as they relate to folks in the private sector. How does that look and feel to the physician practices who are fined $150,000 for lapses in privacy and security protocols?"
Editor's Note: FierceHealthIT Senior Editor Dan Bowman contributed to this report.