Republican attorneys general from 11 states challenged the legality of reinstating canceled insurance plans without congressional approval and argued for tighter security around consumer data in the exchanges, the West Virginia Record reported.
Their remarks came in a Dec. 26 letter to U.S. Department of Health & Human Services Secretary Kathleen Sebelius in response to invited comments on a proposed federal rule about Affordable Care Act implementation (CMS 9954-P).
Patrick Morrisey of West Virginia led the response, joined by fellow attorneys general from Alabama, Georgia, Idaho, Kansas, Louisiana, Michigan, Nebraska, Oklahoma, Texas and Virginia.
President Barack Obama called it an appropriate use of enforcement discretion to suspend ACA provisions by temporarily renewing non-compliant plans; but the AGs described Obama's administrative fix as "flatly illegal under federal constitutional and statutory law." And while the AGs support letting citizens keep preferred health insurance coverage, they said "the President cannot simply set aside statutes or re-write them as he pleases" when it becomes politically expedient to change how the ACA works.
"The only way to fix this problem-ridden law," the AGs wrote, "is to enact changes lawfully: through congressional action."
Further, the AGs called on HHS to do a better job securing consumer information on state and federal exchanges. The AGs recommended background checks and rigorous training for all who have access to private information, federal assistance for victims of marketplace identity theft and a process to investigate complaints about misused information and prosecute offenders.
The AGs aren't the first to voice concern about marketplace information security. Though federal officials say there have been no successful cyber attacks on HealthCare.gov, independent website security testing revealed 28 vulnerabilities in October, as FierceHealthPayer reported. Further, a Sept. 27 government memo documented that federal officials launched HealthCare.gov before completion of a full security risk assessment on the site.