Congress Questions Security of Health Insurance Exchange Data Hub

September 19, 2013
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

How does a proposed data hub for newly insured patients affect your practice? Hint: It has to do with cybersecurity and HIPAA.

An electronic "data hub" is being created by the federal government as a central access point for health insurance exchanges. The exchanges' use is predicated on verifying enrollment in plans and insurance "means testing" and eligibility requirements. The primary entities utilizing these exchanges are federal agencies including the IRS, Social Security Administration, and Department of Veterans Affairs.

To make sure the health exchange data hub is secure and Americans' personal information is not vulnerable to exposure, the Committee on Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing Sept. 11 to review security concerns. The subcommittee's chairman, Rep. Patrick Meehan (R-Pa.), specifically addressed data exposure from a "cybersecurity standpoint."

While the congressional subcommittee relied heavily on an August OIG Report, during the hearing, Kay Daly indicated that CMS met progress milestones on various items, including the hub’s security authorization, in early September.

In response to the hearings, a CMS fact sheet was released reassuring users that "several layers of protection [are] in place to mitigate information security risk," and describing a "continuous monitoring model … to quickly identify and take action against irregular behavior and unauthorized system changes that could indicate a potential incident."

Paralleling HIPAA breach protocols, a system is in place whereby an "incident response capability would be activated, which allows for the tracking, investigation, and reporting of incidents."

The debate over the adequacy of the security measures and breach protocol continues between CMS and Congress. Whether a delay in the activation occurs remains to be seen.

The launch of the data hub is scheduled for October 1. What this means for practices is that the data hub enables people to sign up for insurance. In turn, this could affect the number of covered patients and the fiscal bottom line. The coordination of compliance with the HIPAA Omnibus Rule is occurring simultaneously (on Sept. 23).

Because there are new provisions related to release forms and to the transmission, storage and handling of personal health information, physicians need to make sure these items are in place in anticipation of additional patients, thereby decreasing potential liability.