Privacy Be Damned
The imminent health-exchange scandal.
Aug 5, 2013, Vol. 18, No. 44 • By MICHAEL ASTRUE
I have been dismayed, but unsurprised, to see that the Department of Health and Human Services (HHS) is already spinning the launch of its federal health insurance exchange this October. The federal and state “exchanges”—HHS recently rebranded them “marketplaces”—are a linchpin of the Affordable Care Act (ACA) that would allow uninsured Americans to assess and select health insurance plans. Repeated HHS assurances that the systems will be ready for launch have been a critical factor in state decisions as to whether they should use the HHS portal or build their own; at least 14 states have wisely chosen to build their own systems.
A functional and legally compliant federal exchange almost certainly will not be ready on October 1 for those who will have no choice but to use the federal portal. The reasons for failure are not short timelines (Congress gave HHS more than three years), political interference (Congress has not focused on ACA systems), or complexity (states have built well-designed exchanges). The reason is plain old incompetence and arrogance.
After enactment of the ACA, the former administrator of the Centers for Medicare and Medicaid Services (CMS), Donald Berwick, had the responsibility of creating systems for the exchanges, which required peripheral support from the Social Security Administration (SSA) and the Internal Revenue Service (IRS). Congress did not appropriate special funding for this initiative, and Berwick was unwilling to shift adequate funds within CMS for this critical project. Berwick then failed to persuade HHS secretary Kathleen Sebelius to spend one penny on this effort from her massive ACA discretionary fund. Berwick also failed to bully SSA into paying for the entire system; he brushed aside the blatant illegality of that approach.
Civil servants at CMS did what they could to meet the statutory deadline—they threw together an overly simplistic system without adequate privacy safeguards. The system’s lack of any substantial verification of the user would leave members of the public open to identity theft, lost periods of health insurance coverage, and exposure of address for victims of domestic abuse and others. CMS then tried to deflect attention from its shortcomings by falsely asserting that it had done so to satisfy White House directives about making electronic services user-friendly.
In reality, the beta version jammed through a few months ago will, unless delayed and fixed, inflict on the public the most widespread violation of the Privacy Act in our history. Almost a year ago both I and the IRS commissioner raised strong legal objections to the Office of Management and Budget (OMB), which has statutory oversight responsibilities for the Privacy Act. As of the time of my resignation as commissioner of Social Security last February, OMB lawyers could not bring themselves to bless a portal in which I could change Donald Trump’s health insurance and he could change mine.
Incredibly, at the time of our appeal, no senior legal official at HHS had reviewed the legal issues raised by this feature of the ACA. It is my understanding that OMB, despite the recent furor over this administration’s lack of respect for the privacy of citizens, has ordered agencies to bulldoze through the Privacy Act by invoking an absurdly broad interpretation of the Privacy Act’s “routine use” exemption.
The Privacy Act is a general prohibition, subject to narrow exceptions, on disclosure of records between agencies or to the public. The “routine use” exception allows disclosure when the use of a record is “for a purpose which is compatible with the purpose for which it is collected.” Privacy being essential to patient care, it is impossible to justify a “routine use” exception for a system knowingly built in a way that will permit disclosure of intimate health care data.
In this regard, the administration is not only preparing to violate the law, it is also holding itself to a far lower privacy standard than that to which it is trying to hold the private sector. In announcing the administration’s “Consumer Privacy Bill of Rights,” last year President Obama himself said, “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online.”
A June Government Accountability Office (GAO) report gingerly avoided all the significant privacy and operational issues surrounding the HHS system, and did little more than report that CMS admitted it was behind on certain parts of the program but felt it could catch up. Nowhere did our congressional watchdogs show any sign that they had actually tested the system and considered its readiness for public use.
Since the HHS inspector general and GAO have been snoozing on their watches, it is time for Congress itself to inspect the current version of the HHS software and decide whether delay of implementation of the exchanges is the right course of action.
Michael Astrue served as HHS general counsel (1989-1992) and commissioner of Social Security (2007-2013).
Recent Blog Posts