Reform Update: GOP-led states raise security concerns over insurance exchanges

Attorneys general from 13 Republican-led states that have refused to operate their own health insurance exchanges have raised concerns about the security of the personal information of people who enroll on the exchanges.

The attorneys general wrote to HHS Secretary Kathleen Sebelius (PDF) Aug. 14 expressing worries that navigators, assisters and other personnel who will help individuals enroll are not receiving adequate training regarding privacy protection.

On July 17, HHS released a final rule dealing with the standards for navigators and others, including requiring that they receive “training on the privacy and security standards” related to their work. That rule called for training navigators for up to 30 hours.

“The rule does not even require uniform criminal background or fingerprint checks before hiring personnel; indeed, it does not state that any prior criminal acts are per se disqualifying,” the letter to Sebelius states. It says “rigorous programmatic standards are needed to prevent security breaches by new personnel.”

The attorneys general also claim that consumer safeguard guidelines as written in the law “provide significantly less protection to consumers with respect to navigators than with respect to insurance agents and brokers.”

Agents and brokers, whose roles are potentially threatened by the exchanges and the navigators, have pushed for state legislation around the country requiring licensing and additional training of navigators.

HHS is aware of the security concerns. During a conference call with reporters today, Chiquita Brooks-LaSure, deputy director of policy and regulation at CMS' Center for Consumer Information and Insurance Oversight, said that the amount of required training is sufficient, and there would be additional training done “as needed.” She also said appropriate security safeguards are in place and that training of navigators will help protect consumers' personal data.

“We are absolutely focused on privacy and security at the department and at the CMS level, (they) are working on a variety of systems” to enhance privacy and security.

In addition, HHS announced today that it is awarding $67 million to 105 navigator grant applicants in states with federally facilitated and state partnership exchanges, including the 13 states the attorneys general represent. The amount was originally slated to be only $54 million. Brooks-LaSure said that the additional $13 million came from transferring funds from the Patient Protection and Affordable Care Act's Prevention and Public Health Fund.

Earlier this month, HHS' Office of Inspector General said in a report that security testing of the federal data hub, the computer system that will connect with state exchanges to determine exchange eligibility and make subsidy determinations, is behind schedule. In a letter earlier this week, Sen. Orrin Hatch (R-Utah) asked the Government Accountability Office for information on the "security and privacy of the data being exchanged" between the hub and the exchanges.

Christopher Rasmussen, a policy analyst with the Center for Democracy & Technology's Health Privacy Project, said the attorneys general raise some legitimate concerns.

Navigators need to be educated “to ensure they have adequate privacy and security training,” Rasmussen said. “While training can't stop someone who is determined to commit a crime, it does help so they don't do so unwittingly.”

Rasmussen added that federal regulations provide additional safeguards once a navigator is on the job. He noted that if there is a security incident involving a navigator or assister and someone witnesses it, the matter must be reported to the CMS immediately.

The Patient Protection and Affordable Care Act requires health plans offered on the exchanges to offer essential health benefits. In a report out this week, the Robert Wood Johnson Foundation found that insurers and regulators in most states say that shifting to the EHB standard—which the Obama administration allowed states to help define—is causing minimal change or disruption for them. The report, written by researchers at the Georgetown University Health Policy Institute, found that insurers are engaging in minimal substitution of covered benefits the first year. That means plans will closely follow the benefits, limits and exclusions found in each state's benchmark plan. The main differences among plans will be in cost-sharing and provider networks.

A ballot initiative effort to block Arkansas' proposal to use Medicaid funding from the federal government to purchase private insurance plans for individuals has failed, at least for now. Arkansans Against Big Government had attempted to collect signatures to place a referendum on the 2014 ballot to block Democratic Gov. Mike Beebe's proposal. Beebe's proposal was crafted as an alternative way of covering Arkansans who would have been covered by expanding Medicaid under the Patient Protection and Affordable Care Act, which the Republican-controlled Legislature would not agree to. The ballot initiative group needed 46,880 signatures, but got just a little over 26,000. But Glenn Gallas, the group's chairman, is not giving up, saying that there are other options, such as proposing a constitutional amendment or pressuring the Legislature to defund the private option.

For months, some groups have warned that young people will experience “rate shock” under Obamacare because they allegedly will pay for much more for individual-market insurance coverage than they do now. But Princeton University health economist Uwe Reinhardt doesn't buy those gloomy predictions. During a webinar Tuesday sponsored by the Alliance for Health Reform, he said young people will have to pay more in order to support the elderly and sick, but the increase won't be as drastic as some have predicted. And people who are older or who have pre-existing medical conditions, he said, will experience “premium joy.”

Follow Jonathan Block on Twitter: @MHjblock