Reform Update: Cantor plans to address risk of data breaches on HealthCare.gov in continued battle against ACA

House Republicans will resume their battle against the Patient Protection and Affordable Care Act when they return to Washington from the holiday recess next week, while congressional Democrats are feeling better about the law's implementation.

In a memo to his fellow GOP members Thursday, House Majority Leader Eric Cantor (R-Va.) said he plans to schedule legislation next week addressing the risk of data breaches in the federal HealthCare.gov enrollment website that launched in October under the ACA.

Cantor's office is still working on a final schedule for next week. As of early Friday afternoon, there was still no specific bill text or sponsor, so it's unclear if the House will consider one of the bills introduced already, or if the final legislation will combine those measures.

Republicans have vowed to maintain their investigative scrutiny over the Obamacare implementation, even as the information technology problems on the federal and state insurance exchanges have greatly lessened and HHS announced 2.1 million enrollments as of Dec. 29—about two-thirds of what the administration had projected by the end of 2013. Republicans hope they can use the healthcare reform issue as a springboard to capturing control of the Senate in the November elections, while Democrats are expressing growing confidence that the issue will work in their favor as more Americans benefit from the law's insurance expansion. But much depends on how the rollout goes and whether new problems crop up.

Cantor highlighted the recent unrelated data breach at retail giant Target a few weeks ago, when millions of Americans learned that hackers could have gained access to their personal financial information. Cantor also cited a report from credit report bureau Experian that said the healthcare industry will be the most susceptible to data breaches in 2014.

CMS spokesman Aaron Albright said in a written statement that no security breaches have occurred on HealthCare.gov, and that security testing is conducted on an ongoing basis using best industry practices. “To date, there have been no successful security attacks on HealthCare.gov, and no person or group has maliciously accessed personally identifiable information from the site,” Albright said.

Four House committees have examined the risk of data breaches in the exchanges in congressional hearings, or, in the case of the House Oversight and Government Reform Committee, through the release of a transcript of an interview with the CMS' chief information security officer.

According to Cantor, the Obama administration has downplayed the role of data breaches. He cited the CMS' Exchange Program Integrity Rule in August, which said the agency will determine whether a risk of harm exists and if consumers should be made aware of it.

“If a breach occurs, it shouldn't be up to some bureaucrat to decide when or even whether to inform an individual that their personal information has been accessed,” Cantor wrote. “Several of our colleagues, including Diane Black, Kerry Bentivolio and Gus Biliraki,s have introduced legislation to strengthen security requirements as well as require prompt notification in the event of a breach involving personal information.”

A new Health Affairs blog shows big cost differences between the rollout of the ACA's health insurance exchanges and the Medicare program in 1966. Professors David Himmelstein and Steffie Woolhandler of the City University of New York, long-time champions of a single-payer, Medicare-for-all model, reported that the costs of implementing the exchanges and enrolling 7 million people in the first year will total about $6 billion. That compares with a cost of about $867 million (in 2013 dollars) for Medicare in the first 11 months of that program. The $867 million figure included enrolling 18.9 million seniors and paying their medical bills. The authors cite the private insurance industry as the reason for the higher costs associated with the ACA's implementation. “Obamacare's byzantine complexity reflects the contortions required to simultaneously expand coverage and appease private insurers,” they wrote. “And private insurers will exact a steep ongoing toll. Medicare's overhead is just 2%, vs. an average of 13% for private plans (on top of the exchanges' costs, roughly 3% of premiums.) A single-payer plan that excluded private insurers could save hundreds of billions in transaction costs.”

Rocky King, the head of Cover Oregon—the state's severely troubled health insurance exchange—will resign March 5 after his medical leave ends, the Associated Press reports. The state's online exchange failed to launch last October and is still not up and running, as catastrophic technical woes have forced consumers to use paper applications. According to the story, about 38,000 people have enrolled manually through Cover Oregon, with about 14,000 in private plans and 24,000 in the Oregon Health Plan, the state's version of Medicaid. King has been on medical leave since Dec. 2 and cited his health as the reason for his departure (PDF). Oregon had been expected to be a national leader in rolling out its state-run exchange, and Gov. John Kitzhaber has been seriously embarrassed by the botched launch. King is one of several leaders of state-run exchanges who has exited following major rollout problems.

HHS on Friday released a proposed rule intended to remove any legal barriers under the Health Insurance Portability and Accountability Act privacy rule that could prevent states from reporting information to the National Instant Criminal Background Check System for gun sales. That system is designed to make sure that guns aren't sold to people whom the law prohibits from having them, including felons, individuals convicted of domestic violence and those who have been committed to a mental institution involuntarily. The background check system relies on information available to it. A 2012 report from the Government Accountability Office showed that 17 states had submitted fewer than 10 records of individuals prohibited for mental reasons. The proposed HHS rule would change the HIPAA privacy rule to permit certain HIPAA-covered entities to disclose to the NICS the identities of individuals who are prohibited by law from possessing or receiving a firearm for reasons related to mental health.

Follow Jessica Zigmond on Twitter: @MHjzigmond