Rather than focusing on the real problems plaguing HealthCare.gov, House Republicans sought to portray the website as an insecure portal that will endanger the privacy of Americans’ medical information during a House Energy and Commerce Committee hearing focusing on the implementation of the Affordable Care Act. The accusations led one Democratic lawmaker to label the hearing “a monkey court.”
In heated exchanges, Reps. Marsha Blackburn (R-TN) and Joe Barton (R-TX) pressed the contractors responsible for writing the code behind HealthCare.gov about why some of their employees had access to “the database servers storing the enrolling information,” and questioned source code informing users that they “have no reasonable expectation of privacy regarding any communication or data transiting stored on this information system.”
“How in the world can this be HIPAA compliant when HIPAA is designed to protect the patient’s privacy and this explicitly says in order to continue you have to accept this condition that you have no privacy — no reasonable expectation of privacy?” Barton asked Cheryl Campbell, senior vice president of CGI, one of the firms that wrote the website. He was referring to the Health Insurance Portability and Accountability Act of 1996, the law that guarantees “federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information.”
Rep. Frank Pallone (D-NJ) pushed back against the implications, arguing that “HIPAA only applies when there’s health information is being provided,” not the biographical enrollment information that’s being entered by programmers. “HIPAA doesn’t apply. There is no health information in the process. You’re asked about your address, your date of birth. You are not asked health information,” he said.
As Washington & Lee Law Professor Timothy S. Jost explained to ThinkProgress in an email, “HIPAA only applies to health care providers, clearinghouses (and this is a narrowly defined term) health plans, and their business associates.” “Even so, access is available to data without consent for health care operations, which this would be.” Deven McGraw, of the Health Privacy Project at the Center for Democracy & Technology, agreed, adding, “It does not violate HIPAA – it’s not even covered by HIPAA.”
“I will not yield to this monkey court or whatever it is,” Pallone said in response to Republican interruptions. “Why are we going down this path?” he asked. “Because you are trying to scare people so they don’t apply and so therefore the legislation gets delayed or the Affordable Care Act gets defunded or it’s repealed. That’s all it is, hoping people won’t apply.”
All of the contractors at the hearing indicated that they had received HIPAA training and were HIPAA compliant.
Jost adds that “even if the rule applies to the information and to the exchange, sharing information with a contractor would be a routine operation, and HIPAA allows disclosure of information without consent for operations. Surely a health plan that contracted with a company to build its software would not be violating HIPAA as long as the computer company also observed HIPAA protections. The exchange is subject to the Privacy Act, but the HHS Privacy Act rule permits disclosure to contractors.”