Why The House Bill On Healthcare.Gov Security Wouldn’t Really Make Data Safer

The U.S. House of Representatives passed a bill Friday requiring the Affordable Care Act’s website to report data breaches almost immediately after they are found.

The bill, which passed with a 291–122 vote, is the latest of at least 46 votes on Obamacare with Republicans arguing the site lacked proper security and Democrats saying the law wasn’t on par with the standards private insurance companies follow and only gives HHS staff more paperwork.

On its face, there’s nothing wrong with what the House bill, dubbed the “Health Exchange Security and Transparency Act,” asks: that the government tell users within 48 hours if their personal information is exposed. That short deadline is so that people can take swift action to prevent identity theft, House Majority Leader Eric Cantor (R-VA) argued before the vote.

But because federal laws that protect sensitive health data already exist and the U.S. Department of Health and Human Services (HHS) already has its own rules for breaches, the bill is a nonstarter for better cybersecurity. Those laws, which stem from HIPAA, make privacy and security requirements regarding health and medical records much tighter than those governing retailers like Target, where there is no uniform standard. Target announced in December that hackers stole millions of credit and debit card numbers from in-store shoppers between Nov. 27 and Dec. 15.


The difference is that HHS gives doctors, hospitals and private health insurance companies 60 days to tell patients about a breach, whereas Target, which has a breach victim toll passing 100 million, has no set amount of time in which it should notify customers, depending on the state.

If we’re going to put these restrictions on, it should apply to both public and private insurers, Rep. Henry Waxman (D-CA) argued before the House vote.

And while the site has had a host of IT problems since its launch in October, no breaches have been reported for Healthcare.gov. Despite repeatedly asserting that cybersecurity experts question the site’s security, Republican House members offered no examples of how data encryption, or other protective measures, were insufficient. In fact, the bill doesn’t mention encryption or any other electronic security measures that make information harder to steal at all.

Passing the Health Exchange Security and Transparency Act is one of several tactics the Republican Party is using in 2014 to derail Obamacare. Besides poking at Healthcare.gov’s security, the GOP has also sued to get rid of federal subsidies and fight Medicaid expansion.