Think seriously about ACA security for your clients

There’s a problem with the website. We all know this. Someone will be sued. Will it be you? Big problems with expensive consequences still exist for employers and health care consumers on Healthcare.gov. The back-end processing of the website is not secure. Hackers can steal consumers’ personal health information and other data. Can you spell HIPAA or HITECH nightmare? Just last year, HITECH was amended to strengthen HIPAA’s protections.

Congress created these elaborate laws to protect the privacy of medical information for consumers. I’ve seen reports in most major media that security flaws on Healthcare.gov are limitless. This should raise a red flag for employers that they need to guide their employees who are going on the exchanges.

Employers and brokers should be careful recommending the website, especially if you help them enroll on it. The last thing you want is a duplicitous connection with this website if hackers get in and steal personal health information. Fines for this kind of breach are up to $50,000 per plan participant, per incident.

The final rule from last year states that an impermissible acquisition, access, use or disclosure of personal health information is presumed to be a breach, unless the health plan or business associate (as applicable) demonstrates that there is a low probability that the information has been compromised based on a risk assessment of at least the following factors:
• Personal health information involved that could be used by an unauthorized individual in a manner adverse to the subject of the data makes it is more likely that it will be considered compromised.
• A disclosure made to a person or entity required to abide by the privacy rule would make it less likely that personal health information has been compromised, since the recipient of the data must protect the information in a similar manner as the disclosing entity.
• Whether the personal health information was actually acquired or viewed.
• The extent that the risk of information has been mitigated.

In light of the serious concerns over Web security with Healthcare.gov, how do you feel about helping your clients’ employees enroll?  Does your employer client know the penalties and resulting costs of working with a party (Healthcare.gov) if employees’ personal health information is breached?  

Employer liability
Employers may still use Healthcare.gov to help employees get covered. But what happens if the screen is left on so that a passerby can see another employee’s information? That could be cause for fine for the employer.

What happens if an employer decides to promote Healthcare.gov and the data is compromised? That is also a HIPAA breach that could create culpability for the employer. Fines could follow. A breach of personal health information would cause the employer to make the error known to all, even if it was Healthcare.gov, not the employer, who was responsible for the breach.

Lastly, who has responsibility if Healthcare.gov is hacked and consumers’ information is stolen or compromised? Back-end data security is still one of the biggest problems with a site that was not ready for primetime. Inform your clients of these potential consequences.

Davidson, CEBS, is founder of Davidson Marketing Group and FutureOffice Network. He is also on the faculty at the Sheldon B. Lubar School of Business at the University of Wisconsin, Milwaukee. Reach him at craigd@davidsonmarketing.com.

For reprint and licensing requests for this article, click here.
Healthcare reform
MORE FROM EMPLOYEE BENEFIT NEWS