HHS Responds to Concerns, Boosts HealthCare.gov Protections
HHS over the weekend said it is boosting privacy protections for U.S. residents' personal data on HealthCare.gov following reports last week that found the federal exchange website was sharing certain consumer data with third-party companies, The Hill reports.
Background
Last week, technology experts analyzing HealthCare.gov noted connections between the site and several third-party technology companies, prompting concerns about privacy. The investigation found that dozens of data companies might be able to determine when a user is on HealthCare.gov. Further, according to the investigation, some companies might be able to piece together a user's age, income, ZIP code and medical information.
The third parties cannot see a user's name, birth date or Social Security number, but they might be able to determine personal information by noting that a user accessed HealthCare.gov and comparing that with other Internet activities.
HealthCare.gov's privacy policies state that "no personally identifiable information" is collected by third-party Web measurement tools, which are considered a standard part of e-commerce. According to CMS spokesperson Aaron Albright, third-party vendors "are prohibited from using information from these tools on HealthCare.gov for their companies' purpose," adding that the government uses them for performance measurement purposes.
HHS Announces Greater Privacy Protections
HHS said it added another encryption layer to the site to help reduce the amount of data that are shared with other companies. The changes will decrease the amount of information that is available to third parties for consumers using HealthCare.gov's window shopping feature (Devaney, The Hill, 1/24).
According to AP/Modern Healthcare, an independent analysis of HealthCare.gov released on Saturday showed that the number of embedded connections the site had with private companies fell from 50 to 30 (AP/Modern Healthcare, 1/24).
In addition, CMS in a statement on Saturday said it takes the privacy "questions seriously and immediately launched a review of [its] privacy policies, contracts for third party tools and URL constructions" and is "looking at whether there are additional steps [the agency] should take" to "further increase consumer privacy" (The Hill, 1/24).
Reaction
Sens. Chuck Grassley (R-Iowa) and Orrin Hatch (R-Utah) said the privacy discoveries are "extremely concerning" for consumers (AP/The Oregonian, 1/23). Grassley has called on the Obama administration to explain how consumers' data were being used.
Meanwhile, Cooper Quintin, a staff technologist at the Electronic Frontier Foundation, said HHS' changes so far are "a great first step" to addressing privacy concerns, but he noted that the agency should do more, such as disabling third-party tracking for consumers who enable the "do not track" feature through their Web browsers (AP/Modern Healthcare, 1/24).
Lawmakers Demand Answers in Letter to HHS
In related news, top Democratic and Republican lawmakers on the House Oversight Committee on Thursday sent a letter to HHS Secretary Sylvia Mathews Burwell asking for information about how the federal government is using and sharing consumers' personal data collected through the federal exchange, CNN reports.
Committee Chair Jason Chaffetz (R-Utah), Rep. Elijah Cummings (D-Md.) and three additional committee members in the letter wrote that they are "concerned ... that sensitive consumer information submitted by visitors to HealthCare.gov -- such as age, income and smoking habits -- is being shared." The letter cited the investigation released last week and requested details about "the scope of the information that has been shared, as well as the controls in place to protect the personally identifiable information of consumers." In addition, the letter asked HHS to release the names of all third-party companies that received data from HealthCare.gov, as well as:
- What data they receive;
- How the data's use is restricted; and
- How HHS makes sure the data are not being used commercially (Frates, CNN, 1/22).