Probably illegal and unquestionably stupid: Covered California’s release of personally identifiable information

Los Angeles Times article

The Los Angeles Times has reported that Covered California, the largest state’s health insurance exchange under the Affordable Care Act, has started releasing to insurance agents throughout the state the names and contact information of tens of thousands of persons who started an application using the state’s online system but failed to complete it. The Covered California director Peter Lee acknowledges the practice but says that the outreach program still complies with privacy laws and was reviewed by the exchange’s legal counsel. “I can see a lot of people will be comforted and relieved at getting the help they need to navigate a confusing process,” explained Lee.

I am hardly as confident as Covered California’s lawyers apparently were that this practice was legal. The law requires that disclosures to third parties be necessary and I do not see why Covered California could not have contacted non-completers directly and asked them if they wanted help from an insurance agent rather than disclosing their identity to insurance agents. But even if the practice could be said to be borderline legal, it is difficult to imagine a practice more likely to sabotage enrollment efforts in California — and, since California’s interpretation could be precedent for other states — elsewhere. For every person unable to complete their application online in California and who will, with the comforting help provided by insurance agents, now want to complete it, there are likely 10 who will be turned off by the cavalier attitude towards privacy exhibited by this government agency. Beyond a violation of ACA privacy safeguards, the action is either a sign of desperation about enrollment figures, even in a state that boasts of its success such as Peter Lee’s California, or monumental stupidity.

If California wanted to create an adverse selection death spiral, it would be difficult to be more effective than, without notice or consent, releasing personally identifiable information to insurance agents.

The Law

Let’s start with the Affordable Care Act itself. Section 1411(g)(2), codified at 42 U.S.C. § 18081(g)(2), reads

(g) CONFIDENTIALITY OF APPLICANT INFORMATION.— 

 

(2) RECEIPT OF INFORMATION.—Any person who receives information provided by an applicant under subsection (b) (whether directly or by another person at the request of the applicant), or receives information from a Federal agency under subsection (c), (d), or (e), shall—
(A) use the information only for the purposes of, and to the extent necessary in, ensuring the efficient operation of the Exchange, including verifying the eligibility of an individual to enroll through an Exchange or to claim a premium tax credit or cost-sharing reduction or the amount of the credit or reduction; and

(B) not disclose the information to any other person except as provided in this section.

 

Health and Human Services, one of the key agencies in charge of administering the Affordable Care Act, has implemented this statutory provision in section 155.260 of Title 45 of the Code of Federal Regulations. It says:

§ 155.260 Privacy and security of personally identifiable information.

(a) Creation, collection, use and disclosure.
(1) Where the Exchange creates or collects personally identifiable information for the purposes of determining eligibility for enrollment in a qualified health plan; determining eligibility for other insurance affordability programs, as defined in 155.20; or determining eligibility for exemptions from the individual responsibility provisions in section 5000A of the Code, the Exchange may only use or disclose such personally identifiable information to the extent such information is necessary to carry out the functions described in § 155.200 of this subpart.
This regulation requires us to answer several questions: (1) was the information in question “personally identifiable information”; (2) was it collected for one of the purposes set forth in subparagraph (a)(1); and (3) was its use or disclosure necessary to carry out a permitted function.

Did Covered California release personally identifiable information? Yes.

Section 155.260 of the Code of Federal Regulations does not appear to define personally identifiable information — although it is difficult to imagine anything that would fit it better than one’s name, address, phone number and email address. And, if one consults the Department of Labor, they say “PII” is:
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) [omitted] Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
This definition fits what Covered California released to the letter.
Examples of personally identifiable information

Or, if Department of Labor regulations are not enough, consider HHS’s own privacy training materials. They list name and email address — exactly what Covered California released — as emblematic personally identifiable information. HHS didn’t make this list up; they borrowed from footnote 1 of the White House’s Office of Management and Budget memorandum on Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

Was it personal information collected for the right purpose? Yes

Apparently it is not just any collection of PII that triggers obligations under 155.260. It is collection for certain purposes.  One of those purposes is “determining eligibility for enrollment in a qualified health plan.” It would surely appear that this was the purpose for which the information was provided. The individuals contacting the website were unlikely, except in peculiar cases, to be doing it for academic purposes or research. They wanted to find out whether they could get health insurance in an Exchange, what plans might be available, and what the price might be.  That’s what everyone has been advertising as the purpose of the Exchange. And, although one would think this goes without saying, that’s the reason Covered California wanted the person’s name and other personally identifiable information. Covered California wanted to determine whether that person — not some anonymous shopper — was eligible and what plans were available to that person. Covered California wanted very much to be able to link the determinations made by the back end of the web site to the identity of the person requesting that the determination be made.

Was this a necessary disclosure? Dubious

If I were representing Peter Lee or others involved with this privacy incident, this is where I might want to rest my defense. (But if I were running other health insurance exchanges or hoping for the success of the ACA, I think I’d try to stop him from doing so). The regulation does not prohibit all uses of personally identifiable information. Nor does it actually prohibit release of the information outside of the health insurance exchange. Rather — and this may be as disturbing to some as the news of what Covered California has done — it actually authorizes external disclosure and external use under some circumstances.

First, the Exchange may use or disclose such personally identifiable information only “to the extent such information is necessary to carry out the functions described in § 155.200 of this subpart.” When we leaf to section 155.200, we find it says the legitimate functions are those in various subparts of the regulations. The relevant parts, however, are determining eligibility for subsidies and actually enrolling in a plan. Since these two functions are, I believe, precisely what Covered California had in mind, it would not appear to violate these specific portions of the regulation to disclose the information to third parties so long as the purpose was eligibility determination and enrollment.

There are, however, at least three rebuttals to this argument that, standing alone, might suggest that Covered California’s actions were lawful.

Rebuttal 1: But surely this does not mean that Covered California could publish the names of incomplete enrollers in the Los Angeles Times or on some internet list and ask that the public help them out. The regulations also place limits on the persons to whom disclosure may be made. Read this part of section 155.260:

(b) Application to non-Exchange entities.  … [W]hen collection, use or disclosure is not otherwise required by law, an Exchange must require the same or more stringent privacy and security standards (as § 155.260(a)) as a condition of contract or agreement with individuals or entities, such as Navigators, agents, and brokers, that:
(1) Gain access to personally identifiable information submitted to an Exchange; or
(2) Collect, use or disclose personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing the functions outlined in the agreement with the Exchange.
Thus, if the third parties themselves agree to abide by the privacy regulations, perhaps they could use personally identifiable information the same way as the Exchanges themselves might. But I have doubts that all the parties to whom the information was released had entered into such “subject-to agreements.” The Los Angeles Times article understandably leaves the issue a bit unclear, but it appears the disclosure of the information went in two stages, first to some agencies with whom California had pre-existing agreements and second to various insurance agents. While I would not be surprised if Covered California had “subject-to agreements” with the four agencies, I would be surprised if they had agreements with all to whom the second stage disclosure was made. This is a factual issue that will need to be resolved should a formal dispute arise over the release of the information.
Rebuttal 2: Just because one could disclose the information to certain third parties does not mean it was “necessary” to do so. Section 155.260(b) does not authorize all disclosures to third parties that have entered into subject-to agreements. Rather, it authorizes only necessary disclosures. Was it really necessary for third parties to contact these individuals? Why could Covered California not keep the matter in house and do it itself? They had the information. They could inform those individuals that if they wanted to contact an insurance agent, there was a list of authorized agents who could help them.
Which brings me to …
Rebuttal 3: There’s another provision in the regulations that needs to be considered: the idea of informed consent. Section 155.260(a)(3)(iv) states:
Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their personally identifiable information.
If the Los Angeles Times article is complete and accurate, this was not done here. There appears to have been no effort to ask enrollees whether, if they were unable to complete their enrollment, they wanted to be contacted by an insurance agent for help. Rather, contrary to the “informed decision” principle in (a)(3)(iv), Covered California just assumed that they would. And, although some web site users might indeed have wanted such assistance, many others, I suspect, would not want third parties with potential commercial motives, and who may not have been well vetted, informed about personal medical insurance and financial matters. The whole point of (a)(3)(iv) is that the individuals should have some notice and say about the matter. And it is that provision that appears to have been completely ignored here.

Legal conclusion

In the end, it appears to boil down to whether the disclosures to insurance agents were necessary and done in the right way. As to whether they were necessary, I have serious doubts. I don’t see why Covered California could not itself just as easily have sent the incomplete enrollers a communication with a list of insurance agents. Moreover, even if many users would prefer that the communication flow go first to insurance agents and then to them, the language of the informed consent regulation indicates that notice of such a policy should have been provided.

The stupidity

According to a recent poll published in the Christian Science Monitor, eighty percent of the American public say people should be concerned “about the security features of the Obamacare website.” Concerns about the security of the information inside the health care Exchanges have been fanned by many parties. The right wing (and sometimes the left wing) has repeatedly attacked the implementation of the Affordable Care Act on grounds that giving Big Brother all this information about one’s finances, health and identity is dangerous. It is, they have warned, hardly immune from hackers. The government’s abysmal track record in construction of the web site hardly gives one confidence.

Moreover, whether exaggerated or not, fears about the security of the detailed financial and personal data that will ultimately lie inside the health care exchanges have some technological support. Sources that would ordinarily not be dismissed as kooky or overly politicized have repeated these warnings. Here are some from the Mitre Corporation, Popular Mechanics and Information Week. Mainstream media has noted the problem (CNBC, Fox News). Moreover, the fears have been amplified by commentators that, no matter what one may think of them, have large audiences that take what they say seriously. Here are some from Rush Limbaugh (“single biggest threat to individual security and identity security that we have in this country”), Sean Hannity (“we are hearing from security experts that the website is not safe”), Fox News (“it doesn’t look like anything was fixed from a security perspective”), Mother Jones (“According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called “clickjacking,” where invisible links are planted on a legitimate web page.”).

Given the widespread concern and the dependency of the entire system on enough people risking their personally identifiable information in order to enroll in the health care exchanges under the Affordable Care Act, one would think government officials would be extraordinarily vigilant against hackers and others who would seek to take private information outside the Exchanges. One would think, all the more, that government itself would not be disclosing the information. 

And this is what makes Covered California’s actions so mind-bogglingly stupid. Yes, releasing one’s name and email address might not be the same as releasing information about sexually transmitted diseases or the size of one’s bank account, but it is still precisely the sort of information that many Americans seek to block others from having and give up only as absolutely necessary. And releasing information to insurance agents who promise to abide by privacy rules is not the same as posting names and addresses directly on the Internet. Even so, if government is to give this information out — to those whose bona fides may not always be known and who have a commercial motive to misuse the information — there better be an awfully good reason. Otherwise, those borderline people thinking about enrolling in an Exchange and on whom the whole of the Affordable Care Act really depends for its full success are going to think that the government places very little weight on privacy. It is that sort of thinking, perhaps as much as concerns about the economics of the Affordable Care Act, that risks driving the whole system into an adverse selection death spiral from which it will be unable to escape. It is hard to imagine the pressure Covered California must be under to meet enrollment goals that would cause it to lose sight of these central points.

 

Conclusion

Let’s end with a look at one final statutory provision: section 1411(h)(2) of the ACA. It says:

Any person who knowingly and willfully uses or discloses information in violation of subsection (g) shall be subject, in addition to any other penalties that may be prescribed by law, to a civil penalty of not more than $25,000.

I would suggest that Peter Lee of Covered California think very carefully about this provision. I would suggest that insurance agents like Warner Pacific Insurance Services in Westlake Village, an identified recipient of this information, think very carefully about it too before using it to contact individuals. Perhaps the Obama administration will choose to excuse this apparent breach of the law due to what they may regard as the good motivations of the violators, but if you multiply $25,000 by each phone call or email, it can really add up. Those involved in this release of information better hope that Covered California’s lawyers did some really good legal research and analysis before apparently giving the practice a clean bill of health.
