The State of California is doing neither the best nor the worst when it comes to enrolling people in individual healthcare plans on its Exchange (Covered California), but it is doing the best job I have seen in releasing detailed information. In particular, it has released detailed information on the age distribution of enrollees, “metal tiers” being selected by enrollees, subsidization rates, the distribution of enrollees among insurance companies, and rates of enrollment among different language groups. Let’s look at the data and see what can be learned. And, other states, would you please do what California is doing. You have the data. It’s not that hard to put out the numbers.
As shown in the paired bar graph below, the distribution of enrollees in individual Exchange plans by age in California is weighted far more heavily towards those in the older age brackets. There is, in particular, a dearth of children relative to the large numbers in the population and a disproportionately high number of those in the 55-64 age bracket.
The graphic here is less “bullish” on the enrollment of younger enrollees than Covered California would like to make it appear. This is because in various press releases, Covered California has been comparing the proportion of younger people enrolled against the proportion of younger people in the population and suggesting that they are similar. But this is highly misleading because the relevant statistic is the proportion of younger people in the eligible population. The elderly are not eligible to purchase policies on the Exchange. Thankfully, however, California has released the raw data that lets people do their own analyses. When the results are examined properly, in my opinion, the distribution of the young is more problematic.
Metal Tier Distribution
As noted in an earlier blog entry, a high proportion of purchases of Gold and Platinum policies could be worrisome because those policies are likely to be disproportionately purchased by those in poorer health. These policies generally have significantly less cost sharing than the Bronze and Silver policies. The chart below, taken from data provided by Covered California, shows that this concern has not materialized thus far in California. “Sub.” in the graphic shows policies that are eligible for subsidy under 26 U.S.C. § 36B and possibly under 42 U.S.C. § 18071 whereas “Unsub.” shows policies that are not eligible for subsidy. Silver is by far and away the most popular plan selected. And, contrary to earlier information released by California, which initially got matters backwards, subsidized policies are significantly more prevalent than unsubsidized ones.
The pie chart below shows the distribution of enrollees by insurer. As one can see, enrollment in California has been dominated by large insurers. The top 4 insurers have 96.2% of the market. No small insurers have broken into the top 4. Moreover, some insurers are likely to have problems with the small absolute size of their pool if it does not increase significantly: Valley Health Plan has just 122 people enrolled to date in its health plans; Contra Costa Health Plan has just 178.
California has released information on the primary language of enrollees. As shown in the paired bar graph below, the data demonstrates that English speaking individuals are enrolling at a rate significantly higher than those whose primary language is something else. People whose primary language is Spanish, for example, constitute 28.8% of the California population but only 4.6% of persons who have enrolled to date.
The Los Angeles Times has reported that Covered California, the largest state’s health insurance exchange under the Affordable Care Act, has started releasing to insurance agents throughout the state the names and contact information of tens of thousands of persons who started an application using the state’s online system but failed to complete it. The Covered California director Peter Lee acknowledges the practice but says that the outreach program still complies with privacy laws and was reviewed by the exchange’s legal counsel. “I can see a lot of people will be comforted and relieved at getting the help they need to navigate a confusing process,” explained Lee.
I am hardly as confident as Covered California’s lawyers apparently were that this practice was legal. The law requires that disclosures to third parties be necessary and I do not see why Covered California could not have contacted non-completers directly and asked them if they wanted help from an insurance agent rather than disclosing their identity to insurance agents. But even if the practice could be said to be borderline legal, it is difficult to imagine a practice more likely to sabotage enrollment efforts in California — and, since California’s interpretation could be precedent for other states — elsewhere. For every person unable to complete their application online in California and who will, with the comforting help provided by insurance agents, now want to complete it, there are likely 10 who will be turned off by the cavalier attitude towards privacy exhibited by this government agency. Beyond a violation of ACA privacy safeguards, the action is either a sign of desperation about enrollment figures, even in a state that boasts of its success such as Peter Lee’s California, or monumental stupidity.
If California wanted to create an adverse selection death spiral, it would be difficult to be more effective than, without notice or consent, releasing personally identifiable information to insurance agents.
Let’s start with the Affordable Care Act itself. Section 1411(g)(2), codified at 42 U.S.C. § 18081(g)(2), reads
(g) CONFIDENTIALITY OF APPLICANT INFORMATION.—
(2) RECEIPT OF INFORMATION.—Any person who receives information provided by an applicant under subsection (b) (whether directly or by another person at the request of the applicant), or receives information from a Federal agency under subsection (c), (d), or (e), shall— (A) use the information only for the purposes of, and to the extent necessary in, ensuring the efficient operation of the Exchange, including verifying the eligibility of an individual to enroll through an Exchange or to claim a premium tax credit or cost-sharing reduction or the amount of the credit or reduction; and
(B) not disclose the information to any other person except as provided in this section.
Health and Human Services, one of the key agencies in charge of administering the Affordable Care Act has implemented this statutory provision in section 155.260 of Title 45 of the Code of Federal Regulations. It says:
§ 155.260 Privacy and security of personally identifiable information.
(a) Creation, collection, use and disclosure.
(1) Where the Exchange creates or collects personally identifiable information for the purposes of determining eligibility for enrollment in a qualified health plan; determining eligibility for other insurance affordability programs, as defined in 155.20; or determining eligibility for exemptions from the individual responsibility provisions in section 5000A of the Code, the Exchange may only use or disclose such personally identifiable information to the extent such information is necessary to carry out the functions described in § 155.200 of this subpart.
This regulation requires us to answer several questions: (1) was the information in question “personally identifiable information”; (2) was it collected for one of the purposes set forth in subparagraph (a)(1); and (3) was its use or disclosure necessary to carry out a permitted function.
Did Covered California release personally identifiable information? Yes.
Section 155.260 of the Code of Federal Regulations does not appear to define personally identifiable information — although it is difficult to imagine anything that would fit it better than one’s name, address, phone number and email address. And, if one consults the Department of Labor, they say “PII” is:
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) [omitted] Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
This definition fits what Covered California released to the letter.
Was it personal information collected for the right purpose? Yes
Apparently it is not just any collection of PII that triggers obligations under 155.260. It is collection for certain purposes. One of those purposes is “determining eligibility for enrollment in a qualified health plan.” It would surely appear that this was the purpose for which the information was provided. The individuals contacting the website were unlikely, except in peculiar cases, to be doing it for academic purposes or research. They wanted to find out whether they could get health insurance in an Exchange, what plans might be available, and what the price might be. That’s what everyone has been advertising as the purpose of the Exchange. And, although one would think this goes without saying, that’s the reason Covered California wanted the person’s name and other personally identifiable information. Covered California wanted to determine whether that person — not some anonymous shopper — was eligible and what plans were available to that person. Covered California wanted very much to be able to link the determinations made by the back end of the web site to the identity of the person requesting that the determination be made.
Was this a necessary disclosure? Dubious
If I were representing Peter Lee or others involved with this privacy incident, this is where I might want to rest my defense. (But if I were running other health insurance exchanges or hoping for the success of the ACA, I think I’d try to stop him from doing so). The regulation does not prohibit all uses of personally identifiable information. Nor does it actually prohibit release of the information outside of the health insurance exchange. Rather — and this may be as disturbing to some as the news of what Covered California has done — it actually authorizes external disclosure and external use under some circumstances.
First, the Exchange may use or disclose such personally identifiable information only “to the extent such information is necessary to carry out the functions described in § 155.200 of this subpart.” When we leaf to section 155.200, we find it says the legitimate functions are those in various subparts of the regulations. The relevant parts, however, are determining eligibility for subsidies and actually enrolling in a plan. Since these two functions are, I believe, precisely what Covered California had in mind, it would not appear to violate these specific portions of the regulation to disclose the information to third parties so long as the purpose was eligibility determination and enrollment.
There are, however, at least three rebuttals to this argument that, standing alone, might suggest that Covered California’s actions were lawful.
Rebuttal 1: But surely this does not mean that Covered California could publish the names of incomplete enrollers in the Los Angeles Times or on some internet list and ask that the public help them out. The regulations also place limits on the persons to whom disclosure may be made. Read this part of section 155.260:
(b) Application to non-Exchange entities. … [W]hen collection, use or disclosure is not otherwise required by law, an Exchange must require the same or more stringent privacy and security standards (as § 155.260(a)) as a condition of contract or agreement with individuals or entities, such as Navigators, agents, and brokers, that:
(1) Gain access to personally identifiable information submitted to an Exchange; or
(2) Collect, use or disclose personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing the functions outlined in the agreement with the Exchange.
Thus, if the third parties themselves agree to abide by the privacy regulations, perhaps they could use personally identifiable information the same way as the Exchanges themselves might. But I have doubts that all the parties to whom the information was released had entered into such “subject-to agreements.” The Los Angeles Times article understandably leaves the issue a bit unclear, but it appears the disclosure of the information went in two stages, first to some agencies with whom California had pre-existing agreements and second to various insurance agents. While I would not be surprised if Covered California had “subject-to agreements” with the four agencies, I would be surprised if they had agreements with all to whom the second stage disclosure was made. This is a factual issue that will need to be resolved should a formal dispute arise over the release of the information.
Rebuttal 2: Just because one could disclose the information to certain third parties does not mean it was “necessary” to do so. Section 155.260(b) does not authorize all disclosures to third parties that have entered into subject-to agreements. Rather, it authorizes only necessary disclosures. Was it really necessary for third parties to contact these individuals? Why could Covered California not keep the matter in house and do it itself? They had the information. They could inform those individuals that if they wanted to contact an insurance agent, there was a list of authorized agents who could help them.
Which brings me to …
Rebuttal 3: There’s another provision in the regulations that needs to be considered: the idea of informed consent. Section 155.260(a)(3)(iv) states:
Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their personally identifiable information.
If the Los Angeles Times article is complete and accurate, this was not done here. There appears to have been no effort to ask enrollees whether, if they were unable to complete their enrollment, they wanted to be contacted by an insurance agent for help. Rather, contrary to the “informed decision” principle in (a)(3)(iv), Covered California just assumed that they would. And, although some web site users might indeed have wanted such assistance, many others, I suspect, would not want third parties with potential commercial motives and who may not have been well vetted informed about personal medical insurance and financial matters. The whole point of (a)(3)(iv) is that the individuals should have some notice and say about the matter. And it is that provision that appears to have been completely ignored here.
In the end, it appears to boil down to whether the disclosures to insurance agents were necessary and done in the right way. As to whether it was necessary, I have serious doubts. I don’t see why Covered California could not itself just as easily have sent the incomplete enrollers a communication with a list of insurance agents. Moreover, even if many users would prefer that the communication flow go first to insurance agents and then to them, the language of the informed consent regulation indicates that notice of such a policy should have been provided.
According to a recent poll published in the Christian Science Monitor, eighty percent of the American public say people should be concerned “about the security features of the Obamacare website.” Concerns about the security of the information inside the health care Exchanges have been fanned by many parties. The right wing (and sometimes the left wing) has repeatedly attacked the implementation of the Affordable Care Act on grounds that giving Big Brother all this information about one’s finances, health and identity is dangerous. It is, they have warned, hardly immune from hackers. The government’s abysmal track record in construction of the web site hardly gives one confidence.
Moreover, whether exaggerated or not, fears about the security of the detailed financial and personal data that will ultimately lie inside the health care exchanges have some technological support. Sources that would ordinarily not be dismissed as kooky or overly politicized have repeated these warnings. Here are some from the Mitre Corporation, Popular Mechanics and Information Week. Mainstream media has noted the problem (CNBC, Fox News). Moreover, the fears have been amplified by commentators that, no matter what one may think of them, have large audiences that take what they say seriously. Here are some from Rush Limbaugh (“single biggest threat to individual security and identity security that we have in this country”), Sean Hannity (“we are hearing from security experts that the website is not safe”), Fox News (“it doesn’t look like anything was fixed from a security perspective”), Mother Jones (“According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called “clickjacking,” where invisible links are planted on a legitimate web page.”).
Given the widespread concern and the dependency of the entire system on enough people risking their personally identifiable information in order to enroll in the health care exchanges under the Affordable Care Act, one would think government officials would be extraordinarily vigilant against hackers and others who would seek to take private information outside the Exchanges. One would think, all the more, that government itself would not be disclosing the information.
And this is what makes Covered California’s actions so mind-bogglingly stupid. Yes, releasing one’s name and email address might not be the same as releasing information about sexually transmitted diseases or the size of one’s bank account, but it is still precisely the sort of information that many Americans seek to block others from having and give up only as absolutely necessary. And releasing information to insurance agents who promise to abide by privacy rules is not the same as posting names and addresses directly on the Internet. Even so, if government is to give this information out — to those whose bona fides may not always be known and who have a commercial motive to misuse the information — there better be an awfully good reason. Otherwise, those borderline people thinking about enrolling in an Exchange and on whom the whole of the Affordable Care Act really depends for its full success are going to think that the government places very little weight on privacy. It is that sort of thinking, perhaps as much as concerns about the economics of the Affordable Care Act, that risks driving the whole system into an adverse selection death spiral from which it will be unable to escape. It is hard to imagine the pressure Covered California must be under to meet enrollment goals that would cause it to lose sight of these central points.
Let’s end with a look at one final statutory provision: section 1411(h)(2) of the ACA. It says:
Any person who knowingly and willfully uses or discloses information in violation of subsection (g) shall be subject, in addition to any other penalties that may be prescribed by law, to a civil penalty of not more than $25,000.
I would suggest that Peter Lee of Covered California think very carefully about this provision. I would suggest that insurance agents like Warner Pacific Insurance Services in Westlake Village, an identified recipient of this information, think very carefully about it too before using it to contact individuals. Perhaps the Obama administration will choose to excuse this apparent breach of the law due to what they may regard as the good motivations of the violators, but if you multiply $25,000 by each phone call or email, it can really add up. Those involved in this release of information better hope that Covered California’s lawyers did some really good legal research and analysis before apparently giving the practice a clean bill of health.