Probably illegal and unquestionably stupid: Covered California’s release of personally identifiable information

Los Angeles Times article

The Los Angeles Times has reported that Covered California, the largest state’s health insurance exchange under the Affordable Care Act, has started releasing to insurance agents throughout the state the names and contact information of tens of thousands of persons who started an application using the state’s online system but failed to complete it. The Covered California director Peter Lee acknowledges the practice but says that the outreach program still complies with privacy laws and was reviewed by the exchange’s legal counsel. “I can see a lot of people will be comforted and relieved at getting the help they need to navigate a confusing process,” explained Lee.

I am hardly as confident as Covered California’s lawyers apparently were that this practice was legal. The law requires that disclosures to third parties be necessary, and I do not see why Covered California could not have contacted non-completers directly and asked them if they wanted help from an insurance agent rather than disclosing their identity to insurance agents. But even if the practice could be said to be borderline legal, it is difficult to imagine a practice more likely to sabotage enrollment efforts in California and, since California’s interpretation could be precedent for other states, elsewhere. For every person unable to complete their application online in California and who will, with the comforting help provided by insurance agents, now want to complete it, there are likely 10 who will be turned off by the cavalier attitude towards privacy exhibited by this government agency. Beyond a violation of ACA privacy safeguards, the action is either a sign of desperation about enrollment figures, even in a state that boasts of its success such as Peter Lee’s California, or monumental stupidity.

If California wanted to create an adverse selection death spiral, it would be difficult to be more effective than releasing personally identifiable information to insurance agents without notice or consent.

The Law

Let’s start with the Affordable Care Act itself. Section 1411(g)(2), codified at 42 U.S.C. § 18081(g)(2), reads:

(2) RECEIPT OF INFORMATION.—Any person who receives information provided by an applicant under subsection (b) (whether directly or by another person at the request of the applicant), or receives information from a Federal agency under subsection (c), (d), or (e), shall—
(A) use the information only for the purposes of, and to the extent necessary in, ensuring the efficient operation of the Exchange, including verifying the eligibility of an individual to enroll through an Exchange or to claim a premium tax credit or cost-sharing reduction or the amount of the credit or reduction; and

(B) not disclose the information to any other person except as provided in this section.


Health and Human Services, one of the key agencies in charge of administering the Affordable Care Act, has implemented this statutory provision in section 155.260 of Title 45 of the Code of Federal Regulations. It says:

§ 155.260 Privacy and security of personally identifiable information.

(a) Creation, collection, use and disclosure.
(1) Where the Exchange creates or collects personally identifiable information for the purposes of determining eligibility for enrollment in a qualified health plan; determining eligibility for other insurance affordability programs, as defined in 155.20; or determining eligibility for exemptions from the individual responsibility provisions in section 5000A of the Code, the Exchange may only use or disclose such personally identifiable information to the extent such information is necessary to carry out the functions described in § 155.200 of this subpart.
This regulation requires us to answer several questions: (1) was the information in question “personally identifiable information”; (2) was it collected for one of the purposes set forth in subparagraph (a)(1); and (3) was its use or disclosure necessary to carry out a permitted function.

Did Covered California release personally identifiable information? Yes.

Section 155.260 of the Code of Federal Regulations does not appear to define personally identifiable information — although it is difficult to imagine anything that would fit it better than one’s name, address, phone number and email address. And, if one consults the Department of Labor, they say “PII” is:
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) [omitted] Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
This definition fits what Covered California released to the letter.
Examples of personally identifiable information

Or, if Department of Labor regulations are not enough, consider HHS’s own privacy training materials. They list name and email address — exactly what Covered California released — as emblematic personally identifiable information. HHS didn’t make this list up; they borrowed from footnote 1 of the White House’s Office of Management and Budget memorandum on Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

Was it personal information collected for the right purpose? Yes

Apparently it is not just any collection of PII that triggers obligations under 155.260. It is collection for certain purposes.  One of those purposes is “determining eligibility for enrollment in a qualified health plan.” It would surely appear that this was the purpose for which the information was provided. The individuals contacting the website were unlikely, except in peculiar cases, to be doing it for academic purposes or research. They wanted to find out whether they could get health insurance in an Exchange, what plans might be available, and what the price might be.  That’s what everyone has been advertising as the purpose of the Exchange. And, although one would think this goes without saying, that’s the reason Covered California wanted the person’s name and other personally identifiable information. Covered California wanted to determine whether that person — not some anonymous shopper — was eligible and what plans were available to that person. Covered California wanted very much to be able to link the determinations made by the back end of the web site to the identity of the person requesting that the determination be made.

Was this a necessary disclosure? Dubious

If I were representing Peter Lee or others involved with this privacy incident, this is where I might want to rest my defense. (But if I were running other health insurance exchanges or hoping for the success of the ACA, I think I’d try to stop him from doing so.) The regulation does not prohibit all uses of personally identifiable information. Nor does it actually prohibit release of the information outside of the health insurance exchange. Rather — and this may be as disturbing to some as the news of what Covered California has done — it actually authorizes external disclosure and external use under some circumstances.

First, the Exchange may use or disclose such personally identifiable information only “to the extent such information is necessary to carry out the functions described in § 155.200 of this subpart.” When we leaf to section 155.200, we find it says the legitimate functions are those in various subparts of the regulations. The relevant parts, however, are determining eligibility for subsidies and actually enrolling in a plan. Since these two functions are, I believe, precisely what Covered California had in mind, it would not appear to violate these specific portions of the regulation to disclose the information to third parties so long as the purpose was eligibility determination and enrollment.

There are, however, at least three rebuttals to this argument that, standing alone, might suggest that Covered California’s actions were lawful.

Rebuttal 1: But surely this does not mean that Covered California could publish the names of incomplete enrollers in the Los Angeles Times or on some internet list and ask that the public help them out. The regulations also place limits on the persons to whom disclosure may be made. Read this part of section 155.260:

(b) Application to non-Exchange entities.  … [W]hen collection, use or disclosure is not otherwise required by law, an Exchange must require the same or more stringent privacy and security standards (as § 155.260(a)) as a condition of contract or agreement with individuals or entities, such as Navigators, agents, and brokers, that:
(1) Gain access to personally identifiable information submitted to an Exchange; or
(2) Collect, use or disclose personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing the functions outlined in the agreement with the Exchange.
Thus, if the third parties themselves agree to abide by the privacy regulations, perhaps they could use personally identifiable information the same way as the Exchanges themselves might. But I have doubts that all the parties to whom the information was released had entered into such “subject-to agreements.” The Los Angeles Times article understandably leaves the issue a bit unclear, but it appears the disclosure of the information went in two stages, first to some agencies with whom California had pre-existing agreements and second to various insurance agents. While I would not be surprised if Covered California had “subject-to agreements” with the four agencies, I would be surprised if they had agreements with all to whom the second stage disclosure was made. This is a factual issue that will need to be resolved should a formal dispute arise over the release of the information.

Rebuttal 2: Just because one could disclose the information to certain third parties does not mean it was “necessary” to do so. Section 155.260(b) does not authorize all disclosures to third parties that have entered into subject-to agreements. Rather, it authorizes only necessary disclosures. Was it really necessary for third parties to contact these individuals? Why could Covered California not keep the matter in house and do it itself? They had the information. They could inform those individuals that if they wanted to contact an insurance agent, there was a list of authorized agents who could help them.

Which brings me to …

Rebuttal 3: There’s another provision in the regulations that needs to be considered: the idea of informed consent. Section 155.260(a)(3)(iv) states:
Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their personally identifiable information.
If the Los Angeles Times article is complete and accurate, this was not done here. There appears to have been no effort to ask enrollees whether, if they were unable to complete their enrollment, they wanted to be contacted by an insurance agent for help. Rather, contrary to the “informed decision” principle in (a)(3)(iv), Covered California just assumed that they would. And, although some web site users might indeed have wanted such assistance, many others, I suspect, would not want third parties with potential commercial motives, and who may not have been well vetted, informed about personal medical insurance and financial matters. The whole point of (a)(3)(iv) is that the individuals should have some notice and say about the matter. And it is that provision that appears to have been completely ignored here.

Legal conclusion

In the end, it appears to boil down to whether the disclosures to insurance agents were necessary and done in the right way. As to whether they were necessary, I have serious doubts. I don’t see why Covered California could not itself just as easily have sent the incomplete enrollers a communication with a list of insurance agents. Moreover, even if many users would prefer that the communication flow go first to insurance agents and then to them, the language of the informed consent regulation indicates that notice of such a policy should have been provided.

The stupidity

According to a recent poll published in the Christian Science Monitor, eighty percent of the American public say people should be concerned “about the security features of the Obamacare website.” Concerns about the security of the information inside the health care Exchanges have been fanned by many parties. The right wing (and sometimes the left wing) has repeatedly attacked the implementation of the Affordable Care Act on grounds that giving Big Brother all this information about one’s finances, health and identity is dangerous. It is, they have warned, hardly immune from hackers. The government’s abysmal track record in construction of the web site hardly gives one confidence.

Moreover, whether exaggerated or not, fears about the security of the detailed financial and personal data that will ultimately lie inside the health care exchanges have some technological support. Sources that would ordinarily not be dismissed as kooky or overly politicized have repeated these warnings. Here are some from the Mitre Corporation, Popular Mechanics and Information Week. Mainstream media has noted the problem (CNBC, Fox News). Moreover, the fears have been amplified by commentators that, no matter what one may think of them, have large audiences that take what they say seriously. Here are some from Rush Limbaugh (“single biggest threat to individual security and identity security that we have in this country”), Sean Hannity (“we are hearing from security experts that the website is not safe”), Fox News (“it doesn’t look like anything was fixed from a security perspective”), Mother Jones (“According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called ‘clickjacking,’ where invisible links are planted on a legitimate web page.”).

Given the widespread concern and the dependency of the entire system on enough people risking their personally identifiable information in order to enroll in the health care exchanges under the Affordable Care Act, one would think government officials would be extraordinarily vigilant against hackers and others who would seek to take private information outside the Exchanges. One would think, all the more, that government itself would not be disclosing the information. 

And this is what makes Covered California’s actions so mind-bogglingly stupid. Yes, releasing one’s name and email address might not be the same as releasing information about sexually transmitted diseases or the size of one’s bank account, but it is still precisely the sort of information that many Americans seek to block others from having and give up only as absolutely necessary. And releasing information to insurance agents who promise to abide by privacy rules is not the same as posting names and addresses directly on the Internet. Even so, if government is to give this information out — to those whose bona fides may not always be known and who have a commercial motive to misuse the information — there better be an awfully good reason. Otherwise, those borderline people thinking about enrolling in an Exchange and on whom the whole of the Affordable Care Act really depends for its full success are going to think that the government places very little weight on privacy. It is that sort of thinking, perhaps as much as concerns about the economics of the Affordable Care Act, that risks driving the whole system into an adverse selection death spiral from which it will be unable to escape. It is hard to imagine the pressure Covered California must be under to meet enrollment goals that would cause it to lose sight of these central points.



Let’s end with a look at one final statutory provision: section 1411(h)(2) of the ACA. It says:

Any person who knowingly and willfully uses or discloses information in violation of subsection (g) shall be subject, in addition to any other penalties that may be prescribed by law, to a civil penalty of not more than $25,000.

I would suggest that Peter Lee of Covered California think very carefully about this provision. I would suggest that insurance agents like Warner Pacific Insurance Services in Westlake Village, an identified recipient of this information, think very carefully about it too before using it to contact individuals. Perhaps the Obama administration will choose to excuse this apparent breach of the law due to what they may regard as the good motivations of the violators, but if you multiply $25,000 by each phone call or email, it can really add up. Those involved in this release of information better hope that Covered California’s lawyer did some really good legal research and analysis before apparently giving the practice a clean bill of health.

California data shows disproportionate enrollment by those over 55

California has frequently been cited as an early Affordable Care Act success story with enrollment coming at least closer to projected numbers than in other states. Today’s release of information from Covered California, the state entity organizing enrollment there, shows a mixed picture about the likelihood that the ACA will become a stable source of non-discriminatory relatively inexpensive health insurance in the nation’s most populous state.

A highlight from the report is that 79,891 have at least gotten as far as selecting a plan since enrollment opened on October 1, 2013. That’s better than any other state and better — at least as of the last report — than all the other states combined using the healthcare.gov portal. And, because, contrary to the wishes of California Insurance Commissioner Dave Jones, Covered California has decided not to permit those who recently enrolled in underwritten individual health insurance to “uncancel” policies that do not provide Essential Health Benefits, there is the potential to add more people to the Exchange pools than would otherwise be possible. Additional good news: the pace of enrollment has picked up over the past two weeks. Still, to date, the 79,891 who have at least selected a plan are only 6% of the 1.3 million that the federal government projected California would enroll through 2014. And the web site in California appears to be working acceptably.

Perhaps the news on the number of enrollees is equivocal. It’s better than other states, and it’s still early, but, relative to the projections on which the ACA was premised, it is not good at all. There is also, however, what appears to me to be distinctly troubling news coming from California. We have another report on the age distribution of enrollees: so far, it is disproportionately old. And this is true in the state in which enrollment has progressed the furthest and in the nation’s most populous state. So, the data is potentially significant not just as an augury of what may be seen in other states but because a disproportionately elderly population in the largest state is, in and of itself, a problem.

Although persons age 55 through 64 constitute about 18% of the California population aged 18 through 64, they constitute double that, 36%, of persons in that same age segment who have enrolled for a plan. Similarly, although persons age 45 through 64 constitute about 41% of the California population, they constitute 59% of those who have enrolled thus far. As discussed earlier on this blog and elsewhere, because premium ratios between old and young are capped at 3 to 1, whereas actual claim ratios are likely to be higher, disproportionate enrollment of the elderly can help drive an adverse selection death cycle. This would be all the more true if the older people — it’s hard to call people age 55 “elderly” — that are enrolling are disproportionately unhealthy relative to their age-group peers. Claims, therefore, by Covered California Director Peter Lee that “enrollment in key demographics like the so-called young invincibles is very encouraging” rest on theories of economics and statistics that I do not understand.

A Side Note on Market Concentration

By the way, who’s on the hook in the event the ultimate pool is distinctly more expensive than insurers anticipated? It’s the usual suspects. The big “winners” in California thus far are the usual suspects: Anthem Blue Cross has 28.1%, Kaiser Permanente, a California fixture, has 26.8%, Blue Shield of California has 25.6% and Health Net (with headquarters in Southern California) has 15.7%. Together, these four have 96% of the market with a “Herfindahl Index” of a moderately concentrated 2410. Dreams, therefore, of new competitors entering the marketplace thus far seem illusory. But it is these “winners” that stand to lose the most money — and be the greatest recipients of federal redistributions under Transitional Reinsurance, Risk Corridors and Risk Adjustments — in the coming year if the trends hold up.

