Safe & Sound with Marianne Kolbasuk McGee

Protecting Consumer Data Up Front

Privacy, Security Requirements for Insurance Exchange Workers
Protecting Consumer Data Up Front

Because first impressions count, it's important that the initial encounter that many consumers have with the centerpiece program of the Affordable Care Act goes off smoothly. That includes ensuring that consumers' personal information collected and shared on new state health insurance exchanges is safeguarded.

See Also: Live Discussion | Securing Business Growth: The Road to 24/7 Threat Detection and Response

Beginning on Oct 1, consumers, small business and families will be able to go online to state health insurance exchanges to enroll in private health plans that meet their budget and health needs. In some cases, lower-income consumers will discover via these exchanges that they are eligible for subsidies to help pay for private health insurance coverage, or perhaps they might qualify for government programs such as Medicaid or the Children's Health Insurance Program.

As other segments within healthcare have found, insiders, including front-end workers, are often implicated in serious breaches and fraud cases. 

The first contact many of these consumers will have with the insurance exchanges will be with so-called "navigators," "assistance personnel" and "certified application counselors" who will assist individuals in figuring out the plans for which they're eligible. These front-line workers will also help consumers complete coverage applications.

The U.S. Department of Health and Human Services recently issued regulations concerning those front-end workers. Within the 146-page final rule, called "Patient Protection and Affordable Care Act; Exchange Functions: Standards for Navigators and Non-Navigator Assistance Personnel; Consumer Assistance Tools and Programs of an Exchange and Certified Application Counselors," are provisions for how these consumer-facing workers must protect the personal information of applicants, including being properly trained in privacy and security requirements.

Among the provisions for protecting data is the expectation that these front-end workers "will assist consumers in completing the enrollment application, which requires entry of some personally identifiable information into either a computer-based or paper application; however, once the application is completed ... assistance personnel should not retain any of the information entered onto the application."

Other provisions include states being allowed to require background checks for navigators, and also consumers being required to provide authorization before counselors can obtain access to any of the applicant's personally identifiable information. Records of those authorizations must also be kept by the counselors.

Bigger Picture

Of course, the navigators and counselors are just part of the privacy and security equation that comes into play with these new state insurance exchanges, which will be involved in collecting, sharing and storing a great deal of consumers' personal health and financial data. That information needs to be protected on the back end, and state insurance exchange leaders have been busy in putting those security and privacy plans together, as well (see: An Insurance Exchange Tackles Security).

Certainly, there are plenty of challenges ahead for these exchanges. But the emphasis on privacy and security is critical and cannot be marginalized. The operators of these insurance exchanges must ensure that these requirements are carried out.

That's because as other segments within healthcare have found, insiders, including front-end workers, are often implicated in serious breaches and fraud cases. A couple of recent examples of insider crimes in healthcare:

Adventist Health System is faced with a class action suit in Florida because one of its hospital emergency department workers stole patient information from more than 760,000 records, selling that data for profit .

Meanwhile, just this week, the New York state office that investigates Medicaid fraud announced it has suspended one of its own workers after the individual allegedly sent 17,743 records of Medicaid beneficiaries to the employee's personal e-mail account. That case is under investigation by another state agency (see: State Employee Suspended After Breach).

The state health insurance exchanges' navigators, assistance personnel and counselors are insiders who have an important role to play. They will provide the first impression for many consumers who will be dealing with healthcare reform programs up close.

As we all know, many people in the U.S. are betting against healthcare reform. So, the last thing these new exchanges need is any kind of privacy or security breach or fraud incident involving these critical counselors and navigators. From the get go, privacy and security needs to be front and center.

How do we ensure that the right individuals are hired and receive the proper training? For that matter, what is the proper training? Share your thoughts within the comments below.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.