The HIPAAcrisy of Healthcare.gov

Healthcare.gov is the biggest dereliction of good public policy, information technology security and personal information privacy ever foisted upon the US public.  My worst fears were confirmed this morning at a congressional hearing questioning whether our data is secure on Healthcare.gov.  The consensus of the testimony at that hearing was that we are not secure.  Here is the link to that hearing - Is My Data on Healthcare.gov Secure?

One of the primary obligations of HIPAA is to conduct an entity-wide risk assessment.  The risk assessment includes a thorough evaluation of the confidentiality, integrity and availability of the organization's information technology systems.  Upon conclusion of the risk assessment it is certain that a number of vulnerabilities will be identified that need to be fixed.  Typical remediation includes implementing disk encryption, encryption of data in transit, end-point security, application control, content filtering, activity logging and more.

Failure to do a proper risk assessment and subsequent remediation can bring the wrath of Health & Human Services and the Office of Civil Rights down on the offending organization.  Their wrath can easily include millions of dollars in fines and significant remediation obligations.  If you read recent HIPAA resolution agreements between HHS and organizations they have cited for violations, HHS almost always starts with a statement about how the offending organization did not perform an adequate risk assessment.

CMS chief Marilyn Tavenner admittedly signed off on the Healthcare.gov website going live despite a memo that says it has not been "tested in a single environment" and that going live poses "inherent security risks."  Furthermore, the system "requires rapid development and release of hot fixes and patches so it is not always available or stable during testing."  In other words, even if the system had been properly tested for confidentiality, integrity and availability, which they state it has not, all of the panicked changes being made to get it working invalidate any initial risk assessment.  I am not in a position to state flatly that HIPAA regulations have been violated.  Have there been violations on the Healthcare.gov website?  I am willing to bet that a number of government privacy and security regulations were violated.

What does this mean to you?  If you are a user of Healthcare.gov, the PII (Personally Identifiable Information) that you shared with the government is clearly at risk.  What does this mean for Marilyn Tavenner?  Apparently not much, as no one is being held accountable.  If this were HIPAA data, she would be at risk of a finding of willful neglect.  By the CMS definition of willful neglect, the term certainly fits the treatment of your information by HHS.  HHS is hiding behind the technical definition of HIPAA Electronic Protected Health Information (ePHI), while ignoring the fact that identity theft is rampant and that the information being provided by site applicants, such as social security numbers, must be protected.  For the same agency that can put a healthcare organization out of business for making mistakes or not following the regulations to ignore the most basic security practices that it defines is pathetic.  What does this mean for all the other private healthcare providers out there?  Many healthcare organizations have paid huge fines, and some may even face jail time, for breaking the HIPAA regulations that Tavenner so casually brushed aside.  These are the regulations she is supposed to enforce, but did not, in order to facilitate political and personal gain.  For all of those who have paid huge fines to Tavenner's CMS under accusations of willful neglect, her actions in the name of political expediency must be painful to watch.

So Tavenner signed off on HealthCare.gov to operate for six months while a mitigation plan was implemented.  Will there be equal enforcement of the HIPAA regulations at Healthcare.gov?  Is she even aware of her violations?  Will her willful disregard provide a defense for those who are in trouble for the same thing?  Will leniency be granted to other companies needing expediency within their healthcare organizations?  Only time will tell.

Kathleen Sebelius at a House Energy and Commerce Committee hearing Wednesday said she is responsible for the problems with Healthcare.gov.  Will she extend her ownership to the violations of privacy regulations? Will she own the pathetic demonstration that political expediency means more to HHS than the commitment to applicants’ privacy?  Will HHS be a little more forgiving the next time another organization gets investigated for a HIPAA breach or will Tavenner and Sebelius be HIPAAcritical?

This might get a lot more interesting before this website is fully functional and secure.

For years Alvaka Networks has been supporting the network availability and security of for-profit and not-for-profit companies and government entities.  Over the past four years we have been working extensively with healthcare companies in their efforts to meet the arduous regulatory obligations of HIPAA, HITECH and the 2013 Final Omnibus Rules.  Under those regulations HIPAA Covered Entities and their Business Associates are required to follow a number of requirements.  In all my 31 years of managing Information Technology, never have I seen such a large-scale dereliction and disregard for good IT management, security and privacy practices.