House passes notification requirement for health exchange breaches


The House passed a bill Friday that would impose stringent new reporting requirements on the Health and Human Services Department whenever any healthcare exchange created under the Affordable Care Act suffers a data breach.

Sixty-seven Democrats joined all House Republicans in support of the bill (H.R. 3811), passing it by a 291-122 vote.

The bill, the Health Exchange Security and Transparency Act, contains one sentence, saying HHS must notify all individuals whose personally identifiable information is exposed in a data breach of a healthcare exchange within two days of discovering the breach.

The White House opposes the bill.

"It would create unrealistic and costly paperwork requirements that do not improve the safety or security of personally-identifiable information in the Health Insurance Marketplaces," the White House said in a statement of administration policy (.pdf).

It also said there is already a sufficient system to protect personal data and to notify consumers when theirs is compromised.

The House plans to vote soon on a related bill (H.R. 3362), which would require HHS to publish weekly reports on consumer interaction with and with customer service call centers. That bill, the Exchange Information Disclosure Act, passed the House Rules Committee on Wednesday.

The White House came out in opposition (.pdf) to that as well, "because it would require unfunded, unprecedented, and unnecessary reporting requirements," it says.

House Republicans have been hunting for security flaws in the healthcare exchanges since they went online in October. In December, a dispute broke out between HHS and House Oversight Committee Chairman Darrell Issa (R-Calif.) over his efforts to subpoena contractors who worked on for documents related to security testing.

Reps. Elijah Cummings (D-Md.), the committee's ranking member, and Henry Waxman (D-Calif.), ranking member of the Energy and Commerce Committee, released a memo Jan. 9 criticizing the efforts of their Republican colleagues.

The memo says that they and other members received a classified briefing from HHS on Jan. 7 informing them that nobody has hacked into and that no personal information has been exposed.

They also said that H.R. 3811 duplicates notification requirements that federal agencies are already subject to in the event of any exposure of personal data.

On Friday, the Washington Post reported that HHS has decided to replace the main contractor for, CGI Federal, with the consulting firm Accenture.

For more:
- go to the THOMAS page for H.R. 3811
- go to the THOMAS page for H.R. 3362
- download the White House SAP for H.R. 3811 (.pdf)
- download the White House SAP for H.R. 3362 (.pdf)
- download the Jan. 9 Cummings-Waxman memo (.pdf)

Related Articles:
Leahy proposes Computer Fraud and Abuse Act changes; House to vote on data bills
HHS, House Oversight quarrel over contractor subpoenas - UPDATED