May 25, 2022

Volume XII, Number 145

U.S. Government Accountability Office (GAO) Report Outlines Healthcare.gov’s Ongoing Privacy Issues

According to a GAO report published September 16th, Healthcare.gov, the health insurance exchange rolled out last October, still has significant privacy weaknesses. Specifically, the report outlined that despite the Centers for Medicare & Medicaid Services’ (CMS) efforts to increase the security and privacy of data that it processes, maintains, and shares with both federal and commercial partners in an effort to support Healthcare.gov, “weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls.”

The report maintains that, “[u]ntil [CMS] addresses shortcomings in both the technical security controls and its information security program, CMS is exposing Healthcare.gov-related data and its supporting systems to significant risks of unauthorized access, use, disclosure, modification, and disruption.”

The report included several recommendations that the Secretary of Health and Human Services should direct the Administrator of CMS to implement, including:

  1. Ensuring that the Federally Facilitated Marketplace (FFM) system security plans include all the information that the National Institute of Standards and Technology recommends, including plans that identify the individual responsible for the control and security of the system.

  2. Ensuring “that all Healthcare.gov privacy risks are analyzed and documented in their privacy impact assessments.”

  3. Performing “a comprehensive security assessment of the FFM, including the infrastructure, platform and all deployed software elements.”

  4. Establishing “detailed security roles and responsibilities for contractors, including participation in security controls reviews, to better ensure that communications between individuals and entities with responsibility for the security of the FFM and its supporting infrastructure are effective.”

Lawmakers have expressed concern over the details of the report, given that Healthcare.gov collects personally identifiable information, such as Social Security numbers, employment and wage information, and personal addresses, of several million individuals. In a letter to Marilyn Tavenner, Administrator of CMS, Republican leaders in both the House and Senate expressed their dismay over the ongoing security vulnerabilities and requested that the Obama Administration provide details on whether the website’s security has been tested prior to the upcoming open enrollment period. The letter also asked the Obama Administration to provide information about any incident where the security of Healthcare.gov had been compromised and for an assurance that the website complies with all federal laws that protect personal information, including the Privacy Act of 1974.

© 2022 Covington & Burling LLP
National Law Review, Volume IV, Number 262

About this Author

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular.  Our practice provides exceptional coverage of all of the substantive areas of privacy, including IT/technology, data security, financial privacy, health privacy, employment privacy, litigation and transactions.  One of our core strengths is the ability to advise clients on relevant privacy and data security rules worldwide,...

202-662-6000