TRENDING:

Safe & Sound with Marianne Kolbasuk McGee

Protecting Consumer Data Up Front

Privacy, Security Requirements for Insurance Exchange Workers Marianne Kolbasuk McGee (HealthInfoSec) • July 18, 2013    
Protecting Consumer Data Up Front

Because first impressions count, it's important that the initial encounter that many consumers have with the centerpiece program of the Affordable Care Act goes off smoothly. That includes ensuring that consumers' personal information collected and shared on new state health insurance exchanges is safeguarded.

See Also: The Cybersecurity Swiss Army Knife for Info Guardians: ISO/IEC 27001

Beginning on Oct 1, consumers, small business and families will be able to go online to state health insurance exchanges to enroll in private health plans that meet their budget and health needs. In some cases, lower-income consumers will discover via these exchanges that they are eligible for subsidies to help pay for private health insurance coverage, or perhaps they might qualify for government programs such as Medicaid or the Children's Health Insurance Program.

The first contact many of these consumers will have with the insurance exchanges will be with so-called "navigators," "assistance personnel" and "certified application counselors" who will assist individuals in figuring out the plans for which they're eligible. These front-line workers will also help consumers complete coverage applications.

The U.S. Department of Health and Human Services recently issued regulations concerning those front-end workers. Within the 146-page final rule, called "Patient Protection and Affordable Care Act; Exchange Functions: Standards for Navigators and Non-Navigator Assistance Personnel; Consumer Assistance Tools and Programs of an Exchange and Certified Application Counselors," are provisions for how these consumer-facing workers must protect the personal information of applicants, including being properly trained in privacy and security requirements.

Among the provisions for protecting data is the expectation that these front-end workers "will assist consumers in completing the enrollment application, which requires entry of some personally identifiable information into either a computer-based or paper application; however, once the application is completed ... assistance personnel should not retain any of the information entered onto the application."

Other provisions include states being allowed to require background checks for navigators, and also consumers being required to provide authorization before counselors can obtain access to any of the applicant's personally identifiable information. Records of those authorizations must also be kept by the counselors.

Bigger Picture

Of course, the navigators and counselors are just part of the privacy and security equation that comes into play with these new state insurance exchanges, which will be involved in collecting, sharing and storing a great deal of consumers' personal health and financial data. That information needs to be protected on the back end, and state insurance exchange leaders have been busy in putting those security and privacy plans together, as well (see: An Insurance Exchange Tackles Security).

Certainly, there are plenty of challenges ahead for these exchanges. But the emphasis on privacy and security is critical and cannot be marginalized. The operators of these insurance exchanges must ensure that these requirements are carried out.

That's because as other segments within healthcare have found, insiders, including front-end workers, are often implicated in serious breaches and fraud cases. A couple of recent examples of insider crimes in healthcare:

Adventist Health System is faced with a class action suit in Florida because one of its hospital emergency department workers stole patient information from more than 760,000 records, selling that data for profit .

Meanwhile, just this week, the New York state office that investigates Medicaid fraud announced it has suspended one of its own workers after the individual allegedly sent 17,743 records of Medicaid beneficiaries to the employee's personal e-mail account. That case is under investigation by another state agency (see: State Employee Suspended After Breach).

The state health insurance exchanges' navigators, assistance personnel and counselors are insiders who have an important role to play. They will provide the first impression for many consumers who will be dealing with healthcare reform programs up close.

As we all know, many people in the U.S. are betting against healthcare reform. So, the last thing these new exchanges need is any kind of privacy or security breach or fraud incident involving these critical counselors and navigators. From the get go, privacy and security needs to be front and center.

How do we ensure that the right individuals are hired and receive the proper training? For that matter, what is the proper training? Share your thoughts within the comments below.



About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.