Obamacare Site: Not HIPAA Compliant, Doesn't Need To Be


Despite being one of the largest healthcare systems in the country, the Obamacare site and back-end systems are not HIPAA compliant, nor do they have be, the Department of Health and Human Services confirmed with CRN.

The Health Insurance Portability and Accountability Act, or HIPAA, places stringent privacy compliance regulations on the disclosure of protected information, such as medical records or personal information. It applies to healthcare companies, clearinghouses and other organizations that directly sell or use health information. But, the compliance measures were extended to independent contractors, such as solution providers.

However, the flagship site of the Affordable Care Act, or Obamacare as it has come to be known, and its back-end systems do not have to be compliant with HIPAA, falling instead under the Privacy Act. HHS told CRN that HIPAA only applies to healthcare providers that electronically submit certain forms, healthcare clearinghouses and health plans. However, the Obamacare system does not fall into any of those three categories.

[Related: HIPAA Omnibus Rule Violation Nets Hefty Fines]

"The exchanges and healthcare.gov website facilitate the purchase of health insurance coverage by small business and individuals, with functions ranging from determining eligibility and vetting plans for compliance with required benefits packages," the HHS wrote in an email to CRN. "These functions do not include healthcare delivery or the functions of a health plan. By contrast, participating insurers -- called qualified health plans -- are covered entities, and as such, must continue to comply with HIPAA, as well as the new privacy and security measures that exchanges choose to impose on their participating plans."

Abner Weintraub, president of the HIPAA Group, a HIPAA consultant, said that the government is using a loophole and wordplay to avoid complying with the regulations.

"All health insurers' health plans, their systems website and business operations, all are utterly, absolutely required to be compliant with HIPAA," Weintraub said to CRN. "So how is it that health insurance is the central and sole focus of the Affordable Care Act website, healthcare.gov, and yet it is not required to be compliant with HIPAA. It's absolute B.S."

Weintraub said he's worried that by not forcing the healthcare.gov site to comply with HIPAA, applicants' personal information could be put at risk.

"Because the Obamacare website has no promise of privacy, ... they've revealed that any and all info collected through the site can and may be shared with absolutely everybody. ... What they have done is essentially turned several hundred years of established medical privacy completely on its head and thrown it out the window," Weintraub said. "There's no wiggling out from under it for anyone else, other than the federal government apparently."

A solution provider CEO that helps clients become HIPAA certified told CRN that he has been scrambling over the last few months to get clients up to date due to expanded regulations that went into effect Sept. 23.

"Anybody that works in the healthcare arena and subsequently attached fields have been just slammed with mandates from the federal government," said the CEO, who requested anonymity.

Regardless of whether the site needed to be HIPAA compliant or not, the CEO said that it would have been a smart move for the site to comply because of the many controversies recently, mostly stemming from the NSA and concerns over the online privacy. Although the CEO said he recognized that, given the size of the project, the move to make the entire site HIPAA compliant would have been a very large undertaking, users need to know their information is safe.

"You have to have some sort of comfort level or campaign around to assure the people that their information is protected," the CEO told CRN.

PUBLISHED OCT. 25, 2013