HealthCare.gov shares consumer data with lots of third parties
Update: Less than a week after the AP, EFF and multiple media outlets brought to light the data sharing described below, the government appears to have altered the website code on HealthCare.gov so that no personal data is now shared with third-party tracking sites. Presumably the government has a continuing business interest in measuring the performance of the website and collecting aggregate statistics about its usage, and will continue to get some information of this type through Akamai and other web infrastructure vendors associated with the site.
As reported by the Associated Press this week and confirmed through testing by the Electronic Frontier Foundation (EFF), some personal information provided by users of the government’s HealthCare.gov website is automatically collected and sent to more than a dozen third-party companies, including online advertising and social media sites. According to the EFF, among the personal attributes sent to third-party sites are age, zip code, income, and self-reported status for things such as whether a consumer is a parent, a smoker, or pregnant. These data elements are all items that consumers enter on the insurance exchange site as part of the process of either determining eligibility for coverage or actually applying for insurance through the federal marketplace. Once a user has created an account on HealthCare.gov, but before anything other than demographic data is requested, the site presents a privacy statement that users must accept before continuing. It begins, “We’ll keep your information private as required by law. Your answers on this form will only be used to determine eligibility for health coverage or help paying for coverage.”
The EFF and others examining this data sharing behavior seem to accept as a given that the data being “quietly” shared (that is, without any explicit notice to consumers) is personal health-related information that should presumably be protected by existing regulations and restrictions on information sharing. In responses to questions from AP, the administration chose to defend the information sharing by noting that the third parties receiving the data are prohibited from using the data for purposes other than serving consumers on HealthCare.gov, although it’s not clear what the basis of such prohibition would be, since these commercial firms are not bound by either the Privacy Act or HIPAA. It is possible that each of the third-party organizations with which the government is sharing consumer details has executed a data use agreement or entered into another type of contractual agreement with the Centers for Medicare and Medicaid Services (CMS), the HHS agency responsible for administering the insurance marketplace. Such contractual obligations would augment existing regulations constraining the secondary use of information collected by federal agencies (including the restrictions on marketing added to HIPAA by the HITECH Act). What seems strange is that none of the many privacy notices and descriptions of information sharing practices provided by the government actually address sharing the kind of data that AP and the EFF identified.
The legality of this undisclosed information sharing hinges on whether the data in question actually fall under the definition of personally identifiable information (PII). The official government definition of PII comes from OMB Memorandum 07-16, which says PII is “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual.” Although the government has not offered an assertion to this effect, the argument could be made that the attributes being shared are not personally identifiable information because they cannot be used to individually identify anyone. It is the second part of the government’s PII definition that is troublesome for the HealthCare.gov data sharing, because many of the third parties receiving the data already have in their possession large quantities of consumer information that could presumably be matched with the data coming from HealthCare.gov. The government should be acutely aware of this possibility, since one of its long-time privacy advisers is a leading researcher in “re-identification,” and because HHS’ Office of the National Coordinator for Health IT has funded research about re-identifying individuals from datasets that have purportedly been de-identified. Even if the data elements sent to major web analytics, advertising, and social media companies are not personally attributable as transmitted, it should not be very challenging for these firms to combine HealthCare.gov data with other public or commercial data sources (including their own databases). If such matching is feasible for even one of the third parties, then HealthCare.gov is not only failing to comply with its own privacy policies, but possibly violating several federal privacy regulations.
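The linkage argument above can be made concrete. The following is an added example, not code from the original post, the EFF, or HealthCare.gov: it takes records containing only the kind of attributes the EFF reported (age, zip code, income, parent, smoker, pregnant) and joins them against a constructed "commercial" file of the sort an advertising or analytics vendor might already hold. All records, names and values are made up for illustration; the `COMMERCIAL` table, the field names, and the assumption that the vendor's file carries the same attributes are assumptions of the example. It shows that a few quasi-identifiers that are not individually identifying can become unique once combined, which is exactly the second half of the OMB 07-16 definition.

```python
"""Record-linkage (re-identification) demo on quasi-identifiers.

Every record below is constructed for illustration; none of it is real data.
"""
from collections import Counter, defaultdict

# Attributes of the kind the EFF reported being sent to third parties.
QUASI_IDS = ("age", "zip", "income", "parent", "smoker")

# Constructed: what a tracker could receive from the site. No name attached.
LEAKED = [
    {"age": 34, "zip": "20500", "income": 45000, "parent": True,  "smoker": False, "pregnant": True},
    {"age": 34, "zip": "20500", "income": 45000, "parent": False, "smoker": False, "pregnant": False},
    {"age": 52, "zip": "10001", "income": 90000, "parent": True,  "smoker": True,  "pregnant": False},
]

# Constructed (assumption): a marketing file the third party already holds,
# keyed by name and carrying the same quasi-identifiers.
COMMERCIAL = [
    {"name": "A. Lee",   "age": 34, "zip": "20500", "income": 45000, "parent": True,  "smoker": False},
    {"name": "B. Ortiz", "age": 34, "zip": "20500", "income": 45000, "parent": False, "smoker": False},
    {"name": "C. Singh", "age": 34, "zip": "20500", "income": 62000, "parent": False, "smoker": False},
    {"name": "D. Novak", "age": 52, "zip": "10001", "income": 90000, "parent": True,  "smoker": True},
    {"name": "E. Brown", "age": 52, "zip": "10001", "income": 90000, "parent": True,  "smoker": False},
]


def key(record, fields):
    """Tuple of the chosen quasi-identifier values, used as the join key."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields):
    """Smallest equivalence class over `fields`; k == 1 means someone is unique."""
    counts = Counter(key(r, fields) for r in records)
    return min(counts.values())


def link(leaked, commercial, fields):
    """For each leaked record, the names in the commercial file sharing its key."""
    index = defaultdict(list)
    for c in commercial:
        index[key(c, fields)].append(c["name"])
    return [index.get(key(r, fields), []) for r in leaked]


def reidentified(leaked, commercial, fields):
    """(leaked index, name) pairs where the join yields exactly one candidate."""
    return [(i, names[0])
            for i, names in enumerate(link(leaked, commercial, fields))
            if len(names) == 1]


def disclosed(leaked, commercial, fields, sensitive):
    """Sensitive attribute now attributable to a named person after linkage."""
    return {name: leaked[i][sensitive]
            for i, name in reidentified(leaked, commercial, fields)}


if __name__ == "__main__":
    # Coarse keys leave several candidates per record; the full set does not.
    for fields in (("age", "zip"), ("age", "zip", "income"), QUASI_IDS):
        print(fields, "k =", k_anonymity(COMMERCIAL, fields),
              "re-identified:", reidentified(LEAKED, COMMERCIAL, fields))
    print("pregnancy status now linked to:", disclosed(LEAKED, COMMERCIAL, QUASI_IDS, "pregnant"))
```

With only age and zip code each leaked record matches two or three people in the constructed file and nothing is re-identified; adding income still leaves pairs; the full five-field key resolves every record to one name, and the self-reported pregnancy status, which the tracker received alongside the key, is now attached to that name. The check a vendor (or CMS) could run before sharing such fields is the `k_anonymity` value over the attribute set actually transmitted: as soon as it drops to 1 against any plausible reference population, the data is linkable in the OMB 07-16 sense.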