HealthCare.gov shares consumer data with lots of third parties

Update: Less than a week after the AP, EFF and multiple media outlets brought to light the data sharing described below, the government appears to have altered the website code on HealthCare.gov so that no personal data is now shared with third-party tracking sites. Presumably the government has a continuing business interest in measuring the performance of the website and collecting aggregate statistics about its usage, and will continue to get some information of this type through Akamai and other web infrastructure vendors associated with the site.


As reported by the Associated Press this week and confirmed through testing by the Electronic Frontier Foundation (EFF), some personal information provided by users of the government’s HealthCare.gov website is automatically collected and sent to more than a dozen third-party companies, including online advertising and social media sites. According to the EFF, among the personal attributes sent to third-party sites are age, zip code, income, and self-reported status for things such as whether a consumer is a parent, a smoker, or pregnant. These data elements are all items that consumers enter on the insurance exchange site as part of the process of either determining eligibility for coverage or actually applying for insurance through the federal marketplace. Once a user has created an account on HealthCare.gov, but before anything other than demographic data is requested, the site presents a privacy statement that users must agree to, which begins, “We’ll keep your information private as required by law. Your answers on this form will only be used to determine eligibility for health coverage or help paying for coverage.”

Consumers visiting HealthCare.gov are directed to multiple privacy notices, including the HealthCare.gov privacy policy, an individual Privacy Act statement, and a sort of frequently-asked-questions page explaining how individual information collected on the site is used. These pages also make reference to two privacy-related documents that the government is required to publish under current regulations: a privacy impact assessment (PIA) and a system of records notice (SORN). While a copy of the SORN covering the health insurance exchanges established under the Affordable Care Act is available online, the PIA is not, since the most recent PIA information for all systems maintained by the Department of Health and Human Services (HHS) is from the fourth fiscal quarter of 2012. None of these sources of HealthCare.gov privacy information mentions sharing consumer data with commercial third-party organizations, although one – the site’s privacy policy – refers to the use of “Web measurement software tools” that continuously collect information from site visitors. The privacy policy, however, states in bold text that “No personally identifiable information is collected by these tools.”

The EFF and others examining this data sharing behavior seem to accept as a given that the data being “quietly” shared (that is, without any explicit notice to consumers) is personal health-related information that should presumably be protected by existing regulations and restrictions on information sharing. In responses to questions from AP, the administration chose to defend the information sharing by noting that the third parties receiving the data are prohibited from using the data for purposes other than serving consumers on HealthCare.gov, although it’s not clear what the basis of such prohibition would be, since these commercial firms are not bound by either the Privacy Act or HIPAA. It is possible that each of the third-party organizations with which the government is sharing consumer details has executed a data use agreement or entered into another type of contractual agreement with the Centers for Medicare and Medicaid Services (CMS), the HHS agency responsible for administering the insurance marketplace. Such contractual obligations would augment existing regulations constraining the secondary use of information collected by federal agencies (including the restrictions on marketing added to HIPAA by the HITECH Act). What seems strange is that none of the many privacy notices and descriptions of information sharing practices provided by the government actually address sharing the kind of data that AP and the EFF identified.

The legality of this undisclosed information sharing hinges on whether the data in question actually fall under the definition of personally identifiable information (PII). The official government definition of PII comes from OMB Memorandum 07-16, which says PII is “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual.” Although the government has not offered an assertion to this effect, the argument could be made that the attributes being shared are not personally identifiable information because they cannot be used to individually identify anyone. It is the second part of the government’s PII definition that is troublesome for the HealthCare.gov data sharing, because many of the third parties receiving the data already have in their possession large quantities of consumer information that could presumably be matched with the data coming from HealthCare.gov. The government should be acutely aware of this possibility, since one of its long-time privacy advisers is a leading researcher in “re-identification,” and because HHS’ Office of the National Coordinator for Health IT has funded research about re-identifying individuals from datasets that have purportedly been de-identified. Even if the data elements sent to major web analytics, advertising, and social media companies are not personally attributable as transmitted, it should not be very challenging for these firms to combine HealthCare.gov data with other public or commercial data sources (including their own databases). If such matching is feasible for even one of the third parties, then HealthCare.gov is not only failing to comply with its own privacy policies, but possibly violating several federal privacy regulations.
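The kind of check the EFF's testing describes, written as an added example (not code from the original post, the EFF, or CMS): given a capture of outbound browser requests made while filling in an eligibility form, flag any request to a host outside the first-party domain whose query string carries one of the attributes the post lists. The captured URLs, hostnames and parameter names below are constructed placeholders, not the real HealthCare.gov tracker endpoints.

```python
"""Audit captured outbound requests for sensitive form fields sent to
third-party hosts. Added example; the request log and hostnames are
constructed for illustration and are not the real HealthCare.gov trackers."""
from urllib.parse import urlparse, parse_qs

FIRST_PARTY = "healthcare.gov"

# Attribute names the post says were observed leaving the site. The exact
# parameter spellings are an assumption; real sites name them differently.
SENSITIVE = {"age", "zip", "income", "parent", "smoker", "pregnant"}

# Constructed sample of outbound request URLs, as a proxy or browser
# extension might capture them during the eligibility questionnaire.
CAPTURED = [
    "https://www.healthcare.gov/apply/step2?age=34&zip=20001",
    "https://analytics.example-tracker.net/collect?age=34&zip=20001&income=45000&smoker=no",
    "https://cdn.example-social.com/pixel?pregnant=yes&ref=healthcare.gov",
    "https://static.healthcare.gov/css/main.css",
    "https://ads.example-network.org/beacon?uid=abc123",
]


def is_third_party(host, first_party=FIRST_PARTY):
    """True unless host is the first-party domain or one of its subdomains."""
    host = host.lower()
    return not (host == first_party or host.endswith("." + first_party))


def audit(urls, sensitive=SENSITIVE, first_party=FIRST_PARTY):
    """Map each third-party host to the sorted list of sensitive query
    parameters it received. Hosts that got no sensitive field are omitted."""
    findings = {}
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not is_third_party(host, first_party):
            continue
        leaked = [k for k in parse_qs(parsed.query) if k.lower() in sensitive]
        if leaked:
            findings.setdefault(host, set()).update(leaked)
    return {h: sorted(v) for h, v in findings.items()}


if __name__ == "__main__":
    for host, fields in audit(CAPTURED).items():
        print(f"{host}: {', '.join(fields)}")
```

The same walk over a capture would also need to inspect request bodies and the Referer header, since trackers receive form data through those channels too.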
