On Friday morning, CNN anchor Carol Costello challenged Rep. Marsha Blackburn (R-TN) to substantiate her claim that HealthCare.gov will endanger Americans’ medical privacy. The host pushed the Congresswoman to specify which medical details enrollees would have to turn over to the federal government, causing Blackburn to become visibly uncomfortable and unsure as she strung together various buzzwords about privacy.
The exchange originated from a question Blackburn herself leveled at the primary contractors responsible for HealthCare.gov during a House Energy & Commerce Committee hearing on Thursday. Blackburn asked the witnesses why some of their employees had access to “the database servers storing the enrolling information” and suggested that they were in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the law that guarantees “federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information.”
Asked to explain how requiring enrollees to enter their biographical enrollment information violates a law that only applies to medical data between medical entities, Blackburn demurred:
COSTELLO: So what specifically were you referring to on the website that violates, that could possibly violate HIPAA?
BLACKBURN: We are concerned about privacy overall. Data security privacy and of course applying and complying with the HIPAA laws, and…
COSTELLO: But what question specifically asks that would concern you about HIPAA, what medical question does it ask?
BLACKBURN: Carol, HIPAA requires you to — it’s the way you structure your website and the way you transit the information, the transfer rights that are there, and when you look at privacy on these websites, what you have to do is keep all of the application information in one server [...]
COSTELLO: I’m trying to understand what kind of information you’re talking about. What kind of information are you talking about? What specifically does the website ask that I might be afraid might be shared with whomever? Specifically. What information?
BLACKBURN: You should be very concerned not only as you navigate the website but as you make a purchase, and then as your information is handled, what we want to make certain is that an individual’s medical information, their financial information is all going to be kept in a private manner. What we do not want is a peeping Tom who is going to look through their PII, their personal identifying information. They want to make certain the federal government has standards and are applying and abiding by the privacy laws that are on the books and by the HIPAA regulations that every hospital and every doctor abide by. So this is a serious investigation, looking at the entire roll-out and launch of this website, how this data is being used.
As Washington & Lee Law Professor Timothy S. Jost explained to ThinkProgress in an email, “HIPAA only applies to health care providers, clearinghouses (and this is a narrowly defined term) health plans, and their business associates.” “Even so, access is available to data without consent for health care operations, which this would be.” Deven McGraw, of the Health Privacy Project at the Center for Democracy & Technology, agreed, adding, “It does not violate HIPAA – it’s not even covered by HIPAA.”