Attorneys General for 13 States Raise Concerns Regarding Exchange Navigators

The Attorneys General of West Virginia, Louisiana, Alabama, Michigan, Florida, Montana, Georgia, Nebraska, Kansas, North Dakota, Oklahoma, Texas and South Carolina joined together to send a letter to HHS Secretary Kathleen Sebelius, raising their concerns with the data privacy risks they see in the health insurance exchange enrollment assistance programs. Health insurance exchanges begin enrollment on October 1, 2013, and HHS has also announced a number of “Navigators” receiving grants from HHS to help consumers choose the option that is best for them. The Attorneys General requested a response from Sebelius by August 28, 2013.


The Attorneys General are concerned that, during enrollment, numerous “navigator,” assister, application counselor, and other consumer outreach programs will be available to help consumers enroll in the plans. Central to this assistance will be the inputting of consumers’ private data into the applications, which will give counselors a vast amount of personal information that could be used to commit identity theft. HHS must not only work to secure consumers’ information but also investigate, remedy, and prosecute data breaches.

Inadequate Training

In a Final Rule issued on July 17, 2013, HHS provided that “extensive” training would be provided to program personnel, but it gave little specific guidance other than a few broad principles related to data protection. According to the letter, the Final Rule does not even require uniform criminal background or fingerprint checks for personnel, nor does it specify any criminal acts that would disqualify personnel. In the Proposed Rule on Program Integrity, issued on June 19, 2013, HHS provided regulations against security breaches, but did not detail what would constitute a “breach” or an “incident.”

Once the grants have been awarded, programs will have only approximately one month to screen, hire, and train all of their new personnel, said the Attorneys General. The grantees will have to guess, from the vague rules provided, what they need to do, and HHS will not be able to direct each program on what it needs to do prior to enrollment. Further, due to time constraints, HHS has already reduced the meager training requirements; the Rule provided for 30 hours of online training, but in a recent interview, an HHS spokesperson said that “an initial ‘10 hours would be sufficient.’”

Other Consumer Protections

The Attorneys General also claim that the proposed consumer safeguards are “woefully substandard” compared to other privacy protections. States have greater protections in place for insurance agents and brokers, who are subject to licensing standards and continuing education requirements and are personally liable for failure to comply with the laws. No such requirements were set forth for navigators, and HHS guidance was also less demanding than federal requirements such as those that apply to federal census workers and Department of the Treasury workers. The Attorneys General also point to the lack of standardized background checks for program personnel, citing those that apply to long-term care facility employees and to providers seeking to participate in federal programs like Medicare, Medicaid and the Children’s Health Insurance Program.

Suggested Improvements

The Attorneys General stressed that it is not enough for HHS to adopt “vague policies against fraud.” They suggested a number of areas where improvement should be made or where questions still remain, including: (1) developing a process for screening personnel; (2) providing guidance to program personnel on consumer data privacy protections; (3) monitoring program personnel; (4) providing notices of data privacy rights to consumers before they seek assistance; (5) determining who holds liability for harm caused to consumers through misuse of personal information; (6) preventing fraud and providing assistance to defrauded consumers; (7) determining penalties and “appropriate action” for fraud and abuse; and (8) determining what role states will have in supplementing federal data privacy requirements. It is on these points that they requested a response from Sebelius.