H.R. 3811: Health Exchange Security and Transparency Act of 2014

H.R. 3811

Health Exchange Security and Transparency Act of 2014

Sponsor
Rep. Joe Pitts

Date
January 10, 2014 (113th Congress, 2nd Session)

Staff Contact
Kimberly Betz

Floor Situation

On Friday, January 10, 2014, the House will consider H.R. 3811, the Health Exchange Security and Transparency Act of 2014, under a rule.  H.R. 3811 was introduced on January 7, 2014 by Representative Joe Pitts (R-PA), Chairman, Energy and Commerce Subcommittee on Health, and has 74 cosponsors. 

Bill Summary

H.R. 3811 requires the Department of Health and Human Services to notify individuals, within two business days, of a breach of any security system maintained by a federal or state exchange that is known to have resulted in personally identifiable information being stolen or unlawfully accessed.

Background

Well before the October 1, 2013 launch date, red flags were raised regarding the vulnerability of HealthCare.gov, including security vulnerabilities.  In fact, on August 2, 2013, the Inspector General of the Department of Health and Human Services reported “several critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges.” [1]

Since October 1 and the website’s failed launch, even greater concern has been expressed regarding the website’s vulnerabilities, including the security of personal and medical information.  In fact, in an interview late last year, Experian Vice President, Michael Bruemmer, is quoted as saying he expects a significant increase in the number of health care breaches in 2014.[2]  Specifically, Bruemmer is quoted as saying “[the website infrastructure] was put together too quickly and haphazardly.”[3] Thus, “we have volume issues, security issues, multiple data handling points – all generally not good things for protecting protected health information and personal identity information.”[4]

Over the last several months, the House has held four separate hearings on the issue of data security, including:

“Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov?”  Hearing 11/13, Homeland Security.
http://homeland.house.gov/hearing/hearing-cyber-side-effects-how-secure-personal-information-entered-flawed-healthcaregov

“Is My Data on Healthcare.gov Secure?” Hearing 11/19, Science.;
http://science.house.gov/hearing/full-committee-hearing-my-data-healthcaregov-secure

“Security of Healthcare.gov.” Hearing 11/19, Energy and Commerce (Health).
http://energycommerce.house.gov/hearing/security-healthcaregov

 Oversight and Government Reform Release 12/20:  CMS Officials Launched HealthCare.gov Against Warning of Agency’s Top Cybersecurity Official
http://oversight.house.gov/release/cms-officials-launched-healthcare-gov-warning-agencys-top-cybersecurity-official/

Cost

A CBO review of H.R. 3811 states the bill is estimated to have no impact on direct spending.

Additional Information

For questions or further information contact the GOP Conference at 5-5107.