Paul Howard and Stephen Parente
We've received several comments about our 12/6/2012 piece in USA Today regarding the National Health Insurance Exchange Hub as prescribed by the Patient Protection and Affordable Care Act (ACA) and we'd like to clarify several issues. Our piece states 'when the constantly updated information is combined in a central data hub, the potential for abuse is staggering.'
Every op-ed goes through editing, and this one certainly did as well, and so we would like to clear up one potential misunderstanding: that there will be a giant database available with 300 million US citizens information available for all who wish to abuse it. This is not what we meant.
In fact, our original version goes into more detail: 'They (data inquiries to the Hub) occur, in discrete steps and with your permission, (similar to when) you apply for a mortgage.' Furthermore, 'to make matters even more complex, the exchange has to access this data in real time (if the government simply kept a file coordinating all of this data on you, it would be an even bigger invasion of privacy).'
It's not clear exactly how the data hub will operate, and that is our expressed concern. Ideally, the hub should function as a switch that routes information but does not retain the person-identifying information it is routing. Major credit card purchases today operate this way: where a retail vendor, at the point of purchase, uses your credit card to link a variety of data about you to make sure you are not a credit risk and then clears you for purchase of your 70" LCD TV for the holidays. This approach minimizes privacy risks and provides good data security.
The federal data hub should operate this way, coupled to either a State or Federal insurance exchange as well as to the Social Security Administration, Treasury Department, Homeland Security and Department of Justice, et al. Operating this would create a fire-and-forget data system that would instantaneously link to an abstract piece of information and then delete it to prevent it from becoming a privacy concern. Major credit bureaus have been providing these services for nearly two decades, and if there ever has been a privacy breech, it is not from a pure data switch.
Having said how you could provide reliable data privacy protection, no one has said how the data hub will actually operate. Greater transparency is needed, and a frank acknowledgement that the ACA's posted deadlines should take second place to reasonable data concerns. This isn't a political point, and isn't meant to impinge anyone's motives inside HHS.
HHS' job is to implement the law. And, much as we may dislike an assortment of the law's underlying provisions (and we have repeatedly expressed longstanding concerns about its impact on insurance markets, the federal budget, etc) HHS staff are doing exactly what they are supposed to do and facing constraints they can't always control. They are doing so in a politically charged environment - and crashing headlong into the constraints of scarce human capital, complex regulatory requirements, and a massive IT project with literally no technical precedent.
We believe that Congress has a legitimate oversight responsibility to ensure that - whatever your feelings about the ACA - the final product is trusted, functional, and secure for all Americans. They should take that responsibility seriously - and the Administration should help them execute that responsibility.