House of Representatives Passes Health Exchange Security and Transparency Act of 2014: HR 3811 Would Require HHS to Notify Affected Individuals of a Breach of a Health Insurance Exchange Within 2 Days of Discovery

On Friday, January 10, 2014, the House of Representatives passed H.R. 3811, the “Health Exchange Security and Transparency Act of 2014,” by a vote of 291 to 122. The bill was introduced on January 7, 2014 by Representative Joe Pitts (R-PA), and has a total of 75 cosponsors. Under the bill, the Secretary of Health and Human Services would be required to provide notice to each individual “[n]ot later than two business days after the breach of security of any system maintained by an Exchange established under section 1311 or 1321 of [the Affordable Care Act] which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed.” By contrast, the HITECH Act requires HIPAA covered entities to provide breach notifications to individuals, to HHS (if the breach involves the PHI of 500 or more individuals), and/or to the media (if required) “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved.” The bill would require HHS to notify individuals not only with respect to breaches of security of a federally facilitated health insurance exchange – a health insurance exchange established and operated by HHS that is accessed through www.healthcare.gov – but also with respect to breaches of security of any health insurance exchange established and operated by a State under the Affordable Care Act.

Among others, Majority Leader Eric Cantor, Chairman Fred Upton (Energy and Commerce Committee), and Chairman Joe Pitts (Energy and Commerce Health Subcommittee) made or issued statements in support of the bill. Ranking Members Henry Waxman (Energy and Commerce Committee) and Elijah Cummings (Committee on Oversight and Government Reform) issued a January 9, 2014 Memorandum to Democratic Members and staff in which they noted, among other things, that the healthcare.gov website has not suffered any breaches of security to date and that HHS already has protocols for informing affected individuals in the event of a breach of security, essentially arguing against the bill as unnecessary. The Office of Management and Budget similarly issued a January 9, 2014 Statement of Administration Policy in opposition to H.R. 3811, but did not state that the bill would be vetoed if passed by the Senate and presented to the President.

A companion bill, S. 1902, which is identical to H.R. 3811, was introduced in the Senate on January 9, 2014 by Senator John Barrasso (R-WY), but the Senate is not expected to take up the Senate or House bill given the opposition of the White House and Senate Democrats.

Written by Paula Stannard, Counsel, Privacy & Data Security, HIPAA Privacy & Security, Alston & Bird LLP