Unlike the leviathan Affordable Care Act that it modifies, the Health Exchange Security and Transparency Act is but one sentence long.
Its purpose is refreshingly narrow: to codify the practice of notifying individuals if their personal and sensitive information has been “stolen or unlawfully accessed” as a result of a security breach in the federal healthcare exchange.
The legislation, passed by the House on Friday, would give the Department of Health and Human Services, upon discovery of any such breach, 48 hours to alert those users who are affected.
The White House has argued that such notification is already part of HHS policy and that the measure is an attempt to scare off potential website users, hampering enrollment.
But the government has had a lot of trouble adhering to its own policies and deadlines related to the healthcare law.
If the measure becomes law, it still may prove difficult for the administration to meet the 48-hour notification requirement, given the history of botched ACA deadlines.
But this modification adds a layer of accountability that is much needed.
Congressional hearings in November put a spotlight on significant concerns raised by lawmakers and constituents in the aftermath of the ACA’s disastrous website rollout.
Witness Morgan Wright, CEO of Crowd Sourced Investigations LLC, referring to the lengthy timeline set forth by HHS officials to fix gaps in the site’s security, lambasted the government for its “lack of understanding for the consequences to consumers and the protection” of their personal information.
In a newsletter to constituents, Rep. Kay Granger, R-Fort Worth, called the bill “one helpful step toward ensuring people do not fall victim to this type of financially destructive crime.”
Granger voted in favor of the proposal.
In addition to providing accountability for privacy, perhaps the most significant aspect of this legislation is that it represents the most bi-partisan effort to date to modify the health care law.
Sixty-seven Democrats crossed over to support an otherwise Republican measure.
The legislation does not “fix” the security holes in the website.
And it is too soon to tell how wide those chasms are and how many Americans get caught in them.
In the meantime, this is a sensible step for improving protections and in building consensus among lawmakers to fix a law that will require support from both sides of the aisle.