THE ATTORNEY GENERAL OF TEXAS
Ken Paxton

Wednesday, November 6, 2013

El Procurador General de Texas Exhorta a Mejorar las Normas de Protecciˇn y Privacidad para los 'Navegadores' de Obamacare

AUSTIN El Procurador General Greg Abbott envi una carta a la Comisionada de Seguros de Texas Julia Rathgeber exhortando al Departamento de Seguros del estado a promulgar nuevos requisitos de proteccin al consumidor y privacidad para los navegadores de Obamacare. El procurador general propuso nuevas normas estatales para la prevencin de fraude y robo de identidad.

En una carta remitida en agosto a la Secretaria de Salud y Servicios Humanos Kathleen Sebelious, el Procurador General Abbott y 12 otros procuradores generales estatales expresaron inquietudes similares y recomendaron que las normas federales de privacidad que gobiernan a los navegadores sean mejoradas para ayudar a proteger a los consumidores. Los procuradores generales no recibieron respuesta del Departamento de Salud y Servicios Humanos de E.U. y tampoco las normas federales necesarias han sido establecidas.

Navegadores de Obamacare tienen acceso a la informacin ms sensible y personal de los Texanos, dijo el Procurador General Abbott. Inexplicablemente, el gobierno federal no ha promulgado las medidas de proteccin necesarias para proteger debidamente la privacidad de los texanos, por lo cual estoy profundamente preocupado sobre la amenaza de robo de identidad. Dada la aparente indiferencia de la Administracin Obama a la seriedad de estos problemas, agradezco que los funcionarios de Texas estn tomando la iniciativa para la debida proteccin de los texanos".

Las ms recientes inquietudes del Procurador General Abbott con los navegadores de Obamacare y sus recomendaciones para la Comisionada Rathgeber que responden a estas inquietudes son:

ASUNTO: El Manual de Procedimiento para Navegadores no entrena suficientemente a navegadores sobre cmo proteger la informacin confidencial de consumidores contra la revelacin indebida y el fraude
RECOMENDACIN: El Departamento de Seguros de Texas debe considerar establecer requisitos considerables que dicten cmo la informacin confidencial de los consumidores es recolectada, almacenada, transferida y resguardada, y considera publicar un Manual de Operacin de Texas para Navegadores.

ASUNTO: El Manual de Procedimiento no provee un "procedimiento de operacin normal sobre lo que un navegador debe de hacer en caso que la informacin confidencial mdica, financiera u otra informacin personal sea indebidamente revelada.
RECOMENDACIN: El Departamento de Seguros de Texas debe establecer reglamentos que requieran que los navegadores inmediatamente notifiquen al consumidor al igual que a la Procuradura General de Texas cuando la informacin confidencial de una persona haya sido comprometida, robada o revelada ante una fuente no autorizada. Adems, el Departamento debe requerir que los navegadores reciban entrenamiento sobre los pasos que una persona debe seguir para protegerse contra el robo de identidad en caso de que su informacin confidencial haya sido comprometida.

ASUNTO: El manual de procedimiento incluye poca informacin sobre las leyes federales y estatales que son infringidas cuando es revelada o indebidamente utilizada la informacin personal.
RECOMENDACIN: El Departamento de Seguros de Texas debe requerir que los navegadores reciban entrenamiento sobre las leyes federales y estatales que fueron promulgadas para la proteccin de privacidad personal y prevencin del robo de identidad.

ASUNTO: La reglas federales que gobiernan a los navegadores no requieren que los navegadores sean sujetos a una revisin de antecedentes criminales antes de obtener y tener acceso a la informacin personal de los texanos.
RECOMENDACIN: El Departamento de Seguros de Texas debe establecer un reglamento estatal que requiera una revisin de antecedentes criminales y prohba que personas que han recibido condenas penales, o robo o delitos penales relacionados, no puedan servir como navegadores en el Estado de Texas.

Carta del Procurador General:

November 5, 2013

Ms. Julia Rathgeber
Commissioner
Texas Department of Insurance
Post Office Box 149104
Austin, Texas 78714-9104

Dear Commissioner Rathgeber:

I write regarding the Texas Department of Insurance’s implementation of SB 1795 and proposed state regulations of federal health insurance navigators. It is my understanding that your office has discovered potential insufficiencies with federal regulations governing navigators and is therefore exploring the adoption of state rules that increase protections for Texas health insurance consumers.

Last summer, I identified a number of problems with the federal navigator regulations in a letter to Secretary Sebelius. The concerns that Ialong with twelve other state attorneys general identified in our letter still have not been adequately addressed by the Obama Administration, so
I am hopeful that the Texas Department of Insurance will move quickly to establish state regulations that will protect Texans’ medical privacy.

It is my understanding that your office has identified specific insufficiencies with the federal navigator rules that may need to be addressed via state regulations enacted pursuant to SB 1795. Based upon stakeholder meetings and discussions with interested parties, your office has identified the following notable insufficiencies with federal regulations:

- Inadequate attention to federal privacy requirements under HIPAA.
- No criminal background checks for navigators who will have access to Texans’ most sensitive private information.
- The absence of confidentiality requirements to govern how navigators handle consumers’ personal information.

As you know, the above are just three of the insufficiencies that the Texas Department of Insurance has already identified thus far. We understand that your office is now studying how to address these and other problems and will prepare an outline of insufficiencies that the State will endeavor to address with its own regulations in the absence of improved standards promulgated by the federal government. With that in mind, I wanted to offer concerns identified by the Office of the Attorney General so that you can incorporate them into your review process.

First, as you know, navigators will gain access to Texans’ most intimate personal information.
According to the Health Insurance Marketplace Navigator Standard Operating Procedures
Manual (SOP Manual) published by the Centers for Medicare & Medicaid Services, this personal information includes an individuals past, present, or future physical or mental health or condition, tax and financial information, including [i]nformation about consumers’ incomes, personal finances, debts, deductions and exemptions, and private employment and family information and histories. Yet, the 200-page federal SOP manual devotes just a handful of pages to instructing navigators how to protect consumers’ personal information from improper disclosures and fraud.

The Texas Department of Insurance should consider establishing comprehensive requirements that govern how consumers’ personal information is collected, stored, transferred, and secured. Further, the Department should consider publishing a Texas Navigator Operating Manual that incorporates all applicable state and federal privacy requirementsincluding whatever requirements are established by the Department pursuant to its authority under SB 1795.

Second, other than a requirement to report security breaches to the U.S. Department of Health & Human Services and provide Quarterly Progress Reports revealing security breaches, the SOP manual provides no detailed standard operating procedure for what a navigator is required to do in the event an individual’s private medical, financial, or other personal information is inappropriately disclosed. The Texas Department of Insurance should establish regulations thatconsistent with Chapter 521 of the Deceptive Trade Practices Actrequire navigators to immediately notify any consumer whose sensitive personal information has been compromised, stolen, or otherwise released to an unauthorized source. Navigators should also be required to notify TDI and the Attorney General’s Office immediately after an unauthorized disclosure of sensitive personal information.

Further, the Department should require that navigators receive training on the steps that an individual should take to protect themselves from identify theft in the event their sensitive personal information is compromised. For example, by informing navigators about the Identity Theft Victim’s Kit published by this office, navigators will know to immediately provide that critical resource to individuals whose sensitive personal information is compromised. Anytime there is an unauthorized disclosure of personal information, it is critical that the victim take immediate action to protect their identity from theft. The Department could facilitate an immediate response by incorporating forms and checklists into a Texas Navigator Operating Manualand thereby delineate the steps that navigators should follow in the event of an unauthorized disclosure of consumers’ sensitive personal information.

Third, the SOP manual includes little information about federal or state laws that are violated when an individual’s personal information is disclosed or improperly utilized. The Texas Department of Insurance should require that navigators receive training on the myriad of state and federal laws that were enacted to protect personal privacy and prevent identity theft. Such a requirement would help protect both consumersand navigators, who may not be aware that the Texas Identity Theft Enforcement and Protection Act imposes civil penalties of up to $50,000 on any individual or entity who fails to properly and securely protect a consumer’s sensitive personal information. By incorporating the steps that navigators are required to follow into a Texas Navigator Operating Manual, the Department could ensure that navigators have all relevant statutory requirements at their immediate disposal so that consumers are notified on how to prevent identity theft as soon as possible after an unauthorized disclosure.

Fourth, as your office has already recognized, the federal rules do not require that navigators be subjected to criminal background checks before they are allowed to obtain and access Texans sensitive personal information. The Texas Department of Insurance should establish a state regulation that requires criminal background checks and prohibits individuals convicted of feloniesor theft-related criminal offensesfrom serving as navigators in the State of Texas. Further, to promote compliance, the rules should establish a criteria or definition of what constitutes a criminal background check. The requirements contained in Texas Department of Insurance Rule 1.502(e) under Title 28, Part 1, Chapter 1, Subchapter D of the Texas Administrative Code are illustrative of the types of criminal conduct that could be screened and prohibited under the Department’s state navigator rules.

Obviously, the above referenced issues represent just a handful of insufficiencies that pose a serious threat to the privacy of Texas consumers. Given the severity of the risks posed by inadequate federal navigator regulations, I want to make our Consumer Protection Division and its staff available to provide legal advice and counsel to your office as you contemplate what additional rules and regulations are necessary to protect Texas consumers.

Thank you for your attention and swift action on this very important matter. Please do not hesitate to contact me if we can be of assistance throughout this process.

Sincerely,

Greg Abbott
Attorney General of Texas