Obamacare Will Collect and Share Americans' Data 'Without the Consent of the Individual'


Insurance Marketplace
U.S. Government

If you were starting to fret that the National Security Agency was the only government body that cared enough to stalk you, fret not! It turns out that the concerned folks slapping together Obamacare exchanges plan to hoover up your personal information in something called a Data Services Hub in order to determine your privileges and exemptions under the new government health care regime. Even better, officials intend to share your data with federal and state agencies, private contractors and consultants, explicitly without asking for your leave to do so.

John Merline of Investors Business Daily reports:

The Health and Human Services Department earlier this year exposed just how vast the government's data collection efforts will be on millions of Americans as a result of ObamaCare.

Sen. Max Baucus, D-Mont., asked HHS to provide "a complete list of agencies that will interact with the Federal Data Services Hub." The Hub is a central feature of ObamaCare, since it will be used by the new insurance exchanges to determine eligibility for benefits, exemptions from the federal mandate, and how much to grant in federal insurance subsidies.

In response, the HHS said the ObamaCare data hub will "interact" with seven other federal agencies: Social Security Administration, the IRS, the Department of Homeland Security, the Veterans Administration, Office of Personnel Management, the Department of Defense and — believe it or not — the Peace Corps. Plus the Hub will plug into state Medicaid databases.

And what sort of data will be "routed through" the Hub? Social Security numbers, income, family size, citizenship and immigration status, incarceration status, and enrollment status in other health plans, according to the HHS.

The Center for Consumer Information & Insurance Oversight at the Centers for Medicare & Medicaid Services provides some reassurances for those concerned by such concentration of personal information.

For all marketplaces, CMS is also building a tool called the Data Services Hub to help with verifying applicant information used to determine eligibility for enrollment in qualified health plans and insurance affordability programs.  The hub will provide one connection to the common federal data sources (including but not limited to SSA, IRS, DHS) needed to verify consumer application information for income, citizenship, immigration status, access to minimum essential coverage, etc.  CMS has completed the technical design, and reference architecture for this work, is establishing a cross-agency security framework as well as the protocols for connectivity, and has begun testing the hub.  The hub will not store consumer information, but will securely transmit data between state and federal systems to verify consumer application information. Protecting the privacy of individuals remains the highest priority of CMS.

No stored consumer information? Privacy is the "highest priority"? Well, that's all right, then. Except … Damn it. Government agencies often say one thing publicly, and quite aother privately. Merline points out that the Centers for Medicare & Medicaid Services portrayed the Data Services Hub in a somewhat different light in an obscure regulatory notice filed on February 6, 2013:

In accordance with the requirements of the Privacy Act of 1974, CMS is establishing a new system of records titled, "Health Insurance Exchanges (HIX) Program," to support the CMS Health Insurance Exchanges Program established under provisions of the Affordable Care Act (PPACA) … The system of records will contain personally identifiable information (PII) about certain individuals who apply or on whose behalf an application is filed for eligibility determinations for enrollment in a qualified health plan (QHP) through an Exchange, and for insurance affordability programs.

So, the database "will contain personally identifiable information" after all. And just how "highest priority" is the privacy of the stored data?

A. Entities Who May Receive Disclosures Under Routine Use

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may release information from the HIX without the consent of the individual to whom such information pertains. …

Among the listed "entities who may receive disclosures under routine use" without your consent are federal agencies, state agencies, agency contractors, consultants, CMS grantees and non-profit entities operating exchanges for states.

Those are just the entities authorized to have access to your information, As we know, employees of government agencies from local police departments to the Internal Revenue Service have a history of misusing databases for fun and profit.

NEXT: Fancy Infused Liqueurs and Pre-Mixed Margaritas in Peril in Tennessee!

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Well sure. Why would they start caring about consent now?

  2. So I guess HIPAA is out the window now huh.

    1. No. It will remain to inconvenience family and friends and as a club to punish companies with health data that are unmutual with white house goals.

      1. Yep. On-the-ground service providers can’t reveal a thing about anyone. My mom is in residential rehab right now, recovering from a broken hip. People disappear from the facility and the staff can reveal nothing. So the person you were watching Jeopardy with in the lounge last night could be on her death bed and you can’t be told about it. She was concerned about one woman who went away, so we called the closest hospital and found out she was in ICU. Took my mom to visit her. On the way back to rehab she asked me if she could get in trouble for telling other residents that she visited her. I said “no” since she’s not an employee. I hope I was right!

        1. No, your mom can’t get in trouble. Worry not. Besides, the NSA already knows your mother was there.

          1. Yes, because Amelia’s mom is not a “covered entity”- just thought I’d throw in the legal jargon.

            1. You know who else isn’t a covered entity?

              1. Shawn Kemp?

                Antonio Cromartie?

    2. lawsuits here we come.

    3. So I guess HIPAA is out the window now huh.

      According to Dumbphy, it never existed for cops anyway. Why shouldn’t the rest of the government leviathan get to use our personal medical records as they see fit?

      1. Here’s the great thing about HIPAA: only the government can file a lawsuit for wrongful disclosure of PHI. No private cause of action exists for victims of the wrongful disclosure. So the FedGov has used HIPAA violations to shakedown hospitals and providers. Thanks BIll Clinton — you’re a true humanitarian!

        1. HIPAA is really about the manner in which “protected health information” is released.

          It most certainly is not some kind of overarching shield against disclosure of PHI.

    4. No; HIPAA was never intended to keep one’s data private from the state.

    5. The secret FISA court overrides HIPPA.

  3. But the government does have a history of protecting PII, and govt systems are virtually un-hackable, right? So I think everyone should feel secure about this.

    Top. Men.

    1. As a government IT guy… I wish that weren’t sarcasm. We’re thin on the ground and maligned by the very people who rely on our work while they deny the diversion of funding from their fiefdoms to keep the agency foundations intact.

      The last place my data is safe is in the very databases I’m charged with overseeing because the people who use it most hamstring my ability to make it safe and reliable.

      1. Wasn’t it the Dept of the Interior, which had its systems so riddled with security flaws and holes, that they just cut off Internet access?

        1. Am I the only one who would rather have government databases be completely incompetently designed and used rather than super-efficiently so? I’d rather deal with fuckups than with them efficiently collecting everything about me.

          1. That sounds nice. But the incompetence doesn’t prevent their misuse. They are very competent at misusing the data even if they can’t do anything else with it.

          2. Except that ID thieves may get some most excellent PII to fuck you with. Because the government has this idea that there are no limits on its ability to collect data. And to abuse it, but that’s another matter altogether.

            1. Well, ID Thieves don’t need this database to get that information. It’s already pretty much available. That doesn’t mean I’m thrilled that yet another database is getting created because that just compounds the problem.

              Most people have no idea how many times their PII has been breached already. I could show you servers in the Middle East and other black market sites that would blow your mind.

              1. I think the government is more likely to have that information all wrapped up neatly for cross-referencing.

              2. Well, its mainly available because the government requires its collection by various agencies and private entities and then has no particular incentive to secure it as the government has no accountability for screw-ups.

            2. That’s going to be the case no matter what. I’d rather that the government be incompetent and evil instead of competent and evil.

              1. Incompetent, weak, and evil. And nearsighted, like Mr. Magoo.

                1. And thinking it is bad-assed (when it really is not) like Commander McBragg.

          3. Yeah, until the ATF “misplaces” your machinegun registration document and your copy can’t be verified against the official database.

        2. The VA had a security breach in 2006 that was over 25 million people. Sure, I trust them.

          1. They promised they’ll never lose another laptop with the patient database on it.

            WTF? Who the fuck carries a full database WITH THEM?

            1. A database full of blues.

            2. People whose IT staff can’t write a usable, secure web app to save their lives?

              1. People called Romanes, they go, the house?

              2. People whose IT staff can’t write a usable, secure web app to save their lives?


                1. Although in fairness, a lot of what gets bandied about in the media is largely inaccurate.

                  “The AP got HACKED!!!” when in reality they got dumbassed.

                  This ‘database’ may have been a report that was pushed out from the database, but the media referred to it as a ‘database’. It could just have easily been a big assed Excel spreadsheet of data elements.

                  However, data loss is data loss.

                  1. Oh, I realize not to put any faith in what some moron reporter says, especially about computers (CRASH OVERRIDE! ACID BURN! CEREAL KILLER!), but I have seen incompetence from government IT staff that would stun you.

                    1. I’m tough to stun these days. I’m currently involved in a DNS forwarding issue with a huge enterprise, and their top people have no idea how DNS works. Private sector. There’s no excuse.

                    2. Yeah, I’ve seen incredible incompetence in the private sector too, and sometimes I just cannot understand how these people still have jobs. Then I realize that their bosses are probably even more incompetent than them and know even less.

                  2. “The AP got HACKED!!!” when in reality they got dumbassed.

                    Yeah, this is what I think of every time I see that some site got “hacked” via a DDOS attack. No, they didn’t get hacked, they got vandalized. Someone tore down the digital billboard that is their website.

                    It’s the media, though. juvenile acts of vandalism aren’t scary enough.

              3. Based on my experience, government IT security usually reasons like this:

                1. No web apps. They’ll get hacked!

                2. Put all the data in a warehouse. Then make sure that warehouse runs super slow. Users should just deal with it.

                3. Close warehouse at night and on weekends. BECAUSE SECURITY!

                Those three things are a recipe for frustrating the 2 or 3 people in each government agency who actually want to do any work, so eventually 1 of those 2 or 3 people says to themselves, “Well, if I download the main tables to my laptop, my queries will run faster AND I can do work at night and on weekends!” Then they lose their laptop.

                If IT departments don’t want users to do stupid things like download vast amounts of data to their laptop, they should fix it so you can do decent data analysis over the network. Or they should shut their yaps.

                1. The last time I looked (back when I was working there P/T), the VISTA system databases were running on PICK with a Windows wrapper, so I wouldn’t be surprised that someone working on it had the real deal on his laptop. FWIW, I’m a disabled veteran as well, so I was in the databases when the laptop was lost.

                  Not this any of that really matters. The VA sent me a Privacy brochure and I actually read the damn thing. I should have kept myself ignorant. Every federal agency, state agency, county and city agency, even though you’ve never interacted with that [whatever] agency has complete access to your VA medical records. That (especially) includes your pysch records. Now how’s that for scary. If you’re a Veteran, well golly gee, you are already in personal health information exchange with access to All.

                  I should drop some expletives here but I’ll spare ya.

      2. I need approval from a committee of government idiots with no understanding of relational databases before I can alter table structures. It’s maddening.

        1. People like you will be dealt with when your betters have control of your healthcare information and can use it to control your access, young man……

      3. and not to mention the “Snowden factor”:

        All it takes is a USB drive and you could download most/all? the data. Hello, identity theft. Hello, blackmail.

        1. 2.5 TB Thumb Drives? Where?

          1. ok, parts of… or filtered down slices.

          2. There’s a 1TB out now.

          3. 1tb removable drive in my hand right now. Costco, $79.95. Shop smart, shop S-Mart.

            Once you compress it? Text data (if that’s your format output) will compress way…wwwayyy down.

            1. Say, who verifies that the information the government says it has on you actually is true? What’s to stop them from just making it up, then clouding the source by invoking “NATIONAL SECURITY?”

              1. For yuks, I sometimes look myself up on those sites like “Spokeo”.

                I’m always more fascinated by what they have on my that’s not correct, than what ‘s correct.

                I mean, yeah, they know I own a home valued between X & Y. Yeah, that’s public info on the King County Parcel Search website.

                But the wrong stuff? Always gives me a chuckle.

                1. Heh, I just checked that out and I don’t exist. I’m outside the system biotches!

              2. No one? Who verifies the No-Fly list? Who verifies E-Verify?

            2. “This is my BOOM stick!”

            3. 1tb removable drive in my hand right now. Costco, $79.95.

              How far tech has come.

              1. For a factory refurbished drive, no less.

      4. Wait, how did you slip through? I thought the FedGov expressly shopped for IT folks without working security knowledge?

        1. State Gov. Same bureaucracy, less pay.


            Now my stomach hurts….

      5. I guess I’ll thell the story again about how a co-worker at the FL Dept of Corrections tried to tell everyone for six weeks that we had a SQL injection problem before emailing the CIO his SSN to his home email, and explaining how my coworker got all of this information from a public-facing website. We’re fucked.

        1. Did he get fired and prosecuted for acts of espionage? He didn’t have to move to Russia or Equador to avoid the man, did he?

          1. No. The CIO made very sure that no shit was to roll down on my co-worker. Eventually, being worth a shit drove us both to seek other employment.

            1. So, in other words, the CIO was one of those rare breeds, a semi-thoughtful bureaucrat.

  4. My doctor’s office keeps pushing this electronic management system on me. I can make appts and get scrip refills through email, etc.

    While all that is appealing to me, I just don’t trust it enough to not be part and parcel of Obamacare.

  5. Let’s say that you are honest with your physician about the use of certain politically incorrect chemicals. Does this mean that information about that illegal activity will be fair game for any government agency that might be interested?

    1. anxiety? take away the guns
      depression? take away the guns
      end of life? take away the guns

    2. That you have to ask..

      Oh wait, you were being facetious…


    3. I’m not sure how anyone feels comfortable being honest with a physician, considering.

      1. How can you be honest when doing so could result in the loss of your guns, children, and freedom?

      2. Well if you are not doing anything illegal you have nothing to worry about you subvertive succubus you!

        That was sarcasm in case it wasn’t blatant enough.

        And my doc prescribed me Viagra, based on the premise that since I am going to be 50 in a few months I have to have a need the stuff, without telling me. I found out about it when the free samples started showing up. I am going to get sued for breaking some poor women now…

    4. Yeah, I REALLY like our doc and trust him….but I totally do not talk about guns or recreational pharma in his presence. At least he can claim Plausible Deniability, cause I don’t tell him shit except my physical condition (mental is ALWAYS fine….of course).

      Bad enough the govt can get at all kinds of medical information already – first rule of both Gun Club and Recreational Pharma Club is…well, don’t mix those two club’s business. But the SECOND rule is….

    5. Let’s say that you are honest with your physician about the use of certain politically incorrect chemicals.

      No one here is THAT fucking stupid!

    6. Sorry if I’m posting this in the wrong spot, but if you answer “yes” when questioned at the doctor’s office about illegal drug use, it’s documented in the medical record, and that’s translated to a diagnosis code (in this case, 305.90). Like SIV said, hopefully people would know better than to answer “yes” but the thing is, a lot of people answer honestly. But it isn’t just the drug questions that are the problem. If you mention feeling sad or discouraged, or that you’re having trouble sleeping, you have “depressive disorder” which is coded as 311. It’s in the doctor’s best interest to make sure all this information is documented, because basically the more issues he discusses with you means more diagnoses on the insurance claim form, and the more money he can expect in reimbursement. What really worries me is that Section 4101 of Obamacare provides for school-based health centers which will offer, among other things, mental health and substance use disorder assessments along with physical health assessments.

  6. I hope future-President Santorum (or similar) shares abortion and miscarriage data with right-to-life pregnancy counseling groups.

    Will medical marijuana prescription data be shared with interested parties too? Only seems fair if the law stands.

  7. Even worse, there will come a time, sooner than later, if it isn’t already here, where they will use this information to identify their political enemies and then apply pressure to control behavior and/or access to care. They wanted this passed before people knew what was in it because they see this as a powerful political tool to ensure their grip on power. The nanny state will lord it over any and all that don’t line up to suck their daily dose of state cock.

    1. Come now Alex. It will was just a couple of rogue employees in the Cincinnati exchange who held up approval for that cancer treatment for that Tea Party spokesman. And some liberals had their care held up too, really we just can’t tell you who they were because of privacy concerns.

      1. That story sure has changed huh? From rogue employees to not so rogue employees. Then from a coordinated campaign to a not coordinated by the top men campaing. Now it is on its fifth itteration and the new story is they targeted everybody for special review even if it is obvious to us that one group got special treatment to speed up their requests while the other was cock blocked.

        And that’s not going to be the end of this ever mutating story and the lame attempts to explain away clear abuse of power for political gain.

        Nixon got jibbed man.

        1. It was all about Cincinnati. Pay no attention to the Washington based SES and career Dem hack who just took the 5th before Congress. It amazes me, their own people are taking the 5th yet the hacks still claim there was no wrong doing.

          1. John! Look over there! Benghazi! Wait, no – frackin! Wait – look – NSA…woooo scary! Kim Kardashian had a baby! British Royalty in the oven! Who’s The Voice this year?!

            1. Global warming and war on coal! That’s the new distraction du jour it looks like.

              1. KITTEHS!

        2. BUT NEW NEWS THEY ALSOI TARGETED “ISRAEL”, “OCCUPY” and….something else “liberalish”. SO IT’S OK!

          /media govt derptards

          1. “Israel” most likely to be evangelical Christian groups, amusingly.

  8. See, but the government your information, not you. So it’s perfectly acceptable for the feds to use their information any way they like… or something.

  9. So is it safe yet to surmise that America is in the process of transitioning from late republic to early imperial period yet?

    1. No. Early imperial Rome was still a fearsome and feared state. We are in the process of transforming from colonial Britain to labor Britain.

      1. Hold on there, hoss. We still have a huge military, and, like Republican Rome, we’re still trusted (yes, trusted, else other powers would have larger armies) to bring our power to bear to protect weaker states. That, coupled with our economic woes and increasingly unlimited government. . .well, trouble may lie ahead.

        1. Oh, I can see Rome CLEARLY from here. It’s all over but the crying for the USofA. Just a question of “how long before the maelstrom”.

          1. The triggering event will be an invasion where we actually occupy and rule a country on a permanent basis. With plunder.

            1. First dibs on the Canadian bacon!

              1. I like turtles

          2. I’ll be goddammed if I’m gonna let some ragtag group of Canadians march across NY and PA even if they will sack and loot DC.

            1. How about NY and NJ? They can sack NYC on the way.

              1. Its Canadians, dude. Unless they’ll take Toledo and Detroit, I’m not open to suggestion.

            2. Let ’em waltz through Philly.

            3. We will if they promise to just take out D.C., then go away.

        2. Why can’t it be both?

          Imperial Labour Briton?

    2. Is there some sort of reason why we have to emulate the Roman empire?

  10. Huh. I just built out an ACO cohort management system for a client and they were sure that CMS was going to require them to allow opt-out of data sharing. We spent hours and hours talking about it. I guess this will simplify their processes.

  11. And the Dept. of Homeland Security needs my health data because…? My therapist will soon be required to report if I express anti-government sentiments, I suppose.

    1. Terroristic tendencies are genetic, last I heard.

    2. Although, more likely it is to find out if you’ve been taking too many prescription narcotics, you evil bastard.

  12. …in order to determine your privileges and exemptions under the new government health care regime. Even better, officials intend to share your data with federal and state agencies, private contractors and consultants, explicitly without asking for your leave to do so.

    I AM A MAN

    1. They’re doing it wrong: A man, a plan, a canal: Panama.

      1. Actually you’ve got it wrong too. It’s “A man, a plan, a canal: St. Lawrence Seaway.”

        It’s also, “Able was I ere I saw St. Helena.”

  13. My God, this is the most Byzantine law I’ve ever seen. You can predict its failure on that aspect alone.

  14. Check this out:


    A database of all insurance records company – massive last year.

    Their Wiki entry is intact yet the links are dead – the company URL has disappeared without forwarding.

    1. Great. Now we’ve got Tommy Lee Jones and Will Smith in charge of our medical records.

      1. I’d have no problem with that. People, in charge, the right ones are.

  15. Couldn’t they just get all that information from the NSA? They already know everything anyway. Or better yet, just merge all Federal government departments and agencies into the NSA. For efficiency’s sake. /sarc

  16. O’RLY?!?!?!?!?!?!!?

    Never saw that coming.

  17. “Consent” doesn’t seem to mean anything to this administration.

    1. You’re so wrong. Consent means this to the administration: “Archaic. to agree in sentiment, opinion, etc.; be in harmony.” See, the government is us, and we’re the government, and all is as one. Everything is in harmonious balance with the government’s will, which is just a physical manifestation of the volont? g?n?rale.

  18. If we really want to make the left’s heads explode, someone ought to challenge the constitutionality of Obamacare on the grounds that it violates the privacy provisions of Roe v. Wade.

    1. If I can’t be forced to carry a baby to full term against my will, why should I be forced to subsidize other people’s medical care through my insurance premiums?

      1. No, I mean Roe v. Wade was premised on the idea not that there was a right to abortion per se, but that the sort of government monitoring necessary to restrict it would interfere in the right of women to have private conversations with their doctor. It seems to me that requiring doctors to turn over all medical records to the government would be exactly the sort of intrusion Roe v. Wade was supposedly so concerned about.

  19. In the Washington Post yesterday there was a quote from Senator Wyden that the NSA could also access medical records.

    Given the fact that the medical database is going to be connected to a central hub, I don’t think there should be a shred of doubt that the NSA will have the ability to snoop on your medical records. Of course, there will be some prefunctory court order from the secret FISA court, but you won’t know about it, and you won’t know when or if that power has been abused.

    1. “Of course, there will be some prefunctory court order from the secret FISA court,”

      So you’re saying it’ll be transparent?

  20. If I opt out of Social Security, can they have their fucking number back? Hell if I want it…

  21. “The hub will not store consumer information, but will securely transmit data between state and federal systems to verify consumer application information. Protecting the privacy of individuals remains the highest priority of CMS.”

    so, that says this nefarious “hub” is nothing more than a secure store-and-forward of database data from anywhere it IS kept to anyone who wants to access it, eh?

    I’ve been weasel-worded to before with dumber text than that, thank y’all very much.

    Now say something that resembles making any sense.

Please to post comments

Comments are closed.