Skip to Content

Privacy & Data

Covered California’s Misguided Privacy Policy

Earlier this month, Covered California – the state’s affordable health care insurance marketplace – launched an initiative to boost enrollment by inviting individuals who had started an application on the website, but did not finish it, to complete their application. However, the manner in which Covered California is doing this – through sharing the names, addresses and emails of potential applicants with insurance agents and brokers, and having the agents invite the applicant to return to complete their application – has alarmed insurance agents as well as the potential applicants.

The concern is understandable, since nowhere in its Notice of Privacy Practices did Covered California state that visitors to its website should expect to be contacted by anybody other than a direct representative of Covered California. The fact that the policy makes no mention of this type of information sharing is a major failing on Covered California’s part and also contravenes federal regulations on openness and transparency in health insurance marketplace privacy and security standards.

The lack of any mention of information sharing with third parties is not the only concern with Covered California’s privacy notice. There are numerous provisions in the policy that allow for sharing of information for purposes that are entirely unrelated to the mandate of Covered California (such as research, treatment, worker’s compensation, and so-called “national security and intelligence activities”). In fact, the list of possible uses suggests that Covered California incorrectly sees itself as a HIPAA covered entity, such as a health care provider or an insurer, instead of the Affordable Care Act (ACA) covered entity that they are.

The fact that Covered California is not a HIPAA covered entity has major implications for what types of information can be shared with third parties. The core of the ACA’s privacy protections is that the information collected from an applicant may only be shared for purposes related to, “… authenticat[ing] identity, determin[ing] eligibility and determin[ing] the amount of the credit or reduction.” Yet, hardly any of the reasons stated in the privacy notice relate to these purposes.

In reality, a privacy policy that is over 1,000 words long and that permits uses of data that are both irrelevant and contradictory to the ACA only serves to confuse consumers and damage their trust in the website. A privacy policy that clearly reflects the strict privacy protections of the ACA is what Covered California needs and more importantly what applicants deserve.

Given that the ACA already sets limits on how exchanges may use consumer data, Covered California’s privacy notice could easily be condensed to one sentence that says, “Information collected on this website will be used to authenticate your identity, determine your eligibility for coverage and determine the amount of a premium tax credit or cost sharing reduction (if any) to which your entitled.”

An entity like Covered California that is created by the ACA is governed by the ACA, and as such, their privacy policy should reflect this.

Related Reading

Samir Jain Testimony for House Committee. White document on black background.

CDT VP of Policy Samir Jain Testimony Before U.S. House Energy & Commerce Committee on “Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights”
The CDT logo. A light and dark grey "cdt" alongside "Center for Democracy & Technology" on a white background.

Deprecating third-party cookies: a small step towards a more private web
CDT brief, entitled "Unintended Consequences: Consumer Privacy Legislation and Schools." White and blue document on a grey background

Brief – Unintended Consequences: Consumer Privacy Legislation and Schools