Right-Wing Media Pushes Misleading Attack On ACA Website Privacy

Right-wing media outlets pushed the false claim that the Healthcare.gov website includes a language stating that consumers they have “no reasonable expectation of privacy,” ignoring the fact that the phrase is part of standard website language and does not change current legal protections for health care information.

Weekly Standard post by Jeryl Bier attacked the health care law's exchange website, claiming a statement in the “terms and conditions” page is “another example of why the website's reputation is in tatters.” Bier's evidenced his claim by explaining, “Buried in the source code of Healthcare.gov” is the phrase “You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system.” The misleading claim was repeated by several right-wing media outlets including Fox Nation who posted the story under the headline “Hidden in ObamaCare Site: Applicants Surrender Right to Privacy” and NewsMax who claimed “Obamacare May Endanger Personal Data Security.”

Fox Nation ACA website privacy

But the right-wing media's fearmongering about privacy concerns is unfounded. The Atlantic Wire pointed out that the phrase is part of standard legal language for similar “Terms and Conditions” pages and is only “hidden” because it was removed by developers, making the phrase not legally enforceable. The article adds that "[t]here are several ways in which" the analysis “is incorrect” (emphasis added):

The first is that Barton says the language is “hidden” -- because it's in the source code. “Source code,” for those who don't know, is the tagged language that tells a browser how to display a website. It's “hidden” only because it's information about the web page, not the content of the page itself. Meaning it doesn't show up on the page, meaning that there's no way it could even be legally enforceable.

Not only that, but the language, as detailed by the conservative Weekly Standard, is itself commented out. Developers will occasionally put marks around lines of code telling the computer, in essence, “ignore this.” (Why? Often developers will leave notes like "// Section two begins here" to make code easier to scan.) In this case, the language was likely commented out because the document, a fairly standard “Terms and Conditions” page, was repurposed form another project. Take standard legal language, comment out the parts you won't use, and done.


Barton is also confusing two types of privacy: the privacy afforded under HIPAA (discussed below) and the privacy that is necessary for online communication. Earlier this year, Google came under fire when it was reported that its attorneys argued that GMail users didn't have a reasonable expectation of privacy. As The Verge pointed out, this is a fairly common legal stipulation that allows online companies to process information submitted online. When you send your emails to Google, you acknowledge that Google has a right to see who sent the message and where it's going, and so on. It would be hard to maintain that information privately and have your email get to its destination! The language commented out in the source code of one page of Healthcare.gov is almost certainly similar in its intent.

While the Weekly Standard post acknowledges that “the unwanted portion of the warning was rendered inert with HTML coding tags” it continued to fearmonger about the language, claiming the “code could be rendered 'live' again by simply removing the tags” and claiming “it is unclear why the paragraph containing 'no reasonable expectation of privacy' would ever have even been considered appropriate in this context.”

This claim resurfaced in a House Energy and Commerce Committee hearing when Rep. Joe Barton (R-TX) asked an official from CGI, one of the companies that built the website, if the language violated the Health Insurance Portability and Accountability Act which guarantees protection for health care information that is identifiable to an individual. But health care experts Timothy Jost and Deven McGraw explained in statements to Think Progress that the website does not violate HIPAA:

As William & Lee Law Professor Timothy S. Jost explained to ThinkProgress in an email, “HIPAA only applies to health care providers, clearinghouses (and this is a narrowly defined term) health plans, and their business associates.” “Even so, access is available to data without consent for health care operations, which this would be.” Deven McGraw, of the Health Privacy Project at the Center for Democracy & Technology, agreed, adding, “It does not violate HIPAA - it's not even covered by HIPAA.”


Jost adds that “even if the rule applies to the information and to the exchange, sharing information with a contractor would be a routine operation, and HIPAA allows disclosure of information without consent for operations. Surely a health plan that contracted with a company to build its software would not be violating HIPAA as long as the computer company also observed HIPAA protections. The exchange is subject to the privacy rule, but the HHS privacy rule permits disclosure to contractors.”