Friday, November 8, 2013

HHS Wolves Guarding The Privacy and Security Hen House

As a former technology executive of a health and welfare benefits technology company, I am well versed in privacy and security regulations governing the protection of health information.  Those regulations are promulgated by...wait for it...the U.S. Department of Health and Human Services, or HHS.  Yes, the very same department responsible for the failed rollout of the insurance marketplaces of 34 states.  If the totality of the problem was simply the inability of HHS to sell insurance products through their web site, that would be one thing...

Security and privacy rules for "protected health information", or PHI, stem from a law first passed in 1996 called the Health Insurance Portability and Accountability Act (more commonly known as HIPAA).  That law, its associated amendments, the HITECH Act enacted as part of the infamous "shovel ready" American Recovery and Reinvestment Act of 2009 (or ARRA), and their implementing regulations have transformed the information technology, data handling, and personnel management environment for companies (or their departments) that deal in personal health information.  There are stiff penalties and breach notification requirements for compliance failures.  The Office for Civil Rights (OCR) maintains a public breach portal, known as the "wall of shame", listing covered entities that have reported breaches of unsecured PHI affecting 500 or more individuals.

In the businesses where I served, our company would sign "business associate" agreements with our clients.  The purpose of those agreements was to ensure that our company and the sub-contractors we hired would appropriately safeguard the protected health information of our clients' employees.  Those safeguards were stringent and costly.  They ranged from hiring practices (including background checks) to numerous technological investments, to extensive training, and finally to a rigorous audit regimen.

This leads me to numerous questions now that the federal government is so involved in the procurement of health care:

  1. Is HHS subject to the HIPAA law?
  2. Is HHS a business associate of the health plans for which it is collecting personally identifiable information for the provision of health care?
  3. Have contractors that HHS is using to build the technology for the marketplaces signed business associate agreements with HHS?
  4. Has an independent auditor (not the OIG, which is again...part of HHS) established an opinion on the appropriateness of operational controls (via a Service Organization Controls report under the SSAE 16 auditing standard, "Reporting on Controls at a Service Organization", or another established auditing standard) to assure those using the exchange that their information will in fact be safeguarded?
  5. Will HHS disclose their own privacy violations to the OCR, and will those be posted on their own wall of shame?
