No, this is not on HIPAA, but Ben Simo has noted what I think appears to be a legitimate question/concern:
I have read some reports that we need not be overly concerned about Healthcare.gov security because the site doesn’t keep much personal information. While we can’t into the site from outside to see what they do with the personal information they collect, we can view their published privacy policies and the data they return to the browser.
So let’s take a look at a couple of things that concern me…
Use of 3rd Party Web Analytics Tools
The Privacy Policy says:
HealthCare.gov uses a variety of Web measurement software tools. We use them to collect the information listed in the “Types of information collected” section above. The tools collect information automatically and continuously. No personally identifiable information is collected by these tools.
However, the system sends some personal information to 3rd party analytics and advertising companies. For example, the following two images show my username and password reset codes being sent to a couple of 3rd parties:
View the screen shots and read more about what he found on IsThereAProblemHere.com.
Update: This problem was reportedly fixed after the researcher published his concerns, as Kathleen Sebelius just testified to Congress this morning. When I visit the site using Chrome, I see 5 companies tracking (via Abine DoNotTrackMe extension):
- Optimizely
- CrazyEgg
- Doubleclick
- Google Analytics
- ChartBeat
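A site owner can check for the kind of leak described above (a username and password reset code reaching third parties) by exporting a browser HAR capture and searching third-party requests for known test-account values. The script below is an added example, not code from the original post or from HealthCare.gov. The hosts, paths and values are constructed placeholders, and the two routes shown (the Referer header and a page URL copied into an analytics parameter) are assumptions, since the post does not say how the values were transmitted.

```python
from urllib.parse import unquote, urlsplit

# Constructed HAR-style capture: hosts, paths and values are placeholders.
PAGE = "https://www.example-exchange.test/reset?user=jdoe%40example.org&code=RESET-1234"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": PAGE, "headers": []}},
    {"request": {  # page URL copied into an analytics parameter, so encoded twice
        "url": "https://stats.example-tracker.test/collect?dl="
               "https%3A%2F%2Fwww.example-exchange.test%2Freset%3Fuser%3Djdoe%2540example.org",
        "headers": [{"name": "Referer", "value": PAGE}]}},
    {"request": {"url": "https://ads.example-adnet.test/pixel?id=77", "headers": []}},
]}}
SECRETS = {"username": "jdoe@example.org", "reset_code": "RESET-1234"}


def fully_decode(text, rounds=3):
    """Undo nested percent-encoding (a URL embedded inside another URL)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_third_party(host, first_party):
    return not (host == first_party or host.endswith("." + first_party))


def find_leaks(har, first_party, secrets):
    """Return sorted (host, location, label) for each secret sent off-site."""
    findings = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        places = {"url": req["url"], "body": (req.get("postData") or {}).get("text", "")}
        for header in req.get("headers", []):
            if header["name"].lower() in ("referer", "cookie"):
                places[header["name"].lower()] = header["value"]
        for place, raw in places.items():
            text = fully_decode(raw).lower()
            findings.update((host, place, label) for label, value in secrets.items()
                            if value.lower() in text)
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_HAR, "example-exchange.test", SECRETS):
        print(finding)
```

Run it against a capture taken with a dedicated test account, so the values being searched for are known in advance and no real user data is handled.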