Stand up for facts and support PolitiFact.
Now is your chance to go on the record as supporting trusted, factual information by joining PolitiFact’s Truth Squad. Contributions or gifts to PolitiFact, which is part of the 501(c)(3) nonprofit Poynter Institute, are tax deductible.
I would like to contribute
With a host of technical problems at the healthcare.gov website, critics of President Barack Obama’s health care law have gone on the offensive.
Among the claims we've heard recently, Rep. Joe Barton, R-Texas, said people visiting healthcare.gov are unwittingly waiving their privacy rights.
Barton told Fox News that there's a problem in the source code that seems to contradict HIPAA, the 1996 law that, among other things, protects the privacy of patients’ sensitive data.
"Hidden in the code, there is a sentence that says you waive any reasonable right to privacy of your personal information, the transiting of it or the storage of it," Barton said.
We decided to take a peek under healthcare.gov’s hood to see if Barton, the chairman emeritus of the House Energy and Commerce Committee, was right that people are waiving their privacy rights if they use the site.
The source code
Barton’s spokesman sent us the code he referenced during the hearing. It’s the same code the Washington Post published with their own analysis. This is the website’s HTML markup, which is the main language developers use to write websites.
The line in question reads, "You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system."
There’s a couple of important HTML symbols around that section of the code, on lines 1406 and 1411. The section starts with a <!-- and ends with -->. That means all the content in between is "commented out," a web development term that tells everything enclosed to not display on the user’s screen.
Clay Johnson, the founder of the company that built President Barack Obama’s 2008 online campaign, said it’s a common technique for developers who want to delete something from a site’s appearance without permanently losing it.
The text is also a standard disclaimer for government websites, as an advanced Google search Johnson ran pointed out. It could’ve been easily copied by a developer as placeholder text.
Spokeswoman Linda Odorisio of CGI Federal, one of the main government contractors that built the site and was responsible for that portion of code, told us that line wasn’t meant to be in the code at all. Rather, it was meant for exchange employees who have access to consumer data.
"It informs them that their interaction with data in the system is monitored and tracked to ensure consumer privacy," she said.
Barton pulled up the code at the hearing as a way of backing up his claim that healthcare.gov isn’t compliant with HIPAA regulations on privacy.
Parts of Obama’s law must be compliant with HIPAA, but not the website itself, since HIPAA covers health care providers, health plans and health care clearinghouses.
That doesn’t mean the site doesn’t have privacy regulations in place, as we’ve noted before. The Affordable Care Act outlines processes for ensuring privacy and complying with existing privacy regulations.
As for the "hidden" code, users can’t legally accept a waiver they can’t see, so they can’t possibly be waiving their right to privacy.
In other words, the lines inserted in the code may be embarrassing, but they carry no legal weight.
"It’s bizarre and kind of sad to see that that would even be put in there as a comment note because that doesn’t accurately represent the privacy protections in place," said Christopher Rasmussen, a Health Privacy Project senior policy analyst.
Barton claimed healthcare.gov has "hidden" code indicating that consumers waive their rights to privacy when they apply for insurance. The website’s markup does include a sentence along these lines that isn’t visible to the user. But because it’s not displayed to the public, it carries no legal weight and consumers can’t consent to it. Bottom line, it doesn’t change a thing about the privacy protections in place at healthcare.gov. We rate Barton’s claim False.
The Atlantic Wire, "Congressman Lashes Out in Obamacare Hearing: This is a ‘Monkey Court!’ " Oct. 24, 2013
Email interview with Clay Johnson, federal government open source expert, Oct. 28, 2013
Email interview with Fabien Levy, U.S. Department of Health and Human Services press secretary, Oct. 28, 2013
Email interview with Linda Odorisio, CGI Federal spokeswoman, Oct. 28, 2013
Email interview with Sean Brown, Rep. Joe Barton’s spokesman, Oct. 29, 2013
Fox News, " ‘Monkey Court?’ Rep. Joe Barton Defends Obamacare Hearings," Oct. 25, 2013
Mother Jones, "4 Ways the Healthcare.gov Hearing Was Not About Healthcare.gov," Oct. 24, 2013
PCWorld, "Contractors: More Testing of Healthcare.gov Was Needed," Oct. 24, 2013
Phone interview with Abner Weintraub, The HIPAA Group co-founder, Oct. 29, 2013
Phone interview with Christopher Rasmussen, Health Privacy Project analyst, Oct. 28, 2013
PolitiFact, "The Health Care Marketplaces Have ‘No Privacy Protections,’ Cotton says," Oct. 9, 2013
U.S. Department of Health and Human Services, "What Is a ‘Covered Entity’ Under HIPAA?" accessed Oct. 29, 2013
U.S. Government Printing Office, "The Patient Protection and Affordable Care Act," March 23, 2010
Washington Post, "The Biggest Fight at the Obamacare Hearing Was Over These 47 Lines of Code," Oct. 24, 2013
Read About Our Process
In a world of wild talk and fake news, help us stand up for the facts.