The HIPAA regulations on who has access to patient data are pretty stringent too, and have a fair amount of detail on how information systems are to be configured in order to be HIPAA-compliant. I’d bet a lot of money the ACA sites aren’t even close to being HIPAA compliant (and that’s with much of the actual information-transfer infrastructure not even in place yet).
The insurance industry is largely exempted from HIPAA. It’s very convoluted.