Additionally, it doesn't appear that HHS has definitively said it is not covered by HIPAA. The article Ksevio linked to is specific to covered entity liability under HIPAA. It mentions nothing about the potential for healthcare.gov to be a business associate (presumably of the various insurance companies it works with).
There are a couple of ways to be classified as a business associate, the pertinent way in this case being the creation, reception, maintenance, or transmission of PHI on behalf of a covered entity for "a regulated function or activity."
Healthcare.gov is clearly creating and transmitting PHI to insurance companies (which are covered entities). However, HHS has not clarified whether it considers health insurance portals to be performing a regulated "function or activity" for insurance companies.