The setup of government-mandated privacy protections, needed to safeguard the personal data enrollees of the Affordable Care Act’s insurance exchanges must provide to purchase insurance and to prevent fraud, is months behind schedule, according to the Department of Health and Human Services’ Office of the Inspector General for Audit Services.
“Several critical tasks remain to be completed in a short period of time,” noted Deputy Inspector General Gloria Jarmon in an August report on the status of the implementation of the exchanges. “If there are additional delays in completing the security authorization,” the chief information officer at the Centers for Medicare and Medicaid Services may not have the required “security controls needed for the security authorization decision” to open the exchanges in October.
One of the primary reform aims of the Affordable Care Act is to ensure every American is insured, and the primary vehicles of that goal are the state-run and federally facilitated exchanges. To keep the insurance plans offered on the exchanges affordable, Americans whose employers do not offer insurance and who make less than 40 percent of the federal poverty line — around $45,960 for an individual and $92,000 for a household of four — will be given a federal tax credit to subsidize the cost.
But to determine whether an applicant is eligible for the subsidy or whether they can buy medical coverage on the exchanges, the databases of seven U.S. agencies, including the Internal Revenue Service and the Department of Homeland Security, must be linked. Since the Congressional Budget Office has calculated that 7 million people will enroll via the exchanges next year, and all data — from identity to citizenship to income to family size — must be verified, a massive amount of data will be circulating through the system.
Unsurprisingly, the Health and Human Services report focused on this system.
The $267 million computer system, nicknamed “the Hub,” will give marketplaces the means to see which applicants qualify for what programs and is a crucial piece of the Obamacare framework. Because such a massive amount of important personal data will be used by the insurance exchanges, security is a big concern. As Jarmon’s report detailed, “effective security controls are necessary to protect the confidentiality, integrity, and availability of a system and its information.”
The Privacy Act of 1974 mandates that each agency of the federal government utilize administrative and physical security systems to prevent the unauthorized release of personal records. In addition, the Federal Information Security Management Act of 2002 requires the executive branch to ensure that Americans’ private records are protected from misuse and security breaches. In the case of the Obamacare hub, any serious security breach could result in identity theft.
According to Jarmon, the Centers for Medicare and Medicaid Services has delayed key deadlines by about two months. In March, CMS estimated that it would take 51 days — from July 15 to September 4 — to review the final Security Control Assessment report and make the final security authorization decision, steps that must be completed for the exchanges to open. Now, CMS is planning to squeeze that process into just 10 days.
“They’ve removed their margin for error,” Deven McGraw, director of the health privacy project at the nonprofit Center for Democracy & Technology, told Reuters. “There is huge pressure to get [the exchanges] up and running on time, but if there is a security incident they are done. It would be a complete disaster from a PR viewpoint.”
Congress has been weighed down by timetable concerns as well. On July 17, several officials — including Marilyn Tavenner, the administrator of CMS, and Henry Chao, the deputy chief information officer of CMS — testified before the House of Representatives. Both Tavenner and Chao reassured representatives on the Subcommittee on Energy Policy, Health Care, and Entitlements that the privacy and security measures would be ready for the October 1 exchange deadline. In fact, they said the measures were scheduled to be finished and tested by September 1, a month before the exchanges open for enrollment.
In June, Republican Rep. Diane Black of Tennessee, a registered nurse of 40 years, wrote in a U.S. News & World Report opinion piece that even the most basic questions about the data hub have not been answered. “With so much personal information going in and out of the Hub likely privy to both government employees and contractors, many of whom will have discretion over health care coverage and tax penalties, the potential for abuses is staggering,” she said.
To Michael Astrue, the former Health and Human Services general counsel who recently stepped down as commissioner of the Social Security Administration, the reason for the delay is clear. “A functional and legally compliant federal exchange almost certainly will not be ready on October 1,” he wrote in a piece for the Weekly Standard. “The reasons for failure are not short timelines (Congress gave HHS more than three years), political interference (Congress has not focused on ACA systems), or complexity (states have built well-designed exchanges). The reason is plain old incompetence and arrogance.”
Follow Meghan on Twitter @MFoley_WSCS