Report Raises Questions About Security Of Data Americans Will Share With HHS Exchange Portal
A report released today by the Department of Health & Human Services (HHS) Office of Inspector General (OIG) raises serious questions about whether Americans should accept the opportunity made available by HHS for the first time today to establish a personal account and begin entering their data into HHS data banks in preparation to apply for health care coverage through health insurance exchanges to be created under the Patient Protection & Affordable Care Act when enrollment begins on October 1, 2013. In light of the OIG findings, Americans concerned about protecting their personal information may want to hold off entering information on the Healthcare.gov website and to share their concerns with HHS and Congress.
HHS Invites Americans To Enter Their Personal Information At Healthcare.Gov Beginning Today
Health insurance exchanges are State-based competitive marketplaces where individuals and small businesses will be able to purchase private health insurance.
Today, HHS began encouraging Americans to the HHS website “healthcare.gov” to open a personal account, the first step to buying coverage through one of the health insurance exchanges that HHS is creating under the Patient Protection & Affordable Care Act reforms. See Consumers Can Take First Step To Enrolling In New Insurance Options Today. HHS began encouraging Americans to prepare for enrollment today by setting up their personal account on the HHS Website. A HHS Twitter Tweet earlier today proclaimed, “Today you can be 1 step closer to getting health ins. by creating your Marketplace account:.” The website today invites Americans to “[a]nswer a few questions to get some personalized info here.”
While many are likely to view the information that HHS asks individuals to share when they create their personal accounts as relatively harmless, it merits noting that the creation of the login and password that will be used to control access to the personal account of registrants is one of those key elements. The text of an e-mail broadcast by HHS restated this invite by stating: “Starting today you can be one step closer to getting health insurance by creating your Marketplace account. Setting up your account is the first step in the process to get you ready for October 1. Follow these quick, easy steps and you’ll be on your way: Provide basic information like your name, address, and email address; Choose your user name and password; Create security questions to add an extra layer of protecting your information. When open enrollment begins October 1, you’ll be set up to apply for health coverage, compare plans side-by-side, and enroll in a plan. Create your account today! And after you’ve set up your account, make sure to tell your family and friends to set up theirs too. Coverage starts as soon as January 1, 2014.”
OIG Report Questions Security Of Data Shared With HHS
On the same day as HHS invited Americans to begin entering their personal data on the Healthcare.gov website, the HHS OIG released a report titled Observations Noted During The OIG Review Of CMS’s Implementation Of The Health Insurance Exchange—Data Services Hub (Report) that raises serious questions about the security of the sensitive personal data that Americans accepting the HHS invitation to explore health care coverage offered through health insurance exchanges will share with HHS as part of the process.
Data shared by Americans as part of the process of exploring and enrolling in coverage through the health insurance exchanges will be collected and shared through a data security Hub that will host and transmit that data. The OIG Report raises clear concerns about the existing security arrangements that CMS has implemented to protect that data, as well as questions about whether CMS will complete the necessary arrangements to secure and protect that sensitive data before enrollment begins October 1.
The findings reported by OIG in the Report raise significant questions about whether Americans should accept the HHS invitation to begin sharing their data with HHS now, as well as provide another basis for Congressional and public concern about whether CMS’ system for enrolling Americans in and administering the exchanges will be ready for prime time in October..
The findings contained in the Report are disquieting. The Report details the results OIG’s review of the efforts of CMS to implement and test the security of the Hub. While acknowledging that CMS stated that it is confident that the Hub will be operationally secure before October 1, 2013, the Report makes clear that OIG found reason for concern about the Hub security.
The Report reflects that critical tasks required to implement and test necessary security controls remain unfinished, stating: “[S]everal critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges. CMS’s current schedule is to complete all of its tasks by October 1, 2013, in time for the expected initial open enrollment period.”
While acknowledging that CMS has indicated that it is committed to complete and implement the necessary security arrangements before enrollment begins on October 1, 2013, the OIG Report also notes that CMS already has missed several critical target dates in its efforts to implement the required security measures. The Report additionally states: “CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date of October 1, 2013. If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub.” (emphasis added).
The security concerns highlighted in the Report should raise questions about the adequacy of the security of information that an individual might enter on the Healthcare.gov portal in response to the invitation that HHS began extending today. Furthermore, the reported findings are likely to prompt additional questions about whether ACA and its health insurance exchanges are ready for prime time. For policymakers, the security questions and delays in implementation also suggest additional security issues may arise when insurers and other parties required to exchange and access information through the CMS Hub interact with the Hub. This is because CMS must complete its arrangements before other agencies and parties can implement and test their system’s interaction with the Hub and the adequacy of the security of these processes. The continuing delay by CMS to finalize the Hub and its security will leave little time to identify and resolve issues that might stem from these interactiosn.
In light of the findings contained in the Report, Americans concerned about the security of their personal information may want to hold off entering data in response to the HHS’s invitation. Additionally, Americans concerned about these and other security issues also may want to share their feedback with HHS and members of Congress.
Other Questions About Exchange Readiness Remain
Today’s OIG Report of security concerns is just one of many growing concerns about the readiness of CMS and its health insurance exchanges and other health care reforms slated to take effect over the next few months are ready to go effective as scheduled.
Beyond the security issues in the OIG Report, for instance, the General Accounting Office (GAO) and others have expressed concern about arrangements and the need for added funding to prepare for the massive conversion in the U.S. health care system slated to take effect January 1, 2014. Despite these concerns, Obama Administration officials are continuing to claim readiness to begin enrollment of Americans In federal health care marketplace on schedule on October 1, 2013 and to meet other crucial deadlines necessary to effectively implement the next wave of ACA’s health care reforms in the Department of Health & Human Service’s rollout of new consumer health care education and decision-making tools on its newly designed healthcare.gov website.
While HHS says its tools and other preparations ready to meet the October 1, 2013 enrollment commencement and the January 1, 2014 rollout of the new health insurance exchange system, others are less confident. For instance, GAO officials recently found that major work that federal and state officials must complete to timely begin enrollment by October 1 remains unfinished, making it unclear if they will meet the impending October 1, 2013 enrollment kickoff deadline. See GAO Report and GAO Report such as::
- 17 states committed to run their own exchanges have missed March 2013 deadlines on 44% of key activities;
- Officials creating the small business exchanges still must review plans and train and certify the “navigators” that are supposed to help companies and individuals enroll in plans and complete other key arrangements;
- A federal the “data hub” designed to help individuals determine their eligibility and enroll in plans offered through the exchanges has only undergone initial testing; and
- The current planned process for coordination of data between employer and insurer plans and the health care exchanges to evaluate eligibility of the millions of Americans expected to apply for subsidies for enrolling in coverage through the exchange presently is for HHS to contact employers by telephone employers to ask if that employer asked that employee enrollee minimum essential coverage providing minimum essential value at an affordable cost that would disqualify the applicant for the subsidy.
Meanwhile, the GAO Reports also provide a glimpse at what the federal government has spent so far on preparing the federal exchanges and the data hub. They indicate that hat the Obama Administration had approximately $394 million on exchange efforts as of March 2013 including:
- $84 million to CGI Federal, which is building the federal exchange computer infrastructure;
- $55 million to Quality Software Services, which is building the data hub; and
- $38 million to Booz Allen Hamilton to provide technical assistance for enrollment and eligibility.
Contractor Booz Allen Hamilton recently has drawn attention as the National Security Association contractor through which the notorious fugitive Edward Snowden allegedly accessed information he disclosed to the public about NSA surveillance of “big data” on Americans and others through the internet.
The GAO also estimated the Obama administration needs Congress to approve an extra $1.5 billion from the budget to provide the Administration with the additional $2 billion that the GAO projects the Administration will need over the next fiscal year to create and run the federal exchanges. Existing budget and the political impass between the House and Senate over these and other concerns make it unlikely that Congress will approve these extra funds.
Join the discussion about health care reform and share your input by joining Project COPE: Coalition for Patient Empowerment here.
About Project COPE: The Coalition On Patient Empowerment & Its Coalition on Responsible Health Policy
Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these needs is the purpose of Project COPE, The Coalition on Patient Empowerment & It’s Affiliate, the Coalition on Responsible Health Policy.
The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans. The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch. Americans can best improve health care by not waiting for someone else to step up: Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can. Building health care neighborhoods filled with good neighbors throughout the community is the key.
The outcome of this latest health care reform push is only a small part of a continuing process. Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist. The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye. Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families. While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.
We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.
Other Helpful Resources & Other Information
We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here . You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.
Recent examples of these publications include:
- Legislation Proposes To Change Obama Care Full-Time Employee Definition
- IRS Releases Updated Healthcare Law Online Resources Publication
- Self-Dealing Or Other Mishandling of Employee Benefit Plan Funds Risky For Fiduciaries & Those Appointing Them
- Employers & Insurers Reminded Of July 31 Deadline To Pay New ACA-Required PCORI Fees
- Use New Government Health Care Reform Resources With Care
- OCR Warns Others Learn From WellPoint’s $1.7 M HIPAA Settlement
- “Pay Or Play” Reprieve Still Leaves Employers Facing Challenging 2014 Health Care Reform Deadlines
- HHS Continues Preparations For New Health Insurance Marketplace By Awarding Grants To Promote Kids Enrollment
- HHS Touts Enrollment Tools, Says Exchange Enrollment Ready Despite GAO Concerns
- HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce
- Consider OCR Technical Corrections When Updating Privacy Practices & Agreements For Omnibus Restatement of HIPAA Privacy, Security, Breach Notification & Enforcement Rules
- Id & Manage Hidden Employee Benefit Exposures In Business Insolvency Or Other Transactions
- Final Regulations Update HIPAA Health Plan Wellness Program Rules
- HHS Publishes Medicaid Expansion Final Regs, Invites Public Comment
- Hospitals with 2012 CMS Adverse Complaint Inspection Reports in AHCJ Data Bank Should Prepare Response
- OCR Invites Comments On Plans to Survey HIPAA Covered Entities Audited Under 2012 HIPAA Audit Program
- On Health Reform Law’s 3rd Anniversary, Test Your Reform Knowledge
- Maintaining Patient Problem List Under Meaningful Use Core Measure 3 To Support Patient Care
- CMS 2nd Recalculation Medicare Readmission Penalties In 6 Months Cuts Overall Penalties By $10M
- Hospital’s Disability Discrimination Settlement 4th In 5 Weeks For Justice Department
- Par Pharmaceutical Pays $45 Million For Illegal Off-Label Marketing Of Megace ES
- Corpus Christi Radiology Group & Clinic $2.3 Million To Settle Health Care Fraud Charges
- Houston Ambulance Service Owner Convicted Of Health Care Fraud Faces Up To 70 Years
- Genesis Healthcare Disability HHS OCR Discrimination Settlement Reminder To Use Interpreters, Other Needed Accommodations For Disabled
- OSHA Safety Violations At Veterans’ Medical Center Reminder To Manage OSHA Compliance
- Federal Health Care Fraud & Abuse Recovery of $4.2 Billion In FY 2012 Shows Enforcement Risks Growing
- Sequester Cuts Small Business Health Care Tax Credit
- NHI Says Coordinated Care Can Reduce Disabled’s High ER Use; System Contains Many Barriers To Providing This Care
- Look At Mental Health Care For Part Of The Solution To Prevent A Future Newtown Tragedy
- New OCR HIPAA De-Identification Guidance Among Developments Covered In 12/12 HIPAA Update Web Workshop
- Responding To West, Texas, Boston & Other Tragedies: Information and Reassurance Resources
- Justice Department Charges Employer, Pension Plan With Violating USERRA Reemployment Rights
- Administration Proposes Expanding Eligibility, Simplifying Small Employer Health Care Tax Credit
- Health Care Transparency Effectiveness & Value Depends On Data Quality, Understanding & Awareness
- Test Your Health Care Reform Knowledge On 3rd Anniversary of Reform Passage
- Insured “Expatriate Plans” Get Temporary Reprieve From Affordable Care Act Compliance Thru 2015 If Meet Other Health Plan Mandates
- OCR Plans To Survey Health Plans, Other Covered Entities Hit With HIPAA Audits in 2012
- Businesses Urged To Strengthen Their Worker Classification Defenses As IRS, Other Agencies Step Up Audits & Enforcement
- 13 Employer Tips For Coping With Health Care Reform Now!
For important information about this communication click here.
©2013 Cynthia Marcotte Stamer. Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.