data security, Employee Benefits, health care, Health Care Providers, Health Care Reform, health plans, Patient Empowerment, Patient Protection and Affordable Care Act, privacy, Privacy and Data Security, Public Plan, Public Policy
by Cynthia Marcotte Stamer

OIG Questions Security For American’s Personal Information On HHS Health Insurance Exchange-Data Services Hub

Report Raises Questions About Security Of Data Americans Will Share With HHS Exchange Portal

A report released today by the Department of Health & Human Services (HHS) Office of Inspector General (OIG) raises serious questions about whether Americans should accept the opportunity made available by HHS for the first time today to establish a personal account and begin entering their data into HHS data banks in preparation to apply for health care coverage through health insurance exchanges to be created under the Patient Protection & Affordable Care Act when enrollment begins on October 1, 2013.  In light of the OIG findings, Americans concerned about protecting their personal information may want to hold off entering information on the Healthcare.gov website and to share their concerns with HHS and Congress.

HHS Invites Americans To Enter Their Personal Information At Healthcare.Gov Beginning Today

Health insurance exchanges are State-based competitive marketplaces where individuals and small businesses will be able to purchase private health insurance.

Today, HHS began encouraging Americans to the HHS website “healthcare.gov” to open a personal account, the first step to buying coverage through one of the health insurance exchanges that HHS is creating under the Patient Protection & Affordable Care Act reforms.  See Consumers Can Take First Step To Enrolling In New Insurance Options Today.  HHS began encouraging Americans to prepare for enrollment today by setting up their personal account on the HHS Website.  A HHS Twitter Tweet earlier today proclaimed, “Today you can be 1 step closer to getting health ins. by creating your Marketplace account:.” The website today invites Americans to “[a]nswer a few questions to get some personalized info here.”

While many are likely to view the information that HHS asks individuals to share when they create their personal accounts as relatively harmless, it merits noting that the creation of the login and password that will be used to control access to the personal account of registrants is one of those key elements. The text of an e-mail broadcast by HHS restated this invite by stating:  “Starting today you can be one step closer to getting health insurance by creating your Marketplace account. Setting up your account is the first step in the process to get you ready for October 1.  Follow these quick, easy steps and you’ll be on your way:  Provide  basic information like your name, address, and email address;  Choose  your user name and password; Create security questions to add an extra layer of protecting your information.  When open enrollment begins October 1, you’ll be set up to apply for health coverage, compare plans side-by-side, and enroll in a plan.  Create your account today! And after you’ve set up your account, make sure to tell your family and friends to set up theirs too.  Coverage starts as soon as January 1, 2014.”

 

OIG Report Questions Security Of Data Shared With HHS

On the same day as HHS invited Americans to begin entering their personal data on the Healthcare.gov website, the HHS OIG released a report titled Observations Noted During The OIG Review Of CMS’s Implementation Of The Health Insurance Exchange—Data Services Hub (Report) that raises serious questions about the security of the sensitive personal data that Americans accepting the HHS invitation to explore health care coverage offered through health insurance exchanges will share with HHS as part of the process.

Data shared by Americans as part of the process of exploring and enrolling in coverage through the health insurance exchanges will be collected and shared through a data security Hub that will host and transmit that data.  The OIG Report raises clear concerns about the existing security arrangements that CMS has implemented to protect that data, as well as questions about whether CMS will complete the necessary arrangements to secure and protect that sensitive data before enrollment begins October 1.

The findings reported by OIG in the Report raise significant questions about whether Americans should accept the HHS invitation to begin sharing their data with HHS now, as well as provide another basis for Congressional and public concern about whether CMS’ system for enrolling Americans in and administering the exchanges will be ready for prime time in October..

The findings contained in the Report are disquieting. The Report details the results OIG’s review of the efforts of CMS to implement and test the security of the Hub.  While acknowledging that CMS stated that it is confident that the Hub will be operationally secure before October 1, 2013, the Report makes clear that OIG found reason for concern about the Hub security.

The Report reflects that critical tasks required to implement and test necessary security controls remain unfinished, stating: “[S]everal critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges. CMS’s current schedule is to complete all of its tasks by October 1, 2013, in time for the expected initial open enrollment period.”

While acknowledging that CMS has indicated that it is committed to complete and implement the necessary security arrangements before enrollment begins on October 1, 2013, the OIG Report also notes that CMS already has missed several critical target dates in its efforts to implement the required security measures.  The Report additionally states: “CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date of October 1, 2013. If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub.” (emphasis added).

The security concerns highlighted in the Report should raise questions about the adequacy of the security of information that an individual might enter on the Healthcare.gov portal in response to the invitation that HHS began extending today.  Furthermore, the reported findings are likely to prompt additional questions about whether ACA and its health insurance exchanges are ready for prime time.  For policymakers, the security questions and delays in implementation also suggest additional security issues may arise when insurers and other parties required to exchange and access information through the CMS Hub interact with the Hub.   This is because CMS must complete its arrangements before other agencies and parties can implement and test their system’s interaction with the Hub and the adequacy of the security of these processes.  The continuing delay by CMS to finalize the Hub and its security will leave little time to identify and resolve issues that might stem from these interactiosn.

In light of the findings contained in the Report, Americans concerned about the security of their personal information may want to hold off entering data in response to the HHS’s invitation.  Additionally, Americans concerned about these and other security issues also may want to share their feedback with HHS and members of Congress.

 Other Questions About Exchange Readiness Remain

Today’s OIG Report of security concerns is just one of many growing concerns about the readiness of CMS and its health insurance exchanges and other health care reforms slated to take effect over the next few months are ready to go effective as scheduled.

Beyond the security issues in the OIG Report, for instance, the General Accounting Office (GAO) and others have expressed concern about arrangements and the need for added funding to prepare for the massive conversion in the U.S. health care system slated to take effect January 1, 2014.  Despite these concerns, Obama Administration officials are continuing to claim readiness to begin enrollment of Americans In federal health care marketplace on schedule on October 1, 2013 and to meet other crucial deadlines necessary to effectively implement the next wave of ACA’s health care reforms in the Department of Health & Human Service’s rollout of new consumer health care education and decision-making tools on its newly designed healthcare.gov website.

While HHS says its tools and other preparations ready to meet the October 1, 2013 enrollment commencement and the January 1, 2014 rollout of the new health insurance exchange system, others are less confident.  For instance, GAO officials recently found that major work that federal and state officials  must complete to timely begin enrollment by October 1 remains unfinished, making it unclear if they will meet the impending October 1, 2013 enrollment kickoff deadline.  See GAO Report and  GAO Report such as::

  • 17 states committed to run their own exchanges have missed March 2013 deadlines on 44% of key activities;
  • Officials creating the small business exchanges still must review plans and train and certify the “navigators” that are supposed to help companies and individuals enroll in plans and complete other key arrangements;
  • A federal  the “data hub” designed to help individuals determine their eligibility and enroll in plans offered through the exchanges has only  undergone initial testing; and
  • The current planned process for coordination of data between employer and insurer plans and the health care exchanges to evaluate eligibility of the millions of Americans expected to apply for subsidies for enrolling in coverage through the exchange presently is for HHS to contact employers by telephone employers to ask if that employer asked that employee enrollee minimum essential coverage providing minimum essential value at an affordable cost that would disqualify the applicant for the subsidy.

Meanwhile, the GAO Reports also provide a glimpse at what the federal government has spent so far on preparing the federal exchanges and the data hub. They indicate that hat the Obama Administration had approximately $394 million on exchange efforts as of March 2013 including:

  • $84 million to CGI Federal, which is building the federal exchange computer infrastructure;
  • $55 million to Quality Software Services, which is building the data hub; and
  • $38 million to Booz Allen Hamilton to provide technical assistance for enrollment and eligibility.

Contractor Booz Allen Hamilton recently has drawn attention as the National Security Association contractor through which the notorious fugitive Edward Snowden allegedly accessed information he disclosed to the public about NSA surveillance of “big data” on Americans and others through the internet.

The GAO also estimated the Obama administration needs Congress to approve an extra $1.5 billion from the budget to provide the Administration with the additional $2 billion that the GAO projects the Administration will need over the next fiscal year to create and run the federal exchanges.  Existing budget  and the political impass between the House and Senate over these and other concerns make it unlikely that Congress will approve these extra funds.

Are you concerned about whether health care reform preparations are on track or have other health care policy concerns. Tell us what you think by responding to our poll. 

Join the discussion about health care reform and share your input by joining Project COPE: Coalition for Patient Empowerment here.

About Project COPE: The Coalition On Patient Empowerment & Its  Coalition on Responsible Health Policy

Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these  needs is the purpose of Project COPE, The Coalition on Patient Empowerment & It’s Affiliate, the Coalition on Responsible Health Policy.

The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans.  The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch.  Americans can best improve health care by not waiting for someone else to step up:  Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can.  Building health care neighborhoods filled with good neighbors throughout the community is the key.

The outcome of this latest health care reform push is only a small part of a continuing process.  Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist.  The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye.  Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families.  While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.

We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here .  You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Recent examples of these publications include:

For important information about this communication click here.

©2013 Cynthia Marcotte Stamer.  Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.