Wednesday, July 24, 2013

Questions Raised About ACA Data Security

Published: Jul 17, 2013

By David Pittman, Washington Correspondent, MedPage Today
WASHINGTON -- Federal watchdogs expressed concerns to lawmakers Wednesday about the security of information that will be traded through the Affordable Care Act's (ACA) health insurance exchanges.
Federal tax information provided to the exchanges in order to determine benefit eligibility may not be adequately protected, an official from the Office of the Treasury Inspector General for Tax Administration said Wednesday.
Alan Duncan, assistant inspector general for the Treasury Department, told the House Oversight and Government Reform Committee his office has concerns the Internal Revenue Service's (IRS) fraud controls may not be ready in time to detect ACA-related fraud schemes.
"The lack of adequate testing could result in significant delays and errors in accepting and processing ACA applications for health insurance coverage," Duncan said.
While much has been stated about whether the law's exchanges will be ready for open enrollment in roughly 76 days, Congress also is concerned that information passed through the exchanges' data exchange -- or data hub, as it is also called -- is vulnerable, with so many parties, including federal agencies and states, putting in and taking out that information.
The hub ties together information from various federal agencies to determine what benefits patients are eligible for under the ACA. It confirms income, citizen status, family information, and other data.
The health insurance exchanges -- online marketplaces where uninsured consumers can shop for health coverage -- request the information, such as tax return data from the IRS, to determine eligibility for financial assistance such as premium tax credits. While the exchanges are open to people regardless of income, the tax credits are available to those making between 100% and 400% of the federal poverty level.
"I believe that the hub has a bulls-eye on it," Rep. Jackie Speier (Calif.), the top Democrat on the Energy Policy, Healthcare and Entitlements Subcommittee, said at Wednesday's hearing. "The potential for it being hacked is great."
Witnesses said Wednesday that data is not stored at the hub -- only transferred between parties -- and disposed of within minutes. Such data includes contact information, employment information, income, Social Security number, date of birth, and certain information about family members.
The exchanges don't ask for, access, or store personal health information, Centers for Medicare and Medicaid Services (CMS) Administrator Marilyn Tavenner said.
"CMS is committed to creating safe, secure, and resilient marketplace IT systems and protecting personal privacy and confidentiality in collaboration with our partners, while expanding access to health insurance coverage to Americans," she told Congress in her testimony.
She said CMS will be fully ready this fall. Meanwhile, Henry Chao, deputy chief information officer at CMS, said the agency is about 80% along in its privacy and security efforts under the exchanges.
CMS has recently completed risk assessments and developed strategies for mitigating those risks with the data hub, John Dicken, director of healthcare at the Government Accountability Office (GAO), said Wednesday. The agency also is working on mitigation strategies for each state that is running its own exchange.
"Much progress has been made, but at the same time, much remains to be accomplished within a relatively short amount of time," Dicken told lawmakers.
Not hitting deadlines closer to open enrollment could result in delayed implementation of the ACA, Dicken said.
Danny Werfel, the IRS' principal deputy administrator, outlined to lawmakers how the IRS plans to test the data hub between now and when the exchanges open Oct. 1. Agencies receiving IRS information must meet "significant safeguarding requirements, including strict record-keeping and proper handling, storage, and disposal of tax records," he said.
Tavenner noted CMS is used to collecting and storing vast amounts of information.
House Oversight and Government Reform Committee Chair Darrell Issa (R-Calif.) expressed doubt because there has been no pilot testing of the security of the hub and subsequent exchanges. "The data of every American will be transferred," Issa noted.
A fair portion of Wednesday's hearing involved Republicans grilling IRS officials about the agency's targeting of politically conservative groups and their tax-exempt status. Sarah Hall Ingram, who headed the IRS office that led the charge against those groups, now heads the IRS' ACA implementation office, although she did not attend the hearing.


No comments:

Post a Comment