HHS Inspector General reports that the data hub intended to support health insurance exchanges will not be “secure” until the day before the exchanges are due to open.
While the report does not state that data security will not be in place, it notes that time is running out. HHS has said that the data hub will be secure and the exchanges will be up and running as most recently scheduled. Federally-run health insurance exchanges are due to open October 1, the opening day of open enrollment.
Find the OIG report here: https://oig.hhs.gov/oas/reports/region1/181330070.asp
An earlier timeline had called for the data hub to be designated as “secure” by September 4. In the meantime, as of Monday, August 5, prospective enrollees may go ahead and create new accounts and begin collecting the required information for enrollment and coverage. Open enrollment is scheduled for October 1, 2013 through March 2014, with coverage beginning January 1, 2014.
Health insurance exchanges are State-based competitive marketplaces where individuals and small businesses will be able to purchase private health insurance. The hub will help facilitate the access of data by exchanges; enable verification of coverage eligibility; provide a central point for the Internal Revenue Service when it asks for coverage information; provide data for oversight of the exchanges; provide data for paying insurers; and provide data for use in Web portals for consumers.
As explained by CQ HealthBeat: “The hub is the mechanism by which the new health law marketplaces will receive data establishing whether an insurance applicant is a U.S. citizen, what his or her income is, whether the applicant is eligible for subsidies to buy coverage, and the size of those subsidies. It will include links to the Internal Revenue Service, the Department of Homeland Security, HHS, the Social Security Administration and state agencies.”
As such, the role of the Hub is only as a pass-through of information that resides elsewhere, in other data bases. It is not intended to actually store information.
“It is important to note that the Hub does not store data,” the OIG reports. “Rather it acts as a conduit for exchanges to access the data from where they are originally stored. We evaluated the adequacy of the development and testing of the Hub from a security perspective. We did not review the functionality of the Hub.”
The reports summary notes that the OIG assessed the information technology security controls that CMS is implementing for the Hub, adequacy of the testing activities being performed during its development, and the coordination between CMS and Federal and State agencies during the development of the Hub. As a conclusion, it notes that “CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date for health insurance exchanges of October 1, 2013. If there are additional delays in completing the security assessment and testing, CMS may have limited information on the security risks and controls before the exchanges open.”
As reported by CQ: The OIG document said “several critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges.”