CMS, IRS promise to meet cybersecurity requirements to protect Affordable Care Act data

By Melissa Dawkins
Special to Federal News Radio

Legislators are concerned about the Centers for Medicare and Medicaid Service’s ability to secure information processed through the Health Insurance Marketplace and the federal data service hub as established by the Patient Protection and Affordable Care Act (ACA).

“The rather large amount of information sharing raises the risk of identity theft and other types of misuse. This risk is even more pronounced since the Department of Health and Human Services has missed several of their own deadlines,” said Rep. James Lankford (R-Okla.) July 17 at a joint subcommittee hearing evaluating the privacy, security and fraud concerns with ACA’s information sharing apparatus.

ACA requires states to establish their own health care marketplaces by January 2014, which will let consumers access health care coverage through private health plans and apply for insurance affordability programs. The federal government will establish and operate federally-facilitated marketplaces in states that choose not to create their own exchanges, according to testimony from Marilyn Tavenner, CMS administrator.


Consumers’ personal information is stored in the marketplace, Tavenner said.

CMS also is creating a hub that connects the marketplaces and the federal and state databases to help verify the information provided by consumers in their applications. Personal information is not stored in the hub. It is a transmitting device, Tavenner testified.

This hub is intended to provide data necessary in determining each applicant’s eligibility, as well as provide real-time access to common federal data, state data and third-party data needed to verify the information provided by consumers, according to a June Government Accountability Office (GAO) report.

For example, the hub will let CMS instantaneously verify consumer-provided information, such as Social Security number, income and citizenship status with the Social Security Administration, the IRS and the Department of Homeland Security respectively, according to the report.

“It is important to note that while the marketplace application asks for personal information such as date of birth, name or address, the marketplace application never asks for personal health information and the marketplace IT systems will never access or store personal health information beyond what is normally asked for in Medicaid eligibility applications,” Tavenner said.

The IRS completed interagency testing with the CMS and Health and Human Services in preparation for the hub, and such testing is scheduled to continue through the summer, according to IRS Deputy Commissioner Danny Werfel’s testimony.

“The IRS is already well positioned to provide the needed safeguards, given the longstanding experience it has in overseeing the transmission of data to federal and state agencies under previously enacted exceptions to section 6103,” Werfel said in his testimony. “Agencies receiving return information from the IRS must meet significant safeguarding requirements, including strict recordkeeping and proper handling, storage and disposal of tax records.”

Legislators, however, are concerned about the security of the hub.

“I’m going to need to get assurances that when you have an expressed authorization to disclose personal health information that we give assurances to our constituents, my constituents, that this information is not going to be shared with people that shouldn’t be getting it,” said Rep. Diane Black (R-Tenn.). “And I don’t still have assurances in what I’m seeing here. … There are many more questions about navigators and what background checks they have; what kind of training they have. And this is something that definitely needs to be talked about a whole lot more.”

The GAO report found that while CMS had met security project schedules up to that date, some tasks, such as final testing with federal and state partners, still must be completed in order for federally funded exchanges to be up and running securely by Oct. 31, the day enrollment begins.

“I would say with regards to privacy and security, we’re probably about 80 percent,” said Henry Chao, chief information officer and director of the Office of Information Services for CMS at the hearing.

Both Chao and Tavenner said they are confident that CMS would be able to complete adequate cybersecurity testing by the Oct. 1 deadline.

“I’m encouraged by Ms. Tavenner’s written statement debunking the notion that in pursuit of access to care, we have to sacrifice privacy,” said Rep. Jackie Speier (D-Calif.). “Such statements must be backed by action. And all parties to the transition must have the same commitment. Mere promises are not enough. But, we should also listen to the facts and not pre-judge the efforts of thousands of federal and state employees working to make this law a reality.”

Melissa Dawkins is an intern for Federal News Radio


Affordable Care Act gives CMS shared services a shot in the arm

Cybersecurity fails to live up the expectations, reflect reality