Rancor, delays, and confusion have dominated nearly every step of implementing the Affordable Care Act, so it should come as no surprise that the creation of state health insurance exchanges has fueled new data privacy and security concerns.

As part of Obamacare, a network of federally subsidized health insurance exchanges, along with a massive federal data hub that connects them with government agencies and a national network of newly hired “navigators,” is currently being launched state-by-state to offer affordable coverage. Navigators are individuals and organizations that, funded by federal grants, are trained to serve as liaisons between consumers, businesses, and state healthcare exchanges.

Companies who view benefits as an important employee retention and recruitment tool face numerous dilemmas as they decide whether to continue existing coverage, or take advantage of these exchanges. Many are struggling to determine whether the exchanges will, in fact, cost less, and are carefully evaluating what reaction employees will have if a change is made. Security fears will make that sell much harder. Concerned companies may also agree with critics who argue that consumer protection efforts provide consumers with less protection in their dealings with navigators, than traditional HR departments,  insurance agents, and brokers.

Although most large companies are expected to retain their current insurance offerings, some are already announcing their intention to push employees onto exchanges. For example, food retailer Trader Joe's recently said that it will end health benefits for part-time workers, directing them instead to healthcare exchanges. Many small- to medium-sized companies are considering following that path.

The Centers for Medicare & Medicaid Services (CMS) will use a centralized data hub, connected to other government agencies, to verify information needed to determine eligibility for enrollment in these health plans and determine subsidies. At issue is whether the mountains of confidential data that will be collected and routed will be adequately protected from breaches or privacy exposures.

The date the exchanges go online for open enrollment, Oct. 1, is fast approaching and any problems or delays may impair the ability of businesses to assess them and consider any changes to the health benefits they offer to employees. Just as the Obama Administration recently delayed for one year the ACA's “employer mandate” to provide coverage, some in Congress and elsewhere are calling for a delay to the launch of the healthcare exchanges.

Count Stephen Parente, professor of finance at the University of Minnesota's, Carlson School of Management and director of its Medical Industry Leadership Institute, is among those with concerns.

Parente, who specializes in health information and medical technology, questions the government's capability to “rapidly and securely” combine information at a personal level from federal agencies in order for someone to purchase health insurance on a state or federal exchange.

“The combination of such data would constitute the largest personal data integration government project in the history of the Republic, with up to 300 million American citizen records needing to be combined from five federal agencies,” he said during Congressional testimony last week. “Greater transparency is needed, as well as a frank acknowledgement that the ACA's posted deadlines should take second place to reasonable data concerns.”

Already, ahead of Oct. 1, fears are being realized. On Sept. 13, MNsure, the new health insurance exchange in Parente's home state, allegedly leaked the names, social security numbers, and other identifying information of 2,400 insurance agents to another broker. An MNsure employee e-mailed the information to another broker.

The potential for security problems was recently flagged by HHS' own Office of the Inspector General. Among the concerns it detailed in an August report: a required sign-off on security measures by the authorizing official, the CMS chief information officer, was initially expected on Sept. 30, just one day before the start of open enrollment.

Subsequently, HHS retreated for its last-minute deadline. On Sept. 11, it declared this work done and ahead of schedule. The data hub completed its independent Security Controls Assessment on Aug. 23 and received an authorization to operate on Sept. 6, 2013. 

In an accompanying fact sheet, HHS explained that the hub isn't designed to store personal information, but rather pass it along to other federal and state databases that will. CMS will have security and privacy agreements with all federal agencies and states connecting to the Hub, including the Social Security Administration, Internal Revenue Service, Homeland Security, Veterans Affairs, Medicare, the Peace Corps, and the Office of Personnel Management.

“Greater transparency is needed, as well as a frank acknowledgement that the ACA's posted deadlines should take second place to reasonable data concerns.”

—Stephen Parente,

Professor of Finance,

University of Minnesota

The hub will provide one secured connection to federal and state databases instead of requiring each agency to set up what could have been hundreds of independently established connections, each adding to the risk profile. Continuous monitoring is intended to identify and take action against irregular behavior and unauthorized system changes.

Data Insecurity

Some are not buying that pledge of readiness. “The defense that the CMS systems are just a ‘routing tool,' not a repository—is either untrue or problematic,” said Michael  Astrue, former general counsel of HHS and a Social Security Administration commissioner for Presidents Bush and Obama, at last week's hearing convened by the House Homeland Security Sub-committee on Cyber-security, Infrastructure Protection, and Security Technologies. From 2007 to 2013, he led the overhaul and expansion of Social Security's suite of electronic services.

CMS must store data to create the forensic trails necessary to track security breaches, he said. Failure to do so would create “a serious issue” under the Federal Information Security Management Act.

Astrue is concerned by the lack of detail about a beta trial and that CMS appears to have “withheld security documents” from the inspector general's office. Federal requirements for these trials would probably take 6 to 18 months to develop, he said.

Amid the headline-grabbing data pilfering of Bradley Manning and Edward Snowden, it isn't too surprising that the nationwide system of exchange-based navigators would also come under scrutiny. Last month, a team of 13 state attorneys general wrote to Katherine Sebelius, secretary of the U.S. Department of Health and Human Services, to detail their concerns. Topping their list was a perceived lack of training for the exchange workers with access to consumers' personal information.

In a final rule issued in July, setting standards for navigators and non-navigator assistance personnel, HHS stated that they would “receive training on privacy and security standards” and that this training will be “extensive.”

“The rule provides platitudes with little concrete guidance,” the AGs countered, complaining that CMS does not require uniform criminal background or fingerprint checks before hiring, nor does it clearly establish that prior criminal acts are cause for disqualification.

POLITICAL PUSHBACK

The following is a selection from a letter sent last month by Senate Minority Leader Mitch McConnell to Centers for Medicare & Medicaid Services Administrator Marilyn Tavenner urging a delay in the Oct. 1 launch of open enrollment in the Affordable Care Act's health insurance exchanges because of potential security and privacy issues.

I write to express my deep concern about reports that the Centers for Medicare and Medicaid Services (CMS) has missed multiple deadlines for assuring the security of the Federal Services Data Hub. Americans should not be forced to enter into exchanges when CMS is so ill-prepared to guarantee the protection of personal data and taxpayer resources from hackers and cyber criminals who would use this sensitive data for personal gain.

Americans ought to be assured, at an absolute minimum, that their personal and financial data will be safe from data thieves.

HHS' recent track record does not inspire much confidence. [In August], the Office of the Inspector General reported that the CMS has missed multiple deadlines for testing, reporting, and remediating data security risks in the Federal Data Services Hub. In fact, HHS does not expect a final Security Control Assessment (SCA) report from an independent testing organization until 10 days before the Hub is scheduled to begin operations, hardly enough time to fix any problems that may be identified. Furthermore, the current schedule calls for CMS's Chief Information Officer (CIO) to certify the Security Authorization Decision on September 30, 2013, the day before exchanges open.

Adding to these concerns are reports that CMS has signed a $1.2 billion contract with a company to receive, sort, and evaluate applications for financial assistance in the exchanges that include personal, sensitive data. According to published reports, this particular company “has little experience with the Department of Health Human Services or the insurance marketplaces, known as exchanges, where individuals and small businesses are supposed to be able to shop for insurance.” And just last year, it was disclosed that more than 120,000 enrollees in the federal Thrift Savings Plan had their personal information, including Social Security numbers, stolen from your contractor's computers in 2011.

Source: Sen. Mitch McConnell (R-Ky).

“The tight deadline and fast-approaching launch date leaves little time to screen, hire, and train thousands of new personnel nationwide,” they wrote. Navigators were supposed to have 30 hours of online training before they start, but HHS has reduced that requirement to 20 hours.

“This is a dangerous situation,” says David Barton, an auditor with IT experience at the accounting firm UHY with technology audit expertise. “You have 10,000 people who are going to be contractors and, similar to Snowden, they are going to have access to all these databases. You can't expect that this honey pot of personal information is going to be untouched and unabused.”

Christopher Rasmussen, a policy analyst for the Center for Democracy & Technology's Health Privacy Project, expects state regulators will address some of the lingering concerns. For example, in California a law has already passed that requires fingerprinting and FBI background checks for all its navigators and anyone else with data access.

While Rasmussen is supportive of HHS' efforts, there are concerns, albeit ones he says can be overcome.

“Any large IT infrastructure is going to have its share of hiccups along the way,” he says. “Although this is a very large undertaking, maybe the largest ever, it is not unprecedented. We've had Medicaid for decades and states have been exchanging information with the government to verify eligibility. It's not like starting from a blank slate.”

It may be a long shot that the opening of exchanges will be delayed, but those concerns add another layer of uncertainty for frequently confused and overwhelmed employers. It may also be unsettling for them, given that businesses are increasingly facing federal demands to safeguard consumer data and stick to privacy policies—a case of “do as we say, not as we do.”

Topics