Skip to content

House GOP Unconvinced Health Insurance Exchange Information Will Be Secure

Updated July 18, 10:40 a.m.

With the NSA’s phone call monitoring and Edward Snowden on many minds, it’s not exactly a comfortable time for the government to roll out a massive computer project dealing with personal data like income, Social Security numbers and ethnicity.

Photo by Karl Eisenhower/KHN

But Henry Chao, a lead technology information officer from the Centers for Medicare & Medicaid Services, said officials have completed about 80 percent of the safeguards to protect privacy when the agency rolls out what it calls “The Hub.” The $349 million project links databases from seven U.S. agencies, including the Internal Revenue Service, to determine which people can receive government subsidies to help them afford health insurance. It is a key element in setting up the federal health law’s online health marketplaces for individuals and small businesses.

“It is important to understand that the hub is not a database; it does not retain or store information,” said Marilyn Tavenner, the CMS administrator, during a heated congressional hearing Wednesday.

She and Chao said the agency will complete the required tests and meet privacy regulations by Oct. 1, when health exchanges are scheduled to open. Their comments came in testimony to the House subcommittee on energy policy, health care and entitlements, which is part of the Oversight and Government Reform Committee.

Chao said the information entered to determine program eligibility is only in the system for a matter of minutes, unless saved to the “My Accounts” section by the user. The hub does not store medical records or personal health data, he said.

But Alan Duncan, an assistant inspector general for security and information technology services at the Treasury Department who monitors Internal Revenue Service issues, raised concerns. He said he was wary that hub fraud protection efforts will be ready for the exchange rollout. “The IT security challenges are considerable,” he said. “The new fraud prevention system may not be operational in sufficient time.”

IRS chief Danny Werfel told the subcommittee that IRS would be ready.

House Republicans were skeptical, citing the threat of cyber security breaches and Internet fraud. They raised repeated concerns about security for data left on the system by users.

“This is the largest consolidation of personal information in the history of the republic,” said Rep. Patrick Meehan (R-Pa.).

Committee members, including Rep. Darrell Issa (R-Calif.) and Rep. Jim Jordan (R-Ohio), grilled the panelists on the accountability of the team that would be responsible for the system.

They linked the vulnerability of personal data to recent problems in government oversight, such as the IRS’ investigation of political organizations, including Tea Party groups, reported in May. Issa, chairman of the full committee, said he has little confidence that the programs will be done in time, or that their security can be ensured. He said he had strong doubts about “forcing every individual in America into a health care plan not yet defined with a database, not yet secure.”