Skip to Content

Privacy & Data

Margin of Error on Privacy and Security Narrows for Affordable Care Act Insurance Marketplaces

With less than two months to go before enrollment is set to begin in the Affordable Care Act’s Health Insurance Marketplaces, a report last week from the HHS Office of the Inspector General found that Centers for Medicare & Medicaid Services (CMS) have moved their internal deadlines for security testing of the Data Hub to mid-September with a final agency sign-off due on September 30th, the day before open enrollment begins. Getting security right is vital and CMS has crunched its margin for error by moving the deadline to the last minute.

The attention being paid to security and privacy at this stage is a good thing – the American public deserves to be reassured that the personal data they enter into the new system, or that is shared by federal agencies, is used appropriately and does not fall into the wrong hands.

Last month, we wrote about the Data Hub and explained that it is not a collection point for sensitive information, but rather a “routing tool” that directs information from the Marketplaces to the appropriate federal agencies to make eligibility and enrollment determinations. The information new health insurance applicants will need to provide includes social security numbers, immigration status, and income levels.

Although the Inspector General’s report shows that the CMS Chief Information Officer (CIO) isn’t scheduled to sign-off on the Data Hub until September 30th, CMS IT personnel will be conducting extensive internal testing prior to sign-off. This internal testing includes tracking defects and vulnerabilities, and correcting and retesting the Data Hub to ensure the vulnerabilities are remediated. In addition, an independent external review team will conduct a Security Control Assessment that will determine whether or not the security controls have been implemented correctly and are operating as intended.

Federal regulation requires the Insurance Marketplaces to open on October 1st, so if CMS security sign-off does not come in time, people will likely be able to apply, but they won’t be able to know their application status until the Data Hub is operable. This obviously would not make for a good user experience at the onset of the program. While this scenario is not optimal, potentially worse would be pushing back the launch date.

Overall, we have been impressed by the focus on privacy and security steps that CMS has taken during the development phase of the Insurance Marketplaces and the Data Hub, and with the stakes high – both politically and user-experience wise – it seems likely any issues will be resolved before October 1st, even with the late final sign-off.