HHS Inspector General: Obamacare Privacy Protections Way Behind Schedule; Rampant Violations Of Law

Article is on Forbes.com by Avik Roy, Contributor

WASHINGTON - MAY 13:  Social Security Administ...

WASHINGTON - MAY 13: Former Social Security Administration Commissioner Michael Astrue speaks during a news briefing May 13, 2011 at the Treasury Department in Washington, DC. (Image credit: Getty Images via @daylife)

It hasn’t been a dull summer for Obamacare news. But there’s been one important issue that has been burbling under the surface, one that hasn’t garnered as much attention as rate shock, subsidy fraud, and the like. It’s this: In order for Obamacare to work, the government will need to know a lot about your financial, medical, and employment situation. Has the Obama administration set up adequate safeguards to protect Americans’ privacy under the law? According to the Office of the Inspector General of the Department of Health and Human Services, the answer is no. Based on OIG’s analysis, Obamacare’s exchanges may end up illegally exposing Americans’ private records to hackers and criminals.

Obama administration legally required to provide privacy safeguards

The Privacy Act of 1974 prohibits government agencies from sharing private individuals’ information, without written consent, outside of twelve specific exceptions. In addition, the Federal Information Security Management Act of 2002, or FISMA, obliges the executive branch to ensure that Americans’ private records are adequately protected from misuse and security breaches.

Hence, the Obamacare exchanges mandate the creation of a “data hub” through which exchanges can access personal records from seven different agencies—the Internal Revenue Service, the Social Security Administration, the Department of Homeland Security, the Veterans Health Administration, the Department of Defense, the Office of Personnel Management, and the Peace Corps—in order to determine eligibility for exchange subsidies and mandate penalties.

Under FISMA, the Obama administration must adhere to the guidelines of the National Institute of Standards and Technology in achieving these safeguards, before the Obamacare exchanges can legally operate.

Privacy safeguards are at least two months behind schedule

However, according to Gloria Jarmon, Deputy Inspector General for Audit Services at HHS, “several critical tasks remain to be completed in a short period of time…If there are additional delays in completing the security authorization,” the chief information officer at the Centers for Medicare and Medicaid Services (CMS) may not have the required “security controls needed for the security authorization decision” to open the exchanges on October 1.

According to Jarmon, CMS has delayed key deadlines by approximately two months, as described in the table below. But despite the fact every other deadline has been pushed back by as many as 73 days, CMS only delayed its final Security Authorization Decision by 26 days.

To out that another way: In March, CMS estimated that it would take 51 days—from July 15 to September 4—to review the final Security Control Assessment report, and make the final Security Authorization Decision, which you can think of as the “green light” that allows the exchanges to go forward, knowing that adequate security controls are in place. Now, CMS is planning to do that 51-day review in just 10 days.

What makes them think that they can accomplish a 51-day review in just 10 days? They don’t. The Obama administration is so determined to get Obamacare up and running on time that they are likely to ignore the legal requirements to adequately review these privacy safeguards.

Analyst: Privacy breach ‘would be a complete disaster’

The administration knows that if the exchanges don’t open on time, there will be a ton of bad press. So they are much more likely to attempt to launch the exchanges without adequate privacy safeguards. Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, told Sharon Begley of Reuters that CMS had “removed their margin for error…if there is a security incident they are done. It would be a complete disaster from a PR viewpoint.”

Notes Begley, “The most likely serious security breach would be identity theft, in which a hacker steals the social security numbers and other information people provide when signing up for insurance.” That other information includes aspects of your financial, health, and employment status.

Social Security Commissioner: Obamacare exchanges are ‘the most widespread violation of the Privacy Act in our history’

Michael Astrue, who recently stepped down as Commissioner of the Social Security Administration, and also once served as HHS general council, is scathing in his condemnation for the Obamacare privacy breach.

“A functional and legally compliant federal exchange almost certainly will not be ready on October 1,” he writes in the latest issue of the Weekly Standard. “The reasons for failure are not short timelines (Congress gave HHS more than three years), political interference (Congress has not focused on ACA systems), or complexity (states have built well-designed exchanges). The reason is plain old incompetence and arrogance.”

According to Astrue, CMS “threw together an overly simplistic system without adequate privacy safeguards,” leaving exchange enrollees “open to identity theft, lost periods of health insurance coverage, and exposure of address for victims of domestic abuse and others…the beta version [of the exchanges] jammed through a few months ago will, unless delayed and fixed, inflict on the public the most widespread violation of the Privacy Act in our history.”

CMS disagrees with Astrue. The agency believes that one of the twelve exceptions to the Privacy Act allows agencies to share data “for a purpose which is compatible with the purpose for which it is [originally] collected.” But it’s hardly true that Americans’ personal records were intended for use in something as uniquely complex as Obamacare.

Delay Obamacare’s exchanges by one year

These critical problems with the exchanges invite litigation. Anyone who enrolled in the exchanges to obtain health insurance would presumably have standing to sue the Obama administration to ensure that CMS was adhering to the Privacy Act and the newer FISMA law.

It’s yet another example of why the exchanges would have a much greater likelihood of success if their implementation were delayed by one year. “I wish we had one more year,” says Connecticut’s exchange director, Kevin Counihan. Other states that tried to implement their own exchanges say the same thing.

Rep. Diane Black (R., Tenn.), a member of the House Ways and Means Committee, has been raising concerns about this issue. “Despite being only four months from Obamacare open enrollment,” she wrote in June, “even the most basic questions about the Data Hub have yet to be answered…With so much personal information going in and out of the Hub likely privy to both government employees and contractors, many of whom will have discretion over health care coverage and tax penalties, the potential for abuses is staggering.”

Democrats who support Obamacare—and Republicans who oppose it—should both want the exchanges to protect Americans’ privacy. There appears to be very good reason to believe that they won’t by October 1.

*    *    *

Follow @Avik on Twitter, Google+, and YouTube,
and The Apothecary on Facebook.

Or, sign up to receive a weekly e-mail digest of articles from The Apothecary.

*    *    *

UPDATE: Michael Astrue says that it’s apparent from the OIG report that HHS “obstructed” the OIG audit, and notes that “what’s worse…the inspector general only conducted interviews and reviewed paperwork. No auditor actually tried to use the beta version of the system that tens of millions of Americans must use in less than two months.”

Just days after the article appeared, the HHS inspector general issued an “audit report” on the health exchanges, perhaps the shortest one his office has ever issued on a significant topic. In less than five pages of analysis the report did little except note more missed deadlines. Some of the hard-hitting “observations” included:

“Because the documents were still drafts, we could not assess CMS’s efforts to identify security controls and systems risks…” (p.4)

“We could not assess planned testing or whether vulnerabilities identified by the testing would be mitigated because the SCA [security control assessment] test plan had not been provided and the SCA had not been completed at the time of our review.” (p.5)

Although the report’s use of the passive voice mutes the force of “the SCA test plan had not been provided,” a truly independent inspector general would insist that HHS not obstruct its audits.

What’s worse, if you look at the methodology section, you can see the inspector general only conducted interviews and reviewed paperwork. No auditor actually tried to use the beta version of the system that tens of millions of Americans must use in less than two months. Concern about the system is hardly unfounded; earlier this year a senior HHS technology official explicitly lowered the quality bar with the statement, “Let’s just make sure it’s not a third-world experience.”

I don’t sleep well thinking about Americans being fined for not using systems that don’t work. I don’t sleep well thinking about domestic abusers who could use vulnerabilities in the system to find their victims. However, the HHS inspector general seems to have no difficulty snoozing night or day.

INVESTORS’ NOTE: Aetna (NYSE:AET), UnitedHealth (NYSE:UNH), Molina (NYSE:MOH), Humana (NYSE:HUM), and WellPoint (NYSE:WLP) are leading players in the public and private exchange market.