Report Highlights Concerns About Security Of Sensitive Personal Information Americans Will Share With HHS Exchange Portal As HHS Invites Consumers To Set Up Personal Accounts
The reported finding that the Department of Health & Human Services (HHS) has yet to complete the security arrangements and testing for the web portal necessary to ensure the security of personal health and other information shared by consumers on the health insurance exchange Hub that Obamacare charged the HHS Centers for Medicare & Medicaid Services (CMS) with creating raises concerns about whether these security issues might undermine the security of the sensitive personal information that a consumer might share now or in the future when exploring or enrolling in health coverage options offered through the health insurance exchange.
On Monday, August 5, 2013, HHS sought to beef up interest and anticipation among Americans for the new health insurance exchange option by inviting consumers to prepare for the upcoming enrollment period scheduled to begin October 1, 2013 by creating their personal accounts on HHS’ Healthcare.gov website now.
HHS began encouraging Americans to visit the HHS website “healthcare.gov” to open a personal account, the first step to buying coverage through one of the health insurance exchanges that HHS is creating under the Patient Protection & Affordable Care Act reforms. See Consumers Can Take First Step To Enrolling In New Insurance Options Today. An HHS tweet yesterday announced, “Today you can be 1 step closer to getting health ins. by creating your Marketplace account:.” The Healthcare.gov website main page now invites Americans to “[a]nswer a few questions to get some personalized info here.”
Unfortunately, HHS kicked off this campaign on the same day that HHS’s Office of Inspector General (OIG) released a report titled Observations Noted During The OIG Review Of CMS’s Implementation Of The Health Insurance Exchange—Data Services Hub (Report) that raises questions about the adequacy of the current security of the data portal and whether HHS will complete the arrangements and testing to verify it appropriately safeguards the security of the sensitive personal information that consumers will share there when the enrollment period begins and thereafter.
Data shared by Americans as part of the process of exploring and enrolling in coverage through the health insurance exchanges will be collected and shared through a data security Hub that will host and transmit that data. The OIG Report raises clear concerns about the existing security arrangements that CMS has implemented to protect that data, as well as questions about whether CMS will complete the necessary arrangements to secure and protect that sensitive data before enrollment begins October 1.
The findings reported by OIG in the Report raise significant questions about whether Americans should accept the HHS invitation to establish their personal accounts now in anticipation of the October 1, 2013 beginning of the enrollment period for applying for coverage through the health insurance exchanges that would take effect on January 1, 2014.
The Report makes clear that OIG found reason for concern about the Hub security currently and whether these issues will be adequately addressed by the time the enrollment period begins on October 1, 2013.
OIG reports many critical tasks required to implement and test necessary security controls are unfinished. It states “[S]everal critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges. CMS’s current schedule is to complete all of its tasks by October 1, 2013, in time for the expected initial open enrollment period.”
While acknowledging that CMS has affirmed its commitment to complete and implement the necessary security arrangements before enrollment begins on October 1, 2013, the OIG Report also notes that CMS already has missed several critical target dates in its efforts to implement the required security measures.
The Report additionally states: “CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date of October 1, 2013. If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub.” (emphasis added).
The security concerns highlighted in the Report should raise questions about the adequacy of the security of information that an individual might enter on the Healthcare.gov portal in response to the invitation HHS extended beginning yesterday.
The importance of the security concerns raised in the Report becomes evident when one considers that consumers establishing their personal accounts must “Choose your user name and password; Create security questions to add an extra layer of protecting your information.” While many may be tempted to discount the significance of the security concerns because the information that HHS currently asks individuals to share when they create their personal accounts appears relatively harmless, it merits noting that the login and security password that will be used to control access to registrants’ personal accounts are among those initial elements. To the extent security deficiencies compromise the security of this information, these security deficiencies could undermine the security of the personal accounts and all of the information they contain.
The Report does not make clear whether the security issues identified in the Report could compromise logon and password security of the personal accounts established by consumers now or in the future. However, it bears noting that securing the logons and passwords used to access electronic resources containing sensitive personal health care information, and establishing other appropriate safeguards to protect the security of personal health information, are among the key responsibilities that the Health Insurance Portability & Accountability Act (HIPAA) Security Rules impose on health plans, health care providers, health care clearinghouses and their business associates. Failure to implement and administer appropriate safeguards for logons and passwords could compromise all the sensitive data in the personal account now or in the future. Until questions about the security issues and their implications for the logon, password and other information associated with personal accounts are resolved, Americans concerned about the security of their personal information may want to hold off entering data in response to HHS’s invitation. Additionally, Americans concerned about these and other security issues also may want to share their feedback with HHS and members of Congress.
Join the discussion about health care reform and share your input by joining Project COPE: Coalition for Patient Empowerment here.
About Project COPE: The Coalition On Patient Empowerment & Its Coalition on Responsible Health Policy
The purpose of Project COPE, The Coalition on Patient Empowerment & Its Affiliate, the Coalition on Responsible Health Policy, is sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities understand and work together to better plan for and manage these needs.
The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans. The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch. Americans can best improve health care by not waiting for someone else to step up: Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can. Building health care neighborhoods filled with good neighbors throughout the community is the key.
The outcome of this latest health care reform push is only a small part of a continuing process. Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist. The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye. Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families. While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.
We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.
©2013 Cynthia Marcotte Stamer. Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.