The Idaho Health Exchange may delay its launch due to data security concerns at the federal level, two Idaho lawmakers told IdahoReporter.com.
The health exchange, something of an Amazon.com of health insurance, is slated to open Oct. 1, but that may be pushed back if officials cannot verify that Idahoans’ personal data will be secure in the system.
To purchase coverage through the exchange, buyers will have to turn over tons of data: names, Social Security numbers and tax records. The system will use the information to determine if the buyer is eligible for a federal subsidy.
To do that in real-time, the Idaho site must communicate with the federal data services hub, a massive information engine that will power the federally run exchanges and communicate with state-based marketplaces. The hub communicates with several federal agencies, notably the Department of Homeland Security and the IRS, and also plugs into state Medicaid systems.
For now, the federal government cannot verify that its system is secure. Gloria Jarmon, deputy Inspector general for audit services at the U.S. Department of Health and Human Services (HHS), wrote in a report released earlier this month that security testing for the data hub is months behind schedule and officials must scramble to catch up.
Jarmon warned that several “critical” tasks remain unfinished, “such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing …”
HHS plans a final security test for Sept. 30, just two days before Americans can begin purchasing health coverage through the exchanges.
The Idaho Health Exchange oversight board last week discussed delaying its launch in case the federal government cannot prove data will be safe. The law authorizing the exchange, passed during a contentious legislative session, requires the board verify Idahoans’ data will have adequate protections.
Rep. Kelly Packer, R-McCammon, told IdahoReporter.com the board is preparing a contingency plan should the federal government fail to certify prior to Oct. 1. Packer, who supported the exchange in the legislative session, is one of three state lawmakers on the panel.
“We will delay if we cannot meet the state statute,” Packer confirmed, adding that exchange director Amy Dowd is preparing for that scenario. “We will have a safety net in place.”
Dowd did not return calls for comment on the issue. The board will discuss its backup plan in coming days and weeks, Packer confirmed.
Another state legislator on the board, Sen. Jim Rice, a Republican from Caldwell, told IdahoReporter.com Monday that the state will work to secure its own systems between now and the launch date, but that the green light will likely depend on HHS. He pledged that the board won’t move forward with the system if it deems the situation too risky.
“We are not going to expose any data to an uncertified system,” he said.
Still, Idahoans might feel somewhat suspicious of another federal government holding massive amounts of private data. During the last six months, the nation has watched as scandals involving the IRS and the National Security Agency revealed that the feds have a lot of data on Americans and occasionally use it improperly. In essence, some secure data just weren’t that safe at all.
Rice maintains that the federal data services hub won’t be abused and that the feds already hold much of the information that will flow through the system.
“It’s less than you think,” Rice said of the personal information that will wend its way through the hub, “and it’s mostly stuff they get other ways.”
Rice says the NSA and IRS scandals are “different in character” from any potential abuses that could occur with the data hub and that officials are mainly concerned with defending the digital structure against hackers.
Others are more skeptical and believe the hub is ripe for abuse.
Robert Book, a Forbes contributor, predicts HHS will ultimately fail to certify prior to the deadline, but that the administration will move forward with the hub regardless.
“Although it is very likely that privacy will be violated and identities stolen, it won’t be definite, it won’t happen on Day 1, it won’t happen to everybody, and it won’t be publicly known—or even traceable to the data hub—for some time,” Book wrote on Aug. 12.
Some important voices, including U.S. Sen. Orrin Hatch, have raised concerns about the data hub. Hatch, a Republican from Utah, earlier this month requested that the Government Accountability Office review the system to ensure it aligns with federal regulations.