Senate Minority Leader Sen. Mitch McConell (R-KY) has asked the Obama administration to delay implementation of Obamacare’s statewide insurance marketplaces — a fundamental portion of the law through which uninsured Americans will use government subsidies to buy health coverage — ostensibly over privacy and data security concerns.
“Americans ought to be assured, at an absolute minimum, that their personal and financial data will be safe from data thieves,” he wrote in a letter to the Centers for Medicare and Medicaid Services (CMS). “If you rush to go forward without adequate safeguards in place, any theft of personal information from constituents will be the result of your rush to implement a law to meet the agency’s political needs and not the operational needs of the people it is supposed to serve.”
McConnell is justifying his fears using a recently-released report from the Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) showing that HHS has missed several self-imposed deadlines on data security testing for the marketplaces. But a closer look shows that the report isn’t nearly as damning as McConnell makes it out to be, amounting to little more than technical re-shuffling ahead of the insurance marketplaces’ launch in October.
Last week’s OIG report focused on the central data “hub” through which Obamacare marketplaces around the country will access information about Americans’ income and citizenship status. That information will be used to determine what kinds of benefits and insurance subsidies Americans will qualify for under the law.
Privacy and security testing are obviously important when it comes to a data hub that exchanges such sensitive information (though it should be noted that the hub itself will not store any data, but rather be a point of transfer). The final security testing for this data was supposed to be carried out in mid-June — but as the OIG points out, that deadline was pushed back to mid-August.
That may sound problematic. But the OIG report itself points out the reason for the delay, noting that, “the [final security testing] was moved so that performance stress testing of the Hub could be finished before the [final security testing] and any vulnerabilities identified during the stress testing could be remediated.” The Washington Post’s Sarah Kliff put it another way: HHS has essentially put off technical requirements that can be done later in favor of identifying and fixing any kinks in the hub’s privacy software that exist now.
HHS officials say that they’ve already made progress on that front in the time since the report was compiled — which was more than three months before its August release date. In response to the report, CMS put out a statement claiming the agency is “on schedule and will be ready for the Marketplaces to open on October 1.” It also pointed out that the federal government has long managed to secure sensitive income and health data while administering giant government programs like Medicare, Medicaid, and the Children’s Health Insurance Program without suffering mass privacy breaches.
McConnell himself doesn’t point to any discernible or specific shortcomings in the Obamacare hub’s privacy software in his letter. In fact, he simply notes the missed deadlines before going on to list several unrelated privacy breaches that have occurred in different government programs to justify his call for the marketplaces’ delay. That might be an effective way of playing on the media’s tendency to cover anything that smells like an Obamacare controversy — but it doesn’t speak to actual problems with implementing the law’s security protections.
Obamacare critics employed a similar tactic after reports surfaced that the Internal Revenue Service (IRS) may have improperly targeted certain political organizations for extra scrutiny during the 2012 election cycle, using the agency’s bad press to argue that it couldn’t be trusted to implement Obamacare. Congressional Republicans also turned an obscure technical dispute over congressional employees’ insurance subsidy source under the health law into an opportunity to claim that Democrats were “exempting themselves” from Obamacare — something that was blatantly untrue.