Hatch Asks GAO to Review Data Hub For Helping Marketplaces Share Information

Health Insurance Report™ helps you track and analyze legal, legislative, and regulatory developments affecting the health-insurance industry throughout implementation of the Affordable Care Act...

By Kendra Casey Plank  


The Senate Finance Committee's top Republican is asking the Government Accountability Office to assess the interoperability and privacy and security features of the data hub that will be used to exchange information among state and federal agencies and health insurance marketplaces.

In a letter released Aug. 9, Sen. Orrin Hatch (R-Utah) wrote that “complex and myriad webs of information” would flow through the federal data hub and requested that GAO report on the agencies and information systems that would access data through the hub and the risk management activities that had been conducted to ensure the privacy and security of individuals' personal data exchanged through the hub.


Among federal agencies expected to exchange data through the hub are HHS, the IRS, and the Social Security Administration.  



Hatch also asked GAO to determine whether information sharing via the data hub that involves taxpayer data from the Internal Revenue Service would violate Section 6103 of the Internal Revenue Code. Section 6103 generally prohibits the disclosure of information from IRS files, including individual tax returns.

The data hub, developed and operated by the Department of Health and Human Services, will serve as a conduit for information between federal and state agencies and the health insurance marketplaces that will use the data to verify applicants' eligibility for subsidies under the Affordable Care Act. Among federal agencies expected to exchange data through the hub are HHS, the IRS, and the Social Security Administration.

Hatch specifically asked GAO to:

• describe the federal, state, and other organizations that will provide data or will access data via the data hub and their responsibilities for ensuring the privacy and security of exchanged data;

• assess risk management efforts by federal agencies that have the responsibility of ensuring interoperability of systems and privacy and security of data as well as their plans for mitigating privacy and security risks; and

• assess whether information sharing through the data hub violates Section 6103 of the Internal Revenue Code, “especially as it relates to contractors and state agencies accessing such data.”


Oct. 1 Deadline Looming

Republican lawmakers have questioned whether the federally facilitated and state-based marketplaces and the data hub will be ready by the ACA-mandated Oct. 1 deadline and have raised specific concerns about the privacy and security of data exchanged via the hub.

In an Aug. 2 report the HHS Office of Inspector General found that while HHS and the Centers for Medicare & Medicaid Services have conducted risk assessments, there remains the possibility that unidentified security risks will persist after the October launch date of the data hub and marketplaces (see previous article).

In late July, Rep. Patrick Meehan (R-Pa.) introduced a bill (H.R. 2837) that would delay the data hub for one year, starting Sept. 30. Meehan said that given the “vast” amount of data that would flow through the hub, the potential for abuse of that information was “unprecedented.” And, he said, there were too many unanswered questions about the data hub so close to the fall launch.