[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
EVALUATING PRIVACY, SECURITY, AND FRAUD CONCERNS WITH OBAMACARE'S
INFORMATION SHARING APPARATUS
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON ENERGY POLICY,
HEALTH CARE AND ENTITLEMENTS
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
and the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
JULY 17, 2013
__________
Serial No. 113-66
(Committee on Oversight and Government Reform)
Serial No. 113-25
(Committee on Homeland Security)
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
----------
U.S. GOVERNMENT PRINTING OFFICE
86-193 PDF WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina ELEANOR HOLMES NORTON, District of
JIM JORDAN, Ohio Columbia
JASON CHAFFETZ, Utah JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee MATTHEW A. CARTWRIGHT,
TREY GOWDY, South Carolina Pennsylvania
BLAKE FARENTHOLD, Texas MARK POCAN, Wisconsin
DOC HASTINGS, Washington TAMMY DUCKWORTH, Illinois
CYNTHIA M. LUMMIS, Wyoming ROBIN L. KELLY, Illinois
ROB WOODALL, Georgia DANNY K. DAVIS, Illinois
THOMAS MASSIE, Kentucky PETER WELCH, Vermont
DOUG COLLINS, Georgia TONY CARDENAS, California
MARK MEADOWS, North Carolina STEVEN A. HORSFORD, Nevada
KERRY L. BENTIVOLIO, Michigan MICHELLE LUJAN GRISHAM, New Mexico
RON DeSANTIS, Florida
Lawrence J. Brady, Staff Director
John D. Cuaderes, Deputy Staff Director
Stephen Castor, General Counsel
Linda A. Good, Chief Clerk
David Rapallo, Minority Staff Director
Subcommittee on Energy Policy, Health Care and Entitlements
JAMES LANKFORD, Oklahoma, Chairman
PATRICK T. McHENRY, North Carolina JACKIE SPEIER, California, Ranking
PAUL GOSAR, Arizona Minority Member
JIM JORDAN, Ohio ELEANOR HOLMES NORTON, District of
JASON CHAFFETZ, Utah Columbia
TIM WALBERG, Michigan JIM COOPER, Tennessee
PATRICK MEEHAN, Pennsylvania MATTHEW CARTWRIGHT, Pennsylvania
SCOTT DesJARLAIS, Tennessee TAMMY DUCKWORTH, Illinois
BLAKE FARENTHOLD, Texas DANNY K. DAVIS, Illinois
DOC HASTINGS, Washington TONY CARDENAS, California
ROB WOODALL, Georgia STEVEN A. HORSFORD, Nevada
THOMAS MASSIE, Kentucky MICHELLE LUJAN GRISHAM, New Mexico
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Paul C. Broun, Georgia Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Brian Higgins, New York
Chair Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Jeff Duncan, South Carolina Ron Barber, Arizona
Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania Filemon Vela, Texas
Chris Stewart, Utah Steven A. Horsford, Nevada
Richard Hudson, North Carolina Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
Greg Hill, Chief of Staff
Michael Geffroy, Deputy Chief of Staff/Chief Counsel
Michael S. Twinchek, Chief Clerk
Lanier Avant, Minority Staff Director
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama Yvette D. Clarke, New York
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Jason Chaffetz, Utah Filemon Vela, Texas
Steve Daines, Montana Steven A. Horsford, Nevada
Scott Perry, Pennsylvania Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Alex Manning, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
C O N T E N T S
----------
Page
Hearing held on July 17, 2013.................................... 1
WITNESSES
Mr. Alan R. Duncan, Assistant Inspector General for Security and
Information Technology Services, Treasury Inspector General for
Tax Administration
Oral Statement............................................... 9
Written Statement............................................ 11
The Hon. Daniel Werfel, Principal Deputy Commissioner, Internal
Revenue Service
Oral Statement............................................... 22
Written Statement............................................ 24
The Hon. Marilyn B. Tavenner, Administrator, Centers for Medicare
and Medicaid Services, U.S. Department of Health and Human
Services
Oral Statement............................................... 29
Written Statement............................................ 31
Mr. John Dicken, Director, Health Care, U.S. Government
Accountability Office
Oral Statement............................................... 39
Written Statement............................................ 41
APPENDIX
Letter from Mr. Daniel I. Werfel................................. 101
Opening Statement from Ranking Member Yvette D. Clarke........... 102
ACA Implementation IRS Oversight Board Briefing submitted by Mr.
Jordan......................................................... 103
Statement for the Record submitted by Ranking Member Bennie G.
Thompson....................................................... 113
EVALUATING PRIVACY, SECURITY, AND FRAUD CONCERNS WITH OBAMACARE'S
INFORMATION SHARING APPARATUS
----------
Wednesday, July 17, 2013
House of Representatives,
Subcommittee on Energy Policy, Health Care and
Entitlements, Committee on Oversight and Government
Reform, joint with the
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies, Committee on Homeland Security,
Washington, D.C.
The subcommittees met, pursuant to call, at 10:00 a.m., in
Room 2154, Rayburn House Office Building, Hon. James Lankford
[chairman of the Subcommittee on Energy Policy, Health Care and
Entitlements, Committee on Oversight and Government Reform]
presiding.
Present: Representatives Lankford, Meehan, Gosar, McHenry,
Jordan, Walberg, DesJarlais, Perry, Woodall, Black, Issa (ex
officio), Speier, Clarke, Cardenas, Lujan Grisham, Maloney, and
Cummings (ex officio).
Staff present from the Committee on Government Reform: Kurt
Bardella, Senior Policy Advisor; Brian Blase, Senior
Professional Staff Member; Molly Boyl, Senior counsel and
Parliamentarian; Lawrence J. Brady, Staff Director; Caitlin
Carroll, Deputy Press Secretary; Katelyn E. Christ,
Professional Staff Member; John Cuaderes, Deputy Staff
Director; Adam P. Fromm, Director of member Services and
Committee Operations; Linda Good, Chief Clerk; Meinan Goto,
Professional Staff Member; Tyler Grimm, Senior Professional
Staff Member; Christopher Hixon, Deputy Chief Counsel,
Oversight; Mark D. Marin, Director of Oversight; Emily Martin,
Counsel; Scott Schmidt, Deputy Director of Digital Strategy;
Rebecca Watkins, Deputy Director of Communications; Jaron
Bourke, Minority Director of Administration; Yvette Cravins,
Minority Counsel; Susanne Sachsman Grooms, Minority Deputy
Staff Director/Chief Counsel; Adam Koshkin, Minority Research
Assistant; Suzanne Owen, Minority Health Policy Advisor; Safiya
Simmons, Minority Press Secretary; and Mark Stephenson,
Minority Director of Legislation.
Staff present from the Committee on Homeland Security: Alex
Manning, Subcommittee Staff Director; Kevin Gundersen, Senior
Professional Staff Member; Erik Peterson, Staff Assistant;
Margaret Anne Moore, Special Assistant to the Chief of Staff;
Michael McAdams, Deputy Press Secretary; Natalie Nixon, Deputy
Chief Clerk; Christopher Schepis, Minority Senior Professional
Staff Member; and Adam Comis, Minority Communications Director.
Mr. Lankford. Committee will come to order. I would like to
begin this hearing by stating the Oversight Committee mission
statement. We exist to secure two fundamental principles.
First, Americans have the right to know the money Washington
takes from them is well spent. Second, Americans deserve an
efficient, effective government that works for them. Our duty
on the Oversight and Government Reform Committee is to protect
these rights. Our solemn responsibility is to hold government
accountable to taxpayers because taxpayers do have a right to
know what they get from their government. We will work
tirelessly in partnership with citizen watchdogs, deliver the
facts to the American people, and bring genuine reform to the
federal bureaucracy. This is the mission of the Oversight and
Government Reform Committee.
Today's hearing is focused on the purpose and design of the
huge information-sharing apparatus being constructed to
implement the Affordable Care Act. Therein, we'll examine who
will have access to sensitive personal information, who will
contribute data, how the government will protect this
information, and why this information is necessary at all. We
have the unusual combination of the IRS and HHS in our panel
today because to accomplish the legal requirements of the ACA,
it must work together to combine data from millions of people
to allow exchanges to verify the subsidies and manage the
intricacies of the Affordable Care Act.
This is an oversight hearing on the implementation of the
law as well as with Homeland Security. The people giving
testimony today did not write the law. They are only trying to
make this confusing system work, so we get that. So we'll have
a lot of questions back and forth today to be able to process
on how to get this accomplished. We are not going to try to
hold you responsible for the origin of the law, but we will
have decisions about the variety of decisions that you have
made to prepare to implement and enforce the law.
The other large amount of information sharing raises the
risk of identity theft and other types of misuse. This risk is
even more pronounced since the Department of Health and Human
Services has missed several of their own self-imposed
deadlines, and we'll want to know where we are on that.
A document obtained for GAO revealed that as of April 2013,
the department had only completed 20 percent of its work to
establish appropriate privacy protections and capacity to
accept, store, associate, and process documents from an
individual applicant. Today, we hope to hear about the progress
of the other 80 percent of that work. Two weeks ago, Treasury
announced that they would delay the employer mandate until
2015. Just days later, the administration released another 650
pages of regulations that limited the degree of applicant
verification required by exchanges during the first year of
implementation.
Instead of verifying, applicants will now be on the honor
system for the subsidy. The potential for fraud and honest
mistakes are multiplied since no one understands this law, the
subsidies standards, how the administration defines a qualified
employer health plan or a myriad of other issues.
While I believe that the employer mandate is a terrible
public policy that's already hurt hundreds of thousands of
Americans through fewer jobs or reduced work hours, the
administration cannot just rewrite the law on the fly.
Moreover, because of the Rube Goldberg construction of
Obamacare, the delay in the employer mandate and refusal to do
proper applicant verification means that the Federal Government
will waste billions of dollars next year subsidizing people's
health insurance who are ineligible for coverage under the law.
The IRS has recently become highly politicized under this
Administration around the implementation of the ACA and the
rights of people from all political perspectives to operate on
a nonprofit and in a nonprofit organization. After the passage
of the ACA, the IRS Commissioner Shulman visited the White
House over 100 times in a 2-year period to discuss Obamacare
implementation. Shulman's predecessor at IRS, Mark Everson,
shared his concern at an Oversight Committee hearing last year
about the problem with the IRS being so deeply involved with
Obamacare and the serious threat this poses to the historic
independence of the IRS.
Sarah Hall Ingram has led IRS' implementation of the
Affordable Care Act for 3 years. She was originally invited to
testify at this hearing. However, because she may be also
intricately connected to the IRS' targeting of conservative
nonprofit groups, I have accepted Acting IRS Commissioner
Werfel's offer to testify in her place. There are many
questions and issues facing the IRS, but today's focus is on
the data hub and on data sharing that is required because of
the ACA. I welcome Commissioner Werfel's testimony today.
Marilyn Tavenner, administrator for CMS, finally, after a
very long process there as acting, is also here today to field
questions related to the Federal data hub. Hopefully, she's
prepared to address specific concerns about the possible cyber-
related attacks, as well as the recent AP story from last
weekend that the uninsured could fall victim to fraud, identity
theft, or other crimes at the hands of some of the very people
who are supposed to help them enroll.
I welcome the attendance of all of our witnesses today, and
we'll spend time introducing everyone in the moments ahead.
With that, I would like to recognize the ranking member of
Oversight committee, Ms. Speier.
Ms. Speier. Mr. Chairman, thank you, and I thank you and
Chairman Meehan for calling today's important hearing, and I
thank all of the witnesses for being here to participate.
The Affordable Care Act extends health insurance coverage
to tens of millions and uninsured and underinsured Americans to
help them obtain necessary medical care. Already, millions of
Americans have directly benefitted from the Affordable Care
Act: 2.5 million young adults, my son being one of them, now
have health insurance on their parent's plan. The parents of
over 17.6 million children with pre-existing conditions no
longer have to worry that their children will be denied
coverage. More than 32.5 million seniors have already received
one or more free preventative services, including the new
annual wellness visit. Starting this October, millions more
Americans will be able to easily compare and choose affordable
private health insurance plans for the first time when health
exchanges open in every State. Many low-income applicants will
qualify for subsidies. Those shopping for insurance will no
longer have to worry that they will be denied coverage because
of a pre-existing condition or worry that one serious illness
and hospital stay will exhaust their lifetime limits, leading
them to financial bankruptcy.
Some have speculated that Obamacare will not work or at
least that the October deadline might not be met. A June 2013
GAO report raised the issue of some missed deadlines but
ultimately concluded that implementation was feasible and on
track. This is a welcome news, and I look forward to hearing
from the GAO today on how the process is proceeding. I also
would like to know what impact sequestration has on the ability
of those who are supposed to implement the Affordable Care Act
are being frustrated.
GAO also determined that CMS has developed contingency
plans to be ready for unexpected development so the exchanges
will be able to open on schedule in October. HHS has long
experience with complicated health systems involving sensitive
personal information, like Medicare, Medicaid and Medicare Part
D. Getting the healthcare exchanges up and running is without a
doubt a highly complex undertaking, made more complicated by
the decisions of many States to have the Federal Government run
their exchanges, and it is unlikely to be perfect out of the
gate. But no major program has launched without a few hiccups.
I am pleased there are concrete plans to mitigate any
disruptions of the exchange system and to ensure the integrity
of data hub communications between HHS, the IRS, DHS, and the
Social Security Administration, States that other agencies
involved in determining applicants' eligibility. At the same
time, the scope of this new program requires that we ensure
that it is carried out in a way that protects the privacy and
security of those applying for insurance and prevents fraud by
those seeking subsidies.
The privacy of enrollee information is non-negotiable.
Legitimate concerns have been raised about whether the security
structure of the data hub that CMS has put into place will be
sufficient when the exchange is launched in October. Today, I
hope to learn from these witnesses the actual details of
efforts to ensure security and privacy in the data hub. I am
encouraged by Ms. Tavenner's written statement debunking the
notion that in pursuit of access to care, we have to sacrifice
privacy. Such statements must be backed by action and all
parties to the transaction must have the same commitment. Mere
promises are not enough, but we should also listen to the facts
and not pre-judge the efforts of thousands of dedicated Federal
and State employees working to make this law a reality.
At the same time, I'm troubled by recent reports of the
IRS' unintentional exposure of personal information submitted
by organizations seeking tax exemption under section 527 of the
IRC. I am pleased that the agency moved swiftly to correct the
situation when it was detected. Such privacy breaches are
unacceptable and should not happen at all.
Lastly, Mr. Chairman, I am concerned by the efforts of some
to sabotage the implementation of the Affordable Care Act by
making sweeping allegations about the theoretical potential for
fraud and other possible failings. I hope this hearing today is
not an attempt to do that. The purpose of this committee, as
you have pointed out in your opening statement, is to conduct
oversight of programs like the Affordable Care Act, to ensure
that it is carried out properly, and to uncover waste, fraud,
and abuse.
I look forward to additional hearings over the next several
years once we see the program actually in operation. I also
hope Congress will not deny the funding needed to ensure that
the exchanges and the data hub can operate in a safe and secure
manner. In fact, I hope to learn from our witnesses today how
sequestration and budget cuts have impacted their ability to
implement the law and protect enrollees' privacy.
The Affordable Care Act is the law of the land. It has been
upheld by the United States Supreme Court. Now, Congress' duty
is to oversee its implementation, not to seek to delay it or
cause it to fail in its mission.
Today's hearing is a distinct opportunity to address
legitimate concerns with those lead agencies charged with
bringing the exchange system to fruition. I look forward to
their testimony.
Mr. Lankford. I now recognize the chairman of the Homeland
Security Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, Mr. Meehan.
Mr. Meehan. I thank the gentleman, and I thank the members
of both committees who have participated in today's hearing.
I thank the witnesses for their presence today, and all the
members of the Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies.
This hearing comes at a critical time in implementing one
of the key aspects of the President's healthcare law, the
Federal data hub. It's not my intention to relitigate the
Affordable Care Act at today's hearing but rather to provide
crucial oversight over the government's establishment of the
Federal data hub. As a result of the Affordable Care Act, the
Department of Health and Human Services is building an enormous
data-sharing network between State health insurance exchanges
and numerous Federal agencies.
The purpose of the data-sharing hub is for the government
to determine whether Americans who enter the exchange are
eligible to do so. As the chairman of the House Homeland
Security Committee's Cybersecurity Subcommittee, we've looked
extensively at the access to and management of personally
identifiable information by the Federal Government. I don't
need to explain to this committee or to our witnesses or to the
American public from where our concerns emanate. We've
witnessed all too recently how sensitive information can be
mismanaged by the Federal Government. We have seen how cyber
attacks from adversarial nations who seek to infiltrate our
country's military and intelligence information have breached
our most secure networks. We've watched--we have watched as
thieves have stolen our top innovators' intellectual property.
We have witnessed America's financial services institutions
succumb to barrages of attacks by those who wish to do our
nation and our very life harm.
These are the institutions that have the best in the form
of protections at this point in time. FBI Director Robert
Mueller said that the cyber threat will be the number one
threat to our country, a remarkable thing to be said. NSA
Director Keith Alexander called a loss of intellectual property
through cyber espionage the greatest transfer of wealth in
history. And Former Secretary of Defense Leon Panetta said the
cyber attacks could shift from espionage to destruction, the
variability to get inside this network and to destroy the
ability for it to communicate at all if it is not a secure
system. And the Director of National Intelligence, James
Clapper has said that potentially disruptive and even lethal
technology continues to become easier to access and that we
foresee a cyber environment in which emerging technologies are
developed and implemented before security responses can be put
in place. This is the best of our systems.
I would like to see how this system is set up to protect
against those kinds of threats. These are serious people that
are talking about these issues. We've been charged with
securing the most critical data in the world, and although no
one could certainly make the argument that the personally
identifiable information of millions of Americans is just as
critical and critical to our Nation's data security.
Javelin Strategy and Research felt that $12.6 million
Americans are victims of identity theft each year. And a
February 2000 study of the Center for Strategic and
International Studies found that 85 percent of government and
private sector network breaches took months to be discovered.
Pricewaterhouse estimates that one-third of breaches come from
employees. We are going to literally have thousands, 22,000
estimated alone, navigators just in the State of California.
With over 20 million Americans estimated to enter into the
exchange over the next 5 years, this leads to the question,
which I believe must be answered at today's hearings, Are you
ready? Does CMS have the tools in place to secure the
information for over 20 million Americans? Who and how many
will have access to this information? How do we ensure
competence in those who have access? I have grave concerns
about the ability to establish sufficient security in this
massive unprecedented network by October 1st--that's just 75
days away--when our most secure networks are being breached
every single day. Every sector, every agency, every industry
concerned with security will tell you they are only as strong
has the weakest link. I hope that our panel today can allay
some of these concerns, but I fear that our government is about
to embark in an overwhelming task that will at best carry an
unfathomable price tag and at worse place targets on every
American who enters the exchange.
I look forward to hearing from you today, and I yield back
my time.
Mr. Lankford. Now recognize the chairman of the full
committee for Oversight and Government Reform, Mr. Issa.
Mr. Issa. Thank you, Mr. Chairman, and thank you for
holding this important hearing. As my colleague from
California, Ms. Speier, said, Obamacare is the law of the land.
What she didn't say is sequestration is the law of the land,
and both were signed by this President. So my expectation is
that the President has to know that he has to live within the
budget he signed; he has to live within the funding he signed,
that the cost overruns that CBO now knows are in Obamacare--the
``it's going to be balanced,'' to ``it's going to be nearly
balanced,'' to ``it's going to be a trillion dollar train
wreck'' is coming, but that's not the subject today.
The subject today, quite frankly, is the privacy of the
American people and the accuracy of the data, and waste, fraud,
and abuse. I have less confidence in today's hearing for only
one reason: A key witness, Sarah Hall Ingram, who has 3 years
of full-time experience since the passage of the bill, in some
inexplicable way finds herself unable to be here, while I'm
uniquely offered her boss. And I appreciate the Commissioner
being here, but that's unheard of.
Time and time again this committee has asked for Cabinet
officers, only to appropriately find somebody beneath that
person who is able to answer our questions, so today we are
going to have the top boss in his 65 days and probably his 55th
appearance on Capitol Hill to answer questions. And I
appreciate his presence, and I'm not trying to belittle the
technical staff with him. But it goes to the root of this is a
program so grand and so great that it pales Medicare in its
shadow, it pales Medicaid in its shadow, and that's what we're
dealing with.
The data of every American potentially will be transferred
or will be transferred. Now, let's understand that. It's not
being transferred to one place. In the cyber world, you have to
look at every end tentacle. Somebody at some station, somewhere
in Chico, California, is going to have an outlet to the
California exchange that is going to ultimately be connected to
that data. So, although the IRS might be able to put the
database in an acceptable system and transfer it, who are they
transferring it to? Ms. Speier mentioned CMS. I think also the
chairman mentioned it. CMS. Now, this committee has recent
experience. CMS is the organization that sent $15.5 billion to
the State of New York in compensation excess of Federal law.
And then, when we approached them, they wanted to phase it out
over time. Well, they were overpaying vast amounts of money to
the State of New York, to New York institutions owned and
operated by the State.
That wasn't a long time ago. Mr. Chairman, that was this
Congress. We still don't have that $15.5 billion, so when we
talk about waste, fraud, and abuse and we talk about the
disclosure of personal information, we are dealing where
disclosures that occurred under the IRS' watch under this
President. We are dealing with waste, fraud, and abuse
estimated by the inspector general to be greater than the
Army's budget. We lose more than the Army consumes in Medicare
and Medicaid, so a program that's statutorily--and the
gentlelady from California is right; the law is the law. The
law says that we will not subsidize unless the State has an
exchange. And yet, unilaterally, the President has proposed
that State After State who chose not to be part of it are to
have subsidies. So instead of having some States, we now will
have all the States. Those who chose to do it, will be
subsidized. Those who choose not to, out of thin air, without
statutory approval, there will be a Federal exchange that will
then be subsidized. Those are some of the things.
Now, the gentlelady from California is a friend and a
colleague, but we differ on some parts. She thinks that
Obamacare has done a lot already. I think that it has already
run up the cost of healthcare. And when the President
determines, without statutory approval, that one portion will
not be implemented for an extra year, that on employers,
because, of course, it's not ready, and yet he thinks that an
individual mandate and the standing up of exchanges and the
forcing of every individual in America into a healthcare plan
not yet defined, with a database not yet secure, is okay?
I've got to tell them, I have doubts, not about if
Obamacare will some day be ready, if all the bugs can be worked
out, but with no pilot and no consistency of the legislation to
the actual implementation, I've got to tell you, we are at
least a year further out on not just the President's slowdown
but on the entire program, and I think today we are going to
see exactly that, that the plans are there but the pilot and
test, and if you will, proof of concept being tested, with
those thousands or hundreds of thousands of terminal access
points that could be what the ranking--the chairman from
Homeland Security said, that weak link needs to be tested. I
look forward to hearing all of the testimony and particularly
the questions as to the weakest link.
And I yield back.
Mr. Lankford. Thank you. All members will have 7 days to
submit their opening statements for the record.
We will now recognize our panel.
Before I recognize each individual, I would like to ask
unanimous consent that our colleague from Tennessee, Mrs.
Black, be allowed to participate in today's hearing.
Ms. Speier. Mr. Chairman, can I also request that the
ranking member from the Committee on Homeland Security
subcommittee, Ms. Yvette Clarke's statement be read--be added
to the record as well.
Mr. Lankford. Absolutely, without objection, on both of
those.
So ordered.
Mr. Lankford. Mr. Alan Duncan is the assistant inspector
general for security and information technology services, the
Office Treasury Inspector General for Tax Administration.
Mr. Terence Milholland is the chief information officer for
the IRS.
Thanks for being here.
Mr. Danny Werfel is the principal deputy commissioner of
the Internal Revenue Service.
Mr. Werfel, how many hearings have you been in so far? The
chairman had mentioned that.
Mr. Werfel. I think this is my sixth since arriving here.
Mr. Lankford. Only six. Okay. We have got to get you to the
double digits faster.
Mr. Werfel. I have another one right after this one.
Mr. Lankford. Well, we will do our best on that.
Ms. Speier. We would like to--we would like for you to run
the IRS, though, too.
Mr. Werfel. I am doing that, too.
Mr. Lankford. Yeah. The Honorable Marilyn Tavenner is the
administrator for the Centers of Medicare and Medicaid
Services.
Mr. Henry Chao is the deputy chief information officer and
deputy director of the Office of Information Services in the
Center for Medicare and Medicaid Services.
Thanks for being here.
Mr. John Dicken is the healthcare director for the U.S.
Government Accountability Office.
Thank you as well.
Mr. Lankford. Pursuant to committee rules, all witnesses
are sworn in before they testify.
Will you please stand, raise your right hands?
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth and nothing
but the truth, so help you God?
Thank you. You may be seated.
Let the record reflect that all witnesses have answered in
the affirmative. In order to allow time for discussion, we
would ask you to limit your testimony to 5 minutes. I think all
of you have been here before, some more recently than others,
obviously. There is a clock that's in front of you to give you
a quite countdown. Your written statement is a part of the
entire record, so we will give you 5 minutes of time here.
And Mr. Duncan, I think you get to be the lead off hitter
in this one.
STATEMENT OF ALAN R. DUNCAN
Mr. Duncan. Thank you.
Chairman Lankford, Chairman Meehan, Ranking Member Speier,
Ranking Member Clarke, the members of the--and other members of
the subcommittees, thank you for the opportunity to testify on
the Treasury inspector general for tax administration's views
and observations on the Internal Revenue Service's information
technology support for the Affordable Care Act, how tax
information will be provided and the safeguards needed to
protect taxpayers' data.
The Affordable Care Act contains an extensive array of tax
law changes that present many challenges for the IRS. The ACA
will require collaboration and coordination among many
organizations. The IRS' role with respect to the ACA is to
implement and administer the ACA provisions that impact tax
administration
This requires developing and implementing computer programs
that support the State and Federal insurance exchanges and the
collection of taxes, fees, and penalties that would help fund
the ACA.
The IRS' 2014 budget request includes $440 million for
implementation of the ACA, the largest component of which is
$306 million for the implementation of information technology
systems and communications. The ACA health insurance enrollment
starts in October 2013. The IRS will be receiving health
insurance related information starting in 2014 from many
sources, including individuals, employers, insurance companies,
and the health exchanges.
The information technology security challenges for the ACA
are considerable and include implementation of interdependent
projects in a very short span of time, evolving requirements,
coordination with internal and external stakeholders, and cross
agency system integration and testing. The IRS implementation
plan for ACA exchange provisions include providing information
on eligibility, calculating the maximum advanced premium tax
credit and reconciling ACA tax credits with reportable income.
These provisions require the development of new systems,
modification of existing systems, new fraud detection systems,
and the deployment of interagency communication portals.
The ACA health insurance enrollment process starts when an
applicant applies at the exchange. To provide support for
enrollment, the IRS has developed the income and family size
verification application that will provide exchanges with an
applicant's tax information. Our audit of this application
determined that the project was on schedule and the IRS was
managing knowing information technology risk. However, we do
have concerns that the Federal tax data provided to the
exchanges may not be adequately protected in accordance with
the IRS' safeguards program.
To assist applicants in the exchanges with selection of the
appropriate insurance premium, tax credits, the IRS also
developed the advanced premium tax credit application that will
inform an applicant of the maximum amount of advanced insurance
premium that they would be eligible to apply for.
In the 2015 tax filing season, the IRS will be responsible
for reconciling the advanced premium tax credit taken with
actual income and family size during the tax year, which could
result in a refundable credit or additional tax liability. The
IRS has developed a plan to prevent and detect fraud and abuse
during tax return processing that includes ACA transactions.
TIGTA does have concerns that the new fraud prevention systems
and/or modifications to existing fraud-detection systems may
not be operational in sufficient time to identify ACA-related
fraud schemes. We believe the IRS needs to complete and embed
predicted analytical ACA fraud models into the tax filing
process prior to the start of the 2015 tax filing season.
The HHS and IRS have jointly developed an interagency test
plan for the upcoming health insurance enrollment. We are
concerned that final integration testing for all the agency
systems, communications, and the Federal and State exchanges
may not be completed before the start of the enrollment period
in 2013. The lack of adequate testing could result in
significant delays and errors in accepting and processing ACA
applications for health insurance coverage.
Because of the extensive changes to numerous Tax Code
provisions, concerns related to ACA systems and security and
the need for interagency coordination, TIGTA plans to continue
strategic oversight of evolving ACA implementations. Our plan
requires audit investigative resources to evaluate IRS' role in
ACA programs and the protection of taxpayer's data.
Chairman Lankford, Chairman Meehan, members of the
committees, thank you for the invitation to appear.
Mr. Lankford. Thank you.
[Prepared statement of Mr. Duncan follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Lankford. Mr. Werfel.
STATEMENT OF THE HONORABLE DANIEL WERFEL
Mr. Werfel. Chairman Lankford, Chairman Meehan, Ranking
Member Speier and Clark and members of subcommittees, thank you
for the opportunity to appear before you today to discuss the
systems being developed to facilitate information sharing among
the IRS, the Department of Health and Human Services and other
Federal agencies as part of the Affordable Care Act.
The IRS has been working to implementing a number of tax-
related provisions within the ACA. The most substantial of
these provides for premium assistance tax credits to help
millions of American families afford health insurance starting
in 2014, when the new health insurance marketplace, also known
as health insurance exchanges, will begin operating.
To properly administer ACA provisions, such as the premium
assistance tax credit, the IRS, HHS, and other Federal agencies
will need to share individual's personal and financial
information. For example, the marketplace will need Federal
taxpayer data to help verify individuals' eligibility for the
tax credits. Upon request, the IRS will provide income, family
size, and filing status information from recent tax returns.
Separately, the IRS will provide a support service to
compute a maximum advanced premium credit based upon inputs
from the marketplace. The ACA designates HHS as the conduit for
information being shared with the marketplace. The taxpayer
data supplied by the IRS will be transmitted over secure
encrypted channels through the HHS data hub, which was
developed to facilitate these data transfers. Our ability to
share data with HHS is being brought about through new systems
and services that our information technology division has been
developing.
We are on target to have these systems ready when open
enrollment in the marketplace starts on October 1 of this year.
Last month, we completed systems development and also finished
interagency testing with HHS and the Centers for Medicare and
Medicaid Services. Performance testing of these systems will
continue through the summer.
It is important to note that information sharing under the
ACA will be done against the backdrop of very strong
confidentiality protections that have been long part of the tax
laws. In general, section 6103 of the Internal Revenue Code
prohibits the IRS from sharing tax return data with anyone
outside the agency. Over the years, however, Congress has
created a series of narrow exceptions to the restrictions in
section 6103.
For example, the IRS is permitted to disclose tax return
information to other Federal agencies and to State tax
authorities to facilitate efficient tax administration. The ACA
provides a specific exception to section 6103 for information
sharing activities that the IRS will perform under the statute.
The IRS is already well positioned to ensure the safety and
security of the data being shared under the ACA, given the
longstanding experience we have in overseeing the transmission
of data to Federal and State agencies.
The IRS office of safeguards has the responsibility for
monitoring the nearly 300 Federal and State agencies that
currently are permitted to receive tax return data to ensure
they are complying with strict safeguarding requirements we
impose on them.
To prepare for data sharing under the ACA, the IRS has been
collaborating with HHS and other agencies on the processes and
written agreements needed to protect personal information,
including tax return data. Among our collaborative efforts, the
IRS and HHS have entered into a computer matching agreement or
CMA, which details the operations of the data exchanges and
various disclosure restrictions and other requirements.
Just this week, the CMA was signed by both agencies and
transmitted to the Treasury Data Integrity Board for approval.
After approval by Treasury and HHS, it will be transmitted to
Congress for the required notice period and be effective when
open enrollment begins on October 1.
The IRS is subjecting the health insurance marketplace and
State agencies seeking tax return data under the ACA to
significant data protection requirements. Before one of these
entities can obtain tax return information, it must submit a
Safeguard Procedures Report, or SPR to the IRS for its
approval. This report details the steps that the entity has
established or plans to take to protect the confidentiality of
the tax records it will be handling.
Taxpayer data will be withheld from entities that fail to
establish adequate safeguards. The IRS will provide a list of
entities with approved SPRs to HHS by October 1. Going forward,
we will provide ongoing oversight to ensure that all entities
involved in data sharing continue to meet the safeguarding
requirements.
Chairman Lankford, Chairman Meehan, and Ranking Member
Speier and Clarke, that concludes my statement. I would be
happy to take your questions.
[Prepared statement of Mr. Werfel follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Lankford. Ms. Tavenner.
STATEMENT OF THE HONORABLE MARILYN B. TAVENNER
Ms. Tavenner. Good morning, Chairman Lankford
Mr. Lankford. We need to get you button on there so we can
all hear you.
Ms. Tavenner. Thank you. Good morning. I would like to
thank you for the opportunity to discuss the Center for
Medicare and Medicaid Service's progress in implementing the IT
systems in support of the new health insurance marketplace.
Since the passage of the Affordable Care Act, CMS has been
hard at work designing, building, and testing secure systems
that ensure Americans are able to enroll in affordable health
coverage. I want to assure you that October 1, 2013, the health
insurance marketplace will be open for business. Consumers will
be able to log onto healthcare.gov, fill out an application and
find out what coverage and benefits they qualify for.
I also want to assure you and all Americans that when they
fill out their marketplace application, they can trust that the
information they are providing is protected through the highest
privacy standards, and the technology underlying this
application process has been tested and is secure.
I want to quickly walk you through what we're building, how
it works and what data we are storing. I know there has been
some confusion about the marketplace, its IT system and how
data will be used. I want to make two points clear.
First, while the marketplace application asks for some
personal information, such as name, address, Social Security
number, and date of birth, the marketplace application never
asks for personal health information and the marketplace IT
systems will never access or store personal health information
beyond that which is routinely used when applying for Medicaid.
Second, CMS prioritizes the privacy and security of
applicant's data. CMS designed the marketplace IT system in a
way to minimize all possible security vulnerability, and we
especially focused on storing the minimum amount of personal
data possible. With that clear, let's move to the first
question people often ask. What is it that we are building?
The Affordable Care Act directs States to establish State-
based marketplaces by January 1 of 2014. In States electing not
to establish such a marketplace, the Affordable Care Act
requires that the Federal Government establish and operate a
marketplace in the State which is frequently referred to as the
Federally Facilitated Marketplace. This marketplace will
provide consumers access to healthcare coverage through private
qualified health plans, and consumers seeking financial
assistance may qualify for insurance affordability programs
through the marketplace such as tax credits.
In order to enroll in an insurance affordability program
through the marketplace, individuals must complete an
application and meet certain eligibility requirements. To
fulfill these functions, Federally Facilitated and State-based
marketplaces are developing eligibility, redetermination and
appeals IT systems. These IT systems are similar to what
private issuers, Medicare Advantage issuers, and State Medicaid
agencies currently use to carry out the same functions. Because
these IT systems that perform the basic functions of the
marketplace, CMS is developing a tool, which is known as the
Federal Data Services Hub, which provides the electronic
connection between the eligibility systems of the marketplace
to already existing secure Federal and State databases to
verify that information is correct, and that consumer provides
in the marketplace application.
It is important to understand that the hub is not a
database. It does not retain or store information. It is a
routing tool that can validate applicant information from
various trusted government databases through secure networks.
It allows the marketplace, Medicaid and CHIP systems to query
government databases used today. The hub will only query the
databases necessary to determine eligibility for specific
applicants. The hub increases by efficiency and security by
eliminating the need for each marketplace, each Medicaid agency
and each CHIP agency to set up separate data connections to
each database. We know that vulnerability increases when the
number of connections to a database increase. That's why we
created the hub. The hub provides one highly secured connection
to trusted Federal and State partners' databases used today
instead of requiring each agency to set up what would have
amounted to hundreds of different connections.
We have completed development in the majority of the
testing of the hub services. All testing for the hub will be
completed by the end of August. And with that, I'll conclude
and be happy to answer any questions.
Mr. Lankford. Thank you.
[Prepared statement of Ms. Tavenner follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Lankford. Mr. Dicken.
STATEMENT OF JOHN DICKEN
Mr. Dicken. Good morning, Mr. Chairman, ranking members and
members of subcommittees, I am pleased to be here today to
discuss issues with data systems that will be a critical
component of the new health insurance exchanges. As you have
heard this morning, starting in October, health insurance
exchange in each State will provide new marketplaces where
eligible individuals can compare and select health plans.
To support the exchange's efforts to determine applicant's
eligibility to enroll, CMS is building a tool called the
Federal Data Services Hub. This data hub is intended to provide
one electronic connection to Federal sources for near realtime
date access to data, as well as to provide access to State and
other data sources needed to verify consumers' application
information. Several million Americans are expected to enroll
in qualified health plans offered through the exchanges, once
coverage begins in 2014.
My comments today highlight key findings from a report that
GAO issued last month on the status of CMS' efforts to
establish Federally Facilitated Exchanges in 34 States and to
establish the data hub to support exchanges in all States.
These findings are based in large part on our review of
planning documents that CMS used to track Federal and State
activities, including the development and implementation of the
data hub, as well as interviews with CMS officials.
In brief, CMS has completed many activities necessary to
establish Federally Facilitated Exchanges by October 1st,
although many activities remain to be completed and some were
behind schedule. As examples of progress made, CMS has issued
numerous regulations and guidance and taken steps to establish
processes and data systems necessary to operate the exchanges.
But the exchange's ability to effectively carry out eligibility
determination and enrollment activities on October 1st will be
dependent on CMS' successful implementation of the data hub.
CMS is expected to complete development and testing of the
information secure technology systems necessary for the data
hub by October 1st, as Administrator Tavenner just indicated.
CMS began both internal and external testing for the data hub
in October of last year as planned.
According to program officials and our review of project
schedules, CMS established milestones that aimed to complete
the development of required data hub functionality by this
month and for full implementation and operational readiness by
September. Additionally, CMS has begun to establish the
required technical security and data-sharing agreements with
federal partner agencies and States.
While CMS data does, thus far, met project schedules and
milestones for establishing agreements and developing the data
hub, at the time of our report, several critical tasks remained
to be completed before the October 1st implementation. These
included finalizing service level agreements between CMS, the
States and Federal partner agencies in completing external
testing with all Federal partner agencies in all States.
In conclusion, Federally Facilitated Exchanges in the
federal data services hub are central to the goals under the
Patient Protection and Affordable Care Act of having health
insurance exchanges operating in each State by 2014 and of
providing a single point of access to the health insurance
market for individuals. Their development has been a complex
undertaking involving the coordinated actions of multiple
Federal, State and private stakeholders. It has also required
the creation of an information system to support connectivity
and near realtime data sharing between exchanges and multiple
Federal and State agencies.
Much progress has been made; nevertheless, much remains to
be accomplished within a relatively short amount of time. CMS'
time lines provide a roadmap to completion of the required
activities by the start of enrollment on October 1st. However,
the large number of activities remaining to performed, some
close to the start of enrollment, suggests a potential for
challenges going forward. And while the interim deadlines
missed thus far may not affect implementation, additional
missed deadlines closer to the start of enrollment could do so.
At the time of our report, CMS had recently completed risk
assessments and plans for mitigating identified risks
associated with the data hub and was also working on strategies
in each State to address State preparedness contingencies.
Whether this contingency planning will assure the timely and
smooth implementation of exchanges by October 2013 cannot yet
be determined.
Mr. Chairman and ranking minority members, this concludes
my statement, and I'll be pleased to answer any questions that
you or other members of the subcommittee may have.
Mr. Lankford. Thank you.
[Prepared statement of Mr. Dicken follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Lankford. And thank you, all of you, for your
testimony.
Can anyone state to me the section of the ACA that outlines
the data hub? So, this massive undertaking started from what
within the law? Because it is a massive piece, obviously. I'm
just trying to figure out what part of the law mandates that
this data hub be created, that this is the particular vehicle
to solve the problem?
Mr. Milholland. Mr. Chairman, I will take a cut at that.
It's the requirement to exchange information between agencies.
We had to find a way that would easily work to connect to the
IRS and particularly HHS and then subsequently to the
exchanges, also to other government agencies. When we did the
architecture and design in collaboration with HHS and the other
partners, we realized that the simplest design, the one that
would make it more likely that we would implement on time, was
a hub concept.
Mr. Lankford. So you're saying that there's a statement
within the law that requires communication between the
agencies. Is this also requiring communication to the exchanges
as well?
Mr. Milholland. I will let HHS answer that specifically,
but I believe the answer is yes.
Mr. Lankford. Okay. Does anyone know on the section of law
where this comes from?
Mr. Chao. I don't--I don't believe it's in any section of
the law. I think, you know, as Terry said, we've been working
together on the most efficient implementation of the
requirement that is in the law for information sharing between
Federal agencies that are used to verify data on applications
of people who are applying for----
Mr. Lankford. Okay. So there is a section that requires
communication verification on it. How much does--does anyone
know the total cost of the hub at this point? I mean, we've got
two contractors that are working on it. Every agency has now
started engaging. We have all these agreements for computer
matching. Every State is also engaging in it, so we've got a
line that's in the law, someone says we need to verify, how
much has this cost.
Mr. Chao. I think that there are several line items within
the hub, but the total picture, as GAO reported, is about $394
million that CMS has budgeted and obligated for the various
contracts to build the capabilities for the marketplace.
Mr. Lankford. Okay. And then we've got several different
pieces here. We have the data hub, obviously connecting all the
agencies there where you're saying information is not stored at
the data hub.
Mr. Dicken referred to it's almost done in realtime, I
believe, was the statement that was made there. Is it really
realtime that's done or are we batching all these reports?
Mr. Chao. The vast majority of the design is for realtime
responses and realtime requests to get the data.
Mr. Lankford. So, exchange hits the hub, makes the query,
comes back seconds later, or does it come back hours later?
That's what I'm trying to figure out on it, the batch schedule
here.
Mr. Chao. The service levels agreement, for example, with
IRS is between 5 and 8 seconds
Mr. Lankford. Okay. That's terrific. What about the caching
of information. So when the request is made, how long is the
cache to be able to hold on to that information as it's going
through the process?
Mr. Chao. The ``caching,'' and I put quotes around that, is
kind of loosely used. When an individual is applying for the
marketplace and they begin to enroll or request enrollment via
the online application, they can pause and save that
application into what we call a ``My Account,'' and that's on
the marketplace system side.
Mr. Lankford. Okay. So, that is stored information. So, in
the data hub, you're saying, the caching is the best way to do
it is over here, so how long is the cache in the data hub
section of it?
Mr. Chao. It is a consumer--when it comes to the
application and their data, it is a consumer-elected, quote-
unquote, ``caching'' of information saved in their ``My
Account.'' In the hub, the time to live is very short. If there
is no question and response match, that data is then removed.
Mr. Lankford. So you're talking 10 minutes, 20 minutes, an
hour, somewhere through there?
Mr. Chao. Within minutes.
Mr. Lankford. Okay. All right. Then let's go on the other--
on the consumer side, where you're saying--talking about ``My
Account'' because that is where stored data is located. Give me
examples of some of the fields.
Ms. Tavenner, you mentioned a couple of those, Social
Security, birthdays and such. What are some of the other fields
that are there?
Mr. Chao. Names of household members, address, the
requirement to supply valid Social Security numbers.
Mr. Lankford. Ethnicity, is that included as well?
Mr. Chao. I believe there are race and ethnicity----
Mr. Lankford. Okay. So, home address. Is there a phone
number that's included in that?
Mr. Chao. Yes.
Mr. Lankford. Email address?
Mr. Chao. Yes, contact information.
Mr. Lankford. All of the--does it have the questions about
employer-sponsored coverage, is that included in that part as
well?
Mr. Chao. Yes.
Mr. Lankford. Just questions about some of the background
on it. Veteran status?
Mr. Chao. Yes.
Mr. Lankford. So, family members, you mentioned that. Does
it just list out family members or list out the details of the
family members?
Mr. Chao. It--I think when we examined verification and
determination of eligibility for premium tax credits with--in
conjunction with IRS and also examined Medicaid and CHIP
eligibility, there are some information that's used for
different programs.
Mr. Lankford. Okay. Let me run through several here. Indian
tribe?
Mr. Chao. Yes.
Mr. Lankford. Tribal member is listed there.
Mr. Chao. Yes.
Mr. Lankford. Pregnant, would that be a question that would
be asked or----
Mr. Chao. It depends on a series of what we call a pattern
of answers that would indicate that that might be a question
associated with----
Mr. Lankford. Obviously, ``female'' would be one of those,
I would assume, in that pattern?
Mr. Chao. I would think so, but it could be a household
member that is not the applicant, but that's mostly used for--
--
Mr. Lankford. But that is a possibility that's in there.
Applicant income, request of that?
Mr. Chao. Yes.
Mr. Lankford. Disabled, would that be listed as part of it?
Mr. Chao. Disability, no.
Mr. Lankford. Okay. All right. So that this information is
gathered and it's stored how long?
Mr. Chao. For--once the enrollment is established, you
know, via the ``My Account.''
Mr. Lankford. So the ``My Account'' is set up, that
information stored in that section, stored how long?
Mr. Chao. It is stored for as long as the person is seeking
access to affordable care and wants to enroll via the
marketplace.
Mr. Lankford. Okay. We'll have a lot of questions for you.
I want to be able to honor everyone's time in the day on this,
but I want to just set some basic parameters of what we're
talking about, because we are really talking about two
different systems. Data hub may not store anything, but we do
have a data system that is storing large amounts of information
as well, and so we'll have to be clear as we walk through it
and try to make sure that we're using correct terms as we walk
through it; is that okay?
Okay. Ms. Speier.
Ms. Speier. Mr. Chairman, thank you.
And thank you again to all the witnesses.
Three issues, privacy, security, fraud, that's what we're
focussing on today.
Let me start with Mr. Werfel and ask you a question about
privacy.
Given the number of different agencies involved, what
measures has the IRS implemented to guarantee that sensitive
taxpayer information is protected when it enters the data hub?
Mr. Werfel. Thank you for the question. We, as I mentioned
in my opening statement, we have a longstanding process because
the Tax Code has previously allowed for, in certain situations,
the IRS to share taxpayer information to Federal and State
agencies, so over time, we built a very robust process that
we're leveraging for the manner in which we'll share
information under the ACA, which created a new exception under
the Tax Code.
That process is anchored around what we call a safeguard
procedures report, and essentially, if you are to receive
taxpayer information from the IRS, then you have to have an
approved safeguard procedures report in place that IRS--and
it's a very robust set of requirements. IRS reviews and
approves that procedures report, or SPR, and then we monitor
and do like on-site visiting to make sure that they are
complying with those procedures that they outline. They deal
with things like recordkeeping, restricted access, employee
awareness about the sensitivity of the information, internal
inspections to make sure that the procedures that are in place
are robust, disposal of records when they are no longer needed,
making sure that only those records that are needed--that are
used are needed.
So, it's a--you know, we have, as an example, just to give
you a sense of how robust it is, just a template for what a
State agency or Federal agency or the hub, in this case would,
need to fill out is 61 pages, and that's just a template of
what's required.
So, really, we have a very robust set of requirements that
are well battle tested over the years. We go through a robust
process to review it and then we do on-site monitoring to make
sure that the agency involved, whether it's the hub or a State
agency or another Federal agency are making good on their
commitments.
Ms. Speier. Is there any penalty if they somehow have it
breached?
Mr. Werfel. Well, there are ongoing reviews that are done
by the inspector general as an example. There can be severe
penalties for willful breaches. What the inspector general, I
can let Mr. Duncan speak to that, usually do is determine
whether the breach was inadvertent or willful, and if it's
inadvertent, then they would issue some type of report that
would establish new sets of requirements that we may need to do
to make sure that such inadvertent disclosures don't occur
again. If it's willful, they may refer to the Justice
Department for potential prosecution. It just depends on the
circumstances.
Ms. Speier. Okay. Now, I'm going to jump first to fraud and
then come back to security because in my mind, security is the
issue here. In terms of fraud, the chairman had referenced that
there is, in effect, an honor system in place, and while that
may be the case, because you're self-attesting it to, it's an
honor system with consequences, is it not? If, in fact, you say
you make $40,000 a year and are eligible for a premium credit,
when it comes tax time the following year, if you really made
$150,000, that subsidy has to be returned to the coffers of the
U.S. taxpayers; is that not true?
Mr. Werfel. Generally. If I could have a second to explain.
So a couple of important things about the fraud and error
risk associated with the ACA.
First, what's happening when the individual enters the
marketplace and seeks a premium tax credit, the system is set
up so that any funds that they may be eligible or not eligible
for because they're trying to defraud the system don't go to
the individual. They go to the insurer.
So the individual can try to penetrate the system and gain
money, but they're not going to get money. The money is going
to be sent to the insurers.
Ms. Speier. They're going to get health care.
Mr. Werfel. They're going to get health care. And they
might get more affordable health care than they're otherwise
eligible for.
And at the back end, when they're reconciling, it may be
that they were eligible for too much when we see what their
actual income is when they file their taxes, and then they'll
owe potentially some more money.
It may be that we didn't determine that they were eligible
for enough. But what that will mean in that case is they have
been paying into this process, to the exchange, too much money
than they should have, so we're only reimbursing them the cash
that they've already paid in.
Now, there is----
Ms. Speier. I'm running out of time, and I want to get--
thank you--to the more critical issue.
I believe that the hub has a bull's eye on it and that the
potential for it being hacked is great. And while there's been
testing that has been undertaken, does ``testing'' mean that
we've allowed, you know, high school computer science whizzes
to try and hack into the system?
Mr. Chao. No, Congresswoman. The testing involves security
professionals with predefined security protocols that are
embedded and automated procedures that, for example, to try to
penetrate the system and to emulate a potential hacker, as well
as it scans for poor quality of code development with big holes
in it so that people can actually infiltrate the system.
And it also includes examining audit procedures and the
ability to log access to the system and provide the
traceabilities that auditors need in order to see who has been
accessing what data with the right--with the correct roles and
permissions.
Ms. Speier. My time has expired.
Thank you, Mr. Chairman.
Mr. Lankford. Mr. Meehan?
Mr. Meehan. Thank you, Mr. Chairman.
And I want to jump off of what the gentlelady from
California said about this being--looking at it from the
security perspective, and also to talk about it from the
perspective of what the chairman said.
And this is not a partisan effort to try to go put you on
the spot. And I also appreciate that you are the people who
have been trying to implement this.
But I also have grave, grave concerns about the scope of
information that is being put together by this system that you
put together because, you know, it was required just to make it
work. And I've been struck by the observations of numbers of
people who are outside the organization, as well.
So I know you, Ms. Tavenner, have discussed that you are
trying to take the minimal amount of information that is
necessary. But what is necessary to make the system work has
been discussed by Stephen Parente of University of Minnesota,
who studied perhaps the largest consolidation of personal data
in the history of the Republic. Do you dispute that?
Ms. Tavenner. One thing I would remind the committee is
that, currently, we are used to storing and having personal
information on large numbers of individuals, such as in the
Medicare program, in the Part D program. We take it very
seriously, and we go through the highest security and privacy
protections.
Mr. Meehan. I know you take it seriously. The question is
whether you're prepared to have this information protected
against the kind of and scope of probes that are taking place
in the real world today.
I'm going to read some observations from some people who,
you know--``This national insurance exchange system will be the
largest IT system ever created in our history, and they're not
sure how it will work, and they cannot assure the security of
this very private data. They are extensive government data-
sharing systems that lack information security and offer easy
access to hackers, identity thieves, and others interested in
surreptitiously gaining access to private information.'' This
was Twila Brase from the Citizens' Council for Health Freedom.
``Nothing like this has ever been done to this complexity
or scale and with a timeline that puts it behind schedule
almost before the ink was dry.'' This was Rick Howard, who has
an advisory firm, the Gartner firm.
This is Jim Spatz, a senior advisor at Manatt Health
Solutions: ``As crunch time is coming, they're just muddling
through and figuring out shortcuts. It might not be elegant,
but this is how they're trying to make the law work.''
These are the observations of some of the people who are
outside the system observing it. Are they accurate?
Mr. Chao. Congressman, I would refute that to say ``no,''
because CMS has vast experience--for example, there are nearly
50 million Medicare beneficiaries, and we have databases and
systems that operate in an architectural and technical pattern
very similar to what the marketplace requires, including, you
know, application for enrollment, processing eligibility
verifications, checking various sources of data, allowing for
people to come back in to report life-changing circumstances,
working with SSA to remove them when we receive a date-of-death
notice.
I think all these operations at a very, very super-scale
level in health care, CMS has applied this experience to the
marketplace program.
Mr. Meehan. Would you--I understand what you're trying to
do at CMS. Are you aware of what's going on today, Quantum Data
2, the testing thing that's being done right now on Wall Street
today by the major New York banks?
Mr. Chao. No, I'm not.
Mr. Meehan. Do you think that your system is more or less
secure than that that is being put together by the best banks
in the United States?
Mr. Chao. I really can't speak to that because I'm not
aware of what they're doing.
Mr. Meehan. Well, they're walking through, as we speak,
with regard to the ability to--that their recognition that they
are, in effect, being so remarkably challenged by the ability
of complex networks, be they criminal, be they state-oriented,
be they otherwise, to get into information systems that they
have responsibility over.
And I'm not sure that I'm aware of any system that has more
personally identifying information than your system currently.
And the question is the degree to which we're capable of being
able to protect those systems.
My time has expired, but I'm looking forward to following
up specifically on some of the questions with regard to that.
Ms. Tavenner, do you have a comment?
Ms. Tavenner. The comment I would make is that there
certainly is a lot of speculation out there about what's going
on inside CMS. And what I know is that the process that we are
following, we are used to working--we have lots of experience
with working with big data sets.
And we are following, going back to the Privacy Act of
1974, moving forward, to make sure that we have the highest
degree of security and privacy protection. And we are on
schedule to get that done----
Mr. Meehan. Do you know, what is the highest degree of
security protection? Do you know, yourself, what that is?
Ms. Tavenner. So I know, working with the team, that we
start with certain standards that are required by the
government, and we follow those standards completely and
thoroughly. And then we have a continuous monitoring process,
we have a continuous training process----
Mr. Meehan. Ms. Tavenner, let me ask a question. When was
the last time that you have sat in on a secure briefing by the
FBI or the Department of Homeland Security giving you the
current state of the cyber threat to data systems in the United
States?
Ms. Tavenner. I don't know that I've sat in on an FBI
briefing. We certainly have briefings inside HHS, and I did
sit----
Mr. Meehan. But no, no, no. I asked you a specific
question. The two agencies that have the specific
responsibility to understand the scope and nature of the
threat--are you telling me that you are the person who is
responsible for putting together what may be the biggest data
system of private information in the history of the United
States, according to testimony of numbers of people, and you
have never been to a secure briefing by the FBI or Homeland
Security about the current nature of the threat to data
systems?
Ms. Tavenner. And I am telling you that I have been to a
secure briefing.
Mr. Meehan. With whom? By HHS or FBI?
Ms. Tavenner. With HHS.
Mr. Meehan. Well, but that is not Homeland Security, is it?
Ms. Tavenner. No, sir.
Mr. Meehan. No, it is not, nor is it the FBI, who are the
two responsible for understanding the nature of the threat.
I will pursue my questioning. Thank you, Mr. Chairman.
Mr. Lankford. Ms. Clarke?
Ms. Clarke. Let me thank you, Chairman Lankford, Chairman
Meehan, and thank Ranking Member Jackie Speier for submitting
my testimony to the record.
And thank you, witnesses, for your testimony here this
morning.
My first question will go to Mr. John Dicken.
Your report on the development of the Affordable Care Act
data hub is the first of its kind for these healthcare
programs, which means we are still learning about how to go
about assessing the progress of the effort. You noted that 15
of the 34 States where Federal health officials are running the
exchanges will play some role in their operation, and this is a
good sign.
With about 7 million citizens expected to enroll in
healthcare plans, would you tell us first about the key
milestones that have been met and the plateaus that have been
reached in such a massive undertaking?
Mr. Dicken. Thank you, Ranking Member Clarke.
You are right that our report did look at two of the key
milestones that have been met. We issued our report last month
and highlighted some of the progress that has been made--
notably, issuing key regulations and guidance that are
necessary for establishing the exchanges and the data hub;
establishing, building, and developing and implementing some of
the data systems that are necessary; and beginning some of the
process for testing that is still ongoing.
Since our report came out last month, there have been some
other public milestones that have been met. I know that CMS has
relaunched the healthcare.gov website.
There are still a number of big challenges remaining,
though. Our report does highlight that there are still a number
of key milestones that do need to be met before October 1st and
the open enrollment.
Ms. Clarke. I would like to also hear from agency staff
present about what milestones they feel have been reached and
how they see their progress.
Mr. Chao. For CMS, we manage and administer the majority of
the testing with the key business partners, which are the
issuers or insurance companies that offer qualified health
plans in the marketplace. We began testing with them in June
extensively and stepping into greater and greater iterations of
more complex testing that involved enrollment that are
orchestrated with the issuers and their ability to receive an
enrollment transaction and an acknowledgment and, finally, into
a payment and a payment acknowledgment.
The States we have been testing extensively since February,
so those have been major milestones. Starting this week, we
have conducted the testing in waves, and States have been
coming in in various waves. You know, one through four is what
we categorize it, with four being the vast majority of the more
complex testing with the hub primarily and the ability to
receive information when a federally facilitated marketplace is
detecting the potential for Medicaid and CHIP eligibility.
That testing in the fourth wave began this week, and we
have 40 States participating. And when the 40 States are
testing with us, we will have all the States that have done
some level of testing with us, with the 40 probably being the
vast majority between now and August.
Ms. Clarke. Does anyone have anything else to add?
Mr. Werfel. I would just add to that from the IRS
perspective. We also, similarly to HHS, are on schedule. We
have a variety of information technology builds and upgrades
that are necessary to meet the information-sharing requirements
within the ACA, and that we're generally on target with respect
to all of those milestones. And we have a very high degree of
confidence of readiness when October 1 hits and the open season
enrollment begins.
Ms. Clarke. Well, that sounds good.
Let me go on and ask, can you update us on the Federal Data
Services Hub testing activities, including the list of tests,
which agency and stakeholder tested the data hub in each event,
the results of each test, and when the testing will be
complete?
Mr. Chao. We certainly can do that. I can generally run
through right now in just a few minutes. But I think, working
with GAO and other folks that want to come in and take a deep
look at the range and depth of our testing by testing partner,
we can certainly provide that information. It is available.
The testing that will occur in the next 70-plus days or so
is largely looking at what was mentioned earlier as integration
testing. Some folks like to use the term ``end-to-end
testing,'' as if there is just this one giant thread from start
to finish of all these complex processes that have to, in
essence, have a handshake to move this data and respond to data
in order to fulfill the request for enrollment.
We are taking segments of that or hops of that process and
testing the integration, for example, between IRS and the data
hub, the data hub with the marketplace systems, and the
marketplace systems with the issuers.
So that's just a very, very high-level example of how we
break down that integration testing into those hops and to look
at the interfaces and the data flows that are necessary to
support that business process.
Ms. Clarke. Thank you. And if you could submit to the
committee just a little detailed testing arrangements, that
would be something that we'd like to have.
Mr. Chao. We can certainly do that.
Ms. Clarke. Thank you.
Mr. Chairman, I will yield back.
Mr. Lankford. Thank you.
I recognize the chairman of the full Committee on
Oversight, Mr. Issa.
Oh, he's not here right now. He had to slip out.
Mr. Jordan?
Mr. Jordan. I thank the chairman.
Mr. Werfel, we've been given two titles for this
individual. We've been given the title Project Manager for the
Affordable Care Act and Director of the IRS's Affordable Care
Act Office. Who is that individual?
Mr. Werfel. I'm sorry, can you repeat the two titles?
Mr. Jordan. Project Manager for the Affordable Care Act and
Director of the IRS's ACA Office. Isn't it true that that
individual is----
Mr. Werfel. Yeah, I mean, I'm just--you know, we have title
changes, but I think you're referring to Sarah Hall Ingram.
Mr. Jordan. All right. And how long has Ms. Ingram worked
at the Internal Revenue Service?
Mr. Werfel. I don't know the answer to that.
Mr. Jordan. Our records show that she has worked there
since 1982, 30 years. And prior to taking over the ACA Office,
what was Ms. Ingram's title?
Mr. Werfel. Commissioner for the Tax-Exempt Government
Entities organization.
Mr. Jordan. And this is the very organization where the
targeting of conservative groups took place; isn't that
correct?
Mr. Werfel. It is the organization that was the subject of
the IG report that I think you're referring to.
Mr. Jordan. Yes. And this is also--Ms. Ingram was also Lois
Lerner's boss; isn't that correct?
Mr. Werfel. I believe for a period of time, yes.
Mr. Jordan. When the targeting took place, for 2 of the 3
years that the targeting took place, according to our records.
And isn't it true that Ms. Ingram was invited to be a
witness at today's hearing?
Mr. Werfel. That is true, yes.
Mr. Jordan. And isn't it true that you called Mr. Lankford
and asked that she not come and that you come instead?
Mr. Werfel. What I told Mr. Lankford was, based on the
topic of this hearing, which deals with data, data integrity,
and privacy, that I felt that Mr. Milholland was a better
technical expert because he's our Chief Technology Officer, and
Ms. Hall Ingram does not deal as directly in the issues of data
safeguarding.
Mr. Jordan. Is Ms. Hall Ingram in Washington today?
Mr. Werfel. Yes, she is.
Mr. Jordan. So there's no family responsibilities, no
health concerns, no other reason why she couldn't be here
today?
Mr. Werfel. I don't know about any of those situations
personally, no.
Mr. Jordan. But, to best of your knowledge, she's working,
she's a few blocks away today, right?
Mr. Werfel. Yes, she's at the IRS.
Mr. Jordan. Okay. And I know you've testified five times in
front of various--or six times, I think you said, in front of
various committees. But how long, again, have you been at the
IRS?
Mr. Werfel. Roughly a month and a half.
Mr. Jordan. Okay.
Mr. Werfel. Coming up on 2 months.
Mr. Jordan. All right.
We want to put on the screen here a couple slides, if we
could. And just so you--this was a presentation given to the
IRS Oversight Board May 2nd of this year.
And then I want to go to page 5, because this relates
directly to most of your opening statement, Mr. Werfel, where
you talked extensively about 6103. But I want to read--it may
be a little difficult. I'll read the second bullet point.
``The ACA added Section 6103(i)(21) to authorize the IRS to
disclose Federal taxpayer information to exchanges, Medicaid,
and CHIP agencies and their contractors to support income
verification for ACA needs-based eligibility determinations.''
6103 info is pretty important information; isn't that
correct, Mr. Werfel?
Mr. Werfel. Absolutely.
Mr. Jordan. Almost viewed as sacred, correct?
Mr. Werfel. Within the IRS, for sure.
Mr. Jordan. Yeah. In fact, you've used that, you've used
6103 as a reason not to answer some of my questions I've asked
you in some of those previous appearances you've had in front
of this committee. And most of your testimony dealt with it. In
fact, there's a story in yesterday's Washington Examiner where
this was breached and a political figure had personal
information, donor information, that went public, according to
the Inspector General. So this is important stuff.
Do you know who happened to--do you know who gave this
briefing to your Oversight Board on May 2nd, 2013, Mr. Werfel?
Mr. Werfel. I don't know, but I'm assuming you're going to
tell me.
Mr. Jordan. Yeah, we are. Who do you think it is? Can you
hazard a guess?
Mr. Werfel. If you would allow me, I mean, I think we can
get to some of the points you're tying to raise. I'm not going
to dispute that Ms. Hall Ingram is not integrally involved in
our ACA work. What I'm----
Mr. Jordan. No, no, no, wait, wait. What you just said a
few minutes ago, maybe a minute and a half ago, was you were
the person best equipped to answer our questions, even though
the chairman invited Ms. Hall Ingram. And yet Ms. Hall Ingram
is the very person who gave this briefing talking about 6103
information, which you highlighted in your testimony as being
so darn important.
So the very lady who is doing the oversight briefing to the
Oversight Board who we wanted to have come talk about this
information, making sure taxpayer information was confidential,
gave that briefing, you called up Chairman Lankford and said,
``No, no, I don't want her to come. I'll come instead.''
Mr. Werfel. Can I respond?
Mr. Jordan. And you've been here all of 63 days. She's been
here 31 years, since 1982. In fact, she's the central figure in
two of the biggest stories in the country, the IRS targeting
and the implementation of Obamacare. And these two gentlemen
asked her to come, and you called up and said, nope, we don't
want the lady who briefed the Oversight Board, we don't want
her to come; I'll come instead and use my 63 days of expertise,
versus her 32 years, 31 years of expertise.
Ms. Speier. Mr. Chairman, with all due respect, Mr. Werfel
has presented himself very, very competently in every area
and----
Mr. Jordan. Mr. Chairman, did I yield the time? I don't
think I yielded her time.
Mr. Lankford. Yeah, the gentleman did not yield on it. I
want the gentleman to be able to retain the time----
Mr. Werfel. May I respond?
Mr. Lankford. --and for Mr. Werfel----
Mr. Jordan. Yeah, you can respond. I hope you will respond.
Mr. Werfel. I will respond.
Mr. Lankford. And, Mr. Werfel, absolutely, we'll give you
the time to be able to respond.
Mr. Werfel. I appreciate that.
First of all, Congressman, I don't agree with your
characterization of the nature of my phone call with Mr.
Lankford and the reason why I and Mr. Milholland are sitting
here today.
What I feel is appropriate and what I think IRS
historically feels is appropriate is, when there's a hearing,
we balance a lot of different factors in figuring out who the
best witness is to present the information to Congress. Two of
those factors are accountability--and I'm the most senior
accountable official within the IRS----
Mr. Jordan. I understand that.
Mr. Werfel. --and second is technical knowledge and
expertise on this subject matter.
The hearing invite that we received asked us to pay
particular attention on our coordination with other agencies,
HHS and IRS coordinations, regarding safeguards of the personal
data of individuals who purchase coverage through the
exchanges.
So what I suggested to Mr. Lankford is a combination of me,
the most senior accountable official in the organization, and
the Chief Technology Officer of the IRS, Mr. Milholland----
Mr. Jordan. And, Mr. Werfel----
Mr. Werfel. --would provide the best input to the
substantive----
Mr. Jordan. I get it, Mr. Werfel.
Mr. Werfel. --content of this hearing.
Mr. Jordan. And I respect that.
But if I could, Mr. Chairman, we have the minutes, we have
the meeting notes from that presentation given by Ms. Hall
Ingram----
Mr. Werfel. She's knowledgeable on these issues. I'm
saying----
Mr. Jordan. No, no, no, but let me just read.
Mr. Werfel. --Mr. Milholland is more knowledgeable.
Mr. Jordan. Just let me read. Well, if he's more
knowledgeable, why didn't he do that briefing?
So let me ask you--here's what it says. ``Ms. Ingram
discussed the security and safeguard programs at the IRS, that
the IRS has in place regarding sharing of data among its
partners.'' If he's the expert, he should've done that
briefing.
And, frankly, the chairman didn't ask for Mr. Milholland.
They asked for Ms. Sarah Hall Ingram, who is head of the
Affordable Care Act Office at the IRS.
Mr. Chairman, I yield back. But, I mean, look, we've got
the two biggest issues, maybe the two biggest issues in the
country, the lady who's at the center of the storm in both of
those. We asked her to come here, and she doesn't come. Even
though she's briefing everybody else on the issue, she won't
come brief the Congress, just like Lois Lerner won't talk to
Congress.
Ms. Speier. Mr. Chairman, I have a point of inquiry.
Mr. Lankford. Yes, ma'am.
Ms. Speier. We have a 5-minute limit per Member. Mr. Jordan
just exceeded it by 1 minute and 48 seconds.
This is a hearing on evaluating privacy security and fraud
as it relates to ACA, and this entire questioning was whether
or not a particular individual should have been here versus the
head of the agency.
If we are going to conduct this hearing----
Mr. Jordan. Mr. Chairman?
Ms. Speier. --as a witch hunt----
Mr. Jordan. It's not a witch hunt Mr. Chairman.
Mr. Lankford. Hold on.
Mr. Jordan. Would the gentlelady yield?
Mr. Lankford. The gentlelady has the time. Hold on.
Ms. Speier. --then I will object. I want this to be an
oversight hearing by this committee. You have shown great
leadership in this committee.
I believe that what we should be doing is looking at where
the holes are, in terms of making sure the ACA is effective as
it is rolled out, where the resources need to be employed,
where there may be loopholes, where there are issues that we
have to address. And that's what I hope this hearing will
continue to do.
Mr. Lankford. There are multiples of those----
Mr. Jordan. Mr. Chairman?
Mr. Lankford. I will yield to the gentleman.
Mr. Jordan. I would just ask unanimous consent to enter the
meeting notes from the very meeting Ms. Hall Ingram briefed the
IRS Oversight Board, specifically this sentence: ``Ms. Ingram
discussed the security and safeguard programs the IRS has in
place regarding the sharing of data among its partners,
including those for ACA programs,'' end of story.
Mr. Lankford. Yeah. Without objection.
Mr. Lankford. The time period is obviously at the
discretion of the chair. There have been a couple Members that
have gone over by a couple minutes, some as long as 2 minutes,
actually, so far in our time period.
We are going to try to honor the 5-minute time period, but
I've always been fairly loose on that with Members on both
sides, that if there is an appropriate question that's going on
and they want to give an appropriate response--and, Mr. Werfel,
I do want you to still have time to respond to Mr. Jordan's
question that he ended with, if you choose, to be able to do
that, as well.
We did have an interchange, we had multiple conversations
on that. It was very respectful of your position. You obviously
have a difficult spot. You're walking into the middle of a lot
of issues with the IRS. This is one of several and a moving
target.
I did express to Mr. Werfel that I felt Mrs. Ingram seemed
to be, as we're looking at the flowchart, the best person to be
there. Obviously, Mr. Milholland has a crucial role in the data
transfers on that. Mr. Chao has an incredible role in this from
the HHS perspective and what's happening. A lot of what we're
dealing with deals specifically with the regulatory nature of
this.
So, Mr. Werfel----
Mr. Werfel. The only thing I would say--and I can be very
brief--is that there are multiple people within the IRS with
substantive understanding of the issues of 6103 and the
safeguarding. You have two individuals right now, one that's
the accountable official and one who is a subject matter expert
on the issue, and we're here and ready to answer any
substantive questions you have on these matters.
Mr. Lankford. Yeah, we will continue to press on with that.
Mr. Cardenas, you are recognized.
Mr. Cardenas. Thank you very much, Mr. Chairman.
I would like to compliment the witnesses so far. It must be
pretty trying, trying to stay on point even though some of the
questions are trying to take us all off point here. And it's
unfortunate that some members of this committee and this
subcommittee are just hellbent on wanting to bring issues back
before the public that really are not as relevant as the
substantive issues as to why this hearing was even convened.
But I would like to get us back on point.
In an opinion piece published in the U.S. News and World
Report in June, Congress Representative Diane Black made
allegations about the data hub that we're talking about today.
I'd like to mention one in particular and would invite the
panel to comment and clarify, if necessary, about this
information that was put out to the public by Congresswoman
Diane Black.
Congresswoman Black wrote, and I quote, ``For the purposes
of implementing and enforcing Obamacare, the Department of
Health and Human Services, through regulator fiat, is building
this hub, a Web portal where personal information such as
medical records, tax and financial information, criminal
background, and immigration status will be shared and
transmitted between agencies, including the IRS, HHS, the
Department of Justice, Department of Homeland Security, and the
Social Security Administration, as well as State governments.''
All right? And that's the end of that quote.
Ms. Tavenner and Mr. Chao, can you clarify, will personal
medical records be accessible through the data hub?
Mr. Chao. No, they will not be.
I think the quote or the description is a bit inaccurate,
in terms of it doesn't describe about the flow of information,
the type of data, and, certainly, we are not collecting, you
know, personally identifiable health information on any
individuals throughout this application process.
Mr. Cardenas. Anything else on that point?
Okay. Thank you.
It's important that there perhaps should be penalties for
any misuse or disclosure of information. As far as you can
tell, would there need to be congressional approval to
implement levels of civil or criminal penalties for those who
would willfully and knowingly violate privacy laws?
Mr. Chao. I'll also defer to IRS for their piece.
I think, for us, there are already civil and monetary kind
of penalties under U.S. Code that govern access to Federal
Systems, of which, you know, we do apply that. Specifically to
this application process, I'm not aware of anything that has
changed with that in the application of those civil monetary
penalties under U.S. Code. So I will--I can certainly get back
to you with more specifics on that.
Mr. Cardenas. Thank you.
Mr. Werfel. And I was just going to reinforce that by
saying that the protections that we're putting in place on the
data are leveraging longstanding, existing procedures that are
in place, including penalties and approaches, working with the
Inspector General, that we have long-term experience with.
Because, as I mentioned earlier, this is not the first time
that the law has contemplated sharing taxpayer information from
the IRS out into other Federal agencies and other State
agencies. And so we have a strong track record of robust
processes, and those are going to be leveraged here.
Mr. Cardenas. Are they getting better, those processes, as
technology changes and as we have to defend ourselves from
attacks?
Mr. Milholland. I'll answer that from the point of view of
the IRS.
We use a defense in depth and breadth concept. That is,
whatever the access controls might be, for example, there are
eight levels of protection as you come into the IRS
electronically. But there is also a breadth approach that says,
not just access controls, but preventative measures you might
want to take for insiders, say, and a number of implementations
of technical capabilities that allow us to try to be detect if
there is inappropriate access to the information.
So these same kind of practices we pass over to our
Safeguards group and, particularly, provide our cybersecurity
experts from Information Technology to assist them in their
safeguard reviews. So those reviews that take place outside of
the IRS have the best technical support that's available to the
IRS, in which we've built what we believe is a--I'll say a
best-in-civil-government approach to information security.
Mr. Cardenas. Thank you very much.
With what little time I have left, I would like to thank
the panelists. I think you've been doing a really good job
trying to stay on point and continuing to answer the questions
as honestly and forthrightfully as you should be before any
congressional hearing.
And I would hope that you would share with your colleagues,
whenever they're summoned to this committee or any committee,
to watch this tape so that you can show them that you can stand
your ground and don't succumb to badgering and things of that
nature trying to get you off point. Thank you so much for your
professionalism.
I yield back.
Mr. Lankford. Mr. Walberg?
Mr. Walberg. Thank you, Mr. Chairman.
And thank you to the panel for being here. And we're not
going to attempt to badger in any way, but we would like
answers to questions as quickly as possible.
Ms. Tavenner, thank you for being here. Let me ask you, in
relation to the HHS issuing a final rule that requires a
taxpayer enrolled in a health plan through a State exchange to
report certain changes in circumstances within 30 days, these
include changes in residency, as I read it, and income. Is that
accurate?
Ms. Tavenner. I believe so, but I'd have to double-check
the rules.
Mr. Walberg. Well, let me follow up, hoping that maybe this
will help.
The question I would have: If, indeed, this is the case, a
30-day requirement, if I get a raise, if I get a demotion, if I
start a new job, if I lose a job, am I required to run to my
State exchange and notify them of those changes?
Mr. Chao, if you could.
Mr. Chao. Commissioner Werfel mentioned earlier that the
process allows for a reconciliation via the tax-return-filing
process of any advance premium tax credits that were paid on
your behalf to the issuer that you enrolled in. And while we,
on a consumer, you know, kind of customer service perspective,
ask people to report it as early as possible----
Mr. Walberg. Well, it says 30 days.
Mr. Chao. Yes. Yes. And----
Mr. Walberg. But you're going to be flexible on that?
Mr. Chao. Well, I think, you know, by requirement, it's 30
days, but if something were not to be, you know, kind of
reported in that time span--and we are recommending for people
to report changes timely--there is the reconciliation that will
kind of pick up any adjustments that are necessary.
Mr. Walberg. So even I leave a State where my exchange was,
or my marketplace, I guess is the new term, I will have some
flexibility on reporting?
Mr. Chao. Correct.
Mr. Walberg. Okay.
Let me move on. Ms. Tavenner, this is just a yes/no series
of questions and answers here.
Will exchanges be allowed to enroll individuals to receive
advance premium tax credits even if their income cannot be
verified by the IRS, yes or no?
Ms. Tavenner. I think there are several steps, but, yes,
there is a possibility that if their income can't be verified
they could still be eligible after they complete another series
of tests.
Mr. Walberg. Will exchanges be allowed to enroll
individuals to receive advance premium tax credits even if
their household size cannot be verified by the IRS?
Ms. Tavenner. I think household size is verified by the
individual and to the extent that IRS can provide it. But, yes,
there are additional steps, including self-attestation.
Mr. Walberg. Will exchanges be allowed to enroll
individuals to receive advance premium tax credits even if
their citizenship status cannot be verified by the Department
of Homeland Security?
Ms. Tavenner. As you are aware, the Affordable Care Act
only allows if we are able to verify citizenship or----
Mr. Walberg. Well, in this case, they're saying they are;
there's no firm verification. So another flexible area where
we're really uncertain whether the benefits are allowed or not
allowed, right?
Mr. Chao. The process works in that, when there are
accurate data sources to verify against what's on the
application, it is done so, you know, online in realtime.
There are cases in which when data and information is not
necessarily in synchronization with what the person is
reporting as the household, we have a step in the process
whereby they move into an inconsistency period in which we have
eligibility support workers. It's a complement of almost, like,
customer service reps that will work with you to identify, you
know, other means to verify, you know, your household size,
your income.
And while it's kind of a labor-intensive process, we have
built that in so that we can get as accurate a determination
and enrollment as possible.
Mr. Walberg. But while it's going on, it's very uncertain?
Mr. Chao. No, it's a process----
Mr. Walberg. Citizenship status----
Mr. Chao. Well, for the consumer's sake or the household's
sake, the process continues, and they move on to receiving
coverage and enrollment in a QHP. But we're, in the back end,
making sure that that data is accurate.
Mr. Walberg. Will exchanges be allowed to enroll
individuals who receive advance premium tax credits even if
their Social Security number cannot be verified?
Mr. Chao. No. That process will go into that inconsistency
or exception process, and that's probably a pre-, early kind of
step in the process, because the first thing we have to do is
to validate a Social Security number via SSA before we talk to
IRS with that validated Social Security number.
Mr. Walberg. If they haven't had any previous tax returns,
for instance----
Mr. Chao. Well, that's why----
Mr. Walberg. --how do you verify this?
Mr. Chao. That's why we have that inconsistency process
whereby for 90 days we will work with the applicant filer to
make sure that that information, the required information, is
validated on the application.
Mr. Walberg. Mr. Chairman, my time has expired. Thank you
for the additional time. This is an uncertain setting, isn't
it?
Mr. Lankford. Ms. Lujan Grisham?
Ms. Lujan Grisham. Mr. Chairman, thank you very much.
And I also appreciate the opportunity to talk about the
readiness and capability and make sure that we're covering
broad consumer protections, specifically privacy.
I might point out before I get to my question that States
for decades have been collecting financial and healthcare
information from Medicaid recipients, including children, and
working very hard as the technology opportunities have enhanced
to make that interoperable and realtime so that individuals
aren't doing independent applications by hand between one
department that's covering developmentally disabled populations
and another department that's doing brain injury and another
department that's responsible for level of care and another
department that's required to do the financial verifications,
including going to their bank statements.
And we're doing that successfully. And, in fact, after 20
years, I'm not aware of a single State that's had privacy
issues as the core issue, by any stretch of the imagination, or
those consumer protections. We've had issues about Medicaid
implementation, effectiveness, some fraud by providers, and all
things that we should be looking after. But I'm not aware of
anything, including hospitals and their discharge work and
their own Medicaid eligibility sending provider to provider and
provider to State, in fact, the very same information that
we're now going to do at the Federal level.
So I'm happy to say that New Mexico is one of those States
that is glad to help you do this, because we've been doing it
successfully in many of these components for a long, long time.
But to be successful, I'm concerned--and you might have
covered this already--I'm concerned about having a budget that
gives you the staff, that checks, that double-checks, that
makes sure that you're meeting the requirements that we intend
in Congress, both for consumer protection and to make sure that
we get these eligibility issues streamlined effectively since
we're using a Web-based aspect here.
So the Republican budget out of the Appropriations
Committee cuts your budget by 24 percent. And I recognize that
this committee is concerned about IRS issues; I'm concerned. I
introduced legislation that would clarify that ``exclusive''
means exclusive for 501(c)(4)s. I don't believe that there's
been targeting, but I think we don't have the right processes
involved to do it adequately and objectively and correctly. So
this will, I think, help us.
Commissioner Werfel, can you talk to me again specifically
about what a 24 percent budget cut does to adequately and
efficiently implement the requirements of the Affordable Care
Act by the IRS?
Mr. Werfel. It's extremely challenging, in general. I think
when you talk about a 24 percent budget cut for the IRS, you
have to start with the reality that all of our mission-critical
activities will be severely impacted. That means our ability to
collect revenue, work with taxpayers to help them navigate the
Tax Code, do enforcement, go after bad actors who are seeking
to defraud the system, meet other mandates.
We have many legal mandates on our plate right now. We have
work that we're doing under a law that's called FATCA that
deals with disclosing information that's in offshore accounts
that's unreported. We have legal mandates under that.
So when you talk about a 24 percent cut, you really are
negatively impacting taxpayers--small businesses, individuals,
families----
Ms. Lujan Grisham. So this has effects well beyond the
Affordable Care Act.
Mr. Werfel. Absolutely.
Ms. Lujan Grisham. And while, before I lose my minute, I
want to make sure that you hit some of the specifics about the
Affordable Care Act, and I want you to highlight that for every
dollar that comes into the IRS--that includes the staffing
resources to do the work that you're required to do--it brings
in about 6 Federal dollars.
And, for me, this seems like a very political attempt to
undermine the implementation of the Affordable Care Act instead
of what this committee, in particular, should do, is to make
sure that the IRS can meet all of its obligations under current
law.
Mr. Werfel. Right. So I think the ACA tracks some of the
broader responsibilities for the IRS. Our efforts to
modernize--and here, for the ACA, we have to build technologies
to meet these mandates. That certainly would be impacted by
severe budget cuts.
Our ability to work with taxpayers, whether on the phone or
build new tools through IRS.gov so that they have clarity,
whether it's an individual or an employer, we do that in the
tax law generally. It would certainly be impacted by the ACA.
Harder to get someone on the phone, harder to get information
at a taxpayer assistance center, et cetera.
And then we have protecting information. You know, we have
people in place that are doing these reviews and oversight of
agencies that hold taxpayer data. Significant and severe budget
cuts would impact our ability to secure the data.
And then, obviously, enforcement has been a major theme in
this hearing about fraud. We have to have tools in place, both
technology and analytics and expertise and criminal
enforcement, to make sure that everyone's playing on a level
playing field and no one's getting a benefit or money that they
don't deserve.
Everything I just said, I think, is relevant across the
IRS. Everything I just said is relevant to the ACA. And I
welcome a debate and a dialogue around the IRS budget and, in
particular, what a 24 percent cut would do.
Again, my bottom line is I think it's important to look at
it from the perspective of the taxpayer--the individual, the
small business, the large business, the nonprofit, whatever it
is. They will face very significant concerns and consequences
with a 24 percent cut to the IRS, because they won't be able to
access critical services. Because the Tax Code doesn't go away.
They still have to comply with the Tax Code. They still have to
comply, and they often seek and get IRS help in doing so. And
our ability to provide that help and assistance will be
compromised.
Ms. Lujan Grisham. Mr. Chairman, I'm well over my time. I
seek the committee's indulgence for a quick follow-up?
Mr. Lankford. Yes.
Ms. Lujan Grisham. Quickly, so you're going to have to move
staff and shift your priorities. Have you thought about where
you would start? Give me that. Where would you shift personnel
to meet the Affordable Care Act implementation?
Mr. Werfel. Well, we're already starting--you know, if you
look at the sequester impacts, we're already, for example, our
taxpayer assistant centers are closing at 1:30 now, and so less
people are getting in. Our call centers have less people
sitting ready to take calls, so our level of service numbers
are going down.
Ms. Lujan Grisham. Okay.
Mr. Werfel. I mean, it's just--the budget cuts that we
face, the billion dollars between 2010 and 2013, which in part
is due to sequester, are impacting our ability to serve and to
enforce.
Ms. Lujan Grisham. Thank you.
Thank you, Mr. Chairman, for your indulgence, and the
committee's as well. I yield back.
Mr. Lankford. I recognize the chairman of the full
committee, Mr. Issa.
Mr. Issa. Thank you.
Mr. Werfel, when did you start at OMB?
Mr. Werfel. August 4th, 1997.
Mr. Issa. And you've got 63 days or so in your current job.
Mr. Werfel. Yeah, I'm coming up on my 2-month mark.
Mr. Issa. And so you were in a key position to work with
the President, quite frankly, during the discussion leading up
to his offering and signing what became known as sequestration,
right?
Mr. Werfel. I was not involved in the Budget Control Act
negotiations. I was involved, back in August 2011 when the
Budget Control Act--my role was to work with the Treasury
Department to prepare administratively for a potential breach
of the debt limit. But I wasn't on the side of----
Mr. Issa. Okay. Well, I'm just trying to understand the
revisionism that's going on here. OMB did have a critical role,
broadly, in the decision that the President made to go for
sequestration. So, you know, you're sort of feigning that this
is so terrible, when, in fact, this was the President's
decision, and now that it's become law and it's affecting you,
you're saying you can't do your job. Well, I appreciate that
that may be true, but let's go through some numbers.
While you were at OMB, you opposed the DATA Act that was
passed unanimously out of this committee. To a certain extent,
you were helpful in making sure the Senate never picked it up.
Now, the reason for the DATA Act was to mandate structured
data so that interoperability of government databases with
strong enough metadata to secure and ensure that confidential
information would always be in a way that it could not
accidentally go from field to field in some sort of a mix so
that organizations like the IRS, when they want to look at SEC
and they want to look at multitude of filings, would be able to
look at that data transparently in order to do better audits
with less people.
Isn't that roughly what we sold to the Senate but they
didn't buy?
Mr. Werfel. As I've testified before this committee wearing
my former hat, I personally and I think the administration
agreed with the objectives of the DATA Act. Our concerns were
not about what you were trying to achieve; it was the how. And
we were concerned about some of the additional bureaucratic
layers of new organizations in place with roles and
responsibilities on data standardization, which is what caused
us our concerns.
Mr. Issa. You know, what's amazing is I didn't get offered
one amendment from the administration in order to perfect that.
And, candidly, what we're talking about here today, data
security and the comfort level that interoperable databases and
particularly those that are exposed to non-IRS employees, which
will be every piece of information that we care about almost
when it comes to our tax records and earnings and ultimately
the healthcare information, is not going to be covered by a
mandate but rather by good intentions.
Let me go through one quick question here. As part of this
process, this committee has been looking at the IRS and figured
out that you gave, you know, $260 million, but a total of about
half a billion dollars was given to a company that was at best
a shell and perhaps a fraud. This committee had their CEO there
recently. And you've had to finally cancel that contract. But
on July 4th, 2013, CMS awarded a potential 5-year contract
worth $1.2 billion to a British company, Serco.
Now, at least our information is that the FBI has also
discovered Serco's computer systems serving with the Federal
Thrift Savings Plan were hacked. In other words, these people
who are going to run this data have already compromised,
according to the FBI, 123,000 Social Security numbers.
Additionally, the FBI has discovered that--oh, I'm sorry,
that's a repeat. Additionally, they're also being investigated
in Britain at some point.
I guess my question is--Serco has an incredibly large
contract and have proven, as of right now, a failure. Can you
say with confidence that if we give them this much larger
contract, that on day one they're not going to be in a position
to compromise another 123,000 Social Security numbers?
Mr. Chao. The Serco contract is actually with CMS, and it's
called the eligibility support worker contract.
And we've been working with Serco--just recently, you know,
they've been awarded, so for the past 2 weeks we've been
ramping up. And one of the top issues that we're going over is
the security rules and procedures and policies that apply to
them under the general, kind of, FISMA Act of 2012, HIPAA, and
their own corporate practices and procedures. They----
Mr. Issa. Right. But did you know about these problems and
failures before you awarded the contract?
Mr. Chao. No, I was not a part of the contract award
process----
Mr. Issa. Okay, but now that you know about it, we're
working with an entity that apparently does not have the
internal controls or track record, and yet you're here today
saying that, in a matter of days, they're going to have a major
role in major data; is that correct?
So we're working to get a group up to speed that doesn't
have a proven track record. My whole question to you is, in the
awarding of a contract, wouldn't you need an assurance before--
I mean, in other words, I'm not saying you couldn't make them
ready for prime time in a year or 2. The question is, where's
the pilot, where's the proof, where's the confidence that what
has just recently happened won't happen again?
You know, I don't normally have something in front of me
that says the FBI has this problem and you've got a brand-new
contract pursuant to Obamacare.
Let me just hit one more point.
Mr. Werfel, this committee has a broad set of
investigations going on related to the organization you're
trying to fix, and today is one part of our concern. But you're
familiar with the 6103, what it means; is that correct?
Mr. Werfel. Yes, sir.
Mr. Issa. And 6103 was designed and passed into law to
protect the American taxpayer from his or her tax records being
looked at by outsiders or released; is that correct?
Mr. Werfel. Yes.
Mr. Issa. Was it ever intended to protect from Congress
finding out when taxpayers have been abused? In other words,
should there ever be a claim of 6103 when the victim themselves
is asking for the release of the information?
Mr. Werfel. Well, I think you're raising a policy question
in terms of how 6103 is structured. Right now, it's
specifically structured to prevent us from sharing certain
information except to the authorizing tax committees. Whether
that should be expanded or not I think is a public policy
discussion on the nature of 6103. But we follow the law, and
the law requires us to restrict access, except to Ways and
Means.
Mr. Issa. Right. But--and I'm going to finish, because I'm
trying not to go any further over time.
The fact is that if we don't know the name and the Social
Security number or Federal ID of an entity, we don't know their
address, and we don't see financial information, that was the
intent of 6103. Today, your organization is working to say
that, for example, knowing how many groups waited how long, how
many groups are still waiting, those kinds of answers, and
whether there is so much as one individual.
And I'll give you an example here today. There are the so-
called test cases that we've had, two test cases. When we ask,
is one of them still waiting, and we find out, yes, one of them
is still waiting, people are saying, well--and I sent you a
letter yesterday, with the other chairman and subcommittee
chairman--we're being told, well, that may be 6103.
To know that a victim was isolated 3 years ago, pulled
aside, and has never been given a ``yes'' or ``no'' answer, to
know that they're still not giving a ``yes'' or ``no'' answer,
the claim that that's 6103 is a claim that, in fact, Congress
and the public is not entitled to know that information.
And I ask it that way for a reason. I understand another
committee can see certain information, but it's the public
that's entitled to know.
Isn't it true that at least one entity that applied more
than 2 years ago still does not have a ``yes'' or ``no'' after
the abuse that has become public that we're all aware about as
to ``Patriot'' and ``Tea Party'' organizations?
Mr. Werfel. So, three quick responses.
One, just to reemphasize, we do share the information, but
the law restricts us from sharing it only with the chairman of
House Ways and Means and the chairman of Senate Finance.
Second, a taxpayer can, under 6103, authorize broader
disclosure. They can waive their rights, and you can get the
taxpayer to--say, ``It's important to make this publicly aware,
but I need you to sign something,'' and often taxpayers agree
to do that.
And, third, with respect to--you know, as I've testified
before you, I'm concerned about the delay that we've seen in
application packages in our Exempt Organizations unit. And
perhaps in a different setting, whether off the record or on, I
can walk you through very important reforms that we're making
to our 501(c)(4) process to correct that from ever happening
again.
Mr. Issa. Well, just for the record, if an organization
says, we'll waive our 6103 rights so the committee can see the
individual records, the IRS's current position is they won't
show us the emails where they conspired against or debated
that, ultimately, we don't need to see their records, they can
hand us their records. We need to see who at the IRS was
delaying and denying and dealing with it, and that's individual
emails with specificity as to those 501(c)(4)s.
Thank you. I yield back.
Mr. Lankford. Ms. Maloney?
Mrs. Maloney. Well, thank you.
The chairman raised an important point, that a contractor
received this contract on very sensitive information, an
important one, and, according to his words, it doesn't have a
proven track record.
You know, I want to know how that happened. Don't you look
into the backgrounds to make sure they know what they're doing?
I'd like to speak to Mr. Chao.
And, also, I would like you, Mr. Chao, to also talk about
how difficult it is to reconfigure the data hub that you are
now raising and running if a State decides to assume more or
less responsibility for an exchange. Are you adaptable?
Now, I would like to put a little good news into the
hearing today. The New York Times reports that the health-plan
costs for New Yorkers is set to fall 50 percent. Now, this is
great news for consumers, and it's an extraordinary decline in
New York's insurance rates for individual consumers.
So it shows the profound promise of the Affordable Care
Act. But you can't get to the Affordable Care Act if the
computer system isn't working. So this is a very clear thing,
and I'd like to know more about it.
But I'd like you to comment on this article and how your
hub can address--I know that some States have not gotten their
exchanges up and running. So how are you adjusting with States
that don't have it up and running?
New York State, to its credit, has gotten it up and
running, and it has great promise for consumers.
So how are we making this configuration? And I guess, Mr.
Chao, as the head of the hub, maybe you should be the one to
answer.
Ms. Tavenner. Congresswoman, with your permission, could I
address the New York issue and the Serco issue?
Mrs. Maloney. Sure.
Ms. Tavenner. On the New York issue, we were obviously
pleased to see that this morning. And I think it reaffirms what
competition and transparency can do in a marketplace, and that
really is what we're doing in the Affordable Care Act,
effective in October and beyond.
On the Serco issue, notwithstanding what the chairman just
brought to our attention, Serco is a highly skilled company
that has a proven track record in this country and has done a
lot of work with other Federal agencies. We are actually
working with the U.S. corporation, and they are actually
present in three States. And we--they were awarded through a
full and open competition, so, obviously, they do have a track
record with security and privacy.
And I'll turn it over to Henry to answer the other
question.
Mrs. Maloney. You know, but, also, can the system handle
the varying degrees of astuteness or availability or readiness
of different States?
Ms. Tavenner. Yes, and that's where I think Henry comes in.
Mrs. Maloney. Do you have a different system for each
State, or is it all one central, big system? And is it
government or private?
Mr. Chao. The federally facilitated marketplace system is
comprised of several actual, you know, kind of, working pieces
of system architectures that perform eligibility enrollment,
QHP and plan management functions, financial management, you
know, generating payments for the issuers.
The hub, as we mentioned earlier, is a routing tool. It
affords the efficiencies that are needed for multiple points
that are requesting the same information from authoritative
data sources to connect to those data sources, and then
enforced with a uniform service level.
That is a scaleable system that is government-owned, and--
it's privately contracted, but it is government-owned. It is--
--
Mrs. Maloney. Who will run it? Will the government run it,
or will the private sector run it?
Mr. Chao. It's a combination of government, you know, staff
and contracting staff that will staff an operations center that
actually monitors its operations 24 hours a day.
Mrs. Maloney. And where is it located?
Mr. Chao. It's in Columbia, Maryland.
Mrs. Maloney. Uh-huh.
Ms. Tavenner. And I would add that one of the advantages of
having this hub is that, whether States or State-based
exchanges or some type of partnership model or whether they
default to the federally facilitated exchange, it's
transparent. It's easy for us to make those changes. And that's
part of the----
Mrs. Maloney. And what is there to protect the privacy of
the individuals' health records? How do you protect that?
Mr. Chao. Well, first of all, we don't collect any health
record information or store health records. I think that's an
interaction between a consumer that ultimately is enrolled in a
qualified health plan and then, working with that health plan,
accessing benefits and utilizing benefits, that that
relationship affords the ability to collect and store and
process. That's a relationship between the consumer and the
health plan.
The ability for us to protect privacy of the individual is
working with SSA and IRS and in enforcing the very stringent,
you know, and rightfully so, 6103 provision and flowing that
through, you know, Mr. Milholland and other chief technology
officers and chief information officers from around the Federal
Government, worked with as a group to develop what we call the
harmonized privacy and security framework.
Even though each agency operates under very strict
guidelines, its own guidelines to operationalize FISMA and
HIPAA and 6103 in IRS's case, we had to get together because
this data via the hub was moving and being requested by
multiple entities, including the State endpoints, that there
are their own marketplaces.
So we had to get together to make sure that the
implementation of those security and privacy controls and
operations was harmonized and are common across all the
agencies and not dissimilar, as if we were implementing the
program in different parts.
So we got together early on to do this, to make sure that
we have greater security and privacy, you know, kind of,
enforcement and monitoring. And the bar is set by 6103 and the
Privacy Act.
Ms. Maloney. My time is expired. Thank you.
Mr. Lankford. Mr. DesJarlais.
Mr. DesJarlais. Thank you, Mr. Chairman.
Ms. Tavenner, I have some questions for you, but first, Mr.
Werfel, I just want to revisit a little bit of the dialogue
that you had with Mr. Jordan earlier.
He had asked you if Ms. Hall Ingram was in charge of the
department that oversaw the targeting of conservative groups,
and what was your response to that?
Mr. Werfel. My response is that Ms. Hall Ingram has
specific ACA responsibilities, but there are other individuals
within IRS who have responsibilities at the same level, but Ms.
Hall Ingram does play a coordinating role amongst our various
ACA activities.
Mr. DesJarlais. Okay. And one thing we've had, I guess, a
hard time getting anyone from the IRS to say in multiple
hearings that we've had is that the IRS was guilty of targeting
conservative groups.
You stated that you are the most senior accountable member
at the IRS currently; is that correct?
Mr. Werfel. That is correct.
Mr. DesJarlais. Are you willing to go on record today and
tell the American people that the IRS did target conservative
groups?
Mr. Werfel. I have said--I've testified previously that I
believe the use of political labels to screen out applicants
for increased scrutiny, inappropriate political labels, is
equal to the term ``targeting,'' so I don't dispute that.
Mr. DesJarlais. All right. Well, it's been hard to get
someone to say that, and I know that moving forward into this
healthcare law, that you have a credibility issue with the
American people, and I think it's very important that you be
forthright, and I appreciate you saying that today when so many
others have taken the Fifth.
Ms. Tavenner, you had testified earlier about the
preparedness of the CMS, and you're feeling pretty comfortable
about the ability to be ready on October 1st?
Ms. Tavenner. Yes, sir.
Mr. DesJarlais. Okay. I would like to submit for the
record, without objection, Mr. Chairman, the data collection
instrument from the GAO report from June 2013.
Mr. Lankford. Without objection.
Mr. DesJarlais. Okay. Ms. Tavenner, we have a document that
was obtained that shows that CMS had only completed 20 percent
of its work to establish appropriate privacy protections and
the capacity to accept, store and associate and process
documents from individual applicants and enrollees
electronically and the ability to accept image upload
associates and paper documentation received from applicants and
enrollees, so the fact that Obamacare became law in March of
2015, but yet it's just a few months ago the administration had
completed only 20 percent of its work to establish appropriate
privacy protections and capacity to accept, store, associate,
and process documents from individual applicants, why would you
say the administration failed to prioritize privacy protection
and data-sharing standards?
Mr. Chao. I can answer that, Congressman.
Mr. DesJarlais. Well, Ms. Tavenner, first, you go ahead,
and then I have a question for you Mr. Chao.
Ms. Tavenner. Well, first of all, I would say that GAO
reports and other reports are taken of a snapshot in time, and
a lot of work has been completed since that time, and I will
let Henry speak to the details of that.
Mr. DesJarlais. Okay. Mr. Chao, are you 100 percent
finished establishing appropriate privacy protections?
Mr. Chao. No, we are not.
Mr. DesJarlais. Okay. If not, how much and when will you
be?
Mr. Chao. I think since the last report, we are probably--
and this is a very kind of ballpark generalized roll it up kind
of a figure, I would say with regard to the privacy and
security, we are probably about 80 percent.
Mr. DesJarlais. Okay. So the snapshot a couple of months
ago, you're at 20, and now you're saying you're at 80. Are you
going to be 100 percent on October 1st?
Mr. Chao. Yes.
Mr. DesJarlais. Ms. Tavenner, do you feel that that's
reasonable that in 3 years you got to 20 percent, and now, in
75 days, we are going to get to 100 percent?
Ms. Tavenner. Yes.
Mr. DesJarlais. Okay. In--also, there's 25 percent of the
work to establish the adequate technology infrastructure and
bandwidth to support all the activities with respect to the
exchanges. Again, why did the Administration fail to prioritize
this sooner? I'll ask the same question, Ms. Tavenner.
Ms. Tavenner. I don't know that it's a failure to
prioritize. There is a certain workflow that has to--actually,
first you have to put the regulations in process, then you
start to develop the product from the regulations, and this is
just the work in progress as any complicated project. We are
now within the 90-day period of completing the work.
Mr. DesJarlais. Mr. Chao, the CMS document given to GAO
says that the estimated completion date establishing an
adequate technology infrastructure and bandwidth was July 1st,
2013. Did you meet your deadline for completion of this task?
Mr. Chao. We have. It's a constant changing target because
the target is actually----
Mr. DesJarlais. The deadline is moving.
Mr. Chao. No, the target is October 1st, and we make
adjustments as we go to make sure that that target of October
1st is not missed. As of this month, all the infrastructure and
the required, you know, hardware, software capacity, all of
that is available and up and running. The specific application
software, such as the ``My Account'' that I talked about
earlier, the enrollment and eligibility pieces, the loading of
the QHP information to process in enrollment and a payment to
an issuer, that is an ongoing process. All that code and those
databases are still being built throughout the summer.
Mr. DesJarlais. Okay. So both of you are testifying today
that these shortfalls that are in the report that I mentioned
are going to be 100 percent complete on October 1st?
Mr. Chao. Correct.
Mr. DesJarlais. Ms. Tavenner?
Ms. Tavenner. Yes, sir. And we certainly will have
mitigation strategies. I think someone mentioned earlier, and
in our opening comments, that we will be prepared. We will
start October 1, and we will certainly have hiccups along the
way, and we are prepared to deal with this.
Mr. DesJarlais. Okay. Very quickly. When did you learn that
the employer mandate would be delayed?
Ms. Tavenner. When did I personally?
Mr. DesJarlais. Uh-huh.
Ms. Tavenner. On June 24th or June 25th.
Mr. DesJarlais. Why did the President wait till July 2nd to
announce that?
Ms. Tavenner. I don't know. I was not part of that
discussion, but I actually was made aware that it was being
considered on June 24th.
Mr. DesJarlais. All right.
I yield back, Mr. Chairman.
Mr. Lankford. Thank you.
The ranking member of the full committee, Mr. Cummings.
Mr. Cummings. Thank you very much, Mr. Chairman.
I want to thank you all for being here. I want to thank you
for what you do for the American People.
Mr. Werfel, I want to pick up on where Chairman Issa was
going to take it to a little further. I would like to ask you
about the ongoing investigation into the treatment of Tea Party
applicants for tax exempt status. During our interviews, we
have been told by more than one IRS employee that there were
progressive or left-leaning groups that received treatment
similar to the Tea Party applicants. As part of your internal
review, have you identified non-Tea Party groups that received
similar treatment?
Mr. Werfel. Yes.
Mr. Cummings. We were told that one category of applicants
had their applications denied by the IRS after a 3-year review;
is that right?
Mr. Werfel. Yes, that's my understanding that there is a
group or seven groups that had that experience, yes.
Mr. Cummings. As I understand it, last week, the IRS was
prepared to make a document production to the committee. And by
the way, this is a request from the chairman, and those
documents would have shown other categories of applicants,
categories in addition to the Tea Party groups we have been
focussing on today. Before I go any further, is that right?
Mr. Werfel. Yes.
Mr. Cummings. I understand that our committee does not get
access to information about specific taxpayers. I think it's
6103, is that right, those--there are certain that prevent us
from getting certain information, what Mr. Issa was talking
about earlier generally.
Mr. Werfel. That's correct. We'll make certain redactions
if we believe that the information would be too--have too much
information so that you could zero in on a specific taxpayer,
so we'll make those redactions.
Mr. Cummings. I understand. Under 6103 of Title 26 of the
United States Code, the IRS cannot reveal specific taxpayer
information. In order to make these determinations, and this is
going to what you just said, the IRS has a--have career
employees who are experts, this is what they do.
Mr. Werfel. Yes.
Mr. Cummings. In determining what is covered by the
statute; is that correct?
Mr. Werfel. That's correct.
Mr. Cummings. And in this case, these experts determine
that the IRS could provide this information to the committee.
They said the documents did not reveal specific taxpayers but
instead referred to categories of groups just like the Tea
Party groups; is that right?
Mr. Werfel. Yes, that's correct.
Mr. Cummings. So, based on this established process, we
should have received that information last week. And by the
way, to his credit, the chairman has been very aggressive in
going after documents, but we did not receive that information.
Instead, I understand that the Inspector General intervened.
Let me say this again. It's my understanding that the Inspector
General intervened personally.
Now, Mr. Werfel, my question is, can you tell us what he
did, did he call you, and what did he say?
Mr. Werfel. Okay. The----
Mr. Cummings. In other words, we are being denied, this
committee is being denied documents that we have requested. Let
me finish. And the chairman, to his credit, has been extremely
aggressive in trying to get documents, and I have been accused,
by the way, of obstructing the investigation, which is totally
ridiculous.
I want the documents. Now, tell me what the IG said that
prevents our committee, that our honorable chairman, Mr. Issa
requested, what did he say to you to cause us not to be able to
get the documents after your experts told us we should have
them? Can you tell us what--what that's all about?
Mr. Werfel. Yes. We were imminently going to produce a
document in an unredacted form that would indicate the identity
of a grouping of entities that we felt were similar in kind of
scope as Tea Party in terms of its grouping, so that it
wouldn't be able--you wouldn't be able to identify a particular
taxpayer because the grouping name was so broad.
And he reached out, when he learned that we were about to
produce this information, and expressed concern and indicated a
disagreement with our internal experts on whether that
information was 6103 protected or not, and out of an abundance
of caution, the IRS decided to redact that information until we
could sort through with the IG his position and understand why
it's different from ours. And we've had subsequent
conversations with him where we have reasserted our position
that the information should not be redacted, but we have not
reached resolution with him at this point.
Mr. Cummings. I don't understand. I thought that the career
officials at the IRS, the officials who do this for a living
day after day, hour after hour, already determined that it was
okay for the IRS to produce these documents to the committee
that Chairman Issa requested. This seems very strange, Mr.
Werfel. I know you just started, but has this ever, to your
knowledge, happened before, the inspector general personally
intervening to prevent disclosures to the Congress of the
United States of America, have any of your staff members ever
heard of this happening before?
Now, you're surrounded by folks. You can look around, and
they may tell you something different, and if they've got--if
they've got some other answers, if they haven't been sworn in,
Mr. Chairman, I ask that they be sworn in so we can know of
these exceptions.
And by the way, Mr. Chairman, I just want the same amount
of time that Chairman Issa was given. It was a total of 10
minutes, with unanimous consent, please.
Mr. Werfel. I just don't know the answer to that question.
I personally am not aware of any similar situation, but we can
take that question back and do a broader inquiry amongst the
IRS leadership and other professionals and get an answer.
Mr. Cummings. I ask that you please have that answer to me,
if you can, by tomorrow morning. We're going to be seeing the
inspector general tomorrow, and I want to make sure that I do
not prejudge him. I do not want to put anything out there to
accuse him of anything and then go searching for facts. I
simply want the truth so that we can restore the trust.
Our interest is in getting as much information as possible.
So, let me make sure I understand this. If the inspector
general withdraws his objection, will you produce that
information to the committee that Chairman Issa requested?
Mr. Werfel. Yes.
Mr. Cummings. Now, let me say something else. Ms. Tavenner
and Mr. Chao, I heard Mr. DesJarlais' questions, and as I sat
here and I listened to my good friend Mr. DesJarlais and he
talked about, at one point, you were at 20 percent with regard
to the privacy protections.
And then I think you said, Mr. Chao, and correct me if I'm
wrong, you are now at about 80 percent.
And then you and Ms. Tavenner agreed that by October 1st
you would be at 100 percent, and if there were any problems or
hiccups, in your words, Ms. Tavenner, you were prepared for
that; is that correct?
Ms. Tavenner. Correct.
Mr. Cummings. Well, I stop here for just a moment to thank
you for doing what you do to prepare for something that is
already the law. Although we are getting ready to vote on it,
by the way, for the 38th time, it is the law, and you all have
a duty, and I am so glad that even with all the chatter, you
have to stay focused, you have refused to be distracted and you
made sure that the American people--that the Affordable Care
Act and the part that you all have to play in that, that you
are prepared to do that, and I want to congratulate you. I know
quite often you get negative comments, but the idea that you
all took a monumental stance, and I want to say this to the
other IRS employees, we appreciate it.
Now, let me say one last thing in any last 1 minute. I've
said it from this dais before and I will say it until I day:
This is the United States of America. Every single person on
this dais, if they have ever hired anybody and ran anything,
has fired somebody, and just because we have some bad apples
that don't do the right things does not mean that we stop
operating. It means that we take the bad apples out, and we
continue forward.
This whole idea that there was a problem in the IRS and
there are ongoing problems and the problems that you are trying
to straighten out, Mr. Werfel, to your credit, we should not
then suddenly wave a white flag and say, oh, we can't carry out
the Affordable Care Act. This is America. We are better than
that, and I know that you know that, and I get tired of people
just because there are problems, suddenly they said, oh, no, we
can't carry out the law. No. We are better than that. And so, I
want to thank you all and may God bless.
Mr. Lankford. Two quick notes here, Mr. Werfel. I know you
have a hearing at 1:00 today. We've been at this for a little
over 2 hours this morning. I know you need to be excused pretty
quickly. You have time for one more question, or do you need to
go ahead and scoot out now?
Mr. Werfel. No, absolutely. Please.
Mr. Lankford. Okay. It is--Mr. Woodall is up.
Mr. Woodall. Thank you, Mr. Chairman.
And thank you, Mr. Werfel, for spending a little more time.
I actually had a couple of questions, too, because I think
you're a very serious public servant. I've been a public
servant in a couple of different capacities myself, and I think
it's fine for us to disagree about the issues. I think you have
to be serious about the work.
And I appreciate Mr. Cummings' comments about you had a
responsibility, Ms. Tavenner, you had a legal responsibility,
and you carried it out, and he's tired of hearing excuses for
why it is we can't get things done.
My question to you, Mr. Werfel, is, that's what we saw on
the Treasury blog. We just can't get things done. Ms. Tavenner
says, we were only at 20 percent a month ago, but we are going
to make it happen by October 1st.
The President seems to have decided or the Secretary seems
to have decided that, no, we just can't get things done, no
doubt to the frustration of my friend from Maryland.
We've got a bill on the floor this week that makes that
statutory change, taking the Administration at its word that
they can't get it done, we make that statutory change from 2014
to 2015. Several times during this hearing, folks have said, we
just have to follow the law.
In your discussion with the Chairman about 6103, you said,
you know, there may be some policy discussions about 6103 that
we ought to have, but we at the IRS, we just follow the law.
Mr. Cummings applauding CMS for following the law, doing what
was required by law. Why is it that we don't have Treasury's
support for making a statutory change to the law rather than
just doing things that we would like to do administratively?
I think one of the real challenges we have is we don't have
any need to work together any longer. We want to do something,
we just do it here on Capitol Hill. You guys, the
Administration decides you don't like the way things are going,
you just do something different. Why is it that it would not be
better for the public servants who have to implement these
laws, for us to actually change the law rather than do it
through blog posts of administrative decisions?
Mr. Werfel. The challenge that I have, Congressman, and I
appreciate the question, is that the role that the IRS has in
relationship to Treasury is they make determinations on policy,
they work on whether we are going to support or oppose and how
we are going to work with Congress on the laws itself, and we
really are all about administration. So, from my vantage point,
I can answer questions for you on the decision that the
Treasury made and how it impacts the IRS' ability to implement
the ACA, but in terms of the--whether it should be
legislatively incorporated is something I'd have to defer to
Treasury.
Mr. Woodall. I understand your challenges in that and
respect it. I think about what Mr. Cummings has said about
applauding the good work of IRS employees across the country
and a few bad apples. I mean, I stay regularly at town hall
meetings. You all have a horrendous job, and the job that you
have that is made so horrendous is made so horrendous by the
laws that we pass here on Capitol Hill. I feel a great burden
for the responsibility we put on you.
I guess what I'm asking is, we just perpetuate the
frustration with IRS employees when we put them in untenable
positions. And putting the IRS in the untenable position of
having statutes that require laws to be enforced and saying,
but no, we are not going to enforce those laws simply
perpetuates the negative stereotypes that go on out there
today. So, understanding that you might not be able to
speculate on why those decisions were made at Treasury,
wouldn't you push up the ladder, hey, here's the Congress that
wants to work with us to get this done in a statutory way for
the House, the Senate, the President, to come together and do
exactly what Treasury seems to be asking for, why can't we come
together and do that? Why won't you push that message up the
chain?
Mr. Werfel. Well, without particularly commenting on this
issue, I think in general what the IRS does is we--we do have a
guiding principle that the simpler the tax code, the simpler
the laws are, the more clear they are, the more we are going to
be able to administer it then effectively and efficiently. And
so, you know, we have that guiding principle, and then as we
deal with different legal issues that arise, Treasury will
consult with us on the administrative aspects of them.
Mr. Woodall. I understand that, and I absolutely agree with
that. I would say, ``shall begin after December 31st, 2013'' is
pretty simple. I would say that subsidies shall apply to State-
based exchanges is pretty simple. We've done the best we can in
terms of simple law, and folks have gone and reinterpreted what
was very simple law, and that's the frustration to me as a
legislator.
I hear what you say to the chairman, 6103 is clear, it's
black letter law, Mr. Chairman, we can't avoid it, and I'm
thinking, for Pete's sake, you decided that you don't like the
mandate timing, so you'll do something different there. You
decide you don't like the subsidy implementation, so you'll do
something different there. These are very serious men, the
chairman and the ranking member, you could just decide, you
know what, 6103, it says, Finance Committee and Ways and Means,
Chairman, but it probably should have included the oversight
guys, too, probably should have. The subsidies probably should
have done the Federal exchanges. The deadline probably should
have been a year out, but you don't.
There is a lot of lack of confidence in America in both the
administration and the Congress these days. We have
opportunities to work together instead of working against each
other, and it frustrates me that even on something as simple as
a date change, we can't even take advantage of that opportunity
to restore faith in the people's government here in Washington,
and I thank you all for being here.
Thank you, Mr. Chairman.
Mr. Lankford. Thank you.
Mr. Werfel, I know you've got to scoot out of here and get
ready for the next hearing. Thank you for being here.
Mr. Milholland, will you be able to remain or----
Mr. Milholland. I can remain.
Mr. Lankford. That would be great if you can, so if you
need to answer for IRS.
Mr. Perry.
Mr. Perry. Thank you, Mr. Chairman.
Ladies and gentlemen, thank you very much for being here.
We understand on this committee that--and in Congress, that you
have a duty to perform and you don't always necessarily agree
with what we send out of this place, but you do your duty and
you perform it as best you can. We appreciate that. We also
have a duty as well, and I would take some exception with the
statement that our duty is to make sure this works.
We have a duty to our constituents to make sure that we
echo their concerns and ask questions on their behalf, and on
my part, a lot of my constituents are concerned and skeptical
about this law and the contents therein, and so I want to ask
some questions on their behalf.
I guess, Mr. Chao, I'll start with you, because I'm not
really sure who else to start with. Who--is there one person?
Who is the charge--or who will be in charge of the data hub?
Mr. Chao. In CMS, we typically have a combination of lead
policy, what we call business owners of the hub. The
administrator ultimately is accountable and responsible for any
of the technology that we implement to support the programs,
but the day-to-day operation is governed by a board of business
and technical leadership in the agency.
Mr. Perry. In CMS or the IRS?
Mr. Chao. There is a CMS and as well as a cross agency----
Mr. Perry. So it's a bunch of people who will never have,
in my opinion and I think in a lot of American people's,
because of that, there is never really going to be true
accountability because something happens, everybody's going to
point to everybody else. I mean, it's a--how many people are we
talking about? Do you know? I mean, you're--you're in charge of
some of this stuff. Do you know?
Mr. Chao. I think what it boils down to is there is only
less than a dozen people who are truly----
Mr. Perry. Less than a dozen, okay, and some from our--
there are five agencies. Somebody from the five agencies, a
person from each within the five agencies that are getting data
in, taking data out? I mean----
Mr. Chao. Correct.
Mr. Perry. Okay. So, I mean, you are going to know my
Social Security number, my email address, my home address, my
financial information, whether I ever got a DUI, you are going
to know--this--this portion of government, the Federal
Government is going to know literally everything about me
that--and everything about every 300-plus million Americans
that they find personal and are concerned about having their
neighbors know about, and so they're right, I think, to be
concerned.
Who determines what questions are asked? And I know you
kind of alluded to, at least in one part, that you are not
going to have personal information or personally identifiable
information, but in another sense, I thought you said that
you're going to know the home address, the email address,
ethnicity. Who--who determines the question? Why is ethnicity
important? Why is whether my wife is pregnant important? And
when does she have to report it? Or when do you find out? What
do you do with that?
Mr. Chao. We make a proposal under the Paperwork Reduction
Act, in which actually the public and Congress and anyone with
the public at large can comment on the questions that we've
asked, that we've included, that we felt essential to be part
of that streamline application; that's online to apply for
affordable care.
Mr. Perry. So you make a recommendation, and we can provide
comment, and what happens with our comments when we object?
Mr. Chao. I think similar to rulemaking, we factor those
comments in and categorize them and take a serious look at the
policy and legal angles and technical implementation angles of
it and we try to accommodate the kind of the very, very huge
concerns that we get back under----
Mr. Perry. So, you're with CMS. Why is ethnicity important?
Who is it important to?
Mr. Chao. I am on the IT side. I cannot answer.
Mr. Perry. Yeah, but you're--that's the thing. You are one
of these guys that are at the top. Are you one of the less than
a dozen people on the committee in charge of the data hub? Are
you one of those people?
Mr. Chao. Yes.
Mr. Perry. Okay. So if you don't know this, who does? Who
knows the answer, and shouldn't you know it?
Mr. Chao. I think within my purview, I don't try to
question every detailed policy that I am asked to implement. I
am more concerned about capturing the requirements to make sure
the system is reflecting----
Mr. Perry. But you are one of the people that weighs in on
whether it's important or not for your organization and what
you do, and this is the American people's personal information,
so it needs to be important to somebody. If everybody took your
opinion, nothing is important to anybody as long as the next
guy said it was. I mean, the fact that you didn't know about
this Serco. I mean, do you think the American people believe or
know right now that all this information about them is going to
be handed off in some form to private contractors? Do you think
they know that?
Mr. Chao. I think they will know because they are in charge
of consenting to that release. We--when you----
Mr. Perry. So, on the release, it's going to say, ``I'm
giving my information to CMS,'' or ``I'm giving my information
to Serco''?
Mr. Chao. It's actually the process. So if you're in that
inconsistency period, you are giving consent that we will be
handling any issues that you have.
Mr. Perry. You'll be handling it, but it doesn't say that
your information will be handled through us via contract by a
private organization who's owned by a British company or by
MasterCard or whoever the contractor happens to be at that
time.
Ms. Tavenner. Let me try to help answer some of these
questions because I think the accountability obviously stops
with the CMS administrator, and that's me, and we do have
business owners, and Henry is responsible for the IT
implementation.
Let me start with your question about health information
and a reminder that the hub does not store any information, but
it does not even ask for health information. The only time that
pregnancy becomes an issue is, obviously, if someone is
qualifying for Medicaid and there are benefits, they are
eligible for Medicaid and maybe they're pregnant so it varies
State By State, so that would be the reason for the pregnancy
question.
Much of the information that we ask is required by law, and
if you'll remember, there a couple of months ago, we went from
a long application process down to what we are calling a 3-page
application for an individual who is applying on the
marketplace. But once you start to get inside, whether it's
Medicaid or CHIP, there may be additional questions that we
need to answer in order to help someone get eligibility. That's
usually done at the State level.
There is no health information. When we work with Serco,
Serco is helping with enrollment and eligibility, so there is
data that we store around things such as your email address,
such as your phone number, such as Social Security, but part of
that is stored so that if you have a dispute about whether or
not you were eligible or you have an appeal, we have that
information, but it's not kept on the hub.
Mr. Perry. It's stored somewhere.
Ms. Tavenner. Yes.
Mr. Perry. Mr. Chairman, with indulgence, one last
question, is for Mr. Milholland. We heard earlier that there
would be penalties for folks that had breached the confidence
of the American people by providing that information to folks
outside, tax information, so on and so forth, you work at the
IRS. Let me ask you this, regarding the information, regarding
targeted political organizations that we recently learned
about, has anybody been penalized at this point that you know
of in your organization?
Mr. Milholland. The only thing I am aware of is people are
no longer in the jobs they were in.
Mr. Perry. Have they lost their pay?
Mr. Milholland. That, I do not know.
Mr. Perry. Thank you, Mr. Chairman. I yield back.
Mr. Lankford. Mr. McHenry.
Mr. McHenry. Thank you, Mr. Chairman.
Mr. Duncan, in your March report of this year, TIGTA gave
no indication there would be problems with the IRS'
implementation of reporting requirements; is that correct?
Mr. Duncan. That's correct.
Mr. McHenry. Okay. So does that include section 6--6055
that requires insurers to report about the coverage that they
provide?
Mr. Duncan. There are several information requirements from
insurers, employers, from the exchange itself on a monthly and
annual basis, so all that information will flow to the Internal
Revenue Service and has to be processed, maintained and kept.
Mr. McHenry. But you had no issues with that.
Mr. Duncan. That is still not really done until 2014 will
that data start to flow to the IRS.
Mr. McHenry. Okay. But does this include section 6056 that
requires employers provide information on the health insurance
they provide, so----
Mr. Duncan. We are very concerned about that with the
recent change and the recent----
Mr. McHenry. No, no, but prior to that. We're talking about
your March reports. I mean, because you're there to make sure
that we're, you know, the IRS is moving along in the path here.
Mr. Duncan. That's correct.
Mr. McHenry. Right. And so, in your March report, you said
they didn't have any issues with this process of getting that
information, right?
Mr. Duncan. That was the information that they were
collecting for the income and family size verification.
Mr. McHenry. Right. That's what I have.
Mr. Duncan. And the overall plan that they had in place
looked good.
Mr. McHenry. Looked good. Okay. So, you know, when we see
the President announce this change, right, on employer mandates
and then we see this other movement in terms of reporting
requirements, right, which you have the business mandate, then
the reporting requirements that the President then, through
this administrative procedure here, they've said, well, we are
just not really going to verify very much, right, but is there
in basis, basis in practice, right, saying that they really
don't have that capacity, I mean, according to TIGTA?
Mr. Duncan. In accordance with what we reviewed in the
application that we looked at the IRS and our understanding, as
of today, is the IRS will continue to provide to the exchanges
through the HHS hub----
Mr. McHenry. All right.
Mr. Duncan. The income and family size information. Now, we
did not see, in our review, that there was a major change in
the IRS need or requirement to provide that information if it's
available.
Mr. McHenry. Yeah, but I mean, this is the verification
process to ensure that people are complying with it, right?
Mr. Duncan. Yeah. I just want to make sure, though, that we
understand that the IRS information is only one set of
information that the exchange will use in looking at and
determining what the final income and family size data should
be.
Mr. McHenry. Okay. So let's run a scenario here.
Mr. Duncan. Uh-huh.
Mr. McHenry. Okay. So, you know, in a state that doesn't
expand Medicaid, for instance, North Carolina being one, and I
represent a district in North Carolina. A man who earns
$15,000--I am just going to walk through this scenario so
people have an idea--would be eligible for a $3,400 subsidy if
his employer does not extend an offer of affordable coverage to
him or her, for instance. And so in 2014, with the Federal
Government, would they be able to verify whether this
individual had an offer of affordable coverage at work?
Mr. Duncan. I assume the HHS or the exchange at the state
level would be in a position----
Mr. McHenry. We don't have an exchange at the State level.
Mr. Duncan. Then the Federal exchange would have to be
doing that, and they would ask for information from the
Internal Revenue Service as well as other locations.
Mr. McHenry. Okay. So, Ms. Tavenner, if an individual fails
to report that he has an offer of affordable employer-sponsored
insurance, right, will he receive a subsidy of that $3,400?
Ms. Tavenner. When an individual does do the self-
attestation, they would verify whether or not they had
employer-sponsored insurance.
Mr. McHenry. Right, right, so they're going to say, hey,
here's the deal, didn't get it, give me $3,400 bucks, subsidy.
So, you know, if I'm verifying for myself, right?
Ms. Tavenner. If you're verifying for yourself and you say
that it's available and you didn't get it, you will not be
eligible for the tax credit. And a reminder----
Mr. McHenry. Right. But who's going to say I'm not eligible
for free stuff?
Ms. Tavenner. So, I'll remind you that you signed, when you
complete the application, that this is under law, perjury,
okay, so there are consequences to an individual who is not
truthful on their application.
Mr. McHenry. So what kind of enforcement are you going to
have on that truthfulness?
Ms. Tavenner. Obviously, we would follow law.
Mr. McHenry. Right. But you have to have people to execute
the following of the law. Are you going to ring them up and
say, hey, by the way, were you honest then this self-
attestation?
Ms. Tavenner. Well, we will look at ways to verify.
Mr. McHenry. Oh, you'll look at it. Okay. We are talking
about this going into effect this fall. We wanted something a
little more than a look for. What is your process to verify
that what they said was in fact true?
Ms. Tavenner. So, we--there are a couple of ways.
Obviously, we will verify first with the IRS, with SSA,
information that's available. If we are not able to get
everything we need there, we will work with private commercial
products, such as Equifax.
Mr. McHenry. So, Equifax would have knowledge on whether an
employee of my brother's business was offered a health
insurance plan that was commensurate with the requirement under
Federal law? Equifax would have that knowledge?
Ms. Tavenner. We are looking at a process and I'll be happy
to get back to you with those details, so I need to get--walk
you through the process, and I'm happy to.
Mr. McHenry. I would think you would sort of think this
through with this big announcement that we are going to waive
the employer mandate, right?
Ms. Tavenner. We are going----
Mr. McHenry. But you leave the individual mandate, so
people are required, under compulsion of the law, right, which
apparently you haven't thought about the enforcement of that
law, which is sort of interesting, and maybe sort of liberating
for some people, by the way, that you still have it on the law,
but you don't have any enforcement mechanism.
Ms. Tavenner. And I'm happy to get back with you of that
process.
Mr. McHenry. Well, I would hope you would get back with us,
and I hope you would think more deeply about this. When you
testify to Congress about something this important, that you
would have taken a little bit of time to think through that
verification process and that enforcement mechanism that you
have enormous authority, as well as the IRS, to enforce it.
And so, with that, Mr. Chairman, thank you for the
indulgence of time, and I didn't get to the fullness of the
questions I had, but this--this is outrageous that the non-
answer that I was given. I appreciate the chairman's work on
this.
Mr. Lankford. Ms. Tavenner, about how much time do you
need, do you think, to be able to come back on his question?
Ms. Tavenner. Yes, a few days.
Mr. Lankford. A few days. Great. Thank you for that.
Mrs. Black.
Mrs. Black. Thank you, Mr. Chairman.
I want to thank you and the committee members for allowing
me to sit on the committee and be able to ask questions to this
very important issue. I want to thank all of you for being here
to testify as well.
This is something that is really very near and dear to my
heart because I come from a State called Tennessee where we had
TennCare. We had the pilot project. So I'm very familiar with a
lot of what's going on.
As has been reported by one of the members of this
committee, there has been a lot of information out there that I
have put out to say, there are questions that need to be
answered, and I'm glad that you're here today to answer those.
I do want to go back to say that it is very concerning that
there's a conflict. There's a conflict between what you say and
what we read, and I want to start with the first of those,
because I want to go back to a system of records notice, and it
says, and I quote, records are maintained with identifiers for
all transactions for a period of 10 years after they are
entered into the system. Records are housed in both active and
archival files in accordance with the CMS data and document
management policies and standards.
It has been said over and over and over again by you, Ms.
Tavenner, that these records are not kept.
How is it that we see in the systems of records notice,
this is what we are being told, and yet you say--and this is
why there is a lack of confidence in the people of this
country, is that we don't have confidence that what we hear and
what is actually there matches up.
Ms. Tavenner, can you address that?
Ms. Tavenner. Yes, Congresswoman, I can. I have said that
we do not store information in the hub. I have also said, and
as obvious by what we supplied in our systems of record notice,
that we do store information on the marketplace, which is
separate from the hub.
Mrs. Black. So let's be very, very clear that this
information is being stored. When we continue to say, oh, this
information is not stored, I think there, that people then go,
oh, you're wrong in saying it's stored. It is stored, and we
have documentation.
Now, let me go to the second bullet.
Ms. Tavenner. Well, as I said in my opening testimony,
there are two systems, and it's important to understand that
one is the hub, which is a router, and the other is actually--
--
Mrs. Black. Which is a router that has a lot of people
inputting information and taking out information, so I'm still
not confident that what's been said here today, that all of
this is protected because I have additional questions, which I
know I won't have time to get to, about what are the background
checks? Who will have that access? But let me also go to the
next question on this, because it was referenced that there is
no personal health information that is collected, and I want to
go to a documentation that was put out, I guess, about 2 weeks
ago, and this is--I am going to the section of verification of
eligibility for minimum essential coverage other than through
an eligible employer-sponsored program, and I am in the
section, and I'll give you the number of that section, 155.320.
So, here is what it says, and I am reading out of the
fourth paragraph in here that says, ``finally, we propose and
added a paragraph to provide consistent with 45 CFR,'' and
there is a lot of other. I won't go through that, and this is a
quote, ``a health plan that is a government program providing
public benefits is expressly authorized to disclose personal
health information, as that term is defined in 45 CFR 160.103,
that relates to eligibility for or enrollment in the health
plan to HHS for verification of applicant's eligibility for
minimal essential coverage as a part of the eligibility
determination process for advanced payments for premium tax
credits.'' It specifically says in here that they are expressly
authorized to disclose private health information.
Can you speak to this?
Mr. Chao. I can answer this. You know, something--something
like a birth date that exists in one particular context can be
treated very differently and called and wrapped around, for
example, personal health information when it appears in another
contract--context, such as your health record. I think the
minimum essential coverage, the intent is to check other
sources of potential coverage to determine whether that
coverage would be duplicative, supplemental or contradictory to
what the law has indicated that you cannot be in an exchange or
a marketplace benefit receiving a premium tax credit and
enrolled in something else that's also a government program.
So, that information, when we check that, if you look at it
in the context of how it's delivered to us, for example, from
VA, it is part of the health record, but it is just the date of
eligibility. We don't hold any--you know, it's is a vernacular,
you know, kind of vocabulary contextual kind of issue, so it's
not clinically related. It is just a check on the status of
your eligibility.
Mrs. Black. Well, I hear what you're saying there, but this
specifically says, is expressly authorized to disclose personal
health information.
Mr. Chao. Right, but I think you were----
Mrs. Black. Well, I am going to need to get--and we can
have another conversation here, but I am going to need to get
assurances that when you have an expressed authorization to
disclose personal health information, that we give assurances
to our constituents, my constituents that this information is
not going to be shared with people that shouldn't be getting
it, and I don't still have assurances in what I am seeing here.
I think, Mr. Chairman, there needs to be many more of these
hearings to--both for those Congressmen that are concerned
about this as well as more importantly my constituents in the
public who are really concerned about what has happened most
recently with the IRS and how information has not been
protected and people have been targeted, and likewise, I think
there are many more questions about navigators and what kinds
of background checks they have, what kind of training they had,
this is something that certainly needs to be talked about a
whole lot more.
And again, I yield back. I know my time is up. Mr.
Chairman, once again, thank you for allowing me to be here at
this committee hearing.
Mr. Meehan. [presiding.] Okay. I thank the lady, and I
thank the panel. I know we have gone through a lot of
questioning. There is just a few of us have some follow-up
questioning, and you will indulge me on that. I certainly--I
mean, I want to echo the point that was just made by the
gentlelady from Tennessee. I mean, this is not only the idea
that it's within the regulations that you published yourself,
but the concept that there are certainly circumstances where a
lot of that can be done without the consent of the individual
whose records they are. I mean, this is--and I know it goes to
contractors, and nobody knows who those contractors are at this
point in time. And we are 75 days away from implementation and
you can't identify with specificity who it is who are some of
the contractors and what kind of things have been done, but I--
to assure the credibility of their participation in the system.
But you talked about harmonizing, Mr. Chao and others, the
work that's going to be done among the various agencies in this
database, and, therefore, you are going to pull in the
activity. And I know the IRS has a system which has been
effective or at least the more effective, but I look at the
agency score cards, and I am talking about harmonization, and
this is the agency Federal department's and agency's cross
priority goals in cybersecurity for the second quarter of 2013,
so this is the most recent one. And when we begin to talk about
those who are on the scorecard, two of the poorest performers
are HHS and the Social Security Administration, both performing
under the requirement that the executive branch will achieve 95
percent implementation of the cybersecurity capabilities.
So who's going to be, are we going to rise to the level of
the IRS, or is it going to be down to the lowest common
denominator with respect to the HHS and Social Security
Administration
Mr. Chao. I think, working with IRS, certainly I mentioned
earlier, that they've set the bar for security and privacy of
protected, you know, information. You know, specifically in
their case, under 6103 and based upon our experience, you know,
working with systems that process personally identifiable
information relative to eligibility, particularly like Medicare
eligibility or enrollment dates and history of enrollments,
we--I can't speak for the HHS level. There are 11 operating
divisions or agencies within HHS of which CMS is just 1 of the
11, so I don't know if that scorecard reflects, you know, the
individual CMS progress, but we can certainly look into that
and get back to you.
Mr. Meehan. Well, two of the three components that are
going to be critical among these are the worst performers, but
let's--let's on the part of this, is this is a dynamic network
and people keep talking about the fact, well, information isn't
going to be connected here or stored in one particular place,
but it's just once one has access into this system,
particularly in light now, the fact that it's going to have so
many different places in which responsibility for security will
be contained, including, as best as I can understand, the fact
that there are at least 15 States who will be operating their
own exchanges.
And Mr. Duncan, maybe you can speak to some of this, but as
plan management--Mr. Duncan, does plan management include
security?
Mr. Chao. I don't think Mr. Duncan can speak to that.
Mr. Meehan. Mr. Chao. Well, let me ask him this question as
inspector general, does plan management include security?
Mr. Duncan. Plan management should be considered when you
build any application; it should be baked into the application,
for sure.
Mr. Meehan. Mr. Chao, are you saying plan management does
not include security?
Mr. Chao. No, I'm saying it does include security, and plan
management is a core function inside the federally facility----
Mr. Meehan. Okay. Well, here I have--and this is the report
of the GAO that was done recently establishing, it says, for
those 15 FEEs which States will assist with plan management
functions, CMS will rely on the States to ensure the exchanges
are ready by October 2013.
So, all of this work you are talking about, the fact of the
matter is there is 15 different States and you're basically
saying, Ms. Tavenner, well, we are going to rely on them. They
are going to sign documents that say that they are okay, but we
are going to rely on them. This is your document. Is that
accurate? Ms. Tavenner.
Ms. Tavenner. I am trying to answer. Actually, it's a
little more interactive than that. We have oversight. Even
when--what we do is we allow State-based exchanges to build
their own platform, but we also work closely with them both on
security plans, on plan management.
Mr. Meehan. And how closely have you worked? Let me go down
into the footnote, footnote 42. Seven of the 15 States
submitted an application, were approved to assist and other
plan management functions. Additional seven States were not
required to submit an application, and CMS officials indicated
the agency has no formal monitoring relationship with the
States. Instead, CMS conducted a 1-day review of these States.
So here we have the greatest data hub--the greatest data
hub that has ever been put together with private information in
the history of the government. It is going to be related back
to your reliance on the States to do it. You say you have
oversight, and by the GAO's report, what was done with seven of
those States was you went and you spent one day on the review,
presumably looking at a whole variety of issues, not just
security.
Ms. Tavenner. In this case, those seven States you're
talking about--I don't have the benefit of your document, in
front of me, but----
Mr. Meehan. This is the GAO report.
Mr. Dicken, you made the report.
Ms. Tavenner. Yes, I've read the report, but I'm just
saying I don't have that page in front me, but the seven page--
the seven States that you're referring to are actually
interested in doing plan management, which is the work with the
issuers, which is a function they do today through their State
insurance commission, and so we do work closely with the
insurance commission.
Mr. Meehan. Well, what do you do to assure the security of
the system with them, because it seems to me that you are----
Ms. Tavenner. So the security of the system goes back to
the hub and accessing the hub, which is part of our plan. So
just because they do plan management that's out of State, they
do not have a separate mechanism to enter the hub. To enter the
hub the same way we've talked about, applies to all 50 States.
The two are not the same.
Mr. Chao. To add to that, we also conduct technical
reviews, which include security components, and we sign the
essential security documentation that's needed and agreements,
such as computer matching agreements and data use agreements,
with all the States. So, there are other checks and balances
that are in place, you know, as I mentioned earlier, the
overall security framework.
Mr. Meehan. What assurances do we have that the States are
capable to protect the system, at least at their entrance
point, and that your system is capable of protecting itself
against the high level of--of effectively cyber attacks that
are taking down the most sophisticated systems in the world.
Mr. Chao. I think with ingress points and connection points
with the federally operated IT and managed IT, I think we
definitely apply, as you well know, under Homeland Security and
at the department level and even at the agency level, lots of
continuous monitoring of the networks and intrusion. I think
that----
Mr. Meehan. It's saying that--the report that I just have
that came down from the colleges says they can be months before
anybody realizes that they are even in there.
Mr. Chao. And I'm saying that with regard to the ability to
impose the same Federal requirements on State systems and
networks, I don't think we have applicable law that clears our
ability to impose that on States, other than asking them to
sign agreements.
Mr. Meehan. My time is expired, and I need to respect the
time.
So I will turn it over to the gentlelady from California,
Ms. Speier.
Ms. Speier. Mr. Chairman, thank you.
You know, when Medicare was first passed as a law, there
were huge cries by many in Congress about how it was going to
be horrific and bring socialism into this country. Fast forward
to when we were debating the Affordable Care Act and signs
across this country and at town halls that I was party to were
signs that said, ``Don't touch my Medicare.'' I believe that
there will be a time when the signs will be, ``Don't touch my
ACA benefits.''
I am really apologizing to each of you for what I think has
been a counterproductive engagement today. I think most of what
has happened has been efforts to throw sand into the gears, and
I don't think that's what this committee is supposed to do. We
are supposed to drill down, to find out whether or not there
are any oversights, and if there are, help you fix those
oversights.
I have a lot of confidence in what you're doing. It is not
going to be perfect out of the shoot, it just isn't, and I
think we do great harm when we continue to spew out lies, much
like the lies about the death panels. For those that have an
agenda to dismantle the Affordable Care Act, this is not where
they need to be. For those that want to make sure it works
successfully, this is where they should be, and I want to thank
each and every one of you for your efforts to try and make this
a successful one.
Now, I would like to ask one question. As you have weighed
in, as you have dived deeply into this, implementation, is
there is a particular area that you have some concerns about
that we haven't addressed that we should address either by
legislation or by information that we convey to our
constituents?
Ms. Tavenner. I thank you for your support, and I would say
that our biggest concern is that we have adequate resources to
do the--to do the work. The President's budget has proposed
resources for 2014. It is important, if you want, and we want
to take privacy and security seriously, we need to have the
resources to be able to do that, and so I would appreciate your
support in that area, and I thank you for your earlier
comments.
We have a great team at CMS, and we are working very hard,
and we look forward to October 1st.
Ms. Speier. Anyone else?
Yes, Mr. Milholland.
Mr. Milholland. As Mr. Werfel also commented about the
budget issues, their primary concern is resources also, so I
would echo Ms. Tavenner's comments.
Ms. Speier. Mr. Duncan.
Mr. Duncan. Yes. The inspector general has three basic
concerns, and I think I mentioned those in my initial
testimony, but I'll recap them. The protection of Federal tax
data at exchanges, we believe, is a very specific requirement.
The safeguards program at the IRS, we are currently doing an
audit of that program as we speak, and we think they are going
to need the resources and funding to expand significantly to
cover the additional State exchanges and its very specific
requirements, as has been talked about before for that.
Also, the fraud prevention systems, that they're ready by
January of 2015, that's the return review program at the IRS,
which brings analytics and stops the refund from going out the
door, not after the fact and try to recoup it after the money
is sent out. And also, the thing we've been talking about quite
often, which is the interagency testing--this is all the
components, including the IRS, that there is sufficient testing
for the entire system, not just the pieces. Those would be my
three concerns.
Ms. Speier. All right. Thank you.
Anyone else?
Mr. Dicken. I can just note from our GAO report, you know,
I think we highlight, I have two key areas that are remaining
that are key for the October 1st implementation. We certainly
talked a lot today about the data hub as a key tool for that.
We talked now some about plan management as a separate core
function. The last core function that we spoke to was consumer
assistance. That's an area where much of that is happening
before October 1st and certainly another core area where there
have been some delays and then core activities that need to
take place by October 1st.
Ms. Speier. All right. Mr. Chairman, let me just end by
sharing three quotations about how people were so exercised
about Medicare when it was being contemplated. Ronald Reagan,
in 1961, said, ``If you don't stop Medicare, one of these days
you and I are going to spend our sunset years telling our
children and our children's children what it once was like in
America when men were free.''
George H. W. Bush, in 1964, described Medicare as
socialized medicine.
Barry Goldwater said, in 1964, ``Having given our
pensioners their Medical care in kind, why not food baskets,
why not public housing accommodations, why not vacation
resorts, why not a ration of cigarettes for those who smoke and
beer for those who drink?''
We really have got to get beyond the rhetoric----
Mr. Jordan. Would the gentlelady yield for a question?
Ms. Speier. I am just closing. You can certainly carry on
in your recount, but I would just say, rhetoric is not what we
need to be talking about today. What we need to be talking
about is the sum and substance of how we make this operate
effectively, efficiently with privacy concerns resolved, with
security concerns resolved and with the understanding that the
fraud that may occur, if it is fraud, or just a misassessment
of what one's salary is, is that, at the end, it is going to be
figured out and payments will be made back to the U.S. Treasury
for the fraud that may have occurred when someone said they
were making less when they were really making more.
Now, any other fraud that occurs, it may be a subject that
we would have to discuss further, but at this point, Mr.
Chairman, I thank you for chairing this hearing, and you know,
we have had a great relationship and I look forward to more of
the same.
Mr. Lankford. [Presiding.] Thank you.
Let me ask a couple of questions here. We are getting close
because I know you all have been at this a very long time. The
verification that they qualify for a subsidy, is that done at
the exchange level or CMS? Who verifies that they qualify?
Mr. Chao. The verification services are processed by CMS
systems for Federally Facilitated Marketplaces and via the hub
connecting to the income verification sources.
Mr. Lankford. Okay.
Mr. Chao. For State-based marketplaces, they do that
themselves connected to the hub via income sources.
Mr. Lankford. So, with that, they've got to have access to
all of that raw data to be able to make a decision. They are
not just getting yes-no answers. When they pull data, they're
pulling data, so it's entering fields.
Mr. Chao. Yes, but it's also--I don't want folks to think
that it's a whole array of tax return information or health
records.
Mr. Lankford. Can we get a----
Mr. Chao. It's very narrow.
Mr. Lankford. Can we get a list, as it stands at this point
right now, what information is coming down? Because I assume
it's on their 1040, line 47, such and such, this data is made
available. I'm trying to find out what is made available to an
individual in that. Because if the exchange makes the decision,
that means they've got to have access to the raw data.
Ms. Tavenner. We can get you information----
Mr. Lankford. That would be terrific. And just on the broad
range, I'm sure it's all been laid out at this point,
obviously, to know what all that involves on it.
This came up earlier, Ms. Tavenner, about the delay in the
employer mandate. You had mentioned late June, June 24th, that
you had received notification that that was going to be
delayed.
Ms. Tavenner. Let me be clear. June 24th or June 25th.
Mr. Lankford. That's fine.
Ms. Tavenner. I'm not sure which day.
Mr. Lankford. Yeah, that's fine. Yeah, I wouldn't hold you
accountable to that, one way or the other.
But the question is, this has to be an ongoing part of the
conversation. This was not a sudden decision late in June, that
the administration thought this was a bad idea, let's delay it.
There were a lot of factors that went into it.
Was the creation of this data hub and some of the
connections between the employers submitting information about
their insurance and what insurance that they're providing to
employees and the complicated nature of that, was that a part
of this conversation?
Did CMS or IRS have conversations with the administration
to say, ``We've got all of this together. This is coming
together well. We don't yet know yet how we're going to get
employers to tell us their information on the employees''?
Ms. Tavenner. Mr. Chairman, I cannot speak for IRS, but we
did not have conversation.
Mr. Lankford. So the first you'd heard about this at all or
people at CMS had heard about this at all was June 24th or
25th?
Ms. Tavenner. The first I heard of it.
Mr. Lankford. Okay.
Would the IRS side--where are you? Because, at some point,
it sounds like there will be--employers will have to submit,
``My employee has been offered this coverage.'' Is that system
in place? Is IRS prepared to be able to do that yet?
Mr. Milholland. That particular deliverable is 2015. This
direction to move it to the right slides that, I think it was
roughly about 6 months, if I recall correctly.
But, in any case, the IRS has to be prepared on day one
with respect to those employers who choose to voluntarily
provide the information. So the fact that Treasury moved the
requirement to the right for----
Mr. Lankford. No, my question is, was there dialogue
between IRS, Administration, Treasury, whoever it may be, to be
able to voice, ``We don't have a mechanism to yet be able to
verify this with the employers''? So was that a part of the
conversation?
Mr. Milholland. That----
Mr. Lankford. Has there been a notification back? Because
that, as you said, is voluntary at this point. That has all
been moved a year back. What was the dialogue in advance.
Mr. Milholland. I was not privy to that conversation.
Mr. Lankford. Okay. Is there a mechanism in place--was
there a plan to have a mechanism in place for 2014 for
employers to be able to verify their employees do have
qualified health plans?
Mr. Milholland. The mechanism that was to be in place was
that they would report to the IRS.
Mr. Lankford. Right.
Mr. Milholland. And, I mean, that was part of the
requirements----
Mr. Lankford. Is that mechanism in place now?
Mr. Milholland. No, it's not.
Mr. Lankford. Okay. When did that get pulled? Because I'm
sure that didn't get pulled June the 24th or 25th, as far as
requiring that field to be turned in.
Mr. Milholland. But it's part of the release that will come
later, 2015. I mean, it's not in the system as of October 1,
which we're doing this year.
Mr. Lankford. Right, I understand the date's been moved on
it. Prior to the 3rd of July, when it was announced that it's
going to be delayed, was this planned to be a part of the IRS
reporting system----
Mr. Milholland. The----
Mr. Lankford. --that employers would report starting in
this year?
Mr. Milholland. It was part of our plan but not to be
implemented this year.
Mr. Lankford. So, regardless, employers weren't going to
report either way?
Mr. Milholland. That's correct, this year.
Mr. Lankford. Okay. So the delay that's occurred, to say
we're not going to require that of employers this year, already
lines up with what happening with data anyway? Or there was a
change in the plan to gather data this year? That's what I'm
trying to determine.
Mr. Milholland. I'm not sure I fully understand your
question. I would just say again that the implementation of
that employer reporting wouldn't happen until 2015.
Mr. Lankford. And that was the plan from the beginning?
Mr. Milholland. From the beginning, yes, sir.
Mr. Lankford. Okay. That's what I'm--that's all I'm trying
to be able to determine from there.
Ms. Tavenner, you mentioned earlier that there are third-
party sources of financial information. You mentioned even
Equifax or some other outside organization. What's the
connection there on the database with third-party
organizations?
Mr. Chao. We're looking--because there was talk of the
requirement to have, you know, kind of, employer offering of
coverage, we tried to look at our current contractor
capabilities to see if there was some commercially available
way to do that. And it's just in conversation and discussion
right now.
Absent of, you know, when things were known or not known,
it was just--you know, for me, it was understanding the
requirement and seeing if there's a data source that's
available.
Mr. Lankford. And is that a hub-type relationship, to be
able to pull data when it's needed? Or is it a matter of
getting data from them to be able to put on to the other piece?
Because we've talked about two different functions here.
Mr. Chao. Yes, pulling--it would be connected to the hub to
pull that data from the----
Mr. Lankford. There's a tremendous amount of credit
information out there that's in error, obviously. What I'm
trying to determine is, now that we're fighting off three
different agencies that have credit information, trying to get
things fixed, we would now have to also add CMS into that mix,
as well? That if there's an error in my system, how would
people know what is there----
Mr. Chao. I----
Mr. Lankford. --and whether they'd been accepted or denied?
And how would they get that fixed?
Mr. Chao. Chairman, I believe that when the--you know,
saying ``Equifax'' and ``credit report'' is almost synonymous
these days. When we work with a company, Equifax, they have
lots of data sources that they make available.
Mr. Lankford. Right.
Mr. Chao. I think the employer offer of coverage, that
potential for having that data, is part of their overall
working with employers to pull payroll information to help
service benefit administration, you know, kind of, practices
for large employers for their employees. I don't think it falls
under the FCRA, kind of, realm of----
Mr. Lankford. Right. But the thought on it is--well,
there's a whole bunch of issues. Just false information at all
is hard enough to be able to track on it.
But the thought is here, if they work for this certain
employer, then they have been offered care, is the assumption
there? Or is Equifax assuming that they'll be somehow reported,
there's an employee that works for me, this was one was
offered, this one wasn't? Is it just a matter of they have
payroll data so they're paid by this company, this company has
a qualified health plan, so they must have been offered? Is
that just the assumption?
Mr. Chao. Based on conversation with Equifax, they are
having conversations with their employer clients that have this
data relationship, and they're seeing if that's something that
the employer community wants to provide as a service or a
benefit to their employees so that they don't have to
constantly answer questions and queries about coming back to
them about offer of coverage.
Mr. Lankford. Okay.
One last question, and then Mr. Jordan, I think, has some
wrap-up. And we need to get you all out of here, obviously.
The individuals within the exchanges--and we've got an
authorized user that's been authenticated. They've signed in.
We know who they are; yes, they're one of ours. In a State,
they're viewing data trying to make a decision; let's say this
is something that's not automated.
I assume most of the decisions are going to be made with
parameters and it's going to be automated. Is that your
assumption, as well?
Ms. Tavenner. We are certainly going to encourage
automation.
Mr. Lankford. Yeah, I would assume the vast majority--you
have millions of people coming through. Especially initially,
those decisions aren't going to be made on someone's desk with
a big stack.
Ms. Tavenner. But it will no doubt be a combination of
manual and automation.
Mr. Lankford. Okay. So that individual that's there within
a State that's making a decision on it has access to all that
information. The challenge becomes, do we have a system in
place for background checks for those individuals, limiting
those individuals?
If we visit with NSA, they can tell us exactly how many
people have access to that information. And every time that
information is accessed, there's an accountability process with
it. What I'm trying to determine is, there are occasionally
authorized users that do have access to it but they use it in
an unauthorized way, if that makes sense.
Ms. Tavenner. So they're--and I think the question you're
asking is, who would help someone with an application?
Mr. Lankford. No, not necessarily. No, it's an individual
that has access to the information; they're authenticated as a
person that is an employee there, whether it be a private
contractor that works for a State or a State employees that's
been authorized to be a part of the exchange. They have access
to that information.
What boundaries are there that they don't use that
information for unauthorized purposes?
Mr. Chao. From a program management perspective, when I
talked about the harmonized security and privacy framework--and
I did mention that there are some things that we cannot
necessarily enforce upon States, but we can sign agreements
with them. And in signing these agreements, they abide by
certain security controls and thresholds that they, in essence,
promise to uphold as part of the security practices.
Now, in the world of security and cybersecurity and
awareness today and security policies and imposing this
operationally, if you look at the multiple security frameworks
that are available--Federal Government, State government, and
commercial--there is a significant overlap, in that we adopt
the same controls, such as, you know, access management,
authentication to a certain degree of assurance in authorizing
their entrance into the systems. So we're in agreement on a
very vast majority--large, vast majority of controls that are
applied.
Mr. Lankford. Right. I'm talking about just the background
of how do we show that this person, once they've accessed data,
that data that they accessed is for official purposes, not
unofficial purposes. Because you now have data that was
previously in a closed system that's opening up a little bit to
new people that have been accessing information. So it's--am I
making sense on that?
Mr. Chao. Yes. Well----
Mr. Lankford. Again, it's an authenticated user. It's just
not using it for authorized purposes.
Mr. Chao. I think we have, you know, other security
monitoring tools. We look at behaviors and trends in how people
are using the system and----
Mr. Lankford. Right. We'll follow up on that in the days to
come.
The SPR that we talked about, Safeguard Procedures Report,
how many States currently have that, that that is done and
complete?
Mr. Milholland. Mr. Chairman, I'm told that all 15 have
submitted.
Mr. Lankford. All 15 are done?
Mr. Milholland. Yes. And I believe the Federal exchange has
also.
Is that correct?
Yes.
Mr. Lankford. I would hope that would be the easiest of all
of them.
Mr. Milholland. I would also add that we've begun our
State-by-State or exchange-by-exchange safeguards reviews,
literally, this week.
Mr. Lankford. Well, that would be one to watch for, just
unauthorized use for unauthorized purposes is one to be able to
watch and to be able to track on it.
How many--by the way, on all of our States now for
exchanges--this is off topic. I'm going to change to Mr.
Jordan, because we've got to go.
Do all of our States have more than one option on the
exchange, at this point? Are there States that, when they get
to the exchange, will only have one option when they get to the
exchange?
Ms. Tavenner. You're talking about insurers now?
Mr. Lankford. Yes, ma'am.
Ms. Tavenner. We will not have all of that data until the
end of July. But we are currently--and I think this State has
been in the press. The State that we are most concerned about
is Mississippi.
Mr. Lankford. Okay.
Ms. Tavenner. Otherwise----
Mr. Lankford. So that it looks like all States will have
more than one option on the exchange?
Ms. Tavenner. Correct.
Mr. Lankford. Okay. Thank you.
Mr. Jordan?
Mr. Jordan. Thank you, Mr. Chairman.
I just want to go back to where the chairman was and be
clear. Ms. Tavenner, were you consulted at all before the
decision was made to delay the employer mandate?
Ms. Tavenner. I was not consulted. Now, part of that, in
fairness, was I was also on vacation at the time. So I was
actually notified while I was on vacation.
Mr. Jordan. Yeah. So you were notified. So you had a cell
phone. So they got a hold of you, they could talk. I mean,
you're the head of CMS, and you weren't even--they didn't even
talk to you before they made this decision?
Ms. Tavenner. I think the decision was made with IRS as a
predominantly----
Mr. Lankford. Mr. Chao, did they talk to you? Were you
consulted before the White House decided to do this?
Mr. Chao. No.
Mr. Jordan. Mr. Milholland, were you consulted?
Mr. Milholland. No, sir.
Mr. Jordan. You weren't consulted?
Mr. Milholland. No, sir.
Mr. Jordan. Mr. Werfel told us--told me about an hour ago
you were the expert, and they didn't even call you?
Mr. Milholland. I was not consulted.
Mr. Jordan. Was Mr.--to your knowledge, was Mr. Werfel
consulted?
Mr. Milholland. I believe Mr. Werfel said he received
notification on----
Mr. Jordan. So none of the people who are going to be
implementing this were even asked, is this the right move?
Was Sarah Hall--to your knowledge, Mr. Milholland, was
Sarah Hall Ingram consulted?
Mr. Milholland. I do not know.
Mr. Jordan. That's amazing to me.
You know, Ms. Speier talked about folks who want to throw a
train wreck into--or throw a--mixed metaphor--throw sands into
the gears. I would just remind, it hasn't been Republicans
who--and we have Mr. Baucus, one of the architects of the law,
calling it a train wreck. We have the President suspending the
law without consulting the people who have to actually make it
work.
Mr. Chao, you made a statement back in March that you hoped
the exchanges wouldn't be a, quote, ``third-world experience.''
So you obviously had some knowledge and some concerns to prompt
that statement. Are those concerns still relevant, still valid?
Mr. Chao. I was speaking before an audience of issuers that
I had spoken to before, and it was a poor attempt at humor. So
I wouldn't necessarily----
Mr. Jordan. I don't know that it was a poor attempt at
humor. It may have been--you know, you may have been a
visionary, you may have been a prophet.
I mean, this is--the fact that they didn't even talk to you
is what I think is amazing. You don't talk to the head of CMS,
you don't talk to the head of the IRS, you don't talk to the
person at the IRS who is actually in charge of the Affordable
Care Act Office, you don't talk to the technical database
expert, Mr. Milholland. You just decide one day you're going to
waive part of the law.
I mean, we had the previous Democrat talk about when
Medicare was--I'd be your curious to know if the President at
the time Medicare was implemented, if he asked for a delay in
the law. Maybe he did, but I don't know about it.
This is amazing.
But let me ask you one specific question, Ms. Tavenner. In
February of this year, HHS System of Records Notice includes
the following statement: ``The Secretary''--you--``along with
other appropriate agencies, will establish an appeals process
for individuals and employers when eligibility is denied as a
result of inconsistencies between information obtained from
applicants and enrollees and employers and information and data
verified through the exchange.''
I have no idea what all that means; I hope you can tell me.
Maybe you can define what ``inconsistencies'' are. Do you have
a list of what those may be? You obviously anticipate problems
because you're setting up an appeals process, so can you give
me some insight into that?
Ms. Tavenner. So the appeals process is required in the
law, but I will remind you, there's also an appeals process
today in Medicaid and CHIP and other programs, because
sometimes----
Mr. Jordan. I understand that. Do you have--but, I mean,
specifically, what are you thinking about? Obviously, you think
that it's going to happen. The law requires you have some kind
of appeals process. That makes sense to me; we understand that.
What are some of the anticipated inconsistencies?
Ms. Tavenner. So I think perhaps people submit information
and they get denied, and they believe their information was
incorrect and they want to bring new information forward. But
I'll be happy to get you a list.
Mr. Jordan. So you don't know what the list is. You just
use the term ``inconsistency'' because you anticipate there's
going to be problems.
Ms. Tavenner. No, we're----
Mr. Jordan. You anticipate this, in fact, could be a train
wreck. You anticipate, in fact, this could be a third-world
experience.
Ms. Tavenner. I do not anticipate that. And the--we are
currently in rulemaking on the appeals process, and the final
rule will be out shortly.
Mr. Jordan. Do you think the--do you think everything could
be up and running, working on October 1st, and the start of
next year, this law can be fully implemented, working, you
think it can all function the way it's supposed to, the way the
folks who voted for it designed it to, do you think that can
all happen?
Ms. Tavenner. Yes, sir. You know, my background has been--
--
Mr. Jordan. Okay. So if you think that can all work, you
would think the administration would call you up and consult
with you before they decided to say, ``You know what? We don't
think it can, and we're going to delay part of it.'' That seems
logical to me, doesn't it?
Doesn't that seem logical to you, that you, the person in
charge of it, would be called, would be consulted? Don't you
think it makes sense for you to be consulted before a major
decision, a major element of the law is simply waived for a
year?
Ms. Tavenner. The employer mandate rests within IRS----
Mr. Jordan. That's not what I asked. Don't you think it
makes sense for you, the head of CMS, charged with implementing
this law, don't you think it makes sense for you to be
consulted?
Because if you don't, then that's scary, too. If you don't
think, as the person who heads CMS, you should be consulted
before a major decision to unilaterally just delay part of the
law should take place, if you don't think you should be
consulted, then I've got concerns on that side, as well.
So do you think you should've been consulted?
Ms. Tavenner. I think I've been consulted all along.
Mr. Jordan. Well, no, that's not--you just told me--4
minutes ago, you just told me you weren't consulted.
Ms. Tavenner. I'm----
Mr. Jordan. So which one is it? Because you have to tell us
what really happened. You can't have it both ways. Were you
consulted or weren't you consulted?
Ms. Tavenner. I was not consulted. I'm just saying that----
Mr. Jordan. Well, then----
Ms. Tavenner. --in the last year----
Mr. Jordan. Now, wait a minute. So, then, 10 seconds ago,
you just said you were.
Mr. Lankford. I'll ask the gentleman to let her answer.
Ms. Tavenner. Please let me finish my sentence.
Mr. Jordan. I want you to finish, and I just want you to
finish it truthfully, because you've told me two different
things.
Ms. Tavenner. Well, I take objection to that, because I've
told you the truth.
Mr. Jordan. We can read the transcript.
Mr. Lankford. I would ask the gentleman to let her finish
answering.
Ms. Tavenner. Thank you.
So the last 3-1/2 years, I actually started----
Mr. Jordan. I want you to answer one question. Were you
consulted or not? And now I'll let you answer.
Ms. Tavenner. I've said I was----
Mr. Jordan. Were you consulted?
Ms. Tavenner. --not consulted.
Mr. Jordan. Okay. Thank you.
Thank you, Mr. Chairman.
Ms. Tavenner. And I guess I won't get to finish my----
Mr. Lankford. No, go ahead. You can respond.
Ms. Tavenner. For the last 3-1/2 years, I've worked at CMS.
I started at the time that the rule--that the law was actually
passed. And I have been an integral part of every decision
that's made.
In the case of the IRS and the employer mandate, I was not
consulted.
I do feel like I'm part of the process.
Thank you.
Mr. Lankford. And, by the way, we assumed you are part of
the process. You have been an integral part of that. That's
somewhat the surprise to us. We're trying to figure out where
this came from. And it is a major shift in what's happening.
And we assumed there was some conversation in trying to figure
out the whys and the whats with it. And that clarification has
not come. We've also written letters to the administration to
try to get some clarification. So it's not just on you. It's a
surprise, as well. We would assume that IRS and CMS would be
consulted on this process and would be a part of the decision-
making.
You all have had a very long day. I appreciate you being
here. I hope you get a nice, relaxing lunch where it's quiet
and to be able to get some time away on that.
With that, this hearing is adjourned.
[Whereupon, at 1:10 p.m., the subcommittees were
adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
�