[House Hearing, 113 Congress] [From the U.S. Government Publishing Office] EVALUATING PRIVACY, SECURITY, AND FRAUD CONCERNS WITH OBAMACARE'S INFORMATION SHARING APPARATUS ======================================================================= JOINT HEARING before the SUBCOMMITTEE ON ENERGY POLICY, HEALTH CARE AND ENTITLEMENTS of the COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM and the SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION __________ JULY 17, 2013 __________ Serial No. 113-66 (Committee on Oversight and Government Reform) Serial No. 113-25 (Committee on Homeland Security) Printed for the use of the Committee on Oversight and Government Reform Available via the World Wide Web: http://www.fdsys.gov http://www.house.gov/reform ---------- U.S. GOVERNMENT PRINTING OFFICE 86-193 PDF WASHINGTON : 2014 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM DARRELL E. ISSA, California, Chairman JOHN L. MICA, Florida ELIJAH E. CUMMINGS, Maryland, MICHAEL R. TURNER, Ohio Ranking Minority Member JOHN J. DUNCAN, JR., Tennessee CAROLYN B. MALONEY, New York PATRICK T. McHENRY, North Carolina ELEANOR HOLMES NORTON, District of JIM JORDAN, Ohio Columbia JASON CHAFFETZ, Utah JOHN F. TIERNEY, Massachusetts TIM WALBERG, Michigan WM. LACY CLAY, Missouri JAMES LANKFORD, Oklahoma STEPHEN F. LYNCH, Massachusetts JUSTIN AMASH, Michigan JIM COOPER, Tennessee PAUL A. GOSAR, Arizona GERALD E. CONNOLLY, Virginia PATRICK MEEHAN, Pennsylvania JACKIE SPEIER, California SCOTT DesJARLAIS, Tennessee MATTHEW A. CARTWRIGHT, TREY GOWDY, South Carolina Pennsylvania BLAKE FARENTHOLD, Texas MARK POCAN, Wisconsin DOC HASTINGS, Washington TAMMY DUCKWORTH, Illinois CYNTHIA M. LUMMIS, Wyoming ROBIN L. KELLY, Illinois ROB WOODALL, Georgia DANNY K. DAVIS, Illinois THOMAS MASSIE, Kentucky PETER WELCH, Vermont DOUG COLLINS, Georgia TONY CARDENAS, California MARK MEADOWS, North Carolina STEVEN A. HORSFORD, Nevada KERRY L. BENTIVOLIO, Michigan MICHELLE LUJAN GRISHAM, New Mexico RON DeSANTIS, Florida Lawrence J. Brady, Staff Director John D. Cuaderes, Deputy Staff Director Stephen Castor, General Counsel Linda A. Good, Chief Clerk David Rapallo, Minority Staff Director Subcommittee on Energy Policy, Health Care and Entitlements JAMES LANKFORD, Oklahoma, Chairman PATRICK T. McHENRY, North Carolina JACKIE SPEIER, California, Ranking PAUL GOSAR, Arizona Minority Member JIM JORDAN, Ohio ELEANOR HOLMES NORTON, District of JASON CHAFFETZ, Utah Columbia TIM WALBERG, Michigan JIM COOPER, Tennessee PATRICK MEEHAN, Pennsylvania MATTHEW CARTWRIGHT, Pennsylvania SCOTT DesJARLAIS, Tennessee TAMMY DUCKWORTH, Illinois BLAKE FARENTHOLD, Texas DANNY K. DAVIS, Illinois DOC HASTINGS, Washington TONY CARDENAS, California ROB WOODALL, Georgia STEVEN A. HORSFORD, Nevada THOMAS MASSIE, Kentucky MICHELLE LUJAN GRISHAM, New Mexico COMMITTEE ON HOMELAND SECURITY Michael T. McCaul, Texas, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Peter T. King, New York Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Paul C. Broun, Georgia Yvette D. Clarke, New York Candice S. Miller, Michigan, Vice Brian Higgins, New York Chair Cedric L. Richmond, Louisiana Patrick Meehan, Pennsylvania William R. Keating, Massachusetts Jeff Duncan, South Carolina Ron Barber, Arizona Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey Jason Chaffetz, Utah Beto O'Rourke, Texas Steven M. Palazzo, Mississippi Tulsi Gabbard, Hawaii Lou Barletta, Pennsylvania Filemon Vela, Texas Chris Stewart, Utah Steven A. Horsford, Nevada Richard Hudson, North Carolina Eric Swalwell, California Steve Daines, Montana Susan W. Brooks, Indiana Scott Perry, Pennsylvania Mark Sanford, South Carolina Greg Hill, Chief of Staff Michael Geffroy, Deputy Chief of Staff/Chief Counsel Michael S. Twinchek, Chief Clerk Lanier Avant, Minority Staff Director SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES Patrick Meehan, Pennsylvania, Chairman Mike Rogers, Alabama Yvette D. Clarke, New York Tom Marino, Pennsylvania William R. Keating, Massachusetts Jason Chaffetz, Utah Filemon Vela, Texas Steve Daines, Montana Steven A. Horsford, Nevada Scott Perry, Pennsylvania Bennie G. Thompson, Mississippi Michael T. McCaul, Texas (ex (ex officio) officio) Alex Manning, Subcommittee Staff Director Dennis Terry, Subcommittee Clerk C O N T E N T S ---------- Page Hearing held on July 17, 2013.................................... 1 WITNESSES Mr. Alan R. Duncan, Assistant Inspector General for Security and Information Technology Services, Treasury Inspector General for Tax Administration Oral Statement............................................... 9 Written Statement............................................ 11 The Hon. Daniel Werfel, Principal Deputy Commissioner, Internal Revenue Service Oral Statement............................................... 22 Written Statement............................................ 24 The Hon. Marilyn B. Tavenner, Administrator, Centers for Medicare and Medicaid Services, U.S. Department of Health and Human Services Oral Statement............................................... 29 Written Statement............................................ 31 Mr. John Dicken, Director, Health Care, U.S. Government Accountability Office Oral Statement............................................... 39 Written Statement............................................ 41 APPENDIX Letter from Mr. Daniel I. Werfel................................. 101 Opening Statement from Ranking Member Yvette D. Clarke........... 102 ACA Implementation IRS Oversight Board Briefing submitted by Mr. Jordan......................................................... 103 Statement for the Record submitted by Ranking Member Bennie G. Thompson....................................................... 113 EVALUATING PRIVACY, SECURITY, AND FRAUD CONCERNS WITH OBAMACARE'S INFORMATION SHARING APPARATUS ---------- Wednesday, July 17, 2013 House of Representatives, Subcommittee on Energy Policy, Health Care and Entitlements, Committee on Oversight and Government Reform, joint with the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, Washington, D.C. The subcommittees met, pursuant to call, at 10:00 a.m., in Room 2154, Rayburn House Office Building, Hon. James Lankford [chairman of the Subcommittee on Energy Policy, Health Care and Entitlements, Committee on Oversight and Government Reform] presiding. Present: Representatives Lankford, Meehan, Gosar, McHenry, Jordan, Walberg, DesJarlais, Perry, Woodall, Black, Issa (ex officio), Speier, Clarke, Cardenas, Lujan Grisham, Maloney, and Cummings (ex officio). Staff present from the Committee on Government Reform: Kurt Bardella, Senior Policy Advisor; Brian Blase, Senior Professional Staff Member; Molly Boyl, Senior counsel and Parliamentarian; Lawrence J. Brady, Staff Director; Caitlin Carroll, Deputy Press Secretary; Katelyn E. Christ, Professional Staff Member; John Cuaderes, Deputy Staff Director; Adam P. Fromm, Director of member Services and Committee Operations; Linda Good, Chief Clerk; Meinan Goto, Professional Staff Member; Tyler Grimm, Senior Professional Staff Member; Christopher Hixon, Deputy Chief Counsel, Oversight; Mark D. Marin, Director of Oversight; Emily Martin, Counsel; Scott Schmidt, Deputy Director of Digital Strategy; Rebecca Watkins, Deputy Director of Communications; Jaron Bourke, Minority Director of Administration; Yvette Cravins, Minority Counsel; Susanne Sachsman Grooms, Minority Deputy Staff Director/Chief Counsel; Adam Koshkin, Minority Research Assistant; Suzanne Owen, Minority Health Policy Advisor; Safiya Simmons, Minority Press Secretary; and Mark Stephenson, Minority Director of Legislation. Staff present from the Committee on Homeland Security: Alex Manning, Subcommittee Staff Director; Kevin Gundersen, Senior Professional Staff Member; Erik Peterson, Staff Assistant; Margaret Anne Moore, Special Assistant to the Chief of Staff; Michael McAdams, Deputy Press Secretary; Natalie Nixon, Deputy Chief Clerk; Christopher Schepis, Minority Senior Professional Staff Member; and Adam Comis, Minority Communications Director. Mr. Lankford. Committee will come to order. I would like to begin this hearing by stating the Oversight Committee mission statement. We exist to secure two fundamental principles. First, Americans have the right to know the money Washington takes from them is well spent. Second, Americans deserve an efficient, effective government that works for them. Our duty on the Oversight and Government Reform Committee is to protect these rights. Our solemn responsibility is to hold government accountable to taxpayers because taxpayers do have a right to know what they get from their government. We will work tirelessly in partnership with citizen watchdogs, deliver the facts to the American people, and bring genuine reform to the federal bureaucracy. This is the mission of the Oversight and Government Reform Committee. Today's hearing is focused on the purpose and design of the huge information-sharing apparatus being constructed to implement the Affordable Care Act. Therein, we'll examine who will have access to sensitive personal information, who will contribute data, how the government will protect this information, and why this information is necessary at all. We have the unusual combination of the IRS and HHS in our panel today because to accomplish the legal requirements of the ACA, it must work together to combine data from millions of people to allow exchanges to verify the subsidies and manage the intricacies of the Affordable Care Act. This is an oversight hearing on the implementation of the law as well as with Homeland Security. The people giving testimony today did not write the law. They are only trying to make this confusing system work, so we get that. So we'll have a lot of questions back and forth today to be able to process on how to get this accomplished. We are not going to try to hold you responsible for the origin of the law, but we will have decisions about the variety of decisions that you have made to prepare to implement and enforce the law. The other large amount of information sharing raises the risk of identity theft and other types of misuse. This risk is even more pronounced since the Department of Health and Human Services has missed several of their own self-imposed deadlines, and we'll want to know where we are on that. A document obtained for GAO revealed that as of April 2013, the department had only completed 20 percent of its work to establish appropriate privacy protections and capacity to accept, store, associate, and process documents from an individual applicant. Today, we hope to hear about the progress of the other 80 percent of that work. Two weeks ago, Treasury announced that they would delay the employer mandate until 2015. Just days later, the administration released another 650 pages of regulations that limited the degree of applicant verification required by exchanges during the first year of implementation. Instead of verifying, applicants will now be on the honor system for the subsidy. The potential for fraud and honest mistakes are multiplied since no one understands this law, the subsidies standards, how the administration defines a qualified employer health plan or a myriad of other issues. While I believe that the employer mandate is a terrible public policy that's already hurt hundreds of thousands of Americans through fewer jobs or reduced work hours, the administration cannot just rewrite the law on the fly. Moreover, because of the Rube Goldberg construction of Obamacare, the delay in the employer mandate and refusal to do proper applicant verification means that the Federal Government will waste billions of dollars next year subsidizing people's health insurance who are ineligible for coverage under the law. The IRS has recently become highly politicized under this Administration around the implementation of the ACA and the rights of people from all political perspectives to operate on a nonprofit and in a nonprofit organization. After the passage of the ACA, the IRS Commissioner Shulman visited the White House over 100 times in a 2-year period to discuss Obamacare implementation. Shulman's predecessor at IRS, Mark Everson, shared his concern at an Oversight Committee hearing last year about the problem with the IRS being so deeply involved with Obamacare and the serious threat this poses to the historic independence of the IRS. Sarah Hall Ingram has led IRS' implementation of the Affordable Care Act for 3 years. She was originally invited to testify at this hearing. However, because she may be also intricately connected to the IRS' targeting of conservative nonprofit groups, I have accepted Acting IRS Commissioner Werfel's offer to testify in her place. There are many questions and issues facing the IRS, but today's focus is on the data hub and on data sharing that is required because of the ACA. I welcome Commissioner Werfel's testimony today. Marilyn Tavenner, administrator for CMS, finally, after a very long process there as acting, is also here today to field questions related to the Federal data hub. Hopefully, she's prepared to address specific concerns about the possible cyber- related attacks, as well as the recent AP story from last weekend that the uninsured could fall victim to fraud, identity theft, or other crimes at the hands of some of the very people who are supposed to help them enroll. I welcome the attendance of all of our witnesses today, and we'll spend time introducing everyone in the moments ahead. With that, I would like to recognize the ranking member of Oversight committee, Ms. Speier. Ms. Speier. Mr. Chairman, thank you, and I thank you and Chairman Meehan for calling today's important hearing, and I thank all of the witnesses for being here to participate. The Affordable Care Act extends health insurance coverage to tens of millions and uninsured and underinsured Americans to help them obtain necessary medical care. Already, millions of Americans have directly benefitted from the Affordable Care Act: 2.5 million young adults, my son being one of them, now have health insurance on their parent's plan. The parents of over 17.6 million children with pre-existing conditions no longer have to worry that their children will be denied coverage. More than 32.5 million seniors have already received one or more free preventative services, including the new annual wellness visit. Starting this October, millions more Americans will be able to easily compare and choose affordable private health insurance plans for the first time when health exchanges open in every State. Many low-income applicants will qualify for subsidies. Those shopping for insurance will no longer have to worry that they will be denied coverage because of a pre-existing condition or worry that one serious illness and hospital stay will exhaust their lifetime limits, leading them to financial bankruptcy. Some have speculated that Obamacare will not work or at least that the October deadline might not be met. A June 2013 GAO report raised the issue of some missed deadlines but ultimately concluded that implementation was feasible and on track. This is a welcome news, and I look forward to hearing from the GAO today on how the process is proceeding. I also would like to know what impact sequestration has on the ability of those who are supposed to implement the Affordable Care Act are being frustrated. GAO also determined that CMS has developed contingency plans to be ready for unexpected development so the exchanges will be able to open on schedule in October. HHS has long experience with complicated health systems involving sensitive personal information, like Medicare, Medicaid and Medicare Part D. Getting the healthcare exchanges up and running is without a doubt a highly complex undertaking, made more complicated by the decisions of many States to have the Federal Government run their exchanges, and it is unlikely to be perfect out of the gate. But no major program has launched without a few hiccups. I am pleased there are concrete plans to mitigate any disruptions of the exchange system and to ensure the integrity of data hub communications between HHS, the IRS, DHS, and the Social Security Administration, States that other agencies involved in determining applicants' eligibility. At the same time, the scope of this new program requires that we ensure that it is carried out in a way that protects the privacy and security of those applying for insurance and prevents fraud by those seeking subsidies. The privacy of enrollee information is non-negotiable. Legitimate concerns have been raised about whether the security structure of the data hub that CMS has put into place will be sufficient when the exchange is launched in October. Today, I hope to learn from these witnesses the actual details of efforts to ensure security and privacy in the data hub. I am encouraged by Ms. Tavenner's written statement debunking the notion that in pursuit of access to care, we have to sacrifice privacy. Such statements must be backed by action and all parties to the transaction must have the same commitment. Mere promises are not enough, but we should also listen to the facts and not pre-judge the efforts of thousands of dedicated Federal and State employees working to make this law a reality. At the same time, I'm troubled by recent reports of the IRS' unintentional exposure of personal information submitted by organizations seeking tax exemption under section 527 of the IRC. I am pleased that the agency moved swiftly to correct the situation when it was detected. Such privacy breaches are unacceptable and should not happen at all. Lastly, Mr. Chairman, I am concerned by the efforts of some to sabotage the implementation of the Affordable Care Act by making sweeping allegations about the theoretical potential for fraud and other possible failings. I hope this hearing today is not an attempt to do that. The purpose of this committee, as you have pointed out in your opening statement, is to conduct oversight of programs like the Affordable Care Act, to ensure that it is carried out properly, and to uncover waste, fraud, and abuse. I look forward to additional hearings over the next several years once we see the program actually in operation. I also hope Congress will not deny the funding needed to ensure that the exchanges and the data hub can operate in a safe and secure manner. In fact, I hope to learn from our witnesses today how sequestration and budget cuts have impacted their ability to implement the law and protect enrollees' privacy. The Affordable Care Act is the law of the land. It has been upheld by the United States Supreme Court. Now, Congress' duty is to oversee its implementation, not to seek to delay it or cause it to fail in its mission. Today's hearing is a distinct opportunity to address legitimate concerns with those lead agencies charged with bringing the exchange system to fruition. I look forward to their testimony. Mr. Lankford. I now recognize the chairman of the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Mr. Meehan. Mr. Meehan. I thank the gentleman, and I thank the members of both committees who have participated in today's hearing. I thank the witnesses for their presence today, and all the members of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. This hearing comes at a critical time in implementing one of the key aspects of the President's healthcare law, the Federal data hub. It's not my intention to relitigate the Affordable Care Act at today's hearing but rather to provide crucial oversight over the government's establishment of the Federal data hub. As a result of the Affordable Care Act, the Department of Health and Human Services is building an enormous data-sharing network between State health insurance exchanges and numerous Federal agencies. The purpose of the data-sharing hub is for the government to determine whether Americans who enter the exchange are eligible to do so. As the chairman of the House Homeland Security Committee's Cybersecurity Subcommittee, we've looked extensively at the access to and management of personally identifiable information by the Federal Government. I don't need to explain to this committee or to our witnesses or to the American public from where our concerns emanate. We've witnessed all too recently how sensitive information can be mismanaged by the Federal Government. We have seen how cyber attacks from adversarial nations who seek to infiltrate our country's military and intelligence information have breached our most secure networks. We've watched--we have watched as thieves have stolen our top innovators' intellectual property. We have witnessed America's financial services institutions succumb to barrages of attacks by those who wish to do our nation and our very life harm. These are the institutions that have the best in the form of protections at this point in time. FBI Director Robert Mueller said that the cyber threat will be the number one threat to our country, a remarkable thing to be said. NSA Director Keith Alexander called a loss of intellectual property through cyber espionage the greatest transfer of wealth in history. And Former Secretary of Defense Leon Panetta said the cyber attacks could shift from espionage to destruction, the variability to get inside this network and to destroy the ability for it to communicate at all if it is not a secure system. And the Director of National Intelligence, James Clapper has said that potentially disruptive and even lethal technology continues to become easier to access and that we foresee a cyber environment in which emerging technologies are developed and implemented before security responses can be put in place. This is the best of our systems. I would like to see how this system is set up to protect against those kinds of threats. These are serious people that are talking about these issues. We've been charged with securing the most critical data in the world, and although no one could certainly make the argument that the personally identifiable information of millions of Americans is just as critical and critical to our Nation's data security. Javelin Strategy and Research felt that $12.6 million Americans are victims of identity theft each year. And a February 2000 study of the Center for Strategic and International Studies found that 85 percent of government and private sector network breaches took months to be discovered. Pricewaterhouse estimates that one-third of breaches come from employees. We are going to literally have thousands, 22,000 estimated alone, navigators just in the State of California. With over 20 million Americans estimated to enter into the exchange over the next 5 years, this leads to the question, which I believe must be answered at today's hearings, Are you ready? Does CMS have the tools in place to secure the information for over 20 million Americans? Who and how many will have access to this information? How do we ensure competence in those who have access? I have grave concerns about the ability to establish sufficient security in this massive unprecedented network by October 1st--that's just 75 days away--when our most secure networks are being breached every single day. Every sector, every agency, every industry concerned with security will tell you they are only as strong has the weakest link. I hope that our panel today can allay some of these concerns, but I fear that our government is about to embark in an overwhelming task that will at best carry an unfathomable price tag and at worse place targets on every American who enters the exchange. I look forward to hearing from you today, and I yield back my time. Mr. Lankford. Now recognize the chairman of the full committee for Oversight and Government Reform, Mr. Issa. Mr. Issa. Thank you, Mr. Chairman, and thank you for holding this important hearing. As my colleague from California, Ms. Speier, said, Obamacare is the law of the land. What she didn't say is sequestration is the law of the land, and both were signed by this President. So my expectation is that the President has to know that he has to live within the budget he signed; he has to live within the funding he signed, that the cost overruns that CBO now knows are in Obamacare--the ``it's going to be balanced,'' to ``it's going to be nearly balanced,'' to ``it's going to be a trillion dollar train wreck'' is coming, but that's not the subject today. The subject today, quite frankly, is the privacy of the American people and the accuracy of the data, and waste, fraud, and abuse. I have less confidence in today's hearing for only one reason: A key witness, Sarah Hall Ingram, who has 3 years of full-time experience since the passage of the bill, in some inexplicable way finds herself unable to be here, while I'm uniquely offered her boss. And I appreciate the Commissioner being here, but that's unheard of. Time and time again this committee has asked for Cabinet officers, only to appropriately find somebody beneath that person who is able to answer our questions, so today we are going to have the top boss in his 65 days and probably his 55th appearance on Capitol Hill to answer questions. And I appreciate his presence, and I'm not trying to belittle the technical staff with him. But it goes to the root of this is a program so grand and so great that it pales Medicare in its shadow, it pales Medicaid in its shadow, and that's what we're dealing with. The data of every American potentially will be transferred or will be transferred. Now, let's understand that. It's not being transferred to one place. In the cyber world, you have to look at every end tentacle. Somebody at some station, somewhere in Chico, California, is going to have an outlet to the California exchange that is going to ultimately be connected to that data. So, although the IRS might be able to put the database in an acceptable system and transfer it, who are they transferring it to? Ms. Speier mentioned CMS. I think also the chairman mentioned it. CMS. Now, this committee has recent experience. CMS is the organization that sent $15.5 billion to the State of New York in compensation excess of Federal law. And then, when we approached them, they wanted to phase it out over time. Well, they were overpaying vast amounts of money to the State of New York, to New York institutions owned and operated by the State. That wasn't a long time ago. Mr. Chairman, that was this Congress. We still don't have that $15.5 billion, so when we talk about waste, fraud, and abuse and we talk about the disclosure of personal information, we are dealing where disclosures that occurred under the IRS' watch under this President. We are dealing with waste, fraud, and abuse estimated by the inspector general to be greater than the Army's budget. We lose more than the Army consumes in Medicare and Medicaid, so a program that's statutorily--and the gentlelady from California is right; the law is the law. The law says that we will not subsidize unless the State has an exchange. And yet, unilaterally, the President has proposed that State After State who chose not to be part of it are to have subsidies. So instead of having some States, we now will have all the States. Those who chose to do it, will be subsidized. Those who choose not to, out of thin air, without statutory approval, there will be a Federal exchange that will then be subsidized. Those are some of the things. Now, the gentlelady from California is a friend and a colleague, but we differ on some parts. She thinks that Obamacare has done a lot already. I think that it has already run up the cost of healthcare. And when the President determines, without statutory approval, that one portion will not be implemented for an extra year, that on employers, because, of course, it's not ready, and yet he thinks that an individual mandate and the standing up of exchanges and the forcing of every individual in America into a healthcare plan not yet defined, with a database not yet secure, is okay? I've got to tell them, I have doubts, not about if Obamacare will some day be ready, if all the bugs can be worked out, but with no pilot and no consistency of the legislation to the actual implementation, I've got to tell you, we are at least a year further out on not just the President's slowdown but on the entire program, and I think today we are going to see exactly that, that the plans are there but the pilot and test, and if you will, proof of concept being tested, with those thousands or hundreds of thousands of terminal access points that could be what the ranking--the chairman from Homeland Security said, that weak link needs to be tested. I look forward to hearing all of the testimony and particularly the questions as to the weakest link. And I yield back. Mr. Lankford. Thank you. All members will have 7 days to submit their opening statements for the record. We will now recognize our panel. Before I recognize each individual, I would like to ask unanimous consent that our colleague from Tennessee, Mrs. Black, be allowed to participate in today's hearing. Ms. Speier. Mr. Chairman, can I also request that the ranking member from the Committee on Homeland Security subcommittee, Ms. Yvette Clarke's statement be read--be added to the record as well. Mr. Lankford. Absolutely, without objection, on both of those. So ordered. Mr. Lankford. Mr. Alan Duncan is the assistant inspector general for security and information technology services, the Office Treasury Inspector General for Tax Administration. Mr. Terence Milholland is the chief information officer for the IRS. Thanks for being here. Mr. Danny Werfel is the principal deputy commissioner of the Internal Revenue Service. Mr. Werfel, how many hearings have you been in so far? The chairman had mentioned that. Mr. Werfel. I think this is my sixth since arriving here. Mr. Lankford. Only six. Okay. We have got to get you to the double digits faster. Mr. Werfel. I have another one right after this one. Mr. Lankford. Well, we will do our best on that. Ms. Speier. We would like to--we would like for you to run the IRS, though, too. Mr. Werfel. I am doing that, too. Mr. Lankford. Yeah. The Honorable Marilyn Tavenner is the administrator for the Centers of Medicare and Medicaid Services. Mr. Henry Chao is the deputy chief information officer and deputy director of the Office of Information Services in the Center for Medicare and Medicaid Services. Thanks for being here. Mr. John Dicken is the healthcare director for the U.S. Government Accountability Office. Thank you as well. Mr. Lankford. Pursuant to committee rules, all witnesses are sworn in before they testify. Will you please stand, raise your right hands? Do you solemnly swear or affirm that the testimony you are about to give will be the truth, the whole truth and nothing but the truth, so help you God? Thank you. You may be seated. Let the record reflect that all witnesses have answered in the affirmative. In order to allow time for discussion, we would ask you to limit your testimony to 5 minutes. I think all of you have been here before, some more recently than others, obviously. There is a clock that's in front of you to give you a quite countdown. Your written statement is a part of the entire record, so we will give you 5 minutes of time here. And Mr. Duncan, I think you get to be the lead off hitter in this one. STATEMENT OF ALAN R. DUNCAN Mr. Duncan. Thank you. Chairman Lankford, Chairman Meehan, Ranking Member Speier, Ranking Member Clarke, the members of the--and other members of the subcommittees, thank you for the opportunity to testify on the Treasury inspector general for tax administration's views and observations on the Internal Revenue Service's information technology support for the Affordable Care Act, how tax information will be provided and the safeguards needed to protect taxpayers' data. The Affordable Care Act contains an extensive array of tax law changes that present many challenges for the IRS. The ACA will require collaboration and coordination among many organizations. The IRS' role with respect to the ACA is to implement and administer the ACA provisions that impact tax administration This requires developing and implementing computer programs that support the State and Federal insurance exchanges and the collection of taxes, fees, and penalties that would help fund the ACA. The IRS' 2014 budget request includes $440 million for implementation of the ACA, the largest component of which is $306 million for the implementation of information technology systems and communications. The ACA health insurance enrollment starts in October 2013. The IRS will be receiving health insurance related information starting in 2014 from many sources, including individuals, employers, insurance companies, and the health exchanges. The information technology security challenges for the ACA are considerable and include implementation of interdependent projects in a very short span of time, evolving requirements, coordination with internal and external stakeholders, and cross agency system integration and testing. The IRS implementation plan for ACA exchange provisions include providing information on eligibility, calculating the maximum advanced premium tax credit and reconciling ACA tax credits with reportable income. These provisions require the development of new systems, modification of existing systems, new fraud detection systems, and the deployment of interagency communication portals. The ACA health insurance enrollment process starts when an applicant applies at the exchange. To provide support for enrollment, the IRS has developed the income and family size verification application that will provide exchanges with an applicant's tax information. Our audit of this application determined that the project was on schedule and the IRS was managing knowing information technology risk. However, we do have concerns that the Federal tax data provided to the exchanges may not be adequately protected in accordance with the IRS' safeguards program. To assist applicants in the exchanges with selection of the appropriate insurance premium, tax credits, the IRS also developed the advanced premium tax credit application that will inform an applicant of the maximum amount of advanced insurance premium that they would be eligible to apply for. In the 2015 tax filing season, the IRS will be responsible for reconciling the advanced premium tax credit taken with actual income and family size during the tax year, which could result in a refundable credit or additional tax liability. The IRS has developed a plan to prevent and detect fraud and abuse during tax return processing that includes ACA transactions. TIGTA does have concerns that the new fraud prevention systems and/or modifications to existing fraud-detection systems may not be operational in sufficient time to identify ACA-related fraud schemes. We believe the IRS needs to complete and embed predicted analytical ACA fraud models into the tax filing process prior to the start of the 2015 tax filing season. The HHS and IRS have jointly developed an interagency test plan for the upcoming health insurance enrollment. We are concerned that final integration testing for all the agency systems, communications, and the Federal and State exchanges may not be completed before the start of the enrollment period in 2013. The lack of adequate testing could result in significant delays and errors in accepting and processing ACA applications for health insurance coverage. Because of the extensive changes to numerous Tax Code provisions, concerns related to ACA systems and security and the need for interagency coordination, TIGTA plans to continue strategic oversight of evolving ACA implementations. Our plan requires audit investigative resources to evaluate IRS' role in ACA programs and the protection of taxpayer's data. Chairman Lankford, Chairman Meehan, members of the committees, thank you for the invitation to appear. Mr. Lankford. Thank you. [Prepared statement of Mr. Duncan follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Lankford. Mr. Werfel. STATEMENT OF THE HONORABLE DANIEL WERFEL Mr. Werfel. Chairman Lankford, Chairman Meehan, Ranking Member Speier and Clark and members of subcommittees, thank you for the opportunity to appear before you today to discuss the systems being developed to facilitate information sharing among the IRS, the Department of Health and Human Services and other Federal agencies as part of the Affordable Care Act. The IRS has been working to implementing a number of tax- related provisions within the ACA. The most substantial of these provides for premium assistance tax credits to help millions of American families afford health insurance starting in 2014, when the new health insurance marketplace, also known as health insurance exchanges, will begin operating. To properly administer ACA provisions, such as the premium assistance tax credit, the IRS, HHS, and other Federal agencies will need to share individual's personal and financial information. For example, the marketplace will need Federal taxpayer data to help verify individuals' eligibility for the tax credits. Upon request, the IRS will provide income, family size, and filing status information from recent tax returns. Separately, the IRS will provide a support service to compute a maximum advanced premium credit based upon inputs from the marketplace. The ACA designates HHS as the conduit for information being shared with the marketplace. The taxpayer data supplied by the IRS will be transmitted over secure encrypted channels through the HHS data hub, which was developed to facilitate these data transfers. Our ability to share data with HHS is being brought about through new systems and services that our information technology division has been developing. We are on target to have these systems ready when open enrollment in the marketplace starts on October 1 of this year. Last month, we completed systems development and also finished interagency testing with HHS and the Centers for Medicare and Medicaid Services. Performance testing of these systems will continue through the summer. It is important to note that information sharing under the ACA will be done against the backdrop of very strong confidentiality protections that have been long part of the tax laws. In general, section 6103 of the Internal Revenue Code prohibits the IRS from sharing tax return data with anyone outside the agency. Over the years, however, Congress has created a series of narrow exceptions to the restrictions in section 6103. For example, the IRS is permitted to disclose tax return information to other Federal agencies and to State tax authorities to facilitate efficient tax administration. The ACA provides a specific exception to section 6103 for information sharing activities that the IRS will perform under the statute. The IRS is already well positioned to ensure the safety and security of the data being shared under the ACA, given the longstanding experience we have in overseeing the transmission of data to Federal and State agencies. The IRS office of safeguards has the responsibility for monitoring the nearly 300 Federal and State agencies that currently are permitted to receive tax return data to ensure they are complying with strict safeguarding requirements we impose on them. To prepare for data sharing under the ACA, the IRS has been collaborating with HHS and other agencies on the processes and written agreements needed to protect personal information, including tax return data. Among our collaborative efforts, the IRS and HHS have entered into a computer matching agreement or CMA, which details the operations of the data exchanges and various disclosure restrictions and other requirements. Just this week, the CMA was signed by both agencies and transmitted to the Treasury Data Integrity Board for approval. After approval by Treasury and HHS, it will be transmitted to Congress for the required notice period and be effective when open enrollment begins on October 1. The IRS is subjecting the health insurance marketplace and State agencies seeking tax return data under the ACA to significant data protection requirements. Before one of these entities can obtain tax return information, it must submit a Safeguard Procedures Report, or SPR to the IRS for its approval. This report details the steps that the entity has established or plans to take to protect the confidentiality of the tax records it will be handling. Taxpayer data will be withheld from entities that fail to establish adequate safeguards. The IRS will provide a list of entities with approved SPRs to HHS by October 1. Going forward, we will provide ongoing oversight to ensure that all entities involved in data sharing continue to meet the safeguarding requirements. Chairman Lankford, Chairman Meehan, and Ranking Member Speier and Clarke, that concludes my statement. I would be happy to take your questions. [Prepared statement of Mr. Werfel follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Lankford. Ms. Tavenner. STATEMENT OF THE HONORABLE MARILYN B. TAVENNER Ms. Tavenner. Good morning, Chairman Lankford Mr. Lankford. We need to get you button on there so we can all hear you. Ms. Tavenner. Thank you. Good morning. I would like to thank you for the opportunity to discuss the Center for Medicare and Medicaid Service's progress in implementing the IT systems in support of the new health insurance marketplace. Since the passage of the Affordable Care Act, CMS has been hard at work designing, building, and testing secure systems that ensure Americans are able to enroll in affordable health coverage. I want to assure you that October 1, 2013, the health insurance marketplace will be open for business. Consumers will be able to log onto healthcare.gov, fill out an application and find out what coverage and benefits they qualify for. I also want to assure you and all Americans that when they fill out their marketplace application, they can trust that the information they are providing is protected through the highest privacy standards, and the technology underlying this application process has been tested and is secure. I want to quickly walk you through what we're building, how it works and what data we are storing. I know there has been some confusion about the marketplace, its IT system and how data will be used. I want to make two points clear. First, while the marketplace application asks for some personal information, such as name, address, Social Security number, and date of birth, the marketplace application never asks for personal health information and the marketplace IT systems will never access or store personal health information beyond that which is routinely used when applying for Medicaid. Second, CMS prioritizes the privacy and security of applicant's data. CMS designed the marketplace IT system in a way to minimize all possible security vulnerability, and we especially focused on storing the minimum amount of personal data possible. With that clear, let's move to the first question people often ask. What is it that we are building? The Affordable Care Act directs States to establish State- based marketplaces by January 1 of 2014. In States electing not to establish such a marketplace, the Affordable Care Act requires that the Federal Government establish and operate a marketplace in the State which is frequently referred to as the Federally Facilitated Marketplace. This marketplace will provide consumers access to healthcare coverage through private qualified health plans, and consumers seeking financial assistance may qualify for insurance affordability programs through the marketplace such as tax credits. In order to enroll in an insurance affordability program through the marketplace, individuals must complete an application and meet certain eligibility requirements. To fulfill these functions, Federally Facilitated and State-based marketplaces are developing eligibility, redetermination and appeals IT systems. These IT systems are similar to what private issuers, Medicare Advantage issuers, and State Medicaid agencies currently use to carry out the same functions. Because these IT systems that perform the basic functions of the marketplace, CMS is developing a tool, which is known as the Federal Data Services Hub, which provides the electronic connection between the eligibility systems of the marketplace to already existing secure Federal and State databases to verify that information is correct, and that consumer provides in the marketplace application. It is important to understand that the hub is not a database. It does not retain or store information. It is a routing tool that can validate applicant information from various trusted government databases through secure networks. It allows the marketplace, Medicaid and CHIP systems to query government databases used today. The hub will only query the databases necessary to determine eligibility for specific applicants. The hub increases by efficiency and security by eliminating the need for each marketplace, each Medicaid agency and each CHIP agency to set up separate data connections to each database. We know that vulnerability increases when the number of connections to a database increase. That's why we created the hub. The hub provides one highly secured connection to trusted Federal and State partners' databases used today instead of requiring each agency to set up what would have amounted to hundreds of different connections. We have completed development in the majority of the testing of the hub services. All testing for the hub will be completed by the end of August. And with that, I'll conclude and be happy to answer any questions. Mr. Lankford. Thank you. [Prepared statement of Ms. Tavenner follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Lankford. Mr. Dicken. STATEMENT OF JOHN DICKEN Mr. Dicken. Good morning, Mr. Chairman, ranking members and members of subcommittees, I am pleased to be here today to discuss issues with data systems that will be a critical component of the new health insurance exchanges. As you have heard this morning, starting in October, health insurance exchange in each State will provide new marketplaces where eligible individuals can compare and select health plans. To support the exchange's efforts to determine applicant's eligibility to enroll, CMS is building a tool called the Federal Data Services Hub. This data hub is intended to provide one electronic connection to Federal sources for near realtime date access to data, as well as to provide access to State and other data sources needed to verify consumers' application information. Several million Americans are expected to enroll in qualified health plans offered through the exchanges, once coverage begins in 2014. My comments today highlight key findings from a report that GAO issued last month on the status of CMS' efforts to establish Federally Facilitated Exchanges in 34 States and to establish the data hub to support exchanges in all States. These findings are based in large part on our review of planning documents that CMS used to track Federal and State activities, including the development and implementation of the data hub, as well as interviews with CMS officials. In brief, CMS has completed many activities necessary to establish Federally Facilitated Exchanges by October 1st, although many activities remain to be completed and some were behind schedule. As examples of progress made, CMS has issued numerous regulations and guidance and taken steps to establish processes and data systems necessary to operate the exchanges. But the exchange's ability to effectively carry out eligibility determination and enrollment activities on October 1st will be dependent on CMS' successful implementation of the data hub. CMS is expected to complete development and testing of the information secure technology systems necessary for the data hub by October 1st, as Administrator Tavenner just indicated. CMS began both internal and external testing for the data hub in October of last year as planned. According to program officials and our review of project schedules, CMS established milestones that aimed to complete the development of required data hub functionality by this month and for full implementation and operational readiness by September. Additionally, CMS has begun to establish the required technical security and data-sharing agreements with federal partner agencies and States. While CMS data does, thus far, met project schedules and milestones for establishing agreements and developing the data hub, at the time of our report, several critical tasks remained to be completed before the October 1st implementation. These included finalizing service level agreements between CMS, the States and Federal partner agencies in completing external testing with all Federal partner agencies in all States. In conclusion, Federally Facilitated Exchanges in the federal data services hub are central to the goals under the Patient Protection and Affordable Care Act of having health insurance exchanges operating in each State by 2014 and of providing a single point of access to the health insurance market for individuals. Their development has been a complex undertaking involving the coordinated actions of multiple Federal, State and private stakeholders. It has also required the creation of an information system to support connectivity and near realtime data sharing between exchanges and multiple Federal and State agencies. Much progress has been made; nevertheless, much remains to be accomplished within a relatively short amount of time. CMS' time lines provide a roadmap to completion of the required activities by the start of enrollment on October 1st. However, the large number of activities remaining to performed, some close to the start of enrollment, suggests a potential for challenges going forward. And while the interim deadlines missed thus far may not affect implementation, additional missed deadlines closer to the start of enrollment could do so. At the time of our report, CMS had recently completed risk assessments and plans for mitigating identified risks associated with the data hub and was also working on strategies in each State to address State preparedness contingencies. Whether this contingency planning will assure the timely and smooth implementation of exchanges by October 2013 cannot yet be determined. Mr. Chairman and ranking minority members, this concludes my statement, and I'll be pleased to answer any questions that you or other members of the subcommittee may have. Mr. Lankford. Thank you. [Prepared statement of Mr. Dicken follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Lankford. And thank you, all of you, for your testimony. Can anyone state to me the section of the ACA that outlines the data hub? So, this massive undertaking started from what within the law? Because it is a massive piece, obviously. I'm just trying to figure out what part of the law mandates that this data hub be created, that this is the particular vehicle to solve the problem? Mr. Milholland. Mr. Chairman, I will take a cut at that. It's the requirement to exchange information between agencies. We had to find a way that would easily work to connect to the IRS and particularly HHS and then subsequently to the exchanges, also to other government agencies. When we did the architecture and design in collaboration with HHS and the other partners, we realized that the simplest design, the one that would make it more likely that we would implement on time, was a hub concept. Mr. Lankford. So you're saying that there's a statement within the law that requires communication between the agencies. Is this also requiring communication to the exchanges as well? Mr. Milholland. I will let HHS answer that specifically, but I believe the answer is yes. Mr. Lankford. Okay. Does anyone know on the section of law where this comes from? Mr. Chao. I don't--I don't believe it's in any section of the law. I think, you know, as Terry said, we've been working together on the most efficient implementation of the requirement that is in the law for information sharing between Federal agencies that are used to verify data on applications of people who are applying for---- Mr. Lankford. Okay. So there is a section that requires communication verification on it. How much does--does anyone know the total cost of the hub at this point? I mean, we've got two contractors that are working on it. Every agency has now started engaging. We have all these agreements for computer matching. Every State is also engaging in it, so we've got a line that's in the law, someone says we need to verify, how much has this cost. Mr. Chao. I think that there are several line items within the hub, but the total picture, as GAO reported, is about $394 million that CMS has budgeted and obligated for the various contracts to build the capabilities for the marketplace. Mr. Lankford. Okay. And then we've got several different pieces here. We have the data hub, obviously connecting all the agencies there where you're saying information is not stored at the data hub. Mr. Dicken referred to it's almost done in realtime, I believe, was the statement that was made there. Is it really realtime that's done or are we batching all these reports? Mr. Chao. The vast majority of the design is for realtime responses and realtime requests to get the data. Mr. Lankford. So, exchange hits the hub, makes the query, comes back seconds later, or does it come back hours later? That's what I'm trying to figure out on it, the batch schedule here. Mr. Chao. The service levels agreement, for example, with IRS is between 5 and 8 seconds Mr. Lankford. Okay. That's terrific. What about the caching of information. So when the request is made, how long is the cache to be able to hold on to that information as it's going through the process? Mr. Chao. The ``caching,'' and I put quotes around that, is kind of loosely used. When an individual is applying for the marketplace and they begin to enroll or request enrollment via the online application, they can pause and save that application into what we call a ``My Account,'' and that's on the marketplace system side. Mr. Lankford. Okay. So, that is stored information. So, in the data hub, you're saying, the caching is the best way to do it is over here, so how long is the cache in the data hub section of it? Mr. Chao. It is a consumer--when it comes to the application and their data, it is a consumer-elected, quote- unquote, ``caching'' of information saved in their ``My Account.'' In the hub, the time to live is very short. If there is no question and response match, that data is then removed. Mr. Lankford. So you're talking 10 minutes, 20 minutes, an hour, somewhere through there? Mr. Chao. Within minutes. Mr. Lankford. Okay. All right. Then let's go on the other-- on the consumer side, where you're saying--talking about ``My Account'' because that is where stored data is located. Give me examples of some of the fields. Ms. Tavenner, you mentioned a couple of those, Social Security, birthdays and such. What are some of the other fields that are there? Mr. Chao. Names of household members, address, the requirement to supply valid Social Security numbers. Mr. Lankford. Ethnicity, is that included as well? Mr. Chao. I believe there are race and ethnicity---- Mr. Lankford. Okay. So, home address. Is there a phone number that's included in that? Mr. Chao. Yes. Mr. Lankford. Email address? Mr. Chao. Yes, contact information. Mr. Lankford. All of the--does it have the questions about employer-sponsored coverage, is that included in that part as well? Mr. Chao. Yes. Mr. Lankford. Just questions about some of the background on it. Veteran status? Mr. Chao. Yes. Mr. Lankford. So, family members, you mentioned that. Does it just list out family members or list out the details of the family members? Mr. Chao. It--I think when we examined verification and determination of eligibility for premium tax credits with--in conjunction with IRS and also examined Medicaid and CHIP eligibility, there are some information that's used for different programs. Mr. Lankford. Okay. Let me run through several here. Indian tribe? Mr. Chao. Yes. Mr. Lankford. Tribal member is listed there. Mr. Chao. Yes. Mr. Lankford. Pregnant, would that be a question that would be asked or---- Mr. Chao. It depends on a series of what we call a pattern of answers that would indicate that that might be a question associated with---- Mr. Lankford. Obviously, ``female'' would be one of those, I would assume, in that pattern? Mr. Chao. I would think so, but it could be a household member that is not the applicant, but that's mostly used for-- -- Mr. Lankford. But that is a possibility that's in there. Applicant income, request of that? Mr. Chao. Yes. Mr. Lankford. Disabled, would that be listed as part of it? Mr. Chao. Disability, no. Mr. Lankford. Okay. All right. So that this information is gathered and it's stored how long? Mr. Chao. For--once the enrollment is established, you know, via the ``My Account.'' Mr. Lankford. So the ``My Account'' is set up, that information stored in that section, stored how long? Mr. Chao. It is stored for as long as the person is seeking access to affordable care and wants to enroll via the marketplace. Mr. Lankford. Okay. We'll have a lot of questions for you. I want to be able to honor everyone's time in the day on this, but I want to just set some basic parameters of what we're talking about, because we are really talking about two different systems. Data hub may not store anything, but we do have a data system that is storing large amounts of information as well, and so we'll have to be clear as we walk through it and try to make sure that we're using correct terms as we walk through it; is that okay? Okay. Ms. Speier. Ms. Speier. Mr. Chairman, thank you. And thank you again to all the witnesses. Three issues, privacy, security, fraud, that's what we're focussing on today. Let me start with Mr. Werfel and ask you a question about privacy. Given the number of different agencies involved, what measures has the IRS implemented to guarantee that sensitive taxpayer information is protected when it enters the data hub? Mr. Werfel. Thank you for the question. We, as I mentioned in my opening statement, we have a longstanding process because the Tax Code has previously allowed for, in certain situations, the IRS to share taxpayer information to Federal and State agencies, so over time, we built a very robust process that we're leveraging for the manner in which we'll share information under the ACA, which created a new exception under the Tax Code. That process is anchored around what we call a safeguard procedures report, and essentially, if you are to receive taxpayer information from the IRS, then you have to have an approved safeguard procedures report in place that IRS--and it's a very robust set of requirements. IRS reviews and approves that procedures report, or SPR, and then we monitor and do like on-site visiting to make sure that they are complying with those procedures that they outline. They deal with things like recordkeeping, restricted access, employee awareness about the sensitivity of the information, internal inspections to make sure that the procedures that are in place are robust, disposal of records when they are no longer needed, making sure that only those records that are needed--that are used are needed. So, it's a--you know, we have, as an example, just to give you a sense of how robust it is, just a template for what a State agency or Federal agency or the hub, in this case would, need to fill out is 61 pages, and that's just a template of what's required. So, really, we have a very robust set of requirements that are well battle tested over the years. We go through a robust process to review it and then we do on-site monitoring to make sure that the agency involved, whether it's the hub or a State agency or another Federal agency are making good on their commitments. Ms. Speier. Is there any penalty if they somehow have it breached? Mr. Werfel. Well, there are ongoing reviews that are done by the inspector general as an example. There can be severe penalties for willful breaches. What the inspector general, I can let Mr. Duncan speak to that, usually do is determine whether the breach was inadvertent or willful, and if it's inadvertent, then they would issue some type of report that would establish new sets of requirements that we may need to do to make sure that such inadvertent disclosures don't occur again. If it's willful, they may refer to the Justice Department for potential prosecution. It just depends on the circumstances. Ms. Speier. Okay. Now, I'm going to jump first to fraud and then come back to security because in my mind, security is the issue here. In terms of fraud, the chairman had referenced that there is, in effect, an honor system in place, and while that may be the case, because you're self-attesting it to, it's an honor system with consequences, is it not? If, in fact, you say you make $40,000 a year and are eligible for a premium credit, when it comes tax time the following year, if you really made $150,000, that subsidy has to be returned to the coffers of the U.S. taxpayers; is that not true? Mr. Werfel. Generally. If I could have a second to explain. So a couple of important things about the fraud and error risk associated with the ACA. First, what's happening when the individual enters the marketplace and seeks a premium tax credit, the system is set up so that any funds that they may be eligible or not eligible for because they're trying to defraud the system don't go to the individual. They go to the insurer. So the individual can try to penetrate the system and gain money, but they're not going to get money. The money is going to be sent to the insurers. Ms. Speier. They're going to get health care. Mr. Werfel. They're going to get health care. And they might get more affordable health care than they're otherwise eligible for. And at the back end, when they're reconciling, it may be that they were eligible for too much when we see what their actual income is when they file their taxes, and then they'll owe potentially some more money. It may be that we didn't determine that they were eligible for enough. But what that will mean in that case is they have been paying into this process, to the exchange, too much money than they should have, so we're only reimbursing them the cash that they've already paid in. Now, there is---- Ms. Speier. I'm running out of time, and I want to get-- thank you--to the more critical issue. I believe that the hub has a bull's eye on it and that the potential for it being hacked is great. And while there's been testing that has been undertaken, does ``testing'' mean that we've allowed, you know, high school computer science whizzes to try and hack into the system? Mr. Chao. No, Congresswoman. The testing involves security professionals with predefined security protocols that are embedded and automated procedures that, for example, to try to penetrate the system and to emulate a potential hacker, as well as it scans for poor quality of code development with big holes in it so that people can actually infiltrate the system. And it also includes examining audit procedures and the ability to log access to the system and provide the traceabilities that auditors need in order to see who has been accessing what data with the right--with the correct roles and permissions. Ms. Speier. My time has expired. Thank you, Mr. Chairman. Mr. Lankford. Mr. Meehan? Mr. Meehan. Thank you, Mr. Chairman. And I want to jump off of what the gentlelady from California said about this being--looking at it from the security perspective, and also to talk about it from the perspective of what the chairman said. And this is not a partisan effort to try to go put you on the spot. And I also appreciate that you are the people who have been trying to implement this. But I also have grave, grave concerns about the scope of information that is being put together by this system that you put together because, you know, it was required just to make it work. And I've been struck by the observations of numbers of people who are outside the organization, as well. So I know you, Ms. Tavenner, have discussed that you are trying to take the minimal amount of information that is necessary. But what is necessary to make the system work has been discussed by Stephen Parente of University of Minnesota, who studied perhaps the largest consolidation of personal data in the history of the Republic. Do you dispute that? Ms. Tavenner. One thing I would remind the committee is that, currently, we are used to storing and having personal information on large numbers of individuals, such as in the Medicare program, in the Part D program. We take it very seriously, and we go through the highest security and privacy protections. Mr. Meehan. I know you take it seriously. The question is whether you're prepared to have this information protected against the kind of and scope of probes that are taking place in the real world today. I'm going to read some observations from some people who, you know--``This national insurance exchange system will be the largest IT system ever created in our history, and they're not sure how it will work, and they cannot assure the security of this very private data. They are extensive government data- sharing systems that lack information security and offer easy access to hackers, identity thieves, and others interested in surreptitiously gaining access to private information.'' This was Twila Brase from the Citizens' Council for Health Freedom. ``Nothing like this has ever been done to this complexity or scale and with a timeline that puts it behind schedule almost before the ink was dry.'' This was Rick Howard, who has an advisory firm, the Gartner firm. This is Jim Spatz, a senior advisor at Manatt Health Solutions: ``As crunch time is coming, they're just muddling through and figuring out shortcuts. It might not be elegant, but this is how they're trying to make the law work.'' These are the observations of some of the people who are outside the system observing it. Are they accurate? Mr. Chao. Congressman, I would refute that to say ``no,'' because CMS has vast experience--for example, there are nearly 50 million Medicare beneficiaries, and we have databases and systems that operate in an architectural and technical pattern very similar to what the marketplace requires, including, you know, application for enrollment, processing eligibility verifications, checking various sources of data, allowing for people to come back in to report life-changing circumstances, working with SSA to remove them when we receive a date-of-death notice. I think all these operations at a very, very super-scale level in health care, CMS has applied this experience to the marketplace program. Mr. Meehan. Would you--I understand what you're trying to do at CMS. Are you aware of what's going on today, Quantum Data 2, the testing thing that's being done right now on Wall Street today by the major New York banks? Mr. Chao. No, I'm not. Mr. Meehan. Do you think that your system is more or less secure than that that is being put together by the best banks in the United States? Mr. Chao. I really can't speak to that because I'm not aware of what they're doing. Mr. Meehan. Well, they're walking through, as we speak, with regard to the ability to--that their recognition that they are, in effect, being so remarkably challenged by the ability of complex networks, be they criminal, be they state-oriented, be they otherwise, to get into information systems that they have responsibility over. And I'm not sure that I'm aware of any system that has more personally identifying information than your system currently. And the question is the degree to which we're capable of being able to protect those systems. My time has expired, but I'm looking forward to following up specifically on some of the questions with regard to that. Ms. Tavenner, do you have a comment? Ms. Tavenner. The comment I would make is that there certainly is a lot of speculation out there about what's going on inside CMS. And what I know is that the process that we are following, we are used to working--we have lots of experience with working with big data sets. And we are following, going back to the Privacy Act of 1974, moving forward, to make sure that we have the highest degree of security and privacy protection. And we are on schedule to get that done---- Mr. Meehan. Do you know, what is the highest degree of security protection? Do you know, yourself, what that is? Ms. Tavenner. So I know, working with the team, that we start with certain standards that are required by the government, and we follow those standards completely and thoroughly. And then we have a continuous monitoring process, we have a continuous training process---- Mr. Meehan. Ms. Tavenner, let me ask a question. When was the last time that you have sat in on a secure briefing by the FBI or the Department of Homeland Security giving you the current state of the cyber threat to data systems in the United States? Ms. Tavenner. I don't know that I've sat in on an FBI briefing. We certainly have briefings inside HHS, and I did sit---- Mr. Meehan. But no, no, no. I asked you a specific question. The two agencies that have the specific responsibility to understand the scope and nature of the threat--are you telling me that you are the person who is responsible for putting together what may be the biggest data system of private information in the history of the United States, according to testimony of numbers of people, and you have never been to a secure briefing by the FBI or Homeland Security about the current nature of the threat to data systems? Ms. Tavenner. And I am telling you that I have been to a secure briefing. Mr. Meehan. With whom? By HHS or FBI? Ms. Tavenner. With HHS. Mr. Meehan. Well, but that is not Homeland Security, is it? Ms. Tavenner. No, sir. Mr. Meehan. No, it is not, nor is it the FBI, who are the two responsible for understanding the nature of the threat. I will pursue my questioning. Thank you, Mr. Chairman. Mr. Lankford. Ms. Clarke? Ms. Clarke. Let me thank you, Chairman Lankford, Chairman Meehan, and thank Ranking Member Jackie Speier for submitting my testimony to the record. And thank you, witnesses, for your testimony here this morning. My first question will go to Mr. John Dicken. Your report on the development of the Affordable Care Act data hub is the first of its kind for these healthcare programs, which means we are still learning about how to go about assessing the progress of the effort. You noted that 15 of the 34 States where Federal health officials are running the exchanges will play some role in their operation, and this is a good sign. With about 7 million citizens expected to enroll in healthcare plans, would you tell us first about the key milestones that have been met and the plateaus that have been reached in such a massive undertaking? Mr. Dicken. Thank you, Ranking Member Clarke. You are right that our report did look at two of the key milestones that have been met. We issued our report last month and highlighted some of the progress that has been made-- notably, issuing key regulations and guidance that are necessary for establishing the exchanges and the data hub; establishing, building, and developing and implementing some of the data systems that are necessary; and beginning some of the process for testing that is still ongoing. Since our report came out last month, there have been some other public milestones that have been met. I know that CMS has relaunched the healthcare.gov website. There are still a number of big challenges remaining, though. Our report does highlight that there are still a number of key milestones that do need to be met before October 1st and the open enrollment. Ms. Clarke. I would like to also hear from agency staff present about what milestones they feel have been reached and how they see their progress. Mr. Chao. For CMS, we manage and administer the majority of the testing with the key business partners, which are the issuers or insurance companies that offer qualified health plans in the marketplace. We began testing with them in June extensively and stepping into greater and greater iterations of more complex testing that involved enrollment that are orchestrated with the issuers and their ability to receive an enrollment transaction and an acknowledgment and, finally, into a payment and a payment acknowledgment. The States we have been testing extensively since February, so those have been major milestones. Starting this week, we have conducted the testing in waves, and States have been coming in in various waves. You know, one through four is what we categorize it, with four being the vast majority of the more complex testing with the hub primarily and the ability to receive information when a federally facilitated marketplace is detecting the potential for Medicaid and CHIP eligibility. That testing in the fourth wave began this week, and we have 40 States participating. And when the 40 States are testing with us, we will have all the States that have done some level of testing with us, with the 40 probably being the vast majority between now and August. Ms. Clarke. Does anyone have anything else to add? Mr. Werfel. I would just add to that from the IRS perspective. We also, similarly to HHS, are on schedule. We have a variety of information technology builds and upgrades that are necessary to meet the information-sharing requirements within the ACA, and that we're generally on target with respect to all of those milestones. And we have a very high degree of confidence of readiness when October 1 hits and the open season enrollment begins. Ms. Clarke. Well, that sounds good. Let me go on and ask, can you update us on the Federal Data Services Hub testing activities, including the list of tests, which agency and stakeholder tested the data hub in each event, the results of each test, and when the testing will be complete? Mr. Chao. We certainly can do that. I can generally run through right now in just a few minutes. But I think, working with GAO and other folks that want to come in and take a deep look at the range and depth of our testing by testing partner, we can certainly provide that information. It is available. The testing that will occur in the next 70-plus days or so is largely looking at what was mentioned earlier as integration testing. Some folks like to use the term ``end-to-end testing,'' as if there is just this one giant thread from start to finish of all these complex processes that have to, in essence, have a handshake to move this data and respond to data in order to fulfill the request for enrollment. We are taking segments of that or hops of that process and testing the integration, for example, between IRS and the data hub, the data hub with the marketplace systems, and the marketplace systems with the issuers. So that's just a very, very high-level example of how we break down that integration testing into those hops and to look at the interfaces and the data flows that are necessary to support that business process. Ms. Clarke. Thank you. And if you could submit to the committee just a little detailed testing arrangements, that would be something that we'd like to have. Mr. Chao. We can certainly do that. Ms. Clarke. Thank you. Mr. Chairman, I will yield back. Mr. Lankford. Thank you. I recognize the chairman of the full Committee on Oversight, Mr. Issa. Oh, he's not here right now. He had to slip out. Mr. Jordan? Mr. Jordan. I thank the chairman. Mr. Werfel, we've been given two titles for this individual. We've been given the title Project Manager for the Affordable Care Act and Director of the IRS's Affordable Care Act Office. Who is that individual? Mr. Werfel. I'm sorry, can you repeat the two titles? Mr. Jordan. Project Manager for the Affordable Care Act and Director of the IRS's ACA Office. Isn't it true that that individual is---- Mr. Werfel. Yeah, I mean, I'm just--you know, we have title changes, but I think you're referring to Sarah Hall Ingram. Mr. Jordan. All right. And how long has Ms. Ingram worked at the Internal Revenue Service? Mr. Werfel. I don't know the answer to that. Mr. Jordan. Our records show that she has worked there since 1982, 30 years. And prior to taking over the ACA Office, what was Ms. Ingram's title? Mr. Werfel. Commissioner for the Tax-Exempt Government Entities organization. Mr. Jordan. And this is the very organization where the targeting of conservative groups took place; isn't that correct? Mr. Werfel. It is the organization that was the subject of the IG report that I think you're referring to. Mr. Jordan. Yes. And this is also--Ms. Ingram was also Lois Lerner's boss; isn't that correct? Mr. Werfel. I believe for a period of time, yes. Mr. Jordan. When the targeting took place, for 2 of the 3 years that the targeting took place, according to our records. And isn't it true that Ms. Ingram was invited to be a witness at today's hearing? Mr. Werfel. That is true, yes. Mr. Jordan. And isn't it true that you called Mr. Lankford and asked that she not come and that you come instead? Mr. Werfel. What I told Mr. Lankford was, based on the topic of this hearing, which deals with data, data integrity, and privacy, that I felt that Mr. Milholland was a better technical expert because he's our Chief Technology Officer, and Ms. Hall Ingram does not deal as directly in the issues of data safeguarding. Mr. Jordan. Is Ms. Hall Ingram in Washington today? Mr. Werfel. Yes, she is. Mr. Jordan. So there's no family responsibilities, no health concerns, no other reason why she couldn't be here today? Mr. Werfel. I don't know about any of those situations personally, no. Mr. Jordan. But, to best of your knowledge, she's working, she's a few blocks away today, right? Mr. Werfel. Yes, she's at the IRS. Mr. Jordan. Okay. And I know you've testified five times in front of various--or six times, I think you said, in front of various committees. But how long, again, have you been at the IRS? Mr. Werfel. Roughly a month and a half. Mr. Jordan. Okay. Mr. Werfel. Coming up on 2 months. Mr. Jordan. All right. We want to put on the screen here a couple slides, if we could. And just so you--this was a presentation given to the IRS Oversight Board May 2nd of this year. And then I want to go to page 5, because this relates directly to most of your opening statement, Mr. Werfel, where you talked extensively about 6103. But I want to read--it may be a little difficult. I'll read the second bullet point. ``The ACA added Section 6103(i)(21) to authorize the IRS to disclose Federal taxpayer information to exchanges, Medicaid, and CHIP agencies and their contractors to support income verification for ACA needs-based eligibility determinations.'' 6103 info is pretty important information; isn't that correct, Mr. Werfel? Mr. Werfel. Absolutely. Mr. Jordan. Almost viewed as sacred, correct? Mr. Werfel. Within the IRS, for sure. Mr. Jordan. Yeah. In fact, you've used that, you've used 6103 as a reason not to answer some of my questions I've asked you in some of those previous appearances you've had in front of this committee. And most of your testimony dealt with it. In fact, there's a story in yesterday's Washington Examiner where this was breached and a political figure had personal information, donor information, that went public, according to the Inspector General. So this is important stuff. Do you know who happened to--do you know who gave this briefing to your Oversight Board on May 2nd, 2013, Mr. Werfel? Mr. Werfel. I don't know, but I'm assuming you're going to tell me. Mr. Jordan. Yeah, we are. Who do you think it is? Can you hazard a guess? Mr. Werfel. If you would allow me, I mean, I think we can get to some of the points you're tying to raise. I'm not going to dispute that Ms. Hall Ingram is not integrally involved in our ACA work. What I'm---- Mr. Jordan. No, no, no, wait, wait. What you just said a few minutes ago, maybe a minute and a half ago, was you were the person best equipped to answer our questions, even though the chairman invited Ms. Hall Ingram. And yet Ms. Hall Ingram is the very person who gave this briefing talking about 6103 information, which you highlighted in your testimony as being so darn important. So the very lady who is doing the oversight briefing to the Oversight Board who we wanted to have come talk about this information, making sure taxpayer information was confidential, gave that briefing, you called up Chairman Lankford and said, ``No, no, I don't want her to come. I'll come instead.'' Mr. Werfel. Can I respond? Mr. Jordan. And you've been here all of 63 days. She's been here 31 years, since 1982. In fact, she's the central figure in two of the biggest stories in the country, the IRS targeting and the implementation of Obamacare. And these two gentlemen asked her to come, and you called up and said, nope, we don't want the lady who briefed the Oversight Board, we don't want her to come; I'll come instead and use my 63 days of expertise, versus her 32 years, 31 years of expertise. Ms. Speier. Mr. Chairman, with all due respect, Mr. Werfel has presented himself very, very competently in every area and---- Mr. Jordan. Mr. Chairman, did I yield the time? I don't think I yielded her time. Mr. Lankford. Yeah, the gentleman did not yield on it. I want the gentleman to be able to retain the time---- Mr. Werfel. May I respond? Mr. Lankford. --and for Mr. Werfel---- Mr. Jordan. Yeah, you can respond. I hope you will respond. Mr. Werfel. I will respond. Mr. Lankford. And, Mr. Werfel, absolutely, we'll give you the time to be able to respond. Mr. Werfel. I appreciate that. First of all, Congressman, I don't agree with your characterization of the nature of my phone call with Mr. Lankford and the reason why I and Mr. Milholland are sitting here today. What I feel is appropriate and what I think IRS historically feels is appropriate is, when there's a hearing, we balance a lot of different factors in figuring out who the best witness is to present the information to Congress. Two of those factors are accountability--and I'm the most senior accountable official within the IRS---- Mr. Jordan. I understand that. Mr. Werfel. --and second is technical knowledge and expertise on this subject matter. The hearing invite that we received asked us to pay particular attention on our coordination with other agencies, HHS and IRS coordinations, regarding safeguards of the personal data of individuals who purchase coverage through the exchanges. So what I suggested to Mr. Lankford is a combination of me, the most senior accountable official in the organization, and the Chief Technology Officer of the IRS, Mr. Milholland---- Mr. Jordan. And, Mr. Werfel---- Mr. Werfel. --would provide the best input to the substantive---- Mr. Jordan. I get it, Mr. Werfel. Mr. Werfel. --content of this hearing. Mr. Jordan. And I respect that. But if I could, Mr. Chairman, we have the minutes, we have the meeting notes from that presentation given by Ms. Hall Ingram---- Mr. Werfel. She's knowledgeable on these issues. I'm saying---- Mr. Jordan. No, no, no, but let me just read. Mr. Werfel. --Mr. Milholland is more knowledgeable. Mr. Jordan. Just let me read. Well, if he's more knowledgeable, why didn't he do that briefing? So let me ask you--here's what it says. ``Ms. Ingram discussed the security and safeguard programs at the IRS, that the IRS has in place regarding sharing of data among its partners.'' If he's the expert, he should've done that briefing. And, frankly, the chairman didn't ask for Mr. Milholland. They asked for Ms. Sarah Hall Ingram, who is head of the Affordable Care Act Office at the IRS. Mr. Chairman, I yield back. But, I mean, look, we've got the two biggest issues, maybe the two biggest issues in the country, the lady who's at the center of the storm in both of those. We asked her to come here, and she doesn't come. Even though she's briefing everybody else on the issue, she won't come brief the Congress, just like Lois Lerner won't talk to Congress. Ms. Speier. Mr. Chairman, I have a point of inquiry. Mr. Lankford. Yes, ma'am. Ms. Speier. We have a 5-minute limit per Member. Mr. Jordan just exceeded it by 1 minute and 48 seconds. This is a hearing on evaluating privacy security and fraud as it relates to ACA, and this entire questioning was whether or not a particular individual should have been here versus the head of the agency. If we are going to conduct this hearing---- Mr. Jordan. Mr. Chairman? Ms. Speier. --as a witch hunt---- Mr. Jordan. It's not a witch hunt Mr. Chairman. Mr. Lankford. Hold on. Mr. Jordan. Would the gentlelady yield? Mr. Lankford. The gentlelady has the time. Hold on. Ms. Speier. --then I will object. I want this to be an oversight hearing by this committee. You have shown great leadership in this committee. I believe that what we should be doing is looking at where the holes are, in terms of making sure the ACA is effective as it is rolled out, where the resources need to be employed, where there may be loopholes, where there are issues that we have to address. And that's what I hope this hearing will continue to do. Mr. Lankford. There are multiples of those---- Mr. Jordan. Mr. Chairman? Mr. Lankford. I will yield to the gentleman. Mr. Jordan. I would just ask unanimous consent to enter the meeting notes from the very meeting Ms. Hall Ingram briefed the IRS Oversight Board, specifically this sentence: ``Ms. Ingram discussed the security and safeguard programs the IRS has in place regarding the sharing of data among its partners, including those for ACA programs,'' end of story. Mr. Lankford. Yeah. Without objection. Mr. Lankford. The time period is obviously at the discretion of the chair. There have been a couple Members that have gone over by a couple minutes, some as long as 2 minutes, actually, so far in our time period. We are going to try to honor the 5-minute time period, but I've always been fairly loose on that with Members on both sides, that if there is an appropriate question that's going on and they want to give an appropriate response--and, Mr. Werfel, I do want you to still have time to respond to Mr. Jordan's question that he ended with, if you choose, to be able to do that, as well. We did have an interchange, we had multiple conversations on that. It was very respectful of your position. You obviously have a difficult spot. You're walking into the middle of a lot of issues with the IRS. This is one of several and a moving target. I did express to Mr. Werfel that I felt Mrs. Ingram seemed to be, as we're looking at the flowchart, the best person to be there. Obviously, Mr. Milholland has a crucial role in the data transfers on that. Mr. Chao has an incredible role in this from the HHS perspective and what's happening. A lot of what we're dealing with deals specifically with the regulatory nature of this. So, Mr. Werfel---- Mr. Werfel. The only thing I would say--and I can be very brief--is that there are multiple people within the IRS with substantive understanding of the issues of 6103 and the safeguarding. You have two individuals right now, one that's the accountable official and one who is a subject matter expert on the issue, and we're here and ready to answer any substantive questions you have on these matters. Mr. Lankford. Yeah, we will continue to press on with that. Mr. Cardenas, you are recognized. Mr. Cardenas. Thank you very much, Mr. Chairman. I would like to compliment the witnesses so far. It must be pretty trying, trying to stay on point even though some of the questions are trying to take us all off point here. And it's unfortunate that some members of this committee and this subcommittee are just hellbent on wanting to bring issues back before the public that really are not as relevant as the substantive issues as to why this hearing was even convened. But I would like to get us back on point. In an opinion piece published in the U.S. News and World Report in June, Congress Representative Diane Black made allegations about the data hub that we're talking about today. I'd like to mention one in particular and would invite the panel to comment and clarify, if necessary, about this information that was put out to the public by Congresswoman Diane Black. Congresswoman Black wrote, and I quote, ``For the purposes of implementing and enforcing Obamacare, the Department of Health and Human Services, through regulator fiat, is building this hub, a Web portal where personal information such as medical records, tax and financial information, criminal background, and immigration status will be shared and transmitted between agencies, including the IRS, HHS, the Department of Justice, Department of Homeland Security, and the Social Security Administration, as well as State governments.'' All right? And that's the end of that quote. Ms. Tavenner and Mr. Chao, can you clarify, will personal medical records be accessible through the data hub? Mr. Chao. No, they will not be. I think the quote or the description is a bit inaccurate, in terms of it doesn't describe about the flow of information, the type of data, and, certainly, we are not collecting, you know, personally identifiable health information on any individuals throughout this application process. Mr. Cardenas. Anything else on that point? Okay. Thank you. It's important that there perhaps should be penalties for any misuse or disclosure of information. As far as you can tell, would there need to be congressional approval to implement levels of civil or criminal penalties for those who would willfully and knowingly violate privacy laws? Mr. Chao. I'll also defer to IRS for their piece. I think, for us, there are already civil and monetary kind of penalties under U.S. Code that govern access to Federal Systems, of which, you know, we do apply that. Specifically to this application process, I'm not aware of anything that has changed with that in the application of those civil monetary penalties under U.S. Code. So I will--I can certainly get back to you with more specifics on that. Mr. Cardenas. Thank you. Mr. Werfel. And I was just going to reinforce that by saying that the protections that we're putting in place on the data are leveraging longstanding, existing procedures that are in place, including penalties and approaches, working with the Inspector General, that we have long-term experience with. Because, as I mentioned earlier, this is not the first time that the law has contemplated sharing taxpayer information from the IRS out into other Federal agencies and other State agencies. And so we have a strong track record of robust processes, and those are going to be leveraged here. Mr. Cardenas. Are they getting better, those processes, as technology changes and as we have to defend ourselves from attacks? Mr. Milholland. I'll answer that from the point of view of the IRS. We use a defense in depth and breadth concept. That is, whatever the access controls might be, for example, there are eight levels of protection as you come into the IRS electronically. But there is also a breadth approach that says, not just access controls, but preventative measures you might want to take for insiders, say, and a number of implementations of technical capabilities that allow us to try to be detect if there is inappropriate access to the information. So these same kind of practices we pass over to our Safeguards group and, particularly, provide our cybersecurity experts from Information Technology to assist them in their safeguard reviews. So those reviews that take place outside of the IRS have the best technical support that's available to the IRS, in which we've built what we believe is a--I'll say a best-in-civil-government approach to information security. Mr. Cardenas. Thank you very much. With what little time I have left, I would like to thank the panelists. I think you've been doing a really good job trying to stay on point and continuing to answer the questions as honestly and forthrightfully as you should be before any congressional hearing. And I would hope that you would share with your colleagues, whenever they're summoned to this committee or any committee, to watch this tape so that you can show them that you can stand your ground and don't succumb to badgering and things of that nature trying to get you off point. Thank you so much for your professionalism. I yield back. Mr. Lankford. Mr. Walberg? Mr. Walberg. Thank you, Mr. Chairman. And thank you to the panel for being here. And we're not going to attempt to badger in any way, but we would like answers to questions as quickly as possible. Ms. Tavenner, thank you for being here. Let me ask you, in relation to the HHS issuing a final rule that requires a taxpayer enrolled in a health plan through a State exchange to report certain changes in circumstances within 30 days, these include changes in residency, as I read it, and income. Is that accurate? Ms. Tavenner. I believe so, but I'd have to double-check the rules. Mr. Walberg. Well, let me follow up, hoping that maybe this will help. The question I would have: If, indeed, this is the case, a 30-day requirement, if I get a raise, if I get a demotion, if I start a new job, if I lose a job, am I required to run to my State exchange and notify them of those changes? Mr. Chao, if you could. Mr. Chao. Commissioner Werfel mentioned earlier that the process allows for a reconciliation via the tax-return-filing process of any advance premium tax credits that were paid on your behalf to the issuer that you enrolled in. And while we, on a consumer, you know, kind of customer service perspective, ask people to report it as early as possible---- Mr. Walberg. Well, it says 30 days. Mr. Chao. Yes. Yes. And---- Mr. Walberg. But you're going to be flexible on that? Mr. Chao. Well, I think, you know, by requirement, it's 30 days, but if something were not to be, you know, kind of reported in that time span--and we are recommending for people to report changes timely--there is the reconciliation that will kind of pick up any adjustments that are necessary. Mr. Walberg. So even I leave a State where my exchange was, or my marketplace, I guess is the new term, I will have some flexibility on reporting? Mr. Chao. Correct. Mr. Walberg. Okay. Let me move on. Ms. Tavenner, this is just a yes/no series of questions and answers here. Will exchanges be allowed to enroll individuals to receive advance premium tax credits even if their income cannot be verified by the IRS, yes or no? Ms. Tavenner. I think there are several steps, but, yes, there is a possibility that if their income can't be verified they could still be eligible after they complete another series of tests. Mr. Walberg. Will exchanges be allowed to enroll individuals to receive advance premium tax credits even if their household size cannot be verified by the IRS? Ms. Tavenner. I think household size is verified by the individual and to the extent that IRS can provide it. But, yes, there are additional steps, including self-attestation. Mr. Walberg. Will exchanges be allowed to enroll individuals to receive advance premium tax credits even if their citizenship status cannot be verified by the Department of Homeland Security? Ms. Tavenner. As you are aware, the Affordable Care Act only allows if we are able to verify citizenship or---- Mr. Walberg. Well, in this case, they're saying they are; there's no firm verification. So another flexible area where we're really uncertain whether the benefits are allowed or not allowed, right? Mr. Chao. The process works in that, when there are accurate data sources to verify against what's on the application, it is done so, you know, online in realtime. There are cases in which when data and information is not necessarily in synchronization with what the person is reporting as the household, we have a step in the process whereby they move into an inconsistency period in which we have eligibility support workers. It's a complement of almost, like, customer service reps that will work with you to identify, you know, other means to verify, you know, your household size, your income. And while it's kind of a labor-intensive process, we have built that in so that we can get as accurate a determination and enrollment as possible. Mr. Walberg. But while it's going on, it's very uncertain? Mr. Chao. No, it's a process---- Mr. Walberg. Citizenship status---- Mr. Chao. Well, for the consumer's sake or the household's sake, the process continues, and they move on to receiving coverage and enrollment in a QHP. But we're, in the back end, making sure that that data is accurate. Mr. Walberg. Will exchanges be allowed to enroll individuals who receive advance premium tax credits even if their Social Security number cannot be verified? Mr. Chao. No. That process will go into that inconsistency or exception process, and that's probably a pre-, early kind of step in the process, because the first thing we have to do is to validate a Social Security number via SSA before we talk to IRS with that validated Social Security number. Mr. Walberg. If they haven't had any previous tax returns, for instance---- Mr. Chao. Well, that's why---- Mr. Walberg. --how do you verify this? Mr. Chao. That's why we have that inconsistency process whereby for 90 days we will work with the applicant filer to make sure that that information, the required information, is validated on the application. Mr. Walberg. Mr. Chairman, my time has expired. Thank you for the additional time. This is an uncertain setting, isn't it? Mr. Lankford. Ms. Lujan Grisham? Ms. Lujan Grisham. Mr. Chairman, thank you very much. And I also appreciate the opportunity to talk about the readiness and capability and make sure that we're covering broad consumer protections, specifically privacy. I might point out before I get to my question that States for decades have been collecting financial and healthcare information from Medicaid recipients, including children, and working very hard as the technology opportunities have enhanced to make that interoperable and realtime so that individuals aren't doing independent applications by hand between one department that's covering developmentally disabled populations and another department that's doing brain injury and another department that's responsible for level of care and another department that's required to do the financial verifications, including going to their bank statements. And we're doing that successfully. And, in fact, after 20 years, I'm not aware of a single State that's had privacy issues as the core issue, by any stretch of the imagination, or those consumer protections. We've had issues about Medicaid implementation, effectiveness, some fraud by providers, and all things that we should be looking after. But I'm not aware of anything, including hospitals and their discharge work and their own Medicaid eligibility sending provider to provider and provider to State, in fact, the very same information that we're now going to do at the Federal level. So I'm happy to say that New Mexico is one of those States that is glad to help you do this, because we've been doing it successfully in many of these components for a long, long time. But to be successful, I'm concerned--and you might have covered this already--I'm concerned about having a budget that gives you the staff, that checks, that double-checks, that makes sure that you're meeting the requirements that we intend in Congress, both for consumer protection and to make sure that we get these eligibility issues streamlined effectively since we're using a Web-based aspect here. So the Republican budget out of the Appropriations Committee cuts your budget by 24 percent. And I recognize that this committee is concerned about IRS issues; I'm concerned. I introduced legislation that would clarify that ``exclusive'' means exclusive for 501(c)(4)s. I don't believe that there's been targeting, but I think we don't have the right processes involved to do it adequately and objectively and correctly. So this will, I think, help us. Commissioner Werfel, can you talk to me again specifically about what a 24 percent budget cut does to adequately and efficiently implement the requirements of the Affordable Care Act by the IRS? Mr. Werfel. It's extremely challenging, in general. I think when you talk about a 24 percent budget cut for the IRS, you have to start with the reality that all of our mission-critical activities will be severely impacted. That means our ability to collect revenue, work with taxpayers to help them navigate the Tax Code, do enforcement, go after bad actors who are seeking to defraud the system, meet other mandates. We have many legal mandates on our plate right now. We have work that we're doing under a law that's called FATCA that deals with disclosing information that's in offshore accounts that's unreported. We have legal mandates under that. So when you talk about a 24 percent cut, you really are negatively impacting taxpayers--small businesses, individuals, families---- Ms. Lujan Grisham. So this has effects well beyond the Affordable Care Act. Mr. Werfel. Absolutely. Ms. Lujan Grisham. And while, before I lose my minute, I want to make sure that you hit some of the specifics about the Affordable Care Act, and I want you to highlight that for every dollar that comes into the IRS--that includes the staffing resources to do the work that you're required to do--it brings in about 6 Federal dollars. And, for me, this seems like a very political attempt to undermine the implementation of the Affordable Care Act instead of what this committee, in particular, should do, is to make sure that the IRS can meet all of its obligations under current law. Mr. Werfel. Right. So I think the ACA tracks some of the broader responsibilities for the IRS. Our efforts to modernize--and here, for the ACA, we have to build technologies to meet these mandates. That certainly would be impacted by severe budget cuts. Our ability to work with taxpayers, whether on the phone or build new tools through IRS.gov so that they have clarity, whether it's an individual or an employer, we do that in the tax law generally. It would certainly be impacted by the ACA. Harder to get someone on the phone, harder to get information at a taxpayer assistance center, et cetera. And then we have protecting information. You know, we have people in place that are doing these reviews and oversight of agencies that hold taxpayer data. Significant and severe budget cuts would impact our ability to secure the data. And then, obviously, enforcement has been a major theme in this hearing about fraud. We have to have tools in place, both technology and analytics and expertise and criminal enforcement, to make sure that everyone's playing on a level playing field and no one's getting a benefit or money that they don't deserve. Everything I just said, I think, is relevant across the IRS. Everything I just said is relevant to the ACA. And I welcome a debate and a dialogue around the IRS budget and, in particular, what a 24 percent cut would do. Again, my bottom line is I think it's important to look at it from the perspective of the taxpayer--the individual, the small business, the large business, the nonprofit, whatever it is. They will face very significant concerns and consequences with a 24 percent cut to the IRS, because they won't be able to access critical services. Because the Tax Code doesn't go away. They still have to comply with the Tax Code. They still have to comply, and they often seek and get IRS help in doing so. And our ability to provide that help and assistance will be compromised. Ms. Lujan Grisham. Mr. Chairman, I'm well over my time. I seek the committee's indulgence for a quick follow-up? Mr. Lankford. Yes. Ms. Lujan Grisham. Quickly, so you're going to have to move staff and shift your priorities. Have you thought about where you would start? Give me that. Where would you shift personnel to meet the Affordable Care Act implementation? Mr. Werfel. Well, we're already starting--you know, if you look at the sequester impacts, we're already, for example, our taxpayer assistant centers are closing at 1:30 now, and so less people are getting in. Our call centers have less people sitting ready to take calls, so our level of service numbers are going down. Ms. Lujan Grisham. Okay. Mr. Werfel. I mean, it's just--the budget cuts that we face, the billion dollars between 2010 and 2013, which in part is due to sequester, are impacting our ability to serve and to enforce. Ms. Lujan Grisham. Thank you. Thank you, Mr. Chairman, for your indulgence, and the committee's as well. I yield back. Mr. Lankford. I recognize the chairman of the full committee, Mr. Issa. Mr. Issa. Thank you. Mr. Werfel, when did you start at OMB? Mr. Werfel. August 4th, 1997. Mr. Issa. And you've got 63 days or so in your current job. Mr. Werfel. Yeah, I'm coming up on my 2-month mark. Mr. Issa. And so you were in a key position to work with the President, quite frankly, during the discussion leading up to his offering and signing what became known as sequestration, right? Mr. Werfel. I was not involved in the Budget Control Act negotiations. I was involved, back in August 2011 when the Budget Control Act--my role was to work with the Treasury Department to prepare administratively for a potential breach of the debt limit. But I wasn't on the side of---- Mr. Issa. Okay. Well, I'm just trying to understand the revisionism that's going on here. OMB did have a critical role, broadly, in the decision that the President made to go for sequestration. So, you know, you're sort of feigning that this is so terrible, when, in fact, this was the President's decision, and now that it's become law and it's affecting you, you're saying you can't do your job. Well, I appreciate that that may be true, but let's go through some numbers. While you were at OMB, you opposed the DATA Act that was passed unanimously out of this committee. To a certain extent, you were helpful in making sure the Senate never picked it up. Now, the reason for the DATA Act was to mandate structured data so that interoperability of government databases with strong enough metadata to secure and ensure that confidential information would always be in a way that it could not accidentally go from field to field in some sort of a mix so that organizations like the IRS, when they want to look at SEC and they want to look at multitude of filings, would be able to look at that data transparently in order to do better audits with less people. Isn't that roughly what we sold to the Senate but they didn't buy? Mr. Werfel. As I've testified before this committee wearing my former hat, I personally and I think the administration agreed with the objectives of the DATA Act. Our concerns were not about what you were trying to achieve; it was the how. And we were concerned about some of the additional bureaucratic layers of new organizations in place with roles and responsibilities on data standardization, which is what caused us our concerns. Mr. Issa. You know, what's amazing is I didn't get offered one amendment from the administration in order to perfect that. And, candidly, what we're talking about here today, data security and the comfort level that interoperable databases and particularly those that are exposed to non-IRS employees, which will be every piece of information that we care about almost when it comes to our tax records and earnings and ultimately the healthcare information, is not going to be covered by a mandate but rather by good intentions. Let me go through one quick question here. As part of this process, this committee has been looking at the IRS and figured out that you gave, you know, $260 million, but a total of about half a billion dollars was given to a company that was at best a shell and perhaps a fraud. This committee had their CEO there recently. And you've had to finally cancel that contract. But on July 4th, 2013, CMS awarded a potential 5-year contract worth $1.2 billion to a British company, Serco. Now, at least our information is that the FBI has also discovered Serco's computer systems serving with the Federal Thrift Savings Plan were hacked. In other words, these people who are going to run this data have already compromised, according to the FBI, 123,000 Social Security numbers. Additionally, the FBI has discovered that--oh, I'm sorry, that's a repeat. Additionally, they're also being investigated in Britain at some point. I guess my question is--Serco has an incredibly large contract and have proven, as of right now, a failure. Can you say with confidence that if we give them this much larger contract, that on day one they're not going to be in a position to compromise another 123,000 Social Security numbers? Mr. Chao. The Serco contract is actually with CMS, and it's called the eligibility support worker contract. And we've been working with Serco--just recently, you know, they've been awarded, so for the past 2 weeks we've been ramping up. And one of the top issues that we're going over is the security rules and procedures and policies that apply to them under the general, kind of, FISMA Act of 2012, HIPAA, and their own corporate practices and procedures. They---- Mr. Issa. Right. But did you know about these problems and failures before you awarded the contract? Mr. Chao. No, I was not a part of the contract award process---- Mr. Issa. Okay, but now that you know about it, we're working with an entity that apparently does not have the internal controls or track record, and yet you're here today saying that, in a matter of days, they're going to have a major role in major data; is that correct? So we're working to get a group up to speed that doesn't have a proven track record. My whole question to you is, in the awarding of a contract, wouldn't you need an assurance before-- I mean, in other words, I'm not saying you couldn't make them ready for prime time in a year or 2. The question is, where's the pilot, where's the proof, where's the confidence that what has just recently happened won't happen again? You know, I don't normally have something in front of me that says the FBI has this problem and you've got a brand-new contract pursuant to Obamacare. Let me just hit one more point. Mr. Werfel, this committee has a broad set of investigations going on related to the organization you're trying to fix, and today is one part of our concern. But you're familiar with the 6103, what it means; is that correct? Mr. Werfel. Yes, sir. Mr. Issa. And 6103 was designed and passed into law to protect the American taxpayer from his or her tax records being looked at by outsiders or released; is that correct? Mr. Werfel. Yes. Mr. Issa. Was it ever intended to protect from Congress finding out when taxpayers have been abused? In other words, should there ever be a claim of 6103 when the victim themselves is asking for the release of the information? Mr. Werfel. Well, I think you're raising a policy question in terms of how 6103 is structured. Right now, it's specifically structured to prevent us from sharing certain information except to the authorizing tax committees. Whether that should be expanded or not I think is a public policy discussion on the nature of 6103. But we follow the law, and the law requires us to restrict access, except to Ways and Means. Mr. Issa. Right. But--and I'm going to finish, because I'm trying not to go any further over time. The fact is that if we don't know the name and the Social Security number or Federal ID of an entity, we don't know their address, and we don't see financial information, that was the intent of 6103. Today, your organization is working to say that, for example, knowing how many groups waited how long, how many groups are still waiting, those kinds of answers, and whether there is so much as one individual. And I'll give you an example here today. There are the so- called test cases that we've had, two test cases. When we ask, is one of them still waiting, and we find out, yes, one of them is still waiting, people are saying, well--and I sent you a letter yesterday, with the other chairman and subcommittee chairman--we're being told, well, that may be 6103. To know that a victim was isolated 3 years ago, pulled aside, and has never been given a ``yes'' or ``no'' answer, to know that they're still not giving a ``yes'' or ``no'' answer, the claim that that's 6103 is a claim that, in fact, Congress and the public is not entitled to know that information. And I ask it that way for a reason. I understand another committee can see certain information, but it's the public that's entitled to know. Isn't it true that at least one entity that applied more than 2 years ago still does not have a ``yes'' or ``no'' after the abuse that has become public that we're all aware about as to ``Patriot'' and ``Tea Party'' organizations? Mr. Werfel. So, three quick responses. One, just to reemphasize, we do share the information, but the law restricts us from sharing it only with the chairman of House Ways and Means and the chairman of Senate Finance. Second, a taxpayer can, under 6103, authorize broader disclosure. They can waive their rights, and you can get the taxpayer to--say, ``It's important to make this publicly aware, but I need you to sign something,'' and often taxpayers agree to do that. And, third, with respect to--you know, as I've testified before you, I'm concerned about the delay that we've seen in application packages in our Exempt Organizations unit. And perhaps in a different setting, whether off the record or on, I can walk you through very important reforms that we're making to our 501(c)(4) process to correct that from ever happening again. Mr. Issa. Well, just for the record, if an organization says, we'll waive our 6103 rights so the committee can see the individual records, the IRS's current position is they won't show us the emails where they conspired against or debated that, ultimately, we don't need to see their records, they can hand us their records. We need to see who at the IRS was delaying and denying and dealing with it, and that's individual emails with specificity as to those 501(c)(4)s. Thank you. I yield back. Mr. Lankford. Ms. Maloney? Mrs. Maloney. Well, thank you. The chairman raised an important point, that a contractor received this contract on very sensitive information, an important one, and, according to his words, it doesn't have a proven track record. You know, I want to know how that happened. Don't you look into the backgrounds to make sure they know what they're doing? I'd like to speak to Mr. Chao. And, also, I would like you, Mr. Chao, to also talk about how difficult it is to reconfigure the data hub that you are now raising and running if a State decides to assume more or less responsibility for an exchange. Are you adaptable? Now, I would like to put a little good news into the hearing today. The New York Times reports that the health-plan costs for New Yorkers is set to fall 50 percent. Now, this is great news for consumers, and it's an extraordinary decline in New York's insurance rates for individual consumers. So it shows the profound promise of the Affordable Care Act. But you can't get to the Affordable Care Act if the computer system isn't working. So this is a very clear thing, and I'd like to know more about it. But I'd like you to comment on this article and how your hub can address--I know that some States have not gotten their exchanges up and running. So how are you adjusting with States that don't have it up and running? New York State, to its credit, has gotten it up and running, and it has great promise for consumers. So how are we making this configuration? And I guess, Mr. Chao, as the head of the hub, maybe you should be the one to answer. Ms. Tavenner. Congresswoman, with your permission, could I address the New York issue and the Serco issue? Mrs. Maloney. Sure. Ms. Tavenner. On the New York issue, we were obviously pleased to see that this morning. And I think it reaffirms what competition and transparency can do in a marketplace, and that really is what we're doing in the Affordable Care Act, effective in October and beyond. On the Serco issue, notwithstanding what the chairman just brought to our attention, Serco is a highly skilled company that has a proven track record in this country and has done a lot of work with other Federal agencies. We are actually working with the U.S. corporation, and they are actually present in three States. And we--they were awarded through a full and open competition, so, obviously, they do have a track record with security and privacy. And I'll turn it over to Henry to answer the other question. Mrs. Maloney. You know, but, also, can the system handle the varying degrees of astuteness or availability or readiness of different States? Ms. Tavenner. Yes, and that's where I think Henry comes in. Mrs. Maloney. Do you have a different system for each State, or is it all one central, big system? And is it government or private? Mr. Chao. The federally facilitated marketplace system is comprised of several actual, you know, kind of, working pieces of system architectures that perform eligibility enrollment, QHP and plan management functions, financial management, you know, generating payments for the issuers. The hub, as we mentioned earlier, is a routing tool. It affords the efficiencies that are needed for multiple points that are requesting the same information from authoritative data sources to connect to those data sources, and then enforced with a uniform service level. That is a scaleable system that is government-owned, and-- it's privately contracted, but it is government-owned. It is-- -- Mrs. Maloney. Who will run it? Will the government run it, or will the private sector run it? Mr. Chao. It's a combination of government, you know, staff and contracting staff that will staff an operations center that actually monitors its operations 24 hours a day. Mrs. Maloney. And where is it located? Mr. Chao. It's in Columbia, Maryland. Mrs. Maloney. Uh-huh. Ms. Tavenner. And I would add that one of the advantages of having this hub is that, whether States or State-based exchanges or some type of partnership model or whether they default to the federally facilitated exchange, it's transparent. It's easy for us to make those changes. And that's part of the---- Mrs. Maloney. And what is there to protect the privacy of the individuals' health records? How do you protect that? Mr. Chao. Well, first of all, we don't collect any health record information or store health records. I think that's an interaction between a consumer that ultimately is enrolled in a qualified health plan and then, working with that health plan, accessing benefits and utilizing benefits, that that relationship affords the ability to collect and store and process. That's a relationship between the consumer and the health plan. The ability for us to protect privacy of the individual is working with SSA and IRS and in enforcing the very stringent, you know, and rightfully so, 6103 provision and flowing that through, you know, Mr. Milholland and other chief technology officers and chief information officers from around the Federal Government, worked with as a group to develop what we call the harmonized privacy and security framework. Even though each agency operates under very strict guidelines, its own guidelines to operationalize FISMA and HIPAA and 6103 in IRS's case, we had to get together because this data via the hub was moving and being requested by multiple entities, including the State endpoints, that there are their own marketplaces. So we had to get together to make sure that the implementation of those security and privacy controls and operations was harmonized and are common across all the agencies and not dissimilar, as if we were implementing the program in different parts. So we got together early on to do this, to make sure that we have greater security and privacy, you know, kind of, enforcement and monitoring. And the bar is set by 6103 and the Privacy Act. Ms. Maloney. My time is expired. Thank you. Mr. Lankford. Mr. DesJarlais. Mr. DesJarlais. Thank you, Mr. Chairman. Ms. Tavenner, I have some questions for you, but first, Mr. Werfel, I just want to revisit a little bit of the dialogue that you had with Mr. Jordan earlier. He had asked you if Ms. Hall Ingram was in charge of the department that oversaw the targeting of conservative groups, and what was your response to that? Mr. Werfel. My response is that Ms. Hall Ingram has specific ACA responsibilities, but there are other individuals within IRS who have responsibilities at the same level, but Ms. Hall Ingram does play a coordinating role amongst our various ACA activities. Mr. DesJarlais. Okay. And one thing we've had, I guess, a hard time getting anyone from the IRS to say in multiple hearings that we've had is that the IRS was guilty of targeting conservative groups. You stated that you are the most senior accountable member at the IRS currently; is that correct? Mr. Werfel. That is correct. Mr. DesJarlais. Are you willing to go on record today and tell the American people that the IRS did target conservative groups? Mr. Werfel. I have said--I've testified previously that I believe the use of political labels to screen out applicants for increased scrutiny, inappropriate political labels, is equal to the term ``targeting,'' so I don't dispute that. Mr. DesJarlais. All right. Well, it's been hard to get someone to say that, and I know that moving forward into this healthcare law, that you have a credibility issue with the American people, and I think it's very important that you be forthright, and I appreciate you saying that today when so many others have taken the Fifth. Ms. Tavenner, you had testified earlier about the preparedness of the CMS, and you're feeling pretty comfortable about the ability to be ready on October 1st? Ms. Tavenner. Yes, sir. Mr. DesJarlais. Okay. I would like to submit for the record, without objection, Mr. Chairman, the data collection instrument from the GAO report from June 2013. Mr. Lankford. Without objection. Mr. DesJarlais. Okay. Ms. Tavenner, we have a document that was obtained that shows that CMS had only completed 20 percent of its work to establish appropriate privacy protections and the capacity to accept, store and associate and process documents from individual applicants and enrollees electronically and the ability to accept image upload associates and paper documentation received from applicants and enrollees, so the fact that Obamacare became law in March of 2015, but yet it's just a few months ago the administration had completed only 20 percent of its work to establish appropriate privacy protections and capacity to accept, store, associate, and process documents from individual applicants, why would you say the administration failed to prioritize privacy protection and data-sharing standards? Mr. Chao. I can answer that, Congressman. Mr. DesJarlais. Well, Ms. Tavenner, first, you go ahead, and then I have a question for you Mr. Chao. Ms. Tavenner. Well, first of all, I would say that GAO reports and other reports are taken of a snapshot in time, and a lot of work has been completed since that time, and I will let Henry speak to the details of that. Mr. DesJarlais. Okay. Mr. Chao, are you 100 percent finished establishing appropriate privacy protections? Mr. Chao. No, we are not. Mr. DesJarlais. Okay. If not, how much and when will you be? Mr. Chao. I think since the last report, we are probably-- and this is a very kind of ballpark generalized roll it up kind of a figure, I would say with regard to the privacy and security, we are probably about 80 percent. Mr. DesJarlais. Okay. So the snapshot a couple of months ago, you're at 20, and now you're saying you're at 80. Are you going to be 100 percent on October 1st? Mr. Chao. Yes. Mr. DesJarlais. Ms. Tavenner, do you feel that that's reasonable that in 3 years you got to 20 percent, and now, in 75 days, we are going to get to 100 percent? Ms. Tavenner. Yes. Mr. DesJarlais. Okay. In--also, there's 25 percent of the work to establish the adequate technology infrastructure and bandwidth to support all the activities with respect to the exchanges. Again, why did the Administration fail to prioritize this sooner? I'll ask the same question, Ms. Tavenner. Ms. Tavenner. I don't know that it's a failure to prioritize. There is a certain workflow that has to--actually, first you have to put the regulations in process, then you start to develop the product from the regulations, and this is just the work in progress as any complicated project. We are now within the 90-day period of completing the work. Mr. DesJarlais. Mr. Chao, the CMS document given to GAO says that the estimated completion date establishing an adequate technology infrastructure and bandwidth was July 1st, 2013. Did you meet your deadline for completion of this task? Mr. Chao. We have. It's a constant changing target because the target is actually---- Mr. DesJarlais. The deadline is moving. Mr. Chao. No, the target is October 1st, and we make adjustments as we go to make sure that that target of October 1st is not missed. As of this month, all the infrastructure and the required, you know, hardware, software capacity, all of that is available and up and running. The specific application software, such as the ``My Account'' that I talked about earlier, the enrollment and eligibility pieces, the loading of the QHP information to process in enrollment and a payment to an issuer, that is an ongoing process. All that code and those databases are still being built throughout the summer. Mr. DesJarlais. Okay. So both of you are testifying today that these shortfalls that are in the report that I mentioned are going to be 100 percent complete on October 1st? Mr. Chao. Correct. Mr. DesJarlais. Ms. Tavenner? Ms. Tavenner. Yes, sir. And we certainly will have mitigation strategies. I think someone mentioned earlier, and in our opening comments, that we will be prepared. We will start October 1, and we will certainly have hiccups along the way, and we are prepared to deal with this. Mr. DesJarlais. Okay. Very quickly. When did you learn that the employer mandate would be delayed? Ms. Tavenner. When did I personally? Mr. DesJarlais. Uh-huh. Ms. Tavenner. On June 24th or June 25th. Mr. DesJarlais. Why did the President wait till July 2nd to announce that? Ms. Tavenner. I don't know. I was not part of that discussion, but I actually was made aware that it was being considered on June 24th. Mr. DesJarlais. All right. I yield back, Mr. Chairman. Mr. Lankford. Thank you. The ranking member of the full committee, Mr. Cummings. Mr. Cummings. Thank you very much, Mr. Chairman. I want to thank you all for being here. I want to thank you for what you do for the American People. Mr. Werfel, I want to pick up on where Chairman Issa was going to take it to a little further. I would like to ask you about the ongoing investigation into the treatment of Tea Party applicants for tax exempt status. During our interviews, we have been told by more than one IRS employee that there were progressive or left-leaning groups that received treatment similar to the Tea Party applicants. As part of your internal review, have you identified non-Tea Party groups that received similar treatment? Mr. Werfel. Yes. Mr. Cummings. We were told that one category of applicants had their applications denied by the IRS after a 3-year review; is that right? Mr. Werfel. Yes, that's my understanding that there is a group or seven groups that had that experience, yes. Mr. Cummings. As I understand it, last week, the IRS was prepared to make a document production to the committee. And by the way, this is a request from the chairman, and those documents would have shown other categories of applicants, categories in addition to the Tea Party groups we have been focussing on today. Before I go any further, is that right? Mr. Werfel. Yes. Mr. Cummings. I understand that our committee does not get access to information about specific taxpayers. I think it's 6103, is that right, those--there are certain that prevent us from getting certain information, what Mr. Issa was talking about earlier generally. Mr. Werfel. That's correct. We'll make certain redactions if we believe that the information would be too--have too much information so that you could zero in on a specific taxpayer, so we'll make those redactions. Mr. Cummings. I understand. Under 6103 of Title 26 of the United States Code, the IRS cannot reveal specific taxpayer information. In order to make these determinations, and this is going to what you just said, the IRS has a--have career employees who are experts, this is what they do. Mr. Werfel. Yes. Mr. Cummings. In determining what is covered by the statute; is that correct? Mr. Werfel. That's correct. Mr. Cummings. And in this case, these experts determine that the IRS could provide this information to the committee. They said the documents did not reveal specific taxpayers but instead referred to categories of groups just like the Tea Party groups; is that right? Mr. Werfel. Yes, that's correct. Mr. Cummings. So, based on this established process, we should have received that information last week. And by the way, to his credit, the chairman has been very aggressive in going after documents, but we did not receive that information. Instead, I understand that the Inspector General intervened. Let me say this again. It's my understanding that the Inspector General intervened personally. Now, Mr. Werfel, my question is, can you tell us what he did, did he call you, and what did he say? Mr. Werfel. Okay. The---- Mr. Cummings. In other words, we are being denied, this committee is being denied documents that we have requested. Let me finish. And the chairman, to his credit, has been extremely aggressive in trying to get documents, and I have been accused, by the way, of obstructing the investigation, which is totally ridiculous. I want the documents. Now, tell me what the IG said that prevents our committee, that our honorable chairman, Mr. Issa requested, what did he say to you to cause us not to be able to get the documents after your experts told us we should have them? Can you tell us what--what that's all about? Mr. Werfel. Yes. We were imminently going to produce a document in an unredacted form that would indicate the identity of a grouping of entities that we felt were similar in kind of scope as Tea Party in terms of its grouping, so that it wouldn't be able--you wouldn't be able to identify a particular taxpayer because the grouping name was so broad. And he reached out, when he learned that we were about to produce this information, and expressed concern and indicated a disagreement with our internal experts on whether that information was 6103 protected or not, and out of an abundance of caution, the IRS decided to redact that information until we could sort through with the IG his position and understand why it's different from ours. And we've had subsequent conversations with him where we have reasserted our position that the information should not be redacted, but we have not reached resolution with him at this point. Mr. Cummings. I don't understand. I thought that the career officials at the IRS, the officials who do this for a living day after day, hour after hour, already determined that it was okay for the IRS to produce these documents to the committee that Chairman Issa requested. This seems very strange, Mr. Werfel. I know you just started, but has this ever, to your knowledge, happened before, the inspector general personally intervening to prevent disclosures to the Congress of the United States of America, have any of your staff members ever heard of this happening before? Now, you're surrounded by folks. You can look around, and they may tell you something different, and if they've got--if they've got some other answers, if they haven't been sworn in, Mr. Chairman, I ask that they be sworn in so we can know of these exceptions. And by the way, Mr. Chairman, I just want the same amount of time that Chairman Issa was given. It was a total of 10 minutes, with unanimous consent, please. Mr. Werfel. I just don't know the answer to that question. I personally am not aware of any similar situation, but we can take that question back and do a broader inquiry amongst the IRS leadership and other professionals and get an answer. Mr. Cummings. I ask that you please have that answer to me, if you can, by tomorrow morning. We're going to be seeing the inspector general tomorrow, and I want to make sure that I do not prejudge him. I do not want to put anything out there to accuse him of anything and then go searching for facts. I simply want the truth so that we can restore the trust. Our interest is in getting as much information as possible. So, let me make sure I understand this. If the inspector general withdraws his objection, will you produce that information to the committee that Chairman Issa requested? Mr. Werfel. Yes. Mr. Cummings. Now, let me say something else. Ms. Tavenner and Mr. Chao, I heard Mr. DesJarlais' questions, and as I sat here and I listened to my good friend Mr. DesJarlais and he talked about, at one point, you were at 20 percent with regard to the privacy protections. And then I think you said, Mr. Chao, and correct me if I'm wrong, you are now at about 80 percent. And then you and Ms. Tavenner agreed that by October 1st you would be at 100 percent, and if there were any problems or hiccups, in your words, Ms. Tavenner, you were prepared for that; is that correct? Ms. Tavenner. Correct. Mr. Cummings. Well, I stop here for just a moment to thank you for doing what you do to prepare for something that is already the law. Although we are getting ready to vote on it, by the way, for the 38th time, it is the law, and you all have a duty, and I am so glad that even with all the chatter, you have to stay focused, you have refused to be distracted and you made sure that the American people--that the Affordable Care Act and the part that you all have to play in that, that you are prepared to do that, and I want to congratulate you. I know quite often you get negative comments, but the idea that you all took a monumental stance, and I want to say this to the other IRS employees, we appreciate it. Now, let me say one last thing in any last 1 minute. I've said it from this dais before and I will say it until I day: This is the United States of America. Every single person on this dais, if they have ever hired anybody and ran anything, has fired somebody, and just because we have some bad apples that don't do the right things does not mean that we stop operating. It means that we take the bad apples out, and we continue forward. This whole idea that there was a problem in the IRS and there are ongoing problems and the problems that you are trying to straighten out, Mr. Werfel, to your credit, we should not then suddenly wave a white flag and say, oh, we can't carry out the Affordable Care Act. This is America. We are better than that, and I know that you know that, and I get tired of people just because there are problems, suddenly they said, oh, no, we can't carry out the law. No. We are better than that. And so, I want to thank you all and may God bless. Mr. Lankford. Two quick notes here, Mr. Werfel. I know you have a hearing at 1:00 today. We've been at this for a little over 2 hours this morning. I know you need to be excused pretty quickly. You have time for one more question, or do you need to go ahead and scoot out now? Mr. Werfel. No, absolutely. Please. Mr. Lankford. Okay. It is--Mr. Woodall is up. Mr. Woodall. Thank you, Mr. Chairman. And thank you, Mr. Werfel, for spending a little more time. I actually had a couple of questions, too, because I think you're a very serious public servant. I've been a public servant in a couple of different capacities myself, and I think it's fine for us to disagree about the issues. I think you have to be serious about the work. And I appreciate Mr. Cummings' comments about you had a responsibility, Ms. Tavenner, you had a legal responsibility, and you carried it out, and he's tired of hearing excuses for why it is we can't get things done. My question to you, Mr. Werfel, is, that's what we saw on the Treasury blog. We just can't get things done. Ms. Tavenner says, we were only at 20 percent a month ago, but we are going to make it happen by October 1st. The President seems to have decided or the Secretary seems to have decided that, no, we just can't get things done, no doubt to the frustration of my friend from Maryland. We've got a bill on the floor this week that makes that statutory change, taking the Administration at its word that they can't get it done, we make that statutory change from 2014 to 2015. Several times during this hearing, folks have said, we just have to follow the law. In your discussion with the Chairman about 6103, you said, you know, there may be some policy discussions about 6103 that we ought to have, but we at the IRS, we just follow the law. Mr. Cummings applauding CMS for following the law, doing what was required by law. Why is it that we don't have Treasury's support for making a statutory change to the law rather than just doing things that we would like to do administratively? I think one of the real challenges we have is we don't have any need to work together any longer. We want to do something, we just do it here on Capitol Hill. You guys, the Administration decides you don't like the way things are going, you just do something different. Why is it that it would not be better for the public servants who have to implement these laws, for us to actually change the law rather than do it through blog posts of administrative decisions? Mr. Werfel. The challenge that I have, Congressman, and I appreciate the question, is that the role that the IRS has in relationship to Treasury is they make determinations on policy, they work on whether we are going to support or oppose and how we are going to work with Congress on the laws itself, and we really are all about administration. So, from my vantage point, I can answer questions for you on the decision that the Treasury made and how it impacts the IRS' ability to implement the ACA, but in terms of the--whether it should be legislatively incorporated is something I'd have to defer to Treasury. Mr. Woodall. I understand your challenges in that and respect it. I think about what Mr. Cummings has said about applauding the good work of IRS employees across the country and a few bad apples. I mean, I stay regularly at town hall meetings. You all have a horrendous job, and the job that you have that is made so horrendous is made so horrendous by the laws that we pass here on Capitol Hill. I feel a great burden for the responsibility we put on you. I guess what I'm asking is, we just perpetuate the frustration with IRS employees when we put them in untenable positions. And putting the IRS in the untenable position of having statutes that require laws to be enforced and saying, but no, we are not going to enforce those laws simply perpetuates the negative stereotypes that go on out there today. So, understanding that you might not be able to speculate on why those decisions were made at Treasury, wouldn't you push up the ladder, hey, here's the Congress that wants to work with us to get this done in a statutory way for the House, the Senate, the President, to come together and do exactly what Treasury seems to be asking for, why can't we come together and do that? Why won't you push that message up the chain? Mr. Werfel. Well, without particularly commenting on this issue, I think in general what the IRS does is we--we do have a guiding principle that the simpler the tax code, the simpler the laws are, the more clear they are, the more we are going to be able to administer it then effectively and efficiently. And so, you know, we have that guiding principle, and then as we deal with different legal issues that arise, Treasury will consult with us on the administrative aspects of them. Mr. Woodall. I understand that, and I absolutely agree with that. I would say, ``shall begin after December 31st, 2013'' is pretty simple. I would say that subsidies shall apply to State- based exchanges is pretty simple. We've done the best we can in terms of simple law, and folks have gone and reinterpreted what was very simple law, and that's the frustration to me as a legislator. I hear what you say to the chairman, 6103 is clear, it's black letter law, Mr. Chairman, we can't avoid it, and I'm thinking, for Pete's sake, you decided that you don't like the mandate timing, so you'll do something different there. You decide you don't like the subsidy implementation, so you'll do something different there. These are very serious men, the chairman and the ranking member, you could just decide, you know what, 6103, it says, Finance Committee and Ways and Means, Chairman, but it probably should have included the oversight guys, too, probably should have. The subsidies probably should have done the Federal exchanges. The deadline probably should have been a year out, but you don't. There is a lot of lack of confidence in America in both the administration and the Congress these days. We have opportunities to work together instead of working against each other, and it frustrates me that even on something as simple as a date change, we can't even take advantage of that opportunity to restore faith in the people's government here in Washington, and I thank you all for being here. Thank you, Mr. Chairman. Mr. Lankford. Thank you. Mr. Werfel, I know you've got to scoot out of here and get ready for the next hearing. Thank you for being here. Mr. Milholland, will you be able to remain or---- Mr. Milholland. I can remain. Mr. Lankford. That would be great if you can, so if you need to answer for IRS. Mr. Perry. Mr. Perry. Thank you, Mr. Chairman. Ladies and gentlemen, thank you very much for being here. We understand on this committee that--and in Congress, that you have a duty to perform and you don't always necessarily agree with what we send out of this place, but you do your duty and you perform it as best you can. We appreciate that. We also have a duty as well, and I would take some exception with the statement that our duty is to make sure this works. We have a duty to our constituents to make sure that we echo their concerns and ask questions on their behalf, and on my part, a lot of my constituents are concerned and skeptical about this law and the contents therein, and so I want to ask some questions on their behalf. I guess, Mr. Chao, I'll start with you, because I'm not really sure who else to start with. Who--is there one person? Who is the charge--or who will be in charge of the data hub? Mr. Chao. In CMS, we typically have a combination of lead policy, what we call business owners of the hub. The administrator ultimately is accountable and responsible for any of the technology that we implement to support the programs, but the day-to-day operation is governed by a board of business and technical leadership in the agency. Mr. Perry. In CMS or the IRS? Mr. Chao. There is a CMS and as well as a cross agency---- Mr. Perry. So it's a bunch of people who will never have, in my opinion and I think in a lot of American people's, because of that, there is never really going to be true accountability because something happens, everybody's going to point to everybody else. I mean, it's a--how many people are we talking about? Do you know? I mean, you're--you're in charge of some of this stuff. Do you know? Mr. Chao. I think what it boils down to is there is only less than a dozen people who are truly---- Mr. Perry. Less than a dozen, okay, and some from our-- there are five agencies. Somebody from the five agencies, a person from each within the five agencies that are getting data in, taking data out? I mean---- Mr. Chao. Correct. Mr. Perry. Okay. So, I mean, you are going to know my Social Security number, my email address, my home address, my financial information, whether I ever got a DUI, you are going to know--this--this portion of government, the Federal Government is going to know literally everything about me that--and everything about every 300-plus million Americans that they find personal and are concerned about having their neighbors know about, and so they're right, I think, to be concerned. Who determines what questions are asked? And I know you kind of alluded to, at least in one part, that you are not going to have personal information or personally identifiable information, but in another sense, I thought you said that you're going to know the home address, the email address, ethnicity. Who--who determines the question? Why is ethnicity important? Why is whether my wife is pregnant important? And when does she have to report it? Or when do you find out? What do you do with that? Mr. Chao. We make a proposal under the Paperwork Reduction Act, in which actually the public and Congress and anyone with the public at large can comment on the questions that we've asked, that we've included, that we felt essential to be part of that streamline application; that's online to apply for affordable care. Mr. Perry. So you make a recommendation, and we can provide comment, and what happens with our comments when we object? Mr. Chao. I think similar to rulemaking, we factor those comments in and categorize them and take a serious look at the policy and legal angles and technical implementation angles of it and we try to accommodate the kind of the very, very huge concerns that we get back under---- Mr. Perry. So, you're with CMS. Why is ethnicity important? Who is it important to? Mr. Chao. I am on the IT side. I cannot answer. Mr. Perry. Yeah, but you're--that's the thing. You are one of these guys that are at the top. Are you one of the less than a dozen people on the committee in charge of the data hub? Are you one of those people? Mr. Chao. Yes. Mr. Perry. Okay. So if you don't know this, who does? Who knows the answer, and shouldn't you know it? Mr. Chao. I think within my purview, I don't try to question every detailed policy that I am asked to implement. I am more concerned about capturing the requirements to make sure the system is reflecting---- Mr. Perry. But you are one of the people that weighs in on whether it's important or not for your organization and what you do, and this is the American people's personal information, so it needs to be important to somebody. If everybody took your opinion, nothing is important to anybody as long as the next guy said it was. I mean, the fact that you didn't know about this Serco. I mean, do you think the American people believe or know right now that all this information about them is going to be handed off in some form to private contractors? Do you think they know that? Mr. Chao. I think they will know because they are in charge of consenting to that release. We--when you---- Mr. Perry. So, on the release, it's going to say, ``I'm giving my information to CMS,'' or ``I'm giving my information to Serco''? Mr. Chao. It's actually the process. So if you're in that inconsistency period, you are giving consent that we will be handling any issues that you have. Mr. Perry. You'll be handling it, but it doesn't say that your information will be handled through us via contract by a private organization who's owned by a British company or by MasterCard or whoever the contractor happens to be at that time. Ms. Tavenner. Let me try to help answer some of these questions because I think the accountability obviously stops with the CMS administrator, and that's me, and we do have business owners, and Henry is responsible for the IT implementation. Let me start with your question about health information and a reminder that the hub does not store any information, but it does not even ask for health information. The only time that pregnancy becomes an issue is, obviously, if someone is qualifying for Medicaid and there are benefits, they are eligible for Medicaid and maybe they're pregnant so it varies State By State, so that would be the reason for the pregnancy question. Much of the information that we ask is required by law, and if you'll remember, there a couple of months ago, we went from a long application process down to what we are calling a 3-page application for an individual who is applying on the marketplace. But once you start to get inside, whether it's Medicaid or CHIP, there may be additional questions that we need to answer in order to help someone get eligibility. That's usually done at the State level. There is no health information. When we work with Serco, Serco is helping with enrollment and eligibility, so there is data that we store around things such as your email address, such as your phone number, such as Social Security, but part of that is stored so that if you have a dispute about whether or not you were eligible or you have an appeal, we have that information, but it's not kept on the hub. Mr. Perry. It's stored somewhere. Ms. Tavenner. Yes. Mr. Perry. Mr. Chairman, with indulgence, one last question, is for Mr. Milholland. We heard earlier that there would be penalties for folks that had breached the confidence of the American people by providing that information to folks outside, tax information, so on and so forth, you work at the IRS. Let me ask you this, regarding the information, regarding targeted political organizations that we recently learned about, has anybody been penalized at this point that you know of in your organization? Mr. Milholland. The only thing I am aware of is people are no longer in the jobs they were in. Mr. Perry. Have they lost their pay? Mr. Milholland. That, I do not know. Mr. Perry. Thank you, Mr. Chairman. I yield back. Mr. Lankford. Mr. McHenry. Mr. McHenry. Thank you, Mr. Chairman. Mr. Duncan, in your March report of this year, TIGTA gave no indication there would be problems with the IRS' implementation of reporting requirements; is that correct? Mr. Duncan. That's correct. Mr. McHenry. Okay. So does that include section 6--6055 that requires insurers to report about the coverage that they provide? Mr. Duncan. There are several information requirements from insurers, employers, from the exchange itself on a monthly and annual basis, so all that information will flow to the Internal Revenue Service and has to be processed, maintained and kept. Mr. McHenry. But you had no issues with that. Mr. Duncan. That is still not really done until 2014 will that data start to flow to the IRS. Mr. McHenry. Okay. But does this include section 6056 that requires employers provide information on the health insurance they provide, so---- Mr. Duncan. We are very concerned about that with the recent change and the recent---- Mr. McHenry. No, no, but prior to that. We're talking about your March reports. I mean, because you're there to make sure that we're, you know, the IRS is moving along in the path here. Mr. Duncan. That's correct. Mr. McHenry. Right. And so, in your March report, you said they didn't have any issues with this process of getting that information, right? Mr. Duncan. That was the information that they were collecting for the income and family size verification. Mr. McHenry. Right. That's what I have. Mr. Duncan. And the overall plan that they had in place looked good. Mr. McHenry. Looked good. Okay. So, you know, when we see the President announce this change, right, on employer mandates and then we see this other movement in terms of reporting requirements, right, which you have the business mandate, then the reporting requirements that the President then, through this administrative procedure here, they've said, well, we are just not really going to verify very much, right, but is there in basis, basis in practice, right, saying that they really don't have that capacity, I mean, according to TIGTA? Mr. Duncan. In accordance with what we reviewed in the application that we looked at the IRS and our understanding, as of today, is the IRS will continue to provide to the exchanges through the HHS hub---- Mr. McHenry. All right. Mr. Duncan. The income and family size information. Now, we did not see, in our review, that there was a major change in the IRS need or requirement to provide that information if it's available. Mr. McHenry. Yeah, but I mean, this is the verification process to ensure that people are complying with it, right? Mr. Duncan. Yeah. I just want to make sure, though, that we understand that the IRS information is only one set of information that the exchange will use in looking at and determining what the final income and family size data should be. Mr. McHenry. Okay. So let's run a scenario here. Mr. Duncan. Uh-huh. Mr. McHenry. Okay. So, you know, in a state that doesn't expand Medicaid, for instance, North Carolina being one, and I represent a district in North Carolina. A man who earns $15,000--I am just going to walk through this scenario so people have an idea--would be eligible for a $3,400 subsidy if his employer does not extend an offer of affordable coverage to him or her, for instance. And so in 2014, with the Federal Government, would they be able to verify whether this individual had an offer of affordable coverage at work? Mr. Duncan. I assume the HHS or the exchange at the state level would be in a position---- Mr. McHenry. We don't have an exchange at the State level. Mr. Duncan. Then the Federal exchange would have to be doing that, and they would ask for information from the Internal Revenue Service as well as other locations. Mr. McHenry. Okay. So, Ms. Tavenner, if an individual fails to report that he has an offer of affordable employer-sponsored insurance, right, will he receive a subsidy of that $3,400? Ms. Tavenner. When an individual does do the self- attestation, they would verify whether or not they had employer-sponsored insurance. Mr. McHenry. Right, right, so they're going to say, hey, here's the deal, didn't get it, give me $3,400 bucks, subsidy. So, you know, if I'm verifying for myself, right? Ms. Tavenner. If you're verifying for yourself and you say that it's available and you didn't get it, you will not be eligible for the tax credit. And a reminder---- Mr. McHenry. Right. But who's going to say I'm not eligible for free stuff? Ms. Tavenner. So, I'll remind you that you signed, when you complete the application, that this is under law, perjury, okay, so there are consequences to an individual who is not truthful on their application. Mr. McHenry. So what kind of enforcement are you going to have on that truthfulness? Ms. Tavenner. Obviously, we would follow law. Mr. McHenry. Right. But you have to have people to execute the following of the law. Are you going to ring them up and say, hey, by the way, were you honest then this self- attestation? Ms. Tavenner. Well, we will look at ways to verify. Mr. McHenry. Oh, you'll look at it. Okay. We are talking about this going into effect this fall. We wanted something a little more than a look for. What is your process to verify that what they said was in fact true? Ms. Tavenner. So, we--there are a couple of ways. Obviously, we will verify first with the IRS, with SSA, information that's available. If we are not able to get everything we need there, we will work with private commercial products, such as Equifax. Mr. McHenry. So, Equifax would have knowledge on whether an employee of my brother's business was offered a health insurance plan that was commensurate with the requirement under Federal law? Equifax would have that knowledge? Ms. Tavenner. We are looking at a process and I'll be happy to get back to you with those details, so I need to get--walk you through the process, and I'm happy to. Mr. McHenry. I would think you would sort of think this through with this big announcement that we are going to waive the employer mandate, right? Ms. Tavenner. We are going---- Mr. McHenry. But you leave the individual mandate, so people are required, under compulsion of the law, right, which apparently you haven't thought about the enforcement of that law, which is sort of interesting, and maybe sort of liberating for some people, by the way, that you still have it on the law, but you don't have any enforcement mechanism. Ms. Tavenner. And I'm happy to get back with you of that process. Mr. McHenry. Well, I would hope you would get back with us, and I hope you would think more deeply about this. When you testify to Congress about something this important, that you would have taken a little bit of time to think through that verification process and that enforcement mechanism that you have enormous authority, as well as the IRS, to enforce it. And so, with that, Mr. Chairman, thank you for the indulgence of time, and I didn't get to the fullness of the questions I had, but this--this is outrageous that the non- answer that I was given. I appreciate the chairman's work on this. Mr. Lankford. Ms. Tavenner, about how much time do you need, do you think, to be able to come back on his question? Ms. Tavenner. Yes, a few days. Mr. Lankford. A few days. Great. Thank you for that. Mrs. Black. Mrs. Black. Thank you, Mr. Chairman. I want to thank you and the committee members for allowing me to sit on the committee and be able to ask questions to this very important issue. I want to thank all of you for being here to testify as well. This is something that is really very near and dear to my heart because I come from a State called Tennessee where we had TennCare. We had the pilot project. So I'm very familiar with a lot of what's going on. As has been reported by one of the members of this committee, there has been a lot of information out there that I have put out to say, there are questions that need to be answered, and I'm glad that you're here today to answer those. I do want to go back to say that it is very concerning that there's a conflict. There's a conflict between what you say and what we read, and I want to start with the first of those, because I want to go back to a system of records notice, and it says, and I quote, records are maintained with identifiers for all transactions for a period of 10 years after they are entered into the system. Records are housed in both active and archival files in accordance with the CMS data and document management policies and standards. It has been said over and over and over again by you, Ms. Tavenner, that these records are not kept. How is it that we see in the systems of records notice, this is what we are being told, and yet you say--and this is why there is a lack of confidence in the people of this country, is that we don't have confidence that what we hear and what is actually there matches up. Ms. Tavenner, can you address that? Ms. Tavenner. Yes, Congresswoman, I can. I have said that we do not store information in the hub. I have also said, and as obvious by what we supplied in our systems of record notice, that we do store information on the marketplace, which is separate from the hub. Mrs. Black. So let's be very, very clear that this information is being stored. When we continue to say, oh, this information is not stored, I think there, that people then go, oh, you're wrong in saying it's stored. It is stored, and we have documentation. Now, let me go to the second bullet. Ms. Tavenner. Well, as I said in my opening testimony, there are two systems, and it's important to understand that one is the hub, which is a router, and the other is actually-- -- Mrs. Black. Which is a router that has a lot of people inputting information and taking out information, so I'm still not confident that what's been said here today, that all of this is protected because I have additional questions, which I know I won't have time to get to, about what are the background checks? Who will have that access? But let me also go to the next question on this, because it was referenced that there is no personal health information that is collected, and I want to go to a documentation that was put out, I guess, about 2 weeks ago, and this is--I am going to the section of verification of eligibility for minimum essential coverage other than through an eligible employer-sponsored program, and I am in the section, and I'll give you the number of that section, 155.320. So, here is what it says, and I am reading out of the fourth paragraph in here that says, ``finally, we propose and added a paragraph to provide consistent with 45 CFR,'' and there is a lot of other. I won't go through that, and this is a quote, ``a health plan that is a government program providing public benefits is expressly authorized to disclose personal health information, as that term is defined in 45 CFR 160.103, that relates to eligibility for or enrollment in the health plan to HHS for verification of applicant's eligibility for minimal essential coverage as a part of the eligibility determination process for advanced payments for premium tax credits.'' It specifically says in here that they are expressly authorized to disclose private health information. Can you speak to this? Mr. Chao. I can answer this. You know, something--something like a birth date that exists in one particular context can be treated very differently and called and wrapped around, for example, personal health information when it appears in another contract--context, such as your health record. I think the minimum essential coverage, the intent is to check other sources of potential coverage to determine whether that coverage would be duplicative, supplemental or contradictory to what the law has indicated that you cannot be in an exchange or a marketplace benefit receiving a premium tax credit and enrolled in something else that's also a government program. So, that information, when we check that, if you look at it in the context of how it's delivered to us, for example, from VA, it is part of the health record, but it is just the date of eligibility. We don't hold any--you know, it's is a vernacular, you know, kind of vocabulary contextual kind of issue, so it's not clinically related. It is just a check on the status of your eligibility. Mrs. Black. Well, I hear what you're saying there, but this specifically says, is expressly authorized to disclose personal health information. Mr. Chao. Right, but I think you were---- Mrs. Black. Well, I am going to need to get--and we can have another conversation here, but I am going to need to get assurances that when you have an expressed authorization to disclose personal health information, that we give assurances to our constituents, my constituents that this information is not going to be shared with people that shouldn't be getting it, and I don't still have assurances in what I am seeing here. I think, Mr. Chairman, there needs to be many more of these hearings to--both for those Congressmen that are concerned about this as well as more importantly my constituents in the public who are really concerned about what has happened most recently with the IRS and how information has not been protected and people have been targeted, and likewise, I think there are many more questions about navigators and what kinds of background checks they have, what kind of training they had, this is something that certainly needs to be talked about a whole lot more. And again, I yield back. I know my time is up. Mr. Chairman, once again, thank you for allowing me to be here at this committee hearing. Mr. Meehan. [presiding.] Okay. I thank the lady, and I thank the panel. I know we have gone through a lot of questioning. There is just a few of us have some follow-up questioning, and you will indulge me on that. I certainly--I mean, I want to echo the point that was just made by the gentlelady from Tennessee. I mean, this is not only the idea that it's within the regulations that you published yourself, but the concept that there are certainly circumstances where a lot of that can be done without the consent of the individual whose records they are. I mean, this is--and I know it goes to contractors, and nobody knows who those contractors are at this point in time. And we are 75 days away from implementation and you can't identify with specificity who it is who are some of the contractors and what kind of things have been done, but I-- to assure the credibility of their participation in the system. But you talked about harmonizing, Mr. Chao and others, the work that's going to be done among the various agencies in this database, and, therefore, you are going to pull in the activity. And I know the IRS has a system which has been effective or at least the more effective, but I look at the agency score cards, and I am talking about harmonization, and this is the agency Federal department's and agency's cross priority goals in cybersecurity for the second quarter of 2013, so this is the most recent one. And when we begin to talk about those who are on the scorecard, two of the poorest performers are HHS and the Social Security Administration, both performing under the requirement that the executive branch will achieve 95 percent implementation of the cybersecurity capabilities. So who's going to be, are we going to rise to the level of the IRS, or is it going to be down to the lowest common denominator with respect to the HHS and Social Security Administration Mr. Chao. I think, working with IRS, certainly I mentioned earlier, that they've set the bar for security and privacy of protected, you know, information. You know, specifically in their case, under 6103 and based upon our experience, you know, working with systems that process personally identifiable information relative to eligibility, particularly like Medicare eligibility or enrollment dates and history of enrollments, we--I can't speak for the HHS level. There are 11 operating divisions or agencies within HHS of which CMS is just 1 of the 11, so I don't know if that scorecard reflects, you know, the individual CMS progress, but we can certainly look into that and get back to you. Mr. Meehan. Well, two of the three components that are going to be critical among these are the worst performers, but let's--let's on the part of this, is this is a dynamic network and people keep talking about the fact, well, information isn't going to be connected here or stored in one particular place, but it's just once one has access into this system, particularly in light now, the fact that it's going to have so many different places in which responsibility for security will be contained, including, as best as I can understand, the fact that there are at least 15 States who will be operating their own exchanges. And Mr. Duncan, maybe you can speak to some of this, but as plan management--Mr. Duncan, does plan management include security? Mr. Chao. I don't think Mr. Duncan can speak to that. Mr. Meehan. Mr. Chao. Well, let me ask him this question as inspector general, does plan management include security? Mr. Duncan. Plan management should be considered when you build any application; it should be baked into the application, for sure. Mr. Meehan. Mr. Chao, are you saying plan management does not include security? Mr. Chao. No, I'm saying it does include security, and plan management is a core function inside the federally facility---- Mr. Meehan. Okay. Well, here I have--and this is the report of the GAO that was done recently establishing, it says, for those 15 FEEs which States will assist with plan management functions, CMS will rely on the States to ensure the exchanges are ready by October 2013. So, all of this work you are talking about, the fact of the matter is there is 15 different States and you're basically saying, Ms. Tavenner, well, we are going to rely on them. They are going to sign documents that say that they are okay, but we are going to rely on them. This is your document. Is that accurate? Ms. Tavenner. Ms. Tavenner. I am trying to answer. Actually, it's a little more interactive than that. We have oversight. Even when--what we do is we allow State-based exchanges to build their own platform, but we also work closely with them both on security plans, on plan management. Mr. Meehan. And how closely have you worked? Let me go down into the footnote, footnote 42. Seven of the 15 States submitted an application, were approved to assist and other plan management functions. Additional seven States were not required to submit an application, and CMS officials indicated the agency has no formal monitoring relationship with the States. Instead, CMS conducted a 1-day review of these States. So here we have the greatest data hub--the greatest data hub that has ever been put together with private information in the history of the government. It is going to be related back to your reliance on the States to do it. You say you have oversight, and by the GAO's report, what was done with seven of those States was you went and you spent one day on the review, presumably looking at a whole variety of issues, not just security. Ms. Tavenner. In this case, those seven States you're talking about--I don't have the benefit of your document, in front of me, but---- Mr. Meehan. This is the GAO report. Mr. Dicken, you made the report. Ms. Tavenner. Yes, I've read the report, but I'm just saying I don't have that page in front me, but the seven page-- the seven States that you're referring to are actually interested in doing plan management, which is the work with the issuers, which is a function they do today through their State insurance commission, and so we do work closely with the insurance commission. Mr. Meehan. Well, what do you do to assure the security of the system with them, because it seems to me that you are---- Ms. Tavenner. So the security of the system goes back to the hub and accessing the hub, which is part of our plan. So just because they do plan management that's out of State, they do not have a separate mechanism to enter the hub. To enter the hub the same way we've talked about, applies to all 50 States. The two are not the same. Mr. Chao. To add to that, we also conduct technical reviews, which include security components, and we sign the essential security documentation that's needed and agreements, such as computer matching agreements and data use agreements, with all the States. So, there are other checks and balances that are in place, you know, as I mentioned earlier, the overall security framework. Mr. Meehan. What assurances do we have that the States are capable to protect the system, at least at their entrance point, and that your system is capable of protecting itself against the high level of--of effectively cyber attacks that are taking down the most sophisticated systems in the world. Mr. Chao. I think with ingress points and connection points with the federally operated IT and managed IT, I think we definitely apply, as you well know, under Homeland Security and at the department level and even at the agency level, lots of continuous monitoring of the networks and intrusion. I think that---- Mr. Meehan. It's saying that--the report that I just have that came down from the colleges says they can be months before anybody realizes that they are even in there. Mr. Chao. And I'm saying that with regard to the ability to impose the same Federal requirements on State systems and networks, I don't think we have applicable law that clears our ability to impose that on States, other than asking them to sign agreements. Mr. Meehan. My time is expired, and I need to respect the time. So I will turn it over to the gentlelady from California, Ms. Speier. Ms. Speier. Mr. Chairman, thank you. You know, when Medicare was first passed as a law, there were huge cries by many in Congress about how it was going to be horrific and bring socialism into this country. Fast forward to when we were debating the Affordable Care Act and signs across this country and at town halls that I was party to were signs that said, ``Don't touch my Medicare.'' I believe that there will be a time when the signs will be, ``Don't touch my ACA benefits.'' I am really apologizing to each of you for what I think has been a counterproductive engagement today. I think most of what has happened has been efforts to throw sand into the gears, and I don't think that's what this committee is supposed to do. We are supposed to drill down, to find out whether or not there are any oversights, and if there are, help you fix those oversights. I have a lot of confidence in what you're doing. It is not going to be perfect out of the shoot, it just isn't, and I think we do great harm when we continue to spew out lies, much like the lies about the death panels. For those that have an agenda to dismantle the Affordable Care Act, this is not where they need to be. For those that want to make sure it works successfully, this is where they should be, and I want to thank each and every one of you for your efforts to try and make this a successful one. Now, I would like to ask one question. As you have weighed in, as you have dived deeply into this, implementation, is there is a particular area that you have some concerns about that we haven't addressed that we should address either by legislation or by information that we convey to our constituents? Ms. Tavenner. I thank you for your support, and I would say that our biggest concern is that we have adequate resources to do the--to do the work. The President's budget has proposed resources for 2014. It is important, if you want, and we want to take privacy and security seriously, we need to have the resources to be able to do that, and so I would appreciate your support in that area, and I thank you for your earlier comments. We have a great team at CMS, and we are working very hard, and we look forward to October 1st. Ms. Speier. Anyone else? Yes, Mr. Milholland. Mr. Milholland. As Mr. Werfel also commented about the budget issues, their primary concern is resources also, so I would echo Ms. Tavenner's comments. Ms. Speier. Mr. Duncan. Mr. Duncan. Yes. The inspector general has three basic concerns, and I think I mentioned those in my initial testimony, but I'll recap them. The protection of Federal tax data at exchanges, we believe, is a very specific requirement. The safeguards program at the IRS, we are currently doing an audit of that program as we speak, and we think they are going to need the resources and funding to expand significantly to cover the additional State exchanges and its very specific requirements, as has been talked about before for that. Also, the fraud prevention systems, that they're ready by January of 2015, that's the return review program at the IRS, which brings analytics and stops the refund from going out the door, not after the fact and try to recoup it after the money is sent out. And also, the thing we've been talking about quite often, which is the interagency testing--this is all the components, including the IRS, that there is sufficient testing for the entire system, not just the pieces. Those would be my three concerns. Ms. Speier. All right. Thank you. Anyone else? Mr. Dicken. I can just note from our GAO report, you know, I think we highlight, I have two key areas that are remaining that are key for the October 1st implementation. We certainly talked a lot today about the data hub as a key tool for that. We talked now some about plan management as a separate core function. The last core function that we spoke to was consumer assistance. That's an area where much of that is happening before October 1st and certainly another core area where there have been some delays and then core activities that need to take place by October 1st. Ms. Speier. All right. Mr. Chairman, let me just end by sharing three quotations about how people were so exercised about Medicare when it was being contemplated. Ronald Reagan, in 1961, said, ``If you don't stop Medicare, one of these days you and I are going to spend our sunset years telling our children and our children's children what it once was like in America when men were free.'' George H. W. Bush, in 1964, described Medicare as socialized medicine. Barry Goldwater said, in 1964, ``Having given our pensioners their Medical care in kind, why not food baskets, why not public housing accommodations, why not vacation resorts, why not a ration of cigarettes for those who smoke and beer for those who drink?'' We really have got to get beyond the rhetoric---- Mr. Jordan. Would the gentlelady yield for a question? Ms. Speier. I am just closing. You can certainly carry on in your recount, but I would just say, rhetoric is not what we need to be talking about today. What we need to be talking about is the sum and substance of how we make this operate effectively, efficiently with privacy concerns resolved, with security concerns resolved and with the understanding that the fraud that may occur, if it is fraud, or just a misassessment of what one's salary is, is that, at the end, it is going to be figured out and payments will be made back to the U.S. Treasury for the fraud that may have occurred when someone said they were making less when they were really making more. Now, any other fraud that occurs, it may be a subject that we would have to discuss further, but at this point, Mr. Chairman, I thank you for chairing this hearing, and you know, we have had a great relationship and I look forward to more of the same. Mr. Lankford. [Presiding.] Thank you. Let me ask a couple of questions here. We are getting close because I know you all have been at this a very long time. The verification that they qualify for a subsidy, is that done at the exchange level or CMS? Who verifies that they qualify? Mr. Chao. The verification services are processed by CMS systems for Federally Facilitated Marketplaces and via the hub connecting to the income verification sources. Mr. Lankford. Okay. Mr. Chao. For State-based marketplaces, they do that themselves connected to the hub via income sources. Mr. Lankford. So, with that, they've got to have access to all of that raw data to be able to make a decision. They are not just getting yes-no answers. When they pull data, they're pulling data, so it's entering fields. Mr. Chao. Yes, but it's also--I don't want folks to think that it's a whole array of tax return information or health records. Mr. Lankford. Can we get a---- Mr. Chao. It's very narrow. Mr. Lankford. Can we get a list, as it stands at this point right now, what information is coming down? Because I assume it's on their 1040, line 47, such and such, this data is made available. I'm trying to find out what is made available to an individual in that. Because if the exchange makes the decision, that means they've got to have access to the raw data. Ms. Tavenner. We can get you information---- Mr. Lankford. That would be terrific. And just on the broad range, I'm sure it's all been laid out at this point, obviously, to know what all that involves on it. This came up earlier, Ms. Tavenner, about the delay in the employer mandate. You had mentioned late June, June 24th, that you had received notification that that was going to be delayed. Ms. Tavenner. Let me be clear. June 24th or June 25th. Mr. Lankford. That's fine. Ms. Tavenner. I'm not sure which day. Mr. Lankford. Yeah, that's fine. Yeah, I wouldn't hold you accountable to that, one way or the other. But the question is, this has to be an ongoing part of the conversation. This was not a sudden decision late in June, that the administration thought this was a bad idea, let's delay it. There were a lot of factors that went into it. Was the creation of this data hub and some of the connections between the employers submitting information about their insurance and what insurance that they're providing to employees and the complicated nature of that, was that a part of this conversation? Did CMS or IRS have conversations with the administration to say, ``We've got all of this together. This is coming together well. We don't yet know yet how we're going to get employers to tell us their information on the employees''? Ms. Tavenner. Mr. Chairman, I cannot speak for IRS, but we did not have conversation. Mr. Lankford. So the first you'd heard about this at all or people at CMS had heard about this at all was June 24th or 25th? Ms. Tavenner. The first I heard of it. Mr. Lankford. Okay. Would the IRS side--where are you? Because, at some point, it sounds like there will be--employers will have to submit, ``My employee has been offered this coverage.'' Is that system in place? Is IRS prepared to be able to do that yet? Mr. Milholland. That particular deliverable is 2015. This direction to move it to the right slides that, I think it was roughly about 6 months, if I recall correctly. But, in any case, the IRS has to be prepared on day one with respect to those employers who choose to voluntarily provide the information. So the fact that Treasury moved the requirement to the right for---- Mr. Lankford. No, my question is, was there dialogue between IRS, Administration, Treasury, whoever it may be, to be able to voice, ``We don't have a mechanism to yet be able to verify this with the employers''? So was that a part of the conversation? Mr. Milholland. That---- Mr. Lankford. Has there been a notification back? Because that, as you said, is voluntary at this point. That has all been moved a year back. What was the dialogue in advance. Mr. Milholland. I was not privy to that conversation. Mr. Lankford. Okay. Is there a mechanism in place--was there a plan to have a mechanism in place for 2014 for employers to be able to verify their employees do have qualified health plans? Mr. Milholland. The mechanism that was to be in place was that they would report to the IRS. Mr. Lankford. Right. Mr. Milholland. And, I mean, that was part of the requirements---- Mr. Lankford. Is that mechanism in place now? Mr. Milholland. No, it's not. Mr. Lankford. Okay. When did that get pulled? Because I'm sure that didn't get pulled June the 24th or 25th, as far as requiring that field to be turned in. Mr. Milholland. But it's part of the release that will come later, 2015. I mean, it's not in the system as of October 1, which we're doing this year. Mr. Lankford. Right, I understand the date's been moved on it. Prior to the 3rd of July, when it was announced that it's going to be delayed, was this planned to be a part of the IRS reporting system---- Mr. Milholland. The---- Mr. Lankford. --that employers would report starting in this year? Mr. Milholland. It was part of our plan but not to be implemented this year. Mr. Lankford. So, regardless, employers weren't going to report either way? Mr. Milholland. That's correct, this year. Mr. Lankford. Okay. So the delay that's occurred, to say we're not going to require that of employers this year, already lines up with what happening with data anyway? Or there was a change in the plan to gather data this year? That's what I'm trying to determine. Mr. Milholland. I'm not sure I fully understand your question. I would just say again that the implementation of that employer reporting wouldn't happen until 2015. Mr. Lankford. And that was the plan from the beginning? Mr. Milholland. From the beginning, yes, sir. Mr. Lankford. Okay. That's what I'm--that's all I'm trying to be able to determine from there. Ms. Tavenner, you mentioned earlier that there are third- party sources of financial information. You mentioned even Equifax or some other outside organization. What's the connection there on the database with third-party organizations? Mr. Chao. We're looking--because there was talk of the requirement to have, you know, kind of, employer offering of coverage, we tried to look at our current contractor capabilities to see if there was some commercially available way to do that. And it's just in conversation and discussion right now. Absent of, you know, when things were known or not known, it was just--you know, for me, it was understanding the requirement and seeing if there's a data source that's available. Mr. Lankford. And is that a hub-type relationship, to be able to pull data when it's needed? Or is it a matter of getting data from them to be able to put on to the other piece? Because we've talked about two different functions here. Mr. Chao. Yes, pulling--it would be connected to the hub to pull that data from the---- Mr. Lankford. There's a tremendous amount of credit information out there that's in error, obviously. What I'm trying to determine is, now that we're fighting off three different agencies that have credit information, trying to get things fixed, we would now have to also add CMS into that mix, as well? That if there's an error in my system, how would people know what is there---- Mr. Chao. I---- Mr. Lankford. --and whether they'd been accepted or denied? And how would they get that fixed? Mr. Chao. Chairman, I believe that when the--you know, saying ``Equifax'' and ``credit report'' is almost synonymous these days. When we work with a company, Equifax, they have lots of data sources that they make available. Mr. Lankford. Right. Mr. Chao. I think the employer offer of coverage, that potential for having that data, is part of their overall working with employers to pull payroll information to help service benefit administration, you know, kind of, practices for large employers for their employees. I don't think it falls under the FCRA, kind of, realm of---- Mr. Lankford. Right. But the thought on it is--well, there's a whole bunch of issues. Just false information at all is hard enough to be able to track on it. But the thought is here, if they work for this certain employer, then they have been offered care, is the assumption there? Or is Equifax assuming that they'll be somehow reported, there's an employee that works for me, this was one was offered, this one wasn't? Is it just a matter of they have payroll data so they're paid by this company, this company has a qualified health plan, so they must have been offered? Is that just the assumption? Mr. Chao. Based on conversation with Equifax, they are having conversations with their employer clients that have this data relationship, and they're seeing if that's something that the employer community wants to provide as a service or a benefit to their employees so that they don't have to constantly answer questions and queries about coming back to them about offer of coverage. Mr. Lankford. Okay. One last question, and then Mr. Jordan, I think, has some wrap-up. And we need to get you all out of here, obviously. The individuals within the exchanges--and we've got an authorized user that's been authenticated. They've signed in. We know who they are; yes, they're one of ours. In a State, they're viewing data trying to make a decision; let's say this is something that's not automated. I assume most of the decisions are going to be made with parameters and it's going to be automated. Is that your assumption, as well? Ms. Tavenner. We are certainly going to encourage automation. Mr. Lankford. Yeah, I would assume the vast majority--you have millions of people coming through. Especially initially, those decisions aren't going to be made on someone's desk with a big stack. Ms. Tavenner. But it will no doubt be a combination of manual and automation. Mr. Lankford. Okay. So that individual that's there within a State that's making a decision on it has access to all that information. The challenge becomes, do we have a system in place for background checks for those individuals, limiting those individuals? If we visit with NSA, they can tell us exactly how many people have access to that information. And every time that information is accessed, there's an accountability process with it. What I'm trying to determine is, there are occasionally authorized users that do have access to it but they use it in an unauthorized way, if that makes sense. Ms. Tavenner. So they're--and I think the question you're asking is, who would help someone with an application? Mr. Lankford. No, not necessarily. No, it's an individual that has access to the information; they're authenticated as a person that is an employee there, whether it be a private contractor that works for a State or a State employees that's been authorized to be a part of the exchange. They have access to that information. What boundaries are there that they don't use that information for unauthorized purposes? Mr. Chao. From a program management perspective, when I talked about the harmonized security and privacy framework--and I did mention that there are some things that we cannot necessarily enforce upon States, but we can sign agreements with them. And in signing these agreements, they abide by certain security controls and thresholds that they, in essence, promise to uphold as part of the security practices. Now, in the world of security and cybersecurity and awareness today and security policies and imposing this operationally, if you look at the multiple security frameworks that are available--Federal Government, State government, and commercial--there is a significant overlap, in that we adopt the same controls, such as, you know, access management, authentication to a certain degree of assurance in authorizing their entrance into the systems. So we're in agreement on a very vast majority--large, vast majority of controls that are applied. Mr. Lankford. Right. I'm talking about just the background of how do we show that this person, once they've accessed data, that data that they accessed is for official purposes, not unofficial purposes. Because you now have data that was previously in a closed system that's opening up a little bit to new people that have been accessing information. So it's--am I making sense on that? Mr. Chao. Yes. Well---- Mr. Lankford. Again, it's an authenticated user. It's just not using it for authorized purposes. Mr. Chao. I think we have, you know, other security monitoring tools. We look at behaviors and trends in how people are using the system and---- Mr. Lankford. Right. We'll follow up on that in the days to come. The SPR that we talked about, Safeguard Procedures Report, how many States currently have that, that that is done and complete? Mr. Milholland. Mr. Chairman, I'm told that all 15 have submitted. Mr. Lankford. All 15 are done? Mr. Milholland. Yes. And I believe the Federal exchange has also. Is that correct? Yes. Mr. Lankford. I would hope that would be the easiest of all of them. Mr. Milholland. I would also add that we've begun our State-by-State or exchange-by-exchange safeguards reviews, literally, this week. Mr. Lankford. Well, that would be one to watch for, just unauthorized use for unauthorized purposes is one to be able to watch and to be able to track on it. How many--by the way, on all of our States now for exchanges--this is off topic. I'm going to change to Mr. Jordan, because we've got to go. Do all of our States have more than one option on the exchange, at this point? Are there States that, when they get to the exchange, will only have one option when they get to the exchange? Ms. Tavenner. You're talking about insurers now? Mr. Lankford. Yes, ma'am. Ms. Tavenner. We will not have all of that data until the end of July. But we are currently--and I think this State has been in the press. The State that we are most concerned about is Mississippi. Mr. Lankford. Okay. Ms. Tavenner. Otherwise---- Mr. Lankford. So that it looks like all States will have more than one option on the exchange? Ms. Tavenner. Correct. Mr. Lankford. Okay. Thank you. Mr. Jordan? Mr. Jordan. Thank you, Mr. Chairman. I just want to go back to where the chairman was and be clear. Ms. Tavenner, were you consulted at all before the decision was made to delay the employer mandate? Ms. Tavenner. I was not consulted. Now, part of that, in fairness, was I was also on vacation at the time. So I was actually notified while I was on vacation. Mr. Jordan. Yeah. So you were notified. So you had a cell phone. So they got a hold of you, they could talk. I mean, you're the head of CMS, and you weren't even--they didn't even talk to you before they made this decision? Ms. Tavenner. I think the decision was made with IRS as a predominantly---- Mr. Lankford. Mr. Chao, did they talk to you? Were you consulted before the White House decided to do this? Mr. Chao. No. Mr. Jordan. Mr. Milholland, were you consulted? Mr. Milholland. No, sir. Mr. Jordan. You weren't consulted? Mr. Milholland. No, sir. Mr. Jordan. Mr. Werfel told us--told me about an hour ago you were the expert, and they didn't even call you? Mr. Milholland. I was not consulted. Mr. Jordan. Was Mr.--to your knowledge, was Mr. Werfel consulted? Mr. Milholland. I believe Mr. Werfel said he received notification on---- Mr. Jordan. So none of the people who are going to be implementing this were even asked, is this the right move? Was Sarah Hall--to your knowledge, Mr. Milholland, was Sarah Hall Ingram consulted? Mr. Milholland. I do not know. Mr. Jordan. That's amazing to me. You know, Ms. Speier talked about folks who want to throw a train wreck into--or throw a--mixed metaphor--throw sands into the gears. I would just remind, it hasn't been Republicans who--and we have Mr. Baucus, one of the architects of the law, calling it a train wreck. We have the President suspending the law without consulting the people who have to actually make it work. Mr. Chao, you made a statement back in March that you hoped the exchanges wouldn't be a, quote, ``third-world experience.'' So you obviously had some knowledge and some concerns to prompt that statement. Are those concerns still relevant, still valid? Mr. Chao. I was speaking before an audience of issuers that I had spoken to before, and it was a poor attempt at humor. So I wouldn't necessarily---- Mr. Jordan. I don't know that it was a poor attempt at humor. It may have been--you know, you may have been a visionary, you may have been a prophet. I mean, this is--the fact that they didn't even talk to you is what I think is amazing. You don't talk to the head of CMS, you don't talk to the head of the IRS, you don't talk to the person at the IRS who is actually in charge of the Affordable Care Act Office, you don't talk to the technical database expert, Mr. Milholland. You just decide one day you're going to waive part of the law. I mean, we had the previous Democrat talk about when Medicare was--I'd be your curious to know if the President at the time Medicare was implemented, if he asked for a delay in the law. Maybe he did, but I don't know about it. This is amazing. But let me ask you one specific question, Ms. Tavenner. In February of this year, HHS System of Records Notice includes the following statement: ``The Secretary''--you--``along with other appropriate agencies, will establish an appeals process for individuals and employers when eligibility is denied as a result of inconsistencies between information obtained from applicants and enrollees and employers and information and data verified through the exchange.'' I have no idea what all that means; I hope you can tell me. Maybe you can define what ``inconsistencies'' are. Do you have a list of what those may be? You obviously anticipate problems because you're setting up an appeals process, so can you give me some insight into that? Ms. Tavenner. So the appeals process is required in the law, but I will remind you, there's also an appeals process today in Medicaid and CHIP and other programs, because sometimes---- Mr. Jordan. I understand that. Do you have--but, I mean, specifically, what are you thinking about? Obviously, you think that it's going to happen. The law requires you have some kind of appeals process. That makes sense to me; we understand that. What are some of the anticipated inconsistencies? Ms. Tavenner. So I think perhaps people submit information and they get denied, and they believe their information was incorrect and they want to bring new information forward. But I'll be happy to get you a list. Mr. Jordan. So you don't know what the list is. You just use the term ``inconsistency'' because you anticipate there's going to be problems. Ms. Tavenner. No, we're---- Mr. Jordan. You anticipate this, in fact, could be a train wreck. You anticipate, in fact, this could be a third-world experience. Ms. Tavenner. I do not anticipate that. And the--we are currently in rulemaking on the appeals process, and the final rule will be out shortly. Mr. Jordan. Do you think the--do you think everything could be up and running, working on October 1st, and the start of next year, this law can be fully implemented, working, you think it can all function the way it's supposed to, the way the folks who voted for it designed it to, do you think that can all happen? Ms. Tavenner. Yes, sir. You know, my background has been-- -- Mr. Jordan. Okay. So if you think that can all work, you would think the administration would call you up and consult with you before they decided to say, ``You know what? We don't think it can, and we're going to delay part of it.'' That seems logical to me, doesn't it? Doesn't that seem logical to you, that you, the person in charge of it, would be called, would be consulted? Don't you think it makes sense for you to be consulted before a major decision, a major element of the law is simply waived for a year? Ms. Tavenner. The employer mandate rests within IRS---- Mr. Jordan. That's not what I asked. Don't you think it makes sense for you, the head of CMS, charged with implementing this law, don't you think it makes sense for you to be consulted? Because if you don't, then that's scary, too. If you don't think, as the person who heads CMS, you should be consulted before a major decision to unilaterally just delay part of the law should take place, if you don't think you should be consulted, then I've got concerns on that side, as well. So do you think you should've been consulted? Ms. Tavenner. I think I've been consulted all along. Mr. Jordan. Well, no, that's not--you just told me--4 minutes ago, you just told me you weren't consulted. Ms. Tavenner. I'm---- Mr. Jordan. So which one is it? Because you have to tell us what really happened. You can't have it both ways. Were you consulted or weren't you consulted? Ms. Tavenner. I was not consulted. I'm just saying that---- Mr. Jordan. Well, then---- Ms. Tavenner. --in the last year---- Mr. Jordan. Now, wait a minute. So, then, 10 seconds ago, you just said you were. Mr. Lankford. I'll ask the gentleman to let her answer. Ms. Tavenner. Please let me finish my sentence. Mr. Jordan. I want you to finish, and I just want you to finish it truthfully, because you've told me two different things. Ms. Tavenner. Well, I take objection to that, because I've told you the truth. Mr. Jordan. We can read the transcript. Mr. Lankford. I would ask the gentleman to let her finish answering. Ms. Tavenner. Thank you. So the last 3-1/2 years, I actually started---- Mr. Jordan. I want you to answer one question. Were you consulted or not? And now I'll let you answer. Ms. Tavenner. I've said I was---- Mr. Jordan. Were you consulted? Ms. Tavenner. --not consulted. Mr. Jordan. Okay. Thank you. Thank you, Mr. Chairman. Ms. Tavenner. And I guess I won't get to finish my---- Mr. Lankford. No, go ahead. You can respond. Ms. Tavenner. For the last 3-1/2 years, I've worked at CMS. I started at the time that the rule--that the law was actually passed. And I have been an integral part of every decision that's made. In the case of the IRS and the employer mandate, I was not consulted. I do feel like I'm part of the process. Thank you. Mr. Lankford. And, by the way, we assumed you are part of the process. You have been an integral part of that. That's somewhat the surprise to us. We're trying to figure out where this came from. And it is a major shift in what's happening. And we assumed there was some conversation in trying to figure out the whys and the whats with it. And that clarification has not come. We've also written letters to the administration to try to get some clarification. So it's not just on you. It's a surprise, as well. We would assume that IRS and CMS would be consulted on this process and would be a part of the decision- making. You all have had a very long day. I appreciate you being here. I hope you get a nice, relaxing lunch where it's quiet and to be able to get some time away on that. With that, this hearing is adjourned. [Whereupon, at 1:10 p.m., the subcommittees were adjourned.] APPENDIX ---------- Material Submitted for the Hearing Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]