Implementing Health Reform: Data Hub Security And Other Issues

Sep 13

From: Health Affairs

by Timothy Jost

As the summer of 2013 draws to a close, the agencies implementing the Affordable Care Act are working diligently at the tasks that must be completed before the exchanges open their doors on (or about) October 1, while opponents of the Affordable Care Act are pulling out all stops trying to stop or slow implementation.  No new regulations or proposed regulations have been released in recent days, however, nor are any expected in the near future except for the Basic Health Plan proposed regulation still at the Office of Management and Budget.  But some information and guidance has emerged.

Data hub security.  On September 11, 2013, the Department of Health and Human Services issued a fact sheet describing the security of the data hub that the exchanges will use to establish eligibility for premium tax credits and cost-sharing reduction payments.  The data hub will provide a single connection to federal data sources needed to verify applicant information for income, citizenship, immigration status, and minimum essential coverage.  It will handle a large volume of very sensitive personal information, and Congress has shown a very strong interest in hub security.  The fact sheet explains how data will be protected.

The hub will verify data provided by applicants against information in existing and secure federal and state databases, such as those of the Internal Revenue Service, Social Security Administration, the Department of Veterans Affairs, Medicare, and others.  It will provide one highly secure connection to these databases rather than requiring each exchange to set up its own connections.  The hub has several levels of protection to mitigate security risks.  It employs a continuous monitoring model to rapidly identify and take action against irregular behavior and unauthorized system changes that could indicate a potential incident.  If a security problem occurs, an incident response capability will be activated to track, investigate, and report incidents to appropriate law enforcement authorities.

The Hub completed an independent security assessment on August 23, 2013 and received authorization to operate on September 6, 2013.  The system will be tested continually through methods including independent penetration testing, automated vulnerability scans, system configuration monitoring, and active web application scanning.  All CMS exchange systems must comply with the Privacy Act of 1974; the Computer Security Act of 1987; the Federal Information Security Management Act of 2002; and regulations promulgated by HHS, the Office of Management and Budget, the Department of Homeland Security, and the National Institute of Standards and Testing.

The “18B Notice” on coverage options.  On September 11, 2013 the Employee Benefits Security Administration of the Department of Labor issued a Frequently Asked Question regarding the notice that employers must provide to their employees about options available through the health insurance exchange (marketplace).  This notice is required by an ACA amendment to the Fair Labor Standards Act, and is commonly called the “18B Notice” because this is the section of the FLSA where it is located. The FLSA applies generally to firms that do more than $500,000 in business annually, but also to health care and educational institutions and government agencies.  The notice must be provided to full- and part-time employees, but need not be provided to dependents of employees who are not employees themselves.

The notice informs employees:
.

  • that the health insurance exchange exists and how to access it;
  • that they may be able to get lower-cost private insurance in the Marketplace if their employer offers coverage that does not offer minimum value; and
  • that if employees buy insurance through the Marketplace, they may lose the employer contribution (if any) to their health benefits.

EBSA has also provided a model notice for employers that offer health insurance, and another for employers that do not.  The notices are also available in Spanish.

The FAQ states that no penalty or fine will be imposed on employers who fail to provide the notice.  Although this seems to be consistent with the statute, it is disappointing insofar as it could be interpreted as making compliance optional.  The 18B notice will be one of the primary means through which employees learn whether or not they have adequate and affordable coverage through their employer, and thus whether they are eligible for premium tax credits.  If noncompliance is widespread, it will make it that much harder for individuals to get health insurance that best meets their needs.

The preventive services mandate and HSAs.  The Internal Revenue Service has also issued a notice regarding the effect of the Affordable Care Act’s preventive services requirement on health savings accounts.  The statutory provision establishing HSAs requires that they be coupled with high-deductible health plans.  Although high-deductible health plans normally may not pay for health care services until the minimum deductible limit is reached (currently $1,250 for an individual and $2,500 for a family), they can cover preventive services without cost sharing.

This notice clarifies that those preventive services can include all preventive services that must be covered without cost sharing under the ACA.  Additionally, plans may cover without cost sharing any services that would have been allowed under earlier IRS notices, whether or not those services would qualify as preventive services under the ACA.

Navigators.  On September 9, 2013, the Department of Health and Human Services sent a letter to Congressman Frank Upton, Chair of the House Energy and Commerce Committee, responding to a letter that Republican members of the Committee had sent to 51 of the navigator program grantees demanding information about their programs.

The Republican Energy and Commerce letter inquired about the work navigators would be doing, their training, how the navigators would be monitored, how they would handle information, and what their relationship was with insurance companies.  The letter demanded a response from the navigator programs, including the production of voluminous documentation, by September 13, 2013.  In light of the fact that it was sent just as the navigators, often small nonprofits, were fully occupied hiring staff, getting them trained and certified, and preparing for the exchange launch on October 1, the motives underlying the request were questioned by the Democratic members of the committee.

The HHS letter responds in detail to the concerns the Energy and Commerce Committee had raised.  Those who follow Health Affairs Blog will find little new in it.  It is to be hoped, however, that it will satisfy the legitimate concerns of the Committee so that the navigators may get on with their work.

Video winner.  Finally, on September 12, 2013, HHS announced the early bird winner of its Healthy Young America Video Contest.  Enjoy.

 

 

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published.

Please Answer: *